@openparachute/vault 0.1.0

package/src/owner-auth.ts

@@ -0,0 +1,159 @@
+/**
+ * Owner authentication for the OAuth consent page.
+ *
+ * The "owner" is the person who set up this vault — identified by a password
+ * stored globally in config.yaml (owner_password_hash). The password is used
+ * to prove ownership when authorizing third-party OAuth clients.
+ *
+ * Password hashing uses Bun.password (bcrypt, cost 12 by default) — no deps.
+ *
+ * Rate limiting is per-IP, in-memory. Acceptable for v1: resets on restart,
+ * doesn't handle multi-process deployments. Tighten later if needed.
+ */
+
+import { readGlobalConfig, writeGlobalConfig } from "./config.ts";
+
+const BCRYPT_COST = 12;
+const MIN_PASSWORD_LENGTH = 12;
+
+// ---------------------------------------------------------------------------
+// Password storage
+// ---------------------------------------------------------------------------
+
+/** Read the stored bcrypt hash, or null if none set (or set to empty string). */
+export function getOwnerPasswordHash(): string | null {
+  const hash = readGlobalConfig().owner_password_hash;
+  if (typeof hash !== "string" || hash.length === 0) return null;
+  return hash;
+}
+
+/** Whether a password has been set. */
+export function hasOwnerPassword(): boolean {
+  return getOwnerPasswordHash() !== null;
+}
+
+/** Validate password strength. Returns error message or null. */
+export function validatePasswordStrength(password: string): string | null {
+  if (password.length < MIN_PASSWORD_LENGTH) {
+    return `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`;
+  }
+  return null;
+}
+
+/** Hash and store the owner password. Throws on weak passwords. */
+export async function setOwnerPassword(password: string): Promise<void> {
+  const err = validatePasswordStrength(password);
+  if (err) throw new Error(err);
+
+  const hash = await Bun.password.hash(password, {
+    algorithm: "bcrypt",
+    cost: BCRYPT_COST,
+  });
+
+  const config = readGlobalConfig();
+  config.owner_password_hash = hash;
+  writeGlobalConfig(config);
+}
+
+/** Remove the stored password (disables password-based consent auth). */
+export function clearOwnerPassword(): void {
+  const config = readGlobalConfig();
+  delete config.owner_password_hash;
+  writeGlobalConfig(config);
+}
+
+/** Verify a provided password against the given hash. */
+export async function verifyOwnerPassword(password: string, hash: string): Promise<boolean> {
+  try {
+    return await Bun.password.verify(password, hash);
+  } catch {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Rate limiting
+// ---------------------------------------------------------------------------
+
+interface RateLimitEntry {
+  failures: number;
+  firstFailureAt: number;
+  lockedUntil: number | null;
+}
+
+/**
+ * Per-IP rate limiter for consent-page attempts.
+ *
+ * Policy:
+ *   - Up to MAX_FAILURES failed attempts within WINDOW_MS → lockout
+ *   - Lockout lasts LOCKOUT_MS
+ *   - A successful attempt clears the IP's counter
+ */
+export class RateLimiter {
+  private entries = new Map<string, RateLimitEntry>();
+
+  constructor(
+    private readonly maxFailures = 10,
+    private readonly windowMs = 60_000,
+    private readonly lockoutMs = 15 * 60_000,
+  ) {}
+
+  /**
+   * Check whether an IP is currently allowed to attempt auth.
+   * Returns `{ allowed: false, retryAfterSec }` if locked out.
+   */
+  check(ip: string): { allowed: true } | { allowed: false; retryAfterSec: number } {
+    const entry = this.entries.get(ip);
+    if (!entry) return { allowed: true };
+
+    const now = Date.now();
+    if (entry.lockedUntil && entry.lockedUntil > now) {
+      return { allowed: false, retryAfterSec: Math.ceil((entry.lockedUntil - now) / 1000) };
+    }
+
+    // Expired lockout or old window — reset and allow
+    if (entry.lockedUntil && entry.lockedUntil <= now) {
+      this.entries.delete(ip);
+      return { allowed: true };
+    }
+    if (now - entry.firstFailureAt > this.windowMs) {
+      this.entries.delete(ip);
+      return { allowed: true };
+    }
+
+    return { allowed: true };
+  }
+
+  /** Record a failed attempt. Triggers lockout if threshold reached. */
+  recordFailure(ip: string): void {
+    const now = Date.now();
+    const entry = this.entries.get(ip);
+
+    if (!entry || now - entry.firstFailureAt > this.windowMs) {
+      this.entries.set(ip, {
+        failures: 1,
+        firstFailureAt: now,
+        lockedUntil: null,
+      });
+      return;
+    }
+
+    entry.failures += 1;
+    if (entry.failures >= this.maxFailures) {
+      entry.lockedUntil = now + this.lockoutMs;
+    }
+  }
+
+  /** Record a successful attempt. Clears the IP's counter. */
+  recordSuccess(ip: string): void {
+    this.entries.delete(ip);
+  }
+
+  /** For tests: drop all state. */
+  reset(): void {
+    this.entries.clear();
+  }
+}
+
+/** Singleton rate limiter for the OAuth consent endpoint. */
+export const authorizeRateLimit = new RateLimiter();

