@neuralnomads/codenomad-dev 0.10.3-dev-20260213-ba418a85 → 0.10.3-dev-20260213-e9f281a6

package/src/auth/auth-store.ts

@@ -1,175 +0,0 @@
-import fs from "fs"
-import path from "path"
-import type { Logger } from "../logger"
-import { hashPassword, type PasswordHashRecord, verifyPassword } from "./password-hash"
-
-export interface AuthFile {
-  version: 1
-  username: string
-  password: PasswordHashRecord
-  userProvided: boolean
-  updatedAt: string
-}
-
-export interface AuthStatus {
-  username: string
-  passwordUserProvided: boolean
-}
-
-export class AuthStore {
-  private cachedFile: AuthFile | null = null
-  private overrideAuth: AuthFile | null = null
-  private bootstrapUsername: string | null = null
-
-  constructor(private readonly authFilePath: string, private readonly logger: Logger) {}
-
-  getAuthFilePath() {
-    return this.authFilePath
-  }
-
-  load(): AuthFile | null {
-    if (this.overrideAuth) {
-      return this.overrideAuth
-    }
-
-    if (this.cachedFile) {
-      return this.cachedFile
-    }
-
-    try {
-      if (!fs.existsSync(this.authFilePath)) {
-        return null
-      }
-      const raw = fs.readFileSync(this.authFilePath, "utf-8")
-      const parsed = JSON.parse(raw) as AuthFile
-      if (!parsed || parsed.version !== 1) {
-        this.logger.warn({ authFilePath: this.authFilePath }, "Auth file has unsupported version")
-        return null
-      }
-      this.cachedFile = parsed
-      return parsed
-    } catch (error) {
-      this.logger.warn({ err: error, authFilePath: this.authFilePath }, "Failed to load auth file")
-      return null
-    }
-  }
-
-  ensureInitialized(params: {
-    username: string
-    password?: string
-    allowBootstrapWithoutPassword: boolean
-  }): void {
-    const password = params.password?.trim()
-    if (password) {
-      const now = new Date().toISOString()
-      const runtime: AuthFile = {
-        version: 1,
-        username: params.username,
-        password: hashPassword(password),
-        userProvided: true,
-        updatedAt: now,
-      }
-      this.overrideAuth = runtime
-      this.cachedFile = null
-      this.bootstrapUsername = null
-      this.logger.debug({ authFilePath: this.authFilePath }, "Using runtime auth password override; ignoring auth file")
-      return
-    }
-
-    const existing = this.load()
-    if (existing) {
-      if (existing.username !== params.username) {
-        // Keep existing username unless explicitly overridden later.
-        this.logger.debug({ existing: existing.username, requested: params.username }, "Auth username differs from requested")
-      }
-      this.bootstrapUsername = null
-      return
-    }
-
-    if (params.allowBootstrapWithoutPassword) {
-      this.bootstrapUsername = params.username
-      this.logger.debug({ authFilePath: this.authFilePath }, "No auth file present; bootstrap-only mode enabled")
-      return
-    }
-
-    throw new Error(
-      `No server password configured. Create ${this.authFilePath} or start with --password / CODENOMAD_SERVER_PASSWORD.`,
-    )
-  }
-
-  validateCredentials(username: string, password: string): boolean {
-    const auth = this.load()
-    if (!auth) {
-      return false
-    }
-
-    if (username !== auth.username) {
-      return false
-    }
-
-    return verifyPassword(password, auth.password)
-  }
-
-  setPassword(params: { password: string; markUserProvided: boolean }): AuthStatus {
-    if (this.overrideAuth) {
-      throw new Error(
-        "Server password is provided via CLI/env and cannot be changed while running. Restart without --password / CODENOMAD_SERVER_PASSWORD to use auth.json.",
-      )
-    }
-
-    const current = this.load()
-
-    if (!current) {
-      if (!this.bootstrapUsername) {
-        throw new Error("Auth is not initialized")
-      }
-
-      const created: AuthFile = {
-        version: 1,
-        username: this.bootstrapUsername,
-        password: hashPassword(params.password),
-        userProvided: params.markUserProvided,
-        updatedAt: new Date().toISOString(),
-      }
-
-      this.persist(created)
-      this.bootstrapUsername = null
-      return { username: created.username, passwordUserProvided: created.userProvided }
-    }
-
-    const next: AuthFile = {
-      ...current,
-      password: hashPassword(params.password),
-      userProvided: params.markUserProvided,
-      updatedAt: new Date().toISOString(),
-    }
-
-    this.persist(next)
-    return { username: next.username, passwordUserProvided: next.userProvided }
-  }
-
-  getStatus(): AuthStatus {
-    const current = this.load()
-    if (current) {
-      return { username: current.username, passwordUserProvided: current.userProvided }
-    }
-
-    if (this.bootstrapUsername) {
-      return { username: this.bootstrapUsername, passwordUserProvided: false }
-    }
-
-    throw new Error("Auth is not initialized")
-  }
-
-  private persist(auth: AuthFile) {
-    try {
-      fs.mkdirSync(path.dirname(this.authFilePath), { recursive: true })
-      fs.writeFileSync(this.authFilePath, JSON.stringify(auth, null, 2), "utf-8")
-      this.cachedFile = auth
-      this.logger.debug({ authFilePath: this.authFilePath }, "Persisted auth file")
-    } catch (error) {
-      this.logger.error({ err: error, authFilePath: this.authFilePath }, "Failed to persist auth file")
-      throw error
-    }
-  }
-}

