@openparachute/vault 0.1.0

package/src/token-store.test.ts

@@ -0,0 +1,174 @@
+/**
+ * Tests for the token store — scoped tokens with permissions.
+ * Tokens now live inside each vault's SQLite database (schema v7).
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { Database } from "bun:sqlite";
+import { initSchema } from "../core/src/schema.ts";
+import {
+  generateToken,
+  createToken,
+  resolveToken,
+  listTokens,
+  revokeToken,
+} from "./token-store.ts";
+
+let db: Database;
+
+beforeEach(() => {
+  db = new Database(":memory:");
+  initSchema(db);
+});
+
+afterEach(() => {
+  db.close();
+});
+
+describe("token CRUD", () => {
+  test("create and resolve a full-access token", () => {
+    const { fullToken } = generateToken();
+    createToken(db, fullToken, { label: "test-token", permission: "full" });
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved).not.toBeNull();
+    expect(resolved!.permission).toBe("full");
+  });
+
+  test("token with read permission", () => {
+    const { fullToken } = generateToken();
+    createToken(db, fullToken, {
+      label: "reader",
+      permission: "read",
+    });
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved!.permission).toBe("read");
+  });
+
+  test("default permission is full", () => {
+    const { fullToken } = generateToken();
+    createToken(db, fullToken, { label: "default-perm" });
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved!.permission).toBe("full");
+  });
+
+  test("legacy admin permission normalizes to full", () => {
+    const { fullToken } = generateToken();
+    // Simulate a legacy token by writing "admin" directly to DB
+    const hash = require("./config.ts").hashKey(fullToken);
+    db.prepare("INSERT INTO tokens (token_hash, label, permission, created_at) VALUES (?, ?, ?, ?)")
+      .run(hash, "legacy-admin", "admin", new Date().toISOString());
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved!.permission).toBe("full");
+  });
+
+  test("legacy write permission normalizes to full", () => {
+    const { fullToken } = generateToken();
+    const hash = require("./config.ts").hashKey(fullToken);
+    db.prepare("INSERT INTO tokens (token_hash, label, permission, created_at) VALUES (?, ?, ?, ?)")
+      .run(hash, "legacy-write", "write", new Date().toISOString());
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved!.permission).toBe("full");
+  });
+
+  test("expired token is rejected", () => {
+    const { fullToken } = generateToken();
+    createToken(db, fullToken, {
+      label: "expired",
+      permission: "full",
+      expires_at: "2020-01-01T00:00:00.000Z", // in the past
+    });
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved).toBeNull();
+  });
+
+  test("non-expired token is accepted", () => {
+    const { fullToken } = generateToken();
+    const future = new Date(Date.now() + 86400000).toISOString(); // +1 day
+    createToken(db, fullToken, {
+      label: "valid",
+      permission: "read",
+      expires_at: future,
+    });
+
+    const resolved = resolveToken(db, fullToken);
+    expect(resolved).not.toBeNull();
+    expect(resolved!.permission).toBe("read");
+  });
+
+  test("invalid token returns null", () => {
+    const resolved = resolveToken(db, "pvt_does_not_exist");
+    expect(resolved).toBeNull();
+  });
+
+  test("list tokens shows all tokens", () => {
+    const { fullToken: t1 } = generateToken();
+    const { fullToken: t2 } = generateToken();
+    createToken(db, t1, { label: "first", permission: "full" });
+    createToken(db, t2, { label: "second", permission: "read" });
+
+    const tokens = listTokens(db);
+    expect(tokens.length).toBe(2);
+    expect(tokens.some((t) => t.label === "first")).toBe(true);
+    expect(tokens.some((t) => t.label === "second")).toBe(true);
+    // Each token should have a display ID
+    expect(tokens.every((t) => t.id.startsWith("t_"))).toBe(true);
+  });
+
+  test("revoke token by display ID", () => {
+    const { fullToken } = generateToken();
+    createToken(db, fullToken, { label: "to-revoke" });
+
+    const tokens = listTokens(db);
+    expect(tokens.length).toBe(1);
+
+    const revoked = revokeToken(db, tokens[0].id);
+    expect(revoked).toBe(true);
+
+    const after = listTokens(db);
+    expect(after.length).toBe(0);
+
+    // Token should no longer resolve
+    expect(resolveToken(db, fullToken)).toBeNull();
+  });
+
+  test("revoke non-existent token returns false", () => {
+    expect(revokeToken(db, "t_doesnotexist")).toBe(false);
+  });
+
+  test("resolve updates last_used_at", () => {
+    const { fullToken } = generateToken();
+    createToken(db, fullToken, { label: "usage-tracking" });
+
+    // Before first use
+    const before = listTokens(db);
+    expect(before[0].last_used_at).toBeNull();
+
+    // Resolve (which should update last_used_at)
+    resolveToken(db, fullToken);
+
+    const after = listTokens(db);
+    expect(after[0].last_used_at).not.toBeNull();
+  });
+});
+
+describe("token generation", () => {
+  test("generated tokens have pvt_ prefix", () => {
+    const { fullToken, tokenHash } = generateToken();
+    expect(fullToken.startsWith("pvt_")).toBe(true);
+    expect(tokenHash.startsWith("sha256:")).toBe(true);
+  });
+
+  test("generated tokens are unique", () => {
+    const t1 = generateToken();
+    const t2 = generateToken();
+    expect(t1.fullToken).not.toBe(t2.fullToken);
+    expect(t1.tokenHash).not.toBe(t2.tokenHash);
+  });
+});
+

package/src/token-store.ts

@@ -0,0 +1,241 @@
+/**
+ * Token operations for per-vault token management.
