@riddix/hamh 2.1.0-alpha.592 → 2.1.0-alpha.593

package/dist/backend/cli.js

@@ -10026,7 +10026,7 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
     throw new ImplementationError(`Index for stable crypto must be 0-255`);
   }
   const crypto8 = new implementation();
-  const { randomBytes: randomBytes2, createKeyPair } = crypto8;
+  const { randomBytes: randomBytes3, createKeyPair } = crypto8;
   Object.defineProperties(crypto8, {
     index: {
       get() {
@@ -10038,11 +10038,11 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
     },
     entropic: {
       get() {
-        return crypto8.randomBytes === randomBytes2;
+        return crypto8.randomBytes === randomBytes3;
       },
       set(entropic) {
         if (entropic) {
-          crypto8.randomBytes = randomBytes2;
+          crypto8.randomBytes = randomBytes3;
           crypto8.createKeyPair = createKeyPair;
         } else {
           disableEntropy();
@@ -148035,6 +148035,17 @@ async function extractBackupData(buffer) {
   const data = JSON.parse(content.toString());
   return { backupData: data, zipDirectory: directory };
 }
+function resolveWithin(baseDir, relative) {
+  if (relative.length === 0 || path.isAbsolute(relative)) {
+    return null;
+  }
+  const resolvedBase = path.resolve(baseDir);
+  const resolvedTarget = path.resolve(resolvedBase, relative);
+  if (resolvedTarget !== resolvedBase && !resolvedTarget.startsWith(resolvedBase + path.sep)) {
+    return null;
+  }
+  return resolvedTarget;
+}
 async function restoreIdentityFiles(zipDirectory, bridgeId, storageLocation) {
   const identityPrefix = `identity/${bridgeId}/`;
   const identityFiles = zipDirectory.files.filter(
@@ -148047,7 +148058,12 @@ async function restoreIdentityFiles(zipDirectory, bridgeId, storageLocation) {
   fs.mkdirSync(targetDir, { recursive: true });
   for (const file of identityFiles) {
     const relativePath = file.path.substring(identityPrefix.length);
-    const targetPath = path.join(targetDir, relativePath);
+    const targetPath = resolveWithin(targetDir, relativePath);
+    if (!targetPath) {
+      throw new Error(
+        `Refusing to restore identity file with unsafe path: ${file.path}`
+      );
+    }
     const targetDirPath = path.dirname(targetPath);
     fs.mkdirSync(targetDirPath, { recursive: true });
     const content = await file.buffer();
@@ -148067,7 +148083,12 @@ async function restoreBridgeIcon(zipDirectory, bridgeId, storageLocation) {
   fs.mkdirSync(iconsDir, { recursive: true });
   for (const file of iconFiles) {
     const fileName = file.path.substring(iconPrefix.length);
-    const targetPath = path.join(iconsDir, fileName);
+    const targetPath = resolveWithin(iconsDir, fileName);
+    if (!targetPath) {
+      throw new Error(
+        `Refusing to restore bridge icon with unsafe path: ${file.path}`
+      );
+    }
     const content = await file.buffer();
     fs.writeFileSync(targetPath, content);
   }
@@ -151436,16 +151457,25 @@ var WebApi = class extends Service {
     });
   }
   createDynamicAuthMiddleware() {
+    const envAuth = this.props.auth;
+    const envMiddleware = envAuth ? basicAuth({
+      users: { [envAuth.username]: envAuth.password },
+      challenge: true,
+      realm: "Home Assistant Matter Hub"
+    }) : void 0;
+    const storageMiddleware = basicAuth({
+      authorizer: (username, password) => this.settingsStorage.verifyAuth(username, password),
+      challenge: true,
+      realm: "Home Assistant Matter Hub"
+    });
     return (req, res, next) => {
-      const auth = this.props.auth ?? this.settingsStorage.auth;
-      if (!auth) {
+      if (envMiddleware) {
+        return envMiddleware(req, res, next);
+      }
+      if (!this.settingsStorage.auth) {
         return next();
       }
-      return basicAuth({
-        users: { [auth.username]: auth.password },
-        challenge: true,
-        realm: "Home Assistant Matter Hub"
-      })(req, res, next);
+      return storageMiddleware(req, res, next);
     };
   }
   async start() {
@@ -151539,39 +151569,43 @@ var BetterLogger = class _BetterLogger extends Logger {
     }
   }
   debug(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "debug",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.DEBUG) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "debug",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.debug(...values4);
   }
   info(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "info",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.INFO) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "info",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.info(...values4);
   }
   warn(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "warn",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.WARN) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "warn",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.warn(...values4);
   }
   error(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "error",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.ERROR) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "error",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.error(...values4);
   }
   debugCtx(message, context) {
@@ -152643,10 +152677,56 @@ function mockDeviceId(entityId) {
 
