@lifeaitools/clauth 1.4.3 → 1.4.5

package/cli/commands/serve.js

@@ -502,10 +502,18 @@ function dashboardHtml(port, whitelist, isStaged = false) {
   .card:hover{border-color:#3b82f6}
   .card-name{font-size:1rem;font-weight:600;color:#f8fafc;margin-bottom:3px}
   .card-type{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.5px}
-  .card-getkey{font-size:.75rem;color:#3b82f6;text-decoration:none;opacity:.7;transition:opacity .15s}
-  .card-getkey:hover{opacity:1;text-decoration:underline}
+  .card-getkey{font-size:.75rem;color:#60a5fa;text-decoration:none;transition:color .15s}
+  .card-getkey:hover{color:#93c5fd;text-decoration:underline}
   .card-value{font-family:'Courier New',monospace;font-size:.82rem;color:#22c55e;background:#0f172a;border-radius:4px;padding:8px 10px;margin-top:10px;word-break:break-all;max-height:80px;overflow:auto;display:none}
   .card-actions{margin-top:10px;display:flex;gap:7px;flex-wrap:wrap}
+  .btn-rename{background:#1e293b;color:#94a3b8;border:1px solid #334155;padding:3px 8px;font-size:.75rem;border-radius:4px;cursor:pointer;transition:color .15s,border-color .15s}
+  .btn-rename:hover{color:#e2e8f0;border-color:#60a5fa}
+  .btn-delete{background:#1e293b;color:#f87171;border:1px solid #4b2020;padding:3px 8px;font-size:.75rem;border-radius:4px;cursor:pointer;transition:background .15s,border-color .15s}
+  .btn-delete:hover{background:#2d1f1f;border-color:#ef4444}
+  .rename-panel{display:none;margin-top:8px;background:#0f172a;border-radius:6px;padding:8px 10px;border:1px solid #1e3a5f}
+  .rename-input{width:calc(100% - 100px);background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-size:.85rem;padding:5px 8px;outline:none}
+  .rename-input:focus{border-color:#3b82f6}
+  .rename-msg{font-size:.75rem;margin-left:6px}
   .set-panel{display:none;margin-top:10px;background:#0f172a;border-radius:6px;padding:10px;border:1px solid #1e3a5f}
   .set-panel label{font-size:.75rem;color:#64748b;display:block;margin-bottom:6px}
   .set-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;resize:vertical;min-height:58px;transition:border-color .2s}
@@ -887,10 +895,12 @@ const KEY_URLS = {
 // Extra links shown below the primary KEY_URLS link
 const EXTRA_LINKS = {
   "gmail": [
+    { label: "↗ Open Gmail", url: "https://mail.google.com" },
     { label: "↗ OAuth Playground (get refresh token)", url: "https://developers.google.com/oauthplayground/" },
     { label: "↗ Enable Gmail API", url: "https://console.cloud.google.com/apis/library/gmail.googleapis.com" },
   ],
   "gcal": [
+    { label: "↗ Open Google Calendar", url: "https://calendar.google.com" },
     { label: "↗ OAuth Playground (get refresh token)", url: "https://developers.google.com/oauthplayground/" },
     { label: "↗ Enable Calendar API", url: "https://console.cloud.google.com/apis/library/calendar-json.googleapis.com" },
   ],
@@ -959,20 +969,35 @@ async function boot() {
   try {
     const ping = await fetch(BASE + "/ping").then(r => r.json());
     if (ping.locked) {
-      showLockScreen();
+      showLockScreen(ping.hard_locked);
     } else {
       showMain(ping);
       loadServices();
     }
   } catch {
-    showLockScreen();
+    showLockScreen(false);
   }
 }
 
