@kikkimo/claude-launcher 1.0.0 → 2.1.0

package/lib/auth/password-input.js

@@ -0,0 +1,158 @@
+/**
+ * Secure Password Input Module
+ * Handles masked password input without showing plaintext characters
+ */
+
+const readline = require('readline');
+const stdinManager = require('../utils/stdin-manager');
+
+/**
+ * Get password input with proper masking (no plaintext display)
+ * @param {string} prompt - The prompt message to display
+ * @returns {Promise<string>} - The entered password
+ */
+function getPasswordInput(prompt) {
+    return new Promise((resolve, reject) => {
+        let password = '';
+        let scope = null;
+        let cleanedUp = false;
+
+        // Display prompt - this is necessary for password input
+        process.stdout.write(prompt);
+
+        if (!process.stdin.isTTY) {
+            // Non-TTY environment fallback - use scope's createReadline
+            try {
+                scope = stdinManager.acquire('line', {
+                    id: 'passwordInput_nonTTY',
+                    allowNested: false
+                });
+            } catch (error) {
+                reject(new Error(`Failed to acquire stdin for password input: ${error.message}`));
+                return;
+            }
+
+            const rl = scope.createReadline();
+            rl.question('', (answer) => {
+                rl.close();
+                scope.release();
+                resolve(answer.trim());
+            });
+            return;
+        }
+
+        // Use StdinManager to acquire raw mode scope
+        try {
+            scope = stdinManager.acquire('raw', {
+                id: 'passwordInput',
+                allowNested: false
+            });
+        } catch (error) {
+            reject(new Error(`Failed to acquire stdin for password input: ${error.message}`));
+            return;
+        }
+
+        const cleanup = () => {
+            if (cleanedUp) return;
+            cleanedUp = true;
+
+            try {
+                scope.removeAllListeners('data');
+                scope.release();
+            } catch (error) {
+                // Ignore cleanup errors
+            }
+        };
+
+        const handleKeyPress = (data) => {
+            const key = data.toString();
+
+            // Handle Ctrl+C - cancel password input immediately
+            if (key === '\u0003') {
+                cleanup();
+                reject(new Error('Password input cancelled by Ctrl+C'));
+                return;
+            }
+
+            // If waiting for second Ctrl+C, any other key cancels it
+            if (stdinManager.isCtrlCPending()) {
+                stdinManager.cancelCtrlC();
+                // Continue to process this key normally
+            }
+
+            // Handle different key combinations
+            switch (key) {
+                case '\r': // Enter (CR)
+                case '\n': // Line Feed (LF)
+                case '\r\n': // CRLF
+                    process.stdout.write('\n');
+                    cleanup();
+                    resolve(password);
+                    return;
+
+                case '\u007f': // Backspace (DEL)
+                case '\b': // Backspace (BS)
+                    if (password.length > 0) {
+                        password = password.slice(0, -1);
+                        // Clear the last asterisk
+                        process.stdout.write('\b \b');
+                    }
+                    return;
+
+                case '\u001b': // Escape
+                    cleanup();
+                    reject(new Error('Password input cancelled'));
+                    return;
+
+                default:
+                    // Process each character individually to handle IME batch input
+                    // When using Chinese IME, multiple chars may come in one event (e.g., "vis")
+                    for (let i = 0; i < key.length; i++) {
+                        const char = key[i];
+                        const charCode = char.charCodeAt(0);
+
+                        // Filter out control characters (only accept ASCII printable)
+                        if (charCode >= 32 && charCode < 127) {
+                            password += char;
+                            process.stdout.write('*');
+                        }
+                    }
+                    return;
+            }
+        };
+
+        try {
+            scope.on('data', handleKeyPress);
+        } catch (error) {
+            cleanup();
