npm - neoagent - Versions diffs - 2.1.18-beta.98 → 2.2.0 - Mend

neoagent 2.1.18-beta.98 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +4 -3
package/package.json +12 -5
package/server/db/database.js +22 -0
package/server/public/assets/NOTICES +33 -0
package/server/public/assets/fonts/MaterialIcons-Regular.otf +0 -0
package/server/public/assets/web/icons/Icon-192.png +0 -0
package/server/public/favicon.png +0 -0
package/server/public/favicon.svg +6 -6
package/server/public/flutter_bootstrap.js +1 -1
package/server/public/icons/Icon-192.png +0 -0
package/server/public/icons/Icon-512.png +0 -0
package/server/public/icons/Icon-maskable-192.png +0 -0
package/server/public/icons/Icon-maskable-512.png +0 -0
package/server/public/main.dart.js +69558 -69369
package/server/routes/account.js +36 -0
package/server/routes/auth.js +91 -0
package/server/routes/mcp.js +16 -3
package/server/routes/scheduler.js +2 -1
package/server/services/account/qr_login.js +388 -0
package/server/services/scheduler/cron.js +15 -2

package/server/routes/account.js CHANGED Viewed

@@ -34,6 +34,10 @@ const {
   sendEmailChangeRequestedNotice,
   sendPasswordChangedNotice,
 } = require('../services/account/service_email');
+const {
+  approveChallenge,
+  resolveChallengeForApproval,
+} = require('../services/account/qr_login');
 const accountLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
@@ -222,6 +226,38 @@ router.post('/2fa/recovery-codes', accountLimiter, async (req, res) => {
   }
 });
+router.post('/qr-login/resolve', accountLimiter, (req, res) => {
+  try {
+    const challengeId = String(req.body?.challengeId || '').trim();
+    const secret = String(req.body?.secret || '').trim();
+    if (!challengeId || !secret) {
+      return res.status(400).json({ error: 'Challenge id and QR secret are required.' });
+    }
+    res.json(resolveChallengeForApproval({ challengeId, secret }));
+  } catch (err) {
+    sendRouteError(res, err);
+  }
+});
+router.post('/qr-login/approve', accountLimiter, (req, res) => {
+  try {
+    const challengeId = String(req.body?.challengeId || '').trim();
+    const secret = String(req.body?.secret || '').trim();
+    if (!challengeId || !secret) {
+      return res.status(400).json({ error: 'Challenge id and QR secret are required.' });
+    }
+    res.json(approveChallenge({
+      challengeId,
+      secret,
+      userId: req.session.userId,
+      approverSessionId: req.sessionID,
+      approvalMetadata: req.body?.approvalMetadata,
+    }));
+  } catch (err) {
+    sendRouteError(res, err);
+  }
+});
 router.get('/sessions', (req, res) => {
   try {
     res.json({ sessions: listSessions(req, req.session.userId) });

