Buriburizaemon/nodewarden
1
0
Fork 0
mirror of https://github.com/shuaiplus/nodewarden.git synced 2026-06-20 21:00:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Buriburizaemon/nodewarden:v1.5.2
Branches Tags
Buriburizaemon/nodewarden:main
Buriburizaemon/nodewarden:v1.6.1 Buriburizaemon/nodewarden:v1.6.0 Buriburizaemon/nodewarden:v1.5.2 Buriburizaemon/nodewarden:v1.5.1 Buriburizaemon/nodewarden:v1.5.0 Buriburizaemon/nodewarden:v1.4.6 Buriburizaemon/nodewarden:v1.4.5 Buriburizaemon/nodewarden:v1.4.4 Buriburizaemon/nodewarden:v1.4.3 Buriburizaemon/nodewarden:v1.4.2 Buriburizaemon/nodewarden:v1.4.1 Buriburizaemon/nodewarden:v1.4.0 Buriburizaemon/nodewarden:v1.3.0 Buriburizaemon/nodewarden:v1.2.0 Buriburizaemon/nodewarden:v1.1.0 Buriburizaemon/nodewarden:v1.0.0 Buriburizaemon/nodewarden:0.3.0 Buriburizaemon/nodewarden:v0.2.0 Buriburizaemon/nodewarden:v0.1.0
..
compare: Buriburizaemon/nodewarden:5ed7c949c164e5bc5bb2a2c633d90fdaef16031a
Branches Tags
Buriburizaemon/nodewarden:main
Buriburizaemon/nodewarden:v1.6.1 Buriburizaemon/nodewarden:v1.6.0 Buriburizaemon/nodewarden:v1.5.2 Buriburizaemon/nodewarden:v1.5.1 Buriburizaemon/nodewarden:v1.5.0 Buriburizaemon/nodewarden:v1.4.6 Buriburizaemon/nodewarden:v1.4.5 Buriburizaemon/nodewarden:v1.4.4 Buriburizaemon/nodewarden:v1.4.3 Buriburizaemon/nodewarden:v1.4.2 Buriburizaemon/nodewarden:v1.4.1 Buriburizaemon/nodewarden:v1.4.0 Buriburizaemon/nodewarden:v1.3.0 Buriburizaemon/nodewarden:v1.2.0 Buriburizaemon/nodewarden:v1.1.0 Buriburizaemon/nodewarden:v1.0.0 Buriburizaemon/nodewarden:0.3.0 Buriburizaemon/nodewarden:v0.2.0 Buriburizaemon/nodewarden:v0.1.0

44 Commits
v1.5.2 .. 5ed7c949c1

Author SHA1 Message Date
shuaiplus 5ed7c949c1 feat: add remote backup restore and attachment download functionality 2026-06-07 21:06:34 +08:00
shuaiplus af70cab766 feat: implement BackupTransferRunner for managing backup processes and enhance backup handling 2026-06-07 20:43:43 +08:00
shuaiplus bfea5d0a1c fix: add support for KeePass CSV import format and enhance import parsing logic 2026-06-07 19:18:17 +08:00
shuaiplus cda654e1c3 fix: enhance cipher login URI handling and import format support 2026-06-06 22:43:16 +08:00
shuaiplus 1ee7b0f31b Fix initial i18n render crash on auth pages 
Initialize locale messages before the first app render so the auth page does not diff from the fallback language into the detected locale during startup.

Mark the app root as non-translatable and keep the document language synchronized with the active locale to reduce browser translation DOM mutations.
 2026-06-06 19:30:35 +08:00
shuaiplus 2d2cbea530 fix: add .tmp-bitwarden-clients/ to .gitignore 2026-05-31 21:23:53 +08:00
shuaiplus 4f5d992f10 fix: enhance cipher handling with repairable URI support and sync improvements 2026-05-31 19:53:42 +08:00
52assert 667afa305b fix(deploy): make KV deploy idempotent 
Adapted from #233 with deploy build kept in wrangler config.
 2026-05-31 01:20:14 +08:00
shuaiplus 85bd2fa4bf fix: streamline deployment commands in configuration files 2026-05-31 01:15:00 +08:00
shuaiplus fd9707c396 fix: enable cipher key encryption feature for 2026.4.x clients and streamline key handling 2026-05-31 01:03:32 +08:00
shuaiplus 192071e4a7 fix: enhance cipher key handling and compatibility for secure notes 2026-05-30 02:43:09 +08:00
shuaiplus fcf7c80daa fix: adjust input padding for improved layout in forms and responsive styles 2026-05-30 02:34:45 +08:00
shuaiplus ed9251c014 fix: enhance compatibility for cipher login normalization and uri handling 2026-05-30 02:26:36 +08:00
shuaiplus a75955ca6d fix: update password verification to support legacy client hashes 2026-05-23 23:07:10 +08:00
shuaiplus 03f7fbf601 fix: repair mixed cipher key encryption handling 2026-05-23 12:43:44 +08:00
shuaiplus a63336764f fix: improve lock timeout retrieval by handling null and empty values 2026-05-23 03:19:49 +08:00
shuaiplus f56d7f01ca fix: add content length validation and timeout handling for icon fetching 2026-05-23 03:17:24 +08:00
shuaiplus 8ff60aed24 fix: remove unused change password handling functions from public route 2026-05-23 03:08:21 +08:00
shuaiplus 749de4e2e1 fix: update server hash prefix handling for password hashing and verification 2026-05-23 03:00:58 +08:00
shuaiplus ea9e238aa7 fix: remove checks for portable admins in backup settings saving and normalization 2026-05-23 02:53:03 +08:00
shuaiplus 22d267f5bc fix: remove unused saveRefreshTokenRecord parameter from getRefreshTokenRecord 2026-05-23 02:42:08 +08:00
shuaiplus 18eefd1174 fix: simplify login identifier construction in two-factor recovery and token handling 2026-05-23 02:22:04 +08:00
shuaiplus d468745841 fix: restore ip-scoped password login lockout 2026-05-23 02:12:40 +08:00
shuaiplus 970621c459 fix: remove optional TOTP_SECRET from environment bindings 2026-05-23 02:07:59 +08:00
shuaiplus 385a873e65 fix: improve device validation logic in refresh token handling 2026-05-23 02:00:41 +08:00
shuaiplus 56185ecb69 fix: strip plaintext login helpers from cipher payload 2026-05-23 01:49:34 +08:00
shuaiplus 04ebfc7021 feat: refactor cipher login data type for improved clarity 2026-05-18 02:13:01 +08:00
shuaiplus c50247b8fe feat: add URI checksum repair functionality for ciphers 2026-05-18 01:59:02 +08:00
shuaiplus 776408e9d0 feat: enhance SSH key handling with Ed25519 support and PEM formatting 2026-05-16 16:34:06 +08:00
shuaiplus e641da517d feat: add uriChecksum handling and sha256Base64 function for enhanced security 2026-05-16 16:22:43 +08:00
shuaiplus b7878ffe01 feat: improve scrollbar styles and dark mode compatibility 2026-05-15 19:12:40 +08:00
shuaiplus bbad9d60a7 Merge branch 'main' of https://github.com/shuaiplus/nodewarden 2026-05-15 18:28:09 +08:00
shuaiplus ed58467766 feat: enhance authorized devices table layout and styling 2026-05-15 18:28:05 +08:00
agesky 2f911e66a6 Update README.md 
修改一处描述错误
 2026-05-15 11:12:47 +08:00
shuaiplus d06e050162 feat: Updated visual rapid deployment instructions, added JWT_SECRET settings and Workers custom domain prompts 2026-05-14 22:54:54 +08:00
shuaiplus d0dc31ce86 feat: enhance attachment metadata handling and add change password URI support 2026-05-14 22:46:29 +08:00
shuaiplus f64abaa75d feat: enhance search functionality by including cipher ID in search text 2026-05-14 10:52:11 +08:00
shuaiplus 7312086f92 feat: add restore functionality for deleted items with corresponding UI updates 2026-05-14 10:40:32 +08:00
shuaiplus 3e4c104e1d feat: added logging system 2026-05-14 02:42:15 +08:00
shuaiplus 17ceec45b1 feat: implement user and device cache invalidation in AuthService 2026-05-12 19:12:53 +08:00
shuaiplus 2685741386 feat: add permanent trust functionality for devices with corresponding API and UI updates 2026-05-12 18:01:04 +08:00
shuaiplus 83a1fc2376 feat: enhance TOTP settings UI with improved layout and status indication 2026-05-12 15:55:05 +08:00
shuaiplus 06431c4145 feat: enhance mobile responsiveness for management routes and table layout 2026-05-12 15:16:17 +08:00
shuaiplus 700910099b feat: adjust eye button positioning and hover effect for password toggle 2026-05-12 00:22:48 +08:00
78 changed files with 5954 additions and 610 deletions
Expand all files Collapse all files
.codegraph/.gitignore
+17
View File
@@ -0,0 +1,17 @@
# CodeGraph data files
# These are local to each machine and should not be committed
# Database
*.db
*.db-wal
*.db-shm
# Cache
cache/
# Logs
*.log
# Hook markers
.dirty
*.pid
.gitignore
+3 -1
View File
@@ -26,7 +26,7 @@ Thumbs.db
# Logs
*.log
npm-debug.log*
.vite-tailwind.err
# Environment
.env
.env.local
@@ -40,6 +40,7 @@ npm-debug.log*
tmp/
.tmp/
.tmp-bitwarden-clients/
nodewarden.wiki/
wiki/
@@ -47,3 +48,4 @@ AGENTS.md
settings.json
.claude/
NodeWarden-compat/
.codex-upstream/
README.md
+15 -10
View File
@@ -38,7 +38,7 @@
| 附件上传 / 下载 | ✅ | ✅ | Cloudflare R2 或 KV |
| Send | ✅ | ✅ | 支持文本与文件 Send |
| 导入 / 导出 | ✅ | ✅ | 支持 Bitwarden JSON / CSV / **ZIP 导入(包括附件)** |
| **云端备份中心** | ❌ | ✅ | **支持 WebDAV / E3 定时备份** |
| **云端备份中心** | ❌ | ✅ | **支持 WebDAV / S3 定时备份** |
| 密码提示(网页端) | ⚠️ 有限 | ✅ | **无需发送邮件** |
| TOTP / Steam TOTP | ✅ | ✅ | 含 `steam://` 支持 |
| 多用户 | ✅ | ✅ | 支持邀请码注册 |
@@ -58,16 +58,21 @@
---
## 网页部署
## 可视化快速部署
1. Fork NodeWarden 仓库到自己的 GitHub 账号
2. 进入 [Cloudflare Workers & Pages](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create)
3. 选择 Continue with GitHub 并选择你的仓库
4. 构建命令填 `npm run build`,部署命令填 `npm run deploy`
- 如果你打算用 KV 模式,把部署命令改成 `npm run deploy:kv`
5. 等部署完成后,打开生成的 Workers 域名
- Workers 默认域名在部分网络环境不可直连。如需自定义域名,到 [Workers 设置](https://dash.cloudflare.com/?to=/:account/workers/services/view/nodewarden/production/settings)里添加。
- 页面提示缺少 `JWT_SECRET` 时,到 Workers 设置里添加 Secret。正式环境至少使用 32 个字符以上的随机字符串,不要使用临时值或示例值。
- 这套流程里,用户实际做的是把代码交给 Cloudflare 构建并部署。代码里的 `wrangler.toml``wrangler.kv.toml` 决定绑定名,Worker 第一次处理请求时会自动初始化 D1 schema,不需要用户上传 SQL。
1. Fork `NodeWarden` 仓库到自己的 GitHub 账号
2. 进入 [Cloudflare Workers 创建页面](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create)
3. 选择 `Continue with GitHub`
4. 选择你刚刚 Fork 的仓库
5. 保持默认配置继续部署
6. 如果你打算用 KV 模式,把部署命令改成 `npm run deploy:kv`
7. 等部署完成后,打开生成的 Workers 域名
8. 根据页面提示设置`JWT_SECRET` ,不建议临时乱填。这个值直接关系到令牌签发安全,正式环境至少使用 32 个字符以上的随机字符串。
> [!TIP]
> 默认R2与可选KV的区别:
migrations/0001_init.sql
+4
View File
@@ -154,6 +154,8 @@ CREATE TABLE IF NOT EXISTS audit_logs (
id TEXT PRIMARY KEY,
actor_user_id TEXT,
action TEXT NOT NULL,
category TEXT NOT NULL DEFAULT 'system',
level TEXT NOT NULL DEFAULT 'info',
target_type TEXT,
target_id TEXT,
metadata TEXT,
@@ -162,6 +164,8 @@ CREATE TABLE IF NOT EXISTS audit_logs (
);
CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at);
CREATE INDEX IF NOT EXISTS idx_audit_logs_actor_created ON audit_logs(actor_user_id, created_at);
CREATE INDEX IF NOT EXISTS idx_audit_logs_category_created ON audit_logs(category, created_at);
CREATE INDEX IF NOT EXISTS idx_audit_logs_level_created ON audit_logs(level, created_at);
CREATE TABLE IF NOT EXISTS devices (
user_id TEXT NOT NULL,
package.json
+2 -2
View File
@@ -15,8 +15,8 @@
"domains:sync": "node scripts/sync-global-domains.mjs",
"i18n": "node scripts/i18n-validate.cjs",
"i18n:validate": "node scripts/i18n-validate.cjs",
"deploy": "npm run build && wrangler deploy",
"deploy:kv": "npm run build && wrangler deploy -c wrangler.kv.toml",
"deploy": "wrangler deploy",
"deploy:kv": "node scripts/ensure-kv.cjs && wrangler deploy -c wrangler.kv.toml",
"deploy:demo": "npm run build:demo && wrangler pages deploy dist --project-name nw-demo"
},
"keywords": [
scripts/ensure-kv.cjs
+64
View File
@@ -0,0 +1,64 @@
#!/usr/bin/env node
/**
* Make `deploy:kv` idempotent across repeated builds.
*
* KV namespaces are referenced in wrangler config by account-scoped `id`, not
* by name. The template ships without an id so fresh accounts can provision one
* on first deploy. In non-interactive builds, wrangler may try to create the
* same namespace again on later builds and fail with code 10014.
*/
const { execSync } = require('node:child_process');
const fs = require('node:fs');
const path = require('node:path');
const CONFIG = path.resolve(__dirname, '..', 'wrangler.kv.toml');
const BINDING = 'ATTACHMENTS_KV';
const wrangler = (args) =>
execSync(`npx wrangler ${args}`, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'inherit'] });
function bindingBlockHasId(toml) {
const blocks = toml.match(/\[\[kv_namespaces\]\][^[]*/g) || [];
const block = blocks.find((entry) => new RegExp(`binding\\s*=\\s*"${BINDING}"`).test(entry));
return block ? /^\s*id\s*=/m.test(block) : false;
}
function expectedTitle(toml) {
const name = (toml.match(/^\s*name\s*=\s*"([^"]+)"/m) || [])[1] || 'worker';
return `${name}-${BINDING.toLowerCase().replace(/_/g, '-')}`;
}
function resolveId(title) {
const list = JSON.parse(wrangler('kv namespace list'));
const hit =
list.find((namespace) => namespace.title === title) ||
list.find((namespace) => typeof namespace.title === 'string' && namespace.title.endsWith('attachments-kv'));
if (hit) {
console.log(`[ensure-kv] reusing existing namespace "${hit.title}" (${hit.id})`);
return hit.id;
}
const out = wrangler(`kv namespace create "${title}"`);
const id = (out.match(/id\s*=\s*"([0-9a-fA-F]{32})"/) || [])[1];
if (!id) throw new Error(`[ensure-kv] could not parse new namespace id from:\n${out}`);
console.log(`[ensure-kv] created namespace "${title}" (${id})`);
return id;
}
function main() {
let toml = fs.readFileSync(CONFIG, 'utf8');
if (bindingBlockHasId(toml)) {
console.log(`[ensure-kv] ${BINDING} already pinned in wrangler.kv.toml; nothing to do`);
return;
}
const id = resolveId(expectedTitle(toml));
toml = toml.replace(
new RegExp(`(\\[\\[kv_namespaces\\]\\]\\s*\\n\\s*binding\\s*=\\s*"${BINDING}")`),
`$1\nid = "${id}"`
);
fs.writeFileSync(CONFIG, toml);
console.log('[ensure-kv] pinned id into wrangler.kv.toml for this build');
}
main();
scripts/i18n-validate.cjs
+12 -1
View File
@@ -22,6 +22,17 @@ const intentionallyEnglishKeys = new Set([
'txt_dash',
'txt_text_3',
]);
const intentionallyEnglishPrefixes = [
'txt_log_action_',
'txt_log_meta_',
'txt_log_reason_',
'txt_log_target_type_',
'txt_log_trigger_',
];
function isIntentionallyEnglishKey(key) {
return intentionallyEnglishKeys.has(key) || intentionallyEnglishPrefixes.some((prefix) => key.startsWith(prefix));
}
for (const [locale, table] of Object.entries(locales)) {
const keys = Object.keys(table).sort();
@@ -40,7 +51,7 @@ for (const [locale, table] of Object.entries(locales)) {
}
if (locale !== 'en') {
const sameAsEnglish = baseKeys.filter((key) => table[key] === base[key] && !intentionallyEnglishKeys.has(key));
const sameAsEnglish = baseKeys.filter((key) => table[key] === base[key] && !isIntentionallyEnglishKey(key));
if (sameAsEnglish.length > 40) {
errors.push({
locale,
src/config/limits.ts
+11 -3
View File
@@ -5,10 +5,10 @@
accessTokenTtlSeconds: 7200,
// Refresh token lifetime in milliseconds.
// 刷新令牌有效期(毫秒)。
refreshTokenTtlMs: 30 * 24 * 60 * 60 * 1000,
refreshTokenTtlMs: 365 * 24 * 60 * 60 * 1000,
// Grace window for previous refresh token after rotation (ms).
// 刷新令牌轮换后的旧令牌宽限窗口(毫秒)。
refreshTokenOverlapGraceMs: 60 * 1000,
refreshTokenOverlapGraceMs: 30 * 60 * 1000,
// Refresh token random byte length.
// 刷新令牌随机字节长度。
refreshTokenRandomBytes: 32,
@@ -44,6 +44,9 @@
// Public read-only request budget per IP per minute.
// 公开只读接口每 IP 每分钟请求配额。
publicReadRequestsPerMinute: 120,
// Public website icon proxy budget per IP per minute.
// 公开网站图标代理每 IP 每分钟请求配额。
publicIconRequestsPerMinute: 500,
// Sensitive public/auth request budget per IP per minute.
// 敏感公开/认证接口每 IP 每分钟请求配额。
sensitivePublicRequestsPerMinute: 30,
@@ -145,6 +148,11 @@
compatibility: {
// Single source of truth for /config.version and /api/version.
// /config.version 与 /api/version 的统一版本号来源。
bitwardenServerVersion: '2026.1.0',
bitwardenServerVersion: '2026.4.1',
// Official 2026.4.x clients need this flag to receive and use cipher.key.
// Hiding existing item keys makes item-key encrypted vault data unreadable.
// 官方 2026.4.x 客户端需要该开关来接收并使用 cipher.key。
// 隐藏已有逐项密钥会导致逐项密钥加密的密码库数据无法解密。
cipherKeyEncryptionFeatureEnabled: true,
},
} as const;
src/durable/backup-transfer-runner.ts
+465
View File
@@ -0,0 +1,465 @@
import type { Env } from '../types';
import type { BackupDestinationRecord } from '../services/backup-config';
import {
BACKUP_SCHEDULER_WINDOW_MINUTES,
requireBackupDestination,
hasBackupSlotBetween,
isBackupDueNow,
loadBackupSettings,
} from '../services/backup-config';
import {
createRemoteBackupTransferSession,
downloadRemoteBackupFile,
ensureRemoteRestoreCandidate,
} from '../services/backup-uploader';
import { getBlobObject } from '../services/blob-store';
import { StorageService } from '../services/storage';
import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from './notifications-hub';
import {
executeConfiguredBackup,
importAndAuditRemoteBackupFile,
} from '../handlers/backup';
import { verifyBackupArchiveFileNameChecksum } from '../services/backup-archive';
import { zipSync } from 'fflate';
const BACKUP_JOB_STATE_KEY = 'backup.job.state.v1';
const BACKUP_JOB_LEASE_MS = 10 * 60 * 1000;
const BACKUP_JOB_HEARTBEAT_MS = 30 * 1000;
interface BackupJobState {
token: string;
reason: string;
acquiredAt: string;
touchedAt: string;
expiresAtMs: number;
}
interface RemoteAttachmentChunkRequest {
destination: BackupDestinationRecord;
attachments: Array<{
blobName: string;
}>;
}
interface RemoteAttachmentDownloadRequest {
destination: BackupDestinationRecord;
blobName?: string | null;
}
interface RemoteAttachmentBatchDownloadRequest {
destination: BackupDestinationRecord;
blobNames?: string[] | null;
}
interface ConfiguredBackupRunRequest {
actorUserId?: string | null;
auditMetadata?: Record<string, unknown> | null;
destinationId?: string | null;
targetDeviceIdentifier?: string | null;
trigger?: 'manual' | 'scheduled';
}
interface RemoteBackupRestoreRequest {
actorUserId?: string | null;
allowChecksumMismatch?: boolean;
auditMetadata?: Record<string, unknown> | null;
destinationId?: string | null;
path?: string | null;
replaceExisting?: boolean;
targetDeviceIdentifier?: string | null;
}
function badRequest(message: string, status: number = 400): Response {
return new Response(JSON.stringify({ error: message }), {
status,
headers: {
'Content-Type': 'application/json; charset=utf-8',
'Cache-Control': 'no-store',
},
});
}
export class BackupTransferRunner {
private lastHeartbeatAt = 0;
constructor(
private readonly state: DurableObjectState,
private readonly env: Env
) {
}
private async acquireJob(reason: string): Promise<string | null> {
const nowMs = Date.now();
const current = await this.state.storage.get<BackupJobState>(BACKUP_JOB_STATE_KEY);
if (current?.expiresAtMs && current.expiresAtMs > nowMs) {
return null;
}
const token = crypto.randomUUID();
const nowIso = new Date(nowMs).toISOString();
await this.state.storage.put<BackupJobState>(BACKUP_JOB_STATE_KEY, {
token,
reason,
acquiredAt: nowIso,
touchedAt: nowIso,
expiresAtMs: nowMs + BACKUP_JOB_LEASE_MS,
});
this.lastHeartbeatAt = 0;
return token;
}
private async touchJob(token: string): Promise<void> {
const nowMs = Date.now();
if (nowMs - this.lastHeartbeatAt < BACKUP_JOB_HEARTBEAT_MS) return;
this.lastHeartbeatAt = nowMs;
const current = await this.state.storage.get<BackupJobState>(BACKUP_JOB_STATE_KEY);
if (current?.token !== token) return;
await this.state.storage.put<BackupJobState>(BACKUP_JOB_STATE_KEY, {
...current,
touchedAt: new Date(nowMs).toISOString(),
expiresAtMs: nowMs + BACKUP_JOB_LEASE_MS,
});
}
private async releaseJob(token: string): Promise<void> {
const current = await this.state.storage.get<BackupJobState>(BACKUP_JOB_STATE_KEY);
if (current?.token === token) {
await this.state.storage.delete(BACKUP_JOB_STATE_KEY);
}
}
private async runConfiguredBackup(request: Request): Promise<Response> {
let body: ConfiguredBackupRunRequest;
try {
body = await request.json<ConfiguredBackupRunRequest>();
} catch {
return badRequest('Backup run payload is invalid');
}
const trigger = body.trigger === 'scheduled' ? 'scheduled' : 'manual';
const actorUserId = String(body.actorUserId || '').trim() || null;
if (trigger === 'manual' && !actorUserId) {
return badRequest('Manual backup run requires an actor');
}
const token = await this.acquireJob(`${trigger}:${actorUserId || 'system'}`);
if (!token) {
return badRequest('Another backup run is already in progress', 409);
}
try {
await this.touchJob(token);
const storage = new StorageService(this.env.DB);
const progress = actorUserId
? async (event: {
operation: 'backup-remote-run';
step: string;
fileName: string;
stageTitle: string;
stageDetail: string;
done?: boolean;
ok?: boolean;
error?: string | null;
}) => {
await notifyUserBackupProgress(
this.env,
actorUserId,
event,
String(body.targetDeviceIdentifier || '').trim() || null
);
}
: null;
const result = await executeConfiguredBackup(
this.env,
storage,
actorUserId,
trigger,
body.destinationId || null,
() => this.touchJob(token),
progress,
body.auditMetadata || null
);
const settings = await loadBackupSettings(storage, this.env, 'UTC');
return new Response(JSON.stringify({
object: 'backup-runner-result',
result,
settings,
}), {
status: 200,
headers: {
'Content-Type': 'application/json; charset=utf-8',
'Cache-Control': 'no-store',
},
});
} catch (error) {
return badRequest(error instanceof Error ? error.message : 'Backup run failed', 500);
} finally {
await this.releaseJob(token);
}
}
private async runScheduledBackups(): Promise<Response> {
const token = await this.acquireJob('scheduled');
if (!token) {
return badRequest('Another backup run is already in progress', 409);
}
let completed = 0;
try {
await this.touchJob(token);
const storage = new StorageService(this.env.DB);
let scanStartMs = Date.now();
while (true) {
await this.touchJob(token);
const settings = await loadBackupSettings(storage, this.env, 'UTC');
const now = new Date();
const dueDestinations = settings.destinations.filter((destination) =>
isBackupDueNow(destination, now, BACKUP_SCHEDULER_WINDOW_MINUTES)
|| hasBackupSlotBetween(destination, new Date(scanStartMs), now)
);
if (!dueDestinations.length) {
break;
}
scanStartMs = now.getTime();
for (const destination of dueDestinations) {
await this.touchJob(token);
await executeConfiguredBackup(
this.env,
storage,
null,
'scheduled',
destination.id,
() => this.touchJob(token)
);
completed += 1;
}
}
return new Response(JSON.stringify({
ok: true,
completed,
}), {
status: 200,
headers: {
'Content-Type': 'application/json; charset=utf-8',
'Cache-Control': 'no-store',
},
});
} catch (error) {
return badRequest(error instanceof Error ? error.message : 'Scheduled backup failed', 500);
} finally {
await this.releaseJob(token);
}
}
private async restoreRemoteBackup(request: Request): Promise<Response> {
let body: RemoteBackupRestoreRequest;
try {
body = await request.json<RemoteBackupRestoreRequest>();
} catch {
return badRequest('Remote restore payload is invalid');
}
const actorUserId = String(body.actorUserId || '').trim() || null;
if (!actorUserId) {
return badRequest('Remote restore requires an actor');
}
const token = await this.acquireJob(`restore:${actorUserId}`);
if (!token) {
return badRequest('Another backup or restore run is already in progress', 409);
}
try {
await this.touchJob(token);
const storage = new StorageService(this.env.DB);
const settings = await loadBackupSettings(storage, this.env, 'UTC');
const destination = requireBackupDestination(settings, body.destinationId || null);
const path = ensureRemoteRestoreCandidate(String(body.path || ''));
const restoreFileNameFromPath = path.split('/').pop() || path;
const targetDeviceIdentifier = String(body.targetDeviceIdentifier || '').trim() || null;
const replaceExisting = !!body.replaceExisting;
await notifyUserBackupRestoreProgress(
this.env,
actorUserId,
{
operation: 'backup-restore',
source: 'remote',
step: 'remote_fetch_archive',
fileName: restoreFileNameFromPath,
stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
replaceExisting,
},
targetDeviceIdentifier
);
const remoteFile = await downloadRemoteBackupFile(destination, path);
const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
if (!checksumOk && !body.allowChecksumMismatch) {
return badRequest('Remote backup file checksum does not match its filename');
}
const result = await importAndAuditRemoteBackupFile(
this.env,
storage,
actorUserId,
remoteFile,
destination,
path,
replaceExisting,
!checksumOk,
body.auditMetadata || null,
targetDeviceIdentifier
);
return new Response(JSON.stringify(result.result), {
status: 200,
headers: {
'Content-Type': 'application/json; charset=utf-8',
'Cache-Control': 'no-store',
},
});
} catch (error) {
return badRequest(error instanceof Error ? error.message : 'Remote backup restore failed', 500);
} finally {
await this.releaseJob(token);
}
}
async fetch(request: Request): Promise<Response> {
const url = new URL(request.url);
if (request.method !== 'POST') {
return badRequest('Not found', 404);
}
if (url.pathname === '/internal/run-configured-backup') {
return this.runConfiguredBackup(request);
}
if (url.pathname === '/internal/run-scheduled-backups') {
return this.runScheduledBackups();
}
if (url.pathname === '/internal/restore-remote-backup') {
return this.restoreRemoteBackup(request);
}
if (url.pathname === '/internal/download-remote-attachment') {
let body: RemoteAttachmentDownloadRequest;
try {
body = await request.json<RemoteAttachmentDownloadRequest>();
} catch {
return badRequest('Remote attachment download payload is invalid');
}
const blobName = String(body?.blobName || '').trim();
if (!body?.destination || !blobName) {
return badRequest('Remote attachment download payload is invalid');
}
const file = await downloadRemoteBackupFile(body.destination, `attachments/${blobName}`).catch(() => null);
if (!file) {
return badRequest('Remote attachment not found', 404);
}
return new Response(file.bytes, {
status: 200,
headers: {
'Content-Type': file.contentType || 'application/octet-stream',
'Cache-Control': 'no-store',
},
});
}
if (url.pathname === '/internal/download-remote-attachment-batch') {
let body: RemoteAttachmentBatchDownloadRequest;
try {
body = await request.json<RemoteAttachmentBatchDownloadRequest>();
} catch {
return badRequest('Remote attachment batch download payload is invalid');
}
const blobNames = Array.from(new Set(
(Array.isArray(body?.blobNames) ? body.blobNames : [])
.map((blobName) => String(blobName || '').trim())
.filter(Boolean)
));
if (!body?.destination || !blobNames.length || blobNames.length > 40) {
return badRequest('Remote attachment batch download payload is invalid');
}
const encoder = new TextEncoder();
const entries: Array<{ blobName: string; path: string }> = [];
const files: Record<string, Uint8Array> = {};
for (let i = 0; i < blobNames.length; i += 1) {
const blobName = blobNames[i];
const file = await downloadRemoteBackupFile(body.destination, `attachments/${blobName}`).catch(() => null);
if (!file) continue;
const path = `files/${i}.bin`;
entries.push({ blobName, path });
files[path] = file.bytes;
}
files['manifest.json'] = encoder.encode(JSON.stringify({ version: 1, entries }));
return new Response(zipSync(files), {
status: 200,
headers: {
'Content-Type': 'application/zip',
'Cache-Control': 'no-store',
},
});
}
if (url.pathname !== '/internal/upload-attachment-chunk') {
return badRequest('Not found', 404);
}
let body: RemoteAttachmentChunkRequest;
try {
body = await request.json<RemoteAttachmentChunkRequest>();
} catch {
return badRequest('Attachment chunk payload is invalid');
}
if (!body?.destination || !Array.isArray(body.attachments)) {
return badRequest('Attachment chunk payload is invalid');
}
const remoteSession = createRemoteBackupTransferSession(body.destination);
let uploaded = 0;
for (const attachment of body.attachments) {
const blobName = String(attachment?.blobName || '').trim();
if (!blobName) {
return badRequest('Attachment chunk payload is invalid');
}
const object = await getBlobObject(this.env, blobName);
if (!object) {
return badRequest(`Attachment blob missing for ${blobName}`, 409);
}
const bytes = new Uint8Array(await new Response(object.body).arrayBuffer());
await remoteSession.putFile(`attachments/${blobName}`, bytes, {
contentType: object.contentType,
});
uploaded += 1;
}
return new Response(JSON.stringify({
ok: true,
uploaded,
}), {
status: 200,
headers: {
'Content-Type': 'application/json; charset=utf-8',
'Cache-Control': 'no-store',
},
});
}
}
src/handlers/accounts.ts
+93 -13
View File
@@ -2,6 +2,7 @@ import { Env, User, ProfileResponse, DEFAULT_DEV_SECRET } from '../types';
import { StorageService } from '../services/storage';
import { AuthService } from '../services/auth';
import { RateLimitService, getClientIdentifier } from '../services/ratelimit';
import { auditRequestMetadata, writeAuditEvent, safeWriteAuditEvent } from '../services/audit-events';
import { jsonResponse, errorResponse } from '../utils/response';
import { generateUUID } from '../utils/uuid';
import { LIMITS } from '../config/limits';
@@ -227,14 +228,14 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
return errorResponse('Registration is temporarily unavailable, retry once', 409);
}
await storage.setRegistered();
await storage.createAuditLog({
id: generateUUID(),
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'user.register.first_admin',
targetType: 'user',
targetId: user.id,
metadata: JSON.stringify({ email: user.email }),
createdAt: now,
category: 'security',
level: 'security',
metadata: { email: user.email, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: true, role: user.role }, 200);
}
@@ -259,14 +260,14 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
return errorResponse('Invite code is invalid or expired', 403);
}
await storage.createAuditLog({
id: generateUUID(),
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'user.register.invite',
targetType: 'user',
targetId: user.id,
metadata: JSON.stringify({ email: user.email, inviteCode }),
createdAt: now,
category: 'security',
level: 'info',
metadata: { email: user.email, inviteCode, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: true, role: user.role }, 200);
@@ -378,6 +379,18 @@ export async function handleUpdateProfile(request: Request, env: Env, userId: st
user.masterPasswordHint = masterPasswordHint;
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'account.profile.update',
category: 'security',
level: 'info',
targetType: 'user',
targetId: user.id,
metadata: {
updatedMasterPasswordHint: true,
...auditRequestMetadata(request),
},
});
return jsonResponse(toProfile(user, env));
}
@@ -412,6 +425,18 @@ export async function handleSetVerifyDevices(request: Request, env: Env, userId:
user.verifyDevices = body.verifyDevices;
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'account.verify_devices.update',
category: 'security',
level: 'security',
targetType: 'user',
targetId: user.id,
metadata: {
verifyDevices: user.verifyDevices,
...auditRequestMetadata(request),
},
});
return new Response(null, { status: 200 });
}
@@ -461,6 +486,20 @@ export async function handleSetKeys(request: Request, env: Env, userId: string):
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'account.keys.update',
category: 'security',
level: 'security',
targetType: 'user',
targetId: user.id,
metadata: {
updatedKey: !!body.key,
updatedPrivateKey: !!body.encryptedPrivateKey,
updatedPublicKey: !!body.publicKey,
...auditRequestMetadata(request),
},
});
return handleGetProfile(request, env, userId);
}
@@ -526,14 +565,15 @@ export async function handleChangePassword(request: Request, env: Env, userId: s
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await storage.deleteRefreshTokensByUserId(user.id);
await storage.createAuditLog({
id: generateUUID(),
AuthService.invalidateUserCache(user.id);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'user.password.change',
targetType: 'user',
targetId: user.id,
metadata: JSON.stringify({ email: user.email }),
createdAt: user.updatedAt,
category: 'security',
level: 'security',
metadata: { email: user.email, ...auditRequestMetadata(request) },
});
return new Response(null, { status: 200 });
@@ -587,6 +627,16 @@ export async function handleSetTotpStatus(request: Request, env: Env, userId: st
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await storage.deleteRefreshTokensByUserId(user.id);
AuthService.invalidateUserCache(user.id);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'account.totp.enable',
category: 'security',
level: 'security',
targetType: 'user',
targetId: user.id,
metadata: auditRequestMetadata(request),
});
return jsonResponse({ enabled: true, recoveryCode: user.totpRecoveryCode, object: 'twoFactor' });
}
@@ -601,6 +651,16 @@ export async function handleSetTotpStatus(request: Request, env: Env, userId: st
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await storage.deleteRefreshTokensByUserId(user.id);
AuthService.invalidateUserCache(user.id);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: 'account.totp.disable',
category: 'security',
level: 'security',
targetType: 'user',
targetId: user.id,
metadata: auditRequestMetadata(request),
});
return jsonResponse({ enabled: false, object: 'twoFactor' });
}
@@ -671,7 +731,7 @@ export async function handleRecoverTwoFactor(request: Request, env: Env): Promis
if (!clientIdentifier) {
return errorResponse('Client IP is required', 403);
}
const recoverLimitKey = `${clientIdentifier}:recover-2fa:${email || 'unknown'}`;
const recoverLimitKey = `${clientIdentifier}:recover-2fa`;
const recoverAttemptCheck = await rateLimit.checkLoginAttempt(recoverLimitKey);
if (!recoverAttemptCheck.allowed) {
@@ -708,7 +768,17 @@ export async function handleRecoverTwoFactor(request: Request, env: Env): Promis
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
await storage.deleteRefreshTokensByUserId(user.id);
AuthService.invalidateUserCache(user.id);
await rateLimit.clearLoginAttempts(recoverLimitKey);
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'account.totp.recover',
category: 'security',
level: 'security',
targetType: 'user',
targetId: user.id,
metadata: auditRequestMetadata(request),
});
return jsonResponse({
success: true,
@@ -801,6 +871,16 @@ async function apiKey(request: Request, env: Env, userId: string, rotate: boolea
}
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
AuthService.invalidateUserCache(user.id);
await writeAuditEvent(storage, {
actorUserId: user.id,
action: rotate ? 'account.api_key.rotate' : 'account.api_key.create',
category: 'security',
level: rotate ? 'security' : 'info',
targetType: 'user',
targetId: user.id,
metadata: auditRequestMetadata(request),
});
}
return jsonResponse({
src/handlers/admin.ts
+120 -13
View File
@@ -1,8 +1,9 @@
import { Env, User, Invite } from '../types';
import { AuthService } from '../services/auth';
import { StorageService } from '../services/storage';
import { jsonResponse, errorResponse } from '../utils/response';
import { generateUUID } from '../utils/uuid';
import { deleteBlobObject, getAttachmentObjectKey, getSendFileObjectKey } from '../services/blob-store';
import { auditRequestMetadata, getAuditLogSettings, normalizeAuditLogSettings, saveAuditLogSettings, writeAuditEvent } from '../services/audit-events';
function isAdmin(user: User): boolean {
return user.role === 'admin' && user.status === 'active';
@@ -24,16 +25,20 @@ async function writeAuditLog(
action: string,
targetType: string | null,
targetId: string | null,
metadata: Record<string, unknown> | null
metadata: Record<string, unknown> | null,
request?: Request
): Promise<void> {
await storage.createAuditLog({
id: generateUUID(),
await writeAuditEvent(storage, {
actorUserId,
action,
targetType,
targetId,
metadata: metadata ? JSON.stringify(metadata) : null,
createdAt: new Date().toISOString(),
category: action.startsWith('admin.user.') ? 'security' : 'system',
level: action.startsWith('admin.user.') ? 'security' : 'info',
metadata: {
...(metadata || {}),
...(request ? auditRequestMetadata(request) : {}),
},
});
}
@@ -81,6 +86,106 @@ export async function handleAdminListUsers(
});
}
// GET /api/admin/logs
export async function handleAdminListAuditLogs(
request: Request,
env: Env,
actorUser: User
): Promise<Response> {
if (!isAdmin(actorUser)) {
return errorResponse('Forbidden', 403);
}
const url = new URL(request.url);
const limit = Math.max(1, Math.min(200, Number(url.searchParams.get('limit') || 50)));
const offset = Math.max(0, Number(url.searchParams.get('offset') || 0));
const category = String(url.searchParams.get('category') || '').trim() || null;
const level = String(url.searchParams.get('level') || '').trim() || null;
const q = String(url.searchParams.get('q') || '').trim().toLowerCase() || null;
const from = String(url.searchParams.get('from') || '').trim() || null;
const to = String(url.searchParams.get('to') || '').trim() || null;
const storage = new StorageService(env.DB);
const result = await storage.listAuditLogs({ limit, offset, category, level, q, from, to });
return jsonResponse({
data: result.logs.map(log => ({
id: log.id,
actorUserId: log.actorUserId,
actorEmail: log.actorEmail,
action: log.action,
category: log.category,
level: log.level,
targetType: log.targetType,
targetId: log.targetId,
targetUserEmail: log.targetUserEmail,
metadata: log.metadata,
createdAt: log.createdAt,
object: 'auditLog',
})),
total: result.total,
limit,
offset,
hasMore: result.hasMore,
object: 'list',
continuationToken: result.hasMore ? String(offset + result.logs.length) : null,
});
}
// GET /api/admin/logs/settings
export async function handleAdminGetAuditLogSettings(
request: Request,
env: Env,
actorUser: User
): Promise<Response> {
void request;
if (!isAdmin(actorUser)) {
return errorResponse('Forbidden', 403);
}
const storage = new StorageService(env.DB);
return jsonResponse({
object: 'auditLogSettings',
...await getAuditLogSettings(storage),
});
}
// PUT /api/admin/logs/settings
export async function handleAdminUpdateAuditLogSettings(
request: Request,
env: Env,
actorUser: User
): Promise<Response> {
if (!isAdmin(actorUser)) {
return errorResponse('Forbidden', 403);
}
let body: unknown;
try {
body = await request.json();
} catch {
return errorResponse('Invalid JSON', 400);
}
const storage = new StorageService(env.DB);
const settings = await saveAuditLogSettings(storage, normalizeAuditLogSettings(body));
await writeAuditLog(storage, actorUser.id, 'admin.audit.settings.update', 'auditLog', null, { ...settings }, request);
return jsonResponse({
object: 'auditLogSettings',
...settings,
});
}
// DELETE /api/admin/logs
export async function handleAdminClearAuditLogs(
request: Request,
env: Env,
actorUser: User
): Promise<Response> {
if (!isAdmin(actorUser)) {
return errorResponse('Forbidden', 403);
}
const storage = new StorageService(env.DB);
const deleted = await storage.clearAuditLogs();
return jsonResponse({ object: 'auditLogClear', deleted });
}
// POST /api/admin/invites
export async function handleAdminCreateInvite(
request: Request,
@@ -115,9 +220,9 @@ export async function handleAdminCreateInvite(
};
await storage.createInvite(invite);
await writeAuditLog(storage, actorUser.id, 'admin.invite.create', 'invite', invite.code, {
await writeAuditLog(storage, actorUser.id, 'admin.invite.create', 'invite', null, {
expiresInHours,
});
}, request);
return jsonResponse(toInviteResponse(request, invite), 201);
}
@@ -160,7 +265,7 @@ export async function handleAdminRevokeInvite(
return errorResponse('Invite not found or already inactive', 404);
}
await writeAuditLog(storage, actorUser.id, 'admin.invite.revoke', 'invite', code, null);
await writeAuditLog(storage, actorUser.id, 'admin.invite.revoke', 'invite', null, null, request);
return new Response(null, { status: 204 });
}
@@ -179,7 +284,7 @@ export async function handleAdminDeleteAllInvites(
const deleted = await storage.deleteAllInvites();
await writeAuditLog(storage, actorUser.id, 'admin.invite.delete_all', 'invite', null, {
deleted,
});
}, request);
return jsonResponse({ deleted }, 200);
}
@@ -222,9 +327,10 @@ export async function handleAdminSetUserStatus(
if (nextStatus === 'banned') {
await storage.deleteRefreshTokensByUserId(target.id);
}
AuthService.invalidateUserCache(target.id);
await writeAuditLog(storage, actorUser.id, 'admin.user.status', 'user', target.id, {
status: nextStatus,
});
}, request);
return jsonResponse({
id: target.id,
@@ -280,9 +386,10 @@ export async function handleAdminDeleteUser(
await storage.deleteRefreshTokensByUserId(target.id);
await storage.deleteUserById(target.id);
AuthService.invalidateUserCache(target.id);
await writeAuditLog(storage, actorUser.id, 'admin.user.delete', 'user', target.id, {
email: target.email,
});
targetEmail: target.email,
}, request);
return new Response(null, { status: 204 });
}
src/handlers/attachments.ts
+34 -6
View File
@@ -10,7 +10,7 @@ import {
verifyAttachmentUploadToken,
verifyFileDownloadToken,
} from '../utils/jwt';
import { cipherToResponse } from './ciphers';
import { applyCipherEmbeddedAttachmentMetadata, cipherToResponse } from './ciphers';
import { LIMITS } from '../config/limits';
import { readActingDeviceIdentifier } from '../utils/device';
import {
@@ -20,6 +20,7 @@ import {
getBlobStorageMaxBytes,
putBlobObject,
} from '../services/blob-store';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
function notifyVaultSyncForRequest(
request: Request,
@@ -30,6 +31,27 @@ function notifyVaultSyncForRequest(
notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
}
async function writeAttachmentAudit(
storage: StorageService,
request: Request,
userId: string,
action: string,
metadata: Record<string, unknown>
): Promise<void> {
await writeAuditEvent(storage, {
actorUserId: userId,
action,
category: 'data',
level: action.includes('delete') ? 'security' : 'info',
targetType: 'attachment',
targetId: typeof metadata.id === 'string' ? metadata.id : null,
metadata: {
...metadata,
...auditRequestMetadata(request),
},
});
}
// Format file size to human readable
function formatSize(bytes: number): string {
if (bytes < 1024) return `${bytes} Bytes`;
@@ -260,6 +282,7 @@ export async function handleGetAttachment(
if (!attachment || attachment.cipherId !== cipherId) {
return errorResponse('Attachment not found', 404);
}
const responseAttachment = applyCipherEmbeddedAttachmentMetadata(cipher, [attachment])[0] || attachment;
// Generate short-lived download token
const token = await createFileDownloadToken(cipherId, attachmentId, env.JWT_SECRET);
@@ -270,12 +293,12 @@ export async function handleGetAttachment(
return jsonResponse({
object: 'attachment',
id: attachment.id,
id: responseAttachment.id,
url: downloadUrl,
fileName: attachment.fileName,
key: attachment.key,
size: String(Number(attachment.size) || 0),
sizeName: attachment.sizeName,
fileName: responseAttachment.fileName,
key: responseAttachment.key,
size: String(Number(responseAttachment.size) || 0),
sizeName: responseAttachment.sizeName,
});
}
@@ -430,6 +453,11 @@ export async function handleDeleteAttachment(
const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
if (revisionInfo) {
notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
await writeAttachmentAudit(storage, request, revisionInfo.userId, 'attachment.delete', {
id: attachmentId,
cipherId,
size: attachment.size,
});
}
// Get updated cipher for response
src/handlers/backup.ts
+395 -242
View File
@@ -1,21 +1,20 @@
import type { Env, User } from '../types';
import { errorResponse, jsonResponse } from '../utils/response';
import { generateUUID } from '../utils/uuid';
import {
type BackupArchiveBundle,
buildBackupArchive,
inspectBackupArchiveFileNameChecksum,
parseBackupArchive,
verifyBackupArchiveFileNameChecksum,
} from '../services/backup-archive';
import {
type BackupDestinationRecord,
type BackupSettingsInput,
BACKUP_SCHEDULER_WINDOW_MINUTES,
type BackupSettings,
type WebDavBackupDestination,
getBackupLocalDateKey,
getDefaultBackupSettings,
getBackupSettingsRepairState,
hasBackupSlotBetween,
isBackupDueNow,
loadBackupSettings,
normalizeBackupSettingsInput,
normalizeImportedBackupSettings,
@@ -31,6 +30,7 @@ import {
} from '../services/backup-import';
import {
type RemoteBackupTransferSession,
type RemoteBackupFile,
createRemoteBackupTransferSession,
deleteRemoteBackupFile,
downloadRemoteBackupFile,
@@ -40,8 +40,10 @@ import {
uploadBackupArchive,
} from '../services/backup-uploader';
import { StorageService } from '../services/storage';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
import { getBlobObject } from '../services/blob-store';
import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from '../durable/notifications-hub';
import { unzipSync } from 'fflate';
function isAdmin(user: User): boolean {
return user.role === 'admin' && user.status === 'active';
@@ -53,16 +55,20 @@ async function writeAuditLog(
action: string,
targetType: string | null,
targetId: string | null,
metadata: Record<string, unknown> | null
metadata: Record<string, unknown> | null,
request?: Request
): Promise<void> {
await storage.createAuditLog({
id: generateUUID(),
await writeAuditEvent(storage, {
actorUserId,
action,
targetType,
targetId,
metadata: metadata ? JSON.stringify(metadata) : null,
createdAt: new Date().toISOString(),
category: 'data',
level: action.endsWith('.failed') ? 'error' : 'info',
metadata: {
...(metadata || {}),
...(request ? auditRequestMetadata(request) : {}),
},
});
}
@@ -81,102 +87,6 @@ function getBackupDestinationSummary(destination: BackupDestinationRecord | null
};
}
const BACKUP_RUNNER_LOCK_KEY = 'backup.runner.lock.v1';
const BACKUP_RUNNER_LEASE_MS = 10 * 60 * 1000;
const BACKUP_RUNNER_HEARTBEAT_MS = 30 * 1000;
// CONTRACT:
// The runner lock is a config-row lease, not a queue. It only prevents two
// backup/restore jobs from overlapping. Manual runs return conflict when the
// lease is held; scheduled runs skip quietly. Never export this row in backups.
interface BackupRunnerLease {
token: string;
touch: () => Promise<void>;
release: () => Promise<void>;
}
async function acquireBackupRunnerLease(env: Env, reason: string): Promise<BackupRunnerLease | null> {
const token = generateUUID();
const nowMs = Date.now();
const expiresAtMs = nowMs + BACKUP_RUNNER_LEASE_MS;
const value = JSON.stringify({
token,
reason,
acquiredAt: new Date(nowMs).toISOString(),
touchedAt: new Date(nowMs).toISOString(),
expiresAtMs,
});
const result = await env.DB
.prepare(
`INSERT INTO config(key, value) VALUES(?, ?)
