auramaxx 0.0.1

package/server/lib/oauth2-refresh.ts

@@ -0,0 +1,241 @@
+/**
+ * OAuth2 Refresh Token Logic
+ * ==========================
+ *
+ * Handles transparent access_token refresh for oauth2 credential type.
+ * Called during credential read path — if access_token is expired,
+ * refreshes via token_endpoint and updates stored credential.
+ */
+
+import { CredentialFile, CredentialField } from '../types';
+import { getCredential, readCredentialSecrets, updateCredential } from './credentials';
+
+/** Buffer in seconds before expiry to trigger refresh */
+const EXPIRY_BUFFER_SECONDS = 60;
+
+/** Minimum seconds between refreshes for the same credential */
+const REFRESH_COOLDOWN_SECONDS = 5;
+
+/** Track last refresh time per credential for rate limiting */
+const lastRefreshTime = new Map<string, number>();
+
+export interface OAuth2RefreshResult {
+  accessToken: string;
+  refreshToken?: string;
+  expiresIn?: number;
+  tokenType?: string;
+}
+
+/**
+ * Check if an oauth2 credential's access_token is expired or nearly expired.
+ */
+export function isTokenExpired(credential: CredentialFile): boolean {
+  const rawExpiresAt = credential.meta.expires_at as number | string | null | undefined;
+  const expiresAt =
+    typeof rawExpiresAt === 'string' ? Number(rawExpiresAt) : rawExpiresAt;
+
+  if (!Number.isFinite(expiresAt)) return true; // Missing/invalid expiry info → assume expired
+  if (expiresAt <= 0) return true;
+
+  const now = Math.floor(Date.now() / 1000);
+  return now >= expiresAt - EXPIRY_BUFFER_SECONDS;
+}
+
+/**
+ * Check if refresh is rate-limited for this credential.
+ */
+export function isRefreshRateLimited(credentialId: string): boolean {
+  const last = lastRefreshTime.get(credentialId);
+  if (!last) return false;
+  return (Date.now() - last) < REFRESH_COOLDOWN_SECONDS * 1000;
+}
+
+/**
+ * Perform OAuth2 token refresh against the token_endpoint.
+ */
+export async function refreshAccessToken(
+  tokenEndpoint: string,
+  refreshToken: string,
+  clientId: string,
+  clientSecret: string,
+  authMethod: string = 'client_secret_post',
+): Promise<OAuth2RefreshResult> {
+  const params = new URLSearchParams({
+    grant_type: 'refresh_token',
+    refresh_token: refreshToken,
+  });
+
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/x-www-form-urlencoded',
+    Accept: 'application/json',
+  };
+
+  if (authMethod === 'client_secret_basic') {
+    const encoded = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+    headers['Authorization'] = `Basic ${encoded}`;
+  } else {
+    // client_secret_post (default)
+    params.set('client_id', clientId);
+    params.set('client_secret', clientSecret);
+  }
+
+  const response = await fetch(tokenEndpoint, {
+    method: 'POST',
+    headers,
+    body: params.toString(),
+  });
+
+  if (!response.ok) {
+    const body = await response.text();
+    const status = response.status;
+    const loweredBody = body.toLowerCase();
+    const parsed = (() => {
+      try {
+        return JSON.parse(body) as Record<string, unknown>;
+      } catch {
+        return null;
+      }
+    })();
+    const hasInvalidGrant =
+      status === 400 &&
+      (loweredBody.includes('invalid_grant') ||
+       (typeof parsed?.error === 'string' && parsed.error.toLowerCase() === 'invalid_grant'));
+
+    // 401 or 400 with invalid_grant means refresh token is revoked
+    if (status === 401 || hasInvalidGrant) {
+      const err = new Error(`OAuth2 refresh token revoked (${status}): ${body}`);
+      (err as any).revoked = true;
+      (err as any).statusCode = status;
+      throw err;
+    }
+    throw new Error(`OAuth2 refresh failed (${status}): ${body}`);
+  }
+
+  const data = await response.json() as Record<string, unknown>;
+
+  if (typeof data.access_token !== 'string') {
+    throw new Error('OAuth2 refresh response missing access_token');
+  }
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: typeof data.refresh_token === 'string' ? data.refresh_token : undefined,
+    expiresIn: typeof data.expires_in === 'number' ? data.expires_in : undefined,
+    tokenType: typeof data.token_type === 'string' ? data.token_type : undefined,
+  };
+}
+
+/**
+ * Attempt a fetch-based refresh with one retry on transient network errors.
