@myrialabs/clopen 0.1.10 → 0.2.1

package/backend/ws/auth/login.ts

@@ -0,0 +1,283 @@
+import { t } from 'elysia';
+import { createRouter } from '$shared/utils/ws-server';
+import {
+	createAdmin,
+	getAuthMode,
+	loginWithToken,
+	createUserFromInvite,
+	logout,
+	logoutAllSessions,
+	validateInviteToken,
+	regeneratePAT,
+	updateUserName,
+	createOrGetNoAuthAdmin,
+	needsSetup
+} from '$backend/lib/auth/auth-service';
+import { settingsQueries } from '$backend/lib/database/queries';
+import { getTokenType } from '$backend/lib/auth/tokens';
+import { authRateLimiter } from '$backend/lib/auth/rate-limiter';
+import { ws } from '$backend/lib/utils/ws';
+
+const authUserSchema = t.Object({
+	id: t.String(),
+	name: t.String(),
+	role: t.Union([t.Literal('admin'), t.Literal('member')]),
+	color: t.String(),
+	avatar: t.String(),
+	createdAt: t.String()
+});
+
+export const loginHandler = createRouter()
+	// Setup — create first admin (only works when no users exist)
+	.http('auth:setup', {
+		data: t.Object({
+			name: t.String({ minLength: 1 })
+		}),
+		response: t.Object({
+			user: authUserSchema,
+			sessionToken: t.String(),
+			personalAccessToken: t.String(),
+			expiresAt: t.String()
+		})
+	}, async ({ data, conn }) => {
+		const result = createAdmin(data.name);
+
+		// Save authMode to system settings
+		const currentSettings = settingsQueries.get('system:settings');
+		const parsed = currentSettings?.value
+			? (typeof currentSettings.value === 'string' ? JSON.parse(currentSettings.value) : currentSettings.value)
+			: {};
+		parsed.authMode = 'required';
+		settingsQueries.set('system:settings', JSON.stringify(parsed));
+
+		// Set auth on connection
+		const tokenHash = (await import('$backend/lib/auth/tokens')).hashToken(result.sessionToken);
+		ws.setAuth(conn, result.user.id, result.user.role, tokenHash);
+
+		return result;
+	})
+
+	// Setup no-auth mode — create default admin, save authMode setting
+	.http('auth:setup-no-auth', {
+		data: t.Object({}),
+		response: t.Object({
+			user: authUserSchema,
+			sessionToken: t.String(),
+			expiresAt: t.String()
+		})
+	}, async ({ conn }) => {
+		if (!needsSetup()) {
+			throw new Error('Setup already completed.');
+		}
+
+		// Save authMode to system settings
+		const currentSettings = settingsQueries.get('system:settings');
+		const parsed = currentSettings?.value
+			? (typeof currentSettings.value === 'string' ? JSON.parse(currentSettings.value) : currentSettings.value)
+			: {};
+		parsed.authMode = 'none';
+		settingsQueries.set('system:settings', JSON.stringify(parsed));
+
+		// Create or get default admin
+		const result = createOrGetNoAuthAdmin();
+
+		// Set auth on connection
+		const tokenHash = (await import('$backend/lib/auth/tokens')).hashToken(result.sessionToken);
+		ws.setAuth(conn, result.user.id, result.user.role, tokenHash);
+
+		return result;
+	})
+
+	// Auto-login for no-auth mode (returning visitors)
+	.http('auth:auto-login-no-auth', {
+		data: t.Object({}),
+		response: t.Object({
+			user: authUserSchema,
+			sessionToken: t.String(),
+			expiresAt: t.String()
+		})
+	}, async ({ conn }) => {
+		if (getAuthMode() !== 'none') {
+			throw new Error('Auto-login is only available in no-auth mode');
+		}
+
+		const result = createOrGetNoAuthAdmin();
+
+		// Set auth on connection
+		const tokenHash = (await import('$backend/lib/auth/tokens')).hashToken(result.sessionToken);
+		ws.setAuth(conn, result.user.id, result.user.role, tokenHash);
+
+		return result;
+	})
+
+	// Login with token (PAT or session token)
+	.http('auth:login', {
+		data: t.Object({
+			token: t.String({ minLength: 1 })
+		}),
+		response: t.Object({
+			user: authUserSchema,
+			sessionToken: t.String(),
+			expiresAt: t.String()
+		})
+	}, async ({ data, conn }) => {
+		const ip = ws.getRemoteAddress(conn);
+		const tokenType = getTokenType(data.token);
+
+		// Session tokens are re-authentication (reconnect) — skip rate limit entirely.
+		// Only rate-limit PAT and unknown tokens (brute-force targets).
+		const isRateLimited = tokenType !== 'session';
+
+		if (isRateLimited) {