ON CONFLICT(key) DO UPDATE SET value = excluded.value
WHERE COALESCE(CAST(json_extract(config.value, '$.expiresAtMs') AS INTEGER), 0) <= ?`
)
.bind(BACKUP_RUNNER_LOCK_KEY, value, nowMs)
.run();
if ((result.meta?.changes || 0) < 1) {
return null;
}
return {
token,
touch: async () => {
const nextNowMs = Date.now();
const nextValue = JSON.stringify({
token,
reason,
acquiredAt: new Date(nowMs).toISOString(),
touchedAt: new Date(nextNowMs).toISOString(),
expiresAtMs: nextNowMs + BACKUP_RUNNER_LEASE_MS,
});
await env.DB
.prepare(
`UPDATE config
SET value = ?
WHERE key = ?
AND json_extract(value, '$.token') = ?`
)
.bind(nextValue, BACKUP_RUNNER_LOCK_KEY, token)
.run();
},
release: async () => {
await env.DB
.prepare(
`DELETE FROM config
WHERE key = ?
AND json_extract(value, '$.token') = ?`
)
.bind(BACKUP_RUNNER_LOCK_KEY, token)
.run();
},
};
}
async function withBackupRunnerLease<T>(
env: Env,
reason: string,
task: (keepAlive: () => Promise<void>) => Promise<T>
): Promise<T | null> {
const lease = await acquireBackupRunnerLease(env, reason);
if (!lease) return null;
let lastHeartbeatAt = 0;
const keepAlive = async () => {
const nowMs = Date.now();
if (nowMs - lastHeartbeatAt < BACKUP_RUNNER_HEARTBEAT_MS) return;
lastHeartbeatAt = nowMs;
await lease.touch();
};
try {
await keepAlive();
return await task(keepAlive);
} finally {
await lease.release();
}
}
function ensureBackupBlobName(value: string): string {
const normalized = String(value || '').trim().replace(/\\/g, '/').replace(/^\/+|\/+$/g, '');
if (!normalized) {
@@ -196,6 +106,37 @@ interface RemoteAttachmentIndexPayload {
blobs: Record<string, { sizeBytes: number; updatedAt: string }>;
}
const REMOTE_ATTACHMENT_SYNC_EXTERNAL_SUBREQUEST_LIMIT = 50;
const REMOTE_ATTACHMENT_SYNC_SUBREQUEST_RESERVE = 6;
const REMOTE_ATTACHMENT_SYNC_MAX_WEB_DAV_BATCH_SIZE = 18;
const REMOTE_ATTACHMENT_SYNC_MAX_S3_BATCH_SIZE = 40;
const REMOTE_ATTACHMENT_RESTORE_BATCH_SIZE = 40;
function countRemotePathSegments(value: string): number {
return String(value || '').replace(/\\/g, '/').split('/').filter(Boolean).length;
}
function getRemoteAttachmentSyncBatchSize(destination: BackupDestinationRecord): number {
if (destination.type === 's3') {
return REMOTE_ATTACHMENT_SYNC_MAX_S3_BATCH_SIZE;
}
const remotePath = String((destination.destination as WebDavBackupDestination).remotePath || '');
const fixedWebDavDirectoryCalls = countRemotePathSegments(remotePath) + 1; // remotePath plus the shared "attachments" dir.
const available = REMOTE_ATTACHMENT_SYNC_EXTERNAL_SUBREQUEST_LIMIT
- REMOTE_ATTACHMENT_SYNC_SUBREQUEST_RESERVE
- fixedWebDavDirectoryCalls;
if (available < 2) {
throw new Error('WebDAV remote backup path is too deep for safe attachment batching');
}
return Math.max(1, Math.min(
REMOTE_ATTACHMENT_SYNC_MAX_WEB_DAV_BATCH_SIZE,
Math.floor(available / 2)
));
}
async function loadRemoteAttachmentIndex(session: RemoteBackupTransferSession): Promise<Map<string, number>> {
try {
const file = await session.download(REMOTE_ATTACHMENT_INDEX_PATH);
@@ -251,7 +192,39 @@ async function saveRemoteAttachmentIndex(
});
}
async function executeConfiguredBackup(
async function uploadRemoteAttachmentChunk(
env: Env,
destination: BackupDestinationRecord,
attachments: Array<{ blobName: string }>
): Promise<void> {
if (!attachments.length) return;
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-sync');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/upload-attachment-chunk', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify({
destination,
attachments,
}),
});
if (!response.ok) {
let message = `Attachment sync failed: ${response.status}`;
try {
const payload = await response.json<{ error?: string }>();
if (payload?.error) {
message = payload.error;
}
} catch {
// Ignore JSON parse failures and preserve the status-based error.
}
throw new Error(message);
}
}
export async function executeConfiguredBackup(
env: Env,
storage: StorageService,
actorUserId: string | null,
@@ -267,7 +240,8 @@ async function executeConfiguredBackup(
done?: boolean;
ok?: boolean;
error?: string | null;
}) => Promise<void>) | null
}) => Promise<void>) | null,
auditMetadata?: Record<string, unknown> | null
): Promise<{ fileName: string; fileSize: number; remotePath: string; provider: string }> {
const maxArchiveUploadAttempts = 3;
const touchLease = async () => {
@@ -325,25 +299,20 @@ async function executeConfiguredBackup(
if (destination.includeAttachments) {
await touchLease();
const remoteAttachmentIndex = await loadRemoteAttachmentIndex(remoteSession);
let attachmentIndexChanged = false;
for (const attachment of archive.manifest.attachmentBlobs || []) {
const pendingAttachments = (archive.manifest.attachmentBlobs || [])
.filter((attachment) => remoteAttachmentIndex.get(attachment.blobName) !== attachment.sizeBytes);
const attachmentSyncBatchSize = getRemoteAttachmentSyncBatchSize(destination);
for (let i = 0; i < pendingAttachments.length; i += attachmentSyncBatchSize) {
await touchLease();
if (remoteAttachmentIndex.get(attachment.blobName) === attachment.sizeBytes) {
continue;
const chunk = pendingAttachments
.slice(i, i + attachmentSyncBatchSize)
.map((attachment) => ({ blobName: attachment.blobName }));
await uploadRemoteAttachmentChunk(env, destination, chunk);
}
const remotePath = `attachments/${attachment.blobName}`;
const object = await getBlobObject(env, attachment.blobName);
if (!object) {
throw new Error(`Attachment blob missing for ${attachment.blobName}`);
}
const bytes = new Uint8Array(await new Response(object.body).arrayBuffer());
await remoteSession.putFile(remotePath, bytes, {
contentType: object.contentType,
});
if (pendingAttachments.length) {
for (const attachment of pendingAttachments) {
remoteAttachmentIndex.set(attachment.blobName, attachment.sizeBytes);
attachmentIndexChanged = true;
}
if (attachmentIndexChanged) {
await touchLease();
await saveRemoteAttachmentIndex(remoteSession, remoteAttachmentIndex);
}
@@ -423,6 +392,7 @@ async function executeConfiguredBackup(
uploadVerificationAttempts: maxArchiveUploadAttempts,
prunedFileCount,
pruneError: pruneErrorMessage,
...(auditMetadata || {}),
});
await progress?.({
@@ -451,6 +421,7 @@ async function executeConfiguredBackup(
await writeAuditLog(storage, actorUserId, `admin.backup.remote.${trigger}.failed`, 'backup', null, {
...getBackupDestinationSummary(destination),
error: destination.runtime.lastErrorMessage,
...(auditMetadata || {}),
});
await progress?.({
operation: 'backup-remote-run',
@@ -466,14 +437,293 @@ async function executeConfiguredBackup(
}
}
interface DurableBackupRunResponse {
result: {
fileName: string;
fileSize: number;
remotePath: string;
provider: string;
};
settings: BackupSettings;
}
async function runConfiguredBackupInDurableObject(
env: Env,
payload: {
actorUserId: string | null;
auditMetadata?: Record<string, unknown> | null;
destinationId?: string | null;
targetDeviceIdentifier?: string | null;
trigger: 'manual' | 'scheduled';
}
): Promise<DurableBackupRunResponse | null> {
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/run-configured-backup', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify(payload),
});
if (response.status === 409) {
return null;
}
if (!response.ok) {
let message = `Backup run failed: ${response.status}`;
try {
const body = await response.json<{ error?: string }>();
if (body?.error) message = body.error;
} catch {
// Preserve the status-based message when the DO returns a non-JSON error.
}
throw new Error(message);
}
const body = await response.json<DurableBackupRunResponse>();
if (!body?.result || !body?.settings) {
throw new Error('Backup run response is invalid');
}
return body;
}
async function runScheduledBackupsInDurableObject(env: Env): Promise<void> {
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/run-scheduled-backups', {
method: 'POST',
});
if (response.status === 409) {
return;
}
if (!response.ok) {
let message = `Scheduled backup failed: ${response.status}`;
try {
const body = await response.json<{ error?: string }>();
if (body?.error) message = body.error;
} catch {
// Preserve the status-based message when the DO returns a non-JSON error.
}
throw new Error(message);
}
}
async function downloadRemoteAttachmentViaDurableObject(
env: Env,
destination: BackupDestinationRecord,
blobName: string
): Promise<Uint8Array | null> {
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-restore');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/download-remote-attachment', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify({
destination,
blobName,
}),
});
if (response.status === 404) {
return null;
}
if (!response.ok) {
throw new Error(`Remote attachment download failed: ${response.status}`);
}
return new Uint8Array(await response.arrayBuffer());
}
async function downloadRemoteAttachmentBatchViaDurableObject(
env: Env,
destination: BackupDestinationRecord,
blobNames: string[]
): Promise<Map<string, Uint8Array>> {
const names = Array.from(new Set(blobNames.map((blobName) => String(blobName || '').trim()).filter(Boolean)));
const result = new Map<string, Uint8Array>();
if (!names.length) return result;
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-restore');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/download-remote-attachment-batch', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify({
destination,
blobNames: names,
}),
});
if (!response.ok) {
throw new Error(`Remote attachment batch download failed: ${response.status}`);
}
const files = unzipSync(new Uint8Array(await response.arrayBuffer()));
const manifestBytes = files['manifest.json'];
if (!manifestBytes) return result;
const manifest = JSON.parse(new TextDecoder().decode(manifestBytes)) as {
entries?: Array<{ blobName?: string; path?: string }>;
};
for (const entry of manifest.entries || []) {
const blobName = String(entry.blobName || '').trim();
const path = String(entry.path || '').trim();
const bytes = path ? files[path] : null;
if (blobName && bytes) {
result.set(blobName, bytes);
}
}
return result;
}
function collectExternalRemoteAttachmentBlobNames(archiveBytes: Uint8Array): string[] {
const parsed = parseBackupArchive(archiveBytes, { allowExternalAttachmentBlobs: true });
const refs = new Map(
(parsed.payload.manifest.attachmentBlobs || [])
.map((item) => [`${String(item.cipherId || '').trim()}/${String(item.attachmentId || '').trim()}`, item])
);
const names: string[] = [];
const seen = new Set<string>();
for (const row of parsed.payload.db.attachments || []) {
const cipherId = String(row.cipher_id || '').trim();
const attachmentId = String(row.id || '').trim();
const inlinePath = `attachments/${cipherId}/${attachmentId}.bin`;
if (parsed.files[inlinePath]) continue;
const ref = refs.get(`${cipherId}/${attachmentId}`);
const blobName = String(ref?.blobName || '').trim();
if (blobName && !seen.has(blobName)) {
seen.add(blobName);
names.push(blobName);
}
}
return names;
}
function toImportStatusCode(message: string): number {
const lower = message.toLowerCase();
if (lower.includes('checksum')) return 400;
if (lower.includes('invalid backup') || lower.includes('invalid json')) return 400;
if (lower.includes('fresh instance')) return 409;
if (lower.includes('not configured') || lower.includes('kv')) return 409;
return 500;
}
export async function importAndAuditRemoteBackupFile(
env: Env,
storage: StorageService,
actorUserId: string,
remoteFile: RemoteBackupFile,
destination: BackupDestinationRecord,
remotePath: string,
replaceExisting: boolean,
checksumMismatchAccepted: boolean,
auditMetadata: Record<string, unknown> | null = null,
targetDeviceIdentifier: string | null = null
): Promise<BackupImportExecutionResult> {
const restoreFileName = remoteFile.fileName || remotePath.split('/').pop() || remotePath;
const externalAttachmentBlobNames = collectExternalRemoteAttachmentBlobNames(remoteFile.bytes);
const externalAttachmentCache = new Map<string, Uint8Array | null>();
const progress: BackupRestoreProgressReporter = async (event) => {
await notifyUserBackupRestoreProgress(
env,
actorUserId,
{
operation: 'backup-restore',
...event,
},
targetDeviceIdentifier
);
};
const result = await importRemoteBackupArchiveBytes(
remoteFile.bytes,
env,
actorUserId,
replaceExisting,
{
loadAttachment: async (blobName) => {
const normalized = String(blobName || '').trim();
if (!normalized) return null;
if (externalAttachmentCache.has(normalized)) {
return externalAttachmentCache.get(normalized) || null;
}
const start = Math.max(0, externalAttachmentBlobNames.indexOf(normalized));
const batchNames = externalAttachmentBlobNames
.slice(start, start + REMOTE_ATTACHMENT_RESTORE_BATCH_SIZE)
.filter((name) => !externalAttachmentCache.has(name));
if (!batchNames.includes(normalized)) {
batchNames.unshift(normalized);
}
try {
const batch = await downloadRemoteAttachmentBatchViaDurableObject(env, destination, batchNames);
for (const name of batchNames) {
externalAttachmentCache.set(name, batch.get(name) || null);
}
} catch {
externalAttachmentCache.set(normalized, await downloadRemoteAttachmentViaDurableObject(env, destination, normalized).catch(() => null));
}
return externalAttachmentCache.get(normalized) || null;
},
},
progress,
restoreFileName
);
await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
users: result.result.imported.users,
ciphers: result.result.imported.ciphers,
attachments: result.result.imported.attachmentFiles,
skippedAttachments: result.result.skipped.attachments,
skippedReason: result.result.skipped.reason,
replaceExisting,
...getBackupDestinationSummary(destination),
remotePath,
bytes: remoteFile.bytes.byteLength,
trigger: 'remote',
checksumMismatchAccepted,
...(auditMetadata || {}),
});
return result;
}
async function restoreRemoteBackupInDurableObject(
env: Env,
payload: {
actorUserId: string;
allowChecksumMismatch?: boolean;
auditMetadata?: Record<string, unknown> | null;
destinationId?: string | null;
path: string;
replaceExisting?: boolean;
targetDeviceIdentifier?: string | null;
}
): Promise<BackupImportExecutionResult['result'] | null> {
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/restore-remote-backup', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify(payload),
});
if (response.status === 409) {
return null;
}
if (!response.ok) {
let message = `Remote backup restore failed: ${response.status}`;
try {
const body = await response.json<{ error?: string }>();
if (body?.error) message = body.error;
} catch {
// Preserve the status-based message when the DO returns a non-JSON error.
}
throw new Error(message);
}
return response.json<BackupImportExecutionResult['result']>();
}
async function runImportAndAudit(
env: Env,
request: Request,
@@ -513,35 +763,12 @@ async function runImportAndAudit(
skippedReason: imported.result.skipped.reason,
replaceExisting,
...metadata,
});
}, request);
return imported;
}
export async function runScheduledBackupIfDue(env: Env): Promise<void> {
await withBackupRunnerLease(env, 'scheduled', async (keepAlive) => {
const storage = new StorageService(env.DB);
let scanStartMs = Date.now();
while (true) {
await keepAlive();
const settings = await loadBackupSettings(storage, env, 'UTC');
const now = new Date();
const dueDestinations = settings.destinations.filter((destination) =>
isBackupDueNow(destination, now, BACKUP_SCHEDULER_WINDOW_MINUTES)
|| hasBackupSlotBetween(destination, new Date(scanStartMs), now)
);
if (!dueDestinations.length) {
return;
}
scanStartMs = now.getTime();
for (const destination of dueDestinations) {
await keepAlive();
await executeConfiguredBackup(env, storage, null, 'scheduled', destination.id, keepAlive);
}
}
});
await runScheduledBackupsInDurableObject(env);
}
export async function handleGetAdminBackupSettings(request: Request, env: Env, actorUser: User): Promise<Response> {
@@ -586,7 +813,7 @@ export async function handleUpdateAdminBackupSettings(request: Request, env: Env
await writeAuditLog(storage, actorUser.id, 'admin.backup.settings.update', 'backup', null, {
destinationCount: next.destinations.length,
scheduledDestinationCount: next.destinations.filter((destination) => destination.schedule.enabled).length,
});
}, request);
return jsonResponse(next);
}
@@ -636,7 +863,7 @@ export async function handleRepairAdminBackupSettings(request: Request, env: Env
await writeAuditLog(storage, actorUser.id, 'admin.backup.settings.repair', 'backup', null, {
destinationCount: next.destinations.length,
scheduledDestinationCount: next.destinations.filter((destination) => destination.schedule.enabled).length,
});
}, request);
return jsonResponse(next);
}
@@ -653,32 +880,12 @@ export async function handleRunAdminConfiguredBackup(request: Request, env: Env,
return errorResponse('Backup run payload is invalid', 400);
}
const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
const progress = async (event: {
operation: 'backup-remote-run';
step: string;
fileName: string;
stageTitle: string;
stageDetail: string;
done?: boolean;
ok?: boolean;
error?: string | null;
}) => {
await notifyUserBackupProgress(env, actorUser.id, event, targetDeviceIdentifier);
};
const outcome = await withBackupRunnerLease(env, `manual:${actorUser.id}`, async (keepAlive) => {
const storage = new StorageService(env.DB);
const result = await executeConfiguredBackup(
env,
storage,
actorUser.id,
'manual',
body?.destinationId || null,
keepAlive,
progress
);
const settings = await loadBackupSettings(storage, env, 'UTC');
return { result, settings };
const outcome = await runConfiguredBackupInDurableObject(env, {
actorUserId: actorUser.id,
auditMetadata: auditRequestMetadata(request),
destinationId: body?.destinationId || null,
targetDeviceIdentifier: String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null,
trigger: 'manual',
});
if (!outcome) {
return errorResponse('Another backup run is already in progress', 409);
@@ -777,7 +984,7 @@ export async function handleDeleteAdminRemoteBackup(request: Request, env: Env,
await writeAuditLog(storage, actorUser.id, 'admin.backup.remote.delete', 'backup', null, {
...getBackupDestinationSummary(destination),
remotePath: path,
});
}, request);
return jsonResponse({ object: 'backup-remote-delete', deleted: true, path });
} catch (error) {
return errorResponse(error instanceof Error ? error.message : 'Remote backup delete failed', 409);
@@ -794,76 +1001,22 @@ export async function handleRestoreAdminRemoteBackup(request: Request, env: Env,
return errorResponse('Remote restore payload is invalid', 400);
}
const storage = new StorageService(env.DB);
try {
const settings = await loadBackupSettings(storage, env, 'UTC');
const destination = requireBackupDestination(settings, body.destinationId || null);
const path = ensureRemoteRestoreCandidate(String(body.path || ''));
const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
const restoreFileNameFromPath = path.split('/').pop() || path;
await notifyUserBackupRestoreProgress(
env,
actorUser.id,
{
operation: 'backup-restore',
source: 'remote',
step: 'remote_fetch_archive',
fileName: restoreFileNameFromPath,
stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
const imported = await restoreRemoteBackupInDurableObject(env, {
actorUserId: actorUser.id,
allowChecksumMismatch: !!body.allowChecksumMismatch,
auditMetadata: auditRequestMetadata(request),
destinationId: body.destinationId || null,
path,
replaceExisting: !!body.replaceExisting,
},
targetDeviceIdentifier
);
const remoteFile = await downloadRemoteBackupFile(destination, path);
const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
if (!checksumOk && !body.allowChecksumMismatch) {
return errorResponse('Remote backup file checksum does not match its filename', 400);
}
const restoreFileName = remoteFile.fileName || path.split('/').pop() || path;
const progress: BackupRestoreProgressReporter = async (event) => {
await notifyUserBackupRestoreProgress(
env,
actorUser.id,
{
operation: 'backup-restore',
...event,
},
targetDeviceIdentifier
);
};
const imported = await (async () => {
const storage = new StorageService(env.DB);
const result = await importRemoteBackupArchiveBytes(
remoteFile.bytes,
env,
actorUser.id,
!!body.replaceExisting,
{
loadAttachment: async (blobName) => {
const file = await downloadRemoteBackupFile(destination, `attachments/${blobName}`).catch(() => null);
return file?.bytes || null;
},
},
progress,
restoreFileName
);
await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
users: result.result.imported.users,
ciphers: result.result.imported.ciphers,
attachments: result.result.imported.attachmentFiles,
skippedAttachments: result.result.skipped.attachments,
skippedReason: result.result.skipped.reason,
replaceExisting: !!body.replaceExisting,
...getBackupDestinationSummary(destination),
remotePath: path,
bytes: remoteFile.bytes.byteLength,
trigger: 'remote',
checksumMismatchAccepted: !checksumOk,
targetDeviceIdentifier,
});
return result;
})();
return jsonResponse(imported.result);
if (!imported) {
return errorResponse('Another backup or restore run is already in progress', 409);
}
return jsonResponse(imported);
} catch (error) {
const message = error instanceof Error ? error.message : 'Remote backup restore failed';
return errorResponse(message, toImportStatusCode(message));
@@ -937,7 +1090,7 @@ export async function handleAdminExportBackup(request: Request, env: Env, actorU
attachments: archive.manifest.tableCounts.attachments,
compressedBytes: archive.bytes.byteLength,
includesAttachments: archive.manifest.includes.attachments,
});
}, request);
return new Response(archive.bytes, {
status: 200,
src/handlers/ciphers.ts
+384 -23
View File
@@ -17,12 +17,25 @@ import { generateUUID } from '../utils/uuid';
import { deleteAllAttachmentsForCipher, deleteAllAttachmentsForCiphers } from './attachments';
import { parsePagination, encodeContinuationToken } from '../utils/pagination';
import { readActingDeviceIdentifier } from '../utils/device';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
// CONTRACT:
// Cipher JSON is the highest-risk Bitwarden compatibility surface. Preserve
// unknown/future client fields by default, then override only server-owned
// fields. Any change to cipher response shape must be checked against /api/sync,
// attachments, import/export, and current official clients.
export interface CipherResponseOptions {
preserveRepairableUris?: boolean;
}
export function shouldPreserveRepairableCipherUris(request: Request): boolean {
return request.headers.get('X-NodeWarden-Web') === '1';
}
function cipherResponseOptionsForRequest(request: Request): CipherResponseOptions {
return { preserveRepairableUris: shouldPreserveRepairableCipherUris(request) };
}
function normalizeOptionalId(value: unknown): string | null {
if (value == null) return null;
const normalized = String(value).trim();
@@ -83,6 +96,27 @@ function syncCipherComputedAliases(cipher: Cipher): Cipher {
return cipher;
}
async function writeCipherAudit(
storage: StorageService,
request: Request,
userId: string,
action: string,
metadata: Record<string, unknown>
): Promise<void> {
await writeAuditEvent(storage, {
actorUserId: userId,
action,
category: 'data',
level: action.includes('delete') ? 'security' : 'info',
targetType: 'cipher',
targetId: typeof metadata.id === 'string' ? metadata.id : null,
metadata: {
...metadata,
...auditRequestMetadata(request),
},
});
}
function isValidEncString(value: unknown): value is string {
if (typeof value !== 'string') return false;
const trimmed = value.trim();
@@ -107,6 +141,14 @@ function optionalEncString(value: unknown): string | null {
return isValidEncString(value) ? value.trim() : null;
}
function shouldAcceptCipherKey(value: unknown): boolean {
return value == null || value === '' || isValidEncString(value);
}
function normalizeCipherKeyForStorage(value: unknown): string | null {
return optionalEncString(value);
}
function sanitizeEncryptedObject<T extends Record<string, any>>(
source: T | null | undefined,
encryptedKeys: readonly string[]
@@ -139,20 +181,78 @@ export function normalizeCipherLoginForStorage(login: any): any {
};
}
export function normalizeCipherLoginForCompatibility(login: any): any {
export function normalizeCipherLoginForCompatibility(
login: any,
requiresUriChecksum: boolean = false,
preserveRepairableUris: boolean = false
): any {
const normalized = normalizeCipherLoginForStorage(login);
if (!normalized || typeof normalized !== 'object') return normalized ?? null;
const next = sanitizeEncryptedObject(normalized, ['username', 'password', 'totp', 'uri']);
if (!next) return null;
next.uris = Array.isArray(next.uris)
? next.uris
.map((uri: any) => sanitizeEncryptedObject(uri, ['uri', 'uriChecksum']))
.filter((uri: any) => !!uri && (uri.uri || uri.uriChecksum || uri.match != null))
: null;
next.uris = normalizeCipherLoginUrisForCompatibility(next.uris, {
requiresUriChecksum,
preserveRepairableUris,
});
next.fido2Credentials = normalizeFido2CredentialsForCompatibility(next.fido2Credentials);
return next;
}
function normalizeCipherLoginUrisForCompatibility(
uris: any,
options: { requiresUriChecksum?: boolean; preserveRepairableUris?: boolean } = {}
): any[] | null {
if (!Array.isArray(uris) || uris.length === 0) return null;
const out: any[] = [];
for (const uri of uris) {
if (!uri || typeof uri !== 'object') continue;
const next = sanitizeEncryptedObject(uri, ['uri', 'uriChecksum']);
if (!next) continue;
const hasUri = isValidEncString(next.uri);
const hasChecksum = isValidEncString(next.uriChecksum);
const hasMatch = next.match != null;
if (hasUri && hasChecksum) {
out.push(next);
continue;
}
if (hasUri && !hasChecksum) {
if (options.preserveRepairableUris) {
// Preserve the encrypted URI so NodeWarden Web can decrypt it and repair
// the missing checksum. Dropping it here makes the URI appear lost and
// can turn a display-only compatibility issue into data loss on save.
out.push({ ...next, uriChecksum: null });
continue;
}
// Bitwarden browser clients using the SDK drop item-key encrypted URIs
// whose checksum is missing/invalid. User-key encrypted legacy/import
// entries bypass this validation and can safely keep the URI.
if (options.requiresUriChecksum) continue;
out.push({ ...next, uriChecksum: null });
continue;
}
if (hasChecksum || hasMatch) {
out.push(next);
}
}
return out.length ? out : null;
}
function hasMissingLoginUriChecksum(cipher: Cipher): boolean {
if (!cipher.key || !cipher.login || typeof cipher.login !== 'object') return false;
const uris = (cipher.login as any).uris;
if (!Array.isArray(uris)) return false;
return uris.some((uri: any) => {
if (!uri || typeof uri !== 'object') return false;
return isValidEncString(uri.uri) && !isValidEncString(uri.uriChecksum);
});
}
function normalizeFido2CredentialsForCompatibility(credentials: any): any[] | null {
if (!Array.isArray(credentials) || credentials.length === 0) return null;
const requiredEncryptedKeys = [
@@ -223,6 +323,14 @@ export function normalizeCipherSshKeyForCompatibility(sshKey: any): any {
};
}
function normalizeCipherSecureNoteForCompatibility(secureNote: any): CipherSecureNote | null {
if (!secureNote || typeof secureNote !== 'object') return null;
const type = Number(secureNote?.type ?? secureNote?.Type ?? 0);
return {
type: Number.isFinite(type) ? type : 0,
};
}
// Format attachments for API response
export function formatAttachments(attachments: Attachment[]): any[] | null {
if (attachments.length === 0) return null;
@@ -241,6 +349,196 @@ export function formatAttachments(attachments: Attachment[]): any[] | null {
return formatted.length ? formatted : null;
}
function formatAttachmentSize(bytes: number): string {
if (bytes < 1024) return `${bytes} Bytes`;
if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(2)} KB`;
if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
}
interface IncomingAttachmentMetadata {
id: string;
fileName?: unknown;
key?: unknown;
fileSize?: unknown;
hasFileName: boolean;
hasKey: boolean;
hasFileSize: boolean;
}
function readIncomingAttachmentMetadataMap(
value: unknown,
options: { legacyFileNameMap?: boolean } = {}
): IncomingAttachmentMetadata[] {
if (!value || typeof value !== 'object') return [];
const out: IncomingAttachmentMetadata[] = [];
if (Array.isArray(value)) {
for (const item of value) {
if (!item || typeof item !== 'object') continue;
const row = item as Record<string, unknown>;
const id = String(row.id ?? row.Id ?? '').trim();
if (!id) continue;
const fileName = getAliasedProp(row, ['fileName', 'FileName']);
const key = getAliasedProp(row, ['key', 'Key']);
const fileSize = getAliasedProp(row, ['fileSize', 'FileSize', 'size', 'Size']);
out.push({
id,
fileName: fileName.value,
key: key.value,
fileSize: fileSize.value,
hasFileName: fileName.present,
hasKey: key.present,
hasFileSize: fileSize.present,
});
}
return out;
}
for (const [rawId, rawValue] of Object.entries(value as Record<string, unknown>)) {
const id = String(rawId || '').trim();
if (!id) continue;
if (options.legacyFileNameMap && (typeof rawValue === 'string' || rawValue == null)) {
out.push({
id,
fileName: rawValue,
key: undefined,
fileSize: undefined,
hasFileName: rawValue != null,
hasKey: false,
hasFileSize: false,
});
continue;
}
if (!rawValue || typeof rawValue !== 'object') continue;
const row = rawValue as Record<string, unknown>;
const fileName = getAliasedProp(row, ['fileName', 'FileName']);
const key = getAliasedProp(row, ['key', 'Key']);
const fileSize = getAliasedProp(row, ['fileSize', 'FileSize', 'size', 'Size']);
out.push({
id,
fileName: fileName.value,
key: key.value,
fileSize: fileSize.value,
hasFileName: fileName.present,
hasKey: key.present,
hasFileSize: fileSize.present,
});
}
return out;
}
function readIncomingAttachmentMetadata(source: any): IncomingAttachmentMetadata[] {
const merged = new Map<string, IncomingAttachmentMetadata>();
const legacy = getAliasedProp(source, ['attachments', 'Attachments']);
const current = getAliasedProp(source, ['attachments2', 'Attachments2']);
if (legacy.present) {
for (const item of readIncomingAttachmentMetadataMap(legacy.value, { legacyFileNameMap: true })) {
merged.set(item.id, item);
}
}
if (current.present) {
for (const item of readIncomingAttachmentMetadataMap(current.value)) {
const previous = merged.get(item.id);
merged.set(item.id, {
id: item.id,
fileName: item.hasFileName ? item.fileName : previous?.fileName,
key: item.hasKey ? item.key : previous?.key,
fileSize: item.hasFileSize ? item.fileSize : previous?.fileSize,
hasFileName: item.hasFileName || previous?.hasFileName || false,
hasKey: item.hasKey || previous?.hasKey || false,
hasFileSize: item.hasFileSize || previous?.hasFileSize || false,
});
}
}
return [...merged.values()];
}
function hasIncomingAttachmentMetadata(source: any): boolean {
return readIncomingAttachmentMetadata(source).length > 0;
}
async function syncIncomingAttachmentMetadata(
storage: StorageService,
cipherId: string,
cipherData: any
): Promise<void> {
const incoming = readIncomingAttachmentMetadata(cipherData);
if (!incoming.length) return;
const currentById = new Map((await storage.getAttachmentsByCipher(cipherId)).map((attachment) => [attachment.id, attachment]));
for (const item of incoming) {
const attachment = currentById.get(item.id);
if (!attachment) continue;
let changed = false;
if (item.hasFileName) {
const fileName = String(item.fileName || '').trim();
if (isValidEncString(fileName) && fileName !== attachment.fileName) {
attachment.fileName = fileName;
changed = true;
}
}
if (item.hasKey) {
const key = optionalEncString(item.key);
if (key !== attachment.key) {
attachment.key = key;
changed = true;
}
}
if (item.hasFileSize) {
const size = Number(item.fileSize);
if (Number.isFinite(size) && size >= 0 && size !== Number(attachment.size || 0)) {
attachment.size = size;
attachment.sizeName = formatAttachmentSize(size);
changed = true;
}
}
if (changed) {
await storage.saveAttachment(attachment);
}
}
}
export function applyCipherEmbeddedAttachmentMetadata(cipherData: any, attachments: Attachment[]): Attachment[] {
const incoming = readIncomingAttachmentMetadata(cipherData);
if (!incoming.length || !attachments.length) return attachments;
const incomingById = new Map(incoming.map((item) => [item.id, item]));
return attachments.map((attachment) => {
const item = incomingById.get(attachment.id);
if (!item) return attachment;
const next: Attachment = { ...attachment };
if (item.hasFileName) {
const fileName = String(item.fileName || '').trim();
if (isValidEncString(fileName)) {
next.fileName = fileName;
}
}
if (item.hasKey) {
next.key = optionalEncString(item.key);
}
if (item.hasFileSize) {
const size = Number(item.fileSize);
if (Number.isFinite(size) && size >= 0) {
next.size = size;
next.sizeName = formatAttachmentSize(size);
}
}
return next;
});
}
function normalizeCipherFieldsForCompatibility(fields: any): any[] | null {
if (!Array.isArray(fields) || fields.length === 0) return null;
const out = fields
@@ -280,11 +578,17 @@ export function isCipherResponseSyncCompatible(cipher: CipherResponse): boolean
// survive a round-trip without code changes.
export function cipherToResponse(
cipher: Cipher,
attachments: Attachment[] = []
attachments: Attachment[] = [],
options: CipherResponseOptions = {}
): CipherResponse {
// Strip internal-only fields that must not appear in the API response
const { userId, createdAt, updatedAt, archivedAt, deletedAt, ...passthrough } = cipher;
const normalizedLogin = normalizeCipherLoginForCompatibility((passthrough as any).login ?? null);
const responseCipherKey = optionalEncString(cipher.key);
const normalizedLogin = normalizeCipherLoginForCompatibility(
(passthrough as any).login ?? null,
!!responseCipherKey,
!!options.preserveRepairableUris
);
const normalizedCard = sanitizeEncryptedObject((passthrough as any).card ?? null, ['cardholderName', 'brand', 'number', 'expMonth', 'expYear', 'code']);
const normalizedIdentity = sanitizeEncryptedObject((passthrough as any).identity ?? null, [
'title',
@@ -307,6 +611,10 @@ export function cipherToResponse(
'licenseNumber',
]);
const normalizedSshKey = normalizeCipherSshKeyForCompatibility((passthrough as any).sshKey ?? null);
const normalizedSecureNote = Number(cipher.type) === 2
? normalizeCipherSecureNoteForCompatibility((passthrough as any).secureNote ?? null) ?? { type: 0 }
: null;
const responseAttachments = applyCipherEmbeddedAttachmentMetadata(cipher, attachments);
return {
// Pass through ALL stored cipher fields (known + unknown)
@@ -328,16 +636,17 @@ export function cipherToResponse(
},
object: 'cipherDetails',
collectionIds: Array.isArray((passthrough as any).collectionIds) ? (passthrough as any).collectionIds : [],
attachments: formatAttachments(attachments),
attachments: formatAttachments(responseAttachments),
name: isValidEncString(cipher.name) ? cipher.name.trim() : cipher.name,
notes: optionalEncString(cipher.notes),
login: normalizedLogin,
card: normalizedCard,
identity: normalizedIdentity,
secureNote: normalizedSecureNote,
fields: normalizeCipherFieldsForCompatibility((passthrough as any).fields),
passwordHistory: normalizePasswordHistoryForCompatibility((passthrough as any).passwordHistory),
sshKey: normalizedSshKey,
key: optionalEncString(cipher.key),
key: responseCipherKey,
encryptedFor: (passthrough as any).encryptedFor ?? null,
};
}
@@ -373,10 +682,11 @@ export async function handleGetCiphers(request: Request, env: Env, userId: strin
);
// Build responses only for the current page to keep pagination cheap.
const responseOptions = cipherResponseOptionsForRequest(request);
const cipherResponses: CipherResponse[] = [];
for (const cipher of filteredCiphers) {
const attachments = attachmentsByCipher.get(cipher.id) || [];
cipherResponses.push(cipherToResponse(cipher, attachments));
cipherResponses.push(cipherToResponse(cipher, attachments, responseOptions));
}
return jsonResponse({
@@ -396,8 +706,9 @@ export async function handleGetCipher(request: Request, env: Env, userId: string
}
const attachments = await storage.getAttachmentsByCipher(cipher.id);
const responseOptions = cipherResponseOptionsForRequest(request);
return jsonResponse(
cipherToResponse(cipher, attachments)
cipherToResponse(cipher, attachments, responseOptions)
);
}
@@ -430,6 +741,10 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
const createSshKey = readCipherProp<CipherSshKey | null>(cipherData, ['sshKey', 'SshKey']);
const createPasswordHistory = readCipherProp<PasswordHistory[] | null>(cipherData, ['passwordHistory', 'PasswordHistory']);
if (createKey.present && !shouldAcceptCipherKey(createKey.value)) {
return errorResponse('Cipher key encryption is not supported by this server. Resync the client and try again.', 400);
}
const now = new Date().toISOString();
// Opaque passthrough: spread ALL client fields to preserve unknown/future ones,
// then override only server-controlled fields.
