@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/__tests__/admin-vaults.test.ts

@@ -8,11 +8,21 @@ import { signAccessToken } from "../jwt-sign.ts";
 import { upsertService, writeManifest } from "../services-manifest.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
 
-/** Build the JSON shape parachute-vault create --json emits (PR #184). */
-function vaultCreateJson(name: string, token = `pvt_${name}_token`): string {
+/**
+ * Build the JSON shape `parachute-vault create --json` emits (PR #184).
+ * Post the pvt_* DROP the `token` is a hub-issued access JWT (scoped
+ * `vault:<name>:admin`), and may be the empty string when the vault
+ * couldn't mint — in which case `token_guidance` carries the reason.
+ */
+function vaultCreateJson(
+  name: string,
+  token = `hubjwt.${name}.access`,
+  tokenGuidance?: string,
+): string {
   return JSON.stringify({
     name,
     token,
+    ...(tokenGuidance ? { token_guidance: tokenGuidance } : {}),
     paths: {
       vault_dir: `/home/test/.parachute/vault/${name}`,
       vault_db: `/home/test/.parachute/vault/${name}/vault.db`,
@@ -404,7 +414,7 @@ describe("POST /vaults — orchestration", () => {
           );
           return {
             exitCode: 0,
-            stdout: vaultCreateJson("work", "pvt_supersecret"),
+            stdout: vaultCreateJson("work", "hubjwt.work.access"),
             stderr: "",
           };
         };
@@ -420,7 +430,7 @@ describe("POST /vaults — orchestration", () => {
           token?: string;
           paths?: { vault_dir: string; vault_db: string; vault_config: string };
         };
-        expect(body.token).toBe("pvt_supersecret");
+        expect(body.token).toBe("hubjwt.work.access");
         expect(body.paths).toEqual({
           vault_dir: "/home/test/.parachute/vault/work",
           vault_db: "/home/test/.parachute/vault/work/vault.db",
@@ -434,6 +444,62 @@ describe("POST /vaults — orchestration", () => {
     }
   });
 
+  test("201 forwards an empty token + token_guidance when the vault couldn't mint (post-DROP)", async () => {
+    // The vault emits `token: ""` + a `token_guidance` reason when no hub
+    // origin was reachable to mint against (e.g. loopback create). The hub
+    // must forward both verbatim so the SPA can render the
+    // created-but-no-token state instead of confusing it with a re-POST.
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        upsertService(
+          {
+            name: "parachute-vault",
+            port: 1940,
+            paths: ["/vault/default"],
+            health: "/health",
+            version: "0.3.5",
+          },
+          h.manifestPath,
+        );
+        const runCommand = async (_cmd: readonly string[]): Promise<RunResult> => {
+          upsertService(
+            {
+              name: "parachute-vault",
+              port: 1940,
+              paths: ["/vault/default", "/vault/work"],
+              health: "/health",
+              version: "0.3.5",
+            },
+            h.manifestPath,
+          );
+          return {
+            exitCode: 0,
+            stdout: vaultCreateJson("work", "", "no hub origin reachable to mint against"),
+            stderr: "",
+          };
+        };
+        const res = await call({
+          db,
+          manifestPath: h.manifestPath,
+          body: { name: "work" },
+          runCommand,
+        });
+        // Still a fresh create — HTTP 201, NOT 200.
+        expect(res.status).toBe(201);
+        const body = (await res.json()) as { token?: string; token_guidance?: string };
+        expect(body.token).toBe("");
+        expect(body.token_guidance).toBe("no hub origin reachable to mint against");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("500 when `parachute-vault create --json` exits 0 but stdout is unparseable", async () => {
     const h = makeHarness();
     try {

package/src/__tests__/api-account.test.ts

@@ -25,6 +25,7 @@ import { join } from "node:path";
 import {
   handleAccountChangePasswordGet,
   handleAccountChangePasswordPost,
+  handleAccountHomeGet,
   markPasswordChanged,
 } from "../api-account.ts";
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
@@ -256,7 +257,110 @@ describe("POST /account/change-password", () => {
     }
   });
 