+			const rateLimitError = authRateLimiter.check(ip, 'auth:login');
+			if (rateLimitError) {
+				throw new Error(rateLimitError);
+			}
+		}
+
+		try {
+			const result = loginWithToken(data.token);
+
+			// Success — clear any rate limit record for this IP
+			if (isRateLimited) {
+				authRateLimiter.recordSuccess(ip);
+			}
+
+			// Set auth on connection
+			ws.setAuth(conn, result.user.id, result.user.role, result.tokenHash);
+
+			return {
+				user: result.user,
+				sessionToken: result.sessionToken,
+				expiresAt: result.expiresAt
+			};
+		} catch (err) {
+			// Record failure for rate limiting (only non-session tokens)
+			if (isRateLimited) {
+				authRateLimiter.recordFailure(ip, 'auth:login');
+			}
+			throw err;
+		}
+	})
+
+	// Accept invite — create user from invite token
+	.http('auth:accept-invite', {
+		data: t.Object({
+			inviteToken: t.String({ minLength: 1 }),
+			name: t.String({ minLength: 1 })
+		}),
+		response: t.Object({
+			user: authUserSchema,
+			sessionToken: t.String(),
+			personalAccessToken: t.String(),
+			expiresAt: t.String()
+		})
+	}, async ({ data, conn }) => {
+		const ip = ws.getRemoteAddress(conn);
+
+		// Rate limit check
+		const rateLimitError = authRateLimiter.check(ip, 'auth:accept-invite');
+		if (rateLimitError) {
+			throw new Error(rateLimitError);
+		}
+
+		try {
+			const result = createUserFromInvite(data.inviteToken, data.name);
+
+			authRateLimiter.recordSuccess(ip);
+
+			// Set auth on connection
+			const tokenHash = (await import('$backend/lib/auth/tokens')).hashToken(result.sessionToken);
+			ws.setAuth(conn, result.user.id, result.user.role, tokenHash);
+
+			return result;
+		} catch (err) {
+			authRateLimiter.recordFailure(ip, 'auth:accept-invite');
+			throw err;
+		}
+	})
+
+	// Validate invite token (for UI, doesn't consume the invite)
+	.http('auth:validate-invite', {
+		data: t.Object({
+			inviteToken: t.String({ minLength: 1 })
+		}),
+		response: t.Object({
+			valid: t.Boolean(),
+			error: t.Optional(t.String())
+		})
+	}, async ({ data, conn }) => {
+		const ip = ws.getRemoteAddress(conn);
+
+		const rateLimitError = authRateLimiter.check(ip, 'auth:validate-invite');
+		if (rateLimitError) {
+			return { valid: false, error: rateLimitError };
+		}
+
+		const result = validateInviteToken(data.inviteToken);
+
+		// Record failure if invalid token (probing)
+		if (!result.valid) {
+			authRateLimiter.recordFailure(ip, 'auth:validate-invite');
+		}
+
+		return { valid: result.valid, error: result.error };
+	})
+
+	// Logout — clear session
+	.http('auth:logout', {
+		data: t.Object({}),
+		response: t.Object({
+			success: t.Boolean()
+		})
+	}, async ({ conn }) => {
+		const state = ws.getConnectionState(conn);
+		if (state?.sessionTokenHash) {
+			logout(state.sessionTokenHash);
+		}
+		ws.clearAuth(conn);
+		return { success: true };
+	})
+
+	// Regenerate Personal Access Token
+	.http('auth:regenerate-pat', {
+		data: t.Object({}),
+		response: t.Object({
+			personalAccessToken: t.String()
+		})
+	}, async ({ conn }) => {
+		const userId = ws.getUserId(conn);
+		const pat = regeneratePAT(userId);
+		return { personalAccessToken: pat };
+	})
+
+	// Logout all sessions (admin only — used when switching auth mode)
+	.http('auth:logout-all', {
+		data: t.Object({}),
+		response: t.Object({
+			count: t.Number()
+		})
+	}, async () => {
+		const count = logoutAllSessions();
+
+		// Broadcast force-logout to ALL connected clients before clearing auth.
+		// This ensures clients receive the event while still connected.
+		ws.emit.global('auth:force-logout', { reason: 'Auth mode changed' });
+
+		// Clear in-memory auth state on all active WebSocket connections.
+		// After this, the auth gate will block any further messages.
+		ws.clearAllAuth();
+
+		return { count };
+	})
+
+	// Update display name (authenticated user)
+	.http('auth:update-name', {
+		data: t.Object({
+			newName: t.String({ minLength: 1 })
+		}),
+		response: authUserSchema
+	}, async ({ data, conn }) => {
+		const userId = ws.getUserId(conn);
+		return updateUserName(userId, data.newName);
+	});

