@openparachute/hub 0.5.14-rc.8 → 0.6.0

package/src/__tests__/expose.test.ts

@@ -1,8 +1,9 @@
 import { describe, expect, test } from "bun:test";
-import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { exposePublic, exposeTailnet } from "../commands/expose.ts";
+import { readEnvFileValues } from "../env-file.ts";
 import { readExposeState, writeExposeState } from "../expose-state.ts";
 import type { EnsureHubOpts, HubSpawner, StopHubOpts } from "../hub-control.ts";
 import { writePid } from "../process-state.ts";
@@ -696,6 +697,53 @@ describe("expose tailnet off", () => {
     }
   });
 
+  test("clears the persisted PARACHUTE_HUB_ORIGIN from vault/.env on teardown", async () => {
+    // OAuth issuer-mismatch fix: `expose up` persisted the public origin into
+    // vault/.env so the daemon validates `iss` against it. With exposure gone,
+    // a local-only hub mints loopback-`iss` tokens, so a stale public origin
+    // left in `.env` would itself cause the mismatch on the next daemon boot.
+    // Tearing it down reverts vault to its loopback default.
+    const h = makeHarness();
+    try {
+      writeExposeState(
+        {
+          version: 1,
+          layer: "tailnet",
+          mode: "path",
+          canonicalFqdn: "parachute.taildf9ce2.ts.net",
+          port: 443,
+          funnel: false,
+          entries: [{ kind: "proxy", mount: "/", target: "http://127.0.0.1:1939", service: "hub" }],
+          hubOrigin: "https://parachute.taildf9ce2.ts.net",
+        },
+        h.statePath,
+      );
+      mkdirSync(join(h.configDir, "vault"), { recursive: true });
+      writeFileSync(
+        join(h.configDir, "vault", ".env"),
+        "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://parachute.taildf9ce2.ts.net\n",
+      );
+      const { runner } = makeRunner();
+      const code = await exposeTailnet("off", {
+        runner,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        skipHub: true,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const values = readEnvFileValues(join(h.configDir, "vault", ".env"));
+      expect(values.PARACHUTE_HUB_ORIGIN).toBeUndefined();
+      // Sibling keys preserved.
+      expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("leaves state in place on teardown failure", async () => {
     const h = makeHarness();
     try {
@@ -961,7 +1009,9 @@ describe("expose public up", () => {
       });
       expect(code).toBe(0);
       const joined = logs.join("\n");
-      expect(joined).toContain("2FA is not enrolled");
+      // hub#473: real hub-login 2FA. The warning now recommends the real
+      // `parachute auth 2fa enroll` path.
+      expect(joined).toContain("/login is now reachable on the public internet");
       expect(joined).toContain("parachute auth 2fa enroll");
       // /login pointer uses the canonical https://<fqdn> origin.
       expect(joined).toContain("https://parachute.taildf9ce2.ts.net/login");

