@opentrust/dashboard 7.3.21 → 7.3.22

package/dist/index.js

@@ -7,7 +7,7 @@ import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { sessionAuth } from "./middleware/session-auth.js";
 import { authRouter } from "./routes/auth.js";
-import { settingsRouter } from "./routes/settings.js";
+import { settingsRouter, ensureSystemApiKey } from "./routes/settings.js";
 import { agentsRouter } from "./routes/agents.js";
 import { scannersRouter } from "./routes/scanners.js";
 import { policiesRouter } from "./routes/policies.js";
@@ -82,13 +82,15 @@ app.use("/api/commands", commandsRouter);
 app.use("/api/hosts", hostsRouter);
 app.use("/api/system", systemRouter);
 app.use(errorHandler);
-app.listen(PORT, () => {
+app.listen(PORT, async () => {
     console.log(`OpenTrust API running on port ${PORT}`);
     console.log(`DashboardMode: ${DASHBOARD_MODE}`);
-    if (process.env.DEV_MODE === "true") {
-        console.log(`DevMode: ON — authentication disabled`);
+    console.log(`Auth: username/password login (default: admin/admin)`);
+    try {
+        const systemKey = await ensureSystemApiKey();
+        console.log(`System API Key: ${systemKey.slice(0, 12)}...${systemKey.slice(-4)}`);
     }
-    else {
-        console.log(`Auth: POST /api/auth/request — send magic link`);
+    catch {
+        console.warn("Warning: failed to initialize system API key");
     }
 });

package/dist/middleware/session-auth.js

@@ -1,27 +1,55 @@
-const IS_DEV_MODE = process.env.DEV_MODE === "true";
+import { db, settingsQueries } from "@opentrust/db";
 const CORE_URL = process.env.OG_CORE_URL || "http://localhost:53666";
 const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
-const DEV_TENANT_ID = "default";
-const DEV_EMAIL = "dev@localhost";
-const DEV_API_KEY = "sk-og-dev";
+const KEY_CACHE_TTL_MS = 60_000; // 1 minute
+const DEFAULT_TENANT_ID = "default";
 const sessionCache = new Map();
+let cachedSystemKey = null;
+let cachedSystemKeyAt = 0;
+async function getSystemApiKey() {
+    if (cachedSystemKey && Date.now() - cachedSystemKeyAt < KEY_CACHE_TTL_MS) {
+        return cachedSystemKey;
+    }
+    try {
+        const settings = settingsQueries(db);
+        const key = await settings.get("system_api_key");
+        cachedSystemKey = key || null;
+        cachedSystemKeyAt = Date.now();
+        return cachedSystemKey;
+    }
+    catch {
+        return cachedSystemKey;
+    }
+}
 /**
  * Session authentication middleware for OpenTrust.
  *
- * When DEV_MODE=true, skips all validation and uses default dev identity.
- * Otherwise validates the API key against the core (cached for 5 minutes).
- * Sets res.locals.tenantId, res.locals.userEmail, and res.locals.coreApiKey.
+ * Supports two authentication modes:
+ * 1. sk-ot-* keys: validated directly against the system_api_key in settings DB
+ * 2. sk-og-* keys: validated against Core (backward compatible)
  */
 export async function sessionAuth(req, res, next) {
-    if (IS_DEV_MODE) {
-        res.locals.tenantId = DEV_TENANT_ID;
-        res.locals.userEmail = DEV_EMAIL;
-        res.locals.coreApiKey = DEV_API_KEY;
-        next();
+    const apiKey = req.headers.authorization?.replace("Bearer ", "")
+        || req.headers["x-api-key"];
+    if (!apiKey) {
+        res.status(401).json({ success: false, error: "Not authenticated" });
+        return;
+    }
+    // sk-ot-* keys: validate against system_api_key stored in Dashboard settings
+    if (apiKey.startsWith("sk-ot-")) {
+        const systemKey = await getSystemApiKey();
+        if (systemKey && apiKey === systemKey) {
+            res.locals.tenantId = DEFAULT_TENANT_ID;
+            res.locals.userEmail = "admin@opentrust";
+            res.locals.coreApiKey = apiKey;
+            next();
+            return;
+        }
+        res.status(401).json({ success: false, error: "Invalid system API key" });
         return;
     }
-    const apiKey = req.headers.authorization?.replace("Bearer ", "");
-    if (!apiKey?.startsWith("sk-og-")) {
+    // sk-og-* keys: validate against Core (backward compatible)
+    if (!apiKey.startsWith("sk-og-")) {
         res.status(401).json({ success: false, error: "Not authenticated" });
         return;
     }

