@pixelbyte-software/pixcode 1.51.3 → 1.51.4

package/server/middleware/auth.js

@@ -4,8 +4,9 @@ import { userDb, appConfigDb, apiKeysDb } from '../database/db.js';
 import { IS_PLATFORM } from '../constants/config.js';
 
 // Use env var if set, otherwise auto-generate a unique secret per installation
-const JWT_SECRET = process.env.JWT_SECRET || appConfigDb.getOrCreateJwtSecret();
-const isPixcodeApiKey = (token) => typeof token === 'string' && (token.startsWith('px_') || token.startsWith('ck_'));
+const JWT_SECRET = process.env.JWT_SECRET || appConfigDb.getOrCreateJwtSecret();
+const isPixcodeApiKey = (token) => typeof token === 'string' && (token.startsWith('px_') || token.startsWith('ck_'));
+const ADMIN_ROLES = new Set(['owner', 'admin']);
 
 // Optional API key middleware
 const validateApiKey = (req, res, next) => {
@@ -22,7 +23,7 @@ const validateApiKey = (req, res, next) => {
 };
 
 // JWT authentication middleware
-const authenticateToken = async (req, res, next) => {
+const authenticateToken = async (req, res, next) => {
   // Platform mode:  use single database user
   if (IS_PLATFORM) {
     try {
@@ -101,15 +102,28 @@ const authenticateToken = async (req, res, next) => {
     console.error('Token verification error:', error);
     return res.status(403).json({ error: 'Invalid token' });
   }
-};
+};
+
+const requireAdmin = (req, res, next) => {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Access denied. No authenticated user.' });
+  }
+
+  if (!ADMIN_ROLES.has(req.user.role)) {
+    return res.status(403).json({ error: 'Admin access required.' });
+  }
+
+  next();
+};
 
 // Generate JWT token
 const generateToken = (user) => {
   return jwt.sign(
     {
-      userId: user.id,
-      username: user.username
-    },
+      userId: user.id,
+      username: user.username,
+      role: user.role || null,
+    },
     JWT_SECRET,
     { expiresIn: '7d' }
   );
@@ -120,10 +134,10 @@ const authenticateWebSocket = (token) => {
   // Platform mode: bypass token validation, return first user
   if (IS_PLATFORM) {
     try {
-      const user = userDb.getFirstUser();
-      if (user) {
-        return { id: user.id, userId: user.id, username: user.username };
-      }
+      const user = userDb.getFirstUser();
+      if (user) {
+        return { id: user.id, userId: user.id, username: user.username, role: user.role || null };
+      }
       return null;
     } catch (error) {
       console.error('Platform mode WebSocket error:', error);
@@ -143,9 +157,9 @@ const authenticateWebSocket = (token) => {
 
   if (isPixcodeApiKey(token)) {
     try {
-      const user = apiKeysDb.validateApiKey(token);
-      if (!user) return null;
-      return { userId: user.id, username: user.username };
+      const user = apiKeysDb.validateApiKey(token);
+      if (!user) return null;
+      return { id: user.id, userId: user.id, username: user.username, role: user.role || null };
     } catch (error) {
       console.error('WebSocket API key validation error:', error);
       return null;
@@ -159,7 +173,7 @@ const authenticateWebSocket = (token) => {
     if (!user) {
       return null;
     }
-    return { userId: user.id, username: user.username };
+    return { id: user.id, userId: user.id, username: user.username, role: user.role || null };
   } catch (error) {
     console.error('WebSocket token verification error:', error);
     return null;
@@ -167,9 +181,10 @@ const authenticateWebSocket = (token) => {
 };
 
 export {
-  validateApiKey,
-  authenticateToken,
-  generateToken,
+  validateApiKey,
+  authenticateToken,
+  requireAdmin,
+  generateToken,
   authenticateWebSocket,
   JWT_SECRET
 };

package/server/routes/auth.js

@@ -12,7 +12,15 @@ import {
   saveRemoteConnectionConfig,
 } from '../services/remote-connection.js';
 
