upfynai-code 2.6.0 → 2.6.1

package/server/middleware/auth.js

@@ -1,181 +0,0 @@
-import jwt from 'jsonwebtoken';
-import crypto from 'crypto';
-import { userDb, relayTokensDb } from '../database/db.js';
-import { IS_PLATFORM } from '../constants/config.js';
-
-let JWT_SECRET = process.env.JWT_SECRET?.trim();
-if (!JWT_SECRET) {
-  if (IS_PLATFORM) {
-    // In local/self-hosted mode, generate a random secret (auth is bypassed anyway)
-    JWT_SECRET = crypto.randomBytes(32).toString('hex');
-  } else {
-    console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
-    process.exit(1);
-  }
-}
-
-// Optional static API key middleware
-const validateApiKey = (req, res, next) => {
-  if (!process.env.API_KEY) return next();
-  const apiKey = req.headers['x-api-key'];
-  if (apiKey !== process.env.API_KEY.trim()) {
-    return res.status(401).json({ error: 'Invalid API key' });
-  }
-  next();
-};
-
-// Extract JWT from request: cookie → Bearer header → query param (SSE only)
-const extractToken = (req) => {
-  // 1. httpOnly cookie (browser sessions — primary auth method)
-  if (req.cookies?.session) return req.cookies.session;
-
-  // 2. Bearer header (API clients, MCP)
-  const authHeader = req.headers['authorization'];
-  if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
-
-  // 3. Query param — for GET requests (SSE EventSource + iframe embedding)
-  if (req.query?.token && req.method === 'GET') {
-    return req.query.token;
-  }
-
-  return null;
-};
-
-// JWT authentication middleware
-const authenticateToken = async (req, res, next) => {
-  // Platform mode: use first database user
-  if (IS_PLATFORM) {
-    try {
-      const user = await userDb.getFirstUser();
-      if (!user) return res.status(500).json({ error: 'Platform mode: No user found in database' });
-      req.user = user;
-      return next();
-    } catch (error) {
-      console.error('Platform mode error:', error);
-      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
-    }
-  }
-
-  const token = extractToken(req);
-  if (!token) {
-    return res.status(401).json({ error: 'Access denied. No token provided.' });
-  }
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    const user = await userDb.getUserById(decoded.userId);
-    if (!user) return res.status(401).json({ error: 'Invalid token. User not found.' });
-    req.user = user;
-    // If token came from query param, set session cookie for subsequent requests (iframe auto-auth)
-    if (req.query?.token && !req.cookies?.session) {
-      res.cookie('session', token, COOKIE_OPTIONS);
-    }
-    next();
-  } catch (error) {
-    return res.status(403).json({ error: 'Invalid or expired token' });
-  }
-};
-
-// Generate JWT token (30-day expiration)
-const generateToken = (user) => {
-  return jwt.sign(
-    { userId: user.id, username: user.username },
-    JWT_SECRET,
-    { expiresIn: '30d' }
-  );
-};
-
-// Cookie config for httpOnly session
-// Works for both self-hosted (same origin) and split deploy (Vercel proxy → Railway)
-const isSecureEnv = process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT;
-const COOKIE_OPTIONS = {
-  httpOnly: true,
-  secure: isSecureEnv,
-  // 'none' required for cross-origin iframe embedding (Vercel frontend → Railway backend)
-  // 'strict' used in local/dev mode where everything is same-origin
-  sameSite: isSecureEnv ? 'none' : 'strict',
-  maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
-  path: '/',
-};
-
-// Set session cookie on response
-const setSessionCookie = (res, token) => {
-  res.cookie('session', token, COOKIE_OPTIONS);
-};
-
-// Clear session cookie
-const clearSessionCookie = (res) => {
-  res.clearCookie('session', { path: '/' });
-};
-
-// WebSocket authentication (parse cookie from upgrade request headers)
-const authenticateWebSocket = async (request) => {
-  // Platform mode: bypass
-  if (IS_PLATFORM) {
-    try {
-      const user = await userDb.getFirstUser();
-      return user ? { userId: user.id, username: user.username } : null;
-    } catch { return null; }
-  }
-
-  let token = null;
-
-  // 1. Parse cookie from upgrade request
-  const cookieHeader = request.headers?.cookie || '';
