catlog22/Claude-Code-Workflow
1
0
Fork 0
mirror of https://github.com/catlog22/Claude-Code-Workflow.git synced 2026-02-10 02:24:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

Issue Queue: issue-exec-20260106-160325 (#52)

Browse Source 
* feat(security): Secure dashboard server by default

## Solution Summary
- Solution-ID: SOL-DSC-002-1
- Issue-ID: DSC-002

## Tasks Completed
- [T1] JWT token manager (24h expiry, persisted secret/token)
- [T2] API auth middleware + localhost token endpoint
- [T3] Default bind 127.0.0.1, add --host with warning
- [T4] Localhost-only CORS with credentials + Vary
- [T5] SECURITY.md documentation + README link

## Verification
- npm run build
- npm test -- ccw/tests/token-manager.test.ts ccw/tests/middleware.test.ts ccw/tests/server-auth.integration.test.ts ccw/tests/server.test.ts ccw/tests/cors.test.ts

* fix(security): Prevent command injection in Windows spawn()

## Solution Summary
- **Solution-ID**: SOL-DSC-001-1
- **Issue-ID**: DSC-001
- **Risk/Impact/Complexity**: high/high/medium

## Tasks Completed
- [T1] Create Windows shell escape utility
- [T2] Escape cli-executor spawn() args on Windows
- [T3] Add command injection regression tests

## Files Modified
- ccw/src/utils/shell-escape.ts
- ccw/src/tools/cli-executor.ts
- ccw/tests/shell-escape.test.ts
- ccw/tests/security/command-injection.test.ts

## Verification
- npm run build
- npm test -- ccw/tests/shell-escape.test.ts ccw/tests/security/command-injection.test.ts

* fix(security): Harden path validation (DSC-005)

## Solution Summary
- Solution-ID: SOL-DSC-005-1
- Issue-ID: DSC-005

## Tasks Completed
- T1: Refactor path validation to pre-resolution checking
- T2: Implement allowlist-based path validation
- T3: Add path validation to API routes
- T4: Add path security regression tests

## Files Modified
- ccw/src/utils/path-resolver.ts
- ccw/src/utils/path-validator.ts
- ccw/src/core/routes/graph-routes.ts
- ccw/src/core/routes/files-routes.ts
- ccw/src/core/routes/skills-routes.ts
- ccw/tests/path-resolver.test.ts
- ccw/tests/graph-routes.test.ts
- ccw/tests/files-routes.test.ts
- ccw/tests/skills-routes.test.ts
- ccw/tests/security/path-traversal.test.ts

## Verification
- npm run build
- npm test -- path-resolver.test.ts
- npm test -- path-validator.test.ts
- npm test -- graph-routes.test.ts
- npm test -- files-routes.test.ts
- npm test -- skills-routes.test.ts
- npm test -- ccw/tests/security/path-traversal.test.ts

* fix(security): Prevent credential leakage (DSC-004)

## Solution Summary
- Solution-ID: SOL-DSC-004-1
- Issue-ID: DSC-004

## Tasks Completed
- T1: Create credential handling security tests
- T2: Add log sanitization tests
- T3: Add env var leakage prevention tests
- T4: Add secure storage tests

## Files Modified
- ccw/src/config/litellm-api-config-manager.ts
- ccw/src/core/routes/litellm-api-routes.ts
- ccw/tests/security/credential-handling.test.ts

## Verification
- npm run build
- node --experimental-strip-types --test ccw/tests/security/credential-handling.test.ts

* test(ranking): expand normalize_weights edge case coverage (ISS-1766920108814-0)

## Solution Summary
- Solution-ID: SOL-20251228113607
- Issue-ID: ISS-1766920108814-0

## Tasks Completed
- T1: Fix NaN and invalid total handling in normalize_weights
- T2: Add unit tests for NaN edge cases in normalize_weights

## Files Modified
- codex-lens/tests/test_rrf_fusion.py

## Verification
- python -m pytest codex-lens/tests/test_rrf_fusion.py::TestNormalizeBM25Score -v
- python -m pytest codex-lens/tests/test_rrf_fusion.py -v -k normalize
- python -m pytest codex-lens/tests/test_rrf_fusion.py::TestReciprocalRankFusion::test_weight_normalization codex-lens/tests/test_cli_hybrid_search.py::TestCLIHybridSearch::test_weights_normalization -v

