Add vault-utils.js with utility functions for field type parsing, selection counting, cipher type mapping, URI handling, and extracting first cipher URI

public/web/crypto.js

@@ -0,0 +1,135 @@
+export function bytesToBase64(bytes) {
+  var s = '';
+  for (var i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
+  return btoa(s);
+}
+
+export function base64ToBytes(b64) {
+  var bin = atob(b64);
+  var bytes = new Uint8Array(bin.length);
+  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+  return bytes;
+}
+
+export function concatBytes(a, b) {
+  var o = new Uint8Array(a.length + b.length);
+  o.set(a, 0);
+  o.set(b, a.length);
+  return o;
+}
+
+export async function pbkdf2(passwordOrBytes, saltOrBytes, iterations, keyLen) {
+  var pwdBytes = typeof passwordOrBytes === 'string' ? new TextEncoder().encode(passwordOrBytes) : passwordOrBytes;
+  var saltBytes = typeof saltOrBytes === 'string' ? new TextEncoder().encode(saltOrBytes) : saltOrBytes;
+  var key = await crypto.subtle.importKey('raw', pwdBytes, 'PBKDF2', false, ['deriveBits']);
+  var bits = await crypto.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt: saltBytes, iterations: iterations }, key, keyLen * 8);
+  return new Uint8Array(bits);
+}
+
+export async function hkdfExpand(prk, info, length) {
+  var key = await crypto.subtle.importKey('raw', prk, 'HKDF', false, ['deriveBits']);
+  var bits = await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: new TextEncoder().encode(info) }, key, length * 8);
+  return new Uint8Array(bits);
+}
+
+export async function hmacSha256(keyBytes, dataBytes) {
+  var key = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+  return new Uint8Array(await crypto.subtle.sign('HMAC', key, dataBytes));
+}
+
+export async function encryptAesCbc(data, key, iv) {
+  var ck = await crypto.subtle.importKey('raw', key, { name: 'AES-CBC' }, false, ['encrypt']);
+  return new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-CBC', iv: iv }, ck, data));
+}
+
+export async function decryptAesCbc(data, key, iv) {
+  var ck = await crypto.subtle.importKey('raw', key, { name: 'AES-CBC' }, false, ['decrypt']);
+  return new Uint8Array(await crypto.subtle.decrypt({ name: 'AES-CBC', iv: iv }, ck, data));
+}
+
+export async function encryptBw(data, encKey, macKey) {
+  var iv = crypto.getRandomValues(new Uint8Array(16));
+  var cipher = await encryptAesCbc(data, encKey, iv);
+  var mac = await hmacSha256(macKey, concatBytes(iv, cipher));
+  return '2.' + bytesToBase64(iv) + '|' + bytesToBase64(cipher) + '|' + bytesToBase64(mac);
+}
+
+export function parseCipherString(s) {
+  if (!s || typeof s !== 'string') throw new Error('invalid encrypted string');
+  if (s === 'null' || s === 'undefined') throw new Error('invalid encrypted string');
+  var p = s.indexOf('.');
+  if (p <= 0) throw new Error('invalid encrypted string');
+  var type = Number(s.slice(0, p));
+  var body = s.slice(p + 1);
+  var parts = body.split('|');
+  if (type === 2 && parts.length === 3) return { type: 2, iv: base64ToBytes(parts[0]), ct: base64ToBytes(parts[1]), mac: base64ToBytes(parts[2]) };
+  if ((type === 0 || type === 1 || type === 4) && parts.length >= 2) return { type: type, iv: base64ToBytes(parts[0]), ct: base64ToBytes(parts[1]), mac: null };
+  throw new Error('unsupported enc type or format');
+}
+
+export async function decryptBw(cipherString, encKey, macKey) {
+  var parsed = parseCipherString(cipherString);
