npm - upfynai-code - Versions diffs - 3.0.4 → 3.1.0 - Mend

upfynai-code 3.0.4 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (246) hide show

package/server/middleware/auth.js DELETED Viewed

@@ -1,184 +0,0 @@
-import jwt from 'jsonwebtoken';
-import crypto from 'crypto';
-import { userDb, relayTokensDb } from '../database/db.js';
-import { IS_PLATFORM } from '../constants/config.js';
-let JWT_SECRET = process.env.JWT_SECRET?.trim();
-if (!JWT_SECRET) {
-  if (IS_PLATFORM) {
-    // In local/self-hosted mode, generate a random secret (auth is bypassed anyway)
-    JWT_SECRET = crypto.randomBytes(32).toString('hex');
-  } else {
-    console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
-    process.exit(1);
-  }
-}
-// Optional static API key middleware
-const validateApiKey = (req, res, next) => {
-  if (!process.env.API_KEY) return next();
-  const apiKey = req.headers['x-api-key'];
-  if (apiKey !== process.env.API_KEY.trim()) {
-    return res.status(401).json({ error: 'Invalid API key' });
-  }
-  next();
-};
-// Extract JWT from request: cookie → Bearer header → query param (SSE only)
-const extractToken = (req) => {
-  // 1. httpOnly cookie (browser sessions — primary auth method)
-  if (req.cookies?.session) return req.cookies.session;
-  // 2. Bearer header (API clients, MCP)
-  const authHeader = req.headers['authorization'];
-  if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
-  // 3. Query param — for GET requests (SSE EventSource + iframe embedding)
-  if (req.query?.token && req.method === 'GET') {
-    return req.query.token;
-  }
-  return null;
-};
-// JWT authentication middleware
-const authenticateToken = async (req, res, next) => {
-  // Platform mode: use first database user
-  if (IS_PLATFORM) {
-    try {
-      const user = await userDb.getFirstUser();
-      if (!user) return res.status(500).json({ error: 'Platform mode: No user found in database' });
-      req.user = user;
-      return next();
-    } catch (error) {
-      console.error('Platform mode error:', error);
-      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
-    }
-  }
-  const token = extractToken(req);
-  if (!token) {
-    return res.status(401).json({ error: 'Access denied. No token provided.' });
-  }
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    const user = await userDb.getUserById(decoded.userId);
-    if (!user) return res.status(401).json({ error: 'Invalid token. User not found.' });
-    req.user = user;
-    // If token came from query param, set session cookie for subsequent requests (iframe auto-auth)
-    if (req.query?.token && !req.cookies?.session) {
-      res.cookie('session', token, COOKIE_OPTIONS);
-    }
-    next();
-  } catch (error) {
-    return res.status(403).json({ error: 'Invalid or expired token' });
-  }
-};
-// Generate JWT token (30-day expiration)
-const generateToken = (user) => {
-  return jwt.sign(
-    { userId: user.id, username: user.username },
-    JWT_SECRET,
-    { expiresIn: '30d' }
-  );
-};
-// Cookie config for httpOnly session
-// Works for both self-hosted (same origin) and split deploy (Vercel proxy → Railway)
-const isSecureEnv = process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT;
-const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
-const COOKIE_OPTIONS = {
-  httpOnly: true,
-  secure: isSecureEnv,
-  // 'lax' — Vercel reverse-proxies to Railway (same domain from browser's perspective)
-  // 'strict' used in local/dev mode where everything is same-origin
-  sameSite: isSecureEnv ? 'lax' : 'strict',
-  maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
-  path: '/',
-  // Set domain for cross-subdomain cookie sharing (e.g., '.upfyn.com')
-  ...(isSecureEnv && cookieDomain ? { domain: cookieDomain } : {}),
-};
-// Set session cookie on response
-const setSessionCookie = (res, token) => {
-  res.cookie('session', token, COOKIE_OPTIONS);
-};
-// Clear session cookie
-const clearSessionCookie = (res) => {
-  res.clearCookie('session', { path: '/' });
-};
-// WebSocket authentication (parse cookie from upgrade request headers)
-const authenticateWebSocket = async (request) => {
-  // Platform mode: bypass
-  if (IS_PLATFORM) {
-    try {
-      const user = await userDb.getFirstUser();
-      return user ? { userId: user.id, username: user.username } : null;
-    } catch { return null; }
-  }
-  let token = null;
-  // 1. Parse cookie from upgrade request
-  const cookieHeader = request.headers?.cookie || '';
-  if (cookieHeader) {
-    const cookies = Object.fromEntries(
-      cookieHeader.split(';').map(c => {
-        const [k, ...v] = c.trim().split('=');
-        return [k, v.join('=')];
-      })
-    );
-    token = cookies.session || null;
-  }
-  // 2. Fallback: query param (legacy)
-  if (!token) {
-    try {
-      const url = new URL(request.url, 'http://localhost');
-      token = url.searchParams.get('token');
-    } catch { /* ignore */ }
-  }
-  if (!token) {
-    return null;
-  }
-  // Relay token (upfyn_ prefix) — validate against DB, not JWT
-  if (token.startsWith('upfyn_') || token.startsWith('rt_')) {
-    try {
-      // Timeout relay token validation to prevent hung WebSocket upgrades when Turso is slow
-      const tokenData = await Promise.race([
-        relayTokensDb.validateToken(token),
-        new Promise((_, reject) => setTimeout(() => reject(new Error('Token validation timeout')), 10000))
-      ]);
-      if (tokenData) {
-        return { userId: Number(tokenData.user_id), username: tokenData.username };
-      }
-    } catch (err) {
-      console.warn('[WS] Relay token validation failed:', err.message);
-    }
-    return null;
-  }
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    // Validate against Turso — DB is source of truth
-    const user = await userDb.getUserById(decoded.userId);
-    if (!user) return null;
-    return { userId: user.id, username: user.username };
-  } catch { return null; }
-};
-export {
-  validateApiKey,
-  authenticateToken,
-  generateToken,
-  authenticateWebSocket,
-  setSessionCookie,
-  clearSessionCookie,
-  JWT_SECRET
-};

