@openparachute/hub 0.6.3 → 0.6.4-rc.10

package/src/__tests__/api-account.test.ts

@@ -28,8 +28,11 @@ import {
   handleAccountHomeGet,
   markPasswordChanged,
 } from "../api-account.ts";
+import { registerClient } from "../clients.ts";
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
+import { recordGrant } from "../grants.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { recordTokenMint } from "../jwt-sign.ts";
 import {
   CHANGE_PASSWORD_MAX_ATTEMPTS,
   CHANGE_PASSWORD_WINDOW_MS,
@@ -257,6 +260,63 @@ describe("POST /account/change-password", () => {
     }
   });
 
+  // Item F / hub#469 — a successful self-service password change revokes the
+  // user's still-active tokens (so a token minted under the admin's temp
+  // password dies with the rotation). Mirrors `resetUserPassword`'s admin-reset
+  // revoke. Tokens belonging to OTHER users are untouched.
+  test("self-change revokes the user's active tokens, leaves other users' tokens (item F)", async () => {
+    const { userId, cookie } = await sessionCookieFor(harness.db, "newbie", "old-default-pw", {
+      passwordChanged: false,
+    });
+    const other = await createUser(harness.db, "other", "other-strong-passphrase", {
+      passwordChanged: true,
+      allowMulti: true,
+    });
+    // Seed one active token for the changing user + one for another user.
+    recordTokenMint(harness.db, {
+      jti: "tok-self-1",
+      createdVia: "cli_mint",
+      subject: userId,
+      userId,
+      clientId: "parachute-account",
+      scopes: ["vault:work:read"],
+      expiresAt: new Date(Date.now() + 86_400_000).toISOString(),
+    });
+    recordTokenMint(harness.db, {
+      jti: "tok-other-1",
+      createdVia: "cli_mint",
+      subject: other.id,
+      userId: other.id,
+      clientId: "parachute-account",
+      scopes: ["vault:work:read"],
+      expiresAt: new Date(Date.now() + 86_400_000).toISOString(),
+    });
+
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/account/",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+
+    const selfTok = harness.db
+      .query<{ revoked_at: string | null }, [string]>("SELECT revoked_at FROM tokens WHERE jti = ?")
+      .get("tok-self-1");
+    const otherTok = harness.db
+      .query<{ revoked_at: string | null }, [string]>("SELECT revoked_at FROM tokens WHERE jti = ?")
+      .get("tok-other-1");
+    expect(selfTok?.revoked_at).not.toBeNull(); // changing user's token revoked
+    expect(otherTok?.revoked_at).toBeNull(); // other user's token untouched
+  });
+
   test("non-admin user with no next defaults to /account/ (no admin-shell flash)", async () => {
     // Without this rewrite, a friend's change-password POST would 302 to
     // /admin/vaults, the SPA would load, the 403 from
@@ -743,7 +803,7 @@ describe("handleAccountHomeGet", () => {
 
   test("302 → /login when no session cookie is present", async () => {
     const req = new Request(`${HUB_ORIGIN}/account/`);
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(302);
     const location = res.headers.get("location") ?? "";
     // Round-trip /account/ as the `next` param so post-login lands back.
@@ -762,7 +822,7 @@ describe("handleAccountHomeGet", () => {
     const session = createSession(harness.db, { userId: friend.id });
     const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
     const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(200);
     expect(res.headers.get("content-type")).toContain("text/html");
     const html = await res.text();
@@ -774,6 +834,65 @@ describe("handleAccountHomeGet", () => {
     expect(html).toContain(`https://notes.parachute.computer/add?url=${encoded}`);
   });
 
