npm - @sleep2agi/commhub-server - Versions diffs - 0.7.0-preview.0 → 0.8.0-preview.1 - Mend

@sleep2agi/commhub-server 0.7.0-preview.0 → 0.8.0-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.7.0-preview.0",
+  "version": "0.8.0-preview.1",
   "description": "CommHub Server — AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts CHANGED Viewed

@@ -2,6 +2,7 @@
  * V3 Auth module — user registration, login, token management
  */
 import { db, generateId, hashPassword, hashToken, generateToken, generateUserToken, generateNetworkToken, uuidv4 } from "./db.js";
+import { WEAK_PASSWORDS } from "./password-dict.js";
 export interface AuthUser {
   user_id: string;
@@ -20,18 +21,31 @@ export interface AuthResult {
   network_id?: string;
 }
+function validatePasswordStrength(password: string, label = "password"): string | null {
+  if (!password || password.length < 8) return `${label} must be at least 8 characters`;
+  if (WEAK_PASSWORDS.has(password.toLowerCase())) return `${label} is too common`;
+  return null;
+}
 export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
   if (!username || username.length < 2) return { ok: false, error: "username must be at least 2 characters" };
   if (username.length > 50) return { ok: false, error: "username too long (max 50)" };
-  if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
   if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
   const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
   if (existing) return { ok: false, error: "username already taken" };
-  // First user → auto admin
+  // First user → auto admin. Bootstrap admin may use a weak/memorable default
+  // password (e.g. "anethub") for quick start; they should rotate via
+  // `anet passwd` afterwards. Subsequent users must meet full strength.
   const userCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM users");
   const isFirstUser = !userCount || userCount.cnt === 0;
+  if (isFirstUser) {
+    if (!password || password.length < 4) return { ok: false, error: "password must be at least 4 characters" };
+  } else {
+    const passwordError = validatePasswordStrength(password);
+    if (passwordError) return { ok: false, error: passwordError };
+  }
   const userId = generateId("u");
   const pwHash = hashPassword(password);
@@ -126,10 +140,10 @@ export function createNetworkTokenForNode(userId: string, networkId: string, nod
   return { ok: true, token };
 }
-export function resolveToken(token: string): { user: AuthUser; networkId: string | null; tokenName: string | null } | null {
+export function resolveToken(token: string): { user: AuthUser; networkId: string | null; tokenName: string | null; tokenId: string | null } | null {
   const tHash = hashToken(token);
   const row = db.get<any>(
-    `SELECT t.user_id, t.network_id, t.scope, t.name AS token_name,
+    `SELECT t.token_id, t.user_id, t.network_id, t.scope, t.name AS token_name,
             u.username, u.display_name, u.email, u.role
      FROM api_tokens t JOIN users u ON t.user_id = u.user_id
      WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`,
@@ -143,6 +157,7 @@ export function resolveToken(token: string): { user: AuthUser; networkId: string
   return {
     user: { user_id: row.user_id, username: row.username, display_name: row.display_name, email: row.email, role: row.role },
     networkId: row.network_id,
+    tokenId: row.token_id || null,
     // tokenName carries the binding identity. For node-scoped ntok_, it's
     // 'node:<alias>'; we strip the prefix and use it as the default
     // from_session for any MCP send_task / send_message / etc, so peer
@@ -239,13 +254,47 @@ export function revokeToken(userId: string, tokenId: string): { ok: boolean; err
   return result.changes > 0 ? { ok: true } : { ok: false, error: "token not found" };
 }
-export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
-  if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
+export function issueUserToken(userId: string, name = "user-login"): { token: string; token_id: string } {
+  const token = generateUserToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, NULL, ?4, 'user')",
+    [tokenId, hashToken(token), userId, name]
+  );
+  return { token, token_id: tokenId };
+}
+export function revokeOtherUserTokens(userId: string, exceptTokenId?: string | null): number {
+  const result = exceptTokenId
+    ? db.run("DELETE FROM api_tokens WHERE user_id = ?1 AND network_id IS NULL AND token_id != ?2", [userId, exceptTokenId])
+    : db.run("DELETE FROM api_tokens WHERE user_id = ?1 AND network_id IS NULL", [userId]);
+  return result.changes;
+}
+export function changePassword(userId: string, oldPassword: string, newPassword: string, currentTokenId?: string | null): { ok: boolean; error?: string; revoked?: number } {
+  const passwordError = validatePasswordStrength(newPassword, "new password");
+  if (passwordError) return { ok: false, error: passwordError };
   const user = db.get<any>("SELECT password_hash FROM users WHERE user_id = ?1", userId);
   if (!user) return { ok: false, error: "user not found" };
   if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
   db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
-  return { ok: true };
+  const revoked = revokeOtherUserTokens(userId, currentTokenId);
+  return { ok: true, revoked };
+}
+export function resetUserPassword(targetUsername: string, callerIsHubAdmin: boolean): { ok: boolean; error?: string; username?: string; user_id?: string; password?: string; token?: string; token_id?: string; revoked?: number } {
+  if (!callerIsHubAdmin) return { ok: false, error: "hub admin required" };
+  const user = db.get<any>("SELECT user_id, username FROM users WHERE username = ?1", targetUsername);
+  if (!user) return { ok: false, error: "user not found" };
+  const password = `anet-${crypto.randomUUID().replace(/-/g, "").slice(0, 18)}`;
+  db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(password), user.user_id]);
+  const revoked = revokeOtherUserTokens(user.user_id, null);
+  const issued = issueUserToken(user.user_id, "admin-reset");
+  db.run(
+    "INSERT INTO audit_log (user_id, username, action, target_type, target_id, detail) VALUES (?1, ?2, 'password_reset_by_admin', 'user', ?3, ?4)",
+    [user.user_id, user.username, user.user_id, "local hub admin reset"]
+  );
+  return { ok: true, username: user.username, user_id: user.user_id, password, token: issued.token, token_id: issued.token_id, revoked };
 }
 // ══════════════════════════════════════