+ */
+async function refreshWithRetry(
+  tokenEndpoint: string,
+  refreshToken: string,
+  clientId: string,
+  clientSecret: string,
+  authMethod: string,
+): Promise<OAuth2RefreshResult> {
+  try {
+    return await refreshAccessToken(tokenEndpoint, refreshToken, clientId, clientSecret, authMethod);
+  } catch (err: any) {
+    // Don't retry on revoked tokens or HTTP errors — only network failures
+    if (err.revoked) throw err;
+    if (err.message?.startsWith('OAuth2 refresh failed')) throw err;
+    if (err.message?.startsWith('OAuth2 refresh response')) throw err;
+    // Transient network error — retry once
+    return await refreshAccessToken(tokenEndpoint, refreshToken, clientId, clientSecret, authMethod);
+  }
+}
+
+/**
+ * Read oauth2 credential secrets, auto-refreshing if expired.
+ * Returns the (possibly refreshed) sensitive fields.
+ */
+export async function readOAuth2SecretsWithRefresh(
+  credentialId: string,
+): Promise<CredentialField[]> {
+  const credential = getCredential(credentialId);
+  if (!credential) throw new Error(`Credential not found: ${credentialId}`);
+  if (credential.type !== 'oauth2') throw new Error('Not an oauth2 credential');
+
+  let fields = readCredentialSecrets(credentialId);
+
+  if (isTokenExpired(credential)) {
+    // Rate limit check
+    if (isRefreshRateLimited(credentialId)) {
+      // Return current fields without refreshing
+      return fields;
+    }
+
+    const fieldMap = new Map(fields.map(f => [f.key, f.value]));
+    const refreshToken = fieldMap.get('refresh_token');
+    const clientId = fieldMap.get('client_id');
+    const clientSecret = fieldMap.get('client_secret');
+    const tokenEndpoint = credential.meta.token_endpoint as string;
+    const authMethod = (credential.meta.auth_method as string) || 'client_secret_post';
+
+    if (!refreshToken || !clientId || !clientSecret || !tokenEndpoint) {
+      throw new Error('OAuth2 credential missing required fields for refresh');
+    }
+
+    try {
+      const result = await refreshWithRetry(
+        tokenEndpoint,
+        refreshToken,
+        clientId,
+        clientSecret,
+        authMethod,
+      );
+
+      // Record refresh time for rate limiting
+      lastRefreshTime.set(credentialId, Date.now());
+
+      // Update fields with new tokens
+      const updatedFields = fields.map(f => {
+        if (f.key === 'access_token') return { ...f, value: result.accessToken };
+        if (f.key === 'refresh_token' && result.refreshToken) return { ...f, value: result.refreshToken };
+        return f;
+      });
+
+      // Update expires_at and last_refreshed in meta
+      const newExpiresAt = result.expiresIn
+        ? Math.floor(Date.now() / 1000) + result.expiresIn
+        : null;
+
+      updateCredential(credentialId, {
+        meta: {
+          ...credential.meta,
+          needs_reauth: false,
+          reauth_reason: null,
+          expires_at: newExpiresAt,
+          last_refreshed: new Date().toISOString(),
+        },
+        sensitiveFields: updatedFields,
+      });
+
+      fields = updatedFields;
+    } catch (err: any) {
+      if (err.revoked) {
+        // Mark credential as needing re-authentication
+        updateCredential(credentialId, {
+          meta: {
+            ...credential.meta,
+            needs_reauth: true,
+            reauth_reason: err.message,
+            last_refreshed: new Date().toISOString(),
+          },
+        });
+        throw new Error(`OAuth2 token revoked — credential ${credentialId} marked as needs_reauth`);
+      }
+      throw err;
+    }
+  }
+
+  return fields;
+}
+
+/**
+ * Default fields to exclude from oauth2 credential reads by agents.
