botschat 0.1.4 → 0.1.7

package/packages/api/src/routes/setup.ts

@@ -1,6 +1,6 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
-import { createToken, hashPassword } from "../utils/auth.js";
+import { createToken, hashPassword, verifyPassword, getJwtSecret } from "../utils/auth.js";
 import { verifyFirebaseIdToken } from "../utils/firebase.js";
 import { generateId, generatePairingToken } from "../utils/id.js";
 import { resolveCloudUrlWithHints } from "../utils/resolve-url.js";
@@ -22,6 +22,7 @@ setup.post("/init", async (c) => {
     email?: string;
     password?: string;
     idToken?: string;
+    e2ePassword?: string;
   }>();
 
   let userId: string;
@@ -51,18 +52,30 @@ setup.post("/init", async (c) => {
 
     // Find or create user
     let row = await c.env.DB.prepare(
-      "SELECT id, display_name FROM users WHERE firebase_uid = ?",
-    ).bind(firebaseUid).first<{ id: string; display_name: string | null }>();
+      "SELECT id, display_name, password_hash FROM users WHERE firebase_uid = ?",
+    ).bind(firebaseUid).first<{ id: string; display_name: string | null; password_hash: string }>();
 
     if (!row) {
-      row = await c.env.DB.prepare(
-        "SELECT id, display_name FROM users WHERE email = ?",
-      ).bind(email).first<{ id: string; display_name: string | null }>();
-
-      if (row) {
+      const existing = await c.env.DB.prepare(
+        "SELECT id, display_name, password_hash FROM users WHERE email = ?",
+      ).bind(email).first<{ id: string; display_name: string | null; password_hash: string }>();
+
+      if (existing) {
+        if (existing.password_hash) {
+          // SECURITY: refuse auto-link to password-protected account
+          return c.json(
+            {
+              error: "An account with this email already exists. Use email+password instead.",
+              code: "EMAIL_EXISTS_WITH_PASSWORD",
+            },
+            409,
+          );
+        }
+        // OAuth-only account — safe to link
         await c.env.DB.prepare(
           "UPDATE users SET firebase_uid = ?, updated_at = unixepoch() WHERE id = ?",
-        ).bind(firebaseUid, row.id).run();
+        ).bind(firebaseUid, existing.id).run();
+        row = existing;
       }
     }
 
@@ -75,38 +88,72 @@ setup.post("/init", async (c) => {
         `INSERT INTO users (id, email, password_hash, display_name, auth_provider, firebase_uid)
          VALUES (?, ?, '', ?, ?, ?)`,
       ).bind(id, email, displayName ?? email.split("@")[0], authProvider, firebaseUid).run();
-      row = { id, display_name: displayName };
+      row = { id, display_name: displayName, password_hash: "" };
     }
 
     userId = row.id;
     displayName = row.display_name;
   } else {
-    // ---- Email + password path ----
+    // ---- Email + password path (local dev only) ----
+    if (c.env.ENVIRONMENT !== "development") {
+      return c.json({ error: "Email login is disabled. Please use Google or GitHub sign-in." }, 403);
+    }
+
     if (!body.email?.trim() || !body.password?.trim()) {
       return c.json({ error: "email+password or idToken is required" }, 400);
     }
 
+    // Cap password length to prevent PBKDF2 resource exhaustion (DoS)
+    if (body.password.length > 256) {
+      return c.json({ error: "Invalid email or password" }, 401);
+    }
+
     email = body.email.trim().toLowerCase();
-    const passwordHash = await hashPassword(body.password);
 
     const row = await c.env.DB.prepare(
-      "SELECT id, display_name FROM users WHERE email = ? AND password_hash = ?",
-    ).bind(email, passwordHash).first<{ id: string; display_name: string | null }>();
+      "SELECT id, display_name, password_hash FROM users WHERE email = ?",
+    ).bind(email).first<{ id: string; display_name: string | null; password_hash: string }>();
 
-    if (!row) {
+    if (!row || !row.password_hash) {
       return c.json({ error: "Invalid email or password" }, 401);
     }
 
