@openparachute/hub 0.5.10-rc.4 → 0.5.10-rc.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.10-rc.4",
+  "version": "0.5.10-rc.6",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/csrf.test.ts

@@ -29,7 +29,7 @@ describe("generateCsrfToken", () => {
 });
 
 describe("buildCsrfCookie", () => {
-  test("emits the expected attributes", () => {
+  test("emits the expected attributes (default secure)", () => {
     const v = buildCsrfCookie("abc");
     expect(v).toContain(`${CSRF_COOKIE_NAME}=abc`);
     expect(v).toContain("HttpOnly");
@@ -38,6 +38,19 @@ describe("buildCsrfCookie", () => {
     expect(v).toContain("Path=/");
     expect(v).toContain("Max-Age=");
   });
+
+  test("omits Secure when secure: false (HTTP localhost)", () => {
+    const v = buildCsrfCookie("abc", { secure: false });
+    expect(v).toContain(`${CSRF_COOKIE_NAME}=abc`);
+    expect(v).toContain("HttpOnly");
+    expect(v).not.toContain("Secure");
+    expect(v).toContain("SameSite=Lax");
+  });
+
+  test("keeps Secure when secure: true (explicit)", () => {
+    const v = buildCsrfCookie("abc", { secure: true });
+    expect(v).toContain("Secure");
+  });
 });
 
 describe("parseCsrfCookie", () => {
@@ -71,6 +84,32 @@ describe("ensureCsrfToken", () => {
     expect(result.token.length).toBeGreaterThan(0);
     expect(result.setCookie).toBeDefined();
   });
+
+  // Bug 1 (rc.5 → rc.6) regression: cookies minted over plain HTTP must
+  // NOT carry the Secure attribute or browsers silently drop them on
+  // http://localhost:1939, breaking the very next double-submit POST.
+  test("sets Secure when the request URL is https://", () => {
+    const req = new Request("https://hub.example/admin/setup");
+    const result = ensureCsrfToken(req);
+    expect(result.setCookie).toContain("Secure");
+  });
+
+  test("omits Secure when the request URL is http://localhost", () => {
+    const req = new Request("http://localhost:1939/admin/setup");
+    const result = ensureCsrfToken(req);
+    expect(result.setCookie).not.toContain("Secure");
+    // The rest of the cookie shape stays intact — only Secure flips.
+    expect(result.setCookie).toContain("HttpOnly");
+    expect(result.setCookie).toContain("SameSite=Lax");
+  });
+
+  test("sets Secure when http:// request carries X-Forwarded-Proto: https", () => {
+    const req = new Request("http://hub.internal/admin/setup", {
+      headers: { "x-forwarded-proto": "https" },
+    });
+    const result = ensureCsrfToken(req);
+    expect(result.setCookie).toContain("Secure");
+  });
 });
 
 describe("verifyCsrfToken", () => {

package/src/__tests__/hub-server.test.ts

@@ -74,10 +74,16 @@ describe("hubFetch routing", () => {
     // The dynamic path takes over from the static disk file the moment a
     // DB is configured. With no session cookie, we still render — just
     // with the "Sign in" affordance.
+    //
+    // hub#259 rc.6: requires an admin row to bypass the fresh-hub
+    // funnel redirect to /admin/setup (Bug 2 fix). Seed one so this
+    // test continues to exercise the signed-out-but-setup-done branch.
     const h = makeHarness();
     try {
       const db = openHubDb(hubDbPath(h.dir));
       try {
+        const { createUser } = await import("../users.ts");
+        await createUser(db, "owner", "pw");
         const res = await hubFetch(h.dir, { getDb: () => db })(req("/"));
         expect(res.status).toBe(200);
         expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
@@ -979,10 +985,12 @@ describe("hubFetch routing", () => {
     }
   });
 
