@openparachute/hub 0.5.14-rc.8 → 0.6.0

package/src/__tests__/two-factor.test.ts

@@ -0,0 +1,183 @@
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import * as OTPAuth from "otpauth";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import {
+  _resetTotpReplayCache,
+  findBackupCodeIndex,
+  generateBackupCodes,
+  generateTotpSecret,
+  normalizeBackupCode,
+  verifyTotpCode,
+} from "../totp.ts";
+import {
+  backupCodesRemaining,
+  clearEnrollment,
+  getTotpState,
+  isTotpEnrolled,
+  persistEnrollment,
+  verifySecondFactor,
+} from "../two-factor-store.ts";
+import { createUser } from "../users.ts";
+
+/** Generate the current live TOTP code for a base32 secret. */
+function liveCode(secretBase32: string, label = "owner"): string {
+  return new OTPAuth.TOTP({
+    issuer: "Parachute Hub",
+    label,
+    algorithm: "SHA1",
+    digits: 6,
+    period: 30,
+    secret: OTPAuth.Secret.fromBase32(secretBase32),
+  }).generate();
+}
+
+describe("totp — secret + code", () => {
+  beforeEach(() => _resetTotpReplayCache());
+
+  test("generateTotpSecret returns a base32 secret + an otpauth:// URI", () => {
+    const { secret, otpauthUrl } = generateTotpSecret("alice");
+    expect(secret.length).toBeGreaterThan(0);
+    expect(/^[A-Z2-7]+$/.test(secret)).toBe(true);
+    expect(otpauthUrl.startsWith("otpauth://totp/")).toBe(true);
+    expect(otpauthUrl).toContain("Parachute%20Hub");
+  });
+
+  test("a live code verifies; a wrong code does not", () => {
+    const { secret } = generateTotpSecret("alice");
+    expect(verifyTotpCode(secret, liveCode(secret))).toBe(true);
+    _resetTotpReplayCache();
+    expect(verifyTotpCode(secret, "000000")).toBe(false);
+  });
+
+  test("non-6-digit input is rejected without throwing", () => {
+    const { secret } = generateTotpSecret("alice");
+    expect(verifyTotpCode(secret, "12345")).toBe(false);
+    expect(verifyTotpCode(secret, "1234567")).toBe(false);
+    expect(verifyTotpCode(secret, "abcdef")).toBe(false);
+    expect(verifyTotpCode(secret, "")).toBe(false);
+  });
+
+  test("replay: a code accepted once is rejected on the second try (markUsed default)", () => {
+    const { secret } = generateTotpSecret("alice");
+    const code = liveCode(secret);
+    expect(verifyTotpCode(secret, code)).toBe(true);
+    expect(verifyTotpCode(secret, code)).toBe(false); // replay rejected
+  });
+});
+
+describe("totp — backup codes", () => {
+  test("generates 10 hyphenated codes + matching argon2id hashes", async () => {
+    const { codes, hashes } = await generateBackupCodes();
+    expect(codes.length).toBe(10);
+    expect(hashes.length).toBe(10);
+    for (const c of codes) {
+      expect(/^[a-z2-9]{5}-[a-z2-9]{5}$/.test(c)).toBe(true);
+    }
+    for (const h of hashes) {
+      expect(h.startsWith("$argon2")).toBe(true);
+    }
+  });
+
+  test("findBackupCodeIndex matches a code (hyphen-insensitive) and rejects unknowns", async () => {
+    const { codes, hashes } = await generateBackupCodes();
+    // Match by normalized form (strip hyphen) and by raw hyphenated form.
+    const idx0 = await findBackupCodeIndex(codes[0]!, hashes);
+    expect(idx0).toBe(0);
+    const idxNorm = await findBackupCodeIndex(normalizeBackupCode(codes[3]!), hashes);
+    expect(idxNorm).toBe(3);
+    const miss = await findBackupCodeIndex("zzzzz-zzzzz", hashes);
+    expect(miss).toBe(-1);
+  });
+});
+
+describe("two-factor-store", () => {
+  let db: Database;
+  let configDir: string;
+  let userId: string;
+
