npm - @riddix/hamh - Versions diffs - 2.1.0-alpha.592 → 2.1.0-alpha.594 - Mend

@riddix/hamh 2.1.0-alpha.592 → 2.1.0-alpha.594

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/backend/cli.js +197 -47
package/dist/backend/cli.js.map +3 -3
package/dist/frontend/assets/{index-zPFZkqBD.js → index-DZBgce-y.js} +68 -68
package/dist/frontend/index.html +1 -1
package/package.json +6 -6

package/dist/backend/cli.js CHANGED Viewed

@@ -10026,7 +10026,7 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
     throw new ImplementationError(`Index for stable crypto must be 0-255`);
   }
   const crypto8 = new implementation();
-  const { randomBytes: randomBytes2, createKeyPair } = crypto8;
+  const { randomBytes: randomBytes3, createKeyPair } = crypto8;
   Object.defineProperties(crypto8, {
     index: {
       get() {
@@ -10038,11 +10038,11 @@ function MockCrypto(index = 128, implementation = StandardCrypto) {
     },
     entropic: {
       get() {
-        return crypto8.randomBytes === randomBytes2;
+        return crypto8.randomBytes === randomBytes3;
       },
       set(entropic) {
         if (entropic) {
-          crypto8.randomBytes = randomBytes2;
+          crypto8.randomBytes = randomBytes3;
           crypto8.createKeyPair = createKeyPair;
         } else {
           disableEntropy();
@@ -148035,6 +148035,17 @@ async function extractBackupData(buffer) {
   const data = JSON.parse(content.toString());
   return { backupData: data, zipDirectory: directory };
 }
+function resolveWithin(baseDir, relative) {
+  if (relative.length === 0 || path.isAbsolute(relative)) {
+    return null;
+  }
+  const resolvedBase = path.resolve(baseDir);
+  const resolvedTarget = path.resolve(resolvedBase, relative);
+  if (resolvedTarget !== resolvedBase && !resolvedTarget.startsWith(resolvedBase + path.sep)) {
+    return null;
+  }
+  return resolvedTarget;
+}
 async function restoreIdentityFiles(zipDirectory, bridgeId, storageLocation) {
   const identityPrefix = `identity/${bridgeId}/`;
   const identityFiles = zipDirectory.files.filter(
@@ -148047,7 +148058,12 @@ async function restoreIdentityFiles(zipDirectory, bridgeId, storageLocation) {
   fs.mkdirSync(targetDir, { recursive: true });
   for (const file of identityFiles) {
     const relativePath = file.path.substring(identityPrefix.length);
-    const targetPath = path.join(targetDir, relativePath);
+    const targetPath = resolveWithin(targetDir, relativePath);
+    if (!targetPath) {
+      throw new Error(
+        `Refusing to restore identity file with unsafe path: ${file.path}`
+      );
+    }
     const targetDirPath = path.dirname(targetPath);
     fs.mkdirSync(targetDirPath, { recursive: true });
     const content = await file.buffer();
@@ -148067,7 +148083,12 @@ async function restoreBridgeIcon(zipDirectory, bridgeId, storageLocation) {
   fs.mkdirSync(iconsDir, { recursive: true });
   for (const file of iconFiles) {
     const fileName = file.path.substring(iconPrefix.length);
-    const targetPath = path.join(iconsDir, fileName);
+    const targetPath = resolveWithin(iconsDir, fileName);
+    if (!targetPath) {
+      throw new Error(
+        `Refusing to restore bridge icon with unsafe path: ${file.path}`
+      );
+    }
     const content = await file.buffer();
     fs.writeFileSync(targetPath, content);
   }
@@ -149101,9 +149122,7 @@ function lockCredentialApi(lockCredentialStorage) {
     async (_req, res) => {
       const credentials = lockCredentialStorage.getAllCredentials();
       const sanitizedCredentials = credentials.map(sanitizeCredential);
-      res.json({
-        credentials: sanitizedCredentials
-      });
+      res.json({ credentials: sanitizedCredentials });
     }
   );
   router.get(
@@ -151436,16 +151455,25 @@ var WebApi = class extends Service {
     });
   }
   createDynamicAuthMiddleware() {
+    const envAuth = this.props.auth;
+    const envMiddleware = envAuth ? basicAuth({
+      users: { [envAuth.username]: envAuth.password },
+      challenge: true,
+      realm: "Home Assistant Matter Hub"
+    }) : void 0;
+    const storageMiddleware = basicAuth({
