fluxy-bot 0.3.0 → 0.3.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fluxy-bot",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "Self-hosted AI bot — run your own AI assistant from anywhere",
   "type": "module",
   "license": "MIT",

package/supervisor/chat/fluxy-main.tsx

@@ -4,6 +4,8 @@ import { ArrowLeft, MoreVertical, Trash2, Wand2 } from 'lucide-react';
 import { WsClient } from './src/lib/ws-client';
 import { useFluxyChat } from './src/hooks/useFluxyChat';
 import OnboardWizard from './OnboardWizard';
+import LoginScreen from './src/components/LoginScreen';
+import { getAuthToken, setAuthToken, clearAuthToken, authFetch } from './src/lib/auth';
 import MessageList from './src/components/Chat/MessageList';
 import InputBar from './src/components/Chat/InputBar';
 import './src/styles/globals.css';
@@ -19,10 +21,66 @@ function FluxyApp() {
   const menuRef = useRef<HTMLDivElement>(null);
   const wasConnected = useRef(false);
 
+  // Auth state
+  const [authChecked, setAuthChecked] = useState(false);
+  const [authRequired, setAuthRequired] = useState(false);
+  const [authenticated, setAuthenticated] = useState(false);
+
+  // Check auth on mount
   useEffect(() => {
+    (async () => {
+      try {
+        const res = await fetch('/api/onboard/status');
+        const data = await res.json();
+        if (!data.portalConfigured) {
+          // No password set — skip auth entirely
+          setAuthRequired(false);
+          setAuthenticated(true);
+          setAuthChecked(true);
+          return;
+        }
+
+        setAuthRequired(true);
+
+        // Check if we have a valid token in localStorage
+        const token = getAuthToken();
+        if (token) {
+          const vRes = await fetch('/api/portal/validate-token', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ token }),
+          });
+          const vData = await vRes.json();
+          if (vData.valid) {
+            setAuthenticated(true);
+            setAuthChecked(true);
+            return;
+          }
+          clearAuthToken();
+        }
+
+        setAuthenticated(false);
+        setAuthChecked(true);
+      } catch {
+        // Worker not ready — skip auth, let it retry later
+        setAuthenticated(true);
+        setAuthChecked(true);
+      }
+    })();
+  }, []);
+
+  const handleLogin = (token: string) => {
+    setAuthToken(token);
+    setAuthenticated(true);
+  };
+
+  // Connect WebSocket only when authenticated
+  useEffect(() => {
+    if (!authenticated) return;
+
     const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
     const host = location.host;
-    const client = new WsClient(`${proto}//${host}/fluxy/ws`);
+    const client = new WsClient(`${proto}//${host}/fluxy/ws`, getAuthToken);
     clientRef.current = client;
 
     const unsub = client.onStatus((isConnected) => {
@@ -62,18 +120,19 @@ function FluxyApp() {
       unsubHmr();
       client.disconnect();
     };
-  }, []);
+  }, [authenticated]);
 
   // Try to load settings (will work when worker is up, fail silently when down)
   useEffect(() => {
-    fetch('/api/settings')
+    if (!authenticated) return;
+    authFetch('/api/settings')
       .then((r) => r.json())
       .then((s) => {
         if (s.agent_name) setBotName(s.agent_name);
         if (s.whisper_enabled === 'true') setWhisperEnabled(true);
       })
       .catch(() => {});
-  }, []);
+  }, [authenticated]);
 
   // Close menu on outside click
   useEffect(() => {
@@ -88,6 +147,19 @@ function FluxyApp() {
   const { messages, streaming, streamBuffer, tools, sendMessage, stopStreaming, clearContext } =
     useFluxyChat(clientRef.current, reloadTrigger);
 
+  // Auth gate: show spinner while checking, login screen if needed
+  if (!authChecked) {
+    return (
+      <div className="flex items-center justify-center h-dvh">
+        <div className="w-6 h-6 border-2 border-white/10 border-t-white/50 rounded-full animate-spin" />
+      </div>
+    );
+  }
+
+  if (authRequired && !authenticated) {
+    return <LoginScreen onLogin={handleLogin} />;
+  }
+
   return (
     <div className="flex flex-col h-dvh overflow-hidden">
       {/* Header */}
@@ -143,7 +215,7 @@ function FluxyApp() {
           onComplete={() => {
             setShowWizard(false);
             // Reload settings (bot name, whisper, etc.)
-            fetch('/api/settings')
+            authFetch('/api/settings')
               .then((r) => r.json())
               .then((s) => {
                 if (s.agent_name) setBotName(s.agent_name);

