botschat 0.1.3 → 0.1.6

package/packages/api/src/routes/auth.ts

@@ -1,13 +1,17 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
-import { createToken, hashPassword } from "../utils/auth.js";
+import { createToken, createRefreshToken, verifyRefreshToken, hashPassword, verifyPassword, getJwtSecret } from "../utils/auth.js";
 import { verifyFirebaseIdToken } from "../utils/firebase.js";
 import { generateId } from "../utils/id.js";
 
 const auth = new Hono<{ Bindings: Env }>();
 
-/** POST /api/auth/register */
+/** POST /api/auth/register — disabled in production (OAuth only) */
 auth.post("/register", async (c) => {
+  if (c.env.ENVIRONMENT !== "development") {
+    return c.json({ error: "Email registration is disabled. Please sign in with Google or GitHub." }, 403);
+  }
+
   const { email, password, displayName } = await c.req.json<{
     email: string;
     password: string;
@@ -18,6 +22,23 @@ auth.post("/register", async (c) => {
     return c.json({ error: "Email and password are required" }, 400);
   }
 
+  // Basic email format validation
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email.trim())) {
+    return c.json({ error: "Invalid email format" }, 400);
+  }
+
+  // Password strength requirements
+  if (password.length < 8) {
+    return c.json({ error: "Password must be at least 8 characters long" }, 400);
+  }
+  // Cap password length to prevent PBKDF2 resource exhaustion (DoS)
+  if (password.length > 256) {
+    return c.json({ error: "Password must not exceed 256 characters" }, 400);
+  }
+  if (!/[a-zA-Z]/.test(password) || !/[0-9]/.test(password)) {
+    return c.json({ error: "Password must contain both letters and numbers" }, 400);
+  }
+
   const id = generateId("u_");
   const passwordHash = await hashPassword(password);
 
@@ -29,19 +50,25 @@ auth.post("/register", async (c) => {
       .run();
   } catch (err: unknown) {
     if (err instanceof Error && err.message.includes("UNIQUE")) {
-      return c.json({ error: "Email already registered" }, 409);
+      // Generic error to prevent email enumeration
+      return c.json({ error: "Registration failed. Please try a different email or sign in." }, 409);
     }
     throw err;
   }
 
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const secret = getJwtSecret(c.env);
   const token = await createToken(id, secret);
+  const refreshToken = await createRefreshToken(id, secret);
 
-  return c.json({ id, email, token }, 201);
+  return c.json({ id, email, token, refreshToken }, 201);
 });
 
-/** POST /api/auth/login */
+/** POST /api/auth/login — disabled in production (OAuth only) */
 auth.post("/login", async (c) => {
+  if (c.env.ENVIRONMENT !== "development") {
+    return c.json({ error: "Email login is disabled. Please sign in with Google or GitHub." }, 403);
+  }
+
   const { email, password } = await c.req.json<{
     email: string;
     password: string;
@@ -51,26 +78,45 @@ auth.post("/login", async (c) => {
     return c.json({ error: "Email and password are required" }, 400);
   }
 
-  const passwordHash = await hashPassword(password);
+  // Cap password length to prevent PBKDF2 resource exhaustion (DoS)
+  if (password.length > 256) {
+    return c.json({ error: "Invalid email or password" }, 401);
+  }
 
+  // Fetch user with password hash — we now verify in application code
   const row = await c.env.DB.prepare(
-    "SELECT id, email, display_name FROM users WHERE email = ? AND password_hash = ?",
+    "SELECT id, email, display_name, password_hash FROM users WHERE email = ?",
   )
-    .bind(email.trim().toLowerCase(), passwordHash)
-    .first<{ id: string; email: string; display_name: string | null }>();
+    .bind(email.trim().toLowerCase())
+    .first<{ id: string; email: string; display_name: string | null; password_hash: string }>();
 
-  if (!row) {
+  if (!row || !row.password_hash) {
     return c.json({ error: "Invalid email or password" }, 401);
   }
 