package/src/auth/http-auth.ts

@@ -1,38 +0,0 @@
-import type { FastifyReply, FastifyRequest } from "fastify"
-
-export function parseCookies(header: string | undefined): Record<string, string> {
-  const result: Record<string, string> = {}
-  if (!header) return result
-
-  const parts = header.split(";")
-  for (const part of parts) {
-    const index = part.indexOf("=")
-    if (index < 0) continue
-    const key = part.slice(0, index).trim()
-    const value = part.slice(index + 1).trim()
-    if (!key) continue
-    result[key] = decodeURIComponent(value)
-  }
-  return result
-}
-
-export function isLoopbackAddress(remoteAddress: string | undefined): boolean {
-  if (!remoteAddress) return false
-  if (remoteAddress === "127.0.0.1" || remoteAddress === "::1") return true
-  if (remoteAddress === "::ffff:127.0.0.1") return true
-  return false
-}
-
-export function wantsHtml(request: FastifyRequest): boolean {
-  const accept = (request.headers["accept"] ?? "").toString().toLowerCase()
-  return accept.includes("text/html") || accept.includes("application/xhtml")
-}
-
-export function sendUnauthorized(request: FastifyRequest, reply: FastifyReply) {
-  if (request.method === "GET" && !request.url.startsWith("/api/") && wantsHtml(request)) {
-    reply.redirect("/login")
-    return
-  }
-
-  reply.code(401).send({ error: "Unauthorized" })
-}

