mcpmake 0.1.0

package/dist/cloud/web/auth.js

@@ -0,0 +1,555 @@
+/**
+ * User accounts and session management.
+ *
+ * Uses Node.js built-in crypto for password hashing (scrypt) and
+ * session token generation. Zero external dependencies.
+ */
+import { randomBytes, scrypt, timingSafeEqual, createHash } from 'node:crypto';
+import { isSecureRequest } from '../request-security.js';
+import { getPgUserStore, getPgSessionStore } from '../shared-state.js';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const SESSION_MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+const SESSION_MAX_AGE_SECONDS = 604800;
+const SCRYPT_KEYLEN = 64;
+const SCRYPT_SALT_BYTES = 16;
+const SCRYPT_COST = 16384; // N
+const SCRYPT_BLOCK_SIZE = 8; // r
+const SCRYPT_PARALLELIZATION = 1; // p
+// ---------------------------------------------------------------------------
+// Password hashing
+// ---------------------------------------------------------------------------
+/**
+ * Hash a password using scrypt.
+ * Returns "salt:hash" where salt is 16 random bytes hex, hash is 64-byte scrypt output hex.
+ */
+export async function hashPassword(password) {
+    const salt = randomBytes(SCRYPT_SALT_BYTES).toString('hex');
+    const hash = await new Promise((resolve, reject) => {
+        scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_COST, r: SCRYPT_BLOCK_SIZE, p: SCRYPT_PARALLELIZATION }, (err, derived) => {
+            if (err)
+                reject(err);
+            else
+                resolve(derived);
+        });
+    });
+    return `${salt}:${hash.toString('hex')}`;
+}
+/**
+ * Verify a password against a stored "salt:hash" string.
+ * Uses constant-time comparison to prevent timing attacks.
+ */
+export async function verifyPassword(password, stored) {
+    const colonIndex = stored.indexOf(':');
+    if (colonIndex === -1)
+        return false;
+    const salt = stored.slice(0, colonIndex);
+    const storedHash = stored.slice(colonIndex + 1);
+    const computed = await new Promise((resolve, reject) => {
+        scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_COST, r: SCRYPT_BLOCK_SIZE, p: SCRYPT_PARALLELIZATION }, (err, derived) => {
+            if (err)
+                reject(err);
+            else
+                resolve(derived);
+        });
+    });
+    const storedBuffer = Buffer.from(storedHash, 'hex');
+    const computedBuffer = computed;
+    if (storedBuffer.length !== computedBuffer.length)
+        return false;
+    return timingSafeEqual(storedBuffer, computedBuffer);
+}
+// ---------------------------------------------------------------------------
+// UserStore
+// ---------------------------------------------------------------------------
+export class UserStore {
+    users = new Map();
+    create(record) {
+        // Check email uniqueness (case-insensitive)
+        const normalizedEmail = record.email.toLowerCase().trim();
+        for (const existing of this.users.values()) {
+            if (existing.email === normalizedEmail) {
+                throw new Error(`User with email "${normalizedEmail}" already exists`);
+            }
+        }
+        this.users.set(record.id, { ...record, email: normalizedEmail });
+    }
+    getById(id) {
+        const record = this.users.get(id);
+        return record ? { ...record } : undefined;
+    }
+    getByEmail(email) {
+        const normalized = email.toLowerCase().trim();
+        for (const record of this.users.values()) {
+            if (record.email === normalized) {
+                return { ...record };
+            }
+        }
+        return undefined;
+    }
+    list() {
+        return [...this.users.values()].map((r) => ({ ...r }));
+    }
+    update(id, updates) {
+        const existing = this.users.get(id);
+        if (!existing) {
+            throw new Error(`User with id "${id}" not found`);
+        }
+        // Prevent changing the id via update
+        const { id: _ignored, ...safeUpdates } = updates;
+        this.users.set(id, { ...existing, ...safeUpdates });
+    }
+    delete(id) {
+        this.users.delete(id);
+    }
+    getByResetToken(tokenHash) {
+        for (const record of this.users.values()) {
+            if (record.passwordResetTokenHash === tokenHash &&
+                record.passwordResetExpiresAt &&
+                Date.now() < record.passwordResetExpiresAt) {
+                return { ...record };
+            }
+        }
+        return undefined;
+    }
+    getByVerificationToken(tokenHash) {
+        for (const record of this.users.values()) {