package/dist/routes/auth.js

@@ -1,125 +1,127 @@
 import { Router } from "express";
+import { createHash } from "node:crypto";
+import { db, settingsQueries } from "@opentrust/db";
+import { ensureSystemApiKey } from "./settings.js";
 export const authRouter = Router();
-const IS_DEV_MODE = process.env.DEV_MODE === "true";
-const CORE_URL = process.env.OG_CORE_URL || "http://localhost:53666";
-const DEV_EMAIL = "dev@localhost";
-const DEV_RESPONSE = {
-    success: true,
-    email: DEV_EMAIL,
-    agentId: "dev-agent",
-    name: "Dev Agent",
-    quotaTotal: 999999,
-    quotaUsed: 0,
-    quotaRemaining: 999999,
-    agents: [],
-};
-async function fetchCoreAccount(apiKey) {
-    try {
-        const res = await fetch(`${CORE_URL}/api/v1/account`, {
-            headers: { Authorization: `Bearer ${apiKey}` },
-        });
-        if (!res.ok)
-            return null;
-        return res.json();
-    }
-    catch {
-        return null;
-    }
+const DEFAULT_USERNAME = "admin";
+const DEFAULT_PASSWORD = "admin";
+const settings = settingsQueries(db);
+function hashPassword(password) {
+    return createHash("sha256").update(password).digest("hex");
 }
-async function fetchCoreAccounts(apiKey) {
+async function ensureAdminCredentials() {
+    const existing = await settings.get("admin_password_hash");
+    if (existing)
+        return;
+    await settings.set("admin_username", DEFAULT_USERNAME);
+    await settings.set("admin_password_hash", hashPassword(DEFAULT_PASSWORD));
+}
+authRouter.get("/config", async (_req, res) => {
     try {
-        const res = await fetch(`${CORE_URL}/api/v1/accounts`, {
-            headers: { Authorization: `Bearer ${apiKey}` },
-        });
-        if (!res.ok)
-            return null;
-        return res.json();
+        const pwHash = await settings.get("admin_password_hash");
+        const isDefault = pwHash === hashPassword(DEFAULT_PASSWORD);
+        res.json({ defaultPassword: isDefault });
     }
     catch {
-        return null;
+        res.json({ defaultPassword: true });
     }
-}
-authRouter.get("/config", (_req, res) => {
-    res.json({ devMode: IS_DEV_MODE });
 });
 authRouter.post("/login", async (req, res, next) => {
-    if (IS_DEV_MODE) {
-        res.json(DEV_RESPONSE);
-        return;
-    }
     try {
-        const { apiKey, email } = req.body;
-        if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
-            res.status(400).json({ success: false, error: "Valid email required" });
+        await ensureAdminCredentials();
+        const { username, password } = req.body;
+        if (!username || !password) {
+            res.status(400).json({ success: false, error: "Username and password required" });
             return;
         }
-        if (!apiKey || !apiKey.startsWith("sk-og-")) {
-            res.status(400).json({ success: false, error: "Valid API key required (sk-og-...)" });
+        const storedUsername = await settings.get("admin_username") || DEFAULT_USERNAME;
+        const storedHash = await settings.get("admin_password_hash") || hashPassword(DEFAULT_PASSWORD);
+        if (username !== storedUsername || hashPassword(password) !== storedHash) {
+            res.status(401).json({ success: false, error: "Invalid username or password" });
             return;
         }
-        const account = await fetchCoreAccount(apiKey);
-        if (!account?.success) {
-            res.status(401).json({ success: false, error: "Invalid API key" });
-            return;
-        }
-        if (!account.email) {
-            res.status(403).json({ success: false, error: "Agent not yet activated. Complete email verification first." });
-            return;
-        }
-        if (account.email.toLowerCase() !== email.toLowerCase()) {
-            res.status(401).json({ success: false, error: "Email does not match this API key" });
-            return;
-        }
-        const accounts = await fetchCoreAccounts(apiKey);
-        const agents = accounts?.agents ?? [];
+        const apiKey = await ensureSystemApiKey();
         res.json({
             success: true,
-            email: account.email,
-            agentId: account.agentId,
-            name: account.name,
