anyagent-bridge 0.5.0

package/server/auth/providers/google.js

@@ -0,0 +1,44 @@
+/**
+ * AnyAgent Bridge — Google OAuth provider (Stage 3)
+ *
+ * OpenID Connect authorization-code flow with PKCE. Identity comes from the
+ * UserInfo endpoint using the freshly-issued access token (no JWT verification
+ * needed: the token was obtained directly from Google's token endpoint over TLS
+ * with the client secret). The allow-key is the verified email.
+ */
+
+module.exports = {
+  id: 'google',
+  label: 'Google',
+  scope: 'openid email profile',
+  authUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
+  tokenUrl: 'https://oauth2.googleapis.com/token',
+  usePkce: true,
+  extraAuthParams: { access_type: 'online', prompt: 'select_account' },
+
+  async fetchIdentity(accessToken) {
+    const res = await fetch('https://openidconnect.googleapis.com/v1/userinfo', {
+      headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' }
+    });
+    if (!res.ok) throw new Error(`Google userinfo ${res.status}`);
+    const u = await res.json();
+    return {
+      sub: u.sub,
+      email: u.email || null,
+      emailVerified: u.email_verified === true || u.email_verified === 'true',
+      name: u.name || u.email || null
+    };
+  },
+
+  // What the operator allowlist matches against, and what gets claimed.
+  allowKey(identity) {
+    return identity.email ? String(identity.email).toLowerCase() : null;
+  },
+
+  // Reject identities that cannot be safely authorized.
+  validate(identity) {
+    if (!identity.email) return 'Google account has no email';
+    if (!identity.emailVerified) return 'Google email is not verified';
+    return null;
+  }
+};

package/server/auth/sessions.js

@@ -0,0 +1,160 @@
+/**
+ * AnyAgent Bridge — SessionStore (Stage 3)
+ *
+ * Issues and validates signed, expiring login sessions. A session token is
+ * stateless-signed (HMAC-SHA256 over the payload) AND tracked server-side by id,
+ * so it can be listed and revoked — logout and "sign out everywhere" are real,
+ * not cosmetic. Persisted to .data/auth-sessions.json so logins survive a
+ * server restart (mirrors sessions.json for terminals).
+ *
+ * Token format:  base64url(JSON{id,sub,exp}) + "." + base64url(HMAC-SHA256)
+ * Validation requires: good signature, not expired, and id still present in the
+ * store (deleting the id == revoking the token).
+ */
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+
+class SessionStore {
+  constructor({ secret, ttlMs, filePath, logger } = {}) {
+    if (!secret) throw new Error('SessionStore requires a signing secret');
+    this.secret = secret;
+    this.ttlMs = ttlMs || 12 * 60 * 60 * 1000;
+    this.filePath = filePath;
+    this.logger = logger || console;
+    this.sessions = new Map(); // id -> meta
+    this._load();
+  }
+
+  _sign(payload) {
+    const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const sig = crypto.createHmac('sha256', this.secret).update(body).digest('base64url');
+    return `${body}.${sig}`;
+  }
+
+  /** Mint a new session for a principal. Returns { token, session }. */
+  mint({ sub, provider, name, email, ip, ttlMs } = {}) {
+    const id = crypto.randomBytes(16).toString('hex');
+    const iat = Date.now();
+    const exp = iat + (ttlMs || this.ttlMs);
+    const session = {
+      id,
+      sub: sub || 'unknown',
+      provider: provider || 'token',
