@logboard/cli 1.0.0

package/services/AuditService.js

@@ -0,0 +1,249 @@
+'use strict';
+const fsP = require('fs').promises;
+const path = require('path');
+const config = require('../config');
+
+
+class AuditService {
+	constructor (org) {
+		this._org = org || null;
+	}
+
+	_file (cfgRef, orgAttr) {
+		return this._org && this._org[orgAttr] ? this._org[orgAttr] : cfgRef;
+	}
+
+	_getFile () {
+		return this._file(config.AUDIT_FILE, 'auditFile');
+	}
+
+	// ── Write ─────────────────────────────────────────────────────────────────
+	async log (actor, action, target, meta = {}, ip = '') {
+		console.log('AUDIT', { actor, action, target, ...meta });
+		const entry = JSON.stringify({
+			ts: new Date().toISOString(),
+			actor: actor || 'system',
+			action,
+			target: target || '',
+			ip: ip || '',
+			...meta,
+		});
+		try {
+			await fsP.appendFile(this._getFile(), `${entry}\n`, 'utf8');
+		} catch {}
+	}
+
+	/** Track a page view with optional duration (seconds) */
+	async logPageView (username, page, durationSec, ip) {
+		await this.log(
+			username,
+			'page_view',
+			page,
+			{ durationSec: durationSec || 0 },
+			ip,
+		);
+	}
+
+	/** Track a log search / view event */
+	async logLogAccess (username, service, date, q, ip) {
+		await this.log(
+			username,
+			'log_view',
+			service,
+			{ date, q: q || '', filter: `${service}/${date}` },
+			ip,
+		);
+	}
+
+	// ── Read ──────────────────────────────────────────────────────────────────
+	async list ({ limit = 200, offset = 0, q = '', action = '' } = {}) {
+		try {
+			const raw = await fsP.readFile(this._getFile(), 'utf8');
+			let lines = raw.split('\n').filter(Boolean).reverse();
+			if (q) {
+				const lq = q.toLowerCase();
+				lines = lines.filter((l) => l.toLowerCase().includes(lq));
+			}
+			if (action) {
+				lines = lines.filter((l) => l.includes(`"action":"${action}"`));
+			}
+			const total = lines.length;
+			const page = lines.slice(offset, offset + limit).map((l) => {
+				try {
+					return JSON.parse(l);
+				} catch {
+					return { raw: l };
+				}
+			});
+			return { entries: page, total };
+		} catch (e) {
+			if (e.code === 'ENOENT') {
+				return { entries: [], total: 0 };
+			}
+			throw e;
+		}
+	}
+
+	async clear () {
+		await fsP.writeFile(this._getFile(), '', 'utf8');
+	}
+
+	// ── Analytics ─────────────────────────────────────────────────────────────
+	async getAnalytics (days = 7) {
+		try {
+			const raw = await fsP.readFile(this._getFile(), 'utf8');
+			const lines = raw.split('\n').filter(Boolean);
+			const cutoff = new Date(
+				Date.now() - days * 24 * 60 * 60 * 1000,
+			).toISOString();
+
+			// Parse only entries within the window
+			const entries = [];
+			for (const l of lines) {
+				try {
+					const e = JSON.parse(l);
+					if (e.ts >= cutoff) {
+						entries.push(e);
+					}
+				} catch {}
+			}
+
+			// ── 1. Activity by day ─────────────────────────────────────────────
+			const byDay = {};
+			for (let i = 0; i < days; i++) {
+				const d = new Date();
+				d.setDate(d.getDate() - i);
+				byDay[d.toISOString().slice(0, 10)] = 0;
+			}
+			entries.forEach((e) => {
+				const day = e.ts.slice(0, 10);
+				if (day in byDay) {
+					byDay[day]++;
+				}
+			});
+			const dailyActivity = Object.entries(byDay)
+				.sort(([a], [b]) => a.localeCompare(b))
+				.map(([date, count]) => ({ date, count }));
+
+			// ── 2. Action breakdown ────────────────────────────────────────────
+			const actionCounts = {};
+			entries.forEach((e) => {
