archicore 0.3.1 → 0.3.2

package/dist/server/routes/auth.js

@@ -5,16 +5,94 @@ import { Router } from 'express';
 import { AuthService } from '../services/auth-service.js';
 import { auditService } from '../services/audit-service.js';
 import { Logger } from '../../utils/logger.js';
+import { emailService } from '../services/email-service.js';
+import { isDisposableEmail, getDisposableEmailError } from '../utils/disposable-email-domains.js';
+import { cache } from '../services/cache.js';
 export const authRouter = Router();
 const authService = AuthService.getInstance();
-// Middleware to check authentication
+// Cookie configuration for auth tokens
+// Note: sameSite 'lax' allows cookies on top-level navigations (redirects from OAuth, links)
+// while still protecting against CSRF on POST requests
+const COOKIE_OPTIONS = {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
+    path: '/'
+};
+// Helper to set auth cookie
+function setAuthCookie(res, token) {
+    res.cookie('archicore_token', token, COOKIE_OPTIONS);
+}
+// Helper to clear auth cookie
+function clearAuthCookie(res) {
+    res.clearCookie('archicore_token', { path: '/' });
+}
+// ========== Email Verification Code Storage (Redis with fallback) ==========
+const VERIFICATION_PREFIX = 'verify:';
+const VERIFICATION_TTL = 10 * 60; // 10 minutes in seconds
+// Fallback in-memory storage when Redis is unavailable
+const verificationCodes = new Map();
+// Get verification code from Redis or fallback
+async function getVerificationCode(email) {
+    const key = `${VERIFICATION_PREFIX}${email}`;
+    // Try Redis first
+    const cached = await cache.get(key);
+    if (cached)
+        return cached;
+    // Fallback to memory
+    const memCached = verificationCodes.get(email);
+    if (memCached && memCached.expiresAt > Date.now()) {
+        return memCached;
+    }
+    // Cleanup expired
+    if (memCached)
+        verificationCodes.delete(email);
+    return null;
+}
+// Set verification code in Redis or fallback
+async function setVerificationCode(email, data) {
+    const key = `${VERIFICATION_PREFIX}${email}`;
+    // Store in Redis with TTL
+    await cache.set(key, data, { ttl: VERIFICATION_TTL });
+    // Also store in memory as fallback
+    verificationCodes.set(email, data);
+}
+// Delete verification code
+async function deleteVerificationCode(email) {
+    const key = `${VERIFICATION_PREFIX}${email}`;
+    await cache.del(key);
+    verificationCodes.delete(email);
+}
+// Generate 6-digit verification code
+function generateVerificationCode() {
+    return Math.floor(100000 + Math.random() * 900000).toString();
+}
+// Cleanup expired memory codes
+setInterval(() => {
+    const now = Date.now();
+    for (const [email, data] of verificationCodes.entries()) {
+        if (data.expiresAt < now) {
+            verificationCodes.delete(email);
+        }
+    }
+}, 60 * 1000); // Clean up every minute
+// Middleware to check authentication (supports both Bearer token and httpOnly cookie)
 export async function authMiddleware(req, res, next) {
     const authHeader = req.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    const cookieToken = req.cookies?.archicore_token;
+    // Try Bearer token first, then cookie
+    let token = null;
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+        token = authHeader.substring(7);
+    }
+    else if (cookieToken) {
+        token = cookieToken;
+    }
+    if (!token) {
         res.status(401).json({ error: 'No token provided' });
         return;
     }
-    const token = authHeader.substring(7);
     const user = await authService.validateToken(token);
     if (!user) {
         res.status(401).json({ error: 'Invalid or expired token' });
@@ -31,9 +109,96 @@ export async function adminMiddleware(req, res, next) {
     }
     next();
 }
+/**
+ * POST /api/auth/send-verification-code
+ * Send email verification code
+ */
+authRouter.post('/send-verification-code', async (req, res) => {
+    try {
+        const { email } = req.body;
+        if (!email || typeof email !== 'string') {
+            res.status(400).json({ success: false, error: 'Valid email is required' });
+            return;
+        }
+        // Validate email format
+        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+        if (!emailRegex.test(email)) {
+            res.status(400).json({ success: false, error: 'Invalid email format' });
+            return;
+        }
+        // Check for disposable/temporary email
+        if (isDisposableEmail(email)) {
+            res.status(400).json({ success: false, error: getDisposableEmailError() });
+            return;
+        }
+        // Check if email already registered
+        // This prevents enumeration but allows re-verification
+        const normalizedEmail = email.toLowerCase().trim();
+        // Generate verification code
+        const code = generateVerificationCode();
+        const expiresAt = Date.now() + 10 * 60 * 1000; // 10 minutes
+        // Store code in Redis (with memory fallback)
+        await setVerificationCode(normalizedEmail, {
+            email: normalizedEmail,
+            code,
+            expiresAt,
+            verified: false
+        });
+        // Send email
+        const emailSent = await emailService.sendVerificationCode(normalizedEmail, code);
+        if (!emailSent) {
+            Logger.warn(`[Auth] Failed to send verification code to ${normalizedEmail}`);
+            res.status(500).json({ success: false, error: 'Failed to send verification code' });
+            return;
+        }
+        Logger.info(`[Auth] Verification code sent to ${normalizedEmail}`);
+        res.json({ success: true, message: 'Verification code sent to your email' });
+    }
+    catch (error) {
+        Logger.error('[Auth] Send verification code error:', error);
+        res.status(500).json({ success: false, error: 'Failed to send verification code' });
+    }
+});
+/**
+ * POST /api/auth/verify-email
+ * Verify email with code
+ */
+authRouter.post('/verify-email', async (req, res) => {
