mirror of
https://github.com/sipeed/picoclaw.git
synced 2026-06-12 18:08:54 +00:00
sky5454
06023c79fa
* feat(launcher): replace token-in-logs auth with standard HTTP login flow
## Problem
Previously users had to find the one-time token from console logs or
log files to access the dashboard - a non-standard, error-prone workflow
with no clear path for changing credentials.
## Solution: standard HTTP API login with bcrypt-backed password store
### Auth flow (new)
1. First run: browser opens, session guard detects uninitialized state,
redirects to /launcher-setup
2. User sets a password (min 8 chars) via POST /api/auth/setup {password, confirm},
bcrypt(cost=12) hash stored in ~/.picoclaw/launcher-auth.db (SQLite)
3. Subsequent logins: POST /api/auth/login {password}, HttpOnly cookie
picoclaw_launcher_auth (HMAC-SHA256 signed, 7-day expiry)
4. 401 on any API call, frontend redirects to /launcher-login
5. Logout: POST /api/auth/logout, cookie cleared, redirect to login
### Backend changes
- web/backend/api/auth.go: renamed Token to Password; added handleSetup;
launcherAuthStatusResponse now includes Initialized bool; PasswordStore
interface wires bcrypt store into handlers
- web/backend/dashboardauth/: new package - Store with New(dir) / Open(path);
SetPassword (bcrypt cost=12), VerifyPassword, IsInitialized
- sql.go: all DB-layer constants (DBFilename, sqliteDriver, bcryptCost,
four SQL query strings) - compile-time constants, zero runtime overhead
- web/backend/middleware/launcher_dashboard_auth.go: /launcher-setup and
/api/auth/setup added to public paths
- web/backend/main.go:
- dashboardauth.New(picoHome) replaces manual path construction
- maskSecret(): suffix only revealed when >=5 chars hidden (length >= 12),
preventing 8-char minimum passwords from leaking their tail
- web/backend/main_test.go: TestMaskSecret updated with boundary cases
### Forward-compatibility: pkg/credential integration
If the dashboard password is later reused as the enc:// passphrase,
the bcrypt hash in launcher-auth.db becomes an offline oracle.
Recommended mitigation (not yet implemented): derive two independent
subkeys via HKDF before use:
bcrypt(HKDF(password, info="picoclaw-dashboard-login-v1")) stored in DB
HKDF(password, info="picoclaw-credential-enc-v1") passed to PassphraseProvider
This isolates the two domains: cracking the bcrypt hash yields only the
login subkey, which is computationally independent of the enc:// subkey.
* fix(auth): replace wastedassign ok := false with var ok bool
* refactor(tray): remove copy-token clipboard feature
Dashboard login now uses standard web auth (bcrypt + session cookie).
The system tray 'Copy dashboard token' menu item is no longer needed.
- Delete tray_offers_copy.go and tray_offers_copy_stub.go
- Remove mCopyTok menu item and clipboard handler from systray.go
- Remove launcherDashboardTokenForClipboard var from main.go
- Remove MenuCopyToken/MenuCopyTokenHint keys from i18n.go
* feat(launcher-ui): standard HTTP login/setup/logout flow for dashboard
Replaces the previous "find token in logs" workflow with a proper
browser-based authentication UI backed by the new /api/auth/* endpoints.
### New pages
- /launcher-setup: first-run password initialization form (password +
confirm, min 8 chars); calls POST /api/auth/setup; redirects to login
on success
- /launcher-login: standard password login form; calls POST /api/auth/login;
sets HttpOnly session cookie on success
### Session guard (src/routes/__root.tsx)
A useEffect on every non-auth page load calls GET /api/auth/status:
- initialized=false -> redirect to /launcher-setup
- authenticated=false -> redirect to /launcher-login
This ensures the setup/login UI is shown even when the ?token= URL
mechanism auto-logs in (first-run case).
