nodio-cli 1.1.1 → 1.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodio-cli",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "Nodio distributed storage network",
   "main": "src/server/index.js",
   "type": "commonjs",
@@ -26,6 +26,8 @@
   "dependencies": {
     "@filoz/synapse-sdk": "^0.41.0",
     "axios": "^1.11.0",
+    "argon2": "^0.43.0",
+    "bcrypt": "^6.0.0",
     "commander": "^14.0.1",
     "cors": "^2.8.5",
     "dotenv": "^17.4.2",

package/render.yaml

@@ -12,6 +12,14 @@ services:
         value: 20
       - key: NODIO_MONGO_URI
         sync: false
+      - key: NODIO_WALLET_PRIVATE_KEY
+        sync: false
+      - key: NODIO_WALLET_ADDRESS
+        sync: false
+      - key: FILECOIN_NETWORK
+        sync: false
+      - key: FILECOIN_RPC_URL
+        sync: false
       - key: NODIO_HEARTBEAT_INTERVAL_MS
         value: "30000"
       - key: NODIO_OFFLINE_AFTER_MISSES

package/src/cli/session.js

@@ -0,0 +1,93 @@
+const fs = require('fs/promises');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+const argon2 = require('argon2');
+const { encryptAes256Gcm, decryptAes256Gcm } = require('../common/crypto');
+
+const SESSION_DIR = '.nodio';
+const SESSION_FILE = 'session.json';
+
+function getSessionPath() {
+  return path.join(os.homedir(), SESSION_DIR, SESSION_FILE);
+}
+
+async function loadSession() {
+  try {
+    const raw = await fs.readFile(getSessionPath(), 'utf8');
+    return JSON.parse(raw);
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return null;
+    }
+    throw error;
+  }
+}
+
+async function saveSession(session) {
+  const dir = path.join(os.homedir(), SESSION_DIR);
+  await fs.mkdir(dir, { recursive: true });
+  await fs.writeFile(getSessionPath(), JSON.stringify(session, null, 2));
+}
+
+async function clearSession() {
+  try {
+    await fs.unlink(getSessionPath());
+  } catch (error) {
+    if (error.code !== 'ENOENT') {
+      throw error;
+    }
+  }
+}
+
+async function deriveMasterKey(password, argon2Salt) {
+  const saltBuffer = Buffer.from(argon2Salt, 'hex');
+  return argon2.hash(password, {
+    type: argon2.argon2id,
+    salt: saltBuffer,
+    hashLength: 32,
+    raw: true
+  });
+}
+
+function deriveSessionKey(apiToken) {
+  return crypto.createHash('sha256').update(apiToken).digest();
+}
+
+function packEncryptedKey({ iv, authTag, cipherText }) {
+  return `${iv}:${authTag}:${cipherText.toString('base64')}`;
+}
+
+function unpackEncryptedKey(payload) {
+  const [iv, authTag, cipherText] = String(payload || '').split(':');
+  if (!iv || !authTag || !cipherText) {
+    throw new Error('invalid encryptedMasterKey format');
+  }
+  return {
+    iv,
+    authTag,
+    cipherText: Buffer.from(cipherText, 'base64')
+  };
+}
+
+function encryptMasterKey(masterKeyBuffer, apiToken) {
+  const sessionKey = deriveSessionKey(apiToken);
+  const encrypted = encryptAes256Gcm(masterKeyBuffer, sessionKey);
+  return packEncryptedKey(encrypted);
+}
+
+function decryptMasterKey(encryptedMasterKey, apiToken) {
+  const sessionKey = deriveSessionKey(apiToken);
+  const payload = unpackEncryptedKey(encryptedMasterKey);
+  return decryptAes256Gcm(payload.cipherText, sessionKey, payload.iv, payload.authTag);
+}
+
+module.exports = {
+  getSessionPath,
+  loadSession,
+  saveSession,
+  clearSession,
+  deriveMasterKey,
+  encryptMasterKey,
+  decryptMasterKey
+};