+            if (record.emailVerificationTokenHash === tokenHash) {
+                return { ...record };
+            }
+        }
+        return undefined;
+    }
+    getByStripeCustomerId(customerId) {
+        for (const record of this.users.values()) {
+            if (record.stripeCustomerId === customerId) {
+                return { ...record };
+            }
+        }
+        return undefined;
+    }
+    count() {
+        return this.users.size;
+    }
+}
+// ---------------------------------------------------------------------------
+// SessionStore
+// ---------------------------------------------------------------------------
+export class SessionStore {
+    sessions = new Map();
+    create(userId) {
+        const token = randomBytes(32).toString('hex');
+        const csrfToken = randomBytes(16).toString('hex');
+        const now = Date.now();
+        const session = {
+            token,
+            userId,
+            csrfToken,
+            createdAt: now,
+            expiresAt: now + SESSION_MAX_AGE_MS,
+        };
+        this.sessions.set(token, session);
+        return session;
+    }
+    get(token) {
+        const session = this.sessions.get(token);
+        if (!session)
+            return undefined;
+        // Check expiry
+        if (Date.now() > session.expiresAt) {
+            this.sessions.delete(token);
+            return undefined;
+        }
+        return session;
+    }
+    destroy(token) {
+        this.sessions.delete(token);
+    }
+    setPendingServerToken(sessionToken, slug, token) {
+        const session = this.sessions.get(sessionToken);
+        if (!session)
+            return;
+        session.pendingServerTokens ??= {};
+        session.pendingServerTokens[slug] = token;
+    }
+    consumePendingServerToken(sessionToken, slug) {
+        const session = this.sessions.get(sessionToken);
+        if (!session?.pendingServerTokens)
+            return undefined;
+        const token = session.pendingServerTokens[slug];
+        delete session.pendingServerTokens[slug];
+        if (Object.keys(session.pendingServerTokens).length === 0) {
+            delete session.pendingServerTokens;
+        }
+        return token;
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [token, session] of this.sessions) {
+            if (now > session.expiresAt) {
+                this.sessions.delete(token);
+            }
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Singleton instances
+// ---------------------------------------------------------------------------
+export const userStore = new UserStore();
+export const sessionStore = new SessionStore();
+// ---------------------------------------------------------------------------
+// Pg-aware store helpers (try Pg first, fall back to in-memory)
+// ---------------------------------------------------------------------------
+/**
+ * Look up a user by ID, preferring the Pg store when available.
+ */
+export async function getUserById(id) {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.getById(id);
+    }
+    return userStore.getById(id);
+}
+/**
+ * Look up a user by email, preferring the Pg store when available.
+ */
+export async function getUserByEmail(email) {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.getByEmail(email);
+    }
+    return userStore.getByEmail(email);
+}
+/**
+ * Look up a user by Stripe customer ID, preferring the Pg store when available.
+ */
+export async function getUserByStripeCustomerId(customerId) {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.getByStripeCustomerId(customerId);
+    }
+    return userStore.getByStripeCustomerId(customerId);
+}
+/**
+ * Look up a user by email verification token hash.
+ */
+export async function getUserByVerificationToken(tokenHash) {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.getByVerificationToken(tokenHash);
+    }
+    return userStore.getByVerificationToken(tokenHash);
+}
+/**
+ * Create a user, persisting to Pg when available, otherwise in-memory.
+ */
+export async function createUser(record) {
+    const pg = getPgUserStore();
+    if (pg) {
+        await pg.create(record);
+        return;
+    }
+    userStore.create(record);
+}
+/**
+ * Update a user, persisting to Pg when available, otherwise in-memory.
+ */
+export async function updateUser(id, updates) {
+    const pg = getPgUserStore();
+    if (pg) {
+        await pg.update(id, updates);
+        return;
+    }
+    userStore.update(id, updates);
+}
+/**
+ * Delete a user, removing from Pg when available, otherwise in-memory.