@@ -447,7 +762,7 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
deletedAt: null,
};
cipher.folderId = createFolderId.present ? normalizeOptionalId(createFolderId.value) : normalizeOptionalId(cipher.folderId);
cipher.key = createKey.present ? (createKey.value ?? null) : (cipher.key ?? null);
cipher.key = normalizeCipherKeyForStorage(createKey.present ? createKey.value : cipher.key);
cipher.login = createLogin.present ? (createLogin.value ?? null) : (cipher.login ?? null);
cipher.card = createCard.present ? (createCard.value ?? null) : (cipher.card ?? null);
cipher.identity = createIdentity.present ? (createIdentity.value ?? null) : (cipher.identity ?? null);
@@ -464,12 +779,17 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
if (!folderOk) return errorResponse('Folder not found', 404);
}
if (hasMissingLoginUriChecksum(cipher)) {
return errorResponse('Login URI checksum is required for item-key encrypted ciphers. Refresh NodeWarden and save the item again.', 400);
}
await storage.saveCipher(cipher);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
const responseOptions = cipherResponseOptionsForRequest(request);
return jsonResponse(
cipherToResponse(cipher, []),
cipherToResponse(cipher, [], responseOptions),
200
);
}
@@ -502,11 +822,20 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
const incomingSshKey = readCipherProp<CipherSshKey | null>(cipherData, ['sshKey', 'SshKey']);
const incomingPasswordHistory = readCipherProp<PasswordHistory[] | null>(cipherData, ['passwordHistory', 'PasswordHistory']);
const incomingRevisionDate = readCipherRevisionDate(cipherData);
const hasAttachmentMigrationMetadata = hasIncomingAttachmentMetadata(cipherData);
if (isStaleCipherUpdate(existingCipher.updatedAt, incomingRevisionDate)) {
if (incomingKey.present && !shouldAcceptCipherKey(incomingKey.value)) {
return errorResponse('Cipher key encryption is not supported by this server. Resync the client and try again.', 400);
}
if (!hasAttachmentMigrationMetadata && isStaleCipherUpdate(existingCipher.updatedAt, incomingRevisionDate)) {
return errorResponse('The client copy of this cipher is out of date. Resync the client and try again.', 400);
}
if (!shouldPreserveRepairableCipherUris(request) && incomingLogin.present && hasMissingLoginUriChecksum(existingCipher)) {
return errorResponse('This item has login URIs that must be repaired in NodeWarden Web before updating from this client. Open NodeWarden Web once, then resync.', 400);
}
const nextType = Number(cipherData.type) || existingCipher.type;
// Opaque passthrough: merge existing stored data with ALL incoming client fields.
@@ -529,7 +858,10 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
cipher.folderId = normalizeOptionalId(incomingFolderId.value);
}
if (incomingKey.present) {
cipher.key = incomingKey.value ?? null;
const normalizedIncomingKey = normalizeCipherKeyForStorage(incomingKey.value);
cipher.key = normalizedIncomingKey || normalizeCipherKeyForStorage(existingCipher.key);
} else {
cipher.key = normalizeCipherKeyForStorage(existingCipher.key);
}
cipher.login = nextType === 1 ? (incomingLogin.present ? (incomingLogin.value ?? null) : (existingCipher.login ?? null)) : null;
cipher.secureNote = nextType === 2 ? (incomingSecureNote.present ? (incomingSecureNote.value ?? null) : (existingCipher.secureNote ?? null)) : null;
@@ -558,13 +890,19 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
if (!folderOk) return errorResponse('Folder not found', 404);
}
if (hasMissingLoginUriChecksum(cipher)) {
return errorResponse('Login URI checksum is required for item-key encrypted ciphers. Refresh NodeWarden and save the item again.', 400);
}
await syncIncomingAttachmentMetadata(storage, cipher.id, cipherData);
await storage.saveCipher(cipher);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
const attachments = await storage.getAttachmentsByCipher(cipher.id);
const responseOptions = cipherResponseOptionsForRequest(request);
return jsonResponse(
cipherToResponse(cipher, attachments)
cipherToResponse(cipher, attachments, responseOptions)
);
}
@@ -584,9 +922,14 @@ export async function handleDeleteCipher(request: Request, env: Env, userId: str
await storage.saveCipher(cipher);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeCipherAudit(storage, request, userId, 'cipher.delete.soft', {
id: cipher.id,
type: cipher.type,
folderId: cipher.folderId ?? null,
});
return jsonResponse(
cipherToResponse(cipher, [])
cipherToResponse(cipher, [], cipherResponseOptionsForRequest(request))
);
}
@@ -608,6 +951,12 @@ export async function handleDeleteCipherCompat(request: Request, env: Env, userI
await storage.deleteCipher(id, userId);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeCipherAudit(storage, request, userId, 'cipher.delete.permanent', {
id,
type: cipher.type,
folderId: cipher.folderId ?? null,
compat: true,
});
return new Response(null, { status: 204 });
}
@@ -629,6 +978,11 @@ export async function handlePermanentDeleteCipher(request: Request, env: Env, us
await storage.deleteCipher(id, userId);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeCipherAudit(storage, request, userId, 'cipher.delete.permanent', {
id,
type: cipher.type,
folderId: cipher.folderId ?? null,
});
return new Response(null, { status: 204 });
}
@@ -650,7 +1004,7 @@ export async function handleRestoreCipher(request: Request, env: Env, userId: st
notifyVaultSyncForRequest(request, env, userId, revisionDate);
return jsonResponse(
cipherToResponse(cipher, [])
cipherToResponse(cipher, [], cipherResponseOptionsForRequest(request))
);
}
@@ -689,7 +1043,7 @@ export async function handlePartialUpdateCipher(request: Request, env: Env, user
notifyVaultSyncForRequest(request, env, userId, revisionDate);
return jsonResponse(
cipherToResponse(cipher, [])
cipherToResponse(cipher, [], cipherResponseOptionsForRequest(request))
);
}
@@ -733,7 +1087,7 @@ async function buildCipherListResponse(
return jsonResponse({
data: ciphers.map((cipher) =>
cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || [])
cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || [], cipherResponseOptionsForRequest(request))
),
object: 'list',
continuationToken: null,
@@ -766,7 +1120,7 @@ export async function handleArchiveCipher(request: Request, env: Env, userId: st
const attachments = await storage.getAttachmentsByCipher(cipher.id);
return jsonResponse(
cipherToResponse(cipher, attachments)
cipherToResponse(cipher, attachments, cipherResponseOptionsForRequest(request))
);
}
@@ -788,7 +1142,7 @@ export async function handleUnarchiveCipher(request: Request, env: Env, userId:
const attachments = await storage.getAttachmentsByCipher(cipher.id);
return jsonResponse(
cipherToResponse(cipher, attachments)
cipherToResponse(cipher, attachments, cipherResponseOptionsForRequest(request))
);
}
@@ -858,6 +1212,9 @@ export async function handleBulkDeleteCiphers(request: Request, env: Env, userId
const revisionDate = await storage.bulkSoftDeleteCiphers(body.ids, userId);
if (revisionDate) {
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeCipherAudit(storage, request, userId, 'cipher.delete.soft.bulk', {
count: body.ids.length,
});
}
return new Response(null, { status: 204 });
@@ -917,6 +1274,10 @@ export async function handleBulkPermanentDeleteCiphers(request: Request, env: En
const revisionDate = await storage.bulkDeleteCiphers(ownedIds, userId);
if (revisionDate) {
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeCipherAudit(storage, request, userId, 'cipher.delete.permanent.bulk', {
count: ownedIds.length,
requestedCount: ids.length,
});
}
return new Response(null, { status: 204 });
src/handlers/devices.ts
+93
View File
@@ -1,11 +1,15 @@
import type { Device, DevicePendingAuthRequest, DeviceResponse, ProtectedDeviceResponse as ProtectedDeviceWireResponse } from '../types';
import { Env } from '../types';
import { getOnlineUserDevices, notifyUserLogout } from '../durable/notifications-hub';
import { AuthService } from '../services/auth';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
import { StorageService } from '../services/storage';
import { errorResponse, jsonResponse } from '../utils/response';
import { readKnownDeviceProbe } from '../utils/device';
import { generateUUID } from '../utils/uuid';
const PERMANENT_TRUST_EXPIRES_AT_MS = Date.UTC(2099, 11, 31, 23, 59, 59);
function normalizeIdentifier(value: string | null | undefined): string {
return String(value || '').trim();
}
@@ -265,9 +269,50 @@ export async function handleRevokeTrustedDevice(
const storage = new StorageService(env.DB);
const removed = await storage.deleteTrustedTwoFactorTokensByDevice(userId, normalized);
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.trust.revoke',
category: 'device',
level: 'security',
targetType: 'device',
targetId: normalized,
metadata: { removed, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: true, removed });
}
// POST /api/devices/authorized/:deviceIdentifier/permanent
// Upgrades an existing active 2FA remember-token record to permanent trust.
export async function handleTrustDevicePermanently(
request: Request,
env: Env,
userId: string,
deviceIdentifier: string
): Promise<Response> {
void request;
const normalized = String(deviceIdentifier || '').trim();
if (!normalized) return errorResponse('Invalid device identifier', 400);
const storage = new StorageService(env.DB);
const updated = await storage.updateTrustedTwoFactorTokensExpiryByDevice(userId, normalized, PERMANENT_TRUST_EXPIRES_AT_MS);
if (!updated) return errorResponse('Device is not currently trusted', 409);
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.trust.permanent',
category: 'device',
level: 'security',
targetType: 'device',
targetId: normalized,
metadata: { updated, ...auditRequestMetadata(request) },
});
return jsonResponse({
success: true,
updated,
trustedUntil: new Date(PERMANENT_TRUST_EXPIRES_AT_MS).toISOString(),
});
}
// DELETE /api/devices/:deviceIdentifier
export async function handleDeleteDevice(
request: Request,
@@ -284,8 +329,18 @@ export async function handleDeleteDevice(
await storage.deleteRefreshTokensByDevice(userId, normalized);
const deleted = await storage.deleteDevice(userId, normalized);
if (deleted) {
AuthService.invalidateDeviceCache(userId, normalized);
notifyUserLogout(env, userId, normalized);
}
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.delete',
category: 'device',
level: 'security',
targetType: 'device',
targetId: normalized,
metadata: { deleted, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: deleted });
}
@@ -309,6 +364,15 @@ export async function handleUpdateDeviceName(
const device = await storage.getDevice(userId, normalized);
if (!device) return errorResponse('Device not found', 404);
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.name.update',
category: 'device',
level: 'info',
targetType: 'device',
targetId: normalized,
metadata: { name, ...auditRequestMetadata(request) },
});
return jsonResponse(buildDeviceResponse(device));
}
@@ -327,7 +391,17 @@ export async function handleDeleteAllDevices(request: Request, env: Env, userId:
user.securityStamp = generateUUID();
user.updatedAt = new Date().toISOString();
await storage.saveUser(user);
AuthService.invalidateUserCache(userId);
notifyUserLogout(env, userId, null);
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.delete_all',
category: 'device',
level: 'security',
targetType: 'user',
targetId: userId,
metadata: { removedTrusted, removedSessions, removedDevices, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: true, removedTrusted, removedSessions: removedSessions ?? 0, removedDevices });
}
@@ -419,6 +493,15 @@ export async function handleUntrustDevices(
if (!deviceIdentifier) continue;
await storage.deleteTrustedTwoFactorTokensByDevice(userId, deviceIdentifier);
}
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.trust.revoke_batch',
category: 'device',
level: 'security',
targetType: 'user',
targetId: userId,
metadata: { requested: devices.length, removed, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: true, removed });
}
@@ -458,8 +541,18 @@ export async function handleDeactivateDevice(
await storage.deleteRefreshTokensByDevice(userId, normalized);
const deleted = await storage.deleteDevice(userId, normalized);
if (deleted) {
AuthService.invalidateDeviceCache(userId, normalized);
notifyUserLogout(env, userId, normalized);
}
await writeAuditEvent(storage, {
actorUserId: userId,
action: 'device.deactivate',
category: 'device',
level: 'security',
targetType: 'device',
targetId: normalized,
metadata: { deleted, ...auditRequestMetadata(request) },
});
return jsonResponse({ success: deleted });
}
src/handlers/folders.ts
+28
View File
@@ -5,6 +5,7 @@ import { jsonResponse, errorResponse } from '../utils/response';
import { readActingDeviceIdentifier } from '../utils/device';
import { generateUUID } from '../utils/uuid';
import { parsePagination, encodeContinuationToken } from '../utils/pagination';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
function notifyVaultSyncForRequest(
request: Request,
@@ -15,6 +16,27 @@ function notifyVaultSyncForRequest(
notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
}
async function writeFolderAudit(
storage: StorageService,
request: Request,
userId: string,
action: string,
metadata: Record<string, unknown>
): Promise<void> {
await writeAuditEvent(storage, {
actorUserId: userId,
action,
category: 'data',
level: action.includes('delete') ? 'security' : 'info',
targetType: 'folder',
targetId: typeof metadata.id === 'string' ? metadata.id : null,
metadata: {
...metadata,
...auditRequestMetadata(request),
},
});
}
// Convert internal folder to API response format
function folderToResponse(folder: Folder): FolderResponse {
return {
@@ -134,6 +156,9 @@ export async function handleDeleteFolder(request: Request, env: Env, userId: str
await storage.deleteFolder(id, userId);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeFolderAudit(storage, request, userId, 'folder.delete', {
id,
});
return new Response(null, { status: 204 });
}
@@ -157,6 +182,9 @@ export async function handleBulkDeleteFolders(request: Request, env: Env, userId
const revisionDate = await storage.bulkDeleteFolders(ids, userId);
if (revisionDate) {
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeFolderAudit(storage, request, userId, 'folder.delete.bulk', {
count: ids.length,
});
}
return new Response(null, { status: 204 });
src/handlers/identity.ts
+114 -12
View File
@@ -14,6 +14,7 @@ import {
buildAccountKeys,
buildUserDecryptionOptions,
} from '../utils/user-decryption';
import { auditRequestMetadata, safeWriteAuditEvent } from '../services/audit-events';
const TWO_FACTOR_REMEMBER_TTL_MS = 30 * 24 * 60 * 60 * 1000;
const TWO_FACTOR_PROVIDER_AUTHENTICATOR = 0;
@@ -32,6 +33,17 @@ function resolveTotpSecret(userSecret: string | null): string | null {
return null;
}
async function resolveDeviceSession(
storage: StorageService,
userId: string,
deviceInfo: ReturnType<typeof readAuthRequestDeviceInfo>
): Promise<{ identifier: string; sessionStamp: string } | null> {
if (!deviceInfo.deviceIdentifier) return null;
const existingDevice = await storage.getDevice(userId, deviceInfo.deviceIdentifier);
const sessionStamp = String(existingDevice?.sessionStamp || '').trim() || generateUUID();
return { identifier: deviceInfo.deviceIdentifier, sessionStamp };
}
function shouldUseWebSession(request: Request): boolean {
return String(request.headers.get('X-NodeWarden-Web-Session') || '').trim() === '1';
}
@@ -215,7 +227,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
const twoFactorToken = body.twoFactorToken;
const twoFactorProvider = body.twoFactorProvider;
const twoFactorRemember = body.twoFactorRemember;
const loginIdentifier = `${clientIdentifier}:${email}`;
const loginIdentifier = clientIdentifier;
const deviceInfo = readAuthRequestDeviceInfo(body, request);
if (!email || !passwordHash) {
@@ -240,11 +252,37 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
}
if (user.status !== 'active') {
await rateLimit.recordFailedLogin(loginIdentifier);
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'auth.login.failed.user_inactive',
category: 'auth',
level: 'warn',
targetType: 'user',
targetId: user.id,
metadata: {
grantType,
deviceIdentifier: deviceInfo.deviceIdentifier,
...auditRequestMetadata(request),
},
});
return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
}
const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
if (!valid) {
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'auth.login.failed.bad_password',
category: 'auth',
level: 'warn',
targetType: 'user',
targetId: user.id,
metadata: {
grantType,
deviceIdentifier: deviceInfo.deviceIdentifier,
...auditRequestMetadata(request),
},
});
return recordFailedLoginAndBuildResponse(
rateLimit,
loginIdentifier,
@@ -320,10 +358,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
}
// Persist device only after successful password + (optional) 2FA verification.
const deviceSession =
deviceInfo.deviceIdentifier
? { identifier: deviceInfo.deviceIdentifier, sessionStamp: generateUUID() }
: null;
const deviceSession = await resolveDeviceSession(storage, user.id, deviceInfo);
if (deviceSession) {
await storage.upsertDevice(
user.id,
@@ -341,6 +376,21 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
const accountKeys = buildAccountKeys(user);
const userDecryptionOptions = buildUserDecryptionOptions(user);
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'auth.login.success',
category: 'auth',
level: 'info',
targetType: 'user',
targetId: user.id,
metadata: {
grantType,
webSession: shouldUseWebSession(request),
deviceIdentifier: deviceSession?.identifier ?? deviceInfo.deviceIdentifier,
deviceType: deviceInfo.deviceType,
...auditRequestMetadata(request),
},
});
const response: TokenResponse = {
access_token: accessToken,
@@ -380,7 +430,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
const scope = body.scope;
const deviceInfo = readAuthRequestDeviceInfo(body, request);
const loginIdentifier = `${clientIdentifier}:${clientId}`;
const loginIdentifier = clientIdentifier;
const parmValid = checkClientCredentialsParam(clientId, clientSecret, scope);
if (!parmValid) {
return identityErrorResponse('Parameter error', 'invalid_request', 400);
@@ -404,19 +454,42 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
}
if (user.status !== 'active') {
await rateLimit.recordFailedLogin(loginIdentifier);
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'auth.login.failed.user_inactive',
category: 'auth',
level: 'warn',
targetType: 'user',
targetId: user.id,
metadata: {
grantType,
deviceIdentifier: deviceInfo.deviceIdentifier,
...auditRequestMetadata(request),
},
});
return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
}
if (!user.apiKey || !constantTimeEquals(clientSecret, user.apiKey)) {
await rateLimit.recordFailedLogin(loginIdentifier);
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'auth.login.failed.bad_api_key',
category: 'auth',
level: 'warn',
targetType: 'user',
targetId: user.id,
metadata: {
grantType,
deviceIdentifier: deviceInfo.deviceIdentifier,
...auditRequestMetadata(request),
},
});
return identityErrorResponse('ClientId or clientSecret is incorrect. Try again', 'invalid_grant', 400);
}
// Persist device only after successful client credential verification.
const deviceSession =
deviceInfo.deviceIdentifier
? { identifier: deviceInfo.deviceIdentifier, sessionStamp: generateUUID() }
: null;
const deviceSession = await resolveDeviceSession(storage, user.id, deviceInfo);
if (deviceSession) {
await storage.upsertDevice(
user.id,
@@ -434,6 +507,21 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
const accountKeys = buildAccountKeys(user);
const userDecryptionOptions = buildUserDecryptionOptions(user);
await safeWriteAuditEvent(env, {
actorUserId: user.id,
action: 'auth.login.success',
category: 'auth',
level: 'info',
targetType: 'user',
targetId: user.id,
metadata: {
grantType,
webSession: shouldUseWebSession(request),
deviceIdentifier: deviceSession?.identifier ?? deviceInfo.deviceIdentifier,
deviceType: deviceInfo.deviceType,
...auditRequestMetadata(request),
},
});
const response: TokenResponse = {
access_token: accessToken,
@@ -538,8 +626,22 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
return identityErrorResponse('Refresh token is required', 'invalid_request', 400);
}
const result = await auth.refreshAccessToken(refreshToken);
if (!result) {
const result = await auth.refreshAccessTokenDetailed(refreshToken);
if (!result.ok) {
await safeWriteAuditEvent(env, {
actorUserId: result.userId ?? null,
action: `auth.refresh.failed.${result.reason}`,
category: 'auth',
level: 'warn',
targetType: result.deviceIdentifier ? 'device' : 'refreshToken',
targetId: result.deviceIdentifier ?? null,
metadata: {
grantType,
reason: result.reason,
webSession: shouldUseWebSession(request),
...auditRequestMetadata(request),
},
});
const invalidResponse = identityErrorResponse('Invalid refresh token', 'invalid_grant', 400);
return shouldUseWebSession(request)
? withWebRefreshCookie(request, invalidResponse, null)
src/handlers/import.ts
+2 -2
View File
@@ -19,7 +19,7 @@ interface CiphersImportRequest {
sshKey?: any | null;
key?: string | null;
login?: {
uris?: Array<{ uri: string | null; match?: number | null }> | null;
uris?: Array<{ uri: string | null; uriChecksum?: string | null; match?: number | null }> | null;
username?: string | null;
password?: string | null;
totp?: string | null;
@@ -195,7 +195,7 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
uris: login.uris?.map((u: any) => ({
...u,
uri: u.uri ?? null,
uriChecksum: null,
uriChecksum: u.uriChecksum ?? null,
match: u.match ?? null,
})) || null,
totp: login.totp ?? null,
src/handlers/sends-private.ts
+38 -3
View File
@@ -29,6 +29,28 @@ import {
setSendPassword,
validateDeletionDate,
} from './sends-shared';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
async function writeSendAudit(
storage: StorageService,
request: Request,
userId: string,
action: string,
metadata: Record<string, unknown>
): Promise<void> {
await writeAuditEvent(storage, {
actorUserId: userId,
action,
category: 'data',
level: action.includes('delete') ? 'security' : 'info',
targetType: 'send',
targetId: typeof metadata.id === 'string' ? metadata.id : null,
metadata: {
...metadata,
...auditRequestMetadata(request),
},
});
}
async function processSendFileUpload(
request: Request,
@@ -602,7 +624,6 @@ export async function handleUpdateSend(request: Request, env: Env, userId: strin
}
export async function handleDeleteSend(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
void request;
const storage = new StorageService(env.DB);
const send = await storage.getSend(sendId);
if (!send || send.userId !== userId) {
@@ -620,6 +641,10 @@ export async function handleDeleteSend(request: Request, env: Env, userId: strin
await storage.deleteSend(sendId, userId);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeSendAudit(storage, request, userId, 'send.delete', {
id: sendId,
type: send.type,
});
return new Response(null, { status: 200 });
}
@@ -651,13 +676,16 @@ export async function handleBulkDeleteSends(request: Request, env: Env, userId:
const revisionDate = await storage.bulkDeleteSends(body.ids, userId);
if (revisionDate) {
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeSendAudit(storage, request, userId, 'send.delete.bulk', {
count: sends.length,
requestedCount: body.ids.length,
});
}
return new Response(null, { status: 200 });
}
export async function handleRemoveSendPassword(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
void request;
const storage = new StorageService(env.DB);
const send = await storage.getSend(sendId);
if (!send || send.userId !== userId) {
@@ -669,12 +697,15 @@ export async function handleRemoveSendPassword(request: Request, env: Env, userI
await storage.saveSend(send);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeSendAudit(storage, request, userId, 'send.password.remove', {
id: send.id,
type: send.type,
});
return jsonResponse(sendToResponse(send));
}
export async function handleRemoveSendAuth(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
void request;
const storage = new StorageService(env.DB);
const send = await storage.getSend(sendId);
if (!send || send.userId !== userId) {
@@ -687,6 +718,10 @@ export async function handleRemoveSendAuth(request: Request, env: Env, userId: s
await storage.saveSend(send);
const revisionDate = await storage.updateRevisionDate(userId);
notifyVaultSyncForRequest(request, env, userId, revisionDate);
await writeSendAudit(storage, request, userId, 'send.auth.remove', {
id: send.id,
type: send.type,
});
return jsonResponse(sendToResponse(send));
}
src/handlers/sync.ts
+13 -5
View File
@@ -1,7 +1,7 @@
import { Env, SyncResponse, CipherResponse, FolderResponse, ProfileResponse } from '../types';
import { StorageService } from '../services/storage';
import { errorResponse } from '../utils/response';
import { cipherToResponse, isCipherResponseSyncCompatible } from './ciphers';
import { cipherToResponse, isCipherResponseSyncCompatible, shouldPreserveRepairableCipherUris } from './ciphers';
import { sendToResponse } from './sends';
import { LIMITS } from '../config/limits';
import {
@@ -16,10 +16,17 @@ import { buildDomainsResponse } from '../services/domain-rules';
// Filtering invalid cipher responses here protects clients from stored rows that
// would otherwise make official apps fail after an HTTP 200 sync.
// Keep this aligned with src/handlers/ciphers.ts when adding new vault fields.
function buildSyncCacheRequest(request: Request, userId: string, revisionDate: string, excludeDomains: boolean, excludeSends: boolean): Request {
function buildSyncCacheRequest(
request: Request,
userId: string,
revisionDate: string,
excludeDomains: boolean,
excludeSends: boolean,
preserveRepairableUris: boolean
): Request {
const url = new URL(request.url);
const cacheUrl = new URL(
`/__nodewarden/cache/sync/${encodeURIComponent(userId)}/${encodeURIComponent(revisionDate)}/${excludeDomains ? '1' : '0'}/${excludeSends ? '1' : '0'}`,
`/__nodewarden/cache/sync/${encodeURIComponent(userId)}/${encodeURIComponent(revisionDate)}/${excludeDomains ? '1' : '0'}/${excludeSends ? '1' : '0'}/${preserveRepairableUris ? '1' : '0'}`,
url.origin
);
return new Request(cacheUrl.toString(), { method: 'GET' });
@@ -43,6 +50,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
const excludeDomains = excludeDomainsParam !== null && /^(1|true|yes)$/i.test(excludeDomainsParam);
const excludeSendsParam = url.searchParams.get('excludeSends');
const excludeSends = excludeSendsParam !== null && /^(1|true|yes)$/i.test(excludeSendsParam);
const preserveRepairableUris = shouldPreserveRepairableCipherUris(request);
const user = await storage.getUserById(userId);
if (!user) {
@@ -50,7 +58,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
}
const revisionDate = await storage.getRevisionDate(userId);
const cacheRequest = buildSyncCacheRequest(request, userId, revisionDate, excludeDomains, excludeSends);
const cacheRequest = buildSyncCacheRequest(request, userId, revisionDate, excludeDomains, excludeSends, preserveRepairableUris);
const cachedResponse = await readSyncCache(cacheRequest);
if (cachedResponse) {
return cachedResponse;
@@ -93,7 +101,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
const cipherResponses: CipherResponse[] = [];
for (const cipher of ciphers) {
const response = cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || []);
const response = cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || [], { preserveRepairableUris });
if (isCipherResponseSyncCompatible(response)) {
cipherResponses.push(response);
}
src/index.ts
+2
View File
@@ -1,5 +1,6 @@
import { Env } from './types';
import { NotificationsHub } from './durable/notifications-hub';
import { BackupTransferRunner } from './durable/backup-transfer-runner';
import { handleRequest } from './router';
import { StorageService } from './services/storage';
import { applyCors, jsonResponse } from './utils/response';
@@ -127,3 +128,4 @@ export default {
};
export { NotificationsHub };
export { BackupTransferRunner };
src/router-admin.ts
+18
View File
@@ -7,6 +7,10 @@ import {
handleAdminRevokeInvite,
handleAdminSetUserStatus,
handleAdminDeleteUser,
handleAdminListAuditLogs,
handleAdminGetAuditLogSettings,
handleAdminUpdateAuditLogSettings,
handleAdminClearAuditLogs,
} from './handlers/admin';
import { handleAdminBackupRoute } from './router-admin-backup';
@@ -21,6 +25,20 @@ export async function handleAdminRoute(
return handleAdminListUsers(request, env, actorUser);
}
if (path === '/api/admin/logs' && method === 'GET') {
return handleAdminListAuditLogs(request, env, actorUser);
}
if (path === '/api/admin/logs' && method === 'DELETE') {
return handleAdminClearAuditLogs(request, env, actorUser);
}
if (path === '/api/admin/logs/settings') {
if (method === 'GET') return handleAdminGetAuditLogSettings(request, env, actorUser);
if (method === 'PUT' || method === 'POST') return handleAdminUpdateAuditLogSettings(request, env, actorUser);
return null;
}
const adminBackupResponse = await handleAdminBackupRoute(request, env, actorUser, path, method);
if (adminBackupResponse) return adminBackupResponse;
src/router-devices.ts
+7
View File
@@ -11,6 +11,7 @@ import {
handleDeactivateDevice,
handleRevokeAllTrustedDevices,
handleRevokeTrustedDevice,
handleTrustDevicePermanently,
handleDeleteAllDevices,
handleDeleteDevice,
handleUpdateDeviceName,
@@ -44,6 +45,12 @@ export async function handleAuthenticatedDeviceRoute(
return handleRevokeTrustedDevice(request, env, userId, deviceIdentifier);
}
const permanentAuthorizedDeviceMatch = path.match(/^\/api\/devices\/authorized\/([^/]+)\/permanent$/i);
if (permanentAuthorizedDeviceMatch && method === 'POST') {
const deviceIdentifier = decodeURIComponent(permanentAuthorizedDeviceMatch[1]);
return handleTrustDevicePermanently(request, env, userId, deviceIdentifier);
}
const deleteDeviceMatch = path.match(/^\/api\/devices\/([^/]+)$/i);
if (deleteDeviceMatch && method === 'GET') {
const deviceIdentifier = decodeURIComponent(deleteDeviceMatch[1]);
src/router-public.ts
+63 -11
View File
@@ -115,7 +115,7 @@ function buildConfigResponse(origin: string) {
_icon_service_url: buildIconServiceTemplate(origin),
_icon_service_csp: buildIconServiceCsp(origin),
featureStates: {
'cipher-key-encryption': true,
'cipher-key-encryption': LIMITS.compatibility.cipherKeyEncryptionFeatureEnabled,
'duo-redirect': true,
'email-verification': true,
'pm-19051-send-email-verification': false,
@@ -144,6 +144,7 @@ function normalizeIconHost(rawHost: string): string | null {
}
const ICON_UPSTREAM_TIMEOUT_MS = 2500;
const ICON_MAX_BUFFER_BYTES = 256 * 1024;
const BITWARDEN_DEFAULT_GLOBE_ICON_BYTES = 500;
const BITWARDEN_DEFAULT_GLOBE_ICON_SHA256 = 'aaa64871332ad5b7d28fe8874efb19c2d9cc2f1e6de75d52b080b438225a0783';
@@ -179,6 +180,55 @@ async function sha256Hex(bytes: ArrayBuffer): Promise<string> {
return Array.from(new Uint8Array(digest), (byte) => byte.toString(16).padStart(2, '0')).join('');
}
function getPositiveContentLength(headers: Headers): number | null {
const raw = headers.get('Content-Length');
if (!raw) return null;
const value = Number(raw);
return Number.isFinite(value) && value > 0 ? value : null;
}
async function readIconBytes(response: Response, maxBytes: number): Promise<ArrayBuffer | null> {
if (!response.body) return null;
const reader = response.body.getReader();
const chunks: Uint8Array[] = [];
let totalBytes = 0;
let timedOut = false;
const timeout = setTimeout(() => {
timedOut = true;
void reader.cancel().catch(() => undefined);
}, ICON_UPSTREAM_TIMEOUT_MS);
try {
while (true) {
const { done, value } = await reader.read();
if (done) break;
if (!value) continue;
totalBytes += value.byteLength;
if (totalBytes > maxBytes) {
await reader.cancel().catch(() => undefined);
return null;
}
chunks.push(value);
}
} catch {
return null;
} finally {
clearTimeout(timeout);
}
if (timedOut || totalBytes === 0) return null;
const output = new ArrayBuffer(totalBytes);
const bytes = new Uint8Array(output);
let offset = 0;
for (const chunk of chunks) {
bytes.set(chunk, offset);
offset += chunk.byteLength;
}
return output;
}
function iconResponse(body: BodyInit | null, contentType: string | null): Response {
return new Response(body, {
status: 200,
@@ -218,19 +268,19 @@ async function handleWebsiteIcon(host: string, fallbackMode: 'default' | 'not-fo
const contentType = String(resp.headers.get('Content-Type') || '').toLowerCase();
if (!contentType.startsWith('image/')) continue;
if (!source.rejectImage) {
return iconResponse(resp.body, resp.headers.get('Content-Type'));
}
const contentLength = getPositiveContentLength(resp.headers);
if (contentLength !== null && contentLength > ICON_MAX_BUFFER_BYTES) continue;
const contentLength = Number(resp.headers.get('Content-Length') || '');
if (Number.isFinite(contentLength) && contentLength > 0 && contentLength !== source.rejectImage.byteLength) {
return iconResponse(resp.body, resp.headers.get('Content-Type'));
const bytes = await readIconBytes(resp, ICON_MAX_BUFFER_BYTES);
if (!bytes) continue;
if (
source.rejectImage &&
bytes.byteLength === source.rejectImage.byteLength &&
(await sha256Hex(bytes)) === source.rejectImage.sha256
) {
continue;
}
const bytes = await resp.arrayBuffer();
if (bytes.byteLength === 0) continue;
if (bytes.byteLength === source.rejectImage.byteLength && (await sha256Hex(bytes)) === source.rejectImage.sha256) continue;
return iconResponse(bytes, resp.headers.get('Content-Type'));
} catch {
continue;
@@ -286,6 +336,8 @@ export async function handlePublicRoute(
const iconMatch = path.match(/^\/icons\/([^/]+)\/icon\.png$/i);
if (iconMatch && method === 'GET') {
const blocked = await enforcePublicRateLimit('public-icon', LIMITS.rateLimit.publicIconRequestsPerMinute);
if (blocked) return blocked;
const fallbackMode = new URL(request.url).searchParams.get('fallback') === '404' ? 'not-found' : 'default';
return handleWebsiteIcon(iconMatch[1], fallbackMode);
}
src/services/audit-events.ts
+209
View File
@@ -0,0 +1,209 @@
import type { Env } from '../types';
import { generateUUID } from '../utils/uuid';
import { StorageService } from './storage';
export type AuditLogCategory = 'auth' | 'security' | 'device' | 'data' | 'system';
export type AuditLogLevel = 'info' | 'warn' | 'error' | 'security';
export interface AuditEventInput {
actorUserId?: string | null;
action: string;
category: AuditLogCategory;
level?: AuditLogLevel;
targetType?: string | null;
targetId?: string | null;
metadata?: Record<string, unknown> | null;
}
const SENSITIVE_KEY_RE = /(token|secret|password|key|hash|code|private)/i;
const MAX_METADATA_BYTES = 2048;
const AUDIT_CLEANUP_INTERVAL_MS = 6 * 60 * 60 * 1000;
const AUDIT_CLEANUP_PROBABILITY = 0.02;
const AUDIT_LOG_SETTINGS_KEY = 'audit.logs.settings.v1';
const DEFAULT_AUDIT_LOG_SETTINGS: AuditLogSettings = {
retentionDays: 90,
maxEntries: null,
};
let lastAuditCleanupAt = 0;
export interface AuditLogSettings {
retentionDays: number | null;
maxEntries: number | null;
}
const ALLOWED_METADATA_KEYS = new Set([
'method',
'path',
'ip',
'userAgent',
'email',
'targetEmail',
'grantType',
'webSession',
'deviceIdentifier',
'deviceType',
'reason',
'status',
'verifyDevices',
'changed',
'removed',
'updated',
'deleted',
'removedTrusted',
'removedSessions',
'removedDevices',
'requested',
'count',
'requestedCount',
'type',
'folderId',
'cipherId',
'size',
'users',
'ciphers',
'attachments',
'skippedAttachments',
'skippedReason',
'replaceExisting',
'provider',
'fileName',
'fileBytes',
'bytes',
'compressedBytes',
'includesAttachments',
'destinationName',
'destinationId',
'destinationType',
'destinationCount',
'scheduledDestinationCount',
'retentionDays',
'maxEntries',
'remotePath',
'trigger',
'prunedFileCount',
'pruneError',
'uploadVerificationAttempts',
'error',
'expiresInHours',
'checksumMismatchAccepted',
]);
function normalizePositiveInteger(value: unknown, allowed: readonly number[]): number | null {
if (value === null || value === 0 || value === '0' || value === 'forever' || value === 'unlimited') return null;
const parsed = Math.floor(Number(value));
return allowed.includes(parsed) ? parsed : null;
}
export function normalizeAuditLogSettings(value: unknown): AuditLogSettings {
const input = value && typeof value === 'object' ? value as Record<string, unknown> : {};
const retentionDays = normalizePositiveInteger(input.retentionDays, [7, 30, 90, 180, 365]);
const maxEntries = normalizePositiveInteger(input.maxEntries, [1_000, 5_000, 10_000, 50_000]);
if (retentionDays) return { retentionDays, maxEntries: null };
if (maxEntries) return { retentionDays: null, maxEntries };
if (input.retentionDays === null || input.retentionDays === 0 || input.retentionDays === '0') {
return { retentionDays: null, maxEntries: null };
}
if (input.maxEntries === null || input.maxEntries === 0 || input.maxEntries === '0') {
return { retentionDays: null, maxEntries: null };
}
return {
...DEFAULT_AUDIT_LOG_SETTINGS,
};
}
export function auditRequestMetadata(request: Request): Record<string, unknown> {
const url = new URL(request.url);
return {
method: request.method,
path: url.pathname,
ip: request.headers.get('CF-Connecting-IP') || request.headers.get('X-Forwarded-For') || null,
userAgent: request.headers.get('User-Agent') || null,
};
}
function sanitizeMetadata(metadata: Record<string, unknown>): Record<string, unknown> {
const clean: Record<string, unknown> = {};
for (const [key, value] of Object.entries(metadata)) {
if (!ALLOWED_METADATA_KEYS.has(key)) continue;
if (value === undefined || value === null || value === '') continue;
if (SENSITIVE_KEY_RE.test(key)) continue;
if (Array.isArray(value)) {
clean[key] = value.length;
continue;
}
if (typeof value === 'object') continue;
clean[key] = value;
}
return clean;
}
export async function getAuditLogSettings(storage: StorageService): Promise<AuditLogSettings> {
const raw = await storage.getConfigValue(AUDIT_LOG_SETTINGS_KEY);
if (!raw) return { ...DEFAULT_AUDIT_LOG_SETTINGS };
try {
return normalizeAuditLogSettings(JSON.parse(raw));
} catch {
return { ...DEFAULT_AUDIT_LOG_SETTINGS };
}
}
export async function saveAuditLogSettings(storage: StorageService, settings: AuditLogSettings): Promise<AuditLogSettings> {
const normalized = normalizeAuditLogSettings(settings);
await storage.setConfigValue(AUDIT_LOG_SETTINGS_KEY, JSON.stringify(normalized));
await applyAuditLogRetention(storage, normalized);
return normalized;
}
export async function applyAuditLogRetention(storage: StorageService, settings?: AuditLogSettings): Promise<void> {
const current = settings || await getAuditLogSettings(storage);
if (current.retentionDays) {
const before = new Date(Date.now() - current.retentionDays * 24 * 60 * 60 * 1000).toISOString();
await storage.pruneAuditLogs(before);
}
if (current.maxEntries) {
await storage.pruneAuditLogsToMax(current.maxEntries);
}
}
async function maybePruneAuditLogs(storage: StorageService): Promise<void> {
const now = Date.now();
if (now - lastAuditCleanupAt < AUDIT_CLEANUP_INTERVAL_MS) return;
if (Math.random() > AUDIT_CLEANUP_PROBABILITY) return;
lastAuditCleanupAt = now;
await applyAuditLogRetention(storage);
}
async function insertAuditEvent(storage: StorageService, event: AuditEventInput): Promise<void> {
const metadata = sanitizeMetadata(event.metadata || {});
let metadataJson = JSON.stringify(metadata);
if (new TextEncoder().encode(metadataJson).byteLength > MAX_METADATA_BYTES) {
metadataJson = JSON.stringify({ truncated: true });
}
await storage.createAuditLog({
id: generateUUID(),
actorUserId: event.actorUserId ?? null,
action: event.action,
category: event.category,
level: event.level || 'info',
targetType: event.targetType ?? null,
targetId: event.targetId ?? null,
metadata: metadataJson,
createdAt: new Date().toISOString(),
});
await maybePruneAuditLogs(storage);
}
export async function writeAuditEvent(storage: StorageService, event: AuditEventInput): Promise<void> {
try {
await insertAuditEvent(storage, event);
} catch (error) {
console.error('audit log write failed', error);
}
}
export async function safeWriteAuditEvent(env: Env, event: AuditEventInput): Promise<void> {
await writeAuditEvent(new StorageService(env.DB), event);
}
src/services/auth.ts
+66 -22
View File
@@ -6,6 +6,7 @@ import { StorageService } from './storage';
// The client already does heavy PBKDF2 (600k iterations).
// This second layer only needs to be non-trivial, not expensive.
const SERVER_HASH_ITERATIONS = 100_000;
const SERVER_HASH_PREFIX = '$s$';
const AUTH_CONTEXT_CACHE_TTL_MS = 15 * 1000;
interface CachedUserEntry {
@@ -23,6 +24,22 @@ export interface VerifiedAccessContext {
user: User;
}
export type RefreshAccessTokenFailureReason =
| 'token_not_found_or_expired'
| 'user_missing'
| 'user_inactive'
| 'device_missing'
| 'device_session_mismatch';
export type RefreshAccessTokenResult =
| { ok: true; accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null }
| {
ok: false;
reason: RefreshAccessTokenFailureReason;
userId?: string | null;
deviceIdentifier?: string | null;
};
export class AuthService {
private storage: StorageService;
private static userCache = new Map<string, CachedUserEntry>();
@@ -32,6 +49,25 @@ export class AuthService {
this.storage = new StorageService(env.DB);
}
static invalidateUserCache(userId: string): void {
const normalizedUserId = String(userId || '').trim();
if (!normalizedUserId) return;
AuthService.userCache.delete(normalizedUserId);
const prefix = `${normalizedUserId}:`;
for (const key of AuthService.deviceCache.keys()) {
if (key.startsWith(prefix)) {
AuthService.deviceCache.delete(key);
}
}
}
static invalidateDeviceCache(userId: string, deviceId: string): void {
const normalizedUserId = String(userId || '').trim();
const normalizedDeviceId = String(deviceId || '').trim();
if (!normalizedUserId || !normalizedDeviceId) return;
AuthService.deviceCache.delete(`${normalizedUserId}:${normalizedDeviceId}`);
}
private readCachedUser(userId: string): User | null | undefined {
const cached = AuthService.userCache.get(userId);
if (!cached) return undefined;
@@ -98,7 +134,7 @@ export class AuthService {
// Second-layer hash: PBKDF2-SHA256(clientHash, email-salt, iterations).
// Ensures database contents alone cannot be used to authenticate (pass-the-hash defense).
// Result is prefixed with "$s$" to distinguish from legacy raw client hashes.
// Result is prefixed to distinguish server-hashed credentials from invalid legacy rows.
async hashPasswordServer(clientHash: string, email: string): Promise<string> {
const keyMaterial = await crypto.subtle.importKey(
'raw',
@@ -116,20 +152,17 @@ export class AuthService {
const bytes = new Uint8Array(bits);
let binary = '';
for (const b of bytes) binary += String.fromCharCode(b);
return '$s$' + btoa(binary);
return SERVER_HASH_PREFIX + btoa(binary);
}
// Verify password: hash the input the same way, then constant-time compare.
async verifyPassword(inputHash: string, storedHash: string, email?: string): Promise<boolean> {
// New server-hashed passwords are prefixed with "$s$".
