dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity
Files
8ec22b217710758a06bc4cc4c36e926f3ea02411
Termix/src/backend/database/routes/users.ts
Luke Gustafson 8ec22b2177 v1.8.0 (#429) 
* Dev 1.8.0 (#399)

* Feature request: Add delete confirmation dialog to file manager (#344)

* Feature request: Add delete confirmation dialog to file manager

- Added confirmation dialog before deleting files/folders
- Users must confirm deletion with a warning message
- Works for both Delete key and right-click delete
- Shows different messages for single file, folder, or multiple items
- Includes permanent deletion warning
- Follows existing design patterns using confirmWithToast

* Adds confirmation for deletion of items including folders

Updates the file deletion confirmation logic to distinguish between
deleting multiple items with or without folders. Introduces a new
translation string for a clearer user prompt when folders and their
contents are included in the deletion.

Improves clarity and reduces user error when performing bulk deletions.

* feat: Add Chinese translations for delete confirmation messages

* Adds camelCase support for encrypted field mappings (#342)

Extends encrypted field mappings to include camelCase variants
to support consistency and compatibility with different naming
conventions. Updates reverse mappings for Drizzle ORM to allow
conversion between camelCase and snake_case field names.

Improves integration with systems using mixed naming styles.

* Run code cleanup, add sidebar persistence, fix OIDC credentials, force SSH password.

* Fix snake case mismatching

* Add real client IP

* Fix OIDC credential persistence issue

The issue was that OIDC users were getting a new random Data Encryption Key (DEK)
on every login, which made previously encrypted credentials inaccessible.

Changes:
- Modified setupOIDCUserEncryption() to persist the DEK encrypted with a system-derived key
- Updated authenticateOIDCUser() to properly retrieve and use the persisted DEK
- Ensured OIDC users now have the same encryption persistence as password-based users

This fix ensures that credentials created by OIDC users remain accessible across
multiple login sessions.

* Fix race condition and remove redundant kekSalt for OIDC users

Critical fixes:

1. Race Condition Mitigation:
   - Added read-after-write verification in setupOIDCUserEncryption()
   - Ensures session uses the DEK that's actually in the database
   - Prevents data loss when concurrent logins occur for new OIDC users
   - If race is detected, discards generated DEK and uses stored one

2. Remove Redundant kekSalt Logic:
   - Removed unnecessary kekSalt generation and checks for OIDC users
   - kekSalt is not used in OIDC key derivation (uses userId as salt)
   - Reduces database operations from 4 to 2 per authentication
   - Simplifies code and removes potential confusion

3. Improved Error Handling:
   - systemKey cleanup moved to finally block
   - Ensures sensitive key material is always cleared from memory

These changes ensure data consistency and prevent potential data loss
in high-concurrency scenarios.

* Cleanup OIDC pr and run prettier

* Replace jetbrains mono with caskaydia cove

* Fix alert issues

* Finalize font update

* Feature/german language support (#374)

* v1.7.2 (#364)

* Feature request: Add delete confirmation dialog to file manager (#344)

* Feature request: Add delete confirmation dialog to file manager

- Added confirmation dialog before deleting files/folders
- Users must confirm deletion with a warning message
- Works for both Delete key and right-click delete
- Shows different messages for single file, folder, or multiple items
- Includes permanent deletion warning
- Follows existing design patterns using confirmWithToast

* Adds confirmation for deletion of items including folders

Updates the file deletion confirmation logic to distinguish between
deleting multiple items with or without folders. Introduces a new
translation string for a clearer user prompt when folders and their
contents are included in the deletion.

Improves clarity and reduces user error when performing bulk deletions.

* feat: Add Chinese translations for delete confirmation messages

* Adds camelCase support for encrypted field mappings (#342)

Extends encrypted field mappings to include camelCase variants
to support consistency and compatibility with different naming
conventions. Updates reverse mappings for Drizzle ORM to allow
conversion between camelCase and snake_case field names.

Improves integration with systems using mixed naming styles.

* Run code cleanup, add sidebar persistence, fix OIDC credentials, force SSH password.

* Fix snake case mismatching

* Add real client IP

* Fix OIDC credential persistence issue

The issue was that OIDC users were getting a new random Data Encryption Key (DEK)
on every login, which made previously encrypted credentials inaccessible.

Changes:
- Modified setupOIDCUserEncryption() to persist the DEK encrypted with a system-derived key
- Updated authenticateOIDCUser() to properly retrieve and use the persisted DEK
- Ensured OIDC users now have the same encryption persistence as password-based users

This fix ensures that credentials created by OIDC users remain accessible across
multiple login sessions.

* Fix race condition and remove redundant kekSalt for OIDC users

Critical fixes:

1. Race Condition Mitigation:
   - Added read-after-write verification in setupOIDCUserEncryption()
   - Ensures session uses the DEK that's actually in the database
   - Prevents data loss when concurrent logins occur for new OIDC users
   - If race is detected, discards generated DEK and uses stored one

2. Remove Redundant kekSalt Logic:
   - Removed unnecessary kekSalt generation and checks for OIDC users
   - kekSalt is not used in OIDC key derivation (uses userId as salt)
   - Reduces database operations from 4 to 2 per authentication
   - Simplifies code and removes potential confusion

3. Improved Error Handling:
   - systemKey cleanup moved to finally block
   - Ensures sensitive key material is always cleared from memory

These changes ensure data consistency and prevent potential data loss
in high-concurrency scenarios.

* Cleanup OIDC pr and run prettier

---------

Co-authored-by: Ved Prakash <54140516+thorved@users.noreply.github.com>

* Fix typos and improve wording in README.md

Corrected grammar and punctuation in README.

* Image 7.png

* Rename 3gi3b3os5psf1.png to Image 7.png

* Add video demonstration to README

Added a video demonstration to the README.

* Delete repo-images/Image 7.png

* Add files via upload

* Delete repo-images/Image 7.png

* Add files via upload

* Initial German translation

* German translation (#281)

* German translation (#281)

* Implementation of German language support  (#281)

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: Karmaa <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: Ved Prakash <54140516+thorved@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Add germanm support

* Fix SSH Key Password (keyPassword) Field Naming Mismatch Between Frontend and Backend (#375)

* Refactor key_password to keyPassword for consistency across SSH routes

* Standardizes keyPassword field handling and simplifies auth field logic

Standardizes the handling of the `keyPassword` field by converting
`key_password` to camelCase and ensuring consistent output while
preserving resolved credentials. Removes redundant snake_case
fields to avoid duplication.

Simplifies UI handling of authentication fields by allowing
non-relevant fields to persist, delegating filtering logic to the
backend for cleaner and more maintainable code.

Improves code clarity and aligns with consistent data handling
practices.

* Cleanup code + resolve conversion logic

---------

Co-authored-by: LukeGus <bugattiguy527@gmail.com>

* Feature disable password login (#378)

* Add admin toggle to disable password login

* Update src/backend/database/routes/users.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/ui/main-axios.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/ui/Desktop/Admin/AdminSettings.tsx

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/backend/database/routes/users.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/backend/database/routes/users.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Add SSH TOTP authentication support (#350)

* Add SSH TOTP authentication support

- Implement keyboard-interactive authentication for SSH connections
- Add TOTP dialog component for Terminal and File Manager
- Handle TOTP prompts in WebSocket and HTTP connections
- Disable Server Stats for TOTP-enabled servers
- Add i18n support for TOTP-related messages

* Update src/backend/ssh/server-stats.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/backend/ssh/file-manager.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: Karmaa <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Add terminal snippets feature with sidebar UI (#377)

* Add terminal snippets feature with sidebar UI

- Add snippets CRUD API endpoints and database schema
- Implement snippets sidebar accessible from TopNavbar
- Add copy to clipboard functionality
- Include tooltips and optimized styling
- Add English and Chinese translations

* Update src/backend/database/routes/snippets.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Feature engineering improvements (#376)

* chore: add engineering improvements

- Configure Prettier with unified code style rules
- Add husky + lint-staged for automated pre-commit checks
- Add commitlint to enforce conventional commit messages
- Add PR check workflow for CI automation
- Auto-format all files with Prettier
- Fix TypeScript any types in field-crypto.ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: enhance development environment

- Add .editorconfig for unified editor settings
- Add .nvmrc to specify Node.js version (20)
- Add useful npm scripts: format, format:check, lint, lint:fix, type-check

* chore: add IDE and Git configuration

- Add VS Code workspace settings for consistent development experience
- Add VS Code extension recommendations (ESLint, Prettier, EditorConfig)
- Add .gitattributes to enforce LF line endings

* refactor: clean up unused variables and empty blocks

- database.ts: Remove unused variables (authManager, format, HTTPS_PORT, etc.)
- database.ts: Fix empty catch blocks with descriptive comments
- database.ts: Add eslint-disable for required middleware parameter
- db/index.ts: Remove unused variables and fix empty catch blocks
- Temporarily remove ESLint from pre-commit to allow incremental fixes

Reduced total errors from 947 to 913 (34 fixes)

* refactor: clean up unused variables and empty blocks in routes

Routes updated:
- credentials.ts: Remove 12 unused variables/imports
- alerts.ts: Remove 1 unused variable
- users.ts: Remove 9 unused variables/imports

Changes:
- Remove unused imports (NextFunction, jwt, UserCrypto, detectKeyType)
- Fix empty catch blocks with descriptive comments
- Prefix reserved parameters with underscore
- Clean up unused error variables in catch blocks

Reduced errors from 913 to 886 (27 fixes)

* refactor: clean up unused variables in routes/ssh.ts

- Remove unused imports (NextFunction, jwt)
- Remove 6 unused variables (result, updateResult, name x3)
- All 8 no-unused-vars errors fixed

* refactor: clean up unused variables and empty blocks in file-manager.ts

- Remove 22 unused variables (linkCount, hostId, userId, content, escapedTempFile, index, code)
- Fix 1 empty catch block
- Simplify multiple route handlers by removing unused destructured parameters

Reduced errors from 878 to 855 (23 fixes)

* refactor: clean up unused variables and empty blocks in utils

database-migration.ts:
- Remove 3 unused variables (encryptedSize, totalOriginalRows, totalMemoryRows)

lazy-field-encryption.ts:
- Fix 6 empty catch blocks with descriptive comments
- Keep error variables where they are used in logging

tunnel.ts:
- Fix multiple empty catch blocks
- Remove empty else blocks
- Partially fixed (10/21 issues resolved)

Reduced errors from 855 to 833 (22 fixes)

* fix: restore error variable in catch block for logging

Fix TypeScript error where error variable was removed from catch block
but still used in logging statements. The error variable is needed for
proper error logging and re-throwing.

* fix: clean up tunnel.ts empty blocks and unused variables

移除了 tunnel.ts 中的空块和未使用的变量:
- 移除 2 个空 else 块
- 修复 2 个空 if 块并添加注释
- 修复空错误处理器并添加注释
- 将未使用的 err 参数重命名为 _err

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty blocks and unused variables in backend utils

修复了后端工具文件中的空块和未使用的变量:
- auth-manager.ts: 移除空 else 块
- system-crypto.ts: 修复空 catch 块并添加注释
- starter.ts: 修复空 catch 块并添加注释
- server-stats.ts: 将未使用的 reject 参数重命名为 _reject
- credentials.ts: 将 connectionTimeout 从 let 改为 const

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty catch blocks in frontend components

修复了前端组件中的空 catch 块:
- Tunnel.tsx: 修复空 catch 块并添加注释
- ServerConfig.tsx: 修复空 catch 块并添加注释
- TerminalKeyboard.tsx: 修复空 catch 块并添加注释
- system-crypto.ts: 修复遗漏的空 catch 块

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty catch blocks in backend utilities

修复了后端工具文件中的 10 个空 catch 块:
- system-crypto.ts: 修复 1 个空 catch 块
- server-stats.ts: 修复 4 个空 catch 块
- auto-ssl-setup.ts: 修复 1 个空 catch 块
- ssh-key-utils.ts: 修复 4 个空 catch 块

所有空块都添加了描述性注释说明为何忽略错误。

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty catch blocks in UI hooks and components

修复了 5 个 UI 组件和 hooks 中的空 catch 块:
- useDragToSystemDesktop.ts: 修复 2 个空 catch 块
- HomepageAuth.tsx: 修复 1 个空 catch 块
- HostManagerEditor.tsx: 修复 2 个空 catch 块

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty blocks in file manager and credential editor

修复了 5 个空块:
- FileManagerGrid.tsx: 移除 1 个空 else 块和 1 个空 if 块
- CredentialEditor.tsx: 修复 1 个空 catch 块,移除 2 个空 if/else 块

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up all empty catch blocks in Terminal components

修复了 Terminal 组件中的所有 8 个空 catch 块:
- Desktop/Apps/Terminal/Terminal.tsx: 修复 5 个空 catch 块
- Mobile/Apps/Terminal/Terminal.tsx: 修复 3 个空 catch 块

所有空块都添加了描述性注释。这是空块修复的最后一批。

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: remove useless try/catch wrappers

移除了 3 个无用的 try/catch 包装器:
- users.ts: 移除只重新抛出错误的外层 try/catch
- FileManager.tsx: 移除只重新抛出错误的内层 try/catch
- DiffViewer.tsx: 移除只重新抛出错误的内层 try/catch

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: remove unused imports and mark unused parameters

移除了未使用的导入和标记未使用的参数:
- auto-ssl-setup.ts: 移除未使用的 crypto 导入
- user-crypto.ts: 移除未使用的 users 导入
- user-data-import.ts: 移除未使用的 nanoid 导入
- simple-db-ops.ts: 标记未使用的 userId 和 tableName 参数

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unnecessary escape characters in regex patterns

移除了正则表达式中不必要的转义字符:
- users.ts: 修复 5 个 \/ 不必要的转义
- TabContext.tsx: 修复 1 个 \/ 不必要的转义

在字符串形式的正则表达式中,/ 不需要转义。

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat: enhance server stats widgets and fix TypeScript/ESLint errors (#394)

* feat: add draggable server stats dashboard with customizable widgets

* fix: widget deletion and layout persistence issues

* fix: improve widget deletion UX and add debug logs for persistence

* fix: resolve widget deletion and layout persistence issues

- Add drag handles to widget title bars for precise drag control
- Prevent delete button from triggering drag via event stopPropagation
- Include statsConfig field in all GET/PUT API responses
- Remove debug console logs from production code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: complete statsConfig field support across all API routes

- Add statsConfig to POST /db/host (create) route
- Add statsConfig to all GET routes for consistent API responses
- Remove incorrect statsConfig schema from HostManagerEditor
- statsConfig is now only managed by Server page layout editor

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: add statsConfig to metrics API response

- Add statsConfig field to SSHHostWithCredentials interface
- Include statsConfig in resolveHostCredentials baseHost object
- Ensures /metrics/:id API returns complete host configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: include statsConfig in SSH host create/update requests

The statsConfig field was being dropped by createSSHHost and updateSSHHost
functions in main-axios.ts, preventing layout customization from persisting.

