@openparachute/hub 0.5.14-rc.11 → 0.5.14-rc.13

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.11",
-  "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
+  "version": "0.5.14-rc.13",
+  "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {
     "access": "public"
@@ -37,13 +37,16 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
-    "@types/bun": "latest"
+    "@types/bun": "latest",
+    "@types/qrcode": "^1.5.6"
   },
   "peerDependencies": {
     "typescript": "^5"
   },
   "dependencies": {
     "@node-rs/argon2": "^2.0.2",
-    "jose": "^6.2.2"
+    "jose": "^6.2.2",
+    "otpauth": "^9.5.0",
+    "qrcode": "^1.5.4"
   }
 }

package/src/__tests__/account-home-ui.test.ts

@@ -32,6 +32,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // Welcome header includes the username.
     expect(html).toContain("Welcome, alice");
@@ -69,6 +70,7 @@ describe("renderAccountHome", () => {
       hubOrigin: `${HUB_ORIGIN}/`,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     const cleanEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/alice`);
     expect(html).toContain(`https://notes.parachute.computer/add?url=${cleanEncoded}`);
@@ -86,6 +88,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: true,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     expect(html).toContain("Welcome, admin");
     expect(html).toContain("hub administrator");
@@ -106,6 +109,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     expect(html).toContain("Welcome, ghost");
     expect(html).toContain("Ask the hub operator");
@@ -123,6 +127,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // Change-password link points at the existing /account/change-password
     // route (server-rendered HTML, separate handler).
@@ -136,6 +141,37 @@ describe("renderAccountHome", () => {
     expect(html).toContain("<code>alice</code>");
   });
 
+  test("account card — 2FA status reflects twoFactorEnabled (hub#473)", () => {
+    const off = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+      twoFactorEnabled: false,
+    });
+    expect(off).toContain('data-testid="2fa-status"');
+    expect(off).toContain(">Off<");
+    // Off → "Set up two-factor" affordance.
+    expect(off).toContain('data-testid="setup-2fa-link"');
+    expect(off).toContain('href="/account/2fa"');
+
+    const on = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+      twoFactorEnabled: true,
+    });
+    expect(on).toContain(">On<");
+    // On → "Manage two-factor" affordance.
+    expect(on).toContain('data-testid="manage-2fa-link"');
+    expect(on).toContain('href="/account/2fa"');
+  });
+
   test("multi-vault branch — renders one tile per assigned vault (Phase 2 PR 2)", () => {
     const html = renderAccountHome({
       username: "alice",
@@ -144,6 +180,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // Plural heading.
     expect(html).toContain("Your vaults");
@@ -191,6 +228,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // The injected username/vault metacharacters are escaped — the only
     // `<script>` tag in the output is the page's own copy-button helper, so

package/src/__tests__/auth.test.ts

@@ -65,34 +65,159 @@ async function captureOutput(fn: () => Promise<number> | number): Promise<{
 }
 
