upfynai-code 2.3.0 → 2.4.0

package/server/index.js

@@ -54,6 +54,7 @@ import { getProjects, getSessions, getSessionMessages, renameProject, deleteSess
 import { queryClaudeSDK, abortClaudeSDKSession, isClaudeSDKSessionActive, getActiveClaudeSDKSessions, resolveToolApproval } from './claude-sdk.js';
 import { spawnCursor, abortCursorSession, isCursorSessionActive, getActiveCursorSessions } from './cursor-cli.js';
 import { queryCodex, abortCodexSession, isCodexSessionActive, getActiveCodexSessions } from './openai-codex.js';
+import { queryOpenRouter, OPENROUTER_MODELS } from './openrouter.js';
 import { createMcpServer, mountMcpServer } from './mcp-server.js';
 import gitRoutes from './routes/git.js';
 import authRoutes from './routes/auth.js';
@@ -69,7 +70,7 @@ import cliAuthRoutes from './routes/cli-auth.js';
 import userRoutes from './routes/user.js';
 import codexRoutes from './routes/codex.js';
 import paymentRoutes from './routes/payments.js';
-import { initializeDatabase, relayTokensDb, subscriptionDb } from './database/db.js';
+import { initializeDatabase, relayTokensDb, subscriptionDb, credentialsDb } from './database/db.js';
 import { validateApiKey, authenticateToken, authenticateWebSocket } from './middleware/auth.js';
 import { IS_PLATFORM } from './constants/config.js';
 
@@ -348,6 +349,18 @@ if (server) {
 // Make WebSocket server available to routes
 app.locals.wss = wss;
 
+// Security headers — protect against common web attacks
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  if (process.env.NODE_ENV === 'production') {
+    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+  }
+  next();
+});
+
 // CORS: require explicit CORS_ORIGINS in production, restrict to same-origin otherwise
 const CORS_ORIGINS = process.env.CORS_ORIGINS
   ? process.env.CORS_ORIGINS.split(',').map(o => o.trim())
@@ -367,6 +380,44 @@ app.use(express.json({
 }));
 app.use(express.urlencoded({ limit: '50mb', extended: true }));
 
+// Rate limiting for auth endpoints — prevent brute force attacks
+const authRateLimitMap = new Map();
+const AUTH_RATE_WINDOW = 15 * 60 * 1000; // 15 minutes
+const AUTH_RATE_MAX = 10; // max attempts per window
+
+function authRateLimit(req, res, next) {
+  const key = req.ip || req.connection.remoteAddress || 'unknown';
+  const now = Date.now();
+  const entry = authRateLimitMap.get(key);
+
+  if (entry) {
+    // Clean expired entries
+    if (now - entry.windowStart > AUTH_RATE_WINDOW) {
+      authRateLimitMap.set(key, { windowStart: now, count: 1 });
+      return next();
+    }
+    entry.count++;
+    if (entry.count > AUTH_RATE_MAX) {
+      return res.status(429).json({ error: 'Too many attempts. Please try again later.' });
+    }
+  } else {
+    authRateLimitMap.set(key, { windowStart: now, count: 1 });
+  }
+  next();
+}
+
+// Clean up stale rate limit entries every 30 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, entry] of authRateLimitMap) {
+    if (now - entry.windowStart > AUTH_RATE_WINDOW) {
+      authRateLimitMap.delete(key);
+    }
+  }
+}, 30 * 60 * 1000);
+
+app.locals.authRateLimit = authRateLimit;
+
 // Vercel serverless: lazy DB initialization on first request
 let dbInitialized = false;
 if (process.env.VERCEL) {
@@ -520,77 +571,15 @@ app.use(express.static(path.join(__dirname, '../client/dist'), {
 // /api/config endpoint removed - no longer needed
 // Frontend now uses window.location for WebSocket URLs
 
