agent-messenger 1.0.0 → 1.1.0

package/src/platforms/teams/token-extractor.ts

@@ -0,0 +1,462 @@
+import { execSync } from 'node:child_process'
+import { createDecipheriv, pbkdf2Sync } from 'node:crypto'
+import { copyFileSync, existsSync, readFileSync, unlinkSync } from 'node:fs'
+import { homedir, tmpdir } from 'node:os'
+import { join } from 'node:path'
+
+export interface ExtractedTeamsToken {
+  token: string
+}
+
+interface KeychainVariant {
+  service: string
+  account: string
+}
+
+const TEAMS_PROCESS_NAMES: Record<string, string> = {
+  darwin: 'Microsoft Teams',
+  win32: 'Teams.exe',
+  linux: 'teams',
+}
+
+const SKYPETOKEN_COOKIE_NAME = 'skypetoken_asm'
+const TEAMS_HOST_PATTERNS = [
+  '.asyncgw.teams.microsoft.com',
+  '.asm.skype.com',
+  'teams.microsoft.com',
+  'teams.live.com',
+  '.microsoft.com',
+]
+
+export class TeamsTokenExtractor {
+  private platform: NodeJS.Platform
+
+  constructor(platform?: NodeJS.Platform) {
+    this.platform = platform ?? process.platform
+  }
+
+  getTeamsCookiesPaths(): string[] {
+    switch (this.platform) {
+      case 'darwin':
+        return [
+          join(
+            homedir(),
+            'Library',
+            'Containers',
+            'com.microsoft.teams2',
+            'Data',
+            'Library',
+            'Application Support',
+            'Microsoft',
+            'MSTeams',
+            'EBWebView',
+            'WV2Profile_tfw',
+            'Cookies'
+          ),
+          join(
+            homedir(),
+            'Library',
+            'Containers',
+            'com.microsoft.teams2',
+            'Data',
+            'Library',
+            'Application Support',
+            'Microsoft',
+            'MSTeams',
+            'EBWebView',
+            'WV2Profile_tfl',
+            'Cookies'
+          ),
+          join(
+            homedir(),
+            'Library',
+            'Containers',
+            'com.microsoft.teams2',
+            'Data',
+            'Library',
+            'Application Support',
+            'Microsoft',
+            'MSTeams',
+            'EBWebView',
+            'Default',
+            'Cookies'
+          ),
+          join(homedir(), 'Library', 'Application Support', 'Microsoft', 'Teams', 'Cookies'),
+        ]
+      case 'linux':
+        return [join(homedir(), '.config', 'Microsoft', 'Microsoft Teams', 'Cookies')]
+      case 'win32': {
+        const localAppData = process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local')
+        const appdata = process.env.APPDATA || join(homedir(), 'AppData', 'Roaming')
+        return [
+          // New Teams (MSIX/Store) - WebView2 profile paths
+          join(
+            localAppData,
+            'Packages',
+            'MSTeams_8wekyb3d8bbwe',
+            'LocalCache',
+            'Microsoft',
+            'MSTeams',
+            'EBWebView',
+            'WV2Profile_tfw',
+            'Cookies'
+          ),
+          join(
+            localAppData,
+            'Packages',
+            'MSTeams_8wekyb3d8bbwe',
+            'LocalCache',
+            'Microsoft',
+            'MSTeams',
+            'EBWebView',
+            'WV2Profile_tfl',
+            'Cookies'
+          ),
+          join(
+            localAppData,
+            'Packages',
+            'MSTeams_8wekyb3d8bbwe',
+            'LocalCache',
+            'Microsoft',
+            'MSTeams',
+            'EBWebView',
+            'Default',
+            'Cookies'
+          ),
+          // Classic Teams fallback
+          join(appdata, 'Microsoft', 'Teams', 'Cookies'),
+        ]
+      }
+      default:
+        return []
+    }
+  }
+
+  getLocalStatePath(): string {
+    switch (this.platform) {
+      case 'darwin':
+        return join(
+          homedir(),
+          'Library',
+          'Application Support',
+          'Microsoft',
+          'Teams',
+          'Local State'
+        )
+      case 'linux':
+        return join(homedir(), '.config', 'Microsoft', 'Microsoft Teams', 'Local State')
+      case 'win32': {