+            reject(error);
+        }
+    });
+}
+
+/**
+ * Get password input with confirmation
+ * @param {string} prompt - The initial prompt message
+ * @param {string} confirmPrompt - The confirmation prompt message
+ * @returns {Promise<string>} - The confirmed password
+ */
+async function getPasswordWithConfirmation(prompt, confirmPrompt = 'Confirm Password: ') {
+    const password = await getPasswordInput(prompt);
+
+    if (!password) {
+        throw new Error('Password cannot be empty');
+    }
+
+    const confirmPassword = await getPasswordInput(confirmPrompt);
+
+    if (password !== confirmPassword) {
+        throw new Error('Passwords do not match');
+    }
+
+    return password;
+}
+
+module.exports = {
+    getPasswordInput,
+    getPasswordWithConfirmation
+};

package/lib/auth/password-strength.js

@@ -0,0 +1,154 @@
+/**
+ * Password Strength Validation Module
+ * Enforces strong password requirements for security
+ */
+
+const i18n = require('../i18n');
+
+/**
+ * Validate password strength according to security requirements
+ * @param {string} password - The password to validate
+ * @returns {Object} - Validation result with success status and detailed feedback
+ */
+function validatePasswordStrength(password) {
+    const result = {
+        valid: false,
+        score: 0,
+        errors: [],
+        suggestions: []
+    };
+
+    // Basic validation
+    if (!password) {
+        result.errors.push(i18n.tSync('errors.password.empty'));
+        return result;
+    }
+
+    // Length requirement (≥6 characters)
+    if (password.length < 6) {
+        result.errors.push(i18n.tSync('errors.password.too_short'));
+    } else {
+        result.score += 1;
+    }
+
+    // ASCII only validation
+    if (!/^[\x20-\x7E]*$/.test(password)) {
+        result.errors.push(i18n.tSync('errors.password.non_ascii'));
+    } else {
+        result.score += 1;
+    }
+
+    // No spaces or unusual whitespace characters
+    if (/\s/.test(password)) {
+        result.errors.push(i18n.tSync('errors.password.contains_spaces'));
+    } else {
+        result.score += 1;
+    }
+
+    // Character type requirements (at least 2 of 4 types)
+    let characterTypes = 0;
+    const hasLowercase = /[a-z]/.test(password);
+    const hasUppercase = /[A-Z]/.test(password);
+    const hasNumbers = /[0-9]/.test(password);
+    const hasSpecialChars = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?~`]/.test(password);
+
+    if (hasLowercase) characterTypes++;
+    if (hasUppercase) characterTypes++;
+    if (hasNumbers) characterTypes++;
+    if (hasSpecialChars) characterTypes++;
+
+    if (characterTypes < 2) {
+        result.errors.push(i18n.tSync('errors.password.insufficient_types'));
+
+        // Provide specific suggestions
+        if (!hasLowercase) result.suggestions.push(i18n.tSync('errors.password.suggest_lowercase'));
+        if (!hasUppercase) result.suggestions.push(i18n.tSync('errors.password.suggest_uppercase'));
+        if (!hasNumbers) result.suggestions.push(i18n.tSync('errors.password.suggest_numbers'));
+        if (!hasSpecialChars) result.suggestions.push(i18n.tSync('errors.password.suggest_special'));
+    } else {
+        result.score += characterTypes; // Bonus points for more character types
+    }
+
+    // Common weak password patterns - exact matches only for common weak passwords
+    const weakPatterns = [
+        /^123456$/,
+        /^1234567$/,
+        /^12345678$/,
+        /^password$/i,
+        /^admin$/i,
+        /^qwerty$/i,
+        /^abc123$/i,
+        /^111111$/,
+        /^000000$/,
+        /^(.)\1{5,}/, // Repeated characters (6+ times)
+        /^(012|123|234|345|456|567|678|789|890){3,}/, // Sequential numbers (3+ repetitions)
+        /^(abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz){3,}/i // Sequential letters (3+ repetitions)
+    ];
+
+    for (const pattern of weakPatterns) {
+        if (pattern.test(password)) {
+            result.errors.push(i18n.tSync('errors.password.weak_pattern'));
+            break;
+        }
+    }
+
+    // Additional strength scoring
+    if (password.length >= 8) result.score += 1;
+    if (password.length >= 12) result.score += 1;
+    if (characterTypes >= 3) result.score += 1;
+    if (characterTypes === 4) result.score += 1;
+
+    // Strength classification
+    if (result.score >= 8) {
+        result.strength = 'Very Strong';
+    } else if (result.score >= 6) {
+        result.strength = 'Strong';
+    } else if (result.score >= 4) {
