smart-home-engine 0.10.4 → 0.11.0

package/dist/web/assets/{tsMode-THvwQw-l.js → tsMode-DxTbjAE2.js}

@@ -1,4 +1,4 @@
-import{gU as O}from"./monaco-langs-DZ6hB11b.js";import{t as I}from"./index-Bdf2J0nm.js";/*!-----------------------------------------------------------------------------
+import{gU as O}from"./monaco-langs-DZ6hB11b.js";import{t as I}from"./index-DD-XScWV.js";/*!-----------------------------------------------------------------------------
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Version: 0.52.2(404545bded1df6ffa41ea0af4e8ddb219018c6c1)
  * Released under the MIT license

package/dist/web/index.html

@@ -153,10 +153,10 @@
                 }
             })();
         </script>
-      <script type="module" crossorigin src="/assets/index-Bdf2J0nm.js"></script>
+      <script type="module" crossorigin src="/assets/index-DD-XScWV.js"></script>
       <link rel="modulepreload" crossorigin href="/assets/monaco-langs-DZ6hB11b.js">
       <link rel="stylesheet" crossorigin href="/assets/monaco-langs-DyX1CsEw.css">
-      <link rel="stylesheet" crossorigin href="/assets/index-DkhtWYJx.css">
+      <link rel="stylesheet" crossorigin href="/assets/index-BbwiXmS-.css">
     </head>
     <body>
         <div id="app"></div>

package/package.json

@@ -1,6 +1,6 @@
 {
     "name":  "smart-home-engine",
-    "version":  "0.10.4",
+    "version":  "0.11.0",
     "description":  "Node.js based script runner for use in MQTT based Smart Home environments",
     "main":  "src/index.js",
     "scripts":  {
@@ -26,6 +26,7 @@
     "author":  "Sebastian \u0027hobbyquaker\u0027 Raff \u003chobbyquaker@gmail.com\u003e",
     "license":  "MIT",
     "dependencies":  {
+                         "bcryptjs":  "^2.4.3",
                          "@elastic/elasticsearch":  "^9.4.2",
                          "@influxdata/influxdb-client":  "^1.35.0",
                          "@matter/main":  "^0.17.0",

package/src/config.js

@@ -45,6 +45,9 @@ const config = require('yargs')
         disableWatch: false,
         dbRetain: false,
         dbPrefix: 'she/db/',
+        auth: 'none',
+        proxyHeader: 'X-Remote-User',
+        bindAddress: '0.0.0.0',
     })
     .version()
     .help('help')

package/src/index.js

@@ -53,9 +53,17 @@ log.info('she ' + pkg.version + ' starting');
 log.debug('loaded config: ', config);
 
 if (typeof config.port !== 'undefined') {
+    // Validate: password mode requires a password hash
+    if (config.auth === 'password' && !config.password) {
+        log.error('auth is set to "password" but no password is configured. Set a password via the web UI Config → Authentication section first.');
+        process.exit(1);
+    }
     require('./web/server')
         .startServer(config.port, {
-            apiKey: config.apiKey,
+            auth: config.auth,
+            password: config.password || null,
+            proxyHeader: config.proxyHeader,
+            bindAddress: config.bindAddress,
             configPath: config.config,
             scriptDir: config.dir || null,
         })

