@vex-chat/spire 0.8.0 → 1.0.0

package/dist/Spire.js

@@ -1,128 +1,166 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.Spire = exports.JWT_EXPIRY = exports.TOKEN_EXPIRY = void 0;
-const fs_1 = __importDefault(require("fs"));
-const crypto_1 = require("@vex-chat/crypto");
-const types_1 = require("@vex-chat/types");
-const events_1 = require("events");
-const express_1 = __importDefault(require("express"));
-const express_ws_1 = __importDefault(require("express-ws"));
-const tweetnacl_1 = __importDefault(require("tweetnacl"));
-const uuid = __importStar(require("uuid"));
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const msgpack_lite_1 = __importDefault(require("msgpack-lite"));
-const ClientManager_1 = require("./ClientManager");
-const Database_1 = require("./Database");
-const server_1 = require("./server");
-const utils_1 = require("./server/utils");
-const createLogger_1 = require("./utils/createLogger");
+import { EventEmitter } from "events";
+import { execSync } from "node:child_process";
+import * as fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import express from "express";
+import { XUtils } from "@vex-chat/crypto";
+import { xRandomBytes, xSignKeyPairFromSecret, xSignOpen, } from "@vex-chat/crypto";
+import { MailWSSchema, RegistrationPayloadSchema, TokenScopes, UserSchema, } from "@vex-chat/types";
+import jwt from "jsonwebtoken";
+import { stringify as uuidStringify } from "uuid";
+import { WebSocketServer } from "ws";
+import { z } from "zod/v4";
+import { ClientManager } from "./ClientManager.js";
+import { Database, hashPassword } from "./Database.js";
+import { initApp, protect } from "./server/index.js";
+import { authLimiter } from "./server/rateLimit.js";
+import { censorUser, getParam, getUser } from "./server/utils.js";
+import { createLogger } from "./utils/createLogger.js";
+import { getJwtSecret } from "./utils/jwtSecret.js";
+import { msgpack } from "./utils/msgpack.js";
 // expiry of regkeys = 24hr
-exports.TOKEN_EXPIRY = 1000 * 60 * 10;
-exports.JWT_EXPIRY = "7d";
+export const TOKEN_EXPIRY = 1000 * 60 * 10;
+export const JWT_EXPIRY = "7d";
+export const DEVICE_AUTH_JWT_EXPIRY = "1h";
+const DEVICE_CHALLENGE_EXPIRY = 1000 * 60; // 60 seconds
+const STATUS_LATENCY_BUDGET_MS = 250;
 // 3-19 chars long
 const usernameRegex = /^(\w{3,19})$/;
+// ── Zod schemas for trust-boundary validation ──────────────────────────
+const wsAuthMsg = z.object({
+    token: z.string().min(1),
+    type: z.literal("auth"),
+});
+const jwtPayload = z.object({
+    bearerToken: z.string().optional(),
+    exp: z.number().optional(),
+    user: UserSchema,
+});
+const authPayload = z.object({
+    password: z.string().min(1),
+    username: z.string().min(1),
+});
+const deviceAuthPayload = z.object({
+    deviceID: z.string().min(1),
+    signKey: z.string().min(1),
+});
+const deviceVerifyPayload = z.object({
+    challengeID: z.string().min(1),
+    signed: z.string().min(1),
+});
+const mailPostPayload = z.object({
+    header: z.custom((val) => val instanceof Uint8Array),
+    mail: MailWSSchema,
+});
 const directories = ["files", "avatars", "emoji"];
 for (const dir of directories) {
-    if (!fs_1.default.existsSync(dir)) {
-        fs_1.default.mkdirSync(dir);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir);
     }
 }
-const TokenScopes = types_1.XTypes.HTTP.TokenScopes;
-class Spire extends events_1.EventEmitter {
+const getAppVersion = () => {
+    try {
+        const raw = fs.readFileSync(new URL("../package.json", import.meta.url), {
+            encoding: "utf8",
+        });
+        const pkg = JSON.parse(raw);
+        if (typeof pkg === "object" &&
+            pkg !== null &&
+            "version" in pkg &&
+            typeof pkg.version === "string") {
+            return pkg.version;
+        }
+        return "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+};
+const getCommitSha = () => {
+    const sourceDir = path.dirname(fileURLToPath(import.meta.url));
+    const repoRoot = path.resolve(sourceDir, "..");
+    try {
+        const sha = execSync("git rev-parse --verify --short=12 HEAD", {
+            cwd: repoRoot,
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+            timeout: 1500,
+        }).trim();
+        return sha || "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+};
+export class Spire extends EventEmitter {
+    actionTokens = [];
+    api = express();
+    clients = [];
+    commitSha = getCommitSha();
+    db;
+    dbReady = false;
+    deviceChallenges = new Map();
+    log;
+    options;
+    queuedRequestIncrements = 0;