// Legacy accounts (created before the upgrade) store raw client hashes without prefix.
if (email && storedHash.startsWith('$s$')) {
// Verify password: new rows use server-side hashing; legacy rows store the raw client hash.
async verifyPassword(inputHash: string, storedHash: string, email: string): Promise<boolean> {
if (!storedHash.startsWith(SERVER_HASH_PREFIX)) {
return this.constantTimeEquals(inputHash, storedHash);
}
const serverHash = await this.hashPasswordServer(inputHash, email);
return this.constantTimeEquals(serverHash, storedHash);
}
// Legacy path: direct constant-time comparison of raw client hashes.
return this.constantTimeEquals(inputHash, storedHash);
}
private constantTimeEquals(a: string, b: string): boolean {
const encA = new TextEncoder().encode(a);
@@ -204,34 +237,45 @@ export class AuthService {
}
// Refresh access token
async refreshAccessToken(
refreshToken: string
): Promise<{ accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null } | null> {
async refreshAccessTokenDetailed(refreshToken: string): Promise<RefreshAccessTokenResult> {
const record = await this.storage.getRefreshTokenRecord(refreshToken);
if (!record?.userId) return null;
if (!record?.userId) return { ok: false, reason: 'token_not_found_or_expired' };
const user = await this.storage.getUserById(record.userId);
if (!user) return null;
if (!user) {
await this.storage.deleteRefreshToken(refreshToken);
return { ok: false, reason: 'user_missing', userId: record.userId, deviceIdentifier: record.deviceIdentifier };
}
if (user.status !== 'active') {
await this.storage.deleteRefreshToken(refreshToken);
return null;
return { ok: false, reason: 'user_inactive', userId: user.id, deviceIdentifier: record.deviceIdentifier };
}
let device: { identifier: string; sessionStamp: string } | null = null;
if (record.deviceIdentifier) {
if (!record.deviceIdentifier || !record.deviceSessionStamp) {
await this.storage.deleteRefreshToken(refreshToken);
return { ok: false, reason: 'device_missing', userId: user.id, deviceIdentifier: record.deviceIdentifier };
}
const boundDevice = await this.storage.getDevice(user.id, record.deviceIdentifier);
if (!boundDevice) {
await this.storage.deleteRefreshToken(refreshToken);
return null;
return { ok: false, reason: 'device_missing', userId: user.id, deviceIdentifier: record.deviceIdentifier };
}
if (!record.deviceSessionStamp || boundDevice.sessionStamp !== record.deviceSessionStamp) {
if (boundDevice.sessionStamp !== record.deviceSessionStamp) {
await this.storage.deleteRefreshToken(refreshToken);
return null;
return { ok: false, reason: 'device_session_mismatch', userId: user.id, deviceIdentifier: record.deviceIdentifier };
}
device = { identifier: boundDevice.deviceIdentifier, sessionStamp: boundDevice.sessionStamp };
}
const accessToken = await this.generateAccessToken(user, device);
return { accessToken, user, device };
return { ok: true, accessToken, user, device };
}
async refreshAccessToken(
refreshToken: string
): Promise<{ accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null } | null> {
const result = await this.refreshAccessTokenDetailed(refreshToken);
return result.ok ? result : null;
}
}
src/services/backup-config.ts
-19
View File
@@ -409,13 +409,6 @@ export async function loadBackupSettings(storage: StorageService, env: Env, fall
export async function saveBackupSettings(storage: StorageService, env: Env, settings: BackupSettings): Promise<void> {
const users = await storage.getAllUsers();
const hasPortableAdmins = users.some(
(user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
);
if (!hasPortableAdmins) {
await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, serializeBackupSettings(settings));
return;
}
const encrypted = await encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, encrypted);
}
@@ -442,12 +435,6 @@ export async function normalizeImportedBackupSettingsValue(
try {
const decrypted = await decryptBackupSettingsRuntime(raw, env);
const settings = parseBackupSettings(decrypted, fallbackTimezone);
const hasPortableAdmins = users.some(
(user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
);
if (!hasPortableAdmins) {
return serializeBackupSettings(settings);
}
return encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
} catch {
// Keep imported portable recovery data intact until an admin signs in and repairs it.
@@ -455,12 +442,6 @@ export async function normalizeImportedBackupSettingsValue(
}
}
const settings = parseBackupSettings(raw, fallbackTimezone);
const hasPortableAdmins = users.some(
(user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
);
if (!hasPortableAdmins) {
return serializeBackupSettings(settings);
}
return encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
}
src/services/backup-settings-crypto.ts
+6 -3
View File
@@ -6,6 +6,8 @@ import type { Env, User } from '../types';
// server's scheduled backup runner.
// - portable: AES-GCM encrypted with a random DEK; that DEK is RSA-wrapped for
// active admin public keys so settings can be repaired after restore/migration.
// Historical/imported databases may not have usable admin public keys; in that
// case portable.wraps is empty but the runtime ciphertext is still encrypted.
//
// New admin-entered provider secrets, such as mail API keys, should use this
// pattern or a deliberately documented replacement. Do not store provider
@@ -186,9 +188,6 @@ export async function encryptBackupSettingsEnvelope(
): Promise<string> {
const encoder = new TextEncoder();
const eligibleUsers = getEligiblePortableUsers(users);
if (!eligibleUsers.length) {
throw new Error('No active administrator public keys are available for backup settings recovery');
}
const runtimeKey = await deriveRuntimeKey(env.JWT_SECRET);
const runtime = await encryptAesGcm(encoder.encode(plaintext), runtimeKey);
@@ -205,6 +204,7 @@ export async function encryptBackupSettingsEnvelope(
const wraps: BackupSettingsPortableWrap[] = [];
for (const user of eligibleUsers) {
try {
const publicKey = await importPortablePublicKey(user.publicKey!);
const wrappedKey = new Uint8Array(
await crypto.subtle.encrypt(
@@ -217,6 +217,9 @@ export async function encryptBackupSettingsEnvelope(
userId: user.id,
wrappedKey: bytesToBase64(wrappedKey),
});
} catch {
// Keep runtime settings usable even if an imported admin key is malformed.
}
}
const envelope: BackupSettingsEnvelopeV2 = {
src/services/storage-admin-repo.ts
+121 -2
View File
@@ -1,5 +1,72 @@
import type { AuditLog, Invite } from '../types';
export interface AuditLogListOptions {
limit: number;
offset: number;
category?: string | null;
level?: string | null;
q?: string | null;
from?: string | null;
to?: string | null;
}
export interface AuditLogListResult {
logs: AuditLog[];
total: number;
hasMore: boolean;
}
function auditLogFromRow(row: any): AuditLog {
return {
id: row.id,
actorUserId: row.actor_user_id ?? null,
actorEmail: row.actor_email ?? null,
action: row.action,
category: row.category || 'system',
level: row.level || 'info',
targetType: row.target_type ?? null,
targetId: row.target_id ?? null,
targetUserEmail: row.target_user_email ?? null,
metadata: row.metadata ?? null,
createdAt: row.created_at,
};
}
function buildAuditWhere(options: AuditLogListOptions): { where: string; params: unknown[] } {
const conditions: string[] = [];
const params: unknown[] = [];
if (options.from) {
conditions.push('l.created_at >= ?');
params.push(options.from);
}
if (options.to) {
conditions.push('l.created_at <= ?');
params.push(options.to);
}
if (options.category) {
conditions.push('l.category = ?');
params.push(options.category);
}
if (options.level) {
conditions.push('l.level = ?');
params.push(options.level);
}
if (options.q) {
const q = options.q.toLowerCase().slice(0, 48);
const like = `%${q}%`;
conditions.push(
'(LOWER(l.action) LIKE ? OR LOWER(COALESCE(l.actor_user_id, \'\')) LIKE ? OR LOWER(COALESCE(l.target_type, \'\')) LIKE ? OR LOWER(COALESCE(l.target_id, \'\')) LIKE ? OR LOWER(COALESCE(actor.email, \'\')) LIKE ? OR LOWER(COALESCE(target.email, \'\')) LIKE ?)'
);
params.push(like, like, like, like, like, like);
}
return {
where: conditions.length ? `WHERE ${conditions.join(' AND ')}` : '',
params,
};
}
export async function createInvite(db: D1Database, invite: Invite): Promise<void> {
await db
.prepare(
@@ -77,8 +144,60 @@ export async function deleteAllInvites(db: D1Database): Promise<number> {
export async function createAuditLog(db: D1Database, log: AuditLog): Promise<void> {
await db
.prepare(
'INSERT INTO audit_logs(id, actor_user_id, action, target_type, target_id, metadata, created_at) VALUES(?, ?, ?, ?, ?, ?, ?)'
'INSERT INTO audit_logs(id, actor_user_id, action, category, level, target_type, target_id, metadata, created_at) VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?)'
)
.bind(log.id, log.actorUserId, log.action, log.targetType, log.targetId, log.metadata, log.createdAt)
.bind(log.id, log.actorUserId, log.action, log.category, log.level, log.targetType, log.targetId, log.metadata, log.createdAt)
.run();
}
export async function pruneAuditLogs(db: D1Database, beforeIso: string): Promise<number> {
const result = await db
.prepare('DELETE FROM audit_logs WHERE created_at < ?')
.bind(beforeIso)
.run();
return Number(result.meta.changes ?? 0);
}
export async function pruneAuditLogsToMax(db: D1Database, maxEntries: number): Promise<number> {
const limit = Math.max(1, Math.floor(maxEntries));
const result = await db
.prepare(
'DELETE FROM audit_logs WHERE id IN (' +
'SELECT id FROM audit_logs ORDER BY created_at DESC LIMIT -1 OFFSET ?' +
')'
)
.bind(limit)
.run();
return Number(result.meta.changes ?? 0);
}
export async function clearAuditLogs(db: D1Database): Promise<number> {
const result = await db.prepare('DELETE FROM audit_logs').run();
return Number(result.meta.changes ?? 0);
}
export async function listAuditLogs(db: D1Database, options: AuditLogListOptions): Promise<AuditLogListResult> {
const limit = Math.max(1, Math.min(200, Math.floor(options.limit || 50)));
const offset = Math.max(0, Math.floor(options.offset || 0));
const { where, params } = buildAuditWhere(options);
const rows = await db
.prepare(
'SELECT l.id, l.actor_user_id, actor.email AS actor_email, l.action, l.category, l.level, l.target_type, l.target_id, target.email AS target_user_email, l.metadata, l.created_at ' +
'FROM audit_logs l ' +
'LEFT JOIN users actor ON actor.id = l.actor_user_id ' +
"LEFT JOIN users target ON l.target_type = 'user' AND target.id = l.target_id " +
`${where} ORDER BY l.created_at DESC LIMIT ? OFFSET ?`
)
.bind(...params, limit + 1, offset)
.all<any>();
const results = rows.results || [];
const logs = results.slice(0, limit).map(auditLogFromRow);
const hasMore = results.length > limit;
return {
logs,
total: offset + logs.length + (hasMore ? 1 : 0),
hasMore,
};
}
src/services/storage-cipher-repo.ts
+4
View File
@@ -39,6 +39,10 @@ const CIPHER_SCALAR_DATA_KEYS = new Set([
'favorite',
'reprompt',
'key',
'attachments',
'Attachments',
'attachments2',
'Attachments2',
'createdAt',
'created_at',
'creationDate',
src/services/storage-device-repo.ts
+15
View File
@@ -233,6 +233,21 @@ export async function deleteTrustedTwoFactorTokensByUserId(db: D1Database, userI
return Number(result.meta.changes ?? 0);
}
export async function updateTrustedTwoFactorTokensExpiryByDevice(
db: D1Database,
userId: string,
deviceIdentifier: string,
expiresAtMs: number
): Promise<number> {
const now = Date.now();
await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(now).run();
const result = await db
.prepare('UPDATE trusted_two_factor_device_tokens SET expires_at = ? WHERE user_id = ? AND device_identifier = ? AND expires_at >= ?')
.bind(expiresAtMs, userId, deviceIdentifier, now)
.run();
return Number(result.meta.changes ?? 0);
}
export async function saveTrustedTwoFactorDeviceToken(
db: D1Database,
trustedTokenKey: TrustedTokenKeyFn,
src/services/storage-refresh-token-repo.ts
+1 -36
View File
@@ -28,13 +28,6 @@ export async function getRefreshTokenRecord(
db: D1Database,
refreshTokenKey: RefreshTokenKeyFn,
maybeCleanupExpiredRefreshTokens: CleanupExpiredFn,
saveRefreshTokenRecord: (
token: string,
userId: string,
expiresAtMs?: number,
deviceIdentifier?: string | null,
deviceSessionStamp?: string | null
) => Promise<void>,
deleteRefreshTokenRecord: (token: string) => Promise<void>,
token: string
): Promise<RefreshTokenRecord | null> {
@@ -42,39 +35,11 @@ export async function getRefreshTokenRecord(
await maybeCleanupExpiredRefreshTokens(now);
const tokenKey = await refreshTokenKey(token);
let row = await db
const row = await db
.prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
.bind(tokenKey)
.first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
if (!row) {
const legacyRow = await db
.prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
.bind(token)
.first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
if (legacyRow) {
if (legacyRow.expires_at && legacyRow.expires_at < now) {
await deleteRefreshTokenRecord(token);
return null;
}
await saveRefreshTokenRecord(
token,
legacyRow.user_id,
legacyRow.expires_at,
legacyRow.device_identifier ?? null,
legacyRow.device_session_stamp ?? null
);
await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(token).run();
return {
userId: legacyRow.user_id,
expiresAt: legacyRow.expires_at,
deviceIdentifier: legacyRow.device_identifier ?? null,
deviceSessionStamp: legacyRow.device_session_stamp ?? null,
};
}
}
if (!row) return null;
if (row.expires_at && row.expires_at < now) {
await deleteRefreshTokenRecord(token);
src/services/storage-schema.ts
+7 -1
View File
@@ -82,10 +82,16 @@ const SCHEMA_STATEMENTS: readonly string[] = [
'CREATE INDEX IF NOT EXISTS idx_invites_created_by ON invites(created_by, created_at)',
'CREATE TABLE IF NOT EXISTS audit_logs (' +
'id TEXT PRIMARY KEY, actor_user_id TEXT, action TEXT NOT NULL, target_type TEXT, target_id TEXT, metadata TEXT, created_at TEXT NOT NULL, ' +
'id TEXT PRIMARY KEY, actor_user_id TEXT, action TEXT NOT NULL, category TEXT NOT NULL DEFAULT \'system\', level TEXT NOT NULL DEFAULT \'info\', target_type TEXT, target_id TEXT, metadata TEXT, created_at TEXT NOT NULL, ' +
'FOREIGN KEY (actor_user_id) REFERENCES users(id) ON DELETE SET NULL)',
'ALTER TABLE audit_logs ADD COLUMN category TEXT NOT NULL DEFAULT \'system\'',
'ALTER TABLE audit_logs ADD COLUMN level TEXT NOT NULL DEFAULT \'info\'',
'UPDATE audit_logs SET category = json_extract(metadata, \'$.category\') WHERE json_valid(metadata) AND json_extract(metadata, \'$.category\') IN (\'auth\', \'security\', \'device\', \'data\', \'system\')',
'UPDATE audit_logs SET level = json_extract(metadata, \'$.level\') WHERE json_valid(metadata) AND json_extract(metadata, \'$.level\') IN (\'info\', \'warn\', \'error\', \'security\')',
'CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at)',
'CREATE INDEX IF NOT EXISTS idx_audit_logs_actor_created ON audit_logs(actor_user_id, created_at)',
'CREATE INDEX IF NOT EXISTS idx_audit_logs_category_created ON audit_logs(category, created_at)',
'CREATE INDEX IF NOT EXISTS idx_audit_logs_level_created ON audit_logs(level, created_at)',
'CREATE TABLE IF NOT EXISTS devices (' +
'user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, name TEXT NOT NULL, type INTEGER NOT NULL, session_stamp TEXT, encrypted_user_key TEXT, encrypted_public_key TEXT, encrypted_private_key TEXT, banned INTEGER NOT NULL DEFAULT 0, banned_at TEXT, device_note TEXT, last_seen_at TEXT, ' +
src/services/storage.ts
+27 -2
View File
@@ -18,12 +18,17 @@ import {
saveUser as saveStoredUser,
} from './storage-user-repo';
import {
type AuditLogListOptions,
createAuditLog as createStoredAuditLog,
clearAuditLogs as clearStoredAuditLogs,
createInvite as createStoredInvite,
deleteAllInvites as deleteStoredInvites,
getInvite as findStoredInvite,
listAuditLogs as listStoredAuditLogs,
listInvites as listStoredInvites,
markInviteUsed as markStoredInviteUsed,
pruneAuditLogs as pruneStoredAuditLogs,
pruneAuditLogsToMax as pruneStoredAuditLogsToMax,
revokeInvite as revokeStoredInvite,
} from './storage-admin-repo';
import {
@@ -96,6 +101,7 @@ import {
upsertDevice as saveStoredDevice,
updateDeviceName as updateStoredDeviceName,
updateDeviceKeys as updateStoredDeviceKeys,
updateTrustedTwoFactorTokensExpiryByDevice as updateStoredTrustedTokensExpiryByDevice,
} from './storage-device-repo';
import {
ensureUsedAttachmentDownloadTokenTable as ensureStoredAttachmentTokenTable,
@@ -116,7 +122,7 @@ const STORAGE_SCHEMA_VERSION_KEY = 'schema.version';
// Bump this whenever src/services/storage-schema.ts or migrations/0001_init.sql
// changes. Existing D1 installs only rerun ensureStorageSchema() when this value
// differs from config.schema.version.
const STORAGE_SCHEMA_VERSION = '2026-05-05-domain-rules-v2';
const STORAGE_SCHEMA_VERSION = '2026-05-14-lightweight-audit-logs';
// D1-backed storage.
// Contract:
@@ -278,6 +284,22 @@ export class StorageService {
await createStoredAuditLog(this.db, log);
}
async listAuditLogs(options: AuditLogListOptions): Promise<{ logs: AuditLog[]; total: number; hasMore: boolean }> {
return listStoredAuditLogs(this.db, options);
}
async pruneAuditLogs(beforeIso: string): Promise<number> {
return pruneStoredAuditLogs(this.db, beforeIso);
}
async pruneAuditLogsToMax(maxEntries: number): Promise<number> {
return pruneStoredAuditLogsToMax(this.db, maxEntries);
}
async clearAuditLogs(): Promise<number> {
return clearStoredAuditLogs(this.db);
}
// --- Domain rules ---
async getUserDomainSettings(userId: string) {
@@ -463,7 +485,6 @@ export class StorageService {
this.db,
this.refreshTokenKey.bind(this),
this.maybeCleanupExpiredRefreshTokens.bind(this),
this.saveRefreshToken.bind(this),
this.deleteRefreshToken.bind(this),
token
);
@@ -614,6 +635,10 @@ export class StorageService {
return deleteStoredTrustedTokensByUserId(this.db, userId);
}
async updateTrustedTwoFactorTokensExpiryByDevice(userId: string, deviceIdentifier: string, expiresAtMs: number): Promise<number> {
return updateStoredTrustedTokensExpiryByDevice(this.db, userId, deviceIdentifier, expiresAtMs);
}
// --- Trusted 2FA remember tokens (device-bound) ---
async saveTrustedTwoFactorDeviceToken(
src/types/index.ts
+5 -1
View File
@@ -2,6 +2,7 @@
export interface Env {
DB: D1Database;
NOTIFICATIONS_HUB: DurableObjectNamespace;
BACKUP_TRANSFER_RUNNER: DurableObjectNamespace;
ASSETS?: {
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
};
@@ -10,7 +11,6 @@ export interface Env {
// Optional fallback for attachment/send file storage (no credit card required).
ATTACHMENTS_KV?: KVNamespace;
JWT_SECRET: string;
TOTP_SECRET?: string;
}
export type UserRole = 'admin' | 'user';
@@ -96,9 +96,13 @@ export interface Invite {
export interface AuditLog {
id: string;
actorUserId: string | null;
actorEmail?: string | null;
action: string;
category: 'auth' | 'security' | 'device' | 'data' | 'system';
level: 'info' | 'warn' | 'error' | 'security';
targetType: string | null;
targetId: string | null;
targetUserEmail?: string | null;
metadata: string | null;
createdAt: string;
}
src/utils/response.ts
+6 -4
View File
@@ -38,11 +38,10 @@ function isWildcardCorsPath(path: string): boolean {
function getCorsPolicy(request: Request): { allowOrigin: string | null; allowCredentials: boolean } {
const url = new URL(request.url);
const origin = request.headers.get('Origin');
if (isWildcardCorsPath(url.pathname)) {
return { allowOrigin: '*', allowCredentials: false };
}
if (!origin) {
return { allowOrigin: null, allowCredentials: false };
return isWildcardCorsPath(url.pathname)
? { allowOrigin: '*', allowCredentials: false }
: { allowOrigin: null, allowCredentials: false };
}
if (origin === url.origin) {
return { allowOrigin: origin, allowCredentials: true };
@@ -50,6 +49,9 @@ function getCorsPolicy(request: Request): { allowOrigin: string | null; allowCre
if (isExtensionOrigin(origin)) {
return { allowOrigin: origin, allowCredentials: true };
}
if (isWildcardCorsPath(url.pathname)) {
return { allowOrigin: '*', allowCredentials: false };
}
return { allowOrigin: null, allowCredentials: false };
}
webapp/src/App.tsx
+39 -6
View File
@@ -22,10 +22,11 @@ import {
saveSession,
stripProfileSecrets,
} from '@/lib/api/auth';
import { listAdminInvites, listAdminUsers } from '@/lib/api/admin';
import { clearAuditLogs, getAuditLogSettings, listAdminInvites, listAdminUsers, listAuditLogs, saveAuditLogSettings, type AuditLogFilters } from '@/lib/api/admin';
import { getDomainRules, saveDomainRules } from '@/lib/api/domains';
import { getSends } from '@/lib/api/send';
import { getCachedVaultCoreSnapshot, loadVaultCoreSyncSnapshot } from '@/lib/api/vault-sync';
import { repairCipherKeyMismatches, repairCipherUriChecksums } from '@/lib/api/vault';
import { getCachedVaultCoreSnapshot, invalidateVaultCoreSyncSnapshot, loadVaultCoreSyncSnapshot } from '@/lib/api/vault-sync';
import { silentlyRepairBackupSettingsIfNeeded } from '@/lib/backup-settings-repair';
import {
parseSignalRTextFrames,
@@ -69,7 +70,7 @@ import {
createDemoMainRoutesProps,
} from '@/lib/demo';
import type { AdminBackupSettings } from '@/lib/api/backup';
import type { AdminInvite, AdminUser, AppPhase, AuthorizedDevice, Cipher, CustomEquivalentDomain, DomainRules, Folder as VaultFolder, Profile, Send, SessionState } from '@/lib/types';
import type { AdminInvite, AdminUser, AppPhase, AuditLogSettings, AuthorizedDevice, Cipher, CustomEquivalentDomain, DomainRules, Folder as VaultFolder, Profile, Send, SessionState } from '@/lib/types';
import type { VaultCoreSnapshot } from '@/lib/vault-cache';
function isBackupProgressDetail(value: unknown): value is BackupProgressDetail {
@@ -96,6 +97,7 @@ const APP_ROUTE_PATHS = [
'/vault/totp',
'/sends',
'/admin',
'/logs',
'/security/devices',
'/backup',
'/settings',
@@ -144,7 +146,9 @@ function resolveSystemTheme(): 'light' | 'dark' {
function readLockTimeoutMinutes(): LockTimeoutMinutes {
if (typeof window === 'undefined') return 15;
const value = Number(window.localStorage.getItem(LOCK_TIMEOUT_STORAGE_KEY));
const stored = window.localStorage.getItem(LOCK_TIMEOUT_STORAGE_KEY);
if (stored === null || stored.trim() === '') return 15;
const value = Number(stored);
return LOCK_TIMEOUT_VALUES.has(value as LockTimeoutMinutes) ? (value as LockTimeoutMinutes) : 15;
}
@@ -228,6 +232,7 @@ export default function App() {
const silentRefreshVaultRef = useRef<() => Promise<void>>(async () => {});
const refreshAuthorizedDevicesRef = useRef<() => Promise<void>>(async () => {});
const repairAttemptRef = useRef<string>('');
const uriChecksumRepairAttemptRef = useRef<string>('');
const pendingVaultCoreQueryRefreshRef = useRef<Promise<{ data?: VaultCoreSnapshot } | unknown> | null>(null);
const pendingVaultCoreRefreshRef = useRef<Promise<unknown> | null>(null);
const notificationRefreshTimerRef = useRef<number | null>(null);
@@ -1037,6 +1042,7 @@ export default function App() {
useEffect(() => {
if (session?.accessToken) return;
repairAttemptRef.current = '';
uriChecksumRepairAttemptRef.current = '';
}, [session?.accessToken]);
useEffect(() => {
@@ -1077,6 +1083,26 @@ export default function App() {
setDecryptedFolders(result.folders);
setDecryptedCiphers(result.ciphers);
setVaultInitialDecryptDone(true);
const repairKey = `${session.accessToken}:${encryptedCiphers.map((cipher) => `${cipher.id}:${cipher.revisionDate || ''}`).join(',')}`;
if (uriChecksumRepairAttemptRef.current !== repairKey) {
uriChecksumRepairAttemptRef.current = repairKey;
void repairCipherKeyMismatches(authedFetch, session, result.ciphers)
.then(async (keyMismatchCount) => {
if (keyMismatchCount > 0) {
await invalidateVaultCoreSyncSnapshot(vaultCacheKey);
void refetchVaultCoreData();
return;
}
const uriChecksumCount = await repairCipherUriChecksums(authedFetch, session, result.ciphers);
if (uriChecksumCount > 0) {
await invalidateVaultCoreSyncSnapshot(vaultCacheKey);
void refetchVaultCoreData();
}
})
.catch(() => {
// Best-effort compatibility repair must not interrupt normal vault loading.
});
}
} catch (error) {
if (!active) return;
const message = error instanceof Error ? error.message : t('txt_decrypt_failed_2');
@@ -1089,7 +1115,7 @@ export default function App() {
return () => {
active = false;
};
}, [session?.symEncKey, session?.symMacKey, encryptedFolders, encryptedCiphers]);
}, [session?.symEncKey, session?.symMacKey, vaultCacheKey, encryptedFolders, encryptedCiphers]);
useEffect(() => {
if (IS_DEMO_MODE) return;
@@ -1398,6 +1424,7 @@ export default function App() {
if (location === '/vault/totp') return t('txt_verification_code');
if (location === '/sends') return t('nav_sends');
if (location === '/admin') return t('nav_admin_panel');
if (location === '/logs') return t('nav_log_center');
if (location === '/security/devices') return t('nav_device_management');
if (location === SETTINGS_DOMAIN_RULES_ROUTE) return t('nav_domain_rules');
if (location === '/backup') return t('nav_backup_strategy');
@@ -1424,7 +1451,7 @@ export default function App() {
}, [phase, isImportHashRoute, location, navigate]);
useEffect(() => {
if (phase === 'app' && !isAdminProfile(profile) && location === '/backup' && !profileQuery.isFetching) {
if (phase === 'app' && !isAdminProfile(profile) && (location === '/backup' || location === '/logs') && !profileQuery.isFetching) {
navigate('/vault');
}
}, [phase, profile?.role, profileQuery.isFetching, location, navigate]);
@@ -1475,6 +1502,7 @@ export default function App() {
onDeleteVaultItem: vaultSendActions.deleteVaultItem,
onArchiveVaultItem: vaultSendActions.archiveVaultItem,
onUnarchiveVaultItem: vaultSendActions.unarchiveVaultItem,
onRestoreVaultItems: vaultSendActions.bulkRestoreVaultItems,
onBulkDeleteVaultItems: vaultSendActions.bulkDeleteVaultItems,
onBulkPermanentDeleteVaultItems: vaultSendActions.bulkPermanentDeleteVaultItems,
onBulkRestoreVaultItems: vaultSendActions.bulkRestoreVaultItems,
@@ -1517,6 +1545,7 @@ export default function App() {
onSaveDomainRules: handleSaveDomainRules,
onRenameAuthorizedDevice: accountSecurityActions.renameAuthorizedDevice,
onRevokeDeviceTrust: accountSecurityActions.openRevokeDeviceTrust,
onTrustDevicePermanently: accountSecurityActions.openTrustDevicePermanently,
onRemoveDevice: accountSecurityActions.openRemoveDevice,
onRevokeAllDeviceTrust: accountSecurityActions.openRevokeAllDeviceTrust,
onRemoveAllDevices: accountSecurityActions.openRemoveAllDevices,
@@ -1526,6 +1555,10 @@ export default function App() {
onToggleUserStatus: adminActions.toggleUserStatus,
onDeleteUser: adminActions.deleteUser,
onRevokeInvite: adminActions.revokeInvite,
onLoadAuditLogs: (filters: AuditLogFilters) => listAuditLogs(authedFetch, filters),
onLoadAuditLogSettings: () => getAuditLogSettings(authedFetch),
onSaveAuditLogSettings: (settings: AuditLogSettings) => saveAuditLogSettings(authedFetch, settings),
onClearAuditLogs: () => clearAuditLogs(authedFetch),
onExportBackup: backupActions.exportBackup,
onImportBackup: backupActions.importBackup,
onImportBackupAllowingChecksumMismatch: backupActions.importBackupAllowingChecksumMismatch,
webapp/src/components/AppAuthenticatedShell.tsx
+7 -3
View File
@@ -1,4 +1,4 @@
import { ArrowUpDown, Check, ChevronDown, Clock3, Cloud, Folder as FolderIcon, Globe2, KeyRound, Lock, LogOut, MonitorSmartphone, Send as SendIcon, Settings as SettingsIcon, ShieldUser, SlidersHorizontal, Users } from 'lucide-preact';
import { ArrowUpDown, Check, ChevronDown, Clock3, Cloud, FileClock, Folder as FolderIcon, Globe2, KeyRound, Lock, LogOut, MonitorSmartphone, Send as SendIcon, Settings as SettingsIcon, ShieldUser, SlidersHorizontal, Users } from 'lucide-preact';
import type { ComponentChildren } from 'preact';
import { useEffect, useRef, useState } from 'preact/hooks';
import { Link } from 'wouter';
@@ -48,11 +48,13 @@ function isAdminProfile(profile: Profile | null): boolean {
export default function AppAuthenticatedShell(props: AppAuthenticatedShellProps) {
const routeAnimationKey = props.isImportRoute ? props.importRoute : props.location;
const isDomainRulesRoute = props.location === '/settings/domain-rules';
const isLogRoute = props.location === '/logs';
const isAdmin = isAdminProfile(props.profile);
const vaultActive = props.location === '/vault' || props.location === '/vault/totp';
const settingsActive = props.location === props.settingsAccountRoute || props.location === '/settings/domain-rules';
const dataActive = props.location === '/backup' || props.isImportRoute;
const managementActive = props.location === '/admin' || props.location === '/security/devices';
const managementActive = props.location === '/admin' || props.location === '/security/devices' || props.location === '/logs';
const [navLayoutMode, setNavLayoutMode] = useState<NavLayoutMode>(readNavLayoutMode);
const [navLayoutPickerOpen, setNavLayoutPickerOpen] = useState(false);
const navLayoutPickerRef = useRef<HTMLDivElement | null>(null);
@@ -173,6 +175,7 @@ export default function AppAuthenticatedShell(props: AppAuthenticatedShellProps)
{isAdmin && renderSideLink('/backup', props.location === '/backup', <Cloud size={16} />, t('nav_backup_strategy'))}
{renderSideLink(props.importRoute, props.isImportRoute, <ArrowUpDown size={16} />, t('nav_import_export'))}
{isAdmin && renderSideLink('/admin', props.location === '/admin', <Users size={16} />, t('nav_admin_panel'))}
{isAdmin && renderSideLink('/logs', props.location === '/logs', <FileClock size={16} />, t('nav_log_center'))}
{renderSideLink('/security/devices', props.location === '/security/devices', <MonitorSmartphone size={16} />, t('nav_device_management'))}
</>
);
@@ -217,6 +220,7 @@ export default function AppAuthenticatedShell(props: AppAuthenticatedShellProps)
managementActive,
<>
{isAdmin && renderSubLink('/admin', props.location === '/admin', t('nav_admin_panel'))}
{isAdmin && renderSubLink('/logs', props.location === '/logs', t('nav_log_center'))}
{renderSubLink('/security/devices', props.location === '/security/devices', t('nav_device_management'))}
</>
)}
@@ -302,7 +306,7 @@ export default function AppAuthenticatedShell(props: AppAuthenticatedShellProps)
</div>
</aside>
<main className="content">
<div key={routeAnimationKey} className={`route-stage ${props.location === '/settings/domain-rules' ? 'route-stage-fixed' : ''}`}>
<div key={routeAnimationKey} className={`route-stage ${isDomainRulesRoute ? 'route-stage-fixed' : ''} ${isLogRoute ? 'route-stage-log-fixed' : ''}`}>
<AppMainRoutes {...props.mainRoutesProps} />
</div>
</main>
webapp/src/components/AppMainRoutes.tsx
+35 -2
View File
@@ -1,13 +1,14 @@
import { lazy, Suspense } from 'preact/compat';
import { useEffect } from 'preact/hooks';
import { Link, Route, Switch } from 'wouter';
import { ArrowUpDown, Cloud, Globe2, LogOut, Settings as SettingsIcon, Shield, ShieldUser } from 'lucide-preact';
import { ArrowUpDown, Cloud, FileClock, Globe2, LogOut, Settings as SettingsIcon, Shield, ShieldUser } from 'lucide-preact';
import type { ImportAttachmentFile, ImportResultSummary } from '@/components/ImportPage';
import LoadingState from '@/components/LoadingState';
import type { AdminBackupImportResponse, AdminBackupRunResponse, AdminBackupSettings, RemoteBackupBrowserResponse } from '@/lib/api/backup';
import type { AuditLogFilters } from '@/lib/api/admin';
import type { CiphersImportPayload } from '@/lib/api/vault';
import { t } from '@/lib/i18n';
import type { AdminInvite, AdminUser, AuthorizedDevice, Cipher, CustomEquivalentDomain, DomainRules, Folder as VaultFolder, Profile, Send, SendDraft, SessionState, VaultDraft } from '@/lib/types';
import type { AdminInvite, AdminUser, AuditLogListResult, AuditLogSettings, AuthorizedDevice, Cipher, CustomEquivalentDomain, DomainRules, Folder as VaultFolder, Profile, Send, SendDraft, SessionState, VaultDraft } from '@/lib/types';
import type { ExportRequest } from '@/lib/export-formats';
const VaultPage = lazy(() => import('@/components/VaultPage'));
@@ -17,6 +18,7 @@ const SettingsPage = lazy(() => import('@/components/SettingsPage'));
const DomainRulesPage = lazy(() => import('@/components/DomainRulesPage'));
const SecurityDevicesPage = lazy(() => import('@/components/SecurityDevicesPage'));
const AdminPage = lazy(() => import('@/components/AdminPage'));
const LogCenterPage = lazy(() => import('@/components/LogCenterPage'));
const BackupCenterPage = lazy(() => import('@/components/BackupCenterPage'));
const ImportPage = lazy(() => import('@/components/ImportPage'));
@@ -79,6 +81,7 @@ export interface AppMainRoutesProps {
onDeleteVaultItem: (cipher: Cipher) => Promise<void>;
onArchiveVaultItem: (cipher: Cipher) => Promise<void>;
onUnarchiveVaultItem: (cipher: Cipher) => Promise<void>;
onRestoreVaultItems: (ids: string[]) => Promise<void>;
onBulkDeleteVaultItems: (ids: string[]) => Promise<void>;
onBulkPermanentDeleteVaultItems: (ids: string[]) => Promise<void>;
onBulkRestoreVaultItems: (ids: string[]) => Promise<void>;
@@ -116,6 +119,7 @@ export interface AppMainRoutesProps {
onSaveDomainRules: (customEquivalentDomains: CustomEquivalentDomain[], excludedGlobalEquivalentDomains: number[]) => Promise<void>;
onRenameAuthorizedDevice: (device: AuthorizedDevice, name: string) => Promise<void>;
onRevokeDeviceTrust: (device: AuthorizedDevice) => void;
onTrustDevicePermanently: (device: AuthorizedDevice) => void;
onRemoveDevice: (device: AuthorizedDevice) => void;
onRevokeAllDeviceTrust: () => void;
onRemoveAllDevices: () => void;
@@ -125,6 +129,10 @@ export interface AppMainRoutesProps {
onToggleUserStatus: (userId: string, status: 'active' | 'banned') => Promise<void>;
onDeleteUser: (userId: string) => Promise<void>;
onRevokeInvite: (code: string) => Promise<void>;
onLoadAuditLogs: (filters: AuditLogFilters) => Promise<AuditLogListResult>;
onLoadAuditLogSettings: () => Promise<AuditLogSettings>;
onSaveAuditLogSettings: (settings: AuditLogSettings) => Promise<AuditLogSettings>;
onClearAuditLogs: () => Promise<number>;
onExportBackup: (includeAttachments?: boolean) => Promise<void>;
onImportBackup: (file: File, replaceExisting?: boolean) => Promise<AdminBackupImportResponse>;
onImportBackupAllowingChecksumMismatch: (file: File, replaceExisting?: boolean) => Promise<AdminBackupImportResponse>;
@@ -207,6 +215,7 @@ export default function AppMainRoutes(props: AppMainRoutesProps) {
onDelete={props.onDeleteVaultItem}
onArchive={props.onArchiveVaultItem}
onUnarchive={props.onUnarchiveVaultItem}
onRestore={props.onRestoreVaultItems}
onBulkDelete={props.onBulkDeleteVaultItems}
onBulkPermanentDelete={props.onBulkPermanentDeleteVaultItems}
onBulkRestore={props.onBulkRestoreVaultItems}
@@ -288,6 +297,12 @@ export default function AppMainRoutes(props: AppMainRoutesProps) {
<span>{t('nav_admin_panel')}</span>
</Link>
)}
{isAdmin && (
<Link href="/logs" className="mobile-settings-link">
<FileClock size={18} />
<span>{t('nav_log_center')}</span>
</Link>
)}
{isAdmin && (
<Link href="/backup" className="mobile-settings-link">
<Cloud size={18} />
@@ -322,6 +337,7 @@ export default function AppMainRoutes(props: AppMainRoutesProps) {
onRefresh={() => void props.onRefreshAuthorizedDevices()}
onRenameDevice={props.onRenameAuthorizedDevice}
onRevokeTrust={props.onRevokeDeviceTrust}
onTrustPermanently={props.onTrustDevicePermanently}
onRemoveDevice={props.onRemoveDevice}
onRevokeAll={props.onRevokeAllDeviceTrust}
onRemoveAll={props.onRemoveAllDevices}
@@ -378,6 +394,23 @@ export default function AppMainRoutes(props: AppMainRoutesProps) {
</Suspense>
</div>
</Route>
<Route path="/logs">
{isAdmin ? (
<div className="stack">
<Suspense fallback={<RouteContentFallback />}>
<LogCenterPage
onLoadLogs={props.onLoadAuditLogs}
onLoadSettings={props.onLoadAuditLogSettings}
onSaveSettings={props.onSaveAuditLogSettings}
onClearLogs={props.onClearAuditLogs}
onNotify={props.onNotify}
mobileLayout={props.mobileLayout}
onMobileBack={() => props.onNavigate(props.settingsHomeRoute)}
/>
</Suspense>
</div>
) : null}
</Route>
{importRoutePaths.map((path) => (
<Route key={path} path={path}>
{renderImportPageRoute()}
webapp/src/components/ImportPage.tsx
+1
View File
@@ -91,6 +91,7 @@ const COMMON_IMPORT_SOURCE_IDS: ImportSourceId[] = [
'lastpass',
'dashlane_csv',
'dashlane_json',
'keepass_csv',
'keepass_xml',
'keepassx_csv',
];
webapp/src/components/LogCenterPage.tsx
+578
View File
@@ -0,0 +1,578 @@
import { useCallback, useEffect, useMemo, useState } from 'preact/hooks';
import { ChevronLeft, ChevronRight, Database, RefreshCw, Save, Search, Server, Settings2, ShieldAlert, Smartphone, Trash2, UserRound } from 'lucide-preact';
import LoadingState from '@/components/LoadingState';
import type { AuditLogFilters } from '@/lib/api/admin';
import { t } from '@/lib/i18n';
import type { AuditLogCategory, AuditLogEntry, AuditLogLevel, AuditLogListResult, AuditLogSettings } from '@/lib/types';
interface LogCenterPageProps {
onLoadLogs: (filters: AuditLogFilters) => Promise<AuditLogListResult>;
onLoadSettings: () => Promise<AuditLogSettings>;
onSaveSettings: (settings: AuditLogSettings) => Promise<AuditLogSettings>;
onClearLogs: () => Promise<number>;
onNotify: (type: 'success' | 'error' | 'warning', text: string) => void;
mobileLayout?: boolean;
onMobileBack?: () => void;
}
type TimeRange = '24h' | '7d' | '30d' | 'all';
type FilterCategory = AuditLogCategory | 'all';
type FilterLevel = AuditLogLevel | 'all';
type RetentionMode = 'days' | 'entries';
const PAGE_SIZE = 50;
const CATEGORY_OPTIONS: Array<{ value: FilterCategory; labelKey: string }> = [
{ value: 'all', labelKey: 'txt_all_logs' },
{ value: 'auth', labelKey: 'txt_log_category_auth' },
{ value: 'security', labelKey: 'txt_log_category_security' },
{ value: 'device', labelKey: 'txt_log_category_device' },
{ value: 'data', labelKey: 'txt_log_category_data' },
{ value: 'system', labelKey: 'txt_log_category_system' },
];
const LEVEL_OPTIONS: Array<{ value: FilterLevel; labelKey: string }> = [
{ value: 'all', labelKey: 'txt_all_levels' },
{ value: 'info', labelKey: 'txt_log_level_info' },
{ value: 'warn', labelKey: 'txt_log_level_warn' },
{ value: 'error', labelKey: 'txt_log_level_error' },
{ value: 'security', labelKey: 'txt_log_level_security' },
];
const RANGE_OPTIONS: Array<{ value: TimeRange; labelKey: string }> = [
{ value: '24h', labelKey: 'txt_last_24_hours' },
{ value: '7d', labelKey: 'txt_last_7_days' },
{ value: '30d', labelKey: 'txt_last_30_days' },
{ value: 'all', labelKey: 'txt_all_time' },
];
const RETENTION_OPTIONS: Array<{ value: string; labelKey: string }> = [
{ value: '7', labelKey: 'txt_log_retention_7d' },
{ value: '30', labelKey: 'txt_log_retention_30d' },
{ value: '90', labelKey: 'txt_log_retention_90d' },
{ value: '180', labelKey: 'txt_log_retention_180d' },
{ value: '365', labelKey: 'txt_log_retention_365d' },
{ value: '0', labelKey: 'txt_log_retention_forever' },
];
const MAX_ENTRY_OPTIONS: Array<{ value: string; labelKey: string }> = [
{ value: '1000', labelKey: 'txt_log_max_1000' },
{ value: '5000', labelKey: 'txt_log_max_5000' },
{ value: '10000', labelKey: 'txt_log_max_10000' },
{ value: '50000', labelKey: 'txt_log_max_50000' },
{ value: '0', labelKey: 'txt_log_max_unlimited' },
];
function parseMetadata(log: AuditLogEntry): Record<string, unknown> {
if (!log.metadata) return {};
try {
const parsed = JSON.parse(log.metadata);
return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed as Record<string, unknown> : {};
} catch {
return { raw: log.metadata };
}
}
function inferCategory(log: AuditLogEntry, metadata: Record<string, unknown>): AuditLogCategory {
if (log.category === 'auth' || log.category === 'security' || log.category === 'device' || log.category === 'data' || log.category === 'system') {
return log.category;
}
const category = metadata.category;
if (category === 'auth' || category === 'security' || category === 'device' || category === 'data' || category === 'system') {
return category;
}
if (log.action.startsWith('auth.')) return 'auth';
if (log.action.startsWith('device.')) return 'device';
if (log.action.startsWith('admin.backup.')) return 'data';
if (log.action.startsWith('account.') || log.action.startsWith('user.password.') || log.action.startsWith('user.register.') || log.action.startsWith('admin.user.')) return 'security';
return 'system';
}
function inferLevel(log: AuditLogEntry, metadata: Record<string, unknown>): AuditLogLevel {
if (log.level === 'info' || log.level === 'warn' || log.level === 'error' || log.level === 'security') {
return log.level;
}
const level = metadata.level;
if (level === 'info' || level === 'warn' || level === 'error' || level === 'security') return level;
if (log.action.includes('.failed') || log.action.includes('.error')) return 'error';
if (log.action.includes('password') || log.action.includes('totp') || log.action.includes('delete') || log.action.includes('ban')) return 'security';
return 'info';
}
function humanizeIdentifier(value: string): string {
return value
.replace(/([a-z0-9])([A-Z])/g, '$1 $2')
.split('.')
