@openparachute/vault 0.3.3 → 0.4.0

package/src/oauth.ts

@@ -46,6 +46,37 @@ export interface AuthorizePostOptions {
 // Helpers
 // ---------------------------------------------------------------------------
 
+/**
+ * Today the consent page binds one of two scope strings — "read" or "full" —
+ * with `read ⊂ full`. `narrowerScope` picks the more-restrictive of two
+ * inputs (used to floor `selected` by `requested` at /oauth/authorize),
+ * `isScopeSubset` checks an inbound /oauth/token scope against the bound
+ * scope. Both default to "full" only if **both** inputs allow "full",
+ * otherwise narrow to "read". When the consent vocabulary expands beyond
+ * read/full, both helpers should switch to vault:read|write|admin and the
+ * inheritance rules in scopes.ts (`hasScope`).
+ */
+function normalizeConsentScope(s: string | null | undefined): "read" | "full" {
+  return s === "read" ? "read" : "full";
+}
+
+function narrowerScope(a: string, b: string): "read" | "full" {
+  return normalizeConsentScope(a) === "read" || normalizeConsentScope(b) === "read"
+    ? "read"
+    : "full";
+}
+
+function isScopeSubset(requested: string, bound: string): boolean {
+  // Strict: only "read" / "full" are acceptable on the wire today. Unknown
+  // scope strings are rejected as out-of-bounds rather than silently
+  // normalized — otherwise `scope=vault:admin` would coast through when
+  // bound is "full".
+  if (requested !== "read" && requested !== "full") return false;
+  const bnd = normalizeConsentScope(bound);
+  if (bnd === "full") return requested === "read" || requested === "full";
+  return requested === "read";
+}
+
 /**
  * Public-facing base URL of the server. Honors `x-forwarded-*` headers so a
  * Cloudflare Tunnel / Tailscale Funnel / reverse-proxied deployment advertises
@@ -351,7 +382,7 @@ export async function handleAuthorizePost(
   const { vaultName, clientIp, ownerPasswordHash, totpSecret, rateLimiter = authorizeRateLimit } = opts;
   const totpEnrolled = typeof totpSecret === "string" && totpSecret.length > 0;
 
-  let form: FormData;
+  let form: Awaited<ReturnType<typeof req.formData>>;
   try {
     form = await req.formData();
   } catch {
@@ -363,13 +394,12 @@ export async function handleAuthorizePost(
   const redirectUri = form.get("redirect_uri") as string;
   const codeChallenge = form.get("code_challenge") as string;
   const codeChallengeMethod = form.get("code_challenge_method") as string || "S256";
-  // Requested scope (from hidden field, carried from GET) and selected scope
-  // (from radio button on the consent page). Default selected to requested.
-  const requestedScope = form.get("scope") as string || "full";
+  // Requested scope is carried from the GET via a hidden field on the consent
+  // page; the user's radio-button choice arrives in `selected_scope`. The
+  // required-ness check runs *after* the deny short-circuit below — a deny
+  // POST doesn't mint anything and shouldn't need scope to refuse.
+  const requestedScopeRaw = form.get("scope");
   const selectedScopeRaw = form.get("selected_scope") as string | null;
-  const selectedScope = selectedScopeRaw === "read" || selectedScopeRaw === "full"
-    ? selectedScopeRaw
-    : (requestedScope === "read" ? "read" : "full");
   const state = form.get("state") as string || "";
 
   if (!clientId || !redirectUri || !codeChallenge) {
@@ -404,6 +434,20 @@ export async function handleAuthorizePost(
     return Response.redirect(redirect.toString(), 302);
   }
 
+  // Past this point we're processing consent — scope must be explicitly
+  // present. Defaulting absent scope to "full" would silently cement a
+  // grant the user never confirmed (#197).
+  if (typeof requestedScopeRaw !== "string" || requestedScopeRaw.length === 0) {
+    return Response.json(
+      { error: "invalid_request", error_description: "scope is required" },
+      { status: 400 },
+    );
+  }
+  const requestedScope = requestedScopeRaw;
+  const selectedScope = selectedScopeRaw === "read" || selectedScopeRaw === "full"
+    ? selectedScopeRaw
+    : (requestedScope === "read" ? "read" : "full");
+
   // Rate-limit the owner-auth step. Applied before any credential check so
   // brute-force attempts are capped regardless of which path (password or
   // legacy token) is being used.
@@ -483,7 +527,13 @@ export async function handleAuthorizePost(
 
   if (clientIp) rateLimiter.recordSuccess(clientIp);
 
