@openparachute/hub 0.7.4-rc.2 → 0.7.4-rc.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +4 -11
- package/src/__tests__/admin-auth.test.ts +128 -0
- package/src/__tests__/admin-clients.test.ts +103 -1
- package/src/__tests__/admin-lock.test.ts +7 -1
- package/src/__tests__/admin-vaults.test.ts +216 -10
- package/src/__tests__/api-account-2fa.test.ts +453 -0
- package/src/__tests__/api-hub-upgrade.test.ts +59 -3
- package/src/__tests__/api-mint-token.test.ts +75 -0
- package/src/__tests__/api-modules.test.ts +143 -0
- package/src/__tests__/api-settings-root-redirect.test.ts +302 -0
- package/src/__tests__/auth.test.ts +336 -0
- package/src/__tests__/clients.test.ts +326 -8
- package/src/__tests__/cloudflare-connector-service.test.ts +3 -1
- package/src/__tests__/cors.test.ts +138 -1
- package/src/__tests__/doctor.test.ts +755 -0
- package/src/__tests__/hub-command.test.ts +69 -2
- package/src/__tests__/hub-server.test.ts +127 -5
- package/src/__tests__/hub-settings.test.ts +188 -0
- package/src/__tests__/init.test.ts +153 -0
- package/src/__tests__/jwt-sign.test.ts +27 -0
- package/src/__tests__/managed-unit.test.ts +62 -0
- package/src/__tests__/oauth-handlers.test.ts +626 -0
- package/src/__tests__/oauth-ui.test.ts +107 -1
- package/src/__tests__/scope-explanations.test.ts +19 -0
- package/src/__tests__/setup-gate.test.ts +111 -3
- package/src/__tests__/setup-wizard.test.ts +124 -7
- package/src/__tests__/supervisor.test.ts +25 -0
- package/src/__tests__/vault-names.test.ts +32 -3
- package/src/__tests__/vault-remove.test.ts +40 -19
- package/src/__tests__/well-known.test.ts +37 -2
- package/src/admin-agent-grants.ts +16 -1
- package/src/admin-auth.ts +13 -4
- package/src/admin-clients.ts +66 -5
- package/src/admin-grants.ts +11 -2
- package/src/admin-vaults.ts +77 -27
- package/src/api-account-2fa.ts +395 -0
- package/src/api-admin-lock.ts +7 -0
- package/src/api-hub-upgrade.ts +52 -4
- package/src/api-hub.ts +10 -1
- package/src/api-invites.ts +18 -3
- package/src/api-me.ts +11 -2
- package/src/api-mint-token.ts +16 -1
- package/src/api-modules.ts +119 -1
- package/src/api-revoke-token.ts +14 -1
- package/src/api-settings-hub-origin.ts +14 -1
- package/src/api-settings-root-redirect.ts +201 -0
- package/src/api-tokens.ts +14 -1
- package/src/api-users.ts +15 -6
- package/src/api-vault-caps.ts +11 -2
- package/src/cli.ts +56 -5
- package/src/clients.ts +178 -0
- package/src/commands/auth.ts +263 -1
- package/src/commands/doctor.ts +1250 -0
- package/src/commands/hub.ts +102 -1
- package/src/commands/init.ts +108 -0
- package/src/commands/vault-remove.ts +16 -24
- package/src/cors.ts +7 -3
- package/src/help.ts +65 -1
- package/src/hub-db.ts +14 -0
- package/src/hub-server.ts +173 -25
- package/src/hub-settings.ts +163 -1
- package/src/jwt-sign.ts +25 -6
- package/src/managed-unit.ts +30 -1
- package/src/oauth-handlers.ts +110 -7
- package/src/oauth-ui.ts +174 -0
- package/src/rate-limit.ts +28 -0
- package/src/scope-explanations.ts +2 -1
- package/src/setup-wizard.ts +40 -21
- package/src/supervisor.ts +46 -2
- package/src/vault-names.ts +15 -4
- package/src/well-known.ts +10 -1
- package/web/ui/dist/assets/{index--728BX3j.css → index-BcC4U5gM.css} +1 -1
- package/web/ui/dist/assets/index-CVqK1cV5.js +61 -0
- package/web/ui/dist/index.html +2 -2
- package/web/ui/dist/assets/index-DZzX_Enf.js +0 -61
package/src/managed-unit.ts
CHANGED
|
@@ -454,6 +454,25 @@ function installLaunchdUnit(opts: InstallManagedUnitOpts): ManagedUnitInstallRes
|
|
|
454
454
|
};
|
|
455
455
|
}
|
|
456
456
|
|
|
457
|
+
/**
|
|
458
|
+
* #528: is `loginctl` linger already enabled for `userName`? Best-effort probe:
|
|
459
|
+
* `loginctl show-user <user> --property=Linger` prints `Linger=yes` / `Linger=no`.
|
|
460
|
+
* Returns true ONLY on a clear `Linger=yes`; ANY ambiguity (non-zero exit, a
|
|
461
|
+
* throw, or unparseable output) returns false so the caller falls through to the
|
|
462
|
+
* enable attempt — we never SKIP enabling on a guess, only when linger is
|
|
463
|
+
* provably already on. (`show-user` of a user with no session can itself exit
|
|
464
|
+
* non-zero; treat that as "unknown → try to enable".)
|
|
465
|
+
*/
|
|
466
|
+
function lingerAlreadyOn(deps: ManagedUnitDeps, userName: string): boolean {
|
|
467
|
+
try {
|
|
468
|
+
const probe = deps.run(["loginctl", "show-user", userName, "--property=Linger"]);
|
|
469
|
+
if (probe.code !== 0) return false;
|
|
470
|
+
return /(^|\n)\s*Linger=yes\s*(\n|$)/i.test(probe.stdout);
|
|
471
|
+
} catch {
|
|
472
|
+
return false;
|
|
473
|
+
}
|
|
474
|
+
}
|
|
475
|
+
|
|
457
476
|
function installSystemdUnit(opts: InstallManagedUnitOpts): ManagedUnitInstallResult {
|
|
458
477
|
const { unit, deps, messages } = opts;
|
|
459
478
|
const start = opts.start ?? true;
|
|
@@ -490,10 +509,20 @@ function installSystemdUnit(opts: InstallManagedUnitOpts): ManagedUnitInstallRes
|
|
|
490
509
|
// systemctl but not loginctl would propagate the spawn error out and hard-fail
|
|
491
510
|
// the calling command. (Run on both start + install-without-start: linger is a
|
|
492
511
|
// boot-survival nicety independent of whether we start the unit now.)