-function showLockScreen() {
+function showLockScreen(hardLocked) {
   document.getElementById("lock-screen").style.display = "flex";
   document.getElementById("main-view").style.display = "none";
-  setTimeout(() => document.getElementById("lock-input").focus(), 50);
+  const input = document.getElementById("lock-input");
+  const btn   = document.getElementById("unlock-btn");
+  const sub   = document.getElementById("lock-sub");
+  const err   = document.getElementById("lock-err");
+  if (hardLocked) {
+    input.disabled = true;
+    btn.disabled = true;
+    sub.textContent = "Too many failed attempts";
+    err.textContent = "✗ Vault locked — restart daemon to try again";
+  } else {
+    input.disabled = false;
+    btn.disabled = false;
+    sub.textContent = "Paste your password to unlock";
+    err.textContent = "";
+    setTimeout(() => input.focus(), 50);
+  }
 }
 
 // ── Upgrade detection ────────────────────────────────────────────
@@ -1011,6 +1036,11 @@ function showMain(ping) {
   checkUpgrade(ping);
   document.getElementById("lock-screen").style.display = "none";
   document.getElementById("main-view").style.display = "block";
+  // Reset lock screen state for next lock
+  document.getElementById("lock-input").disabled = false;
+  document.getElementById("unlock-btn").disabled = false;
+  document.getElementById("lock-sub").textContent = "Paste your password to unlock";
+  document.getElementById("lock-err").textContent = "";
   if (ping) {
     document.getElementById("s-pid").textContent = ping.pid || "—";
     document.getElementById("s-fails").textContent =
@@ -1025,8 +1055,10 @@ async function unlock() {
   const input = document.getElementById("lock-input");
   const btn   = document.getElementById("unlock-btn");
   const err   = document.getElementById("lock-err");
+  const sub   = document.getElementById("lock-sub");
   const pw    = input.value;
 
+  if (input.disabled) return;
   if (!pw) { err.textContent = "Password is required."; return; }
 
   btn.disabled = true; btn.textContent = "Verifying…"; err.textContent = "";
@@ -1038,7 +1070,22 @@ async function unlock() {
       body: JSON.stringify({ password: pw })
     }).then(r => r.json());
 
-    if (r.error) throw new Error(r.error);
+    if (r.hard_locked) {
+      input.value = "";
+      input.disabled = true;
+      btn.disabled = true;
+      btn.textContent = "Unlock";
+      sub.textContent = "Too many failed attempts";
+      err.textContent = "✗ Vault locked — restart daemon to try again";
+      return;
+    }
+
+    if (r.error) {
+      const rem = r.failures_remaining !== undefined
+        ? \` (\${r.failures_remaining} attempt\${r.failures_remaining !== 1 ? "s" : ""} remaining)\`
+        : "";
+      throw new Error(r.error + rem);
+    }
 
     input.value = "";
     const ping = await fetch(BASE + "/ping").then(r => r.json());
@@ -1050,14 +1097,14 @@ async function unlock() {
     err.textContent = "✗ " + (e.message || "Invalid password");
     setTimeout(() => input.className = "lock-input", 600);
   } finally {
-    btn.disabled = false; btn.textContent = "Unlock";
+    if (!input.disabled) { btn.disabled = false; btn.textContent = "Unlock"; }
   }
 }
 
 // ── Lock ────────────────────────────────────
 async function lockVault() {
-  await fetch(BASE + "/lock", { method: "POST" }).catch(() => {});
-  showLockScreen();
+  const r = await fetch(BASE + "/lock", { method: "POST" }).then(r => r.json()).catch(() => ({}));
+  showLockScreen(r.hard_locked || false);
 }
 
