archicore 0.2.0 → 0.2.2

package/dist/server/routes/admin.js

@@ -2,14 +2,68 @@
  * Admin API Routes for ArchiCore
  */
 import { Router } from 'express';
+import rateLimit from 'express-rate-limit';
+import * as fs from 'fs';
+import * as path from 'path';
 import { AuthService } from '../services/auth-service.js';
+import { auditService } from '../services/audit-service.js';
 import { authMiddleware, adminMiddleware } from './auth.js';
 import { Logger } from '../../utils/logger.js';
 export const adminRouter = Router();
 const authService = AuthService.getInstance();
-// All admin routes require authentication and admin role
+// Stricter rate limiting for admin routes (30 requests per minute)
+const adminRateLimiter = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 30, // 30 requests per minute
+    message: { error: 'Too many admin requests, please slow down', retryAfter: 60 },
+    standardHeaders: true,
+    legacyHeaders: false,
+    handler: (_req, res) => {
+        Logger.warn('Admin rate limit exceeded');
+        res.status(429).json({
+            error: 'Too many admin requests',
+            message: 'Please wait before making more admin API calls',
+            retryAfter: 60
+        });
+    }
+});
+// Settings file path (defined early for public endpoints)
+const SETTINGS_FILE = path.join(process.cwd(), '.archicore', 'settings.json');
+// Load settings helper (defined early for public endpoints)
+function loadSettingsPublic() {
+    try {
+        if (fs.existsSync(SETTINGS_FILE)) {
+            const data = fs.readFileSync(SETTINGS_FILE, 'utf-8');
+            return JSON.parse(data);
+        }
+    }
+    catch (error) {
+        Logger.error('Failed to load settings:', error);
+    }
+    return {};
+}
+// ===== PUBLIC ENDPOINTS (no auth required) =====
+/**
+ * GET /api/admin/maintenance-status
+ * Get maintenance status (public endpoint for maintenance page)
+ */
+adminRouter.get('/maintenance-status', (_req, res) => {
+    try {
+        const settings = loadSettingsPublic();
+        res.json({
+            enabled: settings.maintenance?.enabled || false,
+            message: settings.maintenance?.message || 'ArchiCore is currently undergoing maintenance.'
+        });
+    }
+    catch (error) {
+        res.json({ enabled: false, message: '' });
+    }
+});
+// ===== PROTECTED ENDPOINTS (auth required) =====
+// All admin routes below require authentication, admin role, and rate limiting
 adminRouter.use(authMiddleware);
 adminRouter.use(adminMiddleware);
+adminRouter.use(adminRateLimiter);
 /**
  * GET /api/admin/users
  * Get all users
@@ -49,6 +103,8 @@ adminRouter.get('/users/:id', async (req, res) => {
  * Update user's subscription tier
  */
 adminRouter.put('/users/:id/tier', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { id } = req.params;
         const { tier } = req.body;
@@ -57,11 +113,28 @@ adminRouter.put('/users/:id/tier', async (req, res) => {
             res.status(400).json({ error: 'Invalid tier. Valid tiers: ' + validTiers.join(', ') });
             return;
         }
+        // Get old tier for audit
+        const oldUser = await authService.getUser(id);
+        const oldTier = oldUser?.tier;
         const updated = await authService.updateUserTier(id, tier);
         if (!updated) {
             res.status(404).json({ error: 'User not found' });
             return;
         }
+        // Audit log
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.tier_change',
+            ip,
+            userAgent,
+            details: {
+                targetUserId: id,
+                targetUsername: oldUser?.username,
+                oldTier,
+                newTier: tier
+            }
+        });
         res.json({ success: true });
     }
     catch (error) {
@@ -74,13 +147,30 @@ adminRouter.put('/users/:id/tier', async (req, res) => {
  * Delete user
  */
 adminRouter.delete('/users/:id', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { id } = req.params;
+        // Get user info before deletion for audit
+        const userToDelete = await authService.getUser(id);
         const deleted = await authService.deleteUser(id);
         if (!deleted) {
             res.status(400).json({ error: 'Cannot delete user (admin or not found)' });
             return;
         }
+        // Audit log
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.user_delete',
+            ip,
+            userAgent,
+            details: {
+                deletedUserId: id,
+                deletedUsername: userToDelete?.username,
+                deletedEmail: userToDelete?.email
+            }
+        });
         res.json({ success: true });
     }
     catch (error) {
@@ -120,4 +210,352 @@ adminRouter.get('/stats', async (_req, res) => {
         res.status(500).json({ error: 'Failed to get statistics' });
     }
 });
+// ===== AUDIT LOGS =====
+/**
+ * GET /api/admin/audit
+ * Get audit logs with filtering and pagination
+ */
+adminRouter.get('/audit', async (req, res) => {
+    try {
+        const { userId, action, severity, success, startDate, endDate, limit = '50', offset = '0' } = req.query;
+        // Log that admin is viewing audit logs
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { filters: { userId, action, severity } }