+ */
+export async function deleteUser(id) {
+    const pg = getPgUserStore();
+    if (pg) {
+        await pg.delete(id);
+        return;
+    }
+    userStore.delete(id);
+}
+/**
+ * Count users, preferring Pg when available.
+ */
+export async function countUsers() {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.count();
+    }
+    return userStore.count();
+}
+/**
+ * List all users, preferring Pg when available.
+ */
+export async function listUsers() {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.list();
+    }
+    return userStore.list();
+}
+/**
+ * Get a session by token, preferring Pg when available.
+ */
+export async function getSession(token) {
+    // Check in-memory first (anon sessions always live here, even when Pg is active)
+    const inMemory = sessionStore.get(token);
+    if (inMemory)
+        return inMemory;
+    const pg = getPgSessionStore();
+    if (pg) {
+        return await pg.get(token);
+    }
+    return undefined;
+}
+/**
+ * Create a session, persisting to Pg when available, otherwise in-memory.
+ * Note: anonymous sessions (userId === '__anon__') always use in-memory
+ * because the Pg sessions table has a FK constraint on users(id).
+ */
+export async function createSession(userId) {
+    if (userId === '__anon__') {
+        return sessionStore.create(userId);
+    }
+    const pg = getPgSessionStore();
+    if (pg) {
+        return await pg.create(userId);
+    }
+    return sessionStore.create(userId);
+}
+/**
+ * Destroy a session, removing from Pg when available, otherwise in-memory.
+ * Destroys from both stores to handle sessions that may have been created
+ * in-memory (anon sessions) even when Pg is available.
+ */
+export async function destroySession(token) {
+    const pg = getPgSessionStore();
+    if (pg) {
+        await pg.destroy(token);
+    }
+    // Always also clean in-memory (anon sessions live there even when Pg is active)
+    sessionStore.destroy(token);
+}
+/**
+ * Set a pending server token on a session.
+ */
+export async function setPendingToken(sessionToken, slug, serverBearerToken) {
+    const pg = getPgSessionStore();
+    if (pg) {
+        await pg.setPendingServerToken(sessionToken, slug, serverBearerToken);
+        return;
+    }
+    sessionStore.setPendingServerToken(sessionToken, slug, serverBearerToken);
+}
+/**
+ * Consume a pending server token from a session.
+ */
+export async function consumePendingToken(sessionToken, slug) {
+    const pg = getPgSessionStore();
+    if (pg) {
+        return await pg.consumePendingServerToken(sessionToken, slug);
+    }
+    return sessionStore.consumePendingServerToken(sessionToken, slug);
+}
+/**
+ * Clean up expired sessions from both stores.
+ */
+export async function cleanupSessions() {
+    const pg = getPgSessionStore();
+    if (pg) {
+        await pg.cleanup();
+    }
+    sessionStore.cleanup();
+}
+// ---------------------------------------------------------------------------
+// Password reset helpers
+// ---------------------------------------------------------------------------
+const RESET_TOKEN_EXPIRY_MS = 60 * 60 * 1000; // 1 hour
+/**
+ * Generate a password reset token.
+ * Returns the raw token (for the email link) and its SHA-256 hash (for storage).
+ */
+export function generateResetToken() {
+    const token = randomBytes(32).toString('hex');
+    const hash = createHash('sha256').update(token).digest('hex');
+    return { token, hash };
+}
+/**
+ * Hash a reset token for lookup.
+ */
+export function hashResetToken(token) {
+    return createHash('sha256').update(token).digest('hex');
+}
+/**
+ * Store a password reset token for a user.
+ */
+export async function setPasswordResetToken(userId, tokenHash) {
+    await updateUser(userId, {
+        passwordResetTokenHash: tokenHash,
+        passwordResetExpiresAt: Date.now() + RESET_TOKEN_EXPIRY_MS,
+    });
+}
+/**
+ * Look up a user by their password reset token hash.
+ * Returns undefined if token is invalid or expired.
