npm - codeharbor - Versions diffs - 0.1.14 → 0.1.15 - Mend

codeharbor 0.1.14 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/.env.example CHANGED Viewed

@@ -74,6 +74,11 @@ ADMIN_PORT=8787
 # Strongly recommended for any non-localhost access.
 # Required when exposing admin via reverse proxy/tunnel/public domain.
 ADMIN_TOKEN=
+# Optional multi-token RBAC (JSON array).
+# Each item: {"token":"...","role":"admin|viewer","actor":"ops-name"}
+# Example:
+# ADMIN_TOKENS_JSON=[{"token":"admin-secret","role":"admin","actor":"ops-admin"},{"token":"viewer-secret","role":"viewer","actor":"ops-audit"}]
+ADMIN_TOKENS_JSON=
 # Optional IP allowlist (comma-separated, for example: 127.0.0.1,192.168.1.10).
 ADMIN_IP_ALLOWLIST=
 # Optional browser origin allowlist for CORS (comma-separated).

package/README.md CHANGED Viewed

@@ -311,7 +311,7 @@ Optional overrides:
 codeharbor admin serve --host 127.0.0.1 --port 8787
 ```
-If you bind Admin to a non-loopback host and `ADMIN_TOKEN` is empty, startup is rejected by default.
+If you bind Admin to a non-loopback host and both `ADMIN_TOKEN` and `ADMIN_TOKENS_JSON` are empty, startup is rejected by default.
 Explicit bypass exists but is not recommended:
 ```bash
@@ -336,7 +336,7 @@ Main endpoints:
 - `GET /api/admin/health`
 - `GET /api/admin/audit?limit=50`
-When `ADMIN_TOKEN` is set, requests must include:
+When `ADMIN_TOKEN` or `ADMIN_TOKENS_JSON` is set, requests must include:
 ```http
 Authorization: Bearer <ADMIN_TOKEN>
@@ -345,9 +345,16 @@ Authorization: Bearer <ADMIN_TOKEN>
 Access control options:
 - `ADMIN_TOKEN`: require bearer token for `/api/admin/*`
+- `ADMIN_TOKENS_JSON`: optional multi-token RBAC list (supports `admin` and `viewer` roles)
 - `ADMIN_IP_ALLOWLIST`: optional comma-separated client IP whitelist (for example `127.0.0.1,192.168.1.10`)
 - `ADMIN_ALLOWED_ORIGINS`: optional CORS origin allowlist for browser-based cross-origin admin access
+RBAC behavior:
+- `viewer` tokens can call read endpoints (`GET /api/admin/*`)
+- `admin` tokens can call read + write endpoints (`PUT/POST/DELETE /api/admin/*`)
+- for `ADMIN_TOKENS_JSON`, audit actor is derived from token identity (`actor` field), not `x-admin-actor`
 Note: `PUT /api/admin/config/global` writes to `.env` and marks changes as restart-required.
 ### Admin UI Quick Walkthrough

package/dist/cli.js CHANGED Viewed

@@ -646,6 +646,7 @@ var AdminServer = class {
   host;
   port;
   adminToken;
+  adminTokens;
   adminIpAllowlist;
   adminAllowedOrigins;
   cwd;
@@ -662,6 +663,7 @@ var AdminServer = class {
     this.host = options.host;
     this.port = options.port;
     this.adminToken = options.adminToken;
+    this.adminTokens = buildAdminTokenMap(options.adminTokens ?? []);
     this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
     this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
     this.cwd = options.cwd ?? process.cwd();
@@ -753,10 +755,19 @@ var AdminServer = class {
         this.sendHtml(res, renderAdminConsoleHtml());
         return;
       }
-      if (url.pathname.startsWith("/api/admin/") && !this.isAuthorized(req)) {
+      const requiredRole = requiredAdminRoleForRequest(req.method, url.pathname);
+      const authIdentity = requiredRole ? this.resolveAdminIdentity(req) : null;
+      if (requiredRole && !authIdentity) {
         this.sendJson(res, 401, {
           ok: false,
-          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN>."
+          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN> (or token from ADMIN_TOKENS_JSON)."
+        });
+        return;
+      }
+      if (requiredRole && authIdentity && !hasRequiredAdminRole(authIdentity.role, requiredRole)) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden. This endpoint requires admin write permission."