package/src/server/index.js

@@ -4,6 +4,7 @@ const cors = require('cors');
 const mongoose = require('mongoose');
 const { getServerConfig } = require('./config');
 const { buildRoutes } = require('./routes');
+const authRoutes = require('./routes/auth');
 const { NodeModel } = require('./models');
 const { markNodeOfflineAndRecover } = require('./services');
 const { getWalletBalance } = require('../../services/filecoin');
@@ -29,13 +30,14 @@ async function startServer() {
       callback(new Error('Not allowed by CORS'));
     },
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-    allowedHeaders: ['Content-Type', 'Authorization'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'x-api-token'],
     optionsSuccessStatus: 200
   };
 
   app.use(cors(corsOptions));
   app.options(/.*/, cors(corsOptions));
   app.use(express.json({ limit: '50mb' }));
+  app.use('/api/auth', authRoutes);
   app.use('/api', buildRoutes(config));
 
   app.use((error, _req, res, _next) => {

package/src/server/middleware/verifyToken.js

@@ -0,0 +1,35 @@
+const { UserModel } = require('../models');
+
+function extractToken(req) {
+  const header = req.headers.authorization || '';
+  if (header.startsWith('Bearer ')) {
+    return header.slice('Bearer '.length).trim();
+  }
+  const apiTokenHeader = req.headers['x-api-token'];
+  if (typeof apiTokenHeader === 'string' && apiTokenHeader.trim()) {
+    return apiTokenHeader.trim();
+  }
+  return null;
+}
+
+async function verifyToken(req, res, next) {
+  try {
+    const token = extractToken(req);
+    if (!token) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    const user = await UserModel.findOne({ apiToken: token }).lean();
+    if (!user) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    req.userId = user.userId;
+    req.user = user;
+    return next();
+  } catch (error) {
+    return next(error);
+  }
+}
+
+module.exports = verifyToken;

package/src/server/models/user.js

@@ -0,0 +1,17 @@
+const mongoose = require('mongoose');
+
+const userSchema = new mongoose.Schema(
+  {
+    userId: { type: String, required: true, unique: true, index: true },
+    email: { type: String, required: true, unique: true, index: true },
+    passwordHash: { type: String, required: true },
+    argon2Salt: { type: String, required: true },
+    apiToken: { type: String, required: true, unique: true, index: true },
+    createdAt: { type: Date, default: Date.now }
+  },
+  { timestamps: false }
+);
+
+module.exports = {
+  UserModel: mongoose.model('User', userSchema)
+};

package/src/server/models.js

@@ -1,4 +1,5 @@
 const mongoose = require('mongoose');
+const { UserModel } = require('./models/user');
 
 const nodeSchema = new mongoose.Schema(
   {
@@ -23,6 +24,8 @@ const fileSchema = new mongoose.Schema(
     sizeBytes: { type: Number, required: true, min: 0 },
     shardCount: { type: Number, required: true, min: 1 },
     cipher: { type: String, required: true, default: 'aes-256-gcm' },
+    userId: { type: String, default: null, index: true },
+    encryptedAESKey: { type: String, default: null },
     filecoinCid: { type: String, default: null },
     filecoinBackedUp: { type: Boolean, default: false },
     metadata: { type: mongoose.Schema.Types.Mixed, default: {} }
@@ -110,6 +113,7 @@ const relayTaskSchema = new mongoose.Schema(
 relayTaskSchema.index({ opId: 1, nodeId: 1, taskType: 1 });
 
 module.exports = {
+  UserModel,
   NodeModel: mongoose.model('Node', nodeSchema),
   FileModel: mongoose.model('File', fileSchema),
   ShardModel: mongoose.model('Shard', shardSchema),