.flatMap((part) => part.split('_'))
.filter(Boolean)
.map((part) => part.charAt(0).toUpperCase() + part.slice(1))
.join(' / ');
}
function keyFor(prefix: string, value: string): string {
return `${prefix}${value.replace(/([a-z0-9])([A-Z])/g, '$1_$2').replace(/[^A-Za-z0-9]+/g, '_').toLowerCase()}`;
}
function translatedOrHumanized(key: string, fallback: string): string {
const translated = t(key);
return translated === key ? humanizeIdentifier(fallback) : translated;
}
function formatAction(action: string): string {
if (action.startsWith('auth.refresh.failed.')) {
const reason = formatReason(action.slice('auth.refresh.failed.'.length));
return t('txt_log_action_auth_refresh_failed', { reason });
}
return translatedOrHumanized(keyFor('txt_log_action_', action), action);
}
function formatMetaKey(key: string): string {
return translatedOrHumanized(keyFor('txt_log_meta_', key), key);
}
function formatReason(reason: string): string {
return translatedOrHumanized(keyFor('txt_log_reason_', reason), reason);
}
function formatTime(value: string): string {
const date = new Date(value);
return Number.isNaN(date.getTime()) ? value : date.toLocaleString();
}
function formatMetaValue(value: unknown): string {
if (value === null || value === undefined || value === '') return t('txt_dash');
if (typeof value === 'boolean') return value ? t('txt_yes') : t('txt_no');
if (typeof value === 'string') return value;
if (typeof value === 'number') return String(value);
return JSON.stringify(value);
}
function formatMetaValueForKey(key: string, value: unknown): string {
if (key === 'reason' && typeof value === 'string') return formatReason(value);
if (key === 'trigger' && typeof value === 'string') {
return translatedOrHumanized(keyFor('txt_log_trigger_', value), value);
}
if (key === 'type' && typeof value === 'string') {
return translatedOrHumanized(keyFor('txt_log_target_type_', value), value);
}
return formatMetaValue(value);
}
function iconForCategory(category: AuditLogCategory) {
if (category === 'auth') return <ShieldAlert size={16} />;
if (category === 'security') return <UserRound size={16} />;
if (category === 'device') return <Smartphone size={16} />;
if (category === 'data') return <Database size={16} />;
return <Server size={16} />;
}
function buildRange(range: TimeRange): { from?: string; to?: string } {
if (range === 'all') return {};
const now = Date.now();
const hours = range === '24h' ? 24 : range === '7d' ? 24 * 7 : 24 * 30;
return {
from: new Date(now - hours * 60 * 60 * 1000).toISOString(),
to: new Date(now).toISOString(),
};
}
function inferRetentionMode(settings: AuditLogSettings): RetentionMode {
return settings.retentionDays === null && settings.maxEntries !== null ? 'entries' : 'days';
}
export default function LogCenterPage(props: LogCenterPageProps) {
const [logs, setLogs] = useState<AuditLogEntry[]>([]);
const [total, setTotal] = useState(0);
const [hasMore, setHasMore] = useState(false);
const [offset, setOffset] = useState(0);
const [search, setSearch] = useState('');
const [category, setCategory] = useState<FilterCategory>('all');
const [level, setLevel] = useState<FilterLevel>('all');
const [range, setRange] = useState<TimeRange>('7d');
const [loading, setLoading] = useState(false);
const [settingsLoading, setSettingsLoading] = useState(false);
const [settingsSaving, setSettingsSaving] = useState(false);
const [settingsOpen, setSettingsOpen] = useState(false);
const [clearConfirmOpen, setClearConfirmOpen] = useState(false);
const [retentionMode, setRetentionMode] = useState<RetentionMode>('days');
const [settings, setSettings] = useState<AuditLogSettings>({ retentionDays: 90, maxEntries: null });
const [error, setError] = useState('');
const [selectedId, setSelectedId] = useState<string | null>(null);
const [mobileDetailOpen, setMobileDetailOpen] = useState(false);
const selectedLog = useMemo(() => logs.find((log) => log.id === selectedId) || logs[0] || null, [logs, selectedId]);
const selectedMetadata = useMemo(() => selectedLog ? parseMetadata(selectedLog) : {}, [selectedLog]);
const selectedCategory = selectedLog ? inferCategory(selectedLog, selectedMetadata) : 'system';
const selectedLevel = selectedLog ? inferLevel(selectedLog, selectedMetadata) : 'info';
const page = Math.floor(offset / PAGE_SIZE) + 1;
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE));
const load = useCallback(async (nextOffset = offset) => {
setLoading(true);
setError('');
try {
const rangeFilter = buildRange(range);
const result = await props.onLoadLogs({
limit: PAGE_SIZE,
offset: nextOffset,
category,
level,
q: search,
...rangeFilter,
});
setLogs(result.logs);
setTotal(result.total);
setHasMore(result.hasMore);
setOffset(result.offset);
setSelectedId((current) => current && result.logs.some((log) => log.id === current) ? current : result.logs[0]?.id || null);
setMobileDetailOpen(false);
} catch {
setError(t('txt_load_logs_failed'));
props.onNotify('error', t('txt_load_logs_failed'));
} finally {
setLoading(false);
}
}, [category, level, offset, props, range, search]);
useEffect(() => {
void load(0);
}, [category, level, range]);
useEffect(() => {
let cancelled = false;
setSettingsLoading(true);
props.onLoadSettings()
.then((next) => {
if (!cancelled) {
setSettings(next);
setRetentionMode(inferRetentionMode(next));
}
})
.catch(() => {
if (!cancelled) props.onNotify('error', t('txt_load_log_settings_failed'));
})
.finally(() => {
if (!cancelled) setSettingsLoading(false);
});
return () => {
cancelled = true;
};
}, []);
function submitFilters(event: Event): void {
event.preventDefault();
void load(0);
}
async function saveSettings(): Promise<void> {
setSettingsSaving(true);
try {
const next = await props.onSaveSettings(settings);
setSettings(next);
setRetentionMode(inferRetentionMode(next));
setSettingsOpen(false);
setClearConfirmOpen(false);
props.onNotify('success', t('txt_log_settings_saved'));
void load(0);
} catch {
props.onNotify('error', t('txt_log_settings_save_failed'));
} finally {
setSettingsSaving(false);
}
}
async function clearLogs(): Promise<void> {
setSettingsSaving(true);
try {
await props.onClearLogs();
setLogs([]);
setTotal(0);
setHasMore(false);
setOffset(0);
setSelectedId(null);
setMobileDetailOpen(false);
setClearConfirmOpen(false);
setSettingsOpen(false);
props.onNotify('success', t('txt_logs_cleared'));
} catch {
props.onNotify('error', t('txt_clear_logs_failed'));
} finally {
setSettingsSaving(false);
}
}
function selectRetentionMode(nextMode: RetentionMode): void {
setRetentionMode(nextMode);
setSettings((current) => nextMode === 'days'
? { retentionDays: current.retentionDays ?? 90, maxEntries: null }
: { retentionDays: null, maxEntries: current.maxEntries ?? 10_000 });
}
const visibleMetaEntries = selectedLog
? Object.entries(selectedMetadata).filter(([key]) => key !== 'category' && key !== 'level')
: [];
function selectLog(logId: string): void {
setSelectedId(logId);
setSettingsOpen(false);
setClearConfirmOpen(false);
setMobileDetailOpen(true);
}
function handleMobileBack(): void {
if (mobileDetailOpen) {
setMobileDetailOpen(false);
return;
}
props.onMobileBack?.();
}
return (
<div className={`log-center-page ${mobileDetailOpen ? 'log-mobile-detail-open' : ''}`}>
{props.mobileLayout && (
<div className="log-mobile-subhead">
<button type="button" className="btn btn-secondary small mobile-settings-back" onClick={handleMobileBack}>
<ChevronLeft size={14} className="btn-icon" />
{t('txt_back')}
</button>
<button
type="button"
className={`btn btn-secondary log-mobile-settings-trigger ${settingsOpen ? 'active' : ''}`}
aria-label={t('txt_log_settings')}
title={t('txt_log_settings')}
aria-expanded={settingsOpen}
onClick={() => {
setSettingsOpen((open) => !open);
setClearConfirmOpen(false);
}}
>
<Settings2 size={18} />
</button>
</div>
)}
<section className="card log-center-toolbar">
<form className="log-filter-form" onSubmit={submitFilters}>
<label className="field log-search-field">
<span>{t('txt_search')}</span>
<div className="input-action-wrap">
<Search size={15} className="input-leading-icon" />
<input
className="input log-search-input"
value={search}
placeholder={t('txt_log_search_placeholder')}
onInput={(event) => setSearch((event.currentTarget as HTMLInputElement).value)}
/>
</div>
</label>
<label className="field">
<span>{t('txt_log_category')}</span>
<select className="input" value={category} onChange={(event) => setCategory((event.currentTarget as HTMLSelectElement).value as FilterCategory)}>
{CATEGORY_OPTIONS.map((option) => <option key={option.value} value={option.value}>{t(option.labelKey)}</option>)}
</select>
</label>
<label className="field">
<span>{t('txt_log_level')}</span>
<select className="input" value={level} onChange={(event) => setLevel((event.currentTarget as HTMLSelectElement).value as FilterLevel)}>
{LEVEL_OPTIONS.map((option) => <option key={option.value} value={option.value}>{t(option.labelKey)}</option>)}
</select>
</label>
<label className="field">
<span>{t('txt_time_range')}</span>
<select className="input" value={range} onChange={(event) => setRange((event.currentTarget as HTMLSelectElement).value as TimeRange)}>
{RANGE_OPTIONS.map((option) => <option key={option.value} value={option.value}>{t(option.labelKey)}</option>)}
</select>
</label>
<div className="actions log-filter-actions">
<button type="button" className="btn btn-secondary" disabled={loading} onClick={() => void load(offset)}>
<RefreshCw size={14} className="btn-icon" />
{t('txt_refresh')}
</button>
<button
type="button"
className={`btn btn-secondary ${settingsOpen ? 'active' : ''}`}
aria-expanded={settingsOpen}
onClick={() => {
setSettingsOpen((open) => !open);
setClearConfirmOpen(false);
}}
>
<Settings2 size={14} className="btn-icon" />
{t('txt_log_settings')}
</button>
</div>
</form>
{settingsOpen && (
<div className="log-settings-popover">
<div className="section-head log-settings-popover-head">
<h3>{t('txt_log_retention_settings')}</h3>
</div>
<div className="log-settings-mode" role="group" aria-label={t('txt_log_retention_mode')}>
<button
type="button"
className={`log-mode-option ${retentionMode === 'days' ? 'active' : ''}`}
disabled={settingsLoading || settingsSaving}
onClick={() => selectRetentionMode('days')}
>
{t('txt_log_retention_mode_days')}
</button>
<button
type="button"
className={`log-mode-option ${retentionMode === 'entries' ? 'active' : ''}`}
disabled={settingsLoading || settingsSaving}
onClick={() => selectRetentionMode('entries')}
>
{t('txt_log_retention_mode_entries')}
</button>
</div>
{retentionMode === 'days' ? (
<div className="log-settings-retention-block">
<label className="log-settings-label" htmlFor="log-retention-days-select">{t('txt_log_retention_days')}</label>
<div className="log-settings-retention-row">
<select
id="log-retention-days-select"
className="input"
value={String(settings.retentionDays ?? 0)}
disabled={settingsLoading || settingsSaving}
onChange={(event) => setSettings({
retentionDays: Number((event.currentTarget as HTMLSelectElement).value) || null,
maxEntries: null,
})}
>
{RETENTION_OPTIONS.map((option) => <option key={option.value} value={option.value}>{t(option.labelKey)}</option>)}
</select>
<button type="button" className="btn btn-primary log-settings-save-btn" disabled={settingsLoading || settingsSaving} onClick={() => void saveSettings()}>
<Save size={14} className="btn-icon" />
{t('txt_save')}
</button>
</div>
</div>
) : (
<div className="log-settings-retention-block">
<label className="log-settings-label" htmlFor="log-max-entries-select">{t('txt_log_max_entries')}</label>
<div className="log-settings-retention-row">
<select
id="log-max-entries-select"
className="input"
value={String(settings.maxEntries ?? 0)}
disabled={settingsLoading || settingsSaving}
onChange={(event) => setSettings({
retentionDays: null,
maxEntries: Number((event.currentTarget as HTMLSelectElement).value) || null,
})}
>
{MAX_ENTRY_OPTIONS.map((option) => <option key={option.value} value={option.value}>{t(option.labelKey)}</option>)}
</select>
<button type="button" className="btn btn-primary log-settings-save-btn" disabled={settingsLoading || settingsSaving} onClick={() => void saveSettings()}>
<Save size={14} className="btn-icon" />
{t('txt_save')}
</button>
</div>
</div>
)}
<div className="log-settings-danger">
{clearConfirmOpen ? (
<>
<p>{t('txt_clear_logs_confirm')}</p>
<div className="actions log-clear-confirm-actions">
<button type="button" className="btn btn-secondary" disabled={settingsSaving} onClick={() => setClearConfirmOpen(false)}>
{t('txt_cancel')}
</button>
<button type="button" className="btn btn-danger" disabled={settingsSaving} onClick={() => void clearLogs()}>
<Trash2 size={14} className="btn-icon" />
{t('txt_clear_all_logs')}
</button>
</div>
</>
) : (
<button type="button" className="btn btn-danger ghost-danger" disabled={settingsLoading || settingsSaving} onClick={() => setClearConfirmOpen(true)}>
<Trash2 size={14} className="btn-icon" />
{t('txt_clear_all_logs')}
</button>
)}
</div>
</div>
)}
</section>
<div className="log-center-grid">
<section className="card log-list-panel">
<div className="section-head">
<h3>{t('txt_audit_events')}</h3>
<span className="muted-inline">{page} / {totalPages}</span>
</div>
<div className="log-list">
{logs.map((log) => {
const metadata = parseMetadata(log);
const logCategory = inferCategory(log, metadata);
const logLevel = inferLevel(log, metadata);
return (
<button
key={log.id}
type="button"
className={`log-row ${selectedLog?.id === log.id ? 'active' : ''}`}
onClick={() => selectLog(log.id)}
>
<span className={`log-row-icon log-category-${logCategory}`}>{iconForCategory(logCategory)}</span>
<span className="log-row-main">
<strong>{formatAction(log.action)}</strong>
<small>{formatTime(log.createdAt)}</small>
</span>
<span className={`log-level-pill log-level-${logLevel}`}>{t(`txt_log_level_${logLevel}`)}</span>
</button>
);
})}
{loading && !logs.length && <LoadingState lines={5} compact />}
{!loading && !logs.length && <div className="empty empty-comfortable">{t('txt_no_logs_found')}</div>}
{!!error && <div className="local-error">{error}</div>}
</div>
<div className="actions log-pagination">
<button type="button" className="btn btn-secondary small" disabled={loading || offset <= 0} onClick={() => void load(Math.max(0, offset - PAGE_SIZE))}>
<ChevronLeft size={14} className="btn-icon" />
{t('txt_prev')}
</button>
<span className="log-pagination-count">
{Math.min(offset + logs.length, total)} / {total}
</span>
<button type="button" className="btn btn-secondary small" disabled={loading || !hasMore} onClick={() => void load(offset + PAGE_SIZE)}>
{t('txt_next')}
<ChevronRight size={14} className="btn-icon" />
</button>
</div>
</section>
<section className="card log-detail-panel">
{selectedLog ? (
<>
<div className="section-head log-detail-head">
<div>
<h3>{formatAction(selectedLog.action)}</h3>
<p className="muted-inline">{selectedLog.action}</p>
</div>
<span className={`log-level-pill log-level-${selectedLevel}`}>{t(`txt_log_level_${selectedLevel}`)}</span>
</div>
<div className="log-detail-meta">
<div><span>{t('txt_time')}</span><strong>{formatTime(selectedLog.createdAt)}</strong></div>
<div><span>{t('txt_log_category')}</span><strong>{t(`txt_log_category_${selectedCategory}`)}</strong></div>
<div><span>{t('txt_actor')}</span><strong>{selectedLog.actorEmail || selectedLog.actorUserId || t('txt_dash')}</strong></div>
<div><span>{t('txt_target')}</span><strong>{selectedLog.targetUserEmail || String(selectedMetadata.targetEmail || '') || selectedLog.targetId || selectedLog.targetType || t('txt_dash')}</strong></div>
</div>
<div className="log-detail-json">
<h4>{t('txt_metadata')}</h4>
{visibleMetaEntries.length ? (
<dl>
{visibleMetaEntries.map(([key, value]) => (
<div key={key}>
<dt>{formatMetaKey(key)}</dt>
<dd>{formatMetaValueForKey(key, value)}</dd>
</div>
))}
</dl>
) : (
<div className="empty">{t('txt_no_metadata')}</div>
)}
</div>
</>
) : (
<div className="empty empty-comfortable">{t('txt_no_logs_found')}</div>
)}
</section>
</div>
</div>
);
}
webapp/src/components/SecurityDevicesPage.tsx
+29 -4
View File
@@ -1,5 +1,5 @@
import { useState } from 'preact/hooks';
import { Clock3, Pencil, RefreshCw, ShieldOff, Trash2 } from 'lucide-preact';
import { Clock3, Pencil, RefreshCw, ShieldCheck, ShieldOff, Trash2 } from 'lucide-preact';
import ConfirmDialog from '@/components/ConfirmDialog';
import LoadingState from '@/components/LoadingState';
import type { AuthorizedDevice } from '@/lib/types';
@@ -12,6 +12,7 @@ interface SecurityDevicesPageProps {
onRefresh: () => void;
onRenameDevice: (device: AuthorizedDevice, name: string) => Promise<void>;
onRevokeTrust: (device: AuthorizedDevice) => void;
onTrustPermanently: (device: AuthorizedDevice) => void;
onRemoveDevice: (device: AuthorizedDevice) => void;
onRevokeAll: () => void;
onRemoveAll: () => void;
@@ -24,6 +25,12 @@ function formatDateTime(value: string | null | undefined): string {
return date.toLocaleString();
}
function isPermanentTrust(value: string | null | undefined): boolean {
if (!value) return false;
const date = new Date(value);
return !Number.isNaN(date.getTime()) && date.getUTCFullYear() >= 2099;
}
function mapDeviceTypeName(type: number): string {
switch (type) {
case 0: return t('txt_android');
@@ -101,7 +108,16 @@ export default function SecurityDevicesPage(props: SecurityDevicesPageProps) {
</button>
</div>
)}
<table className="table">
<table className="table authorized-devices-table">
<colgroup>
<col className="authorized-devices-col-device" />
<col className="authorized-devices-col-type" />
<col className="authorized-devices-col-status" />
<col className="authorized-devices-col-date" />
<col className="authorized-devices-col-date" />
<col className="authorized-devices-col-trust" />
<col className="authorized-devices-col-actions" />
</colgroup>
<thead>
<tr>
<th>{t('txt_device')}</th>
@@ -135,14 +151,14 @@ export default function SecurityDevicesPage(props: SecurityDevicesPageProps) {
{device.trusted ? (
<div className="trusted-cell">
<Clock3 size={13} />
<span>{formatDateTime(device.trustedUntil)}</span>
<span>{isPermanentTrust(device.trustedUntil) ? t('txt_permanent_trust') : formatDateTime(device.trustedUntil)}</span>
</div>
) : (
<span className="muted-inline">{t('txt_not_trusted')}</span>
)}
</td>
<td data-label={t('txt_actions')}>
<div className="actions">
<div className="actions authorized-devices-actions">
<button
type="button"
className="btn btn-secondary small"
@@ -152,6 +168,15 @@ export default function SecurityDevicesPage(props: SecurityDevicesPageProps) {
<ShieldOff size={14} className="btn-icon" />
{t('txt_untrust')}
</button>
<button
type="button"
className="btn btn-secondary small"
disabled={!device.trusted || !device.trustedUntil || isPermanentTrust(device.trustedUntil)}
onClick={() => props.onTrustPermanently(device)}
>
<ShieldCheck size={14} className="btn-icon" />
{t('txt_trust_permanently')}
</button>
<button
type="button"
className="btn btn-secondary small"
webapp/src/components/SettingsPage.tsx
+8 -1
View File
@@ -281,8 +281,15 @@ export default function SettingsPage(props: SettingsPageProps) {
</section>
<section className="card settings-module">
<div className="settings-module-head">
<h3>{t('txt_totp')}</h3>
{totpLocked && <div className="status-ok">{t('txt_totp_is_enabled_for_this_account')}</div>}
{totpLocked && (
<span className="totp-status-pill">
<ShieldCheck size={14} aria-hidden="true" />
{t('txt_enabled')}
</span>
)}
</div>
<div className="totp-grid">
<div className="totp-qr">
<img src={qrDataUrl} alt="TOTP QR" />
webapp/src/components/VaultPage.tsx
+16 -1
View File
@@ -45,6 +45,7 @@ interface VaultPageProps {
onDelete: (cipher: Cipher) => Promise<void>;
onArchive: (cipher: Cipher) => Promise<void>;
onUnarchive: (cipher: Cipher) => Promise<void>;
onRestore: (ids: string[]) => Promise<void>;
onBulkDelete: (ids: string[]) => Promise<void>;
onBulkPermanentDelete: (ids: string[]) => Promise<void>;
onBulkRestore: (ids: string[]) => Promise<void>;
@@ -305,9 +306,10 @@ export default function VaultPage(props: VaultPageProps) {
const name = String(cipher.decName || cipher.name || '');
const username = String(cipher.login?.decUsername || '');
const uri = firstCipherUri(cipher);
const cipherId = String(cipher.id || '').trim();
meta.set(cipher.id, {
name,
searchText: `${name}\n${username}\n${uri}`.toLowerCase(),
searchText: `${cipherId}\n${cipherId.replace(/-/g, '')}\n${name}\n${username}\n${uri}`.toLowerCase(),
firstUri: uri,
typeKey: cipherTypeKey(Number(cipher.type || 1)),
sortTime: sortTimeValue(cipher),
@@ -732,6 +734,18 @@ const folderName = useCallback((id: string | null | undefined): string => {
}
}
async function handleRestoreSelected(cipher: Cipher): Promise<void> {
setBusy(true);
try {
await props.onRestore([cipher.id]);
if (isMobileLayout && selectedCipherId === cipher.id) {
setMobilePanel('list');
}
} finally {
setBusy(false);
}
}
async function confirmBulkDelete(): Promise<void> {
const ids = Object.entries(selectedMap)
.filter(([, selected]) => selected)
@@ -1148,6 +1162,7 @@ const folderName = useCallback((id: string | null | undefined): string => {
attachmentDownloadPercent={props.attachmentDownloadPercent}
onStartEdit={startEdit}
onDelete={setPendingDelete}
onRestore={(cipher) => void handleRestoreSelected(cipher)}
onArchive={(cipher) => setPendingArchive(cipher)}
onUnarchive={(cipher) => void handleUnarchiveSelected(cipher)}
/>
webapp/src/components/vault/VaultDetailView.tsx
+12 -1
View File
@@ -14,6 +14,7 @@ import {
formatAttachmentSize,
formatHistoryTime,
formatTotp,
isCipherDeleted,
maskSecret,
openUri,
parseFieldType,
@@ -36,6 +37,7 @@ interface VaultDetailViewProps {
onDownloadAttachment: (cipher: Cipher, attachmentId: string) => void;
onStartEdit: () => void;
onDelete: (cipher: Cipher) => void;
onRestore: (cipher: Cipher) => void | Promise<void>;
onArchive: (cipher: Cipher) => void | Promise<void>;
onUnarchive: (cipher: Cipher) => void | Promise<void>;
}
@@ -84,6 +86,7 @@ export default function VaultDetailView(props: VaultDetailViewProps) {
const [showSshPrivateKey, setShowSshPrivateKey] = useState(false);
const [passwordHistoryOpen, setPasswordHistoryOpen] = useState(false);
const isArchived = !!(props.selectedCipher.archivedDate || (props.selectedCipher as { archivedAt?: string | null }).archivedAt);
const isDeleted = isCipherDeleted(props.selectedCipher);
const passwordHistoryEntries = useMemo(
() =>
(props.selectedCipher.passwordHistory || [])
@@ -446,6 +449,12 @@ export default function VaultDetailView(props: VaultDetailViewProps) {
<div className="detail-actions">
<div className="actions">
{isDeleted ? (
<button type="button" className="btn btn-secondary" onClick={() => void props.onRestore(props.selectedCipher)}>
<RotateCcw size={14} className="btn-icon" /> {t('txt_restore')}
</button>
) : (
<>
<button type="button" className="btn btn-secondary" onClick={props.onStartEdit}>
<Pencil size={14} className="btn-icon" /> {t('txt_edit')}
</button>
@@ -458,9 +467,11 @@ export default function VaultDetailView(props: VaultDetailViewProps) {
<Archive size={14} className="btn-icon" /> {t('txt_archive')}
</button>
)}
</>
)}
</div>
<button type="button" className="btn btn-danger" onClick={() => props.onDelete(props.selectedCipher)}>
<Trash2 size={14} className="btn-icon" /> {t('txt_delete')}
<Trash2 size={14} className="btn-icon" /> {isDeleted ? t('txt_delete_permanently') : t('txt_delete')}
</button>
</div>
</>
webapp/src/hooks/useAccountSecurityActions.ts
+21
View File
@@ -11,6 +11,7 @@ import {
revokeAuthorizedDeviceTrust,
revokeAllAuthorizedDeviceTrust,
setTotp,
trustAuthorizedDevicePermanently,
updateAuthorizedDeviceName,
updateProfile,
} from '@/lib/api/auth';
@@ -208,6 +209,26 @@ export default function useAccountSecurityActions(options: UseAccountSecurityAct
});
},
openTrustDevicePermanently(device: AuthorizedDevice) {
onSetConfirm({
title: t('txt_trust_device_permanently'),
message: t('txt_trust_device_permanently_for_name', { name: device.name }),
danger: false,
onConfirm: () => {
onSetConfirm(null);
void (async () => {
try {
await trustAuthorizedDevicePermanently(authedFetch, device.identifier);
await refetchAuthorizedDevices();
onNotify('success', t('txt_device_trusted_permanently'));
} catch (error) {
onNotify('error', error instanceof Error ? error.message : t('txt_trust_device_permanently_failed'));
}
})();
},
});
},
openRemoveDevice(device: AuthorizedDevice) {
onSetConfirm({
title: t('txt_remove_device'),
webapp/src/hooks/useVaultSendActions.ts
+66
View File
@@ -41,6 +41,7 @@ import {
encryptFolderImportName,
getAttachmentDownloadInfo,
importCiphers,
permanentDeleteCipher,
type CiphersImportPayload,
type ImportedCipherMapEntry,
updateCipher,
@@ -223,6 +224,56 @@ function optimisticCipherFromDraft(draft: VaultDraft, current?: Cipher | null):
return next;
}
function isEncryptedFieldUnresolved(raw: unknown, decrypted: unknown): boolean {
const encrypted = String(raw || '').trim();
if (!looksLikeCipherString(encrypted)) return false;
const plain = String(decrypted || '').trim();
return !plain || looksLikeCipherString(plain);
}
function hasUnresolvedCipherData(cipher: Cipher): boolean {
const checks: Array<[unknown, unknown]> = [
[cipher.name, cipher.decName],
[cipher.notes, cipher.decNotes],
[cipher.login?.username, cipher.login?.decUsername],
[cipher.login?.password, cipher.login?.decPassword],
[cipher.login?.totp, cipher.login?.decTotp],
...(cipher.login?.uris || []).map((uri) => [uri.uri, uri.decUri] as [unknown, unknown]),
[cipher.card?.cardholderName, cipher.card?.decCardholderName],
[cipher.card?.number, cipher.card?.decNumber],
[cipher.card?.brand, cipher.card?.decBrand],
[cipher.card?.expMonth, cipher.card?.decExpMonth],
[cipher.card?.expYear, cipher.card?.decExpYear],
[cipher.card?.code, cipher.card?.decCode],
[cipher.identity?.title, cipher.identity?.decTitle],
[cipher.identity?.firstName, cipher.identity?.decFirstName],
[cipher.identity?.middleName, cipher.identity?.decMiddleName],
[cipher.identity?.lastName, cipher.identity?.decLastName],
[cipher.identity?.username, cipher.identity?.decUsername],
[cipher.identity?.company, cipher.identity?.decCompany],
[cipher.identity?.ssn, cipher.identity?.decSsn],
[cipher.identity?.passportNumber, cipher.identity?.decPassportNumber],
[cipher.identity?.licenseNumber, cipher.identity?.decLicenseNumber],
[cipher.identity?.email, cipher.identity?.decEmail],
[cipher.identity?.phone, cipher.identity?.decPhone],
[cipher.identity?.address1, cipher.identity?.decAddress1],
[cipher.identity?.address2, cipher.identity?.decAddress2],
[cipher.identity?.address3, cipher.identity?.decAddress3],
[cipher.identity?.city, cipher.identity?.decCity],
[cipher.identity?.state, cipher.identity?.decState],
[cipher.identity?.postalCode, cipher.identity?.decPostalCode],
[cipher.identity?.country, cipher.identity?.decCountry],
[cipher.sshKey?.privateKey, cipher.sshKey?.decPrivateKey],
[cipher.sshKey?.publicKey, cipher.sshKey?.decPublicKey],
[cipher.sshKey?.keyFingerprint || cipher.sshKey?.fingerprint, cipher.sshKey?.decFingerprint],
...(cipher.fields || []).flatMap((field) => [
[field.name, field.decName] as [unknown, unknown],
[field.value, field.decValue] as [unknown, unknown],
]),
];
return checks.some(([raw, decrypted]) => isEncryptedFieldUnresolved(raw, decrypted));
}
export default function useVaultSendActions(options: UseVaultSendActionsOptions) {
const {
authedFetch,
@@ -420,6 +471,9 @@ export default function useVaultSendActions(options: UseVaultSendActionsOptions)
async updateVaultItem(cipher: Cipher, draft: VaultDraft, options?: { addFiles?: File[]; removeAttachmentIds?: string[] }) {
if (!session) return;
if (hasUnresolvedCipherData(cipher)) {
throw new Error(t('txt_decrypt_failed_2'));
}
const addFiles = Array.isArray(options?.addFiles) ? options.addFiles : [];
const removeAttachmentIds = Array.isArray(options?.removeAttachmentIds) ? options.removeAttachmentIds : [];
const previousCipher: Cipher = {
@@ -490,6 +544,18 @@ export default function useVaultSendActions(options: UseVaultSendActionsOptions)
async deleteVaultItem(cipher: Cipher) {
const previousCipher = { ...cipher };
if (cipher.deletedDate || (cipher as { deletedAt?: string | null }).deletedAt) {
try {
await permanentDeleteCipher(authedFetch, cipher.id);
patchCipherBatch([cipher.id], () => null);
syncVaultCoreInBackground({ includeFolders: true });
onNotify('success', t('txt_item_deleted_permanently'));
} catch (error) {
onNotify('error', error instanceof Error ? error.message : t('txt_permanent_delete_item_failed'));
throw error;
}
return;
}
const deletedDate = new Date().toISOString();
patchCipherBatch([cipher.id], (current) => ({ ...current, deletedDate, archivedDate: null, revisionDate: deletedDate }));
try {
webapp/src/lib/api/admin.ts
+64 -1
View File
@@ -1,4 +1,4 @@
import type { AdminInvite, AdminUser, ListResponse } from '../types';
import type { AdminInvite, AdminUser, AuditLogCategory, AuditLogEntry, AuditLogLevel, AuditLogListResult, AuditLogSettings, ListResponse } from '../types';
import { parseJson, type AuthedFetch } from './shared';
export async function listAdminUsers(authedFetch: AuthedFetch): Promise<AdminUser[]> {
@@ -51,3 +51,66 @@ export async function deleteUser(authedFetch: AuthedFetch, userId: string): Prom
const resp = await authedFetch(`/api/admin/users/${encodeURIComponent(userId)}`, { method: 'DELETE' });
if (!resp.ok) throw new Error('Delete user failed');
}
export interface AuditLogFilters {
limit?: number;
offset?: number;
category?: AuditLogCategory | 'all';
level?: AuditLogLevel | 'all';
q?: string;
from?: string;
to?: string;
}
export async function listAuditLogs(authedFetch: AuthedFetch, filters: AuditLogFilters = {}): Promise<AuditLogListResult> {
const params = new URLSearchParams();
params.set('limit', String(filters.limit || 50));
params.set('offset', String(filters.offset || 0));
if (filters.category && filters.category !== 'all') params.set('category', filters.category);
if (filters.level && filters.level !== 'all') params.set('level', filters.level);
if (filters.q?.trim()) params.set('q', filters.q.trim());
if (filters.from) params.set('from', filters.from);
if (filters.to) params.set('to', filters.to);
const resp = await authedFetch(`/api/admin/logs?${params.toString()}`);
if (!resp.ok) throw new Error('Failed to load audit logs');
const body = await parseJson<ListResponse<AuditLogEntry>>(resp);
return {
logs: body?.data || [],
total: body?.total || 0,
limit: body?.limit || filters.limit || 50,
offset: body?.offset || filters.offset || 0,
hasMore: !!body?.hasMore,
};
}
export async function getAuditLogSettings(authedFetch: AuthedFetch): Promise<AuditLogSettings> {
const resp = await authedFetch('/api/admin/logs/settings');
if (!resp.ok) throw new Error('Failed to load audit log settings');
const body = await parseJson<AuditLogSettings & { object?: string }>(resp);
return {
retentionDays: body?.retentionDays ?? null,
maxEntries: body?.maxEntries ?? null,
};
}
export async function saveAuditLogSettings(authedFetch: AuthedFetch, settings: AuditLogSettings): Promise<AuditLogSettings> {
const resp = await authedFetch('/api/admin/logs/settings', {
method: 'PUT',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(settings),
});
if (!resp.ok) throw new Error('Failed to save audit log settings');
const body = await parseJson<AuditLogSettings & { object?: string }>(resp);
return {
retentionDays: body?.retentionDays ?? null,
maxEntries: body?.maxEntries ?? null,
};
}
export async function clearAuditLogs(authedFetch: AuthedFetch): Promise<number> {
const resp = await authedFetch('/api/admin/logs', { method: 'DELETE' });
if (!resp.ok) throw new Error('Failed to clear audit logs');
const body = await parseJson<{ deleted?: number }>(resp);
return Number(body?.deleted || 0);
}
webapp/src/lib/api/auth.ts
+11
View File
@@ -453,6 +453,7 @@ export function createAuthedFetch(getSession: () => SessionState | null, setSess
if (!session?.accessToken) throw new Error('Unauthorized');
const headers = new Headers(init.headers || {});
headers.set('Authorization', `Bearer ${session.accessToken}`);
headers.set('X-NodeWarden-Web', '1');
let resp = await retryableRequest(headers);
if (resp.status !== 401 || (!session.refreshToken && session.authMode !== 'web-cookie')) return resp;
@@ -461,6 +462,7 @@ export function createAuthedFetch(getSession: () => SessionState | null, setSess
if (latest?.accessToken && latest.accessToken !== session.accessToken) {
const latestHeaders = new Headers(init.headers || {});
latestHeaders.set('Authorization', `Bearer ${latest.accessToken}`);
latestHeaders.set('X-NodeWarden-Web', '1');
resp = await retryableRequest(latestHeaders);
if (resp.status !== 401) return resp;
}
@@ -486,6 +488,7 @@ export function createAuthedFetch(getSession: () => SessionState | null, setSess
const retryHeaders = new Headers(init.headers || {});
retryHeaders.set('Authorization', `Bearer ${nextSession.accessToken}`);
retryHeaders.set('X-NodeWarden-Web', '1');
resp = await retryableRequest(retryHeaders);
return resp;
};
@@ -667,6 +670,14 @@ export async function revokeAuthorizedDeviceTrust(
if (!resp.ok) throw new Error(t('txt_revoke_device_trust_failed'));
}
export async function trustAuthorizedDevicePermanently(
authedFetch: AuthedFetch,
deviceIdentifier: string
): Promise<void> {
const resp = await authedFetch(`/api/devices/authorized/${encodeURIComponent(deviceIdentifier)}/permanent`, { method: 'POST' });
if (!resp.ok) throw new Error(t('txt_trust_device_permanently_failed'));
}
export async function revokeAllAuthorizedDeviceTrust(authedFetch: AuthedFetch): Promise<void> {
const resp = await authedFetch('/api/devices/authorized', { method: 'DELETE' });
if (!resp.ok) throw new Error(t('txt_revoke_all_device_trust_failed'));
webapp/src/lib/api/vault-sync.ts
+9 -1
View File
@@ -1,6 +1,6 @@
import type { Cipher, Folder, Send } from '../types';
import { getVaultRevisionDate } from './auth';
import { loadCachedVaultCoreSnapshot, saveCachedVaultCoreSnapshot, type VaultCoreSnapshot } from '../vault-cache';
import { clearCachedVaultCoreSnapshot, loadCachedVaultCoreSnapshot, saveCachedVaultCoreSnapshot, type VaultCoreSnapshot } from '../vault-cache';
import { parseJson, type AuthedFetch } from './shared';
interface VaultSyncResponse {
@@ -43,6 +43,14 @@ export async function getCachedVaultCoreSnapshot(cacheKey: string): Promise<Vaul
return snapshot;
}
export async function invalidateVaultCoreSyncSnapshot(cacheKey: string): Promise<void> {
const normalizedKey = String(cacheKey || '').trim();
if (!normalizedKey) return;
pendingVaultCoreRequests.delete(normalizedKey);
memoryVaultCoreCache.delete(normalizedKey);
await clearCachedVaultCoreSnapshot(normalizedKey);
}
export async function loadVaultCoreSyncSnapshot(authedFetch: AuthedFetch, cacheKey: string): Promise<VaultCoreSnapshot> {
const normalizedKey = String(cacheKey || '').trim();
if (!normalizedKey) return { ciphers: [], folders: [], sends: [] };
webapp/src/lib/api/vault.ts
+451 -3
View File
@@ -1,4 +1,4 @@
import { base64ToBytes, decryptBw, decryptBwFileData, decryptStr, encryptBw, encryptBwFileData } from '../crypto';
import { base64ToBytes, decryptBw, decryptBwFileData, decryptStr, encryptBw, encryptBwFileData, sha256Base64 } from '../crypto';
import type {
Cipher,
CipherPasswordHistoryEntry,
@@ -19,6 +19,8 @@ import {
import { readResponseBytesWithProgress } from '../download';
import { loadVaultCoreSyncSnapshot } from './vault-sync';
type CipherLoginData = NonNullable<Cipher['login']>;
export async function getFolders(authedFetch: AuthedFetch, cacheKey: string): Promise<Folder[]> {
const body = await loadVaultCoreSyncSnapshot(authedFetch, cacheKey);
return body.folders || [];
@@ -494,8 +496,11 @@ async function encryptPasswordHistory(
const out: CipherPasswordHistoryEntry[] = [];
for (const entry of entries) {
const rawPassword = String(entry?.password || '');
const hasDecryptedPassword = typeof entry?.decPassword === 'string';
const plainPassword = entry?.decPassword ?? rawPassword;
const encryptedPassword = looksLikeCipherString(rawPassword)
const encryptedPassword = hasDecryptedPassword
? await encryptTextValue(plainPassword, enc, mac)
: looksLikeCipherString(rawPassword)
? rawPassword
: await encryptTextValue(plainPassword, enc, mac);
if (!encryptedPassword) continue;
@@ -508,6 +513,133 @@ async function encryptPasswordHistory(
return out.length ? out : null;
}
function plainCipherValue(decrypted: unknown, raw: unknown = ''): string {
if (typeof decrypted === 'string' && !looksLikeCipherString(decrypted)) return decrypted;
const value = String(raw ?? '');
return looksLikeCipherString(value) ? '' : value;
}
function draftFromDecryptedCipher(cipher: Cipher): VaultDraft {
const type = Number(cipher.type || 1) || 1;
const draft: VaultDraft = {
type,
name: plainCipherValue(cipher.decName, cipher.name).trim() || 'Untitled',
notes: plainCipherValue(cipher.decNotes, cipher.notes),
favorite: !!cipher.favorite,
reprompt: Number(cipher.reprompt || 0) === 1,
folderId: cipher.folderId || '',
loginUsername: '',
loginPassword: '',
loginTotp: '',
loginUris: [{ uri: '', match: null, originalUri: '', extra: {} }],
loginFido2Credentials: [],
cardholderName: '',
cardNumber: '',
cardBrand: '',
cardExpMonth: '',
cardExpYear: '',
cardCode: '',
identTitle: '',
identFirstName: '',
identMiddleName: '',
identLastName: '',
identUsername: '',
identCompany: '',
identSsn: '',
identPassportNumber: '',
identLicenseNumber: '',
identEmail: '',
identPhone: '',
identAddress1: '',
identAddress2: '',
identAddress3: '',
identCity: '',
identState: '',
identPostalCode: '',
identCountry: '',
sshPrivateKey: '',
sshPublicKey: '',
sshFingerprint: '',
customFields: [],
};
draft.customFields = (cipher.fields || [])
.map((field) => ({
type: parseFieldType(field.type ?? 0),
label: plainCipherValue(field.decName, field.name).trim(),
value: plainCipherValue(field.decValue, field.value),
}))
.filter((field) => field.label);
if (type === 1 && cipher.login) {
draft.loginUsername = plainCipherValue(cipher.login.decUsername, cipher.login.username);
draft.loginPassword = plainCipherValue(cipher.login.decPassword, cipher.login.password);
draft.loginTotp = plainCipherValue(cipher.login.decTotp, cipher.login.totp);
draft.loginFido2Credentials = Array.isArray(cipher.login.fido2Credentials)
? cipher.login.fido2Credentials.filter((item): item is Record<string, unknown> => !!item && typeof item === 'object')
: [];
const seenUris = new Set<string>();
const uris = (cipher.login.uris || [])
.map((entry) => {
const uri = plainCipherValue(entry.decUri, entry.uri).trim();
const extra = { ...(entry as Record<string, unknown>) };
delete extra.uri;
delete extra.uriChecksum;
delete extra.match;
delete extra.decUri;
return {
uri,
match: typeof entry.match === 'number' && Number.isFinite(entry.match) ? entry.match : null,
originalUri: '',
extra,
};
})
.filter((entry) => {
if (!entry.uri) return false;
const key = entry.uri.toLowerCase();
if (seenUris.has(key)) return false;
seenUris.add(key);
return true;
});
draft.loginUris = uris.length ? uris : draft.loginUris;
} else if (type === 3 && cipher.card) {
draft.cardholderName = plainCipherValue(cipher.card.decCardholderName, cipher.card.cardholderName);
draft.cardNumber = plainCipherValue(cipher.card.decNumber, cipher.card.number);
draft.cardBrand = plainCipherValue(cipher.card.decBrand, cipher.card.brand);
draft.cardExpMonth = plainCipherValue(cipher.card.decExpMonth, cipher.card.expMonth);
draft.cardExpYear = plainCipherValue(cipher.card.decExpYear, cipher.card.expYear);
draft.cardCode = plainCipherValue(cipher.card.decCode, cipher.card.code);
} else if (type === 4 && cipher.identity) {
draft.identTitle = plainCipherValue(cipher.identity.decTitle, cipher.identity.title);
draft.identFirstName = plainCipherValue(cipher.identity.decFirstName, cipher.identity.firstName);
draft.identMiddleName = plainCipherValue(cipher.identity.decMiddleName, cipher.identity.middleName);
draft.identLastName = plainCipherValue(cipher.identity.decLastName, cipher.identity.lastName);
draft.identUsername = plainCipherValue(cipher.identity.decUsername, cipher.identity.username);
draft.identCompany = plainCipherValue(cipher.identity.decCompany, cipher.identity.company);
draft.identSsn = plainCipherValue(cipher.identity.decSsn, cipher.identity.ssn);
draft.identPassportNumber = plainCipherValue(cipher.identity.decPassportNumber, cipher.identity.passportNumber);
draft.identLicenseNumber = plainCipherValue(cipher.identity.decLicenseNumber, cipher.identity.licenseNumber);
draft.identEmail = plainCipherValue(cipher.identity.decEmail, cipher.identity.email);
draft.identPhone = plainCipherValue(cipher.identity.decPhone, cipher.identity.phone);
draft.identAddress1 = plainCipherValue(cipher.identity.decAddress1, cipher.identity.address1);
draft.identAddress2 = plainCipherValue(cipher.identity.decAddress2, cipher.identity.address2);
draft.identAddress3 = plainCipherValue(cipher.identity.decAddress3, cipher.identity.address3);
draft.identCity = plainCipherValue(cipher.identity.decCity, cipher.identity.city);
draft.identState = plainCipherValue(cipher.identity.decState, cipher.identity.state);
draft.identPostalCode = plainCipherValue(cipher.identity.decPostalCode, cipher.identity.postalCode);
draft.identCountry = plainCipherValue(cipher.identity.decCountry, cipher.identity.country);
} else if (type === 5 && cipher.sshKey) {
draft.sshPrivateKey = plainCipherValue(cipher.sshKey.decPrivateKey, cipher.sshKey.privateKey);
draft.sshPublicKey = plainCipherValue(cipher.sshKey.decPublicKey, cipher.sshKey.publicKey);
draft.sshFingerprint = plainCipherValue(
cipher.sshKey.decFingerprint,
cipher.sshKey.keyFingerprint || cipher.sshKey.fingerprint
);
}
return draft;
}
async function buildUpdatedPasswordHistory(
cipher: Cipher | null,
draft: VaultDraft,
@@ -574,12 +706,18 @@ async function encryptUris(
entry?.extra && typeof entry.extra === 'object'
? { ...entry.extra }
: {};
if (String(entry?.originalUri || '').trim() !== trimmed) {
const canReuseChecksum = String(entry?.originalUri || '').trim() === trimmed;
if (!canReuseChecksum) {
delete preservedExtra.uriChecksum;
}
const preservedChecksum = typeof preservedExtra.uriChecksum === 'string' && looksLikeCipherString(preservedExtra.uriChecksum)
? preservedExtra.uriChecksum
: null;
const uriChecksum = preservedChecksum || await encryptTextValue(await sha256Base64(trimmed), enc, mac);
out.push({
...preservedExtra,
uri: await encryptTextValue(trimmed, enc, mac),
uriChecksum,
match: typeof entry?.match === 'number' && Number.isFinite(entry.match) ? entry.match : null,
});
}
@@ -660,6 +798,306 @@ async function getCipherKeys(
return { enc: userEnc, mac: userMac, key: null };
}
async function repairCipherLoginUris(
cipher: Cipher,
enc: Uint8Array,
mac: Uint8Array
): Promise<{ login: Cipher['login']; changed: boolean }> {
if (!cipher.login || !Array.isArray(cipher.login.uris)) {
return { login: cipher.login ?? null, changed: false };
}
let changed = false;
const uris: Array<Record<string, unknown>> = [];
for (const entry of cipher.login.uris) {
if (!entry || typeof entry !== 'object') continue;
const { decUri: _decUri, ...encryptedEntry } = entry as Record<string, unknown>;
const rawUri = typeof entry.uri === 'string' ? entry.uri.trim() : '';
if (!looksLikeCipherString(rawUri)) {
uris.push({ ...encryptedEntry });
continue;
}
let clearUri = '';
let rawUriUsesCurrentKey = false;
try {
clearUri = (await decryptStr(rawUri, enc, mac)).trim();
rawUriUsesCurrentKey = !!clearUri;
} catch {
const fallbackUri = String(entry.decUri || '').trim();
if (fallbackUri && !looksLikeCipherString(fallbackUri)) {
clearUri = fallbackUri;
}
}
if (!clearUri) {
uris.push({ ...encryptedEntry });
continue;
}
const expectedChecksum = await sha256Base64(clearUri);
let currentChecksumOk = false;
const rawChecksum = typeof entry.uriChecksum === 'string' ? entry.uriChecksum.trim() : '';
if (looksLikeCipherString(rawChecksum)) {
try {
currentChecksumOk = (await decryptStr(rawChecksum, enc, mac)) === expectedChecksum;
} catch {
currentChecksumOk = false;
}
}
if (currentChecksumOk && rawUriUsesCurrentKey) {
uris.push({ ...encryptedEntry });
continue;
}
const repairedUri = rawUriUsesCurrentKey ? rawUri : await encryptTextValue(clearUri, enc, mac);
const repairedChecksum = currentChecksumOk
? rawChecksum
: await encryptTextValue(expectedChecksum, enc, mac);
uris.push({
...encryptedEntry,
uri: repairedUri || rawUri,
uriChecksum: repairedChecksum,
match: typeof entry.match === 'number' && Number.isFinite(entry.match) ? entry.match : null,
});
changed = true;
}
const {
decUsername: _decUsername,
decPassword: _decPassword,
decTotp: _decTotp,
...encryptedLogin
} = cipher.login as Record<string, unknown>;
return {
login: {
...encryptedLogin,
uris: uris as CipherLoginData['uris'],
} as CipherLoginData,
changed,
};
}
export async function repairCipherUriChecksums(
authedFetch: AuthedFetch,
session: SessionState,
ciphers: Cipher[]
): Promise<number> {
if (!session.symEncKey || !session.symMacKey || !Array.isArray(ciphers) || ciphers.length === 0) {
return 0;
}
const userEnc = base64ToBytes(session.symEncKey);
const userMac = base64ToBytes(session.symMacKey);
let repaired = 0;
for (const cipher of ciphers) {
if (!cipher?.id || cipher.type !== 1 || !cipher.login || !Array.isArray(cipher.login.uris)) continue;
let keys: { enc: Uint8Array; mac: Uint8Array; key: string | null } = {
enc: userEnc,
mac: userMac,
key: null,
};
if (looksLikeCipherString(cipher.key)) {
let itemKey: Uint8Array;
try {
itemKey = await decryptBw(String(cipher.key).trim(), userEnc, userMac);
} catch {
continue;
}
if (itemKey.length < 64) continue;
keys = { enc: itemKey.slice(0, 32), mac: itemKey.slice(32, 64), key: String(cipher.key).trim() };
}
const repair = await repairCipherLoginUris(cipher, keys.enc, keys.mac);
if (!repair.changed) continue;
const payload: Record<string, unknown> = {
type: cipher.type,
folderId: cipher.folderId ?? null,
favorite: !!cipher.favorite,
reprompt: cipher.reprompt ?? 0,
name: cipher.name ?? null,
notes: cipher.notes ?? null,
login: repair.login,
fields: Array.isArray(cipher.fields)
? cipher.fields.map(({ decName: _decName, decValue: _decValue, ...field }) => field)
: null,
lastKnownRevisionDate: cipher.revisionDate ?? null,
};
if (keys.key) payload.key = keys.key;
const resp = await authedFetch(`/api/ciphers/${encodeURIComponent(cipher.id)}`, {
method: 'PUT',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(payload),
});
if (!resp.ok) throw new Error(await parseErrorMessage(resp, 'Repair URI checksum failed'));
repaired += 1;
}
return repaired;
}
function getCipherKeyMismatchProbes(cipher: Cipher): string[] {
const candidates = [
cipher.name,
cipher.notes,
cipher.login?.username,
cipher.login?.password,
cipher.login?.totp,
...(cipher.login?.uris || []).map((uri) => uri.uri),
cipher.card?.cardholderName,
cipher.card?.number,
cipher.identity?.title,
cipher.identity?.firstName,
cipher.sshKey?.privateKey,
...(cipher.fields || []).flatMap((field) => [field.name, field.value]),
];
const probes: string[] = [];
const seen = new Set<string>();
for (const value of candidates) {
const probe = String(value || '').trim();
if (!looksLikeCipherString(probe) || seen.has(probe)) continue;
seen.add(probe);
probes.push(probe);
}
return probes;
}
function isResolvedEncryptedField(raw: unknown, decrypted: unknown): boolean {
const encrypted = String(raw || '').trim();
if (!looksLikeCipherString(encrypted)) return true;
const plain = typeof decrypted === 'string' ? decrypted.trim() : '';
return !!plain && !looksLikeCipherString(plain);
}
function hasUnresolvedEncryptedFields(cipher: Cipher): boolean {
const fido2EncryptedFields = (cipher.login?.fido2Credentials || []).flatMap((credential) => [
credential?.credentialId,
credential?.keyType,
credential?.keyAlgorithm,
credential?.keyCurve,
credential?.keyValue,
credential?.rpId,
credential?.rpName,
credential?.userHandle,
credential?.userName,
credential?.userDisplayName,
credential?.counter,
credential?.discoverable,
]);
const checks: Array<[unknown, unknown]> = [
[cipher.name, cipher.decName],
[cipher.notes, cipher.decNotes],
[cipher.login?.username, cipher.login?.decUsername],
[cipher.login?.password, cipher.login?.decPassword],
[cipher.login?.totp, cipher.login?.decTotp],
...(cipher.login?.uris || []).map((uri) => [uri.uri, uri.decUri] as [unknown, unknown]),
[cipher.card?.cardholderName, cipher.card?.decCardholderName],
[cipher.card?.number, cipher.card?.decNumber],
[cipher.card?.brand, cipher.card?.decBrand],
[cipher.card?.expMonth, cipher.card?.decExpMonth],
[cipher.card?.expYear, cipher.card?.decExpYear],
[cipher.card?.code, cipher.card?.decCode],
[cipher.identity?.title, cipher.identity?.decTitle],
[cipher.identity?.firstName, cipher.identity?.decFirstName],
[cipher.identity?.middleName, cipher.identity?.decMiddleName],
[cipher.identity?.lastName, cipher.identity?.decLastName],
[cipher.identity?.username, cipher.identity?.decUsername],
[cipher.identity?.company, cipher.identity?.decCompany],
[cipher.identity?.ssn, cipher.identity?.decSsn],
[cipher.identity?.passportNumber, cipher.identity?.decPassportNumber],
[cipher.identity?.licenseNumber, cipher.identity?.decLicenseNumber],
[cipher.identity?.email, cipher.identity?.decEmail],
[cipher.identity?.phone, cipher.identity?.decPhone],
[cipher.identity?.address1, cipher.identity?.decAddress1],
[cipher.identity?.address2, cipher.identity?.decAddress2],
[cipher.identity?.address3, cipher.identity?.decAddress3],
[cipher.identity?.city, cipher.identity?.decCity],
[cipher.identity?.state, cipher.identity?.decState],
[cipher.identity?.postalCode, cipher.identity?.decPostalCode],
[cipher.identity?.country, cipher.identity?.decCountry],
[cipher.sshKey?.privateKey, cipher.sshKey?.decPrivateKey],
[cipher.sshKey?.publicKey, cipher.sshKey?.decPublicKey],
[cipher.sshKey?.keyFingerprint || cipher.sshKey?.fingerprint, cipher.sshKey?.decFingerprint],
...(cipher.fields || []).flatMap((field) => [
[field.name, field.decName] as [unknown, unknown],
[field.value, field.decValue] as [unknown, unknown],
]),
...(cipher.passwordHistory || []).map((entry) => [entry.password, entry.decPassword] as [unknown, unknown]),
...fido2EncryptedFields.map((value) => [value, undefined] as [unknown, unknown]),
];
return checks.some(([raw, decrypted]) => !isResolvedEncryptedField(raw, decrypted));
}
async function hasItemKeyFieldMismatch(
cipher: Cipher,
userEnc: Uint8Array,
userMac: Uint8Array
): Promise<boolean> {
if (!looksLikeCipherString(cipher.key)) return false;
const probes = getCipherKeyMismatchProbes(cipher);
if (probes.length === 0) return false;
let itemKey: Uint8Array;
try {
itemKey = await decryptBw(String(cipher.key).trim(), userEnc, userMac);
} catch {
return false;
}
if (itemKey.length < 64) return false;
const itemEnc = itemKey.slice(0, 32);
const itemMac = itemKey.slice(32, 64);
for (const probe of probes) {
try {
await decryptStr(probe, itemEnc, itemMac);
continue;
} catch {
// Try the legacy user-key field path below.
