npm - @myrialabs/clopen - Versions diffs - 0.1.10 → 0.2.1 - Mend

@myrialabs/clopen 0.1.10 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/README.md +23 -1
package/backend/index.ts +20 -0
package/backend/lib/auth/auth-service.ts +484 -0
package/backend/lib/auth/index.ts +4 -0
package/backend/lib/auth/permissions.ts +63 -0
package/backend/lib/auth/rate-limiter.ts +145 -0
package/backend/lib/auth/tokens.ts +53 -0
package/backend/lib/database/migrations/024_create_users_table.ts +29 -0
package/backend/lib/database/migrations/025_create_auth_sessions_table.ts +38 -0
package/backend/lib/database/migrations/026_create_invite_tokens_table.ts +31 -0
package/backend/lib/database/migrations/index.ts +21 -0
package/backend/lib/database/queries/auth-queries.ts +201 -0
package/backend/lib/database/queries/index.ts +2 -1
package/backend/lib/engine/adapters/opencode/server.ts +1 -1
package/backend/lib/mcp/config.ts +13 -18
package/backend/lib/mcp/index.ts +9 -0
package/backend/lib/mcp/remote-server.ts +132 -0
package/backend/lib/mcp/servers/helper.ts +49 -3
package/backend/lib/mcp/servers/index.ts +3 -2
package/backend/lib/preview/browser/browser-audio-capture.ts +20 -3
package/backend/lib/preview/browser/browser-navigation-tracker.ts +3 -0
package/backend/lib/preview/browser/browser-pool.ts +73 -176
package/backend/lib/preview/browser/browser-preview-service.ts +3 -2
package/backend/lib/preview/browser/browser-tab-manager.ts +261 -23
package/backend/lib/preview/browser/browser-video-capture.ts +36 -1
package/backend/lib/utils/ws.ts +87 -1
package/backend/ws/auth/index.ts +21 -0
package/backend/ws/auth/invites.ts +84 -0
package/backend/ws/auth/login.ts +283 -0
package/backend/ws/auth/status.ts +41 -0
package/backend/ws/auth/users.ts +32 -0
package/backend/ws/engine/claude/accounts.ts +3 -1
package/backend/ws/engine/utils.ts +38 -6
package/backend/ws/index.ts +4 -4
package/backend/ws/preview/browser/interact.ts +27 -5
package/bin/clopen.ts +39 -0
package/bun.lock +113 -51
package/frontend/App.svelte +47 -29
package/frontend/lib/components/auth/InvitePage.svelte +215 -0
package/frontend/lib/components/auth/LoginPage.svelte +129 -0
package/frontend/lib/components/auth/SetupPage.svelte +1022 -0
package/frontend/lib/components/common/FolderBrowser.svelte +9 -9
package/frontend/lib/components/common/UpdateBanner.svelte +2 -2
package/frontend/lib/components/preview/browser/BrowserPreview.svelte +1 -1
package/frontend/lib/components/preview/browser/core/mcp-handlers.svelte.ts +12 -4
package/frontend/lib/components/settings/SettingsModal.svelte +50 -15
package/frontend/lib/components/settings/SettingsView.svelte +21 -7
package/frontend/lib/components/settings/account/AccountSettings.svelte +5 -0
package/frontend/lib/components/settings/admin/InviteManagement.svelte +239 -0
package/frontend/lib/components/settings/admin/UserManagement.svelte +127 -0
package/frontend/lib/components/settings/general/AdvancedSettings.svelte +10 -4
package/frontend/lib/components/settings/general/AuthModeSettings.svelte +229 -0
package/frontend/lib/components/settings/general/GeneralSettings.svelte +6 -1
package/frontend/lib/components/settings/general/UpdateSettings.svelte +5 -5
package/frontend/lib/components/settings/security/SecuritySettings.svelte +10 -0
package/frontend/lib/components/settings/system/SystemSettings.svelte +10 -0
package/frontend/lib/components/settings/user/UserSettings.svelte +147 -74
package/frontend/lib/components/workspace/WorkspaceLayout.svelte +5 -10
package/frontend/lib/services/preview/browser/browser-webcodecs.service.ts +31 -8
package/frontend/lib/stores/features/auth.svelte.ts +308 -0
package/frontend/lib/stores/features/settings.svelte.ts +53 -9
package/frontend/lib/stores/features/user.svelte.ts +26 -68
package/frontend/lib/stores/ui/settings-modal.svelte.ts +42 -21
package/frontend/lib/stores/ui/update.svelte.ts +2 -2