+    requestsTotal = 0;
+    requestsTotalLoaded = false;
+    server = null;
+    signKeys;
+    startedAt = new Date();
+    version = getAppVersion();
+    wss = new WebSocketServer({ noServer: true });
     constructor(SK, options) {
         super();
-        this.clients = [];
-        this.expWs = express_ws_1.default(express_1.default());
-        this.api = this.expWs.app;
-        this.wss = this.expWs.getWss();
-        this.actionTokens = [];
-        this.server = null;
-        this.signKeys = tweetnacl_1.default.sign.keyPair.fromSecretKey(crypto_1.XUtils.decodeHex(SK));
-        this.db = new Database_1.Database(options);
-        this.log = createLogger_1.createLogger("spire", (options === null || options === void 0 ? void 0 : options.logLevel) || "error");
-        this.init((options === null || options === void 0 ? void 0 : options.apiPort) || 16777);
+        this.signKeys = xSignKeyPairFromSecret(XUtils.decodeHex(SK));
+        // Trust a single proxy hop (nginx / cloudflare / load balancer).
+        // Required so `req.ip` and `express-rate-limit`'s keyGenerator see
+        // the real client address via X-Forwarded-For. Never use `true` —
+        // that lets attackers spoof the header and bypass rate limiting.
+        // If spire is deployed without a proxy, set this to 0 instead.
+        this.api.set("trust proxy", 1);
+        this.db = new Database(options);
+        this.db.on("ready", () => {
+            this.dbReady = true;
+            this.bootstrapRequestCounter().catch((err) => {
+                this.log.error("Failed to load persisted request counter: " + String(err));
+            });
+        });
+        this.log = createLogger("spire", options?.logLevel || "error");
+        this.init(options?.apiPort || 16777);
         this.options = options;
     }
-    close() {
-        var _a, _b;
-        return __awaiter(this, void 0, void 0, function* () {
-            this.wss.clients.forEach((ws) => {
-                ws.terminate();
-            });
-            this.wss.on("close", () => {
-                this.log.info("ws: closed.");
-            });
-            (_a = this.server) === null || _a === void 0 ? void 0 : _a.on("close", () => {
-                this.log.info("http: closed.");
-            });
-            (_b = this.server) === null || _b === void 0 ? void 0 : _b.close();
-            this.wss.close();
-            yield this.db.close();
-            return;
+    async close() {
+        this.wss.clients.forEach((ws) => {
+            ws.terminate();
         });
+        this.wss.on("close", () => {
+            this.log.info("ws: closed.");
+        });
+        this.server?.on("close", () => {
+            this.log.info("http: closed.");
+        });
+        this.server?.close();
+        this.wss.close();
+        await this.db.close();
+        return;
     }
-    notify(userID, event, transmissionID, data, deviceID) {
-        for (const client of this.clients) {
-            if (deviceID) {
-                if (client.getDevice().deviceID === deviceID) {
-                    const msg = {
-                        transmissionID,
-                        type: "notify",
-                        event,
-                        data,
-                    };
-                    client.send(msg);
-                }
-            }
-            else {
-                if (client.getUser().userID === userID) {
-                    const msg = {
-                        transmissionID,
-                        type: "notify",
-                        event,
-                        data,
-                    };
-                    client.send(msg);
-                }
-            }
+    async bootstrapRequestCounter() {
+        const persistedTotal = await this.db.getRequestsTotal();
+        const startupIncrements = this.queuedRequestIncrements;
+        this.queuedRequestIncrements = 0;
+        this.requestsTotal = persistedTotal + startupIncrements;
+        if (startupIncrements > 0) {
+            await this.db.incrementRequestsTotal(startupIncrements);
         }
+        this.requestsTotalLoaded = true;
     }
     createActionToken(scope) {
         const token = {
-            key: uuid.v4(),
-            time: new Date(Date.now()),
+            key: crypto.randomUUID(),
             scope,
+            time: new Date().toISOString(),
         };
         this.actionTokens.push(token);
         return token;
@@ -132,69 +170,93 @@ class Spire extends events_1.EventEmitter {
             this.actionTokens.splice(this.actionTokens.indexOf(key), 1);