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const { valid, needsRehash } = await verifyPassword(password, row.password_hash);
+  if (!valid) {
+    return c.json({ error: "Invalid email or password" }, 401);
+  }
+
+  // Transparently upgrade legacy SHA-256 hashes to PBKDF2
+  if (needsRehash) {
+    const newHash = await hashPassword(password);
+    await c.env.DB.prepare("UPDATE users SET password_hash = ? WHERE id = ?")
+      .bind(newHash, row.id)
+      .run();
+  }
+
+  const secret = getJwtSecret(c.env);
   const token = await createToken(row.id, secret);
+  const refreshToken = await createRefreshToken(row.id, secret);
 
   return c.json({
     id: row.id,
     email: row.email,
     displayName: row.display_name,
     token,
+    refreshToken,
   });
 });
 
@@ -120,26 +166,41 @@ async function handleFirebaseAuth(c: {
 
   // 2. Look up existing user by firebase_uid first, then by email
   let row = await c.env.DB.prepare(
-    "SELECT id, email, display_name, auth_provider FROM users WHERE firebase_uid = ?",
+    "SELECT id, email, display_name, auth_provider, password_hash FROM users WHERE firebase_uid = ?",
   )
     .bind(firebaseUid)
-    .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
+    .first<{ id: string; email: string; display_name: string | null; auth_provider: string; password_hash: string }>();
 
   if (!row) {
-    // Check if there's an existing email-based account — link it
-    row = await c.env.DB.prepare(
-      "SELECT id, email, display_name, auth_provider FROM users WHERE email = ?",
+    // Check if there's an existing account with the same email
+    const existing = await c.env.DB.prepare(
+      "SELECT id, email, display_name, auth_provider, password_hash FROM users WHERE email = ?",
     )
       .bind(email)
-      .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
-
-    if (row) {
-      // Link Firebase UID to existing account
+      .first<{ id: string; email: string; display_name: string | null; auth_provider: string; password_hash: string }>();
+
+    if (existing) {
+      if (existing.password_hash) {
+        // SECURITY: existing account has a password — do NOT auto-link.
+        // The user must sign in with their password first, or the admin
+        // must link accounts manually.  Auto-linking would let an
+        // attacker who pre-registered the email access the real owner's
+        // data once they sign in with OAuth.
+        return c.json(
+          {
+            error: "An account with this email already exists. Please sign in with your email and password.",
+            code: "EMAIL_EXISTS_WITH_PASSWORD",
+          },
+          409,
+        );
+      }
+      // Existing account was created via OAuth (no password) — safe to link
       await c.env.DB.prepare(
         "UPDATE users SET firebase_uid = ?, auth_provider = ?, updated_at = unixepoch() WHERE id = ?",
       )
-        .bind(firebaseUid, authProvider, row.id)
+        .bind(firebaseUid, authProvider, existing.id)
         .run();
+      row = existing;
     }
   }
 
@@ -153,18 +214,20 @@ async function handleFirebaseAuth(c: {
       .bind(id, email, displayName, authProvider, firebaseUid)
       .run();
 
-    row = { id, email, display_name: displayName, auth_provider: authProvider };
+    row = { id, email, display_name: displayName, auth_provider: authProvider, password_hash: "" };
   }
 
-  // 4. Issue our own JWT
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
-  const token = await createToken(row.id, secret);
+  // 4. Issue our own JWT (access + refresh)
+  const secret = getJwtSecret(c.env);
+  const token = await createToken(row!.id, secret);
+  const refreshToken = await createRefreshToken(row!.id, secret);
 
   return c.json({
-    id: row.id,
-    email: row.email,
-    displayName: row.display_name,
+    id: row!.id,
+    email: row!.email,
+    displayName: row!.display_name,
     token,
+    refreshToken,
   });
 }
 
@@ -173,6 +236,37 @@ auth.post("/firebase", (c) => handleFirebaseAuth(c));
 auth.post("/google", (c) => handleFirebaseAuth(c));
 auth.post("/github", (c) => handleFirebaseAuth(c));
 
