web-chatter 0.1.0

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "web-chatter",
+  "version": "0.1.0",
+  "description": "Simple Express-based web server for chat bots with user authentication, SQLite persistence per user, admin controls, and customizable authenticated routes",
+  "main": "./web-chatter.js",
+  "type": "module",
+  "exports": {
+    "default": "./web-chatter.js"
+  },
+  "files": [
+    "web-chatter.js",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "express",
+    "chatbot",
+    "web-server",
+    "authentication",
+    "sqlite",
+    "user-management",
+    "admin-panel",
+    "session",
+    "bcrypt"
+  ],
+  "author": "Dan <littlejustnode@gmail.com>[](https://github.com/littlejustnode)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/littlejustnode/web-chatter.git"
+  },
+  "bugs": {
+    "url": "https://github.com/littlejustnode/web-chatter/issues"
+  },
+  "homepage": "https://github.com/littlejustnode/web-chatter#readme",
+  "dependencies": {
+    "express": "^4.21.1",
+    "express-session": "^1.18.1",
+    "better-sqlite3": "^11.5.0",
+    "bcryptjs": "^2.4.3"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/web-chatter.js

@@ -0,0 +1,549 @@
+// web-bot.js
+import express from 'express';
+import session from 'express-session';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import Database from 'better-sqlite3';
+import bcrypt from 'bcryptjs';
+import fs from 'fs';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+export class WebChat {
+  static app(options = {}) {
+    return new WebChat(options);
+  }
+
+  #app;
+  #usersDb;
+  #options;
+  #dbDir;
+
+  constructor(options = {}) {
+    this.#options = {
+      dbDir: path.join(process.cwd(), 'data'),
+      sessionSecret: 'super-secret-key-CHANGE-ME-12345',
+      port: 3000,
+      host: '0.0.0.0',
+      staticDir: path.join(__dirname, './public'),
+      onChat: null,
+      trustAuth: ['127.0.0.1', '::1', 'localhost'],
+      ...options,
+    };
+
+    this.#options.trustAuth = this.#options.trustAuth.map(ip => {
+      if (ip === 'localhost') return ['127.0.0.1', '::1'];
+      return ip;
+    }).flat();
+
+    this.#dbDir = this.#options.dbDir;
+
+    if (!fs.existsSync(this.#dbDir)) {
+      fs.mkdirSync(this.#dbDir, { recursive: true });
+      console.log(`Created database directory: ${this.#dbDir}`);
+    }
+
+    this.#app = express();
+
+    this.#initUsersDatabase();
+    this.#setupMiddleware();
+    this.#setupCoreRoutes();
+  }
+
+  #initUsersDatabase() {
+    const usersDbPath = path.join(this.#dbDir, 'users.db');
+    this.#usersDb = new Database(usersDbPath, { verbose: console.log });
+
+    this.#usersDb.exec(`
+      CREATE TABLE IF NOT EXISTS users (
+        id          INTEGER PRIMARY KEY AUTOINCREMENT,
+        username    TEXT UNIQUE NOT NULL,
+        password    TEXT NOT NULL,
+        name        TEXT,
+        role        TEXT NOT NULL DEFAULT 'user',
+        created_at  DATETIME DEFAULT CURRENT_TIMESTAMP
+      );
+    `);
+  }
+
+  #getUserDb(username) {
+    const safeUsername = username.replace(/[^a-zA-Z0-9_-]/g, '_');
+    const userDbPath = path.join(this.#dbDir, `chat-${safeUsername}.db`);
+    return new Database(userDbPath, { verbose: console.log });
+  }
+
+  #setupMiddleware() {
+    this.#app.use(express.static(this.#options.staticDir));
+    this.#app.use(express.json());
+
+    this.#app.use(
+      session({
+        secret: this.#options.sessionSecret,
+        resave: false,
+        saveUninitialized: false,
+        cookie: { maxAge: 1000 * 60 * 60 * 24 * 7 }, // 1 week
+      })
+    );
+  }
+
+  #requireLogin(req, res, next) {
+    if (!req.session.user) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    next();
