npm - create-ekka-desktop-app - Versions diffs - 0.3.4 → 0.3.6 - Mend

create-ekka-desktop-app 0.3.4 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/template/src-tauri/src/commands.rs +49 -9
package/template/src-tauri/src/main.rs +3 -9
package/template/src-tauri/src/node_credentials.rs +3 -13
package/template/src-tauri/src/security_epoch.rs +128 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-ekka-desktop-app",
-  "version": "0.3.4",
+  "version": "0.3.6",
   "description": "Create an EKKA desktop app with built-in demo backend. No setup required.",
   "type": "module",
   "bin": {

package/template/src-tauri/src/commands.rs CHANGED Viewed

@@ -763,8 +763,7 @@ fn handle_bootstrap_node_session(payload: &Value, state: &EngineState) -> Engine
         Err(e) => return EngineResponse::err("INTERNAL_ERROR", &e.to_string()),
     };
-    // REQUIRE node auth token (from startup auth via node_id + node_secret)
-    // Do NOT fall back to user auth or Ed25519 flow
+    // Get node auth token - try auto-auth if not available
     let node_token = match state.get_node_auth_token() {
         Some(token) => {
             tracing::info!(
@@ -776,14 +775,55 @@ fn handle_bootstrap_node_session(payload: &Value, state: &EngineState) -> Engine
             token
         }
         None => {
-            tracing::error!(
-                op = "node_session.no_token",
-                "Node auth token not available - authenticate node at startup first"
-            );
-            return EngineResponse::err(
-                "NODE_NOT_AUTHENTICATED",
-                "Node not authenticated. Restart app with valid node credentials.",
+            // Token missing - try auto-auth from vault (single-flight)
+            // Check prerequisites BEFORE acquiring lock
+            if !node_credentials::has_credentials() {
+                tracing::error!(
+                    op = "node_session.no_credentials",
+                    "Node credentials not configured"
+                );
+                return EngineResponse::err(
+                    "NODE_CREDENTIALS_MISSING",
+                    "Node credentials not configured. Complete setup first.",
+                );
+            }
+            // Get engine URL from baked config (same source as everywhere else)
+            let engine_url = config::engine_url();
+            // Now acquire single-flight lock (after all prerequisite checks)
+            if !state.node_auth_state.try_start() {
+                return EngineResponse::err("NODE_AUTH_IN_PROGRESS", "Authentication in progress, please wait");
+            }
+            // From here, ALL paths must call set_authenticated() or set_failed()
+            tracing::info!(
+                op = "node_session.auto_auth",
+                "Auto-authenticating node after setup"
             );
+            match node_credentials::authenticate_node(engine_url) {
+                Ok(token) => {
+                    state.node_auth_token.set(token.clone());
+                    state.node_auth_state.set_authenticated();
+                    tracing::info!(
+                        op = "node_session.auto_auth_success",
+                        node_id = %token.node_id,
+                        "Node auto-authenticated successfully"
+                    );
+                    token
+                }
+                Err(e) => {
+                    let error_msg = format!("Node authentication failed: {}", e);
+                    tracing::error!(
+                        op = "node_session.auto_auth_failed",
+                        error = %e,
+                        "Node auto-authentication failed"
+                    );
+                    state.node_auth_state.set_failed(error_msg.clone());
+                    return EngineResponse::err("NODE_NOT_AUTHENTICATED", &error_msg);
+                }
+            }
         }
     };

package/template/src-tauri/src/main.rs CHANGED Viewed

@@ -19,6 +19,7 @@ mod node_runner;
 mod node_vault_crypto;
 mod node_vault_store;
 mod ops;
+mod security_epoch;
 mod state;
 mod types;
@@ -31,7 +32,8 @@ use tauri::Manager;
 fn main() {
     // Load .env.local for development (before anything else)
-    // This provides EKKA_SECURITY_EPOCH and other dev-time overrides.
+    // This provides optional dev-time overrides (EKKA_SECURITY_EPOCH, etc).
+    // Note: EKKA_SECURITY_EPOCH is optional - epoch is resolved from marker file by default.
     // Note: ENGINE_GRANT_VERIFY_KEY_B64 is now fetched from /.well-known/ekka-configuration
     if let Err(_) = dotenvy::from_filename(".env.local") {
         // Also try parent directory (when running from src-tauri)
@@ -63,14 +65,6 @@ fn main() {
             // Attempt to spawn engine process
             tracing::info!(op = "desktop.startup", "EKKA Desktop starting");
-            // Log security epoch status (still needed for home bootstrap)
-            let security_epoch_set = std::env::var("EKKA_SECURITY_EPOCH").is_ok();
-            tracing::info!(
-                op = "desktop.required_env.loaded",
-                EKKA_SECURITY_EPOCH = security_epoch_set,
-                "Security epoch env var status"
-            );
             // Log build-time baked engine URL presence (not the URL itself)
             let engine_url_baked = option_env!("EKKA_ENGINE_URL").is_some();
             tracing::info!(