-            quotaTotal: account.quotaTotal,
-            quotaUsed: account.quotaUsed,
-            quotaRemaining: account.quotaRemaining,
-            agents,
+            email: `${username}@opentrust`,
+            name: username,
+            apiKey,
         });
     }
     catch (err) {
         next(err);
     }
 });
-authRouter.get("/me", async (req, res, next) => {
-    if (IS_DEV_MODE) {
-        res.json(DEV_RESPONSE);
-        return;
-    }
+authRouter.post("/change-password", async (req, res, next) => {
     try {
-        const apiKey = req.headers.authorization?.replace("Bearer ", "");
-        if (!apiKey?.startsWith("sk-og-")) {
+        const token = req.headers.authorization?.replace("Bearer ", "");
+        const systemKey = await ensureSystemApiKey();
+        if (!token || token !== systemKey) {
             res.status(401).json({ success: false, error: "Not authenticated" });
             return;
         }
-        const account = await fetchCoreAccount(apiKey);
-        if (!account?.success || !account.email) {
-            res.status(401).json({ success: false, error: "Invalid or inactive API key" });
+        const { currentPassword, newPassword } = req.body;
+        if (!currentPassword || !newPassword) {
+            res.status(400).json({ success: false, error: "Current and new password required" });
             return;
         }
-        const accounts = await fetchCoreAccounts(apiKey);
-        const agents = accounts?.agents ?? [];
-        res.json({
-            success: true,
-            email: account.email,
-            agentId: account.agentId,
-            name: account.name,
-            quotaTotal: account.quotaTotal,
-            quotaUsed: account.quotaUsed,
-            quotaRemaining: account.quotaRemaining,
-            agents,
-        });
+        if (newPassword.length < 4) {
+            res.status(400).json({ success: false, error: "Password must be at least 4 characters" });
+            return;
+        }
+        const storedHash = await settings.get("admin_password_hash") || hashPassword(DEFAULT_PASSWORD);
+        if (hashPassword(currentPassword) !== storedHash) {
+            res.status(401).json({ success: false, error: "Current password is incorrect" });
+            return;
+        }
+        await settings.set("admin_password_hash", hashPassword(newPassword));
+        res.json({ success: true });
     }
     catch (err) {
         next(err);
     }
 });
+authRouter.get("/me", async (req, res) => {
+    const token = req.headers.authorization?.replace("Bearer ", "")
+        || req.headers["x-api-key"];
+    if (!token) {
+        res.status(401).json({ success: false, error: "Not authenticated" });
+        return;
+    }
+    // Validate sk-ot-* system key
+    if (token.startsWith("sk-ot-")) {
+        const systemKey = await ensureSystemApiKey();
+        if (token === systemKey) {
+            const username = await settings.get("admin_username") || DEFAULT_USERNAME;
+            res.json({ success: true, email: `${username}@opentrust`, name: username });
+            return;
+        }
+        res.status(401).json({ success: false, error: "Invalid system API key" });
+        return;
+    }
+    // Backward compat: sk-og-* keys via Core
+    if (token.startsWith("sk-og-")) {
+        try {
+            const coreUrl = process.env.OG_CORE_URL || "http://localhost:53666";
+            const coreRes = await fetch(`${coreUrl}/api/v1/account`, {
+                headers: { Authorization: `Bearer ${token}` },
+            });
+            if (!coreRes.ok) {
+                res.status(401).json({ success: false, error: "Invalid API key" });
+                return;
+            }
+            const data = await coreRes.json();
+            if (data.success && data.email) {
+                res.json({ success: true, email: data.email, name: data.name || data.email });
+                return;
+            }
+        }
+        catch { }
+        res.status(401).json({ success: false, error: "Invalid or inactive API key" });
+        return;
+    }
+    res.status(401).json({ success: false, error: "Not authenticated" });
+});
 authRouter.post("/logout", (_req, res) => {
     res.json({ success: true });
 });

