@sleep2agi/commhub-server 0.7.0-preview.0 → 0.8.0-preview.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.7.0-preview.0",
+  "version": "0.8.0-preview.0",
   "description": "CommHub Server — AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts

@@ -2,6 +2,7 @@
  * V3 Auth module — user registration, login, token management
  */
 import { db, generateId, hashPassword, hashToken, generateToken, generateUserToken, generateNetworkToken, uuidv4 } from "./db.js";
+import { WEAK_PASSWORDS } from "./password-dict.js";
 
 export interface AuthUser {
   user_id: string;
@@ -20,10 +21,17 @@ export interface AuthResult {
   network_id?: string;
 }
 
+function validatePasswordStrength(password: string, label = "password"): string | null {
+  if (!password || password.length < 8) return `${label} must be at least 8 characters`;
+  if (WEAK_PASSWORDS.has(password.toLowerCase())) return `${label} is too common`;
+  return null;
+}
+
 export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
   if (!username || username.length < 2) return { ok: false, error: "username must be at least 2 characters" };
   if (username.length > 50) return { ok: false, error: "username too long (max 50)" };
-  if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
+  const passwordError = validatePasswordStrength(password);
+  if (passwordError) return { ok: false, error: passwordError };
   if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
 
   const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
@@ -126,10 +134,10 @@ export function createNetworkTokenForNode(userId: string, networkId: string, nod
   return { ok: true, token };
 }
 
-export function resolveToken(token: string): { user: AuthUser; networkId: string | null; tokenName: string | null } | null {
+export function resolveToken(token: string): { user: AuthUser; networkId: string | null; tokenName: string | null; tokenId: string | null } | null {
   const tHash = hashToken(token);
   const row = db.get<any>(
-    `SELECT t.user_id, t.network_id, t.scope, t.name AS token_name,
+    `SELECT t.token_id, t.user_id, t.network_id, t.scope, t.name AS token_name,
             u.username, u.display_name, u.email, u.role
      FROM api_tokens t JOIN users u ON t.user_id = u.user_id
      WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`,
@@ -143,6 +151,7 @@ export function resolveToken(token: string): { user: AuthUser; networkId: string
   return {
     user: { user_id: row.user_id, username: row.username, display_name: row.display_name, email: row.email, role: row.role },
     networkId: row.network_id,
+    tokenId: row.token_id || null,
     // tokenName carries the binding identity. For node-scoped ntok_, it's
     // 'node:<alias>'; we strip the prefix and use it as the default
     // from_session for any MCP send_task / send_message / etc, so peer
@@ -239,13 +248,47 @@ export function revokeToken(userId: string, tokenId: string): { ok: boolean; err
   return result.changes > 0 ? { ok: true } : { ok: false, error: "token not found" };
 }
 
-export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
-  if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
+export function issueUserToken(userId: string, name = "user-login"): { token: string; token_id: string } {
+  const token = generateUserToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, NULL, ?4, 'user')",
+    [tokenId, hashToken(token), userId, name]
+  );
+  return { token, token_id: tokenId };
+}
+
+export function revokeOtherUserTokens(userId: string, exceptTokenId?: string | null): number {
+  const result = exceptTokenId
+    ? db.run("DELETE FROM api_tokens WHERE user_id = ?1 AND network_id IS NULL AND token_id != ?2", [userId, exceptTokenId])
+    : db.run("DELETE FROM api_tokens WHERE user_id = ?1 AND network_id IS NULL", [userId]);
+  return result.changes;
+}
+
+export function changePassword(userId: string, oldPassword: string, newPassword: string, currentTokenId?: string | null): { ok: boolean; error?: string; revoked?: number } {
+  const passwordError = validatePasswordStrength(newPassword, "new password");
+  if (passwordError) return { ok: false, error: passwordError };
   const user = db.get<any>("SELECT password_hash FROM users WHERE user_id = ?1", userId);
   if (!user) return { ok: false, error: "user not found" };
   if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
   db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
-  return { ok: true };
+  const revoked = revokeOtherUserTokens(userId, currentTokenId);
+  return { ok: true, revoked };
+}
+
+export function resetUserPassword(targetUsername: string, callerIsHubAdmin: boolean): { ok: boolean; error?: string; username?: string; user_id?: string; password?: string; token?: string; token_id?: string; revoked?: number } {
+  if (!callerIsHubAdmin) return { ok: false, error: "hub admin required" };
+  const user = db.get<any>("SELECT user_id, username FROM users WHERE username = ?1", targetUsername);
+  if (!user) return { ok: false, error: "user not found" };
+  const password = `anet-${crypto.randomUUID().replace(/-/g, "").slice(0, 18)}`;
+  db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(password), user.user_id]);
+  const revoked = revokeOtherUserTokens(user.user_id, null);
+  const issued = issueUserToken(user.user_id, "admin-reset");
+  db.run(
+    "INSERT INTO audit_log (user_id, username, action, target_type, target_id, detail) VALUES (?1, ?2, 'password_reset_by_admin', 'user', ?3, ?4)",
+    [user.user_id, user.username, user.user_id, "local hub admin reset"]
+  );
+  return { ok: true, username: user.username, user_id: user.user_id, password, token: issued.token, token_id: issued.token_id, revoked };
 }
 