### Logout button (src/components/app-header.tsx)
IconLogout button added to the header with a confirm AlertDialog;
calls POST /api/auth/logout then redirects to /launcher-login.
### API layer
- src/api/launcher-auth.ts: LauncherAuthStatus gains initialized bool;
postLauncherDashboardSetup() added; LauncherAuthTokenHelp removed
- src/api/http.ts: 401 guard uses isLauncherAuthPathname() (covers both
/launcher-login and /launcher-setup) to prevent redirect loops
- src/lib/launcher-login-path.ts: isLauncherSetupPathname() and
isLauncherAuthPathname() added
### Routing
- src/routeTree.gen.ts: /launcher-setup route registered throughout
- src/routes/launcher-login.tsx: tokenHelp UI removed; useEffect added
to redirect to setup when initialized=false
### i18n
- en.json / zh.json: launcherSetup block added; launcherLogin keys
updated to use passwordLabel/passwordPlaceholder
* fix(lint): ts lint fixed 1
* fix(auth): detail auth error handle
* fix(login): frontend web auth error handle
* fix(frontend): auth error handler 5xx
287 lines
9.1 KiB
Go
287 lines
9.1 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"crypto/subtle"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/sipeed/picoclaw/web/backend/middleware"
|
|
)
|
|
|
|
// PasswordStore is the interface for bcrypt-backed dashboard password persistence.
|
|
// Implemented by dashboardauth.Store; a nil value falls back to the legacy
|
|
// static-token comparison.
|
|
type PasswordStore interface {
|
|
IsInitialized(ctx context.Context) (bool, error)
|
|
SetPassword(ctx context.Context, plain string) error
|
|
VerifyPassword(ctx context.Context, plain string) (bool, error)
|
|
}
|
|
|
|
// LauncherAuthRouteOpts configures dashboard auth handlers.
|
|
type LauncherAuthRouteOpts struct {
|
|
// DashboardToken is the fallback plaintext token used when PasswordStore is
|
|
// nil or not yet initialized (env-var / config-file source, and ?token= auto-login).
|
|
DashboardToken string
|
|
SessionCookie string
|
|
SecureCookie func(*http.Request) bool
|
|
// PasswordStore enables bcrypt-backed password persistence. When non-nil and
|
|
// initialized, web-form login verifies against the stored hash instead of
|
|
// the plaintext DashboardToken.
|
|
PasswordStore PasswordStore
|
|
// StoreError holds the error returned when opening the password store. When
|
|
// non-nil and PasswordStore is nil, the auth endpoints surface a recovery
|
|
// message instead of an opaque 501/503.
|
|
StoreError error
|
|
}
|
|
|
|
type launcherAuthLoginBody struct {
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
type launcherAuthSetupBody struct {
|
|
Password string `json:"password"`
|
|
Confirm string `json:"confirm"`
|
|
}
|
|
|
|
type launcherAuthStatusResponse struct {
|
|
Authenticated bool `json:"authenticated"`
|
|
Initialized bool `json:"initialized"`
|
|
}
|
|
|
|
// RegisterLauncherAuthRoutes registers /api/auth/login|logout|status|setup.
|
|
func RegisterLauncherAuthRoutes(mux *http.ServeMux, opts LauncherAuthRouteOpts) {
|
|
secure := opts.SecureCookie
|
|
if secure == nil {
|
|
secure = middleware.DefaultLauncherDashboardSecureCookie
|
|
}
|
|
h := &launcherAuthHandlers{
|
|
token: opts.DashboardToken,
|
|
sessionCookie: opts.SessionCookie,
|
|
secureCookie: secure,
|
|
store: opts.PasswordStore,
|
|
storeErr: opts.StoreError,
|
|
loginLimit: newLoginRateLimiter(),
|
|
}
|
|
mux.HandleFunc("POST /api/auth/login", h.handleLogin)
|
|
mux.HandleFunc("POST /api/auth/logout", h.handleLogout)
|
|
mux.HandleFunc("GET /api/auth/status", h.handleStatus)
|
|
mux.HandleFunc("POST /api/auth/setup", h.handleSetup)
|
|
}
|
|
|
|
type launcherAuthHandlers struct {
|
|
token string
|
|
sessionCookie string
|
|
secureCookie func(*http.Request) bool
|
|
store PasswordStore
|
|
storeErr error // set when the store failed to open; drives recovery messages
|
|
loginLimit *loginRateLimiter
|
|
}
|
|
|
|
// isStoreInitialized safely queries the store.
