mantenimento-app 2.2.8 → 2.3.0

package/frontend/public/autologin.html

@@ -0,0 +1,40 @@
+<!doctype html>
+<html lang="it">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>AutoLogin Redirect - Mantenimento App</title>
+  <meta name="robots" content="noindex,nofollow" />
+</head>
+<body>
+  <noscript>JavaScript richiesto per il redirect di autologin.</noscript>
+  <script>
+    (function () {
+      try {
+        const current = new URL(window.location.href);
+        const query = new URLSearchParams(current.search);
+
+        if (!query.has('autologin')) {
+          query.set('autologin', '1');
+        }
+
+        if ((!query.has('authToken') || !String(query.get('authToken') || '').trim()) && current.hash) {
+          const hashParams = new URLSearchParams(String(current.hash || '').replace(/^#/, ''));
+          const hashToken = String(hashParams.get('authToken') || '').trim();
+          if (hashToken) {
+            query.set('authToken', hashToken);
+          }
+        }
+
+        const target = new URL('./', current);
+        target.search = query.toString();
+        target.hash = '';
+
+        window.location.replace(target.toString());
+      } catch (_) {
+        window.location.replace('./');
+      }
+    })();
+  </script>
+</body>
+</html>

package/frontend/public/index.html

@@ -102,8 +102,8 @@
           <button class="top-actions-trigger" type="button" aria-expanded="false" aria-controls="topActionsMenu">Azioni rapide</button>
           <div class="top-actions-menu" id="topActionsMenu" aria-label="Azioni applicazione">
             <button class="btn-secondary" id="btnReset" type="button">Reset valori</button>
-            <button class="btn-secondary" id="btnExportJson" type="button">Esporta JSON cifrato</button>
-            <button class="btn-secondary" id="btnImportJson" type="button">Carica JSON cifrato</button>
+            <button class="btn-secondary" id="btnExportJson" type="button">Esporta JSON</button>
+            <button class="btn-secondary" id="btnImportJson" type="button">Carica JSON</button>
             <button class="btn-secondary" id="btnPdf" type="button">Genera e scarica PDF</button>
             <input id="fileJson" type="file" accept="application/json,.json" style="display:none" />
           </div>
@@ -364,17 +364,23 @@
                 </label>
                 <input id="primaCasaMutuoImporto" type="number" min="0" step="50" value="0" />
               </div>
-              <div class="field">
+              <div class="field" style="display: none;">
+                <label for="primaCasaValoreLocativo" class="label-row"><span id="lblPrimaCasaValoreLocativo">Casa (valore locativo) ({currency})</span>
+                  <span class="hint" id="hintPrimaCasaValoreLocativo" title="Valore locativo mensile della casa assegnata, usato per valorizzare il beneficio economico implicito.">i</span>
+                </label>
+                <input id="primaCasaValoreLocativo" type="number" min="0" step="50" value="1000" />
+              </div>
+              <div class="field" style="display: none;">
                 <label for="primaCasaAssegnataA" class="label-row"><span id="lblPrimaCasaAssegnataA">Casa assegnata a</span>
                   <span class="hint" id="hintPrimaCasaAssegnataA" title="Seleziona il coniuge a cui e ceduta la prima casa.">i</span>
                 </label>
                 <select id="primaCasaAssegnataA">
                   <option value="">Nessuna cessione</option>
-                  <option value="1">Coniuge 1</option>
+                  <option value="1" selected>Coniuge 1</option>
                   <option value="2">Coniuge 2</option>
                 </select>
               </div>
-              <div class="field">
+              <div class="field" style="display: none;">
                 <div class="mortgage-split-slider" id="primaCasaMutuoSliderWrap">
                   <div class="mortgage-split-side mortgage-split-side-left" id="primaCasaSplitLeft">
                     <div class="mortgage-split-name" id="primaCasaSplitLeftName">Coniuge 1</div>
@@ -596,11 +602,28 @@
     <button class="coffee-float-btn" title="Offrimi un caff&egrave;!">&#9749;</button>
   </div>
 
+  <div id="exportModeModal" class="export-mode-modal is-hidden" aria-hidden="true">
+    <div class="export-mode-modal-backdrop" data-export-modal-close="1"></div>
+    <div class="export-mode-modal-dialog" role="dialog" aria-modal="true" aria-labelledby="exportModeModalTitle">
+      <h3 id="exportModeModalTitle">Esportazione JSON</h3>
+      <p id="exportModeModalWarning">Per impostazione predefinita il file viene cifrato e puo essere importato solo dallo stesso utente KeyLock.</p>
+      <label class="export-mode-checkbox">
+        <input type="checkbox" id="chkExportPlainJson" />
+        <span id="lblExportPlainJson">Esporta JSON non cifrato (compatibile con altri utenti)</span>
+      </label>
+      <p id="exportModeModalRisk" class="export-mode-risk">Conferma esplicita richiesta: il file non cifrato puo essere letto da chiunque.</p>
+      <div class="export-mode-actions">
+        <button type="button" class="btn-secondary" id="btnCancelExportMode">Annulla</button>
+        <button type="button" class="btn-secondary" id="btnConfirmExportMode">Conferma export</button>
+      </div>
+    </div>
+  </div>
+
   <script src="supabase-config.js"></script>
   <script src="supabase.min.js"></script>
   <script src="fabric.min.js"></script>
   <script src="html2pdf.bundle.min.js"></script>
-    <script src="app.js?v=2.2.8"></script>
+    <script src="app.js?v=2.3.0"></script>
 </body>
 </html>
 

