@openparachute/hub 0.6.3 → 0.6.4-rc.1

package/src/__tests__/expose-2fa-warning.test.ts

@@ -87,13 +87,16 @@ describe("printPublic2FAWarning", () => {
     });
     expect(fired).toBe(true);
     const joined = logs.join("\n");
-    // hub#473: real hub-login 2FA. The warning now recommends the real
-    // `parachute auth 2fa enroll` path (+ the /account/2fa browser path) and
-    // still nudges a strong owner password.
-    expect(joined).toContain("/login is now reachable on the public internet");
+    // hub#473: real hub-login 2FA. The recommendation now leads with the
+    // friendly "strongly recommended" framing, points at both the /account/2fa
+    // browser path and the `parachute auth 2fa enroll` CLI path, makes clear
+    // it's not a requirement, and still nudges a strong owner password.
+    expect(joined).toContain("Strongly recommended: turn on two-factor authentication");
+    expect(joined).toContain("reachable from the public internet");
     expect(joined).toContain("https://vault.example.com/login");
+    expect(joined).toContain("https://vault.example.com/account/2fa");
     expect(joined).toContain("parachute auth 2fa enroll");
-    expect(joined).toContain("/account/2fa");
+    expect(joined).toContain("It's a recommendation, not a requirement");
     expect(joined).toContain("parachute auth set-password");
   });
 
@@ -120,9 +123,9 @@ describe("printPublic2FAWarning", () => {
       publicUrl: "https://vault.example.com",
     });
     expect(fired).toBe(true);
-    expect(logs.some((l) => l.includes("/login is now reachable on the public internet"))).toBe(
-      true,
-    );
+    expect(
+      logs.some((l) => l.includes("Strongly recommended: turn on two-factor authentication")),
+    ).toBe(true);
   });
 
   test("embeds the supplied publicUrl into the /login pointer", () => {

package/src/__tests__/expose-cloudflare.test.ts

@@ -1230,9 +1230,10 @@ describe("exposeCloudflareUp", () => {
 
         expect(code).toBe(0);
         const joined = logs.join("\n");
-        // hub#473: real hub-login 2FA — the warning now recommends the real
-        // `parachute auth 2fa enroll` path.
-        expect(joined).toContain("/login is now reachable on the public internet");
+        // hub#473: real hub-login 2FA — the recommendation now leads with the
+        // friendly "strongly recommended" framing and the real `parachute auth
+        // 2fa enroll` / `/account/2fa` paths.
+        expect(joined).toContain("Strongly recommended: turn on two-factor authentication");
         expect(joined).toContain("https://vault.example.com/login");
         expect(joined).toContain("parachute auth 2fa enroll");
       } finally {
@@ -1281,7 +1282,7 @@ describe("exposeCloudflareUp", () => {
 
         expect(code).toBe(0);
         const joined = logs.join("\n");
-        expect(joined).not.toContain("/login is now reachable on the public internet");
+        expect(joined).not.toContain("Strongly recommended: turn on two-factor authentication");
         // The contextual 2FA warning is suppressed (2FA already enrolled); the
         // always-shown owner-password guidance from `printAuthGuidance` still
         // appears, and it now (hub#473) also surfaces the real `2fa enroll`

package/src/__tests__/expose.test.ts

@@ -558,7 +558,9 @@ describe("expose tailnet up", () => {
         },
       });
       expect(code).toBe(0);
-      expect(logs.join("\n")).not.toContain("2FA is not enrolled");
+      expect(logs.join("\n")).not.toContain(
+        "Strongly recommended: turn on two-factor authentication",
+      );
     } finally {
       h.cleanup();
     }
@@ -931,9 +933,10 @@ describe("expose public up", () => {
       });
       expect(code).toBe(0);
       const joined = logs.join("\n");
-      // hub#473: real hub-login 2FA. The warning now recommends the real
-      // `parachute auth 2fa enroll` path.
-      expect(joined).toContain("/login is now reachable on the public internet");
+      // hub#473: real hub-login 2FA. The recommendation now leads with the
+      // friendly "strongly recommended" framing and the real `parachute auth
+      // 2fa enroll` path.
+      expect(joined).toContain("Strongly recommended: turn on two-factor authentication");
       expect(joined).toContain("parachute auth 2fa enroll");
       // /login pointer uses the canonical https://<fqdn> origin.
       expect(joined).toContain("https://parachute.taildf9ce2.ts.net/login");
@@ -966,7 +969,9 @@ describe("expose public up", () => {
         },
       });
       expect(code).toBe(0);
-      expect(logs.join("\n")).not.toContain("2FA is not enrolled");
+      expect(logs.join("\n")).not.toContain(
+        "Strongly recommended: turn on two-factor authentication",
+      );
     } finally {
       h.cleanup();
     }

package/src/__tests__/hub-origin-resolution.test.ts

@@ -31,9 +31,20 @@ function req(url: string): Request {
   return new Request(url, { method: "GET" });
 }
 