-  test("missing next defaults to /admin/vaults", async () => {
+  test("non-admin user with no next defaults to /account/ (no admin-shell flash)", async () => {
+    // Without this rewrite, a friend's change-password POST would 302 to
+    // /admin/vaults, the SPA would load, the 403 from
+    // /admin/host-admin-token would bounce them to /account/ — a visible
+    // two-hop flash. Mirror the login-redirect rewrite in admin-handlers.ts.
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("non-admin user with next=/admin/users gets rewritten to /account/", async () => {
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/admin/users",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("non-admin user with non-admin next= passes through unchanged", async () => {
+    // Friends with a legitimate non-admin destination (e.g. /oauth/authorize
+    // mid-flow) should land where they intended — the rewrite only catches
+    // /admin/* targets.
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/oauth/authorize?client_id=abc",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/oauth/authorize?client_id=abc");
+  });
+
+  test("non-admin with exact next=/admin (no trailing slash) rewrites to /account/", async () => {
+    // Pins the exact-match arm of the prefix gate. Tests in #426 cover
+    // /admin/users (prefix match) and the no-next case (POST_CHANGE_DEFAULT
+    // → rewrite). This is the third arm.
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/admin",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("first admin with no next still defaults to /admin/vaults", async () => {
+    // Existing behavior — preserved by the non-admin gate. The first user
+    // is the admin under Phase 1; admin SPA is the intended landing.
     const { cookie } = await sessionCookieFor(harness.db, "newbie", "old-default-pw", {
       passwordChanged: false,
     });
@@ -628,3 +732,89 @@ describe("markPasswordChanged", () => {
     expect(after?.passwordChanged).toBe(true);
   });
 });
+
+describe("handleAccountHomeGet", () => {
+  // Integration smoke for `GET /account/` — verifies session gating
+  // (302 → /login when missing) and the happy path (200 + rendered HTML
+  // with the user's vault). The pure-renderer assertions live in
+  // `account-home-ui.test.ts`; this suite pins handler-level wiring.
+
+  const HUB_ORIGIN = "https://hub.test";
+
+  test("302 → /login when no session cookie is present", async () => {
+    const req = new Request(`${HUB_ORIGIN}/account/`);
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(302);
+    const location = res.headers.get("location") ?? "";
+    // Round-trip /account/ as the `next` param so post-login lands back.
+    expect(location).toBe(`/login?next=${encodeURIComponent("/account/")}`);
+  });
+
+  test("200 + HTML for a signed-in friend with an assigned vault", async () => {
+    // Create the admin first (so the friend is NOT the first admin),
+    // then a friend with an assigned vault.
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("content-type")).toContain("text/html");
+    const html = await res.text();
+    expect(html).toContain("Welcome, alice");
+    // Vault name visible.
+    expect(html).toContain("<strong>alice</strong>");
+    // Notes CTA carries the hub-origin-encoded vault URL.
+    const encoded = encodeURIComponent(`${HUB_ORIGIN}/vault/alice`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${encoded}`);
+  });
+
+  test("200 + admin branch when the first-admin signs in (no vault assignments)", async () => {
+    // The first-created user with no vault pin is the admin posture.
+    const admin = await createUser(harness.db, "admin", "admin-passphrase", {
+      passwordChanged: true,
+    });
+    const session = createSession(harness.db, { userId: admin.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain("Welcome, admin");
+    expect(html).toContain("hub administrator");
+    expect(html).toContain('href="/admin/"');
+  });
+
+  test("302 → /login when the session points at a deleted user", async () => {
+    // Stale-session shape: a session row outlives its user. The handler
+    // hands back to /login rather than rendering against null.
+    //
+    // Construction note: `deleteUser` drops the session as part of its
+    // cleanup transaction, and the sessions.user_id FK is RESTRICT, so
+    // we briefly drop FK enforcement to fabricate the orphan-session
+    // shape. The handler's job is robustness against an externally-
+    // induced orphan (e.g. a race between session-read and user-delete
+    // on a different connection); the test exercises that defensive
+    // branch directly.
+    const user = await createUser(harness.db, "ghost", "ghost-passphrase", {
+      passwordChanged: true,
+    });
+    const session = createSession(harness.db, { userId: user.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    harness.db.exec("PRAGMA foreign_keys = OFF");
+    try {
+      harness.db.prepare("DELETE FROM users WHERE id = ?").run(user.id);
+    } finally {
+      harness.db.exec("PRAGMA foreign_keys = ON");
+    }
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/login");
+  });
+});