package/src/server/routes/auth.js

@@ -0,0 +1,96 @@
+const express = require('express');
+const crypto = require('crypto');
+const bcrypt = require('bcrypt');
+const { v4: uuidv4 } = require('uuid');
+const { UserModel } = require('../models');
+const verifyToken = require('../middleware/verifyToken');
+
+function isValidEmail(email) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
+
+const router = express.Router();
+
+router.post('/register', async (req, res, next) => {
+  try {
+    const email = String(req.body?.email || '').trim().toLowerCase();
+    const password = String(req.body?.password || '');
+
+    if (!email || !isValidEmail(email)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+    if (!password) {
+      return res.status(400).json({ error: 'Password is required' });
+    }
+
+    const existing = await UserModel.findOne({ email }).lean();
+    if (existing) {
+      return res.status(400).json({ error: 'Email already exists' });
+    }
+
+    const passwordHash = await bcrypt.hash(password, 12);
+    const argon2Salt = crypto.randomBytes(32).toString('hex');
+    const apiToken = crypto.randomBytes(64).toString('hex');
+    const userId = uuidv4();
+
+    const user = await UserModel.create({
+      userId,
+      email,
+      passwordHash,
+      argon2Salt,
+      apiToken
+    });
+
+    res.json({
+      userId: user.userId,
+      apiToken: user.apiToken,
+      argon2Salt: user.argon2Salt
+    });
+  } catch (error) {
+    next(error);
+  }
+});
+
+router.post('/login', async (req, res, next) => {
+  try {
+    const email = String(req.body?.email || '').trim().toLowerCase();
+    const password = String(req.body?.password || '');
+
+    if (!email || !password) {
+      return res.status(401).json({ error: 'Invalid email or password' });
+    }
+
+    const user = await UserModel.findOne({ email });
+    if (!user) {
+      return res.status(401).json({ error: 'Invalid email or password' });
+    }
+
+    const matches = await bcrypt.compare(password, user.passwordHash);
+    if (!matches) {
+      return res.status(401).json({ error: 'Invalid email or password' });
+    }
+
+    res.json({
+      userId: user.userId,
+      email: user.email,
+      apiToken: user.apiToken,
+      argon2Salt: user.argon2Salt
+    });
+  } catch (error) {
+    next(error);
+  }
+});
+
+router.get('/me', verifyToken, async (req, res, next) => {
+  try {
+    res.json({
+      userId: req.user?.userId,
+      email: req.user?.email,
+      argon2Salt: req.user?.argon2Salt
+    });
+  } catch (error) {
+    next(error);
+  }
+});
+
+module.exports = router;

package/src/server/routes.js

@@ -9,6 +9,7 @@ const {
   ReplicationTaskModel,
   RelayTaskModel
 } = require('./models');
+const verifyToken = require('./middleware/verifyToken');
 const { uploadToFilecoin } = require('../../services/filecoin');
 const {
   chooseDistinctOnlineNodes,
@@ -511,9 +512,9 @@ function buildRoutes(config) {
     }
   });
 
-  router.post('/files/register', async (req, res, next) => {
+  router.post('/files/register', verifyToken, async (req, res, next) => {
     try {
-      const { fileId, originalName, sizeBytes, shardCount, cipher, metadata } = req.body;
+      const { fileId, originalName, sizeBytes, shardCount, cipher, metadata, encryptedAESKey } = req.body;
       if (!originalName || !Number.isFinite(Number(sizeBytes)) || Number(sizeBytes) < 0) {
         return res.status(400).json({ error: 'originalName and sizeBytes are required' });
       }
@@ -521,17 +522,33 @@ function buildRoutes(config) {
       const normalizedShardCount = parsePositiveInt(shardCount, 1);
       const actualFileId = fileId || uuidv4();
 
