@venturewild/workspace 0.3.7 → 0.4.0

package/server/src/pairing.mjs

@@ -1,137 +1,137 @@
-// In-memory store of pending "sign in this device" requests (Phase 2 device
-// approval). A new device calls POST /api/auth/pair/start → we mint a short
-// human CODE (the owner reads it off the new device) plus an unguessable
-// requestId (the device polls by THIS, never the code). The owner approves from
-// a partner session — which must echo the matching code (confused-deputy
-// defense) — and we attach a minted device token; the device claims it ONCE.
-//
-// Deliberately in-memory + ephemeral (5-min TTL): a pending request that
-// survived a restart would just be a longer attack window for no UX gain — the
-// device simply re-requests. The durable artifact is the minted token
-// (persisted via TokenRegistry), not the pairing record.
-
-import crypto from 'node:crypto';
-import { nanoid } from 'nanoid';
-
-const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
-const DEFAULT_MAX_PENDING = 5;
-
-// 6-digit zero-padded code. Used ONLY owner-side (the approver matches it
-// against the code shown on the new device). It is NEVER an auth credential on
-// the public poll path — the device authenticates by requestId — so its low
-// entropy is not an internet-facing brute-force surface.
-function makeCode() {
-  return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
-}
-
-export class PairingStore {
-  constructor({ ttlMs = DEFAULT_TTL_MS, maxPending = DEFAULT_MAX_PENDING, clock = () => Date.now() } = {}) {
-    this.ttlMs = ttlMs;
-    this.maxPending = maxPending;
-    this.clock = clock;
-    // requestId -> { requestId, code, label, status, createdAt, expiresAt, token, sub, exp }
-    this.requests = new Map();
-  }
-
-  // Expire stale pending requests; drop terminal records a while after expiry to
-  // bound memory. Called on every accessor so the map self-cleans.
-  prune() {
-    const now = this.clock();
-    for (const [id, r] of this.requests) {
-      if (r.status === 'pending' && r.expiresAt <= now) r.status = 'expired';
-      if (r.expiresAt + this.ttlMs <= now) this.requests.delete(id);
-    }
-  }
-
-  pendingCount() {
-    this.prune();
-    let n = 0;
-    for (const r of this.requests.values()) if (r.status === 'pending') n += 1;
-    return n;
-  }
-
-  // Returns { requestId, code, expiresAt } or null if the global pending cap is
-  // reached (anti-spam: bounds how cluttered the owner's approval list can get).
-  create({ label } = {}) {
-    if (this.pendingCount() >= this.maxPending) return null;
-    const now = this.clock();
-    const requestId = nanoid(16);
-    // Codes must be UNIQUE among pending so "owner types the code" resolves to
-    // exactly one request (collision odds are ~nil at maxPending=5, but be
-    // deterministic about it).
-    const pendingCodes = new Set(
-      [...this.requests.values()].filter((r) => r.status === 'pending').map((r) => r.code),
-    );
-    let code = makeCode();
-    for (let guard = 0; pendingCodes.has(code) && guard < 50; guard += 1) code = makeCode();
-    const rec = {
-      requestId,
-      code,
-      label: label || 'a device',
-      status: 'pending',
-      createdAt: now,
-      expiresAt: now + this.ttlMs,
-      token: null,
-      sub: null,
-      exp: null,
-    };
-    this.requests.set(requestId, rec);
-    return { requestId, code: rec.code, expiresAt: rec.expiresAt };
-  }
-
-
-  get(requestId) {
-    this.prune();
-    return this.requests.get(requestId) || null;
-  }
-
-  // Pending, non-expired requests for the owner's approval UI (includes the code
-  // so the owner can visually match it against the new device's screen).
-  listPending() {
-    this.prune();
-    // Includes the code so the owner can match it against the new device's
-    // screen and approve the right one if more than one is pending. Approval
-    // itself is by requestId (one tap); the code is the human "is this mine?"
-    // confirmation, not a typed secret.
-    return [...this.requests.values()]
-      .filter((r) => r.status === 'pending')
-      .map((r) => ({ requestId: r.requestId, code: r.code, label: r.label, createdAt: r.createdAt }));
-  }
-
-  // Approve a specific pending request (the one the owner tapped, having matched
-  // its code against the new device). Returns true on success. `tokenInfo` =
-  // { token, sub, exp } from mintDeviceToken.
-  approve(requestId, tokenInfo) {
-    this.prune();
-    const r = this.requests.get(requestId);
-    if (!r || r.status !== 'pending') return false;
-    r.status = 'approved';
-    r.token = tokenInfo.token;
-    r.sub = tokenInfo.sub;
-    r.exp = tokenInfo.exp;
-    return true;
-  }
-
-  deny(requestId) {
-    this.prune();
-    const r = this.requests.get(requestId);
-    if (!r || r.status !== 'pending') return false;
-    r.status = 'denied';
-    return true;
-  }
-
-  // One-shot token read: once approved, the device gets the token exactly once;
-  // a replayed poll yields { status:'claimed' } with no token.
