jamdesk 1.1.21 → 1.1.23

package/vendored/app/api/jd/unlock/route.ts

@@ -0,0 +1,325 @@
+/**
+ * POST /api/jd/unlock — password verification endpoint.
+ *
+ * Node runtime only — scrypt runs here and nowhere else in the enforcement
+ * path. Must NOT be edge runtime.
+ *
+ * Flow:
+ *   1. Validate inputs (slug, password fields)
+ *   2. Check rate limits (per-IP + per-slug backstop) — BEFORE scrypt
+ *   3. Fetch stored hash from Redis
+ *   4. Always run scrypt (DUMMY_HASH when no hash stored) to prevent timing oracles
+ *   5. On match: sign host-bound cookie, 303 to sanitized `from`
+ *   6. On mismatch: 303 to unlock page with error=1
+ */
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+import { scrypt, randomBytes, timingSafeEqual } from 'crypto';
+import { promisify } from 'util';
+import { redis } from '@/lib/redis';
+import { sanitizeFrom } from '@/lib/sanitize-from';
+import { VALID_SLUG_RE } from '@/lib/middleware-helpers';
+import { signAuthCookie } from '@/shared/auth-cookie';
+
+const scryptAsync = promisify(scrypt) as (
+  password: string,
+  salt: Buffer,
+  keyLen: number,
+  options: { N: number; r: number; p: number; maxmem?: number }
+) => Promise<Buffer>;
+
+// Scrypt baseline — N=16384 is the OWASP baseline; r and p come from the
+// decoded stored hash so we can verify hashes with different cost factors.
+const SCRYPT_N = 16384;
+const KEY_LEN = 64;
+
+// Dummy hash cost MUST match production scrypt params exactly so that the
+// dummy verify path is indistinguishable from a real verify via timing. A
+// disparity in either direction (faster OR slower) gives a network-adjacent
+// attacker a signal to distinguish "no password configured" from "password
+// set, wrong guess". Keep these in sync with the dashboard callable's
+// SCRYPT_R / SCRYPT_P in handlers/projectAuth.ts.
+const DUMMY_N = SCRYPT_N;
+const DUMMY_R = 8;
+const DUMMY_P = 1;
+
+// Rate limit thresholds
+const IP_LIMIT = 10;
+const SLUG_LIMIT = 100;
+const WINDOW_SECONDS = 3600; // 1 hour
+
+// Cookie max age: 30 days
+const COOKIE_MAX_AGE = 30 * 24 * 60 * 60;
+
+// Pre-compute a dummy hash at module load time so we can always run scrypt
+// even when no hash is stored, preventing timing oracles that reveal whether
+// a project has password protection configured.
+// Top-level await is fine in Next.js 16 Node runtime routes.
+const DUMMY_HASH: string = await (async () => {
+  const salt = randomBytes(16);
+  const derived = await scryptAsync('dummy-password-do-not-use', salt, KEY_LEN, {
+    N: DUMMY_N,
+    r: DUMMY_R,
+    p: DUMMY_P,
+    maxmem: 128 * 1024 * 1024,
+  });
+  return `scrypt$${DUMMY_N}$${DUMMY_R}$${DUMMY_P}$${salt.toString('base64')}$${derived.toString('base64')}`;
+})();
+
+interface ScryptHash {
+  N: number;
+  r: number;
+  p: number;
+  salt: Buffer;
+  hash: Buffer;
+}
+
+/**
+ * Parse a stored hash string in the format:
+ *   scrypt$N$r$p$salt_b64$hash_b64
+ *
+ * Returns null if the format is malformed or values are out of bounds.
+ */
+function decodeHash(stored: string): ScryptHash | null {
+  try {
+    const parts = stored.split('$');
+    if (parts.length !== 6) return null;
+    const [prefix, nStr, rStr, pStr, saltB64, hashB64] = parts;
+    if (prefix !== 'scrypt') return null;
+
+    const N = parseInt(nStr, 10);
+    const r = parseInt(rStr, 10);
+    const p = parseInt(pStr, 10);
+
+    // Sanity-check values to prevent DoS via absurd cost factors
+    if (!Number.isSafeInteger(N) || N < 1024 || N > 2 ** 20) return null;
+    if (!Number.isSafeInteger(r) || r < 1 || r > 64) return null;
+    if (!Number.isSafeInteger(p) || p < 1 || p > 64) return null;
+    if (!saltB64 || !hashB64) return null;
+
+    const salt = Buffer.from(saltB64, 'base64');
+    const hash = Buffer.from(hashB64, 'base64');
+