package/src/__tests__/hub-server.test.ts

@@ -3,6 +3,7 @@ import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
+import { buildCsrfCookie, generateCsrfToken } from "../csrf.ts";
 import { HUB_SVC, hubPortPath } from "../hub-control.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import {
@@ -16,6 +17,7 @@ import { setNotesRedirectDisabled } from "../hub-settings.ts";
 import { clearNotesRedirectLogState } from "../notes-redirect.ts";
 import { pidPath } from "../process-state.ts";
 import { type ServiceEntry, writeManifest } from "../services-manifest.ts";
+import { buildSessionCookie, createSession } from "../sessions.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
 import type { ModuleState, Supervisor } from "../supervisor.ts";
 import { createUser } from "../users.ts";
@@ -4171,3 +4173,98 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 });
+
+describe("POST /account/vault-token/<name> — friend scoped mint (routed end-to-end)", () => {
+  // Drive the real dispatch (`hubFetch`) so the route wiring + precedence
+  // (the `/account/vault-token/` prefix must win over `/account/` and the
+  // SPA catch-all) is exercised, not just the handler in isolation.
+  async function seed(h: Harness, assignedVaults: string[]) {
+    const db = openHubDb(hubDbPath(h.dir));
+    rotateSigningKey(db); // mint needs an active signing key
+    await createUser(db, "operator", "operator-password-123");
+    const friend = await createUser(db, "friend", "friend-password-123", {
+      assignedVaults,
+      allowMulti: true,
+    });
+    const session = createSession(db, { userId: friend.id });
+    const csrf = generateCsrfToken();
+    const cookie = `${buildSessionCookie(session.id, 3600, { secure: false })}; ${
+      buildCsrfCookie(csrf, { secure: false }).split(";")[0]
+    }`;
+    return { db, friendId: friend.id, cookie, csrf };
+  }
+
+  function postBody(csrf: string, verb: string): string {
+    const b = new URLSearchParams();
+    b.set("__csrf", csrf);
+    b.set("verb", verb);
+    return b.toString();
+  }
+
+  test("assigned vault → 200 with a token banner, routed through hubFetch", async () => {
+    const h = makeHarness();
+    writeManifest({ services: [vaultEntry("work")] }, h.manifestPath);
+    const { db, cookie, csrf } = await seed(h, ["work"]);
+    try {
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: h.manifestPath,
+        issuer: "https://hub.test",
+      })(
+        req("/account/vault-token/work", {
+          method: "POST",
+          headers: { cookie, "content-type": "application/x-www-form-urlencoded" },
+          body: postBody(csrf, "read"),
+        }),
+      );
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      expect(html).toContain('data-testid="minted-token-banner"');
+      expect(html).toContain("vault:work:read");
+    } finally {
+      db.close();
+      h.cleanup();
+    }
+  });
+
+  test("unassigned vault → 403, no token, routed through hubFetch", async () => {
+    const h = makeHarness();
+    writeManifest({ services: [vaultEntry("work")] }, h.manifestPath);
+    const { db, cookie, csrf } = await seed(h, ["work"]);
+    try {
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: h.manifestPath,
+        issuer: "https://hub.test",
+      })(
+        req("/account/vault-token/other", {
+          method: "POST",
+          headers: { cookie, "content-type": "application/x-www-form-urlencoded" },
+          body: postBody(csrf, "read"),
+        }),
+      );
+      expect(res.status).toBe(403);
+      const html = await res.text();
+      expect(html).not.toContain('data-testid="minted-token-banner"');
+    } finally {
+      db.close();
+      h.cleanup();
+    }
+  });
+
+  test("GET on the mint path → 405 (POST-only)", async () => {
+    const h = makeHarness();
+    writeManifest({ services: [vaultEntry("work")] }, h.manifestPath);
+    const { db } = await seed(h, ["work"]);
+    try {
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: h.manifestPath,
+      })(req("/account/vault-token/work"));
+      expect(res.status).toBe(405);
+    } finally {
+      db.close();
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/hub.test.ts

@@ -5,7 +5,15 @@ import { join } from "node:path";
 import { renderHub, writeHubFile } from "../hub.ts";
 
 describe("renderHub", () => {
-  const html = renderHub();
+  // The verbose discovery body (Get started / Services / Admin) + its
+  // data-loading script render only for a signed-in visitor (the signed-out
+  // landing is slimmed — see the "signed-out slimming" describe block below).
+  // Assertions about that verbose body therefore run against a signed-in
+  // render; assertions about the page shell (doctype, styles, brand) hold for
+  // both and use whichever render is convenient.
+  const html = renderHub({
+    session: { displayName: "operator", csrfToken: "csrf-shell" },
+  });
 
   test("is a self-contained HTML document with inline styles and script", () => {
     expect(html).toStartWith("<!doctype html>");
@@ -162,12 +170,72 @@ describe("renderHub", () => {
   });
 
