clay-server 2.27.0-beta.8 → 2.27.0

package/lib/users.js

@@ -3,32 +3,12 @@ var path = require("path");
 var crypto = require("crypto");
 var { execSync } = require("child_process");
 var { CONFIG_DIR } = require("./config");
+var { attachAuth } = require("./users-auth");
+var { DEFAULT_PERMISSIONS, ALL_PERMISSIONS, attachPermissions } = require("./users-permissions");
+var { attachPreferences } = require("./users-preferences");
 
 var USERS_FILE = path.join(CONFIG_DIR, "users.json");
 
-// --- Per-user RBAC permissions (default values for regular users) ---
-var DEFAULT_PERMISSIONS = {
-  terminal: false,
-  fileBrowser: true,
-  createProject: true,
-  deleteProject: false,
-  skills: true,
-  sessionDelete: false,
-  scheduledTasks: false,
-  projectSettings: false,
-};
-
-var ALL_PERMISSIONS = {
-  terminal: true,
-  fileBrowser: true,
-  createProject: true,
-  deleteProject: true,
-  skills: true,
-  sessionDelete: true,
-  scheduledTasks: true,
-  projectSettings: true,
-};
-
 // --- Default data ---
 
 function defaultData() {
@@ -66,88 +46,12 @@ function saveUsers(data) {
   fs.renameSync(tmpPath, USERS_FILE);
 }
 
-// --- Multi-user mode ---
-
-function isMultiUser() {
-  var data = loadUsers();
-  return !!data.multiUser;
-}
-
-function enableMultiUser() {
-  var data = loadUsers();
-  if (data.multiUser) {
-    // Already enabled — check if admin exists
-    var admin = findAdmin(data);
-    if (admin) {
-      return { alreadyEnabled: true, hasAdmin: true, setupCode: null };
-    }
-    // Multi-user enabled but no admin — regenerate setup code
-    var code = generateSetupCode();
-    data.setupCode = code;
-    saveUsers(data);
-    return { alreadyEnabled: true, hasAdmin: false, setupCode: code };
-  }
-  var code = generateSetupCode();
-  data.multiUser = true;
-  data.setupCode = code;
-  saveUsers(data);
-  return { alreadyEnabled: false, hasAdmin: false, setupCode: code };
-}
-
-function disableMultiUser() {
-  var data = loadUsers();
-  data.multiUser = false;
-  data.setupCode = null;
-  saveUsers(data);
-}
-
-// --- Setup code ---
-
-function generateSetupCode() {
-  var chars = "abcdefghijkmnpqrstuvwxyz23456789"; // no ambiguous chars
-  var code = "";
-  var bytes = crypto.randomBytes(6);
-  for (var i = 0; i < 6; i++) {
-    code += chars[bytes[i] % chars.length];
-  }
-  return code;
-}
-
-function getSetupCode() {
-  var data = loadUsers();
-  if (data.setupCode) return data.setupCode;
-  // Defensive: if multi-user is on, no admin, and no code, auto-generate one
-  if (data.multiUser && !findAdmin(data)) {
-    var code = generateSetupCode();
-    data.setupCode = code;
-    saveUsers(data);
-    return code;
-  }
-  return null;
-}
-
-function clearSetupCode() {
-  var data = loadUsers();
-  data.setupCode = null;
-  saveUsers(data);
-}
-
-function validateSetupCode(code) {
-  var data = loadUsers();
-  if (!data.setupCode) return false;
-  return data.setupCode === code;
-}
-
 // --- User CRUD ---
 
 function generateUserId() {
   return crypto.randomUUID();
 }
 
-function hashPin(pin) {
-  return crypto.createHash("sha256").update("clay-user:" + pin).digest("hex");
-}
-
 function createUser(opts) {
   var data = loadUsers();
   // Check username uniqueness
@@ -169,7 +73,7 @@ function createUser(opts) {
     username: opts.username,
     email: opts.email || null,
     displayName: opts.displayName || opts.username,
-    pinHash: hashPin(opts.pin),
+    pinHash: auth.hashPin(opts.pin),
     role: opts.role || "user",
     mustChangePin: !!opts.mustChangePin,
     createdAt: Date.now(),
@@ -244,14 +148,6 @@ function findUserByEmail(email) {
   return null;
 }
 
