@rsktash/beads-ui 0.1.25 → 0.1.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rsktash/beads-ui",
-  "version": "0.1.25",
+  "version": "0.1.27",
   "repository": {
     "type": "git",
     "url": "https://github.com/rsktash/beads-ui.git"

package/server/app.js

@@ -5,7 +5,7 @@ import express from 'express';
 import fs from 'node:fs';
 import path from 'node:path';
 import { createRequire } from 'node:module';
-import { authMiddleware, isAuthEnabled, loadUsers, login } from './auth.js';
+import { authMiddleware, isAuthEnabled, loadUsers, login, verifyToken } from './auth.js';
 
 const require = createRequire(import.meta.url);
 const pkg = require('../package.json');
@@ -63,7 +63,9 @@ export function createApp(config) {
       res.json({ ok: true, authEnabled: false });
       return;
     }
-    const user = /** @type {any} */ (req).user;
+    const authHeader = req.headers.authorization;
+    const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null;
+    const user = token ? verifyToken(token) : null;
     if (!user) {
       res.status(401).json({ ok: false, error: 'Unauthorized' });
       return;

package/server/auth.js

@@ -2,8 +2,9 @@
  * Optional authentication module.
  * When a users config file exists and contains users, auth is enforced.
  * When no users are configured, auth is bypassed entirely.
+ * Simple session tokens stored in memory — no JWT complexity.
  */
-import { createHmac, randomBytes } from 'node:crypto';
+import { randomBytes } from 'node:crypto';
 import fs from 'node:fs';
 import { debug } from './logging.js';
 
@@ -12,13 +13,12 @@ const log = debug('auth');
 /** @type {{ username: string, password: string, role?: string }[]} */
 let users = [];
 
-/** JWT secret — generated per server start when no env override */
-const JWT_SECRET = process.env.BEADS_UI_JWT_SECRET || randomBytes(32).toString('hex');
-const TOKEN_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+/** @type {Map<string, { username: string, role: string }>} */
+const sessions = new Map();
 
 /**
  * Load users from config file.
- * File path: BEADS_UI_AUTH_FILE env var, or ./beads-ui-users.json in cwd.
+ * @param {string} [filePath] - BEADS_UI_AUTH_FILE env var
  */
 export function loadUsers() {
   const filePath = process.env.BEADS_UI_AUTH_FILE || '';
@@ -31,7 +31,7 @@ export function loadUsers() {
     const parsed = JSON.parse(raw);
     users = Array.isArray(parsed.users) ? parsed.users : [];
     log('loaded %d users from %s', users.length, filePath);
-  } catch (err) {
+  } catch {
     log('no users file at %s — auth disabled', filePath);
     users = [];
   }
@@ -42,41 +42,13 @@ export function isAuthEnabled() {
   return users.length > 0;
 }
 
-
 /**
- * Create a JWT-like token (HMAC-SHA256 signed).
- * @param {{ username: string, role: string }} payload
- * @returns {string}
- */
-function createToken(payload) {
-  const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
-  const body = Buffer.from(JSON.stringify({
-    ...payload,
-    iat: Date.now(),
-    exp: Date.now() + TOKEN_EXPIRY_MS
-  })).toString('base64url');
-  const sig = createHmac('sha256', JWT_SECRET).update(`${header}.${body}`).digest('base64url');
-  return `${header}.${body}.${sig}`;
-}
-
-/**
- * Verify and decode a token.
+ * Verify a session token.
  * @param {string} token
  * @returns {{ username: string, role: string } | null}
  */
 export function verifyToken(token) {
-  try {
-    const parts = token.split('.');
-    if (parts.length !== 3) return null;
-    const [header, body, sig] = parts;
-    const expected = createHmac('sha256', JWT_SECRET).update(`${header}.${body}`).digest('base64url');
-    if (sig !== expected) return null;
-    const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
-    if (payload.exp && payload.exp < Date.now()) return null;
-    return { username: payload.username, role: payload.role };
-  } catch {
-    return null;
-  }
+  return sessions.get(token) || null;
 }
 
 /**
@@ -90,13 +62,14 @@ export function login(username, password) {
   if (!user) return { ok: false, error: 'Invalid credentials' };
   if (password !== user.password) return { ok: false, error: 'Invalid credentials' };
   const role = user.role || '';
-  const token = createToken({ username, role });
+  const token = randomBytes(32).toString('hex');
+  sessions.set(token, { username, role });
   return { ok: true, token, user: { username, role } };
 }
 
 /**
  * Express middleware — skips auth if no users configured.
- * Protects all routes except /api/auth/* and static assets.
+ * Protects API routes only. Static assets and SPA routes pass through.
  * @param {import('express').Request} req
  * @param {import('express').Response} res
  * @param {import('express').NextFunction} next
@@ -104,12 +77,10 @@ export function login(username, password) {
 export function authMiddleware(req, res, next) {
   if (!isAuthEnabled()) return next();
 
-  // Allow auth endpoints and health check
+  // Allow auth endpoints, health check, and config
   if (req.path.startsWith('/api/auth') || req.path === '/healthz' || req.path === '/api/config') return next();
 
   // Allow static assets and SPA routes (auth enforced client-side)
-  const ext = req.path.split('.').pop();
-  if (ext && ['js', 'css', 'html', 'svg', 'png', 'ico', 'woff', 'woff2', 'ttf'].includes(ext)) return next();
   if (!req.path.startsWith('/api/')) return next();
 
   // Check Authorization header
@@ -119,11 +90,11 @@ export function authMiddleware(req, res, next) {
     res.status(401).json({ ok: false, error: 'Unauthorized' });
     return;
   }
-  const decoded = verifyToken(token);
-  if (!decoded) {
+  const user = verifyToken(token);
+  if (!user) {
     res.status(401).json({ ok: false, error: 'Invalid token' });
     return;
   }
-  /** @type {any} */ (req).user = decoded;
+  /** @type {any} */ (req).user = user;
   next();
 }