ijihun-planner-studio 0.1.0

package/server.mjs

@@ -0,0 +1,645 @@
+import { createServer } from "node:http";
+import { chmodSync, createReadStream, existsSync, readFileSync } from "node:fs";
+import { readFile, stat } from "node:fs/promises";
+import { execFile } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import { homedir } from "node:os";
+import { dirname, extname, join, resolve, sep } from "node:path";
+import { fileURLToPath } from "node:url";
+import { signValue, timingSafeStringEqual, verifyPassword } from "./lib/auth.mjs";
+
+const root = dirname(fileURLToPath(import.meta.url));
+loadLocalEnv([resolve(process.cwd(), ".env.local"), join(root, ".env.local")]);
+
+const args = process.argv.slice(2);
+const apiOnly = args.includes("--api-only");
+const portIndex = args.indexOf("--port");
+const hostIndex = args.indexOf("--host");
+const port = portIndex >= 0 ? Number(args[portIndex + 1]) : Number(process.env.PORT || 4179);
+const host = hostIndex >= 0 ? args[hostIndex + 1] : process.env.HOST || "127.0.0.1";
+const dist = join(root, "dist");
+const bridgeRoot = process.env.PLANNER_REMINDERS_BRIDGE_ROOT || "/Users/ijihun/apps/icloud-reminders-google-sync";
+const exportSwift = join(bridgeRoot, "RemindersExport.swift");
+const applySwift = join(bridgeRoot, "RemindersApply.swift");
+const syncPy = join(bridgeRoot, "icloud_reminders_google_sync.py");
+const configPath = join(homedir(), ".config/icloud-reminders-google-sync/config.json");
+const statusPath = join(homedir(), ".config/icloud-reminders-google-sync/status.json");
+const ownerEmail = (process.env.PLANNER_OWNER_EMAIL || "").trim().toLowerCase();
+const passwordHash = (process.env.PLANNER_PASSWORD_HASH || "").trim();
+const sessionSecret = (process.env.PLANNER_SESSION_SECRET || "").trim();
+const authConfigured = Boolean(ownerEmail && passwordHash && sessionSecret);
+const sessionTtlMs = Number(process.env.PLANNER_SESSION_TTL_MINUTES || 480) * 60 * 1000;
+const secureCookies = process.env.PLANNER_COOKIE_SECURE === "1";
+const allowedHosts = new Set(
+  (process.env.PLANNER_ALLOWED_HOSTS || "127.0.0.1,localhost,::1")
+    .split(",")
+    .map((item) => item.trim())
+    .filter(Boolean)
+);
+const trustedOrigins = new Set([
+  `http://127.0.0.1:${port}`,
+  `http://localhost:${port}`,
+  "http://127.0.0.1:5178",
+  "http://localhost:5178",
+  ...(process.env.PLANNER_TRUSTED_ORIGINS || "")
+    .split(",")
+    .map((item) => item.trim())
+    .filter(Boolean)
+]);
+
+const mimeTypes = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "text/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".ico": "image/x-icon"
+};
+
+const sessions = new Map();
+const loginAttempts = new Map();
+
+function loadLocalEnv(files) {
+  for (const filePath of files) {
+    if (!existsSync(filePath)) continue;
+    const text = readFileSync(filePath, "utf8");
+    for (const line of text.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const match = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(trimmed);
+      if (!match || process.env[match[1]] !== undefined) continue;
+      process.env[match[1]] = parseEnvValue(match[2]);
+    }
+    try {
+      chmodSync(filePath, 0o600);
+    } catch {
+      // Best-effort hardening for local secret material.