package/package.json +8 -6
package/shared/types/stores/settings.ts +16 -2
package/shared/utils/logger.ts +1 -0
package/shared/utils/ws-client.ts +30 -13
package/shared/utils/ws-server.ts +42 -4
package/backend/lib/mcp/stdio-server.ts +0 -103
package/backend/ws/mcp/index.ts +0 -61

package/README.md CHANGED Viewed

@@ -18,6 +18,7 @@
 - **Integrated Terminal** - Multi-tab terminal with full PTY control
 - **File Management** - Directory browsing, live editing, and real-time file watching
 - **Git Management** - Full source control: staging, commits, branches, push/pull, stash, log, conflict resolution
+- **Flexible Authentication** - No Login or With Login mode with admin/member roles, invite links, rate-limited login, CLI token recovery — configurable during setup and in Settings
 - **Real-time Collaboration** - Multiple users can work on the same project simultaneously
 - **Built-in Cloudflare Tunnel** - Expose local projects publicly for testing and sharing
@@ -48,7 +49,7 @@ Or manually via Bun:
 bun add -g @myrialabs/clopen
 ```
-You can also update from the **Settings > General > Updates** section in the web UI.
+You can also update from the **Settings > System > Updates** section in the web UI.
 ### Usage
@@ -58,6 +59,27 @@ clopen
 Starts the server on `http://localhost:9141`.
+### First-Time Setup
+On first launch, a setup wizard guides you through:
+1. **Authentication mode** — Choose between **No Login** (no authentication required, ideal for personal/local use) or **With Login** (login with Personal Access Token, supports team collaboration)
+2. **Admin account** — If With Login mode is selected, create your admin account and save the generated PAT
+3. **AI Engines** — Check Claude Code and OpenCode installation status
+4. **Preferences** — Set theme, font size, and notification preferences
+You can change the authentication mode anytime in **Settings > Security > Authentication**.
+To invite team members (With Login mode), go to **Settings > Team > Invite** and generate an invite link (valid for 15 minutes).
+If you lose your admin token:
+```bash
+clopen reset-pat
+```
+This regenerates and displays a new admin PAT.
 ---
 ## Development

package/backend/index.ts CHANGED Viewed

@@ -28,6 +28,20 @@ import { statSync } from 'node:fs';
 // Import WebSocket router
 import { wsRouter } from './ws';
+// MCP remote server for Open Code custom tools
+import { handleMcpRequest, closeMcpServer } from './lib/mcp/remote-server';
+// Auth middleware
+import { checkRouteAccess } from './lib/auth/permissions';
+import { ws as wsServer } from './lib/utils/ws';
+// Register auth gate on WebSocket router — blocks unauthenticated/unauthorized access
+wsRouter.setAuthMiddleware(async (conn, action) => {
+	const isAuth = wsServer.isAuthenticated(conn);
+	const role = wsServer.getRole(conn);
+	return checkRouteAccess(action, isAuth, role);
+});
 /**
  * Clopen - Elysia Backend Server
  *
@@ -63,6 +77,10 @@ const app = new Elysia()
 		environment: SERVER_ENV.NODE_ENV
 	}))
+	// MCP remote server endpoint for Open Code custom tools
+	// Handles GET (SSE stream), POST (JSON-RPC), DELETE (session close)
+	.all('/mcp', async ({ request }) => handleMcpRequest(request))
 	// Mount WebSocket router (all functionality now via WebSocket)
 	.use(wsRouter.asPlugin('/ws'));
@@ -141,6 +159,8 @@ startServer().catch((error) => {
 async function gracefulShutdown() {
 	console.log('\n🛑 Shutting down server...');
 	try {
+		// Close MCP remote server (before engines, as they may still reference it)
+		await closeMcpServer();
 		// Dispose all AI engines
 		await disposeAllEngines();
 		// Stop accepting new connections

package/backend/lib/auth/auth-service.ts ADDED Viewed

@@ -0,0 +1,484 @@
+/**
+ * Auth Service
+ *
+ * Core authentication logic: user creation, session management, invite handling.
