lsh-framework 1.3.2 → 1.4.1

package/dist/lib/saas-email.js

@@ -0,0 +1,402 @@
+/**
+ * LSH SaaS Email Service
+ * Email sending using Resend API
+ */
+/**
+ * Email Service
+ */
+export class EmailService {
+    config;
+    resendApiUrl = 'https://api.resend.com/emails';
+    constructor(config) {
+        this.config = {
+            apiKey: config?.apiKey || process.env.RESEND_API_KEY || '',
+            fromEmail: config?.fromEmail || process.env.EMAIL_FROM || 'noreply@lsh.dev',
+            fromName: config?.fromName || 'LSH Secrets Manager',
+            baseUrl: config?.baseUrl || process.env.BASE_URL || 'https://app.lsh.dev',
+        };
+        if (!this.config.apiKey) {
+            console.warn('RESEND_API_KEY not set - emails will not be sent');
+        }
+    }
+    /**
+     * Send email using Resend API
+     */
+    async sendEmail(params) {
+        if (!this.config.apiKey) {
+            // Sanitize email parameters to prevent log injection
+            const sanitizedTo = params.to.replace(/[\r\n]/g, '');
+            const sanitizedSubject = params.subject.replace(/[\r\n]/g, '');
+            const sanitizedText = params.text.replace(/[\r\n]/g, ' ');
+            console.log('Email would be sent to:', sanitizedTo);
+            console.log('Subject:', sanitizedSubject);
+            console.log('Text:', sanitizedText);
+            return;
+        }
+        try {
+            const response = await fetch(this.resendApiUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Authorization: `Bearer ${this.config.apiKey}`,
+                },
+                body: JSON.stringify({
+                    from: `${this.config.fromName} <${this.config.fromEmail}>`,
+                    to: params.to,
+                    subject: params.subject,
+                    html: params.html,
+                    text: params.text,
+                }),
+            });
+            if (!response.ok) {
+                const error = await response.text();
+                throw new Error(`Failed to send email: ${error}`);
+            }
+        }
+        catch (error) {
+            console.error('Email send error:', error);
+            throw error;
+        }
+    }
+    /**
+     * Send email verification
+     */
+    async sendVerificationEmail(to, token, firstName) {
+        const verificationUrl = `${this.config.baseUrl}/verify-email?token=${token}`;
+        const name = firstName || 'there';
+        const template = this.getVerificationEmailTemplate(name, verificationUrl);
+        await this.sendEmail({
+            to,
+            subject: template.subject,
+            html: template.html,
+            text: template.text,
+        });
+    }
+    /**
+     * Send password reset email
+     */
+    async sendPasswordResetEmail(to, token, firstName) {
+        const resetUrl = `${this.config.baseUrl}/reset-password?token=${token}`;
+        const name = firstName || 'there';
+        const template = this.getPasswordResetTemplate(name, resetUrl);
+        await this.sendEmail({
+            to,
+            subject: template.subject,
+            html: template.html,
+            text: template.text,
+        });
+    }
+    /**
+     * Send organization invitation email
+     */
+    async sendOrganizationInvite(to, organizationName, inviterName, inviteUrl) {
+        const template = this.getOrganizationInviteTemplate(organizationName, inviterName, inviteUrl);
+        await this.sendEmail({
+            to,
+            subject: template.subject,
+            html: template.html,
+            text: template.text,
+        });
+    }
+    /**
+     * Send welcome email
+     */
+    async sendWelcomeEmail(to, firstName) {
+        const name = firstName || 'there';
+        const template = this.getWelcomeEmailTemplate(name);
+        await this.sendEmail({
+            to,
+            subject: template.subject,
+            html: template.html,
+            text: template.text,
+        });
+    }
+    /**
+     * Send subscription confirmation
+     */
+    async sendSubscriptionConfirmation(to, tier, firstName) {
+        const name = firstName || 'there';
+        const template = this.getSubscriptionConfirmationTemplate(name, tier);
+        await this.sendEmail({
+            to,
+            subject: template.subject,
+            html: template.html,
+            text: template.text,
+        });
+    }
+    /**
+     * Email verification template
+     */
+    getVerificationEmailTemplate(name, verificationUrl) {
+        return {
+            subject: 'Verify your email address',
+            html: `
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <meta charset="utf-8">
+          <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        </head>
+        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
