botschat 0.1.4 → 0.1.7

package/packages/api/src/index.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import type { Env } from "./env.js";
-import { authMiddleware } from "./utils/auth.js";
+import { authMiddleware, verifyToken, getJwtSecret, verifyMediaSignature } from "./utils/auth.js";
 import { auth } from "./routes/auth.js";
 import { agents } from "./routes/agents.js";
 import { channels } from "./routes/channels.js";
@@ -18,12 +18,67 @@ export { ConnectionDO } from "./do/connection-do.js";
 
 const app = new Hono<{ Bindings: Env }>();
 
-// Global CORS
-app.use("/*", cors({ origin: "*", allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"] }));
+// Production CORS origins
+const PRODUCTION_ORIGINS = [
+  "https://console.botschat.app",
+  "https://botschat.app",
+  "https://botschat-api.auxtenwpc.workers.dev",
+];
+
+// CORS and security headers — skip for WebSocket upgrade requests
+// (101 responses have immutable headers in Cloudflare Workers)
+const corsMiddleware = cors({
+  origin: (origin, c) => {
+    if (PRODUCTION_ORIGINS.includes(origin)) return origin;
+    // Only allow localhost/private IPs in development
+    if ((c as unknown as { env: Env }).env?.ENVIRONMENT === "development") {
+      if (/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) return origin;
+      if (/^https?:\/\/192\.168\.\d{1,3}\.\d{1,3}(:\d+)?$/.test(origin)) return origin;
+    }
+    return ""; // disallow
+  },
+  allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+});
+
+app.use("/*", async (c, next) => {
+  // WebSocket upgrades return 101 with immutable headers — skip CORS & security headers
+  if (c.req.header("Upgrade")?.toLowerCase() === "websocket") {
+    await next();
+    return;
+  }
+
+  // Apply CORS for regular HTTP requests
+  return corsMiddleware(c, next);
+});
+
+// Security response headers.
+// In Cloudflare Workers, responses from Durable Objects (stub.fetch()) and
+// subrequests have immutable headers. We clone the response first, then set
+// security headers on the mutable clone. This also makes headers mutable for
+// the CORS middleware which runs AFTER this (registered earlier → runs later
+// in the response phase).
+app.use("/*", async (c, next) => {
+  await next();
+  if (c.res.status === 101) return; // WebSocket 101 — can't clone
+  // Clone to ensure mutable headers
+  c.res = new Response(c.res.body, c.res);
+  c.res.headers.set(
+    "Content-Security-Policy",
+    "default-src 'self'; script-src 'self' https://apis.google.com https://*.firebaseapp.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://*.r2.dev https://*.cloudflarestorage.com data: blob:; connect-src 'self' wss://*.botschat.app wss://console.botschat.app https://apis.google.com https://*.googleapis.com; frame-src https://accounts.google.com https://*.firebaseapp.com",
+  );
+  c.res.headers.set("X-Content-Type-Options", "nosniff");
+  c.res.headers.set("X-Frame-Options", "DENY");
+  c.res.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+});
 
 // Health check
 app.get("/api/health", (c) => c.json({ status: "ok", version: "0.1.0" }));
 
+// Rate limiting is handled by Cloudflare WAF Rate Limiting Rules (Dashboard).
+// See the security audit for recommended rule configuration.
+// No in-memory rate limiter — it cannot survive Worker isolate restarts
+// and is not shared across instances.
+
 // ---- Public routes (no auth) ----
 app.route("/api/auth", auth);
 app.route("/api/setup", setup);
@@ -49,11 +104,14 @@ protectedApp.get("/me", async (c) => {
       created_at: number;
     }>();
   if (!row) return c.json({ error: "User not found" }, 404);
+  const settings = JSON.parse(row.settings_json || "{}");
+  // defaultModel is not stored in D1 — it comes from the plugin (connection.status).
+  delete settings.defaultModel;
   return c.json({
     id: row.id,
     email: row.email,
     displayName: row.display_name,
-    settings: JSON.parse(row.settings_json || "{}"),
+    settings,
     createdAt: row.created_at,
   });
 });
@@ -62,6 +120,7 @@ protectedApp.patch("/me", async (c) => {
   const userId = c.get("userId");
   const body = await c.req.json<{ defaultModel?: string }>();
 