Fixed by adding statsConfig to the submitData object in both functions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: refactor server stats widgets into modular structure

Created dedicated widgets directory with individual components:
- CpuWidget, MemoryWidget, DiskWidget as separate components
- Widget registry for centralized widget configuration
- AddWidgetDialog for user-friendly widget selection
- Updated Server.tsx to use modular widget system

Benefits:
- Better code organization and maintainability
- Easier to add new widget types in the future
- Centralized widget metadata and configuration
- User can now add widgets via dialog interface

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: exit edit mode after saving layout

* feat: add customizable widget sizes with chart visualizations

Add three-tier size system (small/medium/large) for server stats widgets.
Integrate recharts library for visualizing trends in large widgets with
line charts (CPU), area charts (Memory), and radial bar charts (Disk).
Fix layout overflow issues with proper flexbox patterns.

* refactor: simplify server stats widget system

Replaced complex drag-and-drop grid layout with simple checkbox-based
configuration and static responsive grid display.

- Removed react-grid-layout dependency and 6 related packages
- Simplified StatsConfig from complex Widget objects to simple array
- Added Statistics tab in HostManagerEditor for checkbox selection
- Refactored Server.tsx to use CSS Grid instead of ResponsiveGridLayout
- Simplified widget components by removing edit mode and size selection
- Deleted unused AddWidgetDialog and registry files
- Fixed statsConfig serialization in backend routes

Net result: -787 lines of code, cleaner architecture.

* feat: add system, uptime, network and processes widgets

Add four new server statistics widgets:
- SystemWidget: displays hostname, OS, and kernel information
- UptimeWidget: shows server total uptime with formatted display
- NetworkWidget: lists network interfaces with IP and status
- ProcessesWidget: displays top processes by CPU usage

Backend changes:
- Extended SSH metrics collection to gather network, uptime, process, and system data
- Added commands to parse /proc/uptime, ip addr, ps aux output

Frontend changes:
- Created 4 new widget components with consistent styling
- Updated widget type definitions and HostManagerEditor
- Unified all widget heights to 280px for consistent layout
- Added translations for all new widgets (EN/ZH)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: improve widget styling and UX consistency

Enhance all server stats widgets with improved styling and user experience:

Widget improvements:
- Fix hardcoded titles, now use i18n translations for all widgets
- Improve data formatting with consistent translation keys
- Enhance empty state displays with better visual hierarchy
- Add smooth hover transitions and visual feedback
- Standardize spacing and layout patterns across widgets

Specific optimizations:
- CPU: Use translated load average display
- Memory: Translate "Free" label
- Disk: Translate "Available" label
- System: Improve icon colors and spacing consistency
- Network: Better empty state, enhanced card styling
- Processes: Improved card borders and spacing

Visual polish:
- Unified icon sizing and opacity for empty states
- Consistent border radius (rounded-lg)
- Better hover states with subtle transitions
- Enhanced font weights for improved readability

* fix: replace explicit any types with proper TypeScript types

- Replace 'any' with 'unknown' in catch blocks and add type assertions
- Create explicit interfaces for complex objects (HostConfig, TabData, TerminalHandle)
- Fix window/document object type extensions
- Update Electron API type definitions
- Improve type safety in database routes and utilities
- Add proper types to Terminal components (Desktop & Mobile)
- Fix navigation component types (TopNavbar, LeftSidebar, AppView)

Reduces TypeScript lint errors from 394 to 358 (-36 errors)
Fixes 45 @typescript-eslint/no-explicit-any violations

* fix: replace explicit any types with proper TypeScript types

- Create explicit interfaces for Request extensions (AuthenticatedRequest, RequestWithHeaders)
- Add type definitions for WebSocket messages and SSH connection data
- Use generic types in DataCrypto methods instead of any return types
- Define proper interfaces for file manager data structures
- Replace catch block any types with unknown and proper type assertions
- Add HostConfig and TabData interfaces for Server component

Fixes 32 @typescript-eslint/no-explicit-any violations across 5 files

* fix: resolve 6 TypeScript compilation errors

Fixed field name mismatches and generic type issues:
- database.ts: Changed camelCase to snake_case for key_password, private_key, public_key fields
- simple-db-ops.ts: Added explicit generic type parameters to DataCrypto method calls

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: resolve unused variables in backend utils

Fixed @typescript-eslint/no-unused-vars errors in:
- starter.ts: removed unused error variables (2 fixes)
- auto-ssl-setup.ts: removed unused error variable (1 fix)
- ssh-key-utils.ts: removed unused error variables (3 fixes)
- user-crypto.ts: removed unused error variables (5 fixes)
- data-crypto.ts: removed unused plaintextFields and error variables (2 fixes)
- simple-db-ops.ts: removed unused parameters _userId and _tableName (2 fixes)

Total: 15 unused variable errors fixed

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused variable in terminal.ts

Fixed @typescript-eslint/no-unused-vars errors:
- Removed unused userPayload variable (line 123)
- Removed unused cols and rows from destructuring (line 348)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: resolve unused variables in server-stats.ts

Fixed @typescript-eslint/no-unused-vars errors:
- Removed unused _reject parameter in Promise (line 64)
- Removed shadowed now variable in pollStatusesOnce (line 1130)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused variables in tunnel.ts

Removed 5 unused variables:
- Removed unused data parameter from stdout event handler
- Removed hasSourcePassword, hasSourceKey, hasEndpointPassword, hasEndpointKey variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused variables in main-axios.ts

Removed 8 unused variables:
- Removed unused type imports (Credential, CredentialData, HostInfo, ApiResponse)
- Removed unused apiPort variable
- Removed unused error variables in 3 catch blocks

* fix: remove unused variables in terminal.ts and starter.ts

Removed 2 unused variables:
- Removed unused JWTPayload type import from terminal.ts
- Removed unused _promise parameter from starter.ts

* fix: remove unused variables in sidebar.tsx

Removed 9 unused variables:
- Removed 5 unused Sheet component imports
- Removed unused SIDEBAR_WIDTH_MOBILE constant
- Removed 3 unused variables from useSidebar destructuring

* fix: remove 13 unused variables in frontend files

- version-check-modal.tsx: removed 4 unused imports and functions
- main.tsx: removed unused isMobile state
- AdminSettings.tsx: removed 8 unused imports and error variables

* fix: remove 28 unused variables across frontend components

Cleaned up unused imports, state variables, and function parameters:
- CredentialsManager.tsx: removed 8 unused variables (Sheet/Select imports)
- FileManager.tsx: removed 10 unused variables (icons, state, functions)
- Terminal.tsx (Desktop): removed 5 unused variables (state, handlers)
- Terminal.tsx (Mobile): removed 5 unused variables (imports, state)

Reduced lint errors from 271 to 236 (35 errors fixed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 10 unused variables in File Manager and config files

Cleaned up more unused imports, parameters, and variables:
- FileManagerGrid.tsx: removed 4 unused variables (params, function)
- FileManagerContextMenu.tsx: removed Share import
- FileManagerSidebar.tsx: removed onLoadDirectory parameter
- DraggableWindow.tsx: removed Square import
- FileWindow.tsx: removed updateWindow variable
- ServerConfig.tsx: removed 2 unused error parameters

Reduced lint errors from 236 to 222 (14 errors fixed total)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 7 unused variables in widgets and Homepage components

Cleaned up unused imports, parameters, and variables:
- DiskWidget.tsx: removed metricsHistory parameter
- FileManagerContextMenu.tsx: removed ExternalLink import
- Homepage.tsx: removed useTranslation import
- HomepageAlertManager.tsx: removed loading variable
- HomepageAuth.tsx: removed setCookie import (Desktop & Mobile)
- HompageUpdateLog.tsx: removed err parameter

Reduced lint errors from 222 to 216 (6 errors fixed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 8 unused variables in File Manager and Host Manager components

Cleaned up unused imports, state variables, and function parameters:
- DiffViewer.tsx: removed unused error parameter in catch block
- FileViewer.tsx: removed ReactPlayer import, unused originalContent state,
  node parameters from markdown code components, audio variable
- HostManager.tsx: removed onSelectView and updatedHost parameters
- TunnelViewer.tsx: removed TunnelConnection import

Reduced lint errors from 271 to 208 (63 errors fixed total)

* fix: remove 7 unused variables in UI hooks and components

Cleaned up unused parameters and functions:
- status/index.tsx: removed unused className parameter from StatusIndicator
- useDragToDesktop.ts: removed unused sshHost parameter and from dependency
  arrays (4 occurrences)
- useDragToSystemDesktop.ts: removed unused sshHost parameter and
  getLastSaveDirectory function (29 lines removed)

Continued reducing frontend lint errors

* fix: remove 2 unused variables in hooks and TabContext

- useDragToDesktop.ts: removed unused onSuccess in dragFolderToDesktop
- TabContext.tsx: removed unused useTranslation import and t variable

Continued reducing frontend lint errors

* fix: remove 2 unused variables in Homepage component

- Removed unused isAdmin state variable (changed to setter only)
- Removed unused jwt variable by inlining getCookie check

Continued reducing frontend lint errors

* fix: remove 3 unused variables in Mobile navigation components

- Host.tsx: removed unused Server icon import
- LeftSidebar.tsx: removed unused setHostsLoading setter and err parameter

Continued reducing frontend lint errors

* fix: remove 9 unused variables across multiple files

Fixed unused variables in:
- database-file-encryption.ts: removed currentFingerprint (backend)
- FileManagerContextMenu.tsx: removed ExternalLink import, hasDirectories
- frontend-logger.ts: removed 5 unused shortUrl variables

Continued reducing lint errors

* fix: remove 18 unused variables across 4 files

- HostManagerViewer.tsx: remove 9 unused error variables and parameters
- HostManagerEditor.tsx: remove WidgetType import, hosts/loading states, error variable
- CredentialViewer.tsx: remove 3 unused error variables
- Server.tsx: remove 2 unused error variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 9 unused variables across 4 files

- SnippetsSidebar.tsx: remove 3 unused err variables in catch blocks
- TunnelViewer.tsx: remove 2 unused parameters from callback
- DesktopApp.tsx: remove getCookie import and unused state variables
- HomepageAlertManager.tsx: remove 2 unused err variables in catch blocks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 10 unused variables and imports across 4 navigation files

- Homepage.tsx: remove unused username state variable
- AppView.tsx: remove 3 unused Lucide icon imports
- TopNavbar.tsx: remove 4 unused Accordion component imports
- LeftSidebar.tsx: remove 2 unused variables (err, jwt)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 5 unused variables across 4 user/credentials files

- PasswordReset.tsx: remove unused result variable
- UserProfile.tsx: remove unused Key import and err variable
- version-check-modal.tsx: remove unused setVersionDismissed setter
- CredentialsManager.tsx: remove unused e parameter from handleDragLeave

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 2 unused variables in FileViewer and TerminalWindow

- FileViewer.tsx: remove unused node parameter from code component
- TerminalWindow.tsx: remove unused handleMinimize function

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 10 unused variables in HomepageAuth.tsx

Removed unused variables:
- getCookie import
- dbError prop
- visibility state and toggleVisibility
- error state variable
- result variable in handleInitiatePasswordReset
- token URL parameter
- err parameters in catch blocks
- retryDatabaseConnection function
- Multiple setError(null) calls

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 9 unused variables across multiple files

Files fixed:
- DesktopApp.tsx: Removed _nextView parameter
- TerminalWindow.tsx: Removed minimizeWindow
- Mobile Host.tsx: Removed Server import
- Mobile LeftSidebar.tsx: Removed setHostsLoading, err in catch
- Desktop LeftSidebar.tsx: Removed getCookie, setCookie, onSelectView, getView, setHostsLoading

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 10 unused variables in Mobile files

Files fixed:
- MobileApp.tsx: Removed getCookie, removeTab, isAdmin, id, err parameters
- Mobile/HomepageAuth.tsx: Removed getCookie, error state, result, token, err parameters

All @typescript-eslint/no-unused-vars errors in frontend now resolved!

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused t variable in TabContext

Removed useTranslation import and unused t variable
in Mobile TabContext.tsx

All @typescript-eslint/no-unused-vars errors now resolved!
Total fixed: 154 unused variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: resolve TypeScript and ESLint errors across the codebase

- Fixed @typescript-eslint/no-unused-vars errors (31 instances)
- Fixed @typescript-eslint/no-explicit-any errors in backend (~22 instances)
- Fixed @typescript-eslint/no-explicit-any errors in frontend (~60 instances)
- Fixed prefer-const errors (5 instances)
- Fixed no-empty-object-type and rules-of-hooks errors
- Added proper type assertions for database operations
- Improved type safety in authentication and encryption modules
- Enhanced type definitions for API routes and SSH operations

All TypeScript compilation errors resolved. Application builds and runs successfully.

* fix: disable react-refresh/only-export-components rule for component files

Disable the react-refresh/only-export-components ESLint rule in files
that export both components and related utilities (hooks, types,
constants). This is a pragmatic solution to maintain code organization
without splitting files unnecessarily.

* style: fix prettier formatting issues

Fix code style issues in translation file and TOTP dialog component
to pass CI prettier check.

* chore: fix rollup optional dependencies installation in CI

Add step to force reinstall rollup after npm ci to fix the known npm
bug with optional dependencies on Linux x64 platform.

* chore: fix lightningcss optional dependencies in CI

Add lightningcss to the force reinstall step to fix npm optional
dependencies bug for both rollup and lightningcss on Linux x64.

* chore: fix npm optional dependencies bug in CI

Remove package-lock.json and node_modules before install to properly
handle optional dependencies for rollup, lightningcss, and tailwindcss
native bindings on Linux x64 platform as recommended by npm.

* Update src/types/index.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Set terminal environment variables for SSH

Added environment variables for terminal configuration.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Karmaa <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* feat: begin macOS support

* Delete .github/ISSUE_TEMPLATE/bug_report.yml

* Delete .github/ISSUE_TEMPLATE/feature_request.yml

* Add issue template configuration for support links

* Revise support instructions in README.md

Updated support section with new issue reporting instructions and clarified Discord support response times.

* Update repository links and badge URLs in README

* Update links to new orgnanization

* Migrate workflows to Blacksmith (#421)

Co-authored-by: blacksmith-sh[bot] <157653362+blacksmith-sh[bot]@users.noreply.github.com>

* Feature request: Add delete confirmation dialog to file manager (#344)

* Feature request: Add delete confirmation dialog to file manager

- Added confirmation dialog before deleting files/folders
- Users must confirm deletion with a warning message
- Works for both Delete key and right-click delete
- Shows different messages for single file, folder, or multiple items
- Includes permanent deletion warning
- Follows existing design patterns using confirmWithToast

* Adds confirmation for deletion of items including folders

Updates the file deletion confirmation logic to distinguish between
deleting multiple items with or without folders. Introduces a new
translation string for a clearer user prompt when folders and their
contents are included in the deletion.