+    if (salt.length === 0 || hash.length === 0) return null;
+
+    return { N, r, p, salt, hash };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Run scrypt on `password` with params from `stored` and compare
+ * using timingSafeEqual. Returns false on any error (malformed hash, etc.).
+ * Always returns false without throwing.
+ */
+async function verifyScrypt(password: string, stored: string): Promise<boolean> {
+  const params = decodeHash(stored);
+  if (!params) return false;
+
+  try {
+    // Raise maxmem ceiling to 128MB so future param upgrades (higher r, p)
+    // don't hit the default 32MB ceiling. Current OWASP-baseline hashes
+    // (r=8, p=1) need only ~16MB.
+    const derived = await scryptAsync(password, params.salt, params.hash.length, {
+      N: params.N,
+      r: params.r,
+      p: params.p,
+      maxmem: 128 * 1024 * 1024,
+    });
+
+    // timingSafeEqual requires same length — already guaranteed because we
+    // derive exactly params.hash.length bytes above.
+    return timingSafeEqual(derived, params.hash);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Extract the trusted client IP from the request.
+ *
+ * Trust order: x-vercel-forwarded-for → x-real-ip
+ * NEVER use raw x-forwarded-for — it is attacker-controllable.
+ *
+ * x-vercel-forwarded-for contains only the outermost client IP as set by
+ * Vercel's edge network, making it safe for rate-limiting.
+ */
+function getClientIp(req: Request): string {
+  const vff = req.headers.get('x-vercel-forwarded-for');
+  if (vff) {
+    // May be a comma-separated list if there are intermediate proxies —
+    // take the first (leftmost) address, which is the original client.
+    return vff.split(',')[0].trim();
+  }
+  const realIp = req.headers.get('x-real-ip');
+  if (realIp) return realIp.trim();
+  return 'unknown';
+}
+
+/**
+ * Get the request host for cookie host-binding.
+ *
+ * In hostAtDocs mode the ISR middleware injects x-jamdesk-forwarded-host
+ * with the customer's own domain (e.g. docs.acme.com). Fall back to the
+ * raw Host header otherwise (e.g. acme.jamdesk.app).
+ */
+function getRequestHost(req: Request): string {
+  return (
+    req.headers.get('x-jamdesk-forwarded-host') ||
+    req.headers.get('host') ||
+    'unknown'
+  );
+}
+
+/**
+ * Increment a Redis rate-limit counter and set a TTL if this is the first
+ * increment. Returns the new count. Uses incr + expire (not SETEX) so we
+ * only reset the TTL on the first hit within a window.
+ *
+ * Fail-closed: returns Infinity if Redis is unavailable. Callers compare
+ * against their limit with `>` so Infinity always trips the guard and blocks
+ * the attempt. This means a Redis outage rate-limits EVERYONE (including
+ * legitimate users) rather than letting an attacker bypass rate limiting by
+ * disrupting Redis. Do NOT change the sentinel to 0 — that would fail-open.
+ */
+async function rateLimitIncr(key: string): Promise<number> {
+  if (!redis) return Infinity;
+  try {
+    const count = await redis.incr(key);
+    if (count === 1) {
+      await redis.expire(key, WINDOW_SECONDS);
+    }
+    return count;
+  } catch (err) {
+    console.warn('[unlock] rate limit Redis error — failing closed', { key, err });
+    return Infinity;
+  }
+}
+
+interface StoredSecret {
+  hash: string;
+  version: number;
+}
+
+// Returns null only when Redis is unconfigured (local dev). Real errors
+// propagate so POST can fail closed with 503 — matching resolveAuth.
+async function fetchStoredSecret(slug: string): Promise<StoredSecret | null> {
+  if (!redis) return null;
+  return redis.get<StoredSecret>(`projectAuthSecret:${slug}`);
+}
+
+export async function POST(req: Request): Promise<Response> {
+  // Fail-closed: if the signing secret is missing, we cannot issue valid