         }
     }
-    validateToken(key, scope) {
-        this.log.info("Validating token: " + key);
-        for (const rKey of this.actionTokens) {
-            if (rKey.key === key) {
-                if (rKey.scope !== scope) {
-                    continue;
-                }
-                const age = new Date(Date.now()).getTime() - rKey.time.getTime();
-                this.log.info("Token found, " + age + " ms old.");
-                if (age < exports.TOKEN_EXPIRY) {
-                    this.log.info("Token is valid.");
-                    this.deleteActionToken(rKey);
-                    return true;
-                }
-                else {
-                    this.log.info("Token is expired.");
-                }
-            }
-        }
-        this.log.info("Token not found.");
-        return false;
-    }
     init(apiPort) {
+        this.api.use((_req, _res, next) => {
+            this.requestsTotal += 1;
+            if (!this.requestsTotalLoaded) {
+                this.queuedRequestIncrements += 1;
+            }
+            else {
+                this.db.incrementRequestsTotal(1).catch((err) => {
+                    this.log.warn("Failed to persist request counter increment: " +
+                        String(err));
+                });
+            }
+            next();
+        });
         // initialize the expression app configuration with loose routes/handlers
-        server_1.initApp(this.api, this.db, this.log, this.validateToken.bind(this), this.signKeys, this.notify.bind(this));
-        // All the app logic strongly coupled to spire class :/
-        this.api.ws("/socket", (ws, req) => {
-            const userDetails = req.user;
-            if (!userDetails) {
-                this.log.warn("User attempted to open socket with no jwt.");
-                const err = {
-                    type: "unauthorized",
-                    transmissionID: uuid.v4(),
-                };
-                const msg = crypto_1.XUtils.packMessage(err);
-                ws.send(msg);
+        initApp(this.api, this.db, this.log, this.validateToken.bind(this), this.signKeys, this.notify.bind(this));
+        // WS auth: client sends { type: "auth", token } as first message
+        this.wss.on("connection", (ws) => {
+            this.log.info("WS connection established, waiting for auth...");
+            const AUTH_TIMEOUT = 10_000;
+            const timer = setTimeout(() => {
+                this.log.warn("WS auth timeout — closing.");
                 ws.close();
-                return;
-            }
-            this.log.info("New client initiated.");
-            this.log.info(JSON.stringify(userDetails));
-            const client = new ClientManager_1.ClientManager(ws, this.db, this.notify.bind(this), userDetails, this.options);
-            client.on("fail", () => {
-                this.log.info("Client connection is down, removing: " + client.toString());
-                if (this.clients.includes(client)) {
-                    this.clients.splice(this.clients.indexOf(client), 1);
+            }, AUTH_TIMEOUT);
+            const onFirstMessage = (data) => {
+                const str = Buffer.isBuffer(data)
+                    ? data.toString()
+                    : data instanceof ArrayBuffer
+                        ? Buffer.from(data).toString()
+                        : Buffer.concat(data).toString();
+                clearTimeout(timer);
+                ws.off("message", onFirstMessage);
+                try {
+                    const rawParsed = JSON.parse(str);
+                    const authResult = wsAuthMsg.safeParse(rawParsed);
+                    if (!authResult.success) {
+                        throw new Error("Expected { type: 'auth', token }, got: " +
+                            JSON.stringify(authResult.error.issues));
+                    }
+                    const result = jwt.verify(authResult.data.token, getJwtSecret());
+                    const jwtResult = jwtPayload.safeParse(result);
+                    if (!jwtResult.success) {
+                        throw new Error("Invalid JWT payload: " +
+                            JSON.stringify(jwtResult.error.issues));
+                    }
+                    const userDetails = jwtResult.data.user;
+                    this.log.info("WS auth succeeded for " + userDetails.username);
+                    const client = new ClientManager(ws, this.db, this.notify.bind(this), userDetails, this.options);
+                    client.on("fail", () => {