+      name: name || null,
+      email: email || null,
+      ip: ip || null,
+      iat,
+      exp,
+      lastSeen: iat
+    };
+    this.sessions.set(id, session);
+    this._persist();
+    const token = this._sign({ id, sub: session.sub, exp });
+    return { token, session };
+  }
+
+  /**
+   * Verify a candidate token. Returns the live session meta on success, or null.
+   * Signature is checked BEFORE the payload is parsed (never trust unverified
+   * bytes). Touches lastSeen on success.
+   */
+  verify(token) {
+    if (!token || typeof token !== 'string') return null;
+    const dot = token.indexOf('.');
+    if (dot <= 0 || dot === token.length - 1) return null;
+
+    const body = token.slice(0, dot);
+    const sig = token.slice(dot + 1);
+    const expected = crypto.createHmac('sha256', this.secret).update(body).digest('base64url');
+    const a = Buffer.from(sig);
+    const b = Buffer.from(expected);
+    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
+
+    let payload;
+    try {
+      payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
+    } catch (e) {
+      return null;
+    }
+    if (!payload || !payload.id || !payload.exp) return null;
+    if (Date.now() > payload.exp) { this._drop(payload.id); return null; }
+
+    const meta = this.sessions.get(payload.id);
+    if (!meta) return null;                          // revoked or unknown id
+    if (Date.now() > meta.exp) { this._drop(payload.id); return null; }
+
+    meta.lastSeen = Date.now();
+    return meta;
+  }
+
+  revoke(id) {
+    const existed = this.sessions.delete(id);
+    if (existed) this._persist();
+    return existed;
+  }
+
+  list() {
+    this._pruneExpired();
+    return Array.from(this.sessions.values()).map(s => ({
+      id: s.id,
+      sub: s.sub,
+      provider: s.provider,
+      name: s.name,
+      email: s.email,
+      ip: s.ip,
+      iat: s.iat,
+      exp: s.exp,
+      lastSeen: s.lastSeen
+    }));
+  }
+
+  count() {
+    this._pruneExpired();
+    return this.sessions.size;
+  }
+
+  _drop(id) {
+    if (this.sessions.delete(id)) this._persist();
+  }
+
+  _pruneExpired() {
+    const now = Date.now();
+    let changed = false;
+    for (const [id, meta] of this.sessions.entries()) {
+      if (now > meta.exp) { this.sessions.delete(id); changed = true; }
+    }
+    if (changed) this._persist();
+  }
+
+  _load() {
+    if (!this.filePath) return;
+    try {
+      if (fs.existsSync(this.filePath)) {
+        const data = JSON.parse(fs.readFileSync(this.filePath, 'utf8'));
+        const list = Array.isArray(data.sessions) ? data.sessions : [];
+        const now = Date.now();
+        for (const s of list) {
+          if (s && s.id && s.exp && now < s.exp) this.sessions.set(s.id, s);
+        }
+      }
+    } catch (e) {
+      this.logger.error(`[Auth] Failed to load sessions: ${e.message}`);
+    }
+  }
+
+  _persist() {
+    if (!this.filePath) return;
+    try {
+      const tmp = this.filePath + '.tmp';
+      const data = JSON.stringify({ sessions: Array.from(this.sessions.values()) }, null, 2);
+      fs.writeFileSync(tmp, data, { mode: 0o600 });
+      fs.renameSync(tmp, this.filePath); // atomic replace
+    } catch (e) {
+      this.logger.error(`[Auth] Failed to persist sessions: ${e.message}`);
+    }
+  }
+}
+
+module.exports = SessionStore;