+      const existing = await FileModel.findOne({ fileId: actualFileId }).lean();
+      if (existing?.userId && existing.userId !== req.userId) {
+        return res.status(403).json({ error: 'Forbidden' });
+      }
+
+      const nextMetadata = metadata === undefined ? existing?.metadata || {} : metadata;
+      const update = {
+        fileId: actualFileId,
+        originalName,
+        sizeBytes: Number(sizeBytes),
+        shardCount: normalizedShardCount,
+        cipher: cipher || 'aes-256-gcm',
+        metadata: nextMetadata
+      };
+
+      if (!existing?.userId) {
+        update.userId = req.userId;
+      }
+
+      if (typeof encryptedAESKey === 'string' && encryptedAESKey.trim()) {
+        update.encryptedAESKey = encryptedAESKey.trim();
+      }
+
       const file = await FileModel.findOneAndUpdate(
         { fileId: actualFileId },
         {
-          $set: {
-            fileId: actualFileId,
-            originalName,
-            sizeBytes: Number(sizeBytes),
-            shardCount: normalizedShardCount,
-            cipher: cipher || 'aes-256-gcm',
-            metadata: metadata || {}
-          }
+          $set: update
         },
         { upsert: true, new: true, setDefaultsOnInsert: true }
       );
@@ -542,7 +559,7 @@ function buildRoutes(config) {
     }
   });
 
-  router.post('/files/:fileId/filecoin', async (req, res, next) => {
+  router.post('/files/:fileId/filecoin', verifyToken, async (req, res, next) => {
     try {
       const { fileId } = req.params;
       const { filecoinCid, filecoinBackedUp } = req.body;
@@ -554,7 +571,15 @@ function buildRoutes(config) {
         return res.status(400).json({ error: 'filecoinCid is required' });
       }
 
-      const file = await FileModel.findOneAndUpdate(
+      const file = await FileModel.findOne({ fileId });
+      if (!file) {
+        return res.status(404).json({ error: 'file not found' });
+      }
+      if (file.userId && file.userId !== req.userId) {
+        return res.status(403).json({ error: 'Forbidden' });
+      }
+
+      const updated = await FileModel.findOneAndUpdate(
         { fileId },
         {
           $set: {
@@ -565,17 +590,13 @@ function buildRoutes(config) {
         { new: true }
       );
 
-      if (!file) {
-        return res.status(404).json({ error: 'file not found' });
-      }
-
-      res.json({ ok: true, fileId: file.fileId, filecoinCid: file.filecoinCid });
+      res.json({ ok: true, fileId: updated.fileId, filecoinCid: updated.filecoinCid });
     } catch (error) {
       next(error);
     }
   });
 
-  router.post('/files/:fileId/filecoin/upload', async (req, res, next) => {
+  router.post('/files/:fileId/filecoin/upload', verifyToken, async (req, res, next) => {
     try {
       const { fileId } = req.params;
       const { dataBase64 } = req.body;
@@ -597,7 +618,15 @@ function buildRoutes(config) {
         return res.status(502).json({ error: 'filecoin upload failed' });
       }
 
-      const file = await FileModel.findOneAndUpdate(
+      const file = await FileModel.findOne({ fileId });
+      if (!file) {
+        return res.status(404).json({ error: 'file not found' });
+      }
+      if (file.userId && file.userId !== req.userId) {
+        return res.status(403).json({ error: 'Forbidden' });
+      }
+
+      const updated = await FileModel.findOneAndUpdate(
         { fileId },
         {
           $set: {
@@ -608,11 +637,7 @@ function buildRoutes(config) {
         { new: true }
       );
 
-      if (!file) {
-        return res.status(404).json({ error: 'file not found' });
-      }
-
-      res.json({ ok: true, fileId: file.fileId, filecoinCid: cid });
+      res.json({ ok: true, fileId: updated.fileId, filecoinCid: cid });
     } catch (error) {
       next(error);
     }
@@ -696,13 +721,16 @@ function buildRoutes(config) {
     }
   });
 