package/src/auth/manager.ts

@@ -1,163 +0,0 @@
-import type { FastifyReply, FastifyRequest } from "fastify"
-import path from "path"
-import type { Logger } from "../logger"
-import { AuthStore } from "./auth-store"
-import { TokenManager } from "./token-manager"
-import { SessionManager } from "./session-manager"
-import { isLoopbackAddress, parseCookies } from "./http-auth"
-
-export const BOOTSTRAP_TOKEN_STDOUT_PREFIX = "CODENOMAD_BOOTSTRAP_TOKEN:" as const
-export const DEFAULT_AUTH_USERNAME = "codenomad" as const
-export const DEFAULT_AUTH_COOKIE_NAME = "codenomad_session" as const
-
-export interface AuthManagerInit {
-  configPath: string
-  username: string
-  password?: string
-  generateToken: boolean
-  dangerouslySkipAuth?: boolean
-}
-
-export class AuthManager {
-  private readonly authStore: AuthStore | null
-  private readonly tokenManager: TokenManager | null
-  private readonly sessionManager = new SessionManager()
-  private readonly cookieName = DEFAULT_AUTH_COOKIE_NAME
-  private readonly authEnabled: boolean
-
-  constructor(private readonly init: AuthManagerInit, private readonly logger: Logger) {
-    this.authEnabled = !Boolean(init.dangerouslySkipAuth)
-
-    if (!this.authEnabled) {
-      this.authStore = null
-      this.tokenManager = null
-      return
-    }
-
-    const authFilePath = resolveAuthFilePath(init.configPath)
-    this.authStore = new AuthStore(authFilePath, logger.child({ component: "auth" }))
-
-    // Startup: password comes from CLI/env, auth.json, or bootstrap-only mode.
-    this.authStore.ensureInitialized({
-      username: init.username,
-      password: init.password,
-      allowBootstrapWithoutPassword: init.generateToken,
-    })
-
-    this.tokenManager = init.generateToken ? new TokenManager(60_000) : null
-  }
-
-  isAuthEnabled(): boolean {
-    return this.authEnabled
-  }
-
-  getCookieName(): string {
-    return this.cookieName
-  }
-
-  isTokenBootstrapEnabled(): boolean {
-    return Boolean(this.tokenManager)
-  }
-
-  issueBootstrapToken(): string | null {
-    if (!this.tokenManager) return null
-    return this.tokenManager.generate()
-  }
-
-  consumeBootstrapToken(token: string): boolean {
-    if (!this.tokenManager) return false
-    return this.tokenManager.consume(token)
-  }
-
-  validateLogin(username: string, password: string): boolean {
-    if (!this.authEnabled) {
-      return true
-    }
-    return this.requireAuthStore().validateCredentials(username, password)
-  }
-
-  createSession(username: string) {
-    if (!this.authEnabled) {
-      return { id: "auth-disabled", createdAt: Date.now(), username: this.init.username }
-    }
-    return this.sessionManager.createSession(username)
-  }
-
-  getStatus() {
-    if (!this.authEnabled) {
-      return { username: this.init.username, passwordUserProvided: false }
-    }
-    return this.requireAuthStore().getStatus()
-  }
-
-  setPassword(password: string) {
-    if (!this.authEnabled) {
-      throw new Error("Internal authentication is disabled")
-    }
-    return this.requireAuthStore().setPassword({ password, markUserProvided: true })
-  }
-
-  isLoopbackRequest(request: FastifyRequest): boolean {
-    return isLoopbackAddress(request.socket.remoteAddress)
-  }
-
-  getSessionFromRequest(request: FastifyRequest): { username: string; sessionId: string } | null {
-    if (!this.authEnabled) {
-      // When auth is disabled, treat all requests as authenticated.
-      // We still return a stable username so callers can display it.
-      return { username: this.init.username, sessionId: "auth-disabled" }
-    }
-
-    const cookies = parseCookies(request.headers.cookie)
-    const sessionId = cookies[this.cookieName]
-    const session = this.sessionManager.getSession(sessionId)
-    if (!session) return null
-    return { username: session.username, sessionId: session.id }
-  }
-
-  setSessionCookie(reply: FastifyReply, sessionId: string) {
-    reply.header("Set-Cookie", buildSessionCookie(this.cookieName, sessionId))
-  }
-
-  setSessionCookieWithOptions(reply: FastifyReply, sessionId: string, options?: { secure?: boolean }) {
-    reply.header("Set-Cookie", buildSessionCookie(this.cookieName, sessionId, options))
-  }
-
-  clearSessionCookie(reply: FastifyReply) {
-    reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0 }))
-  }
-
-  clearSessionCookieWithOptions(reply: FastifyReply, options?: { secure?: boolean }) {
-    reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0, ...options }))
-  }
-
-  private requireAuthStore(): AuthStore {
-    if (!this.authStore) {
-      throw new Error("Auth store is unavailable")
-    }
-    return this.authStore
-  }
-}
-
-function resolveAuthFilePath(configPath: string) {
-  const resolvedConfigPath = resolvePath(configPath)
-  return path.join(path.dirname(resolvedConfigPath), "auth.json")
-}
-
-function resolvePath(filePath: string) {
-  if (filePath.startsWith("~/")) {
-    return path.join(process.env.HOME ?? "", filePath.slice(2))
-  }
-  return path.resolve(filePath)
-}
-
-function buildSessionCookie(name: string, value: string, options?: { maxAgeSeconds?: number; secure?: boolean }) {
-  const parts = [`${name}=${encodeURIComponent(value)}`, "HttpOnly", "Path=/", "SameSite=Lax"]
-  if (options?.secure) {
-    parts.push("Secure")
-  }
-  if (options?.maxAgeSeconds !== undefined) {
-    parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`)
-  }
-  return parts.join("; ")
-}