+  beforeEach(async () => {
+    _resetTotpReplayCache();
+    configDir = mkdtempSync(join(tmpdir(), "phub-2fa-store-"));
+    db = openHubDb(hubDbPath(configDir));
+    const u = await createUser(db, "owner", "owner-password-123");
+    userId = u.id;
+  });
+  afterEach(() => {
+    db.close();
+    rmSync(configDir, { recursive: true, force: true });
+  });
+
+  test("fresh user: not enrolled, no backup codes", () => {
+    expect(isTotpEnrolled(db, userId)).toBe(false);
+    expect(getTotpState(db, userId).secret).toBeNull();
+    expect(backupCodesRemaining(db, userId)).toBe(0);
+  });
+
+  test("persistEnrollment stores the secret + 10 backup codes (hashed) + a timestamp", async () => {
+    const { secret } = generateTotpSecret("owner");
+    const result = await persistEnrollment(db, userId, secret);
+    expect(result.backupCodes.length).toBe(10);
+    expect(isTotpEnrolled(db, userId)).toBe(true);
+    const state = getTotpState(db, userId);
+    expect(state.secret).toBe(secret);
+    expect(state.backupCodes.length).toBe(10);
+    expect(state.enrolledAt).toBeTruthy();
+    // Stored codes are hashes, NOT the plaintext returned to the user.
+    for (const stored of state.backupCodes) {
+      expect(stored.startsWith("$argon2")).toBe(true);
+      expect(result.backupCodes).not.toContain(stored);
+    }
+  });
+
+  test("verifySecondFactor accepts a live TOTP code", async () => {
+    const { secret } = generateTotpSecret("owner");
+    await persistEnrollment(db, userId, secret);
+    const res = await verifySecondFactor(db, userId, liveCode(secret), false);
+    expect(res).toEqual({ ok: true, via: "totp" });
+  });
+
+  test("verifySecondFactor accepts a backup code ONCE, then rejects its reuse (single-use)", async () => {
+    const { secret } = generateTotpSecret("owner");
+    const { backupCodes } = await persistEnrollment(db, userId, secret);
+    const code = backupCodes[0]!;
+    expect(backupCodesRemaining(db, userId)).toBe(10);
+
+    const first = await verifySecondFactor(db, userId, code, false);
+    expect(first).toEqual({ ok: true, via: "backup_code" });
+    // Consumed: one fewer remaining.
+    expect(backupCodesRemaining(db, userId)).toBe(9);
+
+    // Reuse of the same code is rejected.
+    const second = await verifySecondFactor(db, userId, code, false);
+    expect(second).toEqual({ ok: false });
+    expect(backupCodesRemaining(db, userId)).toBe(9);
+  });
+
+  test("verifySecondFactor rejects a wrong code without consuming anything", async () => {
+    const { secret } = generateTotpSecret("owner");
+    await persistEnrollment(db, userId, secret);
+    const res = await verifySecondFactor(db, userId, "999999", false);
+    expect(res).toEqual({ ok: false });
+    expect(backupCodesRemaining(db, userId)).toBe(10);
+  });
+
+  test("clearEnrollment removes secret + backup codes (idempotent)", async () => {
+    const { secret } = generateTotpSecret("owner");
+    await persistEnrollment(db, userId, secret);
+    expect(isTotpEnrolled(db, userId)).toBe(true);
+    clearEnrollment(db, userId);
+    expect(isTotpEnrolled(db, userId)).toBe(false);
+    expect(backupCodesRemaining(db, userId)).toBe(0);
+    // Idempotent — clearing again is a no-op.
+    clearEnrollment(db, userId);
+    expect(isTotpEnrolled(db, userId)).toBe(false);
+  });
+
+  test("verifySecondFactor on a not-enrolled user returns ok:false", async () => {
+    expect(await verifySecondFactor(db, userId, "123456", false)).toEqual({ ok: false });
+  });
+});

