@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/admin-handlers.ts

@@ -1,66 +1,29 @@
 /**
- * HTTP handlers for the hub admin surface — login (`/admin/login`) and the
- * config portal (`/admin/config`, `/admin/config/<name>`). Sessions ride the
- * same `parachute_hub_session` cookie that the OAuth login mints, since PR
- * #112 widened the cookie path from `/oauth/` to `/`.
+ * HTTP handlers for the hub admin surface — login + logout. Sessions ride
+ * the same `parachute_hub_session` cookie that the OAuth login mints, since
+ * PR #112 widened the cookie path from `/oauth/` to `/`.
+ *
+ * `/login` (was `/admin/login` pre-#231-followup) is the canonical entry
+ * for ALL parachute auth — admin operators, OAuth user flows, etc. The
+ * `/admin/login` and `/admin/logout` paths 301-redirect for back-compat.
  *
  * Every state-changing POST is double-submit-CSRF protected
- * (`parachute_hub_csrf` cookie + `__csrf` form field, constant-time compare),
- * and every authenticated GET issues a 302 to `/admin/login?next=<path>`
- * when no session is found rather than rendering an inline login form —
- * keeps each route's intent clean and lets the operator bookmark
- * `/admin/config` without thinking about state.
+ * (`parachute_hub_csrf` cookie + `__csrf` form field, constant-time compare).
  */
 import type { Database } from "bun:sqlite";
-import {
-  type AdminConfigModuleView,
-  type ModuleStatus,
-  renderAdminConfigPage,
-  renderAdminError,
-  renderAdminLogin,
-} from "./admin-config-ui.ts";
-import {
-  type ConfigurableModule,
-  configPathFor,
-  discoverConfigurableModules,
-  readModuleConfig,
-  validateAndCoerce,
-  writeModuleConfig,
-} from "./admin-config.ts";
-import { restart as lifecycleRestart } from "./commands/lifecycle.ts";
-import { CONFIG_DIR } from "./config.ts";
+import { renderAdminError, renderAdminLogin } from "./admin-login-ui.ts";
 import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
-import type { ModuleManifest } from "./module-manifest.ts";
-import {
-  type ServicesManifest,
-  readManifest as readServicesManifest,
-} from "./services-manifest.ts";
+import { checkAndRecord, clientIpFromRequest } from "./rate-limit.ts";
 import {
   SESSION_TTL_MS,
   buildSessionClearCookie,
   buildSessionCookie,
   createSession,
   deleteSession,
-  findSession,
   parseSessionCookie,
 } from "./sessions.ts";
 import { getUserByUsername, verifyPassword } from "./users.ts";
 
-export interface AdminDeps {
-  /** Resolves the installed-services manifest (production: `services-manifest.readManifest`). */
-  loadServicesManifest?: () => ServicesManifest;
-  /** Per-module `.parachute/module.json` reader (production: `module-manifest.readModuleManifest`). */
-  readManifest?: (installDir: string) => Promise<ModuleManifest | null>;
-  /** `~/.parachute` (defaults to `CONFIG_DIR`). Module configs land at `<configDir>/<name>/config.json`. */
-  configDir?: string;
-  /** Test seam — defaults to `commands/lifecycle.restart`. */
-  restartService?: (name: string) => Promise<number>;
-  /** Test seam — defaults to logging to stderr. */
-  log?: (line: string) => void;
-  /** Test seam — defaults to real clock. */
-  now?: () => Date;
-}
-
 function htmlResponse(body: string, status = 200, extra: Record<string, string> = {}): Response {
   return new Response(body, {
     status,
@@ -72,31 +35,27 @@ function redirect(location: string, extra: Record<string, string> = {}): Respons
   return new Response(null, { status: 302, headers: { location, ...extra } });
 }
 