+  }
+
+  #requireAdmin(req, res, next) {
+    if (!req.session.user) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    const user = this.#usersDb.prepare('SELECT role FROM users WHERE username = ?').get(req.session.user.username);
+    if (!user || user.role !== 'admin') {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+    next();
+  }
+
+  #isTrustedIP(req) {
+    let ip = req.ip || req.connection.remoteAddress || req.socket.remoteAddress || '';
+    ip = ip.replace(/^::ffff:/, '');
+    return this.#options.trustAuth.includes(ip);
+  }
+
+  #maybeSkipAuth(req, res, next) {
+    if (this.#isTrustedIP(req)) {
+      // Trusted clients do NOT get auto-login — they must send username in body
+      return next();
+    }
+
+    if (!req.session.user) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    next();
+  }
+  
+  
+  #getAuthMiddleware(level) {
+	  level = (level || '').toLowerCase();
+
+	  if (level === 'admin') {
+		return this.#requireAdmin.bind(this);
+	  }
+	  if (level === 'user') {
+		return this.#requireLogin.bind(this);
+	  }
+	  if (level === 'none' || level === '') {
+		return (req, res, next) => next();
+	  }
+
+	  throw new Error(`Invalid access level: "${level}". Use "admin", "user" or "none"`);
+	}
+
+	#mountWithAuth(path, access, handler) {
+	  const authMiddleware = this.#getAuthMiddleware(access);
+	  this.#app.use(path, authMiddleware, handler);
+	}
+
+	  
+	 /**
+	 * Register a custom route with flexible auth level
+	 * 
+	 * @param {string} path - route path (e.g. '/report', '/api/v1/stats')
+	 * @param {string} method - 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'ALL'
+	 * @param {string} access - 'admin' | 'user' | 'none'
+	 * @param {Function} handler - express handler (req, res) => { … }
+	 */
+	use(path, method, access, handler) {
+	  if (typeof handler !== 'function') {
+		throw new Error('handler must be a function (req, res) => { … }');
+	  }
+
+	  const upperMethod = method.toUpperCase();
+
+	  if (upperMethod === 'ALL') {
+		// special case: matches any method
+		this.#mountWithAuth(path, access, (req, res, next) => {
+		  handler(req, res);
+		});
+		return;
+	  }
+
+	  if (!['GET', 'POST', 'PUT', 'PATCH', 'DELETE'].includes(upperMethod)) {
+		throw new Error(`Unsupported method: ${method}. Use GET, POST, PUT, PATCH, DELETE or ALL`);
+	  }
+
+	  const authMiddleware = this.#getAuthMiddleware(access);
+
+	  // Mount under the real path (no forced /api/custom prefix)
+	  this.#app[upperMethod.toLowerCase()](path, authMiddleware, (req, res) => {
+		try {
+		  handler(req, res);
+		} catch (err) {
+		  console.error(`Custom route error [${upperMethod} ${path}]:`, err);
+		  if (!res.headersSent) {
+			res.status(500).json({ error: 'Custom endpoint failed' });
+		  }
+		}
+	  });
+
+	  console.log(`Custom route added: ${upperMethod} ${path}  (access: ${access})`);
+	}
+
+  createUser(username, password, name = null, role = 'user') {
+    if (!username || typeof username !== 'string' || username.length < 3) {
+      throw new Error('Valid username required (≥ 3 characters)');
+    }
+    if (!password || typeof password !== 'string' || password.length < 6) {
+      throw new Error('Valid password required (≥ 6 characters)');
+    }
+    if (!['user', 'admin'].includes(role)) {
+      throw new Error('Role must be "user" or "admin"');
+    }
+
+    const existing = this.#usersDb.prepare('SELECT 1 FROM users WHERE username = ?').get(username);
+    if (existing) {
+      throw new Error(`Username "${username}" already exists`);
+    }
+
+    const hashed = bcrypt.hashSync(password, 10);
+
+    this.#usersDb.prepare(
+      'INSERT INTO users (username, password, name, role) VALUES (?, ?, ?, ?)'