Improves clarity and reduces user error when performing bulk deletions.

* feat: Add Chinese translations for delete confirmation messages

* Adds camelCase support for encrypted field mappings (#342)

Extends encrypted field mappings to include camelCase variants
to support consistency and compatibility with different naming
conventions. Updates reverse mappings for Drizzle ORM to allow
conversion between camelCase and snake_case field names.

Improves integration with systems using mixed naming styles.

* Run code cleanup, add sidebar persistence, fix OIDC credentials, force SSH password.

* Fix snake case mismatching

* Fix race condition and remove redundant kekSalt for OIDC users

Critical fixes:

1. Race Condition Mitigation:
   - Added read-after-write verification in setupOIDCUserEncryption()
   - Ensures session uses the DEK that's actually in the database
   - Prevents data loss when concurrent logins occur for new OIDC users
   - If race is detected, discards generated DEK and uses stored one

2. Remove Redundant kekSalt Logic:
   - Removed unnecessary kekSalt generation and checks for OIDC users
   - kekSalt is not used in OIDC key derivation (uses userId as salt)
   - Reduces database operations from 4 to 2 per authentication
   - Simplifies code and removes potential confusion

3. Improved Error Handling:
   - systemKey cleanup moved to finally block
   - Ensures sensitive key material is always cleared from memory

These changes ensure data consistency and prevent potential data loss
in high-concurrency scenarios.

* Cleanup OIDC pr and run prettier

* Feature/german language support (#374)

* v1.7.2 (#364)

* Feature request: Add delete confirmation dialog to file manager (#344)

* Feature request: Add delete confirmation dialog to file manager

- Added confirmation dialog before deleting files/folders
- Users must confirm deletion with a warning message
- Works for both Delete key and right-click delete
- Shows different messages for single file, folder, or multiple items
- Includes permanent deletion warning
- Follows existing design patterns using confirmWithToast

* Adds confirmation for deletion of items including folders

Updates the file deletion confirmation logic to distinguish between
deleting multiple items with or without folders. Introduces a new
translation string for a clearer user prompt when folders and their
contents are included in the deletion.

Improves clarity and reduces user error when performing bulk deletions.

* feat: Add Chinese translations for delete confirmation messages

* Adds camelCase support for encrypted field mappings (#342)

Extends encrypted field mappings to include camelCase variants
to support consistency and compatibility with different naming
conventions. Updates reverse mappings for Drizzle ORM to allow
conversion between camelCase and snake_case field names.

Improves integration with systems using mixed naming styles.

* Run code cleanup, add sidebar persistence, fix OIDC credentials, force SSH password.

* Fix snake case mismatching

* Add real client IP

* Fix OIDC credential persistence issue

The issue was that OIDC users were getting a new random Data Encryption Key (DEK)
on every login, which made previously encrypted credentials inaccessible.

Changes:
- Modified setupOIDCUserEncryption() to persist the DEK encrypted with a system-derived key
- Updated authenticateOIDCUser() to properly retrieve and use the persisted DEK
- Ensured OIDC users now have the same encryption persistence as password-based users

This fix ensures that credentials created by OIDC users remain accessible across
multiple login sessions.

* Fix race condition and remove redundant kekSalt for OIDC users

Critical fixes:

1. Race Condition Mitigation:
   - Added read-after-write verification in setupOIDCUserEncryption()
   - Ensures session uses the DEK that's actually in the database
   - Prevents data loss when concurrent logins occur for new OIDC users
   - If race is detected, discards generated DEK and uses stored one

2. Remove Redundant kekSalt Logic:
   - Removed unnecessary kekSalt generation and checks for OIDC users
   - kekSalt is not used in OIDC key derivation (uses userId as salt)
   - Reduces database operations from 4 to 2 per authentication
   - Simplifies code and removes potential confusion

3. Improved Error Handling:
   - systemKey cleanup moved to finally block
   - Ensures sensitive key material is always cleared from memory

These changes ensure data consistency and prevent potential data loss
in high-concurrency scenarios.

* Cleanup OIDC pr and run prettier

---------

Co-authored-by: Ved Prakash <54140516+thorved@users.noreply.github.com>

* Fix typos and improve wording in README.md

Corrected grammar and punctuation in README.

* Image 7.png

* Rename 3gi3b3os5psf1.png to Image 7.png

* Add video demonstration to README

Added a video demonstration to the README.

* Delete repo-images/Image 7.png

* Add files via upload

* Delete repo-images/Image 7.png

* Add files via upload

* Initial German translation

* German translation (#281)

* German translation (#281)

* Implementation of German language support  (#281)

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/locales/de/translation.json

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: Karmaa <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: Ved Prakash <54140516+thorved@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Feature disable password login (#378)

* Add admin toggle to disable password login

* Update src/backend/database/routes/users.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/ui/main-axios.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/ui/Desktop/Admin/AdminSettings.tsx

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/backend/database/routes/users.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/backend/database/routes/users.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Add SSH TOTP authentication support (#350)

* Add SSH TOTP authentication support

- Implement keyboard-interactive authentication for SSH connections
- Add TOTP dialog component for Terminal and File Manager
- Handle TOTP prompts in WebSocket and HTTP connections
- Disable Server Stats for TOTP-enabled servers
- Add i18n support for TOTP-related messages

* Update src/backend/ssh/server-stats.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update src/backend/ssh/file-manager.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: Karmaa <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Add terminal snippets feature with sidebar UI (#377)

* Add terminal snippets feature with sidebar UI

- Add snippets CRUD API endpoints and database schema
- Implement snippets sidebar accessible from TopNavbar
- Add copy to clipboard functionality
- Include tooltips and optimized styling
- Add English and Chinese translations

* Update src/backend/database/routes/snippets.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Feature engineering improvements (#376)

* chore: add engineering improvements

- Configure Prettier with unified code style rules
- Add husky + lint-staged for automated pre-commit checks
- Add commitlint to enforce conventional commit messages
- Add PR check workflow for CI automation
- Auto-format all files with Prettier
- Fix TypeScript any types in field-crypto.ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: enhance development environment

- Add .editorconfig for unified editor settings
- Add .nvmrc to specify Node.js version (20)
- Add useful npm scripts: format, format:check, lint, lint:fix, type-check

* chore: add IDE and Git configuration

- Add VS Code workspace settings for consistent development experience
- Add VS Code extension recommendations (ESLint, Prettier, EditorConfig)
- Add .gitattributes to enforce LF line endings

* refactor: clean up unused variables and empty blocks

- database.ts: Remove unused variables (authManager, format, HTTPS_PORT, etc.)
- database.ts: Fix empty catch blocks with descriptive comments
- database.ts: Add eslint-disable for required middleware parameter
- db/index.ts: Remove unused variables and fix empty catch blocks
- Temporarily remove ESLint from pre-commit to allow incremental fixes

Reduced total errors from 947 to 913 (34 fixes)

* refactor: clean up unused variables and empty blocks in routes

Routes updated:
- credentials.ts: Remove 12 unused variables/imports
- alerts.ts: Remove 1 unused variable
- users.ts: Remove 9 unused variables/imports

Changes:
- Remove unused imports (NextFunction, jwt, UserCrypto, detectKeyType)
- Fix empty catch blocks with descriptive comments
- Prefix reserved parameters with underscore
- Clean up unused error variables in catch blocks

Reduced errors from 913 to 886 (27 fixes)

* refactor: clean up unused variables in routes/ssh.ts

- Remove unused imports (NextFunction, jwt)
- Remove 6 unused variables (result, updateResult, name x3)
- All 8 no-unused-vars errors fixed

* refactor: clean up unused variables and empty blocks in file-manager.ts

- Remove 22 unused variables (linkCount, hostId, userId, content, escapedTempFile, index, code)
- Fix 1 empty catch block
- Simplify multiple route handlers by removing unused destructured parameters

Reduced errors from 878 to 855 (23 fixes)

* refactor: clean up unused variables and empty blocks in utils

database-migration.ts:
- Remove 3 unused variables (encryptedSize, totalOriginalRows, totalMemoryRows)

lazy-field-encryption.ts:
- Fix 6 empty catch blocks with descriptive comments
- Keep error variables where they are used in logging

tunnel.ts:
- Fix multiple empty catch blocks
- Remove empty else blocks
- Partially fixed (10/21 issues resolved)

Reduced errors from 855 to 833 (22 fixes)

* fix: restore error variable in catch block for logging

Fix TypeScript error where error variable was removed from catch block
but still used in logging statements. The error variable is needed for
proper error logging and re-throwing.

* fix: clean up tunnel.ts empty blocks and unused variables

移除了 tunnel.ts 中的空块和未使用的变量:
- 移除 2 个空 else 块
- 修复 2 个空 if 块并添加注释
- 修复空错误处理器并添加注释
- 将未使用的 err 参数重命名为 _err

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty blocks and unused variables in backend utils

修复了后端工具文件中的空块和未使用的变量:
- auth-manager.ts: 移除空 else 块
- system-crypto.ts: 修复空 catch 块并添加注释
- starter.ts: 修复空 catch 块并添加注释
- server-stats.ts: 将未使用的 reject 参数重命名为 _reject
- credentials.ts: 将 connectionTimeout 从 let 改为 const

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty catch blocks in frontend components

修复了前端组件中的空 catch 块:
- Tunnel.tsx: 修复空 catch 块并添加注释
- ServerConfig.tsx: 修复空 catch 块并添加注释
- TerminalKeyboard.tsx: 修复空 catch 块并添加注释
- system-crypto.ts: 修复遗漏的空 catch 块

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty catch blocks in backend utilities

修复了后端工具文件中的 10 个空 catch 块:
- system-crypto.ts: 修复 1 个空 catch 块
- server-stats.ts: 修复 4 个空 catch 块
- auto-ssl-setup.ts: 修复 1 个空 catch 块
- ssh-key-utils.ts: 修复 4 个空 catch 块

所有空块都添加了描述性注释说明为何忽略错误。

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty catch blocks in UI hooks and components

修复了 5 个 UI 组件和 hooks 中的空 catch 块:
- useDragToSystemDesktop.ts: 修复 2 个空 catch 块
- HomepageAuth.tsx: 修复 1 个空 catch 块
- HostManagerEditor.tsx: 修复 2 个空 catch 块

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up empty blocks in file manager and credential editor

修复了 5 个空块:
- FileManagerGrid.tsx: 移除 1 个空 else 块和 1 个空 if 块
- CredentialEditor.tsx: 修复 1 个空 catch 块,移除 2 个空 if/else 块

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: clean up all empty catch blocks in Terminal components

修复了 Terminal 组件中的所有 8 个空 catch 块:
- Desktop/Apps/Terminal/Terminal.tsx: 修复 5 个空 catch 块
- Mobile/Apps/Terminal/Terminal.tsx: 修复 3 个空 catch 块

所有空块都添加了描述性注释。这是空块修复的最后一批。

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: remove useless try/catch wrappers

移除了 3 个无用的 try/catch 包装器:
- users.ts: 移除只重新抛出错误的外层 try/catch
- FileManager.tsx: 移除只重新抛出错误的内层 try/catch
- DiffViewer.tsx: 移除只重新抛出错误的内层 try/catch

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: remove unused imports and mark unused parameters

移除了未使用的导入和标记未使用的参数:
- auto-ssl-setup.ts: 移除未使用的 crypto 导入
- user-crypto.ts: 移除未使用的 users 导入
- user-data-import.ts: 移除未使用的 nanoid 导入
- simple-db-ops.ts: 标记未使用的 userId 和 tableName 参数

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unnecessary escape characters in regex patterns

移除了正则表达式中不必要的转义字符:
- users.ts: 修复 5 个 \/ 不必要的转义
- TabContext.tsx: 修复 1 个 \/ 不必要的转义

在字符串形式的正则表达式中,/ 不需要转义。

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat: enhance server stats widgets and fix TypeScript/ESLint errors (#394)

* feat: add draggable server stats dashboard with customizable widgets

* fix: widget deletion and layout persistence issues

* fix: improve widget deletion UX and add debug logs for persistence

* fix: resolve widget deletion and layout persistence issues

- Add drag handles to widget title bars for precise drag control
- Prevent delete button from triggering drag via event stopPropagation
- Include statsConfig field in all GET/PUT API responses
- Remove debug console logs from production code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: complete statsConfig field support across all API routes

- Add statsConfig to POST /db/host (create) route
- Add statsConfig to all GET routes for consistent API responses
- Remove incorrect statsConfig schema from HostManagerEditor
- statsConfig is now only managed by Server page layout editor

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: add statsConfig to metrics API response

- Add statsConfig field to SSHHostWithCredentials interface
- Include statsConfig in resolveHostCredentials baseHost object
- Ensures /metrics/:id API returns complete host configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: include statsConfig in SSH host create/update requests

The statsConfig field was being dropped by createSSHHost and updateSSHHost
functions in main-axios.ts, preventing layout customization from persisting.

Fixed by adding statsConfig to the submitData object in both functions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: refactor server stats widgets into modular structure

Created dedicated widgets directory with individual components:
- CpuWidget, MemoryWidget, DiskWidget as separate components
- Widget registry for centralized widget configuration
- AddWidgetDialog for user-friendly widget selection
- Updated Server.tsx to use modular widget system

Benefits:
- Better code organization and maintainability
- Easier to add new widget types in the future
- Centralized widget metadata and configuration
- User can now add widgets via dialog interface

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: exit edit mode after saving layout

* feat: add customizable widget sizes with chart visualizations

Add three-tier size system (small/medium/large) for server stats widgets.
Integrate recharts library for visualizing trends in large widgets with
line charts (CPU), area charts (Memory), and radial bar charts (Disk).
Fix layout overflow issues with proper flexbox patterns.

* refactor: simplify server stats widget system

Replaced complex drag-and-drop grid layout with simple checkbox-based
configuration and static responsive grid display.

- Removed react-grid-layout dependency and 6 related packages
- Simplified StatsConfig from complex Widget objects to simple array
- Added Statistics tab in HostManagerEditor for checkbox selection
- Refactored Server.tsx to use CSS Grid instead of ResponsiveGridLayout
- Simplified widget components by removing edit mode and size selection
- Deleted unused AddWidgetDialog and registry files
- Fixed statsConfig serialization in backend routes

Net result: -787 lines of code, cleaner architecture.

