@venturewild/workspace 0.1.12 → 0.1.13

package/server/src/share.mjs

@@ -1,115 +1,148 @@
-// Share-by-URL token issuance + verification (AR-20).
-// Reuses bmo-sync invite shape: tokens are signed claims with role + workspace + expiry.
-
-import { SignJWT, jwtVerify } from 'jose';
-import { nanoid } from 'nanoid';
-import { readFileSync, writeFileSync } from 'node:fs';
-
-const SHARE_ISSUER = 'wild-workspace';
-
-function secretToKey(secret) {
-  return new TextEncoder().encode(secret);
-}
-
-export async function mintShareToken({
-  secret,
-  workspaceId,
-  role,
-  ttlSeconds = 60 * 60 * 24, // 24h default per R17 mitigation
-  audience = 'wild-workspace-viewer',
-  subject = nanoid(12),
-}) {
-  if (!['viewer', 'client'].includes(role)) {
-    throw new Error(`shareable role must be 'viewer' or 'client'; got ${role}`);
-  }
-  const key = secretToKey(secret);
-  const iat = Math.floor(Date.now() / 1000);
-  const exp = iat + ttlSeconds;
-  const jwt = await new SignJWT({
-    role,
-    workspaceId,
-    jti: nanoid(16),
-  })
-    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
-    .setIssuer(SHARE_ISSUER)
-    .setAudience(audience)
-    .setSubject(subject)
-    .setIssuedAt(iat)
-    .setExpirationTime(exp)
-    .sign(key);
-  return { token: jwt, exp, role, workspaceId, sub: subject };
-}
-
-export async function verifyShareToken(token, secret) {
-  if (!token) return null;
-  try {
-    const { payload } = await jwtVerify(token, secretToKey(secret), {
-      issuer: SHARE_ISSUER,
-    });
-    return payload;
-  } catch {
-    return null;
-  }
-}
-
-export function buildShareUrl({ shareBaseUrl, workspaceId, token }) {
-  const base = shareBaseUrl.replace(/\/$/, '');
-  return `${base}/share/${encodeURIComponent(workspaceId)}?t=${encodeURIComponent(token)}`;
-}
-
-// Token registry so the partner can list + revoke. The revocation set (and the
-// active-token list) is persisted to `<dataDir>/revoked.json` so a "revoked"
-// share token stays revoked across a server restart (concern C8) — without it,
-// the in-memory set reset on restart and a previously-revoked-but-unexpired JWT
-// validated again by signature. No `persistPath` → in-memory only (tests).
-export class TokenRegistry {
-  constructor({ persistPath = null } = {}) {
-    this.persistPath = persistPath;
-    this.tokens = new Map(); // sub -> { sub, role, workspaceId, exp, label, createdAt }
-    this.revoked = new Set();
-    this._load();
-  }
-  _load() {
-    if (!this.persistPath) return;
-    try {
-      const data = JSON.parse(readFileSync(this.persistPath, 'utf8'));
-      if (Array.isArray(data.revoked)) this.revoked = new Set(data.revoked);
-      if (Array.isArray(data.tokens)) {
-        for (const t of data.tokens) if (t?.sub) this.tokens.set(t.sub, t);
-      }
-    } catch {
-      /* missing / corrupt — start empty */
-    }
-  }
-  _persist() {
-    if (!this.persistPath) return;
-    try {
-      const now = Math.floor(Date.now() / 1000);
-      // Don't carry expired tokens forward; the revoked set stays (small).
-      const tokens = [...this.tokens.values()].filter((r) => r.exp > now);
-      writeFileSync(
-        this.persistPath,
-        JSON.stringify({ revoked: [...this.revoked], tokens }, null, 2),
-        { mode: 0o600 },
-      );
-    } catch {
-      /* read-only fs — revocation degrades to in-memory for this run */
-    }
-  }
-  add(record) {
-    this.tokens.set(record.sub, record);
-    this._persist();
-  }
-  list() {
-    const now = Math.floor(Date.now() / 1000);
-    return [...this.tokens.values()].filter((r) => r.exp > now && !this.revoked.has(r.sub));
-  }
-  revoke(sub) {
-    this.revoked.add(sub);
-    this.tokens.delete(sub);
-    this._persist();
-  }
-  isRevoked(sub) {
-    return this.revoked.has(sub);
-  }
-}
+// Share-by-URL token issuance + verification (AR-20).
+// Reuses bmo-sync invite shape: tokens are signed claims with role + workspace + expiry.
