@vividcodeai/embeddedcowork 0.0.21 → 0.0.23

package/dist/api-types.js

@@ -0,0 +1 @@
+export const WINDOWS_DRIVES_ROOT = "__drives__";

package/dist/auth/auth-store.js

@@ -0,0 +1,134 @@
+import fs from "fs";
+import path from "path";
+import { hashPassword, verifyPassword } from "./password-hash";
+export class AuthStore {
+    constructor(authFilePath, logger) {
+        this.authFilePath = authFilePath;
+        this.logger = logger;
+        this.cachedFile = null;
+        this.overrideAuth = null;
+        this.bootstrapUsername = null;
+    }
+    getAuthFilePath() {
+        return this.authFilePath;
+    }
+    load() {
+        if (this.overrideAuth) {
+            return this.overrideAuth;
+        }
+        if (this.cachedFile) {
+            return this.cachedFile;
+        }
+        try {
+            if (!fs.existsSync(this.authFilePath)) {
+                return null;
+            }
+            const raw = fs.readFileSync(this.authFilePath, "utf-8");
+            const parsed = JSON.parse(raw);
+            if (!parsed || parsed.version !== 1) {
+                this.logger.warn({ authFilePath: this.authFilePath }, "Auth file has unsupported version");
+                return null;
+            }
+            this.cachedFile = parsed;
+            return parsed;
+        }
+        catch (error) {
+            this.logger.warn({ err: error, authFilePath: this.authFilePath }, "Failed to load auth file");
+            return null;
+        }
+    }
+    ensureInitialized(params) {
+        const password = params.password?.trim();
+        if (password) {
+            const now = new Date().toISOString();
+            const runtime = {
+                version: 1,
+                username: params.username,
+                password: hashPassword(password),
+                userProvided: true,
+                updatedAt: now,
+            };
+            this.overrideAuth = runtime;
+            this.cachedFile = null;
+            this.bootstrapUsername = null;
+            this.logger.debug({ authFilePath: this.authFilePath }, "Using runtime auth password override; ignoring auth file");
+            return;
+        }
+        const existing = this.load();
+        if (existing) {
+            if (existing.username !== params.username) {
+                // Keep existing username unless explicitly overridden later.
+                this.logger.debug({ existing: existing.username, requested: params.username }, "Auth username differs from requested");
+            }
+            this.bootstrapUsername = null;
+            return;
+        }
+        if (params.allowBootstrapWithoutPassword) {
+            this.bootstrapUsername = params.username;
+            this.logger.debug({ authFilePath: this.authFilePath }, "No auth file present; bootstrap-only mode enabled");
+            return;
+        }
+        throw new Error(`No server password configured. Create ${this.authFilePath} or start with --password / EMBEDDEDCOWORK_SERVER_PASSWORD.`);
+    }
+    validateCredentials(username, password) {
+        const auth = this.load();
+        if (!auth) {
+            return false;
+        }
+        if (username !== auth.username) {
+            return false;
+        }
+        return verifyPassword(password, auth.password);
+    }
+    setPassword(params) {
+        if (this.overrideAuth) {
+            throw new Error("Server password is provided via CLI/env and cannot be changed while running. Restart without --password / EMBEDDEDCOWORK_SERVER_PASSWORD to use auth.json.");
+        }
+        const current = this.load();
+        if (!current) {
+            if (!this.bootstrapUsername) {
+                throw new Error("Auth is not initialized");
+            }
+            const created = {
+                version: 1,
+                username: this.bootstrapUsername,
+                password: hashPassword(params.password),
+                userProvided: params.markUserProvided,
+                updatedAt: new Date().toISOString(),
+            };
+            this.persist(created);
+            this.bootstrapUsername = null;
+            return { username: created.username, passwordUserProvided: created.userProvided };
+        }
+        const next = {
+            ...current,
+            password: hashPassword(params.password),
+            userProvided: params.markUserProvided,
+            updatedAt: new Date().toISOString(),
+        };
+        this.persist(next);
+        return { username: next.username, passwordUserProvided: next.userProvided };
+    }
+    getStatus() {
+        const current = this.load();
+        if (current) {
+            return { username: current.username, passwordUserProvided: current.userProvided };
+        }
+        if (this.bootstrapUsername) {
+            return { username: this.bootstrapUsername, passwordUserProvided: false };
+        }
+        throw new Error("Auth is not initialized");
+    }
+    persist(auth) {
+        try {
+            fs.mkdirSync(path.dirname(this.authFilePath), { recursive: true });
+            fs.writeFileSync(this.authFilePath, JSON.stringify(auth, null, 2), "utf-8");
+            this.cachedFile = auth;
+            this.logger.debug({ authFilePath: this.authFilePath }, "Persisted auth file");
+        }
+        catch (error) {
+            this.logger.error({ err: error, authFilePath: this.authFilePath }, "Failed to persist auth file");
+            throw error;
+        }
+    }
+}

