@openparachute/hub 0.5.7 → 0.5.10-rc.10

package/src/scope-explanations.ts

@@ -66,6 +66,30 @@ export const SCOPE_EXPLANATIONS: Record<string, ScopeExplanation> = {
       "Provision and manage vaults across this host (create new vaults, configure cross-vault settings).",
     level: "admin",
   },
+  // Fine-grained host scopes (#213) — the `parachute auth rotate-operator
+  // --scope-set <set>` vocabulary. Each is a narrowing of `parachute:host:admin`:
+  // an operator who wants a tighter token mints with one of these and uses
+  // it in place of the broad operator.token. Operator-only (non-requestable).
+  "parachute:host:install": {
+    label: "Install or upgrade Parachute modules on this host.",
+    level: "admin",
+  },
+  "parachute:host:start": {
+    label: "Lifecycle Parachute modules on this host (start, stop, restart, status).",
+    level: "admin",
+  },
+  "parachute:host:expose": {
+    label: "Bring tailnet or public exposure layers up and down on this host.",
+    level: "admin",
+  },
+  "parachute:host:auth": {
+    label: "Mint hub-issued tokens and manage user accounts on this host.",
+    level: "admin",
+  },
+  "parachute:host:vault": {
+    label: "Administer vaults on this host (create, configure, delete).",
+    level: "admin",
+  },
 };
 
 /**
@@ -83,7 +107,7 @@ export const FIRST_PARTY_SCOPES = Object.keys(SCOPE_EXPLANATIONS).sort();
  *   - `parachute auth rotate-operator` writes the long-lived operator token
  *     (`~/.parachute/operator.token`, mode 0600) for service accounts.
  *   - `GET /admin/host-admin-token` exchanges a valid `parachute_hub_session`
- *     cookie (set by `/admin/login` after a password check) for a
+ *     cookie (set by `/login` after a password check) for a
  *     short-lived JWT consumed by the in-tree vault-management SPA.
  *
  * Both surfaces predicate on local-operator identity that the public OAuth
@@ -104,7 +128,14 @@ export const FIRST_PARTY_SCOPES = Object.keys(SCOPE_EXPLANATIONS).sort();
  * intentional: the blast radius of compromised cross-vault admin doesn't
  * justify third-party requestability.
  */
-export const NON_REQUESTABLE_SCOPES: ReadonlySet<string> = new Set(["parachute:host:admin"]);
+export const NON_REQUESTABLE_SCOPES: ReadonlySet<string> = new Set([
+  "parachute:host:admin",
+  "parachute:host:install",
+  "parachute:host:start",
+  "parachute:host:expose",
+  "parachute:host:auth",
+  "parachute:host:vault",
+]);
 
 /**
  * Per-vault `vault:<name>:admin` scopes are also non-requestable: they let

package/src/sessions.ts

@@ -83,26 +83,38 @@ export function deleteSession(db: Database, id: string): void {
 
 /**
  * Build a `Set-Cookie` header value for the given session id. HttpOnly +
- * SameSite=Lax + Secure (we always assume a TLS terminator; localhost dev
- * still sets Secure because Tailscale serves with HTTPS even on the tailnet
- * mount). Path=/ covers the whole hub origin: the operator's session is "logged
- * into this hub", and admin pages outside /oauth/ (config portal, etc.) ride
- * the same session. State-changing admin POSTs require a CSRF token (see
- * src/csrf.ts) since SameSite=Lax alone doesn't prevent same-site CSRF.
+ * SameSite=Lax + Secure (conditional) + Path=/.
+ *
+ * Path=/ covers the whole hub origin: the operator's session is "logged
+ * into this hub", and admin pages outside /oauth/ (config portal, etc.)
+ * ride the same session. State-changing admin POSTs require a CSRF token
+ * (see src/csrf.ts) since SameSite=Lax alone doesn't prevent same-site
+ * CSRF.
+ *
+ * `Secure` defaults to true (production behind a TLS terminator).
+ * Callers minting the cookie for a known-HTTP request — `/login` POST
+ * over `http://localhost:1939`, the wizard's account POST same — pass
+ * `secure: false` (computed from `isHttpsRequest(req)`) so the
+ * browser actually keeps the cookie. Setting `Secure` unconditionally
+ * over plain HTTP silently drops the cookie and breaks the very next
+ * authenticated request.
  */
-export function buildSessionCookie(sessionId: string, maxAgeSeconds: number): string {
-  return [
-    `${SESSION_COOKIE_NAME}=${sessionId}`,
-    "HttpOnly",
-    "Secure",
-    "SameSite=Lax",
-    "Path=/",
-    `Max-Age=${maxAgeSeconds}`,
-  ].join("; ");
+export function buildSessionCookie(
+  sessionId: string,
+  maxAgeSeconds: number,
+  opts: { secure?: boolean } = {},
+): string {
+  const parts = [`${SESSION_COOKIE_NAME}=${sessionId}`, "HttpOnly"];
+  if (opts.secure !== false) parts.push("Secure");
+  parts.push("SameSite=Lax", "Path=/", `Max-Age=${maxAgeSeconds}`);
+  return parts.join("; ");
 }
 
-export function buildSessionClearCookie(): string {
-  return `${SESSION_COOKIE_NAME}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`;
+export function buildSessionClearCookie(opts: { secure?: boolean } = {}): string {
+  const parts = [`${SESSION_COOKIE_NAME}=`, "HttpOnly"];
+  if (opts.secure !== false) parts.push("Secure");
+  parts.push("SameSite=Lax", "Path=/", "Max-Age=0");
+  return parts.join("; ");
 }
 
 export function parseSessionCookie(cookieHeader: string | null): string | null {
@@ -121,7 +133,7 @@ export function parseSessionCookie(cookieHeader: string | null): string | null {
  * callers don't repeat the parse+find+null-check dance.
  *
  * Caller decides what to do on null — admin pages redirect to
- * `/admin/login?next=<path>`, OAuth's DCR endpoint falls through to
+ * `/login?next=<path>`, OAuth's DCR endpoint falls through to
  * status=`pending` (closes #199).
  */
 export function findActiveSession(