+    ).run(username, hashed, name || null, role);
+
+    const userDb = this.#getUserDb(username);
+    userDb.exec(`
+      CREATE TABLE IF NOT EXISTS chat (
+        id          INTEGER PRIMARY KEY AUTOINCREMENT,
+        text        TEXT NOT NULL,
+        response    TEXT,
+        time        TEXT NOT NULL,
+        created_at  DATETIME DEFAULT CURRENT_TIMESTAMP
+      );
+    `);
+    userDb.close();
+
+    console.log(`Created user: ${username} (${role})${name ? ` - "${name}"` : ''}`);
+  }
+
+  setOnChat(handler) {
+    if (handler !== null && typeof handler !== 'function') {
+      throw new Error('onChat handler must be a function or null');
+    }
+    this.#options.onChat = handler;
+    console.log(
+      handler
+        ? `onChat handler set (${handler.name || 'anonymous function'})`
+        : 'onChat handler cleared (now null)'
+    );
+  }
+
+  getOnChat() {
+    return this.#options.onChat;
+  }
+
+  #setupCoreRoutes() {
+    const { staticDir } = this.#options;
+
+    // ── Public ──────────────────────────────────────────────────
+    this.#app.get('/', (req, res) => {
+      if (req.session.user) return res.redirect('/chat');
+      res.sendFile(path.join(staticDir, 'index.html'));
+    });
+
+    this.#app.post('/login', (req, res) => {
+      let { username, password } = req.body;
+	  
+
+	  
+	  if (!username) 
+		  username = req.query.username;
+	  if (!password)
+		password = req.query.password;
+
+      if (!username || !password) {
+        return res.status(400).json({ error: 'username and password are required in JSON body' });
+      }
+
+      const user = this.#usersDb.prepare('SELECT * FROM users WHERE username = ?').get(username);
+
+      if (!user || !bcrypt.compareSync(password, user.password)) {
+        return res.status(401).json({ error: 'Invalid username or password' });
+      }
+
+      req.session.user = {
+        username,
+        role: user.role,
+        name: user.name || username,
+      };
+
+      res.json({ success: true });
+    });
+
+    this.#app.get('/logout', (req, res) => {
+      req.session.destroy(() => {
+        res.json({ success: true });
+      });
+    });
+
+    this.#app.get('/chat', this.#requireLogin.bind(this), (req, res) => {
+      res.sendFile(path.join(staticDir, 'chat.html'));
+    });
+
+    // ── /api/chat ───────────────────────────────────────────────
+	this.#app.post('/api/chat', this.#maybeSkipAuth.bind(this), async (req, res) => {
+	  let { username, message } = req.body;
+	  
+	  if (!username)
+		  username = req.session.user.username;
+	  
+	  console.log(req.session);
+
+	  if (typeof message !== 'string' || !message.trim()) {
+		return res.status(400).json({ 
+		  error: 'Field "message" is required and must be a non-empty string' 
+		});
+	  }
+
+	  let targetUsername;
+
+	  if (this.#isTrustedIP(req)) {
+		if (!username || typeof username !== 'string' || username.trim() === '') {
+		  return res.status(400).json({ 
+			error: 'Trusted clients must provide "username" in JSON body' 
+		  });
+		}
+		targetUsername = username.trim();
+	  } else {
+		if (!req.session.user || !req.session.user.username) {
+		  return res.status(401).json({ error: 'Authentication required' });
+		}
+		if (username && username !== req.session.user.username) {
+		  return res.status(403).json({ error: 'Cannot impersonate another user' });
+		}
+		targetUsername = req.session.user.username;
+	  }
+
+	  // ──────────────── Add this check ─────────────────────────────
+	  const userExists = this.#usersDb
+		.prepare('SELECT 1 FROM users WHERE username = ?')
+		.get(targetUsername);
+
+	  if (!userExists) {
+		return res.status(404).json({ 
+		  error: `User '${targetUsername}' does not exist` 
+		});
+	  }
+	  // ─────────────────────────────────────────────────────────────
+
+	  const cleanMessage = message.trim();
+	  const time = new Date().toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
+
+	  const userDb = this.#getUserDb(targetUsername);
+
+	  try {
+		const insert = userDb.prepare(`
+		  INSERT INTO chat (text, response, time)
+		  VALUES (?, NULL, ?)
+		`);
+		const info = insert.run(cleanMessage, time);
+
+		const entry = {
+		  id: info.lastInsertRowid,
+		  username: targetUsername,
+		  text: cleanMessage,
+		  response: null,
+		  time,
+		};
+
+		if (typeof this.#options.onChat === 'function') {
+		  try {
+			const response = await this.#options.onChat(targetUsername, cleanMessage);
+
+			if (typeof response === 'string' && response.trim()) {
+			  userDb.prepare('UPDATE chat SET response = ? WHERE id = ?').run(
+				response.trim(),
+				entry.id
+			  );
+			  entry.response = response.trim();
+			}
+		  } catch (err) {
+			console.error('Error in onChat handler:', err);
+		  }
+		}
+
+		res.json({ success: true, result: entry.response });
+	  } finally {
+		userDb.close();
+	  }
+	});
+
+    // ── Admin routes ────────────────────────────────────────────
+    this.#app.get('/api/admin/users', this.#requireAdmin.bind(this), (req, res) => {
+      const users = this.#usersDb
+        .prepare('SELECT id, username, name, role, created_at FROM users ORDER BY created_at ASC')
+        .all();
+      res.json(users);
+    });
+
+    this.#app.get('/api/admin/user', this.#requireAdmin.bind(this), (req, res) => {
+      const { username: paramUsername } = req.params;
+      const { username: bodyUsername } = req.body;
+      const target = bodyUsername || paramUsername;
+
+      if (!target) return res.status(400).json({ error: 'username required' });
+
+      const user = this.#usersDb
+        .prepare('SELECT id, username, name, role, created_at FROM users WHERE username = ?')
