tabminal 3.0.29 → 3.0.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tabminal",
-  "version": "3.0.29",
+  "version": "3.0.30",
   "description": "Tab(ter)minal, a Cloud-Native terminal and ACP agent workspace for desktop, tablet, and phone.",
   "type": "module",
   "bin": {

package/public/app.js

@@ -19,7 +19,7 @@ const {
     buildAuthStateStorageKey,
     makeSessionKey,
     splitSessionKey,
-    hashPassword
+    buildLoginChallengeResponse
 } = await import(`./modules/url-auth.js${LOCAL_MODULE_VERSION}`);
 const {
     shortenPath,
@@ -33,6 +33,8 @@ const {
 } = await import(`./modules/notifications.js${LOCAL_MODULE_VERSION}`);
 
 const DEPRECATED_AUTH_TOKEN_STORAGE_PREFIX = 'tabminal_auth_token:';
+const WEBSOCKET_PROTOCOL = 'tabminal.v1';
+const WEBSOCKET_AUTH_PROTOCOL_PREFIX = 'tabminal.auth.';
 
 function clearDeprecatedPasswordHashAuthStorage() {
     try {
@@ -440,6 +442,7 @@ function buildTerminalBaseOptions(overrides = {}) {
         convertEol: true,
         fontFamily: TERMINAL_FONT_FAMILY,
         fontSize: getTerminalFontSize(),
+        lineHeight: 1.25,
         fontWeight: '450',
         fontWeightBold: '700',
         customGlyphs: true,
@@ -1023,7 +1026,7 @@ class ServerClient {
         return new URL(path, `${this.baseUrl}/`).toString();
     }
 
-    resolveWsUrl(sessionId, token = '') {
+    resolveWsUrl(sessionId) {
         const base = new URL(this.baseUrl);
         const shouldUseSecureWs = (
             base.protocol === 'https:'
@@ -1031,13 +1034,10 @@ class ServerClient {
         );
         const wsProtocol = shouldUseSecureWs ? 'wss:' : 'ws:';
         const wsUrl = new URL(`/ws/${sessionId}`, `${wsProtocol}//${base.host}`);
-        if (token) {
-            wsUrl.searchParams.set('token', token);
-        }
         return wsUrl.toString();
     }
 
-    resolveAgentWsUrl(tabId, token = '') {
+    resolveAgentWsUrl(tabId) {
         const base = new URL(this.baseUrl);
         const shouldUseSecureWs = (
             base.protocol === 'https:'
@@ -1048,18 +1048,40 @@ class ServerClient {
             `/ws/agents/${tabId}`,
             `${wsProtocol}//${base.host}`
         );
-        if (token) {
-            wsUrl.searchParams.set('token', token);
-        }
         return wsUrl.toString();
     }
 
+    getWebSocketProtocols() {
+        return this.token
+            ? [
+                WEBSOCKET_PROTOCOL,
+                `${WEBSOCKET_AUTH_PROTOCOL_PREFIX}${this.token}`
+            ]
+            : [WEBSOCKET_PROTOCOL];
+    }
+
     async login(password) {
-        const passwordHash = await hashPassword(password);
+        const challengeResponse = await this.fetchWithoutAuth(
+            '/api/auth/challenge',
+            {
+                method: 'POST'
+            }
+        );
+        if (!challengeResponse.ok) {
+            throw new Error('Unable to start authentication.');
+        }
+        const challenge = await challengeResponse.json();
+        const responseValue = await buildLoginChallengeResponse(
+            password,
+            challenge
+        );
         const response = await this.fetchWithoutAuth('/api/auth/login', {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ passwordHash })
+            body: JSON.stringify({
+                challengeId: challenge.challengeId || '',
+                response: responseValue
+            })
         });
         if (!response.ok) {
             const data = await response.json().catch(() => ({}));
@@ -9512,12 +9534,12 @@ class Session {
                 return;
             }
 