+ * Agents only need the access_token — never the refresh machinery.
+ */
+export const OAUTH2_DEFAULT_EXCLUDE_FIELDS = ['refresh_token', 'client_secret', 'client_id', 'token_endpoint'];

package/server/lib/oursecret.ts

@@ -0,0 +1,71 @@
+import { NOTE_CONTENT_KEY } from '../../shared/credential-field-schema';
+import { createCredential, listCredentials } from './credentials';
+
+export const OURSECRET_NOTE_NAME = 'OURSECRET';
+
+export const OURSECRET_NOTE_CONTENT = 'Ready to auramaxx and mog prompt peasants?';
+
+export const DONTLOOK_NOTE_NAME = 'DONTLOOK';
+
+export const DONTLOOK_NOTE_CONTENT = 'who let the auramaxxers out?';
+
+export const GETTING_STARTED_NOTE_NAME = 'GETTING_STARTED';
+
+export const GETTING_STARTED_NOTE_CONTENT = `Quick start (Agent):
+- Enable Aura skills or MCP for your client.
+- Ask your agent: aura get OURSECRET
+- Ask your agent: aura set DEMO_KEY sk-demo-123
+
+Quick start (CLI):
+- npx auramaxx get OURSECRET
+- npx auramaxx set DEMO_KEY sk-demo-123
+- npx auramaxx inject DEMO_KEY --env AURA_QUICKHACK
+`;
+
+function hasSeededNote(vaultId: string, name: string): boolean {
+  const hasLegacyNote = listCredentials({ vaultId, type: 'note' })
+    .some((credential) => credential.name.trim().toUpperCase() === name);
+  const hasPlainNote = listCredentials({ vaultId, type: 'plain_note' })
+    .some((credential) => credential.name.trim().toUpperCase() === name);
+
+  return hasLegacyNote || hasPlainNote;
+}
+
+function ensureSeededNote(vaultId: string, name: string, content: string, type: 'note' | 'plain_note' = 'note'): { created: boolean } {
+  if (hasSeededNote(vaultId, name)) {
+    return { created: false };
+  }
+
+  const meta: Record<string, unknown> = {
+    tags: ['onboarding', 'docs', 'agents'],
+    system: true,
+  };
+
+  if (type === 'plain_note') {
+    meta[NOTE_CONTENT_KEY] = content;
+  }
+
+  createCredential(
+    vaultId,
+    type,
+    name,
+    meta,
+    type === 'note'
+      ? [{ key: NOTE_CONTENT_KEY, value: content, type: 'text', sensitive: true }]
+      : [],
+  );
+
+  return { created: true };
+}
+
+export function ensureOurSecretForVault(vaultId: string): { created: boolean } {
+  return ensureSeededNote(vaultId, OURSECRET_NOTE_NAME, OURSECRET_NOTE_CONTENT, 'plain_note');
+}
+
+export function ensureDontLookForVault(vaultId: string): { created: boolean } {
+  return ensureSeededNote(vaultId, DONTLOOK_NOTE_NAME, DONTLOOK_NOTE_CONTENT, 'note');
+}
+
+export function ensureGettingStartedForVault(vaultId: string): { created: boolean } {
+  return ensureSeededNote(vaultId, GETTING_STARTED_NOTE_NAME, GETTING_STARTED_NOTE_CONTENT, 'plain_note');
+}

package/server/lib/passkey-credential.ts

@@ -0,0 +1,360 @@
+/**
+ * Passkey Credential Operations — Software WebAuthn Authenticator
+ * ===============================================================
+ *
+ * Generates ECDSA P-256 keypairs, builds WebAuthn attestation/assertion objects,
+ * and stores passkey credentials in the encrypted vault.
