session-collab-mcp 0.3.0

package/src/auth/middleware.ts

@@ -0,0 +1,144 @@
+// Authentication middleware
+
+import type { D1Database } from '@cloudflare/workers-types';
+import { verifyJwt } from './jwt';
+import { getApiTokenByHash, updateApiTokenLastUsed } from '../db/auth-queries';
+import { sha256, timingSafeEqual } from '../utils/crypto';
+import type { AuthContext } from './types';
+
+export interface Env {
+  DB: D1Database;
+  JWT_SECRET?: string;
+  API_TOKEN?: string; // Legacy single token support
+}
+
+/**
+ * Validate authentication from request
+ * Supports three modes:
+ * 1. JWT (Bearer ey...) - for web UI
+ * 2. API Token (Bearer mcp_...) - for MCP requests
+ * 3. Legacy (Bearer <API_TOKEN>) - backward compatibility
+ */
+export async function validateAuth(request: Request, env: Env): Promise<AuthContext | null> {
+  const authHeader = request.headers.get('Authorization');
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return null;
+  }
+
+  const token = authHeader.slice(7); // Remove 'Bearer '
+
+  // 1. Try API Token authentication (mcp_xxx)
+  if (token.startsWith('mcp_')) {
+    return await validateApiToken(token, env.DB);
+  }
+
+  // 2. Try JWT authentication (starts with eyJ for base64 encoded JSON)
+  if (token.startsWith('eyJ') && env.JWT_SECRET) {
+    return await validateJwtToken(token, env.JWT_SECRET);
+  }
+
+  // 3. Try legacy API_TOKEN (backward compatibility)
+  if (env.API_TOKEN && timingSafeEqual(token, env.API_TOKEN)) {
+    return {
+      type: 'legacy',
+      userId: 'legacy',
+      scopes: ['mcp'],
+    };
+  }
+
+  return null;
+}
+
+/**
+ * Validate API Token
+ */
+async function validateApiToken(token: string, db: D1Database): Promise<AuthContext | null> {
+  const tokenHash = await sha256(token);
+  const apiToken = await getApiTokenByHash(db, tokenHash);
+
+  if (!apiToken) {
+    return null;
+  }
+
+  // Update last used timestamp (fire and forget)
+  updateApiTokenLastUsed(db, apiToken.id).catch(() => {});
+
+  return {
+    type: 'api_token',
+    userId: apiToken.user_id,
+    tokenId: apiToken.id,
+    scopes: JSON.parse(apiToken.scopes),
+  };
+}
+
+/**
+ * Validate JWT Token
+ */
+async function validateJwtToken(token: string, secret: string): Promise<AuthContext | null> {
+  const payload = await verifyJwt(token, secret);
+
+  if (!payload || payload.type !== 'access') {
+    return null;
+  }
+
+  return {
+    type: 'jwt',
+    userId: payload.sub,
+  };
+}
+
+/**
+ * Check if auth context has required scope
+ */
+export function hasScope(authContext: AuthContext, requiredScope: string): boolean {
+  // JWT users have all scopes
+  if (authContext.type === 'jwt') {
+    return true;
+  }
+
+  // Legacy token has mcp scope
+  if (authContext.type === 'legacy') {
+    return requiredScope === 'mcp';
+  }
+
+  // API Token - check scopes
+  return authContext.scopes?.includes(requiredScope) ?? false;
+}
+
+/**
+ * Create unauthorized response
+ */
+export function unauthorizedResponse(): Response {
+  return new Response(
+    JSON.stringify({
+      error: 'Unauthorized',
+      code: 'ERR_UNAUTHORIZED',
+    }),
+    {
+      status: 401,
+      headers: {
+        'Content-Type': 'application/json',
+        'Access-Control-Allow-Origin': '*',
+      },
+    }
+  );
+}
+
+/**
+ * Create forbidden response
+ */
+export function forbiddenResponse(message = 'Insufficient permissions'): Response {
+  return new Response(
+    JSON.stringify({
+      error: message,
+      code: 'ERR_FORBIDDEN',
+    }),
+    {
+      status: 403,
+      headers: {
+        'Content-Type': 'application/json',
+        'Access-Control-Allow-Origin': '*',
+      },
+    }
+  );
+}

