botschat 0.1.2 → 0.1.4

package/README.md

@@ -85,9 +85,17 @@ npm install
 
 ### Step 2: Deploy BotsChat Server
 
-Choose one of the two options below:
+Choose one of the three options below:
 
-#### Option A: Run Locally
+#### Option A: Use Hosted Console (Recommended)
+
+The easiest way to get started — no deployment needed. We run a hosted BotsChat instance at **[console.botschat.app](https://console.botschat.app)**. Just sign up, generate a pairing token, and connect your OpenClaw instance directly.
+
+Your API keys and data still stay on your machine — the hosted console only relays chat messages via WebSocket, exactly the same as a self-hosted deployment.
+
+> Skip to [Step 3](#step-3-install-the-openclaw-plugin) after signing up.
+
+#### Option B: Run Locally
 
 Wrangler uses [Miniflare](https://miniflare.dev) under the hood, so D1, R2, and Durable Objects all run locally — **no Cloudflare account needed**.
 
@@ -116,7 +124,7 @@ Other dev commands:
 ./scripts/dev.sh logs      # Tail remote gateway logs
 ```
 
-#### Option B: Deploy to Cloudflare
+#### Option C: Deploy to Cloudflare
 
 For remote access (e.g. chatting with your agents from your phone), deploy to Cloudflare Workers. The free tier is more than enough for personal use.
 
@@ -156,6 +164,7 @@ Open the BotsChat web UI, register an account, and generate a **pairing token**
 **3. Configure the connection**
 
 ```bash
+# For hosted console, use https://console.botschat.app
 # For local deployment, use http://localhost:8787 or your LAN IP
 # For Cloudflare deployment, use your Workers URL
 openclaw config set channels.botschat.cloudUrl <BOTSCHAT_URL>

package/migrations/0009_google_auth.sql

@@ -0,0 +1,10 @@
+-- Support Firebase OAuth (Google, GitHub, etc.) users who don't have a password.
+
+-- auth_provider: 'email' (default), 'google', 'github'
+ALTER TABLE users ADD COLUMN auth_provider TEXT NOT NULL DEFAULT 'email';
+
+-- Firebase UID — unique across all Firebase auth providers
+ALTER TABLE users ADD COLUMN firebase_uid TEXT;
+
+-- Index for quick lookup by firebase_uid
+CREATE UNIQUE INDEX IF NOT EXISTS idx_users_firebase_uid ON users(firebase_uid) WHERE firebase_uid IS NOT NULL;

package/migrations/0010_pairing_token_security.sql

@@ -0,0 +1,10 @@
+-- Pairing token security enhancements: soft-delete (revoke), audit fields.
+
+-- Soft-delete: revoked tokens are rejected but kept for audit trail
+ALTER TABLE pairing_tokens ADD COLUMN revoked_at INTEGER;
+
+-- Last connecting IP (for audit)
+ALTER TABLE pairing_tokens ADD COLUMN last_ip TEXT;
+
+-- Connection count (for anomaly detection)
+ALTER TABLE pairing_tokens ADD COLUMN connection_count INTEGER NOT NULL DEFAULT 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botschat",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "A self-hosted chat interface for OpenClaw AI agents",
   "workspaces": [
     "packages/*"

package/packages/api/src/do/connection-do.ts

@@ -36,11 +36,13 @@ export class ConnectionDO implements DurableObject {
     // Route: /gateway/:accountId — OpenClaw plugin connects here
     if (url.pathname.startsWith("/gateway/")) {
       // Extract and store userId from the gateway path
-      const userId = url.pathname.split("/gateway/")[1];
+      const userId = url.pathname.split("/gateway/")[1]?.split("?")[0];
       if (userId) {
         await this.state.storage.put("userId", userId);
       }
-      return this.handleOpenClawConnect(request);
+      // Check if the API worker already verified the token against D1
+      const preVerified = url.searchParams.get("verified") === "1";
+      return this.handleOpenClawConnect(request, preVerified);
     }
 
     // Route: /client/:sessionId — Browser client connects here
@@ -121,7 +123,7 @@ export class ConnectionDO implements DurableObject {
 
   // ---- Connection handlers ----
 
-  private handleOpenClawConnect(request: Request): Response {
+  private handleOpenClawConnect(request: Request, preVerified = false): Response {
     if (request.headers.get("Upgrade") !== "websocket") {
       return new Response("Expected WebSocket upgrade", { status: 426 });
     }
@@ -132,8 +134,10 @@ export class ConnectionDO implements DurableObject {
     // Accept with Hibernation API, tag as "openclaw"
     this.state.acceptWebSocket(server, ["openclaw"]);
 