+        result.strength = 'Good';
+    } else if (result.score >= 2) {
+        result.strength = 'Weak';
+    } else {
+        result.strength = 'Very Weak';
+    }
+
+    // Final validation - require Good level or above (score >= 4) and no errors
+    // Explicitly reject Weak and Very Weak passwords
+    if (result.strength === 'Weak' || result.strength === 'Very Weak') {
+        result.errors.push(i18n.tSync('errors.password.strength_insufficient', result.strength));
+        result.suggestions.push(i18n.tSync('errors.password.suggest_longer'));
+        result.suggestions.push(i18n.tSync('errors.password.suggest_more_types'));
+    }
+
+    result.valid = result.errors.length === 0 && result.score >= 4;
+
+    return result;
+}
+
+/**
+ * Get password requirements description for user guidance
+ * @returns {Array} - Array of requirement strings
+ */
+function getPasswordRequirements() {
+    return i18n.tSync('ui.general.password_requirements_list');
+}
+
+/**
+ * Generate example of a strong password for user reference
+ * @returns {string} - Example strong password
+ */
+function generatePasswordExample() {
+    const examples = [
+        'MyStr0ng!Pass',
+        'Secure#123Pass',
+        'Good$Pass456',
+        'Safe&Strong7',
+        'Best!Choice9'
+    ];
+    return examples[Math.floor(Math.random() * examples.length)];
+}
+
+module.exports = {
+    validatePasswordStrength,
+    getPasswordRequirements,
+    generatePasswordExample
+};

package/lib/auth/password-validator.js

@@ -0,0 +1,255 @@
+/**
+ * Password Validation Module
+ * Handles all password verification scenarios
+ */
+
+const { getPasswordInput } = require('./password-input');
+const colors = require('../ui/colors');
+const { validatePasswordStrength, getPasswordRequirements, generatePasswordExample } = require('./password-strength');
+const i18n = require('../i18n');
+
+/**
+ * Force cleanup stdin state to prevent navigation issues
+ */
+function forceStdinCleanup() {
+    try {
+        if (process.stdin.isTTY) {
+            process.stdin.setRawMode(false);
+            process.stdin.removeAllListeners('data');
+            process.stdin.removeAllListeners('keypress');
+            process.stdin.pause();
+        }
+    } catch (error) {
+        // Ignore cleanup errors
+    }
+}
+
+/**
+ * Convert strength string to translated version
+ * @param {string} strength - English strength string
+ * @returns {string} - Translated strength string
+ */
+function getTranslatedStrength(strength) {
+    const strengthMap = {
+        'Very Weak': 'very_weak',
+        'Weak': 'weak',
+        'Good': 'good',
+        'Strong': 'strong',
+        'Very Strong': 'very_strong'
+    };
+
+    const strengthKey = strengthMap[strength] || 'weak';
+    return i18n.tSync(`password.strength.${strengthKey}`);
+}
+
+/**
+ * Verify user password for export/import operations
+ * @param {Object} apiManager - The API manager instance
+ * @param {string} operation - The operation being performed (for error messages)
+ * @returns {Promise<boolean>} - True if password is verified, false otherwise
+ */
+async function verifyExportPassword(apiManager, operation = 'operation') {
+    try {
+        const password = await getPasswordInput(i18n.tSync('messages.prompts.enter_password'));
+
+        if (!password) {
+            forceStdinCleanup();
+            console.log(colors.red + i18n.tSync('errors.password.empty') + colors.reset);
+            return false;
+        }
+
+        if (!apiManager.verifyExportPassword(password)) {
+            forceStdinCleanup();
+            console.log(colors.red + '❌ ' + i18n.tSync('errors.password.verification_failed') + colors.reset);
+            console.log(colors.gray + i18n.tSync('errors.general.operation_failed', operation) + colors.reset);
+            return false;
+        }
+
+        return true;
+    } catch (error) {
+        forceStdinCleanup();
+        if (error.message.includes('cancelled')) {
+            console.log(colors.yellow + '\n' + i18n.tSync('errors.general.cancelled_by_user').replace('{0}', operation) + colors.reset);
+        } else {
+            console.log(colors.red + `❌ Password verification error: ${error.message}` + colors.reset);
+        }
+        return false;
+    }
+}
+
+/**
+ * Verify current password before changing it
+ * @param {Object} apiManager - The API manager instance
+ * @returns {Promise<boolean>} - True if current password is verified, false otherwise
+ */