-function authenticateUser(username, pin) {
-  var user = findUserByUsername(username);
-  if (!user) return null;
-  var pinH = hashPin(pin);
-  if (user.pinHash !== pinH) return null;
-  return user;
-}
-
 function getAllUsers() {
   var data = loadUsers();
   return data.users.map(function (u) {
@@ -300,7 +196,7 @@ function updateUserPin(userId, newPin) {
   var data = loadUsers();
   for (var i = 0; i < data.users.length; i++) {
     if (data.users[i].id === userId) {
-      data.users[i].pinHash = hashPin(newPin);
+      data.users[i].pinHash = auth.hashPin(newPin);
       data.users[i].mustChangePin = false;
       saveUsers(data);
       return { ok: true };
@@ -309,19 +205,9 @@ function updateUserPin(userId, newPin) {
   return { error: "User not found" };
 }
 
-// Generate a random 6-digit PIN
-function generatePin() {
-  var digits = "";
-  var bytes = crypto.randomBytes(6);
-  for (var i = 0; i < 6; i++) {
-    digits += (bytes[i] % 10).toString();
-  }
-  return digits;
-}
-
 // Admin creates a user with a temporary PIN (must be changed on first login)
 function createUserByAdmin(opts) {
-  var tempPin = generatePin();
+  var tempPin = auth.generatePin();
   var result = createUser({
     username: opts.username,
     displayName: opts.displayName || opts.username,
@@ -373,23 +259,6 @@ function updateLinuxUser(userId, linuxUsername) {
   return { error: "User not found" };
 }
 
-// --- Auth tokens ---
-
-function generateUserAuthToken(userId) {
-  var token = crypto.randomBytes(32).toString("hex");
-  return userId + ":" + token;
-}
-
-function parseAuthCookie(cookieValue) {
-  if (!cookieValue) return null;
-  var idx = cookieValue.indexOf(":");
-  if (idx < 0) return null;
-  return {
-    userId: cookieValue.substring(0, idx),
-    token: cookieValue.substring(idx + 1),
-  };
-}
-
 // --- Invite links ---
 
 function createInvite(createdByUserId, targetEmail) {
@@ -507,256 +376,47 @@ function removeExpiredInvites() {
   if (data.invites.length !== before) saveUsers(data);
 }
 