-    // Store initial state: not yet authenticated
-    server.serializeAttachment({ authenticated: false, tag: "openclaw" });
+    // If the API worker already verified the token against D1, mark as
+    // pre-verified. The plugin still sends an auth message, which we'll
+    // fast-track through without re-validating the token.
+    server.serializeAttachment({ authenticated: false, tag: "openclaw", preVerified });
 
     return new Response(null, { status: 101, webSocket: client });
   }
@@ -162,12 +166,14 @@ export class ConnectionDO implements DurableObject {
     ws: WebSocket,
     msg: Record<string, unknown>,
   ): Promise<void> {
-    const attachment = ws.deserializeAttachment() as { authenticated: boolean; tag: string } | null;
+    const attachment = ws.deserializeAttachment() as { authenticated: boolean; tag: string; preVerified?: boolean } | null;
 
     // Handle auth handshake
     if (msg.type === "auth") {
       const token = msg.token as string;
-      const isValid = await this.validatePairingToken(token);
+      // If the API worker already validated this token against D1, skip
+      // the DO-level check. Otherwise fall back to local validation.
+      const isValid = attachment?.preVerified || await this.validatePairingToken(token);
 
       if (isValid) {
         ws.serializeAttachment({ ...attachment, authenticated: true });

package/packages/api/src/env.ts

@@ -5,4 +5,7 @@ export type Env = {
   CONNECTION_DO: DurableObjectNamespace;
   ENVIRONMENT: string;
   JWT_SECRET?: string;
+  FIREBASE_PROJECT_ID?: string;
+  /** Canonical public URL override — if set, always use this as cloudUrl. */
+  PUBLIC_URL?: string;
 };

package/packages/api/src/index.ts

@@ -11,6 +11,7 @@ import { models } from "./routes/models.js";
 import { pairing } from "./routes/pairing.js";
 import { sessions } from "./routes/sessions.js";
 import { upload } from "./routes/upload.js";
+import { setup } from "./routes/setup.js";
 
 // Re-export the Durable Object class so wrangler can find it
 export { ConnectionDO } from "./do/connection-do.js";
@@ -25,6 +26,7 @@ app.get("/api/health", (c) => c.json({ status: "ok", version: "0.1.0" }));
 
 // ---- Public routes (no auth) ----
 app.route("/api/auth", auth);
+app.route("/api/setup", setup);
 
 // ---- Protected routes (require Bearer token) ----
 const protectedApp = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
@@ -232,9 +234,9 @@ app.all("/api/gateway/:connId", async (c) => {
       return c.json({ error: "Token required for gateway connection" }, 401);
     }
 
-    // Look up user by pairing token
+    // Look up user by pairing token (exclude revoked tokens)
     const row = await c.env.DB.prepare(
-      "SELECT user_id FROM pairing_tokens WHERE token = ?",
+      "SELECT user_id FROM pairing_tokens WHERE token = ? AND revoked_at IS NULL",
     )
       .bind(token)
       .first<{ user_id: string }>();
@@ -244,18 +246,24 @@ app.all("/api/gateway/:connId", async (c) => {
     }
     userId = row.user_id;
 
-    // Update last_connected_at
+    // Update audit fields: last_connected_at, last_ip, connection_count
+    const clientIp = c.req.header("CF-Connecting-IP") ?? c.req.header("X-Forwarded-For") ?? "unknown";
     await c.env.DB.prepare(
-      "UPDATE pairing_tokens SET last_connected_at = unixepoch() WHERE token = ?",
+      `UPDATE pairing_tokens
+       SET last_connected_at = unixepoch(), last_ip = ?, connection_count = connection_count + 1
+       WHERE token = ?`,
     )
-      .bind(token)
+      .bind(clientIp, token)
       .run();
   }
 
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);
+  // Pass verified userId to DO — the API worker already validated the token
+  // against D1 above, so DO can trust this.
   url.pathname = `/gateway/${userId}`;
+  url.searchParams.set("verified", "1");
   return stub.fetch(new Request(url.toString(), c.req.raw));
 });
 

package/packages/api/src/routes/auth.ts

@@ -1,6 +1,7 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
 import { createToken, hashPassword } from "../utils/auth.js";
+import { verifyFirebaseIdToken } from "../utils/firebase.js";
 import { generateId } from "../utils/id.js";
 
 const auth = new Hono<{ Bindings: Env }>();
@@ -73,6 +74,105 @@ auth.post("/login", async (c) => {
   });
 });
 