package/src/prompt.ts

@@ -0,0 +1,141 @@
+/**
+ * Simple interactive prompts for CLI setup.
+ *
+ * Uses `node:readline/promises` for input so the interface is explicitly
+ * closed after each prompt. The older `for await (const line of console)`
+ * pattern held stdin open across prompts and in Bun sometimes caused
+ * subsequent `console.log` writes to appear swallowed.
+ */
+import { createInterface } from "node:readline/promises";
+
+async function readLine(prompt: string): Promise<string> {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    return await rl.question(prompt);
+  } finally {
+    rl.close();
+  }
+}
+
+/**
+ * Ask a yes/no question. Returns true for yes.
+ */
+export async function confirm(question: string, defaultYes = true): Promise<boolean> {
+  const hint = defaultYes ? "[Y/n]" : "[y/N]";
+  // Loop in case the user types something non-yes/no.
+  while (true) {
+    const answer = (await readLine(`${question} ${hint} `)).trim().toLowerCase();
+    if (answer === "") return defaultYes;
+    if (answer === "y" || answer === "yes") return true;
+    if (answer === "n" || answer === "no") return false;
+  }
+}
+
+/**
+ * Ask for a text input. Returns the trimmed answer, or defaultValue if empty.
+ */
+export async function ask(question: string, defaultValue = ""): Promise<string> {
+  const hint = defaultValue ? ` (${defaultValue})` : "";
+  const answer = (await readLine(`${question}${hint}: `)).trim();
+  return answer || defaultValue;
+}
+
+/**
+ * Ask for a password with masked input (shows "*" per character).
+ * Falls back to plain echo if stdin isn't a TTY (e.g. piped input in CI).
+ */
+export async function askPassword(question: string): Promise<string> {
+  const stdin = process.stdin;
+  if (!stdin.isTTY || typeof stdin.setRawMode !== "function") {
+    return ask(question);
+  }
+
+  process.stdout.write(`${question}: `);
+
+  return new Promise<string>((resolve, reject) => {
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.setEncoding("utf8");
+
+    let buf = "";
+    let settled = false;
+
+    // Always restore terminal state on exit, success or failure.
+    const cleanup = () => {
+      if (settled) return;
+      settled = true;
+      try {
+        stdin.removeListener("data", onData);
+        stdin.removeListener("error", onError);
+        stdin.setRawMode(false);
+        stdin.pause();
+      } catch {
+        // Best-effort; don't mask the underlying completion.
+      }
+    };
+
+    const onData = (data: string) => {
+      try {
+        for (const ch of data) {
+          // Enter — done
+          if (ch === "\r" || ch === "\n") {
+            process.stdout.write("\n");
+            cleanup();
+            resolve(buf);
+            return;
+          }
+          // Ctrl-C — abort
+          if (ch === "\u0003") {
+            process.stdout.write("\n");
+            cleanup();
+            process.exit(130);
+          }
+          // Backspace / DEL
+          if (ch === "\u0008" || ch === "\u007f") {
+            if (buf.length > 0) {
+              buf = buf.slice(0, -1);
+              process.stdout.write("\b \b");
+            }
+            continue;
+          }
+          // Printable
+          if (ch >= " ") {
+            buf += ch;
+            process.stdout.write("*");
+          }
+        }
+      } catch (err) {
+        cleanup();
+        reject(err);
+      }
+    };
+    const onError = (err: Error) => {
+      cleanup();
+      reject(err);
+    };
+
+    stdin.on("data", onData);
+    stdin.on("error", onError);
+  });
+}
+
+/**
+ * Ask user to pick from options. Returns the chosen value.
+ */
+export async function choose(question: string, options: { label: string; value: string; description?: string }[]): Promise<string> {
+  console.log(question);
+  for (let i = 0; i < options.length; i++) {
+    const desc = options[i].description ? ` — ${options[i].description}` : "";
+    console.log(`  ${i + 1}) ${options[i].label}${desc}`);
+  }
+  process.stdout.write(`  Choice [1]: `);
+
+  for await (const line of console) {
+    const answer = line.trim();
+    if (answer === "") return options[0].value;
+    const idx = parseInt(answer, 10) - 1;
+    if (idx >= 0 && idx < options.length) return options[idx].value;
+    process.stdout.write(`  Please enter 1-${options.length}: `);
+  }
+  return options[0].value;
+}