   test("default render (no session) emits the 'Sign in' affordance", () => {
-    expect(html).toContain('class="auth-indicator"');
-    expect(html).toContain("Sign in");
-    expect(html).toContain('href="/login?next=/"');
+    const out = renderHub();
+    expect(out).toContain('class="auth-indicator"');
+    expect(out).toContain("Sign in");
+    expect(out).toContain('href="/login?next=/"');
     // No POST form, no CSRF input — those only appear when signed in.
-    expect(html).not.toContain('action="/logout"');
-    expect(html).not.toContain("__csrf");
+    expect(out).not.toContain('action="/logout"');
+    expect(out).not.toContain("__csrf");
+  });
+});
+
+describe("renderHub — signed-out slimming (operator feedback)", () => {
+  // A signed-out visitor should see a clean, minimal landing: brand +
+  // tagline (in the header) + a single clear "Sign in" call. The hub's
+  // internal detail — the service catalog, vault listings, admin surfaces,
+  // and the well-known-driven loading script — must NOT render until the
+  // visitor authenticates. The signed-in render is unchanged.
+  const signedOut = renderHub();
+  const signedIn = renderHub({
+    session: { displayName: "operator", csrfToken: "csrf-xyz" },
+  });
+
+  test("signed-out: brand wordmark + tagline still render (the slim landing keeps the brand)", () => {
+    expect(signedOut).toContain("<h1>Parachute</h1>");
+    expect(signedOut).toContain("Truly personal computing. Your knowledge belongs with you.");
+  });
+
+  test("signed-out: a clear 'Sign in' call is the primary affordance", () => {
+    expect(signedOut).toContain('data-testid="signed-out-signin"');
+    expect(signedOut).toContain('href="/login?next=/"');
+    expect(signedOut).toContain("Sign in");
+  });
+
+  test("signed-out: the verbose Services / Admin / Get started sections are absent", () => {
+    expect(signedOut).not.toContain('id="services-section"');
+    expect(signedOut).not.toContain('id="admin-section"');
+    expect(signedOut).not.toContain('id="get-started-section"');
+    expect(signedOut).not.toContain("<h2>Services</h2>");
+    expect(signedOut).not.toContain("<h2>Admin</h2>");
+    // Admin links / token surface must not be exposed pre-auth.
+    expect(signedOut).not.toContain("/admin/vaults");
+    expect(signedOut).not.toContain("/admin/tokens");
+  });
+
+  test("signed-out: the well-known service-catalog loading script is not emitted", () => {
+    // No data-driven discovery body to populate when signed out → no script.
+    // (The brand mark is an inline SVG, not a <script>; assert on the IIFE's
+    // load function rather than a blanket "no <script>".) The footer's
+    // public "discovery" anchor → /.well-known/parachute.json stays — it's a
+    // plain link, not the catalog-fetching script — so assert on the fetch
+    // call + the loader function, not the URL string.
+    expect(signedOut).not.toContain("loadServices");
+    expect(signedOut).not.toContain("renderServices");
+    expect(signedOut).not.toContain("fetch('/.well-known/parachute.json'");
+    expect(signedOut).not.toContain("<script>");
+  });
+
+  test("signed-in: the verbose sections + loading script DO render (signed-in view unchanged)", () => {
+    expect(signedIn).toContain('id="services-section"');
+    expect(signedIn).toContain('id="admin-section"');
+    expect(signedIn).toContain('id="get-started-section"');
+    expect(signedIn).toContain("/admin/vaults");
+    expect(signedIn).toContain("/.well-known/parachute.json");
+    expect(signedIn).toContain("loadServices");
+    // And the signed-out lede / standalone Sign-in CTA is gone (the
+    // auth-indicator carries sign-out instead).
+    expect(signedIn).not.toContain('data-testid="signed-out-signin"');
   });
 });
 
@@ -189,6 +257,17 @@ describe("renderHub — signed-in indicator (rc.13)", () => {
     expect(html).not.toContain('href="/login?next=/"');
   });
 
+  test("signed-in indicator carries an Account breadcrumb to /account/", () => {
+    // Onboarding discoverability: a signed-in friend needs a single link
+    // to the self-service /account/ home (change password, their vault).
+    // Applies to admins too — harmless for them.
+    const html = renderHub({
+      session: { displayName: "aaron", csrfToken: "csrf-token-xyz" },
+    });
+    expect(html).toContain('href="/account/"');
+    expect(html).toContain("Account");
+  });
+
   test("displayName with HTML special chars is escaped", () => {
     // Username field allows alphanumerics historically, but the
     // displayName field on the wire is forward-compatible with profile

package/src/__tests__/init.test.ts

@@ -2,7 +2,7 @@ import { describe, expect, test } from "bun:test";
 import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { init, looksLikeServer, resolveAdminUrl } from "../commands/init.ts";
+import { hasNoDisplay, init, looksLikeServer, resolveAdminUrl } from "../commands/init.ts";
 import type { ExposeState } from "../expose-state.ts";
 import { writeHubPort } from "../hub-control.ts";
 import { writePid } from "../process-state.ts";
@@ -345,6 +345,76 @@ describe("init", () => {
     }
   });
 