package/dist/auth/http-auth.js

@@ -0,0 +1,37 @@
+export function parseCookies(header) {
+    const result = {};
+    if (!header)
+        return result;
+    const parts = header.split(";");
+    for (const part of parts) {
+        const index = part.indexOf("=");
+        if (index < 0)
+            continue;
+        const key = part.slice(0, index).trim();
+        const value = part.slice(index + 1).trim();
+        if (!key)
+            continue;
+        result[key] = decodeURIComponent(value);
+    }
+    return result;
+}
+export function isLoopbackAddress(remoteAddress) {
+    if (!remoteAddress)
+        return false;
+    if (remoteAddress === "127.0.0.1" || remoteAddress === "::1")
+        return true;
+    if (remoteAddress === "::ffff:127.0.0.1")
+        return true;
+    return false;
+}
+export function wantsHtml(request) {
+    const accept = (request.headers["accept"] ?? "").toString().toLowerCase();
+    return accept.includes("text/html") || accept.includes("application/xhtml");
+}
+export function sendUnauthorized(request, reply) {
+    if (request.method === "GET" && !request.url.startsWith("/api/") && wantsHtml(request)) {
+        reply.redirect("/login");
+        return;
+    }
+    reply.code(401).send({ error: "Unauthorized" });
+}

package/dist/auth/manager.js

@@ -0,0 +1,140 @@
+import path from "path";
+import { AuthStore } from "./auth-store";
+import { TokenManager } from "./token-manager";
+import { SessionManager } from "./session-manager";
+import { isLoopbackAddress, parseCookies } from "./http-auth";
+export const BOOTSTRAP_TOKEN_STDOUT_PREFIX = "EMBEDDEDCOWORK_BOOTSTRAP_TOKEN:";
+export const DEFAULT_AUTH_USERNAME = "embeddedcowork";
+export const DEFAULT_AUTH_COOKIE_NAME = "embeddedcowork_session";
+export class AuthManager {
+    constructor(init, logger) {
+        this.init = init;
+        this.logger = logger;
+        this.sessionManager = new SessionManager();
+        this.cookieName = sanitizeCookieName(init.cookieName);
+        this.authEnabled = !Boolean(init.dangerouslySkipAuth);
+        if (!this.authEnabled) {
+            this.authStore = null;
+            this.tokenManager = null;
+            return;
+        }
+        const authFilePath = resolveAuthFilePath(init.configPath);
+        this.authStore = new AuthStore(authFilePath, logger.child({ component: "auth" }));
+        // Startup: password comes from CLI/env, auth.json, or bootstrap-only mode.
+        this.authStore.ensureInitialized({
+            username: init.username,
+            password: init.password,
+            allowBootstrapWithoutPassword: init.generateToken,
+        });
+        this.tokenManager = init.generateToken ? new TokenManager(60000) : null;
+    }
+    isAuthEnabled() {
+        return this.authEnabled;
+    }
+    getCookieName() {
+        return this.cookieName;
+    }
+    isTokenBootstrapEnabled() {
+        return Boolean(this.tokenManager);
+    }
+    issueBootstrapToken() {
+        if (!this.tokenManager)
+            return null;
+        return this.tokenManager.generate();
+    }
+    consumeBootstrapToken(token) {
+        if (!this.tokenManager)
+            return false;
+        return this.tokenManager.consume(token);
+    }
+    validateLogin(username, password) {
+        if (!this.authEnabled) {
+            return true;
+        }
+        return this.requireAuthStore().validateCredentials(username, password);
+    }
+    createSession(username) {
+        if (!this.authEnabled) {
+            return { id: "auth-disabled", createdAt: Date.now(), username: this.init.username };
+        }
+        return this.sessionManager.createSession(username);
+    }
+    getStatus() {
+        if (!this.authEnabled) {
+            return { username: this.init.username, passwordUserProvided: false };
+        }
+        return this.requireAuthStore().getStatus();
+    }
+    setPassword(password) {
+        if (!this.authEnabled) {
+            throw new Error("Internal authentication is disabled");
+        }
+        return this.requireAuthStore().setPassword({ password, markUserProvided: true });
+    }
+    isLoopbackRequest(request) {
+        return isLoopbackAddress(request.socket.remoteAddress);
+    }
+    getSessionFromRequest(request) {
+        return this.getSessionFromHeaders(request.headers);
+    }
+    getSessionFromHeaders(headers) {
+        if (!this.authEnabled) {
+            // When auth is disabled, treat all requests as authenticated.
+            // We still return a stable username so callers can display it.
+            return { username: this.init.username, sessionId: "auth-disabled" };
+        }
+        const cookieHeader = Array.isArray(headers.cookie) ? headers.cookie.join("; ") : headers.cookie;
+        const cookies = parseCookies(cookieHeader);
+        const sessionId = cookies[this.cookieName];
+        const session = this.sessionManager.getSession(sessionId);
+        if (!session)
+            return null;
+        return { username: session.username, sessionId: session.id };
+    }
+    setSessionCookie(reply, sessionId) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, sessionId));
+    }
+    setSessionCookieWithOptions(reply, sessionId, options) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, sessionId, options));
+    }
+    clearSessionCookie(reply) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0 }));
+    }
+    clearSessionCookieWithOptions(reply, options) {
+        reply.header("Set-Cookie", buildSessionCookie(this.cookieName, "", { maxAgeSeconds: 0, ...options }));
+    }
+    requireAuthStore() {
+        if (!this.authStore) {
+            throw new Error("Auth store is unavailable");
+        }
+        return this.authStore;
+    }
+}
+function sanitizeCookieName(value) {
+    const trimmed = value?.trim();
+    if (!trimmed) {
+        return DEFAULT_AUTH_COOKIE_NAME;
+    }
+    const sanitized = trimmed.replace(/[^A-Za-z0-9_-]/g, "_");
+    return sanitized.length > 0 ? sanitized : DEFAULT_AUTH_COOKIE_NAME;
+}
+function resolveAuthFilePath(configPath) {
+    const resolvedConfigPath = resolvePath(configPath);
+    return path.join(path.dirname(resolvedConfigPath), "auth.json");
+}
+function resolvePath(filePath) {
+    if (filePath.startsWith("~/")) {
+        return path.join(process.env.HOME ?? "", filePath.slice(2));
+    }
+    return path.resolve(filePath);
+}
+function buildSessionCookie(name, value, options) {
+    const parts = [`${name}=${encodeURIComponent(value)}`, "HttpOnly", "Path=/", "SameSite=Lax"];
+    if (options?.secure) {
+        parts.push("Secure");
+    }
+    if (options?.maxAgeSeconds !== undefined) {
+        parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`);
+    }
+    return parts.join("; ");
+}