package/src/auth/password.ts

@@ -0,0 +1,84 @@
+// Password hashing using PBKDF2-SHA256 (Web Crypto API)
+
+import { bytesToHex, hexToBytes, timingSafeEqual } from '../utils/crypto';
+
+const ITERATIONS = 100000;
+const SALT_LENGTH = 16;
+const HASH_LENGTH = 256; // bits
+
+/**
+ * Hash a password using PBKDF2-SHA256
+ * Format: pbkdf2:sha256:<iterations>$<salt_hex>$<hash_hex>
+ */
+export async function hashPassword(password: string): Promise<string> {
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+
+  const key = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
+
+  const hash = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      salt,
+      iterations: ITERATIONS,
+      hash: 'SHA-256',
+    },
+    key,
+    HASH_LENGTH
+  );
+
+  const saltHex = bytesToHex(salt);
+  const hashHex = bytesToHex(new Uint8Array(hash));
+
+  return `pbkdf2:sha256:${ITERATIONS}$${saltHex}$${hashHex}`;
+}
+
+/**
+ * Verify a password against a stored hash
+ */
+export async function verifyPassword(password: string, stored: string): Promise<boolean> {
+  const match = stored.match(/^pbkdf2:sha256:(\d+)\$([a-f0-9]+)\$([a-f0-9]+)$/);
+  if (!match) {
+    return false;
+  }
+
+  const [, iterStr, saltHex, storedHashHex] = match;
+  const iterations = parseInt(iterStr, 10);
+  const salt = hexToBytes(saltHex);
+
+  const key = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
+
+  const hash = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      salt,
+      iterations,
+      hash: 'SHA-256',
+    },
+    key,
+    HASH_LENGTH
+  );
+
+  const hashHex = bytesToHex(new Uint8Array(hash));
+
+  return timingSafeEqual(hashHex, storedHashHex);
+}
+
+/**
+ * Validate password strength
+ * Returns null if valid, error message if invalid
+ */
+export function validatePasswordStrength(password: string): string | null {
+  if (password.length < 8) {
+    return 'Password must be at least 8 characters';
+  }
+  if (!/[a-z]/.test(password)) {
+    return 'Password must contain at least one lowercase letter';
+  }
+  if (!/[A-Z]/.test(password)) {
+    return 'Password must contain at least one uppercase letter';
+  }
+  if (!/[0-9]/.test(password)) {
+    return 'Password must contain at least one number';
+  }
+  return null;
+}

package/src/auth/types.ts

@@ -0,0 +1,70 @@
+// Authentication types and request/response schemas
+
+import { z } from 'zod';
+
+// Request schemas
+export const RegisterRequestSchema = z.object({
+  email: z.string().email('Invalid email format'),
+  password: z.string().min(8, 'Password must be at least 8 characters'),
+  display_name: z.string().min(1).max(100).optional(),
+});
+
+export const LoginRequestSchema = z.object({
+  email: z.string().email('Invalid email format'),
+  password: z.string().min(1, 'Password is required'),
+});
+
+export const RefreshRequestSchema = z.object({
+  refresh_token: z.string().min(1, 'Refresh token is required'),
+});
+
+export const UpdateProfileRequestSchema = z.object({
+  display_name: z.string().min(1).max(100).optional(),
+});
+
+export const ChangePasswordRequestSchema = z.object({
+  current_password: z.string().min(1, 'Current password is required'),
+  new_password: z.string().min(8, 'New password must be at least 8 characters'),
+});
+
+// Type aliases
+export type RegisterRequest = z.infer<typeof RegisterRequestSchema>;
+export type LoginRequest = z.infer<typeof LoginRequestSchema>;
+export type RefreshRequest = z.infer<typeof RefreshRequestSchema>;
+export type UpdateProfileRequest = z.infer<typeof UpdateProfileRequestSchema>;
+export type ChangePasswordRequest = z.infer<typeof ChangePasswordRequestSchema>;
+
+// Response types
+export interface AuthResponse {
+  user: {
+    id: string;
+    email: string;
+    display_name: string | null;
+    created_at: string;
+  };
+  access_token: string;
+  refresh_token: string;
+  expires_in: number;
+}
+
+export interface UserResponse {
+  id: string;
+  email: string;
+  display_name: string | null;
+  created_at: string;
+}
+
+// Auth context for authenticated requests
+export interface AuthContext {
+  type: 'jwt' | 'api_token' | 'legacy';
+  userId: string;
+  tokenId?: string; // API Token ID
+  scopes?: string[];
+}
+
+// Error types
+export interface AuthError {
+  error: string;
+  code: string;
+  details?: { field: string; message: string }[];
+}