-            const endpoint = this.server.resolveWsUrl(
-                this.id,
-                this.server.token
-            );
+            const endpoint = this.server.resolveWsUrl(this.id);
             try {
-                this.socket = new WebSocket(endpoint);
+                this.socket = new WebSocket(
+                    endpoint,
+                    this.server.getWebSocketProtocols()
+                );
             } catch (error) {
                 const hostName = getDisplayHost(this.server);
                 console.error(`[WS] Failed to connect ${hostName}:`, error);
@@ -10088,11 +10110,11 @@ class AgentTab {
                 return;
             }
 
-            const endpoint = this.server.resolveAgentWsUrl(
-                this.id,
-                this.server.token
+            const endpoint = this.server.resolveAgentWsUrl(this.id);
+            this.socket = new WebSocket(
+                endpoint,
+                this.server.getWebSocketProtocols()
             );
-            this.socket = new WebSocket(endpoint);
             this.socket.addEventListener('message', (event) => {
                 try {
                     this.handleMessage(JSON.parse(event.data));

package/public/modules/url-auth.js

@@ -85,6 +85,90 @@ export async function hashPassword(password) {
     return sha256Fallback(normalized);
 }
 
+export function buildLoginChallengeMessage(challenge) {
+    return [
+        'tabminal-login-v1',
+        challenge?.challengeId || challenge?.id || '',
+        challenge?.salt || '',
+        challenge?.expiresAt || ''
+    ].join(':');
+}
+
+export async function buildLoginChallengeResponse(password, challenge) {
+    const passwordHash = await hashPassword(password);
+    const message = buildLoginChallengeMessage(challenge);
+    return hmacSha256Hex(passwordHash, message);
+}
+
+async function hmacSha256Hex(keyHex, message) {
+    if (window.crypto && window.crypto.subtle) {
+        try {
+            const key = await window.crypto.subtle.importKey(
+                'raw',
+                hexToBytes(keyHex),
+                { name: 'HMAC', hash: 'SHA-256' },
+                false,
+                ['sign']
+            );
+            const signature = await window.crypto.subtle.sign(
+                'HMAC',
+                key,
+                new TextEncoder().encode(message)
+            );
+            return bytesToHex(new Uint8Array(signature));
+        } catch (error) {
+            console.warn('Web Crypto HMAC failed, falling back to JS', error);
+        }
+    }
+    return hmacSha256Fallback(keyHex, message);
+}
+
+function hmacSha256Fallback(keyHex, message) {
+    const blockSize = 64;
+    let keyBytes = hexToBytes(keyHex);
+    if (keyBytes.length > blockSize) {
+        keyBytes = hexToBytes(sha256Fallback(bytesToBinary(keyBytes)));
+    }
+    const paddedKey = new Uint8Array(blockSize);
+    paddedKey.set(keyBytes);
+    const innerPad = new Uint8Array(blockSize);
+    const outerPad = new Uint8Array(blockSize);
+    for (let index = 0; index < blockSize; index += 1) {
+        innerPad[index] = paddedKey[index] ^ 0x36;
+        outerPad[index] = paddedKey[index] ^ 0x5c;
+    }
+    const innerHash = sha256Fallback(bytesToBinary(innerPad) + message);
+    return sha256Fallback(
+        bytesToBinary(outerPad) + bytesToBinary(hexToBytes(innerHash))
+    );
+}
+
+function hexToBytes(hex) {
+    const normalized = String(hex || '').trim().toLowerCase();
+    const bytes = new Uint8Array(normalized.length / 2);
+    for (let index = 0; index < bytes.length; index += 1) {
+        bytes[index] = Number.parseInt(
+            normalized.slice(index * 2, index * 2 + 2),
+            16
+        );
+    }
+    return bytes;
+}
+
+function bytesToHex(bytes) {
+    return Array.from(bytes, (byte) => {
+        return byte.toString(16).padStart(2, '0');
+    }).join('');
+}
+
+function bytesToBinary(bytes) {
+    let result = '';
+    for (const byte of bytes) {
+        result += String.fromCharCode(byte);
+    }
+    return result;
+}
+
 function sha256Fallback(ascii) {
     function rightRotate(value, amount) {
         return (value >>> amount) | (value << (32 - amount));

package/public/styles.css

@@ -482,7 +482,7 @@ body {
 }
 
 .server-row.has-auth-sessions .server-main-button {
-    padding-right: 42px;
+    padding-right: 48px;
 }
 