+/**
+ * POST /api/auth/firebase — sign in (or register) with a Firebase ID token.
+ * Works for all Firebase-backed providers (Google, GitHub, etc.).
+ */
+async function handleFirebaseAuth(c: {
+  req: { json: <T>() => Promise<T> };
+  env: Env;
+  json: (data: unknown, status?: number) => Response;
+}) {
+  const { idToken } = await c.req.json<{ idToken: string }>();
+
+  if (!idToken?.trim()) {
+    return c.json({ error: "idToken is required" }, 400);
+  }
+
+  const projectId = c.env.FIREBASE_PROJECT_ID;
+  if (!projectId) {
+    return c.json({ error: "Firebase sign-in is not configured" }, 500);
+  }
+
+  // 1. Verify the Firebase ID token
+  let firebaseUser;
+  try {
+    firebaseUser = await verifyFirebaseIdToken(idToken, projectId);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Token verification failed";
+    return c.json({ error: msg }, 401);
+  }
+
+  const email = firebaseUser.email?.toLowerCase();
+  if (!email) {
+    return c.json({ error: "Account has no email address" }, 400);
+  }
+
+  const firebaseUid = firebaseUser.sub;
+  // Determine provider from Firebase token (google.com, github.com, etc.)
+  const signInProvider = firebaseUser.firebase?.sign_in_provider ?? "unknown";
+  const authProvider = signInProvider.includes("google")
+    ? "google"
+    : signInProvider.includes("github")
+      ? "github"
+      : signInProvider;
+  const displayName = firebaseUser.name ?? email.split("@")[0];
+
+  // 2. Look up existing user by firebase_uid first, then by email
+  let row = await c.env.DB.prepare(
+    "SELECT id, email, display_name, auth_provider FROM users WHERE firebase_uid = ?",
+  )
+    .bind(firebaseUid)
+    .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
+
+  if (!row) {
+    // Check if there's an existing email-based account — link it
+    row = await c.env.DB.prepare(
+      "SELECT id, email, display_name, auth_provider FROM users WHERE email = ?",
+    )
+      .bind(email)
+      .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
+
+    if (row) {
+      // Link Firebase UID to existing account
+      await c.env.DB.prepare(
+        "UPDATE users SET firebase_uid = ?, auth_provider = ?, updated_at = unixepoch() WHERE id = ?",
+      )
+        .bind(firebaseUid, authProvider, row.id)
+        .run();
+    }
+  }
+
+  if (!row) {
+    // 3. Create a new user (OAuth-only, no password)
+    const id = generateId("u_");
+    await c.env.DB.prepare(
+      `INSERT INTO users (id, email, password_hash, display_name, auth_provider, firebase_uid)
+       VALUES (?, ?, '', ?, ?, ?)`,
+    )
+      .bind(id, email, displayName, authProvider, firebaseUid)
+      .run();
+
+    row = { id, email, display_name: displayName, auth_provider: authProvider };
+  }
+
+  // 4. Issue our own JWT
+  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const token = await createToken(row.id, secret);
+
+  return c.json({
+    id: row.id,
+    email: row.email,
+    displayName: row.display_name,
+    token,
+  });
+}
+
+// Register the unified Firebase auth handler and provider-specific aliases
+auth.post("/firebase", (c) => handleFirebaseAuth(c));
+auth.post("/google", (c) => handleFirebaseAuth(c));
+auth.post("/github", (c) => handleFirebaseAuth(c));
+
 /** GET /api/auth/me — returns current user info */
 auth.get("/me", async (c) => {
   // This route requires auth middleware to be applied upstream

package/packages/api/src/routes/pairing.ts

@@ -4,12 +4,15 @@ import { generateId, generatePairingToken } from "../utils/id.js";
 
 const pairing = new Hono<{ Bindings: Env; Variables: { userId: string } }>();
 