package/server/routes/auth.js CHANGED Viewed

@@ -24,6 +24,11 @@ const {
   sendSignupConfirmation,
   sendUnusualLoginNotice,
 } = require('../services/account/service_email');
+const {
+  claimApprovedChallenge,
+  createChallenge,
+  getChallengeStatusForPoll,
+} = require('../services/account/qr_login');
 const authLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
@@ -33,6 +38,22 @@ const authLimiter = rateLimit({
   legacyHeaders: false,
 });
+const qrLoginPollLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 180,
+  message: { error: 'Too many QR login status checks, try again shortly' },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+const qrLoginClaimLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 40,
+  message: { error: 'Too many QR login completion attempts, try again shortly' },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
 const passwordResetLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
   max: 8,
@@ -87,6 +108,12 @@ function establishSession(req, res, user) {
   });
 }
+function baseUrlFor(req) {
+  const configured = req.app?.locals?.httpRuntimeConfig?.publicUrl || process.env.PUBLIC_URL || '';
+  if (configured) return String(configured).replace(/\/+$/, '');
+  return `${req.protocol}://${req.get('host')}`;
+}
 function readAuthenticatedUser(req) {
   if (!req.session || !req.session.userId) {
     return null;
@@ -550,6 +577,70 @@ router.post('/api/auth/password/forgot', authLimiter, async (req, res) => {
   }
 });
+router.post('/api/auth/qr-login/challenge', authLimiter, (req, res) => {
+  try {
+    const challenge = createChallenge(req, {
+      requestMetadata: req.body?.requestMetadata,
+    });
+    const payload = new URL('neoagent://qr-login');
+    payload.searchParams.set('v', '1');
+    payload.searchParams.set('backend', baseUrlFor(req));
+    payload.searchParams.set('challenge', challenge.challengeId);
+    payload.searchParams.set('secret', challenge.approveSecret);
+    res.json({
+      challengeId: challenge.challengeId,
+      pollToken: challenge.pollToken,
+      expiresAt: challenge.expiresAt,
+      status: challenge.status,
+      qrPayload: payload.toString(),
+      backendUrl: baseUrlFor(req),
+    });
+  } catch (error) {
+    res.status(Number(error?.statusCode || 500)).json({
+      error: error?.message || 'Could not create QR login request.',
+    });
+  }
+});
+router.post('/api/auth/qr-login/challenge/:id/status', qrLoginPollLimiter, (req, res) => {
+  try {
+    const pollToken = String(req.body?.token || '').trim();
+    if (!pollToken) {
+      return res.status(400).json({ error: 'QR login poll token is required.' });
+    }
+    res.json(
+      getChallengeStatusForPoll({
+        challengeId: req.params.id,
+        pollToken,
+      }),
+    );
+  } catch (error) {
+    res.status(Number(error?.statusCode || 500)).json({
+      error: error?.message || 'Could not read QR login status.',
+    });
+  }
+});
+router.post('/api/auth/qr-login/challenge/:id/claim', qrLoginClaimLimiter, (req, res) => {
+  try {
+    const pollToken = String(req.body?.token || '').trim();
+    if (!pollToken) {
+      return res.status(400).json({ error: 'QR login poll token is required.' });
+    }
+    const result = claimApprovedChallenge({
+      challengeId: req.params.id,
+      pollToken,
+    });
+    updateLastLogin(result.user.id);
+    return establishSession(req, res, result.user);
+  } catch (error) {
+    const statusCode = Number(error?.statusCode || 500);
+    return res.status(statusCode).json({
+      error: error?.message || 'Could not complete QR login.',
+    });
+  }
+});
 router.get('/api/auth/password/reset', (req, res) => {
   const token = String(req.query?.token || '').trim();
   if (!token) {

package/server/routes/mcp.js CHANGED Viewed

@@ -4,7 +4,7 @@ const db = require('../db/database');
 const { requireAuth } = require('../middleware/auth');
 const { sanitizeError } = require('../utils/security');
 const { validateRemoteMcpEndpoint } = require('../services/runtime/mcp');
-const { getAgentIdFromRequest, resolveAgentId } = require('../services/agents/manager');
+const { getAgentIdFromRequest, isMainAgent, resolveAgentId } = require('../services/agents/manager');
 const { resolvePublicBaseUrl } = require('../services/integrations/env');
 const MCP_OAUTH_STATE_RE = /^(\d+)::[a-f0-9]{32}$/;
@@ -21,9 +21,22 @@ router.use(requireAuth);
 // List configured MCP servers
 router.get('/', (req, res) => {
-  const servers = db.prepare('SELECT * FROM mcp_servers WHERE user_id = ? ORDER BY name ASC').all(req.session.userId);
+  const agentId = resolveAgentId(req.session.userId, getAgentIdFromRequest(req));
+  const includeLegacyMainServers = isMainAgent(req.session.userId, agentId);
+  const servers = includeLegacyMainServers
+    ? db.prepare(
+      `SELECT * FROM mcp_servers
+       WHERE user_id = ?
+         AND (agent_id = ? OR agent_id IS NULL)
+       ORDER BY name ASC`
+    ).all(req.session.userId, agentId)
+    : db.prepare(
+      `SELECT * FROM mcp_servers
+       WHERE user_id = ? AND agent_id = ?
+       ORDER BY name ASC`
+    ).all(req.session.userId, agentId);
   const mcpClient = req.app.locals.mcpClient;
-  const liveStatuses = mcpClient.getStatus(req.session.userId);
+  const liveStatuses = mcpClient.getStatus(req.session.userId, { agentId });
   const result = servers.map(s => ({
     id: s.id,