+				actionCounts[e.action] = (actionCounts[e.action] || 0) + 1;
+			});
+			const topActions = Object.entries(actionCounts)
+				.sort(([, a], [, b]) => b - a)
+				.slice(0, 12)
+				.map(([action, count]) => ({ action, count }));
+
+			// ── 3. Most active users ───────────────────────────────────────────
+			const userCounts = {};
+			entries.forEach((e) => {
+				if (e.actor && e.actor !== 'system') {
+					userCounts[e.actor] = (userCounts[e.actor] || 0) + 1;
+				}
+			});
+			const topUsers = Object.entries(userCounts)
+				.sort(([, a], [, b]) => b - a)
+				.slice(0, 10)
+				.map(([actor, count]) => ({ actor, count }));
+
+			// ── 4. Most viewed pages ───────────────────────────────────────────
+			const pageCounts = {};
+			const pageTime = {};
+			entries
+				.filter((e) => e.action === 'page_view')
+				.forEach((e) => {
+					const p = e.target || 'unknown';
+					pageCounts[p] = (pageCounts[p] || 0) + 1;
+					pageTime[p] = (pageTime[p] || 0) + (e.durationSec || 0);
+				});
+			const topPages = Object.entries(pageCounts)
+				.sort(([, a], [, b]) => b - a)
+				.slice(0, 10)
+				.map(([page, views]) => ({
+					page,
+					views,
+					avgDurationSec: Math.round((pageTime[page] || 0) / views),
+				}));
+
+			// ── 5. Most accessed services (log views) ─────────────────────────
+			const svcCounts = {};
+			entries
+				.filter((e) => e.action === 'log_view')
+				.forEach((e) => {
+					svcCounts[e.target] = (svcCounts[e.target] || 0) + 1;
+				});
+			const topServices = Object.entries(svcCounts)
+				.sort(([, a], [, b]) => b - a)
+				.slice(0, 10)
+				.map(([service, views]) => ({ service, views }));
+
+			// ── 6. Login timeline ──────────────────────────────────────────────
+			const loginByDay = {};
+			Object.keys(byDay).forEach((d) => (loginByDay[d] = 0));
+			entries
+				.filter((e) => e.action === 'login')
+				.forEach((e) => {
+					const d = e.ts.slice(0, 10);
+					if (d in loginByDay) {
+						loginByDay[d]++;
+					}
+				});
+			const loginTimeline = Object.entries(loginByDay)
+				.sort(([a], [b]) => a.localeCompare(b))
+				.map(([date, logins]) => ({ date, logins }));
+
+			// ── 7. Settings changes ────────────────────────────────────────────
+			const settingsChanges = entries.filter(
+				(e) => e.action === 'settings_update',
+			).length;
+
+			// ── 8. Security events ─────────────────────────────────────────────
+			const securityEvents = entries.filter((e) =>
+				[
+					'login_fail',
+					'2fa_enable',
+					'2fa_disable',
+					'password_change',
+					'role_change',
+					'api_key_create',
+					'api_key_delete',
+				].includes(e.action),
+			);
+
+			return {
+				period: days,
+				totalEvents: entries.length,
+				uniqueUsers: Object.keys(userCounts).length,
+				dailyActivity,
+				topActions,
+				topUsers,
+				topPages,
+				topServices,
+				loginTimeline,
+				settingsChanges,
+				securityEvents: securityEvents.slice(-20).reverse(),
+				generatedAt: new Date().toISOString(),
+			};
+		} catch (e) {
+			if (e.code === 'ENOENT') {
+				return {
+					period: days,
+					totalEvents: 0,
+					uniqueUsers: 0,
+					dailyActivity: [],
+					topActions: [],
+					topUsers: [],
+					topPages: [],
+					topServices: [],
+					loginTimeline: [],
+					settingsChanges: 0,
+					securityEvents: [],
+				};
+			}
+			throw e;
+		}
+	}
+}
+
+module.exports = AuditService;

package/services/AuthService.js

@@ -0,0 +1,234 @@
+'use strict';
+const jwt = require('jsonwebtoken');
+const bcrypt = require('bcryptjs');