package/src/index.ts CHANGED Viewed

@@ -4,24 +4,24 @@ import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
 import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, getSSEStats } from "./push.js";
-import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, createNetworkTokenForNode, type AuthUser } from "./auth.js";
+import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, issueUserToken, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, createNetworkTokenForNode, type AuthUser } from "./auth.js";
 const PORT = Number(process.env.PORT) || 9200;
 const HOST = process.env.HOST || "127.0.0.1";
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
 const DEV_OPEN = process.argv.includes("--dev-open") || process.env.COMMHUB_DEV_OPEN === "1";
 const TMUX_ENABLED = process.env.COMMHUB_ENABLE_TMUX === "1";
-const SECURITY_LABEL = AUTH_TOKEN ? "🔒 secured" : "⚠️ DEV OPEN MODE";
+const SECURITY_LABEL = DEV_OPEN ? "⚠️ DEV OPEN MODE" : "🔒 secured";
 const TMUX_ALLOWLIST = new Set(
   (process.env.COMMHUB_TMUX_ALLOWLIST || "")
     .split(",")
     .map((s) => s.trim())
     .filter(Boolean)
 );
+let masterTokenDeprecationLogged = false;
-if (!AUTH_TOKEN && !DEV_OPEN) {
-  console.error("[commhub] refusing to start without COMMHUB_AUTH_TOKEN. Use --dev-open or COMMHUB_DEV_OPEN=1 for local-only development.");
-  process.exit(1);
+if (AUTH_TOKEN) {
+  console.warn("[commhub] COMMHUB_AUTH_TOKEN is deprecated and will be removed in v1.0. See RFC-001.");
 }
 // Read version from package.json so banners and /health stay in sync.
@@ -106,7 +106,16 @@ function requireAuth(req: Request): Response | null {
   // Legacy: check global COMMHUB_AUTH_TOKEN
   if (!AUTH_TOKEN && DEV_OPEN) return null; // explicit local/dev open mode
-  if (token === AUTH_TOKEN) return null;
+  if (token === AUTH_TOKEN) {
+    const u = new URL(req.url);
+    const readOnlyApi = u.pathname.startsWith("/api/") && (req.method === "GET" || req.method === "HEAD" || req.method === "OPTIONS");
+    if (!readOnlyApi) return Response.json({ ok: false, error: "master-token auth is deprecated; use admin utok_" }, { status: 401 });
+    if (!masterTokenDeprecationLogged) {
+      console.warn("[commhub] master-token auth is deprecated and will be removed in v1.0. See RFC-001.");
+      masterTokenDeprecationLogged = true;
+    }
+    return null;
+  }
   return Response.json({ error: "unauthorized" }, { status: 401 });
 }
@@ -472,9 +481,14 @@ Bun.serve({
       if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
       try {
         const body = await req.json() as any;
-        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password);
-        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
-        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password, resolved.tokenId);
+        if (result.ok) {
+          const issued = issueUserToken(resolved.user.user_id, "password-change");
+          if (resolved.tokenId) revokeToken(resolved.user.user_id, resolved.tokenId);
+          logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
+          return withCors(req, Response.json({ ...result, token: issued.token, token_id: issued.token_id }));
+        }
+        return withCors(req, Response.json(result, { status: 400 }));
       } catch (e: any) {
         return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
       }
@@ -706,8 +720,8 @@ Bun.serve({
         sessions_count: count?.cnt ?? 0,
         sse_connections: sse.total,
         sse_sessions: sse.sessions,
-        auth: AUTH_TOKEN ? "enabled" : "dev-open",
-        security: AUTH_TOKEN ? "secured" : "dev-open",
+        auth: DEV_OPEN ? "dev-open" : "user-token",
+        security: DEV_OPEN ? "dev-open" : "secured",
         tmux: TMUX_ENABLED ? "enabled" : "disabled",
         v3_auth: true,
         multi_network: true,

package/src/password-dict.ts ADDED Viewed

@@ -0,0 +1,100 @@
+const WEAK_PASSWORDS_RAW = `
+123456
+password
+123456789
+12345
+12345678
+qwerty
+1234567
+111111
+1234567890
+123123
+abc123
+1234
+password1
+iloveyou
+1q2w3e4r
+000000
+qwerty123
+zaq12wsx
+dragon
+sunshine
+princess
+letmein
+monkey
+football
+baseball
+welcome
+admin
+login
+master
+hello
+freedom
+whatever
+trustno1
+qazwsx
+654321
+superman
+batman
+passw0rd
+password123
+asdfgh
+zxcvbnm
+qwertyuiop
+1qaz2wsx
+lovely
+flower
+hunter
+shadow
+buster
+soccer
+hockey
+killer
+george
+charlie
+andrew
+michael
+jessica
+michelle
+pepper
+jordan
+harley
+ranger
+ginger
+joshua
+maggie
+mustang
+computer
+internet
+secret
+summer
+winter
+spring
+autumn
+orange
+banana
+cookie
+coffee
+matrix
+starwars
+pokemon
+naruto
+888888
+666666
+5201314
+121212
+112233
+159753
+987654321
+`;
+const weak = new Set(WEAK_PASSWORDS_RAW.trim().split(/\s+/).map((p) => p.toLowerCase()));
+for (let i = 0; i <= 999; i++) {
+  weak.add(String(i).padStart(6, "0"));
+  weak.add(`password${i}`);
+  weak.add(`qwerty${i}`);
+}
+export const WEAK_PASSWORDS = weak;