* feat(security): Add CSRF protection and tighten CORS (DSC-006)

## Solution Summary
- Solution-ID: SOL-DSC-006-1
- Issue-ID: DSC-006
- Risk/Impact/Complexity: high/high/medium

## Tasks Completed
- T1: Create CSRF token generation system
- T2: Add CSRF token endpoints
- T3: Implement CSRF validation middleware
- T4: Restrict CORS to trusted origins
- T5: Add CSRF security tests

## Files Modified
- ccw/src/core/auth/csrf-manager.ts
- ccw/src/core/auth/csrf-middleware.ts
- ccw/src/core/routes/auth-routes.ts
- ccw/src/core/server.ts
- ccw/tests/csrf-manager.test.ts
- ccw/tests/auth-routes.test.ts
- ccw/tests/csrf-middleware.test.ts
- ccw/tests/security/csrf.test.ts

## Verification
- npm run build
- node --experimental-strip-types --test ccw/tests/csrf-manager.test.ts
- node --experimental-strip-types --test ccw/tests/auth-routes.test.ts
- node --experimental-strip-types --test ccw/tests/csrf-middleware.test.ts
- node --experimental-strip-types --test ccw/tests/cors.test.ts
- node --experimental-strip-types --test ccw/tests/security/csrf.test.ts

* fix(cli-executor): prevent stale SIGKILL timeouts

## Solution Summary

- Solution-ID: SOL-DSC-007-1

- Issue-ID: DSC-007

- Risk/Impact/Complexity: low/low/low

## Tasks Completed

- [T1] Store timeout handle in killCurrentCliProcess

## Files Modified

- ccw/src/tools/cli-executor.ts

- ccw/tests/cli-executor-kill.test.ts

## Verification

- node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts

* fix(cli-executor): enhance merge validation guards

## Solution Summary

- Solution-ID: SOL-DSC-008-1

- Issue-ID: DSC-008

- Risk/Impact/Complexity: low/low/low

## Tasks Completed

- [T1] Enhance sourceConversations array validation

## Files Modified

- ccw/src/tools/cli-executor.ts

- ccw/tests/cli-executor-merge-validation.test.ts

## Verification

- node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts

* refactor(core): remove @ts-nocheck from core routes

## Solution Summary
- Solution-ID: SOL-DSC-003-1
- Issue-ID: DSC-003
- Queue-ID: QUE-20260106-164500
- Item-ID: S-9

## Tasks Completed
- T1: Create shared RouteContext type definition
- T2: Remove @ts-nocheck from small route files
- T3: Remove @ts-nocheck from medium route files
- T4: Remove @ts-nocheck from large route files
- T5: Remove @ts-nocheck from remaining core files

## Files Modified
- ccw/src/core/dashboard-generator-patch.ts
- ccw/src/core/dashboard-generator.ts
- ccw/src/core/routes/ccw-routes.ts
- ccw/src/core/routes/claude-routes.ts
- ccw/src/core/routes/cli-routes.ts
- ccw/src/core/routes/codexlens-routes.ts
- ccw/src/core/routes/discovery-routes.ts
- ccw/src/core/routes/files-routes.ts
- ccw/src/core/routes/graph-routes.ts
- ccw/src/core/routes/help-routes.ts
- ccw/src/core/routes/hooks-routes.ts
- ccw/src/core/routes/issue-routes.ts
- ccw/src/core/routes/litellm-api-routes.ts
- ccw/src/core/routes/litellm-routes.ts
- ccw/src/core/routes/mcp-routes.ts
- ccw/src/core/routes/mcp-routes.ts.backup
- ccw/src/core/routes/mcp-templates-db.ts
- ccw/src/core/routes/nav-status-routes.ts
- ccw/src/core/routes/rules-routes.ts
- ccw/src/core/routes/session-routes.ts
- ccw/src/core/routes/skills-routes.ts
- ccw/src/core/routes/status-routes.ts
- ccw/src/core/routes/system-routes.ts
- ccw/src/core/routes/types.ts
- ccw/src/core/server.ts
- ccw/src/core/websocket.ts

