launchpd 1.0.3 → 1.0.6

package/src/utils/credentials.js

@@ -3,151 +3,154 @@
  * Stores API key and user info in ~/.staticlaunch/credentials.json
  */
 
-import { existsSync } from 'node:fs';
-import { readFile, writeFile, mkdir, unlink } from 'node:fs/promises';
-import { join } from 'node:path';
-import { homedir } from 'node:os';
-import { randomBytes } from 'node:crypto';
+import { existsSync } from 'node:fs'
+import { readFile, writeFile, mkdir, unlink, chmod } from 'node:fs/promises'
+import { join } from 'node:path'
+import { homedir } from 'node:os'
+import { randomBytes } from 'node:crypto'
 
 /**
  * Get the credentials directory path
  */
-function getConfigDir() {
-    return join(homedir(), '.staticlaunch');
+function getConfigDir () {
+  return join(homedir(), '.staticlaunch')
 }
 
 /**
  * Get the credentials file path
  */
-function getCredentialsPath() {
-    return join(getConfigDir(), 'credentials.json');
+function getCredentialsPath () {
+  return join(getConfigDir(), 'credentials.json')
 }
 
 /**
  * Get the client token path (for anonymous tracking)
  */
-function getClientTokenPath() {
-    return join(getConfigDir(), 'client_token');
+function getClientTokenPath () {
+  return join(getConfigDir(), 'client_token')
 }
 
 /**
  * Ensure config directory exists
  */
-async function ensureConfigDir() {
-    const dir = getConfigDir();
-    if (!existsSync(dir)) {
-        await mkdir(dir, { recursive: true });
-    }
+async function ensureConfigDir () {
+  const dir = getConfigDir()
+  if (!existsSync(dir)) {
+    await mkdir(dir, { recursive: true })
+  }
 }
 
 /**
  * Get or create a persistent client token for anonymous tracking
  * This helps identify the same anonymous user across sessions
  */
-export async function getClientToken() {
-    await ensureConfigDir();
-    const tokenPath = getClientTokenPath();
+export async function getClientToken () {
+  await ensureConfigDir()
+  const tokenPath = getClientTokenPath()
 
-    try {
-        if (existsSync(tokenPath)) {
-            return await readFile(tokenPath, 'utf-8');
-        }
-    } catch {
-        // Token file corrupted, regenerate
+  try {
+    if (existsSync(tokenPath)) {
+      return await readFile(tokenPath, 'utf-8')
     }
-
-    // Generate new token
-    const token = `cli_${randomBytes(16).toString('hex')}`;
-    await writeFile(tokenPath, token, 'utf-8');
-    return token;
+  } catch {
+    // Token file corrupted, regenerate
+  }
+
+  // Generate new token
+  const token = `cli_${randomBytes(16).toString('hex')}`
+  await writeFile(tokenPath, token, 'utf-8')
+  return token
 }
 
 /**
  * Get stored credentials
  * @returns {Promise<{apiKey: string, userId: string, email: string, tier: string} | null>}
  */
-export async function getCredentials() {
-    const filePath = getCredentialsPath();
-    try {
-        if (existsSync(filePath)) {
-            const text = await readFile(filePath, 'utf-8');
-            const data = JSON.parse(text);
-
-            // Validate the structure
-            if (data.apiKey) {
-                return {
-                    apiKey: data.apiKey,
-                    apiSecret: data.apiSecret || null,
-                    userId: data.userId || null,
-                    email: data.email || null,
-                    tier: data.tier || 'free',
-                    savedAt: data.savedAt || null,
-                };
-            }
+export async function getCredentials () {
+  const filePath = getCredentialsPath()
+  try {
+    if (existsSync(filePath)) {
+      const text = await readFile(filePath, 'utf-8')
+      const data = JSON.parse(text)
+
+      // Validate the structure
+      if (data.apiKey) {
+        return {
+          apiKey: data.apiKey,
+          apiSecret: data.apiSecret || null,
+          userId: data.userId || null,
+          email: data.email || null,
+          tier: data.tier || 'free',
+          savedAt: data.savedAt || null
         }
-    } catch {
-        // Corrupted or invalid JSON file
+      }
     }
-    return null;
+  } catch {
+    // Corrupted or invalid JSON file
+  }
+  return null
 }
 
