npm - @openparachute/hub - Versions diffs - 0.5.14-rc.8 → 0.6.0 - Mend

@openparachute/hub 0.5.14-rc.8 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/README.md +109 -15
package/package.json +7 -3
package/src/__tests__/account-home-ui.test.ts +251 -15
package/src/__tests__/account-vault-token.test.ts +355 -0
package/src/__tests__/admin-vaults.test.ts +70 -4
package/src/__tests__/api-mint-token.test.ts +693 -5
package/src/__tests__/api-modules-ops.test.ts +45 -0
package/src/__tests__/api-revoke-token.test.ts +384 -0
package/src/__tests__/api-users.test.ts +7 -2
package/src/__tests__/auth.test.ts +157 -30
package/src/__tests__/cli.test.ts +44 -5
package/src/__tests__/expose-2fa-warning.test.ts +31 -17
package/src/__tests__/expose-auth-preflight.test.ts +71 -72
package/src/__tests__/expose-cloudflare.test.ts +482 -14
package/src/__tests__/expose.test.ts +52 -2
package/src/__tests__/hub-server.test.ts +97 -0
package/src/__tests__/hub.test.ts +85 -6
package/src/__tests__/init.test.ts +102 -1
package/src/__tests__/lifecycle.test.ts +464 -2
package/src/__tests__/oauth-handlers.test.ts +1252 -83
package/src/__tests__/oauth-ui.test.ts +12 -1
package/src/__tests__/operator-token-issuer-self-heal.test.ts +412 -0
package/src/__tests__/resource-binding.test.ts +97 -0
package/src/__tests__/scope-explanations.test.ts +77 -12
package/src/__tests__/services-manifest.test.ts +122 -4
package/src/__tests__/setup-wizard.test.ts +335 -15
package/src/__tests__/status.test.ts +36 -0
package/src/__tests__/two-factor-flow.test.ts +602 -0
package/src/__tests__/two-factor.test.ts +183 -0
package/src/__tests__/upgrade.test.ts +78 -1
package/src/__tests__/users.test.ts +68 -0
package/src/__tests__/vault-auth-status.test.ts +47 -6
package/src/__tests__/vault-hub-origin-env.test.ts +263 -0
package/src/account-home-ui.ts +488 -38
package/src/account-vault-token.ts +282 -0
package/src/admin-handlers.ts +159 -4
package/src/admin-login-ui.ts +49 -5
package/src/admin-vaults.ts +48 -15
package/src/api-account.ts +14 -0
package/src/api-mint-token.ts +132 -24
package/src/api-modules-ops.ts +49 -11
package/src/api-revoke-token.ts +107 -21
package/src/api-users.ts +29 -3
package/src/cli.ts +26 -21
package/src/clients.ts +18 -6
package/src/cloudflare/config.ts +10 -4
package/src/cloudflare/detect.ts +39 -44
package/src/commands/auth.ts +165 -24
package/src/commands/expose-2fa-warning.ts +34 -32
package/src/commands/expose-auth-preflight.ts +89 -78
package/src/commands/expose-cloudflare.ts +370 -12
package/src/commands/expose.ts +8 -0
package/src/commands/init.ts +33 -2
package/src/commands/lifecycle.ts +386 -17
package/src/commands/status.ts +22 -0
package/src/commands/upgrade.ts +55 -11
package/src/commands/wizard.ts +8 -4
package/src/env-file.ts +10 -0
package/src/help.ts +3 -1
package/src/hub-db.ts +39 -1
package/src/hub-server.ts +52 -0
package/src/hub.ts +82 -14
package/src/oauth-handlers.ts +298 -21
package/src/oauth-ui.ts +10 -0
package/src/operator-token.ts +151 -0
package/src/pending-login.ts +116 -0
package/src/rate-limit.ts +51 -0
package/src/resource-binding.ts +134 -0
package/src/scope-attenuation.ts +85 -0
package/src/scope-explanations.ts +131 -14
package/src/services-manifest.ts +112 -0
package/src/setup-wizard.ts +77 -7
package/src/tailscale/run.ts +28 -11
package/src/totp.ts +201 -0
package/src/two-factor-handlers.ts +287 -0
package/src/two-factor-store.ts +181 -0
package/src/two-factor-ui.ts +462 -0
package/src/users.ts +58 -0
package/src/vault/auth-status.ts +71 -19
package/src/vault-hub-origin-env.ts +163 -0
package/web/ui/dist/assets/index-BiBlvEaj.css +1 -0
package/web/ui/dist/assets/index-CIN3mnmf.js +61 -0
package/web/ui/dist/index.html +2 -2
package/src/__tests__/vault-tokens-create-interactive.test.ts +0 -183
package/src/commands/vault-tokens-create-interactive.ts +0 -143
package/web/ui/dist/assets/index-7DtAXz7y.css +0 -1
package/web/ui/dist/assets/index-tRmPbbC7.js +0 -61

package/src/__tests__/vault-hub-origin-env.test.ts ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * Tests for the durable half of the OAuth issuer-mismatch fix: persisting the
+ * hub's PUBLIC origin into `<configDir>/vault/.env` so the launchd / systemd
+ * daemon — which boots vault out-of-band and never sees the `parachute start`
+ * spawn env — validates hub-minted JWTs' `iss` against the public origin
+ * instead of vault's loopback default. See `vault-hub-origin-env.ts`.