package/server/routes/scheduler.js CHANGED Viewed

@@ -10,7 +10,8 @@ router.use(requireAuth);
 // List scheduled tasks
 router.get('/', (req, res) => {
   const scheduler = req.app.locals.scheduler;
-  res.json(scheduler.listTasks(req.session.userId));
+  const agentId = resolveAgentId(req.session.userId, getAgentIdFromRequest(req));
+  res.json(scheduler.listTasks(req.session.userId, { agentId }));
 });
 // Create a new scheduled task

package/server/services/account/qr_login.js ADDED Viewed

@@ -0,0 +1,388 @@
+'use strict';
+const crypto = require('crypto');
+const { randomUUID } = require('crypto');
+const db = require('../../db/database');
+const { clientIpFromRequest, lookupIpLocation } = require('./geoip');
+const { sessionHash } = require('./sessions');
+const QR_LOGIN_TTL_MS = 2 * 60 * 1000;
+const QR_LOGIN_TERMINAL_RETENTION_MS = 60 * 60 * 1000;
+function sqliteDateFromMs(ms) {
+  return new Date(ms).toISOString().replace('T', ' ').replace(/\.\d{3}Z$/, '');
+}
+function tokenHash(token) {
+  return crypto.createHash('sha256').update(String(token || '')).digest('hex');
+}
+function parseSqliteUtcMs(value) {
+  const raw = String(value || '').trim();
+  if (!raw) return Number.NaN;
+  const normalized = raw.includes('T') ? raw : raw.replace(' ', 'T');
+  const utcValue = /(?:Z|[+-]\d{2}:\d{2})$/.test(normalized)
+    ? normalized
+    : `${normalized}Z`;
+  return Date.parse(utcValue);
+}
+function randomToken(bytes = 24) {
+  return crypto.randomBytes(bytes).toString('base64url');
+}
+function trimmedString(value, maxLength = 160) {
+  return String(value || '').trim().slice(0, maxLength);
+}
+function userAgentFromRequest(req) {
+  return trimmedString(req.get?.('user-agent') || req.headers?.['user-agent'] || '', 500);
+}
+function parseJsonObject(value) {
+  try {
+    const parsed = JSON.parse(value || '{}');
+    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function normalizeMetadata(value) {
+  const raw = value && typeof value === 'object' && !Array.isArray(value) ? value : {};
+  const metadata = {
+    deviceLabel: trimmedString(raw.deviceLabel, 120),
+    platformLabel: trimmedString(raw.platformLabel, 60),
+    browserLabel: trimmedString(raw.browserLabel, 60),
+    deviceClass: trimmedString(raw.deviceClass, 24).toLowerCase(),
+    appMode: trimmedString(raw.appMode, 24).toLowerCase(),
+    platform: trimmedString(raw.platform, 32).toLowerCase(),
+  };
+  if (!['mobile', 'tablet', 'desktop', 'server', 'unknown'].includes(metadata.deviceClass)) {
+    metadata.deviceClass = '';
+  }
+  return metadata;
+}
+function parseClientDescriptor(userAgent, metadata = {}) {
+  const lower = String(userAgent || '').toLowerCase();
+  const isTablet = lower.includes('ipad') || lower.includes('tablet');
+  const isMobile = !isTablet && (
+    lower.includes('iphone')
+    || lower.includes('android') && lower.includes('mobile')
+  );
+  const platformLabel = metadata.platformLabel || (() => {
+    if (lower.includes('iphone')) return 'iPhone';
+    if (lower.includes('ipad')) return 'iPad';
+    if (lower.includes('android')) return 'Android';
+    if (lower.includes('mac os x') || lower.includes('macintosh')) return 'macOS';
+    if (lower.includes('windows nt')) return 'Windows';
+    if (lower.includes('linux') || lower.includes('x11')) return 'Linux';
+    if (lower.includes('curl/') || lower.includes('wget/') || lower.includes('httpie/')) return 'CLI session';
+    return 'Unknown device';