+            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
+            <p style="color: rgba(255,255,255,0.9); margin: 10px 0 0 0; font-size: 16px;">Secrets Manager</p>
+          </div>
+
+          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
+            <h2 style="color: #333; margin-top: 0;">Hi ${name}! 👋</h2>
+
+            <p>Thanks for signing up for LSH Secrets Manager. Please verify your email address to get started.</p>
+
+            <div style="text-align: center; margin: 30px 0;">
+              <a href="${verificationUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
+                Verify Email Address
+              </a>
+            </div>
+
+            <p style="color: #666; font-size: 14px;">Or copy and paste this link into your browser:</p>
+            <p style="color: #667eea; font-size: 12px; word-break: break-all; background: #f5f5f5; padding: 10px; border-radius: 4px;">${verificationUrl}</p>
+
+            <p style="color: #666; font-size: 14px; margin-top: 30px;">This link will expire in 24 hours.</p>
+
+            <hr style="border: none; border-top: 1px solid #e0e0e0; margin: 30px 0;">
+
+            <p style="color: #999; font-size: 12px; margin: 0;">If you didn't create an account, you can safely ignore this email.</p>
+          </div>
+        </body>
+        </html>
+      `,
+            text: `
+Hi ${name}!
+
+Thanks for signing up for LSH Secrets Manager. Please verify your email address to get started.
+
+Verification link: ${verificationUrl}
+
+This link will expire in 24 hours.
+
+If you didn't create an account, you can safely ignore this email.
+
+---
+LSH Secrets Manager
+      `.trim(),
+        };
+    }
+    /**
+     * Password reset template
+     */
+    getPasswordResetTemplate(name, resetUrl) {
+        return {
+            subject: 'Reset your password',
+            html: `
+        <!DOCTYPE html>
+        <html>
+        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
+            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
+            <p style="color: rgba(255,255,255,0.9); margin: 10px 0 0 0;">Secrets Manager</p>
+          </div>
+
+          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
+            <h2 style="color: #333; margin-top: 0;">Hi ${name},</h2>
+
+            <p>We received a request to reset your password. Click the button below to create a new password.</p>
+
+            <div style="text-align: center; margin: 30px 0;">
+              <a href="${resetUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
+                Reset Password
+              </a>
+            </div>
+
+            <p style="color: #666; font-size: 14px;">Or copy and paste this link:</p>
+            <p style="color: #667eea; font-size: 12px; word-break: break-all; background: #f5f5f5; padding: 10px; border-radius: 4px;">${resetUrl}</p>
+
+            <p style="color: #666; font-size: 14px; margin-top: 30px;">This link will expire in 1 hour.</p>
+
+            <hr style="border: none; border-top: 1px solid #e0e0e0; margin: 30px 0;">
+
+            <p style="color: #999; font-size: 12px;">If you didn't request a password reset, you can safely ignore this email.</p>
+          </div>
+        </body>
+        </html>
+      `,
+            text: `
+Hi ${name},
+
+We received a request to reset your password. Use the link below to create a new password:
+
+${resetUrl}
+
+This link will expire in 1 hour.
+
+If you didn't request a password reset, you can safely ignore this email.
+
+---
+LSH Secrets Manager
+      `.trim(),
+        };
+    }
+    /**
+     * Organization invite template
+     */
+    getOrganizationInviteTemplate(organizationName, inviterName, inviteUrl) {
+        return {
+            subject: `You've been invited to join ${organizationName} on LSH`,
+            html: `
+        <!DOCTYPE html>
+        <html>
+        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
+            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
+          </div>
+
+          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
+            <h2 style="color: #333; margin-top: 0;">You've been invited! 🎉</h2>
+
+            <p><strong>${inviterName}</strong> has invited you to join <strong>${organizationName}</strong> on LSH Secrets Manager.</p>
+
+            <div style="text-align: center; margin: 30px 0;">
+              <a href="${inviteUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
+                Accept Invitation
+              </a>
+            </div>
+
+            <p style="color: #666; font-size: 14px;">Or copy and paste this link:</p>
+            <p style="color: #667eea; font-size: 12px; word-break: break-all; background: #f5f5f5; padding: 10px; border-radius: 4px;">${inviteUrl}</p>
+          </div>
+        </body>
+        </html>
+      `,
+            text: `
+You've been invited!