+      authorizer: (username, password) => this.settingsStorage.verifyAuth(username, password),
+      challenge: true,
+      realm: "Home Assistant Matter Hub"
+    });
     return (req, res, next) => {
-      const auth = this.props.auth ?? this.settingsStorage.auth;
-      if (!auth) {
+      if (envMiddleware) {
+        return envMiddleware(req, res, next);
+      }
+      if (!this.settingsStorage.auth) {
         return next();
       }
-      return basicAuth({
-        users: { [auth.username]: auth.password },
-        challenge: true,
-        realm: "Home Assistant Matter Hub"
-      })(req, res, next);
+      return storageMiddleware(req, res, next);
     };
   }
   async start() {
@@ -151539,39 +151567,43 @@ var BetterLogger = class _BetterLogger extends Logger {
     }
   }
   debug(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "debug",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.DEBUG) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "debug",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.debug(...values4);
   }
   info(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "info",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.INFO) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "info",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.info(...values4);
   }
   warn(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "warn",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.WARN) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "warn",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.warn(...values4);
   }
   error(...values4) {
-    const message = values4.map((v) => String(v)).join(" ");
-    addLogEntry({
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      level: "error",
-      message: `[${this.loggerName}] ${message}`
-    });
+    if (this._level <= LogLevel.ERROR) {
+      addLogEntry({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "error",
+        message: `[${this.loggerName}] ${values4.map((v) => String(v)).join(" ")}`
+      });
+    }
     super.error(...values4);
   }
   debugCtx(message, context) {
@@ -152643,10 +152675,56 @@ function mockDeviceId(entityId) {
 // src/services/storage/app-settings-storage.ts
 init_service();
+import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";
+var SCRYPT_KEYLEN = 64;
+var SCRYPT_COST_N = 16384;
+var SCRYPT_BLOCK_R = 8;
+var SCRYPT_PARALLEL_P = 1;
+var SALT_BYTES = 16;
 var DEFAULT_BACKUP_SETTINGS = {
   autoBackup: true,
   backupRetentionCount: 5
 };
+function hashPassword(plain2) {
+  const salt = randomBytes(SALT_BYTES);
+  const derived = scryptSync(plain2, salt, SCRYPT_KEYLEN, {
+    N: SCRYPT_COST_N,
+    r: SCRYPT_BLOCK_R,
+    p: SCRYPT_PARALLEL_P
+  });
+  return {
+    passwordHash: derived.toString("hex"),
+    passwordSalt: salt.toString("hex")
+  };
+}
+function verifyPasswordHash(plain2, passwordHash, passwordSalt) {
+  let expected;
+  let salt;
+  try {
+    expected = Buffer.from(passwordHash, "hex");
+    salt = Buffer.from(passwordSalt, "hex");
+  } catch {
+    return false;
+  }
+  if (expected.length !== SCRYPT_KEYLEN || salt.length === 0) {
+    return false;
+  }
+  const derived = scryptSync(plain2, salt, SCRYPT_KEYLEN, {
+    N: SCRYPT_COST_N,
+    r: SCRYPT_BLOCK_R,
+    p: SCRYPT_PARALLEL_P
+  });
+  return timingSafeEqual(derived, expected);
+}
+function constantTimeStringEquals(a, b) {
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  if (bufA.length !== bufB.length) {
+    timingSafeEqual(bufA, bufA);
+    return false;
+  }
+  return timingSafeEqual(bufA, bufB);
+}
 var AppSettingsStorage = class extends Service {
   constructor(appStorage) {
     super("AppSettingsStorage");
@@ -152654,6 +152732,11 @@ var AppSettingsStorage = class extends Service {
   }
   storage;
   settings = {};
+  // Caches the last plaintext password that was successfully verified
+  // against the stored hash, keyed by username. This lets repeated basic-auth
+  // calls avoid re-running scrypt on every HTTP request without persisting
+  // the plaintext to disk.