|
|
512
|
+
//
|
|
513
|
+
// #528: pre-check the CURRENT linger state before trying to enable it. When
|
|
514
|
+
// linger is ALREADY on (the common re-install / re-migrate case on a box
|
|
515
|
+
// whose owner already enabled it), `enable-linger` is a no-op we don't need —
|
|
516
|
+
// and on some systemd builds it can return non-zero even though linger is
|
|
517
|
+
// genuinely on, raising a scary "couldn't enable lingering, your hub won't
|
|
518
|
+
// survive reboot" warning that is a FALSE ALARM. So: probe first; if linger
|
|
519
|
+
// is on, skip both the enable AND the warning. Only when linger is genuinely
|
|
520
|
+
// OFF and the enable attempt then fails do we warn. This is the single-owner
|
|
521
|
+
// self-host reboot-survival happy path — keep it quiet when it's already good.
|
|
493
522
|
if (!root && userName) {
|
|
494
523
|
if (deps.which("loginctl") === null) {
|
|
495
524
|
outMessages.push(messages.lingerWarning);
|
|
496
|
-
} else {
|
|
525
|
+
} else if (!lingerAlreadyOn(deps, userName)) {
|
|
497
526
|
try {
|
|
498
527
|
const linger = deps.run(["loginctl", "enable-linger", userName]);
|
|
499
528
|
if (linger.code !== 0) outMessages.push(messages.lingerWarning);
|
package/src/oauth-handlers.ts
CHANGED
|
@@ -294,8 +294,11 @@ export function buildServicesCatalog(
|
|
|
294
294
|
if (audiences.has("vault")) {
|
|
295
295
|
for (const entry of manifest.services) {
|
|
296
296
|
if (!isVaultEntry(entry)) continue;
|
|
297
|
-
|
|
298
|
-
|
|
297
|
+
// #478: an empty-paths vault row is "installed but no servable instance"
|
|
298
|
+
// — skip it so it never counts toward (or, below, fabricates) a phantom
|
|
299
|
+
// vault. Mirrors the continue in well-known.ts / admin-vaults.ts.
|
|
300
|
+
if (entry.paths.length === 0) continue;
|
|
301
|
+
for (const path of entry.paths) {
|
|
299
302
|
const instance = vaultInstanceNameFor(entry.name, path);
|
|
300
303
|
if (broadVaultScope || namedVaults.has(instance)) admittedVaultPathCount++;
|
|
301
304
|
}
|
|
@@ -308,12 +311,16 @@ export function buildServicesCatalog(
|
|
|
308
311
|
for (const entry of manifest.services) {
|
|
309
312
|
if (isVaultEntry(entry)) {
|
|
310
313
|
if (!audiences.has("vault")) continue;
|
|
314
|
+
// #478: an empty-paths vault row is "installed but no servable instance"
|
|
315
|
+
// — skip it so the catalog never offers a phantom `vault` / `vault:default`
|
|
316
|
+
// entry pointing at root before any vault exists. Mirrors well-known.ts /
|
|
317
|
+
// admin-vaults.ts / vault-names.ts.
|
|
318
|
+
if (entry.paths.length === 0) continue;
|
|
311
319
|
// Walk every path the row exposes. Real multi-vault on the hub is a
|
|
312
320
|
// single `parachute-vault` row with N paths (one per vault instance);
|
|
313
321
|
// legacy per-vault rows (`parachute-vault-<name>`) are handled by the
|
|
314
322
|
// same loop because each contributes one path.
|
|
315
|
-
const
|
|
316
|
-
for (const path of paths) {
|
|
323
|
+
for (const path of entry.paths) {
|
|
317
324
|
const instance = vaultInstanceNameFor(entry.name, path);
|
|
318
325
|
const admit = broadVaultScope || namedVaults.has(instance);
|
|
319
326
|
if (!admit) continue;
|
|
@@ -1209,9 +1216,31 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
|
|
|
1209
1216
|
return issueAuthCodeRedirect(db, parsed, requestedScopes, session.userId, deps);
|
|
1210
1217
|
}
|
|
1211
1218
|
|
|
1219
|
+
// hub#689 — does the user hold ADMIN on every vault they could pick? Admin
|
|
1220
|
+
// (isFirstAdmin) owns the whole hub. A non-admin owns a vault only if their
|
|
1221
|
+
// `user_vaults` role grants admin there (today role=write does; a role=read
|
|
1222
|
+
// assignment would NOT). Re-derived from the DB so the owner-verb-selector
|
|
1223
|
+
// is offered only to a genuine owner — the submit path re-checks the PICKED
|
|
1224
|
+
// vault and the cap is the backstop, but rendering it precisely avoids
|
|
1225
|
+
// promising an admin upgrade the cap would silently demote.
|
|
1226
|
+
const userHoldsAdminOnPickable =
|
|
1227
|
+
userIsAdmin ||
|
|
1228
|
+
(assignedVaults.length > 0 &&
|
|
1229
|
+
assignedVaults.every((v) =>
|
|
1230
|
+
(vaultVerbsForUserVault(db, session.userId, v) ?? []).includes("admin"),
|
|
1231
|
+
));
|
|
1232
|
+
|
|
1212
1233
|
return htmlResponse(
|
|
1213
1234
|
renderConsent(
|
|
1214
|
-
consentProps(
|
|
1235
|
+
consentProps(
|
|
1236
|
+
client,
|
|
1237
|
+
parsed,
|
|
1238
|
+
vaultNames,
|
|
1239
|
+
csrf.token,
|
|
1240
|
+
assignedVaults,
|
|
1241
|
+
userIsAdmin,
|
|
1242
|
+
userHoldsAdminOnPickable,
|
|
1243
|
+
),
|
|
1215
1244
|
),
|
|
1216
1245
|
200,
|
|
1217
1246
|
extra,
|
|
@@ -1270,7 +1299,8 @@ function capScopesToUserAuthority(
|
|
|
1270
1299
|
if (name === undefined || verb === undefined || !VAULT_VERBS.has(verb)) return true;
|
|
1271
1300
|
// Named vault verb requested by a non-owner: admit only if the user holds
|
|
1272
1301
|
// it. `vaultVerbsForUserVault` returns null for an unassigned vault (drop)
|
|
1273
|
-
// or the held verb list
|
|
1302
|
+
// or the held verb list — a `write` role holds [read, write, admin], a
|
|
1303
|
+
// `read` role holds [read] (see `vaultVerbsForRole`).