+ */
+import { authQueries, settingsQueries } from '$backend/lib/database/queries';
+import { generateSessionToken, generatePAT, generateInviteToken, hashToken, getTokenType } from './tokens';
+import { generateColorFromString, getInitials } from '$backend/lib/user/helpers';
+import { debug } from '$shared/utils/logger';
+/** Default session lifetime in days */
+const DEFAULT_SESSION_DAYS = 30;
+export interface AuthUser {
+	id: string;
+	name: string;
+	color: string;
+	avatar: string;
+	role: 'admin' | 'member';
+	createdAt: string;
+}
+export interface AuthResult {
+	user: AuthUser;
+	sessionToken: string;
+	expiresAt: string;
+}
+export interface SetupResult extends AuthResult {
+	personalAccessToken: string;
+}
+function toAuthUser(dbUser: { id: string; name: string; color: string; avatar: string; role: 'admin' | 'member'; created_at: string }): AuthUser {
+	return {
+		id: dbUser.id,
+		name: dbUser.name,
+		color: dbUser.color,
+		avatar: dbUser.avatar,
+		role: dbUser.role,
+		createdAt: dbUser.created_at
+	};
+}
+function createSessionForUser(userId: string, sessionDays?: number): { sessionToken: string; expiresAt: string; tokenHash: string } {
+	const days = sessionDays ?? DEFAULT_SESSION_DAYS;
+	const sessionToken = generateSessionToken();
+	const tokenHash = hashToken(sessionToken);
+	const now = new Date().toISOString();
+	const expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toISOString();
+	authQueries.createSession({
+		id: `session-${crypto.randomUUID()}`,
+		user_id: userId,
+		token_hash: tokenHash,
+		expires_at: expiresAt,
+		created_at: now,
+		last_active_at: now
+	});
+	return { sessionToken, expiresAt, tokenHash };
+}
+/**
+ * Check if the system needs initial setup (no users exist)
+ */
+export function needsSetup(): boolean {
+	return authQueries.countUsers() === 0;
+}
+/**
+ * Get parsed system settings from DB (cached per call).
+ */
+function getSystemSettingsParsed(): Record<string, unknown> {
+	try {
+		const setting = settingsQueries.get('system:settings');
+		if (setting?.value) {
+			return typeof setting.value === 'string' ? JSON.parse(setting.value) : setting.value;
+		}
+	} catch {
+		// Settings may not exist yet
+	}
+	return {};
+}
+/**
+ * Get the current auth mode from system settings.
+ * Returns 'required' by default (before setup is complete).
+ */
+export function getAuthMode(): 'none' | 'required' {
+	const parsed = getSystemSettingsParsed();
+	if (parsed.authMode === 'none' || parsed.authMode === 'required') {
+		return parsed.authMode as 'none' | 'required';
+	}
+	return 'required';
+}
+/**
+ * Check if the initial onboarding wizard has been completed.
+ */
+export function isOnboardingComplete(): boolean {
+	const parsed = getSystemSettingsParsed();
+	return parsed.onboardingComplete === true;
+}
+/**
+ * Create a default admin user for no-auth mode.
+ * Does not generate a PAT (not needed for no-auth).
+ * If users already exist, returns the first admin.