+/** POST /api/auth/refresh — exchange a refresh token for a new access token */
+auth.post("/refresh", async (c) => {
+  const { refreshToken } = await c.req.json<{ refreshToken: string }>();
+
+  if (!refreshToken?.trim()) {
+    return c.json({ error: "refreshToken is required" }, 400);
+  }
+
+  const secret = getJwtSecret(c.env);
+  const payload = await verifyRefreshToken(refreshToken, secret);
+
+  if (!payload) {
+    return c.json({ error: "Invalid or expired refresh token" }, 401);
+  }
+
+  // Issue a new short-lived access token
+  const token = await createToken(payload.sub, secret);
+
+  return c.json({ token });
+});
+
+/** GET /api/auth/config — public endpoint returning allowed auth methods */
+auth.get("/config", (c) => {
+  const isDev = c.env.ENVIRONMENT === "development";
+  return c.json({
+    emailEnabled: isDev,
+    googleEnabled: !!c.env.FIREBASE_PROJECT_ID,
+    githubEnabled: !!c.env.FIREBASE_PROJECT_ID,
+  });
+});
+
 /** GET /api/auth/me — returns current user info */
 auth.get("/me", async (c) => {
   // This route requires auth middleware to be applied upstream

package/packages/api/src/routes/pairing.ts

@@ -28,7 +28,8 @@ pairing.get("/", async (c) => {
   return c.json({
     tokens: (results ?? []).map((r) => ({
       id: r.id,
-      token: r.token,
+      // SECURITY: never expose the full token in list responses.
+      // Full token is only returned once at creation time (POST).
       tokenPreview: `bc_pat_...${r.token.slice(-8)}`,
       label: r.label,
       lastConnectedAt: r.last_connected_at,
@@ -46,6 +47,18 @@ pairing.post("/", async (c) => {
     label: undefined,
   }));
 
+  // Limit active (non-revoked) tokens per user
+  const MAX_ACTIVE_TOKENS = 10;
+  const countRow = await c.env.DB.prepare(
+    "SELECT COUNT(*) as cnt FROM pairing_tokens WHERE user_id = ? AND revoked_at IS NULL",
+  )
+    .bind(userId)
+    .first<{ cnt: number }>();
+
+  if (countRow && countRow.cnt >= MAX_ACTIVE_TOKENS) {
+    return c.json({ error: `Maximum of ${MAX_ACTIVE_TOKENS} active pairing tokens reached. Revoke an existing token first.` }, 400);
+  }
+
   const id = generateId("pt_");
   const token = generatePairingToken();
 

package/packages/api/src/routes/setup.ts

@@ -1,6 +1,6 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
-import { createToken, hashPassword } from "../utils/auth.js";
+import { createToken, hashPassword, verifyPassword, getJwtSecret } from "../utils/auth.js";
 import { verifyFirebaseIdToken } from "../utils/firebase.js";
 import { generateId, generatePairingToken } from "../utils/id.js";
 import { resolveCloudUrlWithHints } from "../utils/resolve-url.js";
@@ -51,18 +51,30 @@ setup.post("/init", async (c) => {
 
     // Find or create user
     let row = await c.env.DB.prepare(
-      "SELECT id, display_name FROM users WHERE firebase_uid = ?",
-    ).bind(firebaseUid).first<{ id: string; display_name: string | null }>();
+      "SELECT id, display_name, password_hash FROM users WHERE firebase_uid = ?",
+    ).bind(firebaseUid).first<{ id: string; display_name: string | null; password_hash: string }>();
 
