npm - create-walle - Versions diffs - 0.9.21 → 0.9.23 - Mend

create-walle 0.9.21 → 0.9.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (500) hide show

package/template/claude-task-manager/lib/mobile-auth-api.js CHANGED Viewed

@@ -2,11 +2,12 @@
 const QRCode = require('qrcode');
 const authStore = require('./mobile-auth-store');
-const { requestBrowserOrigin, requestOrigin } = require('./transport-security');
+const { requestBrowserOrigin, requestClientIp, requestOrigin } = require('./transport-security');
 const CLAIM_PUBLIC_ENDPOINTS = new Set([
   'POST /api/auth/claim/begin-passkey',
   'POST /api/auth/claim/finish',
+  'POST /api/auth/logout-local',
 ]);
 let simpleWebAuthnPromise = null;
@@ -17,7 +18,11 @@ function simpleWebAuthn() {
 }
 function isMobileAuthPublicEndpoint(method, pathname) {
-  return CLAIM_PUBLIC_ENDPOINTS.has(`${String(method || '').toUpperCase()} ${pathname}`);
+  const key = `${String(method || '').toUpperCase()} ${pathname}`;
+  if (CLAIM_PUBLIC_ENDPOINTS.has(key)) return true;
+  if (key === 'POST /api/auth/pairing-requests') return true;
+  return String(method || '').toUpperCase() === 'POST'
+    && /^\/api\/auth\/pairing-requests\/[^/]+\/poll$/.test(String(pathname || ''));
 }
 function isSecureWebAuthnOrigin(origin) {
@@ -57,12 +62,15 @@ function isHostedWalleMobileOrigin(origin) {
   return normalizedOrigin(origin) === 'https://m.walle.sh';
 }
-function tokenCookie(token, secure, maxAgeSeconds = 365 * 24 * 60 * 60) {
-  return `ctm_token=${encodeURIComponent(token)}; HttpOnly${secure ? '; Secure' : ''}; SameSite=Strict; Path=/; Max-Age=${maxAgeSeconds}`;
+// Cookie lifetime tracks the server-side ABSOLUTE cap (default 180d), not a flat
+// year: the server hard-rejects the token at the cap, so a longer-lived cookie
+// only guarantees a stale-cookie 401 on day cap+1.
+function tokenCookie(token, secure, maxAgeSeconds = Math.floor(authStore.deviceTokenAbsoluteMaxMs() / 1000)) {
+  return `ctm_token=${encodeURIComponent(token)}; HttpOnly${secure ? '; Secure' : ''}; SameSite=Lax; Path=/; Max-Age=${maxAgeSeconds}`;
 }
 function stepUpCookie(token, secure, maxAgeSeconds = 10 * 60) {
-  return `ctm_step_up=${encodeURIComponent(token)}; HttpOnly${secure ? '; Secure' : ''}; SameSite=Strict; Path=/; Max-Age=${maxAgeSeconds}`;
+  return `ctm_step_up=${encodeURIComponent(token)}; HttpOnly${secure ? '; Secure' : ''}; SameSite=Lax; Path=/; Max-Age=${maxAgeSeconds}`;
 }
 function readJsonBody(req, limit = 1024 * 1024) {
@@ -92,6 +100,15 @@ function errorJson(res, status, code, message) {
   sendJson(res, status, { ok: false, error: code, message: message || code });
 }
+function clearLocalSession(req, res) {
+  sendJson(res, 200, { ok: true }, {
+    'Set-Cookie': [
+      tokenCookie('', requestIsHttps(req), 0),
+      stepUpCookie('', requestIsHttps(req), 0),
+    ],
+  });
+}
 function requestIsHttps(req) {
   return !!req?.socket?.encrypted || String(req?.headers?.['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase() === 'https';
 }
@@ -173,6 +190,23 @@ function publicCredential(credential) {
   };
 }
+function publicPairingRequest(request) {
+  if (!request) return null;
+  return {
+    id: request.id,
+    code: request.code,
+    label: request.label,
+    scopes: request.scopes,
+    origin: request.origin,
+    device_hint: request.device_hint || '',
+    created_at: request.created_at,
+    expires_at: request.expires_at,
+    approved_at: request.approved_at || null,
+    rejected_at: request.rejected_at || null,
+    status: request.status,
+  };
+}
 function requireDeviceAuth(auth) {
   if (!auth?.authenticated || auth.isLoopback || !auth.deviceId) throw new Error('device_token_required');
   return auth;
@@ -198,6 +232,65 @@ async function beginClaimPasskey(req, res, db) {
     return;
   }
   const rpId = rpIdFromOrigin(origin);
+  const recoveryCredentials = authStore.listClaimRecoveryCredentials(db, {
+    label: claim.label,