package/src/__tests__/upgrade.test.ts

@@ -3,7 +3,7 @@ import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import type { UpgradeRunner } from "../commands/upgrade.ts";
-import { compareVersions, detectChannel, upgrade } from "../commands/upgrade.ts";
+import { compareVersions, defaultRunner, detectChannel, upgrade } from "../commands/upgrade.ts";
 import { upsertService } from "../services-manifest.ts";
 
 interface RunCall {
@@ -402,6 +402,83 @@ describe("parachute upgrade", () => {
     }
   });
 
+  test("git absent (ENOENT): no crash, isGitCheckout → false, npm path taken", async () => {
+    // Real EC2 repro: a published-npm install on a minimal server with no
+    // `git` binary. The production runner's Bun.spawn(["git", ...]) throws
+    // synchronously with ENOENT; the upgrade flow must degrade to the npm
+    // path rather than crashing with an uncaught "Executable not found".
+    const h = makeHarness();
+    try {
+      const installDir = join(h.installRoot, "vault");
+      writePackageJson(installDir, { name: "@openparachute/vault", version: "0.4.0" });
+      seedVault(h.manifestPath, installDir, "0.4.0");
+
+      const calls: RunCall[] = [];
+      // Simulate the git-absent host: any spawn of `git` ENOENTs, surfaced
+      // through the runner as a non-zero captured result (code 127). This is
+      // exactly what the patched defaultRunner produces — we assert the
+      // upgrade flow handles that result gracefully.
+      const runner: UpgradeRunner = {
+        async run(cmd, opts) {
+          calls.push({ cmd: [...cmd], cwd: opts?.cwd, kind: "run" });
+          if (cmd[0] === "git") return 127; // git-less host
+          if (cmd[0] === "bun" && cmd[1] === "add" && cmd[2] === "-g") {
+            writePackageJson(installDir, { name: "@openparachute/vault", version: "0.5.0" });
+          }
+          return 0;
+        },
+        async capture(cmd, opts) {
+          calls.push({ cmd: [...cmd], cwd: opts?.cwd, kind: "capture" });
+          if (cmd[0] === "git") return { code: 127, stdout: "git: not found on this host\n" };
+          return { code: 0, stdout: "" };
+        },
+      };
+
+      let restartedShort: string | undefined;
+      const logs: string[] = [];
+      const code = await upgrade("vault", {
+        manifestPath: h.manifestPath,
+        configDir: h.configDir,
+        runner,
+        findGlobalInstall: () => join(installDir, "package.json"),
+        restartFn: async (svc) => {
+          restartedShort = svc;
+          return 0;
+        },
+        log: (l) => logs.push(l),
+      });
+
+      // No throw; the npm path ran end-to-end.
+      expect(code).toBe(0);
+      expect(restartedShort).toBe("vault");
+      const joined = logs.join("\n");
+      // isGitCheckout returned false → npm-installed branch, not bun-linked.
+      expect(joined).toMatch(/npm-installed/);
+      expect(joined).not.toMatch(/bun-linked/);
+      expect(joined).toMatch(/bun add -g @openparachute\/vault@latest/);
+      expect(joined).toMatch(/0\.4\.0 → 0\.5\.0/);
+      // We probed git (and degraded) but never reached the git-mutating
+      // commands (pull / status) that only run on the bun-linked branch.
+      const gitRun = calls.filter((c) => c.kind === "run" && c.cmd[0] === "git");
+      expect(gitRun).toHaveLength(0);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("defaultRunner.capture: git-absent ENOENT yields code 127, no throw", async () => {
+    // Drive the *production* runner against a binary that doesn't exist, to
+    // prove the synchronous-spawn-throw is caught (not just the injectable
+    // seam). Bun.spawn throws ENOENT synchronously for a missing binary.
+    const missing = `parachute-no-such-binary-${process.pid}`;
+    const captured = await defaultRunner.capture([missing, "--version"]);
+    expect(captured.code).toBe(127);
+    expect(captured.stdout).toContain("not found on this host");
+
+    const ran = await defaultRunner.run([missing, "--version"]);
+    expect(ran).toBe(127);
+  });
+
   test("npm-installed: version unchanged → skip restart", async () => {
     const h = makeHarness();
     try {

package/src/__tests__/users.test.ts

@@ -24,6 +24,8 @@ import {
   userCount,
   validatePassword,
   validateUsername,
+  vaultVerbsForRole,
+  vaultVerbsForUserVault,
   verifyPassword,
 } from "../users.ts";
 
@@ -735,3 +737,69 @@ describe("getFirstAdminId / isFirstAdmin", () => {
     }
   });
 });
+
+describe("vaultVerbsForRole / vaultVerbsForUserVault (friend token-mint cap)", () => {
+  test("vaultVerbsForRole maps roles to verbs, fails closed on unknown", () => {
+    expect(vaultVerbsForRole("write")).toEqual(["read", "write"]);
+    expect(vaultVerbsForRole("read")).toEqual(["read"]);
+    // Unknown / future roles grant NO mintable verb — never silently
+    // default to write. `admin` is explicitly NOT a mintable role here.
+    expect(vaultVerbsForRole("admin")).toEqual([]);
+    expect(vaultVerbsForRole("owner")).toEqual([]);
+    expect(vaultVerbsForRole("")).toEqual([]);
+  });
+
+  test("vaultVerbsForUserVault returns the role's verbs for an assigned vault", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      await createUser(db, "admin", "pw1");
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        assignedVaults: ["work"],
+      });
+      // createUser/setUserVaults insert role='write' today → read+write.
+      expect(vaultVerbsForUserVault(db, friend.id, "work")).toEqual(["read", "write"]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("vaultVerbsForUserVault returns null for a vault NOT in the assignment", async () => {
+    // This null is the authorization spine of the friend mint path: a vault
+    // the user isn't assigned to → null → the handler 403s. No cross-vault.
+    const { db, cleanup } = makeDb();
+    try {
+      await createUser(db, "admin", "pw1");
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        assignedVaults: ["work"],
+      });
+      expect(vaultVerbsForUserVault(db, friend.id, "other")).toBeNull();
+      // The unrestricted admin has no user_vaults rows → null for everything.
+      const admin = getUserById(db, getFirstAdminId(db) ?? "");
+      expect(vaultVerbsForUserVault(db, admin?.id ?? "", "work")).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("vaultVerbsForUserVault honors a hand-set read-only role (fail-closed forward-compat)", async () => {
+    // The schema reserves `role` for future granularity; if a row ever holds
+    // role='read', the cap must drop write. Simulate by direct UPDATE.
+    const { db, cleanup } = makeDb();
+    try {
+      await createUser(db, "admin", "pw1");
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        assignedVaults: ["work"],
+      });
+      db.prepare("UPDATE user_vaults SET role = 'read' WHERE user_id = ? AND vault_name = ?").run(
+        friend.id,
+        "work",
+      );
+      expect(vaultVerbsForUserVault(db, friend.id, "work")).toEqual(["read"]);
+    } finally {
+      cleanup();
+    }
+  });
+});