-// System update endpoint
-app.post('/api/system/update', authenticateToken, async (req, res) => {
-    try {
-        // Get the project root directory (parent of server directory)
-        const projectRoot = path.join(__dirname, '..');
-
-        console.log('Starting system update from directory:', projectRoot);
-
-        // Run the update command
-        const updateCommand = 'git checkout main && git pull && npm install';
-
-        const child = spawn('sh', ['-c', updateCommand], {
-            cwd: projectRoot,
-            env: process.env
-        });
-
-        let output = '';
-        let errorOutput = '';
-
-        child.stdout.on('data', (data) => {
-            const text = data.toString();
-            output += text;
-            console.log('Update output:', text);
-        });
-
-        child.stderr.on('data', (data) => {
-            const text = data.toString();
-            errorOutput += text;
-            console.error('Update error:', text);
-        });
-
-        child.on('close', (code) => {
-            if (code === 0) {
-                res.json({
-                    success: true,
-                    output: output || 'Update completed successfully',
-                    message: 'Update completed. Please restart the server to apply changes.'
-                });
-            } else {
-                res.status(500).json({
-                    success: false,
-                    error: 'Update command failed',
-                    output: output,
-                    errorOutput: errorOutput
-                });
-            }
-        });
-
-        child.on('error', (error) => {
-            console.error('Update process error:', error);
-            res.status(500).json({
-                success: false,
-                error: error.message
-            });
-        });
-
-    } catch (error) {
-        console.error('System update error:', error);
-        res.status(500).json({
-            success: false,
-            error: error.message
-        });
-    }
-});
+// System update endpoint — REMOVED for security (shell command execution risk)
+// Use `uc update` from CLI instead
 
 app.get('/api/projects', authenticateToken, async (req, res) => {
     try {
         const projects = await getProjects(broadcastProgress);
         res.json(projects);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -600,7 +589,7 @@ app.get('/api/projects/:projectName/sessions', authenticateToken, async (req, re
         const result = await getSessions(req.params.projectName, parseInt(limit), parseInt(offset));
         res.json(result);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -625,7 +614,7 @@ app.get('/api/projects/:projectName/sessions/:sessionId/messages', authenticateT
             res.json(result);
         }
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -636,7 +625,7 @@ app.put('/api/projects/:projectName/rename', authenticateToken, async (req, res)
         await renameProject(req.params.projectName, displayName);
         res.json({ success: true });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -650,7 +639,7 @@ app.delete('/api/projects/:projectName/sessions/:sessionId', authenticateToken,
         res.json({ success: true });
     } catch (error) {
         // session delete error
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -662,7 +651,7 @@ app.delete('/api/projects/:projectName', authenticateToken, async (req, res) =>
         await deleteProject(projectName, force);
         res.json({ success: true });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -679,7 +668,7 @@ app.post('/api/projects/create', authenticateToken, async (req, res) => {
         res.json({ success: true, project });
     } catch (error) {
         console.error('Error creating project:', error);
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -832,13 +821,11 @@ app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) =
             return res.status(404).json({ error: 'Project not found' });
         }
 
-        // Handle both absolute and relative paths
-        const resolved = path.isAbsolute(filePath)
-            ? path.resolve(filePath)
-            : path.resolve(projectRoot, filePath);
+        // Always resolve relative to project root to prevent path traversal
+        const resolved = path.resolve(projectRoot, filePath);
         const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
+        if (!resolved.startsWith(normalizedRoot) && resolved !== path.resolve(projectRoot)) {
+            return res.status(403).json({ error: 'Access denied' });
         }
 
         const content = await fsPromises.readFile(resolved, 'utf8');
@@ -850,7 +837,7 @@ app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) =
         } else if (error.code === 'EACCES') {
             res.status(403).json({ error: 'Permission denied' });
         } else {
-            res.status(500).json({ error: error.message });
+            res.status(500).json({ error: 'Internal server error' });
         }
     }
 });
@@ -872,10 +859,11 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
             return res.status(404).json({ error: 'Project not found' });
         }
 
-        const resolved = path.resolve(filePath);
+        // Resolve path relative to project root to prevent path traversal
+        const resolved = path.resolve(projectRoot, filePath);
         const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
+        if (!resolved.startsWith(normalizedRoot) && resolved !== path.resolve(projectRoot)) {
+            return res.status(403).json({ error: 'Access denied' });
         }
 
         // Check if file exists
@@ -903,7 +891,7 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
     } catch (error) {
         console.error('Error serving binary file:', error);
         if (!res.headersSent) {
-            res.status(500).json({ error: error.message });
+            res.status(500).json({ error: 'Internal server error' });
         }
     }
 });
@@ -929,13 +917,11 @@ app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) =
             return res.status(404).json({ error: 'Project not found' });
         }
 