package/src/cli.ts

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+// Local MCP server for session collaboration
+// Runs via stdio, stores data in ~/.claude/session-collab/collab.db
+
+import { createInterface } from 'readline';
+import { createLocalDatabase, getDefaultDbPath } from './db/sqlite-adapter.js';
+import { handleMcpRequest, getMcpTools } from './mcp/server.js';
+import { readFileSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// Load migrations
+function loadMigrations(): string[] {
+  const migrationsDir = join(__dirname, '..', 'migrations');
+  return [
+    readFileSync(join(migrationsDir, '0001_init.sql'), 'utf-8'),
+    readFileSync(join(migrationsDir, '0002_auth.sql'), 'utf-8'),
+  ];
+}
+
+// Parse command line arguments
+function parseArgs(): { dbPath?: string } {
+  const args = process.argv.slice(2);
+  let dbPath: string | undefined;
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--db' && args[i + 1]) {
+      dbPath = args[i + 1];
+      i++;
+    }
+  }
+
+  return { dbPath };
+}
+
+// JSON-RPC response helpers
+function jsonRpcResponse(id: number | string | null, result: unknown): string {
+  return JSON.stringify({ jsonrpc: '2.0', id, result });
+}
+
+function jsonRpcError(id: number | string | null, code: number, message: string): string {
+  return JSON.stringify({ jsonrpc: '2.0', id, error: { code, message } });
+}
+
+async function main(): Promise<void> {
+  const { dbPath } = parseArgs();
+  const db = createLocalDatabase(dbPath);
+
+  // Initialize schema
+  try {
+    const migrations = loadMigrations();
+    db.initSchema(migrations);
+  } catch (error) {
+    // Schema might already exist, that's fine
+    if (!(error instanceof Error && error.message.includes('already exists'))) {
+      console.error('Warning: Migration error:', error);
+    }
+  }
+
+  // Log startup to stderr (stdout is for JSON-RPC)
+  console.error(`Session Collab MCP Server (local)`);
+  console.error(`Database: ${dbPath ?? getDefaultDbPath()}`);
+
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    terminal: false,
+  });
+
+  rl.on('line', async (line) => {
+    if (!line.trim()) return;
+
+    try {
+      const request = JSON.parse(line);
+      const { id, method, params } = request;
+
+      // Handle MCP protocol methods
+      switch (method) {
+        case 'initialize': {
+          const response = jsonRpcResponse(id, {
+            protocolVersion: '2024-11-05',
+            capabilities: {
+              tools: {},
+            },
+            serverInfo: {
+              name: 'session-collab-mcp',
+              version: '0.3.0',
+            },
+          });
+          console.log(response);
+          break;
+        }
+
+        case 'notifications/initialized': {
+          // No response needed for notifications
+          break;
+        }
+
+        case 'tools/list': {
+          const tools = getMcpTools();
+          const response = jsonRpcResponse(id, { tools });
+          console.log(response);
+          break;
+        }
+
+        case 'tools/call': {
+          const result = await handleMcpRequest(
+            db as unknown as import('@cloudflare/workers-types').D1Database,
+            params.name,
+            params.arguments ?? {}
+          );
+          const response = jsonRpcResponse(id, result);
+          console.log(response);
+          break;
+        }
+
+        default: {
+          const errorResponse = jsonRpcError(id, -32601, `Method not found: ${method}`);
+          console.log(errorResponse);
+        }
+      }
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+      const errorResponse = jsonRpcError(null, -32700, `Parse error: ${errorMessage}`);
+      console.log(errorResponse);
+    }
+  });
+
+  rl.on('close', () => {
+    db.close();
+    process.exit(0);
+  });
+}
+
+main().catch((error) => {
+  console.error('Fatal error:', error);
+  process.exit(1);
+});

