claudedesk 1.0.0

package/dist/api/pin-auth.js

@@ -0,0 +1,218 @@
+import { randomInt, timingSafeEqual } from 'crypto';
+// PIN expiration time: 5 minutes
+const PIN_EXPIRATION_MS = 5 * 60 * 1000;
+// Max failed attempts per PIN
+const MAX_PIN_ATTEMPTS = 5;
+// Rate limiting: track validation attempts per IP
+const PIN_RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+const MAX_ATTEMPTS_PER_IP = 10;
+class PinAuthManager {
+    activePin = null;
+    rateLimitMap = new Map();
+    cleanupInterval = null;
+    constructor() {
+        // Start periodic cleanup of expired PINs and rate limit entries
+        this.startCleanup();
+    }
+    /**
+     * Generate a cryptographically secure 6-digit PIN
+     */
+    generatePin() {
+        // Generate random number between 0 and 999999
+        const num = randomInt(0, 1000000);
+        // Pad with zeros to ensure 6 digits
+        return num.toString().padStart(6, '0');
+    }
+    /**
+     * Generate a new pairing PIN
+     * Invalidates any existing PIN
+     */
+    generatePairingPin(authToken) {
+        const pin = this.generatePin();
+        const now = Date.now();
+        const expiresAt = now + PIN_EXPIRATION_MS;
+        this.activePin = {
+            pin,
+            token: authToken,
+            createdAt: now,
+            expiresAt,
+            attempts: 0,
+        };
+        console.log('[PinAuth] Generated new pairing PIN (expires in 5 minutes)');
+        return {
+            pin,
+            expiresAt,
+            expiresInSeconds: Math.floor(PIN_EXPIRATION_MS / 1000),
+        };
+    }
+    /**
+     * Get status of active PIN
+     */
+    getPinStatus() {
+        if (!this.activePin) {
+            return { hasActivePin: false };
+        }
+        // Check if expired
+        if (Date.now() >= this.activePin.expiresAt) {
+            this.activePin = null;
+            return { hasActivePin: false };
+        }
+        const expiresInMs = this.activePin.expiresAt - Date.now();
+        return {
+            hasActivePin: true,
+            expiresAt: this.activePin.expiresAt,
+            expiresInSeconds: Math.floor(expiresInMs / 1000),
+        };
+    }
+    /**
+     * Invalidate the current PIN
+     */
+    invalidatePin() {
+        if (this.activePin) {
+            this.activePin = null;
+            console.log('[PinAuth] PIN invalidated');
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check rate limiting for IP
+     */
+    checkRateLimit(ip) {
+        const entry = this.rateLimitMap.get(ip);
+        const now = Date.now();
+        if (!entry) {
+            // First attempt, allow and create entry
+            this.rateLimitMap.set(ip, { attempts: 1, windowStart: now });
+            return { allowed: true, attemptsRemaining: MAX_ATTEMPTS_PER_IP - 1 };
+        }
+        // Check if window expired
+        if (now - entry.windowStart > PIN_RATE_LIMIT_WINDOW_MS) {
+            // Reset window
+            this.rateLimitMap.set(ip, { attempts: 1, windowStart: now });
+            return { allowed: true, attemptsRemaining: MAX_ATTEMPTS_PER_IP - 1 };
+        }
+        // Check if limit reached
+        if (entry.attempts >= MAX_ATTEMPTS_PER_IP) {
+            const timeRemaining = Math.ceil((entry.windowStart + PIN_RATE_LIMIT_WINDOW_MS - now) / 1000);
+            console.warn(`[PinAuth] Rate limit exceeded for IP ${ip} (${timeRemaining}s remaining)`);
+            return { allowed: false };
+        }
+        // Increment attempts
+        entry.attempts++;
+        return { allowed: true, attemptsRemaining: MAX_ATTEMPTS_PER_IP - entry.attempts };
+    }
+    /**
+     * Validate a PIN with constant-time comparison
+     */
+    validatePin(pin, clientIp) {
+        // Check rate limiting first
+        const rateLimit = this.checkRateLimit(clientIp);
+        if (!rateLimit.allowed) {
+            return {
+                success: false,