 // ══════════════════════════════════════

package/src/index.ts

@@ -4,24 +4,24 @@ import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
 import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, getSSEStats } from "./push.js";
-import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, createNetworkTokenForNode, type AuthUser } from "./auth.js";
+import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, issueUserToken, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, createNetworkTokenForNode, type AuthUser } from "./auth.js";
 
 const PORT = Number(process.env.PORT) || 9200;
 const HOST = process.env.HOST || "127.0.0.1";
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
 const DEV_OPEN = process.argv.includes("--dev-open") || process.env.COMMHUB_DEV_OPEN === "1";
 const TMUX_ENABLED = process.env.COMMHUB_ENABLE_TMUX === "1";
-const SECURITY_LABEL = AUTH_TOKEN ? "🔒 secured" : "⚠️ DEV OPEN MODE";
+const SECURITY_LABEL = DEV_OPEN ? "⚠️ DEV OPEN MODE" : "🔒 secured";
 const TMUX_ALLOWLIST = new Set(
   (process.env.COMMHUB_TMUX_ALLOWLIST || "")
     .split(",")
     .map((s) => s.trim())
     .filter(Boolean)
 );
+let masterTokenDeprecationLogged = false;
 
-if (!AUTH_TOKEN && !DEV_OPEN) {
-  console.error("[commhub] refusing to start without COMMHUB_AUTH_TOKEN. Use --dev-open or COMMHUB_DEV_OPEN=1 for local-only development.");
-  process.exit(1);
+if (AUTH_TOKEN) {
+  console.warn("[commhub] COMMHUB_AUTH_TOKEN is deprecated and will be removed in v1.0. See RFC-001.");
 }
 
 // Read version from package.json so banners and /health stay in sync.
@@ -106,7 +106,16 @@ function requireAuth(req: Request): Response | null {
 
   // Legacy: check global COMMHUB_AUTH_TOKEN
   if (!AUTH_TOKEN && DEV_OPEN) return null; // explicit local/dev open mode
-  if (token === AUTH_TOKEN) return null;
+  if (token === AUTH_TOKEN) {
+    const u = new URL(req.url);
+    const readOnlyApi = u.pathname.startsWith("/api/") && (req.method === "GET" || req.method === "HEAD" || req.method === "OPTIONS");
+    if (!readOnlyApi) return Response.json({ ok: false, error: "master-token auth is deprecated; use admin utok_" }, { status: 401 });
+    if (!masterTokenDeprecationLogged) {
+      console.warn("[commhub] master-token auth is deprecated and will be removed in v1.0. See RFC-001.");
+      masterTokenDeprecationLogged = true;
+    }
+    return null;
+  }
 
   return Response.json({ error: "unauthorized" }, { status: 401 });
 }
@@ -472,9 +481,14 @@ Bun.serve({
       if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
       try {
         const body = await req.json() as any;
-        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password);
-        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
-        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password, resolved.tokenId);
+        if (result.ok) {
+          const issued = issueUserToken(resolved.user.user_id, "password-change");
+          if (resolved.tokenId) revokeToken(resolved.user.user_id, resolved.tokenId);
+          logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
+          return withCors(req, Response.json({ ...result, token: issued.token, token_id: issued.token_id }));
+        }
+        return withCors(req, Response.json(result, { status: 400 }));
       } catch (e: any) {
         return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
       }
@@ -706,8 +720,8 @@ Bun.serve({
         sessions_count: count?.cnt ?? 0,
         sse_connections: sse.total,
         sse_sessions: sse.sessions,
-        auth: AUTH_TOKEN ? "enabled" : "dev-open",
-        security: AUTH_TOKEN ? "secured" : "dev-open",
+        auth: DEV_OPEN ? "dev-open" : "user-token",
+        security: DEV_OPEN ? "dev-open" : "secured",
         tmux: TMUX_ENABLED ? "enabled" : "disabled",
         v3_auth: true,
         multi_network: true,

package/src/password-dict.ts

@@ -0,0 +1,100 @@
+const WEAK_PASSWORDS_RAW = `
+123456
+password
+123456789
+12345
+12345678
+qwerty
+1234567
+111111
+1234567890
+123123
+abc123
+1234
+password1
+iloveyou
+1q2w3e4r
+000000
+qwerty123
+zaq12wsx
+dragon
+sunshine
+princess
+letmein
+monkey
+football
+baseball
+welcome
+admin
+login
+master
+hello
+freedom
+whatever
+trustno1
+qazwsx
+654321
+superman
+batman
+passw0rd
+password123
+asdfgh
+zxcvbnm
+qwertyuiop
+1qaz2wsx
+lovely
+flower
+hunter
+shadow
+buster
+soccer
+hockey
+killer
+george
+charlie
+andrew
+michael
+jessica
+michelle
+pepper
+jordan
+harley
+ranger
+ginger
+joshua
+maggie
+mustang
+computer
+internet
+secret
+summer
+winter
+spring
+autumn
+orange
+banana
+cookie
+coffee
+matrix
+starwars
+pokemon
+naruto
+888888
+666666
+5201314
+121212
+112233
+159753
+987654321
+`;
+
+const weak = new Set(WEAK_PASSWORDS_RAW.trim().split(/\s+/).map((p) => p.toLowerCase()));
+
+for (let i = 0; i <= 999; i++) {
+  weak.add(String(i).padStart(6, "0"));
+  weak.add(`password${i}`);
+  weak.add(`qwerty${i}`);
+}
+
+export const WEAK_PASSWORDS = weak;
+