+  test("onboarding NOT condensed when only a first-party browser grant exists (hub#583, GET /account/)", async () => {
+    // The exact field report: create account → open Notes (a first-party OAuth
+    // client that writes a vault-scoped grant) → later visit /account/ to wire
+    // up Claude. The checklist must NOT already be condensed.
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    // Notes signs in via DCR (generated client_id, client_name "Notes") and
+    // records a vault-scoped grant.
+    const notes = registerClient(harness.db, {
+      redirectUris: ["https://hub.test/notes/cb"],
+      clientName: "Notes",
+    });
+    recordGrant(harness.db, friend.id, notes.client.clientId, ["vault:alice:read"]);
+
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    // Full checklist (not condensed): the connect step is present, the
+    // "you're connected" done-line is NOT.
+    expect(html).toContain('data-connected="false"');
+    expect(html).toContain('data-testid="onboarding-step-2"');
+    expect(html).not.toContain('data-testid="onboarding-done-line"');
+  });
+
+  test("onboarding condensed when an external AI client grant exists (hub#583, GET /account/)", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    // Claude Code: a genuine external MCP client.
+    const claude = registerClient(harness.db, {
+      redirectUris: ["https://claude.ai/cb"],
+      clientName: "Claude",
+    });
+    recordGrant(harness.db, friend.id, claude.client.clientId, ["vault:alice:read"]);
+
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    // Condensed done-state.
+    expect(html).toContain('data-connected="true"');
+    expect(html).toContain('data-testid="onboarding-done-line"');
+    expect(html).toContain("You're connected");
+    // And it still keeps the "Connect another AI" expander.
+    expect(html).toContain('data-testid="onboarding-connect-another"');
+  });
+
   test("200 + admin branch when the first-admin signs in (no vault assignments)", async () => {
     // The first-created user with no vault pin is the admin posture.
     const admin = await createUser(harness.db, "admin", "admin-passphrase", {
@@ -782,7 +901,7 @@ describe("handleAccountHomeGet", () => {
     const session = createSession(harness.db, { userId: admin.id });
     const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
     const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(200);
     const html = await res.text();
     expect(html).toContain("Welcome, admin");
@@ -813,8 +932,121 @@ describe("handleAccountHomeGet", () => {
       harness.db.exec("PRAGMA foreign_keys = ON");
     }
     const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(302);
     expect(res.headers.get("location")).toBe("/login");
   });
+
+  test("renders the per-vault usage stat when usage resolves", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, {
+      db: harness.db,
+      hubOrigin: HUB_ORIGIN,
+      resolveVaultPort: () => 1940,
+      // Stub the fetch: resolves to a known stat.
+      fetchUsage: async () => ({ notes: 7, totalBytes: 2 * 1024 * 1024 }),
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('data-testid="vault-usage"');
+    expect(html).toContain("7 notes · 2.0 MB");
+  });
+
+  test("omits the usage stat gracefully when the fetch fails (null)", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, {
+      db: harness.db,
+      hubOrigin: HUB_ORIGIN,
+      resolveVaultPort: () => 1940,
+      fetchUsage: async () => null,
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    // Tile still renders; just no usage stat.
+    expect(html).toContain("<strong>alice</strong>");
+    expect(html).not.toContain('data-testid="vault-usage"');
+  });
+
+  test("renders the 'Advanced vault settings ↗' deep-link button for an assigned vault", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('data-testid="vault-admin-button"');
+    expect(html).toContain("Advanced vault settings");
+    expect(html).toContain('action="/account/vault-admin-token/alice"');
+  });
+
+  test("renders the backup-state line when the mirror status resolves enabled", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, {
+      db: harness.db,
+      hubOrigin: HUB_ORIGIN,
+      resolveVaultPort: () => 1940,
+      // Stub the mirror fetch: resolves to a backed-up, GitHub-pushing config.
+      fetchMirror: async () => ({ enabled: true, backedUpToRemote: true }),
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('data-testid="backup-state-line"');
+    // Already pushing → the handler threads mirrorPushing=true, so the
+    // "Back up to GitHub ↗" action is suppressed.
+    expect(html).not.toContain('data-testid="backup-github-button"');
+    expect(html).toContain("version history + GitHub");
+  });
+
+  test("omits the backup line gracefully when the mirror fetch fails (null)", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, {
+      db: harness.db,
+      hubOrigin: HUB_ORIGIN,
+      resolveVaultPort: () => 1940,
+      fetchMirror: async () => null,
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    // Tile still renders; just no backup line.
+    expect(html).toContain("<strong>alice</strong>");
+    expect(html).not.toContain('data-testid="backup-state-line"');
+  });
 });