## Verification
- npm run build
- npm test

* refactor: split cli-executor and codexlens routes into modules

## Solution Summary
- Solution-ID: SOL-DSC-012-1
- Issue-ID: DSC-012
- Risk/Impact/Complexity: medium/medium/high

## Tasks Completed
- [T1] Extract execution orchestration from cli-executor.ts (Refactor ccw/src/tools)
- [T2] Extract route handlers from codexlens-routes.ts (Refactor ccw/src/core/routes)
- [T3] Extract prompt concatenation logic from cli-executor (Refactor ccw/src/tools)
- [T4] Document refactored module architecture (Docs)

## Files Modified
- ccw/src/tools/cli-executor.ts
- ccw/src/tools/cli-executor-core.ts
- ccw/src/tools/cli-executor-utils.ts
- ccw/src/tools/cli-executor-state.ts
- ccw/src/tools/cli-prompt-builder.ts
- ccw/src/tools/README.md
- ccw/src/core/routes/codexlens-routes.ts
- ccw/src/core/routes/codexlens/config-handlers.ts
- ccw/src/core/routes/codexlens/index-handlers.ts
- ccw/src/core/routes/codexlens/semantic-handlers.ts
- ccw/src/core/routes/codexlens/watcher-handlers.ts
- ccw/src/core/routes/codexlens/utils.ts
- ccw/src/core/routes/codexlens/README.md

## Verification
- npm run build
- npm test

* test(issue): Add comprehensive issue command tests

## Solution Summary
- **Solution-ID**: SOL-DSC-009-1
- **Issue-ID**: DSC-009
- **Risk/Impact/Complexity**: low/high/medium

## Tasks Completed
- [T1] Create issue command test file structure: Create isolated test harness
- [T2] Add JSONL read/write operation tests: Verify JSONL correctness and errors
- [T3] Add issue lifecycle tests: Verify status transitions and timestamps
- [T4] Add solution binding tests: Verify binding flows and error cases
- [T5] Add queue formation tests: Verify queue creation, IDs, and DAG behavior
- [T6] Add queue execution tests: Verify next/done/retry and status sync

## Files Modified
- ccw/src/commands/issue.ts
- ccw/tests/issue-command.test.ts

## Verification
- node --experimental-strip-types --test ccw/tests/issue-command.test.ts

* test(routes): Add integration tests for route modules

## Solution Summary
- Solution-ID: SOL-DSC-010-1
- Issue-ID: DSC-010
- Queue-ID: QUE-20260106-164500

## Tasks Completed
- [T1] Add tests for ccw-routes.ts
- [T2] Add tests for files-routes.ts
- [T3] Add tests for claude-routes.ts (includes Windows path fix for create)
- [T4] Add tests for issue-routes.ts
- [T5] Add tests for help-routes.ts (avoid hanging watchers)
- [T6] Add tests for nav-status-routes.ts
- [T7] Add tests for hooks/graph/rules/skills/litellm-api routes

## Files Modified
- ccw/src/core/routes/claude-routes.ts
- ccw/src/core/routes/help-routes.ts
- ccw/tests/integration/ccw-routes.test.ts
- ccw/tests/integration/claude-routes.test.ts
- ccw/tests/integration/files-routes.test.ts
- ccw/tests/integration/issue-routes.test.ts
- ccw/tests/integration/help-routes.test.ts
- ccw/tests/integration/nav-status-routes.test.ts
- ccw/tests/integration/hooks-routes.test.ts
- ccw/tests/integration/graph-routes.test.ts
- ccw/tests/integration/rules-routes.test.ts
- ccw/tests/integration/skills-routes.test.ts
- ccw/tests/integration/litellm-api-routes.test.ts

## Verification
- node --experimental-strip-types --test ccw/tests/integration/ccw-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/files-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/claude-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/issue-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/help-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/nav-status-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/hooks-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/graph-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/rules-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/skills-routes.test.ts
- node --experimental-strip-types --test ccw/tests/integration/litellm-api-routes.test.ts

* refactor(core): Switch cache and lite scanning to async fs

## Solution Summary
- Solution-ID: SOL-DSC-013-1
- Issue-ID: DSC-013
- Queue-ID: QUE-20260106-164500

## Tasks Completed
- [T1] Convert cache-manager.ts to async file operations
- [T2] Convert lite-scanner.ts to async file operations
- [T3] Update cache-manager call sites to await async API
- [T4] Update lite-scanner call sites to await async API