package/server/middleware/relayHelpers.js DELETED Viewed

@@ -1,44 +0,0 @@
-import { IS_CLOUD } from '../constants/config.js';
-/**
- * Creates middleware that injects relay helper functions onto req.
- * Must be applied AFTER authenticateToken.
- *
- * Security model:
- *   - All relay commands go through sendRelayCommand which validates action allowlist
- *   - Shell commands are restricted to known-safe prefixes (git, mkdir, rm, wmic)
- *   - Dangerous shell patterns (pipes to bash, backtick injection, etc.) are blocked
- *   - IP pinning: relay connection records the CLI's IP; only the authenticated user can send commands
- *   - The relay token is validated at WebSocket connect time; commands flow only to the token owner's machine
- *
- * Adds to req:
- *   - req.isCloud: boolean — true when running on Railway/Vercel/Render
- *   - req.hasRelay(): boolean — true when user's machine is connected
- *   - req.sendRelay(action, payload, timeout): Promise — send command to user's machine
- *   - req.requireRelay(): returns false + sends 503 if cloud mode and no relay connected
- */
-export function createRelayMiddleware(hasActiveRelay, sendRelayCommand, withRetry) {
-  return (req, res, next) => {
-    const userId = Number(req.user?.id);
-    req.isCloud = IS_CLOUD;
-    req.hasRelay = () => hasActiveRelay(userId);
-    // Retry transient relay failures (opencode pattern: exponential backoff)
-    req.sendRelay = (action, payload, timeout) =>
-      withRetry(() => sendRelayCommand(userId, action, payload, null, timeout || 15000), { maxRetries: 2 });
-    // Helper: return 503 if cloud mode and no relay connected
-    req.requireRelay = () => {
-      if (IS_CLOUD && !hasActiveRelay(userId)) {
-        res.status(503).json({
-          error: 'Machine not connected',
-          message: 'Run "uc connect" on your local machine to use this feature.',
-          code: 'RELAY_NOT_CONNECTED'
-        });
-        return false;
-      }
-      return true;
-    };
-    next();
-  };
-}