+                        this.log.info("Client connection is down, removing: " +
+                            client.toString());
+                        if (this.clients.includes(client)) {
+                            this.clients.splice(this.clients.indexOf(client), 1);
+                        }
+                        this.log.info("Current authorized clients: " +
+                            String(this.clients.length));
+                    });
+                    client.on("authed", () => {
+                        this.log.info("New client authorized: " + client.toString());
+                        this.clients.push(client);
+                        this.log.info("Current authorized clients: " +
+                            String(this.clients.length));
+                    });
                 }
-                this.log.info("Current authorized clients: " + this.clients.length);
-            });
-            client.on("authed", () => {
-                this.log.info("New client authorized: " + client.toString());
-                this.clients.push(client);
-                this.log.info("Current authorized clients: " + this.clients.length);
+                catch (err) {
+                    this.log.warn("WS auth failed: " + String(err));
+                    const errMsg = {
+                        transmissionID: crypto.randomUUID(),
+                        type: "unauthorized",
+                    };
+                    ws.send(XUtils.packMessage(errMsg));
+                    ws.close();
+                }
+            };
+            ws.on("message", onFirstMessage);
+            ws.on("close", () => {
+                clearTimeout(timer);
             });
         });
         this.api.get("/token/:tokenType", (req, res, next) => {
-            if (req.params.tokenType !== "register") {
-                server_1.protect(req, res, next);
+            if (getParam(req, "tokenType") !== "register") {
+                protect(req, res, next);
             }
             else {
                 next();
             }
-        }, (req, res) => __awaiter(this, void 0, void 0, function* () {
+        }, (req, res) => {
             const allowedTokens = [
                 "file",
                 "register",
@@ -204,33 +266,33 @@ class Spire extends events_1.EventEmitter {
                 "emoji",
                 "connect",
             ];
-            const { tokenType } = req.params;
+            const tokenType = getParam(req, "tokenType");
             if (!allowedTokens.includes(tokenType)) {
                 res.sendStatus(400);
                 return;
             }
             let scope;
             switch (tokenType) {
-                case "file":
-                    scope = TokenScopes.File;
-                    break;
-                case "register":
-                    scope = TokenScopes.Register;
-                    break;
                 case "avatar":
                     scope = TokenScopes.Avatar;
                     break;
+                case "connect":
+                    scope = TokenScopes.Connect;
+                    break;
                 case "device":
                     scope = TokenScopes.Device;
                     break;
-                case "invite":
-                    scope = TokenScopes.Invite;
-                    break;
                 case "emoji":
                     scope = TokenScopes.Emoji;
                     break;
-                case "connect":
-                    scope = TokenScopes.Connect;
+                case "file":
+                    scope = TokenScopes.File;
+                    break;
+                case "invite":
+                    scope = TokenScopes.Invite;
+                    break;
+                case "register":
+                    scope = TokenScopes.Register;
                     break;
                 default:
                     res.sendStatus(400);
@@ -242,110 +304,250 @@ class Spire extends events_1.EventEmitter {
                 this.log.info("New token created: " + token.key);
                 setTimeout(() => {
                     this.deleteActionToken(token);
-                }, exports.TOKEN_EXPIRY);
-                return res.send(msgpack_lite_1.default.encode(token));
+                }, TOKEN_EXPIRY);
+                const acceptHeader = req.get("accept")?.toLowerCase() || "";
+                const wantsJson = acceptHeader.includes("application/json") &&
+                    !acceptHeader.includes("application/msgpack") &&
+                    !acceptHeader.includes("*/*");
+                if (wantsJson) {
