@openparachute/hub 0.5.13 → 0.5.14-rc.1

package/src/__tests__/users.test.ts

@@ -3,6 +3,7 @@ import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { recordTokenMint, signAccessToken } from "../jwt-sign.ts";
 import {
   PASSWORD_MIN_LEN,
   SingleUserModeError,
@@ -11,10 +12,13 @@ import {
   UsernameTakenError,
   createUser,
   deleteUser,
+  getFirstAdminId,
   getUserById,
   getUserByUsername,
   getUserByUsernameCI,
+  isFirstAdmin,
   listUsers,
+  resetUserPassword,
   setPassword,
   userCount,
   validatePassword,
@@ -348,3 +352,260 @@ describe("validatePassword", () => {
     expect(validatePassword("aaaaaaaaaaaa").valid).toBe(true);
   });
 });
+
+describe("resetUserPassword", () => {
+  test("returns false when user does not exist", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(await resetUserPassword(db, "no-such-id", "twelvechars1")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("returns false when user vanishes between pre-check and tx body", async () => {
+    // Reviewer-flagged race path (hub#427). The argon2 hash is computed
+    // outside the transaction (async), giving a window where a concurrent
+    // delete can land between the existence pre-check and the UPDATE tx.
+    // The helper must return false in that case so the caller can 404
+    // instead of cosmetically claiming success.
+    const { db, cleanup } = makeDb();
+    try {
+      const user = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      // Simulate the race: delete the row, then invoke the reset. The
+      // pre-check runs in `resetUserPassword` against the now-empty table.
+      // (We can't intercept between pre-check and tx without forking the
+      // helper; deleting before the call is the equivalent post-condition
+      // — if the row is gone the tx body will UPDATE 0 rows.)
+      db.prepare("DELETE FROM users WHERE id = ?").run(user.id);
+      expect(await resetUserPassword(db, user.id, "new-temp-passphrase")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("rotates hash, flips password_changed back to 0, bumps updated_at", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      // Seed user as "already changed their password" (true) to prove the
+      // reset flips it back to false for the force-redirect rail.
+      const initial = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+        now: () => new Date(1000),
+      });
+      const oldHash = initial.passwordHash;
+      const oldUpdated = initial.updatedAt;
+      const later = new Date(2000);
+      expect(await resetUserPassword(db, initial.id, "new-temp-passphrase", () => later)).toBe(
+        true,
+      );
+      const fresh = getUserById(db, initial.id);
+      expect(fresh).not.toBeNull();
+      expect(fresh?.passwordHash).not.toBe(oldHash);
+      expect(fresh?.passwordChanged).toBe(false);
+      expect(fresh?.updatedAt).not.toBe(oldUpdated);
+      // Round-trip verify: old password no longer works, new one does.
+      expect(await verifyPassword(fresh!, "alice-strong-passphrase")).toBe(false);
+      expect(await verifyPassword(fresh!, "new-temp-passphrase")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("revokes still-active tokens belonging to the user", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const user = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      const minted = await signAccessToken(db, {
+        sub: user.id,
+        scopes: ["vault:home:read"],
+        audience: "vault",
+        clientId: "notes-client",
+        issuer: "https://hub.test",
+        ttlSeconds: 600,
+      });
+      recordTokenMint(db, {
+        jti: minted.jti,
+        createdVia: "operator_mint",
+        subject: user.username,
+        userId: user.id,
+        clientId: "notes-client",
+        scopes: ["vault:home:read"],
+        expiresAt: minted.expiresAt,
+      });
+      // Pre-state: token row not yet revoked.
+      const before = db
+        .query<{ revoked_at: string | null }, [string]>(
+          "SELECT revoked_at FROM tokens WHERE jti = ?",
+        )
+        .get(minted.jti);
+      expect(before?.revoked_at).toBeNull();
+
+      expect(await resetUserPassword(db, user.id, "new-temp-passphrase")).toBe(true);
+
+      // Post-state: token row has revoked_at set, user_id retained (the
+      // user row sticks around, audit trail re-anchors naturally).
+      const after = db
+        .query<{ revoked_at: string | null; user_id: string | null }, [string]>(
+          "SELECT revoked_at, user_id FROM tokens WHERE jti = ?",
+        )
+        .get(minted.jti);
+      expect(after?.revoked_at).not.toBeNull();
+      expect(after?.user_id).toBe(user.id);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("does not re-revoke an already-revoked token", async () => {
+    // Defense-in-depth: a previously-revoked token shouldn't have its
+    // revoked_at timestamp overwritten by a fresh reset. The UPDATE's
+    // WHERE clause filters on `revoked_at IS NULL` so this is naturally
+    // enforced; pinning it here so a future refactor that drops the
+    // filter trips the test.
+    const { db, cleanup } = makeDb();
+    try {
+      const user = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      const minted = await signAccessToken(db, {
+        sub: user.id,
+        scopes: ["vault:home:read"],
+        audience: "vault",
+        clientId: "notes-client",
+        issuer: "https://hub.test",
+        ttlSeconds: 600,
+      });
+      const earlierStamp = "2026-01-01T00:00:00.000Z";
+      recordTokenMint(db, {
+        jti: minted.jti,
+        createdVia: "operator_mint",
+        subject: user.username,
+        userId: user.id,
+        clientId: "notes-client",
+        scopes: ["vault:home:read"],
+        expiresAt: minted.expiresAt,
+      });
+      db.prepare("UPDATE tokens SET revoked_at = ? WHERE jti = ?").run(earlierStamp, minted.jti);
+
+      expect(await resetUserPassword(db, user.id, "new-temp-passphrase")).toBe(true);
+
+      const row = db
+        .query<{ revoked_at: string | null }, [string]>(
+          "SELECT revoked_at FROM tokens WHERE jti = ?",
+        )
+        .get(minted.jti);
+      expect(row?.revoked_at).toBe(earlierStamp);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("leaves tokens for other users untouched", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const alice = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      const bob = await createUser(db, "bob", "bob-strong-passphrase", {
+        allowMulti: true,
+        passwordChanged: true,
+      });
+      const bobToken = await signAccessToken(db, {
+        sub: bob.id,
+        scopes: ["vault:home:read"],
+        audience: "vault",
+        clientId: "notes-client",
+        issuer: "https://hub.test",
+        ttlSeconds: 600,
+      });
+      recordTokenMint(db, {
+        jti: bobToken.jti,
+        createdVia: "operator_mint",
+        subject: bob.username,
+        userId: bob.id,
+        clientId: "notes-client",
+        scopes: ["vault:home:read"],
+        expiresAt: bobToken.expiresAt,
+      });
+
+      await resetUserPassword(db, alice.id, "new-temp-passphrase");
+
+      const bobRow = db
+        .query<{ revoked_at: string | null }, [string]>(
+          "SELECT revoked_at FROM tokens WHERE jti = ?",
+        )
+        .get(bobToken.jti);
+      expect(bobRow?.revoked_at).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("getFirstAdminId / isFirstAdmin", () => {
+  test("getFirstAdminId returns null on an empty users table", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(getFirstAdminId(db)).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("getFirstAdminId returns the earliest-created user id", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const admin = await createUser(db, "admin", "pw1", { now: () => new Date(1000) });
+      await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        now: () => new Date(2000),
+      });
+      await createUser(db, "bob", "pw3", {
+        allowMulti: true,
+        now: () => new Date(3000),
+      });
+      expect(getFirstAdminId(db)).toBe(admin.id);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("isFirstAdmin matches earliest user, false for everyone else", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const admin = await createUser(db, "admin", "pw1", { now: () => new Date(1000) });
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        now: () => new Date(2000),
+      });
+      expect(isFirstAdmin(db, admin.id)).toBe(true);
+      expect(isFirstAdmin(db, friend.id)).toBe(false);
+      expect(isFirstAdmin(db, "no-such-id")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("isFirstAdmin tracks the admin even after a later user is deleted", async () => {
+    // Deleting a non-first user doesn't promote anyone — the original
+    // admin still holds the "first" slot.
+    const { db, cleanup } = makeDb();
+    try {
+      const admin = await createUser(db, "admin", "pw1", { now: () => new Date(1000) });
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        now: () => new Date(2000),
+      });
+      deleteUser(db, friend.id);
+      expect(getFirstAdminId(db)).toBe(admin.id);
+      expect(isFirstAdmin(db, admin.id)).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+});