-// --- session gate ----------------------------------------------------------
-
 /**
- * Return the active session for this request, or null. Caller decides what
- * to do on null — most paths should redirect to `/admin/login?next=<path>`.
+ * Post-login default landing. The admin SPA mounts at `/admin/*` and treats
+ * `/admin/vaults` as its home (vault list, the default tab). Anywhere else
+ * would either bounce the operator out of the SPA shell or land on a
+ * legacy server-rendered page — `/admin/vaults` is the canonical entry.
  */
-function activeSession(db: Database, req: Request) {
-  const sid = parseSessionCookie(req.headers.get("cookie"));
-  return sid ? findSession(db, sid) : null;
-}
-
-function loginRedirect(req: Request, extra: Record<string, string> = {}): Response {
-  const url = new URL(req.url);
-  const next = `${url.pathname}${url.search}`;
-  return redirect(`/admin/login?next=${encodeURIComponent(next)}`, extra);
-}
+const POST_LOGIN_DEFAULT = "/admin/vaults";
 
 function safeNext(raw: string | null): string {
-  if (!raw) return "/admin/config";
+  if (!raw) return POST_LOGIN_DEFAULT;
   // Only allow same-origin paths — never honor an absolute URL or scheme.
-  if (!raw.startsWith("/") || raw.startsWith("//")) return "/admin/config";
+  if (!raw.startsWith("/") || raw.startsWith("//")) return POST_LOGIN_DEFAULT;
   return raw;
 }
 
-// --- /admin/login ----------------------------------------------------------
+// --- /login ---------------------------------------------------------------
+//
+// Renamed from `/admin/login` so the surface name reflects what it is — the
+// canonical entry for ALL parachute auth (operators, OAuth user flows,
+// etc.), not an admin-only door. `/admin/login` and `/admin/logout` 301
+// to here from `hub-server.ts` for back-compat.
 
 export function handleAdminLoginGet(_db: Database, req: Request): Response {
   const url = new URL(req.url);
@@ -106,7 +65,11 @@ export function handleAdminLoginGet(_db: Database, req: Request): Response {
   return htmlResponse(renderAdminLogin({ next, csrfToken: csrf.token }), 200, extra);
 }
 
-export async function handleAdminLoginPost(db: Database, req: Request): Promise<Response> {
+export async function handleAdminLoginPost(
+  db: Database,
+  req: Request,
+  deps: AdminLoginDeps = {},
+): Promise<Response> {
   const form = await req.formData();
   const formCsrf = form.get(CSRF_FIELD_NAME);
   if (!verifyCsrfToken(req, typeof formCsrf === "string" ? formCsrf : null)) {
@@ -118,6 +81,24 @@ export async function handleAdminLoginPost(db: Database, req: Request): Promise<
       400,
     );
   }
+  // Rate-limit gate fires *after* CSRF (so a junk cross-site POST doesn't
+  // burn a bucket slot for the victim's IP) but *before* credential check.
+  // Every legitimate login attempt — wrong password, missing user, eventually
+  // failed-2FA (#186) — counts toward the same bucket so an attacker can't
+  // partition the cooldown across stages.
+  const clientIp = clientIpFromRequest(req);
+  const now = deps.now ? deps.now() : new Date();
+  const gate = checkAndRecord(clientIp, now);
+  if (!gate.allowed) {
+    return htmlResponse(
+      renderAdminError({
+        title: "Too many login attempts",
+        message: `Too many login attempts from this IP. Try again in ${gate.retryAfterSeconds ?? 1} seconds.`,
+      }),
+      429,
+      { "retry-after": String(gate.retryAfterSeconds ?? 1) },
+    );
+  }
   const username = String(form.get("username") ?? "");
   const password = String(form.get("password") ?? "");
   const next = safeNext(String(form.get("next") ?? ""));
@@ -147,17 +128,27 @@ export async function handleAdminLoginPost(db: Database, req: Request): Promise<
   return redirect(next, { "set-cookie": cookie });
 }
 
-// --- /admin/logout ---------------------------------------------------------
+/**
+ * Test-injection seam for `handleAdminLoginPost`. Production callers omit
+ * `deps`; tests pass a deterministic clock so the rate-limit assertions
+ * don't race wall-clock time.
+ */
+export interface AdminLoginDeps {
+  /** Test seam — defaults to real clock. */
+  now?: () => Date;
+}
+
+// --- /logout --------------------------------------------------------------
 