+ */
+export async function getUserByResetToken(tokenHash) {
+    const pg = getPgUserStore();
+    if (pg) {
+        return await pg.getByResetToken(tokenHash);
+    }
+    return userStore.getByResetToken(tokenHash);
+}
+// ---------------------------------------------------------------------------
+// Email verification helpers
+// ---------------------------------------------------------------------------
+/**
+ * Whether email verification is enforced for this deployment. Enforced when a
+ * mailer is configured (production) or explicitly requested. In pure dev (no
+ * SMTP) the flow still works — the link is logged to the console — but server
+ * creation is not blocked, so local testing isn't impeded.
+ */
+export function isEmailVerificationRequired() {
+    return process.env.REQUIRE_EMAIL_VERIFICATION === 'true' || !!process.env.SMTP_HOST;
+}
+/**
+ * Generate an email verification token. Returns the raw token (for the link)
+ * and its SHA-256 hash (for storage).
+ */
+export function generateVerificationToken() {
+    const token = randomBytes(32).toString('hex');
+    const hash = createHash('sha256').update(token).digest('hex');
+    return { token, hash };
+}
+/** Hash a verification token for lookup. */
+export function hashVerificationToken(token) {
+    return createHash('sha256').update(token).digest('hex');
+}
+/** Store a pending email verification token hash for a user. */
+export async function setEmailVerificationToken(userId, tokenHash) {
+    await updateUser(userId, { emailVerified: false, emailVerificationTokenHash: tokenHash });
+}
+/** Mark a user's email as verified and clear the pending token. */
+export async function markEmailVerified(userId) {
+    const pg = getPgUserStore();
+    if (pg) {
+        await pg.update(userId, { emailVerified: true });
+        // Clear the token hash explicitly (NULL) so it can't be reused.
+        await pg.clearVerificationToken(userId);
+        return;
+    }
+    userStore.update(userId, { emailVerified: true, emailVerificationTokenHash: undefined });
+}
+/** Clear a user's email verification token. */
+export async function clearEmailVerificationToken(userId) {
+    const pg = getPgUserStore();
+    if (pg) {
+        await pg.clearVerificationToken(userId);
+        return;
+    }
+    userStore.update(userId, { emailVerificationTokenHash: undefined });
+}
+/**
+ * Clear a user's password reset token after successful reset.
+ */
+export async function clearPasswordResetToken(userId) {
+    const pg = getPgUserStore();
+    if (pg) {
+        await pg.clearResetToken(userId);
+        return;
+    }
+    const user = userStore.getById(userId);
+    if (user) {
+        userStore.update(userId, {
+            passwordResetTokenHash: undefined,
+            passwordResetExpiresAt: undefined,
+        });
+    }
+}
+// ---------------------------------------------------------------------------
+// Session helpers
+// ---------------------------------------------------------------------------
+/**
+ * Parse the mf_session cookie from request headers.
+ */
+export function getSessionToken(req) {
+    const cookie = req.headers.cookie;
+    if (!cookie)
+        return undefined;
+    const parts = cookie.split(';');
+    for (const part of parts) {
+        const trimmed = part.trim();
+        if (trimmed.startsWith('mf_session=')) {
+            return trimmed.slice('mf_session='.length);
+        }
+    }
+    return undefined;
+}
+/**
+ * Set session cookie on response.
+ * Cookie: mf_session={token}; HttpOnly; SameSite=Strict; Path=/; Max-Age=604800
+ * Adds Secure when the request is HTTPS or forwarded as HTTPS.
+ */
+export function setSessionCookie(res, req, token) {
+    const secure = isSecureRequest(req) ? '; Secure' : '';
+    const cookie = `mf_session=${token}; HttpOnly; SameSite=Strict; Path=/; Max-Age=${SESSION_MAX_AGE_SECONDS}${secure}`;
+    res.setHeader('Set-Cookie', cookie);
+}
+/**
+ * Clear session cookie on response.
+ */
+export function clearSessionCookie(res, req) {
+    const secure = isSecureRequest(req) ? '; Secure' : '';
+    res.setHeader('Set-Cookie', `mf_session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0${secure}`);
+}
+/**
+ * Get authenticated user from request, or null.
+ * Reads the mf_session cookie, looks up the session, then the user.