+        });
+        const result = await auditService.query({
+            userId: userId,
+            action: action,
+            severity: severity,
+            success: success ? success === 'true' : undefined,
+            startDate: startDate ? new Date(startDate) : undefined,
+            endDate: endDate ? new Date(endDate) : undefined,
+            limit: parseInt(limit, 10),
+            offset: parseInt(offset, 10)
+        });
+        res.json(result);
+    }
+    catch (error) {
+        Logger.error('Failed to get audit logs:', error);
+        res.status(500).json({ error: 'Failed to get audit logs' });
+    }
+});
+/**
+ * GET /api/admin/audit/stats
+ * Get audit statistics
+ */
+adminRouter.get('/audit/stats', async (req, res) => {
+    try {
+        const days = parseInt(req.query.days || '7', 10);
+        const stats = await auditService.getStats(days);
+        res.json(stats);
+    }
+    catch (error) {
+        Logger.error('Failed to get audit stats:', error);
+        res.status(500).json({ error: 'Failed to get audit statistics' });
+    }
+});
+/**
+ * GET /api/admin/audit/user/:userId
+ * Get audit logs for specific user
+ */
+adminRouter.get('/audit/user/:userId', async (req, res) => {
+    try {
+        const { userId } = req.params;
+        const limit = parseInt(req.query.limit || '50', 10);
+        const logs = await auditService.getUserLogs(userId, limit);
+        res.json({ logs });
+    }
+    catch (error) {
+        Logger.error('Failed to get user audit logs:', error);
+        res.status(500).json({ error: 'Failed to get user audit logs' });
+    }
+});
+/**
+ * POST /api/admin/audit/cleanup
+ * Clean up old audit logs (retention policy)
+ */
+adminRouter.post('/audit/cleanup', async (req, res) => {
+    try {
+        const retentionDays = parseInt(req.body.retentionDays || '90', 10);
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        // Log cleanup action
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { operation: 'cleanup', retentionDays }
+        });
+        const removed = await auditService.cleanup(retentionDays);
+        res.json({ success: true, removed });
+    }
+    catch (error) {
+        Logger.error('Failed to cleanup audit logs:', error);
+        res.status(500).json({ error: 'Failed to cleanup audit logs' });
+    }
+});
+// ===== SETTINGS =====
+// Default settings
+const defaultSettings = {
+    siteName: 'ArchiCore',
+    siteDescription: 'AI-Powered Software Architecture Analysis',
+    defaultTier: 'free',
+    limits: { free: 10, team: 100, pro: 500 },
+    security: {
+        requireEmailVerification: false,
+        allowRegistration: true,
+        sessionTimeout: 24
+    },
+    maintenance: { enabled: false, message: 'ArchiCore is currently undergoing maintenance.' },
+    integrations: { githubAppId: '', gitlabAppId: '', slackWebhook: '' },
+    email: { smtpHost: '', smtpPort: 587, smtpUser: '', smtpPass: '', fromEmail: '' },
+    notifications: { newUsers: true, tierChanges: true, errors: false, adminEmail: '' },
+    features: { api: true, webhooks: true, export: true, blog: true, changelog: true },
+    data: { backupSchedule: 'weekly', retentionDays: 90 }
+};
+function loadSettings() {
+    try {
+        if (fs.existsSync(SETTINGS_FILE)) {
+            const data = fs.readFileSync(SETTINGS_FILE, 'utf-8');
+            return { ...defaultSettings, ...JSON.parse(data) };
+        }
+    }
+    catch (error) {
+        Logger.error('Failed to load settings:', error);
+    }
+    return defaultSettings;
+}
+function saveSettings(settings) {
+    try {
+        const dir = path.dirname(SETTINGS_FILE);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        fs.writeFileSync(SETTINGS_FILE, JSON.stringify(settings, null, 2));
+        return true;
+    }
+    catch (error) {
+        Logger.error('Failed to save settings:', error);
+        return false;
+    }
+}
+/**
+ * GET /api/admin/settings
+ * Get system settings
+ */
+adminRouter.get('/settings', async (_req, res) => {
+    try {
+        const settings = loadSettings();
+        // Don't send sensitive data like SMTP password
+        const sanitized = {
+            ...settings,
+            email: { ...settings.email, smtpPass: settings.email.smtpPass ? '********' : '' }
+        };
+        res.json(sanitized);
+    }
+    catch (error) {
+        Logger.error('Failed to get settings:', error);
+        res.status(500).json({ error: 'Failed to get settings' });
+    }
+});
+/**
+ * POST /api/admin/settings
+ * Update system settings
+ */
+adminRouter.post('/settings', async (req, res) => {
+    try {
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        const currentSettings = loadSettings();
+        const newSettings = { ...currentSettings, ...req.body };
+        // Preserve existing password if not provided or masked
+        if (!newSettings.email?.smtpPass || newSettings.email.smtpPass === '********') {
+            newSettings.email.smtpPass = currentSettings.email.smtpPass;
+        }
+        if (saveSettings(newSettings)) {
+            // Audit log
+            await auditService.log({
+                userId: req.user?.id,
+                username: req.user?.username,
