@openparachute/hub 0.5.13 → 0.5.14-rc.2

package/src/__tests__/api-users.test.ts

@@ -1,5 +1,6 @@
 /**
- * Tests for `/api/users*` (multi-user Phase 1, PR 2). Covers:
+ * Tests for `/api/users*` (multi-user Phase 1 PR 2 + Phase 2 PR 1).
+ * Covers:
  *
  *   - Auth boundary: every endpoint requires a bearer carrying
  *     `parachute:host:admin`.
@@ -11,6 +12,10 @@
  *     400 `assigned_vault_not_found`).
  *   - DELETE happy path with token revocation; first-admin-undeletable
  *     returns 403; 404 on unknown id.
+ *   - POST /:id/reset-password (Phase 2 PR 1) happy path with token
+ *     revocation, first-admin protection (403 cannot_reset_first_admin),
+ *     password-validation branches (too-short 400, too-long 413 before
+ *     argon2id), missing target (404), auth boundary.
  *   - GET /api/users/vaults returns the same name set the OAuth issuer
  *     would resolve against.
  *   - 405 on wrong methods.
@@ -25,10 +30,12 @@ import {
   handleDeleteUser,
   handleListUsers,
   handleListVaults,
+  handleResetUserPassword,
+  handleUpdateUserVaults,
 } from "../api-users.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import { findTokenRowByJti, recordTokenMint, signAccessToken } from "../jwt-sign.ts";
-import { createUser } from "../users.ts";
+import { createUser, getUserById, verifyPassword } from "../users.ts";
 
 const ISSUER = "https://hub.test";
 const HOST_ADMIN_SCOPE = "parachute:host:admin";
@@ -170,7 +177,7 @@ describe("handleListUsers", () => {
       expect(u).toHaveProperty("id");
       expect(u).toHaveProperty("username");
       expect(u).toHaveProperty("password_changed");
-      expect(u).toHaveProperty("assigned_vault");
+      expect(u).toHaveProperty("assigned_vaults");
       expect(u).toHaveProperty("created_at");
     }
   });
@@ -214,13 +221,13 @@ describe("handleCreateUser", () => {
     const res = await post(bearer, {
       username: "alice",
       password: "alice-strong-passphrase",
-      assignedVault: null,
+      assignedVaults: [],
     });
     expect(res.status).toBe(201);
     const body = (await res.json()) as { user: Record<string, unknown> };
     expect(body.user.username).toBe("alice");
     expect(body.user.password_changed).toBe(false);
-    expect(body.user.assigned_vault).toBeNull();
+    expect(body.user.assigned_vaults).toEqual([]);
     expect(body.user).not.toHaveProperty("password_hash");
   });
 
@@ -325,9 +332,9 @@ describe("handleCreateUser", () => {
     const stamp = "2026-05-20T00:00:00.000Z";
     harness.db
       .prepare(
-        "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed, assigned_vault) VALUES (?, ?, ?, ?, ?, ?, ?)",
+        "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed) VALUES (?, ?, ?, ?, ?, ?)",
       )
-      .run("legacy-id", "Alice", "$argon2id$fake", stamp, stamp, 1, null);
+      .run("legacy-id", "Alice", "$argon2id$fake", stamp, stamp, 1);
     const { bearer } = await makeAdminBearer();
     const res = await post(bearer, {
       username: "alice",
@@ -343,25 +350,55 @@ describe("handleCreateUser", () => {
     const res = await post(bearer, {
       username: "alice",
       password: "alice-strong-passphrase",
-      assignedVault: "ghost-vault",
+      assignedVaults: ["ghost-vault"],
     });
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
     expect(body.error).toBe("assigned_vault_not_found");
   });
 
-  test("happy path with assigned_vault that exists in services.json", async () => {
+  test("happy path with single assigned_vaults that exists in services.json", async () => {
     harness.cleanup();
     harness = makeHarness(manifestWithVaults("home"));
     const { bearer } = await makeAdminBearer();
     const res = await post(bearer, {
       username: "alice",
       password: "alice-strong-passphrase",
-      assignedVault: "home",
+      assignedVaults: ["home"],
     });
     expect(res.status).toBe(201);
     const body = (await res.json()) as { user: Record<string, unknown> };
-    expect(body.user.assigned_vault).toBe("home");
+    expect(body.user.assigned_vaults).toEqual(["home"]);
+  });
+
+  test("happy path with multiple assigned_vaults (Phase 2 PR 2)", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("personal", "family"));
+    const { bearer } = await makeAdminBearer();
+    const res = await post(bearer, {
+      username: "alice",
+      password: "alice-strong-passphrase",
+      assignedVaults: ["personal", "family"],
+    });
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as { user: Record<string, unknown> };
+    const list = body.user.assigned_vaults as string[];
+    expect(new Set(list)).toEqual(new Set(["personal", "family"]));
+  });
+
+  test("400 assigned_vault_not_found when ANY vault in the array is unknown", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home"));
+    const { bearer } = await makeAdminBearer();
+    const res = await post(bearer, {
+      username: "alice",
+      password: "alice-strong-passphrase",
+      assignedVaults: ["home", "ghost"],
+    });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("assigned_vault_not_found");
+    expect(body.error_description).toContain("ghost");
   });
 });
 