package/supervisor/chat/src/components/LoginScreen.tsx

@@ -0,0 +1,87 @@
+import { useState, type KeyboardEvent } from 'react';
+import { Lock, LoaderCircle, ArrowRight } from 'lucide-react';
+
+interface Props {
+  onLogin: (token: string) => void;
+}
+
+export default function LoginScreen({ onLogin }: Props) {
+  const [password, setPassword] = useState('');
+  const [error, setError] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  const handleSubmit = async () => {
+    if (!password.trim() || loading) return;
+    setLoading(true);
+    setError('');
+
+    try {
+      const res = await fetch('/api/portal/login', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ password }),
+      });
+      const data = await res.json();
+
+      if (res.ok && data.token) {
+        onLogin(data.token);
+      } else {
+        setError(data.error || 'Invalid password');
+      }
+    } catch {
+      setError('Could not reach server');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleKeyDown = (e: KeyboardEvent) => {
+    if (e.key === 'Enter') handleSubmit();
+  };
+
+  return (
+    <div className="flex flex-col items-center justify-center h-dvh px-6">
+      <div className="w-full max-w-[320px] flex flex-col items-center">
+        <div className="w-14 h-14 rounded-2xl bg-white/[0.04] border border-white/[0.08] flex items-center justify-center mb-5">
+          <Lock className="h-6 w-6 text-white/40" />
+        </div>
+
+        <h1 className="text-xl font-bold text-white tracking-tight mb-1">
+          Welcome back
+        </h1>
+        <p className="text-white/40 text-[13px] mb-6">
+          Enter your portal password to continue.
+        </p>
+
+        {error && (
+          <div className="w-full bg-red-500/8 border border-red-500/15 rounded-xl px-4 py-2.5 mb-4">
+            <p className="text-red-400/90 text-[12px]">{error}</p>
+          </div>
+        )}
+
+        <input
+          type="password"
+          value={password}
+          onChange={(e) => setPassword(e.target.value)}
+          onKeyDown={handleKeyDown}
+          placeholder="Password"
+          autoFocus
+          autoComplete="current-password"
+          className="w-full bg-white/[0.05] border border-white/[0.08] text-white rounded-xl px-4 py-3 text-base outline-none input-glow placeholder:text-white/20 transition-all"
+        />
+
+        <button
+          onClick={handleSubmit}
+          disabled={!password.trim() || loading}
+          className="w-full mt-4 py-3 bg-gradient-brand hover:opacity-90 text-white text-[14px] font-semibold rounded-full transition-colors flex items-center justify-center gap-2 disabled:opacity-40"
+        >
+          {loading ? (
+            <><LoaderCircle className="h-4 w-4 animate-spin" />Signing in...</>
+          ) : (
+            <>Sign In<ArrowRight className="h-4 w-4" /></>
+          )}
+        </button>
+      </div>
+    </div>
+  );
+}

package/supervisor/chat/src/hooks/useFluxyChat.ts

@@ -1,6 +1,7 @@
 import { useCallback, useEffect, useRef, useState } from 'react';
 import type { WsClient } from '../lib/ws-client';
 import type { ChatMessage, ToolActivity, Attachment, StoredAttachment } from './useChat';
+import { authFetch } from '../lib/auth';
 
 /**
  * Chat hook for the standalone Fluxy chat app.
@@ -18,11 +19,11 @@ export function useFluxyChat(ws: WsClient | null, triggerReload?: number) {
   // Load current conversation from DB
   const loadFromDb = useCallback(async () => {
     try {
-      const ctx = await fetch('/api/context/current').then((r) => r.json());
+      const ctx = await authFetch('/api/context/current').then((r) => r.json());
       if (!ctx.conversationId) return;
       setConversationId(ctx.conversationId);
 
-      const res = await fetch(`/api/conversations/${ctx.conversationId}`);
+      const res = await authFetch(`/api/conversations/${ctx.conversationId}`);
       if (!res.ok) return;
       const data = await res.json();
       if (!data.messages?.length) return;

package/supervisor/chat/src/lib/auth.ts

@@ -0,0 +1,30 @@
+const TOKEN_KEY = 'fluxy_token';
+
+export function getAuthToken(): string | null {
+  return localStorage.getItem(TOKEN_KEY);
+}
+
+export function setAuthToken(token: string): void {
+  localStorage.setItem(TOKEN_KEY, token);
+}
+
+export function clearAuthToken(): void {
+  localStorage.removeItem(TOKEN_KEY);
+}
+
+export async function authFetch(url: string, options: RequestInit = {}): Promise<Response> {
+  const token = getAuthToken();
+  const headers = new Headers(options.headers);
+  if (token) {
+    headers.set('Authorization', `Bearer ${token}`);
+  }
+
+  const res = await fetch(url, { ...options, headers });
+
+  if (res.status === 401) {
+    clearAuthToken();
+    window.location.reload();
+  }
+
+  return res;
+}

package/supervisor/chat/src/lib/ws-client.ts

@@ -17,16 +17,26 @@ export class WsClient {
   private intentionalClose = false;
   private reconnectDelay = 1000;
   private static MAX_RECONNECT_DELAY = 8000;
+  private tokenGetter: (() => string | null) | null = null;
 