|
|
1274
1304
|
const held = vaultVerbsForUserVault(db, userId, name);
|
|
1275
1305
|
return held !== null && (held as readonly string[]).includes(verb);
|
|
1276
1306
|
});
|
|
@@ -1682,6 +1712,44 @@ async function handleConsentSubmit(
|
|
|
1682
1712
|
400,
|
|
1683
1713
|
);
|
|
1684
1714
|
}
|
|
1715
|
+
// hub#689 — owner-on-own-vault verb widening. The consent screen offers
|
|
1716
|
+
// owners a read/write/admin selector (pre-selected to admin) for an
|
|
1717
|
+
// unnamed `vault:read`/`vault:write` request, so an owner whose AI client
|
|
1718
|
+
// asked for read-only can grant the level it actually needs in-flow. The
|
|
1719
|
+
// submitted `verb_select` is an UNTRUSTED hint — we re-derive ownership of
|
|
1720
|
+
// the PICKED vault server-side here, and `capScopesToUserAuthority` (inside
|
|
1721
|
+
// issueAuthCodeRedirect) is the backstop that drops any verb the user
|
|
1722
|
+
// doesn't actually hold. This only ever rewrites the unnamed read/write
|
|
1723
|
+
// verb(s) to the selected level on the picked vault; named scopes and every
|
|
1724
|
+
// other scope are untouched. A forged `verb_select=admin` from a user who
|
|
1725
|
+
// doesn't own the picked vault gets capped back to what they hold (or, for
|
|
1726
|
+
// a vault outside a pinned user's assignment, never reaches here — the
|
|
1727
|
+
// mismatch checks above already 400'd it).
|
|
1728
|
+
const selectedVerb = String(form.get("verb_select") ?? "").trim();
|
|
1729
|
+
if (selectedVerb === "read" || selectedVerb === "write" || selectedVerb === "admin") {
|
|
1730
|
+
// Re-derive, server-side, whether THIS user owns (holds admin on) the
|
|
1731
|
+
// PICKED vault. Owner === first admin (holds admin everywhere) OR an
|
|
1732
|
+
// assigned user whose role grants admin on this vault. Never trust the
|
|
1733
|
+
// client-submitted selector to establish authority.
|
|
1734
|
+
const heldOnPicked = vaultVerbsForUserVault(db, session.userId, pickedVault);
|
|
1735
|
+
const ownsPicked = userIsAdmin || (heldOnPicked?.includes("admin") ?? false);
|
|
1736
|
+
if (ownsPicked) {
|
|
1737
|
+
scopes = scopes.map((s) => {
|
|
1738
|
+
const parts = s.split(":");
|
|
1739
|
+
// Only widen the unnamed read/write verbs the selector was offered
|
|
1740
|
+
// for — leave an unnamed `vault:admin`, named scopes, and non-vault
|
|
1741
|
+
// scopes exactly as requested.
|
|
1742
|
+
if (
|
|
1743
|
+
parts.length === 2 &&
|
|
1744
|
+
parts[0] === "vault" &&
|
|
1745
|
+
(parts[1] === "read" || parts[1] === "write")
|
|
1746
|
+
) {
|
|
1747
|
+
return `vault:${selectedVerb}`;
|
|
1748
|
+
}
|
|
1749
|
+
return s;
|
|
1750
|
+
});
|
|
1751
|
+
}
|
|
1752
|
+
}
|
|
1685
1753
|
scopes = narrowVaultScopes(scopes, pickedVault);
|
|
1686
1754
|
}
|
|
1687
1755
|
|
|
@@ -2638,7 +2706,13 @@ export async function handleRegister(
|
|
|
2638
2706
|
let sameHub = false;
|
|
2639
2707
|
if (req.headers.get("authorization")) {
|
|
2640
2708
|
try {
|
|
2641
|
-
|
|
2709
|
+
// Validate the operator bearer's `iss` against the SET of origins the
|
|
2710
|
+
// hub answers on (`deps.hubBoundOrigins` — loopback ∪ expose-state ∪
|
|
2711
|
+
// platform ∪ per-request issuer), not just the single per-request
|
|
2712
|
+
// `issuer`, so a host-admin credential minted under a still-valid prior
|
|
2713
|
+
// origin keeps auto-approving across an origin switch (hub#516 parity).
|
|
2714
|
+
// Falls back to `[deps.issuer]` when no set getter is wired (tests).
|
|
2715
|
+
await requireScope(db, req, "hub:admin", deps.hubBoundOrigins?.() ?? deps.issuer);
|
|
2642
2716
|
status = "approved";
|
|
2643
2717
|
sameHub = true;
|
|
2644
2718
|
} catch (err) {
|
|
@@ -2746,6 +2820,10 @@ function consentProps(
|
|
|
2746
2820
|
csrfToken: string,
|
|
2747
2821
|
assignedVaults: readonly string[],
|
|
2748
2822
|
userIsAdmin: boolean,
|
|
2823
|
+
// hub#689 — true when the user holds admin on every vault they could pick
|
|
2824
|
+
// (admin owns the hub; an assigned non-admin only if their role grants admin
|
|
2825
|
+
// on each assigned vault). Gates whether the owner-verb-selector renders.
