botschat 0.1.4 → 0.1.6

package/README.md

@@ -1,7 +1,7 @@
 # BotsChat
 
 [![npm](https://img.shields.io/npm/v/botschat)](https://www.npmjs.com/package/botschat)
-[![npm](https://img.shields.io/npm/v/@botschat/openclaw-plugin)](https://www.npmjs.com/package/@botschat/openclaw-plugin)
+[![npm](https://img.shields.io/npm/v/@botschat/botschat)](https://www.npmjs.com/package/@botschat/botschat)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue)](LICENSE)
 
 A self-hosted chat interface for [OpenClaw](https://github.com/openclaw/openclaw) AI agents.
@@ -154,7 +154,7 @@ After the BotsChat server is running, connect your OpenClaw instance to it.
 **1. Install the plugin**
 
 ```bash
-openclaw plugins install @botschat/openclaw-plugin
+openclaw plugins install @botschat/botschat
 ```
 
 **2. Create a pairing token**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botschat",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "A self-hosted chat interface for OpenClaw AI agents",
   "workspaces": [
     "packages/*"
@@ -49,5 +49,8 @@
   "devDependencies": {
     "typescript": "^5.7.0",
     "wrangler": "^3.100.0"
+  },
+  "dependencies": {
+    "react-resizable-panels": "^4.6.2"
   }
 }

package/packages/api/package.json

@@ -8,7 +8,8 @@
     "deploy": "wrangler deploy --config ../../wrangler.toml"
   },
   "dependencies": {
-    "hono": "^4.6.0"
+    "hono": "^4.6.0",
+    "jose": "^6.1.3"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20250109.0",

package/packages/api/src/do/connection-do.ts

@@ -1,4 +1,6 @@
 import type { Env } from "../env.js";
+import { verifyToken, getJwtSecret } from "../utils/auth.js";
+import { generateId as generateIdUtil } from "../utils/id.js";
 
 /**
  * ConnectionDO — one Durable Object instance per BotsChat user.
@@ -283,10 +285,31 @@ export class ConnectionDO implements DurableObject {
   ): Promise<void> {
     const attachment = ws.deserializeAttachment() as { authenticated: boolean; tag: string } | null;
 
-    // Handle browser auth (session cookie/token validation)
+    // Handle browser auth — verify JWT token
     if (msg.type === "auth") {
-      // For now, accept browser connections. In production, validate
-      // the session token against D1.
+      const token = msg.token as string | undefined;
+      if (!token) {
+        ws.send(JSON.stringify({ type: "auth.fail", reason: "Missing token" }));
+        ws.close(4001, "Missing auth token");
+        return;
+      }
+
+      const secret = getJwtSecret(this.env);
+      const payload = await verifyToken(token, secret);
+      if (!payload) {
+        ws.send(JSON.stringify({ type: "auth.fail", reason: "Invalid or expired token" }));
+        ws.close(4001, "Authentication failed");
+        return;
+      }
+
+      // Verify the token's userId matches this DO's userId
+      const doUserId = await this.state.storage.get<string>("userId");
+      if (doUserId && payload.sub !== doUserId) {
+        ws.send(JSON.stringify({ type: "auth.fail", reason: "User mismatch" }));
+        ws.close(4001, "User mismatch");
+        return;
+      }
+
       ws.serializeAttachment({ ...attachment, authenticated: true });
       ws.send(JSON.stringify({ type: "auth.ok" }));
 
@@ -472,6 +495,37 @@ export class ConnectionDO implements DurableObject {
 
   // ---- Media caching ----
 
+  // ---- SSRF protection ----
+
+  /** Check if a URL is safe to fetch (not pointing to private/internal networks). */
+  private isUrlSafeToFetch(urlStr: string): boolean {
+    try {
+      const parsed = new URL(urlStr);
+      // Only allow https (block http, ftp, file, etc.)
+      if (parsed.protocol !== "https:") return false;
+
+      const hostname = parsed.hostname;
+      // Block private/reserved IP ranges and localhost
+      if (
+        hostname === "localhost" ||
+        hostname === "127.0.0.1" ||
+        hostname === "[::1]" ||
+        hostname.endsWith(".local") ||
+        /^10\./.test(hostname) ||
+        /^172\.(1[6-9]|2\d|3[01])\./.test(hostname) ||
+        /^192\.168\./.test(hostname) ||
+        /^169\.254\./.test(hostname) || // link-local
+        /^0\./.test(hostname) ||
+        hostname === "[::ffff:127.0.0.1]"
+      ) {
+        return false;
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
   /**
    * Download an external image and cache it in R2. Returns the local
    * API URL (e.g. /api/media/...) or null if caching fails.
@@ -483,17 +537,28 @@ export class ConnectionDO implements DurableObject {
     // Also skip URLs that point back to our own media endpoint (absolute form)
     if (/\/api\/media\//.test(url)) return null;
 