package/dist/auth/password-hash.js

@@ -0,0 +1,32 @@
+import crypto from "crypto";
+const DEFAULT_SCRYPT_PARAMS = {
+    N: 16384,
+    r: 8,
+    p: 1,
+    maxmem: 32 * 1024 * 1024,
+};
+export function hashPassword(password) {
+    const salt = crypto.randomBytes(16);
+    const params = DEFAULT_SCRYPT_PARAMS;
+    const keyLength = 64;
+    const derived = crypto.scryptSync(password, salt, keyLength, params);
+    return {
+        algorithm: "scrypt",
+        saltBase64: salt.toString("base64"),
+        hashBase64: Buffer.from(derived).toString("base64"),
+        keyLength,
+        params,
+    };
+}
+export function verifyPassword(password, record) {
+    if (record.algorithm !== "scrypt") {
+        return false;
+    }
+    const salt = Buffer.from(record.saltBase64, "base64");
+    const expected = Buffer.from(record.hashBase64, "base64");
+    const derived = crypto.scryptSync(password, salt, record.keyLength, record.params);
+    if (expected.length !== derived.length) {
+        return false;
+    }
+    return crypto.timingSafeEqual(expected, Buffer.from(derived));
+}

package/dist/auth/session-manager.js

@@ -0,0 +1,17 @@
+import crypto from "crypto";
+export class SessionManager {
+    constructor() {
+        this.sessions = new Map();
+    }
+    createSession(username) {
+        const id = crypto.randomBytes(32).toString("base64url");
+        const info = { id, createdAt: Date.now(), username };
+        this.sessions.set(id, info);
+        return info;
+    }
+    getSession(id) {
+        if (!id)
+            return undefined;
+        return this.sessions.get(id);
+    }
+}

package/dist/auth/token-manager.js

@@ -0,0 +1,27 @@
+import crypto from "crypto";
+export class TokenManager {
+    constructor(ttlMs) {
+        this.ttlMs = ttlMs;
+        this.token = null;
+    }
+    generate() {
+        const token = crypto.randomBytes(32).toString("base64url");
+        this.token = { token, createdAt: Date.now(), consumed: false };
+        return token;
+    }
+    consume(token) {
+        if (!this.token)
+            return false;
+        if (this.token.consumed)
+            return false;
+        if (Date.now() - this.token.createdAt > this.ttlMs)
+            return false;
+        if (token !== this.token.token)
+            return false;
+        this.token.consumed = true;
+        return true;
+    }
+    peek() {
+        return this.token?.token ?? null;
+    }
+}