archicore 0.2.1 → 0.2.2

package/dist/server/services/auth-service.d.ts

@@ -17,6 +17,27 @@ export declare class AuthService {
     private createDefaultAdmin;
     private saveUsers;
     private saveSessions;
+    private readonly BCRYPT_ROUNDS;
+    /**
+     * Hash password with bcrypt (async)
+     */
+    private hashPasswordAsync;
+    /**
+     * Legacy SHA256 hash for backward compatibility
+     */
+    private hashPasswordLegacy;
+    /**
+     * Verify password against hash (supports both bcrypt and legacy SHA256)
+     */
+    private verifyPassword;
+    /**
+     * Check if password needs rehashing (from legacy to bcrypt)
+     */
+    private needsRehash;
+    /**
+     * Sync hash for JSON fallback (still uses legacy for simplicity)
+     * @deprecated Use hashPasswordAsync for new passwords
+     */
     private hashPassword;
     private createEmptyUsage;
     private generateToken;

package/dist/server/services/auth-service.js

@@ -6,6 +6,7 @@
 import { randomUUID } from 'crypto';
 import { createHash } from 'crypto';
 import { readFile, writeFile, mkdir } from 'fs/promises';
+import bcrypt from 'bcrypt';
 import { join } from 'path';
 import { TIER_LIMITS } from '../../types/user.js';
 import { db } from './database.js';
@@ -65,7 +66,7 @@ export class AuthService {
         const admin = {
             id: 'admin-' + randomUUID(),
             email: 'admin@archicore.io',
-            username: 'Administrator',
+            username: 'ArchiCore Team',
             passwordHash: this.hashPassword('admin123'),
             tier: 'admin',
             provider: 'email',
@@ -85,9 +86,45 @@ export class AuthService {
         await writeFile(sessionsPath, JSON.stringify({ sessions: this.sessions }, null, 2));
     }
     // ========== HELPER METHODS ==========
-    hashPassword(password) {
+    BCRYPT_ROUNDS = 12;
+    /**
+     * Hash password with bcrypt (async)
+     */
+    async hashPasswordAsync(password) {
+        return bcrypt.hash(password, this.BCRYPT_ROUNDS);
+    }
+    /**
+     * Legacy SHA256 hash for backward compatibility
+     */
+    hashPasswordLegacy(password) {
         return createHash('sha256').update(password + 'archicore-salt-2024').digest('hex');
     }
+    /**
+     * Verify password against hash (supports both bcrypt and legacy SHA256)
+     */
+    async verifyPassword(password, hash) {
+        // Check if it's a bcrypt hash (starts with $2b$ or $2a$)
+        if (hash.startsWith('$2')) {
+            return bcrypt.compare(password, hash);
+        }
+        // Legacy SHA256 hash
+        return this.hashPasswordLegacy(password) === hash;
+    }
+    /**
+     * Check if password needs rehashing (from legacy to bcrypt)
+     */
+    needsRehash(hash) {
+        return !hash.startsWith('$2');
+    }
+    /**
+     * Sync hash for JSON fallback (still uses legacy for simplicity)
+     * @deprecated Use hashPasswordAsync for new passwords
+     */
+    hashPassword(password) {
+        // For new registrations, we should use async version