|
|
// Returns (false, nil) when no store is configured (storeErr also nil).
|
|
// Returns (false, err) on store errors — callers must treat this as a 5xx, not as
|
|
// "uninitialized", to keep auth fail-closed.
|
|
// Exception: handleLogin swallows storeErr and falls back to token auth so
|
|
// that a corrupt DB does not lock out all access.
|
|
func (h *launcherAuthHandlers) isStoreInitialized(ctx context.Context) (bool, error) {
|
|
if h.store == nil {
|
|
if h.storeErr != nil {
|
|
return false, fmt.Errorf(
|
|
"password store unavailable (%w); "+
|
|
"to recover, stop the application, delete the database file and restart ",
|
|
h.storeErr)
|
|
}
|
|
return false, nil
|
|
}
|
|
return h.store.IsInitialized(ctx)
|
|
}
|
|
|
|
func (h *launcherAuthHandlers) handleLogin(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
var body launcherAuthLoginBody
|
|
if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&body); err != nil {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"invalid JSON"}`))
|
|
return
|
|
}
|
|
ip := clientIPForLimiter(r)
|
|
if !h.loginLimit.allow(ip) {
|
|
w.WriteHeader(http.StatusTooManyRequests)
|
|
_, _ = w.Write([]byte(`{"error":"too many login attempts"}`))
|
|
return
|
|
}
|
|
in := strings.TrimSpace(body.Password)
|
|
var ok bool
|
|
|
|
initialized, initErr := h.isStoreInitialized(r.Context())
|
|
if initErr != nil {
|
|
if h.storeErr != nil {
|
|
// Store failed to open at startup — token login remains available.
|
|
initialized = false
|
|
} else {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
writeErrorf(w, "%v", initErr)
|
|
return
|
|
}
|
|
}
|
|
|
|
if initialized {
|
|
// Bcrypt path: verify against the stored hash.
|
|
var err error
|
|
ok, err = h.store.VerifyPassword(r.Context(), in)
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
writeErrorf(w, "password verification failed: %v", err)
|
|
return
|
|
}
|
|
} else {
|
|
// Fallback: constant-time compare against the plaintext token.