-  constructor(url?: string) {
+  constructor(url?: string, tokenGetter?: (() => string | null) | null) {
     const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
     const host = import.meta.env.DEV ? 'localhost:3000' : location.host;
     this.url = url ?? `${proto}//${host}/ws`;
+    this.tokenGetter = tokenGetter ?? null;
   }
 
   connect(): void {
     this.intentionalClose = false;
-    this.ws = new WebSocket(this.url);
+    let wsUrl = this.url;
+    if (this.tokenGetter) {
+      const token = this.tokenGetter();
+      if (token) {
+        const sep = wsUrl.includes('?') ? '&' : '?';
+        wsUrl = `${wsUrl}${sep}token=${token}`;
+      }
+    }
+    this.ws = new WebSocket(wsUrl);
 
     this.ws.onopen = () => {
       this.reconnectDelay = 1000;

package/supervisor/index.ts

@@ -89,8 +89,65 @@ export async function startSupervisor() {
     }
   }
 
+  // ── Auth middleware ──
+  const tokenCache = new Map<string, number>(); // token → expiry timestamp
+  const TOKEN_CACHE_TTL = 60_000; // 60s
+
+  async function validateToken(token: string): Promise<boolean> {
+    const cached = tokenCache.get(token);
+    if (cached && cached > Date.now()) return true;
+
+    try {
+      const res = await fetch(`http://127.0.0.1:${workerPort}/api/portal/validate-token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ token }),
+      });
+      const data = await res.json() as { valid: boolean };
+      if (data.valid) {
+        tokenCache.set(token, Date.now() + TOKEN_CACHE_TTL);
+        return true;
+      }
+      tokenCache.delete(token);
+      return false;
+    } catch {
+      return false;
+    }
+  }
+
+  let authRequiredCache: { value: boolean; expires: number } | null = null;
+
+  async function isAuthRequired(): Promise<boolean> {
+    if (authRequiredCache && authRequiredCache.expires > Date.now()) return authRequiredCache.value;
+    try {
+      const res = await fetch(`http://127.0.0.1:${workerPort}/api/onboard/status`);
+      const data = await res.json() as { portalConfigured: boolean };
+      const required = !!data.portalConfigured;
+      authRequiredCache = { value: required, expires: Date.now() + 30_000 };
+      return required;
+    } catch {
+      return false;
+    }
+  }
+
+  const AUTH_EXEMPT_ROUTES = [
+    'POST /api/portal/login',
+    'POST /api/portal/validate-token',
+    'GET /api/onboard/status',
+    'GET /api/health',
+    'POST /api/onboard',
+  ];
+
+  function isExemptRoute(method: string, url: string): boolean {
+    const path = url.split('?')[0];
+    return AUTH_EXEMPT_ROUTES.some((r) => {
+      const [m, p] = r.split(' ');
+      return method === m && path === p;
+    });
+  }
+
   // HTTP server — proxies to Vite dev servers + worker API
-  const server = http.createServer((req, res) => {
+  const server = http.createServer(async (req, res) => {
     // Fluxy widget — served directly (not part of Vite build)
     if (req.url === '/fluxy/widget.js') {
       console.log('[supervisor] Serving /fluxy/widget.js directly');
@@ -136,6 +193,20 @@ export async function startSupervisor() {
         return;
       }
 
+      // Auth check for API routes
+      if (!isExemptRoute(req.method || 'GET', req.url || '')) {
+        const needsAuth = await isAuthRequired();
+        if (needsAuth) {
+          const authHeader = req.headers['authorization'];
+          const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null;
+          if (!token || !(await validateToken(token))) {
+            res.writeHead(401, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Unauthorized' }));
+            return;
+          }
+        }
+      }
+
       const proxy = http.request(
         { host: '127.0.0.1', port: workerPort, path: req.url, method: req.method, headers: req.headers },
         (proxyRes) => {
@@ -384,10 +455,23 @@ export async function startSupervisor() {
     });
   });
 