-  router.delete('/files/:fileId', async (req, res, next) => {
+  router.delete('/files/:fileId', verifyToken, async (req, res, next) => {
     try {
       const { fileId } = req.params;
       const file = await FileModel.findOne({ fileId }).lean();
       if (!file) {
         return res.status(404).json({ error: 'file not found' });
       }
+      if (file.userId && file.userId !== req.userId) {
+        return res.status(403).json({ error: 'Forbidden' });
+      }
 
       const shards = await ShardModel.find({ fileId }).select('shardId').lean();
       const shardIds = shards.map((shard) => shard.shardId);
@@ -771,13 +799,16 @@ function buildRoutes(config) {
     }
   });
 
-  router.get('/files/:fileId/manifest', async (req, res, next) => {
+  router.get('/files/:fileId/manifest', verifyToken, async (req, res, next) => {
     try {
       const { fileId } = req.params;
       const file = await FileModel.findOne({ fileId }).lean();
       if (!file) {
         return res.status(404).json({ error: 'file not found' });
       }
+      if (file.userId && file.userId !== req.userId) {
+        return res.status(403).json({ error: 'Forbidden' });
+      }
 
       const shards = await ShardModel.find({ fileId }).sort({ order: 1 }).lean();
       const placements = await ShardPlacementModel.find({ fileId, status: 'available' }).lean();
@@ -813,6 +844,8 @@ function buildRoutes(config) {
           sizeBytes: file.sizeBytes,
           shardCount: file.shardCount,
           cipher: file.cipher,
+          userId: file.userId || null,
+          encryptedAESKey: file.encryptedAESKey || null,
           metadata: file.metadata,
           filecoinCid: file.filecoinCid || null,
           filecoinBackedUp: Boolean(file.filecoinBackedUp)

package/src/user/commands.js

@@ -2,10 +2,132 @@ const fs = require('fs/promises');
 const path = require('path');
 const crypto = require('crypto');
 const axios = require('axios');
+const readline = require('readline');
 const { v4: uuidv4 } = require('uuid');
 const { createApiClient, normalizeUrl } = require('./client');
 const { encryptAes256Gcm, decryptAes256Gcm, sha256Hex } = require('../common/crypto');
 const { retrieveFromFilecoin } = require('../../services/filecoin');
+const {
+  loadSession,
+  saveSession,
+  clearSession,
+  deriveMasterKey,
+  encryptMasterKey,
+  decryptMasterKey
+} = require('../cli/session');
+
+function promptInput(promptText) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+    rl.question(promptText, (answer) => {
+      rl.close();
+      resolve(String(answer || '').trim());
+    });
+  });
+}
+
+function promptHiddenInput(promptText) {
+  return new Promise((resolve) => {
+    process.stdout.write(promptText);
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+    rl.stdoutMuted = true;
+    rl._writeToOutput = function _writeToOutput(stringToWrite) {
+      if (rl.stdoutMuted) {
+        rl.output.write('*');
+      } else {
+        rl.output.write(stringToWrite);
+      }
+    };
+    rl.question('', (answer) => {
+      rl.history = rl.history.slice(1);
+      rl.close();
+      process.stdout.write('\n');
+      resolve(String(answer || ''));
+    });
+  });
+}
+
+async function requireSession() {
+  const session = await loadSession();
+  if (!session) {
+    console.log('Please login first using: npx nodio-cli nodio login');
+    process.exit(1);
+  }
+  return session;
+}
+
+function attachSessionToken(api, session) {
+  if (session?.apiToken) {
+    api.defaults.headers['x-api-token'] = session.apiToken;
+  }
+}
+
+function packEncryptedKey({ iv, authTag, cipherText }) {
+  return `${iv}:${authTag}:${cipherText.toString('base64')}`;
+}
+
+function unpackEncryptedKey(payload) {
+  const [iv, authTag, cipherText] = String(payload || '').split(':');
+  if (!iv || !authTag || !cipherText) {
+    throw new Error('invalid encrypted key format');
+  }
+  return {
+    iv,
+    authTag,
+    cipherText: Buffer.from(cipherText, 'base64')
+  };
+}
+
+async function buildSessionPayload(authResponse, password) {
+  const masterKey = await deriveMasterKey(password, authResponse.argon2Salt);
+  const encryptedMasterKey = encryptMasterKey(masterKey, authResponse.apiToken);
+  return {
+    apiToken: authResponse.apiToken,
+    argon2Salt: authResponse.argon2Salt,
+    userId: authResponse.userId,
+    email: authResponse.email || null,
+    encryptedMasterKey
+  };
+}
+
+async function login(options) {
+  const serverUrl = options.server;
+  const email = await promptInput('Email: ');
+  const password = await promptHiddenInput('Password: ');
+
+  const api = createApiClient(serverUrl);
+  const response = await api.post('/auth/login', { email, password });
+  const session = await buildSessionPayload(response.data, password);
+  await saveSession(session);
+  console.log('Logged in ✅');
+}
+
+async function register(options) {
+  const serverUrl = options.server;
+  const email = await promptInput('Email: ');
+  const password = await promptHiddenInput('Password: ');
+
+  const api = createApiClient(serverUrl);
+  const response = await api.post('/auth/register', { email, password });
+  const session = await buildSessionPayload({ ...response.data, email }, password);
+  await saveSession(session);
+  console.log('Registered ✅');
+}
+
+async function logout() {
+  await clearSession();
+  console.log('Logged out ✅');
+}
+
+async function whoami(options) {
+  const serverUrl = options.server;
+  const session = await requireSession();
+  const api = createApiClient(serverUrl);
+  attachSessionToken(api, session);
+  const response = await api.get('/auth/me');
+  console.log(`email: ${response.data?.email || session.email || 'unknown'}`);
+  console.log(`userId: ${response.data?.userId || session.userId || 'unknown'}`);
+}
 
