@openparachute/hub 0.5.2 → 0.5.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.2",
+  "version": "0.5.7",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/admin-handlers.test.ts

@@ -13,6 +13,7 @@ import {
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import type { ConfigSchema, ModuleManifest } from "../module-manifest.ts";
+import { __resetForTests as resetRateLimit } from "../rate-limit.ts";
 import type { ServicesManifest } from "../services-manifest.ts";
 import { SESSION_TTL_MS, buildSessionCookie, createSession, findSession } from "../sessions.ts";
 import { createUser } from "../users.ts";
@@ -106,6 +107,10 @@ function fakeReadManifest(installDir: string): Promise<ModuleManifest | null> {
 let harness: Harness;
 beforeEach(() => {
   harness = makeHarness();
+  // Per-test rate-limit state — login tests share the UNKNOWN_IP sentinel
+  // bucket since they don't set CF-Connecting-IP, so without a reset the
+  // 6th test in this file would 429 spuriously.
+  resetRateLimit();
 });
 afterEach(() => {
   harness.cleanup();
@@ -222,6 +227,93 @@ describe("handleAdminLoginPost", () => {
     expect(res.status).toBe(302);
     expect(res.headers.get("location")).toBe("/admin/config");
   });
+
+  // hub#185 — per-IP rate-limit (5 attempts / 15 min) on POST /admin/login.
+  test("6 rapid POSTs from same IP get 200/401×4/429 and the 429 carries Retry-After", async () => {
+    await createUser(harness.db, "admin", "correct-pw");
+    const buildReq = (password: string) => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        username: "admin",
+        password,
+        next: "/admin/config",
+      });
+      return new Request("http://hub.test/admin/login", {
+        method: "POST",
+        headers: { ...headers, cookie: CSRF_COOKIE, "cf-connecting-ip": "203.0.113.42" },
+        body,
+      });
+    };
+    // First attempt: correct password → 302. Counts as attempt #1.
+    const first = await handleAdminLoginPost(harness.db, buildReq("correct-pw"));
+    expect(first.status).toBe(302);
+    // Attempts 2–5: wrong password → 401 each.
+    for (let i = 2; i <= 5; i++) {
+      const r = await handleAdminLoginPost(harness.db, buildReq("wrong"));
+      expect(r.status).toBe(401);
+    }
+    // Attempt 6: rate-limit fires before credential check → 429 + Retry-After.
+    const denied = await handleAdminLoginPost(harness.db, buildReq("wrong"));
+    expect(denied.status).toBe(429);
+    const retryAfter = denied.headers.get("retry-after");
+    expect(retryAfter).not.toBeNull();
+    const seconds = Number(retryAfter);
+    expect(seconds).toBeGreaterThan(0);
+    // Window is 15 min = 900s, so retry-after sits in (0, 900].
+    expect(seconds).toBeLessThanOrEqual(900);
+  });
+
+  test("rate-limit is per-IP: a different IP can still log in after another's bucket fills", async () => {
+    await createUser(harness.db, "admin", "pw");
+    const buildReq = (ip: string, password: string) => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        username: "admin",
+        password,
+        next: "/admin/config",
+      });
+      return new Request("http://hub.test/admin/login", {
+        method: "POST",
+        headers: { ...headers, cookie: CSRF_COOKIE, "cf-connecting-ip": ip },
+        body,
+      });
+    };
+    // Exhaust ip-a's bucket with 5 wrong-password attempts, then confirm 429.
+    for (let i = 0; i < 5; i++) {
+      await handleAdminLoginPost(harness.db, buildReq("203.0.113.7", "wrong"));
+    }
+    const aDenied = await handleAdminLoginPost(harness.db, buildReq("203.0.113.7", "wrong"));
+    expect(aDenied.status).toBe(429);
+    // Different IP: fresh bucket, correct credentials → 302.
+    const bOk = await handleAdminLoginPost(harness.db, buildReq("198.51.100.99", "pw"));
+    expect(bOk.status).toBe(302);
+  });
+
+  test("rate-limit fires before credential check (denied request never touches DB)", async () => {
+    // No user exists in the harness DB. First 5 attempts should be 401
+    // ("Invalid credentials" — no such user). 6th should be 429 with the
+    // rate-limit body, NOT a credential-failure body.
+    const buildReq = () => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        username: "ghost",
+        password: "x",
+        next: "/admin/config",
+      });
+      return new Request("http://hub.test/admin/login", {
+        method: "POST",
+        headers: { ...headers, cookie: CSRF_COOKIE, "cf-connecting-ip": "203.0.113.99" },
+        body,
+      });
+    };
+    for (let i = 0; i < 5; i++) {
+      const r = await handleAdminLoginPost(harness.db, buildReq());
+      expect(r.status).toBe(401);
+    }
+    const denied = await handleAdminLoginPost(harness.db, buildReq());
+    expect(denied.status).toBe(429);
+    expect(await denied.text()).toContain("Too many login attempts");
+  });
 });
 