 /**
  * Save credentials
  * @param {object} credentials - Credentials to save
  */
-export async function saveCredentials(credentials) {
-    await ensureConfigDir();
-
-    const data = {
-        apiKey: credentials.apiKey,
-        apiSecret: credentials.apiSecret || null,
-        userId: credentials.userId || null,
-        email: credentials.email || null,
-        tier: credentials.tier || 'free',
-        savedAt: new Date().toISOString(),
-    };
-
-    await writeFile(
-        getCredentialsPath(),
-        JSON.stringify(data, null, 2),
-        'utf-8'
-    );
+export async function saveCredentials (credentials) {
+  await ensureConfigDir()
+
+  const data = {
+    apiKey: credentials.apiKey,
+    apiSecret: credentials.apiSecret || null,
+    userId: credentials.userId || null,
+    email: credentials.email || null,
+    tier: credentials.tier || 'free',
+    savedAt: new Date().toISOString()
+  }
+
+  await writeFile(getCredentialsPath(), JSON.stringify(data, null, 2), 'utf-8')
+
+  // Restrict file permissions to owner only (0o600 = rw-------)
+  try {
+    await chmod(getCredentialsPath(), 0o600)
+  } catch {
+    // chmod may not be fully supported on Windows, ignore gracefully
+  }
 }
 
 /**
  * Delete stored credentials (logout)
  */
-export async function clearCredentials() {
-    const filePath = getCredentialsPath();
-    try {
-        if (existsSync(filePath)) {
-            await unlink(filePath);
-        }
-    } catch {
-        // File doesn't exist or can't be deleted
+export async function clearCredentials () {
+  const filePath = getCredentialsPath()
+  try {
+    if (existsSync(filePath)) {
+      await unlink(filePath)
     }
+  } catch {
+    // File doesn't exist or can't be deleted
+  }
 }
 
 /**
  * Check if user is logged in
  */
-export async function isLoggedIn() {
-    const creds = await getCredentials();
-    return creds !== null && creds.apiKey !== null;
+export async function isLoggedIn () {
+  const creds = await getCredentials()
+  return creds !== null && creds.apiKey !== null
 }
 
 /**
  * Get the API key for requests (falls back to public beta key)
  */
-export async function getApiKey() {
-    const creds = await getCredentials();
-    return creds?.apiKey || process.env.STATICLAUNCH_API_KEY || 'public-beta-key';
+export async function getApiKey () {
+  const creds = await getCredentials()
+  return creds?.apiKey || process.env.STATICLAUNCH_API_KEY || 'public-beta-key'
 }
 
 /**
  * Get the API secret for requests
  */
-export async function getApiSecret() {
-    const creds = await getCredentials();
-    return creds?.apiSecret || process.env.STATICLAUNCH_API_SECRET || null;
+export async function getApiSecret () {
+  const creds = await getCredentials()
+  return creds?.apiSecret || process.env.STATICLAUNCH_API_SECRET || null
 }