package/template/src-tauri/src/node_credentials.rs CHANGED Viewed

@@ -16,6 +16,7 @@ use crate::node_vault_store::{
     delete_node_secret, has_node_secret, read_node_secret, write_node_secret,
     SECRET_ID_NODE_CREDENTIALS,
 };
+use crate::security_epoch::resolve_security_epoch;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use std::sync::RwLock;
@@ -134,17 +135,6 @@ impl std::fmt::Display for CredentialsError {
 impl std::error::Error for CredentialsError {}
-// =============================================================================
-// Helper: Get epoch for vault operations
-// =============================================================================
-/// Get the security epoch from environment
-fn get_security_epoch() -> u32 {
-    std::env::var("EKKA_SECURITY_EPOCH")
-        .ok()
-        .and_then(|s| s.parse().ok())
-        .unwrap_or(1)
-}
 // =============================================================================
 // Core Functions
@@ -170,7 +160,7 @@ pub fn store_credentials(node_id: &Uuid, node_secret: &str) -> Result<(), Creden
     // Initialize home if needed
     let bootstrap = initialize_home().map_err(|e| CredentialsError::VaultError(e))?;
     let home = bootstrap.home_path();
-    let epoch = get_security_epoch();
+    let epoch = resolve_security_epoch(home);
     // Store node_id + node_secret as JSON
     let creds = NodeCredentials {
@@ -202,7 +192,7 @@ pub fn store_credentials(node_id: &Uuid, node_secret: &str) -> Result<(), Creden
 /// * `Err(CredentialsError)` if not found or invalid
 pub fn load_credentials() -> Result<(Uuid, String), CredentialsError> {
     let home = resolve_home_path().map_err(|e| CredentialsError::VaultError(e))?;
-    let epoch = get_security_epoch();
+    let epoch = resolve_security_epoch(&home);
     // Key derivation uses device_secret + epoch only (not node_id)
     let plaintext = read_node_secret(&home, epoch, SECRET_ID_NODE_CREDENTIALS)

package/template/src-tauri/src/security_epoch.rs ADDED Viewed

@@ -0,0 +1,128 @@
+//! Security Epoch Resolution
+//!
+//! Resolves the security epoch used for vault key derivation.
+//! Resolution order:
+//! 1. EKKA_SECURITY_EPOCH env var (override for dev/testing)
+//! 2. Marker file epoch_seen field (canonical source)
+//! 3. Default to 1 (new installations)
+use std::path::Path;
+use std::sync::OnceLock;
+/// Cached resolved epoch (env var source only - marker is read fresh)
+static ENV_EPOCH_CACHE: OnceLock<Option<u32>> = OnceLock::new();
+/// Source of the resolved epoch
+#[derive(Debug, Clone, Copy, PartialEq)]
+pub enum EpochSource {
+    Env,
+    Marker,
+    Default,
+}
+impl std::fmt::Display for EpochSource {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            EpochSource::Env => write!(f, "env"),
+            EpochSource::Marker => write!(f, "marker"),
+            EpochSource::Default => write!(f, "default"),
+        }
+    }
+}
+/// Resolve security epoch from env var
+fn try_env_epoch() -> Option<u32> {
+    *ENV_EPOCH_CACHE.get_or_init(|| {
+        std::env::var("EKKA_SECURITY_EPOCH")
+            .ok()
+            .and_then(|s| s.parse().ok())
+    })
+}
+/// Read epoch_seen from marker file
+fn try_marker_epoch(home: &Path) -> Option<u32> {
+    let marker_path = home.join(".ekka-marker.json");
+    let content = std::fs::read_to_string(&marker_path).ok()?;
+    let marker: serde_json::Value = serde_json::from_str(&content).ok()?;
+    marker.get("epoch_seen").and_then(|v| v.as_u64()).map(|v| v as u32)
+}
+/// Resolve security epoch with precedence: env > marker > default
+///
+/// Logs the resolution once per unique (home, source) combination.
+pub fn resolve_security_epoch(home: &Path) -> u32 {
+    let (epoch, source) = resolve_with_source(home);
+    // Log resolution (only first time per call site in practice)
+    tracing::info!(
+        op = "security_epoch.resolved",
+        source = %source,
+        value = epoch,
+        "Security epoch resolved"
+    );
+    epoch
+}
+/// Resolve epoch and return both value and source
+pub fn resolve_with_source(home: &Path) -> (u32, EpochSource) {
+    // 1. Check env var override
+    if let Some(epoch) = try_env_epoch() {
+        return (epoch, EpochSource::Env);
+    }
+    // 2. Read from marker file
+    if let Some(epoch) = try_marker_epoch(home) {
+        return (epoch, EpochSource::Marker);
+    }
+    // 3. Default
+    (1, EpochSource::Default)
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+    use std::fs;
+    #[test]
+    fn test_marker_epoch_read() {
+        let temp = TempDir::new().unwrap();
+        let marker = serde_json::json!({
+            "schema_version": "1.0",
+            "app_name": "test",
+            "instance_id": "00000000-0000-0000-0000-000000000000",
+            "device_id_fingerprint": "sha256:test",
+            "created_at": "2024-01-01T00:00:00Z",
+            "last_seen_at": "2024-01-01T00:00:00Z",
+            "epoch_seen": 42,
+            "storage_layout_version": "v1"
+        });
+        fs::write(temp.path().join(".ekka-marker.json"), marker.to_string()).unwrap();
+        let epoch = try_marker_epoch(temp.path());
+        assert_eq!(epoch, Some(42));
+    }
+    #[test]
+    fn test_default_when_no_marker() {
+        let temp = TempDir::new().unwrap();
+        let (epoch, source) = resolve_with_source(temp.path());
+        assert_eq!(epoch, 1);
+        assert_eq!(source, EpochSource::Default);
+    }
+    #[test]
+    fn test_marker_source() {
+        let temp = TempDir::new().unwrap();
+        let marker = serde_json::json!({
+            "epoch_seen": 5
+        });
+        fs::write(temp.path().join(".ekka-marker.json"), marker.to_string()).unwrap();
+        let (epoch, source) = resolve_with_source(temp.path());
+        assert_eq!(epoch, 5);
+        assert_eq!(source, EpochSource::Marker);
+    }
+}