-  if (cookieHeader) {
-    const cookies = Object.fromEntries(
-      cookieHeader.split(';').map(c => {
-        const [k, ...v] = c.trim().split('=');
-        return [k, v.join('=')];
-      })
-    );
-    token = cookies.session || null;
-  }
-
-  // 2. Fallback: query param (legacy)
-  if (!token) {
-    try {
-      const url = new URL(request.url, 'http://localhost');
-      token = url.searchParams.get('token');
-    } catch { /* ignore */ }
-  }
-
-  if (!token) {
-    console.log('[WS-Auth] No token found in cookies or query params');
-    return null;
-  }
-
-  // Relay token (upfyn_ prefix) — validate against DB, not JWT
-  if (token.startsWith('upfyn_') || token.startsWith('rt_')) {
-    console.log(`[WS-Auth] Relay token detected: ${token.slice(0, 12)}...`);
-    try {
-      const tokenData = await relayTokensDb.validateToken(token);
-      if (tokenData) {
-        console.log(`[WS-Auth] Relay token VALID: userId=${tokenData.user_id} username=${tokenData.username}`);
-        return { userId: Number(tokenData.user_id), username: tokenData.username };
-      }
-      console.log('[WS-Auth] Relay token NOT FOUND in database');
-    } catch (err) {
-      console.error('[WS-Auth] Relay token validation error:', err.message);
-    }
-    return null;
-  }
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    // Validate against Turso — DB is source of truth
-    const user = await userDb.getUserById(decoded.userId);
-    if (!user) return null;
-    return { userId: user.id, username: user.username };
-  } catch { return null; }
-};
-
-export {
-  validateApiKey,
-  authenticateToken,
-  generateToken,
-  authenticateWebSocket,
-  setSessionCookie,
-  clearSessionCookie,
-  JWT_SECRET
-};

package/server/openai-codex.js

@@ -1,403 +0,0 @@
-/**
- * OpenAI Codex SDK Integration
- * =============================
- *
- * This module provides integration with the OpenAI Codex SDK for non-interactive
- * chat sessions. It mirrors the pattern used in claude-sdk.js for consistency.
- *
- * ## Usage
- *
- * - queryCodex(command, options, ws) - Execute a prompt with streaming via WebSocket
- * - abortCodexSession(sessionId) - Cancel an active session
- * - isCodexSessionActive(sessionId) - Check if a session is running
- * - getActiveCodexSessions() - List all active sessions
- */
-
-import { Codex } from '@openai/codex-sdk';
-
-// Track active sessions
-const activeCodexSessions = new Map();
-
-/**
- * Transform Codex SDK event to WebSocket message format
- * @param {object} event - SDK event
- * @returns {object} - Transformed event for WebSocket
- */
-function transformCodexEvent(event) {
-  // Map SDK event types to a consistent format
-  switch (event.type) {
-    case 'item.started':
-    case 'item.updated':
-    case 'item.completed':
-      const item = event.item;
-      if (!item) {
-        return { type: event.type, item: null };
-      }
-
-      // Transform based on item type
-      switch (item.type) {
-        case 'agent_message':
-          return {
-            type: 'item',
-            itemType: 'agent_message',
-            message: {
-              role: 'assistant',
-              content: item.text
-            }
-          };
-
-        case 'reasoning':
-          return {
-            type: 'item',
-            itemType: 'reasoning',
-            message: {
-              role: 'assistant',
-              content: item.text,
-              isReasoning: true
-            }
-          };
-
-        case 'command_execution':
-          return {
-            type: 'item',
-            itemType: 'command_execution',
-            command: item.command,
-            output: item.aggregated_output,
-            exitCode: item.exit_code,
-            status: item.status
-          };
-
-        case 'file_change':
-          return {
-            type: 'item',
-            itemType: 'file_change',
-            changes: item.changes,
-            status: item.status
-          };
-
-        case 'mcp_tool_call':
-          return {
-            type: 'item',
-            itemType: 'mcp_tool_call',
-            server: item.server,
-            tool: item.tool,
-            arguments: item.arguments,
