onbuzz 4.6.2 → 4.6.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "onbuzz",
-  "version": "4.6.2",
+  "version": "4.6.4",
   "description": "Loxia OnBuzz - Your AI Fleet",
   "type": "module",
   "main": "src/index.js",

package/src/interfaces/webServer.js

@@ -32,6 +32,7 @@ import { getCredentialVault } from '../services/credentialVault.js';
 import { getGalleryService } from '../services/galleryService.js';
 import { getUserDataPaths } from '../utilities/userDataDir.js';
 import { projectActiveRuns } from '../utilities/flowRunFilters.js';
+import { recordOAuthResult, recordResolvedUser, projectAuthStatus } from '../utilities/authCache.js';
 
 // Connect visual editor server to bridge (enables element selection forwarding)
 setBridgeGetter(getVisualEditorBridge);
@@ -863,12 +864,17 @@ class WebServer {
         }
 
         // Cache the auth result so the frontend can poll it if the WebSocket
-        // broadcast is missed (e.g. connection drop, race condition)
-        this.lastAuthResult = {
+        // broadcast is missed (e.g. connection drop, race condition).
+        // The JWT MUST be included so the polling fallback in
+        // `/api/auth/status` can hand it back to the FE — without it,
+        // marketplace publish/install/rate calls would 401 because the
+        // FE never got the token into localStorage. Logic lives in
+        // `utilities/authCache.js` so unit tests can lock the contract.
+        this.lastAuthResult = recordOAuthResult({
           user: userInfo,
+          jwt: token,
           hasApiKey: !!apiKey,
-          timestamp: new Date().toISOString()
-        };
+        });
 
         // Broadcast auth success to connected web UI clients
         // Include the raw JWT so the frontend can use it for marketplace API calls
@@ -905,23 +911,13 @@ h2{color:#16a34a;margin-bottom:.5rem;} p{color:#666;}</style></head>
     // Supports ?since=<ISO> for polling: only returns user if auth happened AFTER that timestamp
     this.app.get('/api/auth/status', (req, res) => {
       const hasApiKey = !!(this.apiKeyManager?.getKeysForRequest?.(null, { platformProvided: true })?.loxiaApiKey);
-
-      let user = this.lastAuthResult?.user || null;
-
-      // Polling support: if ?since= is passed, only return user if auth happened after that time
-      const since = req.query.since;
-      if (since && this.lastAuthResult?.timestamp) {
-        if (new Date(this.lastAuthResult.timestamp) <= new Date(since)) {
-          user = null; // Auth happened before the login attempt — not the one we're waiting for
-        }
-      }
-
-      res.json({
-        success: true,
-        authenticated: hasApiKey,
-        user,
-        timestamp: this.lastAuthResult?.timestamp || null
-      });
+      // Projection (staleness gate + jwt/user pair invariant) lives in
+      // utilities/authCache.js so unit tests can exercise it without
+      // standing up Express.
+      res.json(projectAuthStatus(this.lastAuthResult, {
+        since: req.query.since,
+        hasApiKey,
+      }));
     });
 
     // Auth resolve — resolve user account from an existing API key by calling the remote backend
@@ -945,12 +941,14 @@ h2{color:#16a34a;margin-bottom:.5rem;} p{color:#666;}</style></head>
         const data = await response.json();
         const user = data.user || data;
 
-        // Cache the resolved user for subsequent /api/auth/status calls
-        this.lastAuthResult = {
+        // Cache the resolved user for subsequent /api/auth/status calls.
+        // Preserves any JWT from a prior OAuth login (this path mints
+        // no JWT of its own — it just links a user from an existing
+        // API key). See utilities/authCache.js for the invariant.
+        this.lastAuthResult = recordResolvedUser({
           user,
-          hasApiKey: true,
-          timestamp: new Date().toISOString()
-        };
+          prevCache: this.lastAuthResult,
+        });
 