package/src/__tests__/vault-auth-status.test.ts

@@ -39,10 +39,10 @@ describe("readVaultAuthStatus — hub.db source of truth (multi-user Phase 1+)",
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => false,
       });
       expect(status.hasOwnerPassword).toBe(true);
-      // No hub-side TOTP column yet (Phase 3). Stays false on the hub.db
-      // path until the schema gains a column.
+      // No TOTP enrolled in hub.db (and no legacy YAML) → false.
       expect(status.hasTotp).toBe(false);
     } finally {
       env.cleanup();
@@ -57,6 +57,7 @@ describe("readVaultAuthStatus — hub.db source of truth (multi-user Phase 1+)",
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: () => false,
+        probeHubDbHasTotp: () => false,
       });
       expect(status.hasOwnerPassword).toBe(true);
       expect(status.hasTotp).toBe(false);
@@ -87,6 +88,7 @@ describe("readVaultAuthStatus — hub.db source of truth (multi-user Phase 1+)",
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: () => false,
+        probeHubDbHasTotp: () => false,
       });
       expect(status.hasOwnerPassword).toBe(false);
       expect(status.hasTotp).toBe(false);
@@ -95,17 +97,18 @@ describe("readVaultAuthStatus — hub.db source of truth (multi-user Phase 1+)",
     }
   });
 
-  test("hub.db says yes overrides absent YAML — TOTP still reflects YAML state", () => {
+  test("hub.db password=true, hub.db TOTP unreachable → TOTP falls back to YAML state", () => {
     const env = makeVaultHome();
     try {
-      // TOTP-only YAML: vault-side 2FA was configured but hub.db is the
-      // canonical password source. Should report password=true (hub.db),
-      // totp=true (YAML).
+      // hub#473: hub.db is the canonical TOTP source, but when the TOTP probe
+      // is unreachable (pre-v11 column absent) it falls back to the legacy
+      // vault YAML totp_secret. password=true (hub.db), totp=true (YAML fallback).
       writeConfig(env.path, 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
       const status = readVaultAuthStatus({
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => undefined,
       });
       expect(status.hasOwnerPassword).toBe(true);
       expect(status.hasTotp).toBe(true);
@@ -113,6 +116,40 @@ describe("readVaultAuthStatus — hub.db source of truth (multi-user Phase 1+)",
       env.cleanup();
     }
   });
+
+  test("hub.db TOTP=true is the real signal — overrides absent YAML", () => {
+    const env = makeVaultHome();
+    try {
+      // No YAML totp_secret, but a hub.db user has enrolled real 2FA (hub#473).
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => true,
+      });
+      expect(status.hasTotp).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db TOTP=false (column present, none enrolled) overrides a stale YAML true", () => {
+    const env = makeVaultHome();
+    try {
+      // Legacy YAML totp_secret present, but hub.db definitively says no user
+      // has enrolled real hub-login 2FA → report false (the real signal wins).
+      writeConfig(env.path, 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => false,
+      });
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
 });
 
 describe("readVaultAuthStatus — YAML fallback (pre-multi-user installs)", () => {
@@ -123,6 +160,7 @@ describe("readVaultAuthStatus — YAML fallback (pre-multi-user installs)", () =
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
       });
       expect(status.hasOwnerPassword).toBe(false);
       expect(status.hasTotp).toBe(false);
@@ -147,6 +185,7 @@ describe("readVaultAuthStatus — YAML fallback (pre-multi-user installs)", () =
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
       });
       expect(status.hasOwnerPassword).toBe(true);
       expect(status.hasTotp).toBe(true);
@@ -163,6 +202,7 @@ describe("readVaultAuthStatus — YAML fallback (pre-multi-user installs)", () =
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
       });
       expect(status.hasOwnerPassword).toBe(false);
       expect(status.hasTotp).toBe(false);
@@ -179,6 +219,7 @@ describe("readVaultAuthStatus — YAML fallback (pre-multi-user installs)", () =
         vaultHome: env.path,
         countTokens: () => 0,
         probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
       });
       expect(status.hasOwnerPassword).toBe(true);
       expect(status.hasTotp).toBe(false);