     if (!row) {
-      row = await c.env.DB.prepare(
-        "SELECT id, display_name FROM users WHERE email = ?",
-      ).bind(email).first<{ id: string; display_name: string | null }>();
-
-      if (row) {
+      const existing = await c.env.DB.prepare(
+        "SELECT id, display_name, password_hash FROM users WHERE email = ?",
+      ).bind(email).first<{ id: string; display_name: string | null; password_hash: string }>();
+
+      if (existing) {
+        if (existing.password_hash) {
+          // SECURITY: refuse auto-link to password-protected account
+          return c.json(
+            {
+              error: "An account with this email already exists. Use email+password instead.",
+              code: "EMAIL_EXISTS_WITH_PASSWORD",
+            },
+            409,
+          );
+        }
+        // OAuth-only account — safe to link
         await c.env.DB.prepare(
           "UPDATE users SET firebase_uid = ?, updated_at = unixepoch() WHERE id = ?",
-        ).bind(firebaseUid, row.id).run();
+        ).bind(firebaseUid, existing.id).run();
+        row = existing;
       }
     }
 
@@ -75,38 +87,72 @@ setup.post("/init", async (c) => {
         `INSERT INTO users (id, email, password_hash, display_name, auth_provider, firebase_uid)
          VALUES (?, ?, '', ?, ?, ?)`,
       ).bind(id, email, displayName ?? email.split("@")[0], authProvider, firebaseUid).run();
-      row = { id, display_name: displayName };
+      row = { id, display_name: displayName, password_hash: "" };
     }
 
     userId = row.id;
     displayName = row.display_name;
   } else {
-    // ---- Email + password path ----
+    // ---- Email + password path (local dev only) ----
+    if (c.env.ENVIRONMENT !== "development") {
+      return c.json({ error: "Email login is disabled. Please use Google or GitHub sign-in." }, 403);
+    }
+
     if (!body.email?.trim() || !body.password?.trim()) {
       return c.json({ error: "email+password or idToken is required" }, 400);
     }
 
+    // Cap password length to prevent PBKDF2 resource exhaustion (DoS)
+    if (body.password.length > 256) {
+      return c.json({ error: "Invalid email or password" }, 401);
+    }
+
     email = body.email.trim().toLowerCase();
-    const passwordHash = await hashPassword(body.password);
 
     const row = await c.env.DB.prepare(
-      "SELECT id, display_name FROM users WHERE email = ? AND password_hash = ?",
-    ).bind(email, passwordHash).first<{ id: string; display_name: string | null }>();
+      "SELECT id, display_name, password_hash FROM users WHERE email = ?",
+    ).bind(email).first<{ id: string; display_name: string | null; password_hash: string }>();
 
-    if (!row) {
+    if (!row || !row.password_hash) {
       return c.json({ error: "Invalid email or password" }, 401);
     }
 
+    const { valid, needsRehash } = await verifyPassword(body.password, row.password_hash);
+    if (!valid) {
+      return c.json({ error: "Invalid email or password" }, 401);
+    }
+
+    // Transparently upgrade legacy SHA-256 hashes to PBKDF2
+    if (needsRehash) {
+      const newHash = await hashPassword(body.password);
+      await c.env.DB.prepare("UPDATE users SET password_hash = ? WHERE id = ?")
+        .bind(newHash, row.id)
+        .run();
+    }
+
     userId = row.id;
     displayName = row.display_name;
   }
 
-  // ---- Create a fresh pairing token for this setup ----
-  const ptId = generateId("pt_");
-  const pairingToken = generatePairingToken();
-  await c.env.DB.prepare(
-    "INSERT INTO pairing_tokens (id, user_id, token, label) VALUES (?, ?, ?, ?)",
-  ).bind(ptId, userId, pairingToken, "CLI setup").run();
+  // ---- Reuse recent token or create a new pairing token ----
+  // If a CLI setup token was created in the last 5 minutes, reuse it
+  let pairingToken: string;
+  const recentToken = await c.env.DB.prepare(
+    `SELECT token FROM pairing_tokens
+     WHERE user_id = ? AND label = 'CLI setup' AND revoked_at IS NULL
+       AND created_at > unixepoch() - 300
+     ORDER BY created_at DESC LIMIT 1`,
+  ).bind(userId).first<{ token: string }>();
+
+  if (recentToken) {
+    pairingToken = recentToken.token;
+  } else {
+    const ptId = generateId("pt_");
+    pairingToken = generatePairingToken();
+    await c.env.DB.prepare(
+      "INSERT INTO pairing_tokens (id, user_id, token, label) VALUES (?, ?, ?, ?)",
+    ).bind(ptId, userId, pairingToken, "CLI setup").run();
+  }
 