+        const localAppData = process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local')
+        const appdata = process.env.APPDATA || join(homedir(), 'AppData', 'Roaming')
+        const newTeamsPath = join(
+          localAppData,
+          'Packages',
+          'MSTeams_8wekyb3d8bbwe',
+          'LocalCache',
+          'Microsoft',
+          'MSTeams',
+          'EBWebView',
+          'Local State'
+        )
+        if (existsSync(newTeamsPath)) return newTeamsPath
+        return join(appdata, 'Microsoft', 'Teams', 'Local State')
+      }
+      default:
+        return ''
+    }
+  }
+
+  getKeychainVariants(): KeychainVariant[] {
+    return [
+      // New Teams (com.microsoft.teams2) keychain entry - try first
+      { service: 'Microsoft Teams Safe Storage', account: 'Microsoft Teams' },
+      // Work/school variant
+      {
+        service: 'Microsoft Teams (work or school) Safe Storage',
+        account: 'Microsoft Teams (work or school)',
+      },
+      // Edge WebView2 fallback
+      { service: 'Microsoft Edge Safe Storage', account: 'Microsoft Edge' },
+      // Classic Teams fallback
+      { service: 'Teams Safe Storage', account: 'Teams' },
+    ]
+  }
+
+  isValidSkypeToken(token: string): boolean {
+    if (!token || token.length === 0) return false
+    // Skype tokens are typically JWT format or long base64 strings (50+ chars)
+    return token.length >= 50
+  }
+
+  isEncryptedValue(value: Buffer): boolean {
+    if (!value || value.length < 4) return false
+    const prefix = value.subarray(0, 3).toString('utf8')
+    return prefix === 'v10' || prefix === 'v11'
+  }
+
+  async extract(): Promise<ExtractedTeamsToken | null> {
+    // Extract from Cookies database (works for both New Teams and Classic Teams)
+    const cookieToken = await this.extractFromCookiesDB()
+    if (cookieToken && this.isValidSkypeToken(cookieToken)) {
+      return { token: cookieToken }
+    }
+
+    return null
+  }
+
+  private async extractFromCookiesDB(): Promise<string | null> {
+    const dbPaths = this.getTeamsCookiesPaths()
+
+    for (const dbPath of dbPaths) {
+      if (!dbPath || !existsSync(dbPath)) continue
+
+      // Try copy-first strategy to handle file locking
+      const token = await this.copyAndExtract(dbPath)
+      if (token) return token
+    }
+
+    return null
+  }
+
+  private async copyAndExtract(dbPath: string): Promise<string | null> {
+    const tempPath = join(tmpdir(), `teams-cookies-${Date.now()}`)
+
+    try {
+      this.copyDatabaseToTemp(dbPath, tempPath)
+      const token = await this.extractFromSQLite(tempPath)
+      this.cleanupTempFile(tempPath)
+      return token
+    } catch {
+      // File locked or copy failed
+      this.cleanupTempFile(tempPath)
+      return null
+    }
+  }
+
+  private copyDatabaseToTemp(sourcePath: string, destPath: string): string {
+    copyFileSync(sourcePath, destPath)
+    return destPath
+  }
+
+  private cleanupTempFile(tempPath: string): void {
+    try {
+      if (existsSync(tempPath)) {
+        unlinkSync(tempPath)
+      }
+    } catch {
+      // Ignore cleanup errors
+    }
+  }
+
+  private async extractFromSQLite(dbPath: string): Promise<string | null> {
+    try {
+      for (const hostPattern of TEAMS_HOST_PATTERNS) {
+        const sql = `
+          SELECT encrypted_value 
+          FROM cookies 
+          WHERE name = '${SKYPETOKEN_COOKIE_NAME}' 
+          AND host_key LIKE '%${hostPattern}%'
+          LIMIT 1
+        `
+
+        type CookieRow = { encrypted_value?: Uint8Array | Buffer } | null
+
+        let row: CookieRow
+        if (typeof globalThis.Bun !== 'undefined') {
+          const { Database } = require('bun:sqlite')
+          const db = new Database(dbPath, { readonly: true })
+          row = db.query(sql).get() as CookieRow
+          db.close()
+        } else {
+          const Database = require('better-sqlite3')
+          const db = new Database(dbPath, { readonly: true })
+          row = db.prepare(sql).get() as CookieRow
+          db.close()
+        }
+
+        if (row?.encrypted_value) {