 // src/services/storage/app-settings-storage.ts
 init_service();
+import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";
+var SCRYPT_KEYLEN = 64;
+var SCRYPT_COST_N = 16384;
+var SCRYPT_BLOCK_R = 8;
+var SCRYPT_PARALLEL_P = 1;
+var SALT_BYTES = 16;
 var DEFAULT_BACKUP_SETTINGS = {
   autoBackup: true,
   backupRetentionCount: 5
 };
+function hashPassword(plain2) {
+  const salt = randomBytes(SALT_BYTES);
+  const derived = scryptSync(plain2, salt, SCRYPT_KEYLEN, {
+    N: SCRYPT_COST_N,
+    r: SCRYPT_BLOCK_R,
+    p: SCRYPT_PARALLEL_P
+  });
+  return {
+    passwordHash: derived.toString("hex"),
+    passwordSalt: salt.toString("hex")
+  };
+}
+function verifyPasswordHash(plain2, passwordHash, passwordSalt) {
+  let expected;
+  let salt;
+  try {
+    expected = Buffer.from(passwordHash, "hex");
+    salt = Buffer.from(passwordSalt, "hex");
+  } catch {
+    return false;
+  }
+  if (expected.length !== SCRYPT_KEYLEN || salt.length === 0) {
+    return false;
+  }
+  const derived = scryptSync(plain2, salt, SCRYPT_KEYLEN, {
+    N: SCRYPT_COST_N,
+    r: SCRYPT_BLOCK_R,
+    p: SCRYPT_PARALLEL_P
+  });
+  return timingSafeEqual(derived, expected);
+}
+function constantTimeStringEquals(a, b) {
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  if (bufA.length !== bufB.length) {
+    timingSafeEqual(bufA, bufA);
+    return false;
+  }
+  return timingSafeEqual(bufA, bufB);
+}
 var AppSettingsStorage = class extends Service {
   constructor(appStorage) {
     super("AppSettingsStorage");
@@ -152654,6 +152734,11 @@ var AppSettingsStorage = class extends Service {
   }
   storage;
   settings = {};
+  // Caches the last plaintext password that was successfully verified
+  // against the stored hash, keyed by username. This lets repeated basic-auth
+  // calls avoid re-running scrypt on every HTTP request without persisting
+  // the plaintext to disk.
+  verifiedPassword = null;
   async initialize() {
     this.storage = this.appStorage.createContext("settings");
     const stored = await this.storage.get(
@@ -152663,12 +152748,72 @@ var AppSettingsStorage = class extends Service {
     this.settings = stored ?? {};
   }
   get auth() {
-    return this.settings.auth;
+    if (!this.settings.auth) {
+      return void 0;
+    }
+    return { username: this.settings.auth.username };
   }
-  async setAuth(auth) {
-    this.settings.auth = auth;
+  async setAuth(credentials) {
+    if (!credentials) {
+      this.settings.auth = void 0;
+      this.verifiedPassword = null;
+    } else {
+      const { passwordHash, passwordSalt } = hashPassword(credentials.password);
+      this.settings.auth = {
+        username: credentials.username,
+        passwordHash,
+        passwordSalt
+      };
+      this.verifiedPassword = {
+        username: credentials.username,
+        password: credentials.password
+      };
+    }
     await this.persist();
   }
+  verifyAuth(username, password) {
+    const stored = this.settings.auth;
+    if (!stored) {
+      return false;
+    }
+    if (!constantTimeStringEquals(username, stored.username)) {
+      return false;
+    }
+    if (this.verifiedPassword && this.verifiedPassword.username === stored.username && constantTimeStringEquals(password, this.verifiedPassword.password)) {
+      return true;
+    }
+    if (stored.password !== void 0) {
+      const matches = constantTimeStringEquals(password, stored.password);
+      if (matches) {
+        this.verifiedPassword = { username: stored.username, password };
+        void this.migrateLegacyPlaintext(password);
+      }
+      return matches;
+    }
+    if (stored.passwordHash && stored.passwordSalt) {
+      if (verifyPasswordHash(password, stored.passwordHash, stored.passwordSalt)) {
+        this.verifiedPassword = { username: stored.username, password };
+        return true;
+      }
+    }
+    return false;
+  }
+  async migrateLegacyPlaintext(plain2) {
+    const current = this.settings.auth;
+    if (!current || current.password === void 0) {
+      return;
+    }
+    const { passwordHash, passwordSalt } = hashPassword(plain2);
+    this.settings.auth = {
+      username: current.username,
+      passwordHash,
+      passwordSalt
+    };
+    try {
+      await this.persist();
+    } catch {
+    }
+  }
   get backupSettings() {
     return { ...DEFAULT_BACKUP_SETTINGS, ...this.settings.backup };
   }
@@ -152977,7 +153122,7 @@ var EntityMappingStorage = class extends Service {
 
 // src/services/storage/lock-credential-storage.ts
 init_service();
-import { pbkdf2Sync, randomBytes } from "node:crypto";
+import { pbkdf2Sync, randomBytes as randomBytes2 } from "node:crypto";
 var CURRENT_VERSION2 = 2;
 var HASH_ITERATIONS = 1e5;
 var HASH_KEY_LENGTH = 64;
@@ -153014,7 +153159,7 @@ var LockCredentialStorage = class extends Service {
   async migrate(data) {
     if (data.version === 1) {
       for (const legacyCredential of data.credentials) {
-        const salt = randomBytes(SALT_LENGTH).toString("hex");
+        const salt = randomBytes2(SALT_LENGTH).toString("hex");
         const hash2 = this.hashPin(legacyCredential.pinCode, salt);
         const credential = {
           entityId: legacyCredential.entityId,
@@ -153080,7 +153225,7 @@ var LockCredentialStorage = class extends Service {
   async setCredential(request) {
     const now = Date.now();
     const existing = this.credentials.get(request.entityId);
-    const salt = randomBytes(SALT_LENGTH).toString("hex");
+    const salt = randomBytes2(SALT_LENGTH).toString("hex");
     const hash2 = this.hashPin(request.pinCode, salt);
     const credential = {
       entityId: request.entityId,