package/frontend/public/styles.css

@@ -910,13 +910,14 @@
 
     .mortgage-split-side {
       border: 1px solid #c6ded8;
-      border-radius: 10px;
-      padding: 7px;
-      background: rgba(255, 255, 255, 0.84);
+      border-radius: 12px;
+      padding: 8px;
+      background: linear-gradient(180deg, #ffffff, #f3faf8);
       min-height: 58px;
       display: grid;
       align-content: center;
-      gap: 2px;
+      gap: 3px;
+      box-shadow: 0 1px 3px rgba(17, 74, 68, 0.08);
     }
 
     .mortgage-split-side-left {
@@ -945,6 +946,7 @@
     .mortgage-split-range-wrap {
       position: relative;
       padding: 14px 0 6px;
+      --split-left: 50%;
     }
 
     .mortgage-split-range-wrap input[type="range"] {
@@ -953,9 +955,14 @@
       width: 100%;
       height: 8px;
       border-radius: 999px;
-      background: linear-gradient(90deg, #2b9d8e 0%, #6cb9a9 46%, #dfb264 54%, #cb8a2d 100%);
+      background: linear-gradient(90deg,
+        #2b9d8e 0%,
+        #6cb9a9 var(--split-left),
+        #dfb264 var(--split-left),
+        #cb8a2d 100%);
       outline: none;
       margin: 0;
+      transition: background 0.16s ease;
     }
 
     .mortgage-split-range-wrap input[type="range"]::-webkit-slider-thumb {
@@ -3338,4 +3345,70 @@
         border: 1px solid #cfcfcf;
         background: #fff;
       }
+    }
+
+    .export-mode-modal {
+      position: fixed;
+      inset: 0;
+      z-index: 9999;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 16px;
+    }
+
+    .export-mode-modal.is-hidden {
+      display: none;
+    }
+
+    .export-mode-modal-backdrop {
+      position: absolute;
+      inset: 0;
+      background: rgba(22, 42, 42, 0.48);
+    }
+
+    .export-mode-modal-dialog {
+      position: relative;
+      width: min(540px, 100%);
+      border-radius: var(--radius);
+      border: 1px solid var(--line);
+      background: var(--panel);
+      box-shadow: var(--shadow);
+      padding: 18px;
+      z-index: 1;
+    }
+
+    .export-mode-modal-dialog h3 {
+      margin: 0 0 10px;
+      font-size: 1.05rem;
+    }
+
+    .export-mode-modal-dialog p {
+      margin: 0 0 10px;
+      color: var(--muted);
+    }
+
+    .export-mode-checkbox {
+      display: flex;
+      align-items: flex-start;
+      gap: 8px;
+      margin: 12px 0 8px;
+      color: var(--ink);
+      font-weight: 600;
+    }
+
+    .export-mode-checkbox input {
+      margin-top: 2px;
+    }
+
+    .export-mode-risk {
+      color: var(--warn) !important;
+      font-size: 0.92rem;
+    }
+
+    .export-mode-actions {
+      margin-top: 14px;
+      display: flex;
+      justify-content: flex-end;
+      gap: 8px;
     }

package/frontend/public/supabase-config.js

@@ -3,17 +3,10 @@
 window.KEYLOCK_SUPABASE_URL = "https://xyluwvzuogdsgzyganqp.supabase.co";
 window.KEYLOCK_SUPABASE_ANON_KEY = "sb_publishable_f6_mJK6kgHKTjUMY7V9YJg_i6QCzG3g";
 