+        // This is kept for backward compatibility with JSON storage
+        return this.hashPasswordLegacy(password);
+    }
     createEmptyUsage() {
         return {
             requestsToday: 0,
@@ -130,7 +167,7 @@ export class AuthService {
             return;
         const adminId = 'admin-' + randomUUID();
         await db.query(`INSERT INTO users (id, email, username, password_hash, tier, provider)
-       VALUES ($1, $2, $3, $4, $5, $6)`, [adminId, 'admin@archicore.io', 'Administrator', this.hashPassword('admin123'), 'admin', 'email']);
+       VALUES ($1, $2, $3, $4, $5, $6)`, [adminId, 'admin@archicore.io', 'ArchiCore Team', this.hashPassword('admin123'), 'admin', 'email']);
         Logger.info('Default admin user created');
     }
     // ========== PUBLIC API ==========
@@ -149,9 +186,10 @@ export class AuthService {
                 }
                 const userId = 'user-' + randomUUID();
                 const token = this.generateToken();
+                const passwordHash = await this.hashPasswordAsync(password);
                 await db.transaction(async (client) => {
                     await client.query(`INSERT INTO users (id, email, username, password_hash, tier, provider)
-             VALUES ($1, $2, $3, $4, $5, $6)`, [userId, email.toLowerCase(), username, this.hashPassword(password), 'free', 'email']);
+             VALUES ($1, $2, $3, $4, $5, $6)`, [userId, email.toLowerCase(), username, passwordHash, 'free', 'email']);
                     await client.query(`INSERT INTO sessions (token, user_id, expires_at)
              VALUES ($1, $2, $3)`, [token, userId, new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)]);
                 });
@@ -203,10 +241,18 @@ export class AuthService {
                     return { success: false, error: 'Invalid email or password' };
                 }
                 const row = result.rows[0];
-                if (row.password_hash !== this.hashPassword(password)) {
+                // Verify password (supports both bcrypt and legacy SHA256)
+                const isValid = await this.verifyPassword(password, row.password_hash || '');
+                if (!isValid) {
                     return { success: false, error: 'Invalid email or password' };
                 }
                 const token = this.generateToken();
+                // Rehash legacy passwords to bcrypt
+                if (row.password_hash && this.needsRehash(row.password_hash)) {
+                    const newHash = await this.hashPasswordAsync(password);
+                    await db.query('UPDATE users SET password_hash = $1 WHERE id = $2', [newHash, row.id]);
+                    Logger.info(`Upgraded password hash for user ${row.id}`);
+                }
                 await db.query('UPDATE users SET last_login_at = NOW() WHERE id = $1', [row.id]);
                 await db.query('INSERT INTO sessions (token, user_id, expires_at) VALUES ($1, $2, $3)', [token, row.id, new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)]);
                 const user = this.rowToUser(row);