@@ -477,6 +514,214 @@ describe("handleDeleteUser", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// POST /api/users/:id/reset-password — admin-initiated password reset
+// (multi-user Phase 2 PR 1)
+// ---------------------------------------------------------------------------
+
+describe("handleResetUserPassword", () => {
+  async function post(
+    bearer: string | null,
+    id: string,
+    body: Record<string, unknown> | string | null,
+    headers: Record<string, string> = {},
+  ): Promise<Response> {
+    const init: RequestInit = {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...(bearer ? { authorization: `Bearer ${bearer}` } : {}),
+        ...headers,
+      },
+      body: body === null ? undefined : typeof body === "string" ? body : JSON.stringify(body),
+    };
+    return await handleResetUserPassword(req(`/api/users/${id}/reset-password`, init), id, deps());
+  }
+
+  test("401 with no Authorization header", async () => {
+    const res = await post(null, "some-id", { new_password: "twelvechars1" });
+    expect(res.status).toBe(401);
+  });
+
+  test("403 when bearer lacks parachute:host:admin", async () => {
+    const { bearer } = await makeAdminBearer(["other:scope"]);
+    const res = await post(bearer, "some-id", { new_password: "twelvechars1" });
+    expect(res.status).toBe(403);
+  });
+
+  test("405 on GET", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await handleResetUserPassword(
+      withBearer("/api/users/some-id/reset-password", bearer, { method: "GET" }),
+      "some-id",
+      deps(),
+    );
+    expect(res.status).toBe(405);
+  });
+
+  test("404 when target user does not exist", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await post(bearer, "no-such-id", { new_password: "twelvechars1" });
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("not_found");
+  });
+
+  test("403 cannot_reset_first_admin when targeting the first admin", async () => {
+    const { bearer, userId } = await makeAdminBearer();
+    const res = await post(bearer, userId, { new_password: "twelvechars1" });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("cannot_reset_first_admin");
+    // First-admin row's hash + password_changed bit untouched.
+    const fresh = getUserById(harness.db, userId);
+    expect(fresh?.passwordChanged).toBe(true);
+  });
+
+  test("400 invalid_password when new_password is too short (< 12 chars)", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, { new_password: "short" });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("invalid_password");
+    expect(body.error_description).toMatch(/12 characters/);
+  });
+
+  test("413 password_too_long when new_password > 256 chars (before argon2id touches it)", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const huge = "a".repeat(300);
+    const t0 = Date.now();
+    const res = await post(bearer, friend.id, { new_password: huge });
+    const elapsed = Date.now() - t0;
+    expect(res.status).toBe(413);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("password_too_long");
+    // Same liveness check as the create-user path: 300-char argon2id is
+    // hundreds of ms; cap-and-reject should complete in <200ms.
+    expect(elapsed).toBeLessThan(200);
+  });
+
+  test("400 invalid_request when content-type is not application/json", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, "new_password=twelvechars1", {
+      "content-type": "application/x-www-form-urlencoded",
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test("400 invalid_request when new_password missing", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, {});
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("invalid_request");
+  });
+
+  test("happy path — rotates hash, flips password_changed=false, returns user shape", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const oldHash = friend.passwordHash;
+    const res = await post(bearer, friend.id, { new_password: "new-temp-passphrase" });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      user: { id: string; password_changed: boolean; username: string };
+    };
+    expect(body.ok).toBe(true);
+    expect(body.user.id).toBe(friend.id);
+    expect(body.user.username).toBe("alice");
+    expect(body.user.password_changed).toBe(false);
+    // Echo body never carries the hash (or the new password).
+    expect(body.user).not.toHaveProperty("password_hash");
+    expect(body).not.toHaveProperty("new_password");
+    // Round-trip on the user row: new password works, old does not, hash
+    // moved, password_changed is now false (force-redirect on next login).
+    const fresh = getUserById(harness.db, friend.id);
+    expect(fresh).not.toBeNull();
+    expect(fresh?.passwordHash).not.toBe(oldHash);
+    expect(fresh?.passwordChanged).toBe(false);
+    expect(await verifyPassword(fresh!, "new-temp-passphrase")).toBe(true);
+    expect(await verifyPassword(fresh!, "alice-strong-passphrase")).toBe(false);
+  });
+
+  test("response body includes revocation_lag_seconds = 60 so clients can surface the propagation lag (smoke 2026-05-27 finding 3)", async () => {
+    // Resource servers cache the revocation list via scope-guard's
+    // REVOCATION_CACHE_TTL_MS = 60_000 — so even though hub marks the
+    // user's tokens revoked immediately and publishes them on the
+    // revocation list, vault/scribe/etc. may keep accepting the
+    // revoked token for up to 60 seconds. For the stolen-device
+    // recovery threat model that's a meaningful exposure window