+    }
+  }
+}
+
+function parseEnvValue(value) {
+  const trimmed = value.trim();
+  if ((trimmed.startsWith("\"") && trimmed.endsWith("\"")) || (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+
+function securityHeaders(extra = {}) {
+  return {
+    "content-security-policy": [
+      "default-src 'self'",
+      "script-src 'self'",
+      "style-src 'self'",
+      "img-src 'self' data:",
+      "font-src 'self'",
+      "connect-src 'self'",
+      "object-src 'none'",
+      "base-uri 'none'",
+      "frame-ancestors 'none'",
+      "form-action 'self'"
+    ].join("; "),
+    "x-content-type-options": "nosniff",
+    "x-frame-options": "DENY",
+    "referrer-policy": "no-referrer",
+    "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=(), bluetooth=()",
+    ...extra
+  };
+}
+
+function sendJson(res, status, payload, headers = {}) {
+  res.writeHead(status, securityHeaders({
+    "content-type": "application/json; charset=utf-8",
+    "cache-control": "no-store",
+    ...headers
+  }));
+  res.end(JSON.stringify(payload, null, 2));
+}
+
+function redirect(res, location) {
+  res.writeHead(303, securityHeaders({
+    location,
+    "cache-control": "no-store"
+  }));
+  res.end();
+}
+
+function runFile(command, commandArgs, options = {}) {
+  return new Promise((resolveRun, rejectRun) => {
+    const child = execFile(command, commandArgs, {
+      cwd: options.cwd || root,
+      timeout: options.timeout || 120000,
+      maxBuffer: 1024 * 1024 * 12
+    }, (error, stdout, stderr) => {
+      if (error) {
+        rejectRun(Object.assign(error, { stdout, stderr }));
+        return;
+      }
+      resolveRun({ stdout, stderr });
+    });
+
+    if (options.stdin) {
+      child.stdin?.write(options.stdin);
+      child.stdin?.end();
+    }
+  });
+}
+
+async function readRawBody(req, limit = 1024 * 1024) {
+  const chunks = [];
+  let size = 0;
+  for await (const chunk of req) {
+    size += chunk.length;
+    if (size > limit) throw new Error("Request body too large");
+    chunks.push(chunk);
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+
+async function readBody(req) {
+  const text = await readRawBody(req);
+  if (!text) return {};
+  const contentType = String(req.headers["content-type"] || "").split(";")[0].trim();
+  if (contentType === "application/x-www-form-urlencoded") {
+    return Object.fromEntries(new URLSearchParams(text));
+  }
+  if (!contentType || contentType === "application/json") {
+    return JSON.parse(text);
+  }
+  const error = new Error("Unsupported content type");
+  error.statusCode = 415;
+  throw error;
+}
+
+function safeMessage(error) {
+  return {
+    message: error.message || "Unknown error",
+    stderr: error.stderr || "",
+    stdout: error.stdout || ""
+  };
+}
+
+async function loadStatus() {
+  if (!existsSync(statusPath)) return null;
+  try {
+    return JSON.parse(await readFile(statusPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function parseCookies(req) {
+  const cookieHeader = String(req.headers.cookie || "");
+  const cookies = new Map();
+  for (const part of cookieHeader.split(";")) {
+    const index = part.indexOf("=");
+    if (index < 0) continue;
+    const key = part.slice(0, index).trim();
+    const value = part.slice(index + 1).trim();
+    if (key) cookies.set(key, decodeURIComponent(value));
+  }
+  return cookies;
+}
+
+function serializeCookie(name, value, options = {}) {
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  parts.push(`Path=${options.path || "/"}`);
+  if (options.maxAge !== undefined) parts.push(`Max-Age=${options.maxAge}`);
+  if (options.httpOnly !== false) parts.push("HttpOnly");
+  parts.push(`SameSite=${options.sameSite || "Lax"}`);
+  if (options.secure) parts.push("Secure");
+  return parts.join("; ");