 describe("handleAdminLogoutPost (#113)", () => {

package/src/__tests__/expose-2fa-warning.test.ts

@@ -0,0 +1,125 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { is2FAEnrolled, printPublic2FAWarning } from "../commands/expose-2fa-warning.ts";
+import type { VaultAuthStatus } from "../vault/auth-status.ts";
+
+function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
+  return {
+    hasOwnerPassword: false,
+    hasTotp: false,
+    tokenCount: 0,
+    vaultNames: [],
+    ...partial,
+  };
+}
+
+describe("is2FAEnrolled", () => {
+  test("returns true when status carries hasTotp: true", () => {
+    expect(is2FAEnrolled({ status: status({ hasTotp: true }) })).toBe(true);
+  });
+
+  test("returns false when status carries hasTotp: false", () => {
+    expect(is2FAEnrolled({ status: status({ hasTotp: false }) })).toBe(false);
+  });
+
+  test("reads totp_secret from vaultHome's config.yaml when status not supplied", () => {
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      writeFileSync(join(dir, "config.yaml"), 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(true);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("missing config.yaml → not enrolled (false)", () => {
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      // No config.yaml written.
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("empty totp_secret value → not enrolled (matches vault's readGlobalConfig)", () => {
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      writeFileSync(join(dir, "config.yaml"), 'totp_secret: ""\n');
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("malformed config.yaml → not enrolled (safer fail mode, fires warning)", () => {
+    // The probe parses config.yaml with a line-anchored regex (no YAML
+    // dependency), so junk content simply doesn't match `totp_secret: "..."`
+    // and resolves to `hasTotp: false` — which fires the public-exposure
+    // warning rather than silently suppressing it. Pin that contract so a
+    // future refactor of auth-status.ts can't quietly invert it.
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      writeFileSync(join(dir, "config.yaml"), "totp_secret: [unbalanced\n  ::: not yaml\n");
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});
+
+describe("printPublic2FAWarning", () => {
+  test("not enrolled → fires warning, returns true", () => {
+    const logs: string[] = [];
+    const fired = printPublic2FAWarning({
+      status: status({ hasTotp: false }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://vault.example.com",
+    });
+    expect(fired).toBe(true);
+    const joined = logs.join("\n");
+    expect(joined).toContain("2FA is not enrolled");
+    expect(joined).toContain("https://vault.example.com/admin/login");
+    expect(joined).toContain("parachute auth 2fa enroll");
+  });
+
+  test("enrolled → suppressed, returns false, logs nothing", () => {
+    const logs: string[] = [];
+    const fired = printPublic2FAWarning({
+      status: status({ hasTotp: true }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://vault.example.com",
+    });
+    expect(fired).toBe(false);
+    expect(logs).toEqual([]);
+  });
+
+  test("password-also-missing case still fires (warning is layer-independent of password state)", () => {
+    // The wide-open state (no password, no 2FA) hits this branch too — the
+    // hub's own `printAuthGuidance` (cloudflare) and `runAuthPreflight`
+    // (interactive wizard) cover the password remediation; this warning is
+    // strictly about 2FA.
+    const logs: string[] = [];
+    const fired = printPublic2FAWarning({
+      status: status({ hasOwnerPassword: false, hasTotp: false }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://vault.example.com",
+    });
+    expect(fired).toBe(true);
+    expect(logs.some((l) => l.includes("2FA is not enrolled"))).toBe(true);
+  });
+
+  test("embeds the supplied publicUrl into the /admin/login pointer", () => {
+    const logs: string[] = [];
+    printPublic2FAWarning({
+      status: status({ hasTotp: false }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://parachute.taildf9ce2.ts.net",
+    });
+    expect(logs.some((l) => l.includes("https://parachute.taildf9ce2.ts.net/admin/login"))).toBe(
+      true,
+    );
+  });
+});