 /**
  * POST-only — logout is state-changing, so it rides the same double-submit
- * CSRF discipline as login + config posts. Without CSRF, a malicious
- * cross-origin form could log the operator out (annoyance, not catastrophe,
- * but the safety belt is already on the bus).
+ * CSRF discipline as login. Without CSRF, a malicious cross-origin form
+ * could log the operator out (annoyance, not catastrophe, but the safety
+ * belt is already on the bus).
  *
  * Always idempotent: clearing the cookie succeeds even if there's no
- * matching session row. Returns 302 → /admin/login so the operator lands
- * back on the form ready to re-authenticate.
+ * matching session row. Returns 302 → /login so the operator lands back
+ * on the form ready to re-authenticate.
  */
 export async function handleAdminLogoutPost(db: Database, req: Request): Promise<Response> {
   const form = await req.formData();
@@ -173,193 +164,5 @@ export async function handleAdminLogoutPost(db: Database, req: Request): Promise
   }
   const sid = parseSessionCookie(req.headers.get("cookie"));
   if (sid) deleteSession(db, sid);
-  return redirect("/admin/login", { "set-cookie": buildSessionClearCookie() });
-}
-
-// --- /admin/config ---------------------------------------------------------
-
-export async function handleAdminConfigGet(
-  db: Database,
-  req: Request,
-  deps: AdminDeps = {},
-): Promise<Response> {
-  const session = activeSession(db, req);
-  if (!session) return loginRedirect(req);
-
-  const csrf = ensureCsrfToken(req);
-  const setCookieExtra: Record<string, string> = csrf.setCookie
-    ? { "set-cookie": csrf.setCookie }
-    : {};
-
-  const modules = await loadModuleViews(deps);
-  const flash = parseFlash(req);
-  if (flash) applyFlashTo(modules, flash);
-  return htmlResponse(
-    renderAdminConfigPage({ modules, csrfToken: csrf.token }),
-    200,
-    setCookieExtra,
-  );
-}
-
-export async function handleAdminConfigPost(
-  db: Database,
-  req: Request,
-  moduleName: string,
-  deps: AdminDeps = {},
-): Promise<Response> {
-  const session = activeSession(db, req);
-  if (!session) return loginRedirect(req);
-
-  const form = await req.formData();
-  const formCsrf = form.get(CSRF_FIELD_NAME);
-  if (!verifyCsrfToken(req, typeof formCsrf === "string" ? formCsrf : null)) {
-    return htmlResponse(
-      renderAdminError({
-        title: "Invalid form submission",
-        message: "The form's CSRF token did not match. Reload the page and try again.",
-      }),
-      400,
-    );
-  }
-
-  const modules = await discoverConfigurableModules(discoverDeps(deps));
-  const target = modules.find((m) => m.name === moduleName);
-  if (!target) {
-    return htmlResponse(
-      renderAdminError({
-        title: "Unknown module",
-        message: `No installed module named "${moduleName}" declares a config schema on this hub.`,
-      }),
-      404,
-    );
-  }
-
-  const csrfToken = typeof formCsrf === "string" ? formCsrf : "";
-  const submitted = collectFormValues(form, target);
-  const result = validateAndCoerce(submitted, target.schema);
-  if (!result.ok) {
-    return rerenderWithStatus(deps, target, csrfToken, {
-      fieldErrors: result.errors,
-      pending: submitted,
-      errorMessage: "Some fields need attention before this config can be saved.",
-    });
-  }
-
-  try {
-    writeModuleConfig(target.configPath, result.data ?? {});
-  } catch (err) {
-    return rerenderWithStatus(deps, target, csrfToken, {
-      pending: submitted,
-      errorMessage: `Failed to write ${target.configPath}: ${err instanceof Error ? err.message : String(err)}`,
-    });
-  }
-
-  const restartFn = deps.restartService ?? defaultRestart(deps);
-  let restartCode = 0;
-  try {
-    restartCode = await restartFn(target.name);
-  } catch (err) {
-    return successRedirect(target.name, "saved-restart-failed", err);
-  }