         });
         return;
       }
@@ -770,7 +781,7 @@ var AdminServer = class {
       }
       if (req.method === "PUT" && url.pathname === "/api/admin/config/global") {
         const body = await readJsonBody(req);
-        const actor = readActor(req);
+        const actor = resolveAuditActor(req, authIdentity);
         const result = this.updateGlobalConfig(body, actor);
         this.sendJson(res, 200, {
           ok: true,
@@ -798,13 +809,13 @@ var AdminServer = class {
         }
         if (req.method === "PUT") {
           const body = await readJsonBody(req);
-          const actor = readActor(req);
+          const actor = resolveAuditActor(req, authIdentity);
           const room = this.updateRoomConfig(roomId, body, actor);
           this.sendJson(res, 200, { ok: true, data: room });
           return;
         }
         if (req.method === "DELETE") {
-          const actor = readActor(req);
+          const actor = resolveAuditActor(req, authIdentity);
           this.configService.deleteRoomSettings(roomId, actor);
           this.sendJson(res, 200, { ok: true, roomId });
           return;
@@ -834,7 +845,7 @@ var AdminServer = class {
       if (req.method === "POST" && url.pathname === "/api/admin/service/restart") {
         const body = asObject(await readJsonBody(req), "service restart payload");
         const restartAdmin = normalizeBoolean(body.withAdmin, false);
-        const actor = readActor(req);
+        const actor = resolveAuditActor(req, authIdentity);
         try {
           const result = await this.restartServices(restartAdmin);
           this.stateStore.appendConfigRevision(
@@ -1092,14 +1103,34 @@ var AdminServer = class {
       summary: normalizeOptionalString(body.summary)
     });
   }
-  isAuthorized(req) {
-    if (!this.adminToken) {
-      return true;
+  resolveAdminIdentity(req) {
+    if (!this.adminToken && this.adminTokens.size === 0) {
+      return {
+        role: "admin",
+        actor: null,
+        source: "open"
+      };
     }
-    const authorization = req.headers.authorization ?? "";
-    const bearer = authorization.startsWith("Bearer ") ? authorization.slice("Bearer ".length).trim() : "";
-    const fromHeader = normalizeHeaderValue(req.headers["x-admin-token"]);
-    return bearer === this.adminToken || fromHeader === this.adminToken;
+    const token = readAdminToken(req);
+    if (!token) {
+      return null;
+    }
+    if (this.adminToken && token === this.adminToken) {
+      return {
+        role: "admin",
+        actor: null,
+        source: "legacy"
+      };
+    }
+    const mappedIdentity = this.adminTokens.get(token);
+    if (!mappedIdentity) {
+      return null;
+    }
+    return {
+      role: mappedIdentity.role,
+      actor: mappedIdentity.actor,
+      source: "scoped"
+    };
   }
   isClientAllowed(req) {
     if (this.adminIpAllowlist.length === 0) {
@@ -1391,10 +1422,54 @@ function normalizeHeaderValue(value) {
   }
   return value.trim();
 }
-function readActor(req) {
+function readAdminToken(req) {
+  const authorization = normalizeHeaderValue(req.headers.authorization);
+  if (authorization) {
+    const match = /^bearer\s+(.+)$/i.exec(authorization);
+    const token = match?.[1]?.trim() ?? "";
+    if (token) {
+      return token;
+    }
+  }
+  const fromHeader = normalizeHeaderValue(req.headers["x-admin-token"]);
+  return fromHeader || null;
+}
+function resolveAuditActor(req, identity) {
+  if (identity?.source === "scoped") {
+    if (identity.actor) {
+      return identity.actor;
+    }
+    return identity.role === "admin" ? "admin-token" : "viewer-token";
+  }
   const actor = normalizeHeaderValue(req.headers["x-admin-actor"]);
   return actor || null;
 }
+function requiredAdminRoleForRequest(method, pathname) {
+  if (!pathname.startsWith("/api/admin/")) {