         res.json({ success: true, user });
       } catch (error) {

package/src/utilities/__tests__/authCache.test.js

@@ -0,0 +1,266 @@
+/**
+ * Tests for the auth-cache shape + state transitions used by the
+ * webServer's /auth/callback, /api/auth/status, and /api/auth/resolve
+ * routes.
+ *
+ * These lock the marketplace-auth bug we fixed in 2026-05: a user who
+ * missed the OAuth WS broadcast (page reload, dropped connection)
+ * would recover their user account via the polling fallback but lose
+ * the JWT, leading to 401 "Authentication required" on every
+ * marketplace publish/install/rate call.
+ */
+import { describe, test, expect } from '@jest/globals';
+import {
+  recordOAuthResult,
+  recordResolvedUser,
+  projectAuthStatus,
+} from '../authCache.js';
+
+// ─── recordOAuthResult ────────────────────────────────────────────────
+
+describe('recordOAuthResult', () => {
+  test('captures user, jwt, hasApiKey + a timestamp on the cache row', () => {
+    const row = recordOAuthResult({
+      user: { id: 'u1', email: 'a@b.com' },
+      jwt: 'eyJhbG...real-jwt',
+      hasApiKey: true,
+    });
+    expect(row.user).toEqual({ id: 'u1', email: 'a@b.com' });
+    expect(row.jwt).toBe('eyJhbG...real-jwt');
+    expect(row.hasApiKey).toBe(true);
+    expect(typeof row.timestamp).toBe('string');
+    // Must be a valid ISO datetime
+    expect(new Date(row.timestamp).toString()).not.toBe('Invalid Date');
+  });
+
+  test('CRITICAL: jwt is on the cache row — this is the contract that prevents 401-on-marketplace', () => {
+    // The bug we're guarding against: previously this function
+    // implicitly did `{user, hasApiKey, timestamp}` and forgot the JWT.
+    // Polling fallback then returned no JWT and marketplace auth broke.
+    const row = recordOAuthResult({ user: { id: 'u' }, jwt: 'tok', hasApiKey: true });
+    expect(row).toHaveProperty('jwt', 'tok');
+  });
+
+  test('non-string jwt collapses to null (defensive against malformed input)', () => {
+    expect(recordOAuthResult({ user: {}, jwt: null, hasApiKey: false }).jwt).toBeNull();
+    expect(recordOAuthResult({ user: {}, jwt: undefined, hasApiKey: false }).jwt).toBeNull();
+    expect(recordOAuthResult({ user: {}, jwt: '', hasApiKey: false }).jwt).toBeNull();
+    expect(recordOAuthResult({ user: {}, jwt: 12345, hasApiKey: false }).jwt).toBeNull();
+    expect(recordOAuthResult({ user: {}, jwt: { token: 'x' }, hasApiKey: false }).jwt).toBeNull();
+  });
+
+  test('hasApiKey coerces to bool', () => {
+    expect(recordOAuthResult({ hasApiKey: 1 }).hasApiKey).toBe(true);
+    expect(recordOAuthResult({ hasApiKey: 0 }).hasApiKey).toBe(false);
+    expect(recordOAuthResult({ hasApiKey: 'yes' }).hasApiKey).toBe(true);
+    expect(recordOAuthResult({}).hasApiKey).toBe(false);
+  });
+
+  test('null user passes through as null (degraded but valid cache row)', () => {
+    expect(recordOAuthResult({ user: null, jwt: 'x', hasApiKey: true }).user).toBeNull();
+  });
+
+  test('explicit timestamp wins (useful for deterministic tests)', () => {
+    const row = recordOAuthResult({ user: {}, timestamp: '2026-05-01T00:00:00Z' });
+    expect(row.timestamp).toBe('2026-05-01T00:00:00Z');
+  });
+});
+
+// ─── recordResolvedUser ───────────────────────────────────────────────
+
+describe('recordResolvedUser', () => {
+  test('CRITICAL: preserves a JWT from a previous OAuth cache row', () => {
+    // Resolve happens AFTER /auth/callback when the FE loads with an
+    // existing API key. Earlier code overwrote lastAuthResult and
+    // silently wiped the OAuth-minted JWT, breaking marketplace auth.
+    const prev = recordOAuthResult({ user: { id: 'u1' }, jwt: 'oauth-token', hasApiKey: true });
+    const next = recordResolvedUser({ user: { id: 'u1', email: 'a@b' }, prevCache: prev });
+    expect(next.jwt).toBe('oauth-token');
+    expect(next.user).toEqual({ id: 'u1', email: 'a@b' });
+  });
+