## Files Modified
- ccw/src/core/cache-manager.ts
- ccw/src/core/lite-scanner.ts
- ccw/src/core/data-aggregator.ts

## Verification
- npm run build
- npm test

* fix(exec): Add timeout protection for execSync

## Solution Summary
- Solution-ID: SOL-DSC-014-1
- Issue-ID: DSC-014
- Queue-ID: QUE-20260106-164500

## Tasks Completed
- [T1] Add timeout to execSync calls in python-utils.ts
- [T2] Add timeout to execSync calls in detect-changed-modules.ts
- [T3] Add timeout to execSync calls in claude-freshness.ts
- [T4] Add timeout to execSync calls in issue.ts
- [T5] Consolidate execSync timeout constants and audit coverage

## Files Modified
- ccw/src/utils/exec-constants.ts
- ccw/src/utils/python-utils.ts
- ccw/src/tools/detect-changed-modules.ts
- ccw/src/core/claude-freshness.ts
- ccw/src/commands/issue.ts
- ccw/src/tools/smart-search.ts
- ccw/src/tools/codex-lens.ts
- ccw/src/core/routes/codexlens/config-handlers.ts

## Verification
- npm run build
- npm test
- node --experimental-strip-types --test ccw/tests/issue-command.test.ts

* feat(cli): Add progress spinner with elapsed time for long-running operations

## Solution Summary
- Solution-ID: SOL-DSC-015-1
- Issue-ID: DSC-015
- Queue-Item: S-15
- Risk/Impact/Complexity: low/medium/low

## Tasks Completed
- [T1] Add progress spinner to CLI execution: Update ccw/src/commands/cli.ts

## Files Modified
- ccw/src/commands/cli.ts
- ccw/tests/cli-command.test.ts

## Verification
- node --experimental-strip-types --test ccw/tests/cli-command.test.ts
- node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts
- node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts

* fix(cli): Move full output hint immediately after truncation notice

## Solution Summary
- Solution-ID: SOL-DSC-016-1
- Issue-ID: DSC-016
- Queue-Item: S-16
- Risk/Impact/Complexity: low/high/low

## Tasks Completed
- [T1] Relocate output hint after truncation: Update ccw/src/commands/cli.ts

## Files Modified
- ccw/src/commands/cli.ts
- ccw/tests/cli-command.test.ts

## Verification
- npm run build
- node --experimental-strip-types --test ccw/tests/cli-command.test.ts

* feat(cli): Add confirmation prompts for destructive operations

## Solution Summary
- Solution-ID: SOL-DSC-017-1
- Issue-ID: DSC-017
- Queue-Item: S-17
- Risk/Impact/Complexity: low/high/low

## Tasks Completed
- [T1] Add confirmation to storage clean operations: Update ccw/src/commands/cli.ts
- [T2] Add confirmation to issue queue delete: Update ccw/src/commands/issue.ts

## Files Modified
- ccw/src/commands/cli.ts
- ccw/src/commands/issue.ts
- ccw/tests/cli-command.test.ts
- ccw/tests/issue-command.test.ts

## Verification
- npm run build
- node --experimental-strip-types --test ccw/tests/cli-command.test.ts
- node --experimental-strip-types --test ccw/tests/issue-command.test.ts

* feat(cli): Improve multi-line prompt guidance

## Solution Summary
- Solution-ID: SOL-DSC-018-1
- Issue-ID: DSC-018
- Queue-Item: S-18
- Risk/Impact/Complexity: low/medium/low

## Tasks Completed
- [T1] Update CLI help to emphasize --file option: Update ccw/src/commands/cli.ts
- [T2] Add inline hint for multi-line detection: Update ccw/src/commands/cli.ts

## Files Modified
- ccw/src/commands/cli.ts
- ccw/tests/cli-command.test.ts

## Verification
- npm run build
- node --experimental-strip-types --test ccw/tests/cli-command.test.ts

---------

Co-authored-by: catlog22 <catlog22@github.com>
This commit is contained in:
catlog22
2026-01-07 22:35:46 +08:00
committed by GitHub
parent fae2f7e279
commit 09d99abee6
100 changed files with 14300 additions and 6456 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
ccw/src/core/auth/csrf-manager.ts Normal file
View File