+ */
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { readEnvFileValues } from "../env-file.ts";
+import type { ExposeState } from "../expose-state.ts";
+import { writeExposeState } from "../expose-state.ts";
+import {
+  clearVaultHubOrigin,
+  isLoopbackOrigin,
+  persistVaultHubOrigin,
+  publicOriginFromExposeState,
+  selfHealVaultHubOrigin,
+} from "../vault-hub-origin-env.ts";
+let dir: string;
+beforeEach(() => {
+  dir = mkdtempSync(join(tmpdir(), "pcli-vhoe-"));
+});
+afterEach(() => {
+  rmSync(dir, { recursive: true, force: true });
+});
+function vaultEnv(): string {
+  return join(dir, "vault", ".env");
+}
+describe("isLoopbackOrigin", () => {
+  test("flags 127.0.0.1 / localhost / [::1] / 0.0.0.0", () => {
+    expect(isLoopbackOrigin("http://127.0.0.1:1939")).toBe(true);
+    expect(isLoopbackOrigin("http://localhost:1939")).toBe(true);
+    expect(isLoopbackOrigin("http://[::1]:1939")).toBe(true);
+    // 0.0.0.0 is a bind-all wildcard, not a reachable origin.
+    expect(isLoopbackOrigin("http://0.0.0.0:1939")).toBe(true);
+  });
+  test("does not flag a public FQDN", () => {
+    expect(isLoopbackOrigin("https://parachute-aaron.tailc75afc.ts.net")).toBe(false);
+    expect(isLoopbackOrigin("https://hub.example.com")).toBe(false);
+  });
+  test("non-URL strings are treated as non-loopback (don't block persistence)", () => {
+    expect(isLoopbackOrigin("not a url")).toBe(false);
+  });
+});
+describe("persistVaultHubOrigin", () => {
+  test("writes a non-loopback public origin into vault/.env", () => {
+    const wrote = persistVaultHubOrigin(dir, "https://parachute-aaron.tailc75afc.ts.net", () => {});
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://parachute-aaron.tailc75afc.ts.net",
+    );
+  });
+  test("refuses to persist a loopback origin (would shadow a later exposure)", () => {
+    const wrote = persistVaultHubOrigin(dir, "http://127.0.0.1:1939", () => {});
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+  test("refuses to persist a 0.0.0.0 origin (--hub-origin flows straight through)", () => {
+    // `--hub-origin http://0.0.0.0:1939` bypasses deriveHubOrigin and reaches
+    // here verbatim; baking a bind-all wildcard into vault/.env would advertise
+    // a non-functional issuer and recreate the iss-mismatch class.
+    const wrote = persistVaultHubOrigin(dir, "http://0.0.0.0:1939", () => {});
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+  test("is idempotent — no rewrite when the value is already current", () => {
+    const log: string[] = [];
+    expect(persistVaultHubOrigin(dir, "https://hub.example.com", (l) => log.push(l))).toBe(true);
+    expect(persistVaultHubOrigin(dir, "https://hub.example.com", (l) => log.push(l))).toBe(false);
+    // Only the first call logged.
+    expect(log).toHaveLength(1);
+    expect(log[0]).toMatch(/persisted PARACHUTE_HUB_ORIGIN=https:\/\/hub\.example\.com/);
+  });
+  test("updates a stale origin in-place and preserves sibling keys", () => {
+    writeFileSync(
+      mkVaultDir(),
+      "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://old.example.com\nSCRIBE_URL=http://127.0.0.1:1943\n",
+    );
+    const wrote = persistVaultHubOrigin(dir, "https://new.example.com", () => {});
+    expect(wrote).toBe(true);
+    const values = readEnvFileValues(vaultEnv());
+    expect(values.PARACHUTE_HUB_ORIGIN).toBe("https://new.example.com");
+    // Sibling keys untouched.
