archicore 0.3.1 → 0.3.2

package/dist/server/routes/oauth.js

@@ -0,0 +1,198 @@
+/**
+ * OAuth Authentication Routes
+ * Google and GitHub OAuth login flows
+ */
+import { Router } from 'express';
+import passport from '../config/passport.js';
+import { AuthService } from '../services/auth-service.js';
+import { auditService } from '../services/audit-service.js';
+import { Logger } from '../../utils/logger.js';
+import { isDisposableEmail, getDisposableEmailError } from '../utils/disposable-email-domains.js';
+export const oauthRouter = Router();
+const authService = AuthService.getInstance();
+// Cookie configuration for auth tokens
+const COOKIE_OPTIONS = {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax', // lax for OAuth redirects
+    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
+    path: '/'
+};
+// Helper to set auth cookie
+function setAuthCookie(res, token) {
+    res.cookie('archicore_token', token, COOKIE_OPTIONS);
+}
+// Validate redirect URL to prevent open redirect attacks
+function isValidRedirect(url) {
+    if (!url)
+        return false;
+    // Must start with / and not with // (protocol-relative URL)
+    if (!url.startsWith('/') || url.startsWith('//'))
+        return false;
+    // Block encoded characters that could be used for bypass
+    if (url.includes('%') || url.includes('\\'))
+        return false;
+    // Block URLs that could redirect externally
+    if (url.includes('@') || url.includes('://'))
+        return false;
+    return true;
+}
+// Get redirect URL from query or default to dashboard
+function getRedirectUrl(req) {
+    const redirect = req.query.redirect;
+    if (isValidRedirect(redirect)) {
+        return redirect;
+    }
+    return '/dashboard';
+}
+// Generate error redirect URL
+function getErrorRedirectUrl(message) {
+    return `/auth?error=${encodeURIComponent(message)}`;
+}
+/**
+ * GET /api/auth/oauth/google
+ * Initiate Google OAuth flow
+ */
+oauthRouter.get('/google', (req, res, next) => {
+    // Store redirect URL in session/cookie for after OAuth
+    const redirectUrl = getRedirectUrl(req);
+    res.cookie('oauth_redirect', redirectUrl, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        maxAge: 10 * 60 * 1000, // 10 minutes
+    });
+    passport.authenticate('google', {
+        session: false,
+        scope: ['profile', 'email'],
+    })(req, res, next);
+});
+/**
+ * GET /api/auth/oauth/google/callback
+ * Google OAuth callback
+ */
+oauthRouter.get('/google/callback', passport.authenticate('google', { session: false, failureRedirect: '/auth?error=google_auth_failed' }), async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
+    try {
+        const profile = req.user;
+        if (!profile || !profile.email) {
+            Logger.error('[OAuth] Google callback - no profile or email');
+            return res.redirect(getErrorRedirectUrl('No email provided by Google'));
+        }
+        // Check for disposable email
+        if (isDisposableEmail(profile.email)) {
+            Logger.warn(`[OAuth] Google callback - disposable email blocked: ${profile.email}`);
+            return res.redirect(getErrorRedirectUrl(getDisposableEmailError()));
+        }
+        // Login or register user via OAuth
+        const result = await authService.oauthLogin('google', profile);
+        if (!result.success || !result.token) {
+            Logger.error('[OAuth] Google callback - login failed:', result.error);
+            return res.redirect(getErrorRedirectUrl(result.error || 'Authentication failed'));
+        }
+        // Audit log
+        await auditService.log({
+            userId: result.user?.id,
+            username: result.user?.username,
+            action: 'auth.oauth.google',
+            ip,
+            userAgent,
+            details: { email: profile.email },
+            success: true,
+        });
+        // Get redirect URL from cookie with validation
+        const savedRedirect = req.cookies.oauth_redirect;
+        const redirectUrl = isValidRedirect(savedRedirect) ? savedRedirect : '/dashboard';
+        res.clearCookie('oauth_redirect');
+        // Set httpOnly cookie with auth token (secure, not exposed to JS)
+        setAuthCookie(res, result.token);
+        // Redirect to frontend without token in URL (token is in httpOnly cookie)
+        Logger.info(`[OAuth] Google login successful for ${profile.email}, redirecting to ${redirectUrl}`);
+        res.redirect(redirectUrl);
+    }
+    catch (error) {
+        Logger.error('[OAuth] Google callback error:', error);
+        await auditService.log({
+            action: 'auth.oauth.google',
+            ip,
+            userAgent,
+            success: false,
+            errorMessage: error instanceof Error ? error.message : 'Unknown error',
+        });
+        res.redirect(getErrorRedirectUrl('Authentication failed'));
+    }
+});
+/**
+ * GET /api/auth/oauth/github
+ * Initiate GitHub OAuth flow
+ */
+oauthRouter.get('/github', (req, res, next) => {
+    // Store redirect URL in cookie for after OAuth
+    const redirectUrl = getRedirectUrl(req);
+    res.cookie('oauth_redirect', redirectUrl, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        maxAge: 10 * 60 * 1000, // 10 minutes
+    });
+    passport.authenticate('github', {
+        session: false,
+        scope: ['user:email'],
+    })(req, res, next);
+});
+/**
+ * GET /api/auth/oauth/github/callback
+ * GitHub OAuth callback
+ */
+oauthRouter.get('/github/callback', passport.authenticate('github', { session: false, failureRedirect: '/auth?error=github_auth_failed' }), async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
+    try {
+        const profile = req.user;
+        if (!profile || !profile.email) {
+            Logger.error('[OAuth] GitHub callback - no profile or email');
+            return res.redirect(getErrorRedirectUrl('No email provided by GitHub. Please make your email public in GitHub settings.'));
+        }
+        // Check for disposable email
+        if (isDisposableEmail(profile.email)) {
+            Logger.warn(`[OAuth] GitHub callback - disposable email blocked: ${profile.email}`);
+            return res.redirect(getErrorRedirectUrl(getDisposableEmailError()));
+        }
+        // Login or register user via OAuth
+        const result = await authService.oauthLogin('github', profile);
+        if (!result.success || !result.token) {
+            Logger.error('[OAuth] GitHub callback - login failed:', result.error);
+            return res.redirect(getErrorRedirectUrl(result.error || 'Authentication failed'));
+        }
+        // Audit log
+        await auditService.log({
+            userId: result.user?.id,
+            username: result.user?.username,
+            action: 'auth.oauth.github',
+            ip,
+            userAgent,
+            details: { email: profile.email },
+            success: true,
+        });
+        // Get redirect URL from cookie with validation
+        const savedRedirect = req.cookies.oauth_redirect;
+        const redirectUrl = isValidRedirect(savedRedirect) ? savedRedirect : '/dashboard';
+        res.clearCookie('oauth_redirect');
+        // Set httpOnly cookie with auth token (secure, not exposed to JS)
+        setAuthCookie(res, result.token);
+        // Redirect to frontend without token in URL (token is in httpOnly cookie)
+        Logger.info(`[OAuth] GitHub login successful for ${profile.email}, redirecting to ${redirectUrl}`);
+        res.redirect(redirectUrl);
+    }
+    catch (error) {
+        Logger.error('[OAuth] GitHub callback error:', error);
+        await auditService.log({
+            action: 'auth.oauth.github',
+            ip,
+            userAgent,
+            success: false,
+            errorMessage: error instanceof Error ? error.message : 'Unknown error',
+        });
+        res.redirect(getErrorRedirectUrl('Authentication failed'));
+    }
+});
+//# sourceMappingURL=oauth.js.map

package/dist/server/services/audit-service.d.ts

@@ -4,7 +4,7 @@
  * Logs user actions for security and compliance purposes
  * Supports PostgreSQL (primary) with JSON file fallback
  */
-export type AuditAction = 'auth.login' | 'auth.logout' | 'auth.register' | 'auth.password_change' | 'auth.device_login' | 'user.update' | 'user.tier_change' | 'user.delete' | 'project.create' | 'project.delete' | 'project.analyze' | 'project.simulate' | 'project.ask' | 'project.docs' | 'github.connect' | 'github.disconnect' | 'github.repo_connect' | 'github.repo_disconnect' | 'github.webhook_received' | 'api.key_create' | 'api.key_revoke' | 'api.request' | 'admin.login' | 'admin.user_update' | 'admin.user_delete' | 'admin.tier_change' | 'admin.view_logs';
+export type AuditAction = 'auth.login' | 'auth.logout' | 'auth.register' | 'auth.password_change' | 'auth.device_login' | 'auth.oauth.google' | 'auth.oauth.github' | 'user.update' | 'user.tier_change' | 'user.delete' | 'project.create' | 'project.delete' | 'project.analyze' | 'project.simulate' | 'project.ask' | 'project.docs' | 'github.connect' | 'github.disconnect' | 'github.repo_connect' | 'github.repo_disconnect' | 'github.webhook_received' | 'api.key_create' | 'api.key_revoke' | 'api.request' | 'admin.login' | 'admin.user_update' | 'admin.user_delete' | 'admin.tier_change' | 'admin.view_logs';
 export type AuditSeverity = 'info' | 'warning' | 'critical';
 export interface AuditLogEntry {
     id: string;

package/dist/server/services/auth-service.d.ts

@@ -17,6 +17,18 @@ export declare class AuthService {
     private createDefaultAdmin;
     private saveUsers;
     private saveSessions;
+    /**
+     * Store session in Redis for fast lookup
+     */
+    private cacheSession;
+    /**
+     * Get session from Redis cache
+     */
+    private getCachedSession;
+    /**
+     * Remove session from Redis cache
+     */
+    private removeCachedSession;
     private readonly BCRYPT_ROUNDS;
     /**
      * Hash password with bcrypt (async)
@@ -49,7 +61,7 @@ export declare class AuthService {
     oauthLogin(provider: 'github' | 'google', profile: {
         id: string;
         email: string;
-        name: string;
+        displayName: string;
         avatar?: string;
     }): Promise<AuthResponse>;
     validateToken(token: string): Promise<User | null>;

package/dist/server/services/auth-service.js

@@ -11,6 +11,11 @@ import { join } from 'path';
 import { TIER_LIMITS } from '../../types/user.js';
 import { db } from './database.js';
 import { Logger } from '../../utils/logger.js';
+import { emailService } from './email-service.js';
+import { cache } from './cache.js';
+// Redis session configuration
+const SESSION_PREFIX = 'session:';
+const SESSION_TTL = 7 * 24 * 60 * 60; // 7 days in seconds
 const DATA_DIR = '.archicore';
 const USERS_FILE = 'users.json';
 const SESSIONS_FILE = 'sessions.json';
@@ -85,6 +90,53 @@ export class AuthService {
         const sessionsPath = join(this.dataDir, SESSIONS_FILE);
         await writeFile(sessionsPath, JSON.stringify({ sessions: this.sessions }, null, 2));
     }
+    // ========== REDIS SESSION METHODS ==========
+    /**
+     * Store session in Redis for fast lookup
+     */
+    async cacheSession(token, userId, expiresAt) {
+        try {
+            const sessionData = {
+                userId,
+                expiresAt: expiresAt.toISOString()
+            };
+            await cache.set(`${SESSION_PREFIX}${token}`, sessionData, {
+                ttl: SESSION_TTL
+            });
+        }
+        catch (error) {
+            Logger.debug('Session cache set failed (non-critical):', error);
+        }
+    }
+    /**
+     * Get session from Redis cache
+     */
+    async getCachedSession(token) {
+        try {
+            const data = await cache.get(`${SESSION_PREFIX}${token}`);
+            if (data) {
+                return {
+                    userId: data.userId,
+                    expiresAt: new Date(data.expiresAt)
+                };
+            }
+        }
+        catch (error) {
+            Logger.debug('Session cache get failed (non-critical):', error);
+        }
+        return null;
+    }
+    /**
+     * Remove session from Redis cache
+     */
+    async removeCachedSession(token) {
+        try {
+            await cache.del(`${SESSION_PREFIX}${token}`);
+        }
+        catch (error) {
+            Logger.debug('Session cache delete failed (non-critical):', error);
+        }
+    }
     // ========== HELPER METHODS ==========
     BCRYPT_ROUNDS = 12;
     /**
@@ -195,6 +247,11 @@ export class AuthService {
                 });
                 const userResult = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
                 const user = this.rowToUser(userResult.rows[0]);
+                // Cache session in Redis
+                const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+                await this.cacheSession(token, userId, expiresAt);
+                // Send welcome email (non-blocking)
+                emailService.sendWelcome(email, username).catch(err => Logger.warn('[Auth] Failed to send welcome email:', err));
                 return { success: true, token, user: this.sanitizeUser(user) };
             }
             catch (error) {
@@ -224,13 +281,18 @@ export class AuthService {
         this.users.push(user);
         await this.saveUsers();
         const token = this.generateToken();
+        const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
         const session = {
             token,
             userId: user.id,
-            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
+            expiresAt
         };
         this.sessions.push(session);
         await this.saveSessions();
+        // Cache session in Redis
+        await this.cacheSession(token, user.id, expiresAt);
+        // Send welcome email (non-blocking)
+        emailService.sendWelcome(email, username).catch(err => Logger.warn('[Auth] Failed to send welcome email:', err));
         return { success: true, token, user: this.sanitizeUser(user) };
     }
     async login(email, password) {
@@ -253,8 +315,11 @@ export class AuthService {
                     await db.query('UPDATE users SET password_hash = $1 WHERE id = $2', [newHash, row.id]);
                     Logger.info(`Upgraded password hash for user ${row.id}`);
                 }
+                const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
                 await db.query('UPDATE users SET last_login_at = NOW() WHERE id = $1', [row.id]);
-                await db.query('INSERT INTO sessions (token, user_id, expires_at) VALUES ($1, $2, $3)', [token, row.id, new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)]);
+                await db.query('INSERT INTO sessions (token, user_id, expires_at) VALUES ($1, $2, $3)', [token, row.id, expiresAt]);
+                // Cache session in Redis
+                await this.cacheSession(token, row.id, expiresAt);
                 const user = this.rowToUser(row);
                 return { success: true, token, user: this.sanitizeUser(user) };
             }
@@ -275,13 +340,16 @@ export class AuthService {
         user.lastLoginAt = new Date();
         await this.saveUsers();
         const token = this.generateToken();
+        const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
         const session = {
             token,
             userId: user.id,
-            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
+            expiresAt
         };
         this.sessions.push(session);
         await this.saveSessions();
+        // Cache session in Redis
+        await this.cacheSession(token, user.id, expiresAt);
         return { success: true, token, user: this.sanitizeUser(user) };
     }
     async oauthLogin(provider, profile) {
@@ -294,7 +362,7 @@ export class AuthService {
                     // Create new user
                     userId = 'user-' + randomUUID();
                     await db.query(`INSERT INTO users (id, email, username, avatar, tier, provider, provider_id)
-             VALUES ($1, $2, $3, $4, $5, $6, $7)`, [userId, profile.email.toLowerCase(), profile.name || profile.email.split('@')[0], profile.avatar, 'free', provider, profile.id]);
+             VALUES ($1, $2, $3, $4, $5, $6, $7)`, [userId, profile.email.toLowerCase(), profile.displayName || profile.email.split('@')[0], profile.avatar, 'free', provider, profile.id]);
                 }
                 else {
                     // Update existing
@@ -305,7 +373,10 @@ export class AuthService {
              WHERE id = $1`, [userId, profile.avatar, provider, profile.id]);
                 }
                 const token = this.generateToken();
-                await db.query('INSERT INTO sessions (token, user_id, expires_at) VALUES ($1, $2, $3)', [token, userId, new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)]);
+                const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+                await db.query('INSERT INTO sessions (token, user_id, expires_at) VALUES ($1, $2, $3)', [token, userId, expiresAt]);
+                // Cache session in Redis
+                await this.cacheSession(token, userId, expiresAt);
                 result = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
                 const user = this.rowToUser(result.rows[0]);
                 return { success: true, token, user: this.sanitizeUser(user) };
@@ -323,7 +394,7 @@ export class AuthService {
             user = {
                 id: 'user-' + randomUUID(),
                 email: profile.email.toLowerCase(),
-                username: profile.name || profile.email.split('@')[0],
+                username: profile.displayName || profile.email.split('@')[0],
                 avatar: profile.avatar,
                 tier: 'free',
                 provider,
@@ -345,16 +416,38 @@ export class AuthService {
         }
         await this.saveUsers();
         const token = this.generateToken();
+        const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
         const session = {
             token,
             userId: user.id,
-            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
+            expiresAt
         };
         this.sessions.push(session);
         await this.saveSessions();
+        // Cache session in Redis
+        await this.cacheSession(token, user.id, expiresAt);
         return { success: true, token, user: this.sanitizeUser(user) };
     }
     async validateToken(token) {
+        // Try Redis cache first for fast lookup
+        const cachedSession = await this.getCachedSession(token);
+        if (cachedSession) {
+            // Check expiration
+            if (cachedSession.expiresAt < new Date()) {
+                await this.removeCachedSession(token);
+                // Also remove from primary storage
+                if (this.useDatabase()) {
+                    await db.query('DELETE FROM sessions WHERE token = $1', [token]).catch(() => { });
+                }
+                return null;
+            }
+            // Get user from cache or database
+            const user = await this.getUser(cachedSession.userId);
+            if (user) {
+                return user;
+            }
+        }
+        // Fall back to database/JSON storage
         if (this.useDatabase()) {
             try {
                 const result = await db.query('SELECT * FROM sessions WHERE token = $1', [token]);
@@ -363,11 +456,14 @@ export class AuthService {
                 const session = result.rows[0];
                 if (new Date(session.expires_at) < new Date()) {
                     await db.query('DELETE FROM sessions WHERE token = $1', [token]);
+                    await this.removeCachedSession(token);
                     return null;
                 }
                 const userResult = await db.query('SELECT * FROM users WHERE id = $1', [session.user_id]);
                 if (userResult.rows.length === 0)
                     return null;
+                // Cache the session for next time
+                await this.cacheSession(token, session.user_id, new Date(session.expires_at));
                 return this.rowToUser(userResult.rows[0]);
             }
             catch (error) {
@@ -383,11 +479,16 @@ export class AuthService {
         if (new Date(session.expiresAt) < new Date()) {
             this.sessions = this.sessions.filter(s => s.token !== token);
             await this.saveSessions();
+            await this.removeCachedSession(token);
             return null;
         }
+        // Cache the session for next time
+        await this.cacheSession(token, session.userId, new Date(session.expiresAt));
         return this.users.find(u => u.id === session.userId) || null;
     }
     async logout(token) {
+        // Always remove from Redis cache
+        await this.removeCachedSession(token);
         if (this.useDatabase()) {
             await db.query('DELETE FROM sessions WHERE token = $1', [token]);
             return;

package/dist/server/services/email-service.d.ts

@@ -0,0 +1,63 @@
+interface EmailOptions {
+    to: string;
+    subject: string;
+    html: string;
+    text?: string;
+}
+declare class EmailService {
+    private transporter;
+    private config;
+    private enabled;
+    constructor();
+    /**
+     * Initialize email service from environment variables
+     */
+    private initializeFromEnv;
+    /**
+     * Create nodemailer transporter
+     */
+    private createTransporter;
+    /**
+     * Verify SMTP connection
+     */
+    verify(): Promise<boolean>;
+    /**
+     * Send email
+     */
+    send(options: EmailOptions): Promise<boolean>;
+    /**
+     * Send device verification code email
+     */
+    sendDeviceCode(email: string, code: string, verificationUrl: string): Promise<boolean>;
+    /**
+     * Send email verification code
+     */
+    sendVerificationCode(email: string, code: string): Promise<boolean>;
+    /**
+     * Send welcome email after registration
+     */
+    sendWelcome(email: string, username: string): Promise<boolean>;
+    /**
+     * Create HTML template for device verification code
+     */
+    private createDeviceCodeTemplate;
+    /**
+     * Create HTML template for welcome email
+     */
+    private createWelcomeTemplate;
+    /**
+     * Create HTML template for email verification code
+     */
+    private createVerificationCodeTemplate;
+    /**
+     * Strip HTML tags for plain text version
+     */
+    private stripHtml;
+    /**
+     * Check if email service is enabled
+     */
+    isEnabled(): boolean;
+}
+export declare const emailService: EmailService;
+export {};
+//# sourceMappingURL=email-service.d.ts.map