+  })();
+  const browserLabel = metadata.browserLabel || (() => {
+    if (lower.includes('edg/')) return 'Edge';
+    if (lower.includes('opr/') || lower.includes('opera/')) return 'Opera';
+    if (lower.includes('brave/')) return 'Brave';
+    if (lower.includes('firefox/')) return 'Firefox';
+    if (lower.includes('chrome/') || lower.includes('crios/') || lower.includes('chromium/')) return 'Chrome';
+    if (lower.includes('safari/') && lower.includes('version/')) return 'Safari';
+    if (lower.includes('dart/')) return 'Flutter app';
+    if (lower.includes('curl/')) return 'curl';
+    if (lower.includes('wget/')) return 'wget';
+    if (lower.includes('httpie/')) return 'HTTPie';
+    return 'Unknown browser';
+  })();
+  const deviceClass = metadata.deviceClass || (() => {
+    if (platformLabel === 'CLI session') return 'server';
+    if (isTablet) return 'tablet';
+    if (isMobile) return 'mobile';
+    if (['macOS', 'Windows', 'Linux'].includes(platformLabel)) return 'desktop';
+    return 'unknown';
+  })();
+  const primaryLabel = metadata.deviceLabel || (() => {
+    const parts = [platformLabel];
+    if (browserLabel && browserLabel !== 'Unknown browser' && browserLabel !== 'Flutter app') {
+      parts.push(browserLabel);
+    } else if (browserLabel === 'Flutter app') {
+      parts.push('App');
+    }
+    return parts.join(' · ');
+  })();
+  return {
+    label: primaryLabel,
+    platformLabel,
+    browserLabel,
+    deviceClass,
+  };
+}
+function challengeIsExpired(row, nowMs = Date.now()) {
+  const expiresAtMs = parseSqliteUtcMs(row?.expires_at);
+  return !Number.isFinite(expiresAtMs) || expiresAtMs <= nowMs;
+}
+function challengeNotFoundError() {
+  const error = new Error('QR login request was not found or has expired.');
+  error.statusCode = 404;
+  return error;
+}
+function challengeStateError(message, statusCode = 409) {
+  const error = new Error(message);
+  error.statusCode = statusCode;
+  return error;
+}
+function pruneExpiredChallenges() {
+  db.prepare(`
+    UPDATE user_qr_login_challenges
+    SET status = 'expired'
+    WHERE status IN ('pending', 'approved')
+      AND datetime(expires_at) <= datetime('now')
+  `).run();
+  const retentionCutoff = sqliteDateFromMs(
+    Date.now() - QR_LOGIN_TERMINAL_RETENTION_MS,
+  );
+  db.prepare(`
+    DELETE FROM user_qr_login_challenges
+    WHERE status IN ('expired', 'claimed')
+      AND datetime(COALESCE(claimed_at, expires_at, created_at)) <= datetime(?)
+  `).run(retentionCutoff);
+}
+function getChallengeRowByApproveSecret(challengeId, secret) {
+  pruneExpiredChallenges();
+  return db.prepare(`
+    SELECT *
+    FROM user_qr_login_challenges
+    WHERE id = ?
+      AND approve_secret_hash = ?
+    LIMIT 1
+  `).get(String(challengeId || '').trim(), tokenHash(secret));
+}
+function getChallengeRowByPollToken(challengeId, pollToken) {
+  pruneExpiredChallenges();
+  return db.prepare(`
+    SELECT *
+    FROM user_qr_login_challenges
+    WHERE id = ?
+      AND poll_token_hash = ?
+    LIMIT 1
+  `).get(String(challengeId || '').trim(), tokenHash(pollToken));
+}
+function serializeChallenge(row) {
+  const requestMetadata = parseJsonObject(row.request_metadata_json);
+  const approvedMetadata = parseJsonObject(row.approved_metadata_json);
+  const requestLocation = parseJsonObject(row.request_location_json);
+  const descriptor = parseClientDescriptor(row.request_user_agent, requestMetadata);