-            result: item.result,
-            error: item.error,
-            status: item.status
-          };
-
-        case 'web_search':
-          return {
-            type: 'item',
-            itemType: 'web_search',
-            query: item.query
-          };
-
-        case 'todo_list':
-          return {
-            type: 'item',
-            itemType: 'todo_list',
-            items: item.items
-          };
-
-        case 'error':
-          return {
-            type: 'item',
-            itemType: 'error',
-            message: {
-              role: 'error',
-              content: item.message
-            }
-          };
-
-        default:
-          return {
-            type: 'item',
-            itemType: item.type,
-            item: item
-          };
-      }
-
-    case 'turn.started':
-      return {
-        type: 'turn_started'
-      };
-
-    case 'turn.completed':
-      return {
-        type: 'turn_complete',
-        usage: event.usage
-      };
-
-    case 'turn.failed':
-      return {
-        type: 'turn_failed',
-        error: event.error
-      };
-
-    case 'thread.started':
-      return {
-        type: 'thread_started',
-        threadId: event.id
-      };
-
-    case 'error':
-      return {
-        type: 'error',
-        message: event.message
-      };
-
-    default:
-      return {
-        type: event.type,
-        data: event
-      };
-  }
-}
-
-/**
- * Map permission mode to Codex SDK options
- * @param {string} permissionMode - 'default', 'acceptEdits', or 'bypassPermissions'
- * @returns {object} - { sandboxMode, approvalPolicy }
- */
-function mapPermissionModeToCodexOptions(permissionMode) {
-  switch (permissionMode) {
-    case 'acceptEdits':
-      return {
-        sandboxMode: 'workspace-write',
-        approvalPolicy: 'never'
-      };
-    case 'bypassPermissions':
-      return {
-        sandboxMode: 'danger-full-access',
-        approvalPolicy: 'never'
-      };
-    case 'default':
-    default:
-      return {
-        sandboxMode: 'workspace-write',
-        approvalPolicy: 'untrusted'
-      };
-  }
-}
-
-/**
- * Execute a Codex query with streaming
- * @param {string} command - The prompt to send
- * @param {object} options - Options including cwd, sessionId, model, permissionMode
- * @param {WebSocket|object} ws - WebSocket connection or response writer
- */
-export async function queryCodex(command, options = {}, ws) {
-  const {
-    sessionId,
-    cwd,
-    projectPath,
-    model,
-    permissionMode = 'default'
-  } = options;
-
-  const workingDirectory = cwd || projectPath || process.cwd();
-  const { sandboxMode, approvalPolicy } = mapPermissionModeToCodexOptions(permissionMode);
-
-  let codex;
-  let thread;
-  let currentSessionId = sessionId;
-  const abortController = new AbortController();
-
-  try {
-    // Initialize Codex SDK
-    codex = new Codex();
-
-    // Thread options with sandbox and approval settings
-    const threadOptions = {
-      workingDirectory,
-      skipGitRepoCheck: true,
-      sandboxMode,
-      approvalPolicy,
-      model
-    };
-
-    // Start or resume thread
-    if (sessionId) {
-      thread = codex.resumeThread(sessionId, threadOptions);
-    } else {
-      thread = codex.startThread(threadOptions);
-    }
-
-    // Get the thread ID
-    currentSessionId = thread.id || sessionId || `codex-${Date.now()}`;
-
-    // Track the session
-    activeCodexSessions.set(currentSessionId, {
-      thread,
-      codex,
-      status: 'running',
-      abortController,
-      startedAt: new Date().toISOString()
-    });
-
-    // Send session created event
-    sendMessage(ws, {
-      type: 'session-created',
-      sessionId: currentSessionId,
-      provider: 'codex'
-    });
-
-    // Execute with streaming
-    const streamedTurn = await thread.runStreamed(command, {
-      signal: abortController.signal
-    });
-
-    for await (const event of streamedTurn.events) {
-      // Check if session was aborted
-      const session = activeCodexSessions.get(currentSessionId);
-      if (!session || session.status === 'aborted') {
-        break;
-      }
-
-      if (event.type === 'item.started' || event.type === 'item.updated') {