+  test('hasApiKey is always true on this path (resolve requires an API key)', () => {
+    expect(recordResolvedUser({ user: { id: 'u' }, prevCache: null }).hasApiKey).toBe(true);
+  });
+
+  test('no prior JWT → cache row has jwt: null (no marketplace auth available)', () => {
+    const next = recordResolvedUser({ user: { id: 'u' }, prevCache: null });
+    expect(next.jwt).toBeNull();
+  });
+
+  test('prior cache without jwt → null (matches the no-prior case)', () => {
+    const prev = { user: { id: 'u' }, hasApiKey: true, timestamp: '2026-01-01T00:00:00Z' };
+    const next = recordResolvedUser({ user: { id: 'u' }, prevCache: prev });
+    expect(next.jwt).toBeNull();
+  });
+
+  test('prior cache with empty/non-string jwt is treated as no jwt', () => {
+    for (const badJwt of [null, undefined, '', 0, {}, []]) {
+      const prev = { user: {}, hasApiKey: true, jwt: badJwt, timestamp: '2026-01-01T00:00:00Z' };
+      expect(recordResolvedUser({ user: {}, prevCache: prev }).jwt).toBeNull();
+    }
+  });
+
+  test('explicit timestamp wins (deterministic tests)', () => {
+    const next = recordResolvedUser({
+      user: { id: 'u' },
+      prevCache: null,
+      timestamp: '2026-05-03T12:00:00Z',
+    });
+    expect(next.timestamp).toBe('2026-05-03T12:00:00Z');
+  });
+});
+
+// ─── projectAuthStatus ────────────────────────────────────────────────
+
+describe('projectAuthStatus', () => {
+  test('returns null user + null jwt when no cache exists yet', () => {
+    const r = projectAuthStatus(null);
+    expect(r.user).toBeNull();
+    expect(r.jwt).toBeNull();
+    expect(r.success).toBe(true);
+  });
+
+  test('returns the cached user + jwt when fresh', () => {
+    const cache = recordOAuthResult({
+      user: { id: 'u1' }, jwt: 'tok', hasApiKey: true,
+    });
+    const r = projectAuthStatus(cache);
+    expect(r.user).toEqual({ id: 'u1' });
+    expect(r.jwt).toBe('tok');
+    expect(r.authenticated).toBe(true);
+  });
+
+  test('CRITICAL: jwt round-trips from recordOAuthResult through projectAuthStatus', () => {
+    // The full bug-fix contract: callback → cache → status → FE can read JWT.
+    const cache = recordOAuthResult({
+      user: { id: 'u' }, jwt: 'the-jwt-value', hasApiKey: true,
+    });
+    const status = projectAuthStatus(cache);
+    expect(status.jwt).toBe('the-jwt-value');
+  });
+
+  test('staleness gate: cache predating ?since= reports user=null (and jwt=null)', () => {
+    const cache = recordOAuthResult({
+      user: { id: 'u' }, jwt: 'old-tok', hasApiKey: true,
+      timestamp: '2026-05-01T10:00:00Z',
+    });
+    // Caller asking about an auth event AFTER the cache was written.
+    const r = projectAuthStatus(cache, { since: '2026-05-01T11:00:00Z' });
+    expect(r.user).toBeNull();
+    expect(r.jwt).toBeNull();
+  });
+
+  test('staleness gate: cache POST-DATING ?since= passes through', () => {
+    const cache = recordOAuthResult({
+      user: { id: 'u' }, jwt: 'fresh-tok', hasApiKey: true,
+      timestamp: '2026-05-01T11:00:00Z',
+    });
+    const r = projectAuthStatus(cache, { since: '2026-05-01T10:00:00Z' });
+    expect(r.user).toEqual({ id: 'u' });
+    expect(r.jwt).toBe('fresh-tok');
+  });
+
+  test('staleness gate: equal timestamps → stale (strict <=)', () => {
+    const cache = recordOAuthResult({
+      user: { id: 'u' }, jwt: 'tok', hasApiKey: true,
+      timestamp: '2026-05-01T10:00:00Z',
+    });
+    const r = projectAuthStatus(cache, { since: '2026-05-01T10:00:00Z' });
+    expect(r.user).toBeNull();
+  });
+
+  test('PAIR INVARIANT: when user is null, jwt MUST be null too (never user=null with jwt=set)', () => {
+    // Cache exists but is stale → user=null. JWT must follow.
+    const cache = recordOAuthResult({
+      user: { id: 'u' }, jwt: 'tok',
+      timestamp: '2026-05-01T00:00:00Z',
+    });
+    const r = projectAuthStatus(cache, { since: '2026-05-02T00:00:00Z' });
+    expect(r.user).toBeNull();