 // ── Make Live (blue-green: promote staged instance to live port) ──
@@ -1155,6 +1202,14 @@ function renderServiceGrid(services) {
         <button class="btn-project" onclick="toggleProjectEdit('\${s.name}')">\${s.project ? "✎ Project" : "+ Project"}</button>
         <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
         <button class="btn-rotate" id="rotbtn-\${s.name}" style="display:none;background:#0e7490;border:1px solid #06b6d4;color:#cffafe;font-size:.75rem;padding:3px 8px;border-radius:4px;cursor:pointer" onclick="rotateKey('\${s.name}')">↻ Rotate</button>
+        <button class="btn-rename" onclick="toggleRename('\${s.name}')" title="Rename service">✎</button>
+        <button class="btn-delete" onclick="deleteService('\${s.name}')" title="Delete service">✕</button>
+      </div>
+      <div class="rename-panel" id="rn-\${s.name}">
+        <input class="rename-input" id="rn-input-\${s.name}" value="\${s.name}" spellcheck="false" autocomplete="off" placeholder="New name…">
+        <button class="btn" onclick="saveRename('\${s.name}')" style="padding:4px 10px;font-size:.8rem">Save</button>
+        <button class="btn" onclick="toggleRename('\${s.name}')" style="padding:4px 10px;font-size:.8rem;background:#1e293b">Cancel</button>
+        <span class="rename-msg" id="rn-msg-\${s.name}"></span>
       </div>
       <div class="project-edit" id="pe-\${s.name}">
         <input type="text" id="pe-input-\${s.name}" value="\${s.project || ""}" placeholder="Project name…" spellcheck="false" autocomplete="off">
@@ -1360,6 +1415,53 @@ async function clearProject(name) {
   await saveProject(name);
 }
 
+// ── Rename service ───────────────────────────
+function toggleRename(name) {
+  const panel = document.getElementById("rn-" + name);
+  const open  = panel.style.display === "block";
+  panel.style.display = open ? "none" : "block";
+  if (!open) {
+    const inp = document.getElementById("rn-input-" + name);
+    inp.value = name;
+    inp.focus(); inp.select();
+    document.getElementById("rn-msg-" + name).textContent = "";
+  }
+}
+
+async function saveRename(oldName) {
+  const inp  = document.getElementById("rn-input-" + oldName);
+  const msg  = document.getElementById("rn-msg-" + oldName);
+  const newName = inp.value.trim();
+  if (!newName || newName === oldName) { toggleRename(oldName); return; }
+  msg.style.color = "#94a3b8"; msg.textContent = "Saving…";
+  try {
+    const r = await fetch(BASE + "/rename/" + oldName, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ new_name: newName })
+    }).then(r => r.json());
+    if (r.locked) { showLockScreen(false); return; }
+    if (r.error) throw new Error(r.error);
+    msg.style.color = "#4ade80"; msg.textContent = "✓ Renamed";
+    setTimeout(() => loadServices(), 800);
+  } catch (e) {
+    msg.style.color = "#f87171"; msg.textContent = "✗ " + e.message;
+  }
+}
+
+// ── Delete service ───────────────────────────
+async function deleteService(name) {
+  if (!confirm(\`Delete service "\${name}"? This cannot be undone.\`)) return;
+  try {
+    const r = await fetch(BASE + "/delete/" + name, { method: "POST" }).then(r => r.json());
+    if (r.locked) { showLockScreen(false); return; }
+    if (r.error) throw new Error(r.error);
+    loadServices();
+  } catch (e) {
+    alert("Delete failed: " + e.message);
+  }
+}
+
 // ── Set key ─────────────────────────────────
 function toggleSet(name) {
   const panel = document.getElementById("set-panel-" + name);
@@ -2279,6 +2381,9 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   }
   const MAX_FAILS = 10;
   let failCount = 0;
+  const MAX_AUTH_FAILS = 10;
+  let authFailCount = 0;
+  let authHardLocked = false;
   let password = initPassword || null;   // null = locked; set via POST /auth
   const machineHash = getMachineHash();
 