-  // Generate auth code — persist the user-selected scope (not the requested one)
+  // Generate auth code — bind the NARROWER of (requested, selected). The
+  // user can shrink the requested scope at consent time (e.g. flip "full"
+  // to "read"); they cannot broaden it. Without this floor, a malicious
+  // form could smuggle `selected_scope=full` even when /authorize?scope=read
+  // was the original ask, escalating beyond what the client requested at
+  // authorize time (#94, RFC 6749 §3.3).
+  const boundScope = narrowerScope(requestedScope, selectedScope);
   const code = crypto.randomBytes(32).toString("base64url");
   const expiresAt = new Date(Date.now() + 10 * 60 * 1000).toISOString(); // 10 minutes
 
@@ -492,7 +542,7 @@ export async function handleAuthorizePost(
   db.prepare(`
     INSERT INTO oauth_codes (code, client_id, code_challenge, code_challenge_method, scope, redirect_uri, expires_at, created_at, vault_name)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `).run(code, clientId, codeChallenge, codeChallengeMethod, selectedScope, redirectUri, expiresAt, new Date().toISOString(), vaultName ?? null);
+  `).run(code, clientId, codeChallenge, codeChallengeMethod, boundScope, redirectUri, expiresAt, new Date().toISOString(), vaultName ?? null);
 
   redirect.searchParams.set("code", code);
   return Response.redirect(redirect.toString(), 302);
@@ -607,14 +657,35 @@ export async function handleToken(
     return Response.json({ error: "invalid_grant", error_description: "PKCE verification failed" }, { status: 400 });
   }
 
+  // RFC 6749 §3.3 / §6: a `scope` parameter at /oauth/token, if present,
+  // must equal or be a subset of the scope bound to the auth code at
+  // /oauth/authorize. Reject expansion attempts as `invalid_scope` rather
+  // than silently honoring the bound scope (#94). Absent param → use bound.
+  const requestedTokenScopeRaw = params.get("scope");
+  let effectiveScope = authCode.scope;
+  if (requestedTokenScopeRaw !== null && requestedTokenScopeRaw.trim().length > 0) {
+    const requested = requestedTokenScopeRaw.trim();
+    if (!isScopeSubset(requested, authCode.scope)) {
+      return Response.json(
+        {
+          error: "invalid_scope",
+          error_description:
+            "Requested scope exceeds the scope bound at authorization time.",
+        },
+        { status: 400 },
+      );
+    }
+    effectiveScope = requested;
+  }
+
   // Mark code as used
   db.prepare("UPDATE oauth_codes SET used = 1 WHERE code = ?").run(code);
 
-  // Translate the consent-time selected scope into both the legacy permission
-  // column and the OAuth-standard scope list we now persist on the token row.
-  // The consent page only offers read vs full today; full becomes the
-  // admin-inheriting scope set so hub admin operations keep working.
-  const permission: TokenPermission = authCode.scope === "read" ? "read" : "full";
+  // Translate the (possibly-narrowed) effective scope into both the legacy
+  // permission column and the OAuth-standard scope list we persist on the
+  // token row. The consent page only offers read vs full today; full becomes
+  // the admin-inheriting scope set so hub admin operations keep working.
+  const permission: TokenPermission = effectiveScope === "read" ? "read" : "full";
   const scopes = legacyPermissionToScopes(permission);
   const scopeString = serializeScopes(scopes);
 

package/src/owner-auth.ts

@@ -88,6 +88,9 @@ interface RateLimitEntry {
  *   - Up to MAX_FAILURES failed attempts within WINDOW_MS → lockout
  *   - Lockout lasts LOCKOUT_MS
  *   - A successful attempt clears the IP's counter
+ *   - Hard cap on entry count — when full, the oldest insertion is evicted
+ *     before a new one is recorded. Prevents memory exhaustion via IP /
+ *     client_id enumeration (#93).
  */
 export class RateLimiter {
   private entries = new Map<string, RateLimitEntry>();
@@ -96,6 +99,7 @@ export class RateLimiter {
     private readonly maxFailures = 10,
     private readonly windowMs = 60_000,
     private readonly lockoutMs = 15 * 60_000,
+    private readonly maxEntries = 10_000,
   ) {}
 