+    userAgent: req.headers?.['user-agent'] || '',
+    rpId,
+  });
+  if (recoveryCredentials.length) {
+    const { generateAuthenticationOptions } = await simpleWebAuthn();
+    const options = await generateAuthenticationOptions({
+      rpID: rpId,
+      allowCredentials: recoveryCredentials.map(({ credential }) => ({
+        id: credential.credential_id,
+        transports: credential.transports,
+      })),
+      userVerification: 'required',
+      timeout: 5 * 60 * 1000,
+    });
+    authStore.saveWebAuthnChallenge(db, {
+      kind: 'claim_recovery',
+      claimId: claim.id,
+      challenge: options.challenge,
+      rpId,
+      origin,
+      ttlMs: 5 * 60 * 1000,
+    });
+    sendJson(res, 200, {
+      ok: true,
+      mode: 'recover',
+      options,
+      recovery: {
+        device_count: new Set(recoveryCredentials.map(({ device }) => device.id)).size,
+      },
+      claim: {
+        id: claim.id,
+        label: claim.label,
+        scopes: claim.scopes,
+        expires_at: claim.expires_at,
+      },
+    });
+    return;
+  }
+  const samePhoneProfiles = authStore.listActiveDeviceProfiles(db, {
+    label: claim.label,
+    userAgent: req.headers?.['user-agent'] || '',
+  });
+  const samePhoneOtherOrigin = samePhoneProfiles.find((device) => {
+    const credentials = authStore.listCredentialsForDevice(db, device.id);
+    return credentials.length && !credentials.some((credential) => credential.rp_id === rpId);
+  });
+  if (samePhoneOtherOrigin) {
+    errorJson(
+      res,
+      409,
+      'phone_origin_rotation_required',
+      'This phone already has an active CTM passkey for another origin. Open that stable phone URL, or revoke/replace the old phone pairing from CTM Settings before creating a new passkey.'
+    );
+    return;
+  }
   const { generateRegistrationOptions } = await simpleWebAuthn();
   const options = await generateRegistrationOptions({
     rpName: 'CTM',
@@ -223,6 +316,7 @@ async function beginClaimPasskey(req, res, db) {
   });
   sendJson(res, 200, {
     ok: true,
+    mode: 'register',
     options,
     claim: {
       id: claim.id,
@@ -233,6 +327,68 @@ async function beginClaimPasskey(req, res, db) {
   });
 }
+async function finishClaimRecovery(req, res, db, body, claim, challengeRow, challenge) {
+  const credentialId = String(body.testCredential?.id || body.response?.id || '');
+  const entry = authStore.getClaimRecoveryCredential(db, {
+    label: claim.label,
+    userAgent: req.headers?.['user-agent'] || '',
+    rpId: challengeRow.rp_id,
+    credentialId,
+  });
+  if (!entry) {
+    errorJson(res, 401, 'credential_not_found');
+    return;
+  }
+  let newCounter = entry.credential.counter;
+  if (process.env.CTM_AUTH_TEST_WEBAUTHN === '1' && body.testCredential) {
+    newCounter = Number(body.testCredential.counter || entry.credential.counter);
+  } else {
+    const { verifyAuthenticationResponse } = await simpleWebAuthn();
+    const verification = await verifyAuthenticationResponse({
+      response: body.response,
+      expectedChallenge: challengeRow.challenge,
+      expectedOrigin: challengeRow.origin,
+      expectedRPID: challengeRow.rp_id,
+      credential: {
+        id: entry.credential.credential_id,
+        publicKey: entry.credential.public_key,
+        counter: entry.credential.counter,
+        transports: entry.credential.transports,
+      },
+      requireUserVerification: true,
+    });
+    if (!verification.verified) {
+      errorJson(res, 401, 'passkey_verification_failed');
+      return;
+    }
+    newCounter = verification.authenticationInfo.newCounter;
+  }
+  authStore.consumeWebAuthnChallenge(db, {
+    kind: 'claim_recovery',
+    claimId: claim.id,
+    challenge,
+  });
+  authStore.updateCredentialCounter(db, entry.credential.id, newCounter);
+  const issued = authStore.recoverDeviceClaim(db, {
+    claimId: claim.id,
+    secret: body.secret,
+    deviceId: entry.device.id,
