mirror of
https://github.com/sipeed/picoclaw.git
synced 2026-06-12 18:08:54 +00:00
sky5454
06023c79fa
* feat(launcher): replace token-in-logs auth with standard HTTP login flow
## Problem
Previously users had to find the one-time token from console logs or
log files to access the dashboard - a non-standard, error-prone workflow
with no clear path for changing credentials.
## Solution: standard HTTP API login with bcrypt-backed password store
### Auth flow (new)
1. First run: browser opens, session guard detects uninitialized state,
redirects to /launcher-setup
2. User sets a password (min 8 chars) via POST /api/auth/setup {password, confirm},
bcrypt(cost=12) hash stored in ~/.picoclaw/launcher-auth.db (SQLite)
3. Subsequent logins: POST /api/auth/login {password}, HttpOnly cookie
picoclaw_launcher_auth (HMAC-SHA256 signed, 7-day expiry)
4. 401 on any API call, frontend redirects to /launcher-login
5. Logout: POST /api/auth/logout, cookie cleared, redirect to login
### Backend changes
- web/backend/api/auth.go: renamed Token to Password; added handleSetup;
launcherAuthStatusResponse now includes Initialized bool; PasswordStore
interface wires bcrypt store into handlers
- web/backend/dashboardauth/: new package - Store with New(dir) / Open(path);
SetPassword (bcrypt cost=12), VerifyPassword, IsInitialized
- sql.go: all DB-layer constants (DBFilename, sqliteDriver, bcryptCost,
four SQL query strings) - compile-time constants, zero runtime overhead
- web/backend/middleware/launcher_dashboard_auth.go: /launcher-setup and
/api/auth/setup added to public paths
- web/backend/main.go:
- dashboardauth.New(picoHome) replaces manual path construction
- maskSecret(): suffix only revealed when >=5 chars hidden (length >= 12),
preventing 8-char minimum passwords from leaking their tail
- web/backend/main_test.go: TestMaskSecret updated with boundary cases
### Forward-compatibility: pkg/credential integration
If the dashboard password is later reused as the enc:// passphrase,
the bcrypt hash in launcher-auth.db becomes an offline oracle.
Recommended mitigation (not yet implemented): derive two independent
subkeys via HKDF before use:
bcrypt(HKDF(password, info="picoclaw-dashboard-login-v1")) stored in DB
HKDF(password, info="picoclaw-credential-enc-v1") passed to PassphraseProvider
This isolates the two domains: cracking the bcrypt hash yields only the
login subkey, which is computationally independent of the enc:// subkey.
* fix(auth): replace wastedassign ok := false with var ok bool
* refactor(tray): remove copy-token clipboard feature
Dashboard login now uses standard web auth (bcrypt + session cookie).
The system tray 'Copy dashboard token' menu item is no longer needed.
- Delete tray_offers_copy.go and tray_offers_copy_stub.go
- Remove mCopyTok menu item and clipboard handler from systray.go
- Remove launcherDashboardTokenForClipboard var from main.go
- Remove MenuCopyToken/MenuCopyTokenHint keys from i18n.go
* feat(launcher-ui): standard HTTP login/setup/logout flow for dashboard
Replaces the previous "find token in logs" workflow with a proper
browser-based authentication UI backed by the new /api/auth/* endpoints.
### New pages
- /launcher-setup: first-run password initialization form (password +
confirm, min 8 chars); calls POST /api/auth/setup; redirects to login
on success
- /launcher-login: standard password login form; calls POST /api/auth/login;
sets HttpOnly session cookie on success
### Session guard (src/routes/__root.tsx)
A useEffect on every non-auth page load calls GET /api/auth/status:
- initialized=false -> redirect to /launcher-setup
- authenticated=false -> redirect to /launcher-login
This ensures the setup/login UI is shown even when the ?token= URL
mechanism auto-logs in (first-run case).
### Logout button (src/components/app-header.tsx)
IconLogout button added to the header with a confirm AlertDialog;
calls POST /api/auth/logout then redirects to /launcher-login.
