From 06023c79fa8ef485dc17e13074b8f8d292bd981b Mon Sep 17 00:00:00 2001 From: sky5454 Date: Wed, 8 Apr 2026 21:43:51 +0800 Subject: [PATCH] feat(launcher): standard HTTP login/setup/logout flow for dashboard, frontend and backend impl. and fix windows pid lock for ws (#2339) * feat(launcher): replace token-in-logs auth with standard HTTP login flow ## Problem Previously users had to find the one-time token from console logs or log files to access the dashboard - a non-standard, error-prone workflow with no clear path for changing credentials. ## Solution: standard HTTP API login with bcrypt-backed password store ### Auth flow (new) 1. First run: browser opens, session guard detects uninitialized state, redirects to /launcher-setup 2. User sets a password (min 8 chars) via POST /api/auth/setup {password, confirm}, bcrypt(cost=12) hash stored in ~/.picoclaw/launcher-auth.db (SQLite) 3. Subsequent logins: POST /api/auth/login {password}, HttpOnly cookie picoclaw_launcher_auth (HMAC-SHA256 signed, 7-day expiry) 4. 401 on any API call, frontend redirects to /launcher-login 5. Logout: POST /api/auth/logout, cookie cleared, redirect to login ### Backend changes - web/backend/api/auth.go: renamed Token to Password; added handleSetup; launcherAuthStatusResponse now includes Initialized bool; PasswordStore interface wires bcrypt store into handlers - web/backend/dashboardauth/: new package - Store with New(dir) / Open(path); SetPassword (bcrypt cost=12), VerifyPassword, IsInitialized - sql.go: all DB-layer constants (DBFilename, sqliteDriver, bcryptCost, four SQL query strings) - compile-time constants, zero runtime overhead - web/backend/middleware/launcher_dashboard_auth.go: /launcher-setup and /api/auth/setup added to public paths - web/backend/main.go: - dashboardauth.New(picoHome) replaces manual path construction - maskSecret(): suffix only revealed when >=5 chars hidden (length >= 12), preventing 8-char minimum passwords from leaking their tail - web/backend/main_test.go: TestMaskSecret updated with boundary cases ### Forward-compatibility: pkg/credential integration If the dashboard password is later reused as the enc:// passphrase, the bcrypt hash in launcher-auth.db becomes an offline oracle. Recommended mitigation (not yet implemented): derive two independent subkeys via HKDF before use: bcrypt(HKDF(password, info="picoclaw-dashboard-login-v1")) stored in DB HKDF(password, info="picoclaw-credential-enc-v1") passed to PassphraseProvider This isolates the two domains: cracking the bcrypt hash yields only the login subkey, which is computationally independent of the enc:// subkey. * fix(auth): replace wastedassign ok := false with var ok bool * refactor(tray): remove copy-token clipboard feature Dashboard login now uses standard web auth (bcrypt + session cookie). The system tray 'Copy dashboard token' menu item is no longer needed. - Delete tray_offers_copy.go and tray_offers_copy_stub.go - Remove mCopyTok menu item and clipboard handler from systray.go - Remove launcherDashboardTokenForClipboard var from main.go - Remove MenuCopyToken/MenuCopyTokenHint keys from i18n.go * feat(launcher-ui): standard HTTP login/setup/logout flow for dashboard Replaces the previous "find token in logs" workflow with a proper browser-based authentication UI backed by the new /api/auth/* endpoints. ### New pages - /launcher-setup: first-run password initialization form (password + confirm, min 8 chars); calls POST /api/auth/setup; redirects to login on success - /launcher-login: standard password login form; calls POST /api/auth/login; sets HttpOnly session cookie on success ### Session guard (src/routes/__root.tsx) A useEffect on every non-auth page load calls GET /api/auth/status: - initialized=false -> redirect to /launcher-setup - authenticated=false -> redirect to /launcher-login This ensures the setup/login UI is shown even when the ?token= URL mechanism auto-logs in (first-run case). ### Logout button (src/components/app-header.tsx) IconLogout button added to the header with a confirm AlertDialog; calls POST /api/auth/logout then redirects to /launcher-login. ### API layer - src/api/launcher-auth.ts: LauncherAuthStatus gains initialized bool; postLauncherDashboardSetup() added; LauncherAuthTokenHelp removed - src/api/http.ts: 401 guard uses isLauncherAuthPathname() (covers both /launcher-login and /launcher-setup) to prevent redirect loops - src/lib/launcher-login-path.ts: isLauncherSetupPathname() and isLauncherAuthPathname() added ### Routing - src/routeTree.gen.ts: /launcher-setup route registered throughout - src/routes/launcher-login.tsx: tokenHelp UI removed; useEffect added to redirect to setup when initialized=false ### i18n - en.json / zh.json: launcherSetup block added; launcherLogin keys updated to use passwordLabel/passwordPlaceholder * fix(lint): ts lint fixed 1 * fix(auth): detail auth error handle * fix(login): frontend web auth error handle * fix(frontend): auth error handler 5xx --- web/backend/api/auth.go | 199 +++++++++++++++--- web/backend/api/auth_test.go | 25 +-- web/backend/dashboardauth/sql.go | 24 +++ web/backend/dashboardauth/store.go | 94 +++++++++ web/backend/i18n.go | 6 - web/backend/main.go | 56 +++-- web/backend/main_test.go | 28 +++ .../middleware/launcher_dashboard_auth.go | 4 +- web/backend/systray.go | 13 -- web/backend/tray_offers_copy.go | 5 - web/backend/tray_offers_copy_stub.go | 5 - web/frontend/src/api/http.ts | 12 +- web/frontend/src/api/launcher-auth.ts | 44 ++-- web/frontend/src/components/app-header.tsx | 114 +++++++--- web/frontend/src/hooks/use-gateway.ts | 11 +- web/frontend/src/i18n/locales/en.json | 38 ++-- web/frontend/src/i18n/locales/zh.json | 38 ++-- web/frontend/src/lib/launcher-login-path.ts | 9 + web/frontend/src/routeTree.gen.ts | 21 ++ web/frontend/src/routes/__root.tsx | 76 +++++-- web/frontend/src/routes/launcher-login.tsx | 64 +----- web/frontend/src/routes/launcher-setup.tsx | 146 +++++++++++++ web/frontend/src/store/gateway.ts | 11 +- 23 files changed, 795 insertions(+), 248 deletions(-) create mode 100644 web/backend/dashboardauth/sql.go create mode 100644 web/backend/dashboardauth/store.go delete mode 100644 web/backend/tray_offers_copy.go delete mode 100644 web/backend/tray_offers_copy_stub.go create mode 100644 web/frontend/src/routes/launcher-setup.tsx diff --git a/web/backend/api/auth.go b/web/backend/api/auth.go index 22f7ec2c2..0790a6b76 100644 --- a/web/backend/api/auth.go +++ b/web/backend/api/auth.go @@ -1,8 +1,10 @@ package api import ( + "context" "crypto/subtle" "encoding/json" + "fmt" "io" "net/http" "strings" @@ -10,34 +12,47 @@ import ( "github.com/sipeed/picoclaw/web/backend/middleware" ) -// LauncherAuthRouteOpts configures dashboard token login handlers. +// PasswordStore is the interface for bcrypt-backed dashboard password persistence. +// Implemented by dashboardauth.Store; a nil value falls back to the legacy +// static-token comparison. +type PasswordStore interface { + IsInitialized(ctx context.Context) (bool, error) + SetPassword(ctx context.Context, plain string) error + VerifyPassword(ctx context.Context, plain string) (bool, error) +} + +// LauncherAuthRouteOpts configures dashboard auth handlers. type LauncherAuthRouteOpts struct { + // DashboardToken is the fallback plaintext token used when PasswordStore is + // nil or not yet initialized (env-var / config-file source, and ?token= auto-login). DashboardToken string SessionCookie string SecureCookie func(*http.Request) bool - // TokenHelp is returned on unauthenticated /api/auth/status responses (no secrets). - TokenHelp LauncherAuthTokenHelp -} - -// LauncherAuthTokenHelp tells the login UI where users can find the dashboard token. -type LauncherAuthTokenHelp struct { - EnvVarName string `json:"env_var_name"` - LogFileAbs string `json:"log_file,omitempty"` - ConfigFileAbs string `json:"config_file,omitempty"` - TrayCopyMenu bool `json:"tray_copy_menu"` - ConsoleStdout bool `json:"console_stdout"` + // PasswordStore enables bcrypt-backed password persistence. When non-nil and + // initialized, web-form login verifies against the stored hash instead of + // the plaintext DashboardToken. + PasswordStore PasswordStore + // StoreError holds the error returned when opening the password store. When + // non-nil and PasswordStore is nil, the auth endpoints surface a recovery + // message instead of an opaque 501/503. + StoreError error } type launcherAuthLoginBody struct { - Token string `json:"token"` + Password string `json:"password"` +} + +type launcherAuthSetupBody struct { + Password string `json:"password"` + Confirm string `json:"confirm"` } type launcherAuthStatusResponse struct { - Authenticated bool `json:"authenticated"` - TokenHelp *LauncherAuthTokenHelp `json:"token_help,omitempty"` + Authenticated bool `json:"authenticated"` + Initialized bool `json:"initialized"` } -// RegisterLauncherAuthRoutes registers /api/auth/login|logout|status. +// RegisterLauncherAuthRoutes registers /api/auth/login|logout|status|setup. func RegisterLauncherAuthRoutes(mux *http.ServeMux, opts LauncherAuthRouteOpts) { secure := opts.SecureCookie if secure == nil { @@ -47,22 +62,44 @@ func RegisterLauncherAuthRoutes(mux *http.ServeMux, opts LauncherAuthRouteOpts) token: opts.DashboardToken, sessionCookie: opts.SessionCookie, secureCookie: secure, - tokenHelp: opts.TokenHelp, + store: opts.PasswordStore, + storeErr: opts.StoreError, loginLimit: newLoginRateLimiter(), } mux.HandleFunc("POST /api/auth/login", h.handleLogin) mux.HandleFunc("POST /api/auth/logout", h.handleLogout) mux.HandleFunc("GET /api/auth/status", h.handleStatus) + mux.HandleFunc("POST /api/auth/setup", h.handleSetup) } type launcherAuthHandlers struct { token string sessionCookie string secureCookie func(*http.Request) bool - tokenHelp LauncherAuthTokenHelp + store PasswordStore + storeErr error // set when the store failed to open; drives recovery messages loginLimit *loginRateLimiter } +// isStoreInitialized safely queries the store. +// Returns (false, nil) when no store is configured (storeErr also nil). +// Returns (false, err) on store errors — callers must treat this as a 5xx, not as +// "uninitialized", to keep auth fail-closed. +// Exception: handleLogin swallows storeErr and falls back to token auth so +// that a corrupt DB does not lock out all access. +func (h *launcherAuthHandlers) isStoreInitialized(ctx context.Context) (bool, error) { + if h.store == nil { + if h.storeErr != nil { + return false, fmt.Errorf( + "password store unavailable (%w); "+ + "to recover, stop the application, delete the database file and restart ", + h.storeErr) + } + return false, nil + } + return h.store.IsInitialized(ctx) +} + func (h *launcherAuthHandlers) handleLogin(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") var body launcherAuthLoginBody @@ -77,10 +114,39 @@ func (h *launcherAuthHandlers) handleLogin(w http.ResponseWriter, r *http.Reques _, _ = w.Write([]byte(`{"error":"too many login attempts"}`)) return } - in := strings.TrimSpace(body.Token) - if len(in) != len(h.token) || subtle.ConstantTimeCompare([]byte(in), []byte(h.token)) != 1 { + in := strings.TrimSpace(body.Password) + var ok bool + + initialized, initErr := h.isStoreInitialized(r.Context()) + if initErr != nil { + if h.storeErr != nil { + // Store failed to open at startup — token login remains available. + initialized = false + } else { + w.WriteHeader(http.StatusInternalServerError) + writeErrorf(w, "%v", initErr) + return + } + } + + if initialized { + // Bcrypt path: verify against the stored hash. + var err error + ok, err = h.store.VerifyPassword(r.Context(), in) + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + writeErrorf(w, "password verification failed: %v", err) + return + } + } else { + // Fallback: constant-time compare against the plaintext token. + ok = len(in) == len(h.token) && + subtle.ConstantTimeCompare([]byte(in), []byte(h.token)) == 1 + } + + if !ok { w.WriteHeader(http.StatusUnauthorized) - _, _ = w.Write([]byte(`{"error":"invalid token"}`)) + _, _ = w.Write([]byte(`{"error":"invalid password"}`)) return } @@ -121,23 +187,100 @@ func (h *launcherAuthHandlers) handleLogout(w http.ResponseWriter, r *http.Reque func (h *launcherAuthHandlers) handleStatus(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") - ok := false + authed := false if c, err := r.Cookie(middleware.LauncherDashboardCookieName); err == nil { - ok = subtle.ConstantTimeCompare([]byte(c.Value), []byte(h.sessionCookie)) == 1 + authed = subtle.ConstantTimeCompare([]byte(c.Value), []byte(h.sessionCookie)) == 1 } - if ok { - _, _ = w.Write([]byte(`{"authenticated":true}`)) + initialized, initErr := h.isStoreInitialized(r.Context()) + if initErr != nil { + w.WriteHeader(http.StatusServiceUnavailable) + writeErrorf(w, "%v", initErr) return } resp := launcherAuthStatusResponse{ - Authenticated: false, - TokenHelp: &h.tokenHelp, + Authenticated: authed, + Initialized: initialized, } enc, err := json.Marshal(resp) if err != nil { w.WriteHeader(http.StatusInternalServerError) - _, _ = w.Write([]byte(`{"error":"internal error"}`)) + writeErrorf(w, "marshal response failed: %v", err) return } _, _ = w.Write(enc) } + +// handleSetup sets or changes the dashboard password. +// +// Rules: +// - If the store has no password yet, the endpoint is open (no session required). +// - If a password is already set, the caller must hold a valid session cookie. +func (h *launcherAuthHandlers) handleSetup(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + + if h.store == nil { + w.WriteHeader(http.StatusNotImplemented) + _, _ = w.Write([]byte(`{"error":"password store not configured"}`)) + return + } + + initialized, initErr := h.isStoreInitialized(r.Context()) + if initErr != nil { + w.WriteHeader(http.StatusServiceUnavailable) + writeErrorf(w, "%v", initErr) + return + } + + // If already initialized, require an active session (change-password flow). + if initialized { + authed := false + if c, err := r.Cookie(middleware.LauncherDashboardCookieName); err == nil { + authed = subtle.ConstantTimeCompare([]byte(c.Value), []byte(h.sessionCookie)) == 1 + } + if !authed { + w.WriteHeader(http.StatusUnauthorized) + _, _ = w.Write([]byte(`{"error":"must be authenticated to change password"}`)) + return + } + } + + var body launcherAuthSetupBody + if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&body); err != nil { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"invalid JSON"}`)) + return + } + + pw := strings.TrimSpace(body.Password) + if pw == "" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"password must not be empty"}`)) + return + } + if pw != strings.TrimSpace(body.Confirm) { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"passwords do not match"}`)) + return + } + if len([]rune(pw)) < 8 { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"password must be at least 8 characters"}`)) + return + } + + if err := h.store.SetPassword(r.Context(), pw); err != nil { + w.WriteHeader(http.StatusInternalServerError) + writeErrorf(w, "failed to save password: %v", err) + return + } + + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(`{"status":"ok"}`)) +} + +// writeErrorf writes a JSON error response with a formatted message. +// json.Marshal is used to safely escape the message string. +func writeErrorf(w http.ResponseWriter, format string, args ...any) { + msg, _ := json.Marshal(fmt.Sprintf(format, args...)) + _, _ = w.Write([]byte(`{"error":` + string(msg) + `}`)) +} diff --git a/web/backend/api/auth_test.go b/web/backend/api/auth_test.go index d2624a440..58ffb823a 100644 --- a/web/backend/api/auth_test.go +++ b/web/backend/api/auth_test.go @@ -23,12 +23,6 @@ func TestLauncherAuthLoginAndStatus(t *testing.T) { RegisterLauncherAuthRoutes(mux, LauncherAuthRouteOpts{ DashboardToken: tok, SessionCookie: sess, - TokenHelp: LauncherAuthTokenHelp{ - EnvVarName: "PICOCLAW_LAUNCHER_TOKEN", - LogFileAbs: "/tmp/launcher.log", - TrayCopyMenu: true, - ConsoleStdout: false, - }, }) t.Run("status_unauthenticated", func(t *testing.T) { @@ -38,23 +32,20 @@ func TestLauncherAuthLoginAndStatus(t *testing.T) { t.Fatalf("status code = %d", rec.Code) } var body struct { - Authenticated bool `json:"authenticated"` - TokenHelp *LauncherAuthTokenHelp `json:"token_help"` + Authenticated bool `json:"authenticated"` + Initialized bool `json:"initialized"` } if err := json.NewDecoder(rec.Body).Decode(&body); err != nil { t.Fatal(err) } - if body.Authenticated || body.TokenHelp == nil { - t.Fatalf("unexpected body: %+v", body) - } - if body.TokenHelp.EnvVarName != "PICOCLAW_LAUNCHER_TOKEN" || body.TokenHelp.LogFileAbs != "/tmp/launcher.log" { - t.Fatalf("token_help = %+v", body.TokenHelp) + if body.Authenticated { + t.Fatalf("unexpected authenticated=true: %+v", body) } }) t.Run("login_ok", func(t *testing.T) { rec := httptest.NewRecorder() - req := httptest.NewRequest(http.MethodPost, "/api/auth/login", strings.NewReader(`{"token":"`+tok+`"}`)) + req := httptest.NewRequest(http.MethodPost, "/api/auth/login", strings.NewReader(`{"password":"`+tok+`"}`)) req.Header.Set("Content-Type", "application/json") req.RemoteAddr = "127.0.0.1:12345" mux.ServeHTTP(rec, req) @@ -91,7 +82,6 @@ func TestLauncherAuthLogoutRequiresPostAndJSON(t *testing.T) { RegisterLauncherAuthRoutes(mux, LauncherAuthRouteOpts{ DashboardToken: "tok", SessionCookie: sess, - TokenHelp: LauncherAuthTokenHelp{EnvVarName: "PICOCLAW_LAUNCHER_TOKEN"}, }) rec := httptest.NewRecorder() @@ -125,11 +115,10 @@ func TestLauncherAuthLoginRateLimit(t *testing.T) { RegisterLauncherAuthRoutes(mux, LauncherAuthRouteOpts{ DashboardToken: tok, SessionCookie: sess, - TokenHelp: LauncherAuthTokenHelp{EnvVarName: "X"}, }) // 11 failing logins by wrong token; each consumes allow() slot after valid JSON. - wrongBody := `{"token":"wrong"}` + wrongBody := `{"password":"wrong"}` for i := 0; i < loginAttemptsPerIP; i++ { rec := httptest.NewRecorder() req := httptest.NewRequest(http.MethodPost, "/api/auth/login", strings.NewReader(wrongBody)) @@ -187,7 +176,6 @@ func TestLauncherAuthLogoutEmptyBody(t *testing.T) { RegisterLauncherAuthRoutes(mux, LauncherAuthRouteOpts{ DashboardToken: "tok", SessionCookie: sess, - TokenHelp: LauncherAuthTokenHelp{EnvVarName: "X"}, }) rec := httptest.NewRecorder() req := httptest.NewRequest(http.MethodPost, "/api/auth/logout", nil) @@ -206,7 +194,6 @@ func TestLauncherAuthLogoutRejectsTrailingJSON(t *testing.T) { RegisterLauncherAuthRoutes(mux, LauncherAuthRouteOpts{ DashboardToken: "tok", SessionCookie: sess, - TokenHelp: LauncherAuthTokenHelp{EnvVarName: "X"}, }) rec := httptest.NewRecorder() req := httptest.NewRequest(http.MethodPost, "/api/auth/logout", strings.NewReader(`{}{}`)) diff --git a/web/backend/dashboardauth/sql.go b/web/backend/dashboardauth/sql.go new file mode 100644 index 000000000..94886072b --- /dev/null +++ b/web/backend/dashboardauth/sql.go @@ -0,0 +1,24 @@ +package dashboardauth + +const ( + // DBFilename is the SQLite database file stored under the PicoClaw home directory. + DBFilename = "launcher-auth.db" + + sqliteDriver = "sqlite" + // bcryptCost is deliberately high enough to slow brute-force attempts. + bcryptCost = 12 + + sqlCreateTable = ` + CREATE TABLE IF NOT EXISTS dashboard_credentials ( + id INTEGER PRIMARY KEY CHECK (id = 1), + bcrypt_hash TEXT NOT NULL + )` + + sqlCountCredentials = `SELECT COUNT(*) FROM dashboard_credentials WHERE id = 1` + + sqlUpsertHash = ` + INSERT INTO dashboard_credentials (id, bcrypt_hash) VALUES (1, ?) + ON CONFLICT(id) DO UPDATE SET bcrypt_hash = excluded.bcrypt_hash` + + sqlSelectHash = `SELECT bcrypt_hash FROM dashboard_credentials WHERE id = 1` +) diff --git a/web/backend/dashboardauth/store.go b/web/backend/dashboardauth/store.go new file mode 100644 index 000000000..44605ba22 --- /dev/null +++ b/web/backend/dashboardauth/store.go @@ -0,0 +1,94 @@ +// Package dashboardauth provides a bcrypt-backed SQLite store for the +// launcher dashboard password. The database contains a single row (id=1) +// with the bcrypt hash; no plaintext is ever persisted. +package dashboardauth + +import ( + "context" + "database/sql" + "errors" + "fmt" + "path/filepath" + + "golang.org/x/crypto/bcrypt" + _ "modernc.org/sqlite" // register "sqlite" driver +) + +// Store holds a handle to the SQLite database that stores the bcrypt hash. +type Store struct { + db *sql.DB + path string // absolute path to the SQLite file +} + +// New opens (or creates) the database inside dir, using the package's +// canonical filename. This is the preferred constructor for most