+
+${inviterName} has invited you to join ${organizationName} on LSH Secrets Manager.
+
+Accept invitation: ${inviteUrl}
+
+---
+LSH Secrets Manager
+      `.trim(),
+        };
+    }
+    /**
+     * Welcome email template
+     */
+    getWelcomeEmailTemplate(name) {
+        const dashboardUrl = `${this.config.baseUrl}/dashboard`;
+        const docsUrl = 'https://docs.lsh.dev';
+        return {
+            subject: 'Welcome to LSH Secrets Manager! 🚀',
+            html: `
+        <!DOCTYPE html>
+        <html>
+        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
+            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
+          </div>
+
+          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
+            <h2 style="color: #333; margin-top: 0;">Welcome, ${name}! 🎉</h2>
+
+            <p>Your account is now active. Here's how to get started:</p>
+
+            <ol style="color: #666;">
+              <li><strong>Create a team</strong> - Organize your secrets by project or environment</li>
+              <li><strong>Add secrets</strong> - Securely store API keys, tokens, and credentials</li>
+              <li><strong>Invite team members</strong> - Collaborate securely with your team</li>
+              <li><strong>Install the CLI</strong> - <code>npm install -g lsh</code></li>
+            </ol>
+
+            <div style="text-align: center; margin: 30px 0;">
+              <a href="${dashboardUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block; margin-right: 10px;">
+                Go to Dashboard
+              </a>
+              <a href="${docsUrl}" style="background: white; color: #667eea; border: 2px solid #667eea; padding: 12px 30px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
+                View Docs
+              </a>
+            </div>
+
+            <p style="color: #666;">Need help? Reply to this email or check out our <a href="${docsUrl}" style="color: #667eea;">documentation</a>.</p>
+          </div>
+        </body>
+        </html>
+      `,
+            text: `
+Welcome to LSH Secrets Manager, ${name}!
+
+Your account is now active. Here's how to get started:
+
+1. Create a team - Organize your secrets by project or environment
+2. Add secrets - Securely store API keys, tokens, and credentials
+3. Invite team members - Collaborate securely with your team
+4. Install the CLI - npm install -g lsh
+
+Dashboard: ${dashboardUrl}
+Documentation: ${docsUrl}
+
+Need help? Reply to this email or check out our documentation.
+
+---
+LSH Secrets Manager
+      `.trim(),
+        };
+    }
+    /**
+     * Subscription confirmation template
+     */
+    getSubscriptionConfirmationTemplate(name, tier) {
+        return {
+            subject: `Your ${tier} subscription is active! 🎉`,
+            html: `
+        <!DOCTYPE html>
+        <html>
+        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
+            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
+          </div>
+
+          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
+            <h2 style="color: #333; margin-top: 0;">Thanks, ${name}! 🎉</h2>
+
+            <p>Your <strong>${tier}</strong> subscription is now active. You now have access to:</p>
+
+            <ul style="color: #666;">
+              ${tier === 'Pro'
+                ? `
+              <li>Unlimited team members</li>
+              <li>Unlimited secrets</li>
+              <li>Unlimited environments</li>
+              <li>1-year audit log retention</li>
+              <li>Priority support</li>
+              `
+                : `
+              <li>Multiple organizations</li>
+              <li>SSO/SAML integration</li>
+              <li>Unlimited audit log retention</li>
+              <li>SLA support</li>
+              <li>On-premise deployment option</li>
+              `}
+            </ul>
+
+            <p style="color: #666;">Manage your subscription anytime from your account settings.</p>
+          </div>
+        </body>
+        </html>
+      `,
+            text: `
+Thanks, ${name}!