+    // SSRF protection: only allow HTTPS URLs to public hosts
+    if (!this.isUrlSafeToFetch(url)) {
+      console.warn(`[DO] cacheExternalMedia: blocked unsafe URL ${url.slice(0, 120)}`);
+      return null;
+    }
+
     console.log(`[DO] cacheExternalMedia: attempting to cache ${url.slice(0, 120)}`);
 
+    const MAX_MEDIA_SIZE = 20 * 1024 * 1024; // 20 MB max
+
     try {
       const userId = (await this.state.storage.get<string>("userId")) ?? "unknown";
 
       // Download the external image — use arrayBuffer to avoid stream issues
       const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), 30_000);
+      const timeoutId = setTimeout(() => controller.abort(), 15_000); // 15s timeout
       let response: Response;
       try {
-        response = await fetch(url, { signal: controller.signal });
+        response = await fetch(url, {
+          signal: controller.signal,
+          redirect: "follow",   // follow redirects, but URL was already validated
+        });
       } finally {
         clearTimeout(timeoutId);
       }
@@ -506,8 +571,21 @@ export class ConnectionDO implements DurableObject {
       const contentType = response.headers.get("Content-Type") ?? "image/png";
       // Validate that the response is actually an image
       if (!contentType.startsWith("image/")) {
-        console.warn(`[DO] cacheExternalMedia: unexpected Content-Type "${contentType}" for ${url.slice(0, 120)}`);
-        // Still try to cache it — some servers return wrong content types
+        console.warn(`[DO] cacheExternalMedia: non-image Content-Type "${contentType}", skipping ${url.slice(0, 120)}`);
+        return null;
+      }
+
+      // Reject SVG (can contain scripts — XSS vector)
+      if (contentType.includes("svg")) {
+        console.warn(`[DO] cacheExternalMedia: blocked SVG content from ${url.slice(0, 120)}`);
+        return null;
+      }
+
+      // Check Content-Length header early if available
+      const contentLength = parseInt(response.headers.get("Content-Length") ?? "0", 10);
+      if (contentLength > MAX_MEDIA_SIZE) {
+        console.warn(`[DO] cacheExternalMedia: Content-Length ${contentLength} exceeds limit for ${url.slice(0, 120)}`);
+        return null;
       }
 
       // Read the body as ArrayBuffer for maximum compatibility with R2
@@ -516,14 +594,17 @@ export class ConnectionDO implements DurableObject {
         console.warn(`[DO] cacheExternalMedia: empty body for ${url.slice(0, 120)}`);
         return null;
       }
+      if (body.byteLength > MAX_MEDIA_SIZE) {
+        console.warn(`[DO] cacheExternalMedia: body size ${body.byteLength} exceeds limit for ${url.slice(0, 120)}`);
+        return null;
+      }
 
-      // Determine extension from Content-Type
+      // Determine extension from Content-Type (no SVG)
       const extMap: Record<string, string> = {
         "image/png": "png",
         "image/jpeg": "jpg",
         "image/gif": "gif",
         "image/webp": "webp",
-        "image/svg+xml": "svg",
       };
       const ext = extMap[contentType] ?? "png";
       const key = `media/${userId}/${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${ext}`;
@@ -853,14 +934,9 @@ export class ConnectionDO implements DurableObject {
     return channelId;
   }
 
-  /** Generate a short random ID (URL-safe). */
+  /** Generate a short random ID (URL-safe) using CSPRNG (bias-free). */
   private generateId(prefix = ""): string {
-    const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
-    let id = prefix;
-    for (let i = 0; i < 16; i++) {
-      id += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return id;
+    return generateIdUtil(prefix);
   }
 
