meyi-vault-server 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,95 @@
1
+ # vault-server
2
+
3
+ > Self-hosted AES-256-GCM encrypted password manager — Express plugin for MeyiConnect
4
+
5
+ ## Installation
6
+
7
+ ```bash
8
+ npm install vault-server
9
+ ```
10
+
11
+ ## MeyiConnect plugin integration
12
+
13
+ Copy the wrapper into your MeyiConnect backend:
14
+
15
+ ```
16
+ backend/src/plugins/vault/index.mjs
17
+ ```
18
+
19
+ ```js
20
+ import { install, start, stop } from 'vault-server'
21
+ import { verifyToken } from '../../middleware/auth.mjs'
22
+
23
+ export async function install() {
24
+ await install()
25
+ }
26
+
27
+ export async function start(app, config, db) {
28
+ await start(app, config, db, verifyToken)
29
+ }
30
+
31
+ export async function stop() {
32
+ await stop()
33
+ }
34
+ ```
35
+
36
+ MeyiConnect's `pluginService` will call `install()` once and `start()` on each boot.
37
+
38
+ ## Standalone usage
39
+
40
+ ```js
41
+ import express from 'express'
42
+ import { install, start } from 'vault-server'
43
+
44
+ const app = express()
45
+
46
+ // Your own auth middleware that sets req.user = { id, role, email }
47
+ const myAuth = (req, res, next) => { /* ... */ next() }
48
+
49
+ await install() // create DB tables
50
+ await start(app, {}, null, myAuth) // mount at /api/v1/vault
51
+
52
+ app.listen(4000)
53
+ ```
54
+
55
+ ## Environment variables
56
+
57
+ | Variable | Default | Description |
58
+ |-------------------|------------------|--------------------------------------|
59
+ | `DATABASE_URL` | required | PostgreSQL connection string |
60
+ | `VAULT_DB_SCHEMA` | `meyiconnect` | PostgreSQL schema for vault tables |
61
+ | `VAULT_MOUNT_PATH`| `/api/v1/vault` | Express mount path |
62
+
63
+ ## API routes
64
+
65
+ All routes require `req.user` set by the injected auth middleware.
66
+
67
+ ```
68
+ GET /api/v1/vault/vaults
69
+ POST /api/v1/vault/vaults
70
+ DELETE /api/v1/vault/vaults/:id
71
+
72
+ GET /api/v1/vault/vaults/:vaultId/groups
73
+ POST /api/v1/vault/vaults/:vaultId/groups
74
+ PUT /api/v1/vault/vaults/:vaultId/groups/:id
75
+ DELETE /api/v1/vault/vaults/:vaultId/groups/:id
76
+
77
+ GET /api/v1/vault/groups/:groupId/entries
78
+ POST /api/v1/vault/groups/:groupId/entries
79
+ PUT /api/v1/vault/groups/:groupId/entries/:id
80
+ DELETE /api/v1/vault/groups/:groupId/entries/:id (soft delete)
81
+
82
+ POST /api/v1/vault/grants
83
+ GET /api/v1/vault/grants
84
+ GET /api/v1/vault/grants/received
85
+ DELETE /api/v1/vault/grants/:id
86
+
87
+ GET /api/v1/vault/stats
88
+ ```
89
+
90
+ ## Security
91
+
92
+ - **AES-256-GCM** — authenticated encryption, throws on tampered ciphertext
93
+ - **Per-vault keys** — each vault has its own random 32-byte key
94
+ - **Soft deletes** — entries are never hard-deleted; `deleted_at` timestamp set
95
+ - **No auth code** — delegates entirely to the host's auth middleware via `verifyToken` injection
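Review bot: The plugin wrapper example (README lines 20-33) cannot load as written: it imports `install`, `start` and `stop` from 'vault-server' and then declares exported functions with the same names, which is a duplicate-declaration SyntaxError in an ES module, and if it did load, each wrapper would call itself rather than the library. Alias the imports, for example `import { install as vaultInstall, start as vaultStart, stop as vaultStop } from 'vault-server'`, and call the aliases inside the wrappers. Separately, the install command (README line 8) and both import statements name `vault-server`, while the page lists this package as meyi-vault-server, so anyone copying `npm install vault-server` fetches whatever is registered under that other name; the README should use the published name throughout. The Security section says each vault has its own random 32-byte key but not where those keys are stored or how they are protected at rest, and the standalone example's `myAuth` placeholder calls `next()` without setting `req.user` even though every route depends on it. Both deserve a sentence, since the README states that authentication is delegated entirely to the host's middleware.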