mirror of
https://github.com/sipeed/picoclaw.git
synced 2026-06-12 18:08:54 +00:00
sky5454
06023c79fa
* feat(launcher): replace token-in-logs auth with standard HTTP login flow
## Problem
Previously users had to find the one-time token from console logs or
log files to access the dashboard - a non-standard, error-prone workflow
with no clear path for changing credentials.
## Solution: standard HTTP API login with bcrypt-backed password store
### Auth flow (new)
1. First run: browser opens, session guard detects uninitialized state,
redirects to /launcher-setup
2. User sets a password (min 8 chars) via POST /api/auth/setup {password, confirm},
bcrypt(cost=12) hash stored in ~/.picoclaw/launcher-auth.db (SQLite)
3. Subsequent logins: POST /api/auth/login {password}, HttpOnly cookie
picoclaw_launcher_auth (HMAC-SHA256 signed, 7-day expiry)
4. 401 on any API call, frontend redirects to /launcher-login
5. Logout: POST /api/auth/logout, cookie cleared, redirect to login
### Backend changes
- web/backend/api/auth.go: renamed Token to Password; added handleSetup;
launcherAuthStatusResponse now includes Initialized bool; PasswordStore
interface wires bcrypt store into handlers
- web/backend/dashboardauth/: new package - Store with New(dir) / Open(path);
SetPassword (bcrypt cost=12), VerifyPassword, IsInitialized
- sql.go: all DB-layer constants (DBFilename, sqliteDriver, bcryptCost,
four SQL query strings) - compile-time constants, zero runtime overhead
- web/backend/middleware/launcher_dashboard_auth.go: /launcher-setup and
/api/auth/setup added to public paths
- web/backend/main.go:
- dashboardauth.New(picoHome) replaces manual path construction
- maskSecret(): suffix only revealed when >=5 chars hidden (length >= 12),
preventing 8-char minimum passwords from leaking their tail
- web/backend/main_test.go: TestMaskSecret updated with boundary cases
### Forward-compatibility: pkg/credential integration
If the dashboard password is later reused as the enc:// passphrase,
the bcrypt hash in launcher-auth.db becomes an offline oracle.
Recommended mitigation (not yet implemented): derive two independent
subkeys via HKDF before use:
bcrypt(HKDF(password, info="picoclaw-dashboard-login-v1")) stored in DB
HKDF(password, info="picoclaw-credential-enc-v1") passed to PassphraseProvider
This isolates the two domains: cracking the bcrypt hash yields only the
login subkey, which is computationally independent of the enc:// subkey.
* fix(auth): replace wastedassign ok := false with var ok bool
* refactor(tray): remove copy-token clipboard feature
Dashboard login now uses standard web auth (bcrypt + session cookie).
The system tray 'Copy dashboard token' menu item is no longer needed.
- Delete tray_offers_copy.go and tray_offers_copy_stub.go
- Remove mCopyTok menu item and clipboard handler from systray.go
- Remove launcherDashboardTokenForClipboard var from main.go
- Remove MenuCopyToken/MenuCopyTokenHint keys from i18n.go
* feat(launcher-ui): standard HTTP login/setup/logout flow for dashboard
Replaces the previous "find token in logs" workflow with a proper
browser-based authentication UI backed by the new /api/auth/* endpoints.
### New pages
- /launcher-setup: first-run password initialization form (password +
confirm, min 8 chars); calls POST /api/auth/setup; redirects to login
on success
- /launcher-login: standard password login form; calls POST /api/auth/login;
sets HttpOnly session cookie on success
### Session guard (src/routes/__root.tsx)
A useEffect on every non-auth page load calls GET /api/auth/status:
- initialized=false -> redirect to /launcher-setup
- authenticated=false -> redirect to /launcher-login
This ensures the setup/login UI is shown even when the ?token= URL
mechanism auto-logs in (first-run case).
### Logout button (src/components/app-header.tsx)
IconLogout button added to the header with a confirm AlertDialog;
calls POST /api/auth/logout then redirects to /launcher-login.