package/server/auth/store.js

@@ -0,0 +1,135 @@
+/**
+ * AnyAgent Bridge — AuthStore (Stage 3)
+ *
+ * Persists the long-lived auth state that is NOT a session:
+ *   - TOTP enrollment (active secret + hashed one-time recovery codes)
+ *   - a pending (not-yet-confirmed) TOTP secret during setup
+ *   - OAuth "claimed" identities (first-user-claim / TOFU records)
+ *
+ * Written to .data/auth-users.json with 0600 perms and atomic replace. Secrets
+ * live here, never in the git-tracked config. The session signing secret is kept
+ * in a separate file so this one can be inspected without leaking it.
+ */
+
+const crypto = require('crypto');
+const fs = require('fs');
+
+function hashCode(code) {
+  return crypto.createHash('sha256').update(String(code)).digest('hex');
+}
+
+class AuthStore {
+  constructor({ filePath, logger } = {}) {
+    this.filePath = filePath;
+    this.logger = logger || console;
+    this.data = {
+      totp: { confirmed: false, secret: null, confirmedAt: null, recoveryCodes: [], lastCounter: 0 },
+      totpPending: { secret: null, createdAt: null },
+      oauthClaimed: { google: [], github: [] }
+    };
+    this._load();
+  }
+
+  _load() {
+    if (!this.filePath) return;
+    try {
+      if (fs.existsSync(this.filePath)) {
+        const parsed = JSON.parse(fs.readFileSync(this.filePath, 'utf8'));
+        this.data = {
+          totp: { confirmed: false, secret: null, confirmedAt: null, recoveryCodes: [], lastCounter: 0, ...(parsed.totp || {}) },
+          totpPending: { secret: null, createdAt: null, ...(parsed.totpPending || {}) },
+          oauthClaimed: { google: [], github: [], ...(parsed.oauthClaimed || {}) }
+        };
+      }
+    } catch (e) {
+      this.logger.error(`[Auth] Failed to load auth store: ${e.message}`);
+    }
+  }
+
+  _persist() {
+    if (!this.filePath) return;
+    try {
+      const tmp = this.filePath + '.tmp';
+      fs.writeFileSync(tmp, JSON.stringify(this.data, null, 2), { mode: 0o600 });
+      fs.renameSync(tmp, this.filePath);
+    } catch (e) {
+      this.logger.error(`[Auth] Failed to persist auth store: ${e.message}`);
+    }
+  }
+
+  // ── TOTP ───────────────────────────────────────────────────────────────────
+  get totpConfirmed() { return !!this.data.totp.confirmed; }
+  get totpSecret() { return this.data.totp.secret; }
+
+  setPendingTotp(secret) {
+    this.data.totpPending = { secret, createdAt: Date.now() };
+    this._persist();
+  }
+
+  getPendingTotp() { return this.data.totpPending.secret; }
+
+  /** Promote the pending secret to active and store hashed recovery codes. */
+  confirmTotp(secret, recoveryCodesPlain, initialCounter) {
+    this.data.totp = {
+      confirmed: true,
+      secret,
+      confirmedAt: Date.now(),
+      recoveryCodes: (recoveryCodesPlain || []).map(c => ({ hash: hashCode(c), used: false })),
+      // Baseline the replay counter to the code that confirmed enrollment, so that
+      // same code cannot be immediately replayed to log in.
+      lastCounter: Number.isFinite(initialCounter) ? initialCounter : 0
+    };
+    this.data.totpPending = { secret: null, createdAt: null };
+    this._persist();
+  }
+
+  disableTotp() {
+    this.data.totp = { confirmed: false, secret: null, confirmedAt: null, recoveryCodes: [], lastCounter: 0 };
+    this.data.totpPending = { secret: null, createdAt: null };
+    this._persist();
+  }
+
+  // Replay guard: the highest TOTP step counter accepted so far. A code at a
+  // counter <= this must be rejected as a replay (RFC 6238 §5.2).
+  getTotpLastCounter() { return this.data.totp.lastCounter || 0; }
+  setTotpLastCounter(counter) {
+    if (Number.isFinite(counter) && counter > (this.data.totp.lastCounter || 0)) {
+      this.data.totp.lastCounter = counter;
+      this._persist();
+    }
+  }
+
+  /** Consume a one-time recovery code (constant-time hash compare). */
+  useRecoveryCode(code) {
+    const target = Buffer.from(hashCode(String(code).replace(/\s+/g, '')), 'hex');
+    let match = null;
+    for (const rc of this.data.totp.recoveryCodes) {
+      if (rc.used) continue;
+      const h = Buffer.from(rc.hash, 'hex');
+      if (h.length === target.length && crypto.timingSafeEqual(h, target)) match = rc;
+    }
+    if (!match) return false;
+    match.used = true;
+    this._persist();
+    return true;
+  }
+
+  recoveryCodesRemaining() {
+    return this.data.totp.recoveryCodes.filter(rc => !rc.used).length;
+  }
+
+  // ── OAuth claim (TOFU) ───────────────────────────────────────────────────────
+  getClaimed(provider) {
+    return Array.isArray(this.data.oauthClaimed[provider]) ? this.data.oauthClaimed[provider] : [];
+  }
+
+  claim(provider, key) {
+    if (!this.data.oauthClaimed[provider]) this.data.oauthClaimed[provider] = [];
+    if (!this.data.oauthClaimed[provider].includes(key)) {
+      this.data.oauthClaimed[provider].push(key);
+      this._persist();
+    }
+  }
+}
+
+module.exports = { AuthStore, hashCode };