+/**
+ * Stub the expose-state reader to "no exposure recorded" so these
+ * settings/env/request-tier tests are isolated from the host's real
+ * `~/.parachute/expose-state.json`. Without this, the default reader picks
+ * up a live exposure on the dev box and the expose tier shadows the
+ * request-origin fallback these tests assert. (The expose tier itself is
+ * exercised in the dedicated describe blocks below with its own injected
+ * origins.)
+ */
+const noExpose = (): string | undefined => undefined;
+
 describe("resolveIssuer — precedence chain", () => {
   test("falls back to request origin when no settings + no env", () => {
-    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined, noExpose);
     expect(got).toBe("http://127.0.0.1:1939");
   });
 
@@ -42,6 +53,7 @@ describe("resolveIssuer — precedence chain", () => {
       req("http://127.0.0.1:1939/oauth/token"),
       db,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(got).toBe("https://hub.from-env.example");
   });
@@ -52,13 +64,14 @@ describe("resolveIssuer — precedence chain", () => {
       req("http://127.0.0.1:1939/oauth/token"),
       db,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(got).toBe("https://hub.from-settings.example");
   });
 
   test("hub_settings wins over request origin (no env)", () => {
     setHubOrigin(db, "https://hub.from-settings.example");
-    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined, noExpose);
     expect(got).toBe("https://hub.from-settings.example");
   });
 
@@ -69,6 +82,7 @@ describe("resolveIssuer — precedence chain", () => {
       req("http://127.0.0.1:1939/oauth/token"),
       db,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(got).toBe("https://hub.from-env.example");
   });
@@ -76,7 +90,7 @@ describe("resolveIssuer — precedence chain", () => {
   test("clearing hub_settings + no env reverts to request origin", () => {
     setHubOrigin(db, "https://hub.from-settings.example");
     setHubOrigin(db, null);
-    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined, noExpose);
     expect(got).toBe("http://127.0.0.1:1939");
   });
 
@@ -84,13 +98,14 @@ describe("resolveIssuer — precedence chain", () => {
     // The wellknown / discovery surfaces may hit oauthDeps before a DB
     // is wired; resolveIssuer must not throw — just skip the settings
     // layer.
-    const got = resolveIssuer(req("http://127.0.0.1:1939/"), undefined, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/"), undefined, undefined, noExpose);
     expect(got).toBe("http://127.0.0.1:1939");
 
     const gotEnv = resolveIssuer(
       req("http://127.0.0.1:1939/"),
       undefined,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(gotEnv).toBe("https://hub.from-env.example");
   });
@@ -103,19 +118,19 @@ describe("resolveIssuer — precedence chain", () => {
     const baseUrl = "http://127.0.0.1:1939/oauth/token";
 
     // Pass 1 — no settings, no env → request origin.
-    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(req(baseUrl), db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
 
     // Mid-flight write.
     setHubOrigin(db, "https://hub.example.com");
 
     // Pass 2 — settings wins immediately.
-    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("https://hub.example.com");
+    expect(resolveIssuer(req(baseUrl), db, undefined, noExpose)).toBe("https://hub.example.com");
 
     // Mid-flight clear.
     setHubOrigin(db, null);
 
     // Pass 3 — back to request origin.
-    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(req(baseUrl), db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
   });
 
   test("X-Forwarded-Proto: https upgrades the request-origin fallback", () => {
@@ -124,11 +139,14 @@ describe("resolveIssuer — precedence chain", () => {
     // `http://...` in OAuth discovery — mixed-content blocked when the
     // page loaded over https://. See hub#355 (the notes app's
     // /oauth/register call surfaced this).
-    const r = new Request("http://parachute-hub.onrender.com/.well-known/oauth-authorization-server", {
-      method: "GET",
-      headers: { "X-Forwarded-Proto": "https" },
-    });
-    expect(resolveIssuer(r, db, undefined)).toBe("https://parachute-hub.onrender.com");
+    const r = new Request(
+      "http://parachute-hub.onrender.com/.well-known/oauth-authorization-server",
+      {
+        method: "GET",
+        headers: { "X-Forwarded-Proto": "https" },
+      },
+    );
+    expect(resolveIssuer(r, db, undefined, noExpose)).toBe("https://parachute-hub.onrender.com");
   });
 
