upfynai-code 2.3.0 → 2.4.1

package/server/routes/auth.js

@@ -19,8 +19,12 @@ router.get('/status', async (req, res) => {
   }
 });
 
-// User registration — allows multiple users
-router.post('/register', async (req, res) => {
+// User registration — allows multiple users (rate limited)
+router.post('/register', (req, res, next) => {
+  const rl = req.app.locals.authRateLimit;
+  if (rl) return rl(req, res, next);
+  next();
+}, async (req, res) => {
   try {
     const { username, password, email, phone, firstName, lastName } = req.body;
 
@@ -28,13 +32,16 @@ router.post('/register', async (req, res) => {
     if (!password) {
       return res.status(400).json({ error: 'Password is required' });
     }
-    if (password.length < 6) {
-      return res.status(400).json({ error: 'Password must be at least 6 characters' });
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    }
+    if (password.length > 128) {
+      return res.status(400).json({ error: 'Password is too long' });
     }
 
-    // Derive display username from firstName + lastName if no username provided
-    const fName = (firstName || '').trim();
-    const lName = (lastName || '').trim();
+    // Sanitize and validate name/phone inputs
+    const fName = (firstName || '').trim().slice(0, 50);
+    const lName = (lastName || '').trim().slice(0, 50);
     const displayName = username || [fName, lName].filter(Boolean).join(' ') || 'User';
 
     if (displayName.length < 2) {
@@ -86,8 +93,12 @@ router.post('/register', async (req, res) => {
   }
 });
 
-// User login
-router.post('/login', async (req, res) => {
+// User login (rate limited)
+router.post('/login', (req, res, next) => {
+  const rl = req.app.locals.authRateLimit;
+  if (rl) return rl(req, res, next);
+  next();
+}, async (req, res) => {
   try {
     const { username, password, firstName, lastName, phone } = req.body;
 
@@ -106,9 +117,9 @@ router.post('/login', async (req, res) => {
     }
 
     // Update name/phone if provided and different from stored values
-    const fName = (firstName || '').trim();
-    const lName = (lastName || '').trim();
-    const ph = (phone || '').trim();
+    const fName = (firstName || '').trim().slice(0, 50);
+    const lName = (lastName || '').trim().slice(0, 50);
+    const ph = (phone || '').trim().slice(0, 20);
     const updates = [];
     const args = [];
     if (fName && fName !== user.first_name) { updates.push('first_name = ?'); args.push(fName); }

package/server/routes/commands.js

@@ -293,7 +293,7 @@ Custom commands can be created in:
     // Read version from package.json
     const packageJsonPath = path.join(path.dirname(__dirname), '..', 'package.json');
     let version = 'unknown';
-    let packageName = 'upfyn-code';
+    let packageName = 'upfynai-code';
 
     try {
       const packageJson = JSON.parse(await fs.readFile(packageJsonPath, 'utf8'));

package/server/routes/settings.js

@@ -175,4 +175,95 @@ router.patch('/credentials/:credentialId/toggle', async (req, res) => {
   }
 });
 