+    const { valid, needsRehash } = await verifyPassword(body.password, row.password_hash);
+    if (!valid) {
+      return c.json({ error: "Invalid email or password" }, 401);
+    }
+
+    // Transparently upgrade legacy SHA-256 hashes to PBKDF2
+    if (needsRehash) {
+      const newHash = await hashPassword(body.password);
+      await c.env.DB.prepare("UPDATE users SET password_hash = ? WHERE id = ?")
+        .bind(newHash, row.id)
+        .run();
+    }
+
     userId = row.id;
     displayName = row.display_name;
   }
 
-  // ---- Create a fresh pairing token for this setup ----
-  const ptId = generateId("pt_");
-  const pairingToken = generatePairingToken();
-  await c.env.DB.prepare(
-    "INSERT INTO pairing_tokens (id, user_id, token, label) VALUES (?, ?, ?, ?)",
-  ).bind(ptId, userId, pairingToken, "CLI setup").run();
+  // ---- Reuse recent token or create a new pairing token ----
+  // If a CLI setup token was created in the last 5 minutes, reuse it
+  let pairingToken: string;
+  const recentToken = await c.env.DB.prepare(
+    `SELECT token FROM pairing_tokens
+     WHERE user_id = ? AND label = 'CLI setup' AND revoked_at IS NULL
+       AND created_at > unixepoch() - 300
+     ORDER BY created_at DESC LIMIT 1`,
+  ).bind(userId).first<{ token: string }>();
+
+  if (recentToken) {
+    pairingToken = recentToken.token;
+  } else {
+    const ptId = generateId("pt_");
+    pairingToken = generatePairingToken();
+    await c.env.DB.prepare(
+      "INSERT INTO pairing_tokens (id, user_id, token, label) VALUES (?, ?, ?, ?)",
+    ).bind(ptId, userId, pairingToken, "CLI setup").run();
+  }
 
   // ---- Ensure a default channel exists ----
   let channel = await c.env.DB.prepare(
@@ -122,7 +169,7 @@ setup.post("/init", async (c) => {
   }
 
   // ---- Issue JWT ----
-  const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const secret = getJwtSecret(c.env);
   const token = await createToken(userId, secret);
 
   // ---- Resolve the best cloud URL for the plugin to connect back ----
@@ -138,9 +185,10 @@ setup.post("/init", async (c) => {
     ...(isLoopback ? { cloudUrlWarning: hint } : {}),
     channel: { id: channel.id, name: channel.name },
     setupCommands: [
-      "openclaw plugins install @botschat/openclaw-plugin",
+      "openclaw plugins install @botschat/botschat",
       `openclaw config set channels.botschat.cloudUrl ${cloudUrl}`,
       `openclaw config set channels.botschat.pairingToken ${pairingToken}`,
+      ...(body.e2ePassword ? [`openclaw config set channels.botschat.e2ePassword "${body.e2ePassword}"`] : []),
       "openclaw config set channels.botschat.enabled true",
       "openclaw gateway restart",
     ],
@@ -171,7 +219,7 @@ setup.get("/status", async (c) => {
   }
 
   const { verifyToken } = await import("../utils/auth.js");
-  const jwtSecret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+  const jwtSecret = getJwtSecret(c.env);
   const payload = await verifyToken(authHeader.slice(7), jwtSecret);
   if (!payload) {
     return c.json({ error: "Invalid or expired token" }, 401);

package/packages/api/src/routes/upload.ts

@@ -1,12 +1,13 @@
 import { Hono } from "hono";
 import type { Env } from "../env.js";
+import { signMediaUrl, getJwtSecret } from "../utils/auth.js";
 
 export const upload = new Hono<{
   Bindings: Env;
   Variables: { userId: string };
 }>();
 
-/** POST / — Upload a file to R2 and return its public URL. */
+/** POST / — Upload a file to R2 and return a signed URL. */
 upload.post("/", async (c) => {
   const userId = c.get("userId");
   const contentType = c.req.header("Content-Type") ?? "";
@@ -22,9 +23,9 @@ upload.post("/", async (c) => {
     return c.json({ error: "No file provided" }, 400);
   }
 