|
|
2826
|
+
userHoldsAdminOnPickable = userIsAdmin,
|
|
2749
2827
|
) {
|
|
2750
2828
|
const scopes = params.scope.split(" ").filter((s) => s.length > 0);
|
|
2751
2829
|
const unnamedVerbs = unnamedVaultVerbs(scopes);
|
|
@@ -2875,6 +2953,25 @@ function consentProps(
|
|
|
2875
2953
|
const only = vaultNames[0];
|
|
2876
2954
|
if (only) displayVault = only;
|
|
2877
2955
|
}
|
|
2956
|
+
// hub#689 — owner-on-own-vault verb selector. The client requested an
|
|
2957
|
+
// unnamed `vault:read`/`vault:write` verb, and the consenting user owns
|
|
2958
|
+
// (holds admin on) every vault they could pick — first admin owns the whole
|
|
2959
|
+
// hub; an assigned non-admin holds admin on each of their assigned vaults
|
|
2960
|
+
// (vaultVerbsForRole('write') → [read,write,admin]). Offer the selector so
|
|
2961
|
+
// they can grant the level their client actually needs (or downgrade), with
|
|
2962
|
+
// admin pre-selected. Suppressed when the request can't be authorized (zero-
|
|
2963
|
+
// vault non-admin) or the assignment is stale (no valid vault to own).
|
|
2964
|
+
//
|
|
2965
|
+
// SECURITY: this only DECIDES WHETHER TO RENDER. The actual widening is
|
|
2966
|
+
// re-derived server-side in `handleConsentSubmit` against the *picked* vault
|
|
2967
|
+
// and capped by `capScopesToUserAuthority`. The selector value is a hint.
|
|
2968
|
+
const upgradeableUnnamedVerbs = unnamedVerbs.filter((v) => v === "read" || v === "write");
|
|
2969
|
+
const userOwnsEveryPickableVault =
|
|
2970
|
+
!hasStaleAssignment && userCanAuthorizeRequest && userHoldsAdminOnPickable;
|
|
2971
|
+
const ownerVerbSelector =
|
|
2972
|
+
upgradeableUnnamedVerbs.length > 0 && userOwnsEveryPickableVault
|
|
2973
|
+
? { requestedVerbs: upgradeableUnnamedVerbs }
|
|
2974
|
+
: undefined;
|
|
2878
2975
|
return {
|
|
2879
2976
|
params,
|
|
2880
2977
|
clientId: client.clientId,
|
|
@@ -2883,6 +2980,7 @@ function consentProps(
|
|
|
2883
2980
|
csrfToken,
|
|
2884
2981
|
vaultPicker,
|
|
2885
2982
|
displayVault,
|
|
2983
|
+
ownerVerbSelector,
|
|
2886
2984
|
staleAssignedVault,
|
|
2887
2985
|
// Approve stays enabled for non-vault scopes even when assigned_vault
|
|
2888
2986
|
// is stale — the user can still consent to e.g. `scribe:transcribe`
|
|
@@ -2892,6 +2990,11 @@ function consentProps(
|
|
|
2892
2990
|
blockApproveForStaleAssignment:
|
|
2893
2991
|
staleAssignedVault !== undefined && (unnamedVerbs.length > 0 || hasNamedStaleVaultScope),
|
|
2894
2992
|
userCanAuthorizeRequest,
|
|
2993
|
+
// hub#314 — surface the client's provenance (same-hub first-party vs
|
|
2994
|
+
// external third-party DCR) so the operator sees the trust level on the
|
|
2995
|
+
// consent screen. Clean DB-backed signal: the `same_hub` column written
|
|
2996
|
+
// at DCR time (bearer hub:admin / same-origin session → true).
|
|
2997
|
+
sameHub: client.sameHub,
|
|
2895
2998
|
};
|
|
2896
2999
|
}
|
|
2897
3000
|
|
package/src/oauth-ui.ts
CHANGED
|
@@ -147,6 +147,46 @@ export interface ConsentViewProps {
|
|
|
147
147
|
* the user on an error page. Defaults to authorizable when omitted.
|
|
148
148
|
*/
|
|
149
149
|
userCanAuthorizeRequest?: boolean;
|
|
150
|
+
/**
|
|
151
|
+
* hub#689 — owner-on-own-vault verb selector. Set when the consenting user
|
|
152
|
+
* OWNS (holds admin on) every vault they could pick AND the client requested
|
|
153
|
+
* an unnamed `vault:read`/`vault:write` verb. Renders a read/write/admin
|
|
154
|
+
* radio group, pre-selected to admin, so the owner can grant the level their
|
|
155
|
+
* AI client actually needs in-flow (the requested-scope shape was the
|
|
156
|
+
* blocker, not the user's authority) — or transparently downgrade.
|
|
157
|
+
*
|
|
158
|
+
* The submitted `verb_select` is an UNTRUSTED hint: the consent-submit
|
|
159
|
+
* handler re-derives, server-side, whether the user actually owns the picked
|
|
160
|
+
* vault before widening, and `capScopesToUserAuthority` remains the backstop
|
|
161
|
+
* that drops any verb the user doesn't hold. The selector only ever WIDENS
|
|
162
|
+
* the unnamed verb(s) on the picked vault; it never touches any other scope.
|
|
163
|
+
*/
|
|
164
|
+
ownerVerbSelector?: OwnerVerbSelector;
|
|
165
|
+
/**
|
|
166
|
+
* hub#314 — same-hub vs external trust marker. True when the requesting
|
|
167
|
+
* client was registered through this hub's own flow / first-party install
|
|
168
|
+
* (`OAuthClient.sameHub` — bearer `hub:admin` OR session-cookie +
|
|
169
|
+
* same-origin DCR). False for a third-party Dynamic Client Registration
|
|
170
|
+
* (an external app, e.g. Claude.ai, that self-registered). Drives a small
|
|
171
|
+
* trust badge in the consent card header so the operator knows the trust
|
|
172
|
+
* level of the app they're approving before they click Approve.
|
|
173
|
+
*
|
|
174
|
+
* Omitted / undefined → no badge (provenance unknown; only the GET-handler
|
|
175
|
+
* call site, which always has the client row, populates it). Provenance is
|
|
176
|
+
* a clean DB-backed signal — see the `same_hub` column on `clients` and the
|
|
177
|
+
* `consentProps` call site in `oauth-handlers.ts`.