+
+Your ${tier} subscription is now active.
+
+Manage your subscription anytime from your account settings.
+
+---
+LSH Secrets Manager
+      `.trim(),
+        };
+    }
+}
+/**
+ * Singleton instance
+ */
+export const emailService = new EmailService();

package/dist/lib/saas-encryption.js

@@ -0,0 +1,220 @@
+/**
+ * LSH SaaS Per-Team Encryption Service
+ * Manages encryption keys for each team
+ */
+import { randomBytes, createCipheriv, createDecipheriv, createHash, pbkdf2Sync } from 'crypto';
+import { getSupabaseClient } from './supabase-client.js';
+const ALGORITHM = 'aes-256-cbc';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 16; // 128 bits
+const SALT_LENGTH = 32;
+const PBKDF2_ITERATIONS = 100000;
+/**
+ * Get master encryption key from environment
+ * This key is used to encrypt/decrypt team encryption keys
+ */
+function getMasterKey() {
+    const masterKeyHex = process.env.LSH_MASTER_KEY || process.env.LSH_SECRETS_KEY;
+    if (!masterKeyHex) {
+        throw new Error('LSH_MASTER_KEY or LSH_SECRETS_KEY environment variable must be set for encryption');
+    }
+    // If it's a hex string, convert it
+    if (/^[0-9a-fA-F]+$/.test(masterKeyHex)) {
+        return Buffer.from(masterKeyHex, 'hex');
+    }
+    // Otherwise, derive a key from it using PBKDF2
+    const salt = createHash('sha256').update('lsh-saas-master-key-salt').digest();
+    return pbkdf2Sync(masterKeyHex, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha256');
+}
+/**
+ * Encryption Service
+ */
+export class EncryptionService {
+    supabase = getSupabaseClient();
+    masterKey;
+    constructor() {
+        this.masterKey = getMasterKey();
+    }
+    /**
+     * Generate a new encryption key for a team
+     */
+    async generateTeamKey(teamId, createdBy) {
+        // Generate random key
+        const teamKey = randomBytes(KEY_LENGTH);
+        // Encrypt the team key with the master key
+        const encryptedKey = this.encryptWithMasterKey(teamKey);
+        // Store in database
+        const { data, error } = await this.supabase
+            .from('encryption_keys')
+            .insert({
+            team_id: teamId,
+            encrypted_key: encryptedKey,
+            key_version: 1,
+            algorithm: ALGORITHM,
+            is_active: true,
+            created_by: createdBy,
+        })
+            .select()
+            .single();
+        if (error) {
+            throw new Error(`Failed to create encryption key: ${error.message}`);
+        }
+        // Update team to use this key
+        await this.supabase
+            .from('teams')
+            .update({ encryption_key_id: data.id })
+            .eq('id', teamId);
+        return this.mapDbKeyToKey(data);
+    }
+    /**
+     * Rotate team encryption key
+     */
+    async rotateTeamKey(teamId, rotatedBy) {
+        // Get current key version
+        const { data: currentKeys } = await this.supabase
+            .from('encryption_keys')
+            .select('key_version')
+            .eq('team_id', teamId)
+            .order('key_version', { ascending: false })
+            .limit(1);
+        const newVersion = currentKeys && currentKeys.length > 0 ? currentKeys[0].key_version + 1 : 1;
+        // Mark old keys as inactive
+        await this.supabase
+            .from('encryption_keys')
+            .update({
+            is_active: false,
+            rotated_at: new Date().toISOString(),
+        })
+            .eq('team_id', teamId)
+            .eq('is_active', true);
+        // Generate new key
+        const teamKey = randomBytes(KEY_LENGTH);
+        const encryptedKey = this.encryptWithMasterKey(teamKey);
+        // Store new key
+        const { data, error } = await this.supabase
+            .from('encryption_keys')
+            .insert({
+            team_id: teamId,
+            encrypted_key: encryptedKey,
+            key_version: newVersion,
+            algorithm: ALGORITHM,
+            is_active: true,
+            created_by: rotatedBy,