+        .get(target);
+
+      if (!user) return res.status(404).json({ error: 'User not found' });
+      res.json(user);
+    });
+
+    this.#app.post('/api/admin/addUser', this.#requireAdmin.bind(this), (req, res) => {
+      const { username, password, name, role = 'user' } = req.body;
+
+      if (!username || !password) {
+        return res.status(400).json({ error: 'username and password are required' });
+      }
+
+      try {
+        this.createUser(username, password, name, role);
+        res.status(201).json({ success: true, username });
+      } catch (err) {
+        res.status(400).json({ error: err.message });
+      }
+    });
+
+    this.#app.patch('/api/admin/user', this.#requireAdmin.bind(this), (req, res) => {
+      const { username: paramUsername } = req.params;
+      const { username: bodyUsername, name, role } = req.body;
+
+      const target = bodyUsername || paramUsername;
+
+      if (!target) {
+        return res.status(400).json({ error: 'username required in JSON body or path' });
+      }
+
+      if (name === undefined && role === undefined) {
+        return res.status(400).json({ error: 'Provide at least "name" or "role"' });
+      }
+
+      const user = this.#usersDb
+        .prepare('SELECT role FROM users WHERE username = ?')
+        .get(target);
+
+      if (!user) return res.status(404).json({ error: 'User not found' });
+
+      const updates = [];
+      const params = [];
+
+      if (name !== undefined) {
+        updates.push('name = ?');
+        params.push(name || null);
+      }
+
+      if (role !== undefined) {
+        if (!['user', 'admin'].includes(role)) {
+          return res.status(400).json({ error: 'Role must be "user" or "admin"' });
+        }
+
+        if (role !== 'admin' && user.role === 'admin') {
+          const adminCount = this.#usersDb
+            .prepare('SELECT COUNT(*) as cnt FROM users WHERE role = "admin"')
+            .get().cnt;
+          if (adminCount <= 1) {
+            return res.status(403).json({ error: 'Cannot demote the last admin account' });
+          }
+        }
+
+        updates.push('role = ?');
+        params.push(role);
+      }
+
+      if (updates.length === 0) {
+        return res.status(400).json({ error: 'No valid fields to update' });
+      }
+
+      params.push(target);
+
+      this.#usersDb.prepare(`
+        UPDATE users
+        SET ${updates.join(', ')}
+        WHERE username = ?
+      `).run(...params);
+
+      res.json({ success: true });
+    });
+
+    
+	
+    this.#app.delete('/api/admin/user', this.#requireAdmin.bind(this), (req, res) => {
+      const { username: paramUsername } = req.params;
+      const { username: bodyUsername } = req.body;
+
+      const target = bodyUsername || paramUsername;
+
+      if (!target) {
+        return res.status(400).json({ error: 'username required in JSON body or path' });
+      }
+
+      if (req.session.user.username === target) {
+        return res.status(403).json({ error: 'Cannot delete your own account' });
+      }
+
+      const user = this.#usersDb
+        .prepare('SELECT role FROM users WHERE username = ?')
+        .get(target);
+
+      if (!user) {
+        return res.status(404).json({ error: 'User not found' });
+      }
+
+      // ── Changed logic: block deletion of ANY admin ───────────────
+      if (user.role === 'admin') {
+        return res.status(403).json({ 
+          error: 'Admin accounts cannot be deleted through this endpoint' 
+        });
+      }
+      // ──────────────────────────────────────────────────────────────
+
+      const safeUsername = target.replace(/[^a-zA-Z0-9_-]/g, '_');
+      const userDbPath = path.join(this.#dbDir, `chat-${safeUsername}.db`);
+      if (fs.existsSync(userDbPath)) {
+        try {
+          fs.unlinkSync(userDbPath);
+          console.log(`Deleted user chat DB: ${userDbPath}`);
+        } catch (err) {
+          console.warn(`Failed to delete user chat DB ${userDbPath}:`, err.message);
+        }
+      }
+
+      this.#usersDb.prepare('DELETE FROM users WHERE username = ?').run(target);
+
+      res.json({ success: true, deleted: target });
+    });	
+	
+	
+  }
+
+  start(port = this.#options.port, host = this.#options.host) {
+    this.#app.listen(port, host, () => {
+      console.log(
+        `WebChat server listening on http://${host === '0.0.0.0' ? 'localhost' : host}:${port}`
+      );
+      console.log(`Users DB:          ${path.join(this.#dbDir, 'users.db')}`);
+      console.log(`User chat DBs in:  ${this.#dbDir}`);
+      if (this.#options.trustAuth?.length) {
+        console.log(`Trusted IPs:       ${this.#options.trustAuth.join(', ')}`);
+      }
+      if (this.#options.onChat) {
+        console.log(`onChat handler:    ${this.#options.onChat.name || 'anonymous'}`);
+      }
+    });
+
+    return this.#app;
+  }
+}