### API layer
- src/api/launcher-auth.ts: LauncherAuthStatus gains initialized bool;
postLauncherDashboardSetup() added; LauncherAuthTokenHelp removed
- src/api/http.ts: 401 guard uses isLauncherAuthPathname() (covers both
/launcher-login and /launcher-setup) to prevent redirect loops
- src/lib/launcher-login-path.ts: isLauncherSetupPathname() and
isLauncherAuthPathname() added
### Routing
- src/routeTree.gen.ts: /launcher-setup route registered throughout
- src/routes/launcher-login.tsx: tokenHelp UI removed; useEffect added
to redirect to setup when initialized=false
### i18n
- en.json / zh.json: launcherSetup block added; launcherLogin keys
updated to use passwordLabel/passwordPlaceholder
* fix(lint): ts lint fixed 1
* fix(auth): detail auth error handle
* fix(login): frontend web auth error handle
* fix(frontend): auth error handler 5xx
98 lines
2.6 KiB
Go
98 lines
2.6 KiB
Go
package main
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/sipeed/picoclaw/web/backend/launcherconfig"
|
|
)
|
|
|
|
func TestShouldEnableLauncherFileLogging(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
enableConsole bool
|
|
debug bool
|
|
want bool
|
|
}{
|
|
{name: "gui mode", enableConsole: false, debug: false, want: true},
|
|
{name: "console mode", enableConsole: true, debug: false, want: false},
|
|
{name: "debug gui mode", enableConsole: false, debug: true, want: true},
|
|
{name: "debug console mode", enableConsole: true, debug: true, want: true},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := shouldEnableLauncherFileLogging(tt.enableConsole, tt.debug); got != tt.want {
|
|
t.Fatalf(
|
|
"shouldEnableLauncherFileLogging(%t, %t) = %t, want %t",
|
|
tt.enableConsole,
|
|
tt.debug,
|
|
got,
|
|
tt.want,
|
|
)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDashboardTokenConfigHelpPath(t *testing.T) {
|
|
const launcherPath = "/tmp/launcher-config.json"
|
|
|
|
tests := []struct {
|
|
name string
|
|
source launcherconfig.DashboardTokenSource
|
|
want string
|
|
}{
|
|
{
|
|
name: "env token does not expose config path",
|
|
source: launcherconfig.DashboardTokenSourceEnv,
|
|
want: "",
|
|
},
|
|
{
|
|
name: "config token exposes config path",
|
|
source: launcherconfig.DashboardTokenSourceConfig,
|
|
want: launcherPath,
|
|
},
|
|
{
|
|
name: "random token does not expose config path",
|
|
source: launcherconfig.DashboardTokenSourceRandom,
|
|
want: "",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := dashboardTokenConfigHelpPath(tt.source, launcherPath); got != tt.want {
|
|
t.Fatalf("dashboardTokenConfigHelpPath(%q, %q) = %q, want %q", tt.source, launcherPath, got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestMaskSecret(t *testing.T) {
|
|
tests := []struct {
|
|
input string
|
|
want string
|
|
}{
|
|
// Long token (>=12 chars): first 3 + 10 stars + last 4
|
|
{"sdhjflsjdflksdf", "sdh**********ksdf"},
|
|
{"abcdefghijklmnopqrstuvwxyz", "abc**********wxyz"},
|
|
// Exactly 12 chars (3+4+5 hidden): suffix shown
|
|
{"abcdefghijkl", "abc**********ijkl"},
|
|
// 8 chars (minimum password length): suffix NOT shown — only prefix+stars
|
|
{"abcdefgh", "abc**********"},
|
|
// 11 chars (one below threshold): suffix NOT shown
|
|
{"abcdefghijk", "abc**********"},
|
|
// 4..3 chars: prefix shown, no suffix
|
|
{"abcdefg", "abc**********"},
|
|
{"abcd", "abc**********"},
|
|
// <=3 chars: fully masked
|
|
{"abc", "**********"},
|
|
{"", "**********"},
|
|
}
|
|
for _, tt := range tests {
|
|
if got := maskSecret(tt.input); got != tt.want {
|
|
t.Errorf("maskSecret(%q) = %q, want %q", tt.input, got, tt.want)
|
|
}
|
|
}
|
|
}
|