+  verifiedPassword = null;
   async initialize() {
     this.storage = this.appStorage.createContext("settings");
     const stored = await this.storage.get(
@@ -152663,12 +152746,72 @@ var AppSettingsStorage = class extends Service {
     this.settings = stored ?? {};
   }
   get auth() {
-    return this.settings.auth;
+    if (!this.settings.auth) {
+      return void 0;
+    }
+    return { username: this.settings.auth.username };
   }
-  async setAuth(auth) {
-    this.settings.auth = auth;
+  async setAuth(credentials) {
+    if (!credentials) {
+      this.settings.auth = void 0;
+      this.verifiedPassword = null;
+    } else {
+      const { passwordHash, passwordSalt } = hashPassword(credentials.password);
+      this.settings.auth = {
+        username: credentials.username,
+        passwordHash,
+        passwordSalt
+      };
+      this.verifiedPassword = {
+        username: credentials.username,
+        password: credentials.password
+      };
+    }
     await this.persist();
   }
+  verifyAuth(username, password) {
+    const stored = this.settings.auth;
+    if (!stored) {
+      return false;
+    }
+    if (!constantTimeStringEquals(username, stored.username)) {
+      return false;
+    }
+    if (this.verifiedPassword && this.verifiedPassword.username === stored.username && constantTimeStringEquals(password, this.verifiedPassword.password)) {
+      return true;
+    }
+    if (stored.password !== void 0) {
+      const matches = constantTimeStringEquals(password, stored.password);
+      if (matches) {
+        this.verifiedPassword = { username: stored.username, password };
+        void this.migrateLegacyPlaintext(password);
+      }
+      return matches;
+    }
+    if (stored.passwordHash && stored.passwordSalt) {
+      if (verifyPasswordHash(password, stored.passwordHash, stored.passwordSalt)) {
+        this.verifiedPassword = { username: stored.username, password };
+        return true;
+      }
+    }
+    return false;
+  }
+  async migrateLegacyPlaintext(plain2) {
+    const current = this.settings.auth;
+    if (!current || current.password === void 0) {
+      return;
+    }
+    const { passwordHash, passwordSalt } = hashPassword(plain2);
+    this.settings.auth = {
+      username: current.username,
+      passwordHash,
+      passwordSalt
+    };
+    try {
+      await this.persist();
+    } catch {
+    }
+  }
   get backupSettings() {
     return { ...DEFAULT_BACKUP_SETTINGS, ...this.settings.backup };
   }
@@ -152977,7 +153120,7 @@ var EntityMappingStorage = class extends Service {
 // src/services/storage/lock-credential-storage.ts
 init_service();
-import { pbkdf2Sync, randomBytes } from "node:crypto";
+import { pbkdf2Sync, randomBytes as randomBytes2, timingSafeEqual as timingSafeEqual2 } from "node:crypto";
 var CURRENT_VERSION2 = 2;
 var HASH_ITERATIONS = 1e5;
 var HASH_KEY_LENGTH = 64;
@@ -153014,7 +153157,7 @@ var LockCredentialStorage = class extends Service {
   async migrate(data) {
     if (data.version === 1) {
       for (const legacyCredential of data.credentials) {
-        const salt = randomBytes(SALT_LENGTH).toString("hex");
+        const salt = randomBytes2(SALT_LENGTH).toString("hex");
         const hash2 = this.hashPin(legacyCredential.pinCode, salt);
         const credential = {
           entityId: legacyCredential.entityId,
@@ -153058,8 +153201,15 @@ var LockCredentialStorage = class extends Service {
     if (!credential?.enabled) {
       return false;
     }
-    const hash2 = this.hashPin(pin, credential.pinCodeSalt);
-    return hash2 === credential.pinCodeHash;
+    const computed = Buffer.from(
+      this.hashPin(pin, credential.pinCodeSalt),
+      "hex"
+    );
+    const expected = Buffer.from(credential.pinCodeHash, "hex");
+    if (computed.length !== expected.length) {
+      return false;
+    }
+    return timingSafeEqual2(computed, expected);
   }
   /**
    * Check if a credential exists and is enabled for an entity
@@ -153080,7 +153230,7 @@ var LockCredentialStorage = class extends Service {
   async setCredential(request) {
     const now = Date.now();
     const existing = this.credentials.get(request.entityId);
-    const salt = randomBytes(SALT_LENGTH).toString("hex");
+    const salt = randomBytes2(SALT_LENGTH).toString("hex");
     const hash2 = this.hashPin(request.pinCode, salt);
     const credential = {
       entityId: request.entityId,