+ *
+ * Tokens live in each vault's SQLite database (the `tokens` table is part of
+ * the vault schema as of v7). All functions take a Database parameter — the
+ * vault's own DB connection.
+ *
+ * Two permission levels:
+ *   - "full"  — unrestricted access (CRUD, delete, token management)
+ *   - "read"  — query-only (no mutations)
+ *
+ * Legacy "admin" and "write" values in the DB are normalized to "full" at
+ * read time for backward compatibility.
+ */
+
+import { Database } from "bun:sqlite";
+import crypto from "node:crypto";
+import { hashKey } from "./config.ts";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export type TokenPermission = "full" | "read";
+
+/**
+ * Normalize legacy permission values ("admin", "write") to the current
+ * two-tier model. Existing DB rows may contain the old values.
+ */
+export function normalizePermission(p: string): TokenPermission {
+  if (p === "read") return "read";
+  return "full"; // "admin", "write", or anything else → full
+}
+
+export interface Token {
+  token_hash: string;
+  label: string;
+  permission: TokenPermission;
+  /** @deprecated Scope columns exist in DB but are not enforced at runtime. */
+  scope_tag: string | null;
+  /** @deprecated Scope columns exist in DB but are not enforced at runtime. */
+  scope_path_prefix: string | null;
+  expires_at: string | null;
+  created_at: string;
+  last_used_at: string | null;
+}
+
+export interface ResolvedToken {
+  permission: TokenPermission;
+}
+
+// ---------------------------------------------------------------------------
+// Token operations
+// ---------------------------------------------------------------------------
+
+export function generateToken(): { fullToken: string; tokenHash: string } {
+  const random = crypto.randomBytes(32).toString("base64url").slice(0, 32);
+  const fullToken = `pvt_${random}`;
+  return { fullToken, tokenHash: hashKey(fullToken) };
+}
+
+export function createToken(
+  db: Database,
+  fullToken: string,
+  opts: {
+    label: string;
+    permission?: TokenPermission;
+    /** @deprecated Written to DB but not enforced at runtime. */
+    scope_tag?: string | null;
+    /** @deprecated Written to DB but not enforced at runtime. */
+    scope_path_prefix?: string | null;
+    expires_at?: string | null;
+  },
+): Token {
+  const tokenHash = hashKey(fullToken);
+  const now = new Date().toISOString();
+  const permission = opts.permission ?? "full";
+
+  db.prepare(`
+    INSERT INTO tokens (token_hash, label, permission, scope_tag, scope_path_prefix, expires_at, created_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    tokenHash,
+    opts.label,
+    permission,
+    opts.scope_tag ?? null,
+    opts.scope_path_prefix ?? null,
+    opts.expires_at ?? null,
+    now,
+  );
+
+  return {
+    token_hash: tokenHash,
+    label: opts.label,
+    permission,
+    scope_tag: opts.scope_tag ?? null,
+    scope_path_prefix: opts.scope_path_prefix ?? null,
+    expires_at: opts.expires_at ?? null,
+    created_at: now,
+    last_used_at: null,
+  };
+}
+
+/**
+ * Resolve a bearer token. Returns the token info if valid, null if not found or expired.
+ * Updates last_used_at on successful resolution.
+ */
+export function resolveToken(db: Database, providedToken: string): ResolvedToken | null {
+  // Hash-then-lookup: the SQL = comparison on SHA-256 output is not timing-safe,
+  // but this is acceptable — the attacker would need to guess a valid SHA-256
+  // preimage, which is computationally infeasible regardless of timing leaks.