+                error: 'Too many validation attempts. Please try again later.',
+            };
+        }
+        // Validate PIN format (must be exactly 6 digits)
+        if (!/^\d{6}$/.test(pin)) {
+            return {
+                success: false,
+                error: 'Invalid PIN format. Must be 6 digits.',
+                attemptsRemaining: rateLimit.attemptsRemaining,
+            };
+        }
+        // Check if there's an active PIN
+        if (!this.activePin) {
+            return {
+                success: false,
+                error: 'No active pairing PIN. Please generate a new PIN from the desktop.',
+                attemptsRemaining: rateLimit.attemptsRemaining,
+            };
+        }
+        // Check if expired
+        if (Date.now() >= this.activePin.expiresAt) {
+            this.activePin = null;
+            return {
+                success: false,
+                error: 'PIN has expired. Please generate a new PIN.',
+                attemptsRemaining: rateLimit.attemptsRemaining,
+            };
+        }
+        // Check if max attempts reached for this PIN
+        if (this.activePin.attempts >= MAX_PIN_ATTEMPTS) {
+            const attemptsRemaining = 0;
+            this.activePin = null;
+            console.warn('[PinAuth] PIN invalidated due to max attempts');
+            return {
+                success: false,
+                error: 'Maximum attempts exceeded. Please generate a new PIN.',
+                attemptsRemaining,
+            };
+        }
+        // Constant-time comparison
+        const providedBuffer = Buffer.from(pin, 'utf-8');
+        const expectedBuffer = Buffer.from(this.activePin.pin, 'utf-8');
+        let isValid = false;
+        try {
+            // timingSafeEqual requires buffers of same length
+            if (providedBuffer.length === expectedBuffer.length) {
+                isValid = timingSafeEqual(providedBuffer, expectedBuffer);
+            }
+        }
+        catch (error) {
+            isValid = false;
+        }
+        if (!isValid) {
+            // Increment attempts
+            this.activePin.attempts++;
+            const pinAttemptsRemaining = MAX_PIN_ATTEMPTS - this.activePin.attempts;
+            console.warn(`[PinAuth] Invalid PIN attempt from ${clientIp} (${pinAttemptsRemaining} attempts remaining for this PIN)`);
+            return {
+                success: false,
+                error: 'Invalid PIN. Please try again.',
+                attemptsRemaining: pinAttemptsRemaining,
+            };
+        }
+        // Success - return token and delete PIN (single-use)
+        const token = this.activePin.token;
+        this.activePin = null;
+        console.log('[PinAuth] PIN validated successfully');
+        return {
+            success: true,
+            token,
+        };
+    }
+    /**
+     * Start periodic cleanup of expired data
+     */
+    startCleanup() {
+        // Run cleanup every 2 minutes
+        this.cleanupInterval = setInterval(() => {
+            const now = Date.now();
+            // Clean expired PIN
+            if (this.activePin && now >= this.activePin.expiresAt) {
+                console.log('[PinAuth] Cleaned up expired PIN');
+                this.activePin = null;
+            }
+            // Clean expired rate limit entries
+            for (const [ip, entry] of this.rateLimitMap.entries()) {
+                if (now - entry.windowStart > PIN_RATE_LIMIT_WINDOW_MS) {
+                    this.rateLimitMap.delete(ip);
+                }
+            }
+        }, 2 * 60 * 1000); // 2 minutes
+    }
+    /**
+     * Stop cleanup interval (for graceful shutdown)
+     */
+    stopCleanup() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+    }
+}
+// Singleton instance
+export const pinAuthManager = new PinAuthManager();
+//# sourceMappingURL=pin-auth.js.map