|
|
178
|
+
*/
|
|
179
|
+
sameHub?: boolean;
|
|
180
|
+
}
|
|
181
|
+
|
|
182
|
+
export interface OwnerVerbSelector {
|
|
183
|
+
/**
|
|
184
|
+
* The unnamed read/write verb(s) the client requested. Only `read`/`write`
|
|
185
|
+
* are upgradeable here — an unnamed `vault:admin` request already renders
|
|
186
|
+
* with the admin badge and needs no selector. Used to word the selector
|
|
187
|
+
* help text ("the app asked for write access").
|
|
188
|
+
*/
|
|
189
|
+
requestedVerbs: string[];
|
|
150
190
|
}
|
|
151
191
|
|
|
152
192
|
export interface VaultPicker {
|
|
@@ -328,6 +368,8 @@ export function renderConsent(props: ConsentViewProps): string {
|
|
|
328
368
|
staleAssignedVault,
|
|
329
369
|
blockApproveForStaleAssignment,
|
|
330
370
|
userCanAuthorizeRequest,
|
|
371
|
+
ownerVerbSelector,
|
|
372
|
+
sameHub,
|
|
331
373
|
} = props;
|
|
332
374
|
// Substitute unnamed `vault:<verb>` rows with the resolved named form so
|
|
333
375
|
// the operator sees the scope shape that will appear in the token. Raw
|
|
@@ -339,6 +381,7 @@ export function renderConsent(props: ConsentViewProps): string {
|
|
|
339
381
|
? `<li class="scope scope-empty">No scopes requested — the app gets a session token only.</li>`
|
|
340
382
|
: displayedScopes.map(renderScopeRow).join("\n");
|
|
341
383
|
const pickerSection = vaultPicker ? renderVaultPicker(vaultPicker) : "";
|
|
384
|
+
const verbSelectorSection = ownerVerbSelector ? renderOwnerVerbSelector(ownerVerbSelector) : "";
|
|
342
385
|
// Approve is disabled when the picker can't yield a valid vault. The
|
|
343
386
|
// empty-vault branch (no vaults registered) is the original case. A
|
|
344
387
|
// locked-vault picker (multi-user Phase 1) always has a valid value via
|
|
@@ -391,6 +434,24 @@ export function renderConsent(props: ConsentViewProps): string {
|
|
|
391
434
|
before authorizing vault access.
|
|
392
435
|
</p>`
|
|
393
436
|
: "";
|
|
437
|
+
// hub#314 — same-hub vs external trust marker. `sameHub === true` means the
|
|
438
|
+
// client was registered through this hub's own flow (first-party / operator-
|
|
439
|
+
// authenticated DCR); `false` means a third-party app self-registered via
|
|
440
|
+
// public Dynamic Client Registration. `undefined` → no badge (provenance
|
|
441
|
+
// unknown to the caller). The badge sits in the header so the operator sees
|
|
442
|
+
// the trust level before reading the scope list.
|
|
443
|
+
const trustMarker =
|
|
444
|
+
sameHub === undefined
|
|
445
|
+
? ""
|
|
446
|
+
: sameHub
|
|
447
|
+
? `<p class="trust-marker trust-marker-same-hub">
|
|
448
|
+
<span class="badge badge-trust-same-hub">First-party</span>
|
|
449
|
+
<span class="trust-marker-text">Registered through this hub.</span>
|
|
450
|
+
</p>`
|
|
451
|
+
: `<p class="trust-marker trust-marker-external">
|
|
452
|
+
<span class="badge badge-trust-external">External</span>
|
|
453
|
+
<span class="trust-marker-text">A third-party app that registered itself. Approve only if you recognise it.</span>
|
|
454
|
+
</p>`;
|
|
394
455
|
const body = `
|
|
395
456
|
<div class="card">
|
|
396
457
|
<div class="card-header">
|
|
@@ -402,6 +463,7 @@ export function renderConsent(props: ConsentViewProps): string {
|
|
|
402
463
|
<p class="subtitle">
|
|
403
464
|
This app is requesting access to your Parachute account.
|
|
404
465
|
</p>
|
|
466
|
+
${trustMarker}
|
|
405
467
|
<p class="client-meta">
|
|
406
468
|
<span class="client-meta-label">client_id</span>
|
|
407
469
|
<code>${escapeHtml(clientId)}</code>
|
|
@@ -418,6 +480,7 @@ export function renderConsent(props: ConsentViewProps): string {
|
|
|
418
480
|
${renderCsrfHiddenInput(csrfToken)}
|
|
419
481
|
${renderHiddenInputs(params)}
|
|
420
482
|
${pickerSection}
|
|
483
|
+
${verbSelectorSection}
|
|
421
484
|
<div class="button-row">
|
|
422
485
|
<button type="submit" name="approve" value="yes" class="btn btn-primary"${approveDisabled}>Approve</button>
|
|
423
486
|
<button type="submit" name="approve" value="no" class="btn btn-secondary">Deny</button>
|
|
@@ -492,6 +555,60 @@ function renderVaultPicker(picker: VaultPicker): string {
|
|
|
492
555
|
</section>`;
|
|
493
556
|
}
|
|
494
557
|
|
|
558
|
+
/**
|
|
559
|
+
* hub#689 — owner-on-own-vault verb selector. Rendered only when the
|
|
560
|
+
* consenting user owns (holds admin on) every vault they could pick and the
|
|
561
|
+
* client requested an unnamed `vault:read`/`vault:write` verb. Three radios
|
|
562
|
+
* (read / write / admin), pre-selected to **admin** so the common case (the
|
|
563
|
+
* owner's own AI client that needs full access) is one click — but the owner
|
|
564
|
+
* sees and submits the choice, and can downgrade.