package/backend/ws/auth/status.ts

@@ -0,0 +1,41 @@
+import { t } from 'elysia';
+import { createRouter } from '$shared/utils/ws-server';
+import { needsSetup, getUserById, getAuthMode, isOnboardingComplete } from '$backend/lib/auth/auth-service';
+import { ws } from '$backend/lib/utils/ws';
+
+export const statusHandler = createRouter()
+	.http('auth:status', {
+		data: t.Object({}),
+		response: t.Object({
+			needsSetup: t.Boolean(),
+			onboardingComplete: t.Boolean(),
+			authenticated: t.Boolean(),
+			authMode: t.Union([t.Literal('none'), t.Literal('required')]),
+			user: t.Optional(t.Object({
+				id: t.String(),
+				name: t.String(),
+				role: t.Union([t.Literal('admin'), t.Literal('member')]),
+				color: t.String(),
+				avatar: t.String(),
+				createdAt: t.String()
+			}))
+		})
+	}, async ({ conn }) => {
+		const setup = needsSetup();
+		const onboardingDone = isOnboardingComplete();
+		const authMode = getAuthMode();
+		const authenticated = ws.isAuthenticated(conn);
+
+		let user = undefined;
+		if (authenticated) {
+			const state = ws.getConnectionState(conn);
+			if (state?.userId) {
+				const dbUser = getUserById(state.userId);
+				if (dbUser) {
+					user = dbUser;
+				}
+			}
+		}
+
+		return { needsSetup: setup, onboardingComplete: onboardingDone, authenticated, authMode, user };
+	});

package/backend/ws/auth/users.ts

@@ -0,0 +1,32 @@
+import { t } from 'elysia';
+import { createRouter } from '$shared/utils/ws-server';
+import { listUsers, removeUser } from '$backend/lib/auth/auth-service';
+
+export const usersHandler = createRouter()
+	// List all users (admin only — enforced by auth gate)
+	.http('auth:list-users', {
+		data: t.Object({}),
+		response: t.Array(t.Object({
+			id: t.String(),
+			name: t.String(),
+			role: t.Union([t.Literal('admin'), t.Literal('member')]),
+			color: t.String(),
+			avatar: t.String(),
+			createdAt: t.String()
+		}))
+	}, async () => {
+		return listUsers();
+	})
+
+	// Remove user (admin only)
+	.http('auth:remove-user', {
+		data: t.Object({
+			userId: t.String({ minLength: 1 })
+		}),
+		response: t.Object({
+			success: t.Boolean()
+		})
+	}, async ({ data }) => {
+		removeUser(data.userId);
+		return { success: true };
+	});

package/backend/ws/engine/claude/accounts.ts

@@ -21,6 +21,7 @@ import { engineQueries } from '../../../lib/database/queries';
 import { resetEnvironment, getClaudeUserConfigDir } from '../../../lib/engine/adapters/claude/environment';
 import { debug } from '$shared/utils/logger';
 import { getCleanSpawnEnv } from '../../../lib/shared/env';
+import { resolveCommand } from '../utils';
 
 // ── Helpers ──
 
@@ -190,9 +191,10 @@ export const accountsHandler = createRouter()
 		ptyEnv['CLAUDE_CONFIG_DIR'] = getClaudeUserConfigDir();
 		ptyEnv['BROWSER'] = 'false';
 