@@ -0,0 +1,104 @@
import { randomBytes } from 'crypto';
export interface CsrfTokenManagerOptions {
tokenTtlMs?: number;
cleanupIntervalMs?: number;
}
type CsrfTokenRecord = {
sessionId: string;
expiresAtMs: number;
used: boolean;
};
const DEFAULT_TOKEN_TTL_MS = 15 * 60 * 1000; // 15 minutes
const DEFAULT_CLEANUP_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
export class CsrfTokenManager {
private readonly tokenTtlMs: number;
private readonly records = new Map<string, CsrfTokenRecord>();
private readonly cleanupTimer: NodeJS.Timeout | null;
constructor(options: CsrfTokenManagerOptions = {}) {
this.tokenTtlMs = options.tokenTtlMs ?? DEFAULT_TOKEN_TTL_MS;
const cleanupIntervalMs = options.cleanupIntervalMs ?? DEFAULT_CLEANUP_INTERVAL_MS;
if (cleanupIntervalMs > 0) {
this.cleanupTimer = setInterval(() => {
this.cleanupExpiredTokens();
}, cleanupIntervalMs);
if (this.cleanupTimer.unref) {
this.cleanupTimer.unref();
}
} else {
this.cleanupTimer = null;
}
}
dispose(): void {
if (this.cleanupTimer) {
clearInterval(this.cleanupTimer);
}
this.records.clear();
}
generateToken(sessionId: string): string {
const token = randomBytes(32).toString('hex');
this.records.set(token, {
sessionId,
expiresAtMs: Date.now() + this.tokenTtlMs,
used: false,
});
return token;
}
validateToken(token: string, sessionId: string): boolean {
const record = this.records.get(token);
if (!record) return false;
if (record.used) return false;
if (record.sessionId !== sessionId) return false;
if (Date.now() > record.expiresAtMs) {
this.records.delete(token);
return false;
}
record.used = true;
return true;
}
cleanupExpiredTokens(nowMs: number = Date.now()): number {
let removed = 0;
for (const [token, record] of this.records.entries()) {
if (record.used || nowMs > record.expiresAtMs) {
this.records.delete(token);
removed += 1;
}
}
return removed;
}
getActiveTokenCount(): number {
return this.records.size;
}
}
let csrfManagerInstance: CsrfTokenManager | null = null;
export function getCsrfTokenManager(options?: CsrfTokenManagerOptions): CsrfTokenManager {
if (!csrfManagerInstance) {
csrfManagerInstance = new CsrfTokenManager(options);
}
return csrfManagerInstance;
}
export function resetCsrfTokenManager(): void {
if (csrfManagerInstance) {
csrfManagerInstance.dispose();
}
csrfManagerInstance = null;
}

