npm - @sleep2agi/commhub-server - Versions diffs - 0.5.0-preview.26 → 0.5.0-preview.27 - Mend

@sleep2agi/commhub-server 0.5.0-preview.26 → 0.5.0-preview.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.26",
+  "version": "0.5.0-preview.27",
   "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * V3 Auth module — user registration, login, token management
  */
-import { db, generateId, hashPassword, hashToken, generateToken, uuidv4 } from "./db.js";
+import { db, generateId, hashPassword, hashToken, generateToken, generateUserToken, generateNetworkToken, uuidv4 } from "./db.js";
 export interface AuthUser {
   user_id: string;
@@ -15,7 +15,9 @@ export interface AuthResult {
   ok: boolean;
   error?: string;
   user?: AuthUser;
-  token?: string;
+  token?: string;           // user token (utok_)
+  network_token?: string;   // network token (ntok_) for default network
+  network_id?: string;
 }
 export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
@@ -26,12 +28,16 @@ export function register(username: string, password: string, email?: string, dis
   const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
   if (existing) return { ok: false, error: "username already taken" };
+  // First user → auto admin
+  const userCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM users");
+  const isFirstUser = !userCount || userCount.cnt === 0;
   const userId = generateId("u");
   const pwHash = hashPassword(password);
   db.run(
-    "INSERT INTO users (user_id, username, password_hash, email, display_name) VALUES (?1, ?2, ?3, ?4, ?5)",
-    [userId, username, pwHash, email || null, displayName || username]
+    "INSERT INTO users (user_id, username, password_hash, email, display_name, role) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [userId, username, pwHash, email || null, displayName || username, isFirstUser ? "admin" : "user"]
   );
   // Auto-create default network + add as owner member
@@ -45,18 +51,28 @@ export function register(username: string, password: string, email?: string, dis
     [networkId, userId]
   );
-  // Auto-create API token
-  const token = generateToken();
-  const tokenId = generateId("tok");
+  // User token (utok_) — not bound to network, for CLI/Dashboard login
+  const userToken = generateUserToken();
+  const userTokenId = generateId("tok");
   db.run(
     "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
-    [tokenId, hashToken(token), userId, networkId, "default", "full"]
+    [userTokenId, hashToken(userToken), userId, null, "user-login", "user"]
+  );
+  // Network token (ntok_) — bound to default network, for agent-node
+  const networkToken = generateNetworkToken();
+  const networkTokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [networkTokenId, hashToken(networkToken), userId, networkId, "default-network", "network"]
   );
   return {
     ok: true,
-    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: "user" },
-    token,
+    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: isFirstUser ? "admin" : "user" },
+    token: userToken,
+    network_token: networkToken,
+    network_id: networkId,
   };
 }
@@ -68,36 +84,54 @@ export function login(username: string, password: string): AuthResult {
   if (!user) return { ok: false, error: "invalid username or password" };
   if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
-  // Find or create token
-  let tokenRow = db.get<any>(
-    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1",
+  // Generate/rotate user token (utok_, not bound to network)
+  let userTokenRow = db.get<any>(
+    "SELECT token_id FROM api_tokens WHERE user_id = ?1 AND scope = 'user' ORDER BY created_at DESC LIMIT 1",
     user.user_id);
-  let token: string;
-  if (tokenRow) {
-    // Generate new token (rotate)
-    token = generateToken();
+  const userToken = generateUserToken();
+  if (userTokenRow) {
     db.run("UPDATE api_tokens SET token_hash = ?1, last_used_at = datetime('now') WHERE token_id = ?2",
-      [hashToken(token), tokenRow.token_id]);
+      [hashToken(userToken), userTokenRow.token_id]);
   } else {
-    token = generateToken();
     const tokenId = generateId("tok");
-    const networkId = db.get<any>(
-      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1",
-      user.user_id)?.network_id;
     db.run(
-      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
-      [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
+      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+      [tokenId, hashToken(userToken), user.user_id, null, "user-login", "user"]
     );
   }
+  // Find default network
+  const defaultNet = db.get<any>(
+    "SELECT network_id FROM network_members WHERE user_id = ?1 ORDER BY role = 'owner' DESC LIMIT 1",
+    user.user_id);
+  const networkId = defaultNet?.network_id || null;
+  // Backward compat: also try old atok_ tokens
+  const token = userToken;
   return {
     ok: true,
     user: { user_id: user.user_id, username: user.username, display_name: user.display_name, email: user.email, role: user.role },
     token,
+    network_id: networkId,
   };
 }
+/** Create a network-scoped token (ntok_) for a specific node */
+export function createNetworkTokenForNode(userId: string, networkId: string, nodeName: string): { ok: boolean; token?: string; error?: string } {
+  // Verify user is a member of this network with write access
+  const role = getUserNetworkRole(userId, networkId);
+  if (!role || role === "viewer") return { ok: false, error: "no write access to this network" };
+  const token = generateNetworkToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, networkId, `node:${nodeName}`, "network"]
+  );
+  return { ok: true, token };
+}
 export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
   const tHash = hashToken(token);
   const row = db.get<any>(

package/src/db.ts CHANGED Viewed

@@ -324,6 +324,14 @@ export function generateToken(): string {
   return `atok_${crypto.randomUUID().replace(/-/g, "")}`;
 }
+export function generateUserToken(): string {
+  return `utok_${crypto.randomUUID().replace(/-/g, "")}`;
+}
+export function generateNetworkToken(): string {
+  return `ntok_${crypto.randomUUID().replace(/-/g, "")}`;
+}
 export function logAudit(userId: string | null, username: string | null, action: string, targetType?: string, targetId?: string, detail?: string, ip?: string, networkId?: string) {
   try {
     db.run(

package/src/index.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
 import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, pushBroadcast, getSSEStats } from "./push.js";
-import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, type AuthUser } from "./auth.js";
+import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, createNetworkTokenForNode, type AuthUser } from "./auth.js";
 const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
@@ -304,6 +304,23 @@ Bun.serve({
       }
     }
+    // ── V3.13: Create network token for a node ──
+    if (url.pathname === "/api/auth/node-token" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        if (!body.network_id || !body.node_name) return withCors(req, Response.json({ ok: false, error: "network_id and node_name required" }, { status: 400 }));
+        const result = createNetworkTokenForNode(resolved.user.user_id, body.network_id, body.node_name);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "node_token_created", "network", body.network_id, body.node_name);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
     // ── V3: Token management ──
     if (url.pathname === "/api/auth/tokens" && req.method === "GET") {
       const token = req.headers.get("Authorization")?.replace("Bearer ", "");