}
try {
await decryptStr(probe, userEnc, userMac);
return true;
} catch {
// Keep scanning in case another field reveals a repairable mismatch.
}
}
return false;
}
export async function repairCipherKeyMismatches(
authedFetch: AuthedFetch,
session: SessionState,
ciphers: Cipher[]
): Promise<number> {
if (!session.symEncKey || !session.symMacKey || !Array.isArray(ciphers) || ciphers.length === 0) {
return 0;
}
const userEnc = base64ToBytes(session.symEncKey);
const userMac = base64ToBytes(session.symMacKey);
let repaired = 0;
for (const cipher of ciphers) {
if (!cipher?.id || !looksLikeCipherString(cipher.key)) continue;
if (!(await hasItemKeyFieldMismatch(cipher, userEnc, userMac))) continue;
if (hasUnresolvedEncryptedFields(cipher)) continue;
await updateCipher(authedFetch, session, cipher, draftFromDecryptedCipher(cipher));
repaired += 1;
}
return repaired;
}
async function buildCipherPayload(
session: SessionState,
draft: VaultDraft,
@@ -703,6 +1141,9 @@ async function buildCipherPayload(
cipher?.login && typeof cipher.login === 'object'
? { ...(cipher.login as Record<string, unknown>) }
: {};
delete existingLogin.decUsername;
delete existingLogin.decPassword;
delete existingLogin.decTotp;
payload.login = {
...existingLogin,
username: await encryptTextValue(draft.loginUsername, keys.enc, keys.mac),
@@ -803,6 +1244,13 @@ export async function deleteCipher(authedFetch: AuthedFetch, cipherId: string):
return (await parseJson<Cipher>(resp))!;
}
export async function permanentDeleteCipher(authedFetch: AuthedFetch, cipherId: string): Promise<void> {
const id = String(cipherId || '').trim();
if (!id) throw new Error('Cipher id is required');
const resp = await authedFetch(`/api/ciphers/${encodeURIComponent(id)}/delete`, { method: 'DELETE' });
if (!resp.ok) throw new Error('Permanent delete item failed');
}
export async function archiveCipher(authedFetch: AuthedFetch, cipherId: string): Promise<Cipher> {
const id = String(cipherId || '').trim();
if (!id) throw new Error('Cipher id is required');
webapp/src/lib/crypto.ts
+6
View File
@@ -22,6 +22,12 @@ export function toBufferSource(bytes: Uint8Array): ArrayBuffer {
return new Uint8Array(bytes).buffer;
}
export async function sha256Base64(value: string): Promise<string> {
const bytes = new TextEncoder().encode(value);
const hash = await crypto.subtle.digest('SHA-256', toBufferSource(bytes));
return bytesToBase64(new Uint8Array(hash));
}
const hmacSha256KeyCache = new WeakMap<Uint8Array, Promise<CryptoKey>>();
const aesCbcEncryptKeyCache = new WeakMap<Uint8Array, Promise<CryptoKey>>();
const aesCbcDecryptKeyCache = new WeakMap<Uint8Array, Promise<CryptoKey>>();
webapp/src/lib/decrypt-cipher.ts
+62 -40
View File
@@ -1,13 +1,29 @@
import { decryptStr, decryptBw } from './crypto';
import { looksLikeCipherString } from './app-support';
import type { Cipher } from './types';
async function decryptField(
async function decryptCipherField(
value: string | null | undefined,
enc: Uint8Array,
mac: Uint8Array,
itemEnc: Uint8Array,
itemMac: Uint8Array,
userEnc: Uint8Array,
userMac: Uint8Array,
canFallbackToUserKey: boolean,
): Promise<string> {
if (!value || typeof value !== 'string') return '';
try { return await decryptStr(value, enc, mac); } catch { return value; }
try {
return await decryptStr(value, itemEnc, itemMac);
} catch {
// Try the legacy user-key path for mixed key/field ciphers.
}
if (canFallbackToUserKey) {
try {
return await decryptStr(value, userEnc, userMac);
} catch {
// Preserve the old raw fallback for fields that are genuinely unreadable.
}
}
return looksLikeCipherString(value) ? '' : value;
}
export async function decryptSingleCipher(
@@ -17,29 +33,35 @@ export async function decryptSingleCipher(
): Promise<Cipher> {
let itemEnc = userEnc;
let itemMac = userMac;
let usesItemKey = false;
if (encrypted.key) {
try {
const itemKey = await decryptBw(encrypted.key, userEnc, userMac);
if (itemKey.length >= 64) {
itemEnc = itemKey.slice(0, 32);
itemMac = itemKey.slice(32, 64);
usesItemKey = true;
}
} catch { /* keep user key */ }
}
const canFallbackToUserKey = usesItemKey;
const decrypted: Cipher = {
...encrypted,
decName: await decryptField(encrypted.name, itemEnc, itemMac),
decNotes: await decryptField(encrypted.notes, itemEnc, itemMac),
decName: await decryptCipherField(encrypted.name, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decNotes: await decryptCipherField(encrypted.notes, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
if (encrypted.login) {
decrypted.login = {
...encrypted.login,
decUsername: await decryptField(encrypted.login.username, itemEnc, itemMac),
decPassword: await decryptField(encrypted.login.password, itemEnc, itemMac),
decTotp: await decryptField(encrypted.login.totp, itemEnc, itemMac),
decUsername: await decryptCipherField(encrypted.login.username, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPassword: await decryptCipherField(encrypted.login.password, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decTotp: await decryptCipherField(encrypted.login.totp, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
uris: await Promise.all((encrypted.login.uris || []).map(async (u) => ({
...u,
decUri: await decryptField(u.uri, itemEnc, itemMac),
decUri: await decryptCipherField(u.uri, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
}))),
};
}
@@ -48,7 +70,7 @@ export async function decryptSingleCipher(
decrypted.passwordHistory = await Promise.all(
encrypted.passwordHistory.map(async (entry) => ({
...entry,
decPassword: await decryptField(entry?.password, itemEnc, itemMac),
decPassword: await decryptCipherField(entry?.password, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
}))
);
}
@@ -56,36 +78,36 @@ export async function decryptSingleCipher(
if (encrypted.card) {
decrypted.card = {
...encrypted.card,
decCardholderName: await decryptField(encrypted.card.cardholderName, itemEnc, itemMac),
decNumber: await decryptField(encrypted.card.number, itemEnc, itemMac),
decBrand: await decryptField(encrypted.card.brand, itemEnc, itemMac),
decExpMonth: await decryptField(encrypted.card.expMonth, itemEnc, itemMac),
decExpYear: await decryptField(encrypted.card.expYear, itemEnc, itemMac),
decCode: await decryptField(encrypted.card.code, itemEnc, itemMac),
decCardholderName: await decryptCipherField(encrypted.card.cardholderName, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decNumber: await decryptCipherField(encrypted.card.number, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decBrand: await decryptCipherField(encrypted.card.brand, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decExpMonth: await decryptCipherField(encrypted.card.expMonth, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decExpYear: await decryptCipherField(encrypted.card.expYear, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCode: await decryptCipherField(encrypted.card.code, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
}
if (encrypted.identity) {
decrypted.identity = {
...encrypted.identity,
decTitle: await decryptField(encrypted.identity.title, itemEnc, itemMac),
decFirstName: await decryptField(encrypted.identity.firstName, itemEnc, itemMac),
decMiddleName: await decryptField(encrypted.identity.middleName, itemEnc, itemMac),
decLastName: await decryptField(encrypted.identity.lastName, itemEnc, itemMac),
decUsername: await decryptField(encrypted.identity.username, itemEnc, itemMac),
decCompany: await decryptField(encrypted.identity.company, itemEnc, itemMac),
decSsn: await decryptField(encrypted.identity.ssn, itemEnc, itemMac),
decPassportNumber: await decryptField(encrypted.identity.passportNumber, itemEnc, itemMac),
decLicenseNumber: await decryptField(encrypted.identity.licenseNumber, itemEnc, itemMac),
decEmail: await decryptField(encrypted.identity.email, itemEnc, itemMac),
decPhone: await decryptField(encrypted.identity.phone, itemEnc, itemMac),
decAddress1: await decryptField(encrypted.identity.address1, itemEnc, itemMac),
decAddress2: await decryptField(encrypted.identity.address2, itemEnc, itemMac),
decAddress3: await decryptField(encrypted.identity.address3, itemEnc, itemMac),
decCity: await decryptField(encrypted.identity.city, itemEnc, itemMac),
decState: await decryptField(encrypted.identity.state, itemEnc, itemMac),
decPostalCode: await decryptField(encrypted.identity.postalCode, itemEnc, itemMac),
decCountry: await decryptField(encrypted.identity.country, itemEnc, itemMac),
decTitle: await decryptCipherField(encrypted.identity.title, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decFirstName: await decryptCipherField(encrypted.identity.firstName, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decMiddleName: await decryptCipherField(encrypted.identity.middleName, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decLastName: await decryptCipherField(encrypted.identity.lastName, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decUsername: await decryptCipherField(encrypted.identity.username, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCompany: await decryptCipherField(encrypted.identity.company, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decSsn: await decryptCipherField(encrypted.identity.ssn, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPassportNumber: await decryptCipherField(encrypted.identity.passportNumber, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decLicenseNumber: await decryptCipherField(encrypted.identity.licenseNumber, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decEmail: await decryptCipherField(encrypted.identity.email, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPhone: await decryptCipherField(encrypted.identity.phone, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decAddress1: await decryptCipherField(encrypted.identity.address1, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decAddress2: await decryptCipherField(encrypted.identity.address2, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decAddress3: await decryptCipherField(encrypted.identity.address3, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCity: await decryptCipherField(encrypted.identity.city, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decState: await decryptCipherField(encrypted.identity.state, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPostalCode: await decryptCipherField(encrypted.identity.postalCode, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCountry: await decryptCipherField(encrypted.identity.country, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
}
@@ -93,11 +115,11 @@ export async function decryptSingleCipher(
const fingerprint = encrypted.sshKey.keyFingerprint || encrypted.sshKey.fingerprint || '';
decrypted.sshKey = {
...encrypted.sshKey,
decPrivateKey: await decryptField(encrypted.sshKey.privateKey, itemEnc, itemMac),
decPublicKey: await decryptField(encrypted.sshKey.publicKey, itemEnc, itemMac),
decPrivateKey: await decryptCipherField(encrypted.sshKey.privateKey, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPublicKey: await decryptCipherField(encrypted.sshKey.publicKey, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
keyFingerprint: fingerprint || null,
fingerprint: fingerprint || null,
decFingerprint: await decryptField(fingerprint, itemEnc, itemMac),
decFingerprint: await decryptCipherField(fingerprint, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
}
@@ -105,8 +127,8 @@ export async function decryptSingleCipher(
decrypted.fields = await Promise.all(
encrypted.fields.map(async (field) => ({
...field,
decName: await decryptField(field.name, itemEnc, itemMac),
decValue: await decryptField(field.value, itemEnc, itemMac),
decName: await decryptCipherField(field.name, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decValue: await decryptCipherField(field.value, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
}))
);
}
webapp/src/lib/demo.ts
+27
View File
@@ -932,6 +932,11 @@ export function createDemoMainRoutesProps(base: AppMainRoutesProps, notify: Noti
notify('success', t('txt_item_updated'));
},
onDeleteVaultItem: async (cipher) => {
if (cipher.deletedDate || (cipher as { deletedAt?: string | null }).deletedAt) {
state.setCiphers((prev) => prev.filter((item) => item.id !== cipher.id));
notify('success', t('txt_item_deleted_permanently'));
return;
}
const deletedDate = new Date().toISOString();
state.setCiphers((prev) => prev.map((item) => (
item.id === cipher.id ? { ...item, deletedDate, archivedDate: null, revisionDate: deletedDate } : item
@@ -965,6 +970,11 @@ export function createDemoMainRoutesProps(base: AppMainRoutesProps, notify: Noti
state.setCiphers((prev) => prev.filter((item) => !idSet.has(item.id)));
notify('success', t('txt_deleted_selected_items_permanently'));
},
onRestoreVaultItems: async (ids) => {
const idSet = new Set(ids);
state.setCiphers((prev) => prev.map((item) => (idSet.has(item.id) ? { ...item, deletedDate: null } : item)));
notify('success', t('txt_restored_selected_items'));
},
onBulkRestoreVaultItems: async (ids) => {
const idSet = new Set(ids);
state.setCiphers((prev) => prev.map((item) => (idSet.has(item.id) ? { ...item, deletedDate: null } : item)));
@@ -1083,6 +1093,14 @@ export function createDemoMainRoutesProps(base: AppMainRoutesProps, notify: Noti
)));
notify('success', t('txt_device_authorization_revoked'));
},
onTrustDevicePermanently: (device) => {
state.setAuthorizedDevices((prev) => prev.map((item) => (
item.identifier === device.identifier && item.trusted
? { ...item, trustedUntil: '2099-12-31T23:59:59.000Z', revisionDate: new Date().toISOString() }
: item
)));
notify('success', t('txt_device_trusted_permanently'));
},
onRemoveDevice: (device) => {
state.setAuthorizedDevices((prev) => prev.filter((item) => item.identifier !== device.identifier));
notify('success', t('txt_device_removed'));
@@ -1129,6 +1147,15 @@ export function createDemoMainRoutesProps(base: AppMainRoutesProps, notify: Noti
)));
notify('success', t('txt_invite_revoked'));
},
onLoadAuditLogSettings: async () => ({ retentionDays: 90, maxEntries: null }),
onSaveAuditLogSettings: async (settings) => {
notify('success', t('txt_log_settings_saved'));
return settings;
},
onClearAuditLogs: async () => {
notify('success', t('txt_logs_cleared'));
return 0;
},
onExportBackup: async () => {
notify('success', t('txt_backup_export_success'));
},
webapp/src/lib/export-formats.ts
+3
View File
@@ -189,12 +189,15 @@ function mapCipherEncrypted(cipher: Cipher): Record<string, unknown> {
const login = cipher.login;
out.login = login
? {
...cloneValue(login),
username: login.username ?? null,
password: login.password ?? null,
totp: login.totp ?? null,
uris: Array.isArray(login.uris)
? login.uris.map((uri) => ({
...cloneValue(uri),
uri: uri?.uri ?? null,
uriChecksum: uri?.uriChecksum ?? null,
match: (uri as { match?: unknown })?.match ?? null,
}))
: [],
webapp/src/lib/i18n.ts
+12
View File
@@ -62,6 +62,15 @@ const localeLoaders: Record<Locale, () => Promise<{ default: MessageTable }>> =
es: () => import('./i18n/locales/es'),
};
function localeToHtmlLang(value: Locale): string {
return value;
}
function syncDocumentLanguage(): void {
if (typeof document === 'undefined') return;
document.documentElement.lang = localeToHtmlLang(locale);
}
async function loadLocaleMessages(next: Locale): Promise<MessageTable> {
const cached = loadedMessages.get(next);
if (cached) return cached;
@@ -84,6 +93,8 @@ export async function initI18n(): Promise<void> {
console.error('Failed to load locale, falling back to English:', error);
locale = 'en';
activeMessages = await loadFallbackMessages();
} finally {
syncDocumentLanguage();
}
}
@@ -143,6 +154,7 @@ export async function setLocale(next: Locale): Promise<void> {
}
locale = next;
activeMessages = nextMessages;
syncDocumentLanguage();
try {
localStorage.setItem(LOCALE_STORAGE_KEY, next);
} catch {
webapp/src/lib/i18n/locales/en.ts
+193
View File
@@ -2,6 +2,7 @@
const en: Record<string, string> = {
"nav_account_settings": "Account Settings",
"nav_admin_panel": "Admin Panel",
"nav_log_center": "Log Center",
"nav_device_management": "Device Management",
"nav_my_vault": "My Vault",
"nav_vault_items": "Vault",
@@ -368,6 +369,7 @@ const en: Record<string, string> = {
"txt_delete_item": "Delete Item",
"txt_delete_passkey": "Delete Passkey",
"txt_delete_item_failed": "Delete item failed",
"txt_permanent_delete_item_failed": "Permanent delete item failed",
"txt_delete_permanently": "Delete Permanently",
"txt_archive": "Archive",
"txt_archive_item": "Archive Item",
@@ -500,6 +502,7 @@ const en: Record<string, string> = {
"txt_item": "Item",
"txt_item_created": "Item created",
"txt_item_deleted": "Item deleted",
"txt_item_deleted_permanently": "Item permanently deleted",
"txt_item_history": "Item History",
"txt_password_history": "Password History",
"txt_password_updated_value": "Password updated: {value}",
@@ -690,6 +693,12 @@ const en: Record<string, string> = {
"txt_revoke_all_device_trust_failed": "Failed to revoke all device trust",
"txt_revoke_trust": "Revoke Trust",
"txt_untrust": "Untrust",
"txt_trust_permanently": "Trust permanently",
"txt_trust_device_permanently": "Trust device permanently",
"txt_trust_device_permanently_for_name": "Upgrade \"{name}\" from 30-day trust to permanent trust?",
"txt_trust_device_permanently_failed": "Failed to trust device permanently",
"txt_device_trusted_permanently": "Device trusted permanently",
"txt_permanent_trust": "Permanent trust",
"txt_update_device_note_failed": "Update device note failed",
"txt_role": "Role",
"txt_save": "Save",
@@ -935,6 +944,190 @@ const en: Record<string, string> = {
"txt_nav_layout_grouped_expanded_desc": "Keep all groups expanded",
"txt_nav_layout_grouped_smart": "Smart groups",
"txt_nav_layout_grouped_smart_desc": "Open active groups as needed",
"txt_actor": "Actor",
"txt_all_levels": "All levels",
"txt_all_logs": "All logs",
"txt_all_time": "All time",
"txt_audit_events": "Log list",
"txt_filter": "Filter",
"txt_last_24_hours": "Last 24 hours",
"txt_last_7_days": "Last 7 days",
"txt_last_30_days": "Last 30 days",
"txt_load_logs_failed": "Failed to load logs",
"txt_load_log_settings_failed": "Failed to load log settings",
"txt_log_category": "Category",
"txt_log_category_auth": "Auth & sessions",
"txt_log_category_data": "Data operations",
"txt_log_category_device": "Devices",
"txt_log_category_security": "Account security",
"txt_log_category_system": "System",
"txt_log_center_description": "Trace sign-ins, refresh failures, device events, security changes, backup actions, and admin operations.",
"txt_log_center_title": "Log Center",
"txt_log_level": "Level",
"txt_log_level_error": "Error",
"txt_log_level_info": "Info",
"txt_log_level_security": "Security",
"txt_log_level_warn": "Warn",
"txt_log_action_account_api_key_create": "Create API key",
"txt_log_action_account_api_key_rotate": "Rotate API key",
"txt_log_action_account_keys_update": "Update account keys",
"txt_log_action_account_profile_update": "Update account profile",
"txt_log_action_account_totp_disable": "Disable two-step login",
"txt_log_action_account_totp_enable": "Enable two-step login",
"txt_log_action_account_totp_recover": "Recover two-step login",
"txt_log_action_account_verify_devices_update": "Update device verification",
"txt_log_action_admin_audit_settings_update": "Update log retention settings",
"txt_log_action_admin_backup_export": "Export backup",
"txt_log_action_admin_backup_import": "Import backup",
"txt_log_action_admin_backup_remote_delete": "Delete remote backup",
"txt_log_action_admin_backup_remote_manual": "Manual remote backup succeeded",
"txt_log_action_admin_backup_remote_manual_failed": "Manual remote backup failed",
"txt_log_action_admin_backup_remote_scheduled": "Scheduled remote backup succeeded",
"txt_log_action_admin_backup_remote_scheduled_failed": "Scheduled remote backup failed",
"txt_log_action_admin_backup_settings_repair": "Repair backup settings",
"txt_log_action_admin_backup_settings_update": "Update backup settings",
"txt_log_action_admin_invite_create": "Create invite",
"txt_log_action_admin_invite_delete_all": "Clear invites",
"txt_log_action_admin_invite_revoke": "Revoke invite",
"txt_log_action_admin_user_delete": "Delete user",
"txt_log_action_admin_user_status": "Change user status",
"txt_log_action_attachment_delete": "Delete attachment",
"txt_log_action_auth_login_failed_bad_api_key": "Login failed: bad API key",
"txt_log_action_auth_login_failed_bad_password": "Login failed: bad password",
"txt_log_action_auth_login_failed_user_inactive": "Login failed: inactive account",
"txt_log_action_auth_login_success": "Login succeeded",
"txt_log_action_auth_refresh_failed": "Refresh login failed: {reason}",
"txt_log_action_cipher_delete_permanent": "Permanently delete vault item",
"txt_log_action_cipher_delete_permanent_bulk": "Permanently delete vault items",
"txt_log_action_cipher_delete_soft": "Move vault item to trash",
"txt_log_action_cipher_delete_soft_bulk": "Move vault items to trash",
"txt_log_action_device_deactivate": "Deactivate device",
"txt_log_action_device_delete": "Delete device",
"txt_log_action_device_delete_all": "Delete all devices",
"txt_log_action_device_name_update": "Update device name",
"txt_log_action_device_trust_permanent": "Trust device permanently",
"txt_log_action_device_trust_revoke": "Revoke device trust",
"txt_log_action_device_trust_revoke_batch": "Revoke device trust in bulk",
"txt_log_action_folder_delete": "Delete folder",
"txt_log_action_folder_delete_bulk": "Delete folders",
"txt_log_action_send_auth_remove": "Remove Send authentication",
"txt_log_action_send_delete": "Delete Send",
"txt_log_action_send_delete_bulk": "Delete Sends",
"txt_log_action_send_password_remove": "Remove Send password",
"txt_log_action_user_password_change": "Change master password",
"txt_log_action_user_register_first_admin": "Register first admin",
"txt_log_action_user_register_invite": "Register by invite",
"txt_log_meta_attachments": "Attachments",
"txt_log_meta_bytes": "Bytes",
"txt_log_meta_changed": "Changed fields",
"txt_log_meta_checksum_mismatch_accepted": "Accepted checksum mismatch",
"txt_log_meta_cipher_id": "Vault item ID",
"txt_log_meta_ciphers": "Vault items",
"txt_log_meta_compat": "Compatibility",
"txt_log_meta_compressed_bytes": "Compressed bytes",
"txt_log_meta_count": "Count",
"txt_log_meta_deleted": "Deleted count",
"txt_log_meta_destination_count": "Destination count",
"txt_log_meta_destination_id": "Destination ID",
"txt_log_meta_destination_name": "Destination name",
"txt_log_meta_destination_type": "Destination type",
"txt_log_meta_device_identifier": "Device ID",
"txt_log_meta_device_type": "Device type",
"txt_log_meta_email": "Email",
"txt_log_meta_error": "Error",
"txt_log_meta_expires_in_hours": "Expires in hours",
"txt_log_meta_file_bytes": "File bytes",
"txt_log_meta_file_name": "File name",
"txt_log_meta_folder_id": "Folder ID",
"txt_log_meta_grant_type": "Login method",
"txt_log_meta_includes_attachments": "Includes attachments",
"txt_log_meta_ip": "IP address",
"txt_log_meta_max_entries": "Entry limit",
"txt_log_meta_method": "Request method",
"txt_log_meta_path": "Request path",
"txt_log_meta_provider": "Provider",
"txt_log_meta_prune_error": "Cleanup error",
"txt_log_meta_pruned_file_count": "Cleaned files",
"txt_log_meta_raw": "Raw data",
"txt_log_meta_reason": "Reason",
"txt_log_meta_remote_path": "Remote path",
"txt_log_meta_removed": "Removed count",
"txt_log_meta_removed_devices": "Removed devices",
"txt_log_meta_removed_sessions": "Removed sessions",
"txt_log_meta_removed_trusted": "Trust removals",
"txt_log_meta_replace_existing": "Replace existing data",
"txt_log_meta_requested": "Requested count",
"txt_log_meta_requested_count": "Requested count",
"txt_log_meta_retention_days": "Retention days",
"txt_log_meta_scheduled_destination_count": "Scheduled destinations",
"txt_log_meta_size": "Size",
"txt_log_meta_skipped_attachments": "Skipped attachments",
"txt_log_meta_skipped_reason": "Skip reason",
"txt_log_meta_status": "Status",
"txt_log_meta_target_email": "Target email",
"txt_log_meta_trigger": "Trigger",
"txt_log_meta_type": "Type",
"txt_log_meta_updated": "Updated count",
"txt_log_meta_upload_verification_attempts": "Upload verification attempts",
"txt_log_meta_user_agent": "Browser/client",
"txt_log_meta_users": "Users",
"txt_log_meta_verify_devices": "Verify devices",
"txt_log_meta_web_session": "Web session",
"txt_log_reason_bad_api_key": "Bad API key",
"txt_log_reason_bad_password": "Bad password",
"txt_log_reason_device_missing": "Device missing",
"txt_log_reason_device_session_mismatch": "Device session mismatch",
"txt_log_reason_token_not_found_or_expired": "Token missing or expired",
"txt_log_reason_user_inactive": "User inactive",
"txt_log_reason_user_missing": "User missing",
"txt_log_target_type_attachment": "Attachment",
"txt_log_target_type_audit_log": "Log",
"txt_log_target_type_backup": "Backup",
"txt_log_target_type_cipher": "Vault item",
"txt_log_target_type_device": "Device",
"txt_log_target_type_folder": "Folder",
"txt_log_target_type_invite": "Invite",
"txt_log_target_type_refresh_token": "Refresh token",
"txt_log_target_type_send": "Send",
"txt_log_target_type_user": "User",
"txt_log_trigger_manual": "Manual",
"txt_log_trigger_remote": "Remote",
"txt_log_trigger_scheduled": "Scheduled",
"txt_log_max_1000": "Up to 1,000 entries",
"txt_log_max_5000": "Up to 5,000 entries",
"txt_log_max_10000": "Up to 10,000 entries",
"txt_log_max_50000": "Up to 50,000 entries",
"txt_log_max_entries": "Storage cap",
"txt_log_max_unlimited": "Unlimited entries",
"txt_log_retention_7d": "Keep 7 days",
"txt_log_retention_30d": "Keep 30 days",
"txt_log_retention_90d": "Keep 90 days",
"txt_log_retention_180d": "Keep 180 days",
"txt_log_retention_365d": "Keep 365 days",
"txt_log_retention_days": "Retention",
"txt_log_retention_forever": "Keep forever",
"txt_log_retention_hint": "Automatically trims by age and entry count to reduce D1 storage use.",
"txt_log_retention_mode": "Retention mode",
"txt_log_retention_mode_days": "By time",
"txt_log_retention_mode_entries": "By count",
"txt_log_retention_settings": "Log retention",
"txt_log_settings": "Settings",
"txt_log_settings_save_failed": "Failed to save log settings",
"txt_log_settings_saved": "Log settings saved",
"txt_log_search_placeholder": "Search action, actor, target, request path, or metadata",
"txt_log_total": " total",
"txt_log_visible": " visible",
"txt_metadata": "Metadata",
"txt_no_logs_found": "No logs found",
"txt_no_metadata": "No metadata",
"txt_clear_all_logs": "Clear logs",
"txt_clear_logs_confirm": "Clear all logs? This cannot be undone.",
"txt_clear_logs_failed": "Failed to clear logs",
"txt_logs_cleared": "Logs cleared",
"txt_search": "Search",
"txt_target": "Target",
"txt_time": "Time",
"txt_time_range": "Time range",
"txt_remove_domain": "Remove domain"
};
webapp/src/lib/i18n/locales/es.ts
+193
View File
@@ -2,6 +2,7 @@
const es: Record<string, string> = {
"nav_account_settings": "Configuración de la cuenta",
"nav_admin_panel": "Panel de administración",
"nav_log_center": "Centro de registros",
"nav_device_management": "Gestión de dispositivos",
"nav_my_vault": "Mi bóveda",
"nav_vault_items": "Bóveda",
@@ -368,6 +369,7 @@ const es: Record<string, string> = {
"txt_delete_item": "Eliminar elemento",
"txt_delete_passkey": "Eliminar clave de acceso",
"txt_delete_item_failed": "Error al eliminar elemento",
"txt_permanent_delete_item_failed": "Error al eliminar elemento permanentemente",
"txt_delete_permanently": "Eliminar permanentemente",
"txt_archive": "Archivar",
"txt_archive_item": "Archivar elemento",
@@ -500,6 +502,7 @@ const es: Record<string, string> = {
"txt_item": "Elemento",
"txt_item_created": "Elemento creado",
"txt_item_deleted": "Elemento eliminado",
"txt_item_deleted_permanently": "Elemento eliminado permanentemente",
"txt_item_history": "Historial del elemento",
"txt_password_history": "Historial de contraseñas",
"txt_password_updated_value": "Contraseña actualizada: {value}",
@@ -690,6 +693,12 @@ const es: Record<string, string> = {
"txt_revoke_all_device_trust_failed": "Error al revocar la confianza de todos los dispositivos",
"txt_revoke_trust": "Revocar confianza",
"txt_untrust": "Quitar confianza",
"txt_trust_permanently": "Confiar permanentemente",
"txt_trust_device_permanently": "Confiar permanentemente en el dispositivo",
"txt_trust_device_permanently_for_name": "¿Actualizar \"{name}\" de confianza de 30 días a confianza permanente?",
"txt_trust_device_permanently_failed": "Error al confiar permanentemente en el dispositivo",
"txt_device_trusted_permanently": "Dispositivo confiado permanentemente",
"txt_permanent_trust": "Confianza permanente",
"txt_update_device_note_failed": "Error al actualizar la nota del dispositivo",
"txt_role": "Rol",
"txt_save": "Guardar",
@@ -935,6 +944,190 @@ const es: Record<string, string> = {
"txt_nav_layout_grouped_expanded_desc": "Mantener todos los grupos abiertos",
"txt_nav_layout_grouped_smart": "Grupos inteligentes",
"txt_nav_layout_grouped_smart_desc": "Abrir grupos activos cuando haga falta",
"txt_actor": "Actor",
"txt_all_levels": "Todos los niveles",
"txt_all_logs": "Todos los registros",
"txt_all_time": "Todo el tiempo",
"txt_audit_events": "Lista de registros",
"txt_filter": "Filtrar",
"txt_last_24_hours": "Últimas 24 horas",
"txt_last_7_days": "Últimos 7 días",
"txt_last_30_days": "Últimos 30 días",
"txt_load_logs_failed": "No se pudieron cargar los registros",
"txt_load_log_settings_failed": "No se pudo cargar la configuración de registros",
"txt_log_category": "Categoría",
"txt_log_category_auth": "Acceso y sesiones",
"txt_log_category_data": "Operaciones de datos",
"txt_log_category_device": "Dispositivos",
"txt_log_category_security": "Seguridad de cuenta",
"txt_log_category_system": "Sistema",
"txt_log_center_description": "Revisa inicios de sesión, fallos de renovación, eventos de dispositivos, cambios de seguridad, copias y acciones de administración.",
"txt_log_center_title": "Centro de registros",
"txt_log_level": "Nivel",
"txt_log_level_error": "Error",
"txt_log_level_info": "Info",
"txt_log_level_security": "Seguridad",
"txt_log_level_warn": "Aviso",
"txt_log_action_account_api_key_create": "Create API key",
"txt_log_action_account_api_key_rotate": "Rotate API key",
"txt_log_action_account_keys_update": "Update account keys",
"txt_log_action_account_profile_update": "Update account profile",
"txt_log_action_account_totp_disable": "Disable two-step login",
"txt_log_action_account_totp_enable": "Enable two-step login",
"txt_log_action_account_totp_recover": "Recover two-step login",
"txt_log_action_account_verify_devices_update": "Update device verification",
"txt_log_action_admin_audit_settings_update": "Update log retention settings",
"txt_log_action_admin_backup_export": "Export backup",
"txt_log_action_admin_backup_import": "Import backup",
"txt_log_action_admin_backup_remote_delete": "Delete remote backup",
"txt_log_action_admin_backup_remote_manual": "Manual remote backup succeeded",
"txt_log_action_admin_backup_remote_manual_failed": "Manual remote backup failed",
"txt_log_action_admin_backup_remote_scheduled": "Scheduled remote backup succeeded",
"txt_log_action_admin_backup_remote_scheduled_failed": "Scheduled remote backup failed",
"txt_log_action_admin_backup_settings_repair": "Repair backup settings",
"txt_log_action_admin_backup_settings_update": "Update backup settings",
"txt_log_action_admin_invite_create": "Create invite",
"txt_log_action_admin_invite_delete_all": "Clear invites",
"txt_log_action_admin_invite_revoke": "Revoke invite",
"txt_log_action_admin_user_delete": "Delete user",
"txt_log_action_admin_user_status": "Change user status",
"txt_log_action_attachment_delete": "Delete attachment",
"txt_log_action_auth_login_failed_bad_api_key": "Login failed: bad API key",
"txt_log_action_auth_login_failed_bad_password": "Login failed: bad password",
"txt_log_action_auth_login_failed_user_inactive": "Login failed: inactive account",
"txt_log_action_auth_login_success": "Login succeeded",
"txt_log_action_auth_refresh_failed": "Refresh login failed: {reason}",
"txt_log_action_cipher_delete_permanent": "Permanently delete vault item",
"txt_log_action_cipher_delete_permanent_bulk": "Permanently delete vault items",
"txt_log_action_cipher_delete_soft": "Move vault item to trash",
"txt_log_action_cipher_delete_soft_bulk": "Move vault items to trash",
"txt_log_action_device_deactivate": "Deactivate device",
"txt_log_action_device_delete": "Delete device",
"txt_log_action_device_delete_all": "Delete all devices",
"txt_log_action_device_name_update": "Update device name",
"txt_log_action_device_trust_permanent": "Trust device permanently",
"txt_log_action_device_trust_revoke": "Revoke device trust",
"txt_log_action_device_trust_revoke_batch": "Revoke device trust in bulk",
"txt_log_action_folder_delete": "Delete folder",
"txt_log_action_folder_delete_bulk": "Delete folders",
"txt_log_action_send_auth_remove": "Remove Send authentication",
"txt_log_action_send_delete": "Delete Send",
"txt_log_action_send_delete_bulk": "Delete Sends",
"txt_log_action_send_password_remove": "Remove Send password",
"txt_log_action_user_password_change": "Change master password",
"txt_log_action_user_register_first_admin": "Register first admin",
"txt_log_action_user_register_invite": "Register by invite",
"txt_log_meta_attachments": "Attachments",
"txt_log_meta_bytes": "Bytes",
"txt_log_meta_changed": "Changed fields",
"txt_log_meta_checksum_mismatch_accepted": "Accepted checksum mismatch",
"txt_log_meta_cipher_id": "Vault item ID",
"txt_log_meta_ciphers": "Vault items",
"txt_log_meta_compat": "Compatibility",
"txt_log_meta_compressed_bytes": "Compressed bytes",
"txt_log_meta_count": "Count",
"txt_log_meta_deleted": "Deleted count",
"txt_log_meta_destination_count": "Destination count",
"txt_log_meta_destination_id": "Destination ID",
"txt_log_meta_destination_name": "Destination name",
"txt_log_meta_destination_type": "Destination type",
"txt_log_meta_device_identifier": "Device ID",
"txt_log_meta_device_type": "Device type",
"txt_log_meta_email": "Email",
"txt_log_meta_error": "Error",
"txt_log_meta_expires_in_hours": "Expires in hours",
"txt_log_meta_file_bytes": "File bytes",
"txt_log_meta_file_name": "File name",
"txt_log_meta_folder_id": "Folder ID",
"txt_log_meta_grant_type": "Login method",
"txt_log_meta_includes_attachments": "Includes attachments",
"txt_log_meta_ip": "IP address",
"txt_log_meta_max_entries": "Entry limit",
"txt_log_meta_method": "Request method",
"txt_log_meta_path": "Request path",
"txt_log_meta_provider": "Provider",
"txt_log_meta_prune_error": "Cleanup error",
"txt_log_meta_pruned_file_count": "Cleaned files",
"txt_log_meta_raw": "Raw data",
"txt_log_meta_reason": "Reason",
"txt_log_meta_remote_path": "Remote path",
"txt_log_meta_removed": "Removed count",
"txt_log_meta_removed_devices": "Removed devices",