+  // defaultModel is not stored in D1 — get/set only via plugin (connection.status / push).
   const existing = await c.env.DB.prepare(
     "SELECT settings_json FROM users WHERE id = ?",
   )
@@ -69,18 +128,36 @@ protectedApp.patch("/me", async (c) => {
     .first<{ settings_json: string }>();
 
   const settings = JSON.parse(existing?.settings_json || "{}");
-
-  if (body.defaultModel !== undefined) {
-    settings.defaultModel = body.defaultModel;
-  }
-
+  delete settings.defaultModel;
+  // Persist other settings (if any) to D1; defaultModel is never written.
   await c.env.DB.prepare(
     "UPDATE users SET settings_json = ? WHERE id = ?",
   )
     .bind(JSON.stringify(settings), userId)
     .run();
 
-  return c.json({ ok: true, settings });
+  if (body.defaultModel !== undefined) {
+    try {
+      const doId = c.env.CONNECTION_DO.idFromName(userId);
+      const stub = c.env.CONNECTION_DO.get(doId);
+      await stub.fetch(
+        new Request("https://internal/send", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            type: "settings.defaultModel",
+            defaultModel: body.defaultModel ?? "",
+          }),
+        }),
+      );
+    } catch (err) {
+      console.error("Failed to push default model to OpenClaw:", err);
+    }
+  }
+
+  const outSettings = { ...settings };
+  delete outSettings.defaultModel;
+  return c.json({ ok: true, settings: outSettings });
 });
 
 // OpenClaw scan data — schedule/instructions/model cached in the ConnectionDO.
@@ -196,12 +273,29 @@ protectedApp.route("/channels/:channelId/sessions", sessions);
 protectedApp.route("/pairing-tokens", pairing);
 protectedApp.route("/upload", upload);
 
-// ---- Media serving route (public, no auth) ----
+// ---- Media serving route (signed URL or Bearer auth) ----
 app.get("/api/media/:userId/:filename", async (c) => {
   const userId = c.req.param("userId");
   const filename = c.req.param("filename");
-  const key = `media/${userId}/${filename}`;
 
+  // Verify access: either a valid signed URL or a valid Bearer token
+  const expires = c.req.query("expires");
+  const sig = c.req.query("sig");
+  const secret = getJwtSecret(c.env);
+
+  if (expires && sig) {
+    // Signed URL verification
+    const valid = await verifyMediaSignature(userId, filename, expires, sig, secret);
+    if (!valid) {
+      return c.json({ error: "Invalid or expired media signature" }, 403);
+    }
+  } else {
+    // Fall back to Bearer token auth
+    const denied = await verifyUserAccess(c, userId);
+    if (denied) return denied;
+  }
+
+  const key = `media/${userId}/${filename}`;
   const object = await c.env.MEDIA.get(key);
   if (!object) {
     return c.json({ error: "Not found" }, 404);
@@ -209,11 +303,29 @@ app.get("/api/media/:userId/:filename", async (c) => {
 
   const headers = new Headers();
   headers.set("Content-Type", object.httpMetadata?.contentType ?? "application/octet-stream");
-  headers.set("Cache-Control", "public, max-age=31536000, immutable");
+  headers.set("Cache-Control", "public, max-age=3600"); // 1h cache (matches signature expiry)
 
   return new Response(object.body, { headers });
 });
 
+// ---- Helper: verify JWT and ensure userId matches ----
+async function verifyUserAccess(c: { req: { header: (n: string) => string | undefined; query: (n: string) => string | undefined }; env: Env; json: (data: unknown, status?: number) => Response }, userId: string): Promise<Response | null> {
+  const authHeader = c.req.header("Authorization");
+  const tokenStr = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : c.req.query("token");
+  if (!tokenStr) {
+    return c.json({ error: "Missing Authorization header or token query param" }, 401);
+  }
+  const secret = getJwtSecret(c.env);
+  const payload = await verifyToken(tokenStr, secret);
+  if (!payload) {
+    return c.json({ error: "Invalid or expired token" }, 401);
+  }
+  if (payload.sub !== userId) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+  return null; // access granted
+}
+
 // ---- WebSocket upgrade routes (BEFORE protected middleware) ----
 