+                    return res.json(token);
+                }
+                res.set("Content-Type", "application/msgpack");
+                return res.send(msgpack.encode(token));
             }
             catch (err) {
-                console.error(err.toString());
+                this.log.error(String(err));
                 return res.sendStatus(500);
             }
-        }));
-        this.api.post("/whoami", (req, res) => __awaiter(this, void 0, void 0, function* () {
+        });
+        this.api.post("/whoami", (req, res) => {
             if (!req.user) {
                 res.sendStatus(401);
                 return;
             }
-            res.send(msgpack_lite_1.default.encode({
-                user: req.user,
+            res.send(msgpack.encode({
                 exp: req.exp,
-                token: req.cookies.auth,
+                token: req.bearerToken,
+                user: req.user,
             }));
-        }));
-        this.api.post("/goodbye", server_1.protect, (req, res) => __awaiter(this, void 0, void 0, function* () {
-            const token = jsonwebtoken_1.default.sign({ user: utils_1.censorUser(req.user) }, process.env.SPK, { expiresIn: -1 });
-            res.cookie("auth", token, { path: "/" });
-            res.sendStatus(200);
-        }));
-        this.api.post("/mail", server_1.protect, (req, res) => __awaiter(this, void 0, void 0, function* () {
-            const senderDeviceDetails = req.device;
-            if (!senderDeviceDetails) {
-                res.sendStatus(401);
+        });
+        this.api.get("/healthz", (_req, res) => {
+            if (!this.dbReady) {
+                res.status(503).json({ dbReady: false, ok: false });
                 return;
             }
-            const authorUserDetails = req.user;
-            const { header, mail, } = req.body;
+            res.json({ dbReady: true, ok: true });
+        });
+        this.api.get("/status", async (_req, res) => {
+            const started = Date.now();
+            const dbHealthy = this.dbReady ? await this.db.isHealthy() : false;
+            const checkDurationMs = Date.now() - started;
+            const ok = dbHealthy;
+            res.json({
+                checkDurationMs,
+                commitSha: this.commitSha,
+                dbHealthy,
+                dbReady: this.dbReady,
+                latencyBudgetMs: STATUS_LATENCY_BUDGET_MS,
+                metrics: {
+                    requestsTotal: this.requestsTotal,
+                },
+                now: new Date(),
+                ok,
+                startedAt: this.startedAt.toISOString(),
+                uptimeSeconds: Math.floor(process.uptime()),
+                version: this.version,
+                withinLatencyBudget: checkDurationMs <= STATUS_LATENCY_BUDGET_MS,
+            });
+        });
+        this.api.post("/goodbye", protect, (req, res) => {
+            jwt.sign({ user: req.user }, getJwtSecret(), { expiresIn: -1 });
+            res.sendStatus(200);
+        });
+        // ── Device-key auth ──────────────────────────────────────────
+        this.api.post("/auth/device", authLimiter, async (req, res) => {
             try {
-                yield this.db.saveMail(mail, header, senderDeviceDetails.deviceID, authorUserDetails.userID);
-                this.log.info("Received mail for " + mail.recipient);
-                const recipientDeviceDetails = yield this.db.retrieveDevice(mail.recipient);
-                if (!recipientDeviceDetails) {
-                    res.sendStatus(400);
-                    return;
+                const parsed = deviceAuthPayload.safeParse(req.body);
+                if (!parsed.success) {
+                    return res
+                        .status(400)
+                        .send({ error: "deviceID and signKey required." });
+                }
+                const { deviceID, signKey } = parsed.data;
+                const device = await this.db.retrieveDevice(deviceID);
+                if (!device || device.signKey !== signKey) {
+                    return res.status(404).send({ error: "Device not found." });
                 }
-                res.sendStatus(200);
-                this.notify(recipientDeviceDetails.owner, "mail", uuid.v4(), null, mail.recipient);
+                // Generate challenge nonce (32 bytes)
+                const nonce = XUtils.encodeHex(xRandomBytes(32));
+                const challengeID = crypto.randomUUID();
+                this.deviceChallenges.set(challengeID, {
+                    deviceID,
+                    nonce,