 function splitBuffer(buffer, shardSizeBytes) {
   if (shardSizeBytes <= 0) {
@@ -261,6 +383,9 @@ async function uploadFile(options) {
   const directTimeoutMs = Number(options.directTimeoutMs || 1200);
   const relayFirst = Boolean(options.relayFirst);
 
+  const session = await requireSession();
+  const masterKey = decryptMasterKey(session.encryptedMasterKey, session.apiToken);
+
   if (!Number.isFinite(shardSizeMb) || shardSizeMb <= 0) {
     throw new Error('shard-size-mb must be greater than 0');
   }
@@ -277,8 +402,11 @@ async function uploadFile(options) {
 
   const keyBuffer = options.keyBase64 ? parseAesKey(options.keyBase64) : crypto.randomBytes(32);
   const keyBase64 = keyBuffer.toString('base64');
+  const encryptedKeyPayload = encryptAes256Gcm(keyBuffer, masterKey);
+  const encryptedAESKey = packEncryptedKey(encryptedKeyPayload);
 
   const api = createApiClient(serverUrl);
+  attachSessionToken(api, session);
   const fileId = options.fileId || uuidv4();
   const originalName = path.basename(filePath);
 
@@ -288,6 +416,7 @@ async function uploadFile(options) {
     sizeBytes: plainBuffer.length,
     shardCount: chunks.length,
     cipher: 'aes-256-gcm',
+    encryptedAESKey,
     metadata: {
       encryption: {
         algorithm: 'aes-256-gcm',
@@ -415,6 +544,7 @@ async function uploadFile(options) {
     sizeBytes: plainBuffer.length,
     shardCount: chunks.length,
     cipher: 'aes-256-gcm',
+    encryptedAESKey,
     metadata: {
       encryption: {
         algorithm: 'aes-256-gcm',
@@ -443,20 +573,43 @@ async function downloadFile(options) {
   const fileId = options.fileId;
   const serverUrl = options.server;
   const output = options.output ? path.resolve(options.output) : path.resolve(`./${fileId}.downloaded`);
-  const keyBuffer = parseAesKey(options.keyBase64);
   const directTimeoutMs = Number(options.directTimeoutMs || 1200);
   const relayFirst = Boolean(options.relayFirst);
 