package/src/__tests__/api-invites.test.ts

@@ -0,0 +1,217 @@
+/**
+ * Admin API tests for `/api/invites*` (`api-invites.ts`).
+ *
+ *   - host:admin gate (403 without the scope)
+ *   - POST create → 201 with single-emit token + URL; defaults applied
+ *   - GET list → status-annotated, raw token NEVER present
+ *   - DELETE /:id → revoke; 409 when already terminal; 404 unknown
+ */
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { handleCreateInvite, handleListInvites, handleRevokeInvite } from "../api-invites.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { signAccessToken } from "../jwt-sign.ts";
+import { createUser } from "../users.ts";
+
+const ISSUER = "https://hub.test";
+const HOST_ADMIN_SCOPE = "parachute:host:admin";
+
+interface Harness {
+  db: Database;
+  manifestPath: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-api-invites-"));
+  const db = openHubDb(hubDbPath(dir));
+  const manifestPath = join(dir, "services.json");
+  writeFileSync(manifestPath, JSON.stringify({ services: [] }));
+  return {
+    db,
+    manifestPath,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+
+async function makeAdminBearer(scopes = [HOST_ADMIN_SCOPE]): Promise<string> {
+  const user = await createUser(harness.db, "operator", "operator-password-1", {
+    allowMulti: true,
+    passwordChanged: true,
+  });
+  const minted = await signAccessToken(harness.db, {
+    sub: user.id,
+    scopes,
+    audience: "hub",
+    clientId: "parachute-hub-spa",
+    issuer: ISSUER,
+    ttlSeconds: 600,
+  });
+  return minted.token;
+}
+
+function deps() {
+  return { db: harness.db, issuer: ISSUER, manifestPath: harness.manifestPath };
+}
+
+function withBearer(path: string, bearer: string, init: RequestInit = {}): Request {
+  const headers = new Headers(init.headers ?? {});
+  headers.set("authorization", `Bearer ${bearer}`);
+  return new Request(`${ISSUER}${path}`, { ...init, headers });
+}
+
+describe("/api/invites auth", () => {
+  test("403 without host:admin scope", async () => {
+    const bearer = await makeAdminBearer(["other:scope"]);
+    const res = await handleListInvites(withBearer("/api/invites", bearer), deps());
+    expect(res.status).toBe(403);
+  });
+});
+
+describe("POST /api/invites", () => {
+  test("201 with single-emit token + URL; defaults (write/provision/7d)", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({}),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as {
+      invite: { id: string; status: string; role: string; provision_vault: boolean };
+      token: string;
+      url: string;
+    };
+    expect(body.token.length).toBeGreaterThan(40);
+    expect(body.url).toBe(`${ISSUER}/account/setup/${body.token}`);
+    expect(body.invite.role).toBe("write");
+    expect(body.invite.provision_vault).toBe(true);
+    expect(body.invite.status).toBe("pending");
+    // The id is the sha256 hash — never the raw token.
+    expect(body.invite.id).not.toBe(body.token);
+  });
+
+  test("400 on a bad role", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ role: "admin" }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test("400 rejects a shared-vault invite (provision_vault=false + vault_name)", async () => {
+    // Defense in depth (FIX-1): assigning a redeemer to a PRE-EXISTING vault
+    // as owner-admin is a cross-tenant breach; shared-vault invites aren't
+    // supported yet, so the create handler refuses this combination outright.
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provision_vault: false, vault_name: "someoneelse" }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("invalid_request");
+    expect(body.error_description).toContain("shared-vault");
+  });
+
+  test("account-only invite (provision_vault=false, NO vault_name) is still allowed", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provision_vault: false }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as {
+      invite: { provision_vault: boolean; vault_name: string | null };
+    };
+    expect(body.invite.provision_vault).toBe(false);
+    expect(body.invite.vault_name).toBeNull();
+  });
+});
+
+describe("GET /api/invites", () => {
+  test("lists invites; raw token NEVER present in the wire shape", async () => {
+    const bearer = await makeAdminBearer();
+    const created = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ vault_name: "maya" }),
+      }),
+      deps(),
+    );
+    const createdBody = (await created.json()) as { token: string };
+    const list = await handleListInvites(withBearer("/api/invites", bearer), deps());
+    const body = (await list.json()) as { invites: { id: string }[] };
+    expect(body.invites.length).toBe(1);
+    // The raw token must not be recoverable from the list.
+    const json = JSON.stringify(body);
+    expect(json).not.toContain(createdBody.token);
+  });
+});
+
+describe("DELETE /api/invites/:id", () => {
+  test("revokes a pending invite; 409 if already revoked; 404 unknown", async () => {
+    const bearer = await makeAdminBearer();
+    const created = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({}),
+      }),
+      deps(),
+    );
+    const { invite } = (await created.json()) as { invite: { id: string } };
+
+    const ok = await handleRevokeInvite(
+      withBearer(`/api/invites/${invite.id}`, bearer, { method: "DELETE" }),
+      invite.id,
+      deps(),
+    );
+    expect(ok.status).toBe(200);
+
+    const again = await handleRevokeInvite(
+      withBearer(`/api/invites/${invite.id}`, bearer, { method: "DELETE" }),
+      invite.id,
+      deps(),
+    );
+    expect(again.status).toBe(409);
+
+    const unknown = await handleRevokeInvite(
+      withBearer("/api/invites/deadbeef", bearer, { method: "DELETE" }),
+      "deadbeef",
+      deps(),
+    );
+    expect(unknown.status).toBe(404);
+  });
+});