-/** GET /api/pairing-tokens — list pairing tokens for the current user */
+/** GET /api/pairing-tokens — list active (non-revoked) pairing tokens for the current user */
 pairing.get("/", async (c) => {
   const userId = c.get("userId");
 
   const { results } = await c.env.DB.prepare(
-    "SELECT id, token, label, last_connected_at, created_at FROM pairing_tokens WHERE user_id = ? ORDER BY created_at DESC",
+    `SELECT id, token, label, last_connected_at, last_ip, connection_count, created_at
+     FROM pairing_tokens
+     WHERE user_id = ? AND revoked_at IS NULL
+     ORDER BY created_at DESC`,
   )
     .bind(userId)
     .all<{
@@ -17,17 +20,20 @@ pairing.get("/", async (c) => {
       token: string;
       label: string | null;
       last_connected_at: number | null;
+      last_ip: string | null;
+      connection_count: number;
       created_at: number;
     }>();
 
   return c.json({
     tokens: (results ?? []).map((r) => ({
       id: r.id,
-      // Show only last 8 chars for security
       token: r.token,
       tokenPreview: `bc_pat_...${r.token.slice(-8)}`,
       label: r.label,
       lastConnectedAt: r.last_connected_at,
+      lastIp: r.last_ip,
+      connectionCount: r.connection_count,
       createdAt: r.created_at,
     })),
   });
@@ -59,13 +65,14 @@ pairing.post("/", async (c) => {
   );
 });
 
-/** DELETE /api/pairing-tokens/:id — revoke a pairing token */
+/** DELETE /api/pairing-tokens/:id — soft-revoke a pairing token */
 pairing.delete("/:id", async (c) => {
   const userId = c.get("userId");
   const tokenId = c.req.param("id");
 
+  // Soft-delete: set revoked_at instead of removing the row
   await c.env.DB.prepare(
-    "DELETE FROM pairing_tokens WHERE id = ? AND user_id = ?",
+    "UPDATE pairing_tokens SET revoked_at = unixepoch() WHERE id = ? AND user_id = ? AND revoked_at IS NULL",
   )
     .bind(tokenId, userId)
     .run();