package/src/utils/endpoint.js

@@ -0,0 +1,58 @@
+/**
+ * Endpoint validation utility
+ */
+
+import { APIError } from './errors.js'
+
+/**
+ * Validates an endpoint to prevent SSRF vulnerabilities.
+ * It ensures the endpoint is a relative path and does not contain
+ * characters that could lead to path traversal or redirection to another host.
+ *
+ * @param {string} endpoint - The API endpoint to validate.
+ * @throws {APIError} If the endpoint is invalid.
+ */
+export function validateEndpoint (endpoint) {
+  if (typeof endpoint !== 'string' || endpoint.trim() === '') {
+    throw new APIError('Endpoint must be a non-empty string.', 400)
+  }
+
+  // 0. Enforce relative path starting with slash
+  if (!endpoint.startsWith('/')) {
+    throw new APIError(
+      'Endpoint must start with a slash (/), e.g. /api/deploy',
+      400
+    )
+  }
+
+  // 1. Disallow absolute URLs
+  if (endpoint.startsWith('//') || endpoint.includes('://')) {
+    throw new APIError('Endpoint cannot be an absolute URL.', 400)
+  }
+
+  // 2. Prevent path traversal
+  if (endpoint.includes('..')) {
+    throw new APIError(
+      'Endpoint cannot contain path traversal characters (..).',
+      400
+    )
+  }
+
+  // 3. Check for characters that could be used for protocol or host manipulation
+  // Disallow characters like ':', '@', and '\' (encoded as %5C)
+  // We allow '/' for path segments.
+  // The regex checks for any characters that are not:
+  // - alphanumeric (a-z, A-Z, 0-9)
+  // - forward slash (/)
+  // - hyphen (-)
+  // - underscore (_)
+  // - dot (.)
+  // - question mark (?) for query params
+  // - equals (=) for query params
+  // - ampersand (&) for query params
+  // - percent (%) for url encoding
+  const allowedChars = /^[a-zA-Z0-9/\-_.?=&%]+$/
+  if (!allowedChars.test(endpoint)) {
+    throw new APIError('Endpoint contains invalid characters.', 400)
+  }
+}

package/src/utils/errors.js

@@ -7,71 +7,74 @@
  * Base API Error class
  */
 export class APIError extends Error {
-    constructor(message, statusCode = 500, data = {}) {
-        super(message);
-        this.name = 'APIError';
-        this.statusCode = statusCode;
-        this.data = data;
-        this.isAPIError = true;
-    }
+  constructor (message, statusCode = 500, data = {}) {
+    super(message)
+    this.name = 'APIError'
+    this.statusCode = statusCode
+    this.data = data
+    this.isAPIError = true
+  }
 }
 
 /**
  * Maintenance mode error - thrown when backend is under maintenance
  */
 export class MaintenanceError extends APIError {
-    constructor(message = 'LaunchPd is under maintenance') {
-        super(message, 503);
-        this.name = 'MaintenanceError';
-        this.isMaintenanceError = true;
-    }
+  constructor (message = 'LaunchPd is under maintenance') {
+    super(message, 503)
+    this.name = 'MaintenanceError'
+    this.isMaintenanceError = true
+  }
 }
 
 /**
  * Authentication error - thrown for 401 responses
  */
 export class AuthError extends APIError {
-    constructor(message = 'Authentication failed', data = {}) {
-        super(message, 401, data);
-        this.name = 'AuthError';
-        this.isAuthError = true;
-        this.requires2FA = data.requires_2fa || false;
-        this.twoFactorType = data.two_factor_type || null;
-    }
+  constructor (message = 'Authentication failed', data = {}) {
+    super(message, 401, data)
+    this.name = 'AuthError'
+    this.isAuthError = true
+    this.requires2FA = data.requires_2fa || false
+    this.twoFactorType = data.two_factor_type || null
+  }
 }
 
 /**
  * Quota error - thrown when user exceeds limits
  */
 export class QuotaError extends APIError {
-    constructor(message = 'Quota exceeded', data = {}) {
-        super(message, 429, data);
-        this.name = 'QuotaError';
-        this.isQuotaError = true;
-    }
+  constructor (message = 'Quota exceeded', data = {}) {
+    super(message, 429, data)
+    this.name = 'QuotaError'
+    this.isQuotaError = true
+  }
 }
 
 /**
  * Network error - thrown for connection failures
  */
 export class NetworkError extends Error {
-    constructor(message = 'Unable to connect to LaunchPd servers') {
-        super(message);
-        this.name = 'NetworkError';
-        this.isNetworkError = true;
-    }
+  constructor (message = 'Unable to connect to LaunchPd servers') {
+    super(message)
+    this.name = 'NetworkError'
+    this.isNetworkError = true
+  }
 }
 
 /**
  * Two-factor authentication required error
  */
 export class TwoFactorRequiredError extends APIError {
-    constructor(twoFactorType = 'totp', message = 'Two-factor authentication required') {
-        super(message, 200);
-        this.name = 'TwoFactorRequiredError';
-        this.isTwoFactorRequired = true;
-        this.twoFactorType = twoFactorType;
-    }
+  constructor (
+    twoFactorType = 'totp',
+    message = 'Two-factor authentication required'
+  ) {
+    super(message, 200)
+    this.name = 'TwoFactorRequiredError'
+    this.isTwoFactorRequired = true
+    this.twoFactorType = twoFactorType
+  }
 }
 