+ */
+
+import crypto from 'crypto';
+import { encode as cborEncode } from 'cbor-x';
+import {
+  createCredential,
+  listCredentials,
+  getCredential,
+  readCredentialSecrets,
+  updateCredential,
+} from './credentials';
+import { CredentialField } from '../types';
+
+// Our software authenticator AAGUID (random, unique to Aura)
+const AURA_AAGUID = Buffer.from('a0a1a2a3a4a5a6a7a8a9aaabacadaeaf', 'hex');
+
+const PASSKEY_CHALLENGE_TTL_MS = 120_000;
+const usedChallenges = new Map<string, number>();
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+export class PasskeyCredentialValidationError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'PasskeyCredentialValidationError';
+  }
+}
+
+function base64urlEncode(buf: Buffer | Uint8Array): string {
+  return Buffer.from(buf).toString('base64url');
+}
+
+function base64urlDecode(str: string): Buffer {
+  return Buffer.from(str, 'base64url');
+}
+
+function sha256(data: Buffer | string): Buffer {
+  return crypto.createHash('sha256').update(data).digest();
+}
+
+function cleanupUsedChallenges(now = Date.now()): void {
+  for (const [challenge, expiresAt] of usedChallenges.entries()) {
+    if (expiresAt <= now) {
+      usedChallenges.delete(challenge);
+    }
+  }
+}
+
+function consumeFreshChallenge(challenge: string): void {
+  const now = Date.now();
+  cleanupUsedChallenges(now);
+
+  const key = challenge.trim();
+  if (!key) {
+    throw new PasskeyCredentialValidationError('challenge is required');
+  }
+
+  if (usedChallenges.has(key)) {
+    throw new PasskeyCredentialValidationError('challenge replay detected');
+  }
+
+  usedChallenges.set(key, now + PASSKEY_CHALLENGE_TTL_MS);
+}
+
+export function _resetPasskeyCredentialChallengeStoreForTests(): void {
+  usedChallenges.clear();
+}
+
+function validateOriginPolicy(origin: string, rpId: string): void {
+  let parsed: URL;
+  try {
+    parsed = new URL(origin);
+  } catch {
+    throw new PasskeyCredentialValidationError('clientDataJSON.origin must be a valid URL');
+  }
+
+  const host = parsed.hostname.toLowerCase();
+  const normalizedRpId = rpId.toLowerCase();
+  const isRpMatch = host === normalizedRpId || host.endsWith(`.${normalizedRpId}`);
+  if (!isRpMatch) {
+    throw new PasskeyCredentialValidationError('clientDataJSON.origin does not match rpId');
+  }
+
+  const isLocalhost = host === 'localhost' || host.endsWith('.localhost');
+  const allowedHttp = parsed.protocol === 'http:' && isLocalhost;
+  if (parsed.protocol !== 'https:' && !allowedHttp) {
+    throw new PasskeyCredentialValidationError('clientDataJSON.origin must be https (except localhost)');
+  }
+}
+
+function parseAndValidateClientDataJSON(params: {
+  clientDataJSON: string;
+  expectedType: 'webauthn.create' | 'webauthn.get';
+  expectedChallenge: string;
+  rpId: string;
+  expectedOrigin?: string;
+}): { challenge: string; origin: string } {
+  let parsed: Record<string, unknown>;
+
+  try {
+    const raw = base64urlDecode(params.clientDataJSON).toString('utf8');
+    parsed = JSON.parse(raw) as Record<string, unknown>;
+  } catch {
+    throw new PasskeyCredentialValidationError('clientDataJSON must be valid base64url-encoded JSON');
+  }
+
+  const type = parsed.type;
+  const challenge = parsed.challenge;
+  const origin = parsed.origin;
+
+  if (type !== params.expectedType) {
+    throw new PasskeyCredentialValidationError(`clientDataJSON.type must be ${params.expectedType}`);
+  }
+
+  if (typeof challenge !== 'string' || challenge !== params.expectedChallenge) {
+    throw new PasskeyCredentialValidationError('clientDataJSON.challenge mismatch');
+  }
+
+  if (typeof origin !== 'string' || !origin.trim()) {
+    throw new PasskeyCredentialValidationError('clientDataJSON.origin is required');
+  }
+
+  validateOriginPolicy(origin, params.rpId);
+
+  if (params.expectedOrigin && origin !== params.expectedOrigin) {
+    throw new PasskeyCredentialValidationError('clientDataJSON.origin mismatch');
+  }
+
+  return { challenge, origin };
+}
+
+/**
+ * Encode an EC public key in COSE_Key format (ECDSA P-256).