package/server/middleware/sandboxRouter.js DELETED Viewed

@@ -1,174 +0,0 @@
-/**
- * Sandbox Command Router Middleware
- * Intercepts REST API commands when no relay is connected,
- * routing them to the sandbox service instead.
- */
-import { sandboxClient } from '../sandbox.js';
-/**
- * Middleware that routes file/git/exec commands to sandbox when no relay.
- * Used on routes that normally proxy to the relay (file ops, git, etc.)
- *
- * Usage: app.use('/api/sandbox-proxy', authenticateToken, sandboxCommandRouter);
- */
-export function sandboxCommandRouter(req, res, next) {
-  // If relay is connected, let the normal relay flow handle it
-  if (req.hasRelay && req.hasRelay()) {
-    return next();
-  }
-  // No relay — check if sandbox is available
-  handleSandboxCommand(req, res).catch(() => {
-    res.status(503).json({ error: 'No machine connected and sandbox unavailable' });
-  });
-}
-async function handleSandboxCommand(req, res) {
-  const userId = req.user.id;
-  const { action, ...params } = req.body;
-  // Verify sandbox is available
-  const available = await sandboxClient.isAvailable();
-  if (!available) {
-    return res.status(503).json({ error: 'No machine connected and sandbox service unreachable' });
-  }
-  // Check if user has an active sandbox
-  const status = await sandboxClient.getStatus(userId);
-  if (!status.exists) {
-    // Auto-init sandbox for the user
-    await sandboxClient.initSandbox(userId);
-  }
-  // Route based on action
-  switch (action) {
-    case 'file-read': {
-      const result = await sandboxClient.readFile(userId, params.filePath);
-      return res.json(result);
-    }
-    case 'file-write': {
-      const result = await sandboxClient.writeFile(userId, params.filePath, params.content);
-      return res.json(result);
-    }
-    case 'file-tree': {
-      const result = await sandboxClient.getFileTree(userId, params.dirPath, params.depth);
-      return res.json(result);
-    }
-    case 'exec': {
-      const result = await sandboxClient.exec(userId, params.command, {
-        cwd: params.cwd,
-        timeout: params.timeout,
-        userKeys: params.userKeys,
-      });
-      return res.json(result);
-    }
-    case 'git': {
-      const result = await sandboxClient.gitOperation(userId, params.gitCommand, params.cwd);
-      return res.json(result);
-    }
-    default:
-      return res.status(400).json({ error: `Unknown sandbox action: ${action}` });
-  }
-}
-/**
- * WebSocket sandbox bridge — used in the WS handler for routing
- * claude-command/shell-command/file-* when no relay is connected.
- *
- * @param {string} userId
- * @param {string} messageType - WS message type (e.g. 'claude-command')
- * @param {object} data - WS message data
- * @param {object} writer - WebSocketWriter for sending responses
- * @returns {boolean} true if handled by sandbox, false if not
- */
-export async function handleSandboxWebSocketCommand(userId, messageType, data, writer) {
-  const available = await sandboxClient.isAvailable();
-  if (!available) return false;
-  try {
-    // Ensure sandbox exists
-    const status = await sandboxClient.getStatus(userId);
-    if (!status.exists) {
-      await sandboxClient.initSandbox(userId);
-    }
-    switch (messageType) {
-      case 'claude-command': {
-        // Execute claude CLI command in sandbox
-        writer.send({ type: 'session-created', sessionId: data.sessionId || `sandbox-${Date.now()}` });
-        writer.send({ type: 'stream', content: '[Sandbox] Executing in cloud sandbox...\n' });
-        const result = await sandboxClient.exec(userId, `claude --print "${data.command}"`, {
-          cwd: data.cwd,
-          timeout: 120000,
-          userKeys: data.userKeys,
-        });
-        writer.send({
-          type: 'stream',
-          content: result.stdout || '',
-        });
-        if (result.stderr) {
-          writer.send({ type: 'stream', content: `\n${result.stderr}` });
-        }
-        writer.send({
-          type: 'session-complete',
-          sessionId: data.sessionId,
-          exitCode: result.exitCode,
-        });
-        return true;
-      }
-      case 'shell-command': {
-        const result = await sandboxClient.exec(userId, data.command, {
-          cwd: data.cwd,
-          timeout: data.timeout || 30000,
-        });
-        writer.send({
-          type: 'shell-output',
-          stdout: result.stdout,
-          stderr: result.stderr,
-          exitCode: result.exitCode,
-        });
-        return true;
-      }
-      case 'file-read': {
-        const result = await sandboxClient.readFile(userId, data.filePath);
-        writer.send({ type: 'file-content', ...result });
-        return true;
-      }
-      case 'file-write': {
-        const result = await sandboxClient.writeFile(userId, data.filePath, data.content);
-        writer.send({ type: 'file-written', ...result });
-        return true;
-      }
-      case 'file-tree': {
-        const result = await sandboxClient.getFileTree(userId, data.dirPath, data.depth);
-        writer.send({ type: 'file-tree', ...result });
-        return true;
-      }
-      case 'git-operation': {
-        const result = await sandboxClient.gitOperation(userId, data.gitCommand, data.cwd);
-        writer.send({ type: 'git-result', ...result });
-        return true;
-      }
-      default:
-        return false;
-    }
-  } catch (error) {
-    writer.send({
-      type: 'error',
-      error: `Sandbox error: ${error.message || 'Unknown error'}`,
-    });
-    return true; // Handled (with error)
-  }
-}