+ * Tries Pg stores first when available, falls back to in-memory.
+ */
+export async function getAuthenticatedUser(req) {
+    const token = getSessionToken(req);
+    if (!token)
+        return null;
+    const session = await getSession(token);
+    if (!session)
+        return null;
+    const user = await getUserById(session.userId);
+    if (!user)
+        return null;
+    return { user, session };
+}
+/**
+ * Require authentication. Returns user+session or sends 302 redirect to /login.
+ * Returns null if the redirect was sent (caller should stop processing).
+ */
+export async function requireAuth(req, res) {
+    const auth = await getAuthenticatedUser(req);
+    if (!auth) {
+        res.writeHead(302, { Location: '/login' });
+        res.end();
+        return null;
+    }
+    return auth;
+}
+/**
+ * Require admin. Returns user+session or sends 403.
+ * Returns null if the error response was sent (caller should stop processing).
+ */
+export async function requireAdmin(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return null;
+    if (!auth.user.isAdmin) {
+        res.writeHead(403, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end('<h1>403 — Forbidden</h1>');
+        return null;
+    }
+    return auth;
+}

package/dist/cloud/web/charts.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Server-rendered inline-SVG charts for the admin dashboard.
+ *
+ * The admin CSP forbids inline scripts and `unsafe-inline` (see `sendHtml` in
+ * router.ts), so charts MUST be pure static SVG: no `<script>`, no `onclick`,
+ * no inline JS. Hover values are exposed only via `<title>` elements.
+ *
+ * Every function is a pure `(numbers) -> string`, so they are trivially unit
+ * testable and have no runtime dependencies. SVGs use a fixed `viewBox` and NO
+ * width/height attributes — they scale to their container via CSS.
+ *
+ * SECURITY / CORRECTNESS: every numeric input is clamped to a finite number
+ * (NaN / Infinity / non-number -> 0) BEFORE it is interpolated into any
+ * `points=""`, `d=""`, or coordinate attribute. This is both a correctness
+ * guard (a single bad sample can't blow up the whole path) and an injection
+ * guard (no caller-controlled string ever reaches the SVG markup; only numbers
+ * we produced ourselves are emitted).
+ */
+export interface SparklineOptions {
+    /** viewBox width (logical units). */
+    width?: number;
+    /** viewBox height (logical units). */
+    height?: number;
+    /** Stroke colour (must be a CSS colour literal). */
+    color?: string;
+    /** Optional label shown in the `<title>` (e.g. "Requests / 5min"). */
+    label?: string;
+    /** Optional unit suffix for hover values (e.g. "%"). */
+    unit?: string;
+}
+/**
+ * A single-series trend line (`<polyline>`).
+ *
+ * Y is scaled to the data's own min/max so small variations stay visible. With
+ * 0 or 1 points an empty-but-valid SVG is returned (no NaN coordinates).
+ */
+export declare function renderSparkline(values: number[], opts?: SparklineOptions): string;
+export interface BarsOptions {
+    width?: number;
+    height?: number;
+    color?: string;
+    /** Per-bar labels for `<title>` hover (aligned by index). */
+    labels?: string[];
+    /** Unit suffix for hover values. */
+    unit?: string;
+    /** Optional aria/title prefix for the whole chart. */
+    label?: string;
+}
+/**
+ * A simple vertical bar chart. Bars are scaled to the data max (0-baselined).
+ */
+export declare function renderBars(values: number[], opts?: BarsOptions): string;
+export interface DualLineOptions {
+    width?: number;
+    height?: number;
+    /** Colour of series A. */
+    colorA?: string;
+    /** Colour of series B. */
+    colorB?: string;
+    /** Names of each series (used in hover titles + aria). */
+    labelA?: string;
+    labelB?: string;
+    unit?: string;
+}
+/**
+ * Two overlaid trend lines on a shared Y scale — built for the
+ * requests-vs-errors time series. Both series share one min/max so they are
+ * visually comparable. Missing / short series degrade gracefully.
+ */
+export declare function renderDualLine(seriesA: number[], seriesB: number[], opts?: DualLineOptions): string;