-  // First-boot setup placeholder (hub#258). When no admin exists the page
-  // is the bootstrap onboarding surface; once an admin exists it 301s to
-  // /login so a stale bookmark still lands somewhere useful.
-  test("/admin/setup renders placeholder HTML when no admin exists", async () => {
+  // First-boot setup wizard (hub#259, expanding hub#258's static
+  // placeholder). When no admin exists, GET /admin/setup renders the
+  // wizard's account-step form. Once admin + vault both exist, it 301s
+  // to /login so a stale bookmark still lands somewhere useful. With
+  // admin but no vault, the wizard resumes at the vault step.
+  test("/admin/setup renders the wizard's account form when no admin exists", async () => {
     const h = makeHarness();
     try {
       const db = openHubDb(hubDbPath(h.dir));
@@ -991,7 +999,8 @@ describe("hubFetch routing", () => {
         expect(res.status).toBe(200);
         expect(res.headers.get("content-type")).toContain("text/html");
         const body = await res.text();
-        expect(body).toContain("first-boot setup");
+        expect(body).toContain('action="/admin/setup/account"');
+        // Env-var seed path is still surfaced as the alt-path disclosure.
         expect(body).toContain("PARACHUTE_INITIAL_ADMIN_USERNAME");
       } finally {
         db.close();
@@ -1001,13 +1010,35 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/admin/setup 301s to /login when an admin already exists", async () => {
+  test("/admin/setup 301s to /login once admin + vault both exist (hub#259)", async () => {
     const h = makeHarness();
     try {
       const db = openHubDb(hubDbPath(h.dir));
       try {
         await createUser(db, "owner", "pw");
-        const res = await hubFetch(h.dir, { getDb: () => db })(req("/admin/setup"));
+        // Seed the vault entry so the wizard's state derives as "done"
+        // and the GET 301s. Without this the wizard would still resume
+        // at the vault step.
+        const { writeManifest } = await import("../services-manifest.ts");
+        const { join } = await import("node:path");
+        writeManifest(
+          {
+            services: [
+              {
+                name: "parachute-vault",
+                version: "0.1.0",
+                port: 1940,
+                paths: ["/vault/default"],
+                health: "/health",
+              },
+            ],
+          },
+          join(h.dir, "services.json"),
+        );
+        const res = await hubFetch(h.dir, {
+          getDb: () => db,
+          manifestPath: join(h.dir, "services.json"),
+        })(req("/admin/setup"));
         expect(res.status).toBe(301);
         expect(res.headers.get("location")).toBe("/login");
       } finally {
@@ -1058,7 +1089,7 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("pre-admin lockout: /login is gated, /admin/setup + /health + well-known stay open", async () => {
+  test("pre-admin lockout: /login is gated, /admin/setup + /health + well-known stay open, / funnels to /admin/setup", async () => {
     const h = makeHarness();
     try {
       writeFileSync(join(h.dir, "hub.html"), "<html>discovery</html>");
@@ -1075,9 +1106,11 @@ describe("hubFetch routing", () => {
         // /health open
         const healthRes = await handler(req("/health"));
         expect(healthRes.status).toBe(200);
-        // / open
+        // / funnels to the wizard (hub#259 rc.6 fix for Bug 2 — the
+        // static portal pre-setup is useless; redirect to setup).
         const rootRes = await handler(req("/"));
-        expect(rootRes.status).toBe(200);
+        expect(rootRes.status).toBe(302);
+        expect(rootRes.headers.get("location")).toBe("/admin/setup");
         // /.well-known/parachute.json open
         const wkRes = await handler(req("/.well-known/parachute.json"));
         expect(wkRes.status).toBe(200);

package/src/__tests__/request-protocol.test.ts

@@ -0,0 +1,54 @@
+/**
+ * `isHttpsRequest` is the single signal cookie-mint helpers use to
+ * decide whether to set the `Secure` attribute. Wrong answer here
+ * causes browsers to silently drop cookies on HTTP localhost (Bug 1
+ * from the rc.5 fresh-machine test) OR mint Secure-less cookies behind
+ * a TLS-terminating reverse proxy (the opposite failure mode).
+ *
+ * Three signals tested, in priority order: direct URL scheme,
+ * X-Forwarded-Proto header, plain HTTP default.
+ */
+import { describe, expect, test } from "bun:test";
+import { isHttpsRequest } from "../request-protocol.ts";
+
+describe("isHttpsRequest", () => {
+  test("returns true for https:// request URL", () => {
+    expect(isHttpsRequest(new Request("https://hub.example/x"))).toBe(true);
+  });
+
+  test("returns false for http:// request URL", () => {
+    expect(isHttpsRequest(new Request("http://localhost:1939/x"))).toBe(false);
+  });
+
+  test("returns true when X-Forwarded-Proto: https on an http:// request", () => {
+    const req = new Request("http://hub.internal/x", {
+      headers: { "x-forwarded-proto": "https" },
+    });
+    expect(isHttpsRequest(req)).toBe(true);
+  });
+
+  test("returns false when X-Forwarded-Proto: http", () => {
+    const req = new Request("http://hub.internal/x", {
+      headers: { "x-forwarded-proto": "http" },
+    });
+    expect(isHttpsRequest(req)).toBe(false);
+  });
+
+  test("tolerates uppercase / whitespace / list shape in X-Forwarded-Proto", () => {
+    // Some proxies emit `https,http` (chain of two hops) or " HTTPS "
+    // with whitespace. The first token is what we honor.
+    expect(
+      isHttpsRequest(new Request("http://hub/x", { headers: { "x-forwarded-proto": " HTTPS " } })),
+    ).toBe(true);
+    expect(
+      isHttpsRequest(
+        new Request("http://hub/x", { headers: { "x-forwarded-proto": "https,http" } }),
+      ),
+    ).toBe(true);
+    expect(
+      isHttpsRequest(
+        new Request("http://hub/x", { headers: { "x-forwarded-proto": "http,https" } }),
+      ),
+    ).toBe(false);
+  });
+});

package/src/__tests__/sessions.test.ts

@@ -81,7 +81,7 @@ describe("deleteSession", () => {
 });
 