package/server/auth/totp.js

@@ -0,0 +1,140 @@
+/**
+ * AnyAgent Bridge — TOTP (Stage 3)
+ *
+ * RFC 4226 (HOTP) + RFC 6238 (TOTP), implemented with only Node's `crypto`.
+ * No new npm dependency. Compatible with Google Authenticator / 1Password /
+ * Authy (SHA1, 6 digits, 30s period, base32 secret).
+ *
+ * Pure functions — no state, no I/O. The store/manager own persistence.
+ */
+
+const crypto = require('crypto');
+
+// RFC 4648 base32 alphabet (no padding on encode; padding tolerated on decode).
+const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+function base32Encode(buf) {
+  let bits = 0;
+  let value = 0;
+  let out = '';
+  for (let i = 0; i < buf.length; i++) {
+    value = (value << 8) | buf[i];
+    bits += 8;
+    while (bits >= 5) {
+      out += B32_ALPHABET[(value >>> (bits - 5)) & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    out += B32_ALPHABET[(value << (5 - bits)) & 31];
+  }
+  return out;
+}
+
+function base32Decode(str) {
+  const clean = String(str).toUpperCase().replace(/\s+/g, '').replace(/=+$/, '');
+  let bits = 0;
+  let value = 0;
+  const out = [];
+  for (const ch of clean) {
+    const idx = B32_ALPHABET.indexOf(ch);
+    if (idx === -1) continue; // ignore anything outside the alphabet
+    value = (value << 5) | idx;
+    bits += 5;
+    if (bits >= 8) {
+      out.push((value >>> (bits - 8)) & 0xff);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(out);
+}
+
+/** A fresh random base32 secret (default 20 bytes = 160 bits, RFC 4226 §4). */
+function generateSecret(bytes = 20) {
+  return base32Encode(crypto.randomBytes(bytes));
+}
+
+/** HOTP value for a given counter. Counter is treated as a 64-bit big-endian int. */
+function hotp(secretBase32, counter, digits = 6) {
+  const key = base32Decode(secretBase32);
+  const buf = Buffer.alloc(8);
+  // Split into hi/lo 32-bit words so counters above 2^32 stay correct.
+  const hi = Math.floor(counter / 0x100000000);
+  const lo = counter % 0x100000000;
+  buf.writeUInt32BE(hi, 0);
+  buf.writeUInt32BE(lo, 4);
+
+  const hmac = crypto.createHmac('sha1', key).update(buf).digest();
+  const offset = hmac[hmac.length - 1] & 0x0f;
+  const bin = ((hmac[offset] & 0x7f) << 24) |
+              ((hmac[offset + 1] & 0xff) << 16) |
+              ((hmac[offset + 2] & 0xff) << 8) |
+              (hmac[offset + 3] & 0xff);
+  const otp = bin % Math.pow(10, digits);
+  return String(otp).padStart(digits, '0');
+}
+
+/** Current TOTP value. `opts.now` (ms) overridable for tests. */
+function totp(secretBase32, opts = {}) {
+  const step = opts.step || 30;
+  const now = opts.now != null ? opts.now : Date.now();
+  const counter = Math.floor((now / 1000) / step);
+  return hotp(secretBase32, counter, opts.digits || 6);
+}
+
+/**
+ * Return the matched step counter for a user-supplied code (allowing ±`window`
+ * steps of drift), or -1 if it matches no step. Constant-time per candidate.
+ * The counter is what the caller persists to prevent replay (RFC 6238 §5.2):
+ * a code at counter <= the last accepted counter must be rejected.
+ */
+function matchCounter(secretBase32, code, opts = {}) {
+  if (!secretBase32 || code == null) return -1;
+  const cleaned = String(code).replace(/\s+/g, '');
+  if (!/^\d{6,8}$/.test(cleaned)) return -1;
+
+  const step = opts.step || 30;
+  const digits = opts.digits || 6;
+  const window = opts.window != null ? opts.window : 1;
+  const now = opts.now != null ? opts.now : Date.now();
+  const counter = Math.floor((now / 1000) / step);
+
+  const candidate = Buffer.from(cleaned);
+  for (let i = -window; i <= window; i++) {
+    if (counter + i < 0) continue; // negative counters are not valid TOTP steps
+    const expected = Buffer.from(hotp(secretBase32, counter + i, digits));
+    if (expected.length === candidate.length && crypto.timingSafeEqual(expected, candidate)) {
+      return counter + i;
+    }
+  }
+  return -1;
+}
+
+/**
+ * Verify a user-supplied code against a secret, allowing ±`window` steps of
+ * clock drift (default ±1 = ±30s). Boolean convenience over matchCounter().
+ * NOTE: this does NOT prevent replay on its own — callers that need replay
+ * protection must use matchCounter() and persist the accepted counter.
+ */
+function verifyTotp(secretBase32, code, opts = {}) {
+  return matchCounter(secretBase32, code, opts) >= 0;
+}
+
+/** otpauth:// provisioning URI for authenticator-app QR codes / manual entry. */
+function provisioningUri(secretBase32, label, issuer) {
+  const fullLabel = issuer ? `${issuer}:${label}` : label;
+  const params = new URLSearchParams({ secret: secretBase32, algorithm: 'SHA1', digits: '6', period: '30' });
+  if (issuer) params.set('issuer', issuer);
+  return `otpauth://totp/${encodeURIComponent(fullLabel)}?${params.toString()}`;
+}
+
+module.exports = {
+  base32Encode,
+  base32Decode,
+  generateSecret,
+  hotp,
+  totp,
+  matchCounter,
+  verifyTotp,
+  provisioningUri
+};