158
ccw/src/core/auth/csrf-middleware.ts Normal file
View File

@@ -0,0 +1,158 @@
import type http from 'http';
import type { IncomingMessage, ServerResponse } from 'http';
import { randomBytes } from 'crypto';
import { getCsrfTokenManager } from './csrf-manager.js';
export interface CsrfMiddlewareContext {
pathname: string;
req: IncomingMessage;
res: ServerResponse;
}
function getHeaderValue(header: string | string[] | undefined): string | null {
if (!header) return null;
if (Array.isArray(header)) return header[0] ?? null;
return header;
}
function parseCookieHeader(cookieHeader: string | null | undefined): Record<string, string> {
if (!cookieHeader) return {};
const cookies: Record<string, string> = {};
for (const part of cookieHeader.split(';')) {
const [rawName, ...rawValueParts] = part.trim().split('=');
if (!rawName) continue;
const rawValue = rawValueParts.join('=');
try {
cookies[rawName] = decodeURIComponent(rawValue);
} catch {
cookies[rawName] = rawValue;
}
}
return cookies;
}
function appendSetCookie(res: ServerResponse, cookie: string): void {
const existing = res.getHeader('Set-Cookie');
if (!existing) {
res.setHeader('Set-Cookie', cookie);
return;
}
if (Array.isArray(existing)) {
res.setHeader('Set-Cookie', [...existing, cookie]);
return;
}
res.setHeader('Set-Cookie', [String(existing), cookie]);
}
function setCsrfCookie(res: ServerResponse, token: string, maxAgeSeconds: number): void {
const attributes = [
`XSRF-TOKEN=${encodeURIComponent(token)}`,
'Path=/',
'HttpOnly',
'SameSite=Strict',
`Max-Age=${maxAgeSeconds}`,
];
appendSetCookie(res, attributes.join('; '));
}
function envFlagEnabled(name: string): boolean {
const value = process.env[name];
if (!value) return false;
return ['1', 'true', 'yes', 'on'].includes(value.trim().toLowerCase());
}
async function readRawBody(req: IncomingMessage): Promise<string> {
const withCache = req as http.IncomingMessage & { __ccwRawBody?: string };
if (typeof withCache.__ccwRawBody === 'string') return withCache.__ccwRawBody;
return new Promise((resolve, reject) => {
let body = '';
req.on('data', (chunk) => {
body += chunk.toString();
});
req.on('end', () => {
withCache.__ccwRawBody = body;
resolve(body);
});
req.on('error', reject);
});
}
async function readJsonBody(req: IncomingMessage): Promise<unknown> {
const withCache = req as http.IncomingMessage & { body?: unknown };
if (withCache.body !== undefined) return withCache.body;
const raw = await readRawBody(req);
if (!raw) return undefined;
try {
const parsed = JSON.parse(raw) as unknown;
withCache.body = parsed;
return parsed;
} catch {
return undefined;
}
}
function extractCsrfTokenFromBody(body: unknown): string | null {
if (!body || typeof body !== 'object') return null;
const record = body as Record<string, unknown>;
const token = record.csrfToken;
return typeof token === 'string' && token ? token : null;
}
function writeJson(res: ServerResponse, status: number, body: Record<string, unknown>): void {
res.writeHead(status, { 'Content-Type': 'application/json; charset=utf-8' });
res.end(JSON.stringify(body));
}
export async function csrfValidation(ctx: CsrfMiddlewareContext): Promise<boolean> {
const { pathname, req, res } = ctx;
if (!pathname.startsWith('/api/')) return true;
if (envFlagEnabled('CCW_DISABLE_CSRF')) return true;
const method = (req.method || 'GET').toUpperCase();
if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) return true;
// Always allow token acquisition routes.
if (pathname === '/api/auth/token') return true;
// Requests authenticated via Authorization header do not require CSRF protection.
const authorization = getHeaderValue(req.headers.authorization);
if (authorization && /^Bearer\s+.+$/i.test(authorization)) return true;
const headerToken = getHeaderValue(req.headers['x-csrf-token']);
const cookies = parseCookieHeader(getHeaderValue(req.headers.cookie));
const cookieToken = cookies['XSRF-TOKEN'];
let bodyToken: string | null = null;
if (!headerToken && !cookieToken) {
const body = await readJsonBody(req);
bodyToken = extractCsrfTokenFromBody(body);
}
const token = headerToken || bodyToken || cookieToken || null;
const sessionId = cookies.ccw_session_id;
if (!token || !sessionId) {
writeJson(res, 403, { error: 'CSRF validation failed' });
return false;
}
const tokenManager = getCsrfTokenManager();
const ok = tokenManager.validateToken(token, sessionId);
if (!ok) {
writeJson(res, 403, { error: 'CSRF validation failed' });
return false;
}
const nextToken = tokenManager.generateToken(sessionId);
res.setHeader('X-CSRF-Token', nextToken);
setCsrfCookie(res, nextToken, 15 * 60);
return true;
}