+                    time: Date.now(),
+                });
+                // Clean up expired challenges
+                setTimeout(() => {
+                    this.deviceChallenges.delete(challengeID);
+                }, DEVICE_CHALLENGE_EXPIRY);
+                this.log.info("Device challenge issued for " + deviceID);
+                return res.send(msgpack.encode({ challenge: nonce, challengeID }));
             }
             catch (err) {
-                this.log.error(err);
-                res.status(500).send(err.toString());
+                this.log.error("Device challenge error: " + String(err));
+                return res.sendStatus(500);
             }
-        }));
-        this.api.post("/auth", (req, res) => __awaiter(this, void 0, void 0, function* () {
-            const credentials = req.body;
-            if (typeof credentials.password !== "string") {
-                res.status(400).send("Password is required and must be a string.");
+        });
+        this.api.post("/auth/device/verify", authLimiter, async (req, res) => {
+            try {
+                const parsed = deviceVerifyPayload.safeParse(req.body);
+                if (!parsed.success) {
+                    return res.status(400).send({
+                        error: "challengeID and signed required.",
+                    });
+                }
+                const { challengeID, signed } = parsed.data;
+                const challenge = this.deviceChallenges.get(challengeID);
+                if (!challenge) {
+                    return res.status(401).send({
+                        error: "Challenge expired or not found.",
+                    });
+                }
+                // Consume the challenge (single-use)
+                this.deviceChallenges.delete(challengeID);
+                // Check expiry
+                if (Date.now() - challenge.time > DEVICE_CHALLENGE_EXPIRY) {
+                    return res
+                        .status(401)
+                        .send({ error: "Challenge expired." });
+                }
+                // Look up the device to get its public signKey
+                const device = await this.db.retrieveDevice(challenge.deviceID);
+                if (!device) {
+                    return res.status(404).send({ error: "Device not found." });
+                }
+                // Verify the Ed25519 signature
+                const opened = xSignOpen(XUtils.decodeHex(signed), XUtils.decodeHex(device.signKey));
+                if (!opened) {
+                    return res
+                        .status(401)
+                        .send({ error: "Signature verification failed." });
+                }
+                // Verify the signed content matches the challenge nonce
+                const signedNonce = XUtils.encodeHex(opened);
+                if (signedNonce !== challenge.nonce) {
+                    return res
+                        .status(401)
+                        .send({ error: "Challenge mismatch." });
+                }
+                // Look up device owner
+                const user = await this.db.retrieveUser(device.owner);
+                if (!user) {
+                    return res
+                        .status(404)
+                        .send({ error: "Device owner not found." });
+                }
+                // Issue short-lived JWT (1 hour, not 7 days)
+                const token = jwt.sign({ user: censorUser(user) }, getJwtSecret(), { expiresIn: DEVICE_AUTH_JWT_EXPIRY });
+                this.log.info("Device-key auth succeeded for " +
+                    user.username +
+                    " (device " +
+                    device.deviceID +
+                    ")");
+                return res.send(msgpack.encode({ token, user: censorUser(user) }));
+            }
+            catch (err) {
+                this.log.error("Device verify error: " + String(err));
+                return res.sendStatus(500);
+            }
+        });
+        this.api.post("/mail", protect, async (req, res) => {
+            const senderDeviceDetails = req.device;
+            if (!senderDeviceDetails) {
+                res.sendStatus(401);
+                return;
+            }
+            const authorUserDetails = getUser(req);
+            const parsed = mailPostPayload.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({
+                    error: "Invalid mail payload",
+                    issues: parsed.error.issues,
+                });
+                return;
+            }