+
+import { SignJWT, jwtVerify } from 'jose';
+import { nanoid } from 'nanoid';
+import { readFileSync, writeFileSync } from 'node:fs';
+
+const SHARE_ISSUER = 'wild-workspace';
+
+function secretToKey(secret) {
+  return new TextEncoder().encode(secret);
+}
+
+export async function mintShareToken({
+  secret,
+  workspaceId,
+  role,
+  ttlSeconds = 60 * 60 * 24, // 24h default per R17 mitigation
+  audience = 'wild-workspace-viewer',
+  subject = nanoid(12),
+}) {
+  if (!['viewer', 'client'].includes(role)) {
+    throw new Error(`shareable role must be 'viewer' or 'client'; got ${role}`);
+  }
+  const key = secretToKey(secret);
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + ttlSeconds;
+  const jwt = await new SignJWT({
+    role,
+    workspaceId,
+    jti: nanoid(16),
+  })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(SHARE_ISSUER)
+    .setAudience(audience)
+    .setSubject(subject)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .sign(key);
+  return { token: jwt, exp, role, workspaceId, sub: subject };
+}
+
+// Mint a PARTNER-role token for an approved device (Phase 2 device sign-in).
+// Separate from `mintShareToken` on purpose: that path is least-privilege and
+// must NEVER mint partner (its viewer/client guard is load-bearing). A device
+// token is full owner access, so it's bounded (90d default) and individually
+// revocable via `TokenRegistry` (its `device-` subject is registered at approve
+// time). It verifies through the same `verifyShareToken` path — `classifyToken`
+// then resolves `role:'partner'` exactly like the env partner token, but with a
+// revocable `sub`.
+export async function mintDeviceToken({
+  secret,
+  workspaceId,
+  ttlSeconds = 90 * 24 * 60 * 60, // 90 days — bounded RCE-grade token
+  audience = 'wild-workspace-device',
+  subject = `device-${nanoid(12)}`,
+}) {
+  const key = secretToKey(secret);
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + ttlSeconds;
+  const jwt = await new SignJWT({
+    role: 'partner',
+    workspaceId,
+    jti: nanoid(16),
+  })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(SHARE_ISSUER)
+    .setAudience(audience)
+    .setSubject(subject)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .sign(key);
+  return { token: jwt, exp, role: 'partner', workspaceId, sub: subject };
+}
+
+export async function verifyShareToken(token, secret) {
+  if (!token) return null;
+  try {
+    const { payload } = await jwtVerify(token, secretToKey(secret), {
+      issuer: SHARE_ISSUER,
+    });
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export function buildShareUrl({ shareBaseUrl, workspaceId, token }) {
+  const base = shareBaseUrl.replace(/\/$/, '');
+  return `${base}/share/${encodeURIComponent(workspaceId)}?t=${encodeURIComponent(token)}`;
+}
+
+// Token registry so the partner can list + revoke. The revocation set (and the
+// active-token list) is persisted to `<dataDir>/revoked.json` so a "revoked"
+// share token stays revoked across a server restart (concern C8) — without it,
+// the in-memory set reset on restart and a previously-revoked-but-unexpired JWT
+// validated again by signature. No `persistPath` → in-memory only (tests).
+export class TokenRegistry {
+  constructor({ persistPath = null } = {}) {
+    this.persistPath = persistPath;
+    this.tokens = new Map(); // sub -> { sub, role, workspaceId, exp, label, createdAt }
+    this.revoked = new Set();
+    this._load();
+  }
+  _load() {
+    if (!this.persistPath) return;
+    try {
+      const data = JSON.parse(readFileSync(this.persistPath, 'utf8'));
+      if (Array.isArray(data.revoked)) this.revoked = new Set(data.revoked);
+      if (Array.isArray(data.tokens)) {
+        for (const t of data.tokens) if (t?.sub) this.tokens.set(t.sub, t);
+      }
+    } catch {
+      /* missing / corrupt — start empty */
+    }
+  }
+  _persist() {
+    if (!this.persistPath) return;
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      // Don't carry expired tokens forward; the revoked set stays (small).
+      const tokens = [...this.tokens.values()].filter((r) => r.exp > now);
+      writeFileSync(
+        this.persistPath,
+        JSON.stringify({ revoked: [...this.revoked], tokens }, null, 2),
+        { mode: 0o600 },
+      );
+    } catch {
+      /* read-only fs — revocation degrades to in-memory for this run */
+    }
+  }
+  add(record) {
+    this.tokens.set(record.sub, record);
+    this._persist();
+  }
+  list() {
+    const now = Math.floor(Date.now() / 1000);
+    return [...this.tokens.values()].filter((r) => r.exp > now && !this.revoked.has(r.sub));
+  }
+  revoke(sub) {
+    this.revoked.add(sub);
+    this.tokens.delete(sub);
+    this._persist();
+  }
+  isRevoked(sub) {
+    return this.revoked.has(sub);
+  }
+}