+  test("linux SSH (no display): prints the link, does NOT spawn a browser (Fix 2)", async () => {
+    // A TTY isn't enough — an SSH session is a TTY with no display, so
+    // `xdg-open` fails/blocks. Aaron hit this on EC2: init tried to open a
+    // browser and failed with "Couldn't launch a browser." We now skip the
+    // spawn on a server-shaped box and just print the URL.
+    const h = makeHarness();
+    try {
+      writeHubPort(1939, h.configDir);
+      const opened: string[] = [];
+      const logs: string[] = [];
+      const code = await init({
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        log: (l) => logs.push(l),
+        alive: () => false,
+        ensureHub: async () => ({ pid: 7, port: 1939, started: true }),
+        readExposeStateFn: () => undefined,
+        isTty: true,
+        platform: "linux",
+        env: { SSH_CONNECTION: "1.2.3.4 22 5.6.7.8 22" },
+        // Pre-pick the browser wizard so a real desktop would spawn — proves
+        // the display guard (not the prompt) is what suppresses the spawn.
+        wizardChoice: "browser",
+        prompt: async () => "y",
+        openBrowser: (url) => {
+          opened.push(url);
+          return true;
+        },
+        noExposePrompt: true,
+        installVaultModuleImpl: noopVaultInstall,
+      });
+      expect(code).toBe(0);
+      expect(opened).toEqual([]); // never spawned
+      expect(logs.join("\n")).toContain("No display detected");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("linux WITH a display still spawns the browser (desktop unchanged)", async () => {
+    const h = makeHarness();
+    try {
+      writeHubPort(1939, h.configDir);
+      const opened: string[] = [];
+      const code = await init({
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        log: () => {},
+        alive: () => false,
+        ensureHub: async () => ({ pid: 7, port: 1939, started: true }),
+        readExposeStateFn: () => undefined,
+        isTty: true,
+        platform: "linux",
+        env: { DISPLAY: ":0" },
+        wizardChoice: "browser",
+        prompt: async () => "y",
+        openBrowser: (url) => {
+          opened.push(url);
+          return true;
+        },
+        noExposePrompt: true,
+        installVaultModuleImpl: noopVaultInstall,
+      });
+      expect(code).toBe(0);
+      expect(opened).toEqual(["http://127.0.0.1:1939/admin/"]);
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("ensureHub failure exits 1 with an actionable hint", async () => {
     const h = makeHarness();
     try {
@@ -398,6 +468,37 @@ describe("looksLikeServer heuristic", () => {
   });
 });
 
+describe("hasNoDisplay heuristic (Fix 2 — headless browser-open guard)", () => {
+  test("macOS / Windows always have a display", () => {
+    expect(hasNoDisplay("darwin", {})).toBe(false);
+    expect(hasNoDisplay("darwin", { SSH_CONNECTION: "1.2.3.4 22 5.6.7.8 22" })).toBe(false);
+    expect(hasNoDisplay("win32", {})).toBe(false);
+  });
+
+  test("linux SSH session (a TTY, but no display) → no display", () => {
+    expect(hasNoDisplay("linux", { SSH_CONNECTION: "1.2.3.4 22 5.6.7.8 22" })).toBe(true);
+    expect(hasNoDisplay("linux", { SSH_TTY: "/dev/pts/0" })).toBe(true);
+  });
+
+  test("linux headless console (no SSH, no DISPLAY) → no display", () => {
+    expect(hasNoDisplay("linux", {})).toBe(true);
+  });
+
+  test("linux desktop with DISPLAY / WAYLAND_DISPLAY → has a display", () => {
+    expect(hasNoDisplay("linux", { DISPLAY: ":0" })).toBe(false);
+    expect(hasNoDisplay("linux", { WAYLAND_DISPLAY: "wayland-0" })).toBe(false);
+  });
+
+  test("WSL (linux + DISPLAY-less but a dev laptop) is treated as having a display via looksLikeServer exclusion", () => {
+    // WSL with no DISPLAY would otherwise look headless; looksLikeServer
+    // excludes it, but the bare no-DISPLAY fallback still trips. This documents
+    // that a WSL user without an X server set won't auto-spawn — acceptable,
+    // since xdg-open would fail there anyway. WSL WITH an X server (DISPLAY set)
+    // correctly resolves to has-a-display.
+    expect(hasNoDisplay("linux", { WSL_DISTRO_NAME: "Ubuntu", DISPLAY: ":0" })).toBe(false);
+  });
+});
+
 describe("init exposure chain", () => {
   test("TTY + no exposure + no flags → prompt is shown", async () => {
     const h = makeHarness();