+    try {
+        const { email, code } = req.body;
+        if (!email || !code) {
+            res.status(400).json({ success: false, error: 'Email and code are required' });
+            return;
+        }
+        const normalizedEmail = email.toLowerCase().trim();
+        const storedData = await getVerificationCode(normalizedEmail);
+        if (!storedData) {
+            res.status(400).json({ success: false, error: 'No verification code found. Please request a new one.' });
+            return;
+        }
+        if (storedData.expiresAt < Date.now()) {
+            await deleteVerificationCode(normalizedEmail);
+            res.status(400).json({ success: false, error: 'Verification code expired. Please request a new one.' });
+            return;
+        }
+        if (storedData.code !== code.trim()) {
+            res.status(400).json({ success: false, error: 'Invalid verification code' });
+            return;
+        }
+        // Mark as verified and update in Redis
+        storedData.verified = true;
+        await setVerificationCode(normalizedEmail, storedData);
+        Logger.info(`[Auth] Email verified: ${normalizedEmail}`);
+        res.json({ success: true, message: 'Email verified successfully' });
+    }
+    catch (error) {
+        Logger.error('[Auth] Verify email error:', error);
+        res.status(500).json({ success: false, error: 'Failed to verify email' });
+    }
+});
 /**
  * POST /api/auth/register
- * Register new user
+ * Register new user (requires verified email)
  */
 authRouter.post('/register', async (req, res) => {
     const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
@@ -44,11 +209,32 @@ authRouter.post('/register', async (req, res) => {
             res.status(400).json({ success: false, error: 'Email, username, and password are required' });
             return;
         }
+        // Check email verification - MANDATORY
+        const normalizedEmail = email.toLowerCase().trim();
+        const verification = await getVerificationCode(normalizedEmail);
+        if (!verification) {
+            res.status(400).json({ success: false, error: 'Please verify your email first. Request a verification code to continue.' });
+            return;
+        }
+        if (!verification.verified) {
+            res.status(400).json({ success: false, error: 'Email not verified. Please enter the verification code sent to your email.' });
+            return;
+        }
+        if (verification.expiresAt < Date.now()) {
+            await deleteVerificationCode(normalizedEmail);
+            res.status(400).json({ success: false, error: 'Verification expired. Please request a new verification code.' });
+            return;
+        }
         if (password.length < 8) {
             res.status(400).json({ success: false, error: 'Password must be at least 8 characters' });
             return;
         }
         const result = await authService.register(email, username, password);
+        // Clear verification code after successful registration
+        if (result.success) {
+            await deleteVerificationCode(normalizedEmail);
+            Logger.info(`[Auth] Verification code cleared for ${normalizedEmail} after successful registration`);
+        }
         // Audit log
         if (result.success && result.user) {
             await auditService.log({
@@ -60,6 +246,10 @@ authRouter.post('/register', async (req, res) => {
                 details: { email }
             });
         }
+        // Set httpOnly cookie if registration successful
+        if (result.success && result.token) {
+            setAuthCookie(res, result.token);
+        }
         res.json(result);
     }
     catch (error) {
@@ -92,6 +282,10 @@ authRouter.post('/login', async (req, res) => {
             success: result.success,
             errorMessage: result.success ? undefined : result.error
         });
+        // Set httpOnly cookie if login successful
+        if (result.success && result.token) {
+            setAuthCookie(res, result.token);
+        }
         res.json(result);
     }
     catch (error) {
@@ -116,7 +310,10 @@ authRouter.post('/logout', authMiddleware, async (req, res) => {
     const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
     const userAgent = req.headers['user-agent'];
     try {
-        const token = req.headers.authorization?.substring(7);
+        // Get token from header or cookie
+        const headerToken = req.headers.authorization?.substring(7);
+        const cookieToken = req.cookies?.archicore_token;
+        const token = headerToken || cookieToken;
         if (token) {
             await authService.logout(token);
         }
@@ -128,6 +325,8 @@ authRouter.post('/logout', authMiddleware, async (req, res) => {
             ip,
             userAgent
         });
+        // Clear the auth cookie
+        clearAuthCookie(res);
         res.json({ success: true });
     }
     catch (error) {

package/dist/server/routes/device-auth.js

@@ -58,8 +58,8 @@ router.post('/code', (_req, res) => {
     if (!serverUrl) {
         const host = process.env.HOST || 'localhost';
         const port = process.env.PORT || 3000;
-        // If HOST is 0.0.0.0 (bind to all interfaces), use the server's actual IP or fallback to request origin
-        const effectiveHost = host === '0.0.0.0' ? (process.env.SERVER_IP || '194.156.66.251') : host;
+        // If HOST is 0.0.0.0 (bind to all interfaces), use localhost for fallback
+        const effectiveHost = host === '0.0.0.0' ? 'localhost' : host;
         serverUrl = `http://${effectiveHost}:${port}`;
     }
     res.json({

package/dist/server/routes/gitlab.d.ts

@@ -0,0 +1,12 @@
+/**
+ * GitLab Integration Routes for ArchiCore
+ *
+ * Provides API endpoints for:
+ * - Managing GitLab instances (add, remove, list)
+ * - Listing and connecting repositories
+ * - Branch selection
+ * - Webhooks for auto-analysis
+ */
+export declare const gitlabRouter: import("express-serve-static-core").Router;
+export default gitlabRouter;
+//# sourceMappingURL=gitlab.d.ts.map