+  // cookies. Return 503 rather than silently issuing unsigned tokens.
+  const secret = process.env.EDGE_AUTH_SECRET;
+  if (!secret) {
+    return new Response('Service temporarily unavailable', {
+      status: 503,
+      headers: { 'Retry-After': '30' },
+    });
+  }
+
+  // Parse form body
+  let formData: FormData;
+  try {
+    formData = await req.formData();
+  } catch {
+    return new Response('Bad Request: invalid form data', { status: 400 });
+  }
+
+  const password = formData.get('password');
+  const rawFrom = formData.get('from');
+
+  if (!password || typeof password !== 'string') {
+    return new Response('Bad Request: missing password', { status: 400 });
+  }
+  // Mirror the 256-char cap from the dashboard callable. Prevents a caller
+  // from forcing a very slow scrypt by submitting a multi-MB "password".
+  if (password.length > 256) {
+    return new Response('Bad Request: password too long', { status: 400 });
+  }
+
+  const slug = req.headers.get('x-project-slug');
+  if (!slug) {
+    return new Response('Bad Request: missing x-project-slug', { status: 400 });
+  }
+  // Defense-in-depth: middleware validates, but a malformed header would
+  // otherwise leak into `projectAuthSecret:${slug}`.
+  if (!VALID_SLUG_RE.test(slug)) {
+    return new Response('Bad Request: invalid project slug', { status: 400 });
+  }
+
+  const from = sanitizeFrom(typeof rawFrom === 'string' ? rawFrom : null);
+  const clientIp = getClientIp(req);
+
+  // Two-tier rate limiting — both checked BEFORE scrypt to avoid letting
+  // attackers use the endpoint as a free scrypt oracle. Run in parallel:
+  // every request increments both counters regardless of which one trips,
+  // so there's no ordering dependency and the wall-clock cost is one
+  // Upstash RTT instead of two.
+  const ipKey = `unlock:ip:${clientIp}`;
+  const slugKey = `unlock:slug:${slug}`;
+
+  const [ipCount, slugCount] = await Promise.all([
+    rateLimitIncr(ipKey),
+    rateLimitIncr(slugKey),
+  ]);
+  if (ipCount > IP_LIMIT || slugCount > SLUG_LIMIT) {
+    return new Response('Too Many Requests', {
+      status: 429,
+      headers: { 'Retry-After': String(WINDOW_SECONDS) },
+    });
+  }
+
+  let stored: StoredSecret | null;
+  try {
+    stored = await fetchStoredSecret(slug);
+  } catch (err) {
+    console.error('[unlock] Redis fetch failed — failing closed', {
+      slug,
+      error: (err as Error)?.message ?? String(err),
+    });
+    return new Response('Service temporarily unavailable', {
+      status: 503,
+      headers: { 'Retry-After': '30' },
+    });
+  }
+  const hashToVerify = stored?.hash ?? DUMMY_HASH;
+
+  // Always run scrypt — even with DUMMY_HASH when no password is set — to
+  // prevent timing-based detection of whether a project has auth configured.
+  const match = await verifyScrypt(password, hashToVerify);
+
+  if (!match || !stored) {
+    // Wrong password, no hash configured, or malformed hash.
+    // Redirect back to unlock page with error indicator.
+    const unlockUrl = `/jd/unlock?slug=${encodeURIComponent(slug)}&from=${encodeURIComponent(from)}&error=1`;
+    return new Response(null, {
+      status: 303,
+      headers: { Location: unlockUrl },
+    });
+  }
+
+  // Correct password — sign a host-bound cookie and redirect to destination.
+  const host = getRequestHost(req);
+  const expiresAt = Date.now() + COOKIE_MAX_AGE * 1000;
+
+  const cookieValue = await signAuthCookie(
+    { slug, host, version: stored.version, expiresAt },
+    secret
+  );
+
+  const cookieName = `jd_auth_${slug}`;
+  const cookieHeader = `${cookieName}=${cookieValue}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${COOKIE_MAX_AGE}`;
+
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: from,
+      'Set-Cookie': cookieHeader,
+    },
+  });
+}