package/dist/server/services/encryption.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Encryption Service for ArchiCore
+ *
+ * AES-256-GCM encryption for sensitive data
+ */
+declare class EncryptionService {
+    private key;
+    private initialized;
+    /**
+     * Initialize encryption with key from environment
+     */
+    init(): void;
+    /**
+     * Encrypt a string value
+     */
+    encrypt(plaintext: string): string;
+    /**
+     * Decrypt a string value
+     */
+    decrypt(ciphertext: string): string;
+    /**
+     * Hash a value (one-way, for comparison)
+     */
+    hash(value: string): string;
+    /**
+     * Check if a value is encrypted (starts with valid base64 of correct length)
+     */
+    isEncrypted(value: string): boolean;
+    /**
+     * Encrypt if not already encrypted
+     */
+    ensureEncrypted(value: string): string;
+    /**
+     * Mask sensitive data for logging (show only last 4 chars)
+     */
+    mask(value: string): string;
+    /**
+     * Generate a secure random token
+     */
+    generateToken(length?: number): string;
+    /**
+     * Generate a secure random secret
+     */
+    generateSecret(length?: number): string;
+}
+export declare const encryption: EncryptionService;
+export {};
+//# sourceMappingURL=encryption.d.ts.map

package/dist/server/services/encryption.js

@@ -0,0 +1,148 @@
+/**
+ * Encryption Service for ArchiCore
+ *
+ * AES-256-GCM encryption for sensitive data
+ */
+import crypto from 'crypto';
+import { Logger } from '../../utils/logger.js';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+// const SALT_LENGTH = 32; // Reserved for future use
+class EncryptionService {
+    key = null;
+    initialized = false;
+    /**
+     * Initialize encryption with key from environment
+     */
+    init() {
+        if (this.initialized)
+            return;
+        const encryptionKey = process.env.ENCRYPTION_KEY;
+        if (!encryptionKey) {
+            Logger.warn('ENCRYPTION_KEY not set - generating temporary key (NOT FOR PRODUCTION)');
+            // Generate a temporary key for development
+            this.key = crypto.randomBytes(32);
+        }
+        else {
+            // Derive key from password using PBKDF2
+            const salt = process.env.ENCRYPTION_SALT || 'archicore-default-salt';
+            this.key = crypto.pbkdf2Sync(encryptionKey, salt, 100000, 32, 'sha256');
+        }
+        this.initialized = true;
+        Logger.info('Encryption service initialized');
+    }
+    /**
+     * Encrypt a string value
+     */
+    encrypt(plaintext) {
+        if (!this.key) {
+            this.init();
+        }
+        try {
+            // Generate random IV
+            const iv = crypto.randomBytes(IV_LENGTH);
+            // Create cipher
+            const cipher = crypto.createCipheriv(ALGORITHM, this.key, iv);
+            // Encrypt
+            let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+            encrypted += cipher.final('hex');
+            // Get auth tag
+            const authTag = cipher.getAuthTag();
+            // Combine: iv + authTag + encrypted
+            const combined = Buffer.concat([
+                iv,
+                authTag,
+                Buffer.from(encrypted, 'hex')
+            ]);
+            return combined.toString('base64');
+        }
+        catch (error) {
+            Logger.error('Encryption failed:', error);
+            throw new Error('Encryption failed');
+        }
+    }
+    /**
+     * Decrypt a string value
+     */
+    decrypt(ciphertext) {
+        if (!this.key) {
+            this.init();
+        }
+        try {
+            // Decode from base64
+            const combined = Buffer.from(ciphertext, 'base64');
+            // Extract components
+            const iv = combined.subarray(0, IV_LENGTH);
+            const authTag = combined.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+            const encrypted = combined.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+            // Create decipher
+            const decipher = crypto.createDecipheriv(ALGORITHM, this.key, iv);
+            decipher.setAuthTag(authTag);
+            // Decrypt
+            let decrypted = decipher.update(encrypted);
+            decrypted = Buffer.concat([decrypted, decipher.final()]);
+            return decrypted.toString('utf8');
+        }
+        catch (error) {
+            Logger.error('Decryption failed:', error);
+            throw new Error('Decryption failed');
+        }
+    }
+    /**
+     * Hash a value (one-way, for comparison)
+     */
+    hash(value) {
+        const salt = process.env.ENCRYPTION_SALT || 'archicore-default-salt';
+        return crypto
+            .createHmac('sha256', salt)
+            .update(value)
+            .digest('hex');
+    }
+    /**
+     * Check if a value is encrypted (starts with valid base64 of correct length)
+     */
+    isEncrypted(value) {
+        try {
+            const decoded = Buffer.from(value, 'base64');
+            // Minimum length: IV (16) + AuthTag (16) + at least 1 byte encrypted
+            return decoded.length > IV_LENGTH + AUTH_TAG_LENGTH;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Encrypt if not already encrypted
+     */
+    ensureEncrypted(value) {
+        if (this.isEncrypted(value)) {
+            return value;
+        }
+        return this.encrypt(value);
+    }
+    /**
+     * Mask sensitive data for logging (show only last 4 chars)
+     */
+    mask(value) {
+        if (value.length <= 4) {
+            return '****';
+        }
+        return '*'.repeat(value.length - 4) + value.slice(-4);
+    }
+    /**
+     * Generate a secure random token
+     */
+    generateToken(length = 32) {
+        return crypto.randomBytes(length).toString('hex');
+    }
+    /**
+     * Generate a secure random secret
+     */
+    generateSecret(length = 64) {
+        return crypto.randomBytes(length).toString('base64url');
+    }
+}
+// Export singleton instance
+export const encryption = new EncryptionService();
+//# sourceMappingURL=encryption.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "archicore",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "description": "AI Software Architect - code analysis, impact prediction, semantic search",
   "main": "dist/index.js",
   "type": "module",