-  // Validate file type — only images allowed
-  if (!file.type.startsWith("image/")) {
-    return c.json({ error: "Only image files are allowed" }, 400);
+  // Validate file type — only raster images allowed (SVG is an XSS vector)
+  if (!file.type.startsWith("image/") || file.type.includes("svg")) {
+    return c.json({ error: "Only image files are allowed (SVG is not permitted)" }, 400);
   }
 
   // Limit file size to 10 MB
@@ -35,8 +36,10 @@ upload.post("/", async (c) => {
 
   // Generate a unique key: media/{userId}/{timestamp}-{random}.{ext}
   const ext = file.name.split(".").pop()?.toLowerCase() ?? "png";
-  const safeExt = ["jpg", "jpeg", "png", "gif", "webp", "svg", "bmp", "ico"].includes(ext) ? ext : "png";
-  const key = `media/${userId}/${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${safeExt}`;
+  // SVG is excluded — it can contain <script> tags and is a known XSS vector
+  const safeExt = ["jpg", "jpeg", "png", "gif", "webp", "bmp", "ico"].includes(ext) ? ext : "png";
+  const filename = `${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${safeExt}`;
+  const key = `media/${userId}/${filename}`;
 
   // Upload to R2
   await c.env.MEDIA.put(key, file.stream(), {
@@ -45,8 +48,9 @@ upload.post("/", async (c) => {
     },
   });
 
-  // Return the URL for serving through the API
-  const url = `/api/media/${key.replace("media/", "")}`;
+  // Return a signed URL (1 hour expiry)
+  const secret = getJwtSecret(c.env);
+  const url = await signMediaUrl(userId, filename, secret, 3600);
 
   return c.json({ url, key });
 });

package/packages/api/src/utils/auth.ts

@@ -1,8 +1,8 @@
 import type { Context, MiddlewareHandler } from "hono";
 import type { Env } from "../env.js";
+import { SignJWT, jwtVerify } from "jose";
 
-// Simple JWT-like token using HMAC-SHA256.
-// In production, use a proper JWT library or Cloudflare Access.
+// JWT implementation using the `jose` library (timing-safe, standards-compliant).
 
 type TokenPayload = {
   sub: string; // user ID
@@ -11,6 +11,81 @@ type TokenPayload = {
 
 const ENCODER = new TextEncoder();
 
+/** Derive a CryptoKey from a string secret for HMAC-SHA256. */
+function getSecretKey(secret: string): Uint8Array {
+  return ENCODER.encode(secret);
+}
+
+/** Create a short-lived access token (default 30 minutes). */
+export async function createToken(
+  userId: string,
+  secret: string,
+  expiresInSeconds = 1800, // 30 minutes
+): Promise<string> {
+  return new SignJWT({ sub: userId, type: "access" })
+    .setProtectedHeader({ alg: "HS256" })
+    .setIssuedAt()
+    .setIssuer("botschat")
+    .setExpirationTime(`${expiresInSeconds}s`)
+    .sign(getSecretKey(secret));
+}
+
+/** Create a long-lived refresh token (default 7 days). */
+export async function createRefreshToken(
+  userId: string,
+  secret: string,
+  expiresInSeconds = 86400 * 7, // 7 days
+): Promise<string> {
+  return new SignJWT({ sub: userId, type: "refresh" })
+    .setProtectedHeader({ alg: "HS256" })
+    .setIssuedAt()
+    .setIssuer("botschat")
+    .setExpirationTime(`${expiresInSeconds}s`)
+    .sign(getSecretKey(secret));
+}
+
+/** Verify a refresh token and return the payload. */
+export async function verifyRefreshToken(
+  token: string,
+  secret: string,
+): Promise<TokenPayload | null> {
+  try {
+    const { payload } = await jwtVerify(token, getSecretKey(secret), {
+      issuer: "botschat",
+    });
+    if (!payload.sub) return null;
+    // Must be a refresh token
+    if (payload.type !== "refresh") return null;
+    return { sub: payload.sub, exp: payload.exp ?? 0 };
+  } catch {
+    return null;
+  }
+}
+
+export async function verifyToken(
+  token: string,
+  secret: string,
+): Promise<TokenPayload | null> {
+  try {
+    const { payload } = await jwtVerify(token, getSecretKey(secret), {
+      issuer: "botschat",
+    });
+    if (!payload.sub) return null;
+    return { sub: payload.sub, exp: payload.exp ?? 0 };
+  } catch {
+    // Also try verifying without issuer check for backward compatibility
+    // with tokens issued before this migration
+    try {
+      const { payload } = await jwtVerify(token, getSecretKey(secret));
+      if (!payload.sub) return null;
+      return { sub: payload.sub, exp: payload.exp ?? 0 };
+    } catch {
+      return null;
+    }
+  }
+}
+
+// HMAC-SHA256 signing for non-JWT purposes (media URL signing)
 async function hmacSign(secret: string, data: string): Promise<string> {
   const key = await crypto.subtle.importKey(
     "raw",
@@ -26,57 +101,113 @@ async function hmacSign(secret: string, data: string): Promise<string> {
     .replace(/=+$/, "");
 }
 