|
|
ok = len(in) == len(h.token) &&
|
|
subtle.ConstantTimeCompare([]byte(in), []byte(h.token)) == 1
|
|
}
|
|
|
|
if !ok {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
_, _ = w.Write([]byte(`{"error":"invalid password"}`))
|
|
return
|
|
}
|
|
|
|
middleware.SetLauncherDashboardSessionCookie(w, r, h.sessionCookie, h.secureCookie)
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"ok"}`))
|
|
}
|
|
|
|
func (h *launcherAuthHandlers) handleLogout(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
if r.Method != http.MethodPost {
|
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
|
_, _ = w.Write([]byte(`{"error":"method not allowed"}`))
|
|
return
|
|
}
|
|
ct := strings.ToLower(strings.TrimSpace(r.Header.Get("Content-Type")))
|
|
if !strings.HasPrefix(ct, "application/json") {
|
|
w.WriteHeader(http.StatusUnsupportedMediaType)
|
|
_, _ = w.Write([]byte(`{"error":"Content-Type must be application/json"}`))
|
|
return
|
|
}
|
|
dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, logoutBodyMaxBytes))
|
|
if err := dec.Decode(&struct{}{}); err != nil && err != io.EOF {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"invalid JSON body"}`))
|
|
return
|
|
}
|
|
if err := dec.Decode(&struct{}{}); err != io.EOF {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"invalid JSON body"}`))
|
|
return
|
|
}
|
|
|
|
middleware.ClearLauncherDashboardSessionCookie(w, r, h.secureCookie)
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"ok"}`))
|
|
}
|
|
|
|
func (h *launcherAuthHandlers) handleStatus(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
authed := false
|
|
if c, err := r.Cookie(middleware.LauncherDashboardCookieName); err == nil {
|
|
authed = subtle.ConstantTimeCompare([]byte(c.Value), []byte(h.sessionCookie)) == 1
|
|
}
|
|
initialized, initErr := h.isStoreInitialized(r.Context())
|
|
if initErr != nil {
|
|
w.WriteHeader(http.StatusServiceUnavailable)
|
|
writeErrorf(w, "%v", initErr)
|
|
return
|
|
}
|
|
resp := launcherAuthStatusResponse{
|
|
Authenticated: authed,
|
|
Initialized: initialized,
|
|
}
|
|
enc, err := json.Marshal(resp)
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
writeErrorf(w, "marshal response failed: %v", err)
|
|
return
|
|
}
|
|
_, _ = w.Write(enc)
|
|
}
|
|
|
|
// handleSetup sets or changes the dashboard password.
|
|
//
|
|
// Rules:
|
|
// - If the store has no password yet, the endpoint is open (no session required).
|
|
// - If a password is already set, the caller must hold a valid session cookie.
|
|
func (h *launcherAuthHandlers) handleSetup(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
if h.store == nil {
|
|
w.WriteHeader(http.StatusNotImplemented)
|
|
_, _ = w.Write([]byte(`{"error":"password store not configured"}`))
|
|
return
|
|
}
|
|
|
|
initialized, initErr := h.isStoreInitialized(r.Context())
|
|
if initErr != nil {
|
|
w.WriteHeader(http.StatusServiceUnavailable)
|
|
writeErrorf(w, "%v", initErr)
|
|
return
|
|
}
|
|
|
|
// If already initialized, require an active session (change-password flow).
|
|
if initialized {
|
|
authed := false
|
|
if c, err := r.Cookie(middleware.LauncherDashboardCookieName); err == nil {
|
|
authed = subtle.ConstantTimeCompare([]byte(c.Value), []byte(h.sessionCookie)) == 1
|
|
}
|
|
if !authed {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
_, _ = w.Write([]byte(`{"error":"must be authenticated to change password"}`))
|
|
return
|
|
}
|
|
}
|
|
|
|
var body launcherAuthSetupBody
|
|
if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&body); err != nil {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"invalid JSON"}`))
|
|
return
|
|
}
|
|
|
|
pw := strings.TrimSpace(body.Password)
|
|
if pw == "" {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"password must not be empty"}`))
|
|
return
|
|
}
|
|
if pw != strings.TrimSpace(body.Confirm) {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"passwords do not match"}`))
|
|
return
|
|
}
|
|
if len([]rune(pw)) < 8 {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"error":"password must be at least 8 characters"}`))
|
|
return
|
|
}
|
|
|
|
if err := h.store.SetPassword(r.Context(), pw); err != nil {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
writeErrorf(w, "failed to save password: %v", err)
|
|
return
|
|
}
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"ok"}`))
|
|
}
|
|
|
|
// writeErrorf writes a JSON error response with a formatted message.
|
|
// json.Marshal is used to safely escape the message string.
|
|
func writeErrorf(w http.ResponseWriter, format string, args ...any) {
|
|
msg, _ := json.Marshal(fmt.Sprintf(format, args...))
|
|
_, _ = w.Write([]byte(`{"error":` + string(msg) + `}`))
|
|
}
|