package/src/web/auth.js

@@ -0,0 +1,186 @@
+'use strict';
+
+/**
+ * Authentication module for the she web server.
+ *
+ * Supports three modes (configured via config.json `auth` field):
+ *   'none'     — no auth, all /she/* routes are open (default)
+ *   'password' — single-password session auth with an HttpOnly cookie
+ *   'proxy'    — trust a header set by nginx/authentik (e.g. X-Remote-User)
+ *
+ * Public endpoints (no auth required in any mode):
+ *   GET  /she/auth/mode    — returns current mode
+ *   POST /she/auth/login   — password mode only; sets session cookie
+ *   POST /she/auth/logout  — clears session cookie
+ *
+ * Protected endpoint (auth required):
+ *   POST /she/auth/setup   — change auth mode / password / proxyHeader
+ */
+
+const crypto = require('crypto');
+const bcrypt = require('bcryptjs');
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+
+const BCRYPT_ROUNDS = 10;
+const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+// In-memory session store — intentionally cleared on restart
+const _sessions = new Map(); // token (hex64) → { createdAt: number }
+
+let _mode = 'none';
+let _passwordHash = null; // bcrypt hash, only used in 'password' mode
+let _proxyHeader = 'x-remote-user'; // lowercase for req.headers lookup
+let _configPath = null;
+
+/**
+ * Initialise auth state. Called once from startServer().
+ */
+function init({ auth = 'none', password = null, proxyHeader = 'X-Remote-User', configPath = null } = {}) {
+    _mode = auth;
+    _passwordHash = password || null;
+    _proxyHeader = proxyHeader.toLowerCase();
+    _configPath = configPath;
+}
+
+function getMode() {
+    return _mode;
+}
+
+// ── Session helpers ─────────────────────────────────────────────────────────
+
+function _getSessionToken(req) {
+    const cookie = req.headers.cookie || '';
+    const m = cookie.match(/(?:^|;\s*)she_session=([a-f0-9]{64})/);
+    return m ? m[1] : null;
+}
+
+function _validateSession(token) {
+    if (!token) return false;
+    const s = _sessions.get(token);
+    if (!s) return false;
+    if (Date.now() - s.createdAt > SESSION_TTL_MS) {
+        _sessions.delete(token);
+        return false;
+    }
+    return true;
+}
+
+// ── Auth check (used by middleware and WS gate) ─────────────────────────────
+
+/**
+ * Returns true if the request is authenticated according to the current mode.
+ * @param {import('http').IncomingMessage} req
+ */
+function checkAuth(req) {
+    if (_mode === 'none') return true;
+    if (_mode === 'proxy') return !!req.headers[_proxyHeader];
+    if (_mode === 'password') return _validateSession(_getSessionToken(req));
+    return true;
+}
+
+/**
+ * Express middleware that enforces auth on /she/* routes.
+ * Mount this AFTER the public auth router so login/mode/logout bypass it.
+ */
+function authMiddleware(req, res, next) {
+    if (checkAuth(req)) return next();
+    res.status(401).json({ error: 'Unauthorized' });
+}
+
+// ── Auth API router ─────────────────────────────────────────────────────────
+
+const router = express.Router();
+
+/** GET /she/auth/mode — always public */
+router.get('/mode', (req, res) => {
+    res.json({ mode: _mode });
+});
+
+/** POST /she/auth/login — always public; only meaningful in password mode */
+router.post('/login', async (req, res) => {
+    if (_mode !== 'password') return res.status(400).json({ error: 'Not in password mode' });
+    const { password } = req.body || {};
+    if (!password || !_passwordHash) return res.status(401).json({ error: 'Unauthorized' });
+    try {
+        const ok = await bcrypt.compare(password, _passwordHash);
+        if (!ok) return res.status(401).json({ error: 'Invalid password' });
+        const token = crypto.randomBytes(32).toString('hex');
+        _sessions.set(token, { createdAt: Date.now() });
+        res.setHeader('Set-Cookie', `she_session=${token}; HttpOnly; SameSite=Strict; Path=/`);
+        res.json({ ok: true });
+    } catch {
+        res.status(500).json({ error: 'Internal error' });
+    }
+});
+
+/** POST /she/auth/logout — always public; clears cookie */
+router.post('/logout', (req, res) => {
+    const token = _getSessionToken(req);
+    if (token) _sessions.delete(token);
+    res.setHeader('Set-Cookie', 'she_session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0');
+    res.json({ ok: true });
+});
+
+/**
+ * POST /she/auth/setup — protected; change auth mode / password / proxyHeader.
+ * Body: { mode: 'none'|'password'|'proxy', password?: string, proxyHeader?: string }
+ *
+ * Self-guards when in password mode (requires valid session).
+ */
+router.post('/setup', async (req, res) => {
+    // Self-guard: in password mode the caller must be authenticated
+    if (_mode === 'password' && !_validateSession(_getSessionToken(req))) {
+        return res.status(401).json({ error: 'Unauthorized' });
+    }
+
+    const { mode, password, proxyHeader } = req.body || {};
+
+    if (!['none', 'password', 'proxy'].includes(mode)) {
+        return res.status(400).json({ error: 'Invalid auth mode. Must be none, password, or proxy.' });
+    }
+    if (mode === 'password' && !password) {
+        return res.status(400).json({ error: 'A non-empty password is required for password mode.' });
+    }
+
+    try {
+        // Read existing config
+        let cfg = {};
+        try {
+            cfg = JSON.parse(fs.readFileSync(_configPath, 'utf8'));
+        } catch {
+            // config file does not exist yet — start from empty
+        }
+
+        // Update auth fields, remove stale ones
+        cfg.auth = mode;
+        delete cfg.password;
+        delete cfg.proxyHeader;
+
+        if (mode === 'password') {
+            cfg.password = await bcrypt.hash(password, BCRYPT_ROUNDS);
+        }
+        if (mode === 'proxy') {
+            cfg.proxyHeader = proxyHeader || 'X-Remote-User';
+        }
+
+        // Write back
+        fs.mkdirSync(path.dirname(_configPath), { recursive: true });
+        fs.writeFileSync(_configPath, JSON.stringify(cfg, null, 2), 'utf8');
+
+        // Apply in-memory (no restart needed)
+        _mode = mode;
+        _passwordHash = cfg.password || null;
+        _proxyHeader = (cfg.proxyHeader || 'X-Remote-User').toLowerCase();
+
+        // Invalidate all existing sessions when switching away from password mode
+        if (mode !== 'password') _sessions.clear();
+
+        res.json({ ok: true });
+    } catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+
+module.exports = { init, authMiddleware, checkAuth, getMode, router };