-        // Handle both absolute and relative paths
-        const resolved = path.isAbsolute(filePath)
-            ? path.resolve(filePath)
-            : path.resolve(projectRoot, filePath);
+        // Always resolve relative to project root to prevent path traversal
+        const resolved = path.resolve(projectRoot, filePath);
         const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
+        if (!resolved.startsWith(normalizedRoot) && resolved !== path.resolve(projectRoot)) {
+            return res.status(403).json({ error: 'Access denied' });
         }
 
         // Write the new content
@@ -953,7 +939,7 @@ app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) =
         } else if (error.code === 'EACCES') {
             res.status(403).json({ error: 'Permission denied' });
         } else {
-            res.status(500).json({ error: error.message });
+            res.status(500).json({ error: 'Internal server error' });
         }
     }
 });
@@ -985,7 +971,7 @@ app.get('/api/projects/:projectName/files', authenticateToken, async (req, res)
         res.json(files);
     } catch (error) {
         console.error('[ERROR] File tree error:', error.message);
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -1001,9 +987,9 @@ if (wss) wss.on('connection', (ws, request) => {
     if (pathname === '/shell') {
         handleShellConnection(ws);
     } else if (pathname === '/ws') {
-        handleChatConnection(ws);
+        handleChatConnection(ws, request);
     } else if (pathname === '/relay') {
-        handleRelayConnection(ws, urlObj.searchParams.get('token'));
+        handleRelayConnection(ws, urlObj.searchParams.get('token'), request);
     } else {
         // unknown WebSocket path
         ws.close();
@@ -1036,9 +1022,44 @@ class WebSocketWriter {
   }
 }
 
+/**
+ * Look up a user's stored API key for a given provider.
+ * Falls back to server env vars if user has none stored.
+ * @param {number} userId
+ * @param {string} providerType - e.g. 'anthropic_key', 'openai_key', 'openrouter_key', 'google_key'
+ * @returns {Promise<string|null>}
+ */
+async function getUserProviderKey(userId, providerType) {
+    if (!userId) return null;
+    try {
+        const creds = await credentialsDb.getCredentials(userId, providerType);
+        const active = creds.find(c => c.is_active);
+        return active?.credential_value || null;
+    } catch { return null; }
+}
+
+/**
+ * Temporarily set environment variable for an AI SDK call, then restore.
+ * @param {string} envKey - e.g. 'ANTHROPIC_API_KEY'
+ * @param {string|null} userKey - user's BYOK key, null to skip
+ * @param {Function} fn - async function to execute with the key set
+ */
+async function withUserApiKey(envKey, userKey, fn) {
+    if (!userKey) return fn();
+    const prev = process.env[envKey];
+    process.env[envKey] = userKey;
+    try {
+        return await fn();
+    } finally {
+        if (prev !== undefined) process.env[envKey] = prev;
+        else delete process.env[envKey];
+    }
+}
+
 // Handle chat WebSocket connections
-function handleChatConnection(ws) {
+function handleChatConnection(ws, request) {
     // chat WebSocket connected
+    const wsUser = request?.user || null;
 
     // Add to connected clients for project updates
     connectedClients.add(ws);
@@ -1109,22 +1130,46 @@ function handleChatConnection(ws) {
 
                 console.log('[DEBUG] User message:', data.command || '[Continue/Resume]');
                 console.log('📁 Project:', data.options?.projectPath || 'Unknown');
-                // session message received
 