   /**
@@ -913,23 +989,42 @@ export class ConnectionDO implements DurableObject {
   }
 
   private async validatePairingToken(token: string): Promise<boolean> {
-    // Query D1 to validate the pairing token
-    // The DO receives the env via constructor, but D1 queries from DO
-    // require fetching through the API worker. For simplicity in the DO,
-    // we store validated tokens in DO storage after first validation.
-    //
-    // Check DO-local cache first:
-    const cached = await this.state.storage.get<boolean>(`token:${token}`);
-    if (cached === true) return true;
-    if (cached === false) return false;
-
-    // If not cached, we accept the token optimistically and let the
-    // API worker validate it on the next REST call. In production,
-    // the API worker should validate before routing to the DO.
+    // The API worker validates pairing tokens against D1 before routing
+    // to the DO (and passes ?verified=1). Connections that arrive here
+    // pre-verified are fast-tracked in handleOpenClawMessage.
     //
-    // For now, accept any non-empty bc_pat_ token:
-    const isValid = token.startsWith("bc_pat_") && token.length > 10;
-    await this.state.storage.put(`token:${token}`, isValid);
-    return isValid;
+    // For tokens that arrive WITHOUT pre-verification (e.g. direct DO
+    // access, which shouldn't happen in normal flow), we validate
+    // against D1 ourselves and cache the result with a TTL.
+
+    if (!token || !token.startsWith("bc_pat_") || token.length < 20) {
+      return false;
+    }
+
+    // Check DO-local cache first (with 30-second TTL — short to ensure
+    // revoked tokens are invalidated quickly)
+    const cacheKey = `token:${token}`;
+    const cached = await this.state.storage.get<{ valid: boolean; cachedAt: number }>(cacheKey);
+    if (cached) {
+      const ageMs = Date.now() - cached.cachedAt;
+      if (ageMs < 30_000) return cached.valid; // 30-second TTL
+      // Expired — fall through to re-validate
+    }
+
+    // Validate against D1
+    try {
+      const row = await this.env.DB.prepare(
+        "SELECT user_id FROM pairing_tokens WHERE token = ? AND revoked_at IS NULL",
+      )
+        .bind(token)
+        .first<{ user_id: string }>();
+
+      const isValid = !!row;
+      await this.state.storage.put(cacheKey, { valid: isValid, cachedAt: Date.now() });
+      return isValid;
+    } catch (err) {
+      console.error("[DO] Failed to validate pairing token against D1:", err);
+      return false;
+    }
   }
 }

package/packages/api/src/index.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import type { Env } from "./env.js";
-import { authMiddleware } from "./utils/auth.js";
+import { authMiddleware, verifyToken, getJwtSecret, verifyMediaSignature } from "./utils/auth.js";
 import { auth } from "./routes/auth.js";
 import { agents } from "./routes/agents.js";
 import { channels } from "./routes/channels.js";
@@ -18,12 +18,67 @@ export { ConnectionDO } from "./do/connection-do.js";
 
 const app = new Hono<{ Bindings: Env }>();
 
-// Global CORS
-app.use("/*", cors({ origin: "*", allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"] }));
+// Production CORS origins
+const PRODUCTION_ORIGINS = [
+  "https://console.botschat.app",
+  "https://botschat.app",
+  "https://botschat-api.auxtenwpc.workers.dev",
+];
+
+// CORS and security headers — skip for WebSocket upgrade requests
+// (101 responses have immutable headers in Cloudflare Workers)
+const corsMiddleware = cors({
+  origin: (origin, c) => {
+    if (PRODUCTION_ORIGINS.includes(origin)) return origin;
+    // Only allow localhost/private IPs in development
+    if ((c as unknown as { env: Env }).env?.ENVIRONMENT === "development") {
+      if (/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) return origin;
+      if (/^https?:\/\/192\.168\.\d{1,3}\.\d{1,3}(:\d+)?$/.test(origin)) return origin;
+    }
+    return ""; // disallow
+  },
+  allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+});
+
+app.use("/*", async (c, next) => {
+  // WebSocket upgrades return 101 with immutable headers — skip CORS & security headers
+  if (c.req.header("Upgrade")?.toLowerCase() === "websocket") {
+    await next();
+    return;
+  }
+
+  // Apply CORS for regular HTTP requests
+  return corsMiddleware(c, next);
+});
+
+// Security response headers.
+// In Cloudflare Workers, responses from Durable Objects (stub.fetch()) and
+// subrequests have immutable headers. We clone the response first, then set
+// security headers on the mutable clone. This also makes headers mutable for
+// the CORS middleware which runs AFTER this (registered earlier → runs later
+// in the response phase).
+app.use("/*", async (c, next) => {
+  await next();
+  if (c.res.status === 101) return; // WebSocket 101 — can't clone
+  // Clone to ensure mutable headers
+  c.res = new Response(c.res.body, c.res);
+  c.res.headers.set(
+    "Content-Security-Policy",
+    "default-src 'self'; script-src 'self' https://apis.google.com https://*.firebaseapp.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://*.r2.dev https://*.cloudflarestorage.com data: blob:; connect-src 'self' wss://*.botschat.app wss://console.botschat.app https://apis.google.com https://*.googleapis.com; frame-src https://accounts.google.com https://*.firebaseapp.com",
+  );
+  c.res.headers.set("X-Content-Type-Options", "nosniff");
+  c.res.headers.set("X-Frame-Options", "DENY");
+  c.res.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+});
 