+  const session = await requireSession();
+  const masterKey = decryptMasterKey(session.encryptedMasterKey, session.apiToken);
+
   if (!Number.isFinite(directTimeoutMs) || directTimeoutMs <= 0) {
     throw new Error('direct-timeout-ms must be greater than 0');
   }
 
   const api = createApiClient(serverUrl);
+  attachSessionToken(api, session);
   const manifestResponse = await api.get(`/files/${fileId}/manifest`);
   const manifest = manifestResponse.data;
   const metadata = manifest.file?.metadata || {};
   const encryption = metadata.encryption;
 
+  let keyBuffer = null;
+  if (options.keyBase64) {
+    keyBuffer = parseAesKey(options.keyBase64);
+  } else if (manifest.file?.encryptedAESKey) {
+    const encryptedKeyPayload = unpackEncryptedKey(manifest.file.encryptedAESKey);
+    keyBuffer = decryptAes256Gcm(
+      encryptedKeyPayload.cipherText,
+      masterKey,
+      encryptedKeyPayload.iv,
+      encryptedKeyPayload.authTag
+    );
+    if (!Buffer.isBuffer(keyBuffer) || keyBuffer.length !== 32) {
+      throw new Error('invalid decrypted AES key length');
+    }
+  }
+
+  if (!keyBuffer) {
+    throw new Error('missing encryption key; provide --key-base64 or login to access encrypted keys');
+  }
+
   if (!encryption || encryption.algorithm !== 'aes-256-gcm') {
     throw new Error('missing or unsupported encryption metadata');
   }
@@ -566,6 +719,8 @@ async function deleteFile(options) {
   const serverUrl = options.server;
 
   const api = createApiClient(serverUrl);
+  const session = await requireSession();
+  attachSessionToken(api, session);
   const response = await api.delete(`/files/${fileId}`);
   const payload = response.data || {};
 
@@ -582,5 +737,9 @@ async function deleteFile(options) {
 module.exports = {
   uploadFile,
   downloadFile,
-  deleteFile
+  deleteFile,
+  login,
+  register,
+  logout,
+  whoami
 };

package/src/user/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 const { Command } = require('commander');
-const { uploadFile, downloadFile, deleteFile } = require('./commands');
+const { uploadFile, downloadFile, deleteFile, login, logout, register, whoami } = require('./commands');
 
 const program = new Command();
 
@@ -25,7 +25,7 @@ program
   .command('download')
   .description('Download, verify, decrypt, and reconstruct a file')
   .requiredOption('--file-id <id>', 'file ID to download')
-  .requiredOption('--key-base64 <key>', '32-byte AES key in base64 from upload output')
+  .option('--key-base64 <key>', '32-byte AES key in base64 from upload output')
   .option('--server <url>', 'central server URL', 'https://api.nodio.me')
   .option('--output <path>', 'output file path')
   .option('--direct-timeout-ms <ms>', 'timeout for each direct donor attempt before relay fallback', '1200')
@@ -43,6 +43,37 @@ program
     await deleteFile(options);
   });
 
+program
+  .command('login')
+  .description('Login and persist a session locally')
+  .option('--server <url>', 'central server URL', 'https://api.nodio.me')
+  .action(async (options) => {
+    await login(options);
+  });
+
+program
+  .command('logout')
+  .description('Clear local session data')
+  .action(async () => {
+    await logout();
+  });
+
+program
+  .command('register')
+  .description('Create an account and persist a session locally')
+  .option('--server <url>', 'central server URL', 'https://api.nodio.me')
+  .action(async (options) => {
+    await register(options);
+  });
+
+program
+  .command('whoami')
+  .description('Show the current authenticated user')
+  .option('--server <url>', 'central server URL', 'https://api.nodio.me')
+  .action(async (options) => {
+    await whoami(options);
+  });
+
 program.parseAsync(process.argv).catch((error) => {
   const apiErrorMessage = error.response?.data?.error;
   if (apiErrorMessage) {