+          const decrypted = this.decryptCookie(Buffer.from(row.encrypted_value))
+          if (decrypted && this.isValidSkypeToken(decrypted)) {
+            return decrypted
+          }
+        }
+      }
+
+      return null
+    } catch {
+      return null
+    }
+  }
+
+  private decryptCookie(encryptedValue: Buffer): string | null {
+    if (!this.isEncryptedValue(encryptedValue)) {
+      // Not encrypted, return as-is
+      return encryptedValue.toString('utf8')
+    }
+
+    if (this.platform === 'win32') {
+      return this.decryptWindowsCookie(encryptedValue)
+    } else if (this.platform === 'darwin') {
+      return this.decryptMacCookie(encryptedValue)
+    } else if (this.platform === 'linux') {
+      return this.decryptLinuxCookie(encryptedValue)
+    }
+
+    return null
+  }
+
+  private decryptWindowsCookie(encryptedData: Buffer): string | null {
+    try {
+      const localStatePath = this.getLocalStatePath()
+      if (!existsSync(localStatePath)) return null
+
+      const localState = JSON.parse(readFileSync(localStatePath, 'utf8'))
+      const encryptedKey = Buffer.from(localState.os_crypt.encrypted_key, 'base64')
+
+      // Remove DPAPI prefix (5 bytes)
+      const dpapiBlobKey = encryptedKey.subarray(5)
+      const masterKey = this.decryptDPAPI(dpapiBlobKey)
+      if (!masterKey) return null
+
+      return this.decryptAESGCM(encryptedData, masterKey)
+    } catch {
+      return null
+    }
+  }
+
+  private decryptDPAPI(encryptedBlob: Buffer): Buffer | null {
+    try {
+      const b64 = encryptedBlob.toString('base64')
+      const psScript = `
+        Add-Type -AssemblyName System.Security
+        $bytes = [Convert]::FromBase64String('${b64}')
+        $decrypted = [Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, 'CurrentUser')
+        [Convert]::ToBase64String($decrypted)
+      `.replace(/\n/g, ' ')
+
+      const result = execSync(`powershell -Command "${psScript}"`, { encoding: 'utf8' })
+      return Buffer.from(result.trim(), 'base64')
+    } catch {
+      return null
+    }
+  }
+
+  private decryptMacCookie(encryptedData: Buffer): string | null {
+    const password = this.getKeychainPassword()
+    if (!password) return null
+
+    // Derive key using PBKDF2 (Chromium uses 1003 iterations, 16 byte key for AES-128-CBC)
+    const key = pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1')
+    return this.decryptAESCBC(encryptedData, key)
+  }
+
+  private decryptLinuxCookie(encryptedData: Buffer): string | null {
+    // Linux uses a hardcoded password 'peanuts' for Chromium-based apps
+    const key = pbkdf2Sync('peanuts', 'saltysalt', 1, 16, 'sha1')
+    return this.decryptAESCBC(encryptedData, key)
+  }
+
+  private getKeychainPassword(): string | null {
+    const variants = this.getKeychainVariants()
+
+    for (const variant of variants) {
+      const password = this.execSecurityCommand(variant.service, variant.account)
+      if (password) return password
+    }
+
+    return null
+  }
+
+  private execSecurityCommand(service: string, account: string): string | null {
+    try {
+      // Escape double quotes in service/account to prevent command injection
+      const safeService = service.replace(/"/g, '\\"')
+      const safeAccount = account.replace(/"/g, '\\"')
+      const result = execSync(
+        `security find-generic-password -s "${safeService}" -a "${safeAccount}" -w 2>/dev/null`,
+        { encoding: 'utf8' }
+      )
+      return result.trim()
+    } catch {
+      return null
+    }
+  }
+
+  private decryptAESCBC(encryptedData: Buffer, key: Buffer): string | null {
+    try {
+      const ciphertext = encryptedData.subarray(3)
+      const iv = Buffer.alloc(16, 0x20)
+
+      const decipher = createDecipheriv('aes-128-cbc', key, iv)
+      decipher.setAutoPadding(true)
+
+      const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+      const decryptedStr = decrypted.toString('utf8')
+
+      // Chromium v24+ prepends a 32-byte integrity hash before the actual value
+      // Look for JWT token start (eyJ) or other token patterns