package/dist/api/pin-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pin-auth.js","sourceRoot":"","sources":["../../src/api/pin-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAUpD,iCAAiC;AACjC,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAExC,8BAA8B;AAC9B,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAE3B,kDAAkD;AAClD,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAC9D,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAO/B,MAAM,cAAc;IACV,SAAS,GAAsB,IAAI,CAAC;IACpC,YAAY,GAAgC,IAAI,GAAG,EAAE,CAAC;IACtD,eAAe,GAA0B,IAAI,CAAC;IAEtD;QACE,gEAAgE;QAChE,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,WAAW;QACjB,8CAA8C;QAC9C,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAClC,oCAAoC;QACpC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED;;;OAGG;IACH,kBAAkB,CAAC,SAAiB;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,GAAG,iBAAiB,CAAC;QAE1C,IAAI,CAAC,SAAS,GAAG;YACf,GAAG;YACH,KAAK,EAAE,SAAS;YAChB,SAAS,EAAE,GAAG;YACd,SAAS;YACT,QAAQ,EAAE,CAAC;SACZ,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAE1E,OAAO;YACL,GAAG;YACH,SAAS;YACT,gBAAgB,EAAE,IAAI,CAAC,KAAK,CAAC,iBAAiB,GAAG,IAAI,CAAC;SACvD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,YAAY;QACV,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QACjC,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YAC3C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACtB,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QACjC,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1D,OAAO;YACL,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS;YACnC,gBAAgB,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC;SACjD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,aAAa;QACX,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,EAAU;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,wCAAwC;YACxC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,mBAAmB,GAAG,CAAC,EAAE,CAAC;QACvE,CAAC;QAED,0BAA0B;QAC1B,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,GAAG,wBAAwB,EAAE,CAAC;YACvD,eAAe;YACf,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,mBAAmB,GAAG,CAAC,EAAE,CAAC;QACvE,CAAC;QAED,yBAAyB;QACzB,IAAI,KAAK,CAAC,QAAQ,IAAI,mBAAmB,EAAE,CAAC;YAC1C,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,GAAG,wBAAwB,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAC7F,OAAO,CAAC,IAAI,CAAC,wCAAwC,EAAE,KAAK,aAAa,cAAc,CAAC,CAAC;YACzF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,qBAAqB;QACrB,KAAK,CAAC,QAAQ,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,mBAAmB,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;IACpF,CAAC;IAED;;OAEG;IACH,WAAW,CACT,GAAW,EACX,QAAgB;QAOhB,4BAA4B;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,uDAAuD;aAC/D,CAAC;QACJ,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,uCAAuC;gBAC9C,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;aAC/C,CAAC;QACJ,CAAC;QAED,iCAAiC;QACjC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,oEAAoE;gBAC3E,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;aAC/C,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YAC3C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACtB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,6CAA6C;gBACpD,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;aAC/C,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,IAAI,gBAAgB,EAAE,CAAC;YAChD,MAAM,iBAAiB,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,uDAAuD;gBAC9D,iBAAiB;aAClB,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAEhE,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC;YACH,kDAAkD;YAClD,IAAI,cAAc,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;gBACpD,OAAO,GAAG,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,GAAG,KAAK,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,qBAAqB;YACrB,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,oBAAoB,GAAG,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;YAExE,OAAO,CAAC,IAAI,CACV,sCAAsC,QAAQ,KAAK,oBAAoB,mCAAmC,CAC3G,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,gCAAgC;gBACvC,iBAAiB,EAAE,oBAAoB;aACxC,CAAC;QACJ,CAAC;QAED,qDAAqD;QACrD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QAEpD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK;SACN,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,YAAY;QAClB,8BAA8B;QAC9B,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAEvB,oBAAoB;YACpB,IAAI,IAAI,CAAC,SAAS,IAAI,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;gBACtD,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;gBAChD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACxB,CAAC;YAED,mCAAmC;YACnC,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC;gBACtD,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,GAAG,wBAAwB,EAAE,CAAC;oBACvD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAC/B,CAAC;YACH,CAAC;QACH,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,YAAY;IACjC,CAAC;IAED;;OAEG;IACH,WAAW;QACT,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC9B,CAAC;IACH,CAAC;CACF;AAED,qBAAqB;AACrB,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC"}

package/dist/api/routes.d.ts

@@ -0,0 +1,2 @@
+export declare const apiRouter: import("express-serve-static-core").Router;
+//# sourceMappingURL=routes.d.ts.map

package/dist/api/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/api/routes.ts"],"names":[],"mappings":"AA0BA,eAAO,MAAM,SAAS,4CAAW,CAAC"}