### API layer
- src/api/launcher-auth.ts: LauncherAuthStatus gains initialized bool;
postLauncherDashboardSetup() added; LauncherAuthTokenHelp removed
- src/api/http.ts: 401 guard uses isLauncherAuthPathname() (covers both
/launcher-login and /launcher-setup) to prevent redirect loops
- src/lib/launcher-login-path.ts: isLauncherSetupPathname() and
isLauncherAuthPathname() added
### Routing
- src/routeTree.gen.ts: /launcher-setup route registered throughout
- src/routes/launcher-login.tsx: tokenHelp UI removed; useEffect added
to redirect to setup when initialized=false
### i18n
- en.json / zh.json: launcherSetup block added; launcherLogin keys
updated to use passwordLabel/passwordPlaceholder
* fix(lint): ts lint fixed 1
* fix(auth): detail auth error handle
* fix(login): frontend web auth error handle
* fix(frontend): auth error handler 5xx
229 lines
6.6 KiB
Go
229 lines
6.6 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"crypto/subtle"
|
|
"encoding/hex"
|
|
"net/http"
|
|
"path"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// LauncherDashboardCookieName is the HttpOnly cookie set after a successful token login.
|
|
const LauncherDashboardCookieName = "picoclaw_launcher_auth"
|
|
|
|
// launcherDashboardSessionMaxAgeSec is the session cookie lifetime (7 days).
|
|
const launcherDashboardSessionMaxAgeSec = 7 * 24 * 3600
|
|
|
|
const launcherSessionMACLabel = "picoclaw-launcher-v1"
|
|
|
|
// SessionCookieValue is the expected cookie value for the given signing key and dashboard token.
|
|
func SessionCookieValue(signingKey []byte, dashboardToken string) string {
|
|
mac := hmac.New(sha256.New, signingKey)
|
|
_, _ = mac.Write([]byte(launcherSessionMACLabel))
|
|
_, _ = mac.Write([]byte{0})
|
|
_, _ = mac.Write([]byte(dashboardToken))
|
|
return hex.EncodeToString(mac.Sum(nil))
|
|
}
|
|
|
|
// LauncherDashboardAuthConfig holds runtime material for dashboard access checks.
|
|
type LauncherDashboardAuthConfig struct {
|
|
ExpectedCookie string
|
|
Token string
|
|
// SecureCookie sets the session cookie's Secure flag. If nil, DefaultLauncherDashboardSecureCookie is used.
|
|
SecureCookie func(*http.Request) bool
|
|
}
|
|
|
|
// DefaultLauncherDashboardSecureCookie mirrors typical production HTTPS detection (TLS or X-Forwarded-Proto).
|
|
func DefaultLauncherDashboardSecureCookie(r *http.Request) bool {
|
|
if r.TLS != nil {
|
|
return true
|
|
}
|
|
return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
|
|
}
|
|
|
|
// SetLauncherDashboardSessionCookie writes the HttpOnly session cookie after successful dashboard token login.
|
|
func SetLauncherDashboardSessionCookie(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
sessionValue string,
|
|
secure func(*http.Request) bool,
|
|
) {
|
|
if secure == nil {
|
|
secure = DefaultLauncherDashboardSecureCookie
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: LauncherDashboardCookieName,
|
|
Value: sessionValue,
|
|
Path: "/",
|
|
MaxAge: launcherDashboardSessionMaxAgeSec,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
Secure: secure(r),
|
|
})
|
|
}
|
|
|
|
// ClearLauncherDashboardSessionCookie clears the dashboard session (e.g. logout).
|
|
func ClearLauncherDashboardSessionCookie(w http.ResponseWriter, r *http.Request, secure func(*http.Request) bool) {
|
|
if secure == nil {
|
|
secure = DefaultLauncherDashboardSecureCookie
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: LauncherDashboardCookieName,
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
Secure: secure(r),
|
|
Expires: time.Unix(0, 0),
|
|
})
|
|
}
|
|
|
|
// LauncherDashboardAuth requires a valid session cookie or Authorization: Bearer <token>
|
|
// before calling next. Public paths are login page and /api/auth/* handlers.
|
|
func LauncherDashboardAuth(cfg LauncherDashboardAuthConfig, next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
p := canonicalAuthPath(r.URL.Path)
|
|
if handled := tryLauncherQueryTokenLogin(w, r, p, cfg); handled {
|
|
return
|
|
}
|
|
if isPublicLauncherDashboardPath(r.Method, p) {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
if validLauncherDashboardAuth(r, cfg) {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
rejectLauncherDashboardAuth(w, r, p)
|
|
})
|
|
}
|
|
|
|
// canonicalAuthPath matches path cleaning used for routing decisions so
|
|
// prefixes like /assets/../ cannot bypass auth (CVE-class traversal).
|
|
|
|
// tryLauncherQueryTokenLogin validates ?token= on GET only (non-/api), sets the session
|
|
// cookie when correct, and redirects with 303 so the follow-up is a plain GET without side effects.
