@openparachute/hub 0.6.5-rc.7 → 0.7.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.6.5-rc.7",
+  "version": "0.7.0",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/account-setup.test.ts

@@ -527,6 +527,40 @@ describe("POST /account/setup/<token> — vault-name validation (N1)", () => {
     // No account created.
     expect(getUserByUsernameCI(harness.db, "sam")).toBeNull();
   });
+
+  test("an invitee-chosen RESERVED vault name (list/new/assets/admin) → 400, never provisioned (B2h)", async () => {
+    // Pre-consolidation, the invite path's validator reserved only "list" —
+    // a non-admin invite redeemer could squat "admin" and capture the
+    // daemon-level /vault/admin mount. One consolidated set closes that.
+    const admin = await createUser(harness.db, "operator", "operator-password-1");
+    for (const name of ["list", "new", "assets", "admin"]) {
+      // vault_name null → the redeemer names their own vault.
+      const { rawToken } = issueInvite(harness.db, { createdBy: admin.id });
+      const { token: csrfToken, cookieFragment } = csrfPair();
+      const stub = makeStubRunCommand();
+      const res = await handleAccountSetupPost(
+        postReq(
+          rawToken,
+          {
+            [CSRF_FIELD_NAME]: csrfToken,
+            username: "sam",
+            password: "sam-strong-password-12",
+            password_confirm: "sam-strong-password-12",
+            vault_name: name,
+          },
+          cookieFragment,
+        ),
+        rawToken,
+        deps(stub.run),
+      );
+      expect(res.status).toBe(400);
+      const html = await res.text();
+      expect(html).toContain("reserved");
+      // The vault CLI is never reached; no account created.
+      expect(stub.calls.length).toBe(0);
+      expect(getUserByUsernameCI(harness.db, "sam")).toBeNull();
+    }
+  });
 });
 
 describe("POST /account/setup/<token> — concurrent redeem (N2)", () => {

package/src/__tests__/account-vault-admin-token.test.ts

@@ -128,7 +128,8 @@ describe("handleAccountVaultAdminTokenPost — happy path (assigned vault)", ()
     expect(res.status).toBe(303);
     expect(res.headers.get("cache-control")).toBe("no-store");
     const location = res.headers.get("location") ?? "";
-    // Default managementUrl is /admin/ → lands on the vault admin SPA home.
+    // Default managementUrl is the relative "admin/" (B4 per-instance form)
+    // → lands on the vault admin SPA home under the vault's mount.
     expect(location.startsWith(`${ISSUER}/vault/work/admin/#token=`)).toBe(true);
 
     const token = tokenFromLocation(location);
@@ -151,18 +152,49 @@ describe("handleAccountVaultAdminTokenPost — happy path (assigned vault)", ()
     expect(rows?.n).toBe(1);
   });
 
-  test("honors a vault-declared managementUrl (e.g. a custom admin path)", async () => {
+  test("honors a vault-declared RELATIVE managementUrl (B4 per-instance form)", async () => {
     const { cookie, csrfToken } = await seedFriend(["work"]);
     const res = await handleAccountVaultAdminTokenPost(
       mintReq("work", { cookie, csrfToken }),
       "work",
-      deps({ managementUrl: "/manage/" }),
+      deps({ managementUrl: "manage/" }),
     );
     expect(res.status).toBe(303);
     const location = res.headers.get("location") ?? "";
     expect(location.startsWith(`${ISSUER}/vault/work/manage/#token=`)).toBe(true);
   });
 
+  test("a LEADING-SLASH managementUrl resolves origin-absolute (B4 inverted pin)", async () => {
+    // Pre-B4 "/manage/" joined under the vault mount (/vault/work/manage/).
+    // Under the unified semantics a leading-"/" is origin-absolute.
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultAdminTokenPost(
+      mintReq("work", { cookie, csrfToken }),
+      "work",
+      deps({ managementUrl: "/manage/" }),
+    );
+    expect(res.status).toBe(303);
+    const location = res.headers.get("location") ?? "";
+    expect(location.startsWith(`${ISSUER}/manage/#token=`)).toBe(true);
+  });
+
+  test('COMPAT SHIM: the literal legacy "/admin/" managementUrl still joins under the vault (one release)', async () => {
+    // Deployed vaults declare managementUrl "/admin/" — the OLD per-instance
+    // form. Origin-absolute resolution would deep-link the daemon-level
+    // /vault/admin mount instead of the instance SPA, so the literal
+    // "/admin"/"/admin/" keeps the old vault-join for one release with a
+    // deprecation log.
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultAdminTokenPost(
+      mintReq("work", { cookie, csrfToken }),
+      "work",
+      deps({ managementUrl: "/admin/" }),
+    );
+    expect(res.status).toBe(303);
+    const location = res.headers.get("location") ?? "";
+    expect(location.startsWith(`${ISSUER}/vault/work/admin/#token=`)).toBe(true);
+  });
+
   test("a friend assigned to multiple vaults can deep-link each, never cross-vault", async () => {
     const { cookie, csrfToken } = await seedFriend(["work", "home"]);
     for (const v of ["work", "home"]) {