   /**
@@ -130,6 +134,7 @@ export class RateLimiter {
     const entry = this.entries.get(ip);
 
     if (!entry || now - entry.firstFailureAt > this.windowMs) {
+      this.evictIfFull();
       this.entries.set(ip, {
         failures: 1,
         firstFailureAt: now,
@@ -153,7 +158,58 @@ export class RateLimiter {
   reset(): void {
     this.entries.clear();
   }
+
+  /** Current entry count — exposed for tests + observability. */
+  size(): number {
+    return this.entries.size;
+  }
+
+  /**
+   * Evict the oldest insertion(s) until size < maxEntries. Map preserves
+   * insertion order, so `keys().next().value` is the oldest. We re-insert
+   * on window-rollover (delete + new set), so insertion order tracks
+   * recency-of-failure closely enough for FIFO eviction.
+   */
+  private evictIfFull(): void {
+    while (this.entries.size >= this.maxEntries) {
+      const oldest = this.entries.keys().next().value;
+      if (oldest === undefined) break;
+      this.entries.delete(oldest);
+    }
+  }
 }
 
-/** Singleton rate limiter for the OAuth consent endpoint. */
+/**
+ * Singleton rate limiter — kept for back-compat with callers that don't pass
+ * through per-vault routing. Fresh callers should prefer
+ * `getAuthorizeRateLimiter(vaultName)` so traffic on one vault's consent flow
+ * doesn't lock out IPs on another vault's consent flow (#93).
+ *
+ * @deprecated Use `getAuthorizeRateLimiter(vaultName)` instead. The singleton
+ * cross-pollutes per-vault consent traffic — one vault under brute-force can
+ * lock out IPs on every other vault's consent page.
+ */
 export const authorizeRateLimit = new RateLimiter();
+
+/**
+ * Per-vault rate limiter registry. The vault count is admin-bounded (vaults
+ * are created via CLI, not by clients) so this Map can grow only with operator
+ * action — no attacker-driven growth path. Each instance carries the
+ * default 10,000-entry IP cap, scoped to its vault (#93).
+ */
+const vaultAuthorizeRateLimiters = new Map<string, RateLimiter>();
+
+/** Lazily get-or-create the rate limiter for a given vault. */
+export function getAuthorizeRateLimiter(vaultName: string): RateLimiter {
+  let limiter = vaultAuthorizeRateLimiters.get(vaultName);
+  if (!limiter) {
+    limiter = new RateLimiter();
+    vaultAuthorizeRateLimiters.set(vaultName, limiter);
+  }
+  return limiter;
+}
+
+/** For tests: drop all per-vault limiters. */
+export function resetVaultAuthorizeRateLimiters(): void {
+  vaultAuthorizeRateLimiters.clear();
+}

package/src/prompt.ts

@@ -141,17 +141,18 @@ export async function askPassword(question: string): Promise<string> {
 export async function choose(question: string, options: { label: string; value: string; description?: string }[]): Promise<string> {
   console.log(question);
   for (let i = 0; i < options.length; i++) {
-    const desc = options[i].description ? ` — ${options[i].description}` : "";
-    console.log(`  ${i + 1}) ${options[i].label}${desc}`);
+    const opt = options[i]!;
+    const desc = opt.description ? ` — ${opt.description}` : "";
+    console.log(`  ${i + 1}) ${opt.label}${desc}`);
   }
   process.stdout.write(`  Choice [1]: `);
 
   for await (const line of console) {
     const answer = line.trim();
-    if (answer === "") return options[0].value;
+    if (answer === "") return options[0]!.value;
     const idx = parseInt(answer, 10) - 1;
-    if (idx >= 0 && idx < options.length) return options[idx].value;
+    if (idx >= 0 && idx < options.length) return options[idx]!.value;
     process.stdout.write(`  Please enter 1-${options.length}: `);
   }
-  return options[0].value;
+  return options[0]!.value;
 }