|
|
565
|
+
*
|
|
566
|
+
* The `admin` option keeps the `.scope-admin` red border + admin badge so an
|
|
567
|
+
* admin grant stays visibly flagged even when pre-selected. The submitted
|
|
568
|
+
* `verb_select` is an untrusted hint re-checked server-side (ownership
|
|
569
|
+
* re-derivation in `handleConsentSubmit` + `capScopesToUserAuthority` backstop);
|
|
570
|
+
* this template only renders the choice.
|
|
571
|
+
*/
|
|
572
|
+
function renderOwnerVerbSelector(selector: OwnerVerbSelector): string {
|
|
573
|
+
const requested = selector.requestedVerbs.map((v) => `<code>vault:${escapeHtml(v)}</code>`);
|
|
574
|
+
const requestedList =
|
|
575
|
+
requested.length === 1
|
|
576
|
+
? requested[0]
|
|
577
|
+
: `${requested.slice(0, -1).join(", ")} and ${requested.at(-1)}`;
|
|
578
|
+
const option = (
|
|
579
|
+
verb: "read" | "write" | "admin",
|
|
580
|
+
title: string,
|
|
581
|
+
desc: string,
|
|
582
|
+
checked: boolean,
|
|
583
|
+
): string => {
|
|
584
|
+
const isAdmin = verb === "admin";
|
|
585
|
+
const cls = `verb-option${isAdmin ? " verb-option-admin scope-admin" : ""}`;
|
|
586
|
+
const badge = isAdmin ? `<span class="badge badge-admin">admin</span>` : "";
|
|
587
|
+
return `
|
|
588
|
+
<label class="${cls}">
|
|
589
|
+
<input type="radio" name="verb_select" value="${verb}"${checked ? " checked" : ""} />
|
|
590
|
+
<span class="verb-option-body">
|
|
591
|
+
<span class="verb-option-head">
|
|
592
|
+
<span class="verb-option-title">${escapeHtml(title)}</span>
|
|
593
|
+
${badge}
|
|
594
|
+
</span>
|
|
595
|
+
<span class="verb-option-desc">${escapeHtml(desc)}</span>
|
|
596
|
+
</span>
|
|
597
|
+
</label>`;
|
|
598
|
+
};
|
|
599
|
+
return `
|
|
600
|
+
<section class="verb-selector">
|
|
601
|
+
<h2 class="scopes-title">Access level</h2>
|
|
602
|
+
<p class="picker-help">
|
|
603
|
+
This app asked for ${requestedList} access to your vault. Because you own
|
|
604
|
+
this vault, you can grant a different level — admin is selected so your app
|
|
605
|
+
can do everything it might need; lower it if you'd rather not.
|
|
606
|
+
</p>
|
|
607
|
+
<div class="verb-options">${option("read", "Read only", "View notes, tags, attachments, and config.", false)}${option("write", "Read & write", "Create, edit, and delete notes, tags, and attachments.", false)}${option("admin", "Admin", "Full access plus config, triggers/automation, GitHub backup, and minting tokens.", true)}
|
|
608
|
+
</div>
|
|
609
|
+
</section>`;
|
|
610
|
+
}
|
|
611
|
+
|
|
495
612
|
/**
|
|
496
613
|
* "App not yet approved" page (#74). Two branches:
|
|
497
614
|
*
|
|
@@ -1282,6 +1399,47 @@ const STYLES = `
|
|
|
1282
1399
|
font-size: 0.88rem;
|
|
1283
1400
|
color: ${PALETTE.fg};
|
|
1284
1401
|
}
|
|
1402
|
+
/* hub#689 — owner-on-own-vault verb selector. Same card shell as the
|
|
1403
|
+
vault picker; the admin option carries the .scope-admin red border so an
|
|
1404
|
+
admin grant stays visibly flagged even when pre-selected. */
|
|
1405
|
+
.verb-selector {
|
|
1406
|
+
margin: 0 0 1.25rem;
|
|
1407
|
+
padding: 0.75rem 0.85rem;
|
|
1408
|
+
border: 1px solid ${PALETTE.borderLight};
|
|
1409
|
+
border-radius: 6px;
|
|
1410
|
+
background: ${PALETTE.bgSoft};
|
|
1411
|
+
}
|
|
1412
|
+
.verb-selector .scopes-title { margin-bottom: 0.4rem; }
|
|
1413
|
+
.verb-options {
|
|
1414
|
+
display: flex;
|
|
1415
|
+
flex-direction: column;
|
|
1416
|
+
gap: 0.4rem;
|
|
1417
|
+
}
|
|
1418
|
+
.verb-option {
|
|
1419
|
+
display: flex;
|
|
1420
|
+
align-items: flex-start;
|
|
1421
|
+
gap: 0.5rem;
|
|
1422
|
+
padding: 0.5rem 0.65rem;
|
|
1423
|
+
border: 1px solid ${PALETTE.border};
|
|
1424
|
+
border-radius: 6px;
|
|
1425
|
+
background: ${PALETTE.cardBg};
|
|
1426
|
+
cursor: pointer;
|
|
1427
|
+
transition: border-color 0.15s ease, background 0.15s ease;
|
|
1428
|
+
}
|
|
1429
|
+
.verb-option:hover { border-color: ${PALETTE.accent}; }
|
|
1430
|
+
.verb-option input[type=radio] { margin-top: 0.25rem; }
|
|
1431
|
+
.verb-option input[type=radio]:focus { outline: 2px solid ${PALETTE.accent}; outline-offset: 2px; }
|
|
1432
|
+
.verb-option-body { display: flex; flex-direction: column; gap: 0.1rem; }
|
|
1433
|
+
.verb-option-head {
|
|
1434
|
+
display: flex;
|
|
1435
|
+
align-items: center;
|
|
1436
|
+
gap: 0.4rem;
|
|
1437
|
+
flex-wrap: wrap;
|
|
1438
|
+
}
|
|
1439
|
+
.verb-option-title { font-weight: 500; color: ${PALETTE.fg}; font-size: 0.9rem; }
|
|
1440
|
+
.verb-option-desc { font-size: 0.82rem; color: ${PALETTE.fgMuted}; }
|
|
1441
|
+
.verb-option-admin .verb-option-title { color: ${PALETTE.danger}; }
|
|
1442
|
+
|
|
1285
1443
|
.vault-picker-empty .picker-help { color: ${PALETTE.danger}; }
|
|
1286
1444
|
.vault-picker-empty .picker-help code { color: ${PALETTE.fg}; }
|
|
1287
1445
|
.vault-picker-locked .picker-help { color: ${PALETTE.fgMuted}; }
