npm - @openparachute/hub - Versions diffs - 0.3.0-rc.1 → 0.5.1 - Mend

@openparachute/hub 0.3.0-rc.1 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/README.md +19 -17
package/package.json +15 -4
package/src/__tests__/admin-auth.test.ts +197 -0
package/src/__tests__/admin-config.test.ts +281 -0
package/src/__tests__/admin-grants.test.ts +271 -0
package/src/__tests__/admin-handlers.test.ts +530 -0
package/src/__tests__/admin-host-admin-token.test.ts +115 -0
package/src/__tests__/admin-vault-admin-token.test.ts +190 -0
package/src/__tests__/admin-vaults.test.ts +615 -0
package/src/__tests__/auth-codes.test.ts +253 -0
package/src/__tests__/auth.test.ts +1063 -17
package/src/__tests__/cli.test.ts +50 -0
package/src/__tests__/clients.test.ts +264 -0
package/src/__tests__/cloudflare-state.test.ts +167 -7
package/src/__tests__/csrf.test.ts +117 -0
package/src/__tests__/expose-cloudflare.test.ts +232 -37
package/src/__tests__/expose-off-auto.test.ts +15 -9
package/src/__tests__/expose-public-auto.test.ts +153 -0
package/src/__tests__/expose.test.ts +216 -24
package/src/__tests__/grants.test.ts +164 -0
package/src/__tests__/hub-db.test.ts +153 -0
package/src/__tests__/hub-server.test.ts +984 -26
package/src/__tests__/hub.test.ts +56 -49
package/src/__tests__/install.test.ts +327 -3
package/src/__tests__/jwks.test.ts +37 -0
package/src/__tests__/jwt-sign.test.ts +361 -0
package/src/__tests__/lifecycle.test.ts +616 -5
package/src/__tests__/module-manifest.test.ts +183 -0
package/src/__tests__/oauth-handlers.test.ts +3112 -0
package/src/__tests__/oauth-ui.test.ts +253 -0
package/src/__tests__/operator-token.test.ts +140 -0
package/src/__tests__/providers-detect.test.ts +158 -0
package/src/__tests__/scope-explanations.test.ts +108 -0
package/src/__tests__/scope-registry.test.ts +220 -0
package/src/__tests__/services-manifest.test.ts +137 -1
package/src/__tests__/sessions.test.ts +116 -0
package/src/__tests__/setup.test.ts +361 -0
package/src/__tests__/signing-keys.test.ts +153 -0
package/src/__tests__/upgrade.test.ts +541 -0
package/src/__tests__/users.test.ts +154 -0
package/src/__tests__/well-known.test.ts +127 -10
package/src/admin-auth.ts +126 -0
package/src/admin-config-ui.ts +534 -0
package/src/admin-config.ts +226 -0
package/src/admin-grants.ts +160 -0
package/src/admin-handlers.ts +365 -0
package/src/admin-host-admin-token.ts +83 -0
package/src/admin-vault-admin-token.ts +98 -0
package/src/admin-vaults.ts +359 -0
package/src/auth-codes.ts +189 -0
package/src/cli.ts +202 -25
package/src/clients.ts +210 -0
package/src/cloudflare/config.ts +25 -6
package/src/cloudflare/state.ts +108 -28
package/src/commands/auth.ts +851 -19
package/src/commands/expose-cloudflare.ts +85 -45
package/src/commands/expose-interactive.ts +20 -44
package/src/commands/expose-off-auto.ts +27 -11
package/src/commands/expose-public-auto.ts +179 -0
package/src/commands/expose.ts +63 -32
package/src/commands/install.ts +337 -48
package/src/commands/lifecycle.ts +269 -38
package/src/commands/setup.ts +366 -0
package/src/commands/status.ts +4 -1
package/src/commands/upgrade.ts +429 -0
package/src/csrf.ts +101 -0
package/src/grants.ts +142 -0
package/src/help.ts +133 -19
package/src/hub-control.ts +12 -0
package/src/hub-db.ts +164 -0
package/src/hub-server.ts +643 -22
package/src/hub.ts +97 -390
package/src/jwks.ts +41 -0
package/src/jwt-audience.ts +40 -0
package/src/jwt-sign.ts +275 -0
package/src/module-manifest.ts +435 -0
package/src/oauth-handlers.ts +1175 -0
package/src/oauth-ui.ts +582 -0
package/src/operator-token.ts +129 -0
package/src/providers/detect.ts +97 -0
package/src/scope-explanations.ts +137 -0
package/src/scope-registry.ts +158 -0
package/src/service-spec.ts +270 -97
package/src/services-manifest.ts +57 -1
package/src/sessions.ts +115 -0
package/src/signing-keys.ts +120 -0
package/src/users.ts +144 -0
package/src/well-known.ts +62 -26
package/web/ui/dist/assets/index-BKzPDdB0.js +60 -0
package/web/ui/dist/assets/index-Dyk6g7vT.css +1 -0
package/web/ui/dist/index.html +14 -0