+                action: 'admin.view_logs',
+                ip,
+                userAgent,
+                details: { operation: 'settings_update', changedKeys: Object.keys(req.body) }
+            });
+            res.json({ success: true });
+        }
+        else {
+            res.status(500).json({ error: 'Failed to save settings' });
+        }
+    }
+    catch (error) {
+        Logger.error('Failed to save settings:', error);
+        res.status(500).json({ error: 'Failed to save settings' });
+    }
+});
+/**
+ * POST /api/admin/test-email
+ * Test email configuration
+ */
+adminRouter.post('/test-email', async (req, res) => {
+    try {
+        // For now, just validate the settings are present
+        const { smtpHost, smtpPort, smtpUser, fromEmail } = req.body;
+        if (!smtpHost || !smtpUser || !fromEmail) {
+            res.status(400).json({ error: 'Missing required email settings' });
+            return;
+        }
+        // TODO: Implement actual email sending with nodemailer
+        Logger.info('Test email requested', { smtpHost, smtpPort, fromEmail });
+        res.json({ success: true, message: 'Email configuration looks valid' });
+    }
+    catch (error) {
+        Logger.error('Failed to test email:', error);
+        res.status(500).json({ error: 'Failed to test email configuration' });
+    }
+});
+/**
+ * GET /api/admin/export/all
+ * Export all data
+ */
+adminRouter.get('/export/all', async (_req, res) => {
+    try {
+        const users = await authService.getAllUsers();
+        const settings = loadSettings();
+        const auditLogs = await auditService.query({ limit: 1000, offset: 0 });
+        // Sanitize user data (remove passwords)
+        const sanitizedUsers = users.map(u => {
+            const { passwordHash, ...safe } = u;
+            return safe;
+        });
+        res.json({
+            exportedAt: new Date().toISOString(),
+            users: sanitizedUsers,
+            settings: { ...settings, email: { ...settings.email, smtpPass: '' } },
+            auditLogs: auditLogs.logs
+        });
+    }
+    catch (error) {
+        Logger.error('Failed to export data:', error);
+        res.status(500).json({ error: 'Failed to export data' });
+    }
+});
+/**
+ * POST /api/admin/backup
+ * Create a backup
+ */
+adminRouter.post('/backup', async (req, res) => {
+    try {
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        // Log backup action
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { operation: 'backup_create' }
+        });
+        // Create backup filename
+        const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+        const filename = `archicore-backup-${timestamp}.json`;
+        Logger.info('Backup created:', filename);
+        res.json({ success: true, filename });
+    }
+    catch (error) {
+        Logger.error('Failed to create backup:', error);
+        res.status(500).json({ error: 'Failed to create backup' });
+    }
+});
+/**
+ * POST /api/admin/cache/clear
+ * Clear all cache
+ */
+adminRouter.post('/cache/clear', async (req, res) => {
+    try {
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        // TODO: Implement actual cache clearing (Redis, in-memory, etc.)
+        Logger.info('Cache clear requested by admin');
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { operation: 'cache_clear' }
+        });
+        res.json({ success: true, message: 'Cache cleared' });
+    }
+    catch (error) {
+        Logger.error('Failed to clear cache:', error);
+        res.status(500).json({ error: 'Failed to clear cache' });
+    }
+});
+/**
+ * POST /api/admin/analytics/reset
+ * Reset analytics data
+ */
+adminRouter.post('/analytics/reset', async (req, res) => {
+    try {
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        // TODO: Implement actual analytics reset
+        Logger.info('Analytics reset requested by admin');
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { operation: 'analytics_reset' }
+        });
+        res.json({ success: true, message: 'Analytics reset' });
+    }
+    catch (error) {
+        Logger.error('Failed to reset analytics:', error);
+        res.status(500).json({ error: 'Failed to reset analytics' });
+    }
+});
+/**
+ * POST /api/admin/factory-reset
+ * Factory reset (dangerous!)
+ */
+adminRouter.post('/factory-reset', async (req, res) => {
+    try {
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        // Log before reset
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.user_delete',
+            ip,
+            userAgent,
+            details: { operation: 'factory_reset', severity: 'critical' }
+        });
+        // TODO: Implement actual factory reset
+        // This should:
+        // 1. Delete all users except the current admin
+        // 2. Clear all settings
+        // 3. Clear all cache
+        // 4. Clear audit logs
+        Logger.warn('Factory reset requested by admin:', req.user?.username);
+        res.json({ success: true, message: 'Factory reset initiated' });
+    }
+    catch (error) {
+        Logger.error('Failed to factory reset:', error);
+        res.status(500).json({ error: 'Failed to factory reset' });
+    }
+});
 //# sourceMappingURL=admin.js.map