+    credentialId: entry.credential.credential_id,
+    remoteIp: req.socket?.remoteAddress || '',
+    userAgent: req.headers?.['user-agent'] || '',
+  });
+  sendJson(res, 200, {
+    ok: true,
+    mode: 'recover',
+    device: publicDevice(issued.device),
+    credential: publicCredential(entry.credential),
+  }, {
+    'Set-Cookie': tokenCookie(issued.token, requestIsHttps(req)),
+  });
+}
 async function finishClaimPasskey(req, res, db) {
   const body = await readJsonBody(req, 2 * 1024 * 1024);
   const claim = authStore.verifyDeviceClaimSecret(db, body.claim, body.secret);
@@ -243,8 +399,9 @@ async function finishClaimPasskey(req, res, db) {
     errorJson(res, 400, 'challenge_missing');
     return;
   }
+  const mode = String(body.mode || '').toLowerCase() === 'recover' ? 'recover' : 'register';
   const challengeRow = authStore.getWebAuthnChallenge(db, {
-    kind: 'registration',
+    kind: mode === 'recover' ? 'claim_recovery' : 'registration',
     claimId: claim.id,
     challenge,
   });
@@ -252,6 +409,10 @@ async function finishClaimPasskey(req, res, db) {
     errorJson(res, 400, 'challenge_not_found');
     return;
   }
+  if (mode === 'recover') {
+    await finishClaimRecovery(req, res, db, body, claim, challengeRow, challenge);
+    return;
+  }
   let credential;
   if (process.env.CTM_AUTH_TEST_WEBAUTHN === '1' && body.testCredential) {
@@ -518,6 +679,64 @@ async function registerPasskey(req, res, db, auth) {
   sendJson(res, 200, { ok: true, credential: publicCredential(added) });
 }
+async function createPairingRequest(req, res, db) {
+  const body = await readJsonBody(req, 64 * 1024);
+  const origin = requestWebAuthnOrigin(req);
+  if (isHostedWalleMobileOrigin(origin)) {
+    errorJson(
+      res,
+      400,
+      'hosted_walle_origin_not_direct_pairing',
+      'm.walle.sh is the Walle Remote app. Open the direct CTM tunnel URL before requesting phone pairing.'
+    );
+    return;
+  }
+  if (!isSecureWebAuthnOrigin(origin)) {
+    errorJson(res, 400, 'secure_context_required', 'Phone pairing requires HTTPS, except localhost development.');
+    return;
+  }
+  const created = authStore.createPairingRequest(db, {
+    label: body.label || '',
+    scopes: body.scopes || ['read', 'respond'],
+    origin,
+    remoteIp: requestClientIp(req),
+    userAgent: req.headers?.['user-agent'] || '',
+  });
+  sendJson(res, 200, {
+    ok: true,
+    request: publicPairingRequest(created.request),
+    secret: created.secret,
+  });
+}
+async function pollPairingRequest(req, res, db, requestId) {
+  const body = await readJsonBody(req, 64 * 1024);
+  const result = authStore.ensurePairingRequestClaim(db, requestId, body.secret);
+  const payload = {
+    ok: true,
+    status: result.status,
+    request: publicPairingRequest(result.request),
+  };
+  if (result.status === 'approved' && result.claim) payload.claim = result.claim;
+  sendJson(res, 200, payload);
+}
+async function approvePairingRequest(req, res, db, auth, requestId) {
+  const body = await readJsonBody(req, 64 * 1024);
+  const patch = { decisionBy: auth?.deviceId || 'loopback' };
+  if (Object.prototype.hasOwnProperty.call(body, 'label')) patch.label = body.label;
+  if (Object.prototype.hasOwnProperty.call(body, 'scopes')) patch.scopes = body.scopes;
+  const request = authStore.approvePairingRequest(db, requestId, patch);
+  sendJson(res, 200, { ok: true, request: publicPairingRequest(request) });
+}
+async function rejectPairingRequest(req, res, db, auth, requestId) {
+  const request = authStore.rejectPairingRequest(db, requestId, {
+    decisionBy: auth?.deviceId || 'loopback',
+  });
+  sendJson(res, 200, { ok: true, request: publicPairingRequest(request) });
+}
 async function handleMobileAuthApi(req, res, url, options = {}) {
   const db = options.db;
   if (!db) return false;
@@ -532,6 +751,20 @@ async function handleMobileAuthApi(req, res, url, options = {}) {