+}
+
+function signedSessionValue(sessionId) {
+  return `${sessionId}.${signValue(sessionId, sessionSecret)}`;
+}
+
+function getSession(req) {
+  if (!authConfigured) return null;
+  const raw = parseCookies(req).get("planner_session");
+  if (!raw) return null;
+  const [sessionId, signature] = raw.split(".");
+  if (!sessionId || !signature) return null;
+  if (!timingSafeStringEqual(signValue(sessionId, sessionSecret), signature)) return null;
+  const session = sessions.get(sessionId);
+  if (!session || session.expiresAt <= Date.now()) {
+    sessions.delete(sessionId);
+    return null;
+  }
+  session.lastSeenAt = Date.now();
+  return { ...session, id: sessionId };
+}
+
+function createSession(res) {
+  pruneSessions();
+  const sessionId = randomBytes(32).toString("base64url");
+  const session = {
+    email: ownerEmail,
+    csrfToken: randomBytes(32).toString("base64url"),
+    createdAt: Date.now(),
+    lastSeenAt: Date.now(),
+    expiresAt: Date.now() + sessionTtlMs
+  };
+  sessions.set(sessionId, session);
+  res.setHeader("set-cookie", serializeCookie("planner_session", signedSessionValue(sessionId), {
+    maxAge: Math.floor(sessionTtlMs / 1000),
+    secure: secureCookies
+  }));
+  return { ...session, id: sessionId };
+}
+
+function clearSession(req, res) {
+  const session = getSession(req);
+  if (session) sessions.delete(session.id);
+  res.setHeader("set-cookie", serializeCookie("planner_session", "", {
+    maxAge: 0,
+    secure: secureCookies
+  }));
+}
+
+function pruneSessions() {
+  const now = Date.now();
+  for (const [sessionId, session] of sessions) {
+    if (session.expiresAt <= now) sessions.delete(sessionId);
+  }
+}
+
+function getClientKey(req, email) {
+  return `${req.socket.remoteAddress || "unknown"}:${String(email || "").toLowerCase()}`;
+}
+
+function getAttemptState(req, email) {
+  const key = getClientKey(req, email);
+  const current = loginAttempts.get(key) || { count: 0, lockedUntil: 0, firstFailureAt: 0 };
+  const now = Date.now();
+  if (current.firstFailureAt && now - current.firstFailureAt > 15 * 60 * 1000) {
+    loginAttempts.delete(key);
+    return { key, state: { count: 0, lockedUntil: 0, firstFailureAt: 0 } };
+  }
+  return { key, state: current };
+}
+
+function recordLoginFailure(req, email) {
+  const { key, state } = getAttemptState(req, email);
+  const now = Date.now();
+  const count = state.count + 1;
+  loginAttempts.set(key, {
+    count,
+    firstFailureAt: state.firstFailureAt || now,
+    lockedUntil: count >= 5 ? now + 15 * 60 * 1000 : state.lockedUntil
+  });
+}
+
+function clearLoginFailures(req, email) {
+  loginAttempts.delete(getClientKey(req, email));
+}
+
+function isLockedOut(req, email) {
+  const { state } = getAttemptState(req, email);
+  return state.lockedUntil > Date.now();
+}
+
+function sessionPayload(session) {
+  return {
+    configured: authConfigured,
+    authenticated: Boolean(session),
+    ownerEmail,
+    csrfToken: session?.csrfToken || null,
+    expiresAt: session ? new Date(session.expiresAt).toISOString() : null
+  };
+}
+
+function acceptsJson(req) {
+  return String(req.headers.accept || "").includes("application/json");
+}
+
+function isUnsafeMethod(method) {
+  return !["GET", "HEAD", "OPTIONS"].includes(method || "GET");
+}
+
+function originAllowed(req) {
+  const origin = req.headers.origin;
+  if (!origin) return true;
+  return trustedOrigins.has(origin);
+}
+
+function csrfAllowed(req, session) {
+  if (!isUnsafeMethod(req.method)) return true;
+  const token = String(req.headers["x-csrf-token"] || "");
+  return Boolean(token && session?.csrfToken && timingSafeStringEqual(token, session.csrfToken));
+}
+
+function rejectUnauthenticated(req, res) {
+  if (req.url?.startsWith("/api/") || acceptsJson(req)) {