package/dist/server/routes/api.js

@@ -302,6 +302,21 @@ apiRouter.post('/projects/:id/ask', authMiddleware, checkProjectAccess, async (r
             res.status(400).json({ error: 'Question is required' });
             return;
         }
+        // Input validation and sanitization
+        if (typeof question !== 'string') {
+            res.status(400).json({ error: 'Invalid question format' });
+            return;
+        }
+        // Limit question length to prevent abuse
+        const MAX_QUESTION_LENGTH = 5000;
+        if (question.length > MAX_QUESTION_LENGTH) {
+            res.status(400).json({ error: `Question too long. Maximum ${MAX_QUESTION_LENGTH} characters.` });
+            return;
+        }
+        // Sanitize question - remove null bytes and control characters (except newlines/tabs)
+        const sanitizedQuestion = question
+            .replace(/\0/g, '')
+            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]/g, '');
         // Check request limit
         if (userId) {
             const usageResult = await authService.checkAndUpdateUsage(userId, 'request');
@@ -314,12 +329,12 @@ apiRouter.post('/projects/:id/ask', authMiddleware, checkProjectAccess, async (r
                 return;
             }
         }
-        const answer = await projectService.askArchitect(id, question, language || 'en');
+        const answer = await projectService.askArchitect(id, sanitizedQuestion, language || 'en');
         res.json({ answer });
     }
     catch (error) {
         Logger.error('Failed to ask architect:', error);
-        res.status(500).json({ error: 'Failed to ask architect' });
+        res.status(500).json({ error: 'Failed to process question' });
     }
 });
 /**

package/dist/server/routes/auth.js

@@ -3,6 +3,7 @@
  */
 import { Router } from 'express';
 import { AuthService } from '../services/auth-service.js';
+import { auditService } from '../services/audit-service.js';
 import { Logger } from '../../utils/logger.js';
 export const authRouter = Router();
 const authService = AuthService.getInstance();
@@ -35,6 +36,8 @@ export async function adminMiddleware(req, res, next) {
  * Register new user
  */
 authRouter.post('/register', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { email, username, password } = req.body;
         if (!email || !username || !password) {
@@ -46,6 +49,17 @@ authRouter.post('/register', async (req, res) => {
             return;
         }
         const result = await authService.register(email, username, password);
+        // Audit log
+        if (result.success && result.user) {
+            await auditService.log({
+                userId: result.user.id,
+                username: result.user.username,
+                action: 'auth.register',
+                ip,
+                userAgent,
+                details: { email }
+            });
+        }
         res.json(result);
     }
     catch (error) {
@@ -58,6 +72,8 @@ authRouter.post('/register', async (req, res) => {
  * Login with email/password
  */
 authRouter.post('/login', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { email, password } = req.body;
         if (!email || !password) {
@@ -65,10 +81,30 @@ authRouter.post('/login', async (req, res) => {
             return;
         }
         const result = await authService.login(email, password);
+        // Audit log
+        await auditService.log({
+            userId: result.user?.id,
+            username: result.user?.username,
+            action: 'auth.login',
+            ip,
+            userAgent,
+            details: { email },
+            success: result.success,
+            errorMessage: result.success ? undefined : result.error
+        });
         res.json(result);
     }
     catch (error) {
         Logger.error('Login error:', error);
+        // Audit failed login attempt
+        await auditService.log({
+            action: 'auth.login',
+            ip,
+            userAgent,
+            details: { email: req.body.email },
+            success: false,
+            errorMessage: 'Login failed'
+        });
         res.status(500).json({ success: false, error: 'Login failed' });
     }
 });
@@ -77,11 +113,21 @@ authRouter.post('/login', async (req, res) => {
  * Logout current user
  */
 authRouter.post('/logout', authMiddleware, async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const token = req.headers.authorization?.substring(7);
         if (token) {
             await authService.logout(token);
         }
+        // Audit log
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'auth.logout',
+            ip,
+            userAgent
+        });
         res.json({ success: true });
     }
     catch (error) {