+  return {
+    challengeId: row.id,
+    status: row.status || 'pending',
+    requestedAt: row.created_at || null,
+    expiresAt: row.expires_at || null,
+    approvedAt: row.approved_at || null,
+    claimedAt: row.claimed_at || null,
+    requestedDevice: {
+      label: descriptor.label,
+      platformLabel: descriptor.platformLabel,
+      browserLabel: descriptor.browserLabel,
+      deviceClass: descriptor.deviceClass,
+      userAgent: row.request_user_agent || '',
+      metadata: requestMetadata,
+    },
+    requestLocation: {
+      label: row.request_location_label || 'Unknown',
+      ipAddress: row.request_ip_address || null,
+      city: trimmedString(requestLocation.city, 80) || null,
+      region: trimmedString(requestLocation.region, 80) || null,
+      country: trimmedString(requestLocation.country, 80) || null,
+      timezone: trimmedString(requestLocation.timezone, 80) || null,
+    },
+    approval: row.approved_by_user_id ? {
+      userId: Number(row.approved_by_user_id),
+      metadata: approvedMetadata,
+    } : null,
+  };
+}
+function createChallenge(req, options = {}) {
+  pruneExpiredChallenges();
+  const requestMetadata = normalizeMetadata(options.requestMetadata);
+  const geo = lookupIpLocation(clientIpFromRequest(req));
+  const userAgent = userAgentFromRequest(req);
+  const challengeId = randomUUID();
+  const pollToken = randomToken();
+  const approveSecret = randomToken();
+  const expiresAt = sqliteDateFromMs(Date.now() + QR_LOGIN_TTL_MS);
+  db.prepare(`
+    INSERT INTO user_qr_login_challenges (
+      id,
+      poll_token_hash,
+      approve_secret_hash,
+      status,
+      request_user_agent,
+      request_ip_address,
+      request_location_label,
+      request_location_json,
+      request_metadata_json,
+      expires_at
+    )
+    VALUES (?, ?, ?, 'pending', ?, ?, ?, ?, ?, ?)
+  `).run(
+    challengeId,
+    tokenHash(pollToken),
+    tokenHash(approveSecret),
+    userAgent,
+    geo.ipAddress,
+    geo.label,
+    JSON.stringify(geo.data || {}),
+    JSON.stringify(requestMetadata),
+    expiresAt,
+  );
+  return {
+    challengeId,
+    pollToken,
+    approveSecret,
+    expiresAt,
+    status: 'pending',
+  };
+}
+function resolveChallengeForApproval({ challengeId, secret }) {
+  const row = getChallengeRowByApproveSecret(challengeId, secret);
+  if (!row || challengeIsExpired(row) || row.status === 'expired') {
+    throw challengeNotFoundError();
+  }
+  return serializeChallenge(row);
+}
+function approveChallenge({
+  challengeId,
+  secret,
+  userId,
+  approverSessionId,
+  approvalMetadata,
+}) {
+  const metadata = normalizeMetadata(approvalMetadata);
+  const row = getChallengeRowByApproveSecret(challengeId, secret);
+  if (!row || challengeIsExpired(row) || row.status === 'expired') {
+    throw challengeNotFoundError();
+  }
+  if (row.status === 'claimed') {
+    throw challengeStateError('This QR login request was already used.');
+  }
+  if (row.status === 'approved' &&
+      row.approved_by_user_id &&
+      Number(row.approved_by_user_id) !== Number(userId)) {
+    throw challengeStateError('This QR login request was already approved.');
+  }
+  const approvedSessionHash = approverSessionId ? sessionHash(approverSessionId) : null;
+  const now = sqliteDateFromMs(Date.now());
+  db.prepare(`
+    UPDATE user_qr_login_challenges
+    SET status = 'approved',
+        approved_by_user_id = ?,
+        approved_session_hash = ?,