+		const claudeCmd = await resolveCommand('claude');
 		let pty: ReturnType<typeof spawn>;
 		try {
-			pty = spawn('claude', ['setup-token'], {
+			pty = spawn(claudeCmd, ['setup-token'], {
 				name: 'xterm-256color',
 				cols: 1000,
 				rows: 30,

package/backend/ws/engine/utils.ts

@@ -4,6 +4,8 @@
  * Shared helpers used by engine status handlers.
  */
 
+type EngineCommand = 'claude' | 'opencode';
+
 export function getBackendOS(): 'windows' | 'macos' | 'linux' {
 	switch (process.platform) {
 		case 'win32': return 'windows';
@@ -12,22 +14,52 @@ export function getBackendOS(): 'windows' | 'macos' | 'linux' {
 	}
 }
 
-export async function detectCLI(command: string): Promise<{ installed: boolean; version: string | null }> {
+const resolvedCommands = new Map<EngineCommand, string>();
+
+/**
+ * Resolves the correct CLI command for the current platform.
+ * On Windows, tries the base command first, then falls back to
+ * command.cmd for older CLI installations. Result is cached.
+ */
+export async function resolveCommand(command: EngineCommand): Promise<string> {
+	const cached = resolvedCommands.get(command);
+	if (cached) return cached;
+
+	let resolved: string = command;
+
+	if (!await trySpawn(command) && process.platform === 'win32') {
+		const fallback = command + '.cmd';
+		if (await trySpawn(fallback)) resolved = fallback;
+	}
+
+	resolvedCommands.set(command, resolved);
+	return resolved;
+}
+
+async function trySpawn(command: string): Promise<boolean> {
+	try {
+		const proc = Bun.spawn([command, '--version'], { stdout: 'pipe', stderr: 'pipe' });
+		return (await proc.exited) === 0;
+	} catch {
+		return false;
+	}
+}
+
+export async function detectCLI(command: EngineCommand): Promise<{ installed: boolean; version: string | null }> {
+	const resolved = await resolveCommand(command);
+
 	try {
-		const proc = Bun.spawn([command, '--version'], {
+		const proc = Bun.spawn([resolved, '--version'], {
 			stdout: 'pipe',
 			stderr: 'pipe'
 		});
 
 		const exitCode = await proc.exited;
-		if (exitCode !== 0) {
-			return { installed: false, version: null };
-		}
+		if (exitCode !== 0) return { installed: false, version: null };
 
 		const stdout = await new Response(proc.stdout).text();
 		const raw = stdout.trim();
 		// Extract only the version token (e.g. "2.1.52" from "2.1.52 (Claude Code)")
-		// Takes everything before the first whitespace or parenthesis
 		const version = raw.split(/[\s(]/)[0] || raw || null;
 		return { installed: true, version };
 	} catch {

package/backend/ws/index.ts

@@ -13,6 +13,7 @@
 import { createRouter } from '$shared/utils/ws-server';
 
 // Import all module routers
+import { authRouter } from './auth';
 import { chatRouter } from './chat';
 import { terminalRouter } from './terminal';
 import { previewRouter } from './preview';
@@ -26,7 +27,6 @@ import { filesRouter } from './files';
 import { systemRouter } from './system';
 import { tunnelRouter } from './tunnel';
 import { gitRouter } from './git';
-import { mcpRouter } from './mcp';
 import { engineRouter } from './engine';
 
 // ============================================
@@ -34,6 +34,9 @@ import { engineRouter } from './engine';
 // ============================================
 
 export const wsRouter = createRouter()
+	// Authentication
+	.merge(authRouter)
+
 	// Terminal System
 	.merge(terminalRouter)
 
@@ -59,9 +62,6 @@ export const wsRouter = createRouter()
 	// Git Source Control
 	.merge(gitRouter)
 