 describe("parachute auth", () => {
-  test("2fa enroll forwards to parachute-vault 2fa enroll", async () => {
-    const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll"]]);
+  test("2fa is hub-local — never forwards to parachute-vault", async () => {
+    // 2fa used to forward to the deprecated `parachute-vault 2fa` stub. As of
+    // hub#473 it's real hub-login TOTP, fully hub-local (hub.db). No subprocess.
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+      const { runner, calls } = makeRunner(0);
+      const out = await captureOutput(() =>
+        auth(["2fa", "status"], { runner, dbPath: tmp.dbPath }),
+      );
+      expect(out.code).toBe(0);
+      expect(calls).toEqual([]); // did NOT spawn parachute-vault
+      expect(out.stdout).toContain("Two-factor authentication: OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("2fa enroll --some-flag forwards every arg after the subcommand", async () => {
-    const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll", "--some-flag", "value"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll", "--some-flag", "value"]]);
+  test("2fa status reports OFF for a fresh user, then ON after a CLI enroll round-trip", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // status → OFF
+      const off = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off.code).toBe(0);
+      expect(off.stdout).toContain("OFF");
+
+      // enroll requires a confirm code — drive the readLine seam with the
+      // live TOTP code generated from the secret the command prints.
+      const { generateTotpSecret } = await import("../totp.ts");
+      // We can't intercept the random secret the command mints, so instead
+      // exercise the store directly to assert the ON path is reachable, then
+      // assert the CLI status reflects it. (The handler-level enroll round
+      // trip is covered in two-factor.test.ts against the real secret.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const u = listUsers(db2)[0]!;
+      const { secret } = generateTotpSecret(u.username);
+      await persistEnrollment(db2, u.id, secret);
+      db2.close();
+
+      const on = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(on.code).toBe(0);
+      expect(on.stdout).toContain("ON");
+      expect(on.stdout).toContain("backup_codes");
+
+      // disenroll clears it.
+      const dis = await captureOutput(() =>
+        auth(["2fa", "disenroll"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(dis.code).toBe(0);
+      expect(dis.stdout).toContain("Turned off");
+
+      const off2 = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off2.stdout).toContain("OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("exit code from parachute-vault is propagated", async () => {
-    const { runner } = makeRunner(3);
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(3);
+  test("2fa enroll confirms the printed secret against a live code, prints backup codes", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // Single console.log interception that BOTH accumulates stdout and lets
+      // the readLine seam read the secret the command just printed. (Avoids
+      // nesting two console.log replacements.)
+      const OTPAuth = await import("otpauth");
+      const origLog = console.log;
+      let stdout = "";
+      let capturedSecret = "";
+      console.log = (...a: unknown[]) => {
+        const line = a.map(String).join(" ");
+        stdout += `${line}\n`;
+        const m = line.match(/secret key:\s+([A-Z2-7]+)/);
+        if (m) capturedSecret = m[1]!;
+      };
+      let code = "";
+      let exitCode = 0;
+      try {
+        exitCode = await auth(["2fa", "enroll"], {
+          dbPath: tmp.dbPath,
+          isInteractive: () => true,
+          readLine: async () => {
+            // The secret has been printed by the time the prompt fires.
+            const totp = new OTPAuth.TOTP({
+              issuer: "Parachute Hub",
+              label: "owner",
+              algorithm: "SHA1",
+              digits: 6,
+              period: 30,
+              secret: OTPAuth.Secret.fromBase32(capturedSecret),
+            });
+            code = totp.generate();
+            return code;
+          },
+        });
+      } finally {
+        console.log = origLog;
+      }
+      expect(exitCode).toBe(0);
+      expect(capturedSecret.length).toBeGreaterThan(0);
+      expect(stdout).toContain("now ON");
+      // 10 backup codes printed (hyphenated form).
+      const backupLines = stdout.split("\n").filter((l) => /^ {2}[a-z2-9]{5}-[a-z2-9]{5}$/.test(l));
+      expect(backupLines.length).toBe(10);
+      expect(code.length).toBe(6);
+      // The persisted state reflects the enrollment: the captured secret is
+      // now stored on the user row. (We don't re-verify `code` — the enroll
+      // confirm consumed it via the replay cache, by design.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { getTotpState } = await import("../two-factor-store.ts");
+      const uid = listUsers(db2)[0]!.id;
+      const persisted = getTotpState(db2, uid);
+      expect(persisted.secret).toBe(capturedSecret);
+      expect(persisted.backupCodes.length).toBe(10);
+      db2.close();
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("ENOENT on a vault-forwarded subcommand surfaces install hint and exit 127", async () => {
-    const runner: Runner = {
-      async run() {
-        throw new Error("ENOENT: spawn parachute-vault");
-      },
-    };
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(127);
+  test("2fa enroll refuses to re-enroll when already on", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      const out = await captureOutput(() =>
+        auth(["2fa", "enroll"], { dbPath: tmp.dbPath, isInteractive: () => true }),
+      );
+      expect(out.code).toBe(1);
+      expect(out.stderr).toContain("already enabled");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
   test("set-password no longer forwards to vault", async () => {
@@ -142,23 +267,25 @@ describe("authHelp", () => {
   test("lists every blessed subcommand", () => {
     expect(h).toContain("parachute auth set-password");
     expect(h).toContain("parachute auth list-users");
-    expect(h).toContain("parachute auth 2fa status");
-    expect(h).toContain("parachute auth 2fa enroll");
-    expect(h).toContain("parachute auth 2fa disable");
-    expect(h).toContain("parachute auth 2fa backup-codes");
+    expect(h).toContain("parachute auth 2fa");
     expect(h).toContain("parachute auth rotate-key");
   });
 
+  test("2fa help documents the real hub-login TOTP subcommands (#473)", () => {
+    expect(h).toContain("#473");
+    // Real enroll / disenroll subcommands are now advertised.
+    expect(h).toContain("2fa enroll");
+    expect(h).toContain("2fa disenroll");
+    expect(h).toContain("otpauth://");
+    expect(h).toContain("backup codes");
+  });
+
   test("set-password help mentions the new flags + hub-local home", () => {
     expect(h).toContain("--username");
     expect(h).toContain("--allow-multi");
     expect(h).toContain("hub.db");
   });
 
-  test("mentions the vault-install hint", () => {
-    expect(h).toContain("parachute install vault");
-  });
-
   test("rotate-key explains the 24h JWKS retention", () => {
     expect(h).toContain("jwks.json");
     // "24" + "hours" may be split by line wrap; check both pieces.

package/src/__tests__/cli.test.ts

@@ -123,6 +123,43 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/dash\.cloudflare\.com/);
   });
 