-function base64UrlEncode(obj: unknown): string {
-  return btoa(JSON.stringify(obj))
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+// ---- Password hashing (PBKDF2 with migration support) ----
+
+const PBKDF2_ITERATIONS = 600_000; // OWASP 2023 recommendation
+const SALT_LENGTH = 16; // 128-bit salt
+
+function toHex(buf: ArrayBuffer): string {
+  return Array.from(new Uint8Array(buf))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
 }
 
-function base64UrlDecode(str: string): unknown {
-  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-  return JSON.parse(atob(padded));
+function fromHex(hex: string): Uint8Array {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
 }
 
-export async function createToken(
-  userId: string,
-  secret: string,
-  expiresInSeconds = 86400 * 7, // 7 days
-): Promise<string> {
-  const payload: TokenPayload = {
-    sub: userId,
-    exp: Math.floor(Date.now() / 1000) + expiresInSeconds,
-  };
-  const header = base64UrlEncode({ alg: "HS256", typ: "JWT" });
-  const body = base64UrlEncode(payload);
-  const signature = await hmacSign(secret, `${header}.${body}`);
-  return `${header}.${body}.${signature}`;
+/** Check if a stored hash is the legacy SHA-256 format (64-char hex string). */
+function isLegacyHash(hash: string): boolean {
+  return /^[0-9a-f]{64}$/.test(hash);
 }
 
-export async function verifyToken(
-  token: string,
-  secret: string,
-): Promise<TokenPayload | null> {
-  const parts = token.split(".");
-  if (parts.length !== 3) return null;
+/** Legacy SHA-256 hash (for migration comparison only). */
+async function legacySha256(password: string): Promise<string> {
+  const data = ENCODER.encode(password);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return toHex(hash);
+}
 
-  const [header, body, signature] = parts;
-  const expected = await hmacSign(secret, `${header}.${body}`);
-  if (signature !== expected) return null;
+/** Hash a password using PBKDF2-SHA256 with a random salt. */
+export async function hashPassword(password: string): Promise<string> {
+  const salt = new Uint8Array(SALT_LENGTH);
+  crypto.getRandomValues(salt);
+  const saltHex = toHex(salt.buffer);
 
-  const payload = base64UrlDecode(body) as TokenPayload;
-  if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    ENCODER.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"],
+  );
+  const derived = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
+    keyMaterial,
+    256,
+  );
+  const hashHex = toHex(derived);
 
-  return payload;
+  return `pbkdf2:${PBKDF2_ITERATIONS}:${saltHex}:${hashHex}`;
 }
 