callers. +// Any error is wrapped with the resolved path so callers get actionable output. +func New(dir string) (*Store, error) { + path := filepath.Join(dir, DBFilename) + s, err := Open(path) + if err != nil { + return nil, fmt.Errorf("open %q: %w", path, err) + } + return s, nil +} + +// Open opens (or creates) the SQLite database at path and migrates the schema. +func Open(path string) (*Store, error) { + db, err := sql.Open(sqliteDriver, path) + if err != nil { + return nil, err + } + if _, err = db.Exec(sqlCreateTable); err != nil { + _ = db.Close() + return nil, err + } + return &Store{db: db, path: path}, nil +} + +// Close releases the database handle. +func (s *Store) Close() error { return s.db.Close() } + +// DBPath returns the absolute path to the SQLite database file. +func (s *Store) DBPath() string { return s.path } + +// IsInitialized reports whether a password hash has been stored. +func (s *Store) IsInitialized(ctx context.Context) (bool, error) { + var n int + err := s.db.QueryRowContext(ctx, sqlCountCredentials).Scan(&n) + if err != nil { + return false, err + } + return n > 0, nil +} + +// SetPassword hashes plain with bcrypt (cost 12) and stores (or replaces) it. +// The plaintext is never written to disk. +func (s *Store) SetPassword(ctx context.Context, plain string) error { + if len([]rune(plain)) == 0 { + return errors.New("password must not be empty") + } + hash, err := bcrypt.GenerateFromPassword([]byte(plain), bcryptCost) + if err != nil { + return err + } + _, err = s.db.ExecContext(ctx, sqlUpsertHash, string(hash)) + return err +} + +// VerifyPassword returns true iff plain matches the stored bcrypt hash. +// Returns (false, nil) when no password has been set yet. +func (s *Store) VerifyPassword(ctx context.Context, plain string) (bool, error) { + var hash string + err := s.db.QueryRowContext(ctx, sqlSelectHash).Scan(&hash) + if errors.Is(err, sql.ErrNoRows) { + return false, nil + } + if err != nil { + return false, err + } + err = bcrypt.CompareHashAndPassword([]byte(hash), []byte(plain)) + if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) { + return false, nil + } + return err == nil, err +} diff --git a/web/backend/i18n.go b/web/backend/i18n.go index 106df8506..9cda9e5d5 100644 --- a/web/backend/i18n.go +++ b/web/backend/i18n.go @@ -24,8 +24,6 @@ const ( AppTooltip TranslationKey = "AppTooltip" MenuOpen TranslationKey = "MenuOpen" MenuOpenTooltip TranslationKey = "MenuOpenTooltip" - MenuCopyToken TranslationKey = "MenuCopyToken" - MenuCopyTokenHint TranslationKey = "MenuCopyTokenHint" MenuAbout TranslationKey = "MenuAbout" MenuAboutTooltip TranslationKey = "MenuAboutTooltip" MenuVersion TranslationKey = "MenuVersion" @@ -49,8 +47,6 @@ var translations = map[Language]map[TranslationKey]string{ AppTooltip: "%s - Web Console", MenuOpen: "Open Console", MenuOpenTooltip: "Open PicoClaw console in browser", - MenuCopyToken: "Copy dashboard token", - MenuCopyTokenHint: "Copy the current web console access token to the clipboard", MenuAbout: "About", MenuAboutTooltip: "About PicoClaw", MenuVersion: "Version: %s", @@ -68,8 +64,6 @@ var translations = map[Language]map[TranslationKey]string{ AppTooltip: "%s - Web Console", MenuOpen: "打开控制台", MenuOpenTooltip: "在浏览器中打开 PicoClaw 控制台", - MenuCopyToken: "复制控制台口令", - MenuCopyTokenHint: "将当前 Web 控制台访问口令复制到剪贴板", MenuAbout: "关于", MenuAboutTooltip: "关于 PicoClaw", MenuVersion: "版本: %s", diff --git a/web/backend/main.go b/web/backend/main.go index 5e9f3315f..d9ea3474c 100644 --- a/web/backend/main.go +++ b/web/backend/main.go @@ -27,6 +27,7 @@ import ( "github.com/sipeed/picoclaw/pkg/config" "github.com/sipeed/picoclaw/pkg/logger" "github.com/sipeed/picoclaw/web/backend/api" + "github.com/sipeed/picoclaw/web/backend/dashboardauth" "github.com/sipeed/picoclaw/web/backend/launcherconfig" "github.com/sipeed/picoclaw/web/backend/middleware" "github.com/sipeed/picoclaw/web/backend/utils" @@ -49,8 +50,6 @@ var ( // Includes ?token= for same-machine dashboard login; keep serverAddr without secrets for other use. browserLaunchURL string apiHandler *api.Handler - // launcherDashboardTokenForClipboard is read by the system tray "copy token" action (GUI mode). - launcherDashboardTokenForClipboard string noBrowser *bool ) @@ -66,6 +65,24 @@ func dashboardTokenConfigHelpPath(source launcherconfig.DashboardTokenSource, la return launcherPath } +// maskSecret masks a secret for display. It always shows up to the first 3 +// runes. The last 4 runes are only appended when at least 5 runes remain +// hidden in the middle (i.e. string length >= 12), so an 8-char minimum +// password never exposes its tail. Strings of 3 chars or fewer are fully +// masked. +func maskSecret(s string) string { + runes := []rune(s) + n := len(runes) + const prefixLen, suffixLen, minHidden = 3, 4, 5 + if n < prefixLen+suffixLen+minHidden { + if n <= prefixLen { + return "**********" + } + return string(runes[:prefixLen]) + "**********" + } + return string(runes[:prefixLen]) + "**********" + string(runes[n-suffixLen:]) +} + func main() { port := flag.String("port", "18800", "Port to listen on") public := flag.Bool("public", false, "Listen on all interfaces (0.0.0.0) instead of localhost only") @@ -209,7 +226,15 @@ func main() { logger.Fatalf("Dashboard auth setup failed: %v", dashErr) } dashboardSessionCookie := middleware.SessionCookieValue(dashboardSigningKey, dashboardToken) - launcherDashboardTokenForClipboard = dashboardToken + + // Open the bcrypt password store (creates the DB file on first run). + authStore, authStoreErr := dashboardauth.New(picoHome) + if authStoreErr != nil { + logger.ErrorC("web", fmt.Sprintf("Warning: could not open auth store: %v", authStoreErr)) + authStore = nil + } else { + defer authStore.Close() + } // Determine listen address var addr string @@ -222,20 +247,11 @@ func main() { // Initialize Server components mux := http.NewServeMux() - tokenLogFileAbs := "" - if fileLoggingEnabled { - tokenLogFileAbs = filepath.Join(picoHome, logPath, logFile) - } api.RegisterLauncherAuthRoutes(mux, api.LauncherAuthRouteOpts{ DashboardToken: dashboardToken, SessionCookie: dashboardSessionCookie, - TokenHelp: api.LauncherAuthTokenHelp{ - EnvVarName: "PICOCLAW_LAUNCHER_TOKEN", - LogFileAbs: tokenLogFileAbs, - ConfigFileAbs: dashboardTokenConfigHelpPath(dashboardTokenSource, launcherPath), - TrayCopyMenu: trayOffersDashboardTokenCopy(), - ConsoleStdout: enableConsole, - }, + PasswordStore: authStore, + StoreError: authStoreErr, }) // API Routes (e.g. /api/status) @@ -284,23 +300,23 @@ func main() { fmt.Println() switch dashboardTokenSource { case launcherconfig.DashboardTokenSourceRandom: - fmt.Printf(" Dashboard token (this run): %s\n", dashboardToken) + fmt.Printf(" Dashboard password (this run): %s\n", maskSecret(dashboardToken)) case launcherconfig.DashboardTokenSourceEnv: - fmt.Printf(" Dashboard token: %s (from PICOCLAW_LAUNCHER_TOKEN)\n", dashboardToken) + fmt.Printf(" Dashboard password: from environment variable PICOCLAW_LAUNCHER_TOKEN\n") case launcherconfig.DashboardTokenSourceConfig: - fmt.Printf(" Dashboard token: %s (from %s)\n", dashboardToken, launcherPath) + fmt.Printf(" Dashboard password: configured in %s\n", launcherPath) } fmt.Println() } switch dashboardTokenSource { case launcherconfig.DashboardTokenSourceEnv: - logger.InfoC("web", "Dashboard token: environment PICOCLAW_LAUNCHER_TOKEN") + logger.InfoC("web", "Dashboard password: environment PICOCLAW_LAUNCHER_TOKEN") case launcherconfig.DashboardTokenSourceConfig: - logger.InfoC("web", fmt.Sprintf("Dashboard token: configured in %s", launcherPath)) + logger.InfoC("web", fmt.Sprintf("Dashboard password: configured in %s", launcherPath)) case launcherconfig.DashboardTokenSourceRandom: if !enableConsole { - logger.InfoC("web", "Dashboard token (this run): "+dashboardToken) + logger.InfoC("web", "Dashboard password (this run): "+maskSecret(dashboardToken)) } } diff --git a/web/backend/main_test.go b/web/backend/main_test.go index f69705179..82bf12b40 100644 --- a/web/backend/main_test.go +++ b/web/backend/main_test.go @@ -67,3 +67,31 @@ func TestDashboardTokenConfigHelpPath(t *testing.T) { }) } } + +func TestMaskSecret(t *testing.T) { + tests := []struct { + input string + want string + }{ + // Long token (>=12 chars): first 3 + 10 stars + last 4 + {"sdhjflsjdflksdf", "sdh**********ksdf"}, + {"abcdefghijklmnopqrstuvwxyz", "abc**********wxyz"}, + // Exactly 12 chars (3+4+5 hidden): suffix shown + {"abcdefghijkl", "abc**********ijkl"}, + // 8 chars (minimum password length): suffix NOT shown — only prefix+stars + {"abcdefgh", "abc**********"}, + // 11 chars (one below threshold): suffix NOT shown + {"abcdefghijk", "abc**********"}, + // 4..3 chars: prefix shown, no suffix + {"abcdefg", "abc**********"}, + {"abcd", "abc**********"}, + // <=3 chars: fully masked + {"abc", "**********"}, + {"", "**********"}, + } + for _, tt := range tests { + if got := maskSecret(tt.input); got != tt.want { + t.Errorf("maskSecret(%q) = %q, want %q", tt.input, got, tt.want) + } + } +} diff --git a/web/backend/middleware/launcher_dashboard_auth.go b/web/backend/middleware/launcher_dashboard_auth.go index 7e92fca22..c1c4c19c6 100644 --- a/web/backend/middleware/launcher_dashboard_auth.go +++ b/web/backend/middleware/launcher_dashboard_auth.go @@ -173,6 +173,8 @@ func isPublicLauncherDashboardPath(method, p string) bool { return method == http.MethodPost case "/api/auth/status": return method == http.MethodGet + case "/api/auth/setup": + return method == http.MethodPost } return false } @@ -183,7 +185,7 @@ func isPublicLauncherDashboardStatic(method, p string) bool { if method != http.MethodGet && method != http.MethodHead { return false } - if p == "/launcher-login" { + if p == "/launcher-login" || p == "/launcher-setup" { return true } if strings.HasPrefix(p, "/assets/") { diff --git a/web/backend/systray.go b/web/backend/systray.go index 744ea4611..9dcc025df 100644 --- a/web/backend/systray.go +++ b/web/backend/systray.go @@ -6,7 +6,6 @@ import ( "fmt" "fyne.io/systray" - "github.com/atotto/clipboard" "github.com/sipeed/picoclaw/pkg/logger" "github.com/sipeed/picoclaw/web/backend/utils" @@ -24,7 +23,6 @@ func onReady() { // Create menu items mOpen := systray.AddMenuItem(T(MenuOpen), T(MenuOpenTooltip)) - mCopyTok := systray.AddMenuItem(T(MenuCopyToken), T(MenuCopyTokenHint)) mAbout := systray.AddMenuItem(T(MenuAbout), T(MenuAboutTooltip)) // Add version info under About menu @@ -52,17 +50,6 @@ func onReady() { logger.Errorf("Failed to open browser: %v", err) } - case <-mCopyTok.ClickedCh: - if launcherDashboardTokenForClipboard == "" { - logger.WarnC("web", "Dashboard token is empty; cannot copy") - continue - } - if err := clipboard.WriteAll(launcherDashboardTokenForClipboard); err != nil { - logger.Errorf("Failed to copy dashboard token: %v", err) - } else { - logger.InfoC("web", "Dashboard token copied to clipboard") - } - case <-mVersion.ClickedCh: // Version info - do nothing, just shows current version diff --git a/web/backend/tray_offers_copy.go b/web/backend/tray_offers_copy.go deleted file mode 100644 index 6b7d17412..000000000 --- a/web/backend/tray_offers_copy.go +++ /dev/null @@ -1,5 +0,0 @@ -//go:build (!darwin && !freebsd) || cgo - -package main - -func trayOffersDashboardTokenCopy() bool { return true } diff --git a/web/backend/tray_offers_copy_stub.go b/web/backend/tray_offers_copy_stub.go deleted file mode 100644 index 9312700f3..000000000 --- a/web/backend/tray_offers_copy_stub.go +++ /dev/null @@ -1,5 +0,0 @@ -//go:build (darwin || freebsd) && !cgo - -package main - -func trayOffersDashboardTokenCopy() bool { return false } diff --git a/web/frontend/src/api/http.ts b/web/frontend/src/api/http.ts index 0eb872f3f..347dd9373 100644 --- a/web/frontend/src/api/http.ts +++ b/web/frontend/src/api/http.ts @@ -1,14 +1,14 @@ -import { isLauncherLoginPathname } from "@/lib/launcher-login-path" +import { isLauncherAuthPathname } from "@/lib/launcher-login-path" -function isLauncherLoginPath(): boolean { +function isLauncherAuthPath(): boolean { if (typeof globalThis.location === "undefined") { return false } - if (isLauncherLoginPathname(globalThis.location.pathname || "/")) { + if (isLauncherAuthPathname(globalThis.location.pathname || "/")) { return true } try { - return isLauncherLoginPathname( + return isLauncherAuthPathname( new URL(globalThis.location.href).pathname || "/", ) } catch { @@ -18,7 +18,7 @@ function isLauncherLoginPath(): boolean { /** * Same-origin fetch that sends cookies; redirects to launcher login on 401 JSON responses. - * Skips redirect while already on the login page to avoid reload loops (e.g. gateway poll). + * Skips redirect while already on an auth page (login or setup) to avoid reload loops. */ export async function launcherFetch( input: RequestInfo | URL, @@ -33,7 +33,7 @@ export async function launcherFetch( if ( ct.includes("application/json") && typeof globalThis.location !== "undefined" && - !isLauncherLoginPath() + !isLauncherAuthPath() ) { globalThis.location.assign("/launcher-login") } diff --git a/web/frontend/src/api/launcher-auth.ts b/web/frontend/src/api/launcher-auth.ts index 4ca51993b..ed2e30687 100644 --- a/web/frontend/src/api/launcher-auth.ts +++ b/web/frontend/src/api/launcher-auth.ts @@ -1,30 +1,23 @@ /** - * Dashboard launcher token login. Uses plain fetch (not launcherFetch) to avoid - * redirect loops on 401 while on the login page. + * Dashboard launcher auth API. + * Uses plain fetch (not launcherFetch) to avoid redirect loops on auth pages. */ export async function postLauncherDashboardLogin( - token: string, + password: string, ): Promise { const res = await fetch("/api/auth/login", { method: "POST", headers: { "Content-Type": "application/json" }, credentials: "same-origin", - body: JSON.stringify({ token: token.trim() }), + body: JSON.stringify({ password: password.trim() }), }) return res.ok } -export type LauncherAuthTokenHelp = { - env_var_name: string - log_file?: string - config_file?: string - tray_copy_menu: boolean - console_stdout: boolean -} - export type LauncherAuthStatus = { authenticated: boolean - token_help?: LauncherAuthTokenHelp + /** true when a bcrypt password has been stored in the DB */ + initialized: boolean } export async function getLauncherAuthStatus(): Promise { @@ -47,3 +40,28 @@ export async function postLauncherDashboardLogout(): Promise { }) return res.ok } + +export type SetupResult = + | { ok: true } + | { ok: false; error: string } + +export async function postLauncherDashboardSetup( + password: string, + confirm: string, +): Promise { + const res = await fetch("/api/auth/setup", { + method: "POST", + headers: { "Content-Type": "application/json" }, + credentials: "same-origin", + body: JSON.stringify({ password: password.trim(), confirm: confirm.trim() }), + }) + if (res.ok) return { ok: true } + let msg = "Unknown error" + try { + const j = (await res.json()) as { error?: string } + if (j.error) msg = j.error + } catch { + /* ignore */ + } + return { ok: false, error: msg } +} diff --git a/web/frontend/src/components/app-header.tsx b/web/frontend/src/components/app-header.tsx index fa1b5a488..798ac8ad5 100644 --- a/web/frontend/src/components/app-header.tsx +++ b/web/frontend/src/components/app-header.tsx @@ -2,6 +2,7 @@ import { IconBook, IconLanguage, IconLoader2, + IconLogout, IconMenu2, IconMoon, IconPlayerPlay, @@ -39,6 +40,7 @@ import { } from "@/components/ui/tooltip" import { useGateway } from "@/hooks/use-gateway.ts" import { useTheme } from "@/hooks/use-theme.ts" +import { postLauncherDashboardLogout } from "@/api/launcher-auth" export function AppHeader() { const { i18n, t } = useTranslation() @@ -47,10 +49,12 @@ export function AppHeader() { state: gwState, loading: gwLoading, canStart, + startReason, restartRequired, start, restart, stop, + error: gwError, } = useGateway() const isRunning = gwState === "running" @@ -65,6 +69,12 @@ export function AppHeader() { (gwState === "stopped" || gwState === "error") const [showStopDialog, setShowStopDialog] = React.useState(false) + const [showLogoutDialog, setShowLogoutDialog] = React.useState(false) + + const handleLogout = async () => { + await postLauncherDashboardLogout() + globalThis.location.assign("/launcher-login") + } const handleGatewayToggle = () => { if (gwLoading || isRestarting || isStopping || (!isRunning && !canStart)) { @@ -134,6 +144,23 @@ export function AppHeader() { + + + + {t("header.logout.tooltip")} + + {t("header.logout.description")} + + + + {t("common.cancel")} + void handleLogout()}> + {t("header.logout.confirm")} + + + + +
{restartRequired && ( @@ -171,38 +198,50 @@ export function AppHeader() { - {t("header.gateway.action.stop")} + {gwError ?? t("header.gateway.action.stop")} ) : ( - + + + {/* Wrap in span so the tooltip still fires when the button is disabled */} + + + + + {(gwError || (!canStart && startReason)) ? ( + {gwError ?? startReason} + ) : null} + )} {/* Theme Toggle */} + + + + + {t("header.logout.tooltip")} + + +
+ )} + + + {import.meta.env.DEV ? : null} + + ) } diff --git a/web/frontend/src/routes/launcher-login.tsx b/web/frontend/src/routes/launcher-login.tsx index f5cdd105f..c5626fbb0 100644 --- a/web/frontend/src/routes/launcher-login.tsx +++ b/web/frontend/src/routes/launcher-login.tsx @@ -3,11 +3,7 @@ import { createFileRoute } from "@tanstack/react-router" import * as React from "react" import { useTranslation } from "react-i18next" -import { - type LauncherAuthTokenHelp, - getLauncherAuthStatus, - postLauncherDashboardLogin, -} from "@/api/launcher-auth" +import { postLauncherDashboardLogin, getLauncherAuthStatus } from "@/api/launcher-auth" import { Button } from "@/components/ui/button" import { Card, @@ -32,24 +28,16 @@ function LauncherLoginPage() { const [token, setToken] = React.useState("") const [submitting, setSubmitting] = React.useState(false) const [error, setError] = React.useState("") - const [tokenHelp, setTokenHelp] = - React.useState(null) + // If the password store has never been initialized, go to setup instead. React.useEffect(() => { - let cancelled = false void getLauncherAuthStatus() .then((s) => { - if (cancelled || s.authenticated || !s.token_help) { - return + if (!s.initialized) { + globalThis.location.assign("/launcher-setup") } - setTokenHelp(s.token_help) }) - .catch(() => { - /* ignore; login form still usable */ - }) - return () => { - cancelled = true - } + .catch(() => { /* network error — stay on login page */ }) }, []) const loginWithToken = React.useCallback( @@ -120,17 +108,17 @@ function LauncherLoginPage() {
setToken(e.target.value)} - placeholder={t("launcherLogin.tokenPlaceholder")} + placeholder={t("launcherLogin.passwordPlaceholder")} />
+ + + i18n.changeLanguage("en")}> + English + + i18n.changeLanguage("zh")}> + 简体中文 + + + + + + +
+ + + {t("launcherSetup.title")} + {t("launcherSetup.description")} + + +
+
+ + setPassword(e.target.value)} + placeholder={t("launcherSetup.passwordPlaceholder")} + /> +
+
+ + setConfirm(e.target.value)} + placeholder={t("launcherSetup.confirmPlaceholder")} + /> +
+ + {error ? ( +

+ {error} +

+ ) : null} +
+ + +
+ + ) +} + +export const Route = createFileRoute("/launcher-setup")({ + component: LauncherSetupPage, +}) diff --git a/web/frontend/src/store/gateway.ts b/web/frontend/src/store/gateway.ts index 1bdec6220..5bf6f3897 100644 --- a/web/frontend/src/store/gateway.ts +++ b/web/frontend/src/store/gateway.ts @@ -14,6 +14,7 @@ export type GatewayState = export interface GatewayStoreState { status: GatewayState canStart: boolean + startReason?: string restartRequired: boolean } @@ -57,6 +58,7 @@ function normalizeGatewayStoreState( if ( next.status === prev.status && next.canStart === prev.canStart && + next.startReason === prev.startReason && next.restartRequired === prev.restartRequired ) { return prev @@ -108,7 +110,10 @@ export function applyGatewayStatusToStore( data: Partial< Pick< GatewayStatusResponse, - "gateway_status" | "gateway_start_allowed" | "gateway_restart_required" + | "gateway_status" + | "gateway_start_allowed" + | "gateway_start_reason" + | "gateway_restart_required" > >, ) { @@ -121,6 +126,10 @@ export function applyGatewayStatusToStore( prev.status === "stopping" && data.gateway_status === "running" ? false : (data.gateway_start_allowed ?? prev.canStart), + startReason: + prev.status === "stopping" && data.gateway_status === "running" + ? prev.startReason + : (data.gateway_start_reason ?? prev.startReason), restartRequired: prev.status === "stopping" && data.gateway_status === "running" ? false