+const speakeasy = require('speakeasy');
+const QRCode = require('qrcode');
+const fsP = require('fs').promises;
+const config = require('../config');
+const logger = require('../lib/logger');
+
+// ── Org-aware user store helpers ──────────────────────────────────────────
+async function getUsers (org) {
+	const file = org ? org.usersFile : config.USERS_FILE;
+	try {
+		return JSON.parse(await fsP.readFile(file, 'utf8'));
+	} catch (e) {
+		if (e.code === 'ENOENT') {
+			return {};
+		}
+		throw e;
+	}
+}
+
+async function saveUsers (users, org) {
+	const file = org ? org.usersFile : config.USERS_FILE;
+	await fsP.writeFile(file, JSON.stringify(users, null, 2), 'utf8');
+}
+
+// ── Find which org a username belongs to (for login without org context) ──
+async function findUserOrg (username) {
+	const OrgService = require('./OrgService');
+	const orgs = await OrgService.getOrgs();
+	for (const slug of Object.keys(orgs)) {
+		const p = OrgService.orgPaths(slug);
+		try {
+			const users = JSON.parse(await fsP.readFile(p.usersFile, 'utf8'));
+			if (users[username]) {
+				return { slug, user: users[username] };
+			}
+		} catch {}
+	}
+	return null;
+}
+
+class AuthService {
+	// ── Login ─────────────────────────────────────────────────────────────────
+	// orgSlug is optional — if not provided, searches all orgs (legacy/single-tenant mode)
+	async login (username, password, totpToken, orgSlug) {
+		if (!username || !password) {
+			throw Object.assign(new Error('Username and password required'), {
+				status: 400,
+			});
+		}
+
+		let user = null;
+		let resolvedOrgSlug = orgSlug;
+
+		if (orgSlug) {
+			// Org-specific login
+			const OrgService = require('./OrgService');
+			const org = await OrgService.getOrg(orgSlug);
+			if (!org) {
+				throw Object.assign(new Error('Org not found'), { status: 404 });
+			}
+			const users = await getUsers(org);
+			user = users[username];
+		} else {
+			// Legacy mode — search all orgs then fall back to flat users file
+			const found = await findUserOrg(username);
+			if (found) {
+				user = found.user;
+				resolvedOrgSlug = found.slug;
+			} else {
+				// Check super-admins.json
+				try {
+					const SFILE = require('path').join(config.DATA_DIR, 'super-admins.json');
+					const sas   = JSON.parse(await fsP.readFile(SFILE, 'utf8'));
+					if (sas[username] && await bcrypt.compare(password, sas[username].password)) {
+						const t = jwt.sign({ username, role: 'super-admin', orgSlug: null }, config.JWT_SECRET, { expiresIn: '8h' });
+						logger.info('[Auth] Super-admin login: "' + username + '"');
+						return { token: t, role: 'super-admin', orgSlug: null, totpEnabled: false };
+					}
+				} catch {}
+				// Flat file fallback (pre-migration)
+				try {
+					const users = JSON.parse(
+						await fsP.readFile(config.USERS_FILE, 'utf8'),
+					);
+					user = users[username];
+					resolvedOrgSlug = 'default';
+				} catch {}
+			}
+		}
+
+		// Timing-safe comparison even when user doesn't exist
+		const dummyHash
+      = '$2a$10$invalidhashfortimingprotection000000000000000000000000';
+		const valid = await bcrypt.compare(
+			password,
+			user ? user.password : dummyHash,
+		);
+		if (!user || !valid) {
+			logger.warn(
+				`[Auth] Failed login: "${username}" (org: ${resolvedOrgSlug || 'none'})`,
+			);
+			throw Object.assign(new Error('Invalid credentials'), { status: 401 });
+		}
+
+		if (user.totpSecret) {
+			if (!totpToken) {
+				throw Object.assign(new Error('2FA token required'), { status: 401 });