 describe("buildSessionCookie", () => {
-  test("emits the expected attributes", () => {
+  test("emits the expected attributes (default secure)", () => {
     const v = buildSessionCookie("abc", 86400);
     expect(v).toContain(`${SESSION_COOKIE_NAME}=abc`);
     expect(v).toContain("HttpOnly");
@@ -91,16 +91,39 @@ describe("buildSessionCookie", () => {
     expect(v).not.toContain("Path=/oauth");
     expect(v).toContain("Max-Age=86400");
   });
+
+  // Bug 1 (rc.5 → rc.6) regression: session cookies minted over plain
+  // HTTP must NOT carry Secure or browsers drop them, leaving the
+  // operator un-signed-in on the very next request.
+  test("omits Secure when secure: false (HTTP localhost)", () => {
+    const v = buildSessionCookie("abc", 86400, { secure: false });
+    expect(v).toContain(`${SESSION_COOKIE_NAME}=abc`);
+    expect(v).toContain("HttpOnly");
+    expect(v).not.toContain("Secure");
+    expect(v).toContain("SameSite=Lax");
+  });
+
+  test("keeps Secure when secure: true (explicit)", () => {
+    const v = buildSessionCookie("abc", 86400, { secure: true });
+    expect(v).toContain("Secure");
+  });
 });
 
 describe("buildSessionClearCookie", () => {
-  test("emits Max-Age=0", () => {
+  test("emits Max-Age=0 (default secure)", () => {
     const v = buildSessionClearCookie();
     expect(v).toContain(`${SESSION_COOKIE_NAME}=`);
     expect(v).toContain("Max-Age=0");
+    expect(v).toContain("Secure");
     expect(v).toContain("Path=/");
     expect(v).not.toContain("Path=/oauth");
   });
+
+  test("omits Secure when secure: false (HTTP localhost)", () => {
+    const v = buildSessionClearCookie({ secure: false });
+    expect(v).not.toContain("Secure");
+    expect(v).toContain("Max-Age=0");
+  });
 });
 
 describe("parseSessionCookie", () => {

package/src/__tests__/setup-gate.test.ts

@@ -130,27 +130,44 @@ describe("setup gate (no admin yet)", () => {
     }
   });
 
-  test("/ passes through the gate (renders discovery page)", async () => {
+  // Bug 2 (rc.5 → rc.6) regression: on a fresh hub, GET `/` should
+  // funnel straight to the wizard rather than render the static
+  // portal — the operator otherwise has to manually navigate to
+  // `/admin/setup`. The portal pre-setup carries no usable signal
+  // (no installed services to discover, no admin to sign in as).
+  test("/ 302s to /admin/setup when no admin exists (fresh-hub funnel)", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {
       const res = await hubFetch(h.dir, { getDb: () => db })(req("/"));
-      expect(res.status).toBe(200);
-      expect(res.headers.get("content-type")).toContain("text/html");
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin/setup");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("/hub.html 302s to /admin/setup when no admin exists", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const res = await hubFetch(h.dir, { getDb: () => db })(req("/hub.html"));
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin/setup");
     } finally {
       db.close();
     }
   });
 
-  test("/admin/setup renders the placeholder HTML", async () => {
+  test("/admin/setup renders the wizard (account step) when no admin exists", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {
       const res = await hubFetch(h.dir, { getDb: () => db })(req("/admin/setup"));
       expect(res.status).toBe(200);
       expect(res.headers.get("content-type")).toContain("text/html");
       const html = await res.text();
-      // Spot-check the env-var seed is documented — it's the canonical
-      // bootstrap path for containers and we don't want a future
-      // refactor to silently strip it.
+      // Spot-check the wizard is rendering its account-step form (hub#259
+      // replaced the env-var-only placeholder with a real wizard, but the
+      // env-var path is still surfaced as the "alt-path" disclosure).
+      expect(html).toContain('action="/admin/setup/account"');
       expect(html).toContain("PARACHUTE_INITIAL_ADMIN_USERNAME");
       expect(html).toContain("PARACHUTE_INITIAL_ADMIN_PASSWORD");
     } finally {
@@ -182,13 +199,22 @@ describe("setup gate (admin exists)", () => {
     }
   });
 
-  test("/admin/setup 301s to /login once an admin exists", async () => {
+  test("/admin/setup resumes at the vault step when admin exists but vault doesn't (hub#259)", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {
       await createUser(db, "owner", "pw");
-      const res = await hubFetch(h.dir, { getDb: () => db })(req("/admin/setup"));
-      expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/login");
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: join(h.dir, "services.json"),
+      })(req("/admin/setup"));
+      // With admin in place but no vault entry in services.json, the
+      // wizard's GET resumes at step 3 — the vault-name form — rather
+      // than 301-ing to /login. The 301-to-/login fires only once BOTH
+      // admin and vault are in place; that case is exercised in the
+      // setup-wizard suite where the manifest is seeded.
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      expect(html).toContain('action="/admin/setup/vault"');
     } finally {
       db.close();
     }