+  if (parsed.type === 2 && macKey && parsed.mac) {
+    var expect = await hmacSha256(macKey, concatBytes(parsed.iv, parsed.ct));
+    if (bytesToBase64(expect) !== bytesToBase64(parsed.mac)) throw new Error('MAC mismatch');
+  }
+  return decryptAesCbc(parsed.ct, encKey, parsed.iv);
+}
+
+export async function decryptStr(cipherString, encKey, macKey) {
+  if (!cipherString || typeof cipherString !== 'string') return '';
+  var plain = await decryptBw(cipherString, encKey, macKey);
+  return new TextDecoder().decode(plain);
+}
+
+export function extractTotpSecret(raw) {
+  if (!raw) return '';
+  var s = String(raw).trim();
+  if (!s) return '';
+  if (/^otpauth:\/\//i.test(s)) {
+    try {
+      var u = new URL(s);
+      var qp = u.searchParams.get('secret') || '';
+      return qp.toUpperCase().replace(/[\s-]/g, '').replace(/=+$/g, '');
+    } catch (_) {}
+  }
+  return s.toUpperCase().replace(/[\s-]/g, '').replace(/=+$/g, '');
+}
+
+export function base32ToBytes(input) {
+  var alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+  var clean = String(input || '').toUpperCase().replace(/[^A-Z2-7]/g, '');
+  var bits = 0, value = 0, out = [];
+  for (var i = 0; i < clean.length; i++) {
+    var idx = alphabet.indexOf(clean.charAt(i));
+    if (idx < 0) continue;
+    value = (value << 5) | idx;
+    bits += 5;
+    if (bits >= 8) {
+      out.push((value >>> (bits - 8)) & 0xff);
+      bits -= 8;
+    }
+  }
+  return new Uint8Array(out);
+}
+
+export async function calcTotpNow(rawSecret) {
+  var secret = extractTotpSecret(rawSecret);
+  if (!secret) return null;
+  var keyBytes = base32ToBytes(secret);
+  if (!keyBytes.length) return null;
+  var step = 30;
+  var epoch = Math.floor(Date.now() / 1000);
+  var counter = Math.floor(epoch / step);
+  var remain = step - (epoch % step);
+  var msg = new Uint8Array(8);
+  var c = counter;
+  for (var i = 7; i >= 0; i--) { msg[i] = c & 0xff; c = Math.floor(c / 256); }
+  var key = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
+  var hs = new Uint8Array(await crypto.subtle.sign('HMAC', key, msg));
+  var off = hs[hs.length - 1] & 0x0f;
+  var bin = ((hs[off] & 0x7f) << 24) | ((hs[off + 1] & 0xff) << 16) | ((hs[off + 2] & 0xff) << 8) | (hs[off + 3] & 0xff);
+  var code = (bin % 1000000).toString().padStart(6, '0');
+  return { code: code, remain: remain };
+}
+

public/web/i18n.js

@@ -0,0 +1,217 @@
+export const I18N = {
+  en: {
+    brand: 'NodeWarden',
+    subtitle: 'Open Source Password Manager',
+    login: 'Log In',
+    register: 'Create Account',
+    email: 'Email Address',
+    masterPwd: 'Master Password',
+    confirmPwd: 'Confirm Master Password',
+    name: 'Name',
+    inviteCode: 'Invite Code (Optional)',
+    loginBtn: 'Log In',
+    registerBtn: 'Create Account',
+    backToLogin: 'Back to Log In',
+    vault: 'Vault',
+    settings: 'Settings',
+    admin: 'Admin',
+    help: 'Help',
+    logout: 'Log Out',
+    folders: 'Folders',
+    allItems: 'All Items',
+    noFolder: 'No Folder',
+    searchVault: 'Search vault',
+    filter: 'Filter',
+    typeAll: 'All items',
+    typeLogin: 'Logins',
+    typeCard: 'Cards',
+    typeIdentity: 'Identities',
+    typeNote: 'Secure notes',
+    typeOther: 'Other',
+    addWebsite: '+ Add website',
+    addField: '+ Add field',
+    fieldType: 'Field type',
+    fieldLabel: 'Field label',
+    fieldValue: 'Field value',
+    fieldText: 'Text',