+            const { header, mail } = parsed.data;
+            await this.db.saveMail(mail, header, senderDeviceDetails.deviceID, authorUserDetails.userID);
+            this.log.info("Received mail for " + mail.recipient);
+            const recipientDeviceDetails = await this.db.retrieveDevice(mail.recipient);
+            if (!recipientDeviceDetails) {
+                res.sendStatus(400);
                 return;
             }
-            if (typeof credentials.username !== "string") {
-                res.status(400).send("Username is required and must be a string.");
+            res.sendStatus(200);
+            this.notify(recipientDeviceDetails.owner, "mail", crypto.randomUUID(), null, mail.recipient);
+        });
+        this.api.post("/auth", authLimiter, async (req, res) => {
+            const parsed = authPayload.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({
+                    error: "Invalid credentials format",
+                });
                 return;
             }
+            const { password, username } = parsed.data;
             try {
-                const userEntry = yield this.db.retrieveUser(credentials.username);
+                const userEntry = await this.db.retrieveUser(username);
                 if (!userEntry) {
                     res.sendStatus(404);
                     this.log.warn("User does not exist.");
                     return;
                 }
-                const salt = crypto_1.XUtils.decodeHex(userEntry.passwordSalt);
-                const payloadHash = crypto_1.XUtils.encodeHex(Database_1.hashPassword(credentials.password, salt));
+                const salt = XUtils.decodeHex(userEntry.passwordSalt);
+                const payloadHash = XUtils.encodeHex(hashPassword(password, salt));
                 if (payloadHash !== userEntry.passwordHash) {
                     res.sendStatus(401);
                     return;
                 }
-                const token = jsonwebtoken_1.default.sign({ user: utils_1.censorUser(userEntry) }, process.env.SPK, { expiresIn: exports.JWT_EXPIRY });
+                const token = jwt.sign({ user: censorUser(userEntry) }, getJwtSecret(), { expiresIn: JWT_EXPIRY });
                 // just to make sure
-                jsonwebtoken_1.default.verify(token, process.env.SPK);
-                res.cookie("auth", token, { path: "/" });
-                res.send(msgpack_lite_1.default.encode({ user: utils_1.censorUser(userEntry), token }));
+                jwt.verify(token, getJwtSecret());
+                res.send(msgpack.encode({ token, user: censorUser(userEntry) }));
             }
             catch (err) {
-                this.log.error(err.toString());
+                this.log.error(String(err));
                 res.sendStatus(500);
             }
-        }));
-        this.api.post("/register", (req, res) => __awaiter(this, void 0, void 0, function* () {
+        });
+        this.api.post("/register", authLimiter, async (req, res) => {
             try {
-                const regPayload = req.body;
+                const regParsed = RegistrationPayloadSchema.safeParse(req.body);
+                if (!regParsed.success) {
+                    res.status(400).json({
+                        error: "Invalid registration payload",
+                        issues: regParsed.error.issues,
+                    });
+                    return;
+                }
+                const regPayload = regParsed.data;
                 if (!usernameRegex.test(regPayload.username)) {
                     res.status(400).send({
                         error: "Username must be between three and nineteen letters, digits, or underscores.",
                     });
                     return;
                 }
-                const regKey = tweetnacl_1.default.sign.open(crypto_1.XUtils.decodeHex(regPayload.signed), crypto_1.XUtils.decodeHex(regPayload.signKey));
+                const regKey = xSignOpen(XUtils.decodeHex(regPayload.signed), XUtils.decodeHex(regPayload.signKey));
                 if (regKey &&
-                    this.validateToken(uuid.stringify(regKey), TokenScopes.Register)) {
-                    const [user, err] = yield this.db.createUser(regKey, regPayload);
+                    this.validateToken(uuidStringify(regKey), TokenScopes.Register)) {
+                    const [user, err] = await this.db.createUser(regKey, regPayload);
                     if (err !== null) {
-                        switch (err.code) {
+                        const errCode = "code" in err && typeof err.code === "string"