+    sendJson(res, 401, { ok: false, error: "Authentication required" });
+    return;
+  }
+  redirect(res, "/login");
+}
+
+function publicPath(pathname) {
+  return pathname === "/login" || pathname === "/auth.css" || pathname.startsWith("/api/auth/");
+}
+
+function hostAllowed(req) {
+  const hostHeader = req.headers.host;
+  if (!hostHeader) return true;
+  try {
+    const hostname = new URL(`http://${hostHeader}`).hostname;
+    return allowedHosts.has(hostname);
+  } catch {
+    return false;
+  }
+}
+
+function htmlEscape(value) {
+  return String(value)
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll("\"", "&quot;");
+}
+
+function sendLoginPage(req, res, url) {
+  const session = getSession(req);
+  if (session) {
+    redirect(res, "/");
+    return;
+  }
+  const error = url.searchParams.get("error") === "1";
+  const locked = url.searchParams.get("locked") === "1";
+  const setup = !authConfigured;
+  res.writeHead(200, securityHeaders({
+    "content-type": "text/html; charset=utf-8",
+    "cache-control": "no-store"
+  }));
+  res.end(`<!doctype html>
+<html lang="ko">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Planner Studio Login</title>
+    <link rel="stylesheet" href="/auth.css" />
+  </head>
+  <body>
+    <main class="login-shell">
+      <section class="login-card" aria-labelledby="login-title">
+        <div class="mark">PS</div>
+        <p class="eyebrow">Owner access</p>
+        <h1 id="login-title">Planner Studio</h1>
+        <p class="copy">등록된 소유자 계정으로만 플래너와 Reminders 연동을 사용할 수 있습니다.</p>
+        ${setup ? `<p class="alert">서버 소유자 비밀번호가 아직 설정되지 않았습니다. <code>.env.local</code>을 먼저 생성하세요.</p>` : ""}
+        ${error ? `<p class="alert">아이디 또는 비밀번호가 올바르지 않습니다.</p>` : ""}
+        ${locked ? `<p class="alert">로그인 시도가 잠시 제한되었습니다. 15분 뒤 다시 시도하세요.</p>` : ""}
+        <form method="post" action="/api/auth/login">
+          <label>
+            <span>아이디</span>
+            <input name="email" type="email" autocomplete="username" value="${htmlEscape(ownerEmail)}" required />
+          </label>
+          <label>
+            <span>비밀번호</span>
+            <input name="password" type="password" autocomplete="current-password" required autofocus />
+          </label>
+          <button type="submit" ${setup ? "disabled" : ""}>로그인</button>
+        </form>
+      </section>
+    </main>
+  </body>
+</html>`);
+}
+
+function sendAuthCss(res) {
+  res.writeHead(200, securityHeaders({
+    "content-type": "text/css; charset=utf-8",
+    "cache-control": "no-store"
+  }));
+  res.end(`:root{font-family:Inter,ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,"Apple SD Gothic Neo","Noto Sans KR","Segoe UI",sans-serif;color:#202124;background:#eef2f7}*{box-sizing:border-box}body{margin:0;min-height:100vh}.login-shell{min-height:100vh;display:grid;place-items:center;padding:24px}.login-card{width:min(420px,100%);background:#fff;border:1px solid #d7dbe3;border-radius:8px;padding:28px;box-shadow:0 20px 50px rgba(24,28,38,.14)}.mark{width:46px;height:46px;border:2px solid #202124;border-radius:8px;display:grid;place-items:center;font-weight:900;margin-bottom:18px}.eyebrow{margin:0 0 6px;color:#72737a;font-size:12px;font-weight:800;text-transform:uppercase;letter-spacing:.04em}h1{margin:0;font-size:30px;line-height:1.08}.copy{color:#72737a;line-height:1.5;margin:12px 0 20px}.alert{border:1px solid #f0b8b8;background:#fff6f6;color:#9c2f2f;border-radius:8px;padding:10px 12px;font-size:13px;line-height:1.45}form{display:grid;gap:12px}label{display:grid;gap:6px;font-size:13px;font-weight:800;color:#4f5159}input,button{font:inherit;border-radius:8px;min-height:42px}input{border:1px solid #d7dbe3;padding:0 12px}button{border:1px solid #202124;background:#202124;color:#fff;font-weight:850;cursor:pointer}button:disabled{opacity:.5;cursor:not-allowed}code{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace}`);