       await finishClaimPasskey(req, res, db);
       return true;
     }
+    if (url.pathname === '/api/auth/logout-local' && req.method === 'POST') {
+      clearLocalSession(req, res);
+      return true;
+    }
+    if (url.pathname === '/api/auth/pairing-requests' && req.method === 'POST') {
+      await createPairingRequest(req, res, db);
+      return true;
+    }
+    const pairingPollMatch = url.pathname.match(/^\/api\/auth\/pairing-requests\/([^/]+)\/poll$/);
+    if (pairingPollMatch && req.method === 'POST') {
+      await pollPairingRequest(req, res, db, decodeURIComponent(pairingPollMatch[1]));
+      return true;
+    }
     if (url.pathname === '/api/auth/device-claims' && req.method === 'POST') {
       const body = await readJsonBody(req);
@@ -556,6 +789,27 @@ async function handleMobileAuthApi(req, res, url, options = {}) {
       return true;
     }
+    if (url.pathname === '/api/auth/pairing-requests' && req.method === 'GET') {
+      const limit = Math.max(1, Math.min(50, Number(url.searchParams.get('limit') || 20)));
+      const includeResolved = url.searchParams.get('include_resolved') === '1';
+      sendJson(res, 200, {
+        ok: true,
+        requests: authStore.listPairingRequests(db, { limit, includeResolved }).map(publicPairingRequest),
+      });
+      return true;
+    }
+    const pairingDecisionMatch = url.pathname.match(/^\/api\/auth\/pairing-requests\/([^/]+)\/(approve|reject)$/);
+    if (pairingDecisionMatch && req.method === 'POST') {
+      const requestId = decodeURIComponent(pairingDecisionMatch[1]);
+      if (pairingDecisionMatch[2] === 'approve') {
+        await approvePairingRequest(req, res, db, options.auth, requestId);
+      } else {
+        await rejectPairingRequest(req, res, db, options.auth, requestId);
+      }
+      return true;
+    }
     const claimMatch = url.pathname.match(/^\/api\/auth\/device-claims\/([^/]+)$/);
     if (claimMatch && req.method === 'PATCH') {
       const body = await readJsonBody(req);
@@ -571,6 +825,7 @@ async function handleMobileAuthApi(req, res, url, options = {}) {
     }
     if (url.pathname === '/api/auth/devices' && req.method === 'GET') {
+      authStore.cleanupMobileAuthArtifacts(db);
       const connectedDeviceIds = typeof options.connectedDeviceIds === 'function'
         ? options.connectedDeviceIds()
         : (options.connectedDeviceIds || []);
@@ -585,6 +840,16 @@ async function handleMobileAuthApi(req, res, url, options = {}) {
       return true;
     }
+    if (url.pathname === '/api/auth/device-duplicates/revoke' && req.method === 'POST') {
+      const body = await readJsonBody(req, 64 * 1024);
+      const result = authStore.revokeDuplicateDeviceTokens(db, body.keep_device_id || body.device_id || '', {
+        reason: 'manual_keep_newest',
+      });
+      if (typeof options.onDeviceRevoked === 'function') options.onDeviceRevoked(result.deviceIds);
+      sendJson(res, 200, { ok: true, revoked: result.count, device_ids: result.deviceIds });
+      return true;
+    }
     if (url.pathname === '/api/auth/begin-step-up' && req.method === 'POST') {
       await beginStepUp(req, res, db, options.auth);
       return true;
@@ -650,7 +915,8 @@ async function handleMobileAuthApi(req, res, url, options = {}) {
     const status = /not_found/.test(code) ? 404
       : /step_up_required|device_token_required/.test(code) ? 403
       : /passkey_not_registered/.test(code) ? 409
-      : /expired|canceled|already|bad_json|too_large|required|missing|revoked/.test(code) ? 400
+      : /rate_limited/.test(code) ? 429
+      : /expired|canceled|already|bad_json|too_large|required|missing|revoked|rejected/.test(code) ? 400
       : 500;
     errorJson(res, status, code);
     return true;
@@ -664,6 +930,7 @@ module.exports = {
   handleMobileAuthApi,
   isHostedWalleMobileOrigin,
   isMobileAuthPublicEndpoint,
+  requestIsHttps,
   isSecureWebAuthnOrigin,
   readJsonBody,
   requestWebAuthnOrigin,