+                            ? err.code
+                            : undefined;
+                        switch (errCode) {
                             case "ER_DUP_ENTRY":
-                                const usernameConflict = err
-                                    .toString()
-                                    .includes("users_username_unique");
-                                const signKeyConflict = err
-                                    .toString()
-                                    .includes("users_signkey_unique");
+                                const usernameConflict = String(err).includes("users_username_unique");
+                                const signKeyConflict = String(err).includes("users_signkey_unique");
                                 this.log.warn("User attempted to register duplicate account.");
                                 if (usernameConflict) {
                                     res.status(400).send({
@@ -365,15 +567,19 @@ class Spire extends events_1.EventEmitter {
                                 break;
                             default:
                                 this.log.info("Unsupported sql error type: " +
-                                    err.code);
-                                this.log.error(err);
+                                    String(errCode));
+                                this.log.error(String(err));
                                 res.sendStatus(500);
                                 break;
                         }
                     }
                     else {
                         this.log.info("Registration success.");
-                        res.send(msgpack_lite_1.default.encode(utils_1.censorUser(user)));
+                        if (!user) {
+                            res.sendStatus(500);
+                            return;
+                        }
+                        res.send(msgpack.encode(censorUser(user)));
                     }
                 }
                 else {
@@ -383,13 +589,67 @@ class Spire extends events_1.EventEmitter {
                 }
             }
             catch (err) {
-                this.log.error("error registering user: " + err.toString());
+                this.log.error("error registering user: " + String(err));
                 res.sendStatus(500);
             }
-        }));
+        });
         this.server = this.api.listen(apiPort, () => {
-            this.log.info("API started on port " + apiPort.toString());
+            this.log.info("API started on port " + String(apiPort));
         });
+        // Accept all WS upgrades — auth happens post-connection.
+        this.server.on("upgrade", (req, socket, head) => {
+            this.wss.handleUpgrade(req, socket, head, (ws) => {
+                this.wss.emit("connection", ws);
+            });
+        });
+    }
+    notify(userID, event, transmissionID, data, deviceID) {
+        for (const client of this.clients) {
+            if (deviceID) {
+                if (client.getDevice().deviceID === deviceID) {
+                    const msg = {
+                        data,
+                        event,
+                        transmissionID,
+                        type: "notify",
+                    };
+                    client.send(msg);
+                }
+            }
+            else {
+                if (client.getUser().userID === userID) {
+                    const msg = {
+                        data,
+                        event,
+                        transmissionID,
+                        type: "notify",
+                    };
+                    client.send(msg);
+                }
+            }
+        }
+    }
+    validateToken(key, scope) {
+        this.log.info("Validating token: " + key);
+        for (const rKey of this.actionTokens) {
+            if (rKey.key === key) {
+                if (rKey.scope !== scope) {
+                    continue;
+                }
+                const age = Date.now() - new Date(rKey.time).getTime();
+                this.log.info("Token found, " + String(age) + " ms old.");
+                if (age < TOKEN_EXPIRY) {
+                    this.log.info("Token is valid.");
+                    this.deleteActionToken(rKey);
+                    return true;
+                }
+                else {
+                    this.log.info("Token is expired.");
+                }
+            }
+        }
+        this.log.info("Token not found.");
+        return false;
     }
 }
-exports.Spire = Spire;
+//# sourceMappingURL=Spire.js.map