-	// MCP (bridge for Open Code stdio server)
-	.merge(mcpRouter)
-
 	// AI Engine Management
 	.merge(engineRouter);
 

package/backend/ws/preview/browser/interact.ts

@@ -243,13 +243,35 @@ export const interactPreviewHandler = createRouter()
 							await session.page.mouse.move(action.x!, action.y!, {
 								steps: action.steps || 1 // Reduced from 5 to 1 for faster response
 							});
-							// Update cursor position in browser context (fire-and-forget, don't await)
+							// Update cursor position and detect cursor type in browser context (fire-and-forget, don't await)
+							// This replaces the disabled cursor-tracking script (blocked by CloudFlare)
 							session.page.evaluate((data) => {
 								const { x, y } = data;
-								if ((window as any).__cursorInfo) {
-									(window as any).__cursorInfo.x = x;
-									(window as any).__cursorInfo.y = y;
-									(window as any).__cursorInfo.timestamp = Date.now();
+								// Detect cursor type from element under mouse
+								let cursor = 'default';
+								try {
+									const el = document.elementFromPoint(x, y);
+									if (el) {
+										cursor = window.getComputedStyle(el).cursor || 'default';
+									}
+								} catch {}
+
+								// Initialize or update __cursorInfo
+								const existing = (window as any).__cursorInfo;
+								if (existing) {
+									existing.cursor = cursor;
+									existing.x = x;
+									existing.y = y;
+									existing.timestamp = Date.now();
+									existing.hasRecentInteraction = true;
+								} else {
+									(window as any).__cursorInfo = {
+										cursor,
+										x,
+										y,
+										timestamp: Date.now(),
+										hasRecentInteraction: true
+									};
 								}
 							}, { x: action.x!, y: action.y! }).catch(() => { /* Ignore evaluation errors */ });
 						} catch (error) {

package/bin/clopen.ts

@@ -31,6 +31,7 @@ interface CLIOptions {
 	help?: boolean;
 	version?: boolean;
 	update?: boolean;
+	resetPat?: boolean;
 }
 
 // Get version from package.json
@@ -95,6 +96,7 @@ USAGE:
 
 COMMANDS:
   update                  Update clopen to the latest version
+  reset-pat               Regenerate admin Personal Access Token
 
 OPTIONS:
   -p, --port <number>     Port to run the server on (default: ${DEFAULT_PORT})
@@ -107,6 +109,7 @@ EXAMPLES:
   clopen --port 9150      # Start on port 9150
   clopen --host 0.0.0.0   # Bind to all network interfaces
   clopen update           # Update to the latest version
+  clopen reset-pat        # Regenerate admin login token
   clopen --version        # Show version
 
 For more information, visit: https://github.com/myrialabs/clopen
@@ -167,6 +170,10 @@ function parseArguments(): CLIOptions {
 				options.update = true;
 				break;
 
+			case 'reset-pat':
+				options.resetPat = true;
+				break;
+
 			default:
 				console.error(`❌ Error: Unknown option "${arg}"`);
 				console.log('Run "clopen --help" for usage information');
@@ -250,6 +257,31 @@ async function runUpdate() {
 	console.log('\n  Restart clopen to apply the update.');
 }
 
+async function recoverAdminToken() {
+	const version = getVersion();
+	console.log(`\x1b[36mClopen\x1b[0m v${version} — Admin Token Recovery\n`);
+
+	// Initialize database (import dynamically to avoid loading full backend)
+	const { initializeDatabase } = await import('../backend/lib/database/index');
+	const { listUsers, regeneratePAT } = await import('../backend/lib/auth/auth-service');
+
+	await initializeDatabase();
+
+	const users = listUsers();
+	const admin = users.find(u => u.role === 'admin');
+
+	if (!admin) {
+		console.error('❌ No admin user found. Start clopen first to complete setup.');
+		process.exit(1);
+	}
+
+	const newPAT = regeneratePAT(admin.id);
+
+	console.log(`  Admin  : ${admin.name}`);
+	console.log(`  New PAT: \x1b[32m${newPAT}\x1b[0m`);
+	console.log(`\n  Use this token to log in. Keep it safe — it won't be shown again.`);
+}
+
 async function setupEnvironment() {
 	// Check if .env exists, if not copy from .env.example
 	if (!existsSync(ENV_FILE)) {
@@ -400,6 +432,13 @@ async function main() {
 			process.exit(0);
 		}
 
+		// Recover admin token if requested
+		if (options.resetPat) {
+			await setupEnvironment();
+			await recoverAdminToken();
+			process.exit(0);
+		}
+
 		// 1. Setup environment variables
 		await setupEnvironment();