|
|
// Invalid token is rejected like any other unauthenticated browser request.
|
|
func tryLauncherQueryTokenLogin(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
canonicalPath string,
|
|
cfg LauncherDashboardAuthConfig,
|
|
) bool {
|
|
if r.Method != http.MethodGet {
|
|
return false
|
|
}
|
|
if canonicalPath == "/api" || strings.HasPrefix(canonicalPath, "/api/") {
|
|
return false
|
|
}
|
|
qToken := strings.TrimSpace(r.URL.Query().Get("token"))
|
|
if qToken == "" {
|
|
return false
|
|
}
|
|
if len(qToken) != len(cfg.Token) || subtle.ConstantTimeCompare([]byte(qToken), []byte(cfg.Token)) != 1 {
|
|
rejectLauncherDashboardAuth(w, r, canonicalPath)
|
|
return true
|
|
}
|
|
SetLauncherDashboardSessionCookie(w, r, cfg.ExpectedCookie, cfg.SecureCookie)
|
|
http.Redirect(w, r, redirectAfterQueryTokenLogin(r, canonicalPath), http.StatusSeeOther)
|
|
return true
|
|
}
|
|
|
|
func redirectAfterQueryTokenLogin(r *http.Request, canonicalPath string) string {
|
|
if canonicalPath == "/launcher-login" {
|
|
return "/"
|
|
}
|
|
q := r.URL.Query()
|
|
q.Del("token")
|
|
enc := q.Encode()
|
|
if enc != "" {
|
|
return canonicalPath + "?" + enc
|
|
}
|
|
return canonicalPath
|
|
}
|
|
|
|
func canonicalAuthPath(raw string) string {
|
|
if raw == "" {
|
|
return "/"
|
|
}
|
|
c := path.Clean(raw)
|
|
switch c {
|
|
case ".", "":
|
|
return "/"
|
|
default:
|
|
if c[0] != '/' {
|
|
return "/" + c
|
|
}
|
|
return c
|
|
}
|
|
}
|
|
|
|
func isPublicLauncherDashboardPath(method, p string) bool {
|
|
if isPublicLauncherDashboardStatic(method, p) {
|
|
return true
|
|
}
|
|
switch p {
|
|
case "/api/auth/login":
|
|
return method == http.MethodPost
|
|
case "/api/auth/logout":
|
|
return method == http.MethodPost
|
|
case "/api/auth/status":
|
|
return method == http.MethodGet
|
|
case "/api/auth/setup":
|
|
return method == http.MethodPost
|
|
}
|
|
return false
|
|
}
|
|
|
|
// isPublicLauncherDashboardStatic allows the SPA login route and embedded
|
|
// frontend assets without a session (GET/HEAD only).
|
|
func isPublicLauncherDashboardStatic(method, p string) bool {
|
|
if method != http.MethodGet && method != http.MethodHead {
|
|
return false
|
|
}
|
|
if p == "/launcher-login" || p == "/launcher-setup" {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(p, "/assets/") {
|
|
return true
|
|
}
|
|
switch p {
|
|
case "/favicon.ico", "/favicon.svg", "/favicon-96x96.png",
|
|
"/apple-touch-icon.png", "/site.webmanifest", "/robots.txt":
|
|
return true
|
|
default:
|
|
return false
|
|
}
|
|
}
|
|
|
|
func validLauncherDashboardAuth(r *http.Request, cfg LauncherDashboardAuthConfig) bool {
|
|
if c, err := r.Cookie(LauncherDashboardCookieName); err == nil {
|
|
if subtle.ConstantTimeCompare([]byte(c.Value), []byte(cfg.ExpectedCookie)) == 1 {
|
|
return true
|
|
}
|
|
}
|
|
auth := r.Header.Get("Authorization")
|
|
const prefix = "Bearer "
|
|
if strings.HasPrefix(auth, prefix) {
|
|
token := strings.TrimSpace(auth[len(prefix):])
|
|
if len(token) == len(cfg.Token) && subtle.ConstantTimeCompare([]byte(token), []byte(cfg.Token)) == 1 {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func rejectLauncherDashboardAuth(w http.ResponseWriter, r *http.Request, canonicalPath string) {
|
|
if strings.HasPrefix(canonicalPath, "/api/") {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
_, _ = w.Write([]byte(`{"error":"unauthorized"}`))
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/launcher-login", http.StatusFound)
|
|
}
|