package/src/db/auth-queries.ts

@@ -0,0 +1,256 @@
+// Database queries for authentication
+
+import type { D1Database } from '@cloudflare/workers-types';
+import type { User, UserPublic, ApiToken, ApiTokenPublic, RefreshToken } from './types';
+import { generateId, sha256 } from '../utils/crypto';
+
+// ============ User Queries ============
+
+export async function createUser(
+  db: D1Database,
+  params: {
+    email: string;
+    password_hash: string;
+    display_name?: string;
+  }
+): Promise<User> {
+  const id = generateId();
+  const now = new Date().toISOString();
+
+  await db
+    .prepare(
+      `INSERT INTO users (id, email, password_hash, display_name, created_at, updated_at, status)
+       VALUES (?, ?, ?, ?, ?, ?, 'active')`
+    )
+    .bind(id, params.email.toLowerCase(), params.password_hash, params.display_name ?? null, now, now)
+    .run();
+
+  return {
+    id,
+    email: params.email.toLowerCase(),
+    password_hash: params.password_hash,
+    display_name: params.display_name ?? null,
+    created_at: now,
+    updated_at: now,
+    last_login_at: null,
+    status: 'active',
+  };
+}
+
+export async function getUserByEmail(db: D1Database, email: string): Promise<User | null> {
+  const result = await db.prepare('SELECT * FROM users WHERE email = ? AND status = ?').bind(email.toLowerCase(), 'active').first<User>();
+  return result ?? null;
+}
+
+export async function getUserById(db: D1Database, id: string): Promise<User | null> {
+  const result = await db.prepare('SELECT * FROM users WHERE id = ? AND status = ?').bind(id, 'active').first<User>();
+  return result ?? null;
+}
+
+export async function updateUserLastLogin(db: D1Database, id: string): Promise<void> {
+  const now = new Date().toISOString();
+  await db.prepare('UPDATE users SET last_login_at = ?, updated_at = ? WHERE id = ?').bind(now, now, id).run();
+}
+
+export async function updateUserPassword(db: D1Database, id: string, password_hash: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db.prepare('UPDATE users SET password_hash = ?, updated_at = ? WHERE id = ?').bind(password_hash, now, id).run();
+  return result.meta.changes > 0;
+}
+
+export async function updateUserProfile(
+  db: D1Database,
+  id: string,
+  params: { display_name?: string }
+): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db.prepare('UPDATE users SET display_name = ?, updated_at = ? WHERE id = ?').bind(params.display_name ?? null, now, id).run();
+  return result.meta.changes > 0;
+}
+
+export function toUserPublic(user: User): UserPublic {
+  return {
+    id: user.id,
+    email: user.email,
+    display_name: user.display_name,
+    created_at: user.created_at,
+  };
+}
+
+// ============ API Token Queries ============
+
+export async function createApiToken(
+  db: D1Database,
+  params: {
+    user_id: string;
+    name: string;
+    token: string; // raw token, will be hashed
+    scopes?: string[];
+    expires_in_days?: number;
+  }
+): Promise<{ token: ApiToken; raw_token: string }> {
+  const id = generateId();
+  const now = new Date().toISOString();
+  const tokenHash = await sha256(params.token);
+  const tokenPrefix = params.token.substring(0, 12); // "mcp_" + first 8 chars
+  const scopes = JSON.stringify(params.scopes ?? ['mcp']);
+  const expiresAt = params.expires_in_days ? new Date(Date.now() + params.expires_in_days * 24 * 60 * 60 * 1000).toISOString() : null;
+
+  await db
+    .prepare(
+      `INSERT INTO api_tokens (id, user_id, name, token_hash, token_prefix, scopes, expires_at, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    )
+    .bind(id, params.user_id, params.name, tokenHash, tokenPrefix, scopes, expiresAt, now)
+    .run();
+
+  return {
+    token: {
+      id,
+      user_id: params.user_id,
+      name: params.name,
+      token_hash: tokenHash,
+      token_prefix: tokenPrefix,
+      scopes,
+      last_used_at: null,
+      expires_at: expiresAt,
+      created_at: now,
+      revoked_at: null,
+    },
+    raw_token: params.token,
+  };
+}
+
+export async function getApiTokenByHash(db: D1Database, tokenHash: string): Promise<ApiToken | null> {
+  const result = await db