+			}
+			const ok = speakeasy.totp.verify({
+				secret: user.totpSecret,
+				encoding: 'base32',
+				token: totpToken,
+				window: 1,
+			});
+			if (!ok) {
+				throw Object.assign(new Error('Invalid 2FA token'), { status: 401 });
+			}
+		}
+
+		// JWT includes orgSlug so every subsequent request knows the org
+		const payload = {
+			username,
+			role: user.role || 'viewer',
+			orgSlug: resolvedOrgSlug || 'default',
+		};
+		const token = jwt.sign(payload, config.JWT_SECRET, {
+			expiresIn: config.JWT_EXPIRES_IN || '24h',
+		});
+		logger.info(
+			`[Auth] Login: "${username}" (org: ${resolvedOrgSlug}, role: ${user.role || 'viewer'})`,
+		);
+		return {
+			token,
+			role: user.role || 'viewer',
+			orgSlug: resolvedOrgSlug || 'default',
+			totpEnabled: !!user.totpSecret,
+		};
+	}
+
+	// ── Super-admin login (no org — crosses all orgs) ─────────────────────────
+	async superAdminLogin (username, password) {
+		const SUPER_FILE = require('path').join(
+			config.DATA_DIR,
+			'super-admins.json',
+		);
+		let superAdmins = {};
+		try {
+			superAdmins = JSON.parse(await fsP.readFile(SUPER_FILE, 'utf8'));
+		} catch {}
+		const sa = superAdmins[username];
+		const dummyHash
+      = '$2a$10$invalidhashfortimingprotection000000000000000000000000';
+		const valid = await bcrypt.compare(password, sa ? sa.password : dummyHash);
+		if (!sa || !valid) {
+			throw Object.assign(new Error('Invalid super-admin credentials'), {
+				status: 401,
+			});
+		}
+		const token = jwt.sign(
+			{ username, role: 'super-admin', orgSlug: null },
+			config.JWT_SECRET,
+			{ expiresIn: '8h' },
+		);
+		return { token, role: 'super-admin' };
+	}
+
+	// ── TOTP ──────────────────────────────────────────────────────────────────
+	async setupTotp (username, org) {
+		const secret = speakeasy.generateSecret({
+			length: 20,
+			name: `LogBoard (${username})`,
+		});
+		const qr = await QRCode.toDataURL(secret.otpauth_url);
+		return { secret: secret.base32, otpauth: secret.otpauth_url, qr };
+	}
+
+	async enableTotp (username, base32Secret, token, org) {
+		const ok = speakeasy.totp.verify({
+			secret: base32Secret,
+			encoding: 'base32',
+			token,
+			window: 1,
+		});
+		if (!ok) {
+			throw Object.assign(new Error('Invalid OTP'), { status: 400 });
+		}
+		const users = await getUsers(org);
+		if (!users[username]) {
+			throw Object.assign(new Error('User not found'), { status: 404 });
+		}
+		users[username].totpSecret = base32Secret;
+		await saveUsers(users, org);
+	}
+
+	async disableTotp (username, org) {
+		const users = await getUsers(org);
+		if (!users[username]) {
+			throw Object.assign(new Error('User not found'), { status: 404 });
+		}
+		delete users[username].totpSecret;
+		await saveUsers(users, org);
+	}
+
+	async getTotpStatus (username, org) {
+		const users = await getUsers(org);
+		return { enabled: !!users[username]?.totpSecret };
+	}
+
+	// ── Password change ────────────────────────────────────────────────────────
+	async changePassword (username, oldPassword, newPassword, org) {
+		if (!newPassword || newPassword.length < 6) {
+			throw Object.assign(new Error('Password must be at least 6 chars'), {
+				status: 400,
+			});
+		}
+		const users = await getUsers(org);
+		if (!users[username]) {
+			throw Object.assign(new Error('User not found'), { status: 404 });
+		}
+		const valid = await bcrypt.compare(oldPassword, users[username].password);
+		if (!valid) {
+			throw Object.assign(new Error('Current password incorrect'), {
+				status: 401,