+    expect(r.jwt).toBeNull();
+  });
+
+  test('user without jwt (resolve-via-api-key path) returns user but jwt=null', () => {
+    // /auth/resolve sets user but no JWT. Marketplace will 401 — correct
+    // behavior, not this fix's job to mint a JWT here.
+    const cache = recordResolvedUser({ user: { id: 'u' }, prevCache: null });
+    const r = projectAuthStatus(cache);
+    expect(r.user).toEqual({ id: 'u' });
+    expect(r.jwt).toBeNull();
+  });
+
+  test('authenticated reflects the live hasApiKey override (not the cache value)', () => {
+    // The route passes the apiKeyManager's CURRENT view; cache might be stale.
+    const cache = recordOAuthResult({ user: { id: 'u' }, jwt: 'x', hasApiKey: true });
+    const r = projectAuthStatus(cache, { hasApiKey: false });
+    expect(r.authenticated).toBe(false);
+  });
+
+  test('falls back to cache.hasApiKey when no override given', () => {
+    const cache = recordOAuthResult({ user: { id: 'u' }, jwt: 'x', hasApiKey: true });
+    const r = projectAuthStatus(cache);
+    expect(r.authenticated).toBe(true);
+  });
+});
+
+// ─── End-to-end scenario coverage (the actual bug story) ──────────────
+
+describe('full scenario: OAuth → resolve → polling fallback (the bug we fixed)', () => {
+  test('happy path: OAuth callback → poll status → JWT returned', () => {
+    // 1. User signs in via OAuth. /auth/callback runs:
+    let cache = recordOAuthResult({
+      user: { id: 'u1', email: 'alice@example.com' },
+      jwt: 'oauth-issued-jwt',
+      hasApiKey: true,
+    });
+    // 2. WebSocket broadcast misses (page reload). FE polls /api/auth/status:
+    const status = projectAuthStatus(cache, { hasApiKey: true });
+    // 3. Polling response now contains jwt → FE writes to localStorage → marketplace auth works
+    expect(status.user.email).toBe('alice@example.com');
+    expect(status.jwt).toBe('oauth-issued-jwt');
+  });
+
+  test('OAuth then resolve: JWT survives the resolve-overwrite', () => {
+    // 1. OAuth login caches everything including the JWT.
+    let cache = recordOAuthResult({
+      user: { id: 'u1' }, jwt: 'oauth-jwt', hasApiKey: true,
+    });
+    // 2. Frontend later hits /auth/resolve (e.g. on a fresh page load
+    //    where API key is already set). Without the fix this would have
+    //    overwritten cache.jwt = undefined.
+    cache = recordResolvedUser({
+      user: { id: 'u1', email: 'alice@example.com' },
+      prevCache: cache,
+    });
+    // 3. Subsequent /api/auth/status caller still gets the JWT.
+    const status = projectAuthStatus(cache);
+    expect(status.jwt).toBe('oauth-jwt');
+    expect(status.user.email).toBe('alice@example.com');
+  });
+
+  test('API-key-only flow: user resolves but no marketplace auth available', () => {
+    // No prior OAuth — the user pasted an API key in Settings and the
+    // /auth/resolve path linked their account from the backend.
+    let cache = recordResolvedUser({ user: { id: 'u' }, prevCache: null });
+    const status = projectAuthStatus(cache);
+    expect(status.user).toEqual({ id: 'u' });
+    expect(status.jwt).toBeNull();
+    // Marketplace will 401 with "Authentication required" — the fix
+    // for that case is server-to-server JWT minting in /auth/resolve,
+    // out of scope for this PR.
+  });
+
+  test('polling for a NEW login but cache is from an OLDER one: not the auth we\'re waiting for', () => {
+    // A previous user signed out, a new user is mid-login, FE polls.
+    const oldCache = recordOAuthResult({
+      user: { id: 'old-user' }, jwt: 'old-jwt', hasApiKey: true,
+      timestamp: '2026-01-01T00:00:00Z',
+    });
+    // FE called /api/auth/status?since=<just-now>
+    const status = projectAuthStatus(oldCache, { since: '2026-05-03T12:00:00Z' });
+    // user=null + jwt=null so the FE keeps polling, doesn't sign in as the wrong user.
+    expect(status.user).toBeNull();
+    expect(status.jwt).toBeNull();
+  });
+});