-  if (restartCode !== 0) return successRedirect(target.name, "saved-restart-failed");
-  return successRedirect(target.name, "saved");
-}
-
-function defaultRestart(deps: AdminDeps): (name: string) => Promise<number> {
-  return (name) =>
-    lifecycleRestart(name, {
-      configDir: deps.configDir ?? CONFIG_DIR,
-      log: deps.log,
-    });
-}
-
-function discoverDeps(deps: AdminDeps) {
-  const out: Parameters<typeof discoverConfigurableModules>[0] = {
-    loadServicesManifest: deps.loadServicesManifest ?? readServicesManifest,
-    configDir: deps.configDir ?? CONFIG_DIR,
-  };
-  if (deps.readManifest) out.readManifest = deps.readManifest;
-  return out;
-}
-
-async function loadModuleViews(deps: AdminDeps): Promise<AdminConfigModuleView[]> {
-  const modules = await discoverConfigurableModules(discoverDeps(deps));
-  return modules.map((module) => {
-    const { data, parseError } = readModuleConfig(module.configPath);
-    const view: AdminConfigModuleView = { module, current: data };
-    if (parseError) view.parseError = parseError;
-    return view;
-  });
-}
-
-function collectFormValues(
-  form: Awaited<ReturnType<Request["formData"]>>,
-  module: ConfigurableModule,
-): Record<string, string | boolean | undefined> {
-  const out: Record<string, string | boolean | undefined> = {};
-  for (const [key, prop] of Object.entries(module.schema.properties)) {
-    if (prop.type === "boolean") {
-      // Unchecked checkboxes don't appear in form data — absence = false.
-      out[key] = form.has(key);
-      continue;
-    }
-    const v = form.get(key);
-    out[key] = typeof v === "string" ? v : undefined;
-  }
-  return out;
-}
-
-// --- flash + redirect helpers ---------------------------------------------
-
-const FLASH_PARAM = "_status";
-const FLASH_MODULE_PARAM = "_module";
-
-function successRedirect(moduleName: string, status: string, err?: unknown): Response {
-  const target = new URL("/admin/config", "http://placeholder");
-  target.searchParams.set(FLASH_PARAM, status);
-  target.searchParams.set(FLASH_MODULE_PARAM, moduleName);
-  if (err) target.searchParams.set("_err", err instanceof Error ? err.message : String(err));
-  target.hash = `module-${moduleName}`;
-  return redirect(`${target.pathname}${target.search}${target.hash}`);
-}
-
-function parseFlash(req: Request): { module: string; status: string; errMessage?: string } | null {
-  const url = new URL(req.url);
-  const status = url.searchParams.get(FLASH_PARAM);
-  const mod = url.searchParams.get(FLASH_MODULE_PARAM);
-  if (!status || !mod) return null;
-  const errMessage = url.searchParams.get("_err") ?? undefined;
-  const out: { module: string; status: string; errMessage?: string } = { module: mod, status };
-  if (errMessage) out.errMessage = errMessage;
-  return out;
-}
-
-function applyFlashTo(
-  views: AdminConfigModuleView[],
-  flash: { module: string; status: string; errMessage?: string },
-): void {
-  const view = views.find((v) => v.module.name === flash.module);
-  if (!view) return;
-  if (flash.status === "saved") {
-    view.status = { successMessage: `Saved and restarted ${view.module.displayName}.` };
-    return;
-  }
-  if (flash.status === "saved-restart-failed") {
-    const tail = flash.errMessage ? ` (${flash.errMessage})` : "";
-    view.status = {
-      errorMessage: `Saved ${view.module.displayName} config but the restart did not succeed${tail}. Run \`parachute restart ${view.module.name}\` and check logs.`,
-    };
-  }
-}
-
-async function rerenderWithStatus(
-  deps: AdminDeps,
-  target: ConfigurableModule,
-  csrfToken: string,
-  status: ModuleStatus,
-): Promise<Response> {
-  const views = await loadModuleViews(deps);
-  const view = views.find((v) => v.module.name === target.name);
-  if (view) view.status = status;
-  return htmlResponse(renderAdminConfigPage({ modules: views, csrfToken }), 422);
+  return redirect("/login", { "set-cookie": buildSessionClearCookie() });
 }