package/src/auth/password-hash.ts

@@ -1,49 +0,0 @@
-import crypto from "crypto"
-
-export interface PasswordHashRecord {
-  algorithm: "scrypt"
-  saltBase64: string
-  hashBase64: string
-  keyLength: number
-  params: {
-    N: number
-    r: number
-    p: number
-    maxmem: number
-  }
-}
-
-const DEFAULT_SCRYPT_PARAMS = {
-  N: 16384,
-  r: 8,
-  p: 1,
-  maxmem: 32 * 1024 * 1024,
-}
-
-export function hashPassword(password: string): PasswordHashRecord {
-  const salt = crypto.randomBytes(16)
-  const params = DEFAULT_SCRYPT_PARAMS
-  const keyLength = 64
-  const derived = crypto.scryptSync(password, salt, keyLength, params)
-  return {
-    algorithm: "scrypt",
-    saltBase64: salt.toString("base64"),
-    hashBase64: Buffer.from(derived).toString("base64"),
-    keyLength,
-    params,
-  }
-}
-
-export function verifyPassword(password: string, record: PasswordHashRecord): boolean {
-  if (record.algorithm !== "scrypt") {
-    return false
-  }
-
-  const salt = Buffer.from(record.saltBase64, "base64")
-  const expected = Buffer.from(record.hashBase64, "base64")
-  const derived = crypto.scryptSync(password, salt, record.keyLength, record.params)
-  if (expected.length !== derived.length) {
-    return false
-  }
-  return crypto.timingSafeEqual(expected, Buffer.from(derived))
-}

package/src/auth/session-manager.ts

@@ -1,23 +0,0 @@
-import crypto from "crypto"
-
-export interface SessionInfo {
-  id: string
-  createdAt: number
-  username: string
-}
-
-export class SessionManager {
-  private sessions = new Map<string, SessionInfo>()
-
-  createSession(username: string): SessionInfo {
-    const id = crypto.randomBytes(32).toString("base64url")
-    const info: SessionInfo = { id, createdAt: Date.now(), username }
-    this.sessions.set(id, info)
-    return info
-  }
-
-  getSession(id: string | undefined): SessionInfo | undefined {
-    if (!id) return undefined
-    return this.sessions.get(id)
-  }
-}

package/src/auth/token-manager.ts

@@ -1,32 +0,0 @@
-import crypto from "crypto"
-
-export interface BootstrapToken {
-  token: string
-  createdAt: number
-  consumed: boolean
-}
-
-export class TokenManager {
-  private token: BootstrapToken | null = null
-
-  constructor(private readonly ttlMs: number) {}
-
-  generate(): string {
-    const token = crypto.randomBytes(32).toString("base64url")
-    this.token = { token, createdAt: Date.now(), consumed: false }
-    return token
-  }
-
-  consume(token: string): boolean {
-    if (!this.token) return false
-    if (this.token.consumed) return false
-    if (Date.now() - this.token.createdAt > this.ttlMs) return false
-    if (token !== this.token.token) return false
-    this.token.consumed = true
-    return true
-  }
-
-  peek(): string | null {
-    return this.token?.token ?? null
-  }
-}