"txt_log_meta_removed_sessions": "Removed sessions",
"txt_log_meta_removed_trusted": "Trust removals",
"txt_log_meta_replace_existing": "Replace existing data",
"txt_log_meta_requested": "Requested count",
"txt_log_meta_requested_count": "Requested count",
"txt_log_meta_retention_days": "Retention days",
"txt_log_meta_scheduled_destination_count": "Scheduled destinations",
"txt_log_meta_size": "Size",
"txt_log_meta_skipped_attachments": "Skipped attachments",
"txt_log_meta_skipped_reason": "Skip reason",
"txt_log_meta_status": "Status",
"txt_log_meta_target_email": "Target email",
"txt_log_meta_trigger": "Trigger",
"txt_log_meta_type": "Type",
"txt_log_meta_updated": "Updated count",
"txt_log_meta_upload_verification_attempts": "Upload verification attempts",
"txt_log_meta_user_agent": "Browser/client",
"txt_log_meta_users": "Users",
"txt_log_meta_verify_devices": "Verify devices",
"txt_log_meta_web_session": "Web session",
"txt_log_reason_bad_api_key": "Bad API key",
"txt_log_reason_bad_password": "Bad password",
"txt_log_reason_device_missing": "Device missing",
"txt_log_reason_device_session_mismatch": "Device session mismatch",
"txt_log_reason_token_not_found_or_expired": "Token missing or expired",
"txt_log_reason_user_inactive": "User inactive",
"txt_log_reason_user_missing": "User missing",
"txt_log_target_type_attachment": "Attachment",
"txt_log_target_type_audit_log": "Log",
"txt_log_target_type_backup": "Backup",
"txt_log_target_type_cipher": "Vault item",
"txt_log_target_type_device": "Device",
"txt_log_target_type_folder": "Folder",
"txt_log_target_type_invite": "Invite",
"txt_log_target_type_refresh_token": "Refresh token",
"txt_log_target_type_send": "Send",
"txt_log_target_type_user": "User",
"txt_log_trigger_manual": "Manual",
"txt_log_trigger_remote": "Remote",
"txt_log_trigger_scheduled": "Scheduled",
"txt_log_max_1000": "Hasta 1000 entradas",
"txt_log_max_5000": "Hasta 5000 entradas",
"txt_log_max_10000": "Hasta 10 000 entradas",
"txt_log_max_50000": "Hasta 50 000 entradas",
"txt_log_max_entries": "Límite de almacenamiento",
"txt_log_max_unlimited": "Entradas ilimitadas",
"txt_log_retention_7d": "Conservar 7 días",
"txt_log_retention_30d": "Conservar 30 días",
"txt_log_retention_90d": "Conservar 90 días",
"txt_log_retention_180d": "Conservar 180 días",
"txt_log_retention_365d": "Conservar 365 días",
"txt_log_retention_days": "Retención",
"txt_log_retention_forever": "Conservar siempre",
"txt_log_retention_hint": "Recorta automáticamente por antigüedad y cantidad para reducir el uso de D1.",
"txt_log_retention_mode": "Modo de retención",
"txt_log_retention_mode_days": "Por tiempo",
"txt_log_retention_mode_entries": "Por cantidad",
"txt_log_retention_settings": "Retención de registros",
"txt_log_settings": "Configuración",
"txt_log_settings_save_failed": "No se pudo guardar la configuración de registros",
"txt_log_settings_saved": "Configuración de registros guardada",
"txt_log_search_placeholder": "Buscar acción, actor, destino, ruta o metadatos",
"txt_log_total": " total",
"txt_log_visible": " visibles",
"txt_metadata": "Metadatos",
"txt_no_logs_found": "No se encontraron registros",
"txt_no_metadata": "Sin metadatos",
"txt_clear_all_logs": "Borrar registros",
"txt_clear_logs_confirm": "¿Borrar todos los registros? Esta acción no se puede deshacer.",
"txt_clear_logs_failed": "No se pudieron borrar los registros",
"txt_logs_cleared": "Registros borrados",
"txt_search": "Buscar",
"txt_target": "Destino",
"txt_time": "Hora",
"txt_time_range": "Rango de tiempo",
"txt_remove_domain": "Quitar dominio"
};
webapp/src/lib/i18n/locales/ru.ts
+193
View File
@@ -3,6 +3,7 @@ const ru: Record<string, string> = {
"txt_backup_destination_detail_note": "",
"nav_account_settings": "Настройки учетной записи",
"nav_admin_panel": "Панель администратора",
"nav_log_center": "Центр журналов",
"nav_device_management": "Управление устройствами",
"nav_my_vault": "Мое хранилище",
"nav_vault_items": "Хранилище",
@@ -368,6 +369,7 @@ const ru: Record<string, string> = {
"txt_delete_item": "Удалить элемент",
"txt_delete_passkey": "Удалить пароль",
"txt_delete_item_failed": "Удалить элемент не удалось",
"txt_permanent_delete_item_failed": "Не удалось окончательно удалить элемент",
"txt_delete_permanently": "Удалить навсегда",
"txt_archive": "Архив",
"txt_archive_item": "Архивный элемент",
@@ -500,6 +502,7 @@ const ru: Record<string, string> = {
"txt_item": "Товар",
"txt_item_created": "Объект создан",
"txt_item_deleted": "Объект удален.",
"txt_item_deleted_permanently": "Объект окончательно удален.",
"txt_item_history": "История предмета",
"txt_password_history": "История паролей",
"txt_password_updated_value": "Пароль обновлен: {value}",
@@ -690,6 +693,12 @@ const ru: Record<string, string> = {
"txt_revoke_all_device_trust_failed": "Не удалось отозвать все доверие устройств.",
"txt_revoke_trust": "Отозвать доверие",
"txt_untrust": "Не доверять",
"txt_trust_permanently": "Доверять постоянно",
"txt_trust_device_permanently": "Постоянно доверять устройству",
"txt_trust_device_permanently_for_name": "Повысить доверие к «{name}» с 30 дней до постоянного?",
"txt_trust_device_permanently_failed": "Не удалось постоянно доверять устройству.",
"txt_device_trusted_permanently": "Устройство постоянно доверено",
"txt_permanent_trust": "Постоянное доверие",
"txt_update_device_note_failed": "Не удалось обновить примечание об устройстве.",
"txt_role": "Роль",
"txt_save": "Сохранить",
@@ -935,6 +944,190 @@ const ru: Record<string, string> = {
"txt_nav_layout_grouped_expanded_desc": "Держать все группы открытыми",
"txt_nav_layout_grouped_smart": "Умные группы",
"txt_nav_layout_grouped_smart_desc": "Открывать активные группы по необходимости",
"txt_actor": "Инициатор",
"txt_all_levels": "Все уровни",
"txt_all_logs": "Все журналы",
"txt_all_time": "Все время",
"txt_audit_events": "Список журналов",
"txt_filter": "Фильтр",
"txt_last_24_hours": "Последние 24 часа",
"txt_last_7_days": "Последние 7 дней",
"txt_last_30_days": "Последние 30 дней",
"txt_load_logs_failed": "Не удалось загрузить журналы",
"txt_load_log_settings_failed": "Не удалось загрузить настройки журналов",
"txt_log_category": "Категория",
"txt_log_category_auth": "Вход и сессии",
"txt_log_category_data": "Операции с данными",
"txt_log_category_device": "Устройства",
"txt_log_category_security": "Безопасность учетной записи",
"txt_log_category_system": "Система",
"txt_log_center_description": "Просматривайте входы, сбои обновления, события устройств, изменения безопасности, резервные копии и действия администратора.",
"txt_log_center_title": "Центр журналов",
"txt_log_level": "Уровень",
"txt_log_level_error": "Ошибка",
"txt_log_level_info": "Инфо",
"txt_log_level_security": "Безопасность",
"txt_log_level_warn": "Предупреждение",
"txt_log_action_account_api_key_create": "Create API key",
"txt_log_action_account_api_key_rotate": "Rotate API key",
"txt_log_action_account_keys_update": "Update account keys",
"txt_log_action_account_profile_update": "Update account profile",
"txt_log_action_account_totp_disable": "Disable two-step login",
"txt_log_action_account_totp_enable": "Enable two-step login",
"txt_log_action_account_totp_recover": "Recover two-step login",
"txt_log_action_account_verify_devices_update": "Update device verification",
"txt_log_action_admin_audit_settings_update": "Update log retention settings",
"txt_log_action_admin_backup_export": "Export backup",
"txt_log_action_admin_backup_import": "Import backup",
"txt_log_action_admin_backup_remote_delete": "Delete remote backup",
"txt_log_action_admin_backup_remote_manual": "Manual remote backup succeeded",
"txt_log_action_admin_backup_remote_manual_failed": "Manual remote backup failed",
"txt_log_action_admin_backup_remote_scheduled": "Scheduled remote backup succeeded",
"txt_log_action_admin_backup_remote_scheduled_failed": "Scheduled remote backup failed",
"txt_log_action_admin_backup_settings_repair": "Repair backup settings",
"txt_log_action_admin_backup_settings_update": "Update backup settings",
"txt_log_action_admin_invite_create": "Create invite",
"txt_log_action_admin_invite_delete_all": "Clear invites",
"txt_log_action_admin_invite_revoke": "Revoke invite",
"txt_log_action_admin_user_delete": "Delete user",
"txt_log_action_admin_user_status": "Change user status",
"txt_log_action_attachment_delete": "Delete attachment",
"txt_log_action_auth_login_failed_bad_api_key": "Login failed: bad API key",
"txt_log_action_auth_login_failed_bad_password": "Login failed: bad password",
"txt_log_action_auth_login_failed_user_inactive": "Login failed: inactive account",
"txt_log_action_auth_login_success": "Login succeeded",
"txt_log_action_auth_refresh_failed": "Refresh login failed: {reason}",
"txt_log_action_cipher_delete_permanent": "Permanently delete vault item",
"txt_log_action_cipher_delete_permanent_bulk": "Permanently delete vault items",
"txt_log_action_cipher_delete_soft": "Move vault item to trash",
"txt_log_action_cipher_delete_soft_bulk": "Move vault items to trash",
"txt_log_action_device_deactivate": "Deactivate device",
"txt_log_action_device_delete": "Delete device",
"txt_log_action_device_delete_all": "Delete all devices",
"txt_log_action_device_name_update": "Update device name",
"txt_log_action_device_trust_permanent": "Trust device permanently",
"txt_log_action_device_trust_revoke": "Revoke device trust",
"txt_log_action_device_trust_revoke_batch": "Revoke device trust in bulk",
"txt_log_action_folder_delete": "Delete folder",
"txt_log_action_folder_delete_bulk": "Delete folders",
"txt_log_action_send_auth_remove": "Remove Send authentication",
"txt_log_action_send_delete": "Delete Send",
"txt_log_action_send_delete_bulk": "Delete Sends",
"txt_log_action_send_password_remove": "Remove Send password",
"txt_log_action_user_password_change": "Change master password",
"txt_log_action_user_register_first_admin": "Register first admin",
"txt_log_action_user_register_invite": "Register by invite",
"txt_log_meta_attachments": "Attachments",
"txt_log_meta_bytes": "Bytes",
"txt_log_meta_changed": "Changed fields",
"txt_log_meta_checksum_mismatch_accepted": "Accepted checksum mismatch",
"txt_log_meta_cipher_id": "Vault item ID",
"txt_log_meta_ciphers": "Vault items",
"txt_log_meta_compat": "Compatibility",
"txt_log_meta_compressed_bytes": "Compressed bytes",
"txt_log_meta_count": "Count",
"txt_log_meta_deleted": "Deleted count",
"txt_log_meta_destination_count": "Destination count",
"txt_log_meta_destination_id": "Destination ID",
"txt_log_meta_destination_name": "Destination name",
"txt_log_meta_destination_type": "Destination type",
"txt_log_meta_device_identifier": "Device ID",
"txt_log_meta_device_type": "Device type",
"txt_log_meta_email": "Email",
"txt_log_meta_error": "Error",
"txt_log_meta_expires_in_hours": "Expires in hours",
"txt_log_meta_file_bytes": "File bytes",
"txt_log_meta_file_name": "File name",
"txt_log_meta_folder_id": "Folder ID",
"txt_log_meta_grant_type": "Login method",
"txt_log_meta_includes_attachments": "Includes attachments",
"txt_log_meta_ip": "IP address",
"txt_log_meta_max_entries": "Entry limit",
"txt_log_meta_method": "Request method",
"txt_log_meta_path": "Request path",
"txt_log_meta_provider": "Provider",
"txt_log_meta_prune_error": "Cleanup error",
"txt_log_meta_pruned_file_count": "Cleaned files",
"txt_log_meta_raw": "Raw data",
"txt_log_meta_reason": "Reason",
"txt_log_meta_remote_path": "Remote path",
"txt_log_meta_removed": "Removed count",
"txt_log_meta_removed_devices": "Removed devices",
"txt_log_meta_removed_sessions": "Removed sessions",
"txt_log_meta_removed_trusted": "Trust removals",
"txt_log_meta_replace_existing": "Replace existing data",
"txt_log_meta_requested": "Requested count",
"txt_log_meta_requested_count": "Requested count",
"txt_log_meta_retention_days": "Retention days",
"txt_log_meta_scheduled_destination_count": "Scheduled destinations",
"txt_log_meta_size": "Size",
"txt_log_meta_skipped_attachments": "Skipped attachments",
"txt_log_meta_skipped_reason": "Skip reason",
"txt_log_meta_status": "Status",
"txt_log_meta_target_email": "Target email",
"txt_log_meta_trigger": "Trigger",
"txt_log_meta_type": "Type",
"txt_log_meta_updated": "Updated count",
"txt_log_meta_upload_verification_attempts": "Upload verification attempts",
"txt_log_meta_user_agent": "Browser/client",
"txt_log_meta_users": "Users",
"txt_log_meta_verify_devices": "Verify devices",
"txt_log_meta_web_session": "Web session",
"txt_log_reason_bad_api_key": "Bad API key",
"txt_log_reason_bad_password": "Bad password",
"txt_log_reason_device_missing": "Device missing",
"txt_log_reason_device_session_mismatch": "Device session mismatch",
"txt_log_reason_token_not_found_or_expired": "Token missing or expired",
"txt_log_reason_user_inactive": "User inactive",
"txt_log_reason_user_missing": "User missing",
"txt_log_target_type_attachment": "Attachment",
"txt_log_target_type_audit_log": "Log",
"txt_log_target_type_backup": "Backup",
"txt_log_target_type_cipher": "Vault item",
"txt_log_target_type_device": "Device",
"txt_log_target_type_folder": "Folder",
"txt_log_target_type_invite": "Invite",
"txt_log_target_type_refresh_token": "Refresh token",
"txt_log_target_type_send": "Send",
"txt_log_target_type_user": "User",
"txt_log_trigger_manual": "Manual",
"txt_log_trigger_remote": "Remote",
"txt_log_trigger_scheduled": "Scheduled",
"txt_log_max_1000": "До 1 000 записей",
"txt_log_max_5000": "До 5 000 записей",
"txt_log_max_10000": "До 10 000 записей",
"txt_log_max_50000": "До 50 000 записей",
"txt_log_max_entries": "Лимит хранения",
"txt_log_max_unlimited": "Без ограничения записей",
"txt_log_retention_7d": "Хранить 7 дней",
"txt_log_retention_30d": "Хранить 30 дней",
"txt_log_retention_90d": "Хранить 90 дней",
"txt_log_retention_180d": "Хранить 180 дней",
"txt_log_retention_365d": "Хранить 365 дней",
"txt_log_retention_days": "Срок хранения",
"txt_log_retention_forever": "Хранить всегда",
"txt_log_retention_hint": "Автоматически обрезает по возрасту и количеству, чтобы уменьшить использование D1.",
"txt_log_retention_mode": "Режим хранения",
"txt_log_retention_mode_days": "По времени",
"txt_log_retention_mode_entries": "По количеству",
"txt_log_retention_settings": "Хранение журналов",
"txt_log_settings": "Настройки",
"txt_log_settings_save_failed": "Не удалось сохранить настройки журналов",
"txt_log_settings_saved": "Настройки журналов сохранены",
"txt_log_search_placeholder": "Поиск действия, инициатора, цели, пути или метаданных",
"txt_log_total": " всего",
"txt_log_visible": " показано",
"txt_metadata": "Метаданные",
"txt_no_logs_found": "Журналы не найдены",
"txt_no_metadata": "Нет метаданных",
"txt_clear_all_logs": "Очистить журналы",
"txt_clear_logs_confirm": "Очистить все журналы? Это действие нельзя отменить.",
"txt_clear_logs_failed": "Не удалось очистить журналы",
"txt_logs_cleared": "Журналы очищены",
"txt_search": "Поиск",
"txt_target": "Цель",
"txt_time": "Время",
"txt_time_range": "Период",
"txt_remove_domain": "Удалить домен"
};
webapp/src/lib/i18n/locales/zh-CN.ts
+193
View File
@@ -2,6 +2,7 @@
const zhCN: Record<string, string> = {
"nav_account_settings": "账户设置",
"nav_admin_panel": "用户管理",
"nav_log_center": "日志中心",
"nav_device_management": "设备管理",
"nav_my_vault": "我的密码库",
"nav_vault_items": "密码库",
@@ -368,6 +369,7 @@ const zhCN: Record<string, string> = {
"txt_delete_item": "删除项目",
"txt_delete_passkey": "删除通行密钥",
"txt_delete_item_failed": "删除项目失败",
"txt_permanent_delete_item_failed": "永久删除项目失败",
"txt_delete_permanently": "永久删除",
"txt_archive": "归档",
"txt_archive_item": "归档项目",
@@ -500,6 +502,7 @@ const zhCN: Record<string, string> = {
"txt_item": "项目",
"txt_item_created": "项目已创建",
"txt_item_deleted": "项目已删除",
"txt_item_deleted_permanently": "项目已永久删除",
"txt_item_history": "项目历史",
"txt_password_history": "密码历史记录",
"txt_password_updated_value": "密码更新于: {value}",
@@ -690,6 +693,12 @@ const zhCN: Record<string, string> = {
"txt_revoke_all_device_trust_failed": "撤销所有设备信任失败",
"txt_revoke_trust": "撤销信任",
"txt_untrust": "不信任",
"txt_trust_permanently": "永久信任",
"txt_trust_device_permanently": "永久信任设备",
"txt_trust_device_permanently_for_name": "确认把“{name}”从 30 天信任升级为永久信任吗?",
"txt_trust_device_permanently_failed": "永久信任设备失败",
"txt_device_trusted_permanently": "设备已永久信任",
"txt_permanent_trust": "永久信任",
"txt_update_device_note_failed": "更新设备备注失败",
"txt_role": "角色",
"txt_save": "保存",
@@ -935,6 +944,190 @@ const zhCN: Record<string, string> = {
"txt_nav_layout_grouped_expanded_desc": "父子菜单全部展开",
"txt_nav_layout_grouped_smart": "智能分组",
"txt_nav_layout_grouped_smart_desc": "当前相关分组自动展开",
"txt_actor": "操作者",
"txt_all_levels": "全部级别",
"txt_all_logs": "全部日志",
"txt_all_time": "全部时间",
"txt_audit_events": "日志列表",
"txt_filter": "筛选",
"txt_last_24_hours": "最近 24 小时",
"txt_last_7_days": "最近 7 天",
"txt_last_30_days": "最近 30 天",
"txt_load_logs_failed": "加载日志失败",
"txt_load_log_settings_failed": "加载日志设置失败",
"txt_log_category": "分类",
"txt_log_category_auth": "登录与会话",
"txt_log_category_data": "数据操作",
"txt_log_category_device": "设备",
"txt_log_category_security": "账户安全",
"txt_log_category_system": "系统",
"txt_log_center_description": "查看登录、刷新失败、设备事件、安全变更、备份操作和管理员操作。",
"txt_log_center_title": "日志中心",
"txt_log_level": "级别",
"txt_log_level_error": "错误",
"txt_log_level_info": "信息",
"txt_log_level_security": "安全",
"txt_log_level_warn": "警告",
"txt_log_action_account_api_key_create": "创建 API 密钥",
"txt_log_action_account_api_key_rotate": "轮换 API 密钥",
"txt_log_action_account_keys_update": "更新账户密钥",
"txt_log_action_account_profile_update": "更新账户资料",
"txt_log_action_account_totp_disable": "关闭两步验证",
"txt_log_action_account_totp_enable": "开启两步验证",
"txt_log_action_account_totp_recover": "恢复两步验证",
"txt_log_action_account_verify_devices_update": "更新设备验证设置",
"txt_log_action_admin_audit_settings_update": "更新日志保留设置",
"txt_log_action_admin_backup_export": "导出备份",
"txt_log_action_admin_backup_import": "导入备份",
"txt_log_action_admin_backup_remote_delete": "删除远程备份",
"txt_log_action_admin_backup_remote_manual": "手动远程备份成功",
"txt_log_action_admin_backup_remote_manual_failed": "手动远程备份失败",
"txt_log_action_admin_backup_remote_scheduled": "计划远程备份成功",
"txt_log_action_admin_backup_remote_scheduled_failed": "计划远程备份失败",
"txt_log_action_admin_backup_settings_repair": "修复备份设置",
"txt_log_action_admin_backup_settings_update": "更新备份设置",
"txt_log_action_admin_invite_create": "创建邀请",
"txt_log_action_admin_invite_delete_all": "清空邀请",
"txt_log_action_admin_invite_revoke": "撤销邀请",
"txt_log_action_admin_user_delete": "删除用户",
"txt_log_action_admin_user_status": "修改用户状态",
"txt_log_action_attachment_delete": "删除附件",
"txt_log_action_auth_login_failed_bad_api_key": "API 密钥错误登录失败",
"txt_log_action_auth_login_failed_bad_password": "密码错误登录失败",
"txt_log_action_auth_login_failed_user_inactive": "账号停用登录失败",
"txt_log_action_auth_login_success": "登录成功",
"txt_log_action_auth_refresh_failed": "刷新登录失败:{reason}",
"txt_log_action_cipher_delete_permanent": "永久删除密码项",
"txt_log_action_cipher_delete_permanent_bulk": "批量永久删除密码项",
"txt_log_action_cipher_delete_soft": "删除到回收站",
"txt_log_action_cipher_delete_soft_bulk": "批量删除到回收站",
"txt_log_action_device_deactivate": "停用设备",
"txt_log_action_device_delete": "删除设备",
"txt_log_action_device_delete_all": "删除全部设备",
"txt_log_action_device_name_update": "修改设备名称",
"txt_log_action_device_trust_permanent": "永久信任设备",
"txt_log_action_device_trust_revoke": "撤销设备信任",
"txt_log_action_device_trust_revoke_batch": "批量撤销设备信任",
"txt_log_action_folder_delete": "删除文件夹",
"txt_log_action_folder_delete_bulk": "批量删除文件夹",
"txt_log_action_send_auth_remove": "移除 Send 验证",
"txt_log_action_send_delete": "删除 Send",
"txt_log_action_send_delete_bulk": "批量删除 Send",
"txt_log_action_send_password_remove": "移除 Send 密码",
"txt_log_action_user_password_change": "修改主密码",
"txt_log_action_user_register_first_admin": "注册首个管理员",
"txt_log_action_user_register_invite": "通过邀请注册",
"txt_log_meta_attachments": "附件数",
"txt_log_meta_bytes": "字节数",
"txt_log_meta_changed": "变更项",
"txt_log_meta_checksum_mismatch_accepted": "已接受校验不一致",
"txt_log_meta_cipher_id": "密码项 ID",
"txt_log_meta_ciphers": "密码项数量",
"txt_log_meta_compat": "兼容信息",
"txt_log_meta_compressed_bytes": "压缩后字节数",
"txt_log_meta_count": "数量",
"txt_log_meta_deleted": "已删除数量",
"txt_log_meta_destination_count": "备份目标数量",
"txt_log_meta_destination_id": "备份目标 ID",
"txt_log_meta_destination_name": "备份目标名称",
"txt_log_meta_destination_type": "备份目标类型",
"txt_log_meta_device_identifier": "设备 ID",
"txt_log_meta_device_type": "设备类型",
"txt_log_meta_email": "邮箱",
"txt_log_meta_error": "错误",
"txt_log_meta_expires_in_hours": "过期小时数",
"txt_log_meta_file_bytes": "文件字节数",
"txt_log_meta_file_name": "文件名",
"txt_log_meta_folder_id": "文件夹 ID",
"txt_log_meta_grant_type": "登录方式",
"txt_log_meta_includes_attachments": "包含附件",
"txt_log_meta_ip": "IP 地址",
"txt_log_meta_max_entries": "条数上限",
"txt_log_meta_method": "请求方法",
"txt_log_meta_path": "请求路径",
"txt_log_meta_provider": "服务提供方",
"txt_log_meta_prune_error": "清理错误",
"txt_log_meta_pruned_file_count": "已清理文件数",
"txt_log_meta_raw": "原始数据",
"txt_log_meta_reason": "原因",
"txt_log_meta_remote_path": "远程路径",
"txt_log_meta_removed": "已移除数量",
"txt_log_meta_removed_devices": "已移除设备数",
"txt_log_meta_removed_sessions": "已移除会话数",
"txt_log_meta_removed_trusted": "已撤销信任数",
"txt_log_meta_replace_existing": "覆盖现有数据",
"txt_log_meta_requested": "请求数量",
"txt_log_meta_requested_count": "请求数量",
"txt_log_meta_retention_days": "保留天数",
"txt_log_meta_scheduled_destination_count": "已计划备份目标数",
"txt_log_meta_size": "大小",
"txt_log_meta_skipped_attachments": "跳过附件数",
"txt_log_meta_skipped_reason": "跳过原因",
"txt_log_meta_status": "状态",
"txt_log_meta_target_email": "目标邮箱",
"txt_log_meta_trigger": "触发方式",
"txt_log_meta_type": "类型",
"txt_log_meta_updated": "已更新数量",
"txt_log_meta_upload_verification_attempts": "上传校验次数",
"txt_log_meta_user_agent": "浏览器/客户端",
"txt_log_meta_users": "用户数量",
"txt_log_meta_verify_devices": "验证设备",
"txt_log_meta_web_session": "网页会话",
"txt_log_reason_bad_api_key": "API 密钥错误",
"txt_log_reason_bad_password": "密码错误",
"txt_log_reason_device_missing": "设备不存在",
"txt_log_reason_device_session_mismatch": "设备会话不匹配",
"txt_log_reason_token_not_found_or_expired": "令牌不存在或已过期",
"txt_log_reason_user_inactive": "用户未启用",
"txt_log_reason_user_missing": "用户不存在",
"txt_log_target_type_attachment": "附件",
"txt_log_target_type_audit_log": "日志",
"txt_log_target_type_backup": "备份",
"txt_log_target_type_cipher": "密码项",
"txt_log_target_type_device": "设备",
"txt_log_target_type_folder": "文件夹",
"txt_log_target_type_invite": "邀请",
"txt_log_target_type_refresh_token": "刷新令牌",
"txt_log_target_type_send": "Send",
"txt_log_target_type_user": "用户",
"txt_log_trigger_manual": "手动",
"txt_log_trigger_remote": "远程",
"txt_log_trigger_scheduled": "计划任务",
"txt_log_max_1000": "最多 1,000 条",
"txt_log_max_5000": "最多 5,000 条",
"txt_log_max_10000": "最多 10,000 条",
"txt_log_max_50000": "最多 50,000 条",
"txt_log_max_entries": "容量上限",
"txt_log_max_unlimited": "不限制条数",
"txt_log_retention_7d": "保留 7 天",
"txt_log_retention_30d": "保留 30 天",
"txt_log_retention_90d": "保留 90 天",
"txt_log_retention_180d": "保留 180 天",
"txt_log_retention_365d": "保留 365 天",
"txt_log_retention_days": "保留时间",
"txt_log_retention_forever": "永久保留",
"txt_log_retention_hint": "按时间和最大条数自动收缩,减少 D1 存储占用。",
"txt_log_retention_mode": "保留方式",
"txt_log_retention_mode_days": "按时间",
"txt_log_retention_mode_entries": "按条数",
"txt_log_retention_settings": "日志保留",
"txt_log_settings": "设置",
"txt_log_settings_save_failed": "保存日志设置失败",
"txt_log_settings_saved": "日志设置已保存",
"txt_log_search_placeholder": "搜索动作、操作者、目标、请求路径或元数据",
"txt_log_total": " 条总数",
"txt_log_visible": " 条显示",
"txt_metadata": "元数据",
"txt_no_logs_found": "没有找到日志",
"txt_no_metadata": "没有元数据",
"txt_clear_all_logs": "清空日志",
"txt_clear_logs_confirm": "确定清空全部日志吗?此操作无法撤销。",
"txt_clear_logs_failed": "清空日志失败",
"txt_logs_cleared": "日志已清空",
"txt_search": "搜索",
"txt_target": "目标",
"txt_time": "时间",
"txt_time_range": "时间范围",
"txt_remove_domain": "移除域名"
};
webapp/src/lib/i18n/locales/zh-TW.ts
+193
View File
@@ -2,6 +2,7 @@
const zhTW: Record<string, string> = {
"nav_account_settings": "賬戶設置",
"nav_admin_panel": "用戶管理",
"nav_log_center": "日誌中心",
"nav_device_management": "設備管理",
"nav_my_vault": "我的密碼庫",
"nav_vault_items": "密碼庫",
@@ -368,6 +369,7 @@ const zhTW: Record<string, string> = {
"txt_delete_item": "刪除項目",
"txt_delete_passkey": "刪除通行密鑰",
"txt_delete_item_failed": "刪除項目失敗",
"txt_permanent_delete_item_failed": "永久刪除項目失敗",
"txt_delete_permanently": "永久刪除",
"txt_archive": "歸檔",
"txt_archive_item": "歸檔項目",
@@ -500,6 +502,7 @@ const zhTW: Record<string, string> = {
"txt_item": "項目",
"txt_item_created": "項目已創建",
"txt_item_deleted": "項目已刪除",
"txt_item_deleted_permanently": "項目已永久刪除",
"txt_item_history": "項目歷史",
"txt_password_history": "密碼歷史記錄",
"txt_password_updated_value": "密碼更新新於: {value}",
@@ -690,6 +693,12 @@ const zhTW: Record<string, string> = {
"txt_revoke_all_device_trust_failed": "撤銷所有設備信任失敗",
"txt_revoke_trust": "撤銷信任",
"txt_untrust": "不信任",
"txt_trust_permanently": "永久信任",
"txt_trust_device_permanently": "永久信任設備",
"txt_trust_device_permanently_for_name": "確認把“{name}”從 30 天信任升級為永久信任嗎?",
"txt_trust_device_permanently_failed": "永久信任設備失敗",
"txt_device_trusted_permanently": "設備已永久信任",
"txt_permanent_trust": "永久信任",
"txt_update_device_note_failed": "更新設備備註失敗",
"txt_role": "角色",
"txt_save": "保存",
@@ -935,6 +944,190 @@ const zhTW: Record<string, string> = {
"txt_nav_layout_grouped_expanded_desc": "父子選單全部展開",
"txt_nav_layout_grouped_smart": "智能分組",
"txt_nav_layout_grouped_smart_desc": "目前相關分組自動展開",
"txt_actor": "操作者",
"txt_all_levels": "全部級別",
"txt_all_logs": "全部日誌",
"txt_all_time": "全部時間",
"txt_audit_events": "日誌列表",
"txt_filter": "篩選",
"txt_last_24_hours": "最近 24 小時",
"txt_last_7_days": "最近 7 天",
"txt_last_30_days": "最近 30 天",
"txt_load_logs_failed": "載入日誌失敗",
"txt_load_log_settings_failed": "載入日誌設定失敗",
"txt_log_category": "分類",
"txt_log_category_auth": "登入與會話",
"txt_log_category_data": "資料操作",
"txt_log_category_device": "設備",
"txt_log_category_security": "賬戶安全",
"txt_log_category_system": "系統",
"txt_log_center_description": "查看登入、刷新失敗、設備事件、安全變更、備份操作和管理員操作。",
"txt_log_center_title": "日誌中心",
"txt_log_level": "級別",
"txt_log_level_error": "錯誤",
"txt_log_level_info": "資訊",
"txt_log_level_security": "安全",
"txt_log_level_warn": "警告",
"txt_log_action_account_api_key_create": "建立 API 金鑰",
"txt_log_action_account_api_key_rotate": "輪換 API 金鑰",
"txt_log_action_account_keys_update": "更新帳戶金鑰",
"txt_log_action_account_profile_update": "更新帳戶資料",
"txt_log_action_account_totp_disable": "關閉兩步驟登入",
"txt_log_action_account_totp_enable": "開啟兩步驟登入",
"txt_log_action_account_totp_recover": "復原兩步驟登入",
"txt_log_action_account_verify_devices_update": "更新裝置驗證設定",
"txt_log_action_admin_audit_settings_update": "更新日誌保留設定",
"txt_log_action_admin_backup_export": "匯出備份",
"txt_log_action_admin_backup_import": "匯入備份",
"txt_log_action_admin_backup_remote_delete": "刪除遠端備份",
"txt_log_action_admin_backup_remote_manual": "手動遠端備份成功",
"txt_log_action_admin_backup_remote_manual_failed": "手動遠端備份失敗",
"txt_log_action_admin_backup_remote_scheduled": "排程遠端備份成功",
"txt_log_action_admin_backup_remote_scheduled_failed": "排程遠端備份失敗",
"txt_log_action_admin_backup_settings_repair": "修復備份設定",
"txt_log_action_admin_backup_settings_update": "更新備份設定",
"txt_log_action_admin_invite_create": "建立邀請",
"txt_log_action_admin_invite_delete_all": "清空邀請",
"txt_log_action_admin_invite_revoke": "撤銷邀請",
"txt_log_action_admin_user_delete": "刪除使用者",
"txt_log_action_admin_user_status": "修改使用者狀態",
"txt_log_action_attachment_delete": "刪除附件",
"txt_log_action_auth_login_failed_bad_api_key": "API 金鑰錯誤登入失敗",
"txt_log_action_auth_login_failed_bad_password": "密碼錯誤登入失敗",
"txt_log_action_auth_login_failed_user_inactive": "帳號停用登入失敗",
"txt_log_action_auth_login_success": "登入成功",
"txt_log_action_auth_refresh_failed": "刷新登入失敗:{reason}",
"txt_log_action_cipher_delete_permanent": "永久刪除密碼項",
"txt_log_action_cipher_delete_permanent_bulk": "批次永久刪除密碼項",
"txt_log_action_cipher_delete_soft": "刪除到回收桶",
"txt_log_action_cipher_delete_soft_bulk": "批次刪除到回收桶",
"txt_log_action_device_deactivate": "停用裝置",
"txt_log_action_device_delete": "刪除裝置",
"txt_log_action_device_delete_all": "刪除全部裝置",
"txt_log_action_device_name_update": "修改裝置名稱",
"txt_log_action_device_trust_permanent": "永久信任裝置",
"txt_log_action_device_trust_revoke": "撤銷裝置信任",
"txt_log_action_device_trust_revoke_batch": "批次撤銷裝置信任",
"txt_log_action_folder_delete": "刪除資料夾",
"txt_log_action_folder_delete_bulk": "批次刪除資料夾",
"txt_log_action_send_auth_remove": "移除 Send 驗證",
"txt_log_action_send_delete": "刪除 Send",
"txt_log_action_send_delete_bulk": "批次刪除 Send",
"txt_log_action_send_password_remove": "移除 Send 密碼",
"txt_log_action_user_password_change": "修改主密碼",
"txt_log_action_user_register_first_admin": "註冊首個管理員",
"txt_log_action_user_register_invite": "透過邀請註冊",
"txt_log_meta_attachments": "附件數",
"txt_log_meta_bytes": "位元組數",
"txt_log_meta_changed": "變更項",
"txt_log_meta_checksum_mismatch_accepted": "已接受校驗不一致",
"txt_log_meta_cipher_id": "密碼項 ID",
"txt_log_meta_ciphers": "密碼項數量",
"txt_log_meta_compat": "相容資訊",
"txt_log_meta_compressed_bytes": "壓縮後位元組數",
"txt_log_meta_count": "數量",
"txt_log_meta_deleted": "已刪除數量",
"txt_log_meta_destination_count": "備份目標數量",
"txt_log_meta_destination_id": "備份目標 ID",
"txt_log_meta_destination_name": "備份目標名稱",
"txt_log_meta_destination_type": "備份目標類型",
"txt_log_meta_device_identifier": "裝置 ID",
"txt_log_meta_device_type": "裝置類型",
"txt_log_meta_email": "信箱",
"txt_log_meta_error": "錯誤",
"txt_log_meta_expires_in_hours": "過期小時數",
"txt_log_meta_file_bytes": "檔案位元組數",
"txt_log_meta_file_name": "檔案名稱",
"txt_log_meta_folder_id": "資料夾 ID",
"txt_log_meta_grant_type": "登入方式",
"txt_log_meta_includes_attachments": "包含附件",
"txt_log_meta_ip": "IP 位址",
"txt_log_meta_max_entries": "筆數上限",
"txt_log_meta_method": "請求方法",
"txt_log_meta_path": "請求路徑",
"txt_log_meta_provider": "服務提供方",
"txt_log_meta_prune_error": "清理錯誤",
"txt_log_meta_pruned_file_count": "已清理檔案數",
"txt_log_meta_raw": "原始資料",
"txt_log_meta_reason": "原因",
"txt_log_meta_remote_path": "遠端路徑",
"txt_log_meta_removed": "已移除數量",
"txt_log_meta_removed_devices": "已移除裝置數",
"txt_log_meta_removed_sessions": "已移除工作階段數",
"txt_log_meta_removed_trusted": "已撤銷信任數",
"txt_log_meta_replace_existing": "覆蓋現有資料",
"txt_log_meta_requested": "請求數量",
"txt_log_meta_requested_count": "請求數量",
"txt_log_meta_retention_days": "保留天數",
"txt_log_meta_scheduled_destination_count": "已排程備份目標數",
"txt_log_meta_size": "大小",
"txt_log_meta_skipped_attachments": "略過附件數",
"txt_log_meta_skipped_reason": "略過原因",
"txt_log_meta_status": "狀態",
"txt_log_meta_target_email": "目標信箱",
"txt_log_meta_trigger": "觸發方式",
"txt_log_meta_type": "類型",
"txt_log_meta_updated": "已更新數量",
"txt_log_meta_upload_verification_attempts": "上傳校驗次數",
"txt_log_meta_user_agent": "瀏覽器/用戶端",
"txt_log_meta_users": "使用者數量",
"txt_log_meta_verify_devices": "驗證裝置",
"txt_log_meta_web_session": "網頁工作階段",
"txt_log_reason_bad_api_key": "API 金鑰錯誤",
"txt_log_reason_bad_password": "密碼錯誤",
"txt_log_reason_device_missing": "裝置不存在",
"txt_log_reason_device_session_mismatch": "裝置工作階段不相符",
"txt_log_reason_token_not_found_or_expired": "權杖不存在或已過期",
"txt_log_reason_user_inactive": "使用者未啟用",
"txt_log_reason_user_missing": "使用者不存在",
"txt_log_target_type_attachment": "附件",
"txt_log_target_type_audit_log": "日誌",
"txt_log_target_type_backup": "備份",
"txt_log_target_type_cipher": "密碼項",
"txt_log_target_type_device": "裝置",
"txt_log_target_type_folder": "資料夾",
"txt_log_target_type_invite": "邀請",
"txt_log_target_type_refresh_token": "刷新權杖",
"txt_log_target_type_send": "Send",
"txt_log_target_type_user": "使用者",
"txt_log_trigger_manual": "手動",
"txt_log_trigger_remote": "遠端",
"txt_log_trigger_scheduled": "排程工作",
"txt_log_max_1000": "最多 1,000 筆",
"txt_log_max_5000": "最多 5,000 筆",
"txt_log_max_10000": "最多 10,000 筆",
"txt_log_max_50000": "最多 50,000 筆",
"txt_log_max_entries": "容量上限",
"txt_log_max_unlimited": "不限制筆數",
"txt_log_retention_7d": "保留 7 天",
"txt_log_retention_30d": "保留 30 天",
"txt_log_retention_90d": "保留 90 天",
"txt_log_retention_180d": "保留 180 天",
"txt_log_retention_365d": "保留 365 天",
"txt_log_retention_days": "保留時間",
"txt_log_retention_forever": "永久保留",
"txt_log_retention_hint": "按時間和最大筆數自動收縮,減少 D1 儲存占用。",
"txt_log_retention_mode": "保留方式",
"txt_log_retention_mode_days": "按時間",
"txt_log_retention_mode_entries": "按筆數",
"txt_log_retention_settings": "日誌保留",
"txt_log_settings": "設定",
"txt_log_settings_save_failed": "儲存日誌設定失敗",
"txt_log_settings_saved": "日誌設定已儲存",
"txt_log_search_placeholder": "搜尋動作、操作者、目標、請求路徑或元資料",
"txt_log_total": " 條總數",
"txt_log_visible": " 條顯示",
"txt_metadata": "元資料",
"txt_no_logs_found": "沒有找到日誌",
"txt_no_metadata": "沒有元資料",
"txt_clear_all_logs": "清空日誌",
"txt_clear_logs_confirm": "確定清空全部日誌嗎?此操作無法復原。",
"txt_clear_logs_failed": "清空日誌失敗",
"txt_logs_cleared": "日誌已清空",
"txt_search": "搜尋",
"txt_target": "目標",
"txt_time": "時間",
"txt_time_range": "時間範圍",
"txt_remove_domain": "移除域名"
};
webapp/src/lib/import-format-sources.ts
+1
View File
@@ -23,6 +23,7 @@ export const IMPORT_SOURCES = [
{ id: 'lastpass', label: 'LastPass (csv)' },
{ id: 'dashlane_csv', label: 'Dashlane (csv)' },
{ id: 'dashlane_json', label: 'Dashlane (json)' },
{ id: 'keepass_csv', label: 'KeePass 1.x (csv)' },
{ id: 'keepass_xml', label: 'KeePass 2 (xml)' },
{ id: 'keepassx_csv', label: 'KeePassX (csv)' },
{ id: 'arc_csv', label: 'Arc (csv)' },
webapp/src/lib/import-formats-bitwarden.ts
+1
View File
@@ -7,6 +7,7 @@ export interface BitwardenFolderInput {
export interface BitwardenUriInput {
uri?: string | null;
uriChecksum?: string | null;
match?: number | null;
}
webapp/src/lib/import-formats-csv-misc.ts
+30 -1
View File
@@ -198,6 +198,7 @@ export function parseEncryptrCsv(textRaw: string): CiphersImportPayload {
export function parseKeePassXCsv(textRaw: string): CiphersImportPayload {
const rows = parseCsv(textRaw);
const result: CiphersImportPayload = { ciphers: [], folders: [], folderRelationships: [] };
const standardColumns = new Set(['Group', 'Title', 'Username', 'Password', 'URL', 'Notes', 'TOTP']);
for (const row of rows) {
if (!txt(row.Title)) continue;
const cipher = makeLoginCipher();
@@ -209,12 +210,34 @@ export function parseKeePassXCsv(textRaw: string): CiphersImportPayload {
login.totp = val(row.TOTP);
const uri = normalizeUri(row.URL || '');
login.uris = uri ? [{ uri, match: null }] : null;
for (const [key, value] of Object.entries(row)) {
if (standardColumns.has(key)) continue;
processKvp(cipher, key, value, false);
}
const idx = result.ciphers.push(cipher) - 1;
addFolder(result, txt(row.Group).replace(/^Root\//, ''), idx);
}
return result;
}
export function parseKeePassCsv(textRaw: string): CiphersImportPayload {
const rows = parseCsv(textRaw);
const result: CiphersImportPayload = { ciphers: [], folders: [], folderRelationships: [] };
for (const row of rows) {
if (!txt(row.Account)) continue;
const cipher = makeLoginCipher();
cipher.name = val(row.Account, '--');
cipher.notes = val(row.Comments);
const login = cipher.login as Record<string, unknown>;
login.username = val(row['Login Name']);