 .server-main-button:hover {
@@ -544,8 +544,8 @@ body {
 
 .server-auth-button {
     position: absolute;
-    top: 4px;
-    right: 4px;
+    top: 8px;
+    right: 8px;
     width: 28px;
     height: 28px;
     border-radius: 4px;

package/src/auth.mjs

@@ -10,6 +10,13 @@ const MAX_ATTEMPTS = 30;
 const ACCESS_TOKEN_TTL_MS = 15 * 60 * 1000;
 const REFRESH_TOKEN_TTL_MS = 90 * 24 * 60 * 60 * 1000;
 const ACCESS_TOKEN_REPLAY_LEEWAY_MS = 30 * 1000;
+const AUTH_CHALLENGE_TTL_MS = 30 * 1000;
+const AUTH_CHALLENGE_CLEANUP_MS = 15 * 1000;
+const AUTH_CHALLENGE_MAX = 1000;
+export const AUTH_CHALLENGE_ALGORITHM = 'tabminal-hmac-sha256-login-v1';
+export const AUTH_CHALLENGE_MESSAGE_PREFIX = 'tabminal-login-v1';
+export const WEBSOCKET_PROTOCOL = 'tabminal.v1';
+export const WEBSOCKET_AUTH_PROTOCOL_PREFIX = 'tabminal.auth.';
 
 let failedAttempts = 0;
 let isLocked = false;
@@ -17,6 +24,8 @@ let authStoreInitialized = false;
 let authStoreInitPromise = null;
 const refreshSessions = new Map();
 const accessTokens = new Map();
+const authChallenges = new Map();
+let authChallengeCleanupTimer = null;
 
 function nowTimestamp() {
     return Date.now();
@@ -48,6 +57,10 @@ function generateOpaqueToken(prefix) {
     return `${prefix}_${crypto.randomBytes(32).toString('base64url')}`;
 }
 
+function generateAuthChallengeSalt() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+
 function normalizeAuthHeader(value) {
     const raw = typeof value === 'string' ? value.trim() : '';
     if (!raw) {
@@ -59,6 +72,41 @@ function normalizeAuthHeader(value) {
     return raw;
 }
 
+function parseWebSocketProtocols(value) {
+    return String(value || '')
+        .split(',')
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+}
+
+export function extractWebSocketAuthToken(req) {
+    const authHeader = req?.headers?.authorization || '';
+    if (authHeader) {
+        return normalizeAuthHeader(authHeader);
+    }
+
+    const protocols = parseWebSocketProtocols(
+        req?.headers?.['sec-websocket-protocol']
+    );
+    const authProtocol = protocols.find((protocol) => (
+        protocol.startsWith(WEBSOCKET_AUTH_PROTOCOL_PREFIX)
+    ));
+    if (authProtocol) {
+        return authProtocol.slice(WEBSOCKET_AUTH_PROTOCOL_PREFIX.length);
+    }
+
+    if (req?.url) {
+        try {
+            const url = new URL(req.url, `http://${req.headers.host}`);
+            return normalizeAuthHeader(url.searchParams.get('token'));
+        } catch {
+            // Ignore malformed URL.
+        }
+    }
+
+    return '';
+}
+
 function normalizeUserAgent(value) {
     const raw = typeof value === 'string' ? value.trim() : '';
     return raw.length > 500 ? raw.slice(0, 500) : raw;
@@ -79,6 +127,36 @@ function toIsoOffset(baseMs, deltaMs) {
     return new Date(baseMs + deltaMs).toISOString();
 }
 