   test("X-Forwarded-Proto with comma-separated values takes the first", () => {
@@ -138,14 +156,14 @@ describe("resolveIssuer — precedence chain", () => {
       method: "GET",
       headers: { "X-Forwarded-Proto": "https, http" },
     });
-    expect(resolveIssuer(r, db, undefined)).toBe("https://hub.internal");
+    expect(resolveIssuer(r, db, undefined, noExpose)).toBe("https://hub.internal");
   });
 
   test("missing X-Forwarded-Proto leaves the URL scheme as-is (localhost dev)", () => {
     // No reverse proxy → no header → keep http for the local-dev shape.
     // Operators on plain HTTP localhost depend on this.
     const r = new Request("http://127.0.0.1:1939/oauth/token", { method: "GET" });
-    expect(resolveIssuer(r, db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(r, db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
   });
 
   test("X-Forwarded-Proto is IGNORED when hub_settings or env wins", () => {
@@ -161,26 +179,28 @@ describe("resolveIssuer — precedence chain", () => {
 
     // Env layer wins, even though the header says https — the env value
     // is returned verbatim (preserving whatever scheme the operator set).
-    expect(resolveIssuer(r, db, "http://configured.example")).toBe("http://configured.example");
+    expect(resolveIssuer(r, db, "http://configured.example", noExpose)).toBe(
+      "http://configured.example",
+    );
 
     // Settings layer wins above env, also verbatim.
     setHubOrigin(db, "http://settings.example");
-    expect(resolveIssuer(r, db, "https://env.example")).toBe("http://settings.example");
+    expect(resolveIssuer(r, db, "https://env.example", noExpose)).toBe("http://settings.example");
   });
 });
 
 describe("resolveIssuerSource — attribution for SPA", () => {
   test('"request" when nothing is configured', () => {
-    expect(resolveIssuerSource(db, undefined)).toBe("request");
+    expect(resolveIssuerSource(db, undefined, noExpose)).toBe("request");
   });
 
   test('"env" when configuredIssuer is set + no settings row', () => {
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("env");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("env");
   });
 
   test('"settings" when hub_settings row is set, even if env is also set', () => {
     setHubOrigin(db, "https://hub.from-settings.example");
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("settings");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("settings");
   });
 
   test("attribution matches resolved value across the chain", () => {
@@ -189,16 +209,150 @@ describe("resolveIssuerSource — attribution for SPA", () => {
     // settings layer is what got returned.
     setHubOrigin(db, "https://hub.example.com");
     const r1 = req("http://127.0.0.1:1939/oauth/token");
-    expect(resolveIssuer(r1, db, "https://hub.from-env.example")).toBe("https://hub.example.com");
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("settings");
+    expect(resolveIssuer(r1, db, "https://hub.from-env.example", noExpose)).toBe(
+      "https://hub.example.com",
+    );
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("settings");
 