-/** Hash a password using SHA-256 (for simplicity; production should use bcrypt/scrypt). */
-export async function hashPassword(password: string): Promise<string> {
-  const data = ENCODER.encode(password);
-  const hash = await crypto.subtle.digest("SHA-256", data);
-  return Array.from(new Uint8Array(hash))
-    .map((b) => b.toString(16).padStart(2, "0"))
-    .join("");
+/**
+ * Verify a password against a stored hash (supports both PBKDF2 and legacy SHA-256).
+ * Returns { valid, needsRehash } — if needsRehash is true, the caller should
+ * update the stored hash to the new PBKDF2 format.
+ */
+export async function verifyPassword(
+  password: string,
+  storedHash: string,
+): Promise<{ valid: boolean; needsRehash: boolean }> {
+  // Legacy SHA-256 format: 64-char hex
+  if (isLegacyHash(storedHash)) {
+    const computed = await legacySha256(password);
+    return { valid: computed === storedHash, needsRehash: true };
+  }
+
+  // PBKDF2 format: pbkdf2:<iterations>:<salt>:<hash>
+  const parts = storedHash.split(":");
+  if (parts.length !== 4 || parts[0] !== "pbkdf2") {
+    return { valid: false, needsRehash: false };
+  }
+
+  const [, iterStr, saltHex, expectedHash] = parts;
+  const iterations = parseInt(iterStr, 10);
+  const salt = fromHex(saltHex);
+
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    ENCODER.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"],
+  );
+  const derived = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations, hash: "SHA-256" },
+    keyMaterial,
+    256,
+  );
+  const computedHash = toHex(derived);
+
+  const valid = computedHash === expectedHash;
+  // If using fewer iterations than current standard, suggest rehash
+  const needsRehash = valid && iterations < PBKDF2_ITERATIONS;
+  return { valid, needsRehash };
+}
+
+/**
+ * Get the JWT secret from environment, throwing a clear error if not set.
+ * In development (wrangler dev), falls back to a dev-only secret.
+ */
+export function getJwtSecret(env: Env): string {
+  if (env.JWT_SECRET) return env.JWT_SECRET;
+  if (env.ENVIRONMENT === "development") return "botschat-dev-secret-local-only";
+  throw new Error("JWT_SECRET environment variable is not set. Configure it via `wrangler secret put JWT_SECRET`.");
 }
 
 /** Auth middleware: extracts user ID from Bearer token and sets it on context. */
@@ -88,7 +219,7 @@ export function authMiddleware(): MiddlewareHandler<{ Bindings: Env; Variables:
     }
 
     const token = authHeader.slice(7);
-    const secret = c.env.JWT_SECRET ?? "botschat-dev-secret";
+    const secret = getJwtSecret(c.env);
     const payload = await verifyToken(token, secret);
 
     if (!payload) {
@@ -99,3 +230,41 @@ export function authMiddleware(): MiddlewareHandler<{ Bindings: Env; Variables:
     await next();
   };
 }
+
+// ---- Signed media URLs ----
+
+/**
+ * Generate a signed media URL path with expiry.
+ * Format: /api/media/:userId/:filename?expires=<ts>&sig=<hex>
+ */
+export async function signMediaUrl(
+  userId: string,
+  filename: string,
+  secret: string,
+  expiresInSeconds = 3600,
+): Promise<string> {
+  const expires = Math.floor(Date.now() / 1000) + expiresInSeconds;
+  const data = `${userId}/${filename}:${expires}`;
+  const sig = await hmacSign(secret, data);
+  return `/api/media/${userId}/${encodeURIComponent(filename)}?expires=${expires}&sig=${encodeURIComponent(sig)}`;
+}
+
+/**
+ * Verify a signed media URL.
+ * Returns true if the signature is valid and the URL has not expired.
+ */
+export async function verifyMediaSignature(
+  userId: string,
+  filename: string,
+  expires: string,
+  sig: string,
+  secret: string,
+): Promise<boolean> {
+  const now = Math.floor(Date.now() / 1000);
+  const expiresNum = parseInt(expires, 10);
+  if (isNaN(expiresNum) || expiresNum < now) return false;
+
+  const data = `${userId}/${filename}:${expires}`;
+  const expected = await hmacSign(secret, data);
+  return sig === expected;
+}