+    return null;
+  }
+  const normalizedMethod = (method ?? "GET").toUpperCase();
+  if (normalizedMethod === "GET" || normalizedMethod === "HEAD") {
+    return "viewer";
+  }
+  return "admin";
+}
+function hasRequiredAdminRole(role, requiredRole) {
+  if (requiredRole === "viewer") {
+    return role === "viewer" || role === "admin";
+  }
+  return role === "admin";
+}
+function buildAdminTokenMap(tokens) {
+  const mapped = /* @__PURE__ */ new Map();
+  for (const token of tokens) {
+    mapped.set(token.token, {
+      role: token.role,
+      actor: token.actor
+    });
+  }
+  return mapped;
+}
 function formatError(error) {
   if (error instanceof Error) {
     return error.message;
@@ -5573,6 +5648,7 @@ var CodeHarborAdminApp = class {
       host: options?.host ?? config.adminBindHost,
       port: options?.port ?? config.adminPort,
       adminToken: config.adminToken,
+      adminTokens: config.adminTokens,
       adminIpAllowlist: config.adminIpAllowlist,
       adminAllowedOrigins: config.adminAllowedOrigins
     });
@@ -5583,7 +5659,7 @@ var CodeHarborAdminApp = class {
     this.logger.info("CodeHarbor admin server started", {
       host: address?.host ?? this.config.adminBindHost,
       port: address?.port ?? this.config.adminPort,
-      tokenProtected: Boolean(this.config.adminToken)
+      tokenProtected: Boolean(this.config.adminToken) || this.config.adminTokens.length > 0
     });
   }
   async stop() {
@@ -5688,6 +5764,7 @@ var configSchema = import_zod.z.object({
   ADMIN_BIND_HOST: import_zod.z.string().default("127.0.0.1"),
   ADMIN_PORT: import_zod.z.string().default("8787").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().min(1).max(65535)),
   ADMIN_TOKEN: import_zod.z.string().default(""),
+  ADMIN_TOKENS_JSON: import_zod.z.string().default(""),
   ADMIN_IP_ALLOWLIST: import_zod.z.string().default(""),
   ADMIN_ALLOWED_ORIGINS: import_zod.z.string().default(""),
   LOG_LEVEL: import_zod.z.enum(["debug", "info", "warn", "error"]).default("info")
@@ -5747,6 +5824,7 @@ var configSchema = import_zod.z.object({
   adminBindHost: v.ADMIN_BIND_HOST.trim() || "127.0.0.1",
   adminPort: v.ADMIN_PORT,
   adminToken: v.ADMIN_TOKEN.trim() || null,
+  adminTokens: parseAdminTokens(v.ADMIN_TOKENS_JSON),
   adminIpAllowlist: parseCsvList(v.ADMIN_IP_ALLOWLIST),
   adminAllowedOrigins: parseCsvList(v.ADMIN_ALLOWED_ORIGINS),
   logLevel: v.LOG_LEVEL
@@ -5837,6 +5915,53 @@ function parseExtraEnv(raw) {
 function parseCsvList(raw) {
   return raw.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
 }
+function parseAdminTokens(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return [];
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(trimmed);
+  } catch {
+    throw new Error("ADMIN_TOKENS_JSON must be valid JSON.");
+  }
+  if (!Array.isArray(parsed)) {
+    throw new Error("ADMIN_TOKENS_JSON must be a JSON array.");
+  }
+  const seenTokens = /* @__PURE__ */ new Set();
+  return parsed.map((entry, index) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+      throw new Error(`ADMIN_TOKENS_JSON[${index}] must be an object.`);
+    }
+    const payload = entry;
+    const tokenValue = payload.token;
+    if (typeof tokenValue !== "string" || !tokenValue.trim()) {
+      throw new Error(`ADMIN_TOKENS_JSON[${index}].token must be a non-empty string.`);
+    }
+    const token = tokenValue.trim();
+    if (seenTokens.has(token)) {
+      throw new Error(`ADMIN_TOKENS_JSON contains duplicated token at index ${index}.`);
+    }
+    seenTokens.add(token);
+    let role = "admin";
+    if (payload.role !== void 0) {
+      if (payload.role !== "admin" && payload.role !== "viewer") {
+        throw new Error(`ADMIN_TOKENS_JSON[${index}].role must be "admin" or "viewer".`);
+      }
+      role = payload.role;
+    }