+			});
+		}
+		users[username].password = await bcrypt.hash(newPassword, 10);
+		await saveUsers(users, org);
+	}
+}
+
+module.exports = AuthService;

package/services/BookmarkService.js

@@ -0,0 +1,49 @@
+'use strict';
+const fsP = require('fs').promises;
+const path = require('path');
+const crypto = require('crypto');
+const config = require('../config');
+
+const FILE = path.join(config.DATA_DIR, 'bookmarks.json');
+
+class BookmarkService {
+	async _load () { try { return JSON.parse(await fsP.readFile(FILE, 'utf8')); } catch { return {}; } }
+	async _save (obj) { await fsP.writeFile(FILE, JSON.stringify(obj, null, 2), 'utf8'); }
+
+	async getAll (username) {
+		const db = await this._load();
+		return (db[username] || []).sort((a, b) => new Date(b.createdAt)-new Date(a.createdAt));
+	}
+
+	async create (username, { service, date, lineIndex, line, note }) {
+		const db = await this._load();
+		if (!db[username]) { db[username] = []; }
+		// Prevent duplicate bookmarks of same line
+		const exists = db[username].find((b) => b.service===service && b.date===date && b.lineIndex===lineIndex);
+		if (exists) { if (note) { exists.note = note; await this._save(db); } return exists; }
+		const entry = {
+			id: crypto.randomUUID(), service, date, lineIndex: Number(lineIndex),
+			line: (line||'').slice(0, 500), note: note||'',
+			createdAt: new Date().toISOString(), 
+		};
+		db[username].unshift(entry);
+		if (db[username].length > 200) { db[username] = db[username].slice(0, 200); }
+		await this._save(db);
+		return entry;
+	}
+
+	async updateNote (username, id, note) {
+		const db = await this._load();
+		const bm = (db[username]||[]).find((b) => b.id===id);
+		if (bm) { bm.note = note; await this._save(db); }
+		return bm;
+	}
+
+	async delete (username, id) {
+		const db = await this._load();
+		db[username] = (db[username]||[]).filter((b) => b.id !== id);
+		await this._save(db);
+	}
+}
+
+module.exports = new BookmarkService();

package/services/GlobalSettingsService.js

@@ -0,0 +1,44 @@
+'use strict';
+const fsP   = require('fs').promises;
+const path  = require('path');
+const config= require('../config');
+
+const FILE = () => path.join(config.DATA_DIR, 'global-settings.json');
+
+const DEFAULTS = {
+  registrationMode:     'open',   // 'open' | 'invite'
+  defaultPlan:          'free',
+  githubClientId:       '',
+  githubClientSecret:   '',
+  googleClientId:       '',
+  googleClientSecret:   '',
+  smtpHost:             '',
+  smtpPort:             587,
+  smtpUser:             '',
+  smtpPass:             '',
+  smtpFrom:             '',
+  appBaseUrl:           'http://localhost:9900',
+};
+
+class GlobalSettingsService {
+  async get() {
+    try { return { ...DEFAULTS, ...JSON.parse(await fsP.readFile(FILE(),'utf8')) }; }
+    catch(e) { if(e.code==='ENOENT') return { ...DEFAULTS }; throw e; }
+  }
+
+  async save(upd = {}) {
+    const cur  = await this.get();
+    const next = { ...cur };
+    const allowed = ['registrationMode','defaultPlan','githubClientId','githubClientSecret',
+                     'googleClientId','googleClientSecret','smtpHost','smtpPort','smtpUser',
+                     'smtpPass','smtpFrom','appBaseUrl'];
+    for (const k of allowed) {
+      if (upd[k] !== undefined && upd[k] !== '') next[k] = upd[k];
+    }
+    await fsP.mkdir(config.DATA_DIR, { recursive: true });
+    await fsP.writeFile(FILE(), JSON.stringify(next, null, 2), 'utf8');
+    return next;
+  }
+}
+
+module.exports = new GlobalSettingsService();