package/packages/api/src/utils/id.ts

@@ -1,19 +1,35 @@
-/** Generate a short random ID (URL-safe). */
-export function generateId(prefix = ""): string {
-  const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
-  let id = prefix;
-  for (let i = 0; i < 16; i++) {
-    id += chars[Math.floor(Math.random() * chars.length)];
+/**
+ * Pick a uniformly random character from `chars` using rejection sampling.
+ * Avoids modulo bias that occurs when 256 % chars.length !== 0.
+ */
+const CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"; // 36 chars
+const CHARS_LEN = CHARS.length;
+// Largest multiple of CHARS_LEN that fits in a byte (252 = 36 * 7)
+const MAX_VALID = CHARS_LEN * Math.floor(256 / CHARS_LEN) - 1; // 251
+
+function uniformRandomChars(count: number): string {
+  let result = "";
+  // Allocate extra bytes to reduce the chance of needing multiple rounds
+  const buf = new Uint8Array(count + 16);
+  let pos = 0;
+  while (result.length < count) {
+    crypto.getRandomValues(buf);
+    for (pos = 0; pos < buf.length && result.length < count; pos++) {
+      if (buf[pos] <= MAX_VALID) {
+        result += CHARS[buf[pos] % CHARS_LEN];
+      }
+      // else: reject and continue (bias-free)
+    }
   }
-  return id;
+  return result;
+}
+
+/** Generate a short random ID (URL-safe) using CSPRNG. */
+export function generateId(prefix = ""): string {
+  return prefix + uniformRandomChars(16);
 }
 
-/** Generate a pairing token with bc_pat_ prefix. */
+/** Generate a pairing token with bc_pat_ prefix using CSPRNG. */
 export function generatePairingToken(): string {
-  const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
-  let token = "bc_pat_";
-  for (let i = 0; i < 32; i++) {
-    token += chars[Math.floor(Math.random() * chars.length)];
-  }
-  return token;
+  return "bc_pat_" + uniformRandomChars(32);
 }

package/packages/api/src/utils/rate-limit.ts

@@ -0,0 +1,73 @@
+import type { MiddlewareHandler } from "hono";
+import type { Env } from "../env.js";
+
+/**
+ * Simple in-memory sliding-window rate limiter for Cloudflare Workers.
+ *
+ * Note: Each CF Worker isolate has its own memory, so this is per-isolate.
+ * For stronger guarantees, use Cloudflare Rate Limiting Rules in the Dashboard.
+ * This middleware provides a best-effort defense against brute-force attacks.
+ */
+
+type RateLimitEntry = {
+  timestamps: number[];
+};
+
+const store = new Map<string, RateLimitEntry>();
+
+// Periodically clean up old entries to prevent memory leaks
+let lastCleanup = Date.now();
+function cleanup(windowMs: number): void {
+  const now = Date.now();
+  if (now - lastCleanup < windowMs) return;
+  lastCleanup = now;
+  const cutoff = now - windowMs;
+  for (const [key, entry] of store) {
+    entry.timestamps = entry.timestamps.filter((t) => t > cutoff);
+    if (entry.timestamps.length === 0) store.delete(key);
+  }
+}
+
+/**
+ * Create a rate-limiting middleware.
+ * @param maxRequests Maximum requests allowed in the window
+ * @param windowMs Time window in milliseconds (default: 60_000 = 1 minute)
+ */
+export function rateLimit(
+  maxRequests: number,
+  windowMs = 60_000,
+): MiddlewareHandler<{ Bindings: Env }> {
+  return async (c, next) => {
+    // Use CF-Connecting-IP (real client IP behind Cloudflare)
+    const ip =
+      c.req.header("CF-Connecting-IP") ??
+      c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ??
+      "unknown";
+
+    const key = `${c.req.path}:${ip}`;
+    const now = Date.now();
+    const cutoff = now - windowMs;
+
+    cleanup(windowMs);
+
+    let entry = store.get(key);
+    if (!entry) {
+      entry = { timestamps: [] };
+      store.set(key, entry);
+    }
+
+    // Remove timestamps outside the window
+    entry.timestamps = entry.timestamps.filter((t) => t > cutoff);
+
+    if (entry.timestamps.length >= maxRequests) {
+      const retryAfter = Math.ceil((entry.timestamps[0] + windowMs - now) / 1000);
+      return c.json(
+        { error: "Too many requests. Please try again later." },
+        { status: 429, headers: { "Retry-After": String(retryAfter) } },
+      );
+    }
+
+    entry.timestamps.push(now);
+    await next();
+  };
+}

