alvin-bot 4.20.1 → 4.20.2

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.20.2] — 2026-05-04
+
+### 🛡️ Security: Web UI loopback by default + Slack caller allowlist
+
+Two real attack surfaces closed.
+
+**Web UI binds to 127.0.0.1 by default.** Previous versions called `server.listen(port)` with no host argument, which Node interprets as "listen on all interfaces". Combined with an empty `WEB_PASSWORD` (which the login route silently treats as "anyone can log in"), this meant any device on the same LAN could log into the bot's Web UI and reach every authenticated endpoint — user list, memory contents, model switch, the WebSocket chat, etc. New default: bind to `127.0.0.1`. To restore LAN access, set `WEB_HOST=0.0.0.0` explicitly in `.env`. If both `WEB_HOST=0.0.0.0` and an empty `WEB_PASSWORD` are present, the bot logs a loud warning on startup.
+
+**Slack caller allowlist.** New `SLACK_ALLOWED_USERS` env var: comma-separated list of Slack user IDs allowed to talk to the bot (DMs, @mentions, slash commands). Empty list keeps the legacy behaviour — any workspace member can interact, which is safe iff the workspace is private to the operator. To find your Slack user ID: open your profile in Slack → "..." → "Copy member ID", or just message the bot once and read the line `[slack] caller discovered: user=U… — to lock the bot to specific users, add to .env: SLACK_ALLOWED_USERS=U…` from the logs (we log each unique caller once when the allowlist is empty).
+
+**`alvin-bot doctor` now reports both.** New `Web UI:` and `Slack:` sections flag insecure combos and show whether an allowlist is active.
+
+No schema or behaviour changes for users who already have `WEB_PASSWORD` set or only use the bot via Telegram. Telegram allowlist (`ALLOWED_USERS`) is unchanged.
+
 ## [4.20.1] — 2026-05-03
 
 ### 🛡️ Hardening for the v4.20.0 SQLite migration

package/bin/cli.js

@@ -1361,6 +1361,37 @@ async function doctor() {
     console.log(`  ❌ ALLOWED_USERS not set (nobody can message the bot)`);
   }
 
+  // ── Web UI security ──
+  console.log("\n  Web UI:");
+  const webHost = getEnv("WEB_HOST") || "127.0.0.1";
+  const webPw = getEnv("WEB_PASSWORD");
+  if (webHost === "127.0.0.1" || webHost === "::1") {
+    console.log(`  ✅ WEB_HOST=${webHost} — loopback only (LAN unreachable)`);
+  } else if (webHost === "0.0.0.0" || webHost === "*") {
+    if (webPw) {
+      console.log(`  ✅ WEB_HOST=${webHost} (LAN-reachable) + WEB_PASSWORD set`);
+    } else {
+      console.log(`  ❌ WEB_HOST=${webHost} (LAN-reachable) WITHOUT WEB_PASSWORD — anyone on LAN can log in`);
+      console.log(`     Fix: set WEB_PASSWORD in .env, or set WEB_HOST=127.0.0.1`);
+    }
+  } else {
+    console.log(`  ℹ️  WEB_HOST=${webHost}${webPw ? " + WEB_PASSWORD set" : " — WEB_PASSWORD empty"}`);
+  }
+
+  // ── Slack caller allowlist ──
+  if (getEnv("SLACK_BOT_TOKEN")) {
+    console.log("\n  Slack:");
+    const slackAllow = getEnv("SLACK_ALLOWED_USERS");
+    if (slackAllow) {
+      const ids = slackAllow.split(",").map(s => s.trim()).filter(Boolean);
+      console.log(`  ✅ SLACK_ALLOWED_USERS: ${ids.length} user${ids.length === 1 ? "" : "s"} (caller allowlist active)`);
+    } else {
+      console.log(`  ⚠️  SLACK_ALLOWED_USERS not set — any workspace member can talk to the bot`);
+      console.log(`     Safe iff the Slack workspace is private to you. Otherwise add e.g.:`);
+      console.log(`     SLACK_ALLOWED_USERS=U0ABC123,U0DEF456`);
+    }
+  }
+
   // ── Memory (semantic search backend) ──
   console.log("\n  Memory:");
   const embJson = resolve(DATA_DIR, "memory", ".embeddings.json");

package/dist/config.js

@@ -63,6 +63,20 @@ export const config = {
     sessionMode: (process.env.SESSION_MODE || "per-user"),
     webhookEnabled: process.env.WEBHOOK_ENABLED === "true",
     webhookToken: process.env.WEBHOOK_TOKEN || "",
+    // Web UI bind host. Default is 127.0.0.1 (loopback only) — set to "0.0.0.0"
+    // explicitly if you want LAN/external access. Combined with WEB_PASSWORD
+    // this is the safe default since v4.20.2; previous versions defaulted to
+    // listening on all interfaces with no auth required when WEB_PASSWORD was
+    // empty.
+    webHost: process.env.WEB_HOST || "127.0.0.1",
+    // Slack caller allowlist. Comma-separated Slack user IDs (e.g. "U0ABC123,U0DEF456").
+    // When non-empty, only these users can talk to the bot in Slack DMs and via @mention.
+    // When empty, the bot accepts any Slack workspace member (legacy behavior; safe iff
+    // the workspace is private to you).
+    slackAllowedUsers: (process.env.SLACK_ALLOWED_USERS || "")
+        .split(",")
+        .map(s => s.trim())
+        .filter(Boolean),
     // Browser
     cdpUrl: process.env.CDP_URL || "",
     browseServerPort: Number(process.env.BROWSE_SERVER_PORT) || 3800,