|
|
@@ -1456,6 +1614,22 @@ const STYLES = `
|
|
|
1456
1614
|
.badge-send { background: ${PALETTE.accentSoft}; color: ${PALETTE.accent}; }
|
|
1457
1615
|
.badge-admin { background: ${PALETTE.danger}; color: ${PALETTE.cardBg}; }
|
|
1458
1616
|
|
|
1617
|
+
/* hub#314 — same-hub vs external trust marker on the consent header. The
|
|
1618
|
+
first-party badge uses the accent (calm/trusted); external uses the danger
|
|
1619
|
+
tint so a third-party DCR client stands out without being alarmist. */
|
|
1620
|
+
.trust-marker {
|
|
1621
|
+
display: flex;
|
|
1622
|
+
align-items: baseline;
|
|
1623
|
+
gap: 0.45rem;
|
|
1624
|
+
flex-wrap: wrap;
|
|
1625
|
+
margin: 0.75rem 0 0;
|
|
1626
|
+
font-size: 0.85rem;
|
|
1627
|
+
color: ${PALETTE.fgMuted};
|
|
1628
|
+
}
|
|
1629
|
+
.trust-marker-text { flex: 1; min-width: 12rem; }
|
|
1630
|
+
.badge-trust-same-hub { background: ${PALETTE.accentSoft}; color: ${PALETTE.accent}; }
|
|
1631
|
+
.badge-trust-external { background: ${PALETTE.dangerSoft}; color: ${PALETTE.danger}; }
|
|
1632
|
+
|
|
1459
1633
|
@media (max-width: 480px) {
|
|
1460
1634
|
main { padding: 0.75rem; }
|
|
1461
1635
|
.card { padding: 1.5rem 1.25rem; border-radius: 10px; }
|
package/src/rate-limit.ts
CHANGED
|
@@ -87,6 +87,21 @@ export const CHANGE_PASSWORD_WINDOW_MS = 5 * 60 * 1000;
|
|
|
87
87
|
* cookie attacker shouldn't get a 5-shot grind window.
|
|
88
88
|
*/
|
|
89
89
|
export const CHANGE_PASSWORD_MAX_ATTEMPTS = 3;
|
|
90
|
+
/**
|
|
91
|
+
* `/api/account/2fa/confirm` (TOTP enrollment seal) window: 15 minutes. This is
|
|
92
|
+
* the SELF-only, already-session-authenticated enrollment step — the operator is
|
|
93
|
+
* typing the first live code off their own authenticator while it drifts into
|
|
94
|
+
* sync, so legitimate mistypes are common and must not be punished. The threat
|
|
95
|
+
* is only a hijacked session grinding the (client-held, not-yet-persisted)
|
|
96
|
+
* in-flight secret, which the 10^6 code space + replay cache already make
|
|
97
|
+
* effectively non-exploitable — so this is defense-in-depth, deliberately MORE
|
|
98
|
+
* generous than the 3/5-min change-password bucket. NOT the `/login/2fa` bucket:
|
|
99
|
+
* that one is the strict, pre-auth brute-force door (5/15-min); enrollment is a
|
|
100
|
+
* different, lower-risk surface and gets its own lenient bucket.
|
|
101
|
+
*/
|
|
102
|
+
export const TOTP_ENROLL_CONFIRM_WINDOW_MS = 15 * 60 * 1000;
|
|
103
|
+
/** `/api/account/2fa/confirm` attempts allowed per window. 11th is denied. */
|
|
104
|
+
export const TOTP_ENROLL_CONFIRM_MAX_ATTEMPTS = 10;
|
|
90
105
|
/**
|
|
91
106
|
* `/login/2fa` window length: 15 minutes — same as `/login`. The second-
|
|
92
107
|
* factor step (hub#473) sits behind a verified password + a short-lived
|
|
@@ -289,6 +304,18 @@ export const changePasswordRateLimiter = new RateLimiter(
|
|
|
289
304
|
*/
|
|
290
305
|
export const totpRateLimiter = new RateLimiter(TOTP_MAX_ATTEMPTS, TOTP_WINDOW_MS);
|
|
291
306
|
|
|
307
|
+
/**
|
|
308
|
+
* `/api/account/2fa/confirm` enrollment-seal bucket. Lenient (10 / 15 min),
|
|
309
|
+
* keyed by `user.id` (the session already establishes identity). Separate from
|
|
310
|
+
* `totpRateLimiter` so an enrollment mistype and a `/login/2fa` failure never
|
|
311
|
+
* share a window — different surfaces, different threat models (see the const
|
|
312
|
+
* docs above).
|
|
313
|
+
*/
|
|
314
|
+
export const totpEnrollConfirmRateLimiter = new RateLimiter(
|
|
315
|
+
TOTP_ENROLL_CONFIRM_MAX_ATTEMPTS,
|
|
316
|
+
TOTP_ENROLL_CONFIRM_WINDOW_MS,
|
|
317
|
+
);
|
|
318
|
+
|
|
292
319
|
/**
|
|
293
320
|
* Coarse per-IP CEILING rate limiter — 60 attempts / 15 min, keyed by client
|
|
294
321
|
* IP ONLY. Shared by all interactive auth doors (`/login`, the
|
|
@@ -342,6 +369,7 @@ export function __resetForTests(): void {
|
|
|
342
369
|
loginRateLimiter.reset();
|
|
343
370
|
changePasswordRateLimiter.reset();
|
|
344
371
|
totpRateLimiter.reset();
|
|
372
|
+
totpEnrollConfirmRateLimiter.reset();
|
|
345
373
|
vaultTokenMintRateLimiter.reset();
|
|
346
374
|
signupRateLimiter.reset();
|
|
347
375
|
authIpCeilingRateLimiter.reset();
|
|
@@ -42,7 +42,8 @@ export const SCOPE_EXPLANATIONS: Record<string, ScopeExplanation> = {
|
|
|
42
42
|
level: "write",
|
|
43
43
|
},
|
|
44
44
|
"vault:admin": {
|
|
45
|
-
label:
|
|
45
|
+
label:
|
|
46
|
+
"Read and write everything, plus admin: config & settings, triggers & automation, GitHub backup, and minting access tokens.",
|
|
46
47
|
level: "admin",
|
|
47
48
|
},
|
|
48
49
|
// Optional-module scopes (scribe / agent). These are in FIRST_PARTY_SCOPES
|
package/src/setup-wizard.ts
CHANGED
|
@@ -1592,14 +1592,33 @@ export function handleSetupGet(req: Request, deps: SetupWizardDeps): Response {
|
|
|
1592
1592
|
// poll on the auth the wizard already carries.