package/vendored/app/globals.css

@@ -1,5 +1,19 @@
 @import "tailwindcss";
 
+/* Import base shared styles */
+@import "../themes/base.css";
+
+/*
+ * Theme loading strategy:
+ * - Jam theme (default): loaded here via @import
+ * - Other themes: loaded dynamically via <style> tag in layout.tsx
+ *
+ * This means jam's CSS is always present, but jam-specific styles (like the
+ * background gradient) are scoped to body[data-theme="jam"] so they don't
+ * affect other themes.
+ */
+@import "../themes/jam/variables.css";
+
 /*
  * Light/Dark mode image utilities
  * These utilities enable showing different images based on theme.
@@ -21,17 +35,3 @@ img.inline-block { display: inline-block !important; }
 .dark img.dark\:inline-block, .dark .dark\:inline-block { display: inline-block !important; }
 
 /* Shiki handles syntax highlighting via CSS variables - no theme import needed */
-
-/* Import base shared styles */
-@import "../themes/base.css";
-
-/*
- * Theme loading strategy:
- * - Jam theme (default): loaded here via @import
- * - Other themes: loaded dynamically via <style> tag in layout.tsx
- *
- * This means jam's CSS is always present, but jam-specific styles (like the
- * background gradient) are scoped to body[data-theme="jam"] so they don't
- * affect other themes.
- */
-@import "../themes/jam/variables.css";

package/vendored/app/layout.tsx

@@ -263,11 +263,36 @@ export default async function RootLayout({
 }: {
   children: React.ReactNode;
 }) {
+  // Unlock-mode short-circuit: middleware sets x-jd-unlock-mode when
+  // rewriting to /jd/unlock so we skip docs chrome, analytics, and R2 config
+  // fetch. The unlock page owns its own visuals.
+  const headersList = await headers();
+  if (headersList.get('x-jd-unlock-mode') === '1') {
+    return (
+      <html lang="en">
+        <head>
+          <meta name="viewport" content="width=device-width, initial-scale=1" />
+          <meta name="robots" content="noindex, nofollow" />
+        </head>
+        <body
+          style={{
+            margin: 0,
+            minHeight: '100vh',
+            fontFamily:
+              'ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, sans-serif',
+            backgroundColor: '#f7f7f8',
+          }}
+        >
+          {children}
+        </body>
+      </html>
+    );
+  }
+
   // Get config - from R2 in ISR mode, from filesystem in static mode
   let config: DocsConfig;
   let resolvedProjectSlug: string | null = null;
   if (isIsrMode()) {
-    const headersList = await headers();
     const projectSlug = getProjectFromRequest(headersList);
     resolvedProjectSlug = projectSlug;
     const hostAtDocs = getHostAtDocs(headersList);
@@ -389,7 +414,7 @@ export default async function RootLayout({
         {config.integrations?.posthog && (
           <link rel="dns-prefetch" href={config.integrations.posthog.apiHost || "https://app.posthog.com"} />
         )}
-        {(config.integrations?.plausible?.domain || config.integrations?.plausible?.scriptUrl) && (
+        {process.env.NODE_ENV === 'production' && (config.integrations?.plausible?.domain || config.integrations?.plausible?.scriptUrl) && (
           <link rel="dns-prefetch" href={(() => {
             try {
               return config.integrations!.plausible!.scriptUrl
@@ -504,8 +529,8 @@ export default async function RootLayout({
         {customCss && (
           <style dangerouslySetInnerHTML={{ __html: customCss }} />
         )}
-        {/* Plausible Analytics */}
-        {(config.integrations?.plausible?.domain || config.integrations?.plausible?.scriptUrl) && (
+        {/* Plausible Analytics — production only; dev injection would spam "Ignoring Event: localhost" */}
+        {process.env.NODE_ENV === 'production' && (config.integrations?.plausible?.domain || config.integrations?.plausible?.scriptUrl) && (
           <PlausibleScript
             domain={config.integrations.plausible.domain}
             server={config.integrations.plausible.server}