package/src/__tests__/admin-vault-admin-token.test.ts ADDED Viewed

@@ -0,0 +1,190 @@
+/**
+ * Tests for the per-vault session→bearer mint endpoint. Mirrors
+ * `admin-host-admin-token.test.ts` shape; differences:
+ *   - Per-vault scope (`vault:<name>:admin`).
+ *   - Vault name validated against the caller-supplied known-names set.
+ *   - 404 on unknown name; 400 on syntactically invalid name.
+ */
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  VAULT_ADMIN_TOKEN_TTL_SECONDS,
+  handleVaultAdminToken,
+} from "../admin-vault-admin-token.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { validateAccessToken } from "../jwt-sign.ts";
+import { SESSION_TTL_MS, buildSessionCookie, createSession, deleteSession } from "../sessions.ts";
+import { createUser } from "../users.ts";
+const ISSUER = "https://hub.test";
+interface Harness {
+  db: Database;
+  cleanup: () => void;
+}
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-vault-admin-token-"));
+  const db = openHubDb(hubDbPath(dir));
+  return {
+    db,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+async function withSession(): Promise<{ cookie: string; userId: string }> {
+  const user = await createUser(harness.db, "operator", "hunter2");
+  const session = createSession(harness.db, { userId: user.id });
+  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+  return { cookie, userId: user.id };
+}
+const known = (...names: string[]): ReadonlySet<string> => new Set(names);
+describe("handleVaultAdminToken", () => {
+  test("401 when no session cookie is present", async () => {
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/default`);
+    const res = await handleVaultAdminToken(req, "default", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("default"),
+    });
+    expect(res.status).toBe(401);
+  });
+  test("401 when the cookie names a deleted session", async () => {
+    const { cookie } = await withSession();
+    const sid = cookie.match(/parachute_hub_session=([^;]+)/)?.[1] ?? "";
+    deleteSession(harness.db, sid);
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/default`, { headers: { cookie } });
+    const res = await handleVaultAdminToken(req, "default", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("default"),
+    });
+    expect(res.status).toBe(401);
+  });
+  test("405 on POST", async () => {
+    const { cookie } = await withSession();
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/default`, {
+      method: "POST",
+      headers: { cookie },
+    });
+    const res = await handleVaultAdminToken(req, "default", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("default"),
+    });
+    expect(res.status).toBe(405);
+  });
+  test("404 when the vault name isn't installed on this hub", async () => {
+    const { cookie } = await withSession();
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/ghost`, { headers: { cookie } });
+    const res = await handleVaultAdminToken(req, "ghost", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("default"),
+    });
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("not_found");
+  });
+  test("400 when the vault name is syntactically invalid", async () => {
+    const { cookie } = await withSession();
+    // The router slice can hand us anything; reject names that can't be a real
+    // services.json key (slashes, dots, empty) before doing any DB work.
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/has..dots`, {
+      headers: { cookie },
+    });
+    const res = await handleVaultAdminToken(req, "has..dots", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("has..dots"),
+    });
+    expect(res.status).toBe(400);
+  });
+  test("200 mints a JWT carrying vault:<name>:admin", async () => {
+    const { cookie, userId } = await withSession();
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/work`, { headers: { cookie } });
+    const res = await handleVaultAdminToken(req, "work", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("work", "default"),
+    });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("cache-control")).toBe("no-store");
+    const body = (await res.json()) as { token: string; expires_at: string; scopes: string[] };
+    expect(body.scopes).toEqual(["vault:work:admin"]);
+    expect(body.token.length).toBeGreaterThan(20);
+    const expMs = new Date(body.expires_at).getTime();
+    const skew = expMs - Date.now();
+    expect(skew).toBeGreaterThan((VAULT_ADMIN_TOKEN_TTL_SECONDS - 30) * 1000);
+    expect(skew).toBeLessThan((VAULT_ADMIN_TOKEN_TTL_SECONDS + 30) * 1000);
+    const validated = await validateAccessToken(harness.db, body.token, ISSUER);
+    expect(validated.payload.sub).toBe(userId);
+    expect(validated.payload.iss).toBe(ISSUER);
+    // Per-vault audience: vault validates `aud === "vault.<name>"` against
+    // its own URL-bound config (parachute-vault src/auth.ts ~line 167).
+    // A constant `aud: "hub"` here would be rejected by every vault.
+    expect(validated.payload.aud).toBe("vault.work");
+    const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
+    expect(scopeClaim.split(/\s+/)).toContain("vault:work:admin");
+  });
+  test("audience is per-vault — different vaults get different aud claims", async () => {
+    // Regression for PR #173 follow-up: a single shared audience constant
+    // meant a token minted for vault `boulder` carried `aud: "hub"` and
+    // got rejected by vault's strict-equality check against
+    // `vault.boulder`. Mint twice and confirm each token is bound to its
+    // own vault.
+    const { cookie } = await withSession();
+    const namesSet = known("default", "boulder");
+    const reqDefault = new Request(`${ISSUER}/admin/vault-admin-token/default`, {
+      headers: { cookie },
+    });
+    const resDefault = await handleVaultAdminToken(reqDefault, "default", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: namesSet,
+    });
+    expect(resDefault.status).toBe(200);
+    const bodyDefault = (await resDefault.json()) as { token: string };
+    const validatedDefault = await validateAccessToken(harness.db, bodyDefault.token, ISSUER);
+    expect(validatedDefault.payload.aud).toBe("vault.default");
+    const reqBoulder = new Request(`${ISSUER}/admin/vault-admin-token/boulder`, {
+      headers: { cookie },
+    });
+    const resBoulder = await handleVaultAdminToken(reqBoulder, "boulder", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: namesSet,
+    });
+    expect(resBoulder.status).toBe(200);
+    const bodyBoulder = (await resBoulder.json()) as { token: string };
+    const validatedBoulder = await validateAccessToken(harness.db, bodyBoulder.token, ISSUER);
+    expect(validatedBoulder.payload.aud).toBe("vault.boulder");
+  });
+});