+      const jwtStart = decryptedStr.indexOf('eyJ')
+      if (jwtStart > 0 && jwtStart <= 32) {
+        return decryptedStr.substring(jwtStart)
+      }
+
+      // If no JWT prefix found but decryption succeeded, check if first 32 bytes are garbage
+      if (decrypted.length > 32) {
+        const possibleToken = decryptedStr.substring(32)
+        if (possibleToken.length > 50 && /^[A-Za-z0-9._-]+$/.test(possibleToken.substring(0, 50))) {
+          return possibleToken
+        }
+      }
+
+      return decryptedStr
+    } catch {
+      return null
+    }
+  }
+
+  private decryptAESGCM(encryptedData: Buffer, key: Buffer): string | null {
+    try {
+      // Format: v10 (3 bytes) + IV (12 bytes) + ciphertext + auth tag (16 bytes)
+      if (encryptedData.length < 3 + 12 + 16) return null
+
+      const iv = encryptedData.subarray(3, 15)
+      const authTag = encryptedData.subarray(-16)
+      const ciphertext = encryptedData.subarray(15, -16)
+
+      const decipher = createDecipheriv('aes-256-gcm', key, iv)
+      decipher.setAuthTag(authTag)
+
+      const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+      return decrypted.toString('utf8')
+    } catch {
+      return null
+    }
+  }
+
+  async isTeamsRunning(): Promise<boolean> {
+    const processName = this.getProcessName()
+    return this.checkProcessRunning(processName)
+  }
+
+  private getProcessName(): string {
+    return TEAMS_PROCESS_NAMES[this.platform] || TEAMS_PROCESS_NAMES.linux
+  }
+
+  private checkProcessRunning(processName: string): boolean {
+    try {
+      if (this.platform === 'win32') {
+        const result = execSync(`tasklist /FI "IMAGENAME eq ${processName}" 2>nul`, {
+          encoding: 'utf8',
+        })
+        return result.toLowerCase().includes(processName.toLowerCase())
+      } else {
+        const result = execSync(`pgrep -f "${processName}" 2>/dev/null || true`, {
+          encoding: 'utf8',
+        })
+        return result.trim().length > 0
+      }
+    } catch {
+      return false
+    }
+  }
+}

package/src/platforms/teams/types.test.ts

@@ -0,0 +1,226 @@
+import { expect, test } from 'bun:test'
+import {
+  TeamsChannelSchema,
+  TeamsConfigSchema,
+  TeamsCredentialsSchema,
+  TeamsError,
+  TeamsFileSchema,
+  TeamsMessageSchema,
+  TeamsReactionSchema,
+  TeamsTeamSchema,
+  TeamsUserSchema,
+} from './types'
+
+// TeamsTeamSchema tests
+test('TeamsTeamSchema validates correct team', () => {
+  const result = TeamsTeamSchema.safeParse({
+    id: '19:abc123@thread.tacv2',
+    name: 'Test Team',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsTeamSchema validates team with optional description', () => {
+  const result = TeamsTeamSchema.safeParse({
+    id: '19:abc123@thread.tacv2',
+    name: 'Test Team',
+    description: 'A test team',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsTeamSchema rejects missing id', () => {
+  const result = TeamsTeamSchema.safeParse({
+    name: 'Test Team',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('TeamsTeamSchema rejects missing name', () => {
+  const result = TeamsTeamSchema.safeParse({
+    id: '19:abc123@thread.tacv2',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsChannelSchema tests
+test('TeamsChannelSchema validates correct channel', () => {
+  const result = TeamsChannelSchema.safeParse({
+    id: '19:channel123@thread.tacv2',
+    team_id: '19:abc123@thread.tacv2',
+    name: 'General',
+    type: 'standard',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsChannelSchema rejects missing required fields', () => {
+  const result = TeamsChannelSchema.safeParse({
+    id: '19:channel123@thread.tacv2',
+    name: 'General',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsMessageSchema tests
+test('TeamsMessageSchema validates correct message', () => {
+  const result = TeamsMessageSchema.safeParse({
+    id: '1234567890123',
+    channel_id: '19:channel123@thread.tacv2',
+    author: {
+      id: 'user123',
+      displayName: 'Test User',
+    },
+    content: 'Hello world',