 /**
@@ -80,45 +83,52 @@ export class TwoFactorRequiredError extends APIError {
  * @param {object} logger - Logger with error, info, warning functions
  * @returns {boolean} - True if error was handled, false otherwise
  */
-export function handleCommonError(err, logger) {
-    const { error, info } = logger;
+export function handleCommonError (err, logger) {
+  const { error, info } = logger
 
-    if (err instanceof MaintenanceError || err.isMaintenanceError) {
-        error('⚠️  LaunchPd is under maintenance');
-        info('Please try again in a few minutes');
-        info('Check status at: https://status.launchpd.cloud');
-        return true;
-    }
+  if (err instanceof MaintenanceError || err.isMaintenanceError) {
+    error('⚠️  LaunchPd is under maintenance')
+    info('Please try again in a few minutes')
+    info('Check status at: https://status.launchpd.cloud')
+    return true
+  }
 
-    if (err instanceof AuthError || err.isAuthError) {
-        error('Authentication failed');
-        info('Run "launchpd login" to authenticate');
-        return true;
-    }
+  if (err instanceof AuthError || err.isAuthError) {
+    error('Authentication failed')
+    info('Run "launchpd login" to authenticate')
+    return true
+  }
 
-    if (err instanceof NetworkError || err.isNetworkError) {
-        error('Unable to connect to LaunchPd');
-        info('Check your internet connection');
-        info('If the problem persists, check https://status.launchpd.cloud');
-        return true;
-    }
+  if (err instanceof NetworkError || err.isNetworkError) {
+    error('Unable to connect to LaunchPd')
+    info('Check your internet connection')
+    info('If the problem persists, check https://status.launchpd.cloud')
+    return true
+  }
 
-    if (err instanceof QuotaError || err.isQuotaError) {
-        error('Quota limit reached');
-        info('Upgrade your plan or delete old deployments');
-        info('Run "launchpd quota" to check your usage');
-        return true;
-    }
+  if (err.name === 'AbortError') {
+    error('Request timed out')
+    info('The server did not respond in time')
+    info('Check your internet connection or try again later')
+    return true
+  }
 
-    return false;
+  if (err instanceof QuotaError || err.isQuotaError) {
+    error('Quota limit reached')
+    info('Upgrade your plan or delete old deployments')
+    info('Run "launchpd quota" to check your usage')
+    return true
+  }
+
+  return false
 }
 
 export default {
-    APIError,
-    MaintenanceError,
-    AuthError,
-    QuotaError,
-    NetworkError,
-    TwoFactorRequiredError,
-    handleCommonError,
-};
+  APIError,
+  MaintenanceError,
+  AuthError,
+  QuotaError,
+  NetworkError,
+  TwoFactorRequiredError,
+  handleCommonError
+}

package/src/utils/expiration.js

@@ -4,39 +4,41 @@
  * Minimum: 30 minutes
  */
 
-export const MIN_EXPIRATION_MS = 30 * 60 * 1000;
+export const MIN_EXPIRATION_MS = 30 * 60 * 1000
 export function parseTimeString(timeStr) {
-    const regex = /^(\d+)([mhd])$/i;
-    const match = regex.exec(timeStr);
+  const regex = /^(\d+)([a-z]+)$/i
+  const match = regex.exec(timeStr)
 
-    if (!match) {
-        throw new Error(`Invalid time format: "${timeStr}". Use format like 30m, 2h, 1d`);
-    }
+  if (!match) {
+    throw new Error(
+      `Invalid time format: "${timeStr}". Use format like 30m, 2h, 1d`
+    )
+  }
 
-    const value = Number.parseInt(match[1], 10);
-    const unit = match[2].toLowerCase();
+  const value = Number.parseInt(match[1], 10)
+  const unit = match[2].toLowerCase()
 