 // OpenClaw plugin connects to: /api/gateway/:connId
@@ -268,6 +380,9 @@ app.all("/api/gateway/:connId", async (c) => {
 });
 
 // Browser client connects to: /api/ws/:userId/:sessionId
+// Auth is handled entirely inside the DO via the "auth" message after
+// the WebSocket connection is established. This avoids putting the JWT
+// in the URL query string (which would leak it in logs/browser history).
 app.all("/api/ws/:userId/:sessionId", async (c) => {
   const userId = c.req.param("userId");
   const sessionId = c.req.param("sessionId");
@@ -281,6 +396,8 @@ app.all("/api/ws/:userId/:sessionId", async (c) => {
 // Connection status: /api/connection/:userId/status
 app.get("/api/connection/:userId/status", async (c) => {
   const userId = c.req.param("userId");
+  const denied = await verifyUserAccess(c, userId);
+  if (denied) return denied;
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);
@@ -291,6 +408,8 @@ app.get("/api/connection/:userId/status", async (c) => {
 // Message history: /api/messages/:userId?sessionKey=xxx
 app.get("/api/messages/:userId", async (c) => {
   const userId = c.req.param("userId");
+  const denied = await verifyUserAccess(c, userId);
+  if (denied) return denied;
   const doId = c.env.CONNECTION_DO.idFromName(userId);
   const stub = c.env.CONNECTION_DO.get(doId);
   const url = new URL(c.req.url);

package/packages/api/src/routes/auth.ts

@@ -1,13 +1,17 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
-import { createToken, hashPassword } from "../utils/auth.js";
+import { createToken, createRefreshToken, verifyRefreshToken, hashPassword, verifyPassword, getJwtSecret } from "../utils/auth.js";
 import { verifyFirebaseIdToken } from "../utils/firebase.js";
 import { generateId } from "../utils/id.js";
 
 const auth = new Hono<{ Bindings: Env }>();
 
-/** POST /api/auth/register */
+/** POST /api/auth/register — disabled in production (OAuth only) */
 auth.post("/register", async (c) => {
+  if (c.env.ENVIRONMENT !== "development") {
+    return c.json({ error: "Email registration is disabled. Please sign in with Google or GitHub." }, 403);
+  }
+
   const { email, password, displayName } = await c.req.json<{
     email: string;
     password: string;
@@ -18,6 +22,23 @@ auth.post("/register", async (c) => {
     return c.json({ error: "Email and password are required" }, 400);
   }
 
+  // Basic email format validation
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email.trim())) {
+    return c.json({ error: "Invalid email format" }, 400);
+  }
+
+  // Password strength requirements
+  if (password.length < 8) {
+    return c.json({ error: "Password must be at least 8 characters long" }, 400);
+  }
+  // Cap password length to prevent PBKDF2 resource exhaustion (DoS)
+  if (password.length > 256) {
+    return c.json({ error: "Password must not exceed 256 characters" }, 400);
+  }
+  if (!/[a-zA-Z]/.test(password) || !/[0-9]/.test(password)) {
+    return c.json({ error: "Password must contain both letters and numbers" }, 400);
+  }
+
   const id = generateId("u_");
   const passwordHash = await hashPassword(password);
 
@@ -29,19 +50,25 @@ auth.post("/register", async (c) => {
       .run();
   } catch (err: unknown) {
     if (err instanceof Error && err.message.includes("UNIQUE")) {
-      return c.json({ error: "Email already registered" }, 409);
+      // Generic error to prevent email enumeration
+      return c.json({ error: "Registration failed. Please try a different email or sign in." }, 409);
     }
     throw err;
   }
 
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const secret = getJwtSecret(c.env);
   const token = await createToken(id, secret);
+  const refreshToken = await createRefreshToken(id, secret);
 
-  return c.json({ id, email, token }, 201);
+  return c.json({ id, email, token, refreshToken }, 201);
 });
 