package/src/admin-host-admin-token.ts

@@ -1,25 +1,40 @@
 /**
  * `GET /admin/host-admin-token` — exchange a valid admin session cookie for a
- * short-lived JWT carrying `parachute:host:admin`.
+ * short-lived JWT carrying both `parachute:host:admin` and
+ * `parachute:host:auth` (the same superset an `--scope-set admin` operator
+ * token holds).
  *
- * Why this exists: the hub's vault-management SPA (served under `/hub/`)
- * needs a Bearer to call admin endpoints like `POST /vaults`, but
- * `parachute:host:admin` is in `NON_REQUESTABLE_SCOPES` — the public
- * `/oauth/authorize` endpoint refuses to mint it so third-party apps can't
- * acquire cross-vault provisioning capability via consent.
+ * Why this exists: the hub's admin SPA (served under `/hub/`) needs a Bearer
+ * to call:
+ *   - `parachute:host:admin` surfaces — `POST /vaults` (vault provisioning),
+ *     `/api/grants` (OAuth consent grant management).
+ *   - `parachute:host:auth` surfaces — `GET /api/auth/tokens`,
+ *     `POST /api/auth/mint-token`, `POST /api/auth/revoke-token` (the token
+ *     registry endpoints from hub#212 Phase 2).
+ *
+ * Both scopes are in `NON_REQUESTABLE_SCOPES` — the public `/oauth/authorize`
+ * endpoint refuses to mint either, so third-party apps can't acquire these
+ * capabilities via consent. This local mint path is the SPA's only way in.
  *
  * The local mint path now has two surfaces:
- *   1. `parachute auth ...` — operator-token file (~1y, on-disk, mode 0600).
+ *   1. `parachute auth ...` — operator-token file (90d, on-disk, mode 0600).
  *   2. THIS endpoint — short-lived JWT (10 min) handed to the SPA in memory.
  *
  * Both paths require already-proved local-operator identity:
  *   - operator-token mint runs as the operator's unix user.
  *   - this endpoint requires a valid `parachute_hub_session` cookie, which
- *     was set by `/admin/login` after a password check.
+ *     was set by `/login` after a password check.
  *
  * Tokens minted here are deliberately NOT persisted in the `tokens` table
  * (no refresh, no revocation tracking). They expire on their own; the SPA
  * re-fetches when the JWT is about to lapse.
+ *
+ * Background on the dual-scope shape: prior to hub#212 Phase 2 this endpoint
+ * minted `parachute:host:admin` only. The Phase 2 admin endpoints
+ * (`/api/auth/*`) gate on `parachute:host:auth`, which the SPA's bearer
+ * lacked — `/hub/tokens` failed with `bearer token lacks parachute:host:auth`
+ * on first end-to-end load. Adding `:host:auth` here brings the SPA bearer
+ * in line with the admin scope-set semantics from hub#214 / #222.
  */
 import type { Database } from "bun:sqlite";
 import { signAccessToken } from "./jwt-sign.ts";
@@ -29,7 +44,7 @@ import { findSession, parseSessionCookie } from "./sessions.ts";
 export const HOST_ADMIN_TOKEN_TTL_SECONDS = 10 * 60;
 const HOST_ADMIN_AUDIENCE = "hub";
 const HOST_ADMIN_CLIENT_ID = "parachute-hub-spa";
-export const HOST_ADMIN_SCOPES = ["parachute:host:admin"] as const;
+export const HOST_ADMIN_SCOPES = ["parachute:host:admin", "parachute:host:auth"] as const;
 
 export interface MintHostAdminTokenDeps {
   db: Database;
@@ -47,7 +62,7 @@ export async function handleHostAdminToken(
   const sid = parseSessionCookie(req.headers.get("cookie"));
   const session = sid ? findSession(deps.db, sid) : null;
   if (!session) {
-    return jsonError(401, "unauthenticated", "no admin session — sign in at /admin/login first");
+    return jsonError(401, "unauthenticated", "no admin session — sign in at /login first");
   }
   const minted = await signAccessToken(deps.db, {
     sub: session.userId,