+function buildAuthChallengeMessage(challenge) {
+    return [
+        AUTH_CHALLENGE_MESSAGE_PREFIX,
+        challenge.id,
+        challenge.salt,
+        challenge.expiresAt
+    ].join(':');
+}
+
+function hmacSha256Hex(keyHex, message) {
+    return crypto
+        .createHmac('sha256', Buffer.from(keyHex, 'hex'))
+        .update(message)
+        .digest('hex');
+}
+
+export function buildAuthChallengeResponse(passwordHash, challenge) {
+    const normalizedPasswordHash = typeof passwordHash === 'string'
+        ? passwordHash.trim().toLowerCase()
+        : '';
+    return hmacSha256Hex(
+        normalizedPasswordHash,
+        buildAuthChallengeMessage({
+            id: challenge?.challengeId || challenge?.id || '',
+            salt: challenge?.salt || '',
+            expiresAt: challenge?.expiresAt || ''
+        })
+    );
+}
+
 function serializeRefreshSessions() {
     return Array.from(refreshSessions.values())
         .sort((left, right) => {
@@ -108,6 +186,37 @@ function pruneExpiredAccessTokens(now = nowTimestamp()) {
     }
 }
 
+export function pruneExpiredAuthChallenges(now = nowTimestamp()) {
+    let removed = 0;
+    for (const [challengeId, challenge] of authChallenges.entries()) {
+        if (!challenge || isIsoExpired(challenge.expiresAt, now)) {
+            authChallenges.delete(challengeId);
+            removed += 1;
+        }
+    }
+    while (authChallenges.size > AUTH_CHALLENGE_MAX) {
+        const oldestKey = authChallenges.keys().next().value;
+        if (!oldestKey) {
+            break;
+        }
+        authChallenges.delete(oldestKey);
+        removed += 1;
+    }
+    return removed;
+}
+
+function startAuthChallengeCleanup() {
+    if (authChallengeCleanupTimer) {
+        return;
+    }
+    authChallengeCleanupTimer = setInterval(() => {
+        pruneExpiredAuthChallenges();
+    }, AUTH_CHALLENGE_CLEANUP_MS);
+    if (typeof authChallengeCleanupTimer.unref === 'function') {
+        authChallengeCleanupTimer.unref();
+    }
+}
+
 function pruneExpiredRefreshSessions(now = nowTimestamp()) {
     let changed = false;
     for (const [sessionId, session] of refreshSessions.entries()) {
@@ -140,6 +249,7 @@ async function ensureAuthStoreInitialized() {
             if (changed) {
                 await persistRefreshSessions();
             }
+            startAuthChallengeCleanup();
             authStoreInitialized = true;
         })().finally(() => {
             authStoreInitPromise = null;
@@ -148,16 +258,20 @@ async function ensureAuthStoreInitialized() {
     await authStoreInitPromise;
 }
 
-function verifyPasswordHash(passwordHash) {
+function verifyAuthChallengeResponse(challenge, response) {
     if (isLocked) {
         return { success: false, locked: true };
     }
-    const normalized = typeof passwordHash === 'string'
-        ? passwordHash.trim().toLowerCase()
+    const normalized = typeof response === 'string'
+        ? response.trim().toLowerCase()
         : '';
+    const expected = hmacSha256Hex(
+        config.passwordHash,
+        buildAuthChallengeMessage(challenge)
+    );
     if (
         !/^[0-9a-f]{64}$/.test(normalized)
-        || !safeEqualHex(normalized, config.passwordHash)
+        || !safeEqualHex(normalized, expected)
     ) {
         failedAttempts += 1;
         if (failedAttempts >= MAX_ATTEMPTS) {
@@ -181,6 +295,37 @@ function buildAuthPayload(rawAccessToken, rawRefreshToken, now = nowTimestamp())
     };
 }
 
+async function issueAuthTokensForVerifiedPassword({
+    userAgent = ''
+} = {}) {
+    const now = nowTimestamp();
+    const sessionId = crypto.randomUUID();
+    const rawRefreshToken = generateOpaqueToken('tr');
+    const refreshTokenHash = sha256(rawRefreshToken);
+    const createdAt = nowIso();
+    const session = {
+        id: sessionId,
+        passwordFingerprint: getPasswordFingerprint(),
+        refreshTokenHash,
+        createdAt,
+        lastSeenAt: createdAt,
+        refreshExpiresAt: toIsoOffset(now, REFRESH_TOKEN_TTL_MS),
+        rotatedAt: createdAt,
+        revokedAt: '',
+        userAgent: normalizeUserAgent(userAgent)
+    };
+    refreshSessions.set(sessionId, session);
+    await persistRefreshSessions();
+
+    const rawAccessToken = issueAccessToken(sessionId, now);
+    return {
+        ok: true,
+        status: 200,
+        sessionId,
+        ...buildAuthPayload(rawAccessToken, rawRefreshToken, now)
+    };
+}
+
 function issueAccessToken(sessionId, now = nowTimestamp()) {
     removeAccessTokensForSession(sessionId);
     const rawAccessToken = generateOpaqueToken('ta');
@@ -217,12 +362,86 @@ export async function initAuthStore() {
     await ensureAuthStoreInitialized();
 }
 