+    expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+    expect(values.SCRIBE_URL).toBe("http://127.0.0.1:1943");
+  });
+});
+describe("clearVaultHubOrigin", () => {
+  test("removes a persisted origin and leaves sibling keys", () => {
+    writeFileSync(
+      mkVaultDir(),
+      "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://hub.example.com\n",
+    );
+    const wrote = clearVaultHubOrigin(dir, () => {});
+    expect(wrote).toBe(true);
+    const values = readEnvFileValues(vaultEnv());
+    expect(values.PARACHUTE_HUB_ORIGIN).toBeUndefined();
+    expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+  });
+  test("no-op when no origin is present", () => {
+    writeFileSync(mkVaultDir(), "SCRIBE_AUTH_TOKEN=secret\n");
+    expect(clearVaultHubOrigin(dir, () => {})).toBe(false);
+  });
+  test("no-op when vault/.env doesn't exist", () => {
+    expect(clearVaultHubOrigin(dir, () => {})).toBe(false);
+  });
+});
+/** Create `<dir>/vault/` and return the `.env` path so writeFileSync lands. */
+function mkVaultDir(): string {
+  mkdirSync(join(dir, "vault"), { recursive: true });
+  return vaultEnv();
+}
+function exposeStatePath(): string {
+  return join(dir, "expose-state.json");
+}
+/** Cloudflare-shaped expose state (subdomain mode, single hub-catchall entry). */
+function cloudflareState(overrides: Partial<ExposeState> = {}): ExposeState {
+  return {
+    version: 1,
+    layer: "public",
+    mode: "subdomain",
+    canonicalFqdn: "gitcoin-parachute.unforced.dev",
+    port: 1939,
+    funnel: false,
+    entries: [{ kind: "proxy", mount: "/", target: "http://localhost:1939", service: "hub" }],
+    hubOrigin: "https://gitcoin-parachute.unforced.dev",
+    ...overrides,
+  };
+}
+/** Tailnet-shaped expose state (path mode). */
+function tailnetState(overrides: Partial<ExposeState> = {}): ExposeState {
+  return {
+    version: 1,
+    layer: "tailnet",
+    mode: "path",
+    canonicalFqdn: "parachute-aaron.tailc75afc.ts.net",
+    port: 1939,
+    funnel: false,
+    entries: [{ kind: "proxy", mount: "/", target: "http://localhost:1939", service: "hub" }],
+    hubOrigin: "https://parachute-aaron.tailc75afc.ts.net",
+    ...overrides,
+  };
+}
+describe("publicOriginFromExposeState", () => {
+  test("undefined when no expose-state file exists", () => {
+    expect(publicOriginFromExposeState(exposeStatePath())).toBeUndefined();
+  });
+  test("returns the cloudflare hubOrigin", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    expect(publicOriginFromExposeState(exposeStatePath())).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+  test("returns the tailnet hubOrigin", () => {
+    writeExposeState(tailnetState(), exposeStatePath());
+    expect(publicOriginFromExposeState(exposeStatePath())).toBe(
+      "https://parachute-aaron.tailc75afc.ts.net",
+    );
+  });
+  test("synthesizes https://<canonicalFqdn> when hubOrigin is absent (pre-Phase-0 state)", () => {
+    // hubOrigin is optional on older state files; canonicalFqdn is mandatory.
+    const { hubOrigin, ...rest } = cloudflareState();
+    void hubOrigin;
+    writeExposeState(rest as ExposeState, exposeStatePath());
+    expect(publicOriginFromExposeState(exposeStatePath())).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+});
+describe("selfHealVaultHubOrigin (Cloudflare 401 self-heal)", () => {
+  test("writes the cloudflare public origin when vault/.env is UNSET", () => {
+    // The exact broken-deploy shape: expose-state carries a public cloudflare
+    // hubOrigin but vault/.env has no PARACHUTE_HUB_ORIGIN, so the daemon falls
+    // back to loopback and 401s every hub token. Restart self-corrects it.
+    writeExposeState(cloudflareState(), exposeStatePath());
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+  test("overwrites a LOOPBACK value already persisted in vault/.env", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    writeFileSync(mkVaultDir(), "PARACHUTE_HUB_ORIGIN=http://127.0.0.1:1939\n");
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+  test("tailnet shape still self-heals (no regression)", () => {
+    writeExposeState(tailnetState(), exposeStatePath());
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://parachute-aaron.tailc75afc.ts.net",
+    );
+  });
+  test("does NOT persist when there's no exposure (genuine loopback / local dev)", () => {
+    // No expose-state file → no public origin → vault keeps its loopback
+    // default. Persisting loopback would shadow a later exposure.
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+  test("leaves a DIFFERENT non-loopback value alone (deliberate --hub-origin override)", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    writeFileSync(mkVaultDir(), "PARACHUTE_HUB_ORIGIN=https://custom.example.com\n");
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+    // Untouched — self-heal only fixes unset/loopback, never clobbers a public
+    // value an operator may have set on purpose.
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe("https://custom.example.com");
+  });
+  test("no-op (no double-write) when the persisted value already equals the public origin", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    writeFileSync(mkVaultDir(), "PARACHUTE_HUB_ORIGIN=https://gitcoin-parachute.unforced.dev\n");
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+  });
+  test("expose-state with a loopback hubOrigin is treated as no public exposure", () => {
+    // A loopback hubOrigin (local-dev hub) must never be persisted — it would
+    // recreate the iss mismatch on the daemon boot path.
+    writeExposeState(cloudflareState({ hubOrigin: "http://127.0.0.1:1939" }), exposeStatePath());
+    // canonicalFqdn is still public here, but hubOrigin wins — we honor the
+    // explicit value the writer chose.
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+});