+ * See RFC 8152 Section 13.1.1
+ */
+function encodeCosePublicKey(publicKeyDer: Buffer): Buffer {
+  const raw = crypto.createPublicKey({ key: publicKeyDer, format: 'der', type: 'spki' })
+    .export({ format: 'jwk' });
+
+  const x = base64urlDecode(raw.x!);
+  const y = base64urlDecode(raw.y!);
+
+  const coseKey = new Map<number, number | Buffer>();
+  coseKey.set(1, 2);      // kty: EC2
+  coseKey.set(3, -7);     // alg: ES256
+  coseKey.set(-1, 1);     // crv: P-256
+  coseKey.set(-2, x);     // x coordinate
+  coseKey.set(-3, y);     // y coordinate
+
+  return Buffer.from(cborEncode(coseKey));
+}
+
+// ---------------------------------------------------------------------------
+// Registration (navigator.credentials.create)
+// ---------------------------------------------------------------------------
+
+export interface PasskeyRegisterOptions {
+  vaultId: string;
+  rpId: string;
+  rpName?: string;
+  userName?: string;
+  displayName?: string;
+  userHandle: string; // base64url
+  challenge: string;  // base64url — from clientDataJSON
+  origin: string;
+  clientDataJSON: string; // base64url — raw from browser
+}
+
+export interface PasskeyRegisterResult {
+  credentialId: string;    // base64url
+  attestationObject: string; // base64url
+  clientDataJSON: string;    // base64url (pass-through)
+  publicKey: string;         // base64url (SPKI DER)
+  publicKeyCose: string;     // base64url (COSE)
+  transports: string[];
+  auraCredentialId: string;  // internal cred-xxx id
+}
+
+export function registerPasskey(opts: PasskeyRegisterOptions): PasskeyRegisterResult {
+  parseAndValidateClientDataJSON({
+    clientDataJSON: opts.clientDataJSON,
+    expectedType: 'webauthn.create',
+    expectedChallenge: opts.challenge,
+    rpId: opts.rpId,
+    expectedOrigin: opts.origin,
+  });
+  consumeFreshChallenge(opts.challenge);
+
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
+    namedCurve: 'prime256v1',
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+
+  const credentialIdBuf = crypto.randomBytes(32);
+  const credentialId = base64urlEncode(credentialIdBuf);
+
+  const cosePublicKey = encodeCosePublicKey(publicKey as Buffer);
+
+  const rpIdHash = sha256(opts.rpId);
+  const flags = Buffer.from([0x45]); // UP + UV + AT
+  const signCount = Buffer.alloc(4);
+
+  const credIdLenBuf = Buffer.alloc(2);
+  credIdLenBuf.writeUInt16BE(credentialIdBuf.length);
+
+  const authData = Buffer.concat([
+    rpIdHash,
+    flags,
+    signCount,
+    AURA_AAGUID,
+    credIdLenBuf,
+    credentialIdBuf,
+    cosePublicKey,
+  ]);
+
+  const attestationObject = cborEncode({
+    fmt: 'none',
+    attStmt: {},
+    authData,
+  });
+
+  const sensitiveFields: CredentialField[] = [
+    { key: 'privateKey', value: base64urlEncode(privateKey as Buffer), type: 'secret', sensitive: true },
+  ];
+
+  const meta: Record<string, unknown> = {
+    rpId: opts.rpId,
+    rpName: opts.rpName || opts.rpId,
+    credentialId,
+    publicKey: base64urlEncode(publicKey as Buffer),
+    publicKeyCose: base64urlEncode(cosePublicKey),
+    userHandle: opts.userHandle,
+    userName: opts.userName || '',
+    displayName: opts.displayName || '',
+    signCount: 0,
+    transports: ['internal'],
+    discoverable: true,
+  };
+
+  const name = `${opts.rpId} — ${opts.displayName || opts.userName || 'passkey'}`;
+  const cred = createCredential(opts.vaultId, 'passkey', name, meta, sensitiveFields);
+
+  return {
+    credentialId,
+    attestationObject: base64urlEncode(Buffer.from(attestationObject)),