+ */
+export function createOrGetNoAuthAdmin(): AuthResult {
+	// If users already exist, return the first admin
+	const existingUsers = authQueries.getAllUsers();
+	const existingAdmin = existingUsers.find(u => u.role === 'admin');
+	if (existingAdmin) {
+		const { sessionToken, expiresAt } = createSessionForUser(existingAdmin.id);
+		debug.log('auth', `No-auth mode: reusing existing admin: ${existingAdmin.name} (${existingAdmin.id})`);
+		return {
+			user: toAuthUser(existingAdmin),
+			sessionToken,
+			expiresAt
+		};
+	}
+	// Create default admin
+	const userId = `user-${crypto.randomUUID()}`;
+	const now = new Date().toISOString();
+	const defaultName = 'Admin';
+	const dbUser = authQueries.createUser({
+		id: userId,
+		name: defaultName,
+		color: generateColorFromString(defaultName),
+		avatar: getInitials(defaultName),
+		role: 'admin',
+		personal_access_token_hash: '', // No PAT for no-auth mode
+		created_at: now
+	});
+	const { sessionToken, expiresAt } = createSessionForUser(userId);
+	debug.log('auth', `No-auth mode: created default admin: ${defaultName} (${userId})`);
+	return {
+		user: toAuthUser(dbUser),
+		sessionToken,
+		expiresAt
+	};
+}
+/**
+ * Create the first admin user (setup flow)
+ * Only works when no users exist.
+ */
+export function createAdmin(name: string): SetupResult {
+	if (!needsSetup()) {
+		throw new Error('Setup already completed. Admin account exists.');
+	}
+	const trimmedName = name.trim();
+	if (trimmedName.length === 0) {
+		throw new Error('Name cannot be empty');
+	}
+	const userId = `user-${crypto.randomUUID()}`;
+	const now = new Date().toISOString();
+	const pat = generatePAT();
+	const patHash = hashToken(pat);
+	const dbUser = authQueries.createUser({
+		id: userId,
+		name: trimmedName,
+		color: generateColorFromString(trimmedName),
+		avatar: getInitials(trimmedName),
+		role: 'admin',
+		personal_access_token_hash: patHash,
+		created_at: now
+	});
+	const { sessionToken, expiresAt } = createSessionForUser(userId);
+	debug.log('auth', `Admin account created: ${trimmedName} (${userId})`);
+	return {
+		user: toAuthUser(dbUser),
+		sessionToken,
+		expiresAt,
+		personalAccessToken: pat
+	};
+}
+/**
+ * Create a user from an invite token
+ */
+export function createUserFromInvite(rawInviteToken: string, name: string): SetupResult {
+	const trimmedName = name.trim();
+	if (trimmedName.length === 0) {
+		throw new Error('Name cannot be empty');
+	}
+	const inviteHash = hashToken(rawInviteToken);
+	const invite = authQueries.getInviteByTokenHash(inviteHash);
+	if (!invite) {
+		throw new Error('Invalid invite token');
+	}
+	// Check expiry
+	if (invite.expires_at && new Date(invite.expires_at) < new Date()) {
+		throw new Error('Invite token has expired');
+	}
+	// Check max uses
+	if (invite.max_uses > 0 && invite.use_count >= invite.max_uses) {
+		throw new Error('Invite token has reached maximum uses');
+	}
+	// Only allow creating member role from invite (single admin policy)
+	const role: 'admin' | 'member' = 'member';
+	const userId = `user-${crypto.randomUUID()}`;
+	const now = new Date().toISOString();
+	const pat = generatePAT();
+	const patHash = hashToken(pat);
+	const dbUser = authQueries.createUser({
+		id: userId,
+		name: trimmedName,
+		color: generateColorFromString(trimmedName),
+		avatar: getInitials(trimmedName),
+		role,
+		personal_access_token_hash: patHash,
+		created_at: now
+	});
+	// Increment invite use count
+	authQueries.incrementUseCount(invite.id);
+	const { sessionToken, expiresAt } = createSessionForUser(userId);
+	debug.log('auth', `User created from invite: ${trimmedName} (${userId}), role: ${role}`);
+	return {
+		user: toAuthUser(dbUser),
+		sessionToken,
+		expiresAt,
+		personalAccessToken: pat
+	};
+}
+/**
+ * Login with a token (PAT or session token)
+ */
+export function loginWithToken(token: string): AuthResult & { tokenHash: string } {