* feat: add system, uptime, network and processes widgets

Add four new server statistics widgets:
- SystemWidget: displays hostname, OS, and kernel information
- UptimeWidget: shows server total uptime with formatted display
- NetworkWidget: lists network interfaces with IP and status
- ProcessesWidget: displays top processes by CPU usage

Backend changes:
- Extended SSH metrics collection to gather network, uptime, process, and system data
- Added commands to parse /proc/uptime, ip addr, ps aux output

Frontend changes:
- Created 4 new widget components with consistent styling
- Updated widget type definitions and HostManagerEditor
- Unified all widget heights to 280px for consistent layout
- Added translations for all new widgets (EN/ZH)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: improve widget styling and UX consistency

Enhance all server stats widgets with improved styling and user experience:

Widget improvements:
- Fix hardcoded titles, now use i18n translations for all widgets
- Improve data formatting with consistent translation keys
- Enhance empty state displays with better visual hierarchy
- Add smooth hover transitions and visual feedback
- Standardize spacing and layout patterns across widgets

Specific optimizations:
- CPU: Use translated load average display
- Memory: Translate "Free" label
- Disk: Translate "Available" label
- System: Improve icon colors and spacing consistency
- Network: Better empty state, enhanced card styling
- Processes: Improved card borders and spacing

Visual polish:
- Unified icon sizing and opacity for empty states
- Consistent border radius (rounded-lg)
- Better hover states with subtle transitions
- Enhanced font weights for improved readability

* fix: replace explicit any types with proper TypeScript types

- Replace 'any' with 'unknown' in catch blocks and add type assertions
- Create explicit interfaces for complex objects (HostConfig, TabData, TerminalHandle)
- Fix window/document object type extensions
- Update Electron API type definitions
- Improve type safety in database routes and utilities
- Add proper types to Terminal components (Desktop & Mobile)
- Fix navigation component types (TopNavbar, LeftSidebar, AppView)

Reduces TypeScript lint errors from 394 to 358 (-36 errors)
Fixes 45 @typescript-eslint/no-explicit-any violations

* fix: replace explicit any types with proper TypeScript types

- Create explicit interfaces for Request extensions (AuthenticatedRequest, RequestWithHeaders)
- Add type definitions for WebSocket messages and SSH connection data
- Use generic types in DataCrypto methods instead of any return types
- Define proper interfaces for file manager data structures
- Replace catch block any types with unknown and proper type assertions
- Add HostConfig and TabData interfaces for Server component

Fixes 32 @typescript-eslint/no-explicit-any violations across 5 files

* fix: resolve 6 TypeScript compilation errors

Fixed field name mismatches and generic type issues:
- database.ts: Changed camelCase to snake_case for key_password, private_key, public_key fields
- simple-db-ops.ts: Added explicit generic type parameters to DataCrypto method calls

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: resolve unused variables in backend utils

Fixed @typescript-eslint/no-unused-vars errors in:
- starter.ts: removed unused error variables (2 fixes)
- auto-ssl-setup.ts: removed unused error variable (1 fix)
- ssh-key-utils.ts: removed unused error variables (3 fixes)
- user-crypto.ts: removed unused error variables (5 fixes)
- data-crypto.ts: removed unused plaintextFields and error variables (2 fixes)
- simple-db-ops.ts: removed unused parameters _userId and _tableName (2 fixes)

Total: 15 unused variable errors fixed

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused variable in terminal.ts

Fixed @typescript-eslint/no-unused-vars errors:
- Removed unused userPayload variable (line 123)
- Removed unused cols and rows from destructuring (line 348)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: resolve unused variables in server-stats.ts

Fixed @typescript-eslint/no-unused-vars errors:
- Removed unused _reject parameter in Promise (line 64)
- Removed shadowed now variable in pollStatusesOnce (line 1130)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused variables in tunnel.ts

Removed 5 unused variables:
- Removed unused data parameter from stdout event handler
- Removed hasSourcePassword, hasSourceKey, hasEndpointPassword, hasEndpointKey variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unused variables in main-axios.ts

Removed 8 unused variables:
- Removed unused type imports (Credential, CredentialData, HostInfo, ApiResponse)
- Removed unused apiPort variable
- Removed unused error variables in 3 catch blocks

* fix: remove unused variables in terminal.ts and starter.ts

Removed 2 unused variables:
- Removed unused JWTPayload type import from terminal.ts
- Removed unused _promise parameter from starter.ts

* fix: remove unused variables in sidebar.tsx

Removed 9 unused variables:
- Removed 5 unused Sheet component imports
- Removed unused SIDEBAR_WIDTH_MOBILE constant
- Removed 3 unused variables from useSidebar destructuring

* fix: remove 13 unused variables in frontend files

- version-check-modal.tsx: removed 4 unused imports and functions
- main.tsx: removed unused isMobile state
- AdminSettings.tsx: removed 8 unused imports and error variables

* fix: remove 28 unused variables across frontend components

Cleaned up unused imports, state variables, and function parameters:
- CredentialsManager.tsx: removed 8 unused variables (Sheet/Select imports)
- FileManager.tsx: removed 10 unused variables (icons, state, functions)
- Terminal.tsx (Desktop): removed 5 unused variables (state, handlers)
- Terminal.tsx (Mobile): removed 5 unused variables (imports, state)

Reduced lint errors from 271 to 236 (35 errors fixed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 10 unused variables in File Manager and config files

Cleaned up more unused imports, parameters, and variables:
- FileManagerGrid.tsx: removed 4 unused variables (params, function)
- FileManagerContextMenu.tsx: removed Share import
- FileManagerSidebar.tsx: removed onLoadDirectory parameter
- DraggableWindow.tsx: removed Square import
- FileWindow.tsx: removed updateWindow variable
- ServerConfig.tsx: removed 2 unused error parameters

Reduced lint errors from 236 to 222 (14 errors fixed total)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove 7 unused variables in widgets and Homepage components

Cleaned up unused imports, p…

* fix: Improve TOTP reliability, move components around, turn homepage update log into a sheet

* fix: Work more on TOTP, renamed homepage to dashboard and began improvements

* fix: test commit

* fix: Fix server stats login

* feat: Complete layout of Termix dashboard

* feat: Update font for reacent activity

* feat: Connect dashboard to backend and update tab system to be similar to a browser (neither are fully finished)

* feat: Improve dashboard API, improve tab system, various other fixes

* fix: Resize dashboard boxes and reduce server stats size to add scrolling

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix: Improve macOS support

* fix(auth): Fix admin user authentication for /users/db-health endpoint by adding cookie JWT support (#422)

Fixed authentication issue for admin users accessing the /users/db-health endpoint:

- Added JWT token extraction from cookies (req.cookies?.jwt)
- Added support for Bearer token from Authorization header
- Improved error handling for missing and invalid tokens
- Ensured consistent authentication flow for admin users

Changes made:
- Check for JWT token in req.cookies?.jwt
- Support Bearer token from Authorization header
- Return 401 error when token is missing
- Return 401 error when token validation fails

Fixes: https://github.com/Termix-SSH/Support/issues/12

* Update Docker login credentials and image names

* Update docker-image.yml

* Refactor Docker image workflow for registry options

Updated workflow to allow selection of Docker registry and simplified tag handling.

* Update Docker login conditions and tag handling

* Enhance Docker image workflow with better tagging

Updated Docker image workflow to improve tag handling and descriptions.

* Update Docker workflow for tag handling and cleanup

* Update docker-image.yml

* Update Docker workflow inputs and tag logic

Refactor Docker workflow to include version and production inputs, and streamline tag determination.

* Update Docker image workflow for multi-platform builds

* Refactor Docker image tags for clarity

Updated Docker image tags to use multi-line syntax for better readability and added latest tag conditionally.

* Fix typo in exposed ports in Dockerfile

* Update docker-image.yml

* Refactor Docker image workflow for registry handling

Removed registry input and adjusted Docker Hub login condition.

* Handle OIDC users during database import (#424)

* Update Docker image name for GitHub registry

* Fix image name casing in Docker workflow

* Remove untagged image cleanup step from workflow

Removed the step to delete untagged image versions from the workflow.

* Change Docker login to use GHCR credentials

Updated Docker login credentials for GitHub Container Registry.

* Remove cache moving step from Docker workflow

Removed the step to move the build cache in the Docker workflow.

* Refactor Docker image workflow for versioning and builds

* Update docker-image.yml

* Allow OIDC users to import database without password

* Skip import password prompt for OIDC users

* docs: clarify OIDC import unlocking flow

* docs: explain admin import password logic

---------

Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: Nikola Novoselec <nikolanovoselec@users.noreply.github.com>

* fix: Fixed various issues with the dashboard, tab bar, and database issues

* feat: Added none password option and fixed some navbar issues (still present)

* fix: Fix tab reload/state loss whenever moving them to the rigbht

* feat: Make tabs auto expand and contract and scroll

* fix: Remove vertical scrolling in the tab bar and dashboard and reduce scrollbar height in tab bar

* feat: Add many terminal customizations

* feat: Add many terminal customizations

* fix: incorrect macOS logo, termix hangs on macOS, and macOS reporting incorrect version

* fix: fix macOS verison build error

* fix: fix macOS build error

* fix: replaced macOS icon

* feat: Added more output types for electron and streamlined the workflow

* fix: Rollup package issue

* fix: Rollup package issue for macOS

* feat: fix macOS/Linux build error

* fix: fix macOS build error

* fix: fix macOS build error and double folder issues

* fix: fix macOS build error

* fix: fix macOS build error

* fix: fix macOS build error

* fix: fix macOS build error

* fix: files uploading as folders instead of raw executable

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing

* fix: macOS build failing and update workflow options

* fix: macOS build failing

* fix: Upload to release not finding a release

* fix: ChaNge platform for upload to release

* fix: Standardize file naming

* fix: Build error with custom tar.gz naming

* fix: Allow .dmg signing

* fix: Fix .dmg signing

* fix: Fix notarize build error

* fix: Fix notarize build error

* fix: Add app specific password

* fix: add developer ID certificate

* fix: macOS app not closing

* fix: cache error

* Add Brazilian Portuguese translation (#425)

* Update Docker image name for GitHub registry

* Fix image name casing in Docker workflow

* Remove untagged image cleanup step from workflow

Removed the step to delete untagged image versions from the workflow.

* Change Docker login to use GHCR credentials

Updated Docker login credentials for GitHub Container Registry.

* Remove cache moving step from Docker workflow

Removed the step to move the build cache in the Docker workflow.

* Refactor Docker image workflow for versioning and builds

* Update docker-image.yml

* Add Brazilian Portuguese translation

---------

Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>

* feat: add chocolatey support

* feat: add initial flatpak/homebrew support

* fix: incorrect choco URL

* fix: rename choco package

* fix: updated package lock

* fix: move totp dialog

* feat: centralize SSH tools and allow multi terminal snippets

* fix: Squash commit of several fixes and features for many different elements

* fix: Fix some translations

* fix: pt-BR build error

* fix: npm build error

* fix: npm build error

* feat: rename gh actions

* fix: None auth and Host.tsx edit button issues

* fix: macOS dmg fail

* fix: linux not building x64

* fix: linux not uploading x64

* fix: Password reset issues, ODIC admin auth not filling, and electron x64 build issues

* feat: Squashed commit of fixing "none" authentication and adding a sessions system for mobile, electron, and web

* fix: Replace checkbox in docker build with dropdown

* fix: Issue with electron not displaying site

* fix: Issue with electron not displaying se

* fix: Issue with electron not displaying

* fix: Mobile reporting wrong user-agent

* fix: Nginx runtime error

* fix: JWT not persisting after reboot

* feat: add null to gitnore

* feat: remove sessions after reboot

* fix: File cleanup

* fix: Uncapitalize folder titles and finalize file cleanup

* fix: Build errors after cleanup

* fix: GITHUB_TOKEN issue in electron build

* fix: Random macOS build error

* fix: macOS GH token error

* fix: Incorrect desktop user agent and build issues

* fix: Notarize cleanup

* fix: None auth issues and macOS build failure and rename files for consistency

* fix: Run prettier

* feat: Update readme for iPadOS

* fix: Electron desktop not logging in

* fix: Electron desktop not logging in

* fix: Duplicated CORS headers

* fix: Electron login issues

* fix: Sqlite package fix

* fix: Desktop app login issues and rename version check and host manager folder

* fix: Electron HTTP fix + stripped background fix

* fix: Electron security issues and TOTP/None auth issues

* fix: Server config showing in web view

* fix: Update readme

* fix: Update readme

* [FEATURE] Adjustable Left Menu Width in Web Interface (#427)

#234
Added to LeftSidebar.tsx functionality
Update TopNavbar.tsx to use sidebar dynamic width

Co-authored-by: Robert Coroianu <robert.coroianu@easydo.co>

* fix: Sidebar resize issues and issues with TOTP interfering with password auth

* chore: Run prettier

* fix: Tunnels being same name

* fix: Electron build problems

* fix: Type error

* fix: Linux app image and server conifg issue

* fix: Run linter

* fix: Incorrect android user agent

* fix: No x64 appimage and server config displaying in electron webview

* fix: Electron API and terminal websocket issues

* fix: Android user agent edgecase and electron using web view incorrectly

* feat: Added mobile and electron UI redirecting system

* fix: Fix electron login and mobile redirect

* feat: add Russian translation and readme (#428)

* Update Docker image name for GitHub registry

* Fix image name casing in Docker workflow

* Remove untagged image cleanup step from workflow

Removed the step to delete untagged image versions from the workflow.

* Change Docker login to use GHCR credentials

Updated Docker login credentials for GitHub Container Registry.

* Remove cache moving step from Docker workflow

Removed the step to move the build cache in the Docker workflow.

* Refactor Docker image workflow for versioning and builds

* Update docker-image.yml

* Update print statement from 'Hello' to 'Goodbye'

* Update docker build

* Rename docker-image.yml to docker.yml

* Rename electron-build.yml to electron.yml

* feat: add Russian translation and readme

* feat: Added mobile and electron UI redirecting system

* fix: Fix electron login and mobile redirect

* Update Docker image name for GitHub registry

* Fix image name casing in Docker workflow

* Remove untagged image cleanup step from workflow

Removed the step to delete untagged image versions from the workflow.

* Change Docker login to use GHCR credentials

Updated Docker login credentials for GitHub Container Registry.

* Remove cache moving step from Docker workflow

Removed the step to move the build cache in the Docker workflow.