+        })
+            .select()
+            .single();
+        if (error) {
+            throw new Error(`Failed to rotate encryption key: ${error.message}`);
+        }
+        // Update team
+        await this.supabase
+            .from('teams')
+            .update({ encryption_key_id: data.id })
+            .eq('id', teamId);
+        return this.mapDbKeyToKey(data);
+    }
+    /**
+     * Get active encryption key for a team
+     */
+    async getTeamKey(teamId) {
+        const { data, error } = await this.supabase
+            .from('encryption_keys')
+            .select('*')
+            .eq('team_id', teamId)
+            .eq('is_active', true)
+            .single();
+        if (error || !data) {
+            return null;
+        }
+        return this.mapDbKeyToKey(data);
+    }
+    /**
+     * Get decrypted team key (for encryption/decryption operations)
+     */
+    async getDecryptedTeamKey(teamId) {
+        const key = await this.getTeamKey(teamId);
+        if (!key) {
+            throw new Error('No active encryption key found for team');
+        }
+        return this.decryptWithMasterKey(key.encryptedKey);
+    }
+    /**
+     * Encrypt data with team's key
+     */
+    async encryptForTeam(teamId, data) {
+        const teamKey = await this.getDecryptedTeamKey(teamId);
+        // Generate random IV
+        const iv = randomBytes(IV_LENGTH);
+        // Encrypt
+        const cipher = createCipheriv(ALGORITHM, teamKey, iv);
+        let encrypted = cipher.update(data, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        // Return IV + encrypted data
+        return iv.toString('hex') + ':' + encrypted;
+    }
+    /**
+     * Decrypt data with team's key
+     */
+    async decryptForTeam(teamId, encryptedData) {
+        const teamKey = await this.getDecryptedTeamKey(teamId);
+        // Split IV and encrypted data
+        const parts = encryptedData.split(':');
+        if (parts.length !== 2) {
+            throw new Error('Invalid encrypted data format');
+        }
+        const iv = Buffer.from(parts[0], 'hex');
+        const encrypted = parts[1];
+        // Decrypt
+        const decipher = createDecipheriv(ALGORITHM, teamKey, iv);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    /**
+     * Encrypt team key with master key
+     */
+    encryptWithMasterKey(teamKey) {
+        const iv = randomBytes(IV_LENGTH);
+        const cipher = createCipheriv(ALGORITHM, this.masterKey, iv);
+        let encrypted = cipher.update(teamKey);
+        encrypted = Buffer.concat([encrypted, cipher.final()]);
+        // Return IV + encrypted key
+        return iv.toString('hex') + ':' + encrypted.toString('hex');
+    }
+    /**
+     * Decrypt team key with master key
+     */
+    decryptWithMasterKey(encryptedKey) {
+        const parts = encryptedKey.split(':');
+        if (parts.length !== 2) {
+            throw new Error('Invalid encrypted key format');
+        }
+        const iv = Buffer.from(parts[0], 'hex');
+        const encrypted = Buffer.from(parts[1], 'hex');
+        const decipher = createDecipheriv(ALGORITHM, this.masterKey, iv);
+        let decrypted = decipher.update(encrypted);
+        decrypted = Buffer.concat([decrypted, decipher.final()]);
+        return decrypted;
+    }
+    /**
+     * Map database key to EncryptionKey type
+     */
+    mapDbKeyToKey(dbKey) {
+        return {
+            id: dbKey.id,
+            teamId: dbKey.team_id,
+            encryptedKey: dbKey.encrypted_key,
+            keyVersion: dbKey.key_version,
+            algorithm: dbKey.algorithm,
+            isActive: dbKey.is_active,
+            rotatedAt: dbKey.rotated_at ? new Date(dbKey.rotated_at) : null,
+            expiresAt: dbKey.expires_at ? new Date(dbKey.expires_at) : null,
+            createdAt: new Date(dbKey.created_at),
+            createdBy: dbKey.created_by,
+        };
+    }
+}
+/**
+ * Singleton instance
+ */
+export const encryptionService = new EncryptionService();