package/src/utilities/authCache.js

@@ -0,0 +1,121 @@
+/**
+ * Auth-result cache shape + transitions.
+ *
+ * The webServer caches the most recent auth event in `lastAuthResult` so
+ * a frontend that missed the WS broadcast (page reload, dropped
+ * connection, race) can recover via polling `/api/auth/status`. The
+ * cache shape and three state transitions live here so they're
+ * testable without standing up Express.
+ *
+ * Cache shape:
+ *   { user, hasApiKey, jwt, timestamp }
+ *
+ *   - user       — { id, email, ... } or null
+ *   - hasApiKey  — bool
+ *   - jwt        — raw bearer token from OAuth, or null. Mandatory for
+ *                  marketplace publish/install/rate calls (the marketplace
+ *                  service verifies JWTs directly, not lx_* keys).
+ *   - timestamp  — ISO of when this cache row was written; used for
+ *                  staleness checks via `?since=` polling.
+ *
+ * Bug history this guards against:
+ *   - 2026-05: marketplace publish 401 "Authentication required" because
+ *     OAuth callback cached only {user, hasApiKey, timestamp} without
+ *     the JWT, then a page reload triggered the polling fallback which
+ *     returned the user but no JWT. The FE thought "I'm signed in" but
+ *     localStorage.loxia-auth-token stayed empty → no Bearer header on
+ *     marketplace calls → 401.
+ */
+
+/**
+ * Build a cache row for a successful OAuth callback. The JWT is the
+ * critical field — without it, the polling fallback can't restore
+ * marketplace auth on a refresh.
+ *
+ * @param {Object} input
+ * @param {Object} input.user      - User account object
+ * @param {string|null} input.jwt  - Raw JWT from the OAuth callback
+ * @param {boolean} input.hasApiKey
+ * @param {string} [input.timestamp] - Override (for tests); defaults to now
+ * @returns {Object} cache row
+ */
+export function recordOAuthResult({ user, jwt, hasApiKey, timestamp } = {}) {
+  return {
+    user: user || null,
+    hasApiKey: !!hasApiKey,
+    jwt: typeof jwt === 'string' && jwt.length > 0 ? jwt : null,
+    timestamp: timestamp || new Date().toISOString(),
+  };
+}
+
+/**
+ * Build a cache row when a user is resolved from an API key alone (no
+ * OAuth event, so no JWT minted in this flow). PRESERVES any JWT from
+ * a previous OAuth login — overwriting `lastAuthResult` with no `jwt`
+ * field would silently wipe marketplace auth for users who hit
+ * /auth/resolve after /auth/callback.
+ *
+ * @param {Object} input
+ * @param {Object} input.user
+ * @param {Object|null} input.prevCache - previous lastAuthResult
+ * @param {string} [input.timestamp]
+ * @returns {Object} cache row
+ */
+export function recordResolvedUser({ user, prevCache, timestamp } = {}) {
+  const carriedJwt = prevCache && typeof prevCache.jwt === 'string' && prevCache.jwt.length > 0
+    ? prevCache.jwt
+    : null;
+  return {
+    user: user || null,
+    hasApiKey: true,                        // resolve path requires an API key
+    jwt: carriedJwt,
+    timestamp: timestamp || new Date().toISOString(),
+  };
+}
+
+/**
+ * Project a cache row into the JSON the `/api/auth/status` endpoint
+ * returns. Implements two pieces of business logic:
+ *
+ *   1. Staleness gate via `?since=`: if the caller is polling for an
+ *      auth event AFTER a known timestamp, but the cache row predates
+ *      that timestamp, the row is considered "not the auth we're
+ *      waiting for" and the user is reported as null. Prevents a
+ *      previously-cached login from masquerading as the in-flight one.
+ *
+ *   2. JWT only flows out when a fresh user is reported. When `user`
+ *      is null (no cached row, or stale), `jwt` is also null — the
+ *      pair is always coherent so the FE never sees user=null with
+ *      jwt=<something>.
+ *
+ * @param {Object|null} cache - lastAuthResult value
+ * @param {Object} [options]
+ * @param {string} [options.since] - ISO timestamp from the caller
+ * @param {boolean} [options.hasApiKey] - hasApiKey value at request time
+ *   (cache.hasApiKey is the value AT CACHE TIME — the live answer comes
+ *   from the apiKeyManager). The route passes the live one in.
+ * @returns {{ success: true, authenticated: boolean, user: Object|null, jwt: string|null, timestamp: string|null }}
+ */
+export function projectAuthStatus(cache, options = {}) {
+  const since = options.since;
+  const liveHasApiKey = options.hasApiKey === undefined ? !!cache?.hasApiKey : !!options.hasApiKey;
+
+  let user = cache?.user || null;
+  if (since && cache?.timestamp) {
+    if (new Date(cache.timestamp).getTime() <= new Date(since).getTime()) {
+      // Cache predates the login attempt the caller is polling for.
+      user = null;
+    }
+  }
+
+  // Pair invariant: jwt is null whenever user is null.
+  const jwt = user ? (cache?.jwt || null) : null;
+
+  return {
+    success: true,
+    authenticated: liveHasApiKey,
+    user,
+    jwt,
+    timestamp: cache?.timestamp || null,
+  };
+}