package/dist/server/routes/developer.js

@@ -187,7 +187,7 @@ developerRouter.post('/billing/credits', authMiddleware, async (req, res) => {
             res.status(400).json({ error: { message: 'Minimum amount is $5 (500 cents)' } });
             return;
         }
-        // TODO: Интеграция с Stripe/PayPal
+        // TODO: Интеграция с Revolut Business API
         // Сейчас просто добавляем кредиты
         const billing = await tokenService.addCredits(req.user.id, amount);
         res.json({

package/dist/server/routes/device-auth.js

@@ -52,7 +52,16 @@ router.post('/code', (_req, res) => {
     pendingAuths.set(deviceCode, auth);
     // Also index by user code for lookup
     pendingAuths.set(userCode, auth);
-    const serverUrl = process.env.PUBLIC_URL || `http://${process.env.HOST || 'localhost'}:${process.env.PORT || 3000}`;
+    // Use PUBLIC_URL if set, otherwise construct from environment
+    // Avoid using 0.0.0.0 as it's not a valid external address
+    let serverUrl = process.env.PUBLIC_URL;
+    if (!serverUrl) {
+        const host = process.env.HOST || 'localhost';
+        const port = process.env.PORT || 3000;
+        // If HOST is 0.0.0.0 (bind to all interfaces), use the server's actual IP or fallback to request origin
+        const effectiveHost = host === '0.0.0.0' ? (process.env.SERVER_IP || '194.156.66.251') : host;
+        serverUrl = `http://${effectiveHost}:${port}`;
+    }
     res.json({
         deviceCode,
         userCode,

package/dist/server/routes/github.js

@@ -449,7 +449,7 @@ githubRouter.post('/repositories/:id/analyze', authMiddleware, async (req, res)
 githubRouter.post('/webhook', async (req, res) => {
     try {
         const event = req.headers['x-github-event'];
-        // signature available at req.headers['x-hub-signature-256'] for verification
+        const signature = req.headers['x-hub-signature-256'];
         const payload = req.body;
         if (!event || !payload) {
             res.status(400).json({ error: 'Invalid webhook' });
@@ -467,9 +467,22 @@ githubRouter.post('/webhook', async (req, res) => {
             res.status(200).json({ message: 'Repository not connected' });
             return;
         }
-        // Verify signature (if webhook secret is set)
-        // Note: In production, you'd verify the signature properly using:
-        // githubService.verifyWebhookSignature(JSON.stringify(req.body), signature, secret)
+        // Verify webhook signature (HMAC-SHA256)
+        if (repo.webhookSecret) {
+            if (!signature) {
+                Logger.warn(`Webhook missing signature for ${fullName}`);
+                res.status(401).json({ error: 'Missing signature' });
+                return;
+            }
+            const secret = githubService.getWebhookSecret(repo.webhookSecret);
+            const payloadBody = JSON.stringify(payload);
+            if (!githubService.verifyWebhookSignature(payloadBody, signature, secret)) {
+                Logger.warn(`Invalid webhook signature for ${fullName}`);
+                res.status(401).json({ error: 'Invalid signature' });
+                return;
+            }
+            Logger.debug(`Webhook signature verified for ${fullName}`);
+        }
         Logger.info(`Webhook received: ${event} for ${fullName}`);
         // Handle different events
         switch (event) {