package/src/__tests__/well-known.test.ts

@@ -426,10 +426,10 @@ describe("buildWellKnown", () => {
   // joined onto the canonical origin into a deep-linkable `url`.
   describe("uis hierarchical sub-units (hub#313)", () => {
     const app: ServiceEntry = {
-      name: "parachute-app",
+      name: "parachute-surface",
       port: 1946,
-      paths: ["/app"],
-      health: "/app/healthz",
+      paths: ["/surface"],
+      health: "/surface/healthz",
       version: "0.1.0",
     };
 
@@ -455,7 +455,7 @@ describe("buildWellKnown", () => {
         services: [withUis],
         canonicalOrigin: "https://x.example",
       });
-      const appSvc = doc.services.find((s) => s.name === "parachute-app");
+      const appSvc = doc.services.find((s) => s.name === "parachute-surface");
       expect(appSvc?.uis).toEqual([
         {
           name: "gitcoin-brain",
@@ -500,7 +500,7 @@ describe("buildWellKnown", () => {
         services: [empty],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       expect(svc).not.toHaveProperty("uis");
     });
 
@@ -519,7 +519,7 @@ describe("buildWellKnown", () => {
         services: [withIcon],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       expect(svc?.uis?.[0]?.iconUrl).toBe("https://x.example/app/slug/icon.svg");
     });
 
@@ -538,7 +538,7 @@ describe("buildWellKnown", () => {
         services: [withIcon],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       expect(svc?.uis?.[0]?.iconUrl).toBe("https://cdn.example.com/icon.svg");
     });
 
@@ -562,7 +562,7 @@ describe("buildWellKnown", () => {
         services: [mixed],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       const full = svc?.uis?.find((u) => u.name === "full");
       const minimal = svc?.uis?.find((u) => u.name === "minimal");
       expect(full?.tagline).toBe("Has it all");
@@ -593,7 +593,7 @@ describe("buildWellKnown", () => {
         services: [app1, app2],
         canonicalOrigin: "https://x.example",
       });
-      const svc1 = doc.services.find((s) => s.name === "parachute-app");
+      const svc1 = doc.services.find((s) => s.name === "parachute-surface");
       const svc2 = doc.services.find((s) => s.name === "parachute-app-2");
       expect(svc1?.uis?.map((u) => u.name)).toEqual(["a"]);
       expect(svc2?.uis?.map((u) => u.name)).toEqual(["b"]);