-// --- DM Favorites ---
-
-function getDmFavorites(userId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      return data.users[i].dmFavorites || [];
-    }
-  }
-  return [];
-}
-
-function addDmFavorite(userId, targetUserId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      if (!data.users[i].dmFavorites) data.users[i].dmFavorites = [];
-      if (data.users[i].dmFavorites.indexOf(targetUserId) === -1) {
-        data.users[i].dmFavorites.push(targetUserId);
-        saveUsers(data);
-      }
-      return data.users[i].dmFavorites;
-    }
-  }
-  return [];
-}
-
-function removeDmFavorite(userId, targetUserId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      if (!data.users[i].dmFavorites) data.users[i].dmFavorites = [];
-      data.users[i].dmFavorites = data.users[i].dmFavorites.filter(function (id) {
-        return id !== targetUserId;
-      });
-      saveUsers(data);
-      return data.users[i].dmFavorites;
-    }
-  }
-  return [];
-}
-
-// --- DM Hidden (dismissed from strip) ---
-
-function getDmHidden(userId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      return data.users[i].dmHidden || [];
-    }
-  }
-  return [];
-}
-
-function addDmHidden(userId, targetUserId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      if (!data.users[i].dmHidden) data.users[i].dmHidden = [];
-      if (data.users[i].dmHidden.indexOf(targetUserId) === -1) {
-        data.users[i].dmHidden.push(targetUserId);
-        saveUsers(data);
-      }
-      return data.users[i].dmHidden;
-    }
-  }
-  return [];
-}
-
-function removeDmHidden(userId, targetUserId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      if (!data.users[i].dmHidden) data.users[i].dmHidden = [];
-      data.users[i].dmHidden = data.users[i].dmHidden.filter(function (id) {
-        return id !== targetUserId;
-      });
-      saveUsers(data);
-      return data.users[i].dmHidden;
-    }
-  }
-  return [];
-}
-
-// --- Deleted built-in mate keys tracking ---
-
-function getDeletedBuiltinKeys(userId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      return data.users[i].deletedBuiltinKeys || [];
-    }
-  }
-  return [];
-}
-
-function addDeletedBuiltinKey(userId, key) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      if (!data.users[i].deletedBuiltinKeys) data.users[i].deletedBuiltinKeys = [];
-      if (data.users[i].deletedBuiltinKeys.indexOf(key) === -1) {
-        data.users[i].deletedBuiltinKeys.push(key);
-        saveUsers(data);
-      }
-      return;
-    }
-  }
-}
-
-function removeDeletedBuiltinKey(userId, key) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      if (!data.users[i].deletedBuiltinKeys) return;
-      data.users[i].deletedBuiltinKeys = data.users[i].deletedBuiltinKeys.filter(function (k) {
-        return k !== key;
-      });
-      saveUsers(data);
-      return;
-    }
-  }
-}
-
-// --- RBAC permissions ---
-
-function getEffectivePermissions(user, osUsersMode) {
-  // OS-mode users with linuxUser are exempt from RBAC (OS handles isolation)
-  if (osUsersMode && user && user.linuxUser) return ALL_PERMISSIONS;
-  // Admin always has full permissions
-  if (user && user.role === "admin") return ALL_PERMISSIONS;
-  // Merge stored permissions with defaults (handles missing keys for forward-compat)
-  var stored = (user && user.permissions) || {};
-  var result = {};
-  var keys = Object.keys(DEFAULT_PERMISSIONS);
-  for (var i = 0; i < keys.length; i++) {
-    var k = keys[i];
-    result[k] = stored[k] !== undefined ? stored[k] : DEFAULT_PERMISSIONS[k];
-  }
-  return result;
-}
-
-function updateUserPermissions(userId, permissions) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      // Validate: only allow known permission keys with boolean values
-      var clean = {};
-      var keys = Object.keys(DEFAULT_PERMISSIONS);
-      for (var j = 0; j < keys.length; j++) {
-        var k = keys[j];
-        clean[k] = permissions[k] === true;
-      }
-      data.users[i].permissions = clean;
-      saveUsers(data);
-      return { ok: true, permissions: clean };
-    }
-  }
-  return { error: "User not found" };
-}
-
-// --- Project access helpers ---
-
-function canAccessProject(userId, project) {
-  if (!project) return false;
-  // Public projects are accessible to all authenticated users
-  if (!project.visibility || project.visibility === "public") return true;
-  // Admin always has access
-  var user = findUserById(userId);
-  if (user && user.role === "admin") return true;
-  // Owner always has access to their own project
-  if (project.ownerId && project.ownerId === userId) return true;
-  // Private project — check allowedUsers