package/dist/routes/settings.js

@@ -1,17 +1,29 @@
 import { Router } from "express";
+import { randomBytes } from "node:crypto";
 import { db, settingsQueries } from "@opentrust/db";
 import { maskSecret } from "@opentrust/shared";
 import { checkCoreHealth } from "../services/core-client.js";
 const settings = settingsQueries(db);
 export const settingsRouter = Router();
+const SENSITIVE_KEYS = ["og_core_key", "session_token", "system_api_key"];
+export function generateSystemApiKey() {
+    return `sk-ot-${randomBytes(16).toString("hex")}`;
+}
+export async function ensureSystemApiKey() {
+    const existing = await settings.get("system_api_key");
+    if (existing)
+        return existing;
+    const key = generateSystemApiKey();
+    await settings.set("system_api_key", key);
+    return key;
+}
 // GET /api/settings
 settingsRouter.get("/", async (_req, res, next) => {
     try {
         const all = await settings.getAll();
-        // Mask sensitive values
         const masked = {};
         for (const [key, value] of Object.entries(all)) {
-            if (key === "og_core_key" || key === "session_token") {
+            if (SENSITIVE_KEYS.includes(key)) {
                 masked[key] = maskSecret(value);
             }
             else {
@@ -32,8 +44,8 @@ settingsRouter.put("/", async (req, res, next) => {
             res.status(400).json({ success: false, error: "Request body must be a key-value object" });
             return;
         }
-        // Prevent overwriting session_token via this endpoint
         delete updates.session_token;
+        delete updates.system_api_key;
         for (const [key, value] of Object.entries(updates)) {
             await settings.set(key, value);
         }
@@ -43,6 +55,34 @@ settingsRouter.put("/", async (req, res, next) => {
         next(err);
     }
 });
+// GET /api/settings/api-key — reveal or masked system API key
+settingsRouter.get("/api-key", async (req, res, next) => {
+    try {
+        const key = await ensureSystemApiKey();
+        const reveal = req.query.reveal === "true";
+        res.json({
+            success: true,
+            data: {
+                key: reveal ? key : maskSecret(key),
+                masked: !reveal,
+            },
+        });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// POST /api/settings/generate-key — regenerate system API key
+settingsRouter.post("/generate-key", async (_req, res, next) => {
+    try {
+        const key = generateSystemApiKey();
+        await settings.set("system_api_key", key);
+        res.json({ success: true, data: { key } });
+    }
+    catch (err) {
+        next(err);
+    }
+});
 // POST /api/settings/test-connection
 settingsRouter.post("/test-connection", async (_req, res, next) => {
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opentrust/dashboard",
-  "version": "7.3.21",
+  "version": "7.3.22",
   "type": "module",
   "description": "OpenTrust Dashboard — management panel for AI Agent security (API + embedded web)",
   "main": "dist/index.js",
@@ -19,8 +19,8 @@
     "morgan": "^1.10.0",
     "nodemailer": "^8.0.1",
     "zod": "^3.23.0",
-    "@opentrust/shared": "7.3.21",
-    "@opentrust/db": "7.3.21"
+    "@opentrust/shared": "7.3.22",
+    "@opentrust/db": "7.3.22"
   },
   "devDependencies": {
     "@types/cors": "^2.8.17",