package/src/web/log-ws.js

@@ -12,11 +12,18 @@ const _clients = new Set();
  *   - { type: 'ping' }               — keepalive every 30 s
  *
  * @param {import('http').Server} httpServer
+ * @param {(req: import('http').IncomingMessage) => boolean} [authCheck]
+ *   Optional function that receives the upgrade request and returns true if
+ *   the connection should be allowed. Defaults to always-allow.
  */
-function attachWss(httpServer) {
+function attachWss(httpServer, authCheck = () => true) {
     _wss = new WebSocketServer({ server: httpServer, path: '/she/ws' });
 
-    _wss.on('connection', (ws) => {
+    _wss.on('connection', (ws, req) => {
+        if (!authCheck(req)) {
+            ws.close(1008, 'Unauthorized');
+            return;
+        }
         _clients.add(ws);
         ws.on('close', () => _clients.delete(ws));
         ws.on('error', () => _clients.delete(ws));

package/src/web/server.js

@@ -11,18 +11,21 @@ const { router: depsRouter } = require('./deps-api');
 const { router: gitRouter } = require('./git-api');
 const { router: aiRouter } = require('./ai-api');
 const { attachWss, closeWss } = require('./log-ws');
+const { init: initAuth, authMiddleware, checkAuth, router: authRouter } = require('./auth');
 
 const app = express();
 app.use(express.json());
 
-// Lazy auth check — _apiKey is populated by startServer(); null = auth disabled.
-// Covers both /she/* (internal system routes) and /api/* (user-script routes).
-let _apiKey = null;
-app.use(['/she', '/api'], (req, res, next) => {
-    if (!_apiKey) return next();
-    const auth = req.headers['authorization'];
-    if (auth === `Bearer ${_apiKey}`) return next();
-    res.status(401).json({ error: 'Unauthorized' });
+// Public auth routes — always accessible regardless of auth mode.
+// Must be mounted BEFORE the auth middleware.
+app.use('/she/auth', authRouter);
+
+// Auth middleware for all /she/* routes except the public auth endpoints above.
+// /api/* is intentionally excluded — user scripts control their own auth.
+const OPEN_SHE_PATHS = new Set(['/she/auth/mode', '/she/auth/login', '/she/auth/logout']);
+app.use('/she', (req, res, next) => {
+    if (OPEN_SHE_PATHS.has(req.originalUrl.split('?')[0])) return next();
+    authMiddleware(req, res, next);
 });
 
 // Config REST endpoints: GET /she/config and PUT /she/config
@@ -90,20 +93,26 @@ let httpServer = null;
 /**
  * Start listening. Resolves with the actual port (useful when port 0 is given).
  * @param {number} port
- * @param {{ apiKey?: string, configPath?: string, scriptDir?: string }} [options]
+ * @param {{ auth?: string, password?: string, proxyHeader?: string, bindAddress?: string, configPath?: string, scriptDir?: string }} [options]
  * @returns {Promise<number>}
  */
 function startServer(port, options = {}) {
-    _apiKey = options.apiKey || null;
+    initAuth({
+        auth: options.auth || 'none',
+        password: options.password || null,
+        proxyHeader: options.proxyHeader || 'X-Remote-User',
+        configPath: options.configPath || null,
+    });
     if (options.configPath) {
         app.locals.configPath = options.configPath;
     }
     if (options.scriptDir) {
         app.locals.scriptDir = options.scriptDir;
     }
+    const host = options.bindAddress || '0.0.0.0';
     return new Promise((resolve, reject) => {
-        httpServer = app.listen(port, () => {
-            attachWss(httpServer);
+        httpServer = app.listen(port, host, () => {
+            attachWss(httpServer, checkAuth);
             resolve(httpServer.address().port);
         });
         httpServer.on('error', reject);