+}
+
+async function handleAuth(req, res, url) {
+  if (req.method === "GET" && url.pathname === "/api/auth/session") {
+    sendJson(res, 200, sessionPayload(getSession(req)));
+    return true;
+  }
+
+  if (req.method === "POST" && url.pathname === "/api/auth/login") {
+    const formLogin = String(req.headers["content-type"] || "").startsWith("application/x-www-form-urlencoded");
+    if (!authConfigured) {
+      if (formLogin) redirect(res, "/login?error=1");
+      else sendJson(res, 503, { ok: false, error: "Owner authentication is not configured" });
+      return true;
+    }
+    if (!originAllowed(req)) {
+      sendJson(res, 403, { ok: false, error: "Origin not allowed" });
+      return true;
+    }
+
+    const payload = await readBody(req);
+    const email = String(payload.email || "").trim().toLowerCase();
+    const password = String(payload.password || "");
+    if (isLockedOut(req, email)) {
+      if (formLogin) redirect(res, "/login?locked=1");
+      else sendJson(res, 429, { ok: false, error: "Too many login attempts" });
+      return true;
+    }
+
+    const ok = email === ownerEmail && await verifyPassword(password, passwordHash);
+    if (!ok) {
+      recordLoginFailure(req, email || ownerEmail);
+      if (formLogin) redirect(res, "/login?error=1");
+      else sendJson(res, 401, { ok: false, error: "Invalid credentials" });
+      return true;
+    }
+
+    clearLoginFailures(req, email);
+    const session = createSession(res);
+    if (formLogin) redirect(res, "/");
+    else sendJson(res, 200, sessionPayload(session));
+    return true;
+  }
+
+  if (req.method === "POST" && url.pathname === "/api/auth/logout") {
+    const session = getSession(req);
+    if (session && !csrfAllowed(req, session)) {
+      sendJson(res, 403, { ok: false, error: "CSRF token required" });
+      return true;
+    }
+    clearSession(req, res);
+    sendJson(res, 200, { ok: true });
+    return true;
+  }
+
+  return false;
+}
+
+async function handleApi(req, res, url) {
+  try {
+    if (await handleAuth(req, res, url)) return;
+
+    const session = getSession(req);
+    if (!session) {
+      rejectUnauthenticated(req, res);
+      return;
+    }
+    if (!originAllowed(req)) {
+      sendJson(res, 403, { ok: false, error: "Origin not allowed" });
+      return;
+    }
+    if (!csrfAllowed(req, session)) {
+      sendJson(res, 403, { ok: false, error: "CSRF token required" });
+      return;
+    }
+
+    if (req.method === "GET" && url.pathname === "/api/health") {
+      const status = await loadStatus();
+      sendJson(res, 200, {
+        ok: true,
+        apiOnly,
+        bridgeRoot,
+        remindersBridge: existsSync(exportSwift) && existsSync(applySwift),
+        googleTasksBridge: existsSync(syncPy),
+        googleSyncStatus: status
+      });
+      return;
+    }
+
+    if (req.method === "GET" && url.pathname === "/api/reminders/lists") {
+      const result = await runFile("/usr/bin/swift", [exportSwift, "--lists-only"], { cwd: bridgeRoot });
+      sendJson(res, 200, JSON.parse(result.stdout));
+      return;
+    }
+
+    if (req.method === "GET" && url.pathname === "/api/reminders") {
+      const lookahead = Math.min(Math.max(Number(url.searchParams.get("lookaheadDays") || 14), 0), 3650);
+      const commandArgs = [exportSwift, "--lookahead-days", String(lookahead)];
+      if (url.searchParams.get("includeUndated") === "1") commandArgs.push("--include-undated");
+      const lists = url.searchParams.getAll("list").filter(Boolean);
+      for (const list of lists) commandArgs.push("--list", list);