-  claim(requestId) {
-    this.prune();
-    const r = this.requests.get(requestId);
-    if (!r) return { status: 'expired' };
-    if (r.status === 'approved' && r.token) {
-      const token = r.token;
-      r.status = 'claimed';
-      r.token = null;
-      return { status: 'approved', token };
-    }
-    return { status: r.status };
-  }
-}
+// In-memory store of pending "sign in this device" requests (Phase 2 device
+// approval). A new device calls POST /api/auth/pair/start → we mint a short
+// human CODE (the owner reads it off the new device) plus an unguessable
+// requestId (the device polls by THIS, never the code). The owner approves from
+// a partner session — which must echo the matching code (confused-deputy
+// defense) — and we attach a minted device token; the device claims it ONCE.
+//
+// Deliberately in-memory + ephemeral (5-min TTL): a pending request that
+// survived a restart would just be a longer attack window for no UX gain — the
+// device simply re-requests. The durable artifact is the minted token
+// (persisted via TokenRegistry), not the pairing record.
+
+import crypto from 'node:crypto';
+import { nanoid } from 'nanoid';
+
+const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_MAX_PENDING = 5;
+
+// 6-digit zero-padded code. Used ONLY owner-side (the approver matches it
+// against the code shown on the new device). It is NEVER an auth credential on
+// the public poll path — the device authenticates by requestId — so its low
+// entropy is not an internet-facing brute-force surface.
+function makeCode() {
+  return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
+}
+
+export class PairingStore {
+  constructor({ ttlMs = DEFAULT_TTL_MS, maxPending = DEFAULT_MAX_PENDING, clock = () => Date.now() } = {}) {
+    this.ttlMs = ttlMs;
+    this.maxPending = maxPending;
+    this.clock = clock;
+    // requestId -> { requestId, code, label, status, createdAt, expiresAt, token, sub, exp }
+    this.requests = new Map();
+  }
+
+  // Expire stale pending requests; drop terminal records a while after expiry to
+  // bound memory. Called on every accessor so the map self-cleans.
+  prune() {
+    const now = this.clock();
+    for (const [id, r] of this.requests) {
+      if (r.status === 'pending' && r.expiresAt <= now) r.status = 'expired';
+      if (r.expiresAt + this.ttlMs <= now) this.requests.delete(id);
+    }
+  }
+
+  pendingCount() {
+    this.prune();
+    let n = 0;
+    for (const r of this.requests.values()) if (r.status === 'pending') n += 1;
+    return n;
+  }
+
+  // Returns { requestId, code, expiresAt } or null if the global pending cap is
+  // reached (anti-spam: bounds how cluttered the owner's approval list can get).
+  create({ label } = {}) {
+    if (this.pendingCount() >= this.maxPending) return null;
+    const now = this.clock();
+    const requestId = nanoid(16);
+    // Codes must be UNIQUE among pending so "owner types the code" resolves to
+    // exactly one request (collision odds are ~nil at maxPending=5, but be
+    // deterministic about it).
+    const pendingCodes = new Set(
+      [...this.requests.values()].filter((r) => r.status === 'pending').map((r) => r.code),
+    );
+    let code = makeCode();
+    for (let guard = 0; pendingCodes.has(code) && guard < 50; guard += 1) code = makeCode();
+    const rec = {
+      requestId,
+      code,
+      label: label || 'a device',
+      status: 'pending',
+      createdAt: now,
+      expiresAt: now + this.ttlMs,
+      token: null,
+      sub: null,
+      exp: null,
+    };
+    this.requests.set(requestId, rec);
+    return { requestId, code: rec.code, expiresAt: rec.expiresAt };
+  }
+
+
+  get(requestId) {
+    this.prune();
+    return this.requests.get(requestId) || null;
+  }
+
+  // Pending, non-expired requests for the owner's approval UI (includes the code
+  // so the owner can visually match it against the new device's screen).
+  listPending() {
+    this.prune();
+    // Includes the code so the owner can match it against the new device's
+    // screen and approve the right one if more than one is pending. Approval
+    // itself is by requestId (one tap); the code is the human "is this mine?"
+    // confirmation, not a typed secret.
+    return [...this.requests.values()]
+      .filter((r) => r.status === 'pending')
+      .map((r) => ({ requestId: r.requestId, code: r.code, label: r.label, createdAt: r.createdAt }));
+  }
+
+  // Approve a specific pending request (the one the owner tapped, having matched
+  // its code against the new device). Returns true on success. `tokenInfo` =
+  // { token, sub, exp } from mintDeviceToken.
+  approve(requestId, tokenInfo) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r || r.status !== 'pending') return false;
+    r.status = 'approved';
+    r.token = tokenInfo.token;
+    r.sub = tokenInfo.sub;
+    r.exp = tokenInfo.exp;
+    return true;
+  }
+
+  deny(requestId) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r || r.status !== 'pending') return false;
+    r.status = 'denied';
+    return true;
+  }
+
+  // One-shot token read: once approved, the device gets the token exactly once;
+  // a replayed poll yields { status:'claimed' } with no token.
+  claim(requestId) {
+    this.prune();
+    const r = this.requests.get(requestId);
+    if (!r) return { status: 'expired' };
+    if (r.status === 'approved' && r.token) {
+      const token = r.token;
+      r.status = 'claimed';
+      r.token = null;
+      return { status: 'approved', token };
+    }
+    return { status: r.status };
+  }
+}