* Refactor Docker image workflow for versioning and builds

* Update docker-image.yml

* Update print statement from 'Hello' to 'Goodbye'

* Update docker build

* Rename docker-image.yml to docker.yml

* Rename electron-build.yml to electron.yml

* feat: add Russian translation and readme

* fix: Add russian

---------

Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: root <root@codeserver.192.168.0.5>
Co-authored-by: LukeGus <bugattiguy527@gmail.com>

* fix: remove russian readme

* fix: Revert workflows back to normal

* fix: Session invoking all sessions and mobile success redirect not displaying

* fix: Logging out on one device logs out all on same user

* fix: Improve session clearing (possible RC)

* fix: Linux portable naming incorrect

* fix: Linux desktop not opening

* fix: Linux build failure

* fix: Linux build failure

* fix: Linux build failure

* fix: Linux build failure

* fix: Linux sandbox issue

* fix: Linux sandbox issue

* fix: Linux sandbox issue

* fix: Finalize electron

* fix: Database check failure (release cantidate)

* fix: Run cleanup and final fix for electron

---------

Co-authored-by: Ved Prakash <54140516+thorved@users.noreply.github.com>
Co-authored-by: P3RF3CTION <herzmaximilian@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: ZacharyZcR <2903735704@qq.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: blacksmith-sh[bot] <157653362+blacksmith-sh[bot]@users.noreply.github.com>
Co-authored-by: suraimu-team <team@suraimu.com>
Co-authored-by: Nikola Novoselec <12149536+nikolanovoselec@users.noreply.github.com>
Co-authored-by: Nikola Novoselec <nikolanovoselec@users.noreply.github.com>
Co-authored-by: xhemp <13650956+xhemp@users.noreply.github.com>
Co-authored-by: Robert Coroianu <robert.coroianu@gmail.com>
Co-authored-by: Robert Coroianu <robert.coroianu@easydo.co>
Co-authored-by: shizaterrorblade <shizaterrorblayde@gmail.com>
Co-authored-by: root <root@codeserver.192.168.0.5>
2025-11-05 10:36:16 -06:00

2430 lines
72 KiB
TypeScript
Raw Blame History

import type { AuthenticatedRequest } from "../../../types/index.js";
import express from "express";
import crypto from "crypto";
import { db } from "../db/index.js";
import {
users,
sessions,
sshData,
sshCredentials,
fileManagerRecent,
fileManagerPinned,
fileManagerShortcuts,
dismissedAlerts,
settings,
sshCredentialUsage,
recentActivity,
snippets,
} from "../db/schema.js";
import { eq, and } from "drizzle-orm";
import bcrypt from "bcryptjs";
import { nanoid } from "nanoid";
import speakeasy from "speakeasy";
import QRCode from "qrcode";
import type { Request, Response } from "express";
import { authLogger } from "../../utils/logger.js";
import { AuthManager } from "../../utils/auth-manager.js";
import { DataCrypto } from "../../utils/data-crypto.js";
import { LazyFieldEncryption } from "../../utils/lazy-field-encryption.js";
import { parseUserAgent } from "../../utils/user-agent-parser.js";
const authManager = AuthManager.getInstance();
async function verifyOIDCToken(
idToken: string,
issuerUrl: string,
clientId: string,
): Promise<Record<string, unknown>> {
const normalizedIssuerUrl = issuerUrl.endsWith("/")
? issuerUrl.slice(0, -1)
: issuerUrl;
const possibleIssuers = [
issuerUrl,
normalizedIssuerUrl,
issuerUrl.replace(/\/application\/o\/[^/]+$/, ""),
normalizedIssuerUrl.replace(/\/application\/o\/[^/]+$/, ""),
];
const jwksUrls = [
`${normalizedIssuerUrl}/.well-known/jwks.json`,
`${normalizedIssuerUrl}/jwks/`,
`${normalizedIssuerUrl.replace(/\/application\/o\/[^/]+$/, "")}/.well-known/jwks.json`,
];
try {
const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`;
const discoveryResponse = await fetch(discoveryUrl);
if (discoveryResponse.ok) {
const discovery = (await discoveryResponse.json()) as Record<
string,
unknown
>;
if (discovery.jwks_uri) {
jwksUrls.unshift(discovery.jwks_uri as string);
}
}
} catch (discoveryError) {
authLogger.error(`OIDC discovery failed: ${discoveryError}`);
}
let jwks: Record<string, unknown> | null = null;
for (const url of jwksUrls) {
try {
const response = await fetch(url);
if (response.ok) {
const jwksData = (await response.json()) as Record<string, unknown>;
if (jwksData && jwksData.keys && Array.isArray(jwksData.keys)) {
jwks = jwksData;
break;
} else {
authLogger.error(
`Invalid JWKS structure from ${url}: ${JSON.stringify(jwksData)}`,
);
}
} else {
}
} catch {
continue;
}
}
if (!jwks) {
throw new Error("Failed to fetch JWKS from any URL");
}
if (!jwks.keys || !Array.isArray(jwks.keys)) {
throw new Error(
`Invalid JWKS response structure. Expected 'keys' array, got: ${JSON.stringify(jwks)}`,
);
}
const header = JSON.parse(
Buffer.from(idToken.split(".")[0], "base64").toString(),
);
const keyId = header.kid;
const publicKey = jwks.keys.find(
(key: Record<string, unknown>) => key.kid === keyId,
);
if (!publicKey) {
throw new Error(
`No matching public key found for key ID: ${keyId}. Available keys: ${jwks.keys.map((k: Record<string, unknown>) => k.kid).join(", ")}`,
);
}
const { importJWK, jwtVerify } = await import("jose");
const key = await importJWK(publicKey);
const { payload } = await jwtVerify(idToken, key, {
issuer: possibleIssuers,
audience: clientId,
});
return payload;
}
const router = express.Router();
function isNonEmptyString(val: unknown): val is string {
return typeof val === "string" && val.trim().length > 0;
}
const authenticateJWT = authManager.createAuthMiddleware();
const requireAdmin = authManager.createAdminMiddleware();
// Route: Create traditional user (username/password)
// POST /users/create
router.post("/create", async (req, res) => {
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'allow_registration'")
.get();
if (row && (row as Record<string, unknown>).value !== "true") {
return res
.status(403)
.json({ error: "Registration is currently disabled" });
}
} catch (e) {
authLogger.warn("Failed to check registration status", {
operation: "registration_check",
error: e,
});
}
const { username, password } = req.body;
if (!isNonEmptyString(username) || !isNonEmptyString(password)) {
authLogger.warn(
"Invalid user creation attempt - missing username or password",
{
operation: "user_create",
hasUsername: !!username,
hasPassword: !!password,
},
);
return res
.status(400)
.json({ error: "Username and password are required" });
}
try {
const existing = await db
.select()
.from(users)
.where(eq(users.username, username));
if (existing && existing.length > 0) {
authLogger.warn(`Attempt to create duplicate username: ${username}`, {
operation: "user_create",
username,
});
return res.status(409).json({ error: "Username already exists" });
}
let isFirstUser = false;
const countResult = db.$client
.prepare("SELECT COUNT(*) as count FROM users")
.get();
isFirstUser = ((countResult as { count?: number })?.count || 0) === 0;
const saltRounds = parseInt(process.env.SALT || "10", 10);
const password_hash = await bcrypt.hash(password, saltRounds);
const id = nanoid();
await db.insert(users).values({
id,
username,
password_hash,
is_admin: isFirstUser,
is_oidc: false,
client_id: "",
client_secret: "",
issuer_url: "",
authorization_url: "",
token_url: "",
identifier_path: "",
name_path: "",
scopes: "openid email profile",
totp_secret: null,
totp_enabled: false,
totp_backup_codes: null,
});
try {
await authManager.registerUser(id, password);
} catch (encryptionError) {
await db.delete(users).where(eq(users.id, id));
authLogger.error(
"Failed to setup user encryption, user creation rolled back",
encryptionError,
{
operation: "user_create_encryption_failed",
userId: id,
},
);
return res.status(500).json({
error: "Failed to setup user security - user creation cancelled",
});
}
authLogger.success(
`Traditional user created: ${username} (is_admin: ${isFirstUser})`,
{
operation: "user_create",
username,
isAdmin: isFirstUser,
userId: id,
},
);
res.json({
message: "User created",
is_admin: isFirstUser,
toast: { type: "success", message: `User created: ${username}` },
});
} catch (err) {
authLogger.error("Failed to create user", err);
res.status(500).json({ error: "Failed to create user" });
}
});
// Route: Create OIDC provider configuration (admin only)
// POST /users/oidc-config
router.post("/oidc-config", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0 || !user[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
const {
client_id,
client_secret,
issuer_url,
authorization_url,
token_url,
userinfo_url,
identifier_path,
name_path,
scopes,
} = req.body;
const isDisableRequest =
(client_id === "" || client_id === null || client_id === undefined) &&
(client_secret === "" ||
client_secret === null ||
client_secret === undefined) &&
(issuer_url === "" || issuer_url === null || issuer_url === undefined) &&
(authorization_url === "" ||
authorization_url === null ||
authorization_url === undefined) &&
(token_url === "" || token_url === null || token_url === undefined);
const isEnableRequest =
isNonEmptyString(client_id) &&
isNonEmptyString(client_secret) &&
isNonEmptyString(issuer_url) &&
isNonEmptyString(authorization_url) &&
isNonEmptyString(token_url) &&
isNonEmptyString(identifier_path) &&
isNonEmptyString(name_path);
if (!isDisableRequest && !isEnableRequest) {
authLogger.warn(
"OIDC validation failed - neither disable nor enable request",
{
operation: "oidc_config_update",
userId,
isDisableRequest,
isEnableRequest,
},
);
return res
.status(400)
.json({ error: "All OIDC configuration fields are required" });
}
if (isDisableRequest) {
db.$client
.prepare("DELETE FROM settings WHERE key = 'oidc_config'")
.run();
authLogger.info("OIDC configuration disabled", {
operation: "oidc_disable",
userId,
});
res.json({ message: "OIDC configuration disabled" });
} else {
const config = {
client_id,
client_secret,
issuer_url,
authorization_url,
token_url,
userinfo_url: userinfo_url || "",
identifier_path,
name_path,
scopes: scopes || "openid email profile",
};
let encryptedConfig;
try {
const adminDataKey = DataCrypto.getUserDataKey(userId);
if (adminDataKey) {
const configWithId = { ...config, id: `oidc-config-${userId}` };
encryptedConfig = DataCrypto.encryptRecord(
"settings",
configWithId,
userId,
adminDataKey,
);
} else {
encryptedConfig = {
...config,
client_secret: `encrypted:${Buffer.from(client_secret).toString("base64")}`,
};
authLogger.warn(
"OIDC configuration stored with basic encoding - admin should re-save with password",
{
operation: "oidc_config_basic_encoding",
userId,
},
);
}
} catch (encryptError) {
authLogger.error(
"Failed to encrypt OIDC configuration, storing with basic encoding",
encryptError,
{
operation: "oidc_config_encrypt_failed",
userId,
},
);
encryptedConfig = {
...config,
client_secret: `encoded:${Buffer.from(client_secret).toString("base64")}`,
};
}
db.$client
.prepare(
"INSERT OR REPLACE INTO settings (key, value) VALUES ('oidc_config', ?)",
)
.run(JSON.stringify(encryptedConfig));
authLogger.info("OIDC configuration updated", {
operation: "oidc_update",
userId,
hasUserinfoUrl: !!userinfo_url,
});
res.json({ message: "OIDC configuration updated" });
}
} catch (err) {
authLogger.error("Failed to update OIDC config", err);
res.status(500).json({ error: "Failed to update OIDC config" });
}
});
// Route: Disable OIDC configuration (admin only)
// DELETE /users/oidc-config
router.delete("/oidc-config", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0 || !user[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
db.$client.prepare("DELETE FROM settings WHERE key = 'oidc_config'").run();
authLogger.success("OIDC configuration disabled", {
operation: "oidc_disable",
userId,
});
res.json({ message: "OIDC configuration disabled" });
} catch (err) {
authLogger.error("Failed to disable OIDC config", err);
res.status(500).json({ error: "Failed to disable OIDC config" });
}
});
// Route: Get OIDC configuration (public - needed for login page)
// GET /users/oidc-config
router.get("/oidc-config", async (req, res) => {
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'oidc_config'")
.get();
if (!row) {
return res.json(null);
}
const config = JSON.parse((row as Record<string, unknown>).value as string);
const publicConfig = {
client_id: config.client_id,
issuer_url: config.issuer_url,
authorization_url: config.authorization_url,
scopes: config.scopes,
};
return res.json(publicConfig);
} catch (err) {
authLogger.error("Failed to get OIDC config", err);
res.status(500).json({ error: "Failed to get OIDC config" });
}
});
// Route: Get OIDC configuration for Admin (admin only)
// GET /users/oidc-config/admin
router.get("/oidc-config/admin", requireAdmin, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'oidc_config'")
.get();
if (!row) {
return res.json(null);
}
let config = JSON.parse((row as Record<string, unknown>).value as string);
if (config.client_secret?.startsWith("encrypted:")) {
try {
const adminDataKey = DataCrypto.getUserDataKey(userId);
if (adminDataKey) {
config = DataCrypto.decryptRecord(
"settings",
config,
userId,
adminDataKey,
);
} else {
config.client_secret = "[ENCRYPTED - PASSWORD REQUIRED]";
}
} catch (decryptError) {
authLogger.warn("Failed to decrypt OIDC config for admin", {
operation: "oidc_config_decrypt_failed",
userId,
});
config.client_secret = "[ENCRYPTED - DECRYPTION FAILED]";
}
} else if (config.client_secret?.startsWith("encoded:")) {
try {
const decoded = Buffer.from(
config.client_secret.substring(8),
"base64",
).toString("utf8");
config.client_secret = decoded;
} catch (decodeError) {
authLogger.warn("Failed to decode OIDC config for admin", {
operation: "oidc_config_decode_failed",
userId,
});
config.client_secret = "[ENCODING ERROR]";
}
}
res.json(config);
} catch (err) {
authLogger.error("Failed to get OIDC config for admin", err);
res.status(500).json({ error: "Failed to get OIDC config for admin" });
}
});
// Route: Get OIDC authorization URL
// GET /users/oidc/authorize
router.get("/oidc/authorize", async (req, res) => {
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'oidc_config'")
.get();
if (!row) {
return res.status(404).json({ error: "OIDC not configured" });
}
const config = JSON.parse((row as Record<string, unknown>).value as string);
const state = nanoid();
const nonce = nanoid();
let origin =
req.get("Origin") ||
req.get("Referer")?.replace(/\/[^/]*$/, "") ||
"http://localhost:5173";
if (origin.includes("localhost")) {
origin = "http://localhost:30001";
}
const redirectUri = `${origin}/users/oidc/callback`;
db.$client
.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)")
.run(`oidc_state_${state}`, nonce);
db.$client
.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)")
.run(`oidc_redirect_${state}`, redirectUri);
const authUrl = new URL(config.authorization_url);
authUrl.searchParams.set("client_id", config.client_id);
authUrl.searchParams.set("redirect_uri", redirectUri);
authUrl.searchParams.set("response_type", "code");
authUrl.searchParams.set("scope", config.scopes);
authUrl.searchParams.set("state", state);
authUrl.searchParams.set("nonce", nonce);
res.json({ auth_url: authUrl.toString(), state, nonce });
} catch (err) {
authLogger.error("Failed to generate OIDC auth URL", err);
res.status(500).json({ error: "Failed to generate authorization URL" });
}
});
// Route: OIDC callback - exchange code for token and create/login user
// GET /users/oidc/callback
router.get("/oidc/callback", async (req, res) => {
const { code, state } = req.query;
if (!isNonEmptyString(code) || !isNonEmptyString(state)) {
return res.status(400).json({ error: "Code and state are required" });
}
const storedRedirectRow = db.$client
.prepare("SELECT value FROM settings WHERE key = ?")
.get(`oidc_redirect_${state}`);
if (!storedRedirectRow) {
return res
.status(400)
.json({ error: "Invalid state parameter - redirect URI not found" });
}
const redirectUri = (storedRedirectRow as Record<string, unknown>)
.value as string;
try {
const storedNonce = db.$client
.prepare("SELECT value FROM settings WHERE key = ?")
.get(`oidc_state_${state}`);
if (!storedNonce) {
return res.status(400).json({ error: "Invalid state parameter" });
}
db.$client
.prepare("DELETE FROM settings WHERE key = ?")
.run(`oidc_state_${state}`);
db.$client
.prepare("DELETE FROM settings WHERE key = ?")
.run(`oidc_redirect_${state}`);
const configRow = db.$client
.prepare("SELECT value FROM settings WHERE key = 'oidc_config'")
.get();
if (!configRow) {
return res.status(500).json({ error: "OIDC not configured" });
}
const config = JSON.parse(
(configRow as Record<string, unknown>).value as string,
);
const tokenResponse = await fetch(config.token_url, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: new URLSearchParams({
grant_type: "authorization_code",
client_id: config.client_id,
client_secret: config.client_secret,
code: code,
redirect_uri: redirectUri,
}),
});
if (!tokenResponse.ok) {
authLogger.error(
"OIDC token exchange failed",
await tokenResponse.text(),
);
return res
.status(400)
.json({ error: "Failed to exchange authorization code" });
}
const tokenData = (await tokenResponse.json()) as Record<string, unknown>;
let userInfo: Record<string, unknown> = null;
const userInfoUrls: string[] = [];
const normalizedIssuerUrl = config.issuer_url.endsWith("/")
? config.issuer_url.slice(0, -1)
: config.issuer_url;
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^/]+$/, "");
try {
const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`;
const discoveryResponse = await fetch(discoveryUrl);
if (discoveryResponse.ok) {
const discovery = (await discoveryResponse.json()) as Record<
string,
unknown
>;
if (discovery.userinfo_endpoint) {
userInfoUrls.push(discovery.userinfo_endpoint as string);
}
}
} catch (discoveryError) {
authLogger.error(`OIDC discovery failed: ${discoveryError}`);
}
if (config.userinfo_url) {
userInfoUrls.unshift(config.userinfo_url);
}
userInfoUrls.push(
`${baseUrl}/userinfo/`,
`${baseUrl}/userinfo`,
`${normalizedIssuerUrl}/userinfo/`,
`${normalizedIssuerUrl}/userinfo`,
`${baseUrl}/oauth2/userinfo/`,
`${baseUrl}/oauth2/userinfo`,
`${normalizedIssuerUrl}/oauth2/userinfo/`,
`${normalizedIssuerUrl}/oauth2/userinfo`,
);
if (tokenData.id_token) {
try {
userInfo = await verifyOIDCToken(
tokenData.id_token as string,
config.issuer_url,
config.client_id,
);
} catch {
try {
const parts = (tokenData.id_token as string).split(".");
if (parts.length === 3) {
const payload = JSON.parse(
Buffer.from(parts[1], "base64").toString(),
);
userInfo = payload;
}
} catch (decodeError) {
authLogger.error("Failed to decode ID token payload:", decodeError);
}
}
}
if (!userInfo && tokenData.access_token) {
for (const userInfoUrl of userInfoUrls) {
try {
const userInfoResponse = await fetch(userInfoUrl, {
headers: {
Authorization: `Bearer ${tokenData.access_token}`,
},
});
if (userInfoResponse.ok) {
userInfo = (await userInfoResponse.json()) as Record<
string,
unknown
>;
break;
} else {
authLogger.error(
`Userinfo endpoint ${userInfoUrl} failed with status: ${userInfoResponse.status}`,
);
}
} catch (error) {
authLogger.error(`Userinfo endpoint ${userInfoUrl} failed:`, error);
continue;
}
}
}
if (!userInfo) {
authLogger.error("Failed to get user information from all sources");
authLogger.error(`Tried userinfo URLs: ${userInfoUrls.join(", ")}`);
authLogger.error(`Token data keys: ${Object.keys(tokenData).join(", ")}`);
authLogger.error(`Has id_token: ${!!tokenData.id_token}`);
authLogger.error(`Has access_token: ${!!tokenData.access_token}`);
return res.status(400).json({ error: "Failed to get user information" });
}
const getNestedValue = (
obj: Record<string, unknown>,
path: string,
): unknown => {
if (!path || !obj) return null;
return path.split(".").reduce((current, key) => current?.[key], obj);
};
const identifier = (getNestedValue(userInfo, config.identifier_path) ||
userInfo[config.identifier_path] ||
userInfo.sub ||
userInfo.email ||
userInfo.preferred_username) as string;
const name = (getNestedValue(userInfo, config.name_path) ||
userInfo[config.name_path] ||
userInfo.name ||
userInfo.given_name ||
identifier) as string;
if (!identifier) {
authLogger.error(
`Identifier not found at path: ${config.identifier_path}`,
);
authLogger.error(`Available fields: ${Object.keys(userInfo).join(", ")}`);
return res.status(400).json({
error: `User identifier not found at path: ${config.identifier_path}. Available fields: ${Object.keys(userInfo).join(", ")}`,
});
}
let user = await db
.select()
.from(users)
.where(
and(eq(users.is_oidc, true), eq(users.oidc_identifier, identifier)),
);
let isFirstUser = false;
if (!user || user.length === 0) {
const countResult = db.$client
.prepare("SELECT COUNT(*) as count FROM users")
.get();
isFirstUser = ((countResult as { count?: number })?.count || 0) === 0;
const id = nanoid();
await db.insert(users).values({
id,
username: name,
password_hash: "",
is_admin: isFirstUser,
is_oidc: true,
oidc_identifier: identifier,
client_id: String(config.client_id),
client_secret: String(config.client_secret),
issuer_url: String(config.issuer_url),
authorization_url: String(config.authorization_url),
token_url: String(config.token_url),
identifier_path: String(config.identifier_path),
name_path: String(config.name_path),
scopes: String(config.scopes),
});
try {
await authManager.registerOIDCUser(id);
} catch (encryptionError) {
await db.delete(users).where(eq(users.id, id));
authLogger.error(
"Failed to setup OIDC user encryption, user creation rolled back",
encryptionError,
{
operation: "oidc_user_create_encryption_failed",
userId: id,
},
);
return res.status(500).json({
error: "Failed to setup user security - user creation cancelled",
});
}