+    clientDataJSON: opts.clientDataJSON,
+    publicKey: base64urlEncode(publicKey as Buffer),
+    publicKeyCose: base64urlEncode(cosePublicKey),
+    transports: ['internal'],
+    auraCredentialId: cred.id,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Authentication (navigator.credentials.get)
+// ---------------------------------------------------------------------------
+
+export interface PasskeyAuthOptions {
+  auraCredentialId: string; // internal cred-xxx id
+  rpId: string;
+  challenge: string;
+  origin?: string;
+  clientDataJSON: string;   // base64url — raw from browser
+}
+
+export interface PasskeyAuthResult {
+  credentialId: string;       // base64url
+  authenticatorData: string;  // base64url
+  signature: string;          // base64url
+  userHandle: string;         // base64url
+}
+
+export function authenticatePasskey(opts: PasskeyAuthOptions): PasskeyAuthResult {
+  parseAndValidateClientDataJSON({
+    clientDataJSON: opts.clientDataJSON,
+    expectedType: 'webauthn.get',
+    expectedChallenge: opts.challenge,
+    rpId: opts.rpId,
+    expectedOrigin: opts.origin,
+  });
+  consumeFreshChallenge(opts.challenge);
+
+  const cred = getCredential(opts.auraCredentialId);
+  if (!cred || cred.type !== 'passkey') {
+    throw new Error('Passkey credential not found');
+  }
+
+  if (cred.meta.rpId !== opts.rpId) {
+    throw new Error('rpId mismatch');
+  }
+
+  const secrets = readCredentialSecrets(opts.auraCredentialId);
+  const privateKeyField = secrets.find(f => f.key === 'privateKey');
+  if (!privateKeyField) {
+    throw new Error('Private key not found in credential');
+  }
+
+  const privateKeyDer = base64urlDecode(privateKeyField.value);
+  const privateKey = crypto.createPrivateKey({ key: privateKeyDer, format: 'der', type: 'pkcs8' });
+
+  const currentCount = (cred.meta.signCount as number) || 0;
+  const newCount = currentCount + 1;
+
+  const rpIdHash = sha256(opts.rpId);
+  const flags = Buffer.from([0x05]); // UP + UV
+  const signCountBuf = Buffer.alloc(4);
+  signCountBuf.writeUInt32BE(newCount);
+
+  const authenticatorData = Buffer.concat([rpIdHash, flags, signCountBuf]);
+
+  const clientDataHash = sha256(base64urlDecode(opts.clientDataJSON));
+  const signedData = Buffer.concat([authenticatorData, clientDataHash]);
+  const signature = crypto.sign('sha256', signedData, privateKey);
+
+  updateCredential(opts.auraCredentialId, {
+    meta: { ...cred.meta, signCount: newCount },
+  });
+
+  return {
+    credentialId: cred.meta.credentialId as string,
+    authenticatorData: base64urlEncode(authenticatorData),
+    signature: base64urlEncode(signature),
+    userHandle: (cred.meta.userHandle as string) || '',
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Match — find passkeys for an rpId
+// ---------------------------------------------------------------------------
+
+export interface PasskeyMatch {
+  auraCredentialId: string;
+  credentialId: string;
+  rpId: string;
+  userName: string;
+  displayName: string;
+}
+
+export function matchPasskeys(rpId: string, vaultId?: string): PasskeyMatch[] {
+  const creds = listCredentials({ type: 'passkey', vaultId });
+  return creds
+    .filter(c => c.meta.rpId === rpId)
+    .map(c => ({
+      auraCredentialId: c.id,
+      credentialId: c.meta.credentialId as string,
+      rpId: c.meta.rpId as string,
+      userName: (c.meta.userName as string) || '',
+      displayName: (c.meta.displayName as string) || '',
+    }))
+    .sort((a, b) => a.auraCredentialId.localeCompare(b.auraCredentialId));
+}