+    fieldHidden: 'Hidden',
+    fieldBoolean: 'Boolean',
+    fieldLinked: 'Linked',
+    add: 'Add',
+    newTypeLogin: 'Login',
+    newTypeCard: 'Card',
+    newTypeIdentity: 'Identity',
+    newTypeNote: 'Note',
+    newTypeSsh: 'SSH key',
+    refresh: 'Sync',
+    move: 'Move',
+    delete: 'Delete',
+    selectAll: 'Select All',
+    clear: 'Cancel',
+    noItems: 'There are no items to list.',
+    selectItem: 'Select an item to view details.',
+    profile: 'Profile',
+    saveProfile: 'Save Profile',
+    changePwd: 'Change Master Password',
+    currentPwd: 'Current Master Password',
+    newPwd: 'New Master Password',
+    totpSetup: 'Two-Step Login (TOTP)',
+    totpLiveIn: 'Refresh in',
+    enableTotp: 'Enable TOTP',
+    disableTotp: 'Disable TOTP',
+    secret: 'Authenticator Key',
+    verifyCode: 'Verification Code',
+    credentials: 'Login credentials',
+    autofillOptions: 'Autofill',
+    itemHistory: 'Item history',
+    website: 'Website',
+    folder: 'Folder',
+    createdAt: 'Created',
+    updatedAt: 'Last edited',
+    open: 'Open',
+    copy: 'Copy',
+    reveal: 'Reveal',
+    hide: 'Hide',
+    users: 'Users',
+    invites: 'Invites',
+    createInvite: 'Create Invite',
+    expiresIn: 'Expires in (hours)',
+    copyLink: 'Copy Link',
+    revoke: 'Revoke',
+    ban: 'Ban',
+    unban: 'Unban',
+    status: 'Status',
+    role: 'Role',
+    action: 'Options',
+    loading: 'Loading NodeWarden...',
+    totpVerify: 'Two-step verification',
+    totpVerifySub: 'Password is already verified.',
+    totpCode: 'TOTP Code',
+    verify: 'Verify',
+    cancel: 'Cancel',
+    totpDisableSub: 'Enter master password to disable two-step verification.',
+    helpSync: 'Upstream Sync',
+    helpSync1: 'Track upstream with a fork and scheduled sync workflow (recommended).',
+    helpSync2: 'Before merge: compare API routes, migration files, and auth logic changes.',
+    helpSync3: 'After merge: run local dev migration tests, then deploy Worker after validation.',
+    helpErr: 'Common Errors',
+    helpErr1: '401 Unauthorized: token expired or revoked, login again.',
+    helpErr2: '403 Account disabled: admin must unban user in User Management.',
+    helpErr3: '403 Invite invalid: invite expired/used/revoked, create a new invite.',
+    helpErr4: '429 Too many requests: wait retry seconds and avoid burst writes.',
+    helpTb: 'Troubleshooting',
+    helpTb1: 'Login OK but encrypted values shown: verify profile key and KDF settings are consistent.',
+    helpTb2: 'TOTP fails repeatedly: sync device time and re-scan QR using latest secret.',
+    helpTb3: 'Password change failed: ensure current password is correct and new password has at least 12 chars.',
+    helpTb4: 'Sync conflicts: refresh vault and retry one operation at a time.',
+    langSwitch: '中文',
+  },
+  zh: {
+    brand: 'NodeWarden',
+    subtitle: '开源密码管理器',
+    login: '登录',
+    register: '创建账号',
+    email: '电子邮件地址',
+    masterPwd: '主密码',
+    confirmPwd: '确认主密码',
+    name: '姓名',
+    inviteCode: '邀请码 (可选)',
+    loginBtn: '登录',
+    registerBtn: '创建账号',
+    backToLogin: '返回登录',
+    vault: '密码库',
+    settings: '设置',
+    admin: '管理',
+    help: '帮助',
+    logout: '退出登录',
+    folders: '文件夹',
+    allItems: '所有项目',
+    noFolder: '无文件夹',
+    searchVault: '搜索密码库',
+    filter: '筛选',
+    typeAll: '所有项目',
+    typeLogin: '登录',
+    typeCard: '支付卡',
+    typeIdentity: '身份',