@@ -2487,17 +2592,18 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       error: message,
       failures: failCount,
       failures_remaining: remaining,
-      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
+      ...(failCount >= MAX_FAILS ? { locked: true } : {})
     });
 
     res.writeHead(code, { "Content-Type": "application/json", ...CORS });
     res.end(body);
 
     if (failCount >= MAX_FAILS) {
-      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
+      const msg = `[${new Date().toISOString()}] Failure limit reached — locking vault\n`;
       try { fs.appendFileSync(LOG_FILE, msg); } catch {}
-      removePid();
-      setTimeout(() => process.exit(1), 100);
+      password = null;
+      failCount = 0;
+      stopTunnel();
     }
   }
 
@@ -3013,8 +3119,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         status: "ok",
         pid: process.pid,
         locked: !password,
+        hard_locked: authHardLocked,
         failures: failCount,
         failures_remaining: MAX_FAILS - failCount,
+        auth_failures: authFailCount,
+        auth_failures_remaining: MAX_AUTH_FAILS - authFailCount,
         services: whitelist || "all",
         port,
         tunnel_status: tunnelStatus,
@@ -3285,11 +3394,18 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         return res.end(JSON.stringify({ error: "password is required" }));
       }
 
+      if (authHardLocked) {
+        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Too many failed attempts — restart daemon to try again", hard_locked: true }));
+      }
+
       try {
         const { token, timestamp } = deriveToken(pw, machineHash);
         const result = await api.test(pw, machineHash, token, timestamp);
         if (result.error) throw new Error(result.error);
         password = pw;   // unlock — store in process memory only
+        authFailCount = 0;
+        authHardLocked = false;
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
         // Start rotation engine on unlock
@@ -3341,9 +3457,19 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         }
         return ok(res, { ok: true, locked: false });
       } catch {
-        // Wrong password — not a lockout strike, just a UI auth attempt
+        authFailCount++;
+        const authRemaining = MAX_AUTH_FAILS - authFailCount;
+        const failLog = `[${new Date().toISOString()}] [AUTH FAIL ${authFailCount}/${MAX_AUTH_FAILS}] Wrong password\n`;
+        try { fs.appendFileSync(LOG_FILE, failLog); } catch {}
+        if (authFailCount >= MAX_AUTH_FAILS) {
+          authHardLocked = true;
+          const lockLog = `[${new Date().toISOString()}] Auth failure limit reached — vault hard-locked\n`;
+          try { fs.appendFileSync(LOG_FILE, lockLog); } catch {}
+          res.writeHead(401, { "Content-Type": "application/json", ...CORS });
+          return res.end(JSON.stringify({ error: "Too many failed attempts — restart daemon to try again", hard_locked: true }));
+        }
         res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid password" }));
+        return res.end(JSON.stringify({ error: "Invalid password", failures_remaining: authRemaining }));
       }
     }
 
@@ -3353,7 +3479,47 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       stopTunnel();
       const logLine = `[${new Date().toISOString()}] Vault locked\n`;
       try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-      return ok(res, { ok: true, locked: true });
+      return ok(res, { ok: true, locked: true, hard_locked: authHardLocked });
+    }
+
+    // POST /rename/:service — rename a service
+    const renameMatch = reqPath.match(/^\/rename\/([a-zA-Z0-9_-]+)$/);
+    if (method === "POST" && renameMatch) {
+      if (lockedGuard(res)) return;
+      const service = renameMatch[1].toLowerCase();
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+      const newName = (body.new_name || "").trim().toLowerCase();
+      if (!newName || !/^[a-z0-9_-]+$/.test(newName)) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid name — use lowercase letters, numbers, hyphens, underscores" }));
+      }
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.updateService(password, machineHash, token, timestamp, service, { name: newName, label: newName });
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, old_name: service, new_name: newName });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // POST /delete/:service — remove a service entirely
+    const deleteMatch = reqPath.match(/^\/delete\/([a-zA-Z0-9_-]+)$/);
+    if (method === "POST" && deleteMatch) {
+      if (lockedGuard(res)) return;
+      const service = deleteMatch[1].toLowerCase();
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.removeService(password, machineHash, token, timestamp, service, true);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, deleted: service });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
     }
 
     // POST /toggle/:service — enable or disable a service

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {