auramaxx 0.0.1

package/server/lib/credential-import.ts

@@ -0,0 +1,608 @@
+/**
+ * Credential Import — Parse external password manager exports
+ * ============================================================
+ *
+ * Normalizes CSV exports from 1Password, Bitwarden, LastPass, Chrome,
+ * and generic CSV into ImportedCredential[], ready for vault import.
+ */
+
+import { parse } from 'csv-parse/sync';
+import { CredentialType, CredentialField } from '../types';
+import { listCredentials } from './credentials';
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface ImportedField {
+  key: string;
+  value: string;
+  sensitive: boolean;
+}
+
+export interface ImportedCredential {
+  name: string;
+  type: CredentialType;
+  url?: string;
+  fields: ImportedField[];
+  tags?: string[];
+}
+
+export interface ColumnMapping {
+  title?: string;
+  url?: string;
+  username?: string;
+  password?: string;
+  notes?: string;
+}
+
+export interface SplitResult {
+  meta: Record<string, unknown>;
+  sensitiveFields: CredentialField[];
+}
+
+export type ImportFormat =
+  | '1password-csv'
+  | '1password-json'
+  | '1password-1pux'
+  | 'bitwarden-csv'
+  | 'bitwarden-json'
+  | 'lastpass-csv'
+  | 'icloud-csv'
+  | 'chrome-csv'
+  | 'chrome-json'
+  | 'firefox-csv'
+  | 'firefox-json'
+  | 'generic-csv';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Strip UTF-8 BOM if present */
+function stripBOM(text: string): string {
+  return text.charCodeAt(0) === 0xfeff ? text.slice(1) : text;
+}
+
+function parseCsvRows(csv: string): Record<string, string>[] {
+  const cleaned = stripBOM(csv);
+  return parse(cleaned, {
+    columns: true,
+    skip_empty_lines: true,
+    trim: true,
+    relax_column_count: true,
+  }) as Record<string, string>[];
+}
+
+function normalizeColumnName(value: string): string {
+  return value.toLowerCase().replace(/[^a-z0-9]/g, '');
+}
+
+function getRowValue(row: Record<string, string>, aliases: string[]): string {
+  const lookup = new Map<string, string>();
+  for (const [key, value] of Object.entries(row)) {
+    lookup.set(normalizeColumnName(key), value);
+  }
+  for (const alias of aliases) {
+    const found = lookup.get(normalizeColumnName(alias));
+    if (found !== undefined && String(found).trim() !== '') {
+      return String(found).trim();
+    }
+  }
+  return '';
+}
+
+/** Normalize URL for duplicate comparison: strip protocol, www., trailing slash */
+export function normalizeUrl(url: string): string {
+  if (!url) return '';
+  let u = url.trim().toLowerCase();
+  // strip protocol
+  u = u.replace(/^https?:\/\//, '');
+  // strip www.
+  u = u.replace(/^www\./, '');
+  // strip trailing slash
+  u = u.replace(/\/+$/, '');
+  return u;
+}
+
+/**
+ * Split ImportedField[] into meta (non-sensitive) + sensitiveFields (sensitive).
+ * The CredentialField objects get a default type based on key.
+ */
+export function splitFields(
+  fields: ImportedField[],
+  url?: string,
+  tags?: string[]
+): SplitResult {
+  const meta: Record<string, unknown> = {};
+  const sensitiveFields: CredentialField[] = [];
+
+  if (url) meta.url = url;
+  if (tags && tags.length > 0) meta.tags = tags;
+
+  for (const f of fields) {
+    if (!f.value && f.value !== '') continue; // skip undefined/null
+    if (f.sensitive) {
+      sensitiveFields.push({
+        key: f.key,
+        value: f.value,
+        type: 'secret',
+        sensitive: true,
+      });
+    } else {
+      // Store non-sensitive fields in meta for searchability
+      meta[f.key] = f.value;
+    }
+  }
+
+  return { meta, sensitiveFields };
+}
+
+// ---------------------------------------------------------------------------
+// Duplicate detection
+// ---------------------------------------------------------------------------
+
+export interface DuplicateMatch {
+  index: number;
+  existingId: string;
+  existingName: string;
+  matchType: 'exact' | 'name-only';
+}
+
+/**
+ * Check imported credentials against existing vault credentials for duplicates.
+ * Returns a map of import index → duplicate match info.
+ */
+export function detectDuplicates(
+  imported: ImportedCredential[],
+  vaultId: string
+): Map<number, DuplicateMatch> {
+  const existing = listCredentials({ vaultId });
+  const duplicates = new Map<number, DuplicateMatch>();
+
+  // Build lookup maps from existing credentials
+  const existingByNameAndUrl = new Map<string, { id: string; name: string }>();
+  const existingByName = new Map<string, { id: string; name: string }>();
+
+  for (const cred of existing) {
+    const name = cred.name.trim().toLowerCase();
+    const url = normalizeUrl((cred.meta?.url as string) || '');
+    const key = `${name}|${url}`;
+    existingByNameAndUrl.set(key, { id: cred.id, name: cred.name });
+    existingByName.set(name, { id: cred.id, name: cred.name });
+  }
+
+  for (let i = 0; i < imported.length; i++) {
+    const cred = imported[i];
+    const name = cred.name.trim().toLowerCase();
+    const url = normalizeUrl(cred.url || '');
+
+    // Check exact match (name + URL)
+    const exactKey = `${name}|${url}`;
+    const exactMatch = existingByNameAndUrl.get(exactKey);
+    if (exactMatch && url) {
+      duplicates.set(i, {
+        index: i,
+        existingId: exactMatch.id,
+        existingName: exactMatch.name,
+        matchType: 'exact',
+      });
+      continue;
+    }
+
+    // Check name-only match
+    const nameMatch = existingByName.get(name);
+    if (nameMatch) {
+      duplicates.set(i, {
+        index: i,
+        existingId: nameMatch.id,
+        existingName: nameMatch.name,
+        matchType: 'name-only',
+      });
+    }
+  }
+
+  return duplicates;
+}
+
+
+
+function parseJsonObject(input: string): any {
+  const cleaned = stripBOM(input).trim();
+  if (!cleaned) return [];
+
+  let parsed: any;
+  try {
+    parsed = JSON.parse(cleaned);
+  } catch {
+    throw new Error('Invalid JSON payload');
+  }
+
+  if (Array.isArray(parsed)) return parsed;
+  if (parsed && typeof parsed === 'object') return parsed;
+  throw new Error('Invalid JSON payload');
+}
+
+function coerceItems(root: any, keys: string[]): any[] {
+  if (Array.isArray(root)) return root;
+  for (const key of keys) {
+    if (Array.isArray(root?.[key])) return root[key];
+  }
+  return [];
+}
+
+// ---------------------------------------------------------------------------
+// 1Password CSV Parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse 1Password CSV export.
+ * Expected columns: Title, URL, Username, Password, Notes, Type, OTP
+ */
+export function parse1PasswordCSV(csv: string): ImportedCredential[] {
+  const cleaned = stripBOM(csv);
+  const records = parse(cleaned, {
+    columns: true,
+    skip_empty_lines: true,
+    trim: true,
+    relax_column_count: true,
+  }) as Record<string, string>[];
+
+  return records.map((row) => {
+    const fields: ImportedField[] = [];
+
+    if (row.Username) {
+      fields.push({ key: 'username', value: row.Username, sensitive: false });
+    }
+    if (row.Password) {
+      fields.push({ key: 'password', value: row.Password, sensitive: true });
+    }
+    if (row.Notes) {
+      fields.push({ key: 'notes', value: row.Notes, sensitive: false });
+    }
+    if (row.OTP) {
+      fields.push({ key: 'totp', value: row.OTP, sensitive: true });
+    }
+
+    // Map 1Password types to AuraMaxx types
+    let type: CredentialType = 'login';
+    const rawType = (row.Type || '').toLowerCase();
+    if (rawType.includes('card') || rawType.includes('credit')) type = 'card';
+    else if (rawType.includes('note')) type = 'note';
+    else if (rawType.includes('api')) type = 'api';
+    else if (rawType.includes('identity')) type = 'custom';
+
+    return {
+      name: row.Title || 'Untitled',
+      type,
+      url: row.URL || undefined,
+      fields,
+    };
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Bitwarden CSV Parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse Bitwarden CSV export.
+ * Expected columns: folder, favorite, type, name, notes, fields, reprompt,
+ *   login_uri, login_username, login_password, login_totp
+ */
+export function parseBitwardenCSV(csv: string): ImportedCredential[] {
+  const cleaned = stripBOM(csv);
+  const records = parse(cleaned, {
+    columns: true,
+    skip_empty_lines: true,
+    trim: true,
+    relax_column_count: true,
+  }) as Record<string, string>[];
+
+  return records.map((row) => {
+    const fields: ImportedField[] = [];
+
+    if (row.login_username) {
+      fields.push({ key: 'username', value: row.login_username, sensitive: false });
+    }
+    if (row.login_password) {
+      fields.push({ key: 'password', value: row.login_password, sensitive: true });
+    }
+    if (row.notes) {
+      fields.push({ key: 'notes', value: row.notes, sensitive: false });
+    }
+    if (row.login_totp) {
+      fields.push({ key: 'totp', value: row.login_totp, sensitive: true });
+    }
+
+    let type: CredentialType = 'login';
+    const rawType = (row.type || '').toLowerCase();
+    if (rawType === 'card') type = 'card';
+    else if (rawType === 'securenote' || rawType === 'note') type = 'note';
+    else if (rawType === 'identity') type = 'custom';
+
+    const tags: string[] = [];
+    if (row.folder) tags.push(row.folder);
+
+    return {
+      name: row.name || 'Untitled',
+      type,
+      url: row.login_uri || undefined,
+      fields,
+      tags: tags.length > 0 ? tags : undefined,
+    };
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Chrome CSV Parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse Chrome password CSV export.
+ * Expected columns: name, url, username, password, note
+ */
+export function parseChromeCSV(csv: string): ImportedCredential[] {
+  const cleaned = stripBOM(csv);
+  const records = parse(cleaned, {
+    columns: true,
+    skip_empty_lines: true,
+    trim: true,
+    relax_column_count: true,
+  }) as Record<string, string>[];
+
+  return records.map((row) => {
+    const fields: ImportedField[] = [];
+
+    if (row.username) {
+      fields.push({ key: 'username', value: row.username, sensitive: false });
+    }
+    if (row.password) {
+      fields.push({ key: 'password', value: row.password, sensitive: true });
+    }
+    if (row.note) {
+      fields.push({ key: 'notes', value: row.note, sensitive: false });
+    }
+
+    return {
+      name: row.name || 'Untitled',
+      type: 'login' as CredentialType,
+      url: row.url || undefined,
+      fields,
+    };
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Firefox CSV Parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse Firefox password CSV export.
+ * Expected columns: url, username, password, httpRealm, formActionOrigin,
+ *   guid, timeCreated, timeLastUsed, timePasswordChanged
+ */
+export function parseFirefoxCSV(csv: string): ImportedCredential[] {
+  const cleaned = stripBOM(csv);
+  const records = parse(cleaned, {
+    columns: true,
+    skip_empty_lines: true,
+    trim: true,
+    relax_column_count: true,
+  }) as Record<string, string>[];
+
+  return records.map((row) => {
+    const fields: ImportedField[] = [];
+
+    if (row.username) {
+      fields.push({ key: 'username', value: row.username, sensitive: false });
+    }
+    if (row.password) {
+      fields.push({ key: 'password', value: row.password, sensitive: true });
+    }
+
+    // Derive a name from the URL
+    let name = 'Untitled';
+    if (row.url) {
+      try {
+        name = new URL(row.url).hostname.replace(/^www\./, '');
+      } catch {
+        name = row.url;
+      }
+    }
+
+    return {
+      name,
+      type: 'login' as CredentialType,
+      url: row.url || undefined,
+      fields,
+    };
+  });
+}
+
+// ---------------------------------------------------------------------------
+// iCloud Keychain CSV Parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse iCloud Keychain / Apple Passwords CSV export.
+ * Common columns include:
+ *   Title, URL, Username, Password, Notes, OTPAuth
+ */
+export function parseICloudCSV(csv: string): ImportedCredential[] {
+  const records = parseCsvRows(csv);
+
+  return records.map((row) => {
+    const title = getRowValue(row, ['Title', 'Name', 'Site', 'Website']);
+    const url = getRowValue(row, ['URL', 'Website', 'Site URL', 'Site']);
+    const username = getRowValue(row, ['Username', 'User Name', 'Account', 'Login']);
+    const password = getRowValue(row, ['Password', 'Passcode']);
+    const notes = getRowValue(row, ['Notes', 'Note', 'Comments']);
+    const totp = getRowValue(row, ['OTPAuth', 'TOTP', 'One-Time Code', 'One-Time Password']);
+
+    const fields: ImportedField[] = [];
+    if (username) fields.push({ key: 'username', value: username, sensitive: false });
+    if (password) fields.push({ key: 'password', value: password, sensitive: true });
+    if (notes) fields.push({ key: 'notes', value: notes, sensitive: false });
+    if (totp) fields.push({ key: 'totp', value: totp, sensitive: true });
+
+    let name = title || 'Untitled';
+    if (!title && url) {
+      try {
+        name = new URL(url).hostname.replace(/^www\./, '');
+      } catch {
+        name = url;
+      }
+    }
+
+    return {
+      name,
+      type: 'login' as CredentialType,
+      url: url || undefined,
+      fields,
+    };
+  });
+}
+
+// ---------------------------------------------------------------------------
+// LastPass CSV Parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse LastPass CSV export.
+ * Common columns include:
+ *   url, username, password, totp, extra, name, grouping, fav
+ */
+export function parseLastPassCSV(csv: string): ImportedCredential[] {
+  const records = parseCsvRows(csv);
+
+  return records.map((row) => {
+    const nameFromRow = getRowValue(row, ['name', 'title']);
+    const url = getRowValue(row, ['url', 'uri', 'website']);
+    const username = getRowValue(row, ['username', 'user name', 'login']);
+    const password = getRowValue(row, ['password', 'passcode']);
+    const notes = getRowValue(row, ['extra', 'notes', 'note']);
+    const totp = getRowValue(row, ['totp', 'otp']);
+    const grouping = getRowValue(row, ['grouping', 'group', 'folder']);
+
+    const fields: ImportedField[] = [];
+    if (username) fields.push({ key: 'username', value: username, sensitive: false });
+    if (password) fields.push({ key: 'password', value: password, sensitive: true });
+    if (notes) fields.push({ key: 'notes', value: notes, sensitive: false });
+    if (totp) fields.push({ key: 'totp', value: totp, sensitive: true });
+
+    let name = nameFromRow || 'Untitled';
+    if (!nameFromRow && url) {
+      try {
+        name = new URL(url).hostname.replace(/^www\./, '');
+      } catch {
+        name = url;
+      }
+    }
+
+    const tags = grouping ? [grouping] : undefined;
+
+    return {
+      name,
+      type: 'login' as CredentialType,
+      url: url || undefined,
+      fields,
+      tags,
+    };
+  });
+}
+
+// ---------------------------------------------------------------------------
+// JSON Parsers
+// ---------------------------------------------------------------------------
+
+export function parse1PasswordJSON(json: string): ImportedCredential[] {
+  const root = parseJsonObject(json);
+  const items = coerceItems(root, ['items']);
+
+  return items.map((item: any) => {
+    const login = item?.login ?? {};
+    const fields: ImportedField[] = [];
+
+    if (login.username) fields.push({ key: 'username', value: String(login.username), sensitive: false });
+    if (login.password) fields.push({ key: 'password', value: String(login.password), sensitive: true });
+    if (item?.notesPlain || item?.notes) fields.push({ key: 'notes', value: String(item.notesPlain || item.notes), sensitive: false });
+
+    const url = login?.urls?.[0]?.href || login?.uris?.[0]?.uri || login?.uris?.[0]?.url || item?.url || undefined;
+    return {
+      name: String(item?.title || item?.name || 'Untitled'),
+      type: 'login' as CredentialType,
+      url,
+      fields,
+    };
+  });
+}
+
+export function parseBitwardenJSON(json: string): ImportedCredential[] {
+  const root = parseJsonObject(json);
+  const items = coerceItems(root, ['items']);
+
+  return items.map((item: any) => {
+    const login = item?.login ?? {};
+    const fields: ImportedField[] = [];
+
+    if (login.username) fields.push({ key: 'username', value: String(login.username), sensitive: false });
+    if (login.password) fields.push({ key: 'password', value: String(login.password), sensitive: true });
+    if (item?.notes) fields.push({ key: 'notes', value: String(item.notes), sensitive: false });
+    if (login?.totp) fields.push({ key: 'totp', value: String(login.totp), sensitive: true });
+
+    return {
+      name: String(item?.name || 'Untitled'),
+      type: 'login' as CredentialType,
+      url: login?.uris?.[0]?.uri || undefined,
+      fields,
+    };
+  });
+}
+
+export function parseChromeJSON(json: string): ImportedCredential[] {
+  const root = parseJsonObject(json);
+  const items = coerceItems(root, ['items', 'logins', 'passwords', 'credentials']);
+
+  return items.map((item: any) => {
+    const fields: ImportedField[] = [];
+    if (item?.username) fields.push({ key: 'username', value: String(item.username), sensitive: false });
+    if (item?.password) fields.push({ key: 'password', value: String(item.password), sensitive: true });
+    if (item?.note || item?.notes) fields.push({ key: 'notes', value: String(item.note || item.notes), sensitive: false });
+
+    return {
+      name: String(item?.name || item?.title || 'Untitled'),
+      type: 'login' as CredentialType,
+      url: item?.url || item?.origin || item?.signon_realm || undefined,
+      fields,
+    };
+  });
+}
+
+export function parseFirefoxJSON(json: string): ImportedCredential[] {
+  const root = parseJsonObject(json);
+  const items = coerceItems(root, ['logins', 'items', 'credentials']);
+
+  return items.map((item: any) => {
+    const fields: ImportedField[] = [];
+    if (item?.username) fields.push({ key: 'username', value: String(item.username), sensitive: false });
+    if (item?.password) fields.push({ key: 'password', value: String(item.password), sensitive: true });
+
+    const url = item?.url || item?.hostname || undefined;
+    let name = 'Untitled';
+    if (url) {
+      try {
+        name = new URL(String(url)).hostname.replace(/^www\./, '');
+      } catch {
+        name = String(url);
+      }
+    }
+
+    return {
+      name,
+      type: 'login' as CredentialType,
+      url,
+      fields,
+    };
+  });
+}

package/server/lib/credential-scope.ts

@@ -0,0 +1,102 @@
+/**
+ * Credential Scope — Matching & Field Exclusion Resolution
+ * ========================================================
+ *
+ * Handles scope normalization, credential-to-scope matching for access control,
+ * and resolution of which sensitive fields to exclude from reads.
+ */
+
+import { CredentialFile } from '../types';
+import { getDefaultSync } from './defaults';
+
+/**
+ * Normalize a scope string for consistent matching.
+ * Trims whitespace, applies NFKC normalization, and lowercases.
+ */
+export function normalizeScope(scope: string): string {
+  return scope.trim().normalize('NFKC').toLowerCase();
+}
+
+/**
+ * Check if a credential matches any of the given scopes.
+ *
+ * Scope types:
+ * - `*` — matches everything
+ * - `cred-xxxxx` — exact credential ID match
+ * - `tag:X` — matches if credential's meta.tags contains X
+ * - `vault:X` — matches if credential's vaultId equals X
+ *
+ * Selector wildcards:
+ * - `tag:*` / `vault:*` — match any tag / any vault
+ * - trailing `*` in tag/vault selectors — prefix wildcard
+ *   (e.g. `tag:generated/*`, `vault:pri*`)
+ *
+ * All comparisons use normalized values.
+ * Empty scopes array matches nothing.
+ */
+function matchesSelector(value: string, selector: string): boolean {
+  if (selector === '*') return true;
+  if (selector.endsWith('*')) {
+    const prefix = selector.slice(0, -1);
+    return value.startsWith(prefix);
+  }
+  return value === selector;
+}
+
+export function matchesScope(credential: CredentialFile, scopes: string[]): boolean {
+  if (scopes.length === 0) return false;
+
+  const normalizedScopes = scopes.map(normalizeScope);
+
+  for (const scope of normalizedScopes) {
+    // Wildcard
+    if (scope === '*') return true;
+
+    // Exact ID match
+    if (scope === normalizeScope(credential.id)) return true;
+
+    // Tag match
+    if (scope.startsWith('tag:')) {
+      const tagValue = scope.slice(4);
+      const tags = (credential.meta.tags as string[] | undefined) || [];
+      if (tagValue === '*' && tags.length > 0) return true;
+      if (tags.some(t => matchesSelector(normalizeScope(t), tagValue))) return true;
+    }
+
+    // Vault match
+    if (scope.startsWith('vault:')) {
+      const vaultValue = scope.slice(6);
+      if (matchesSelector(normalizeScope(credential.vaultId), vaultValue)) return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Resolve which fields to exclude from a credential read.
+ *
+ * Resolution order:
+ * 1. Token's explicit excludeFields (even if empty array []) → use as-is
+ * 2. Type default from `defaults.credential.excludeFields.{type}` → use if found
+ * 3. Fall back to empty array (exclude nothing)
+ */
+export function resolveExcludeFields(
+  tokenExcludes: string[] | undefined,
+  credentialType: string
+): string[] {
+  // Token explicitly set excludeFields (even [] means "show everything")
+  if (tokenExcludes !== undefined) {
+    if (Array.isArray(tokenExcludes) && tokenExcludes.length === 0) {
+      console.warn('[credential-scope] Token has excludeFields: [] — all sensitive fields will be exposed. Ensure this is intentional.');
+    }
+    return tokenExcludes;
+  }
+
+  // Type default
+  const typeDefault = getDefaultSync<string[]>(
+    `defaults.credential.excludeFields.${credentialType}`,
+    []
+  );
+  return typeDefault;
+}