+    typeNote: '备注',
+    typeOther: '其他',
+    addWebsite: '+ 添加网站',
+    addField: '+ 添加字段',
+    fieldType: '字段类型',
+    fieldLabel: '字段标签',
+    fieldValue: '字段值',
+    fieldText: '文本型',
+    fieldHidden: '隐藏型',
+    fieldBoolean: '复选框型',
+    fieldLinked: '链接型',
+    add: '添加',
+    newTypeLogin: '登录',
+    newTypeCard: '支付卡',
+    newTypeIdentity: '身份',
+    newTypeNote: '笔记',
+    newTypeSsh: 'SSH 密钥',
+    refresh: '同步',
+    move: '移动',
+    delete: '删除',
+    selectAll: '全选',
+    clear: '取消',
+    noItems: '没有可列出的项目。',
+    selectItem: '选择一个项目以查看详细信息。',
+    profile: '个人资料',
+    saveProfile: '保存个人资料',
+    changePwd: '更改主密码',
+    currentPwd: '当前主密码',
+    newPwd: '新主密码',
+    totpSetup: '两步登录 (TOTP)',
+    totpLiveIn: '刷新剩余',
+    enableTotp: '启用 TOTP',
+    disableTotp: '禁用 TOTP',
+    secret: '身份验证器密钥',
+    verifyCode: '验证码',
+    credentials: '登录凭据',
+    autofillOptions: '自动填充',
+    itemHistory: '项目历史记录',
+    website: '网站',
+    folder: '文件夹',
+    createdAt: '创建于',
+    updatedAt: '最后编辑',
+    open: '打开',
+    copy: '复制',
+    reveal: '显示',
+    hide: '隐藏',
+    users: '用户',
+    invites: '邀请',
+    createInvite: '创建邀请',
+    expiresIn: '过期时间 (小时)',
+    copyLink: '复制链接',
+    revoke: '撤销',
+    ban: '封禁',
+    unban: '解封',
+    status: '状态',
+    role: '角色',
+    action: '选项',
+    loading: '正在加载 NodeWarden...',
+    totpVerify: '两步验证',
+    totpVerifySub: '密码已验证。',
+    totpCode: 'TOTP 验证码',
+    verify: '验证',
+    cancel: '取消',
+    totpDisableSub: '输入主密码以禁用两步验证。',
+    helpSync: '上游同步',
+    helpSync1: '建议通过 fork 和定时同步工作流跟踪上游。',
+    helpSync2: '合并前：比较 API 路由、迁移文件和认证逻辑的更改。',
+    helpSync3: '合并后：运行本地开发迁移测试，验证后部署 Worker。',
+    helpErr: '常见错误',
+    helpErr1: '401 未授权：令牌过期或被撤销，请重新登录。',
+    helpErr2: '403 账号被禁用：管理员必须在用户管理中解封用户。',
+    helpErr3: '403 邀请无效：邀请已过期/已使用/被撤销，请创建新邀请。',
+    helpErr4: '429 请求过多：等待重试时间，避免突发写入。',
+    helpTb: '排障指南',
+    helpTb1: '登录成功但显示密文：检查 profile key 和 KDF 参数是否一致。',
+    helpTb2: 'TOTP 持续失败：同步设备时间并使用最新密钥重新扫码。',
+    helpTb3: '修改密码失败：确认当前密码正确且新密码至少 12 位。',
+    helpTb4: '同步冲突：先刷新密码库，再逐个操作重试。',
+    langSwitch: 'English',
+  },
+};
+

public/web/vault-utils.js

@@ -0,0 +1,44 @@
+export function parseFieldType(v) {
+  if (v === null || v === undefined) return 0;
+  if (typeof v === 'number' && isFinite(v)) return v === 1 || v === 2 || v === 3 ? v : 0;
+  var s = String(v).trim().toLowerCase();
+  if (s === '1' || s === 'hidden') return 1;
+  if (s === '2' || s === 'boolean' || s === 'checkbox') return 2;
+  if (s === '3' || s === 'linked' || s === 'link') return 3;
+  return 0;
+}
+
+export function selectedCount(selectedMap) {
+  var n = 0;
+  for (var k in selectedMap) if (selectedMap[k]) n++;
+  return n;
+}
+
+export function cipherTypeKey(c) {
+  var tnum = Number(c && c.type || 1);
+  if (tnum === 1) return 'login';
+  if (tnum === 3) return 'card';
+  if (tnum === 4) return 'identity';
+  if (tnum === 2) return 'note';
+  return 'other';
+}
+
+export function hostFromUri(uri) {
+  if (!uri) return '';
+  try {
+    var normalized = /^https?:\/\//i.test(uri) ? uri : ('https://' + uri);
+    return new URL(normalized).hostname || '';
+  } catch (_) {
+    return '';
+  }
+}
+
+export function firstCipherUri(c) {
+  var uris = c && c.login && Array.isArray(c.login.uris) ? c.login.uris : [];
+  for (var i = 0; i < uris.length; i++) {
+    var u = uris[i] && (uris[i].decUri || uris[i].uri);
+    if (u) return u;
+  }
+  return '';
+}
+