+    // the admin needs to know about. Surface the lag in the
+    // response body so the SPA's success banner can warn operators.
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, { new_password: "new-temp-passphrase" });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      user: unknown;
+      revocation_lag_seconds: number;
+    };
+    expect(body.revocation_lag_seconds).toBe(60);
+  });
+
+  test("revokes the friend's existing tokens (pre-reset token row has revoked_at after)", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const minted = await signAccessToken(harness.db, {
+      sub: friend.id,
+      scopes: ["vault:home:read"],
+      audience: "vault",
+      clientId: "notes-client",
+      issuer: ISSUER,
+      ttlSeconds: 600,
+    });
+    recordTokenMint(harness.db, {
+      jti: minted.jti,
+      createdVia: "operator_mint",
+      subject: friend.username,
+      userId: friend.id,
+      clientId: "notes-client",
+      scopes: ["vault:home:read"],
+      expiresAt: minted.expiresAt,
+    });
+    expect(findTokenRowByJti(harness.db, minted.jti)?.revokedAt).toBeNull();
+
+    const res = await post(bearer, friend.id, { new_password: "new-temp-passphrase" });
+    expect(res.status).toBe(200);
+
+    const row = findTokenRowByJti(harness.db, minted.jti);
+    expect(row?.revokedAt).not.toBeNull();
+    // User row sticks around (unlike delete), so user_id is NOT NULLed.
+    expect(row?.userId).toBe(friend.id);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // GET /api/users/vaults — vault-name list for the assigned-vault dropdown
 // ---------------------------------------------------------------------------
@@ -520,3 +765,130 @@ describe("handleListVaults", () => {
     expect(body.vaults).toEqual(["home", "scratch", "work"]);
   });
 });
+
+// ---------------------------------------------------------------------------
+// PATCH /api/users/:id/vaults — edit vault assignments (Phase 2 PR 2)
+// ---------------------------------------------------------------------------
+
+describe("handleUpdateUserVaults", () => {
+  async function patch(
+    bearer: string,
+    userId: string,
+    body: Record<string, unknown> | string,
+    headers: Record<string, string> = {},
+  ): Promise<Response> {
+    const init: RequestInit = {
+      method: "PATCH",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${bearer}`,
+        ...headers,
+      },
+      body: typeof body === "string" ? body : JSON.stringify(body),
+    };
+    return await handleUpdateUserVaults(req(`/api/users/${userId}/vaults`, init), userId, deps());
+  }
+
+  test("401 with no Authorization header", async () => {
+    const res = await handleUpdateUserVaults(
+      req("/api/users/some-id/vaults", {
+        method: "PATCH",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ assigned_vaults: [] }),
+      }),
+      "some-id",
+      deps(),
+    );
+    expect(res.status).toBe(401);
+  });
+
+  test("405 on non-PATCH", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await handleUpdateUserVaults(
+      withBearer("/api/users/x/vaults", bearer, { method: "POST" }),
+      "x",
+      deps(),
+    );
+    expect(res.status).toBe(405);
+  });
+
+  test("404 when target user does not exist", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await patch(bearer, "no-such-id", { assigned_vaults: [] });
+    expect(res.status).toBe(404);
+  });
+
+  test("403 cannot_edit_first_admin_vaults for the first admin", async () => {
+    // The bearer-minting helper creates the first admin already; mint
+    // again returns the same admin's id.
+    const { bearer, userId } = await makeAdminBearer();
+    const res = await patch(bearer, userId, { assigned_vaults: ["home"] });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("cannot_edit_first_admin_vaults");
+  });
+
+  test("400 when assigned_vaults is missing", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+    });
+    const res = await patch(bearer, friend.id, {});
+    expect(res.status).toBe(400);
+  });
+
+  test("400 when assigned_vaults entry is not a string", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: ["ok", 7] });
+    expect(res.status).toBe(400);
+  });
+
+  test("400 assigned_vault_not_found when a vault doesn't exist in services.json", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home"));
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: ["home", "ghost"] });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("assigned_vault_not_found");
+  });
+
+  test("happy path — replaces the user's vault list and bumps updated_at", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home", "work", "family"));
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      assignedVaults: ["home"],
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: ["work", "family"] });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      user: { id: string; assigned_vaults: string[]; updated_at: string };
+    };
+    expect(body.ok).toBe(true);
+    expect(new Set(body.user.assigned_vaults)).toEqual(new Set(["work", "family"]));
+    expect(body.user.assigned_vaults).not.toContain("home");
+  });
+
+  test("empty array clears every assignment", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home", "work"));
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      assignedVaults: ["home", "work"],
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: [] });
+    expect(res.status).toBe(200);
+    const fresh = getUserById(harness.db, friend.id);
+    expect(fresh?.assignedVaults).toEqual([]);
+  });
+});