-const router = express.Router();
+const router = express.Router();
+
+function publicUser(user) {
+  return {
+    id: user.id,
+    username: user.username,
+    role: user.role || 'member',
+  };
+}
 
 // Check auth status and setup requirements
 router.get('/status', async (req, res) => {
@@ -60,19 +68,19 @@ router.post('/register', async (req, res) => {
     // Use a transaction to prevent race conditions
     db.prepare('BEGIN').run();
     try {
-      // Check if users already exist (only allow one user)
-      const hasUsers = userDb.hasUsers();
-      if (hasUsers) {
-        db.prepare('ROLLBACK').run();
-        return res.status(403).json({ error: 'User already exists. This is a single-user system.' });
-      }
+      // Check if users already exist. Additional accounts are created by admins.
+      const hasUsers = userDb.hasUsers();
+      if (hasUsers) {
+        db.prepare('ROLLBACK').run();
+        return res.status(403).json({ error: 'Initial admin already exists. Ask an admin to create another account.' });
+      }
       
       // Hash password
       const saltRounds = 12;
       const passwordHash = await bcrypt.hash(password, saltRounds);
       
       // Create user
-      const user = userDb.createUser(username, passwordHash);
+      const user = userDb.createUser(username, passwordHash, { role: 'admin' });
       
       // Generate token
       const token = generateToken(user);
@@ -83,10 +91,10 @@ router.post('/register', async (req, res) => {
       userDb.updateLastLogin(user.id);
 
       res.json({
-        success: true,
-        user: { id: user.id, username: user.username },
-        token
-      });
+        success: true,
+        user: publicUser(user),
+        token
+      });
     } catch (error) {
       db.prepare('ROLLBACK').run();
       throw error;
@@ -130,11 +138,11 @@ router.post('/login', async (req, res) => {
     // Update last login
     userDb.updateLastLogin(user.id);
     
-    res.json({
-      success: true,
-      user: { id: user.id, username: user.username },
-      token
-    });
+    res.json({
+      success: true,
+      user: publicUser(user),
+      token
+    });
     
   } catch (error) {
     console.error('Login error:', error);

package/server/routes/git.js

@@ -4,16 +4,17 @@ import { promises as fs } from 'fs';
 
 import express from 'express';
 
-import { extractProjectDirectory } from '../projects.js';
-import { queryClaudeSDK } from '../claude-sdk.js';
-import { spawnCursor } from '../cursor-cli.js';
+import { extractProjectDirectory } from '../projects.js';
+import { queryClaudeSDK } from '../claude-sdk.js';
+import { spawnCursor } from '../cursor-cli.js';
+import { userHasProjectAccess } from '../services/platformization.js';
 
-const router = express.Router();
+const router = express.Router();
 const COMMIT_DIFF_CHARACTER_LIMIT = 500_000;
 const FILESYSTEM_SCAN_MAX_FILES = 5_000;
 const FILESYSTEM_SCAN_MAX_DEPTH = 10;
-const filesystemChangeSnapshots = new Map();
-const FILESYSTEM_SCAN_EXCLUDED_DIRS = new Set([
+const filesystemChangeSnapshots = new Map();
+const FILESYSTEM_SCAN_EXCLUDED_DIRS = new Set([
   '.git',
   '.hg',
   '.svn',
@@ -28,9 +29,23 @@ const FILESYSTEM_SCAN_EXCLUDED_DIRS = new Set([
   '.turbo',
   '.cache',
   '.pixcode-dev',
-]);
-
-function isNotGitRepositoryMessage(message = '') {
+]);
+
+router.use((req, res, next) => {
+  const project = req.query.project || req.body?.project;
+  if (!project) {
+    return next();
+  }
+
+  const capability = req.method === 'GET' ? 'viewFiles' : 'editFiles';
+  if (!userHasProjectAccess(req.user, { name: String(project), projectName: String(project) }, capability)) {
+    return res.status(403).json({ error: 'Project access denied.' });
+  }
+
+  next();
+});
+
+function isNotGitRepositoryMessage(message = '') {
   return message.includes('Not a git repository')
     || message.includes('not a git repository')
     || message.includes('Project directory is not a git repository');