package/src/__tests__/expose-cloudflare.test.ts

@@ -511,6 +511,107 @@ describe("exposeCloudflareUp", () => {
       env.cleanup();
     }
   });
+
+  // 2FA-enrollment warning (#186). The cloudflare path is always public —
+  // every successful bringup makes /admin/login reachable on the open
+  // internet, where 2FA is the primary defense beyond #188's rate-limit floor.
+  describe("2FA-enrollment warning", () => {
+    test("not enrolled → warning fires after the success block", async () => {
+      const env = makeEnv();
+      try {
+        const uuid = "cccccccc-0000-0000-0000-000000000003";
+        const { runner } = queueRunner([
+          { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+          { code: 0, stdout: "[]", stderr: "" },
+          {
+            code: 0,
+            stdout: `Tunnel credentials written to ${env.cloudflaredHome}/${uuid}.json.\nCreated tunnel parachute with id ${uuid}\n`,
+            stderr: "",
+          },
+          { code: 0, stdout: "", stderr: "" },
+        ]);
+        const { spawner } = fakeSpawner(42100);
+        const logs: string[] = [];
+
+        const code = await exposeCloudflareUp("vault.example.com", {
+          runner,
+          spawner,
+          alive: () => false,
+          kill: () => {},
+          log: (l) => logs.push(l),
+          manifestPath: env.manifestPath,
+          statePath: env.statePath,
+          configPath: env.configPath,
+          logPath: env.logPath,
+          cloudflaredHome: env.cloudflaredHome,
+          // No password, no 2FA — fully wide open. The warning should still
+          // fire; password-recovery copy already lives in `printAuthGuidance`.
+          vaultAuthStatus: {
+            hasOwnerPassword: false,
+            hasTotp: false,
+            tokenCount: 0,
+            vaultNames: [],
+          },
+        });
+
+        expect(code).toBe(0);
+        const joined = logs.join("\n");
+        expect(joined).toContain("2FA is not enrolled");
+        expect(joined).toContain("https://vault.example.com/admin/login");
+        expect(joined).toContain("parachute auth 2fa enroll");
+      } finally {
+        env.cleanup();
+      }
+    });
+
+    test("enrolled → warning suppressed (no '2FA is not enrolled' line)", async () => {
+      const env = makeEnv();
+      try {
+        const uuid = "dddddddd-0000-0000-0000-000000000004";
+        const { runner } = queueRunner([
+          { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+          { code: 0, stdout: "[]", stderr: "" },
+          {
+            code: 0,
+            stdout: `Tunnel credentials written to ${env.cloudflaredHome}/${uuid}.json.\nCreated tunnel parachute with id ${uuid}\n`,
+            stderr: "",
+          },
+          { code: 0, stdout: "", stderr: "" },
+        ]);
+        const { spawner } = fakeSpawner(42101);
+        const logs: string[] = [];
+
+        const code = await exposeCloudflareUp("vault.example.com", {
+          runner,
+          spawner,
+          alive: () => false,
+          kill: () => {},
+          log: (l) => logs.push(l),
+          manifestPath: env.manifestPath,
+          statePath: env.statePath,
+          configPath: env.configPath,
+          logPath: env.logPath,
+          cloudflaredHome: env.cloudflaredHome,
+          vaultAuthStatus: {
+            hasOwnerPassword: true,
+            hasTotp: true,
+            tokenCount: 1,
+            vaultNames: ["default"],
+          },
+        });
+
+        expect(code).toBe(0);
+        const joined = logs.join("\n");
+        expect(joined).not.toContain("2FA is not enrolled");
+        // The existing `printAuthGuidance` 2FA-recommend bullet is unrelated
+        // to the new contextual warning and stays in place — assert it on a
+        // shape that doesn't collide with the warning text.
+        expect(joined).toContain("(recommended) TOTP + backup codes");
+      } finally {
+        env.cleanup();
+      }
+    });
+  });
 });
 
 describe("exposeCloudflareOff", () => {