-                // Use Claude Agents SDK
-                await queryClaudeSDK(data.command, data.options, writer);
+                // BYOK: look up user's Anthropic API key, inject if available
+                const userAnthropicKey = wsUser?.userId
+                    ? await getUserProviderKey(wsUser.userId, 'anthropic_key')
+                    : null;
+
+                await withUserApiKey('ANTHROPIC_API_KEY', userAnthropicKey, () =>
+                    queryClaudeSDK(data.command, data.options, writer)
+                );
             } else if (data.type === 'cursor-command') {
                 console.log('[DEBUG] Cursor message:', data.command || '[Continue/Resume]');
                 console.log('📁 Project:', data.options?.cwd || 'Unknown');
-                // session message received
                 console.log('🤖 Model:', data.options?.model || 'default');
                 await spawnCursor(data.command, data.options, writer);
             } else if (data.type === 'codex-command') {
                 console.log('[DEBUG] Codex message:', data.command || '[Continue/Resume]');
                 console.log('📁 Project:', data.options?.projectPath || data.options?.cwd || 'Unknown');
-                // session message received
                 console.log('🤖 Model:', data.options?.model || 'default');
-                await queryCodex(data.command, data.options, writer);
+
+                // BYOK: look up user's OpenAI API key, inject if available
+                const userOpenaiKey = wsUser?.userId
+                    ? await getUserProviderKey(wsUser.userId, 'openai_key')
+                    : null;
+
+                await withUserApiKey('OPENAI_API_KEY', userOpenaiKey, () =>
+                    queryCodex(data.command, data.options, writer)
+                );
+            } else if (data.type === 'openrouter-command') {
+                console.log('[DEBUG] OpenRouter message:', data.command?.slice(0, 60) || '[empty]');
+                console.log('🤖 Model:', data.options?.model || OPENROUTER_MODELS.DEFAULT);
+
+                // BYOK: OpenRouter requires user's own API key
+                const userOrKey = wsUser?.userId
+                    ? await getUserProviderKey(wsUser.userId, 'openrouter_key')
+                    : null;
+
+                await queryOpenRouter(data.command, {
+                    ...data.options,
+                    apiKey: userOrKey,
+                }, writer);
             } else if (data.type === 'cursor-resume') {
                 // Backward compatibility: treat as cursor-command with resume and no prompt
                 // cursor resume session
@@ -1226,7 +1271,7 @@ function handleChatConnection(ws) {
 }
 
 // Handle relay WebSocket connections (local machine ↔ server bridge)
-async function handleRelayConnection(ws, token) {
+async function handleRelayConnection(ws, token, request) {
     if (!token) {
         ws.send(JSON.stringify({ type: 'error', error: 'Relay token required. Use ?token=upfyn_xxx' }));
         ws.close();
@@ -1243,9 +1288,12 @@ async function handleRelayConnection(ws, token) {
     const userId = Number(tokenData.user_id);
     const username = tokenData.username;
 
-    // Store relay connection (use Number() to ensure consistent Map key type)
-    relayConnections.set(userId, { ws, user: tokenData, connectedAt: Date.now() });
-    // relay connection established
+    // Extract optional Anthropic API key from relay handshake headers
+    const anthropicApiKey = request?.headers?.['x-anthropic-api-key'] || null;
+
+    // Store relay connection with API key in memory only (use Number() for consistent Map key type)
+    // API key is held per-user in the relay connection, NOT in process.env
+    relayConnections.set(userId, { ws, user: tokenData, connectedAt: Date.now(), anthropicApiKey });
 
     ws.send(JSON.stringify({
         type: 'relay-connected',
@@ -1707,9 +1755,13 @@ app.post('/api/transcribe', authenticateToken, async (req, res) => {
                 return res.status(400).json({ error: 'No audio file provided' });
             }
 
-            const apiKey = process.env.OPENAI_API_KEY;
+            // BYOK: check user's stored OpenAI key first, fall back to server env
+            const userOpenaiKey = req.user?.id
+                ? await getUserProviderKey(req.user.id, 'openai_key')
+                : null;
+            const apiKey = userOpenaiKey || process.env.OPENAI_API_KEY;
             if (!apiKey) {
-                return res.status(500).json({ error: 'OpenAI API key not configured. Please set OPENAI_API_KEY in server environment.' });
+                return res.status(500).json({ error: 'OpenAI API key not configured. Add your key in Settings > AI Providers, or ask the admin to set OPENAI_API_KEY.' });
             }
 
             try {
@@ -1831,7 +1883,7 @@ Agent instructions:`;
 
             } catch (error) {
                 console.error('Transcription error:', error);
-                res.status(500).json({ error: error.message });
+                res.status(500).json({ error: 'Internal server error' });
             }
         });
     } catch (error) {

package/server/middleware/auth.js

@@ -18,17 +18,21 @@ const validateApiKey = (req, res, next) => {
   next();
 };
 
-// Extract JWT from request: cookie → Bearer header → query param
+// Extract JWT from request: cookie → Bearer header → query param (SSE only)
 const extractToken = (req) => {
-  // 1. httpOnly cookie (browser sessions)
+  // 1. httpOnly cookie (browser sessions — primary auth method)
   if (req.cookies?.session) return req.cookies.session;
 
-  // 2. Bearer header (API clients, MCP, backward compat)
+  // 2. Bearer header (API clients, MCP)
   const authHeader = req.headers['authorization'];
   if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
 