-// Optional named backends for the published frontend.
-// Example usage:
-//   https://favagit.github.io/mantenimento-app/?env=dev
-//   https://favagit.github.io/mantenimento-app/?env=prod
+// Default backend used when no ?env / ?apiBase override is provided.
+window.KEYLOCK_CALC_API_BASE = "https://mantenimento-app.onrender.com";
+
 window.KEYLOCK_CALC_API_ENVS = {
 	dev: "",
-	prod: ""
-};
-
-// Optional frontend variants (used by ?frontend=dev on the published app).
-// The dev URL can point to the feature branch static preview.
-window.KEYLOCK_FRONTEND_VARIANT_ENVS = {
-	dev: "https://raw.githack.com/FaVaGit/mantenimento-app/feature/v2-scenario-lab/frontend/public/index.html"
+	prod: "https://mantenimento-app.onrender.com"
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mantenimento-app",
-  "version": "2.2.8",
+  "version": "2.3.0",
   "description": "Frontend + backend architecture for the mantenimento calculator",
   "type": "commonjs",
   "main": "backend/calculate-model.js",
@@ -14,6 +14,10 @@
     "dev": "node scripts/dev-server.mjs",
     "dev:watch": "node scripts/build-frontend.mjs --watch",
     "build:frontend": "node scripts/build-frontend.mjs",
+    "auth:url-token": "node scripts/create-url-login-token.mjs",
+    "auth:url-check": "node scripts/auth-url-check.mjs",
+    "donor:grant": "node scripts/manage-donor-users.mjs --mode=grant",
+    "donor:revoke": "node scripts/manage-donor-users.mjs --mode=revoke",
     "start": "npm run build:frontend && node backend/server.js"
   },
   "keywords": [

package/scripts/auth-url-check.mjs

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+/**
+ * auth-url-check.mjs
+ *
+ * Validates the full autologin URL-login pipeline end-to-end:
+ *   1. Calls /api/auth/url-login/start  (generates token on server)
+ *   2. Calls /api/auth/url-login/exchange  (redeems token for session)
+ *   3. Reports ok / error with details
+ *
+ * Usage:
+ *   node scripts/auth-url-check.mjs \
+ *     --backendUrl=https://mantenimento-app.onrender.com \
+ *     --bootstrapKey=<BOOTSTRAP_KEY> \
+ *     [--sub=favagit] [--verbose]
+ *
+ * Env vars (used as fallback if CLI args are absent):
+ *   AUTH_URL_LOGIN_BOOTSTRAP_KEY
+ *   AUTH_URL_LOGIN_BACKEND_URL   (defaults to http://localhost:3001)
+ *   AUTH_URL_LOGIN_ALLOWED_USER  (first in comma-separated list used as default sub)
+ */
+
+import { readFileSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+// ── Load .env from project root (best-effort, no hard dep on dotenv) ──────────
+const __dir = dirname(fileURLToPath(import.meta.url));
+const envPath = resolve(__dir, '..', '.env');
+try {
+  const envContent = readFileSync(envPath, 'utf8');
+  for (const line of envContent.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx < 1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const raw = trimmed.slice(eqIdx + 1).trim();
+    const val = raw.replace(/^['"]|['"]$/g, '');
+    if (!(key in process.env)) process.env[key] = val;
+  }
+} catch {
+  // .env not found — ok, rely on environment
+}
+
+// ── CLI args ──────────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((a) => a.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+const hasFlag = (name) => args.includes(`--${name}`);
+
+const backendUrl = (
+  getArg('backendUrl',
+    process.env.AUTH_URL_LOGIN_BACKEND_URL || 'http://localhost:3001'
+  )
+).replace(/\/$/, '');
+
+const bootstrapKey = getArg(
+  'bootstrapKey',
+  process.env.AUTH_URL_LOGIN_BOOTSTRAP_KEY || ''
+);
+
+const defaultSub = (process.env.AUTH_URL_LOGIN_ALLOWED_USER || 'favagit')
+  .split(',')[0].trim();
+const sub = getArg('sub', defaultSub);
+const verbose = hasFlag('verbose');
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+const ok  = (msg) => console.log(`  \x1b[32m✓\x1b[0m  ${msg}`);
+const err = (msg) => console.log(`  \x1b[31m✗\x1b[0m  ${msg}`);
+const inf = (msg) => verbose && console.log(`  \x1b[90m→  ${msg}\x1b[0m`);
+
+// ── Pre-flight checks ─────────────────────────────────────────────────────────
+console.log('\n\x1b[1mauth:url-check\x1b[0m — autologin pipeline validation');
+console.log('─'.repeat(50));
+console.log(`  backend : ${backendUrl}`);
+console.log(`  subject : ${sub}`);
+console.log('─'.repeat(50));
+
+let exitCode = 0;
+
+if (!bootstrapKey) {
+  err('AUTH_URL_LOGIN_BOOTSTRAP_KEY is not set (--bootstrapKey= or env var)');
+  process.exit(1);
+}
+
+// ── Step 1: generate token via /start ─────────────────────────────────────────
+let loginUrl = '';
+let authToken = '';
+
+try {
+  const startUrl = `${backendUrl}/api/auth/url-login/start?k=${encodeURIComponent(bootstrapKey)}&sub=${encodeURIComponent(sub)}&format=json`;
+  inf(`GET ${startUrl.replace(bootstrapKey, '<BOOTSTRAP_KEY>')}`);
+
+  const res = await fetch(startUrl);
+  const body = await res.json().catch(() => null);
+
+  if (!res.ok || !body?.ok) {
+    err(`/start returned ${res.status}: ${JSON.stringify(body)}`);
+    process.exit(1);
+  }
+
+  loginUrl = body.url || '';
+  ok(`/api/auth/url-login/start → ${res.status} ok`);
+  inf(`returned url: ${loginUrl}`);
+
+  // Extract authToken from returned URL
+  const urlObj = new URL(loginUrl);
+  authToken = urlObj.searchParams.get('authToken') || '';
+  if (!authToken) {
+    // Try hash fragment
+    const hash = urlObj.hash.slice(1);
+    authToken = new URLSearchParams(hash).get('authToken') || '';
+  }
+
+  if (!authToken) {
+    err('authToken not found in the URL returned by /start');
+    process.exit(1);
+  }
+  ok(`authToken extracted (${authToken.length} chars)`);
+} catch (e) {
+  err(`/start request failed: ${e.message}`);
+  process.exit(1);
+}
+
+// ── Step 2: exchange token via /exchange ─────────────────────────────────────
+try {
+  const exchangeUrl = `${backendUrl}/api/auth/url-login/exchange`;
+  inf(`POST ${exchangeUrl}  token length=${authToken.length}`);
+
+  const res = await fetch(exchangeUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ token: authToken }),
+  });
+
+  const body = await res.json().catch(() => null);
+
+  if (!res.ok || !body?.ok) {
+    err(`/exchange returned ${res.status}: ${JSON.stringify(body)}`);
+    exitCode = 1;
+  } else {
+    const email = body.session?.user?.email || body.user?.email || '(unknown)';
+    ok(`/api/auth/url-login/exchange → ${res.status} ok`);
+    ok(`Logged in as: ${email}`);
+    if (verbose && body.session?.access_token) {
+      inf(`access_token (first 32): ${body.session.access_token.slice(0, 32)}...`);
+    }
+  }
+} catch (e) {
+  err(`/exchange request failed: ${e.message}`);
+  exitCode = 1;
+}
+
+// ── Summary ───────────────────────────────────────────────────────────────────
+console.log('─'.repeat(50));
+if (exitCode === 0) {
+  console.log('\x1b[32m\x1b[1m  PASSED\x1b[0m — autologin pipeline is functional');
+  console.log(`\n  Share this link (valid for ~120 s):\n  ${loginUrl}\n`);
+} else {
+  console.log('\x1b[31m\x1b[1m  FAILED\x1b[0m — see errors above');
+}
+console.log();
+process.exit(exitCode);