|
|
1593
1593
|
const opId = url.searchParams.get("op");
|
|
1594
1594
|
if (opId) {
|
|
1595
|
-
|
|
1596
|
-
|
|
1597
|
-
|
|
1598
|
-
|
|
1599
|
-
|
|
1600
|
-
|
|
1601
|
-
|
|
1602
|
-
|
|
1595
|
+
// hub#618: post-setup this JSON `?op=` surface is unauth-reachable —
|
|
1596
|
+
// `/admin/setup` is always lockout-exempt (the dispatcher's
|
|
1597
|
+
// `shouldGateForSetup` lets it through so a stale bookmark resolves), and
|
|
1598
|
+
// the snapshot is read BEFORE any session check. The leak is small (an
|
|
1599
|
+
// in-memory op's status + install-progress log lines, behind an
|
|
1600
|
+
// unguessable UUID), but it's still a post-setup admin surface, so gate
|
|
1601
|
+
// it once setup is COMPLETE. During setup (no admin yet) the surface
|
|
1602
|
+
// stays OPEN: the unauth CLI wizard (`parachute init`) AND the brand-new-
|
|
1603
|
+
// operator browser both poll this `?op=` snapshot mid-setup before any
|
|
1604
|
+
// session exists — gating then would break first-boot vault
|
|
1605
|
+
// provisioning. Loopback always passes (same on-box trust as the
|
|
1606
|
+
// `bootstrapToken` branch below); a valid session also passes.
|
|
1607
|
+
const setupComplete = state.hasAdmin && state.hasVault && state.hasExposeMode;
|
|
1608
|
+
const opSnapshotAllowed =
|
|
1609
|
+
!setupComplete ||
|
|
1610
|
+
deps.requestIsLoopback === true ||
|
|
1611
|
+
findActiveSession(deps.db, req) !== null;
|
|
1612
|
+
if (opSnapshotAllowed) {
|
|
1613
|
+
const op = deps.registry?.get(opId);
|
|
1614
|
+
if (op) {
|
|
1615
|
+
envelope.operation = {
|
|
1616
|
+
id: op.id,
|
|
1617
|
+
status: op.status,
|
|
1618
|
+
log: op.log,
|
|
1619
|
+
...(op.error !== undefined ? { error: op.error } : {}),
|
|
1620
|
+
};
|
|
1621
|
+
}
|
|
1603
1622
|
}
|
|
1604
1623
|
}
|
|
1605
1624
|
// hub#576: hand the actual token to a LOOPBACK caller only. The on-box
|
|
@@ -2325,19 +2344,19 @@ export async function handleSetupVaultPost(req: Request, deps: SetupWizardDeps):
|
|
|
2325
2344
|
if (registry) {
|
|
2326
2345
|
// hub#267: thread the typed name through `PARACHUTE_VAULT_NAME` so
|
|
2327
2346
|
// vault's first-boot path (vault#342) names the created vault
|
|
2328
|
-
// accordingly.
|
|
2329
|
-
// field blank — vault's `resolveFirstBootVaultName` defaults to
|
|
2330
|
-
// `default` on absent env vars, so this preserves the prior
|
|
2331
|
-
// behaviour for the empty-input case.
|
|
2347
|
+
// accordingly.
|
|
2332
2348
|
//
|
|
2333
|
-
//
|
|
2334
|
-
//
|
|
2335
|
-
//
|
|
2336
|
-
//
|
|
2337
|
-
|
|
2338
|
-
|
|
2339
|
-
|
|
2340
|
-
|
|
2349
|
+
// #478 Part 2: ALWAYS set `PARACHUTE_VAULT_NAME`, even when the name
|
|
2350
|
+
// is "default". Once vault removes its silent auto-create-on-missing-env
|
|
2351
|
+
// behavior, vault's first-boot will require the env var to know which
|
|
2352
|
+
// vault to create — a missing `PARACHUTE_VAULT_NAME` will mean "no vault
|
|
2353
|
+
// to create" rather than "create one named default". Passing it
|
|
2354
|
+
// explicitly for every path (including the default) is correct and safe:
|
|
2355
|
+
// vault's `resolveFirstBootVaultName` accepts "default" as a valid name
|
|
2356
|
+
// and behaves identically to the prior implicit default.
|
|
2357
|
+
const spawnEnv: Record<string, string> = {
|
|
2358
|
+
PARACHUTE_VAULT_NAME: vaultName,
|
|
2359
|
+
};
|
|
2341
2360
|
// Capture importParams + deps in the runInstall promise chain — when
|
|
2342
2361
|
// mode === "import", run the vault-side `/.parachute/mirror/import`
|
|
2343
2362
|
// POST as a follow-up step once the supervised vault has come up
|
|
@@ -2358,7 +2377,7 @@ export async function handleSetupVaultPost(req: Request, deps: SetupWizardDeps):
|
|
|
2358
2377
|
registry,
|
|
2359
2378
|
...(deps.run ? { run: deps.run } : {}),
|
|
2360
2379
|
...(deps.isLinked ? { isLinked: deps.isLinked } : {}),
|
|
2361
|
-
|
|
2380
|
+
spawnEnv,
|
|
2362
2381
|
})
|
|
2363
2382
|
.then(async () => {
|
|
2364
2383
|
if (!importToRun) return;
|