-  // 3. Query param (SSE EventSource fallback)
-  if (req.query?.token) return req.query.token;
+  // 3. Query param — ONLY for SSE EventSource (which cannot set custom headers)
+  // Restricted to GET requests with Accept: text/event-stream to minimize exposure
+  if (req.query?.token && req.method === 'GET' &&
+      (req.headers.accept || '').includes('text/event-stream')) {
+    return req.query.token;
+  }
 
   return null;
 };

package/server/openrouter.js

@@ -0,0 +1,137 @@
+/**
+ * OpenRouter Integration
+ *
+ * Lightweight wrapper for OpenRouter API, which provides access to
+ * hundreds of AI models (GPT-4, Claude, Gemini, Llama, Mistral, etc.)
+ * through a single API key and endpoint.
+ *
+ * Users provide their own OpenRouter API key via BYOK settings.
+ */
+
+const OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
+
+// Popular models available on OpenRouter
+export const OPENROUTER_MODELS = {
+  OPTIONS: [
+    { value: 'anthropic/claude-sonnet-4', label: 'Claude Sonnet 4' },
+    { value: 'anthropic/claude-opus-4', label: 'Claude Opus 4' },
+    { value: 'openai/gpt-4o', label: 'GPT-4o' },
+    { value: 'openai/o3', label: 'O3' },
+    { value: 'google/gemini-2.5-pro', label: 'Gemini 2.5 Pro' },
+    { value: 'meta-llama/llama-4-maverick', label: 'Llama 4 Maverick' },
+    { value: 'mistralai/mistral-large', label: 'Mistral Large' },
+    { value: 'deepseek/deepseek-r1', label: 'DeepSeek R1' },
+  ],
+  DEFAULT: 'anthropic/claude-sonnet-4',
+};
+
+/**
+ * Query OpenRouter API with streaming support
+ * @param {string} message - User message
+ * @param {Object} options - { model, apiKey, systemPrompt }
+ * @param {Object} writer - WebSocketWriter or SSEStreamWriter
+ */
+export async function queryOpenRouter(message, options = {}, writer) {
+  const {
+    model = OPENROUTER_MODELS.DEFAULT,
+    apiKey,
+    systemPrompt,
+    sessionId,
+  } = options;
+
+  if (!apiKey) {
+    writer.send({
+      type: 'error',
+      error: 'OpenRouter API key required. Add your key in Settings > AI Providers.',
+    });
+    return;
+  }
+
+  // Generate session ID
+  const sid = sessionId || `or-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+  writer.send({ type: 'session-created', sessionId: sid });
+
+  const messages = [];
+  if (systemPrompt) {
+    messages.push({ role: 'system', content: systemPrompt });
+  }
+  messages.push({ role: 'user', content: message });
+
+  try {
+    const response = await fetch(`${OPENROUTER_BASE_URL}/chat/completions`, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${apiKey}`,
+        'Content-Type': 'application/json',
+        'HTTP-Referer': 'https://cli.upfyn.com',
+        'X-Title': 'Upfyn-Code',
+      },
+      body: JSON.stringify({
+        model,
+        messages,
+        stream: true,
+      }),
+    });
+
+    if (!response.ok) {
+      const errBody = await response.text();
+      let errMsg = `OpenRouter API error (${response.status})`;
+      try {
+        const parsed = JSON.parse(errBody);
+        errMsg = parsed.error?.message || errMsg;
+      } catch {}
+      writer.send({ type: 'error', error: errMsg, sessionId: sid });
+      return;
+    }
+
+    // Stream SSE response
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = '';
+    let fullContent = '';
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split('\n');
+      buffer = lines.pop() || '';
+
+      for (const line of lines) {
+        if (!line.startsWith('data: ')) continue;
+        const data = line.slice(6).trim();
+        if (data === '[DONE]') break;
+
+        try {
+          const parsed = JSON.parse(data);
+          const delta = parsed.choices?.[0]?.delta?.content;
+          if (delta) {
+            fullContent += delta;
+            writer.send({
+              type: 'assistant',
+              content: delta,
+              sessionId: sid,
+            });
+          }
+        } catch {}
+      }
+    }
+
+    // Send completion
+    writer.send({
+      type: 'result',
+      subtype: 'success',
+      sessionId: sid,
+      content: fullContent,
+      model,
+      provider: 'openrouter',
+    });
+  } catch (error) {
+    writer.send({
+      type: 'error',
+      error: `OpenRouter request failed: ${error.message}`,
+      sessionId: sid,
+    });
+  }
+}