-  server.on('upgrade', (req, socket: net.Socket, head) => {
+  server.on('upgrade', async (req, socket: net.Socket, head) => {
     console.log(`[supervisor] WebSocket upgrade: ${req.url}`);
 
-    if (req.url === '/fluxy/ws') {
+    if (req.url?.startsWith('/fluxy/ws')) {
+      // Auth check for WebSocket
+      const needsAuth = await isAuthRequired();
+      if (needsAuth) {
+        const urlObj = new URL(req.url, `http://${req.headers.host}`);
+        const token = urlObj.searchParams.get('token');
+        if (!token || !(await validateToken(token))) {
+          console.log('[supervisor] WS auth failed — rejecting');
+          socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+          socket.destroy();
+          return;
+        }
+      }
+
       console.log('[supervisor] → Fluxy chat WebSocket');
       fluxyWss.handleUpgrade(req, socket, head, (ws) => fluxyWss.emit('connection', ws, req));
       return;

package/worker/db.ts

@@ -27,6 +27,11 @@ CREATE TABLE IF NOT EXISTS settings (
   value TEXT NOT NULL,
   updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
+CREATE TABLE IF NOT EXISTS sessions (
+  token TEXT PRIMARY KEY,
+  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+  expires_at DATETIME NOT NULL
+);
 `;
 
 let db: Database.Database;
@@ -93,6 +98,20 @@ export function getAllSettings() {
   return Object.fromEntries(rows.map((r) => [r.key, r.value]));
 }
 
+// Auth sessions
+export function createSession(token: string, expiresAt: string) {
+  db.prepare('INSERT INTO sessions (token, expires_at) VALUES (?, ?)').run(token, expiresAt);
+}
+export function getSession(token: string): { token: string; created_at: string; expires_at: string } | undefined {
+  return db.prepare('SELECT * FROM sessions WHERE token = ? AND expires_at > datetime(\'now\')').get(token) as any;
+}
+export function deleteSession(token: string) {
+  db.prepare('DELETE FROM sessions WHERE token = ?').run(token);
+}
+export function deleteExpiredSessions() {
+  db.prepare('DELETE FROM sessions WHERE expires_at <= datetime(\'now\')').run();
+}
+
 // Session ID (Agent SDK)
 export function getSessionId(convId: string): string | null {
   const row = db.prepare('SELECT session_id FROM conversations WHERE id = ?').get(convId) as any;

package/worker/index.ts

@@ -3,7 +3,7 @@ import crypto from 'crypto';
 import { loadConfig, saveConfig } from '../shared/config.js';
 import { paths } from '../shared/paths.js';
 import { log } from '../shared/logger.js';
-import { initDb, closeDb, listConversations, createConversation, deleteConversation, getMessages, addMessage, getSetting, getAllSettings, setSetting } from './db.js';
+import { initDb, closeDb, listConversations, createConversation, deleteConversation, getMessages, addMessage, getSetting, getAllSettings, setSetting, createSession, getSession, deleteExpiredSessions } from './db.js';
 import { startCodexOAuth, cancelCodexOAuth, getCodexAuthStatus, readCodexAccessToken } from './codex-auth.js';
 import { startClaudeOAuth, exchangeClaudeCode, getClaudeAuthStatus, readClaudeAccessToken } from './claude-auth.js';
 import { checkAvailability, registerHandle, releaseHandle, updateTunnelUrl, startHeartbeat, stopHeartbeat } from '../shared/relay.js';
@@ -251,6 +251,29 @@ app.post('/api/portal/verify-password', (req, res) => {
   res.json({ valid: verifyPassword(password, stored) });
 });
 
+app.post('/api/portal/login', (req, res) => {
+  const { password } = req.body;
+  if (!password) { res.status(400).json({ error: 'Password required' }); return; }
+  const stored = getSetting('portal_pass');
+  if (!stored) { res.status(400).json({ error: 'No password set' }); return; }
+  if (!verifyPassword(password, stored)) { res.status(401).json({ error: 'Invalid password' }); return; }
+
+  // Clean up expired sessions opportunistically
+  deleteExpiredSessions();
+
+  const token = crypto.randomBytes(64).toString('hex');
+  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+  createSession(token, expiresAt);
+  res.json({ token, expiresAt });
+});
+
+app.post('/api/portal/validate-token', (req, res) => {
+  const { token } = req.body;
+  if (!token) { res.json({ valid: false }); return; }
+  const session = getSession(token);
+  res.json({ valid: !!session });
+});
+
 app.post('/api/onboard', (req, res) => {
   const { userName, agentName, provider, model, apiKey, baseUrl, portalUser, portalPass, whisperEnabled, whisperKey } = req.body;
   setSetting('user_name', userName || '');