package/packages/plugin/dist/src/accounts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"accounts.d.ts","sourceRoot":"","sources":["../../src/accounts.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAGV,uBAAuB,EACxB,MAAM,YAAY,CAAC;AAUpB,uCAAuC;AACvC,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,CAgB7D;AAED,kCAAkC;AAClC,wBAAgB,+BAA+B,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAGpE;AAED,sCAAsC;AACtC,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,EACZ,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,uBAAuB,CA6BzB;AAED,mEAAmE;AACnE,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,MAAM,GAChB,OAAO,CAsBT;AAED,8DAA8D;AAC9D,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,OAAO,CAoBT"}
+{"version":3,"file":"accounts.d.ts","sourceRoot":"","sources":["../../src/accounts.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAGV,uBAAuB,EACxB,MAAM,YAAY,CAAC;AAUpB,uCAAuC;AACvC,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,CAgB7D;AAED,kCAAkC;AAClC,wBAAgB,+BAA+B,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAGpE;AAED,sCAAsC;AACtC,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,OAAO,EACZ,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,uBAAuB,CA8BzB;AAED,mEAAmE;AACnE,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,MAAM,GAChB,OAAO,CAsBT;AAED,8DAA8D;AAC9D,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,OAAO,CAoBT"}

package/packages/plugin/dist/src/accounts.js

@@ -39,6 +39,7 @@ export function resolveBotsChatAccount(cfg, accountId) {
             name: s.name,
             cloudUrl: s.cloudUrl,
             pairingToken: s.pairingToken,
+            e2ePassword: s.e2ePassword,
         };
     }
     else {