-export async function issueAuthTokensFromPasswordHash(
-    passwordHash,
+export async function createAuthChallenge() {
+    await ensureAuthStoreInitialized();
+    const now = nowTimestamp();
+    pruneExpiredAuthChallenges(now);
+    while (authChallenges.size >= AUTH_CHALLENGE_MAX) {
+        const oldestKey = authChallenges.keys().next().value;
+        if (!oldestKey) {
+            break;
+        }
+        authChallenges.delete(oldestKey);
+    }
+    const id = crypto.randomUUID();
+    const salt = generateAuthChallengeSalt();
+    const createdAt = new Date(now).toISOString();
+    const expiresAt = toIsoOffset(now, AUTH_CHALLENGE_TTL_MS);
+    authChallenges.set(id, {
+        id,
+        salt,
+        createdAt,
+        expiresAt
+    });
+    return {
+        challengeId: id,
+        salt,
+        expiresAt,
+        algorithm: AUTH_CHALLENGE_ALGORITHM
+    };
+}
+
+function consumeAuthChallenge(challengeId) {
+    const normalizedChallengeId = typeof challengeId === 'string'
+        ? challengeId.trim()
+        : '';
+    if (!normalizedChallengeId) {
+        return null;
+    }
+    const challenge = authChallenges.get(normalizedChallengeId) || null;
+    if (challenge) {
+        authChallenges.delete(normalizedChallengeId);
+    }
+    return challenge;
+}
+
+export async function issueAuthTokensFromChallenge(
+    { challengeId = '', response = '' } = {},
     { userAgent = '' } = {}
 ) {
     await ensureAuthStoreInitialized();
-    const { success, locked } = verifyPasswordHash(passwordHash);
+    if (typeof challengeId !== 'string' || !challengeId.trim()) {
+        return {
+            ok: false,
+            status: 400,
+            error: 'Invalid login challenge.'
+        };
+    }
+
+    const challenge = consumeAuthChallenge(challengeId);
+    if (!challenge || isIsoExpired(challenge.expiresAt)) {
+        return {
+            ok: false,
+            status: 401,
+            error: 'Login challenge expired. Please try again.'
+        };
+    }
+
+    const normalizedResponse = typeof response === 'string'
+        ? response.trim().toLowerCase()
+        : '';
+    if (!/^[0-9a-f]{64}$/.test(normalizedResponse)) {
+        return {
+            ok: false,
+            status: 400,
+            error: 'Invalid login challenge.'
+        };
+    }
+
+    const { success, locked } = verifyAuthChallengeResponse(
+        challenge,
+        normalizedResponse
+    );
     if (locked) {
         return {
             ok: false,
@@ -238,31 +457,7 @@ export async function issueAuthTokensFromPasswordHash(
         };
     }
 
-    const now = nowTimestamp();
-    const sessionId = crypto.randomUUID();
-    const rawRefreshToken = generateOpaqueToken('tr');
-    const refreshTokenHash = sha256(rawRefreshToken);
-    const session = {
-        id: sessionId,
-        passwordFingerprint: getPasswordFingerprint(),
-        refreshTokenHash,
-        createdAt: nowIso(),
-        lastSeenAt: nowIso(),
-        refreshExpiresAt: toIsoOffset(now, REFRESH_TOKEN_TTL_MS),
-        rotatedAt: nowIso(),
-        revokedAt: '',
-        userAgent: normalizeUserAgent(userAgent)
-    };
-    refreshSessions.set(sessionId, session);
-    await persistRefreshSessions();
-
-    const rawAccessToken = issueAccessToken(sessionId, now);
-    return {
-        ok: true,
-        status: 200,
-        sessionId,
-        ...buildAuthPayload(rawAccessToken, rawRefreshToken, now)
-    };
+    return issueAuthTokensForVerifiedPassword({ userAgent });
 }
 