+  const candidateHash = hashKey(providedToken);
+
+  const row = db.prepare(`
+    SELECT token_hash, permission, expires_at
+    FROM tokens WHERE token_hash = ?
+  `).get(candidateHash) as {
+    token_hash: string;
+    permission: string;
+    expires_at: string | null;
+  } | null;
+
+  if (!row) return null;
+
+  // Check expiry
+  if (row.expires_at && new Date(row.expires_at) < new Date()) {
+    return null;
+  }
+
+  // Update last_used_at
+  db.prepare("UPDATE tokens SET last_used_at = ? WHERE token_hash = ?")
+    .run(new Date().toISOString(), row.token_hash);
+
+  return { permission: normalizePermission(row.permission) };
+}
+
+/**
+ * List all tokens (for CLI display). Never exposes the hash directly —
+ * shows a truncated prefix for identification.
+ */
+export function listTokens(db: Database): (Token & { id: string })[] {
+  const rows = db.prepare(`
+    SELECT token_hash, label, permission, scope_tag, scope_path_prefix,
+           expires_at, created_at, last_used_at
+    FROM tokens ORDER BY created_at DESC
+  `).all() as Token[];
+
+  return rows.map((r) => ({
+    ...r,
+    permission: normalizePermission(r.permission),
+    // Derive a short display ID from the hash (first 12 chars after "sha256:")
+    id: `t_${r.token_hash.slice(7, 19)}`,
+  }));
+}
+
+/**
+ * Revoke (delete) a token by its display ID or full hash.
+ * Returns true if exactly one token was deleted.
+ * If a display ID prefix matches multiple tokens, returns false (ambiguous).
+ */
+export function revokeToken(db: Database, idOrHash: string): boolean {
+  // Try matching by display ID prefix
+  if (idOrHash.startsWith("t_")) {
+    const hashPrefix = idOrHash.slice(2);
+    const rows = db.prepare(
+      "SELECT token_hash FROM tokens WHERE token_hash LIKE ?"
+    ).all(`sha256:${hashPrefix}%`) as { token_hash: string }[];
+    if (rows.length === 1) {
+      db.prepare("DELETE FROM tokens WHERE token_hash = ?").run(rows[0].token_hash);
+      return true;
+    }
+    if (rows.length > 1) {
+      // Ambiguous prefix — refuse to revoke
+      return false;
+    }
+  }
+
+  // Try matching by full hash
+  const result = db.prepare("DELETE FROM tokens WHERE token_hash = ?").run(idOrHash);
+  return result.changes > 0;
+}
+
+// ---------------------------------------------------------------------------
+// Migration: import existing API keys from config.yaml into a vault's DB
+// ---------------------------------------------------------------------------
+
+/**
+ * Import existing API keys for a specific vault from config.yaml into its DB.
+ * Idempotent — skips keys whose hash already exists.
+ *
+ * Imports:
+ * - Per-vault keys from vault.yaml (direct match)
+ * - Global keys from config.yaml (they become full-access tokens in every vault)
+ */
+export function migrateVaultKeys(
+  db: Database,
+  vaultKeys: { key_hash: string; label: string; scope?: string; created_at: string; last_used_at?: string }[],
+  globalKeys?: { key_hash: string; label: string; scope?: string; created_at: string; last_used_at?: string }[],
+): number {
+  let migrated = 0;
+
+  // Import per-vault keys
+  for (const key of vaultKeys) {
+    const exists = db.prepare("SELECT 1 FROM tokens WHERE token_hash = ?").get(key.key_hash);
+    if (!exists) {
+      db.prepare(`
+        INSERT INTO tokens (token_hash, label, permission, created_at, last_used_at)
+        VALUES (?, ?, ?, ?, ?)
+      `).run(
+        key.key_hash,
+        key.label,
+        key.scope === "read" ? "read" : "full",
+        key.created_at,
+        key.last_used_at ?? null,
+      );
+      migrated++;
+    }
+  }
+
+  // Import global keys as full-access tokens
+  if (globalKeys) {
+    for (const key of globalKeys) {
+      const exists = db.prepare("SELECT 1 FROM tokens WHERE token_hash = ?").get(key.key_hash);
+      if (!exists) {
+        db.prepare(`
+          INSERT INTO tokens (token_hash, label, permission, created_at, last_used_at)
+          VALUES (?, ?, ?, ?, ?)
+        `).run(
+          key.key_hash,
+          key.label,
+          "full",
+          key.created_at,
+          key.last_used_at ?? null,
+        );
+        migrated++;
+      }
+    }
+  }
+
+  return migrated;
+}