package/src/published.test.ts

@@ -0,0 +1,214 @@
+import { describe, it, expect } from "bun:test";
+import { handleViewNote } from "./routes.ts";
+
+// Redirect URL builder — mirrors the logic in server.ts
+function buildRedirectUrl(reqUrl: string, noteId: string, prefix = ""): string {
+  const dest = new URL(`${prefix}/view/${noteId}`, reqUrl);
+  dest.search = new URL(reqUrl).search;
+  return dest.toString();
+}
+
+describe("/public → /view redirect", () => {
+  it("preserves query params including ?key=", () => {
+    const url = buildRedirectUrl("http://localhost:1940/public/abc?key=pvk_secret", "abc");
+    expect(url).toBe("http://localhost:1940/view/abc?key=pvk_secret");
+  });
+
+  it("works without query params", () => {
+    const url = buildRedirectUrl("http://localhost:1940/public/abc", "abc");
+    expect(url).toBe("http://localhost:1940/view/abc");
+  });
+
+  it("preserves multiple query params", () => {
+    const url = buildRedirectUrl("http://localhost:1940/public/abc?key=pvk_x&format=html", "abc");
+    expect(url).toBe("http://localhost:1940/view/abc?key=pvk_x&format=html");
+  });
+
+  it("works for vault-scoped paths", () => {
+    const url = buildRedirectUrl("http://localhost:1940/vaults/work/public/abc?key=pvk_x", "abc", "/vaults/work");
+    expect(url).toBe("http://localhost:1940/vaults/work/view/abc?key=pvk_x");
+  });
+});
+
+// Minimal Store stub — only getNote is needed
+function makeStore(notes: Record<string, { content: string; tags?: string[]; metadata?: Record<string, unknown>; path?: string }>) {
+  return {
+    getNote(id: string) {
+      const n = notes[id];
+      if (!n) return null;
+      return {
+        id,
+        content: n.content,
+        tags: n.tags ?? [],
+        metadata: n.metadata ?? {},
+        path: n.path,
+        createdAt: "2025-01-01T00:00:00Z",
+        updatedAt: "2025-01-01T00:00:00Z",
+      };
+    },
+    getNoteByPath(path: string) {
+      for (const [id, n] of Object.entries(notes)) {
+        if (n.path?.toLowerCase() === path.toLowerCase()) {
+          return this.getNote(id);
+        }
+      }
+      return null;
+    },
+  } as any;
+}
+
+describe("handleViewNote", () => {
+  it("returns 404 for non-existent note", () => {
+    const store = makeStore({});
+    const resp = handleViewNote(store, "missing");
+    expect(resp.status).toBe(404);
+  });
+
+  it("returns 404 for note without publish tag (unauthenticated)", () => {
+    const store = makeStore({
+      "n1": { content: "hello", tags: ["other"] },
+    });
+    const resp = handleViewNote(store, "n1");
+    expect(resp.status).toBe(404);
+  });
+
+  it("serves note with publish tag as HTML", async () => {
+    const store = makeStore({
+      "n1": { content: "# Hello\n\nWorld", tags: ["publish"], path: "Blog/My Post.md" },
+    });
+    const resp = handleViewNote(store, "n1");
+    expect(resp.status).toBe(200);
+    expect(resp.headers.get("Content-Type")).toBe("text/html; charset=utf-8");
+
+    const html = await resp.text();
+    expect(html).toContain("<title>My Post</title>");
+    expect(html).toContain("<h1>Hello</h1>");
+    expect(html).toContain("<p>World</p>");
+  });
+
+  it("serves note with metadata.published=true", async () => {
+    const store = makeStore({
+      "n2": { content: "Content here", metadata: { published: true } },
+    });
+    const resp = handleViewNote(store, "n2");
+    expect(resp.status).toBe(200);
+    const html = await resp.text();
+    expect(html).toContain("<p>Content here</p>");
+  });
+
+  it("renders markdown features correctly", async () => {
+    const store = makeStore({
+      "n3": {
+        content: "**bold** and *italic* and `code`\n\n- item 1\n- item 2\n\n```\ncode block\n```\n\n[link](https://example.com)",
+        tags: ["publish"],
+      },
+    });
+    const resp = handleViewNote(store, "n3");
+    const html = await resp.text();
+    expect(html).toContain("<strong>bold</strong>");
+    expect(html).toContain("<em>italic</em>");