+	const tokenType = getTokenType(token);
+	const tokenHash = hashToken(token);
+	if (tokenType === 'pat') {
+		// PAT login — find user by PAT hash, create new session
+		const user = authQueries.getUserByPatHash(tokenHash);
+		if (!user) {
+			throw new Error('Invalid access token');
+		}
+		const session = createSessionForUser(user.id);
+		debug.log('auth', `PAT login: ${user.name} (${user.id})`);
+		return {
+			user: toAuthUser(user),
+			sessionToken: session.sessionToken,
+			expiresAt: session.expiresAt,
+			tokenHash: session.tokenHash
+		};
+	}
+	if (tokenType === 'session') {
+		// Session token login — validate existing session
+		const session = authQueries.getSessionByTokenHash(tokenHash);
+		if (!session) {
+			throw new Error('Invalid session token');
+		}
+		// Check expiry
+		if (new Date(session.expires_at) < new Date()) {
+			authQueries.deleteSession(session.id);
+			throw new Error('Session expired');
+		}
+		// Update last active
+		authQueries.updateLastActive(session.id);
+		const user = authQueries.getUserById(session.user_id);
+		if (!user) {
+			authQueries.deleteSession(session.id);
+			throw new Error('User not found');
+		}
+		debug.log('auth', `Session login: ${user.name} (${user.id})`);
+		return {
+			user: toAuthUser(user),
+			sessionToken: token,
+			expiresAt: session.expires_at,
+			tokenHash
+		};
+	}
+	throw new Error('Invalid token format');
+}
+/**
+ * Logout — delete session by token hash
+ */
+export function logout(tokenHash: string): void {
+	authQueries.deleteSessionByTokenHash(tokenHash);
+	debug.log('auth', 'Session deleted');
+}
+/**
+ * Get user by ID
+ */
+export function getUserById(id: string): AuthUser | null {
+	const user = authQueries.getUserById(id);
+	return user ? toAuthUser(user) : null;
+}
+/**
+ * List all users
+ */
+export function listUsers(): AuthUser[] {
+	return authQueries.getAllUsers().map(toAuthUser);
+}
+/**
+ * Remove a user (prevents removing the last admin)
+ */
+export function removeUser(userId: string): void {
+	const user = authQueries.getUserById(userId);
+	if (!user) {
+		throw new Error('User not found');
+	}
+	if (user.role === 'admin' && authQueries.countAdmins() <= 1) {
+		throw new Error('Cannot remove the last admin');
+	}
+	// Delete all sessions for this user
+	authQueries.deleteSessionsByUserId(userId);
+	// Delete the user (cascade will handle invite_tokens.created_by)
+	authQueries.deleteUser(userId);
+	debug.log('auth', `User removed: ${user.name} (${userId})`);
+}
+/**
+ * Create an invite token
+ */
+export function createInvite(
+	createdBy: string,
+	options: { label?: string; maxUses?: number; expiresInMinutes?: number }
+): { inviteToken: string; invite: ReturnType<typeof authQueries.getInviteByTokenHash> } {
+	const rawToken = generateInviteToken();
+	const tokenHash = hashToken(rawToken);
+	const now = new Date().toISOString();
+	const expiresAt = options.expiresInMinutes
+		? new Date(Date.now() + options.expiresInMinutes * 60 * 1000).toISOString()
+		: null;
+	const invite = authQueries.createInvite({
+		id: `invite-${crypto.randomUUID()}`,
+		token_hash: tokenHash,
+		role: 'member',
+		label: options.label ?? null,
+		created_by: createdBy,
+		max_uses: options.maxUses ?? 1,
+		use_count: 0,
+		expires_at: expiresAt,
+		created_at: now
+	});
+	debug.log('auth', `Invite created by ${createdBy}: ${invite.id}`);
+	return { inviteToken: rawToken, invite };
+}
+/**
+ * Validate an invite token (without using it)
+ */
+export function validateInviteToken(rawToken: string): { valid: boolean; role?: string; error?: string } {
+	const tokenHash = hashToken(rawToken);
+	const invite = authQueries.getInviteByTokenHash(tokenHash);
+	if (!invite) {
+		return { valid: false, error: 'Invalid invite token' };
+	}
+	if (invite.expires_at && new Date(invite.expires_at) < new Date()) {