+    if (payload.actor !== void 0 && payload.actor !== null && typeof payload.actor !== "string") {
+      throw new Error(`ADMIN_TOKENS_JSON[${index}].actor must be a string when provided.`);
+    }
+    const actor = typeof payload.actor === "string" ? payload.actor.trim() || null : null;
+    return {
+      token,
+      role,
+      actor
+    };
+  });
+}
 // src/config-snapshot.ts
 var import_node_fs9 = __toESM(require("fs"));
@@ -5891,6 +6016,7 @@ var CONFIG_SNAPSHOT_ENV_KEYS = [
   "ADMIN_BIND_HOST",
   "ADMIN_PORT",
   "ADMIN_TOKEN",
+  "ADMIN_TOKENS_JSON",
   "ADMIN_IP_ALLOWLIST",
   "ADMIN_ALLOWED_ORIGINS",
   "LOG_LEVEL"
@@ -5955,6 +6081,7 @@ var envSnapshotSchema = import_zod2.z.object({
   ADMIN_BIND_HOST: import_zod2.z.string(),
   ADMIN_PORT: integerStringSchema("ADMIN_PORT", 1, 65535),
   ADMIN_TOKEN: import_zod2.z.string(),
+  ADMIN_TOKENS_JSON: jsonArrayStringSchema("ADMIN_TOKENS_JSON", true).default(""),
   ADMIN_IP_ALLOWLIST: import_zod2.z.string(),
   ADMIN_ALLOWED_ORIGINS: import_zod2.z.string().default(""),
   LOG_LEVEL: import_zod2.z.enum(LOG_LEVELS)
@@ -6143,6 +6270,7 @@ function buildSnapshotEnv(config) {
     ADMIN_BIND_HOST: config.adminBindHost,
     ADMIN_PORT: String(config.adminPort),
     ADMIN_TOKEN: config.adminToken ?? "",
+    ADMIN_TOKENS_JSON: serializeAdminTokens(config.adminTokens),
     ADMIN_IP_ALLOWLIST: config.adminIpAllowlist.join(","),
     ADMIN_ALLOWED_ORIGINS: config.adminAllowedOrigins.join(","),
     LOG_LEVEL: config.logLevel
@@ -6232,6 +6360,9 @@ function parseIntStrict(raw) {
 function serializeJsonObject(value) {
   return Object.keys(value).length > 0 ? JSON.stringify(value) : "";
 }
+function serializeAdminTokens(tokens) {
+  return tokens.length > 0 ? JSON.stringify(tokens) : "";
+}
 function booleanStringSchema(key) {
   return import_zod2.z.string().refine((value) => BOOLEAN_STRING.test(value), {
     message: `${key} must be a boolean string (true/false).`
@@ -6269,6 +6400,23 @@ function jsonObjectStringSchema(key, allowEmpty) {
     message: `${key} must be an empty string or a JSON object string.`
   });
 }
+function jsonArrayStringSchema(key, allowEmpty) {
+  return import_zod2.z.string().refine((value) => {
+    const trimmed = value.trim();
+    if (!trimmed) {
+      return allowEmpty;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(trimmed);
+    } catch {
+      return false;
+    }
+    return Array.isArray(parsed);
+  }, {
+    message: `${key} must be an empty string or a JSON array string.`
+  });
+}
 // src/preflight.ts
 var import_node_child_process6 = require("child_process");
@@ -6461,11 +6609,12 @@ admin.command("serve").description("Start admin config API server").option("--ho
   const host = options.host?.trim() || config.adminBindHost;
   const port = options.port ? parsePortOption(options.port, config.adminPort) : config.adminPort;
   const allowInsecureNoToken = options.allowInsecureNoToken ?? false;
-  if (!config.adminToken && !allowInsecureNoToken && isNonLoopbackHost(host)) {
+  const hasAdminAuth = Boolean(config.adminToken) || config.adminTokens.length > 0;
+  if (!hasAdminAuth && !allowInsecureNoToken && isNonLoopbackHost(host)) {
     process.stderr.write(
       [
-        "Refusing to start admin server on non-loopback host without ADMIN_TOKEN.",
-        "Fix: set ADMIN_TOKEN in .env, or explicitly pass --allow-insecure-no-token.",
+        "Refusing to start admin server on non-loopback host without admin auth token.",
+        "Fix: set ADMIN_TOKEN or ADMIN_TOKENS_JSON in .env, or explicitly pass --allow-insecure-no-token.",
         ""
       ].join("\n")
     );

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codeharbor",
-  "version": "0.1.14",
+  "version": "0.1.15",
   "description": "Instant-messaging bridge for Codex CLI sessions",
   "license": "MIT",
   "main": "dist/cli.js",