user = await db.select().from(users).where(eq(users.id, id));
} else {
await db
.update(users)
.set({ username: name })
.where(eq(users.id, user[0].id));
user = await db.select().from(users).where(eq(users.id, user[0].id));
}
const userRecord = user[0];
try {
await authManager.authenticateOIDCUser(userRecord.id);
} catch (setupError) {
authLogger.error("Failed to setup OIDC user encryption", setupError, {
operation: "oidc_user_encryption_setup_failed",
userId: userRecord.id,
});
}
const deviceInfo = parseUserAgent(req);
const token = await authManager.generateJWTToken(userRecord.id, {
deviceType: deviceInfo.type,
deviceInfo: deviceInfo.deviceInfo,
});
authLogger.success("OIDC user authenticated", {
operation: "oidc_login_success",
userId: userRecord.id,
deviceType: deviceInfo.type,
deviceInfo: deviceInfo.deviceInfo,
});
let frontendUrl = (redirectUri as string).replace(
"/users/oidc/callback",
"",
);
if (frontendUrl.includes("localhost")) {
frontendUrl = "http://localhost:5173";
}
const redirectUrl = new URL(frontendUrl);
redirectUrl.searchParams.set("success", "true");
const maxAge =
deviceInfo.type === "desktop" || deviceInfo.type === "mobile"
? 30 * 24 * 60 * 60 * 1000
: 7 * 24 * 60 * 60 * 1000;
return res
.cookie("jwt", token, authManager.getSecureCookieOptions(req, maxAge))
.redirect(redirectUrl.toString());
} catch (err) {
authLogger.error("OIDC callback failed", err);
let frontendUrl = (redirectUri as string).replace(
"/users/oidc/callback",
"",
);
if (frontendUrl.includes("localhost")) {
frontendUrl = "http://localhost:5173";
}
const redirectUrl = new URL(frontendUrl);
redirectUrl.searchParams.set("error", "OIDC authentication failed");
res.redirect(redirectUrl.toString());
}
});
// Route: Get user JWT by username and password (traditional login)
// POST /users/login
router.post("/login", async (req, res) => {
const { username, password } = req.body;
if (!isNonEmptyString(username) || !isNonEmptyString(password)) {
authLogger.warn("Invalid traditional login attempt", {
operation: "user_login",
hasUsername: !!username,
hasPassword: !!password,
});
return res.status(400).json({ error: "Invalid username or password" });
}
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'allow_password_login'")
.get();
if (row && (row as { value: string }).value !== "true") {
return res
.status(403)
.json({ error: "Password authentication is currently disabled" });
}
} catch (e) {
authLogger.error("Failed to check password login status", {
operation: "login_check",
error: e,
});
return res.status(500).json({ error: "Failed to check login status" });
}
try {
const user = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!user || user.length === 0) {
authLogger.warn(`User not found: ${username}`, {
operation: "user_login",
username,
});
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (userRecord.is_oidc) {
authLogger.warn("OIDC user attempted traditional login", {
operation: "user_login",
username,
userId: userRecord.id,
});
return res
.status(403)
.json({ error: "This user uses external authentication" });
}
const isMatch = await bcrypt.compare(password, userRecord.password_hash);
if (!isMatch) {
authLogger.warn(`Incorrect password for user: ${username}`, {
operation: "user_login",
username,
userId: userRecord.id,
});
return res.status(401).json({ error: "Incorrect password" });
}
try {
const kekSalt = await db
.select()
.from(settings)
.where(eq(settings.key, `user_kek_salt_${userRecord.id}`));
if (kekSalt.length === 0) {
await authManager.registerUser(userRecord.id, password);
}
} catch {}
const dataUnlocked = await authManager.authenticateUser(
userRecord.id,
password,
);
if (!dataUnlocked) {
return res.status(401).json({ error: "Incorrect password" });
}
if (userRecord.totp_enabled) {
const tempToken = await authManager.generateJWTToken(userRecord.id, {
pendingTOTP: true,
expiresIn: "10m",
});
return res.json({
success: true,
requires_totp: true,
temp_token: tempToken,
});
}
const deviceInfo = parseUserAgent(req);
const token = await authManager.generateJWTToken(userRecord.id, {
deviceType: deviceInfo.type,
deviceInfo: deviceInfo.deviceInfo,
});
authLogger.success(`User logged in successfully: ${username}`, {
operation: "user_login_success",
username,
userId: userRecord.id,
dataUnlocked: true,
deviceType: deviceInfo.type,
deviceInfo: deviceInfo.deviceInfo,
});
const response: Record<string, unknown> = {
success: true,
is_admin: !!userRecord.is_admin,
username: userRecord.username,
};
const isElectron =
req.headers["x-electron-app"] === "true" ||
req.headers["X-Electron-App"] === "true";
if (isElectron) {
response.token = token;
}
const maxAge =
deviceInfo.type === "desktop" || deviceInfo.type === "mobile"
? 30 * 24 * 60 * 60 * 1000
: 7 * 24 * 60 * 60 * 1000;
return res
.cookie("jwt", token, authManager.getSecureCookieOptions(req, maxAge))
.json(response);
} catch (err) {
authLogger.error("Failed to log in user", err);
return res.status(500).json({ error: "Login failed" });
}
});
// Route: Logout user
// POST /users/logout
router.post("/logout", authenticateJWT, async (req, res) => {
try {
const authReq = req as AuthenticatedRequest;
const userId = authReq.userId;
if (userId) {
const token =
req.cookies?.jwt || req.headers["authorization"]?.split(" ")[1];
let sessionId: string | undefined;
if (token) {
try {
const payload = await authManager.verifyJWTToken(token);
sessionId = payload?.sessionId;
} catch (error) {}
}
await authManager.logoutUser(userId, sessionId);
authLogger.info("User logged out", {
operation: "user_logout",
userId,
sessionId,
});
}
return res
.clearCookie("jwt", authManager.getSecureCookieOptions(req))
.json({ success: true, message: "Logged out successfully" });
} catch (err) {
authLogger.error("Logout failed", err);
return res.status(500).json({ error: "Logout failed" });
}
});
// Route: Get current user's info using JWT
// GET /users/me
router.get("/me", authenticateJWT, async (req: Request, res: Response) => {
const userId = (req as AuthenticatedRequest).userId;
if (!isNonEmptyString(userId)) {
authLogger.warn("Invalid userId in JWT for /users/me");
return res.status(401).json({ error: "Invalid userId" });
}
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
authLogger.warn(`User not found for /users/me: ${userId}`);
return res.status(401).json({ error: "User not found" });
}
res.json({
userId: user[0].id,
username: user[0].username,
is_admin: !!user[0].is_admin,
is_oidc: !!user[0].is_oidc,
totp_enabled: !!user[0].totp_enabled,
});
} catch (err) {
authLogger.error("Failed to get username", err);
res.status(500).json({ error: "Failed to get username" });
}
});
// Route: Check if system requires initial setup (public - for first-time setup detection)
// GET /users/setup-required
router.get("/setup-required", async (req, res) => {
try {
const countResult = db.$client
.prepare("SELECT COUNT(*) as count FROM users")
.get();
const count = (countResult as { count?: number })?.count || 0;
res.json({
setup_required: count === 0,
});
} catch (err) {
authLogger.error("Failed to check setup status", err);
res.status(500).json({ error: "Failed to check setup status" });
}
});
// Route: Count users (admin only - for dashboard statistics)
// GET /users/count
router.get("/count", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user[0] || !user[0].is_admin) {
return res.status(403).json({ error: "Admin access required" });
}
const countResult = db.$client
.prepare("SELECT COUNT(*) as count FROM users")
.get();
const count = (countResult as { count?: number })?.count || 0;
res.json({ count });
} catch (err) {
authLogger.error("Failed to count users", err);
res.status(500).json({ error: "Failed to count users" });
}
});
// Route: DB health check (actually queries DB)
// GET /users/db-health
router.get("/db-health", requireAdmin, async (req, res) => {
try {
db.$client.prepare("SELECT 1").get();
res.json({ status: "ok" });
} catch (err) {
authLogger.error("DB health check failed", err);
res.status(500).json({ error: "Database not accessible" });
}
});
// Route: Get registration allowed status (public - needed for login page)
// GET /users/registration-allowed
router.get("/registration-allowed", async (req, res) => {
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'allow_registration'")
.get();
res.json({
allowed: row ? (row as Record<string, unknown>).value === "true" : true,
});
} catch (err) {
authLogger.error("Failed to get registration allowed", err);
res.status(500).json({ error: "Failed to get registration allowed" });
}
});
// Route: Set registration allowed status (admin only)
// PATCH /users/registration-allowed
router.patch("/registration-allowed", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0 || !user[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
const { allowed } = req.body;
if (typeof allowed !== "boolean") {
return res.status(400).json({ error: "Invalid value for allowed" });
}
db.$client
.prepare("UPDATE settings SET value = ? WHERE key = 'allow_registration'")
.run(allowed ? "true" : "false");
res.json({ allowed });
} catch (err) {
authLogger.error("Failed to set registration allowed", err);
res.status(500).json({ error: "Failed to set registration allowed" });
}
});
// Route: Get password login allowed status (public - needed for login page)
// GET /users/password-login-allowed
router.get("/password-login-allowed", async (req, res) => {
try {
const row = db.$client
.prepare("SELECT value FROM settings WHERE key = 'allow_password_login'")
.get();
res.json({
allowed: row ? (row as { value: string }).value === "true" : true,
});
} catch (err) {
authLogger.error("Failed to get password login allowed", err);
res.status(500).json({ error: "Failed to get password login allowed" });
}
});
// Route: Set password login allowed status (admin only)
// PATCH /users/password-login-allowed
router.patch("/password-login-allowed", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0 || !user[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
const { allowed } = req.body;
if (typeof allowed !== "boolean") {
return res.status(400).json({ error: "Invalid value for allowed" });
}
db.$client
.prepare(
"INSERT OR REPLACE INTO settings (key, value) VALUES ('allow_password_login', ?)",
)
.run(allowed ? "true" : "false");
res.json({ allowed });
} catch (err) {
authLogger.error("Failed to set password login allowed", err);
res.status(500).json({ error: "Failed to set password login allowed" });
}
});
// Route: Delete user account
// DELETE /users/delete-account
router.delete("/delete-account", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { password } = req.body;
if (!isNonEmptyString(password)) {
return res
.status(400)
.json({ error: "Password is required to delete account" });
}
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (userRecord.is_oidc) {
return res.status(403).json({
error:
"Cannot delete external authentication accounts through this endpoint",
});
}
const isMatch = await bcrypt.compare(password, userRecord.password_hash);
if (!isMatch) {
authLogger.warn(
`Incorrect password provided for account deletion: ${userRecord.username}`,
);
return res.status(401).json({ error: "Incorrect password" });
}
if (userRecord.is_admin) {
const adminCount = db.$client
.prepare("SELECT COUNT(*) as count FROM users WHERE is_admin = 1")
.get();
if (((adminCount as { count?: number })?.count || 0) <= 1) {
return res
.status(403)
.json({ error: "Cannot delete the last admin user" });
}
}
await db.delete(users).where(eq(users.id, userId));
authLogger.success(`User account deleted: ${userRecord.username}`);
res.json({ message: "Account deleted successfully" });
} catch (err) {
authLogger.error("Failed to delete user account", err);
res.status(500).json({ error: "Failed to delete account" });
}
});
// Route: Initiate password reset
// POST /users/initiate-reset
router.post("/initiate-reset", async (req, res) => {
const { username } = req.body;
if (!isNonEmptyString(username)) {
return res.status(400).json({ error: "Username is required" });
}
try {
const user = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!user || user.length === 0) {
authLogger.warn(
`Password reset attempted for non-existent user: ${username}`,
);
return res.status(404).json({ error: "User not found" });
}
if (user[0].is_oidc) {
return res.status(403).json({
error: "Password reset not available for external authentication users",
});
}
const resetCode = crypto.randomInt(100000, 1000000).toString();
const expiresAt = new Date(Date.now() + 15 * 60 * 1000);
db.$client
.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)")
.run(
`reset_code_${username}`,
JSON.stringify({ code: resetCode, expiresAt: expiresAt.toISOString() }),
);
authLogger.info(
`Password reset code for user ${username}: ${resetCode} (expires at ${expiresAt.toLocaleString()})`,
);
res.json({
message:
"Password reset code has been generated and logged. Check docker logs for the code.",
});
} catch (err) {
authLogger.error("Failed to initiate password reset", err);
res.status(500).json({ error: "Failed to initiate password reset" });
}
});
// Route: Verify reset code
// POST /users/verify-reset-code
router.post("/verify-reset-code", async (req, res) => {
const { username, resetCode } = req.body;
if (!isNonEmptyString(username) || !isNonEmptyString(resetCode)) {
return res
.status(400)
.json({ error: "Username and reset code are required" });
}
try {
const resetDataRow = db.$client
.prepare("SELECT value FROM settings WHERE key = ?")
.get(`reset_code_${username}`);
if (!resetDataRow) {
return res
.status(400)
.json({ error: "No reset code found for this user" });
}
const resetData = JSON.parse(
(resetDataRow as Record<string, unknown>).value as string,
);
const now = new Date();
const expiresAt = new Date(resetData.expiresAt);
if (now > expiresAt) {
db.$client
.prepare("DELETE FROM settings WHERE key = ?")
.run(`reset_code_${username}`);
return res.status(400).json({ error: "Reset code has expired" });
}
if (resetData.code !== resetCode) {
return res.status(400).json({ error: "Invalid reset code" });
}
const tempToken = nanoid();
const tempTokenExpiry = new Date(Date.now() + 10 * 60 * 1000);
db.$client
.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)")
.run(
`temp_reset_token_${username}`,
JSON.stringify({
token: tempToken,
expiresAt: tempTokenExpiry.toISOString(),
}),
);
res.json({ message: "Reset code verified", tempToken });
} catch (err) {
authLogger.error("Failed to verify reset code", err);
res.status(500).json({ error: "Failed to verify reset code" });
}
});
// Route: Complete password reset
// POST /users/complete-reset
router.post("/complete-reset", async (req, res) => {
const { username, tempToken, newPassword } = req.body;
if (
!isNonEmptyString(username) ||
!isNonEmptyString(tempToken) ||
!isNonEmptyString(newPassword)
) {
return res.status(400).json({
error: "Username, temporary token, and new password are required",
});
}
try {
const tempTokenRow = db.$client
.prepare("SELECT value FROM settings WHERE key = ?")
.get(`temp_reset_token_${username}`);
if (!tempTokenRow) {
return res.status(400).json({ error: "No temporary token found" });
}
const tempTokenData = JSON.parse(
(tempTokenRow as Record<string, unknown>).value as string,
);
const now = new Date();
const expiresAt = new Date(tempTokenData.expiresAt);
if (now > expiresAt) {
db.$client
.prepare("DELETE FROM settings WHERE key = ?")
.run(`temp_reset_token_${username}`);
return res.status(400).json({ error: "Temporary token has expired" });
}
if (tempTokenData.token !== tempToken) {
return res.status(400).json({ error: "Invalid temporary token" });
}
const user = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userId = user[0].id;
const saltRounds = parseInt(process.env.SALT || "10", 10);
const password_hash = await bcrypt.hash(newPassword, saltRounds);
let userIdFromJwt: string | null = null;
const cookie = req.cookies?.jwt;
let header: string | undefined;
if (req.headers?.authorization?.startsWith("Bearer ")) {
header = req.headers?.authorization?.split(" ")[1];
}
const token = cookie || header;
if (token) {
const payload = await authManager.verifyJWTToken(token);
if (payload) {
userIdFromJwt = payload.userId;
}
}
if (userIdFromJwt === userId) {
try {
const success = await authManager.resetUserPasswordWithPreservedDEK(
userId,
newPassword,
);
if (!success) {
throw new Error("Failed to re-encrypt user data with new password.");
}
await db
.update(users)
.set({ password_hash })
.where(eq(users.id, userId));
authManager.logoutUser(userId);
authLogger.success(
`Password reset (data preserved) for user: ${username}`,
{
operation: "password_reset_preserved",
userId,
username,
},
);
} catch (encryptionError) {
authLogger.error(
"Failed to setup user data encryption after password reset",
encryptionError,
{
operation: "password_reset_encryption_failed_preserved",
userId,
username,
},
);
return res.status(500).json({
error: "Password reset failed. Please contact administrator.",
});
}
} else {
await db
.update(users)
.set({ password_hash })
.where(eq(users.username, username));
try {
await db
.delete(sshCredentialUsage)
.where(eq(sshCredentialUsage.userId, userId));
await db
.delete(fileManagerRecent)
.where(eq(fileManagerRecent.userId, userId));
await db
.delete(fileManagerPinned)
.where(eq(fileManagerPinned.userId, userId));
await db
.delete(fileManagerShortcuts)
.where(eq(fileManagerShortcuts.userId, userId));
await db
.delete(recentActivity)
.where(eq(recentActivity.userId, userId));
await db
.delete(dismissedAlerts)
.where(eq(dismissedAlerts.userId, userId));
await db.delete(snippets).where(eq(snippets.userId, userId));
await db.delete(sshData).where(eq(sshData.userId, userId));
await db
.delete(sshCredentials)
.where(eq(sshCredentials.userId, userId));
await authManager.registerUser(userId, newPassword);
authManager.logoutUser(userId);
await db
.update(users)
.set({
totp_enabled: false,
totp_secret: null,
totp_backup_codes: null,
})
.where(eq(users.id, userId));
authLogger.warn(
`Password reset completed for user: ${username}. All encrypted data has been deleted due to lost encryption key.`,
{
operation: "password_reset_data_deleted",
userId,
username,
},
);
} catch (encryptionError) {
authLogger.error(
"Failed to setup user data encryption after password reset",
encryptionError,
{
operation: "password_reset_encryption_failed",
userId,
username,
},
);
return res.status(500).json({
error: "Password reset failed. Please contact administrator.",
});
}
}
authLogger.success(`Password successfully reset for user: ${username}`);
db.$client
.prepare("DELETE FROM settings WHERE key = ?")
.run(`reset_code_${username}`);
db.$client
.prepare("DELETE FROM settings WHERE key = ?")
.run(`temp_reset_token_${username}`);
res.json({ message: "Password has been successfully reset" });
} catch (err) {
authLogger.error("Failed to complete password reset", err);
res.status(500).json({ error: "Failed to complete password reset" });
}
});
router.post("/change-password", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { oldPassword, newPassword } = req.body;
if (!userId) {
return res.status(401).json({ error: "User not authenticated" });
}
if (!oldPassword || !newPassword) {
return res
.status(400)
.json({ error: "Old and new passwords are required." });
}
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const isMatch = await bcrypt.compare(oldPassword, user[0].password_hash);
if (!isMatch) {
return res.status(401).json({ error: "Incorrect current password" });
}
const success = await authManager.changeUserPassword(
userId,
oldPassword,
newPassword,
);
if (!success) {
return res
.status(500)