package/vendored/lib/auth-resolver.ts

@@ -0,0 +1,109 @@
+import { redis } from './redis';
+import { matchPublicPath } from './glob-match';
+
+export { matchPublicPath };
+
+export interface ResolvedAuth {
+  hash: string;
+  version: number;
+  publicPaths: string[];
+}
+
+interface AuthSecret {
+  hash: string;
+  version: number;
+}
+
+interface AuthPublic {
+  enabled?: boolean;
+  publicPaths?: string[];
+}
+
+/**
+ * Resolve active password protection for a project.
+ *
+ * Truth table (both sides must agree for gating to be active):
+ *   projectAuthPublic.enabled=true AND projectAuthSecret has a hash → gate
+ *   projectAuthPublic missing OR enabled!==true                     → no gate (return null)
+ *   projectAuthSecret missing                                       → no gate (return null)
+ *
+ * Both project-level keys fail-CLOSED: if either read throws, this throws
+ * `AuthResolutionError` so middleware returns 503 instead of serving gated
+ * content without a check. A partial Upstash outage taking down one key
+ * while the other is reachable would otherwise create a fail-open window.
+ *
+ * We intentionally do NOT read `domainAuthSecret` here even though it is
+ * mirrored on every password write. The dashboard fan-out is best-effort,
+ * so a failed mirror write can leave the domain key pointing at a stale
+ * version. Reading the mirror would then accept old session cookies on
+ * that host. Always reading the project-level key keeps a single source
+ * of truth and costs one fewer Redis GET per request on custom domains.
+ *
+ * When `redis` is null (local dev without Upstash configured), returns
+ * null immediately so the CLI dev server doesn't try to gate anything.
+ */
+export class AuthResolutionError extends Error {
+  constructor(message: string, public readonly cause?: unknown) {
+    super(message);
+    this.name = 'AuthResolutionError';
+  }
+}
+
+export async function resolveAuth(
+  projectSlug: string,
+): Promise<ResolvedAuth | null> {
+  if (!redis) return null;
+  const r = redis;
+
+  let projectSecret: AuthSecret | null;
+  let projectPublic: AuthPublic | null;
+
+  try {
+    const [projectSecretResult, projectPublicResult] = await Promise.all([
+      r.get(`projectAuthSecret:${projectSlug}`),
+      r.get(`projectAuthPublic:${projectSlug}`),
+    ]);
+    projectSecret = projectSecretResult as AuthSecret | null;
+    projectPublic = projectPublicResult as AuthPublic | null;
+  } catch (e) {
+    throw new AuthResolutionError(
+      'Failed to read project auth keys from Redis',
+      e,
+    );
+  }
+
+  const secret = projectSecret;
+  const pub = projectPublic;
+
+  if (
+    !secret ||
+    typeof secret.hash !== 'string' ||
+    typeof secret.version !== 'number'
+  ) {
+    return null;
+  }
+
+  if (!pub || pub.enabled !== true) {
+    return null;
+  }
+
+  // setProjectAuthPublic filters publicPaths to strings on the write
+  // side, so we can trust the shape here and pass the array straight
+  // through. This keeps the array reference stable across requests so
+  // the matchPublicPath WeakMap cache actually amortizes the regex
+  // compile cost. (Defense-in-depth: still guard against non-array.)
+  const publicPaths: string[] = Array.isArray(pub.publicPaths)
+    ? (pub.publicPaths as string[])
+    : [];
+
+  return {
+    hash: secret.hash,
+    version: secret.version,
+    publicPaths,
+  };
+}
+
+// matchPublicPath is implemented in glob-match.ts and re-exported above
+// for backwards compatibility. The split keeps the matcher (a pure
+// function with no Redis dependency) importable from build-time modules
+// like public-paths-resolver without dragging in the Redis client.

package/vendored/lib/docs-isr.ts

@@ -10,6 +10,8 @@
  *   Then use getDocsConfig, getAllDocPaths, getMdxContent as needed.
  */
 
+import fs from 'fs';
+import path from 'path';
 import {
   fetchDocsConfig,
   fetchMdxContent,
@@ -31,6 +33,45 @@ function requireIsrMode(): void {
   }
 }
 