 export async function refreshAuthTokens(
@@ -465,6 +660,7 @@ export async function authMiddleware(ctx, next) {
     if (
         ctx.path === '/healthz'
         || ctx.path === '/api/version'
+        || ctx.path === '/api/auth/challenge'
         || ctx.path === '/api/auth/login'
         || ctx.path === '/api/auth/refresh'
         || ctx.path === '/api/auth/logout'
@@ -486,18 +682,7 @@ export async function authMiddleware(ctx, next) {
 
 export function verifyClient(info, cb) {
     const { req } = info;
-    let authHeader = req.headers['authorization'];
-
-    if (!authHeader && req.url) {
-        try {
-            const url = new URL(req.url, `http://${req.headers.host}`);
-            authHeader = url.searchParams.get('token');
-        } catch {
-            // Ignore malformed URL.
-        }
-    }
-
-    const normalizedToken = normalizeAuthHeader(authHeader);
+    const normalizedToken = extractWebSocketAuthToken(req);
     if (!normalizedToken) {
         cb(false, 401, 'Unauthorized');
         return;

package/src/server.mjs

@@ -20,14 +20,16 @@ import { SystemMonitor } from './system-monitor.mjs';
 import { config } from './config.mjs';
 import {
     authMiddleware,
+    createAuthChallenge,
     initAuthStore,
-    issueAuthTokensFromPasswordHash,
+    issueAuthTokensFromChallenge,
     listAuthSessions,
     refreshAuthTokens,
     revokeAuthSessionById,
     revokeOtherAuthSessions,
     revokeAuthTokens,
-    verifyClient
+    verifyClient,
+    WEBSOCKET_PROTOCOL
 } from './auth.mjs';
 import {
     setupFsRoutes,
@@ -184,12 +186,22 @@ router.get('/healthz', (ctx) => {
     ctx.body = { status: 'ok' };
 });
 
+router.post('/api/auth/challenge', async (ctx) => {
+    ctx.body = await createAuthChallenge();
+});
+
 router.post('/api/auth/login', async (ctx) => {
     const body = ctx.request.body || {};
-    const passwordHash = typeof body.passwordHash === 'string'
-        ? body.passwordHash
+    const challengeId = typeof body.challengeId === 'string'
+        ? body.challengeId
+        : '';
+    const response = typeof body.response === 'string'
+        ? body.response
         : '';
-    const result = await issueAuthTokensFromPasswordHash(passwordHash, {
+    const result = await issueAuthTokensFromChallenge({
+        challengeId,
+        response
+    }, {
         userAgent: ctx.get('user-agent')
     });
     ctx.status = result.status;
@@ -765,7 +777,16 @@ app.use(router.routes());
 app.use(router.allowedMethods());
 
 const httpServer = createServer(app.callback());
-const wss = new WebSocketServer({ noServer: true, verifyClient });
+const wss = new WebSocketServer({
+    noServer: true,
+    verifyClient,
+    handleProtocols: (protocols) => {
+        if (protocols.has(WEBSOCKET_PROTOCOL)) {
+            return WEBSOCKET_PROTOCOL;
+        }
+        return false;
+    }
+});
 const httpConnections = new Set();
 
 httpServer.on('connection', (socket) => {

package/src/terminal-session.mjs

@@ -1001,7 +1001,9 @@ export class TerminalSession {
         });
 
         // Auto-Fix: If command failed, ask AI for help
-        if (exitCode !== 0 && entry.command && this._isAiEnabled()) {
+        const hasCapturedInput =
+            typeof entry.input === 'string' && entry.input.trim().length > 0;
+        if (exitCode !== 0 && entry.command && hasCapturedInput && this._isAiEnabled()) {
             // Don't trigger on simple interruptions (SIGINT=130) or common non-errors?
             // 130 = Ctrl+C. Usually user intention.
             if (exitCode !== 130) {