package/packages/plugin/dist/src/accounts.js.map

@@ -1 +1 @@
-{"version":3,"file":"accounts.js","sourceRoot":"","sources":["../../src/accounts.ts"],"names":[],"mappings":"AAMA,MAAM,kBAAkB,GAAG,SAAS,CAAC;AAErC,yDAAyD;AACzD,SAAS,OAAO,CAAC,GAAY;IAC3B,MAAM,CAAC,GAAG,GAA4B,CAAC;IACvC,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC;AACrC,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,sBAAsB,CAAC,GAAY;IACjD,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACvB,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,mDAAmD;IACnD,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QACf,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,CAAC;IACD,iBAAiB;IACjB,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QACf,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzC,IAAI,EAAE,KAAK,kBAAkB,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;gBAC7C,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC;AACrD,CAAC;AAED,kCAAkC;AAClC,MAAM,UAAU,+BAA+B,CAAC,GAAY;IAC1D,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACxC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,kBAAkB,CAAC;AACtC,CAAC;AAED,sCAAsC;AACtC,MAAM,UAAU,sBAAsB,CACpC,GAAY,EACZ,SAAyB;IAEzB,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACvB,MAAM,EAAE,GAAG,SAAS,IAAI,+BAA+B,CAAC,GAAG,CAAC,CAAC;IAC7D,IAAI,IAA2B,CAAC;IAEhC,IAAI,EAAE,KAAK,kBAAkB,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QACnD,uBAAuB;QACvB,IAAI,GAAG;YACL,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,YAAY,EAAE,CAAC,CAAC,YAAY;SAC7B,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC;IAE7C,OAAO;QACL,SAAS,EAAE,EAAE;QACb,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO,KAAK,KAAK;QAC/B,UAAU,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,YAAY;QACxC,QAAQ;QACR,YAAY;QACZ,MAAM,EAAE,IAAI;KACb,CAAC;AACJ,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,qBAAqB,CACnC,GAAY,EACZ,SAAiB;IAEjB,MAAM,CAAC,GAAG,GAA4B,CAAC;IACvC,MAAM,QAAQ,GAAG,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAE9C,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACrC,OAAO,QAAQ,CAAC,QAAQ,CAAC;QACzB,OAAO,QAAQ,CAAC,YAAY,CAAC;QAC7B,OAAO,QAAQ,CAAC,IAAI,CAAC;QACrB,QAAQ,CAAC,OAAO,GAAG,KAAK,CAAC;IAC3B,CAAC;SAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC3B,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,GAAI,CAA6B;QACjC,QAAQ,EAAE;YACR,GAAI,CAA2B,CAAC,QAAQ;YACxC,QAAQ;SACT;KACF,CAAC;AACJ,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,yBAAyB,CACvC,GAAY,EACZ,SAAiB,EACjB,OAAgB;IAEhB,MAAM,CAAC,GAAG,GAA4B,CAAC;IACvC,MAAM,QAAQ,GAAG,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAE9C,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACrC,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;IAC7B,CAAC;SAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC7B,QAAQ,CAAC,QAAQ,GAAG;YAClB,GAAG,QAAQ,CAAC,QAAQ;YACpB,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,GAAI,CAA6B;QACjC,QAAQ,EAAE;YACR,GAAI,CAA2B,CAAC,QAAQ;YACxC,QAAQ;SACT;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"accounts.js","sourceRoot":"","sources":["../../src/accounts.ts"],"names":[],"mappings":"AAMA,MAAM,kBAAkB,GAAG,SAAS,CAAC;AAErC,yDAAyD;AACzD,SAAS,OAAO,CAAC,GAAY;IAC3B,MAAM,CAAC,GAAG,GAA4B,CAAC;IACvC,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,IAAI,EAAE,CAAC;AACrC,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,sBAAsB,CAAC,GAAY;IACjD,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACvB,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,mDAAmD;IACnD,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QACf,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,CAAC;IACD,iBAAiB;IACjB,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QACf,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzC,IAAI,EAAE,KAAK,kBAAkB,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;gBAC7C,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC;AACrD,CAAC;AAED,kCAAkC;AAClC,MAAM,UAAU,+BAA+B,CAAC,GAAY;IAC1D,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACxC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,kBAAkB,CAAC;AACtC,CAAC;AAED,sCAAsC;AACtC,MAAM,UAAU,sBAAsB,CACpC,GAAY,EACZ,SAAyB;IAEzB,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACvB,MAAM,EAAE,GAAG,SAAS,IAAI,+BAA+B,CAAC,GAAG,CAAC,CAAC;IAC7D,IAAI,IAA2B,CAAC;IAEhC,IAAI,EAAE,KAAK,kBAAkB,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QACnD,uBAAuB;QACvB,IAAI,GAAG;YACL,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC;IAE7C,OAAO;QACL,SAAS,EAAE,EAAE;QACb,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO,KAAK,KAAK;QAC/B,UAAU,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,YAAY;QACxC,QAAQ;QACR,YAAY;QACZ,MAAM,EAAE,IAAI;KACb,CAAC;AACJ,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,qBAAqB,CACnC,GAAY,EACZ,SAAiB;IAEjB,MAAM,CAAC,GAAG,GAA4B,CAAC;IACvC,MAAM,QAAQ,GAAG,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAE9C,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACrC,OAAO,QAAQ,CAAC,QAAQ,CAAC;QACzB,OAAO,QAAQ,CAAC,YAAY,CAAC;QAC7B,OAAO,QAAQ,CAAC,IAAI,CAAC;QACrB,QAAQ,CAAC,OAAO,GAAG,KAAK,CAAC;IAC3B,CAAC;SAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC3B,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,GAAI,CAA6B;QACjC,QAAQ,EAAE;YACR,GAAI,CAA2B,CAAC,QAAQ;YACxC,QAAQ;SACT;KACF,CAAC;AACJ,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,yBAAyB,CACvC,GAAY,EACZ,SAAiB,EACjB,OAAgB;IAEhB,MAAM,CAAC,GAAG,GAA4B,CAAC;IACvC,MAAM,QAAQ,GAAG,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAE9C,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACrC,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;IAC7B,CAAC;SAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC7B,QAAQ,CAAC,QAAQ,GAAG;YAClB,GAAG,QAAQ,CAAC,QAAQ;YACpB,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,GAAI,CAA6B;QACjC,QAAQ,EAAE;YACR,GAAI,CAA2B,CAAC,QAAQ;YACxC,QAAQ;SACT;KACF,CAAC;AACJ,CAAC"}