 // Health check
 app.get("/api/health", (c) => c.json({ status: "ok", version: "0.1.0" }));
 
+// Rate limiting is handled by Cloudflare WAF Rate Limiting Rules (Dashboard).
+// See the security audit for recommended rule configuration.
+// No in-memory rate limiter — it cannot survive Worker isolate restarts
+// and is not shared across instances.
+
 // ---- Public routes (no auth) ----
 app.route("/api/auth", auth);
 app.route("/api/setup", setup);
@@ -196,12 +251,29 @@ protectedApp.route("/channels/:channelId/sessions", sessions);
 protectedApp.route("/pairing-tokens", pairing);
 protectedApp.route("/upload", upload);
 
-// ---- Media serving route (public, no auth) ----
+// ---- Media serving route (signed URL or Bearer auth) ----
 app.get("/api/media/:userId/:filename", async (c) => {
   const userId = c.req.param("userId");
   const filename = c.req.param("filename");
-  const key = `media/${userId}/${filename}`;
 
+  // Verify access: either a valid signed URL or a valid Bearer token
+  const expires = c.req.query("expires");
+  const sig = c.req.query("sig");
+  const secret = getJwtSecret(c.env);
+
+  if (expires && sig) {
+    // Signed URL verification
+    const valid = await verifyMediaSignature(userId, filename, expires, sig, secret);
+    if (!valid) {
+      return c.json({ error: "Invalid or expired media signature" }, 403);
+    }
+  } else {
+    // Fall back to Bearer token auth
+    const denied = await verifyUserAccess(c, userId);
+    if (denied) return denied;
+  }
+
+  const key = `media/${userId}/${filename}`;
   const object = await c.env.MEDIA.get(key);
   if (!object) {
     return c.json({ error: "Not found" }, 404);
@@ -209,11 +281,29 @@ app.get("/api/media/:userId/:filename", async (c) => {
 
   const headers = new Headers();
   headers.set("Content-Type", object.httpMetadata?.contentType ?? "application/octet-stream");
-  headers.set("Cache-Control", "public, max-age=31536000, immutable");
+  headers.set("Cache-Control", "public, max-age=3600"); // 1h cache (matches signature expiry)
 
   return new Response(object.body, { headers });
 });
 
+// ---- Helper: verify JWT and ensure userId matches ----
+async function verifyUserAccess(c: { req: { header: (n: string) => string | undefined; query: (n: string) => string | undefined }; env: Env; json: (data: unknown, status?: number) => Response }, userId: string): Promise<Response | null> {
+  const authHeader = c.req.header("Authorization");
+  const tokenStr = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : c.req.query("token");
+  if (!tokenStr) {
+    return c.json({ error: "Missing Authorization header or token query param" }, 401);
+  }
+  const secret = getJwtSecret(c.env);
+  const payload = await verifyToken(tokenStr, secret);
+  if (!payload) {
+    return c.json({ error: "Invalid or expired token" }, 401);
+  }
+  if (payload.sub !== userId) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+  return null; // access granted
+}
+
 // ---- WebSocket upgrade routes (BEFORE protected middleware) ----
 
 // OpenClaw plugin connects to: /api/gateway/:connId
@@ -268,6 +358,9 @@ app.all("/api/gateway/:connId", async (c) => {
 });
 
 // Browser client connects to: /api/ws/:userId/:sessionId
+// Auth is handled entirely inside the DO via the "auth" message after
+// the WebSocket connection is established. This avoids putting the JWT
+// in the URL query string (which would leak it in logs/browser history).
 app.all("/api/ws/:userId/:sessionId", async (c) => {
   const userId = c.req.param("userId");
   const sessionId = c.req.param("sessionId");
@@ -281,6 +374,8 @@ app.all("/api/ws/:userId/:sessionId", async (c) => {
 // Connection status: /api/connection/:userId/status
 app.get("/api/connection/:userId/status", async (c) => {
   const userId = c.req.param("userId");
+  const denied = await verifyUserAccess(c, userId);
+  if (denied) return denied;
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);
@@ -291,6 +386,8 @@ app.get("/api/connection/:userId/status", async (c) => {
 // Message history: /api/messages/:userId?sessionKey=xxx
 app.get("/api/messages/:userId", async (c) => {
   const userId = c.req.param("userId");
+  const denied = await verifyUserAccess(c, userId);
+  if (denied) return denied;
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);