+// ===============================
+// AI Provider Keys (BYOK)
+// ===============================
+
+const AI_PROVIDER_TYPES = [
+  'anthropic_key',
+  'openai_key',
+  'openrouter_key',
+  'google_key',
+];
+
+// Get all AI provider keys for the authenticated user (masked values)
+router.get('/ai-providers', async (req, res) => {
+  try {
+    const allCreds = [];
+    for (const type of AI_PROVIDER_TYPES) {
+      const creds = await credentialsDb.getCredentials(req.user.id, type);
+      allCreds.push(...creds.map(c => ({
+        id: c.id,
+        credential_name: c.credential_name,
+        credential_type: c.credential_type,
+        description: c.description,
+        is_active: c.is_active,
+        created_at: c.created_at,
+        // Mask the key — show first 8 and last 4 chars
+        masked_value: c.credential_value
+          ? c.credential_value.slice(0, 8) + '...' + c.credential_value.slice(-4)
+          : '***',
+      })));
+    }
+    res.json({ providers: allCreds });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch AI provider keys' });
+  }
+});
+
+// Save an AI provider key
+router.post('/ai-providers', async (req, res) => {
+  try {
+    const { providerType, apiKey, name } = req.body;
+
+    if (!providerType || !AI_PROVIDER_TYPES.includes(providerType)) {
+      return res.status(400).json({ error: `Invalid provider type. Supported: ${AI_PROVIDER_TYPES.join(', ')}` });
+    }
+    if (!apiKey || !apiKey.trim()) {
+      return res.status(400).json({ error: 'API key is required' });
+    }
+    if (apiKey.trim().length < 10 || apiKey.trim().length > 256) {
+      return res.status(400).json({ error: 'Invalid API key length' });
+    }
+
+    const label = providerType.replace('_key', '').replace('_', ' ');
+    const credName = name?.trim() || `${label} API key`;
+
+    // Deactivate existing keys of same type (user should only have one active per provider)
+    const existing = await credentialsDb.getCredentials(req.user.id, providerType);
+    for (const cred of existing) {
+      if (cred.is_active) {
+        await credentialsDb.toggleCredential(req.user.id, cred.id, false);
+      }
+    }
+
+    const result = await credentialsDb.createCredential(
+      req.user.id,
+      credName,
+      providerType,
+      apiKey.trim(),
+      `User-provided ${label} API key`
+    );
+
+    res.json({ success: true, credential: { id: result.id, credential_type: providerType, credential_name: credName } });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to save AI provider key' });
+  }
+});
+
+// Delete an AI provider key
+router.delete('/ai-providers/:credentialId', async (req, res) => {
+  try {
+    const { credentialId } = req.params;
+    const success = await credentialsDb.deleteCredential(req.user.id, parseInt(credentialId));
+    if (success) {
+      res.json({ success: true });
+    } else {
+      res.status(404).json({ error: 'Provider key not found' });
+    }
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete provider key' });
+  }
+});
+
 export default router;

package/shared/modelConstants.js

@@ -65,3 +65,32 @@ export const CODEX_MODELS = {
 
   DEFAULT: 'gpt-5.2'
 };
+
+/**
+ * OpenRouter Models (BYOK — user brings their own API key)
+ * Access 200+ models from all major providers through a single API.
+ */
+export const OPENROUTER_MODELS = {
+  OPTIONS: [
+    { value: 'anthropic/claude-sonnet-4', label: 'Claude Sonnet 4' },
+    { value: 'anthropic/claude-opus-4', label: 'Claude Opus 4' },
+    { value: 'openai/gpt-4o', label: 'GPT-4o' },
+    { value: 'openai/o3', label: 'O3' },
+    { value: 'google/gemini-2.5-pro', label: 'Gemini 2.5 Pro' },
+    { value: 'meta-llama/llama-4-maverick', label: 'Llama 4 Maverick' },
+    { value: 'mistralai/mistral-large', label: 'Mistral Large' },
+    { value: 'deepseek/deepseek-r1', label: 'DeepSeek R1' },
+  ],
+
+  DEFAULT: 'anthropic/claude-sonnet-4'
+};
+
+/**
+ * AI Provider types for BYOK (Bring Your Own Key)
+ */
+export const AI_PROVIDER_TYPES = [
+  { type: 'anthropic_key', label: 'Anthropic', prefix: 'sk-ant-', placeholder: 'sk-ant-api03-...' },
+  { type: 'openai_key', label: 'OpenAI', prefix: 'sk-', placeholder: 'sk-...' },
+  { type: 'openrouter_key', label: 'OpenRouter', prefix: 'sk-or-', placeholder: 'sk-or-v1-...' },
+  { type: 'google_key', label: 'Google AI', prefix: 'AI', placeholder: 'AIza...' },
+];