+    .prepare('SELECT * FROM api_tokens WHERE token_hash = ? AND revoked_at IS NULL')
+    .bind(tokenHash)
+    .first<ApiToken>();
+
+  if (!result) return null;
+
+  // Check expiration
+  if (result.expires_at && new Date(result.expires_at) < new Date()) {
+    return null;
+  }
+
+  return result;
+}
+
+export async function listApiTokens(db: D1Database, userId: string): Promise<ApiTokenPublic[]> {
+  const result = await db
+    .prepare('SELECT * FROM api_tokens WHERE user_id = ? AND revoked_at IS NULL ORDER BY created_at DESC')
+    .bind(userId)
+    .all<ApiToken>();
+
+  return result.results.map(toApiTokenPublic);
+}
+
+export async function revokeApiToken(db: D1Database, id: string, userId: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db.prepare('UPDATE api_tokens SET revoked_at = ? WHERE id = ? AND user_id = ?').bind(now, id, userId).run();
+  return result.meta.changes > 0;
+}
+
+export async function updateApiTokenLastUsed(db: D1Database, id: string): Promise<void> {
+  const now = new Date().toISOString();
+  await db.prepare('UPDATE api_tokens SET last_used_at = ? WHERE id = ?').bind(now, id).run();
+}
+
+export function toApiTokenPublic(token: ApiToken): ApiTokenPublic {
+  return {
+    id: token.id,
+    name: token.name,
+    token_prefix: token.token_prefix,
+    scopes: JSON.parse(token.scopes),
+    last_used_at: token.last_used_at,
+    expires_at: token.expires_at,
+    created_at: token.created_at,
+  };
+}
+
+// ============ Refresh Token Queries ============
+
+export async function createRefreshToken(
+  db: D1Database,
+  params: {
+    user_id: string;
+    token_hash: string;
+    expires_at: string;
+    user_agent?: string;
+    ip_address?: string;
+  }
+): Promise<RefreshToken> {
+  const id = generateId();
+  const now = new Date().toISOString();
+
+  await db
+    .prepare(
+      `INSERT INTO refresh_tokens (id, user_id, token_hash, expires_at, created_at, user_agent, ip_address)
+       VALUES (?, ?, ?, ?, ?, ?, ?)`
+    )
+    .bind(id, params.user_id, params.token_hash, params.expires_at, now, params.user_agent ?? null, params.ip_address ?? null)
+    .run();
+
+  return {
+    id,
+    user_id: params.user_id,
+    token_hash: params.token_hash,
+    expires_at: params.expires_at,
+    created_at: now,
+    revoked_at: null,
+    user_agent: params.user_agent ?? null,
+    ip_address: params.ip_address ?? null,
+  };
+}
+
+export async function getRefreshTokenByHash(db: D1Database, tokenHash: string): Promise<RefreshToken | null> {
+  const result = await db
+    .prepare('SELECT * FROM refresh_tokens WHERE token_hash = ? AND revoked_at IS NULL')
+    .bind(tokenHash)
+    .first<RefreshToken>();
+
+  if (!result) return null;
+
+  // Check expiration
+  if (new Date(result.expires_at) < new Date()) {
+    return null;
+  }
+
+  return result;
+}
+
+export async function revokeRefreshToken(db: D1Database, id: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db.prepare('UPDATE refresh_tokens SET revoked_at = ? WHERE id = ?').bind(now, id).run();
+  return result.meta.changes > 0;
+}
+
+export async function revokeAllUserRefreshTokens(db: D1Database, userId: string): Promise<number> {
+  const now = new Date().toISOString();
+  const result = await db.prepare('UPDATE refresh_tokens SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL').bind(now, userId).run();
+  return result.meta.changes;
+}
+
+// ============ Cleanup Queries ============
+
+export async function cleanupExpiredTokens(db: D1Database): Promise<{ apiTokens: number; refreshTokens: number }> {
+  const now = new Date().toISOString();
+
+  // Mark expired API tokens as revoked
+  const apiResult = await db
+    .prepare("UPDATE api_tokens SET revoked_at = ? WHERE expires_at < ? AND revoked_at IS NULL")
+    .bind(now, now)
+    .run();
+
+  // Mark expired refresh tokens as revoked
+  const refreshResult = await db
+    .prepare("UPDATE refresh_tokens SET revoked_at = ? WHERE expires_at < ? AND revoked_at IS NULL")
+    .bind(now, now)
+    .run();
+
+  return {
+    apiTokens: apiResult.meta.changes,
+    refreshTokens: refreshResult.meta.changes,
+  };
+}