+  test("expose cloudflare is an alias for expose public --cloudflare (Fix 5)", async () => {
+    // No --domain, non-TTY → same hard error as `expose public --cloudflare`.
+    // That it reaches the cloudflare-domain check (not "unknown layer") proves
+    // the alias rewrote the layer to public + forced the cloudflare flag.
+    const { code, stderr } = await runCli(["expose", "cloudflare"]);
+    expect(code).toBe(1);
+    expect(stderr).toMatch(/--domain <hostname> is required/);
+    expect(stderr).not.toMatch(/unknown layer/);
+  });
+
+  test("expose cloudflare --domain X routes to the cloudflare path (not 'unknown layer')", async () => {
+    // cloudflared isn't installed under PATH="", so the cloudflare path prints
+    // its own not-installed hint — distinct from the layer-validation error.
+    const proc = Bun.spawn(
+      [process.execPath, CLI, "expose", "cloudflare", "--domain", "vault.example.com"],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+        env: {
+          ...process.env,
+          PATH: "",
+          HOME: "/tmp/parachute-hub-nonexistent-home",
+          PARACHUTE_HOME: "/tmp/parachute-hub-nonexistent-home",
+        },
+      },
+    );
+    const [stdout, stderr, code] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]);
+    expect(code).toBe(1);
+    expect(stderr).not.toMatch(/unknown layer/);
+    // Reached the cloudflare path (cloudflared detection), proving the alias.
+    expect(stdout).toMatch(/cloudflared is not installed/);
+  });
+
   test("expose tailnet --cloudflare is rejected (cloudflare is public-only)", async () => {
     const { code, stderr } = await runCli([
       "expose",

package/src/__tests__/expose-2fa-warning.test.ts

@@ -24,46 +24,53 @@ describe("is2FAEnrolled", () => {
     expect(is2FAEnrolled({ status: status({ hasTotp: false }) })).toBe(false);
   });
 
-  test("reads totp_secret from vaultHome's config.yaml when status not supplied", () => {
+  test("falls back to legacy config.yaml totp_secret when hub.db is absent", () => {
+    // hub#473: hub.db is the source of truth for real 2FA, but a super-old
+    // install with no hub.db still suppresses the warning if the legacy vault
+    // YAML totp_secret is set. Point hubDbPath at a nonexistent file so the
+    // YAML fallback is exercised.
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(true);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("missing config.yaml → not enrolled (false)", () => {
+  test("missing config.yaml + absent hub.db → not enrolled (false)", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      // No config.yaml written.
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      // No config.yaml written, no hub.db.
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("empty totp_secret value → not enrolled (matches vault's readGlobalConfig)", () => {
+  test("empty totp_secret value + absent hub.db → not enrolled", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: ""\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("malformed config.yaml → not enrolled (safer fail mode, fires warning)", () => {
-    // The probe parses config.yaml with a line-anchored regex (no YAML
-    // dependency), so junk content simply doesn't match `totp_secret: "..."`
-    // and resolves to `hasTotp: false` — which fires the public-exposure
-    // warning rather than silently suppressing it. Pin that contract so a
-    // future refactor of auth-status.ts can't quietly invert it.
+  test("hub.db with an enrolled user → enrolled (the real signal)", async () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      writeFileSync(join(dir, "config.yaml"), "totp_secret: [unbalanced\n  ::: not yaml\n");
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      const { hubDbPath, openHubDb } = await import("../hub-db.ts");
+      const { createUser } = await import("../users.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const dbPath = hubDbPath(dir);
+      const db = openHubDb(dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: dbPath })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
@@ -80,9 +87,14 @@ describe("printPublic2FAWarning", () => {
     });
     expect(fired).toBe(true);
     const joined = logs.join("\n");
-    expect(joined).toContain("2FA is not enrolled");
+    // hub#473: real hub-login 2FA. The warning now recommends the real
+    // `parachute auth 2fa enroll` path (+ the /account/2fa browser path) and
+    // still nudges a strong owner password.
+    expect(joined).toContain("/login is now reachable on the public internet");
     expect(joined).toContain("https://vault.example.com/login");
     expect(joined).toContain("parachute auth 2fa enroll");
+    expect(joined).toContain("/account/2fa");
+    expect(joined).toContain("parachute auth set-password");
   });
 
   test("enrolled → suppressed, returns false, logs nothing", () => {
@@ -108,7 +120,9 @@ describe("printPublic2FAWarning", () => {
       publicUrl: "https://vault.example.com",
     });
     expect(fired).toBe(true);
-    expect(logs.some((l) => l.includes("2FA is not enrolled"))).toBe(true);
+    expect(logs.some((l) => l.includes("/login is now reachable on the public internet"))).toBe(
+      true,
+    );
   });
 
   test("embeds the supplied publicUrl into the /login pointer", () => {