   // ---- Ensure a default channel exists ----
   let channel = await c.env.DB.prepare(
@@ -122,7 +168,7 @@ setup.post("/init", async (c) => {
   }
 
   // ---- Issue JWT ----
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const secret = getJwtSecret(c.env);
   const token = await createToken(userId, secret);
 
   // ---- Resolve the best cloud URL for the plugin to connect back ----
@@ -138,7 +184,7 @@ setup.post("/init", async (c) => {
     ...(isLoopback ? { cloudUrlWarning: hint } : {}),
     channel: { id: channel.id, name: channel.name },
     setupCommands: [
-      "openclaw plugins install @botschat/openclaw-plugin",
+      "openclaw plugins install @botschat/botschat",
       `openclaw config set channels.botschat.cloudUrl ${cloudUrl}`,
       `openclaw config set channels.botschat.pairingToken ${pairingToken}`,
       "openclaw config set channels.botschat.enabled true",
@@ -171,7 +217,7 @@ setup.get("/status", async (c) => {
   }
 
   const { verifyToken } = await import("../utils/auth.js");
-  const jwtSecret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const jwtSecret = getJwtSecret(c.env);
   const payload = await verifyToken(authHeader.slice(7), jwtSecret);
   if (!payload) {
     return c.json({ error: "Invalid or expired token" }, 401);

package/packages/api/src/routes/upload.ts

@@ -1,12 +1,13 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
+import { signMediaUrl, getJwtSecret } from "../utils/auth.js";
 
 export const upload = new Hono<{
   Bindings: Env;
   Variables: { userId: string };
 }>();
 
-/** POST / — Upload a file to R2 and return its public URL. */
+/** POST / — Upload a file to R2 and return a signed URL. */
 upload.post("/", async (c) => {
   const userId = c.get("userId");
   const contentType = c.req.header("Content-Type") ?? "";
@@ -22,9 +23,9 @@ upload.post("/", async (c) => {
     return c.json({ error: "No file provided" }, 400);
   }
 
-  // Validate file type — only images allowed
-  if (!file.type.startsWith("image/")) {
-    return c.json({ error: "Only image files are allowed" }, 400);
+  // Validate file type — only raster images allowed (SVG is an XSS vector)
+  if (!file.type.startsWith("image/") || file.type.includes("svg")) {
+    return c.json({ error: "Only image files are allowed (SVG is not permitted)" }, 400);
   }
 
   // Limit file size to 10 MB
@@ -35,8 +36,10 @@ upload.post("/", async (c) => {
 
   // Generate a unique key: media/{userId}/{timestamp}-{random}.{ext}
   const ext = file.name.split(".").pop()?.toLowerCase() ?? "png";
-  const safeExt = ["jpg", "jpeg", "png", "gif", "webp", "svg", "bmp", "ico"].includes(ext) ? ext : "png";
-  const key = `media/${userId}/${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${safeExt}`;
+  // SVG is excluded — it can contain <script> tags and is a known XSS vector
+  const safeExt = ["jpg", "jpeg", "png", "gif", "webp", "bmp", "ico"].includes(ext) ? ext : "png";
+  const filename = `${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${safeExt}`;
+  const key = `media/${userId}/${filename}`;
 
   // Upload to R2
   await c.env.MEDIA.put(key, file.stream(), {
@@ -45,8 +48,9 @@ upload.post("/", async (c) => {
     },
   });
 
-  // Return the URL for serving through the API
-  const url = `/api/media/${key.replace("media/", "")}`;
+  // Return a signed URL (1 hour expiry)
+  const secret = getJwtSecret(c.env);
+  const url = await signMediaUrl(userId, filename, secret, 3600);
 
   return c.json({ url, key });
 });