+async function verifyCurrentPassword(apiManager) {
+    try {
+        const currentPassword = await getPasswordInput(i18n.tSync('messages.prompts.enter_current_password'));
+
+        if (!currentPassword) {
+            forceStdinCleanup();
+            console.log(colors.red + i18n.tSync('errors.password.empty') + colors.reset);
+            return false;
+        }
+
+        if (!apiManager.verifyExportPassword(currentPassword)) {
+            forceStdinCleanup();
+            console.log(colors.red + '❌ ' + i18n.tSync('errors.password.current_incorrect') + colors.reset);
+            return false;
+        }
+
+        return true;
+    } catch (error) {
+        forceStdinCleanup();
+        if (error.message.includes('cancelled')) {
+            console.log(colors.yellow + '\n' + i18n.tSync('errors.password.verification_cancelled') + colors.reset);
+        } else {
+            console.log(colors.red + `❌ Password verification error: ${error.message}` + colors.reset);
+        }
+        return false;
+    }
+}
+
+/**
+ * Prompt user to set up a new password with validation
+ * @param {Object} apiManager - The API manager instance
+ * @param {boolean} isFirstTime - Whether this is the first time setting a password
+ * @returns {Promise<boolean>} - True if password is successfully set, false otherwise
+ */
+async function setupNewPassword(apiManager, isFirstTime = false) {
+    try {
+        console.log('');
+        console.log(colors.cyan + (isFirstTime ? i18n.tSync('password.setup.title') : i18n.tSync('password.setup.change_title')) + colors.reset);
+        console.log('');
+
+        if (!isFirstTime) {
+            console.log(colors.yellow + '⚠️  ' + i18n.tSync('password.setup.warning') + colors.reset);
+            console.log('');
+        }
+
+        // Display password requirements
+        console.log(colors.cyan + i18n.tSync('ui.general.password_requirements_title') + colors.reset);
+        const requirements = getPasswordRequirements();
+        requirements.forEach(req => {
+            console.log(colors.gray + '  ' + req + colors.reset);
+        });
+        console.log('');
+        console.log(colors.gray + i18n.tSync('ui.general.example_strong_password', generatePasswordExample()) + colors.reset);
+        console.log('');
+
+        let attempts = 0;
+        const maxAttempts = 3;
+
+        while (attempts < maxAttempts) {
+            attempts++;
+
+            // Get new password
+            const passwordPrompt = i18n.tSync('ui.general.new_password_attempt', attempts, maxAttempts);
+            const newPassword = await getPasswordInput(passwordPrompt);
+
+            if (!newPassword) {
+                forceStdinCleanup();
+                console.log(colors.red + i18n.tSync('errors.password.empty') + colors.reset);
+                if (attempts < maxAttempts) {
+                    console.log('');
+                    continue;
+                } else {
+                    return false;
+                }
+            }
+
+            // Validate password strength
+            const validation = validatePasswordStrength(newPassword);
+
+            if (!validation.valid) {
+                console.log(colors.red + '❌ ' + i18n.tSync('errors.password.requirements_not_met') + colors.reset);
+                validation.errors.forEach(error => {
+                    console.log(colors.red + '  • ' + error + colors.reset);
+                });
+
+                if (validation.suggestions.length > 0) {
+                    console.log(colors.yellow + '💡 ' + i18n.tSync('ui.general.suggestions') + colors.reset);
+                    validation.suggestions.forEach(suggestion => {
+                        console.log(colors.yellow + '  • ' + suggestion + colors.reset);
+                    });
+                }
+                // If password is invalid, force display strength as "Weak" regardless of technical score
+                const strengthKey = validation.valid ? validation.strength : 'Weak';
+                const translatedStrength = getTranslatedStrength(strengthKey);
+                console.log(colors.gray + i18n.tSync('ui.general.current_password_strength', translatedStrength) + colors.reset);
+
+                if (attempts < maxAttempts) {
+                    console.log('');
+                    continue;
+                } else {
+                    console.log(colors.red + i18n.tSync('ui.general.max_attempts_password_failed') + colors.reset);
+                    return false;