+		return { valid: false, error: 'Invite has expired' };
+	}
+	if (invite.max_uses > 0 && invite.use_count >= invite.max_uses) {
+		return { valid: false, error: 'Invite has reached maximum uses' };
+	}
+	return { valid: true, role: invite.role };
+}
+/**
+ * List all invites
+ */
+export function listInvites() {
+	return authQueries.getAllInvites();
+}
+/**
+ * Revoke an invite
+ */
+export function revokeInvite(id: string): void {
+	authQueries.revokeInvite(id);
+	debug.log('auth', `Invite revoked: ${id}`);
+}
+/**
+ * Regenerate Personal Access Token for a user
+ */
+export function regeneratePAT(userId: string): string {
+	const user = authQueries.getUserById(userId);
+	if (!user) {
+		throw new Error('User not found');
+	}
+	const pat = generatePAT();
+	const patHash = hashToken(pat);
+	authQueries.updateUser(userId, { personal_access_token_hash: patHash });
+	debug.log('auth', `PAT regenerated for user: ${userId}`);
+	return pat;
+}
+/**
+ * Update user display name
+ */
+export function updateUserName(userId: string, newName: string): AuthUser {
+	const trimmedName = newName.trim();
+	if (trimmedName.length === 0) {
+		throw new Error('Name cannot be empty');
+	}
+	authQueries.updateUser(userId, {
+		name: trimmedName,
+		color: generateColorFromString(trimmedName),
+		avatar: getInitials(trimmedName)
+	});
+	const updated = authQueries.getUserById(userId);
+	if (!updated) {
+		throw new Error('User not found after update');
+	}
+	return toAuthUser(updated);
+}
+/**
+ * Logout all sessions (all users)
+ */
+export function logoutAllSessions(): number {
+	const count = authQueries.deleteAllSessions();
+	debug.log('auth', `All sessions deleted: ${count}`);
+	return count;
+}
+/**
+ * Cleanup expired sessions
+ */
+export function cleanupExpiredSessions(): number {
+	const count = authQueries.deleteExpiredSessions();
+	if (count > 0) {
+		debug.log('auth', `Cleaned up ${count} expired sessions`);
+	}
+	return count;
+}

package/backend/lib/auth/index.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export * from './tokens';
+export * from './auth-service';
+export * from './permissions';
+export { authRateLimiter } from './rate-limiter';

package/backend/lib/auth/permissions.ts ADDED Viewed

@@ -0,0 +1,63 @@
+/**
+ * Route Permission Configuration
+ *
+ * Defines which WebSocket routes require authentication and which require admin role.
+ * Used by the auth gate in WSRouter.handleMessage().
+ */
+import { getAuthMode } from './auth-service';
+/** Routes that can be accessed WITHOUT authentication */
+export const PUBLIC_ROUTES = new Set([
+	'auth:status',
+	'auth:login',
+	'auth:setup',
+	'auth:setup-no-auth',
+	'auth:auto-login-no-auth',
+	'auth:accept-invite',
+	'auth:validate-invite',
+	'ws:set-context'
+]);
+/** Routes that require admin role */
+export const ADMIN_ONLY_ROUTES = new Set([
+	'auth:create-invite',
+	'auth:list-invites',
+	'auth:revoke-invite',
+	'auth:list-users',
+	'auth:remove-user',
+	'settings:update-system'
+]);
+/**
+ * Check if a route action is allowed for the given auth state.
+ * In no-auth mode, all routes are allowed (bypasses authentication check).
+ */
+export function checkRouteAccess(
+	action: string,
+	authenticated: boolean,
+	role: string | null
+): { allowed: boolean; error?: string } {
+	// Public routes — always allowed
+	if (PUBLIC_ROUTES.has(action)) {
+		return { allowed: true };
+	}
+	// No-auth mode — bypass authentication for all routes
+	if (getAuthMode() === 'none') {
+		return { allowed: true };
+	}
+	// Must be authenticated for everything else
+	if (!authenticated) {
+		return { allowed: false, error: 'Authentication required' };
+	}
+	// Admin-only routes
+	if (ADMIN_ONLY_ROUTES.has(action) && role !== 'admin') {
+		return { allowed: false, error: 'Admin access required' };
+	}
+	// All other routes — any authenticated user
+	return { allowed: true };
+}