-/** POST /api/auth/login */
+/** POST /api/auth/login — disabled in production (OAuth only) */
 auth.post("/login", async (c) => {
+  if (c.env.ENVIRONMENT !== "development") {
+    return c.json({ error: "Email login is disabled. Please sign in with Google or GitHub." }, 403);
+  }
+
   const { email, password } = await c.req.json<{
     email: string;
     password: string;
@@ -51,26 +78,45 @@ auth.post("/login", async (c) => {
     return c.json({ error: "Email and password are required" }, 400);
   }
 
-  const passwordHash = await hashPassword(password);
+  // Cap password length to prevent PBKDF2 resource exhaustion (DoS)
+  if (password.length > 256) {
+    return c.json({ error: "Invalid email or password" }, 401);
+  }
 
+  // Fetch user with password hash — we now verify in application code
   const row = await c.env.DB.prepare(
-    "SELECT id, email, display_name FROM users WHERE email = ? AND password_hash = ?",
+    "SELECT id, email, display_name, password_hash FROM users WHERE email = ?",
   )
-    .bind(email.trim().toLowerCase(), passwordHash)
-    .first<{ id: string; email: string; display_name: string | null }>();
+    .bind(email.trim().toLowerCase())
+    .first<{ id: string; email: string; display_name: string | null; password_hash: string }>();
 
-  if (!row) {
+  if (!row || !row.password_hash) {
+    return c.json({ error: "Invalid email or password" }, 401);
+  }
+
+  const { valid, needsRehash } = await verifyPassword(password, row.password_hash);
+  if (!valid) {
     return c.json({ error: "Invalid email or password" }, 401);
   }
 
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  // Transparently upgrade legacy SHA-256 hashes to PBKDF2
+  if (needsRehash) {
+    const newHash = await hashPassword(password);
+    await c.env.DB.prepare("UPDATE users SET password_hash = ? WHERE id = ?")
+      .bind(newHash, row.id)
+      .run();
+  }
+
+  const secret = getJwtSecret(c.env);
   const token = await createToken(row.id, secret);
+  const refreshToken = await createRefreshToken(row.id, secret);
 
   return c.json({
     id: row.id,
     email: row.email,
     displayName: row.display_name,
     token,
+    refreshToken,
   });
 });
 
@@ -120,26 +166,41 @@ async function handleFirebaseAuth(c: {
 
   // 2. Look up existing user by firebase_uid first, then by email
   let row = await c.env.DB.prepare(
-    "SELECT id, email, display_name, auth_provider FROM users WHERE firebase_uid = ?",
+    "SELECT id, email, display_name, auth_provider, password_hash FROM users WHERE firebase_uid = ?",
   )
     .bind(firebaseUid)
-    .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
+    .first<{ id: string; email: string; display_name: string | null; auth_provider: string; password_hash: string }>();
 
   if (!row) {
-    // Check if there's an existing email-based account — link it
-    row = await c.env.DB.prepare(
-      "SELECT id, email, display_name, auth_provider FROM users WHERE email = ?",
+    // Check if there's an existing account with the same email
+    const existing = await c.env.DB.prepare(
+      "SELECT id, email, display_name, auth_provider, password_hash FROM users WHERE email = ?",
     )
       .bind(email)
-      .first<{ id: string; email: string; display_name: string | null; auth_provider: string }>();
-
-    if (row) {
-      // Link Firebase UID to existing account
+      .first<{ id: string; email: string; display_name: string | null; auth_provider: string; password_hash: string }>();
+
+    if (existing) {
+      if (existing.password_hash) {
+        // SECURITY: existing account has a password — do NOT auto-link.
+        // The user must sign in with their password first, or the admin
+        // must link accounts manually.  Auto-linking would let an
+        // attacker who pre-registered the email access the real owner's
+        // data once they sign in with OAuth.
+        return c.json(
+          {
+            error: "An account with this email already exists. Please sign in with your email and password.",
+            code: "EMAIL_EXISTS_WITH_PASSWORD",
+          },
+          409,
+        );
+      }
+      // Existing account was created via OAuth (no password) — safe to link
       await c.env.DB.prepare(
         "UPDATE users SET firebase_uid = ?, auth_provider = ?, updated_at = unixepoch() WHERE id = ?",
       )
-        .bind(firebaseUid, authProvider, row.id)
+        .bind(firebaseUid, authProvider, existing.id)
         .run();
+      row = existing;
     }
   }
 