+                }
+            }
+
+            // Confirm password
+            const confirmPassword = await getPasswordInput(i18n.tSync('password.setup.confirm_password_prompt'));
+
+            if (newPassword !== confirmPassword) {
+                forceStdinCleanup();
+                console.log(colors.red + i18n.tSync('ui.general.passwords_mismatch') + colors.reset);
+                if (attempts < maxAttempts) {
+                    console.log('');
+                    continue;
+                } else {
+                    return false;
+                }
+            }
+
+            // Success - set the password
+            apiManager.setExportPassword(newPassword);
+            console.log('');
+            console.log(colors.green + '✓ ' + i18n.tSync('password.setup.password_success', getTranslatedStrength(validation.strength)) + colors.reset);
+            return true;
+        }
+
+        return false;
+
+    } catch (error) {
+        forceStdinCleanup();
+        if (error.message.includes('cancelled')) {
+            console.log(colors.yellow + '\n' + i18n.tSync('errors.password.setup_cancelled') + colors.reset);
+        } else {
+            console.log(colors.red + `❌ Failed to set password: ${error.message}` + colors.reset);
+        }
+        return false;
+    }
+}
+
+/**
+ * Handle password change operation
+ * @param {Object} apiManager - The API manager instance
+ * @returns {Promise<boolean>} - True if password is successfully changed, false otherwise
+ */
+async function changePassword(apiManager) {
+    try {
+        // First verify current password
+        const currentVerified = await verifyCurrentPassword(apiManager);
+        if (!currentVerified) {
+            return false;
+        }
+
+        console.log(colors.green + i18n.tSync('errors.password.current_password_verified') + colors.reset);
+        console.log('');
+
+        // Set new password
+        return await setupNewPassword(apiManager, false);
+
+    } catch (error) {
+        forceStdinCleanup();
+        console.log(colors.red + `❌ Password change failed: ${error.message}` + colors.reset);
+        return false;
+    }
+}
+
+module.exports = {
+    verifyExportPassword,
+    verifyCurrentPassword,
+    setupNewPassword,
+    changePassword
+};

package/lib/crypto.js

@@ -0,0 +1,85 @@
+/**
+ * Crypto Module - Handles encryption and decryption for sensitive data
+ */
+
+const crypto = require('crypto');
+const os = require('os');
+
+/**
+ * Generate encryption key from machine-specific data
+ */
+function getEncryptionKey() {
+    const machineId = os.hostname() + os.userInfo().username + os.platform();
+    return crypto.pbkdf2Sync(machineId, 'claude-launcher-salt', 10000, 32, 'sha256');
+}
+
+/**
+ * Encrypt data using AES-256-CBC
+ * @param {string} plaintext - The text to encrypt
+ * @returns {object} Result object with success status and encrypted value or error
+ */
+function encrypt(plaintext) {
+    try {
+        const key = getEncryptionKey();
+        const iv = crypto.randomBytes(16);
+        const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
+
+        let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+
+        const result = iv.toString('hex') + ':' + encrypted;
+
+        return {
+            success: true,
+            value: result,
+            error: null
+        };
+    } catch (error) {
+        return {
+            success: false,
+            value: null,
+            error: error.message
+        };
+    }
+}
+
+/**
+ * Decrypt data using AES-256-CBC
+ * @param {string} encryptedData - The encrypted data to decrypt
+ * @returns {object} Result object with success status and decrypted value or error
+ */
+function decrypt(encryptedData) {
+    try {
+        const key = getEncryptionKey();
+
+        const parts = encryptedData.split(':');
+        if (parts.length !== 2) {
+            throw new Error('Invalid encrypted data format');
+        }
+
+        const iv = Buffer.from(parts[0], 'hex');
+        const encrypted = parts[1];
+
+        const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
+
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+
+        return {
+            success: true,
+            value: decrypted,
+            error: null
+        };
+    } catch (error) {
+        return {
+            success: false,
+            value: null,
+            error: error.message
+        };
+    }
+}
+
+module.exports = {
+    encrypt,
+    decrypt
+};