+    expect(html).toContain("<li>item 1</li>");
+    expect(html).toContain("<li>item 2</li>");
+    expect(html).toContain("<pre><code>");
+    expect(html).toContain('href="https://example.com"');
+  });
+
+  it("escapes HTML in note content", async () => {
+    const store = makeStore({
+      "n4": { content: "<script>alert('xss')</script>", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n4");
+    const html = await resp.text();
+    expect(html).not.toContain("<script>");
+    expect(html).toContain("&lt;script&gt;");
+  });
+
+  it("strips javascript: URI links to prevent XSS", async () => {
+    const store = makeStore({
+      "n6": { content: "[click me](javascript:alert(1))", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n6");
+    const html = await resp.text();
+    expect(html).not.toContain("javascript:");
+    expect(html).toContain("click me");
+    expect(html).not.toContain("<a ");
+  });
+
+  it("strips data: URI links to prevent XSS", async () => {
+    const store = makeStore({
+      "n7": { content: "[click](data:text/html;base64,PHNjcmlwdD4=)", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n7");
+    const html = await resp.text();
+    expect(html).not.toContain("data:");
+    expect(html).toContain("click");
+  });
+
+  it("allows safe http/https/mailto links", async () => {
+    const store = makeStore({
+      "n8": { content: "[site](https://example.com) and [mail](mailto:a@b.com)", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n8");
+    const html = await resp.text();
+    expect(html).toContain('href="https://example.com"');
+    expect(html).toContain('href="mailto:a@b.com"');
+  });
+
+  it("supports dark mode via media query", async () => {
+    const store = makeStore({
+      "n5": { content: "test", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n5");
+    const html = await resp.text();
+    expect(html).toContain("prefers-color-scheme: dark");
+  });
+
+  // CSP header
+  it("includes Content-Security-Policy header", () => {
+    const store = makeStore({
+      "n1": { content: "test", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n1");
+    const csp = resp.headers.get("Content-Security-Policy");
+    expect(csp).toContain("script-src 'none'");
+    expect(csp).toContain("default-src 'self'");
+  });
+
+  // Auth-aware behavior
+  it("serves any note when authenticated", async () => {
+    const store = makeStore({
+      "private": { content: "secret stuff", tags: ["internal"] },
+    });
+    const resp = handleViewNote(store, "private", { authenticated: true });
+    expect(resp.status).toBe(200);
+    const html = await resp.text();
+    expect(html).toContain("<p>secret stuff</p>");
+  });
+
+  it("returns 404 for unpublished note when not authenticated", () => {
+    const store = makeStore({
+      "private": { content: "secret stuff", tags: ["internal"] },
+    });
+    const resp = handleViewNote(store, "private");
+    expect(resp.status).toBe(404);
+  });
+
+  // Custom published tag
+  it("uses custom published_tag from config", async () => {
+    const store = makeStore({
+      "n1": { content: "public content", tags: ["public"] },
+    });
+    const resp = handleViewNote(store, "n1", { publishedTag: "public" });
+    expect(resp.status).toBe(200);
+    const html = await resp.text();
+    expect(html).toContain("<p>public content</p>");
+  });
+
+  it("rejects note with default tag when custom tag is configured", () => {
+    const store = makeStore({
+      "n1": { content: "content", tags: ["publish"] },
+    });
+    const resp = handleViewNote(store, "n1", { publishedTag: "public" });
+    expect(resp.status).toBe(404);
+  });
+});

package/src/qrcode-terminal.d.ts

@@ -0,0 +1,9 @@
+declare module "qrcode-terminal" {
+  export function generate(
+    text: string,
+    opts: { small?: boolean },
+    cb: (qr: string) => void,
+  ): void;
+  const _default: { generate: typeof generate };
+  export default _default;
+}