-        continue;
-      }
-
-      const transformed = transformCodexEvent(event);
-
-      sendMessage(ws, {
-        type: 'codex-response',
-        data: transformed,
-        sessionId: currentSessionId
-      });
-
-      // Extract and send token usage if available (normalized to match Claude format)
-      if (event.type === 'turn.completed' && event.usage) {
-        const totalTokens = (event.usage.input_tokens || 0) + (event.usage.output_tokens || 0);
-        sendMessage(ws, {
-          type: 'token-budget',
-          data: {
-            used: totalTokens,
-            total: 200000 // Default context window for Codex models
-          },
-          sessionId: currentSessionId
-        });
-      }
-    }
-
-    // Send completion event
-    sendMessage(ws, {
-      type: 'codex-complete',
-      sessionId: currentSessionId,
-      actualSessionId: thread.id
-    });
-
-  } catch (error) {
-    const session = currentSessionId ? activeCodexSessions.get(currentSessionId) : null;
-    const wasAborted =
-      session?.status === 'aborted' ||
-      error?.name === 'AbortError' ||
-      String(error?.message || '').toLowerCase().includes('aborted');
-
-    if (!wasAborted) {
-      console.error('[Codex] Error:', error);
-      sendMessage(ws, {
-        type: 'codex-error',
-        error: error.message,
-        sessionId: currentSessionId
-      });
-    }
-
-  } finally {
-    // Update session status
-    if (currentSessionId) {
-      const session = activeCodexSessions.get(currentSessionId);
-      if (session) {
-        session.status = session.status === 'aborted' ? 'aborted' : 'completed';
-      }
-    }
-  }
-}
-
-/**
- * Abort an active Codex session
- * @param {string} sessionId - Session ID to abort
- * @returns {boolean} - Whether abort was successful
- */
-export function abortCodexSession(sessionId) {
-  const session = activeCodexSessions.get(sessionId);
-
-  if (!session) {
-    return false;
-  }
-
-  session.status = 'aborted';
-  try {
-    session.abortController?.abort();
-  } catch (error) {
-    console.warn(`[Codex] Failed to abort session ${sessionId}:`, error);
-  }
-
-  return true;
-}
-
-/**
- * Check if a session is active
- * @param {string} sessionId - Session ID to check
- * @returns {boolean} - Whether session is active
- */
-export function isCodexSessionActive(sessionId) {
-  const session = activeCodexSessions.get(sessionId);
-  return session?.status === 'running';
-}
-
-/**
- * Get all active sessions
- * @returns {Array} - Array of active session info
- */
-export function getActiveCodexSessions() {
-  const sessions = [];
-
-  for (const [id, session] of activeCodexSessions.entries()) {
-    if (session.status === 'running') {
-      sessions.push({
-        id,
-        status: session.status,
-        startedAt: session.startedAt
-      });
-    }
-  }
-
-  return sessions;
-}
-
-/**
- * Helper to send message via WebSocket or writer
- * @param {WebSocket|object} ws - WebSocket or response writer
- * @param {object} data - Data to send
- */
-function sendMessage(ws, data) {
-  try {
-    if (ws.isSSEStreamWriter || ws.isWebSocketWriter) {
-      // Writer handles stringification (SSEStreamWriter or WebSocketWriter)
-      ws.send(data);
-    } else if (typeof ws.send === 'function') {
-      // Raw WebSocket - stringify here
-      ws.send(JSON.stringify(data));
-    }
-  } catch (error) {
-    console.error('[Codex] Error sending message:', error);
-  }
-}
-
-// Clean up old completed sessions periodically
-setInterval(() => {
-  const now = Date.now();
-  const maxAge = 30 * 60 * 1000; // 30 minutes
-
-  for (const [id, session] of activeCodexSessions.entries()) {
-    if (session.status !== 'running') {
-      const startedAt = new Date(session.startedAt).getTime();
-      if (now - startedAt > maxAge) {
-        activeCodexSessions.delete(id);
-      }
-    }
-  }
-}, 5 * 60 * 1000); // Every 5 minutes

package/server/openrouter.js

@@ -1,137 +0,0 @@
-/**
- * OpenRouter Integration
- *
- * Lightweight wrapper for OpenRouter API, which provides access to
- * hundreds of AI models (GPT-4, Claude, Gemini, Llama, Mistral, etc.)