     setHubOrigin(db, null);
-    expect(resolveIssuer(r1, db, "https://hub.from-env.example")).toBe(
+    expect(resolveIssuer(r1, db, "https://hub.from-env.example", noExpose)).toBe(
       "https://hub.from-env.example",
     );
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("env");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("env");
+
+    expect(resolveIssuer(r1, db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuerSource(db, undefined, noExpose)).toBe("request");
+  });
+});
+
+/**
+ * The expose-state tier (#531). On the reboot-persistent owner-operated
+ * path the launchd plist / systemd unit carries no PARACHUTE_HUB_ORIGIN, so
+ * the hub boots with no `configuredIssuer`. Without this tier it would stamp
+ * `iss` from the per-request origin (loopback) and exposed resource servers
+ * (vault) reject the token with `unexpected "iss" claim value`. The exposed
+ * origin recorded in expose-state.json's hubOrigin is consulted between the
+ * env tier and the request-origin fallback. The `readExpose` seam (4th /
+ * 3rd param) drives this without touching the real ~/.parachute.
+ */
+describe("resolveIssuer — expose-state tier (#531)", () => {
+  const EXPOSED = "https://parachute.taildf9ce2.ts.net";
+  // Simulates the reported bug: token minted under loopback, request arrives
+  // at loopback, but the canonical exposed origin lives in expose-state.
+  const loopbackReq = () => req("http://127.0.0.1:1939/oauth/token");
+
+  test("REGRESSION: expose origin used (NOT request origin) when settings+env both absent", () => {
+    const got = resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED);
+    expect(got).toBe(EXPOSED);
+    expect(got).not.toBe("http://127.0.0.1:1939");
+  });
+
+  test("settings wins over expose", () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    const got = resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED);
+    expect(got).toBe("https://hub.from-settings.example");
+  });
+
+  test("env wins over expose", () => {
+    const got = resolveIssuer(loopbackReq(), db, "https://hub.from-env.example", () => EXPOSED);
+    expect(got).toBe("https://hub.from-env.example");
+  });
+
+  test("expose wins over request origin", () => {
+    // settings + env both absent → expose beats the per-request loopback origin.
+    const got = resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED);
+    expect(got).toBe(EXPOSED);
+  });
+
+  test("full precedence: settings > env > expose > request", () => {
+    // request-only
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => undefined)).toBe(
+      "http://127.0.0.1:1939",
+    );
+    // expose beats request
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED)).toBe(EXPOSED);
+    // env beats expose
+    expect(resolveIssuer(loopbackReq(), db, "https://env.example", () => EXPOSED)).toBe(
+      "https://env.example",
+    );
+    // settings beats env (and expose)
+    setHubOrigin(db, "https://settings.example");
+    expect(resolveIssuer(loopbackReq(), db, "https://env.example", () => EXPOSED)).toBe(
+      "https://settings.example",
+    );
+  });
+
+  test("malformed expose-state falls through to request without throwing", () => {
+    // A reader that throws simulates a corrupt expose-state.json. The
+    // `exposeIssuerOrigin` wrapper guards the `readExpose()` call itself in
+    // try/catch, so even an injected non-swallowing reader can NEVER
+    // propagate into the request path — resolveIssuer falls through to the
+    // request origin instead of 500ing the hub.
+    const throwing = () => {
+      throw new Error("malformed expose-state.json");
+    };
+    expect(() => resolveIssuer(loopbackReq(), db, undefined, throwing)).not.toThrow();
+    expect(resolveIssuer(loopbackReq(), db, undefined, throwing)).toBe("http://127.0.0.1:1939");
+    // A reader that returns undefined (the default's post-swallow shape) also
+    // yields the request origin.
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => undefined)).toBe(
+      "http://127.0.0.1:1939",
+    );
+  });
+
+  test("loopback expose origin ignored (never re-pin the degraded mode)", () => {
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "http://127.0.0.1:1939")).toBe(
+      "http://127.0.0.1:1939",
+    );
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "http://localhost:1939")).toBe(
+      "http://127.0.0.1:1939",
+    );
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "http://0.0.0.0:1939")).toBe(
+      "http://127.0.0.1:1939",
+    );
+  });
+
+  test("non-http(s) / empty expose origin ignored", () => {
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "ftp://x.example")).toBe(
+      "http://127.0.0.1:1939",
+    );
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "")).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "not-a-url")).toBe(
+      "http://127.0.0.1:1939",
+    );
+  });
+
+  test("undefined db (pre-config gate) still consults expose before request", () => {
+    const got = resolveIssuer(loopbackReq(), undefined, undefined, () => EXPOSED);
+    expect(got).toBe(EXPOSED);
+  });
+});
+
+describe("resolveIssuerSource — expose attribution (#531)", () => {
+  const EXPOSED = "https://parachute.taildf9ce2.ts.net";
+
+  test('"expose" when resolved from expose-state (settings+env absent)', () => {
+    expect(resolveIssuerSource(db, undefined, () => EXPOSED)).toBe("expose");
+  });
+
+  test('"settings" wins over expose', () => {
+    setHubOrigin(db, "https://settings.example");
+    expect(resolveIssuerSource(db, undefined, () => EXPOSED)).toBe("settings");
+  });
+
+  test('"env" wins over expose', () => {
+    expect(resolveIssuerSource(db, "https://env.example", () => EXPOSED)).toBe("env");
+  });
+
+  test('"request" when no settings/env and no (valid) expose origin', () => {
+    expect(resolveIssuerSource(db, undefined, () => undefined)).toBe("request");
+    expect(resolveIssuerSource(db, undefined, () => "http://127.0.0.1:1939")).toBe("request");
+  });
 
-    expect(resolveIssuer(r1, db, undefined)).toBe("http://127.0.0.1:1939");
-    expect(resolveIssuerSource(db, undefined)).toBe("request");
+  test("attribution matches resolved value for the expose tier", () => {
+    // Pair the source label with the resolved value so they can't drift.
+    const r = req("http://127.0.0.1:1939/oauth/token");
+    expect(resolveIssuer(r, db, undefined, () => EXPOSED)).toBe(EXPOSED);
+    expect(resolveIssuerSource(db, undefined, () => EXPOSED)).toBe("expose");
   });
 });