package/server/routes/platformization.js

@@ -1,6 +1,7 @@
-import express from 'express';
-
-import {
+import express from 'express';
+
+import { requireAdmin } from '../middleware/auth.js';
+import {
   checkRemoteAccessHealth,
   createAdminUser,
   createEvaluationRun,
@@ -66,20 +67,20 @@ router.patch('/team/members/:id', (req, res) => {
   res.json({ success: true, member });
 });
 
-router.get('/admin/users', (_req, res) => {
-  res.json({ success: true, users: getPlatformizationState().adminUsers });
-});
-
-router.post('/admin/users', async (req, res) => {
-  try {
-    res.status(201).json({ success: true, user: await createAdminUser(req.body || {}, userId(req)) });
-  } catch (error) {
+router.get('/admin/users', requireAdmin, (_req, res) => {
+  res.json({ success: true, users: getPlatformizationState().adminUsers });
+});
+
+router.post('/admin/users', requireAdmin, async (req, res) => {
+  try {
+    res.status(201).json({ success: true, user: await createAdminUser(req.body || {}, userId(req)) });
+  } catch (error) {
     handleError(res, error);
   }
 });
 
-router.patch('/admin/users/:id', (req, res) => {
-  const user = updateAdminUser(req.params.id, req.body || {}, userId(req));
+router.patch('/admin/users/:id', requireAdmin, (req, res) => {
+  const user = updateAdminUser(req.params.id, req.body || {}, userId(req));
   if (!user) {
     res.status(404).json({ success: false, error: 'Admin user not found.' });
     return;
@@ -87,20 +88,20 @@ router.patch('/admin/users/:id', (req, res) => {
   res.json({ success: true, user });
 });
 
-router.get('/project-collaborators', (_req, res) => {
-  res.json({ success: true, collaborators: getPlatformizationState().projectCollaborators });
-});
-
-router.post('/project-collaborators', (req, res) => {
-  try {
+router.get('/project-collaborators', requireAdmin, (_req, res) => {
+  res.json({ success: true, collaborators: getPlatformizationState().projectCollaborators });
+});
+
+router.post('/project-collaborators', requireAdmin, (req, res) => {
+  try {
     res.status(201).json({ success: true, collaborator: createProjectCollaborator(req.body || {}, userId(req)) });
   } catch (error) {
     handleError(res, error);
   }
 });
 
-router.patch('/project-collaborators/:id', (req, res) => {
-  const collaborator = updateProjectCollaborator(req.params.id, req.body || {}, userId(req));
+router.patch('/project-collaborators/:id', requireAdmin, (req, res) => {
+  const collaborator = updateProjectCollaborator(req.params.id, req.body || {}, userId(req));
   if (!collaborator) {
     res.status(404).json({ success: false, error: 'Project collaborator not found.' });
     return;

package/server/services/platformization.js

@@ -116,10 +116,14 @@ function writeStore(store) {
   appConfigDb.set(CONFIG_KEY, JSON.stringify(store));
 }
 
-function compact(text, max = 120) {
-  const value = String(text || '').replace(/\s+/g, ' ').trim();
-  return value.length > max ? value.slice(0, max).replace(/[-_\s]+$/g, '') : value;
-}
+function compact(text, max = 120) {
+  const value = String(text || '').replace(/\s+/g, ' ').trim();
+  return value.length > max ? value.slice(0, max).replace(/[-_\s]+$/g, '') : value;
+}
+
+function compactProjectIdentifier(value) {
+  return String(value || '').replace(/\s+/g, ' ').trim();
+}
 
 function slugify(value) {
   const slug = compact(value, 72)
@@ -140,9 +144,64 @@ function addAudit(store, action, actorId, details = {}) {
   store.auditLog = store.auditLog.slice(0, 250);
 }
 
