@sleep2agi/commhub-server 0.5.0-preview.19 → 0.5.0-preview.20

package/README.md

@@ -89,9 +89,20 @@ delivered/acked/running → reassign → delivered (新agent)
 
 ## 鉴权
 
-设置 `COMMHUB_AUTH_TOKEN` 后, 所有端点需要 Bearer token:
-- Header: `Authorization: Bearer <token>`
-- 或 Query: `?token=<token>`
+两种认证方式:
+1. **V3 用户系统** (推荐): `POST /api/auth/register` → 获取 `atok_xxx` token
+2. **全局 token** (传统): `COMMHUB_AUTH_TOKEN` 环境变量
+
+Header: `Authorization: Bearer <token>` 或 Query: `?token=<token>`
+
+## V3 功能
+
+- **用户系统**: 注册/登录/Token 认证
+- **多网络**: 每个用户可创建多个独立网络
+- **网络隔离**: 不同网络的数据完全隔离
+- **试用授权**: 14 天免费试用, 到期需授权码
+- **审计日志**: 所有操作记录
+- **限流**: 注册 30/min, 登录 10/min (per IP)
 - `/health` 不需要 auth
 
 ## License

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.19",
+  "version": "0.5.0-preview.20",
   "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts

@@ -132,3 +132,12 @@ export function createNetwork(userId: string, name: string, description?: string
   );
   return { ok: true, network_id: networkId, network_name: name };
 }
+
+export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
+  if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
+  const user = db.query<any, [string]>("SELECT password_hash FROM users WHERE user_id = ?1").get(userId);
+  if (!user) return { ok: false, error: "user not found" };
+  if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
+  db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
+  return { ok: true };
+}

package/src/index.ts

@@ -4,7 +4,7 @@ import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
 import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, pushBroadcast, getSSEStats } from "./push.js";
-import { register, login, resolveToken, getUserNetworks, createNetwork, type AuthUser } from "./auth.js";
+import { register, login, resolveToken, getUserNetworks, createNetwork, changePassword, type AuthUser } from "./auth.js";
 
 const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
@@ -290,6 +290,21 @@ Bun.serve({
       }
     }
 
+    if (url.pathname === "/api/auth/password" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+
     // ── V3: Network management ──
     if (url.pathname === "/api/networks" && req.method === "GET") {
       const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");