package/src/__tests__/chrome-strip.test.ts

@@ -82,21 +82,21 @@ describe("shouldInjectChrome", () => {
     expect(shouldInjectChrome("/admin/vaults")).toBe(true);
     expect(shouldInjectChrome("/scribe/admin")).toBe(true);
     expect(shouldInjectChrome("/vault/default/admin/")).toBe(true);
-    expect(shouldInjectChrome("/app/admin/modules")).toBe(true);
+    expect(shouldInjectChrome("/surface/admin/modules")).toBe(true);
   });
 
-  test("default: opts out the Notes PWA at /app/notes/*", () => {
-    expect(shouldInjectChrome("/app/notes")).toBe(false);
-    expect(shouldInjectChrome("/app/notes/")).toBe(false);
-    expect(shouldInjectChrome("/app/notes/index.html")).toBe(false);
-    expect(shouldInjectChrome("/app/notes/assets/index-XXX.js")).toBe(false);
+  test("default: opts out the Notes PWA at /surface/notes/*", () => {
+    expect(shouldInjectChrome("/surface/notes")).toBe(false);
+    expect(shouldInjectChrome("/surface/notes/")).toBe(false);
+    expect(shouldInjectChrome("/surface/notes/index.html")).toBe(false);
+    expect(shouldInjectChrome("/surface/notes/assets/index-XXX.js")).toBe(false);
   });
 
   test("opt-out prefix matching does not over-match sibling paths", () => {
-    // `/app/notesbook` must NOT match `/app/notes/` — startsWith check
+    // `/surface/notesbook` must NOT match `/surface/notes/` — startsWith check
     // requires a trailing slash boundary.
-    expect(shouldInjectChrome("/app/notesbook")).toBe(true);
-    expect(shouldInjectChrome("/app/notes-archive/")).toBe(true);
+    expect(shouldInjectChrome("/surface/notesbook")).toBe(true);
+    expect(shouldInjectChrome("/surface/notes-archive/")).toBe(true);
   });
 
   test("custom opt-out list is honored", () => {
@@ -111,8 +111,8 @@ describe("shouldInjectChrome", () => {
     expect(shouldInjectChrome("/foo/bar", ["/foo"])).toBe(false);
   });
 
-  test("the canonical opt-out list contains /app/notes/", () => {
-    expect(CHROME_OPT_OUT_PREFIXES).toContain("/app/notes/");
+  test("the canonical opt-out list contains /surface/notes/", () => {
+    expect(CHROME_OPT_OUT_PREFIXES).toContain("/surface/notes/");
   });
 });
 
@@ -250,27 +250,27 @@ describe("injectChromeIntoResponse", () => {
     expect(cssOut).toBe(css);
   });
 
-  test("passes through responses on opt-out paths (/app/notes/) unchanged", async () => {
+  test("passes through responses on opt-out paths (/surface/notes/) unchanged", async () => {
     const res = new Response("<html><body>notes</body></html>", {
       status: 200,
       headers: { "content-type": "text/html" },
     });
     const out = await injectChromeIntoResponse(res, {
       chromeHtml: chrome,
-      pathname: "/app/notes/",
+      pathname: "/surface/notes/",
     });
     expect(out).toBe(res);
     expect(await out.text()).toBe("<html><body>notes</body></html>");
   });
 
-  test("passes through responses on opt-out sub-paths (/app/notes/assets/x.js)", async () => {
+  test("passes through responses on opt-out sub-paths (/surface/notes/assets/x.js)", async () => {
     const res = new Response("<html><body>notes</body></html>", {
       status: 200,
       headers: { "content-type": "text/html" },
     });
     const out = await injectChromeIntoResponse(res, {
       chromeHtml: chrome,
-      pathname: "/app/notes/index.html",
+      pathname: "/surface/notes/index.html",
     });
     expect(out).toBe(res);
   });