-function normalizeRole(role) {
-  return TEAM_ROLES[role] ? role : 'viewer';
-}
+function normalizeRole(role) {
+  return TEAM_ROLES[role] ? role : 'viewer';
+}
+
+export function isAdminUser(user = {}) {
+  return user?.role === 'admin' || user?.role === 'owner';
+}
+
+function resolveUser(input = {}) {
+  const users = userDb.listUsers();
+  const userId = Number(input.userId);
+  if (Number.isFinite(userId)) {
+    return users.find((user) => user.id === userId && user.is_active) || null;
+  }
+
+  const userRef = compact(input.userRef || input.email || input.username || '').toLowerCase();
+  if (!userRef) return null;
+  return users.find((user) => user.is_active && String(user.username).toLowerCase() === userRef) || null;
+}
+
+function projectMatches(collaborator, project = {}) {
+  const projectName = compactProjectIdentifier(project.name || project.projectName || project);
+  const projectPath = compactProjectIdentifier(project.fullPath || project.path || project.projectPath || '');
+
+  return Boolean(
+    (projectName && collaborator.projectName === projectName) ||
+    (projectPath && collaborator.projectPath === projectPath)
+  );
+}
+
+export function userHasProjectAccess(user, project, capability = 'viewFiles') {
+  if (isAdminUser(user)) return true;
+  if (!user?.id && !user?.userId) return false;
+
+  const userId = Number(user.id ?? user.userId);
+  const username = String(user.username || '').toLowerCase();
+  const store = readStore();
+
+  return store.projectCollaborators.some((collaborator) => {
+    if (collaborator.status === 'disabled') return false;
+    if (!projectMatches(collaborator, project)) return false;
+
+    const sameUser = Number(collaborator.userId) === userId ||
+      String(collaborator.userRef || '').toLowerCase() === username;
+    if (!sameUser) return false;
+
+    if (capability === 'viewFiles') {
+      return collaborator.capabilities?.viewFiles !== false;
+    }
+
+    return collaborator.capabilities?.[capability] === true;
+  });
+}
+
+export function filterProjectsForUser(projects = [], user) {
+  if (isAdminUser(user)) return projects;
+  return projects.filter((project) => userHasProjectAccess(user, project, 'viewFiles'));
+}
 
 function normalizeScope(scope) {
   return SECRET_SCOPES.includes(scope) ? scope : 'project';
@@ -338,13 +397,18 @@ export function updateAdminUser(userId, patch = {}, actorId = null) {
   };
 }
 
-export function createProjectCollaborator(input = {}, actorId = null) {
-  const projectName = compact(input.projectName || input.project || '');
-  const projectPath = input.projectPath || null;
-  const userRef = compact(input.userRef || input.email || input.username || '');
-  if (!projectName || !userRef) {
-    throw new Error('Project collaborator requires a project name and user reference.');
-  }
+export function createProjectCollaborator(input = {}, actorId = null) {
+  const projectName = compactProjectIdentifier(input.projectName || input.project || '');
+  const projectPath = input.projectPath || null;
+  const targetUser = resolveUser(input);
+  const userRef = compact(input.userRef || input.email || input.username || targetUser?.username || '');
+  if (!projectName || !userRef) {
+    throw new Error('Project collaborator requires a project name and user reference.');
+  }
+
+  if (!targetUser) {
+    throw new Error('Create the user account before assigning project access.');
+  }
 
   const role = ['partner', 'worker', 'reviewer', 'viewer'].includes(input.role) ? input.role : 'worker';
   const capabilities = {
@@ -357,10 +421,11 @@ export function createProjectCollaborator(input = {}, actorId = null) {
     manageProjectSettings: role === 'partner',
   };
   const collaborator = {
-    id: crypto.randomUUID(),
-    projectName,
-    projectPath,
-    userRef,
+    id: crypto.randomUUID(),
+    projectName,
+    projectPath,
+    userId: targetUser.id,
+    userRef,
     role,
     capabilities: {
       ...capabilities,