package/dist/platforms/slack.js

@@ -18,6 +18,32 @@
  */
 import fs from "fs";
 import { parseSlackSlashCommand } from "./slack-slash-parser.js";
+import { config } from "../config.js";
+/**
+ * v4.20.2 — Slack caller allowlist. When SLACK_ALLOWED_USERS is set in the
+ * environment (comma-separated Slack user IDs), only those users get past
+ * this gate. When the list is empty, fall back to legacy behaviour: any
+ * member of the workspace can talk to the bot. The empty-list case is safe
+ * iff the workspace is private to the operator.
+ *
+ * Slack user IDs are workspace-scoped (e.g. "U0ABC123"); rotate the list if
+ * you migrate workspaces.
+ */
+function isSlackUserAllowed(userId) {
+    if (config.slackAllowedUsers.length === 0) {
+        // No allowlist set — log each unique caller once so the operator can
+        // copy a known ID into SLACK_ALLOWED_USERS and lock the bot down.
+        if (userId && !discoveredCallers.has(userId)) {
+            discoveredCallers.add(userId);
+            console.warn(`[slack] caller discovered: user=${userId} — to lock the bot to specific users, ` +
+                `add to .env: SLACK_ALLOWED_USERS=${userId}` +
+                (discoveredCallers.size > 1 ? ` (or comma-separate multiple)` : ""));
+        }
+        return true;
+    }
+    return config.slackAllowedUsers.includes(userId);
+}
+const discoveredCallers = new Set();
 let _slackState = {
     status: "disconnected",
     botName: null,
@@ -148,6 +174,13 @@ export class SlackAdapter {
         const userId = message.user || "";
         const channelId = message.channel || "";
         const messageId = message.ts || "";
+        // v4.20.2 — caller allowlist. If SLACK_ALLOWED_USERS is set, silently
+        // ignore anyone not on the list. Empty list = legacy behaviour
+        // (any workspace member can talk to the bot — safe iff the workspace
+        // is private to the operator).
+        if (!isSlackUserAllowed(userId)) {
+            return;
+        }
         // Determine channel type
         // DMs (im) have channel_type "im", group DMs are "mpim", channels are "channel"/"group"
         const channelType = message.channel_type || "";
@@ -222,6 +255,10 @@ export class SlackAdapter {
         const channelId = command.channel_id || "";
         const userId = command.user_id || "";
         const userName = command.user_name || userId;
+        // v4.20.2 — caller allowlist for slash commands.
+        if (!isSlackUserAllowed(userId)) {
+            return;
+        }
         const incoming = {
             platform: "slack",
             messageId: `cmd-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
@@ -247,6 +284,10 @@ export class SlackAdapter {
         const userId = event.user || "";
         const channelId = event.channel || "";
         const messageId = event.ts || "";
+        // v4.20.2 — same caller allowlist as DMs.
+        if (!isSlackUserAllowed(userId)) {
+            return;
+        }
         // Strip the @mention from text
         text = text.replace(new RegExp(`<@${this.botUserId}>`, "g"), "").trim();
         if (!text)

package/dist/web/server.js

@@ -1566,7 +1566,11 @@ function scheduleBindAttempt(port, attempt) {
     // invalid backlog, kernel hiccup) can throw synchronously. Catch here
     // so the main routine never crashes during web-UI bind.
     try {
-        server.listen(port, () => {
+        // v4.20.2 — bind to config.webHost (default 127.0.0.1) so the Web UI
+        // is loopback-only unless the operator opts in by setting WEB_HOST=0.0.0.0.
+        // Empty/"*" maps to all interfaces.
+        const bindHost = (config.webHost === "*" || config.webHost === "") ? undefined : config.webHost;
+        server.listen(port, bindHost, () => {
             if (handled)
                 return; // Should be impossible; paranoia.
             handled = true;
@@ -1587,10 +1591,17 @@ function scheduleBindAttempt(port, attempt) {
             server.on("error", (err) => {
                 console.warn(`[web] post-bind server error (ignored): ${err.message}`);
             });
-            console.log(`🌐 Web UI: http://localhost:${actualWebPort}`);
+            const bindLabel = bindHost && bindHost !== "127.0.0.1" && bindHost !== "::1"
+                ? `http://${bindHost}:${actualWebPort}` + (bindHost === "0.0.0.0" ? " (LAN-reachable)" : "")
+                : `http://localhost:${actualWebPort}`;
+            console.log(`🌐 Web UI: ${bindLabel}`);
             if (actualWebPort !== originalPort) {
                 console.log(`   (Port ${originalPort} was busy, using ${actualWebPort} instead)`);
             }
+            if (bindHost === "0.0.0.0" && !process.env.WEB_PASSWORD) {
+                console.warn("⚠️ Web UI is bound to 0.0.0.0 but WEB_PASSWORD is empty — anyone on the LAN can log in. " +
+                    "Set WEB_PASSWORD in ~/.alvin-bot/.env or set WEB_HOST=127.0.0.1.");
+            }
         });
     }
     catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.20.1",
+  "version": "4.20.2",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",