.json({ error: "Failed to update password and re-encrypt data." });
}
const saltRounds = parseInt(process.env.SALT || "10", 10);
const password_hash = await bcrypt.hash(newPassword, saltRounds);
await db.update(users).set({ password_hash }).where(eq(users.id, userId));
authManager.logoutUser(userId);
res.json({ message: "Password changed successfully. Please log in again." });
});
// Route: List all users (admin only)
// GET /users/list
router.get("/list", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0 || !user[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
const allUsers = await db
.select({
id: users.id,
username: users.username,
is_admin: users.is_admin,
is_oidc: users.is_oidc,
})
.from(users);
res.json({ users: allUsers });
} catch (err) {
authLogger.error("Failed to list users", err);
res.status(500).json({ error: "Failed to list users" });
}
});
// Route: Make user admin (admin only)
// POST /users/make-admin
router.post("/make-admin", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { username } = req.body;
if (!isNonEmptyString(username)) {
return res.status(400).json({ error: "Username is required" });
}
try {
const adminUser = await db.select().from(users).where(eq(users.id, userId));
if (!adminUser || adminUser.length === 0 || !adminUser[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
const targetUser = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!targetUser || targetUser.length === 0) {
return res.status(404).json({ error: "User not found" });
}
if (targetUser[0].is_admin) {
return res.status(400).json({ error: "User is already an admin" });
}
await db
.update(users)
.set({ is_admin: true })
.where(eq(users.username, username));
authLogger.success(
`User ${username} made admin by ${adminUser[0].username}`,
);
res.json({ message: `User ${username} is now an admin` });
} catch (err) {
authLogger.error("Failed to make user admin", err);
res.status(500).json({ error: "Failed to make user admin" });
}
});
// Route: Remove admin status (admin only)
// POST /users/remove-admin
router.post("/remove-admin", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { username } = req.body;
if (!isNonEmptyString(username)) {
return res.status(400).json({ error: "Username is required" });
}
try {
const adminUser = await db.select().from(users).where(eq(users.id, userId));
if (!adminUser || adminUser.length === 0 || !adminUser[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
if (adminUser[0].username === username) {
return res
.status(400)
.json({ error: "Cannot remove your own admin status" });
}
const targetUser = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!targetUser || targetUser.length === 0) {
return res.status(404).json({ error: "User not found" });
}
if (!targetUser[0].is_admin) {
return res.status(400).json({ error: "User is not an admin" });
}
await db
.update(users)
.set({ is_admin: false })
.where(eq(users.username, username));
authLogger.success(
`Admin status removed from ${username} by ${adminUser[0].username}`,
);
res.json({ message: `Admin status removed from ${username}` });
} catch (err) {
authLogger.error("Failed to remove admin status", err);
res.status(500).json({ error: "Failed to remove admin status" });
}
});
// Route: Verify TOTP during login
// POST /users/totp/verify-login
router.post("/totp/verify-login", async (req, res) => {
const { temp_token, totp_code } = req.body;
if (!temp_token || !totp_code) {
return res.status(400).json({ error: "Token and TOTP code are required" });
}
try {
const decoded = await authManager.verifyJWTToken(temp_token);
if (!decoded || !decoded.pendingTOTP) {
return res.status(401).json({ error: "Invalid temporary token" });
}
const user = await db
.select()
.from(users)
.where(eq(users.id, decoded.userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (!userRecord.totp_enabled || !userRecord.totp_secret) {
return res.status(400).json({ error: "TOTP not enabled for this user" });
}
const userDataKey = authManager.getUserDataKey(userRecord.id);
if (!userDataKey) {
return res.status(401).json({
error: "Session expired - please log in again",
code: "SESSION_EXPIRED",
});
}
const totpSecret = LazyFieldEncryption.safeGetFieldValue(
userRecord.totp_secret,
userDataKey,
userRecord.id,
"totp_secret",
);
if (!totpSecret) {
await db
.update(users)
.set({
totp_enabled: false,
totp_secret: null,
totp_backup_codes: null,
})
.where(eq(users.id, userRecord.id));
return res.status(400).json({
error:
"TOTP has been disabled due to password reset. Please set up TOTP again.",
});
}
const verified = speakeasy.totp.verify({
secret: totpSecret,
encoding: "base32",
token: totp_code,
window: 2,
});
if (!verified) {
let backupCodes = [];
try {
backupCodes = userRecord.totp_backup_codes
? JSON.parse(userRecord.totp_backup_codes)
: [];
} catch {
backupCodes = [];
}
if (!Array.isArray(backupCodes)) {
backupCodes = [];
}
const backupIndex = backupCodes.indexOf(totp_code);
if (backupIndex === -1) {
return res.status(401).json({ error: "Invalid TOTP code" });
}
backupCodes.splice(backupIndex, 1);
await db
.update(users)
.set({ totp_backup_codes: JSON.stringify(backupCodes) })
.where(eq(users.id, userRecord.id));
}
const deviceInfo = parseUserAgent(req);
const token = await authManager.generateJWTToken(userRecord.id, {
deviceType: deviceInfo.type,
deviceInfo: deviceInfo.deviceInfo,
});
const isElectron =
req.headers["x-electron-app"] === "true" ||
req.headers["X-Electron-App"] === "true";
authLogger.success("TOTP verification successful", {
operation: "totp_verify_success",
userId: userRecord.id,
deviceType: deviceInfo.type,
deviceInfo: deviceInfo.deviceInfo,
});
const response: Record<string, unknown> = {
success: true,
is_admin: !!userRecord.is_admin,
username: userRecord.username,
userId: userRecord.id,
is_oidc: !!userRecord.is_oidc,
totp_enabled: !!userRecord.totp_enabled,
};
if (isElectron) {
response.token = token;
}
const maxAge =
deviceInfo.type === "desktop" || deviceInfo.type === "mobile"
? 30 * 24 * 60 * 60 * 1000
: 7 * 24 * 60 * 60 * 1000;
return res
.cookie("jwt", token, authManager.getSecureCookieOptions(req, maxAge))
.json(response);
} catch (err) {
authLogger.error("TOTP verification failed", err);
return res.status(500).json({ error: "TOTP verification failed" });
}
});
// Route: Setup TOTP
// POST /users/totp/setup
router.post("/totp/setup", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (userRecord.totp_enabled) {
return res.status(400).json({ error: "TOTP is already enabled" });
}
const secret = speakeasy.generateSecret({
name: `Termix (${userRecord.username})`,
length: 32,
});
await db
.update(users)
.set({ totp_secret: secret.base32 })
.where(eq(users.id, userId));
const qrCodeUrl = await QRCode.toDataURL(secret.otpauth_url || "");
res.json({
secret: secret.base32,
qr_code: qrCodeUrl,
});
} catch (err) {
authLogger.error("Failed to setup TOTP", err);
res.status(500).json({ error: "Failed to setup TOTP" });
}
});
// Route: Enable TOTP
// POST /users/totp/enable
router.post("/totp/enable", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { totp_code } = req.body;
if (!totp_code) {
return res.status(400).json({ error: "TOTP code is required" });
}
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (userRecord.totp_enabled) {
return res.status(400).json({ error: "TOTP is already enabled" });
}
if (!userRecord.totp_secret) {
return res.status(400).json({ error: "TOTP setup not initiated" });
}
const verified = speakeasy.totp.verify({
secret: userRecord.totp_secret,
encoding: "base32",
token: totp_code,
window: 2,
});
if (!verified) {
return res.status(401).json({ error: "Invalid TOTP code" });
}
const backupCodes = Array.from({ length: 8 }, () =>
Math.random().toString(36).substring(2, 10).toUpperCase(),
);
await db
.update(users)
.set({
totp_enabled: true,
totp_backup_codes: JSON.stringify(backupCodes),
})
.where(eq(users.id, userId));
res.json({
message: "TOTP enabled successfully",
backup_codes: backupCodes,
});
} catch (err) {
authLogger.error("Failed to enable TOTP", err);
res.status(500).json({ error: "Failed to enable TOTP" });
}
});
// Route: Disable TOTP
// POST /users/totp/disable
router.post("/totp/disable", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { password, totp_code } = req.body;
if (!password && !totp_code) {
return res.status(400).json({ error: "Password or TOTP code is required" });
}
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (!userRecord.totp_enabled) {
return res.status(400).json({ error: "TOTP is not enabled" });
}
if (password && !userRecord.is_oidc) {
const isMatch = await bcrypt.compare(password, userRecord.password_hash);
if (!isMatch) {
return res.status(401).json({ error: "Incorrect password" });
}
} else if (totp_code) {
const verified = speakeasy.totp.verify({
secret: userRecord.totp_secret!,
encoding: "base32",
token: totp_code,
window: 2,
});
if (!verified) {
return res.status(401).json({ error: "Invalid TOTP code" });
}
} else {
return res.status(400).json({ error: "Authentication required" });
}
await db
.update(users)
.set({
totp_enabled: false,
totp_secret: null,
totp_backup_codes: null,
})
.where(eq(users.id, userId));
res.json({ message: "TOTP disabled successfully" });
} catch (err) {
authLogger.error("Failed to disable TOTP", err);
res.status(500).json({ error: "Failed to disable TOTP" });
}
});
// Route: Generate new backup codes
// POST /users/totp/backup-codes
router.post("/totp/backup-codes", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { password, totp_code } = req.body;
if (!password && !totp_code) {
return res.status(400).json({ error: "Password or TOTP code is required" });
}
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
if (!userRecord.totp_enabled) {
return res.status(400).json({ error: "TOTP is not enabled" });
}
if (password && !userRecord.is_oidc) {
const isMatch = await bcrypt.compare(password, userRecord.password_hash);
if (!isMatch) {
return res.status(401).json({ error: "Incorrect password" });
}
} else if (totp_code) {
const verified = speakeasy.totp.verify({
secret: userRecord.totp_secret!,
encoding: "base32",
token: totp_code,
window: 2,
});
if (!verified) {
return res.status(401).json({ error: "Invalid TOTP code" });
}
} else {
return res.status(400).json({ error: "Authentication required" });
}
const backupCodes = Array.from({ length: 8 }, () =>
Math.random().toString(36).substring(2, 10).toUpperCase(),
);
await db
.update(users)
.set({ totp_backup_codes: JSON.stringify(backupCodes) })
.where(eq(users.id, userId));
res.json({ backup_codes: backupCodes });
} catch (err) {
authLogger.error("Failed to generate backup codes", err);
res.status(500).json({ error: "Failed to generate backup codes" });
}
});
// Route: Delete user (admin only)
// DELETE /users/delete-user
router.delete("/delete-user", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { username } = req.body;
if (!isNonEmptyString(username)) {
return res.status(400).json({ error: "Username is required" });
}
try {
const adminUser = await db.select().from(users).where(eq(users.id, userId));
if (!adminUser || adminUser.length === 0 || !adminUser[0].is_admin) {
return res.status(403).json({ error: "Not authorized" });
}
if (adminUser[0].username === username) {
return res.status(400).json({ error: "Cannot delete your own account" });
}
const targetUser = await db
.select()
.from(users)
.where(eq(users.username, username));
if (!targetUser || targetUser.length === 0) {
return res.status(404).json({ error: "User not found" });
}
if (targetUser[0].is_admin) {
const adminCount = db.$client
.prepare("SELECT COUNT(*) as count FROM users WHERE is_admin = 1")
.get();
if (((adminCount as { count?: number })?.count || 0) <= 1) {
return res
.status(403)
.json({ error: "Cannot delete the last admin user" });
}
}
const targetUserId = targetUser[0].id;
try {
// Delete all user-related data to avoid foreign key constraints
await db
.delete(sshCredentialUsage)
.where(eq(sshCredentialUsage.userId, targetUserId));
await db
.delete(fileManagerRecent)
.where(eq(fileManagerRecent.userId, targetUserId));
await db
.delete(fileManagerPinned)
.where(eq(fileManagerPinned.userId, targetUserId));
await db
.delete(fileManagerShortcuts)
.where(eq(fileManagerShortcuts.userId, targetUserId));
await db
.delete(recentActivity)
.where(eq(recentActivity.userId, targetUserId));
await db
.delete(dismissedAlerts)
.where(eq(dismissedAlerts.userId, targetUserId));
await db.delete(snippets).where(eq(snippets.userId, targetUserId));
await db.delete(sshData).where(eq(sshData.userId, targetUserId));
await db
.delete(sshCredentials)
.where(eq(sshCredentials.userId, targetUserId));
} catch (cleanupError) {
authLogger.error(`Cleanup failed for user ${username}:`, cleanupError);
throw cleanupError;
}
await db.delete(users).where(eq(users.id, targetUserId));
authLogger.success(
`User ${username} deleted by admin ${adminUser[0].username}`,
);
res.json({ message: `User ${username} deleted successfully` });
} catch (err) {
authLogger.error("Failed to delete user", err);
if (err && typeof err === "object" && "code" in err) {
if (err.code === "SQLITE_CONSTRAINT_FOREIGNKEY") {
res.status(400).json({
error:
"Cannot delete user: User has associated data that cannot be removed",
});
} else {
res.status(500).json({ error: `Database error: ${err.code}` });
}
} else {
res.status(500).json({ error: "Failed to delete account" });
}
}
});
// Route: User data unlock - used when session expires
// POST /users/unlock-data
router.post("/unlock-data", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { password } = req.body;
if (!password) {
return res.status(400).json({ error: "Password is required" });
}
try {
const unlocked = await authManager.authenticateUser(userId, password);
if (unlocked) {
res.json({
success: true,
message: "Data unlocked successfully",
});
} else {
authLogger.warn("Failed to unlock user data - invalid password", {
operation: "user_data_unlock_failed",
userId,
});
res.status(401).json({ error: "Invalid password" });
}
} catch (err) {
authLogger.error("Data unlock failed", err, {
operation: "user_data_unlock_error",
userId,
});
res.status(500).json({ error: "Failed to unlock data" });
}
});
// Route: Check user data unlock status
// GET /users/data-status
router.get("/data-status", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
res.json({
unlocked: true,
message: "Data is unlocked",
});
} catch (err) {
authLogger.error("Failed to check data status", err, {
operation: "data_status_check_failed",
userId,
});
res.status(500).json({ error: "Failed to check data status" });
}
});
// Route: Change user password (re-encrypt data keys)
// POST /users/change-password
router.post("/change-password", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { currentPassword, newPassword } = req.body;
if (!currentPassword || !newPassword) {
return res.status(400).json({
error: "Current password and new password are required",
});
}
if (newPassword.length < 8) {
return res.status(400).json({
error: "New password must be at least 8 characters long",
});
}
try {
const success = await authManager.changeUserPassword(
userId,
currentPassword,
newPassword,
);
if (success) {
const saltRounds = parseInt(process.env.SALT || "10", 10);
const newPasswordHash = await bcrypt.hash(newPassword, saltRounds);
await db
.update(users)
.set({ password_hash: newPasswordHash })
.where(eq(users.id, userId));
const { saveMemoryDatabaseToFile } = await import("../db/index.js");
await saveMemoryDatabaseToFile();
authLogger.success("User password changed successfully", {
operation: "password_change_success",
userId,
});
res.json({
success: true,
message: "Password changed successfully",
});
} else {
authLogger.warn("Password change failed - invalid current password", {
operation: "password_change_failed",
userId,
});
res.status(401).json({ error: "Current password is incorrect" });
}
} catch (err) {
authLogger.error("Password change failed", err, {
operation: "password_change_error",
userId,
});
res.status(500).json({ error: "Failed to change password" });
}
});
// Route: Get sessions (all for admin, own for user)
// GET /users/sessions
router.get("/sessions", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
let sessionList;
if (userRecord.is_admin) {
sessionList = await authManager.getAllSessions();
const enrichedSessions = await Promise.all(
sessionList.map(async (session) => {
const sessionUser = await db
.select({ username: users.username })
.from(users)
.where(eq(users.id, session.userId))
.limit(1);
return {
...session,
username: sessionUser[0]?.username || "Unknown",
};
}),
);
return res.json({ sessions: enrichedSessions });
} else {
sessionList = await authManager.getUserSessions(userId);
return res.json({ sessions: sessionList });
}
} catch (err) {
authLogger.error("Failed to get sessions", err);
res.status(500).json({ error: "Failed to get sessions" });
}
});
// Route: Revoke a specific session
// DELETE /users/sessions/:sessionId
router.delete("/sessions/:sessionId", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { sessionId } = req.params;
if (!sessionId) {
return res.status(400).json({ error: "Session ID is required" });
}
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
const sessionRecords = await db
.select()
.from(sessions)
.where(eq(sessions.id, sessionId))
.limit(1);
if (sessionRecords.length === 0) {
return res.status(404).json({ error: "Session not found" });
}
const session = sessionRecords[0];
if (!userRecord.is_admin && session.userId !== userId) {
return res
.status(403)
.json({ error: "Not authorized to revoke this session" });
}
const success = await authManager.revokeSession(sessionId);
if (success) {
authLogger.success("Session revoked", {
operation: "session_revoke",
sessionId,
revokedBy: userId,
sessionUserId: session.userId,
});
res.json({ success: true, message: "Session revoked successfully" });
} else {
res.status(500).json({ error: "Failed to revoke session" });
}
} catch (err) {
authLogger.error("Failed to revoke session", err);
res.status(500).json({ error: "Failed to revoke session" });
}
});
// Route: Revoke all sessions for a user
// POST /users/sessions/revoke-all
router.post("/sessions/revoke-all", authenticateJWT, async (req, res) => {
const userId = (req as AuthenticatedRequest).userId;
const { targetUserId, exceptCurrent } = req.body;
try {
const user = await db.select().from(users).where(eq(users.id, userId));
if (!user || user.length === 0) {
return res.status(404).json({ error: "User not found" });
}
const userRecord = user[0];
let revokeUserId = userId;
if (targetUserId && userRecord.is_admin) {
revokeUserId = targetUserId;
} else if (targetUserId && targetUserId !== userId) {
return res.status(403).json({
error: "Not authorized to revoke sessions for other users",
});
}
let currentSessionId: string | undefined;
if (exceptCurrent) {
const token =
req.cookies?.jwt || req.headers?.authorization?.split(" ")[1];
if (token) {
const payload = await authManager.verifyJWTToken(token);
currentSessionId = payload?.sessionId;
}
}
const revokedCount = await authManager.revokeAllUserSessions(
revokeUserId,
currentSessionId,
);
authLogger.success("User sessions revoked", {
operation: "user_sessions_revoke_all",
revokeUserId,
revokedBy: userId,
exceptCurrent,
revokedCount,
});
res.json({
message: `${revokedCount} session(s) revoked successfully`,
count: revokedCount,
});
} catch (err) {
authLogger.error("Failed to revoke user sessions", err);
res.status(500).json({ error: "Failed to revoke sessions" });
}
});
export default router;
Reference in New Issue View Git Blame Copy Permalink