package/scripts/create-url-login-token.mjs

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+import crypto from 'crypto';
+
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((arg) => arg.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+
+const secret = String(getArg('secret', process.env.AUTH_URL_LOGIN_SECRET || '')).trim();
+const subject = String(getArg('sub', process.env.AUTH_URL_LOGIN_ALLOWED_USER || 'favagit')).trim().toLowerCase();
+const ttlSecRaw = Number(getArg('ttl', process.env.AUTH_URL_LOGIN_TTL_SEC || '120'));
+const ttlSec = Number.isFinite(ttlSecRaw) ? Math.max(30, Math.min(180, Math.floor(ttlSecRaw))) : 120;
+const baseUrl = String(getArg('baseUrl', 'https://favagit.github.io/mantenimento-app/')).trim();
+
+if (!secret) {
+  console.error('Missing AUTH_URL_LOGIN_SECRET (env or --secret=...).');
+  process.exit(1);
+}
+if (!subject) {
+  console.error('Missing subject (--sub=...).');
+  process.exit(1);
+}
+
+const toBase64Url = (value) => Buffer.from(value)
+  .toString('base64')
+  .replace(/\+/g, '-')
+  .replace(/\//g, '_')
+  .replace(/=+$/g, '');
+
+const now = Math.floor(Date.now() / 1000);
+const payload = {
+  sub: subject,
+  aud: 'url-login',
+  iat: now,
+  exp: now + ttlSec,
+  jti: typeof crypto.randomUUID === 'function'
+    ? crypto.randomUUID()
+    : crypto.randomBytes(16).toString('hex')
+};
+
+const payloadPart = toBase64Url(JSON.stringify(payload));
+const signatureHex = crypto.createHmac('sha256', secret).update(payloadPart).digest('hex');
+const signaturePart = toBase64Url(Buffer.from(signatureHex, 'hex'));
+const token = `${payloadPart}.${signaturePart}`;
+
+const joiner = baseUrl.includes('?') ? '&' : '?';
+const url = `${baseUrl}${joiner}autologin=1&authToken=${encodeURIComponent(token)}`;
+
+console.log('token:', token);
+console.log('url  :', url);