-    let ms;
-    switch (unit) {
-        case 'm':
-            ms = value * 60 * 1000;
-            break;
-        case 'h':
-            ms = value * 60 * 60 * 1000;
-            break;
-        case 'd':
-            ms = value * 24 * 60 * 60 * 1000;
-            break;
-        default:
-            throw new Error(`Unknown time unit: ${unit}`);
-    }
+  let ms = 0
+  switch (unit) {
+    case 'm':
+      ms = value * 60 * 1000
+      break
+    case 'h':
+      ms = value * 60 * 60 * 1000
+      break
+    case 'd':
+      ms = value * 24 * 60 * 60 * 1000
+      break
+    default:
+      throw new Error(`Unknown time unit: ${unit}`)
+  }
 
-    // Minimum 30 minutes
-    if (ms < MIN_EXPIRATION_MS) {
-        throw new Error('Minimum expiration time is 30 minutes (30m)');
-    }
+  // Minimum 30 minutes
+  if (ms < MIN_EXPIRATION_MS) {
+    throw new Error('Minimum expiration time is 30 minutes (30m)')
+  }
 
-    return ms;
+  return ms
 }
 
 /**
@@ -45,8 +47,8 @@ export function parseTimeString(timeStr) {
  * @returns {Date} Date object of expiration
  */
 export function calculateExpiresAt(timeStr) {
-    const ms = parseTimeString(timeStr);
-    return new Date(Date.now() + ms);
+  const ms = parseTimeString(timeStr)
+  return new Date(Date.now() + ms)
 }
 
 /**
@@ -55,25 +57,25 @@ export function calculateExpiresAt(timeStr) {
  * @returns {string} Human-readable time remaining
  */
 export function formatTimeRemaining(expiresAt) {
-    const now = Date.now();
-    const expiry = new Date(expiresAt).getTime();
-    const remaining = expiry - now;
+  const now = Date.now()
+  const expiry = new Date(expiresAt).getTime()
+  const remaining = expiry - now
 
-    if (remaining <= 0) {
-        return 'expired';
-    }
+  if (remaining <= 0) {
+    return 'expired'
+  }
 
-    const minutes = Math.floor(remaining / (60 * 1000));
-    const hours = Math.floor(remaining / (60 * 60 * 1000));
-    const days = Math.floor(remaining / (24 * 60 * 60 * 1000));
+  const minutes = Math.floor(remaining / (60 * 1000))
+  const hours = Math.floor(remaining / (60 * 60 * 1000))
+  const days = Math.floor(remaining / (24 * 60 * 60 * 1000))
 
-    if (days > 0) {
-        return `${days}d ${hours % 24}h remaining`;
-    } else if (hours > 0) {
-        return `${hours}h ${minutes % 60}m remaining`;
-    } else {
-        return `${minutes}m remaining`;
-    }
+  if (days > 0) {
+    return `${days}d ${hours % 24}h remaining`
+  } else if (hours > 0) {
+    return `${hours}h ${minutes % 60}m remaining`
+  } else {
+    return `${minutes}m remaining`
+  }
 }
 
 /**
@@ -82,6 +84,6 @@ export function formatTimeRemaining(expiresAt) {
  * @returns {boolean}
  */
 export function isExpired(expiresAt) {
-    if (!expiresAt) return false;
-    return new Date(expiresAt).getTime() < Date.now();
+  if (!expiresAt) return false
+  return new Date(expiresAt).getTime() < Date.now()
 }

package/src/utils/id.js

@@ -1,17 +1,17 @@
-import { customAlphabet } from 'nanoid';
+import { customAlphabet } from 'nanoid'
 
 /**
  * Generate a subdomain-safe unique ID
  * Uses lowercase alphanumeric characters only (valid for DNS)
  * 12 characters provides ~62 bits of entropy
  */
-const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
-const nanoid = customAlphabet(alphabet, 12);
+const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
+const nanoid = customAlphabet(alphabet, 12)
 
 /**
  * Generate a unique subdomain ID
  * @returns {string} A 12-character lowercase alphanumeric string
  */
-export function generateSubdomain() {
-    return nanoid();
+export function generateSubdomain () {
+  return nanoid()
 }