+      const result = await runFile("/usr/bin/swift", commandArgs, { cwd: bridgeRoot });
+      sendJson(res, 200, JSON.parse(result.stdout));
+      return;
+    }
+
+    if (req.method === "POST" && url.pathname === "/api/reminders/apply") {
+      const payload = await readBody(req);
+      const operations = Array.isArray(payload) ? payload : payload.operations;
+      if (!Array.isArray(operations) || operations.length > 100) {
+        sendJson(res, 400, { ok: false, error: "Expected operations array with at most 100 items." });
+        return;
+      }
+      const result = await runFile("/usr/bin/swift", [applySwift], {
+        cwd: bridgeRoot,
+        stdin: JSON.stringify(operations)
+      });
+      sendJson(res, 200, JSON.parse(result.stdout));
+      return;
+    }
+
+    if (req.method === "GET" && url.pathname === "/api/google-sync/status") {
+      const status = await loadStatus();
+      sendJson(res, 200, {
+        configured: existsSync(configPath),
+        bridgeRoot,
+        status
+      });
+      return;
+    }
+
+    if (req.method === "POST" && url.pathname === "/api/google-sync/run") {
+      const payload = await readBody(req);
+      const dryRun = payload.dryRun !== false;
+      const commandArgs = [syncPy, "--config", configPath, "sync"];
+      if (dryRun) commandArgs.push("--dry-run");
+      const result = await runFile("/opt/homebrew/bin/python3", commandArgs, {
+        cwd: bridgeRoot,
+        timeout: 180000
+      });
+      sendJson(res, 200, {
+        ok: true,
+        dryRun,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        status: await loadStatus()
+      });
+      return;
+    }
+
+    sendJson(res, 404, { ok: false, error: "Unknown API route" });
+  } catch (error) {
+    sendJson(res, error.statusCode || 500, { ok: false, error: safeMessage(error) });
+  }
+}
+
+function resolveStaticPath(pathname) {
+  let decoded;
+  try {
+    decoded = decodeURIComponent(pathname);
+  } catch {
+    return null;
+  }
+  const target = decoded === "/" ? "/index.html" : decoded;
+  const filePath = resolve(dist, `.${target}`);
+  if (filePath !== dist && !filePath.startsWith(`${dist}${sep}`)) return null;
+  return filePath;
+}
+
+async function handleStatic(req, res, url) {
+  const requested = resolveStaticPath(url.pathname);
+  if (!requested) {
+    sendJson(res, 400, { ok: false, error: "Invalid path" });
+    return;
+  }
+
+  let filePath = requested;
+  try {
+    const fileStat = await stat(filePath);
+    if (fileStat.isDirectory()) filePath = join(filePath, "index.html");
+  } catch {
+    filePath = join(dist, "index.html");
+  }
+
+  const ext = extname(filePath);
+  res.writeHead(200, securityHeaders({
+    "content-type": mimeTypes[ext] || "application/octet-stream",
+    "cache-control": ext === ".html" ? "no-store" : "private, max-age=3600"
+  }));
+  createReadStream(filePath).pipe(res);
+}
+
+const server = createServer(async (req, res) => {
+  if (!hostAllowed(req)) {
+    sendJson(res, 400, { ok: false, error: "Host not allowed" });
+    return;
+  }
+
+  const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
+
+  if (req.method === "GET" && url.pathname === "/login") {
+    sendLoginPage(req, res, url);
+    return;
+  }
+  if (req.method === "GET" && url.pathname === "/auth.css") {
+    sendAuthCss(res);
+    return;
+  }
+  if (url.pathname.startsWith("/api/")) {
+    await handleApi(req, res, url);
+    return;
+  }
+  if (apiOnly) {
+    sendJson(res, 404, { ok: false, error: "API server only" });
+    return;
+  }
+  if (!publicPath(url.pathname) && !getSession(req)) {
+    rejectUnauthenticated(req, res);
+    return;
+  }
+  await handleStatic(req, res, url);
+});
+
+server.listen(port, host, () => {
+  console.log(`Planner server listening on http://${host}:${port}`);
+});