package/src/__tests__/admin-channel-token.test.ts

@@ -0,0 +1,173 @@
+/**
+ * Tests for the channel UI session→bearer mint endpoint. Mirrors
+ * `admin-host-admin-token.test.ts` shape (channel has a single bare audience,
+ * no per-vault name). Covers:
+ *   - 401 when no admin session cookie is present.
+ *   - 401 when the cookie names a deleted session.
+ *   - 405 on POST.
+ *   - 200 + JWT carrying `aud: "channel"` and `channel:read channel:send channel:admin`.
+ *   - First-admin gate: 403 for a signed-in non-first-admin (friend); the
+ *     admin's happy path still mints when a friend exists alongside.
+ */
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { CHANNEL_TOKEN_TTL_SECONDS, handleChannelToken } from "../admin-channel-token.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { validateAccessToken } from "../jwt-sign.ts";
+import { SESSION_TTL_MS, buildSessionCookie, createSession, deleteSession } from "../sessions.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
+import { createUser } from "../users.ts";
+
+const ISSUER = "https://hub.test";
+
+interface Harness {
+  db: Database;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-channel-token-"));
+  const db = openHubDb(hubDbPath(dir));
+  return {
+    db,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+
+async function withSession(): Promise<{ cookie: string; userId: string }> {
+  const user = await createUser(harness.db, "operator", "hunter2");
+  const session = createSession(harness.db, { userId: user.id });
+  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+  return { cookie, userId: user.id };
+}
+
+/**
+ * Seed an admin (first-created user) + a second non-admin "friend" account,
+ * return cookies + ids for both. Used by the first-admin-gate tests.
+ */
+async function withAdminAndFriend(): Promise<{
+  adminCookie: string;
+  adminId: string;
+  friendCookie: string;
+  friendId: string;
+}> {
+  const admin = await createUser(harness.db, "admin", "admin-passphrase");
+  const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+    allowMulti: true,
+  });
+  const adminSession = createSession(harness.db, { userId: admin.id });
+  const friendSession = createSession(harness.db, { userId: friend.id });
+  return {
+    adminCookie: buildSessionCookie(adminSession.id, Math.floor(SESSION_TTL_MS / 1000)),
+    adminId: admin.id,
+    friendCookie: buildSessionCookie(friendSession.id, Math.floor(SESSION_TTL_MS / 1000)),
+    friendId: friend.id,
+  };
+}
+
+describe("handleChannelToken", () => {
+  test("401 when no session cookie is present", async () => {
+    const req = new Request(`${ISSUER}/admin/channel-token`);
+    const res = await handleChannelToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("unauthenticated");
+  });
+
+  test("401 when the cookie names a deleted session", async () => {
+    const { cookie } = await withSession();
+    const sid = cookie.match(/parachute_hub_session=([^;]+)/)?.[1] ?? "";
+    deleteSession(harness.db, sid);
+    const req = new Request(`${ISSUER}/admin/channel-token`, { headers: { cookie } });
+    const res = await handleChannelToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(401);
+  });
+
+  test("405 on POST", async () => {
+    const { cookie } = await withSession();
+    const req = new Request(`${ISSUER}/admin/channel-token`, {
+      method: "POST",
+      headers: { cookie },
+    });
+    const res = await handleChannelToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(405);
+  });
+
+  test("200 mints a JWT carrying aud:channel + channel:read channel:send channel:admin", async () => {
+    const { cookie, userId } = await withSession();
+    rotateSigningKey(harness.db);
+    const req = new Request(`${ISSUER}/admin/channel-token`, { headers: { cookie } });
+    const res = await handleChannelToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("cache-control")).toBe("no-store");
+
+    const body = (await res.json()) as { token: string; expires_at: string; scopes: string[] };
+    // `channel:send` (post) + `channel:read` (SSE replies) + `channel:admin`
+    // (config UI list/edit — 2026-06-09 modular-UI architecture P3). Deliberately
+    // NOT `channel:write` — that's the session-reply scope a UI token must not hold.
+    expect(body.scopes).toEqual(["channel:read", "channel:send", "channel:admin"]);
+    expect(body.scopes).not.toContain("channel:write");
+    expect(body.token.length).toBeGreaterThan(20);
+
+    const expMs = new Date(body.expires_at).getTime();
+    const skew = expMs - Date.now();
+    expect(skew).toBeGreaterThan((CHANNEL_TOKEN_TTL_SECONDS - 30) * 1000);
+    expect(skew).toBeLessThan((CHANNEL_TOKEN_TTL_SECONDS + 30) * 1000);
+
+    const validated = await validateAccessToken(harness.db, body.token, ISSUER);
+    expect(validated.payload.sub).toBe(userId);
+    expect(validated.payload.iss).toBe(ISSUER);
+    // Bare service audience — channel validates `aud === "channel"`
+    // (parachute-channel src/hub-jwt.ts CHANNEL_AUDIENCE).
+    expect(validated.payload.aud).toBe("channel");
+    const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
+    const scopes = scopeClaim.split(/\s+/);
+    expect(scopes).toContain("channel:read");
+    expect(scopes).toContain("channel:send");
+    expect(scopes).toContain("channel:admin");
+    expect(scopes).not.toContain("channel:write");
+  });
+
+  test("403 not_admin when a signed-in non-first-admin (friend) hits the endpoint", async () => {
+    // Privesc closure (mirrors host/vault-admin-token). The friend's session
+    // is valid; the endpoint must refuse because session.userId isn't the
+    // first-admin row.
+    const { friendCookie } = await withAdminAndFriend();
+    rotateSigningKey(harness.db);
+    const req = new Request(`${ISSUER}/admin/channel-token`, {
+      headers: { cookie: friendCookie },
+    });
+    const res = await handleChannelToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("not_admin");
+    expect(body.error_description).toContain("/account/");
+  });
+
+  test("first-admin path still succeeds when a friend exists alongside", async () => {
+    const { adminCookie, adminId } = await withAdminAndFriend();
+    rotateSigningKey(harness.db);
+    const req = new Request(`${ISSUER}/admin/channel-token`, {
+      headers: { cookie: adminCookie },
+    });
+    const res = await handleChannelToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { token: string };
+    const validated = await validateAccessToken(harness.db, body.token, ISSUER);
+    expect(validated.payload.sub).toBe(adminId);
+  });
+});