-  var allowed = project.allowedUsers || [];
-  return allowed.indexOf(userId) >= 0;
-}
-
-function getAccessibleProjects(userId, projects) {
-  if (!projects) return [];
-  return projects.filter(function (p) {
-    return canAccessProject(userId, p);
-  });
-}
-
-// --- Session visibility helpers ---
-
-function canAccessSession(userId, session, project) {
-  // Must have project access first
-  if (!canAccessProject(userId, project)) return false;
-  // Sessions without ownerId are legacy — only admin can see them
-  if (!session.ownerId) {
-    var user = findUserById(userId);
-    return !!(user && user.role === "admin");
-  }
-  // Owner can always see their own sessions
-  if (session.ownerId === userId) return true;
-  // Shared sessions are visible to all project members (default)
-  if (!session.sessionVisibility || session.sessionVisibility === "shared") return true;
-  // Private sessions are only visible to the owner
-  return false;
-}
-
-// --- Per-user chat layout setting ---
-
-function getChatLayout(userId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      return data.users[i].chatLayout || "channel";
-    }
-  }
-  return "channel";
-}
-
-function setChatLayout(userId, layout) {
-  var val = (layout === "bubble") ? "bubble" : "channel";
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      data.users[i].chatLayout = val;
-      saveUsers(data);
-      return { ok: true, chatLayout: val };
-    }
-  }
-  return { error: "User not found" };
-}
-
-// --- Per-user auto-continue setting ---
-
-function getAutoContinue(userId) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      return !!data.users[i].autoContinueOnRateLimit;
-    }
-  }
-  return false;
-}
-
-function setAutoContinue(userId, enabled) {
-  var data = loadUsers();
-  for (var i = 0; i < data.users.length; i++) {
-    if (data.users[i].id === userId) {
-      data.users[i].autoContinueOnRateLimit = !!enabled;
-      saveUsers(data);
-      return { ok: true, autoContinueOnRateLimit: !!enabled };
-    }
-  }
-  return { error: "User not found" };
-}
+// --- Wire extracted modules ---
+
+var auth = attachAuth({ loadUsers: loadUsers, saveUsers: saveUsers, findAdmin: findAdmin });
+var permissions = attachPermissions({ loadUsers: loadUsers, saveUsers: saveUsers, findUserById: findUserById });
+var preferences = attachPreferences({ loadUsers: loadUsers, saveUsers: saveUsers });
+
+// Alias auth functions
+var isMultiUser = auth.isMultiUser;
+var enableMultiUser = auth.enableMultiUser;
+var disableMultiUser = auth.disableMultiUser;
+var getSetupCode = auth.getSetupCode;
+var clearSetupCode = auth.clearSetupCode;
+var validateSetupCode = auth.validateSetupCode;
+var hashPin = auth.hashPin;
+var generatePin = auth.generatePin;
+var authenticateUser = auth.authenticateUser;
+var generateUserAuthToken = auth.generateUserAuthToken;
+var parseAuthCookie = auth.parseAuthCookie;
+
+// Alias permissions functions
+var getEffectivePermissions = permissions.getEffectivePermissions;
+var updateUserPermissions = permissions.updateUserPermissions;
+var canAccessProject = permissions.canAccessProject;
+var getAccessibleProjects = permissions.getAccessibleProjects;
+var canAccessSession = permissions.canAccessSession;
+
+// Alias preferences functions
+var getDmFavorites = preferences.getDmFavorites;
+var addDmFavorite = preferences.addDmFavorite;
+var removeDmFavorite = preferences.removeDmFavorite;
+var getDmHidden = preferences.getDmHidden;
+var addDmHidden = preferences.addDmHidden;
+var removeDmHidden = preferences.removeDmHidden;
+var getDeletedBuiltinKeys = preferences.getDeletedBuiltinKeys;
+var addDeletedBuiltinKey = preferences.addDeletedBuiltinKey;
+var removeDeletedBuiltinKey = preferences.removeDeletedBuiltinKey;
+var getChatLayout = preferences.getChatLayout;
+var setChatLayout = preferences.setChatLayout;
+var getAutoContinue = preferences.getAutoContinue;
+var setAutoContinue = preferences.setAutoContinue;
+var setMateOnboarded = preferences.setMateOnboarded;
 
 module.exports = {
   USERS_FILE: USERS_FILE,
@@ -810,17 +470,7 @@ module.exports = {
   removeDmHidden: removeDmHidden,
   getChatLayout: getChatLayout,
   setChatLayout: setChatLayout,
-  setMateOnboarded: function (userId) {
-    var data = loadUsers();
-    for (var i = 0; i < data.users.length; i++) {
-      if (data.users[i].id === userId) {
-        data.users[i].mateOnboardingShown = true;
-        saveUsers(data);
-        return { ok: true };
-      }
-    }
-    return { error: "User not found" };
-  },
+  setMateOnboarded: setMateOnboarded,
   getAutoContinue: getAutoContinue,
   setAutoContinue: setAutoContinue,
   getDeletedBuiltinKeys: getDeletedBuiltinKeys,