94
ccw/src/core/auth/middleware.ts Normal file
View File

@@ -0,0 +1,94 @@
import type http from 'http';
import type { IncomingMessage, ServerResponse } from 'http';
import type { TokenManager } from './token-manager.js';
export interface AuthMiddlewareContext {
pathname: string;
req: IncomingMessage;
res: ServerResponse;
tokenManager: TokenManager;
secretKey: string;
unauthenticatedPaths?: Set<string>;
}
function parseCookieHeader(cookieHeader: string | null | undefined): Record<string, string> {
if (!cookieHeader) return {};
const cookies: Record<string, string> = {};
for (const part of cookieHeader.split(';')) {
const [rawName, ...rawValueParts] = part.trim().split('=');
if (!rawName) continue;
const rawValue = rawValueParts.join('=');
try {
cookies[rawName] = decodeURIComponent(rawValue);
} catch {
cookies[rawName] = rawValue;
}
}
return cookies;
}
function getHeaderValue(header: string | string[] | undefined): string | null {
if (!header) return null;
if (Array.isArray(header)) return header[0] ?? null;
return header;
}
export function extractAuthToken(req: IncomingMessage): string | null {
const authorization = getHeaderValue(req.headers.authorization);
if (authorization) {
const match = authorization.match(/^Bearer\s+(.+)$/i);
if (match?.[1]) return match[1].trim();
}
const cookies = parseCookieHeader(getHeaderValue(req.headers.cookie));
if (cookies.auth_token) return cookies.auth_token;
return null;
}
export function isLocalhostRequest(req: IncomingMessage): boolean {
const remote = req.socket?.remoteAddress ?? '';
return remote === '127.0.0.1' || remote === '::1' || remote === '::ffff:127.0.0.1';
}
export function setAuthCookie(res: ServerResponse, token: string, expiresAt: Date): void {
const maxAgeSeconds = Math.max(0, Math.floor((expiresAt.getTime() - Date.now()) / 1000));
const attributes = [
`auth_token=${encodeURIComponent(token)}`,
'Path=/',
'HttpOnly',
'SameSite=Strict',
`Max-Age=${maxAgeSeconds}`,
];
res.setHeader('Set-Cookie', attributes.join('; '));
}
function writeJson(res: ServerResponse, status: number, body: Record<string, unknown>): void {
res.writeHead(status, { 'Content-Type': 'application/json; charset=utf-8' });
res.end(JSON.stringify(body));
}
export function authMiddleware(ctx: AuthMiddlewareContext): boolean {
const { pathname, req, res, tokenManager, secretKey, unauthenticatedPaths } = ctx;
if (!pathname.startsWith('/api/')) return true;
if (unauthenticatedPaths?.has(pathname)) return true;
const token = extractAuthToken(req);
if (!token) {
writeJson(res, 401, { error: 'Unauthorized' });
return false;
}
const ok = tokenManager.validateToken(token, secretKey);
if (!ok) {
writeJson(res, 401, { error: 'Unauthorized' });
return false;
}
(req as http.IncomingMessage & { authenticated?: boolean }).authenticated = true;
return true;
}