package/packages/api/src/routes/setup.ts

@@ -0,0 +1,199 @@
+import { Hono } from "hono";
+import type { Env } from "../env.js";
+import { createToken, hashPassword } from "../utils/auth.js";
+import { verifyFirebaseIdToken } from "../utils/firebase.js";
+import { generateId, generatePairingToken } from "../utils/id.js";
+import { resolveCloudUrlWithHints } from "../utils/resolve-url.js";
+
+const setup = new Hono<{ Bindings: Env }>();
+
+/**
+ * POST /api/setup/init — One-shot CLI onboarding endpoint.
+ *
+ * Accepts email+password OR a Firebase idToken.
+ * Returns everything the CLI needs to configure the OpenClaw plugin:
+ *   - userId, JWT token, pairing token, cloud URL, ready-to-run commands.
+ *
+ * Idempotent: if the user already has a pairing token, a new one is created
+ * for this setup session (old ones remain valid).
+ */
+setup.post("/init", async (c) => {
+  const body = await c.req.json<{
+    email?: string;
+    password?: string;
+    idToken?: string;
+  }>();
+
+  let userId: string;
+  let email: string;
+  let displayName: string | null = null;
+
+  if (body.idToken) {
+    // ---- Firebase auth path ----
+    const projectId = c.env.FIREBASE_PROJECT_ID;
+    if (!projectId) {
+      return c.json({ error: "Firebase sign-in is not configured" }, 500);
+    }
+
+    let firebaseUser;
+    try {
+      firebaseUser = await verifyFirebaseIdToken(body.idToken, projectId);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "Token verification failed";
+      return c.json({ error: msg }, 401);
+    }
+
+    email = firebaseUser.email?.toLowerCase() ?? "";
+    if (!email) return c.json({ error: "Account has no email" }, 400);
+
+    displayName = firebaseUser.name ?? null;
+    const firebaseUid = firebaseUser.sub;
+
+    // Find or create user
+    let row = await c.env.DB.prepare(
+      "SELECT id, display_name FROM users WHERE firebase_uid = ?",
+    ).bind(firebaseUid).first<{ id: string; display_name: string | null }>();
+
+    if (!row) {
+      row = await c.env.DB.prepare(
+        "SELECT id, display_name FROM users WHERE email = ?",
+      ).bind(email).first<{ id: string; display_name: string | null }>();
+
+      if (row) {
+        await c.env.DB.prepare(
+          "UPDATE users SET firebase_uid = ?, updated_at = unixepoch() WHERE id = ?",
+        ).bind(firebaseUid, row.id).run();
+      }
+    }
+
+    if (!row) {
+      const id = generateId("u_");
+      const signInProvider = firebaseUser.firebase?.sign_in_provider ?? "unknown";
+      const authProvider = signInProvider.includes("google") ? "google"
+        : signInProvider.includes("github") ? "github" : signInProvider;
+      await c.env.DB.prepare(
+        `INSERT INTO users (id, email, password_hash, display_name, auth_provider, firebase_uid)
+         VALUES (?, ?, '', ?, ?, ?)`,
+      ).bind(id, email, displayName ?? email.split("@")[0], authProvider, firebaseUid).run();
+      row = { id, display_name: displayName };
+    }
+
+    userId = row.id;
+    displayName = row.display_name;
+  } else {
+    // ---- Email + password path ----
+    if (!body.email?.trim() || !body.password?.trim()) {
+      return c.json({ error: "email+password or idToken is required" }, 400);
+    }
+
+    email = body.email.trim().toLowerCase();
+    const passwordHash = await hashPassword(body.password);
+
+    const row = await c.env.DB.prepare(
+      "SELECT id, display_name FROM users WHERE email = ? AND password_hash = ?",
+    ).bind(email, passwordHash).first<{ id: string; display_name: string | null }>();
+
+    if (!row) {
+      return c.json({ error: "Invalid email or password" }, 401);
+    }
+
+    userId = row.id;
+    displayName = row.display_name;
+  }
+
+  // ---- Create a fresh pairing token for this setup ----
+  const ptId = generateId("pt_");
+  const pairingToken = generatePairingToken();
+  await c.env.DB.prepare(
+    "INSERT INTO pairing_tokens (id, user_id, token, label) VALUES (?, ?, ?, ?)",
+  ).bind(ptId, userId, pairingToken, "CLI setup").run();
+
+  // ---- Ensure a default channel exists ----
+  let channel = await c.env.DB.prepare(
+    "SELECT id, name FROM channels WHERE user_id = ? LIMIT 1",
+  ).bind(userId).first<{ id: string; name: string }>();
+
+  if (!channel) {
+    const chId = generateId("ch_");
+    await c.env.DB.prepare(
+      "INSERT INTO channels (id, user_id, name, description) VALUES (?, ?, ?, ?)",
+    ).bind(chId, userId, "My Agent", "Default channel").run();
+    channel = { id: chId, name: "My Agent" };
+  }
+
+  // ---- Issue JWT ----
+  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const token = await createToken(userId, secret);
+
+  // ---- Resolve the best cloud URL for the plugin to connect back ----
+  const { cloudUrl, isLoopback, hint } = resolveCloudUrlWithHints(c.req.raw, c.env);
+
+  return c.json({
+    userId,
+    email,
+    displayName,
+    token,
+    pairingToken,
+    cloudUrl,
+    ...(isLoopback ? { cloudUrlWarning: hint } : {}),
+    channel: { id: channel.id, name: channel.name },
+    setupCommands: [
+      "openclaw plugins install @botschat/openclaw-plugin",
+      `openclaw config set channels.botschat.cloudUrl ${cloudUrl}`,
+      `openclaw config set channels.botschat.pairingToken ${pairingToken}`,
+      "openclaw config set channels.botschat.enabled true",
+      "openclaw gateway restart",
+    ],
+  });
+});
+
+/**
+ * GET /api/setup/cloud-url — Returns the recommended cloudUrl for the plugin.
+ *
+ * Used by the web onboarding page to display the correct URL in commands.
+ * No auth required (the URL is not secret).
+ */
+setup.get("/cloud-url", async (c) => {
+  const { cloudUrl, isLoopback, hint } = resolveCloudUrlWithHints(c.req.raw, c.env);
+  return c.json({ cloudUrl, isLoopback, ...(hint ? { hint } : {}) });
+});
+
+/**
+ * GET /api/setup/status — Check if the user's OpenClaw is connected.
+ *
+ * Used by CLI to verify the setup was successful.
+ * Requires Bearer token auth.
+ */
+setup.get("/status", async (c) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return c.json({ error: "Missing Authorization header" }, 401);
+  }
+
+  const { verifyToken } = await import("../utils/auth.js");
+  const jwtSecret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const payload = await verifyToken(authHeader.slice(7), jwtSecret);
+  if (!payload) {
+    return c.json({ error: "Invalid or expired token" }, 401);
+  }
+
+  const userId = payload.sub;
+
+  // Query the DO for connection status
+  const doId = c.env.CONNECTION_DO.idFromName(userId);
+  const stub = c.env.CONNECTION_DO.get(doId);
+  const resp = await stub.fetch(new Request("https://internal/status"));
+
+  if (!resp.ok) {
+    return c.json({ connected: false });
+  }
+
+  const status = await resp.json() as { openclawConnected?: boolean };
+
+  return c.json({
+    connected: !!status.openclawConnected,
+    userId,
+  });
+});
+
+export { setup };