@@ -153,18 +214,20 @@ async function handleFirebaseAuth(c: {
       .bind(id, email, displayName, authProvider, firebaseUid)
       .run();
 
-    row = { id, email, display_name: displayName, auth_provider: authProvider };
+    row = { id, email, display_name: displayName, auth_provider: authProvider, password_hash: "" };
   }
 
-  // 4. Issue our own JWT
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
-  const token = await createToken(row.id, secret);
+  // 4. Issue our own JWT (access + refresh)
+  const secret = getJwtSecret(c.env);
+  const token = await createToken(row!.id, secret);
+  const refreshToken = await createRefreshToken(row!.id, secret);
 
   return c.json({
-    id: row.id,
-    email: row.email,
-    displayName: row.display_name,
+    id: row!.id,
+    email: row!.email,
+    displayName: row!.display_name,
     token,
+    refreshToken,
   });
 }
 
@@ -173,6 +236,37 @@ auth.post("/firebase", (c) => handleFirebaseAuth(c));
 auth.post("/google", (c) => handleFirebaseAuth(c));
 auth.post("/github", (c) => handleFirebaseAuth(c));
 
+/** POST /api/auth/refresh — exchange a refresh token for a new access token */
+auth.post("/refresh", async (c) => {
+  const { refreshToken } = await c.req.json<{ refreshToken: string }>();
+
+  if (!refreshToken?.trim()) {
+    return c.json({ error: "refreshToken is required" }, 400);
+  }
+
+  const secret = getJwtSecret(c.env);
+  const payload = await verifyRefreshToken(refreshToken, secret);
+
+  if (!payload) {
+    return c.json({ error: "Invalid or expired refresh token" }, 401);
+  }
+
+  // Issue a new short-lived access token
+  const token = await createToken(payload.sub, secret);
+
+  return c.json({ token });
+});
+
+/** GET /api/auth/config — public endpoint returning allowed auth methods */
+auth.get("/config", (c) => {
+  const isDev = c.env.ENVIRONMENT === "development";
+  return c.json({
+    emailEnabled: isDev,
+    googleEnabled: !!c.env.FIREBASE_PROJECT_ID,
+    githubEnabled: !!c.env.FIREBASE_PROJECT_ID,
+  });
+});
+
 /** GET /api/auth/me — returns current user info */
 auth.get("/me", async (c) => {
   // This route requires auth middleware to be applied upstream
@@ -193,11 +287,14 @@ auth.get("/me", async (c) => {
 
   if (!row) return c.json({ error: "User not found" }, 404);
 
+  const settings = JSON.parse(row.settings_json || "{}");
+  delete settings.defaultModel; // not in D1 — comes from plugin (connection.status)
+
   return c.json({
     id: row.id,
     email: row.email,
     displayName: row.display_name,
-    settings: JSON.parse(row.settings_json || "{}"),
+    settings,
     createdAt: row.created_at,
   });
 });

package/packages/api/src/routes/pairing.ts

@@ -28,7 +28,8 @@ pairing.get("/", async (c) => {
   return c.json({
     tokens: (results ?? []).map((r) => ({
       id: r.id,
-      token: r.token,
+      // SECURITY: never expose the full token in list responses.
+      // Full token is only returned once at creation time (POST).
       tokenPreview: `bc_pat_...${r.token.slice(-8)}`,
       label: r.label,
       lastConnectedAt: r.last_connected_at,
@@ -46,6 +47,18 @@ pairing.post("/", async (c) => {
     label: undefined,
   }));
 
+  // Limit active (non-revoked) tokens per user
+  const MAX_ACTIVE_TOKENS = 10;
+  const countRow = await c.env.DB.prepare(
+    "SELECT COUNT(*) as cnt FROM pairing_tokens WHERE user_id = ? AND revoked_at IS NULL",
+  )
+    .bind(userId)
+    .first<{ cnt: number }>();
+
+  if (countRow && countRow.cnt >= MAX_ACTIVE_TOKENS) {
+    return c.json({ error: `Maximum of ${MAX_ACTIVE_TOKENS} active pairing tokens reached. Revoke an existing token first.` }, 400);
+  }
+
   const id = generateId("pt_");
   const token = generatePairingToken();