+        approved_metadata_json = ?,
+        approved_at = ?
+    WHERE id = ?
+      AND status IN ('pending', 'approved')
+  `).run(
+    userId,
+    approvedSessionHash,
+    JSON.stringify(metadata),
+    now,
+    row.id,
+  );
+  return resolveChallengeForApproval({ challengeId, secret });
+}
+function getChallengeStatusForPoll({ challengeId, pollToken }) {
+  const row = getChallengeRowByPollToken(challengeId, pollToken);
+  if (!row || challengeIsExpired(row) || row.status === 'expired') {
+    return {
+      challengeId: String(challengeId || '').trim(),
+      status: 'expired',
+      expiresAt: row?.expires_at || null,
+    };
+  }
+  return {
+    challengeId: row.id,
+    status: row.status || 'pending',
+    expiresAt: row.expires_at || null,
+    approvedAt: row.approved_at || null,
+    claimedAt: row.claimed_at || null,
+  };
+}
+function claimApprovedChallenge({ challengeId, pollToken }) {
+  const row = getChallengeRowByPollToken(challengeId, pollToken);
+  if (!row || challengeIsExpired(row) || row.status === 'expired') {
+    throw challengeNotFoundError();
+  }
+  if (row.status === 'claimed') {
+    throw challengeStateError('This QR login request was already used.');
+  }
+  if (row.status !== 'approved' || !row.approved_by_user_id) {
+    throw challengeStateError('This QR login request is not approved yet.', 409);
+  }
+  const now = sqliteDateFromMs(Date.now());
+  const result = db.prepare(`
+    UPDATE user_qr_login_challenges
+    SET status = 'claimed',
+        claimed_at = ?
+    WHERE id = ?
+      AND poll_token_hash = ?
+      AND status = 'approved'
+  `).run(now, row.id, tokenHash(pollToken));
+  if (result.changes !== 1) {
+    throw challengeStateError('This QR login request is no longer available.');
+  }
+  const user = db.prepare(`
+    SELECT id, username, email, email_verified_at, password_login_enabled, created_at, last_login
+    FROM users
+    WHERE id = ?
+  `).get(row.approved_by_user_id);
+  if (!user) {
+    throw challengeStateError('The approving account is no longer available.', 404);
+  }
+  return {
+    user,
+    challenge: serializeChallenge({
+      ...row,
+      status: 'claimed',
+      claimed_at: now,
+    }),
+  };
+}
+module.exports = {
+  createChallenge,
+  approveChallenge,
+  claimApprovedChallenge,
+  getChallengeStatusForPoll,
+  resolveChallengeForApproval,
+  __test: {
+    challengeIsExpired,
+    parseSqliteUtcMs,
+  },
+};

package/server/services/scheduler/cron.js CHANGED Viewed

@@ -177,8 +177,21 @@ class Scheduler {
     return { deleted: true };
   }
-  listTasks(userId) {
-    const tasks = db.prepare('SELECT * FROM scheduled_tasks WHERE user_id = ? ORDER BY created_at DESC').all(userId);
+  listTasks(userId, options = {}) {
+    const agentId = resolveAgentId(userId, options.agentId || options.agent_id || null);
+    const includeLegacyMainTasks = isMainAgent(userId, agentId);
+    const tasks = includeLegacyMainTasks
+      ? db.prepare(
+        `SELECT * FROM scheduled_tasks
+         WHERE user_id = ?
+           AND (agent_id = ? OR agent_id IS NULL)
+         ORDER BY created_at DESC`
+      ).all(userId, agentId)
+      : db.prepare(
+        `SELECT * FROM scheduled_tasks
+         WHERE user_id = ? AND agent_id = ?
+         ORDER BY created_at DESC`
+      ).all(userId, agentId);
     return tasks.map(t => {
       const config = this._normalizeTaskConfig(t.task_config);
       return {