219
ccw/src/core/auth/token-manager.ts Normal file
View File

@@ -0,0 +1,219 @@
import { randomBytes } from 'crypto';
import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync } from 'fs';
import { dirname, join } from 'path';
import jwt from 'jsonwebtoken';
import type { Algorithm } from 'jsonwebtoken';
import { getCCWHome } from '../../config/storage-paths.js';
export interface TokenResult {
token: string;
expiresAt: Date;
}
export interface TokenInfo extends TokenResult {
issuedAt: Date;
revokedAt?: Date;
rotatedAt?: Date;
replacedBy?: string;
}
export interface TokenManagerOptions {
authDir?: string;
secretKeyPath?: string;
tokenPath?: string;
tokenTtlMs?: number;
rotateBeforeExpiryMs?: number;
}
const DEFAULT_TOKEN_TTL_MS = 24 * 60 * 60 * 1000;
const DEFAULT_ROTATE_BEFORE_EXPIRY_MS = 60 * 60 * 1000;
const JWT_ALGORITHM: Algorithm = 'HS256';
function ensureDirectory(dirPath: string): void {
if (!existsSync(dirPath)) {
mkdirSync(dirPath, { recursive: true });
}
}
function bestEffortRestrictPermissions(filePath: string, mode: number): void {
try {
chmodSync(filePath, mode);
} catch {
// Ignore permission errors (e.g., Windows or restrictive environments)
}
}
function writeSecretFile(filePath: string, content: string): void {
ensureDirectory(dirname(filePath));
writeFileSync(filePath, content, { encoding: 'utf8', mode: 0o600 });
bestEffortRestrictPermissions(filePath, 0o600);
}
function writeTokenFile(filePath: string, content: string): void {
ensureDirectory(dirname(filePath));
writeFileSync(filePath, content, { encoding: 'utf8', mode: 0o600 });
bestEffortRestrictPermissions(filePath, 0o600);
}
function parseJwtExpiry(token: string): Date | null {
const decoded = jwt.decode(token);
if (!decoded || typeof decoded !== 'object') return null;
if (typeof decoded.exp !== 'number') return null;
return new Date(decoded.exp * 1000);
}
export class TokenManager {
private readonly authDir: string;
private readonly secretKeyPath: string;
private readonly tokenPath: string;
private readonly tokenTtlMs: number;
private readonly rotateBeforeExpiryMs: number;
private secretKey: string | null = null;
private readonly activeTokens = new Map<string, TokenInfo>();
constructor(options: TokenManagerOptions = {}) {
this.authDir = options.authDir ?? join(getCCWHome(), 'auth');
this.secretKeyPath = options.secretKeyPath ?? join(this.authDir, 'secret.key');
this.tokenPath = options.tokenPath ?? join(this.authDir, 'token.jwt');
this.tokenTtlMs = options.tokenTtlMs ?? DEFAULT_TOKEN_TTL_MS;
this.rotateBeforeExpiryMs = options.rotateBeforeExpiryMs ?? DEFAULT_ROTATE_BEFORE_EXPIRY_MS;
}
getSecretKey(): string {
if (this.secretKey) return this.secretKey;
ensureDirectory(this.authDir);
if (existsSync(this.secretKeyPath)) {
const loaded = readFileSync(this.secretKeyPath, 'utf8').trim();
if (!loaded) {
throw new Error('Auth secret key file is empty');
}
this.secretKey = loaded;
return loaded;
}
const generated = randomBytes(32).toString('hex');
writeSecretFile(this.secretKeyPath, generated);
this.secretKey = generated;
return generated;
}
generateToken(secretKey: string): TokenResult {
const token = jwt.sign(
{
typ: 'ccw-api',
jti: randomBytes(16).toString('hex'),
},
secretKey,
{
algorithm: JWT_ALGORITHM,
expiresIn: Math.floor(this.tokenTtlMs / 1000),
}
);
const expiresAt = parseJwtExpiry(token) ?? new Date(Date.now() + this.tokenTtlMs);
this.activeTokens.set(token, { token, expiresAt, issuedAt: new Date() });
return { token, expiresAt };
}
validateToken(token: string, secretKey: string): boolean {
const info = this.activeTokens.get(token);
if (info?.revokedAt) return false;
try {
jwt.verify(token, secretKey, { algorithms: [JWT_ALGORITHM] });
return true;
} catch {
return false;
}
}
refreshToken(token: string, secretKey: string): TokenResult {
const existing = this.activeTokens.get(token);
if (existing) {
existing.revokedAt = new Date();
}
const next = this.generateToken(secretKey);
if (existing) {
existing.rotatedAt = new Date();
existing.replacedBy = next.token;
}
return next;
}
/**
* Read an existing persisted token or create a new one.
* If the existing token is nearing expiry, rotate it.
*/
getOrCreateAuthToken(): TokenResult {
const secretKey = this.getSecretKey();
if (existsSync(this.tokenPath)) {
const persisted = readFileSync(this.tokenPath, 'utf8').trim();
if (persisted && this.validateToken(persisted, secretKey)) {
const expiresAt = parseJwtExpiry(persisted);
if (expiresAt) {
// Ensure persisted token is tracked for revocation support
if (!this.activeTokens.has(persisted)) {
this.activeTokens.set(persisted, { token: persisted, expiresAt, issuedAt: new Date() });
}
const msUntilExpiry = expiresAt.getTime() - Date.now();
if (msUntilExpiry > this.rotateBeforeExpiryMs) {
return { token: persisted, expiresAt };
}
}
// Token exists but is expiring soon (or expiry missing) → rotate
const rotated = this.generateToken(secretKey);
writeTokenFile(this.tokenPath, rotated.token);
const existing = this.activeTokens.get(persisted);
if (existing) {
existing.rotatedAt = new Date();
existing.replacedBy = rotated.token;
}
return rotated;
}
}
const created = this.generateToken(secretKey);
writeTokenFile(this.tokenPath, created.token);
return created;
}
revokeToken(token: string): void {
const info = this.activeTokens.get(token);
if (info) {
info.revokedAt = new Date();
} else {
this.activeTokens.set(token, {
token,
issuedAt: new Date(),
expiresAt: new Date(0),
revokedAt: new Date(),
});
}
}
}
let tokenManagerInstance: TokenManager | null = null;
export function getTokenManager(options?: TokenManagerOptions): TokenManager {
if (!tokenManagerInstance) {
tokenManagerInstance = new TokenManager(options);
}
return tokenManagerInstance;
}
export function resetTokenManager(): void {
tokenManagerInstance = null;
}
export function getOrCreateAuthToken(): TokenResult {
return getTokenManager().getOrCreateAuthToken();
}