+    timestamp: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsMessageSchema rejects missing required fields', () => {
+  const result = TeamsMessageSchema.safeParse({
+    id: '1234567890123',
+    channel_id: '19:channel123@thread.tacv2',
+    content: 'Hello world',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsUserSchema tests
+test('TeamsUserSchema validates correct user', () => {
+  const result = TeamsUserSchema.safeParse({
+    id: 'user123',
+    displayName: 'Test User',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsUserSchema validates user with optional fields', () => {
+  const result = TeamsUserSchema.safeParse({
+    id: 'user123',
+    displayName: 'Test User',
+    email: 'test@example.com',
+    userPrincipalName: 'test@example.onmicrosoft.com',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsUserSchema rejects missing required fields', () => {
+  const result = TeamsUserSchema.safeParse({
+    id: 'user123',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsReactionSchema tests
+test('TeamsReactionSchema validates correct reaction', () => {
+  const result = TeamsReactionSchema.safeParse({
+    emoji: 'like',
+    count: 5,
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsReactionSchema rejects missing required fields', () => {
+  const result = TeamsReactionSchema.safeParse({
+    emoji: 'like',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsFileSchema tests
+test('TeamsFileSchema validates correct file', () => {
+  const result = TeamsFileSchema.safeParse({
+    id: 'file123',
+    name: 'document.pdf',
+    size: 1024,
+    url: 'https://teams.microsoft.com/files/...',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsFileSchema validates file with optional contentType', () => {
+  const result = TeamsFileSchema.safeParse({
+    id: 'file123',
+    name: 'document.pdf',
+    size: 1024,
+    url: 'https://teams.microsoft.com/files/...',
+    contentType: 'application/pdf',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsFileSchema rejects missing required fields', () => {
+  const result = TeamsFileSchema.safeParse({
+    id: 'file123',
+    name: 'document.pdf',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsCredentialsSchema tests
+test('TeamsCredentialsSchema validates correct credentials', () => {
+  const result = TeamsCredentialsSchema.safeParse({
+    token: 'skypetoken_value',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsCredentialsSchema validates credentials with cookie', () => {
+  const result = TeamsCredentialsSchema.safeParse({
+    token: 'skypetoken_value',
+    cookie: 'skypetoken_asm_value',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsCredentialsSchema rejects missing token', () => {
+  const result = TeamsCredentialsSchema.safeParse({})
+  expect(result.success).toBe(false)
+})
+
+// TeamsConfigSchema tests
+test('TeamsConfigSchema validates correct config', () => {
+  const result = TeamsConfigSchema.safeParse({
+    current_team: null,
+    token: 'token_value',
+    teams: {},
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsConfigSchema validates config with token_expires_at', () => {
+  const result = TeamsConfigSchema.safeParse({
+    current_team: '19:abc123@thread.tacv2',
+    token: 'token_value',
+    token_expires_at: '2024-01-01T00:00:00.000Z',
+    teams: {
+      '19:abc123@thread.tacv2': {
+        team_id: '19:abc123@thread.tacv2',
+        team_name: 'Test Team',
+      },
+    },
+  })
+  expect(result.success).toBe(true)
+})
+
+test('TeamsConfigSchema rejects missing required fields', () => {
+  const result = TeamsConfigSchema.safeParse({
+    current_team: null,
+    token: 'token_value',
+  })
+  expect(result.success).toBe(false)
+})
+
+// TeamsError tests
+test('TeamsError has correct name and code', () => {
+  const error = new TeamsError('Test error', 'TEST_CODE')
+  expect(error.name).toBe('TeamsError')
+  expect(error.message).toBe('Test error')
+  expect(error.code).toBe('TEST_CODE')
+})
+
+test('TeamsError is instance of Error', () => {
+  const error = new TeamsError('Test error', 'TEST_CODE')
+  expect(error instanceof Error).toBe(true)
+})