- * through a single API key and endpoint.
- *
- * Users provide their own OpenRouter API key via BYOK settings.
- */
-
-const OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
-
-// Popular models available on OpenRouter
-export const OPENROUTER_MODELS = {
-  OPTIONS: [
-    { value: 'anthropic/claude-sonnet-4', label: 'Claude Sonnet 4' },
-    { value: 'anthropic/claude-opus-4', label: 'Claude Opus 4' },
-    { value: 'openai/gpt-4o', label: 'GPT-4o' },
-    { value: 'openai/o3', label: 'O3' },
-    { value: 'google/gemini-2.5-pro', label: 'Gemini 2.5 Pro' },
-    { value: 'meta-llama/llama-4-maverick', label: 'Llama 4 Maverick' },
-    { value: 'mistralai/mistral-large', label: 'Mistral Large' },
-    { value: 'deepseek/deepseek-r1', label: 'DeepSeek R1' },
-  ],
-  DEFAULT: 'anthropic/claude-sonnet-4',
-};
-
-/**
- * Query OpenRouter API with streaming support
- * @param {string} message - User message
- * @param {Object} options - { model, apiKey, systemPrompt }
- * @param {Object} writer - WebSocketWriter or SSEStreamWriter
- */
-export async function queryOpenRouter(message, options = {}, writer) {
-  const {
-    model = OPENROUTER_MODELS.DEFAULT,
-    apiKey,
-    systemPrompt,
-    sessionId,
-  } = options;
-
-  if (!apiKey) {
-    writer.send({
-      type: 'error',
-      error: 'OpenRouter API key required. Add your key in Settings > AI Providers.',
-    });
-    return;
-  }
-
-  // Generate session ID
-  const sid = sessionId || `or-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
-  writer.send({ type: 'session-created', sessionId: sid });
-
-  const messages = [];
-  if (systemPrompt) {
-    messages.push({ role: 'system', content: systemPrompt });
-  }
-  messages.push({ role: 'user', content: message });
-
-  try {
-    const response = await fetch(`${OPENROUTER_BASE_URL}/chat/completions`, {
-      method: 'POST',
-      headers: {
-        'Authorization': `Bearer ${apiKey}`,
-        'Content-Type': 'application/json',
-        'HTTP-Referer': 'https://cli.upfyn.com',
-        'X-Title': 'Upfyn-Code',
-      },
-      body: JSON.stringify({
-        model,
-        messages,
-        stream: true,
-      }),
-    });
-
-    if (!response.ok) {
-      const errBody = await response.text();
-      let errMsg = `OpenRouter API error (${response.status})`;
-      try {
-        const parsed = JSON.parse(errBody);
-        errMsg = parsed.error?.message || errMsg;
-      } catch {}
-      writer.send({ type: 'error', error: errMsg, sessionId: sid });
-      return;
-    }
-
-    // Stream SSE response
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = '';
-    let fullContent = '';
-
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) break;
-
-      buffer += decoder.decode(value, { stream: true });
-      const lines = buffer.split('\n');
-      buffer = lines.pop() || '';
-
-      for (const line of lines) {
-        if (!line.startsWith('data: ')) continue;
-        const data = line.slice(6).trim();
-        if (data === '[DONE]') break;
-
-        try {
-          const parsed = JSON.parse(data);
-          const delta = parsed.choices?.[0]?.delta?.content;
-          if (delta) {
-            fullContent += delta;
-            writer.send({
-              type: 'assistant',
-              content: delta,
-              sessionId: sid,
-            });
-          }
-        } catch {}
-      }
-    }
-
-    // Send completion
-    writer.send({
-      type: 'result',
-      subtype: 'success',
-      sessionId: sid,
-      content: fullContent,
-      model,
-      provider: 'openrouter',
-    });
-  } catch (error) {
-    writer.send({
-      type: 'error',
-      error: `OpenRouter request failed: ${error.message}`,
-      sessionId: sid,
-    });
-  }
-}