+/**
+ * Gated on JAMDESK_PROJECTS_DIR (only set by local dev flows) so prod deploys
+ * can never leak filesystem content. NODE_ENV is unreliable here — Next.js's
+ * server-render worker reports NODE_ENV=production inside `next dev`.
+ */
+function devFallbackDir(projectSlug: string): string | null {
+  const projectsDir = process.env.JAMDESK_PROJECTS_DIR;
+  if (!projectsDir) return null;
+  const dir = path.join(projectsDir, projectSlug);
+  try {
+    return fs.existsSync(dir) ? dir : null;
+  } catch {
+    return null;
+  }
+}
+
+function walkMdx(dir: string): string[] {
+  const out: string[] = [];
+  const walk = (current: string, prefix: string) => {
+    let entries: fs.Dirent[];
+    try {
+      entries = fs.readdirSync(current, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.name.startsWith('.')) continue;
+      if (entry.isDirectory()) {
+        if (entry.name === 'images' || entry.name === 'node_modules') continue;
+        walk(path.join(current, entry.name), path.join(prefix, entry.name));
+      } else if (entry.name.endsWith('.mdx')) {
+        out.push(path.join(prefix, entry.name.replace(/\.mdx$/, '')));
+      }
+    }
+  };
+  walk(dir, '');
+  return out;
+}
+
 /**
  * Get docs.json configuration for a project.
  *
@@ -44,10 +85,18 @@ function requireIsrMode(): void {
 export async function getDocsConfig(projectSlug: string): Promise<DocsConfig> {
   requireIsrMode();
   const config = await fetchDocsConfig(projectSlug);
-  if (!config) {
-    throw new Error(`Project not found in R2: ${projectSlug}`);
+  if (config) return config;
+
+  const localDir = devFallbackDir(projectSlug);
+  if (localDir) {
+    try {
+      const raw = fs.readFileSync(path.join(localDir, 'docs.json'), 'utf8');
+      return JSON.parse(raw) as DocsConfig;
+    } catch {
+      // fall through to throw below
+    }
   }
-  return config;
+  throw new Error(`Project not found in R2: ${projectSlug}`);
 }
 
 /**
@@ -60,6 +109,8 @@ export async function getDocsConfig(projectSlug: string): Promise<DocsConfig> {
  */
 export async function getAllDocPaths(projectSlug: string): Promise<string[]> {
   requireIsrMode();
+  const localDir = devFallbackDir(projectSlug);
+  if (localDir) return walkMdx(localDir);
   return listAllPaths(projectSlug);
 }
 
@@ -75,7 +126,19 @@ export async function getMdxContent(
   pagePath: string
 ): Promise<string> {
   requireIsrMode();
-  return fetchMdxContent(projectSlug, pagePath);
+  try {
+    return await fetchMdxContent(projectSlug, pagePath);
+  } catch (err) {
+    const localDir = devFallbackDir(projectSlug);
+    if (localDir) {
+      try {
+        return fs.readFileSync(path.join(localDir, pagePath + '.mdx'), 'utf8');
+      } catch {
+        // fall through to re-throw below
+      }
+    }
+    throw err;
+  }
 }
 
 /**
@@ -90,7 +153,19 @@ export async function getSnippet(
   snippetPath: string
 ): Promise<string> {
   requireIsrMode();
-  return fetchSnippet(projectSlug, snippetPath);
+  try {
+    return await fetchSnippet(projectSlug, snippetPath);
+  } catch (err) {
+    const localDir = devFallbackDir(projectSlug);
+    if (localDir) {
+      try {
+        return fs.readFileSync(path.join(localDir, 'snippets', snippetPath), 'utf8');
+      } catch {
+        // fall through to re-throw
+      }
+    }
+    throw err;
+  }
 }
 
 /**
@@ -104,7 +179,8 @@ export async function getSnippet(
 export async function projectExists(projectSlug: string): Promise<boolean> {
   requireIsrMode();
   const config = await fetchDocsConfig(projectSlug);
-  return config !== null;
+  if (config !== null) return true;
+  return devFallbackDir(projectSlug) !== null;
 }
 
 /**