login.password = val(row.Password);
const uri = normalizeUri(row['Web Site'] || '');
login.uris = uri ? [{ uri, match: null }] : null;
result.ciphers.push(cipher);
}
return result;
}
export function parseLastPassCsv(textRaw: string): CiphersImportPayload {
const rows = parseCsv(textRaw);
const result: CiphersImportPayload = { ciphers: [], folders: [], folderRelationships: [] };
@@ -350,7 +373,8 @@ export function parseKeePassXml(textRaw: string): CiphersImportPayload {
const cipher = makeLoginCipher();
for (const s of qd(entry, 'String')) {
const key = txt(qd(s, 'Key')[0]?.textContent);
const value = txt(qd(s, 'Value')[0]?.textContent);
const valueNode = qd(s, 'Value')[0];
const value = txt(valueNode?.textContent);
if (!value) continue;
const login = cipher.login as Record<string, unknown>;
if (key === 'Title') cipher.name = value;
@@ -361,6 +385,11 @@ export function parseKeePassXml(textRaw: string): CiphersImportPayload {
login.uris = uri ? [{ uri, match: null }] : null;
} else if (key === 'otp') login.totp = value.replace('key=', '');
else if (key === 'Notes') cipher.notes = `${txt(cipher.notes)}${txt(cipher.notes) ? '\n' : ''}${value}`;
else {
const hidden = ['True', 'true', '1'].includes(valueNode?.getAttribute('ProtectInMemory') || '')
|| ['True', 'true', '1'].includes(valueNode?.getAttribute('Protected') || '');
processKvp(cipher, key, value, hidden);
}
}
const idx = result.ciphers.push(cipher) - 1;
if (!isRoot && folder >= 0) result.folderRelationships.push({ key: idx, value: folder });
webapp/src/lib/import-formats.ts
+2
View File
@@ -10,6 +10,7 @@ import {
parseDashlaneCsv,
parseDashlaneJson,
parseEncryptrCsv,
parseKeePassCsv,
parseKeePassXCsv,
parseKeePassXml,
parseLastPassCsv,
@@ -75,6 +76,7 @@ const IMPORT_SOURCE_PARSERS: Record<ImportSourceId, (textRaw: string) => Ciphers
lastpass: parseLastPassCsv,
dashlane_csv: parseDashlaneCsv,
dashlane_json: parseDashlaneJson,
keepass_csv: parseKeePassCsv,
keepass_xml: parseKeePassXml,
keepassx_csv: parseKeePassXCsv,
arc_csv: parseArcCsv,
webapp/src/lib/ssh.ts
+58 -9
View File
@@ -30,14 +30,16 @@ function concatBytes(...parts: Uint8Array[]): Uint8Array {
return out;
}
function encodeSshString(value: Uint8Array): Uint8Array {
const out = new Uint8Array(4 + value.length);
const view = new DataView(out.buffer);
view.setUint32(0, value.length, false);
out.set(value, 4);
function encodeUint32(value: number): Uint8Array {
const out = new Uint8Array(4);
new DataView(out.buffer).setUint32(0, value >>> 0, false);
return out;
}
function encodeSshString(value: Uint8Array): Uint8Array {
return concatBytes(encodeUint32(value.length), value);
}
function extractSshBlobFromPublicKey(publicKey: string): Uint8Array | null {
const text = String(publicKey || '').trim();
if (!text) return null;
@@ -59,11 +61,11 @@ export async function computeSshFingerprint(publicKey: string): Promise<string>
return `SHA256:${bytesToBase64(digest).replace(/=+$/g, '')}`;
}
function toPem(tag: string, bytes: Uint8Array): string {
function toOpenSshPrivateKeyPem(bytes: Uint8Array): string {
const b64 = bytesToBase64(bytes);
const chunks: string[] = [];
for (let i = 0; i < b64.length; i += 64) chunks.push(b64.slice(i, i + 64));
return `-----BEGIN ${tag}-----\n${chunks.join('\n')}\n-----END ${tag}-----`;
for (let i = 0; i < b64.length; i += 70) chunks.push(b64.slice(i, i + 70));
return `-----BEGIN OPENSSH PRIVATE KEY-----\n${chunks.join('\n')}\n-----END OPENSSH PRIVATE KEY-----\n`;
}
function extractEd25519RawPublicKey(spki: Uint8Array): Uint8Array | null {
@@ -74,17 +76,64 @@ function extractEd25519RawPublicKey(spki: Uint8Array): Uint8Array | null {
return null;
}
function extractEd25519SeedFromPkcs8(pkcs8: Uint8Array): Uint8Array | null {
const prefix = new Uint8Array([0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20]);
const hasPrefix = pkcs8.length >= prefix.length + 32 && prefix.every((value, idx) => pkcs8[idx] === value);
if (hasPrefix) return pkcs8.slice(prefix.length, prefix.length + 32);
for (let i = 0; i <= pkcs8.length - 34; i += 1) {
if (pkcs8[i] === 0x04 && pkcs8[i + 1] === 0x20) {
return pkcs8.slice(i + 2, i + 34);
}
}
return null;
}
function buildOpenSshEd25519PrivateKey(seed: Uint8Array, rawPublic: Uint8Array, comment = ''): string {
const encoder = new TextEncoder();
const keyType = encoder.encode('ssh-ed25519');
const sshBlob = concatBytes(encodeSshString(keyType), encodeSshString(rawPublic));
const privateKey = concatBytes(seed, rawPublic);
const check = crypto.getRandomValues(new Uint8Array(4));
let privateBlock = concatBytes(
check,
check,
encodeSshString(keyType),
encodeSshString(rawPublic),
encodeSshString(privateKey),
encodeSshString(encoder.encode(comment))
);
const paddingLength = (8 - (privateBlock.length % 8)) % 8 || 8;
const padding = new Uint8Array(paddingLength);
for (let i = 0; i < paddingLength; i += 1) padding[i] = i + 1;
privateBlock = concatBytes(privateBlock, padding);
const authMagic = encoder.encode('openssh-key-v1\0');
const payload = concatBytes(
authMagic,
encodeSshString(encoder.encode('none')),
encodeSshString(encoder.encode('none')),
encodeSshString(new Uint8Array(0)),
encodeUint32(1),
encodeSshString(sshBlob),
encodeSshString(privateBlock)
);
return toOpenSshPrivateKeyPem(payload);
}
export async function generateDefaultSshKeyMaterial(): Promise<{ privateKey: string; publicKey: string; fingerprint: string }> {
const keyPair = await crypto.subtle.generateKey({ name: 'Ed25519' }, true, ['sign', 'verify']);
const pkcs8 = new Uint8Array(await crypto.subtle.exportKey('pkcs8', keyPair.privateKey));
const spki = new Uint8Array(await crypto.subtle.exportKey('spki', keyPair.publicKey));
const rawPublic = extractEd25519RawPublicKey(spki);
if (!rawPublic) throw new Error('Cannot export Ed25519 public key');
const seed = extractEd25519SeedFromPkcs8(pkcs8);
if (!seed) throw new Error('Cannot export Ed25519 private key');
const encoder = new TextEncoder();
const sshBlob = concatBytes(encodeSshString(encoder.encode('ssh-ed25519')), encodeSshString(rawPublic));
const publicKey = `ssh-ed25519 ${bytesToBase64(sshBlob)}`;
const privateKey = toPem('PRIVATE KEY', pkcs8);
const privateKey = buildOpenSshEd25519PrivateKey(seed, rawPublic);
const fingerprint = await computeSshFingerprint(publicKey);
return { privateKey, publicKey, fingerprint };
}
webapp/src/lib/types.ts
+36
View File
@@ -281,6 +281,11 @@ export interface VaultDraft {
export interface ListResponse<T> {
object: 'list';
data: T[];
total?: number;
limit?: number;
offset?: number;
hasMore?: boolean;
continuationToken?: string | null;
}
export interface WebBootstrapResponse {
@@ -344,6 +349,37 @@ export interface AdminInvite {
expiresAt?: string;
}
export type AuditLogCategory = 'auth' | 'security' | 'device' | 'data' | 'system';
export type AuditLogLevel = 'info' | 'warn' | 'error' | 'security';
export interface AuditLogEntry {
id: string;
actorUserId: string | null;
actorEmail?: string | null;
action: string;
category: AuditLogCategory;
level: AuditLogLevel;
targetType: string | null;
targetId: string | null;
targetUserEmail?: string | null;
metadata: string | null;
createdAt: string;
object?: 'auditLog';
}
export interface AuditLogSettings {
retentionDays: number | null;
maxEntries: number | null;
}
export interface AuditLogListResult {
logs: AuditLogEntry[];
total: number;
limit: number;
offset: number;
hasMore: boolean;
}
export interface AuthorizedDevice {
id: string;
name: string;
webapp/src/lib/vault-decrypt.ts
+69 -39
View File
@@ -1,5 +1,5 @@
import { base64ToBytes, decryptBw, decryptStr } from './crypto';
import { deriveSendKeyParts } from './app-support';
import { deriveSendKeyParts, looksLikeCipherString } from './app-support';
import type { Cipher, Folder, Send } from './types';
export interface DecryptVaultCoreArgs {
@@ -38,10 +38,34 @@ async function decryptField(
try {
return await decryptStr(value, enc, mac);
} catch {
return value;
return looksLikeCipherString(value) ? '' : value;
}
}
async function decryptCipherField(
value: string | null | undefined,
itemEnc: Uint8Array,
itemMac: Uint8Array,
userEnc: Uint8Array,
userMac: Uint8Array,
canFallbackToUserKey: boolean
): Promise<string> {
if (!value || typeof value !== 'string') return '';
try {
return await decryptStr(value, itemEnc, itemMac);
} catch {
// Try the legacy user-key path for mixed key/field ciphers.
}
if (canFallbackToUserKey) {
try {
return await decryptStr(value, userEnc, userMac);
} catch {
// Preserve the old raw fallback for fields that are genuinely unreadable.
}
}
return looksLikeCipherString(value) ? '' : value;
}
async function decryptFieldWithSource(
value: string | null | undefined,
itemEnc: Uint8Array,
@@ -64,7 +88,7 @@ async function decryptFieldWithSource(
// Keep plain fallback.
}
}
return { text: raw, source: 'plain' };
return { text: looksLikeCipherString(raw) ? '' : raw, source: 'plain' };
}
export async function decryptVaultCore(args: DecryptVaultCoreArgs): Promise<DecryptVaultCoreResult> {
@@ -82,32 +106,38 @@ export async function decryptVaultCore(args: DecryptVaultCoreArgs): Promise<Decr
args.ciphers.map(async (cipher) => {
let itemEnc = userEnc;
let itemMac = userMac;
let usesItemKey = false;
if (cipher.key) {
try {
const itemKey = await decryptBw(cipher.key, userEnc, userMac);
if (itemKey.length >= 64) {
itemEnc = itemKey.slice(0, 32);
itemMac = itemKey.slice(32, 64);
usesItemKey = true;
}
} catch {
// Keep user key fallback.
}
}
const itemUsesUserKey = sameBytes(itemEnc, userEnc) && sameBytes(itemMac, userMac);
const canFallbackToUserKey = usesItemKey;
const nextCipher: Cipher = {
...cipher,
decName: await decryptField(cipher.name || '', itemEnc, itemMac),
decNotes: await decryptField(cipher.notes || '', itemEnc, itemMac),
decName: await decryptCipherField(cipher.name || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decNotes: await decryptCipherField(cipher.notes || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
if (cipher.login) {
nextCipher.login = {
...cipher.login,
decUsername: await decryptField(cipher.login.username || '', itemEnc, itemMac),
decPassword: await decryptField(cipher.login.password || '', itemEnc, itemMac),
decTotp: await decryptField(cipher.login.totp || '', itemEnc, itemMac),
decUsername: await decryptCipherField(cipher.login.username || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPassword: await decryptCipherField(cipher.login.password || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decTotp: await decryptCipherField(cipher.login.totp || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
uris: await Promise.all(
(cipher.login.uris || []).map(async (uri) => ({
...uri,
decUri: await decryptField(uri.uri || '', itemEnc, itemMac),
decUri: await decryptCipherField(uri.uri || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
}))
),
};
@@ -117,7 +147,7 @@ export async function decryptVaultCore(args: DecryptVaultCoreArgs): Promise<Decr
nextCipher.passwordHistory = await Promise.all(
cipher.passwordHistory.map(async (entry) => ({
...entry,
decPassword: await decryptField(entry?.password || '', itemEnc, itemMac),
decPassword: await decryptCipherField(entry?.password || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
}))
);
}
@@ -125,36 +155,36 @@ export async function decryptVaultCore(args: DecryptVaultCoreArgs): Promise<Decr
if (cipher.card) {
nextCipher.card = {
...cipher.card,
decCardholderName: await decryptField(cipher.card.cardholderName || '', itemEnc, itemMac),
decNumber: await decryptField(cipher.card.number || '', itemEnc, itemMac),
decBrand: await decryptField(cipher.card.brand || '', itemEnc, itemMac),
decExpMonth: await decryptField(cipher.card.expMonth || '', itemEnc, itemMac),
decExpYear: await decryptField(cipher.card.expYear || '', itemEnc, itemMac),
decCode: await decryptField(cipher.card.code || '', itemEnc, itemMac),
decCardholderName: await decryptCipherField(cipher.card.cardholderName || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decNumber: await decryptCipherField(cipher.card.number || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decBrand: await decryptCipherField(cipher.card.brand || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decExpMonth: await decryptCipherField(cipher.card.expMonth || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decExpYear: await decryptCipherField(cipher.card.expYear || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCode: await decryptCipherField(cipher.card.code || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
}
if (cipher.identity) {
nextCipher.identity = {
...cipher.identity,
decTitle: await decryptField(cipher.identity.title || '', itemEnc, itemMac),
decFirstName: await decryptField(cipher.identity.firstName || '', itemEnc, itemMac),
decMiddleName: await decryptField(cipher.identity.middleName || '', itemEnc, itemMac),
decLastName: await decryptField(cipher.identity.lastName || '', itemEnc, itemMac),
decUsername: await decryptField(cipher.identity.username || '', itemEnc, itemMac),
decCompany: await decryptField(cipher.identity.company || '', itemEnc, itemMac),
decSsn: await decryptField(cipher.identity.ssn || '', itemEnc, itemMac),
decPassportNumber: await decryptField(cipher.identity.passportNumber || '', itemEnc, itemMac),
decLicenseNumber: await decryptField(cipher.identity.licenseNumber || '', itemEnc, itemMac),
decEmail: await decryptField(cipher.identity.email || '', itemEnc, itemMac),
decPhone: await decryptField(cipher.identity.phone || '', itemEnc, itemMac),
decAddress1: await decryptField(cipher.identity.address1 || '', itemEnc, itemMac),
decAddress2: await decryptField(cipher.identity.address2 || '', itemEnc, itemMac),
decAddress3: await decryptField(cipher.identity.address3 || '', itemEnc, itemMac),
decCity: await decryptField(cipher.identity.city || '', itemEnc, itemMac),
decState: await decryptField(cipher.identity.state || '', itemEnc, itemMac),
decPostalCode: await decryptField(cipher.identity.postalCode || '', itemEnc, itemMac),
decCountry: await decryptField(cipher.identity.country || '', itemEnc, itemMac),
decTitle: await decryptCipherField(cipher.identity.title || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decFirstName: await decryptCipherField(cipher.identity.firstName || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decMiddleName: await decryptCipherField(cipher.identity.middleName || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decLastName: await decryptCipherField(cipher.identity.lastName || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decUsername: await decryptCipherField(cipher.identity.username || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCompany: await decryptCipherField(cipher.identity.company || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decSsn: await decryptCipherField(cipher.identity.ssn || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPassportNumber: await decryptCipherField(cipher.identity.passportNumber || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decLicenseNumber: await decryptCipherField(cipher.identity.licenseNumber || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decEmail: await decryptCipherField(cipher.identity.email || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPhone: await decryptCipherField(cipher.identity.phone || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decAddress1: await decryptCipherField(cipher.identity.address1 || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decAddress2: await decryptCipherField(cipher.identity.address2 || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decAddress3: await decryptCipherField(cipher.identity.address3 || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCity: await decryptCipherField(cipher.identity.city || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decState: await decryptCipherField(cipher.identity.state || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPostalCode: await decryptCipherField(cipher.identity.postalCode || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decCountry: await decryptCipherField(cipher.identity.country || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
}
@@ -162,11 +192,11 @@ export async function decryptVaultCore(args: DecryptVaultCoreArgs): Promise<Decr
const encryptedFingerprint = cipher.sshKey.keyFingerprint || cipher.sshKey.fingerprint || '';
nextCipher.sshKey = {
...cipher.sshKey,
decPrivateKey: await decryptField(cipher.sshKey.privateKey || '', itemEnc, itemMac),
decPublicKey: await decryptField(cipher.sshKey.publicKey || '', itemEnc, itemMac),
decPrivateKey: await decryptCipherField(cipher.sshKey.privateKey || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decPublicKey: await decryptCipherField(cipher.sshKey.publicKey || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
keyFingerprint: encryptedFingerprint || null,
fingerprint: encryptedFingerprint || null,
decFingerprint: await decryptField(encryptedFingerprint, itemEnc, itemMac),
decFingerprint: await decryptCipherField(encryptedFingerprint, itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
};
}
@@ -174,8 +204,8 @@ export async function decryptVaultCore(args: DecryptVaultCoreArgs): Promise<Decr
nextCipher.fields = await Promise.all(
cipher.fields.map(async (field) => ({
...field,
decName: await decryptField(field.name || '', itemEnc, itemMac),
decValue: await decryptField(field.value || '', itemEnc, itemMac),
decName: await decryptCipherField(field.name || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
decValue: await decryptCipherField(field.value || '', itemEnc, itemMac, userEnc, userMac, canFallbackToUserKey),
}))
);
}
webapp/src/main.tsx
+2 -3
View File
@@ -16,6 +16,7 @@ const queryClient = new QueryClient({
});
const root = document.getElementById('root')!;
root.setAttribute('translate', 'no');
function renderApp(): void {
render(
@@ -26,8 +27,6 @@ function renderApp(): void {
);
}
renderApp();
void initI18n().then(() => {
void initI18n().finally(() => {
renderApp();
});
webapp/src/styles.css
+143 -9
View File
@@ -18,8 +18,6 @@
.dialog-card,
.card,
.list-panel,
.sidebar-block,
.settings-subcard,
.backup-operations-sidebar,
.backup-destination-sidebar,
.backup-detail-panel,
@@ -110,7 +108,6 @@
:root[data-theme='dark'] .dialog-card,
:root[data-theme='dark'] .card,
:root[data-theme='dark'] .list-panel,
:root[data-theme='dark'] .sidebar-block,
:root[data-theme='dark'] .settings-subcard,
:root[data-theme='dark'] .backup-operations-sidebar,
:root[data-theme='dark'] .backup-destination-sidebar,
@@ -423,7 +420,6 @@ h4 {
.dialog-card,
.card,
.list-panel,
.sidebar-block,
.settings-subcard,
.backup-operations-sidebar,
.backup-destination-sidebar,
@@ -659,6 +655,40 @@ h4 {
padding: 14px;
}
.route-stage,
.sidebar,
.list-panel,
.detail-col,
.log-list,
.card.log-detail-panel,
.domain-rules-table,
.route-stage-fixed {
scrollbar-gutter: stable;
}
.route-stage,
.sidebar {
margin-right: -4px;
padding-right: 4px;
}
.list-panel,
.detail-col {
margin-right: -4px;
padding-right: 12px;
}
.log-list,
.domain-rules-table {
margin-right: -4px;
padding-right: calc(0.125rem + 4px);
}
.card.log-detail-panel {
margin-right: -4px;
padding-right: 18px;
}
.card h4,
.settings-module h3,
.section-head h3,
@@ -687,11 +717,16 @@ h4 {
color: var(--muted);
}
.settings-modules-grid,
.import-export-panels,
.backup-grid,
.domain-rules-grid {
gap: 10px;
gap: 2px 10px;
}
.settings-modules-grid {
--settings-grid-gap: 10px;
gap: 2px var(--settings-grid-gap);
grid-template-columns: repeat(2, minmax(0, calc((100% - var(--settings-grid-gap)) / 2)));
}
.settings-module h3 {
@@ -793,7 +828,6 @@ h4 {
:root[data-theme='dark'] .dialog-card,
:root[data-theme='dark'] .card,
:root[data-theme='dark'] .list-panel,
:root[data-theme='dark'] .sidebar-block,
:root[data-theme='dark'] .settings-subcard,
:root[data-theme='dark'] .backup-operations-sidebar,
:root[data-theme='dark'] .backup-destination-sidebar,
@@ -889,6 +923,36 @@ h4 {
gap: 8px;
}
.route-stage,
.sidebar,
.list-panel,
.detail-col,
.log-list,
.card.log-detail-panel,
.domain-rules-table,
.route-stage-fixed {
margin-right: 0;
scrollbar-gutter: auto;
}
.route-stage,
.sidebar {
padding-right: 0;
}
.log-list,
.domain-rules-table {
padding-right: 0.125rem;
}
.card.log-detail-panel {
padding-right: 14px;
}
.settings-modules-grid {
grid-template-columns: minmax(0, 1fr);
}
.mobile-detail-sheet {
background: var(--panel-soft);
}
@@ -1089,7 +1153,6 @@ input[type='file'].input::file-selector-button {
padding: 12px;
border: 1px solid var(--line-soft);
border-radius: var(--radius-lg);
background: var(--panel-soft);
}
.invite-create-group {
@@ -1122,7 +1185,6 @@ input[type='file'].input::file-selector-button {
.invite-table th {
height: 42px;
padding: 9px 10px;
background: var(--panel-soft);
font-size: 13px;
font-weight: 800;
}
@@ -1236,3 +1298,75 @@ input[type='file'].input::file-selector-button {
grid-template-columns: 1fr auto 1fr;
}
}
/* Keep management routes mobile-first after the final polish layer overrides. */
@media (max-width: 1180px) {
.content,
.route-stage,
.stack,
.backup-grid {
min-width: 0;
max-width: 100%;
}
.route-stage {
overflow-x: hidden;
}
.backup-grid {
grid-template-columns: minmax(0, 1fr);
gap: 8px;
padding: 0;
}
.backup-operations-sidebar,
.backup-destination-sidebar,
.backup-detail-panel {
width: 100%;
}
}
@media (max-width: 760px) {
.table,
.table tbody,
.table tr,
.table td {
display: block;
width: 100%;
}
.table thead {
display: none;
}
.table {
border-spacing: 0;
}
.table tr {
margin-bottom: 10px;
padding: 10px 12px;
border: 1px solid var(--line);
border-radius: var(--radius-md);
}
.table td {
padding: 10px 0;
border-bottom: 1px solid var(--line-soft);
overflow-wrap: anywhere;
}
.table td:last-child {
padding-bottom: 0;
border-bottom: 0;
}
.table td::before {
display: block;
content: attr(data-label);
margin-bottom: 4px;
color: var(--muted);
font-size: 12px;
font-weight: 800;
}
}
webapp/src/styles/base.css
+13 -4
View File
@@ -36,9 +36,14 @@ body.dialog-open {
}
/* --- custom scrollbar --- */
* {
scrollbar-color: color-mix(in srgb, var(--muted) 34%, transparent) transparent;
scrollbar-width: thin;
}
::-webkit-scrollbar {
width: 6px;
height: 6px;
width: 10px;
height: 10px;
}
::-webkit-scrollbar-track {
@@ -46,12 +51,16 @@ body.dialog-open {
}
::-webkit-scrollbar-thumb {
background: color-mix(in srgb, var(--muted) 30%, transparent);
min-height: 44px;
border: 3px solid transparent;
border-radius: 999px;
background: color-mix(in srgb, var(--muted) 30%, transparent);
background-clip: content-box;
}
::-webkit-scrollbar-thumb:hover {
background: color-mix(in srgb, var(--muted) 50%, transparent);
background: color-mix(in srgb, var(--primary) 38%, var(--muted) 22%);
background-clip: content-box;
}
::-webkit-scrollbar-corner {
webapp/src/styles/dark.css
+34 -2
View File
@@ -151,11 +151,13 @@
/* ── dark mode scrollbar ── */
:root[data-theme='dark'] ::-webkit-scrollbar-thumb {
background: color-mix(in srgb, var(--muted) 24%, transparent);
background: color-mix(in srgb, var(--muted) 30%, transparent);
background-clip: content-box;
}
:root[data-theme='dark'] ::-webkit-scrollbar-thumb:hover {
background: color-mix(in srgb, var(--muted) 44%, transparent);
background: color-mix(in srgb, var(--primary) 40%, var(--muted) 22%);
background-clip: content-box;
}
/* ── dark mode backdrop-filter ── */
@@ -336,3 +338,33 @@
background: color-mix(in srgb, var(--primary) 18%, var(--panel));
color: var(--primary-strong);
}
:root[data-theme='dark'] .log-detail-head h3,
:root[data-theme='dark'] .log-row-main strong,
:root[data-theme='dark'] .log-detail-meta strong,
:root[data-theme='dark'] .log-detail-json dd,
:root[data-theme='dark'] .log-detail-json h4,
:root[data-theme='dark'] .log-pagination-count {
color: var(--text);
}
:root[data-theme='dark'] .log-row-main small,
:root[data-theme='dark'] .log-detail-meta span,
:root[data-theme='dark'] .log-detail-json dt {
color: var(--muted);
}
:root[data-theme='dark'] .log-row,
:root[data-theme='dark'] .log-detail-meta > div,
:root[data-theme='dark'] .log-detail-json dl > div,
:root[data-theme='dark'] .log-pagination-count {
background: var(--panel-muted);
border-color: var(--line);
color: var(--text);
}
:root[data-theme='dark'] .log-row:hover,
:root[data-theme='dark'] .log-row.active {
background: color-mix(in srgb, var(--primary) 12%, var(--panel));
border-color: color-mix(in srgb, var(--primary) 34%, var(--line));
}
webapp/src/styles/forms.css
+6 -4
View File
@@ -11,14 +11,15 @@
}
.input {
@apply h-12 w-full rounded-xl border px-3.5 py-2.5 text-base text-ink outline-none transition;
@apply h-12 w-full rounded-xl border px-3.5 py-2.5 text-base leading-normal text-ink outline-none transition;
background: var(--panel);
border-color: rgba(74, 103, 150, 0.34);
box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.82);
}
select.input {
@apply pr-[42px];
@apply py-0 pr-[42px];
line-height: 1.5;
appearance: none;
-webkit-appearance: none;
-moz-appearance: none;
@@ -103,13 +104,14 @@ input[type='file'].input::file-selector-button:hover {
}
.eye-btn {
@apply absolute bottom-2.5 right-2.5 grid h-8 w-8 cursor-pointer place-items-center border-0 bg-transparent text-slate-700 transition;
@apply absolute right-2.5 top-1/2 grid h-8 w-8 cursor-pointer place-items-center border-0 bg-transparent text-slate-700 transition;
transform: translateY(-50%);
}
.password-toggle:hover,
.eye-btn:hover {
color: var(--primary);
transform: translateY(-1px) scale(1.04);
transform: translateY(-50%) scale(1.04);
}
.btn {
webapp/src/styles/management.css
+591 -3
View File
@@ -425,7 +425,7 @@
}
.totp-grid {
@apply mb-3.5 grid gap-3.5;
@apply grid gap-3.5;
grid-template-columns: 220px 1fr;
}
@@ -497,12 +497,542 @@
}
.settings-modules-grid {
@apply grid gap-3;
--settings-grid-gap: 12px;
@apply grid;
gap: var(--settings-grid-gap);
grid-template-columns: repeat(2, minmax(0, calc((100% - var(--settings-grid-gap)) / 2)));
}
.log-center-page {
@apply grid h-full min-h-0 gap-3;
height: 100%;
max-height: 100%;
grid-template-rows: auto minmax(0, 1fr);
overflow: hidden;
}
.card.log-center-toolbar {
@apply relative;
margin-bottom: 0;
}
.log-mobile-subhead {
display: none;
}
.log-detail-head h3 {
@apply m-0 text-base font-extrabold;
color: #0f172a;
}
.log-filter-form {
@apply grid items-end gap-3;
grid-template-columns: minmax(260px, 1.5fr) repeat(3, minmax(150px, 0.66fr)) auto;
}
.log-filter-form .field {
@apply mb-0;
}
.log-filter-form .input,
.log-filter-form .btn {
min-height: 42px;
}
.log-search-field {
@apply min-w-0;
}
.input-leading-icon {
@apply pointer-events-none absolute left-3 top-1/2 -translate-y-1/2;
color: #64748b;
}
.log-search-input {
padding-left: 2.25rem;
}
.log-filter-actions {
@apply flex-nowrap items-end;
align-self: end;
}
.log-filter-actions .btn {
white-space: nowrap;
}
.log-settings-popover {
@apply absolute right-3 z-30 grid gap-3 rounded-xl border p-3;
top: calc(100% + 8px);
width: min(390px, calc(100vw - 32px));
border-color: var(--line);
background: #ffffff;
box-shadow: 0 18px 44px rgba(15, 23, 42, 0.16);
}
.log-settings-popover-head {
@apply mb-0;
}
.log-settings-popover-head h3 {
@apply m-0 text-base font-extrabold;
color: #0f172a;
}
.log-settings-mode {
@apply grid rounded-lg p-1;
grid-template-columns: repeat(2, minmax(0, 1fr));
background: #f1f5f9;
}
.log-mode-option {
@apply h-9 cursor-pointer rounded-md border-0 px-2 text-sm font-extrabold;
background: transparent;
color: #475569;
transition: background 0.15s ease, color 0.15s ease, box-shadow 0.15s ease;
}
.log-mode-option.active {
background: #ffffff;
color: #1d4ed8;
box-shadow: 0 1px 4px rgba(15, 23, 42, 0.12);
}
.log-mode-option:disabled {
cursor: not-allowed;
opacity: 0.58;
}
.log-settings-retention-block {
@apply grid gap-1.5;
}
.log-settings-label {
@apply block text-[13px] font-bold;
color: var(--muted-strong);
}
.log-settings-retention-row {
@apply grid items-center gap-2.5;
grid-template-columns: minmax(0, 1fr) 82px;
}
.log-settings-retention-row .input {
width: 100%;
min-width: 0;
height: 42px;
min-height: 42px;
}
.log-settings-save-btn.btn {
width: 82px;
height: 42px;
min-height: 42px;
align-self: center;
justify-content: center;
padding-inline: 10px;
white-space: nowrap;
transform: none;
}
.log-settings-save-btn.btn:hover:not(:disabled),
.log-settings-save-btn.btn:active:not(:disabled) {
transform: none;
}
.log-settings-danger {
@apply grid gap-2 border-t pt-3;
border-color: var(--line);
}
.log-settings-danger p {
@apply m-0 text-sm font-semibold leading-5;
color: #7f1d1d;
}
.ghost-danger {
@apply w-full justify-center;
}
.log-clear-confirm-actions {
@apply grid grid-cols-2;
}
.log-center-grid {
@apply grid min-h-0 items-stretch gap-3;
height: 100%;
max-height: 100%;
grid-template-columns: repeat(2, minmax(0, 1fr));
overflow: hidden;
}
.card.log-list-panel,
.card.log-detail-panel {
height: 100%;
max-height: 100%;
margin-bottom: 0;
min-height: 0;
min-width: 0;
}
.card.log-list-panel {
display: grid;
grid-template-rows: auto minmax(0, 1fr) auto;
overflow: hidden;
}
.card.log-detail-panel {
overflow: auto;
overscroll-behavior: contain;
-webkit-overflow-scrolling: touch;
touch-action: pan-y;
}
.log-list {
@apply grid content-start gap-2 overflow-auto pr-0.5;
min-height: 0;
overscroll-behavior: contain;
-webkit-overflow-scrolling: touch;
touch-action: pan-y;
}
.log-list-panel > .section-head,
.log-pagination {
flex-shrink: 0;
}
.log-row {
@apply grid w-full cursor-pointer items-center gap-3 rounded-xl p-3 text-left;
grid-template-columns: auto minmax(0, 1fr) auto;
border: 1px solid var(--line);
background: #ffffff;
transition: border-color 0.15s ease, background 0.15s ease, box-shadow 0.15s ease;
}
.log-row:hover,
.log-row.active {
border-color: #93c5fd;
background: #f8fbff;
box-shadow: 0 10px 22px rgba(37, 99, 235, 0.08);
}
.log-row-icon {
@apply flex h-9 w-9 items-center justify-center rounded-xl;
}
.log-category-auth {
background: #eff6ff;
color: #1d4ed8;
}
.log-category-security {
background: #fff1f2;
color: #be123c;
}
.log-category-device {
background: #ecfdf5;
color: #047857;
}
.log-category-data {
background: #f5f3ff;
color: #6d28d9;
}
.log-category-system {
background: #f8fafc;
color: #475467;
}
.log-row-main {
@apply grid min-w-0 gap-1;
}
.log-row-main strong {
@apply truncate text-sm;
color: #0f172a;
}
.log-row-main small {
@apply text-xs;
color: #64748b;
}
.log-level-pill {
@apply inline-flex whitespace-nowrap rounded-full px-2.5 py-1 text-xs font-extrabold;
}
.log-level-info {
background: #eef4ff;
color: #1d4ed8;
}
.log-level-warn {
background: #fff7ed;
color: #c2410c;
}
.log-level-error {
background: #fef2f2;
color: #b91c1c;
}
.log-level-security {
background: #fff1f2;
color: #be123c;
}
.log-pagination {
@apply mt-3 items-center justify-between;
}
.log-pagination-count {
@apply inline-flex min-w-24 items-center justify-center rounded-full px-3 py-1.5 text-sm font-extrabold;
border: 1px solid var(--line);
background: #f8fafc;
color: #0f172a;
}
.log-detail-meta {
@apply grid gap-2;
}
.log-detail-meta > div,
.log-detail-json dl > div {
@apply grid gap-1 rounded-xl px-3 py-2.5;
border: 1px solid var(--line);
background: #f8fafc;
}
.log-detail-meta span,
.log-detail-json dt {
@apply text-xs font-bold uppercase;
color: #64748b;
}
.log-detail-meta strong,
.log-detail-json dd {
@apply m-0 min-w-0 text-sm font-semibold;
color: #0f172a;
overflow-wrap: anywhere;
}
.log-detail-json {
@apply mt-3 grid gap-2;
}
.log-detail-json h4 {
@apply m-0 text-sm font-extrabold;
color: #0f172a;
}
.log-detail-json dl {
@apply m-0 grid gap-2;
}
@media (max-width: 1120px) {
.log-filter-form {
grid-template-columns: repeat(2, minmax(0, 1fr));
}
.log-filter-actions {
@apply col-span-2;
}
.log-center-grid {
grid-template-columns: 1fr;
grid-template-rows: repeat(2, minmax(220px, 1fr));
}
}
@media (max-width: 760px) {
.route-stage-log-fixed {
overflow: hidden;
}
.log-center-page {
gap: 8px;
grid-template-rows: auto auto minmax(0, 1fr);
}
.log-center-page.log-mobile-detail-open {
grid-template-rows: auto minmax(0, 1fr);
}
.log-mobile-subhead {
display: flex;
align-items: center;
gap: 8px;
justify-content: flex-end;
min-height: 38px;
flex-shrink: 0;
padding-top: 2px;
}
.log-mobile-subhead .mobile-settings-back {
margin-right: auto;
}
.log-mobile-settings-trigger {
width: 42px;
height: 38px;
justify-content: center;
padding: 0;
}
.log-mobile-settings-trigger .btn-icon {
margin: 0;
}
.log-mobile-detail-open .log-mobile-settings-trigger {
display: none;
}
.card.log-center-toolbar {
padding: 10px 12px;
}
.log-mobile-detail-open .card.log-center-toolbar {
display: none;
}
.log-filter-form {
gap: 6px;
grid-template-columns: repeat(3, minmax(0, 1fr));
}
.log-filter-actions {
display: none;
}
.log-search-field > span {
position: absolute;
width: 1px;
height: 1px;
margin: -1px;
padding: 0;
overflow: hidden;
clip: rect(0, 0, 0, 0);
white-space: nowrap;
border: 0;
}
.log-search-field {
grid-column: 1 / -1;
}
.log-filter-form .field {
margin-bottom: 0;
min-width: 0;
}
.log-filter-form > .field:not(.log-search-field) > span {
position: absolute;
width: 1px;
height: 1px;
margin: -1px;
padding: 0;
overflow: hidden;
clip: rect(0, 0, 0, 0);
white-space: nowrap;
border: 0;
}
.log-filter-form .input {
min-height: 40px;
height: 40px;
width: 100%;
min-width: 0;
font-size: 13px;
padding-inline: 9px 26px;
}
.log-search-input {
font-size: 14px;
padding-left: 2.15rem;
padding-right: 10px;
}
.log-filter-form select.input {
text-overflow: ellipsis;
}
.log-center-grid {
grid-template-columns: minmax(0, 1fr);
grid-template-rows: minmax(0, 1fr);
}
.card.log-list-panel {
grid-template-rows: minmax(0, 1fr);
padding: 8px;
}
.log-list-panel > .section-head,
.log-pagination {
display: none;
}
.card.log-detail-panel {
display: none;
}
.log-mobile-detail-open .card.log-list-panel {
display: none;
}
.log-mobile-detail-open .card.log-detail-panel {
display: block;
height: 100%;
max-height: 100%;
overflow: auto;
padding: 10px 12px 14px;
}
.log-settings-popover {
@apply static mt-3 w-full;
}
.log-settings-retention-row {
grid-template-columns: minmax(0, 1fr) 82px;
}
.log-row {
min-height: 66px;
gap: 12px;
grid-template-columns: 38px minmax(0, 1fr) auto;
padding: 10px 12px;
}
.log-row .log-level-pill {
grid-column: auto;
justify-self: end;
}
.log-row-icon {
width: 38px;
height: 38px;
border-radius: 12px;
}
.log-row-main {
justify-items: center;
text-align: center;
}
.log-row-main strong {
max-width: 100%;
font-size: 14px;
}
.log-row-main small {
font-size: 12px;
}
}
.settings-module {
@apply min-w-0;
width: 100%;
}
.sensitive-actions-module {
@@ -517,6 +1047,21 @@
color: var(--text);
}
.settings-module-head {
@apply mb-[5px] flex items-center justify-between gap-3;
}
.settings-module-head h3 {
@apply m-0;
}
.totp-status-pill {
@apply inline-flex min-h-8 shrink-0 items-center gap-1.5 rounded-full px-3 text-sm font-extrabold;
border: 1px solid color-mix(in srgb, var(--success) 26%, var(--line));
background: color-mix(in srgb, var(--success) 9%, var(--panel));
color: var(--success);
}
.settings-module-placeholder {
@apply flex min-h-[150px] flex-col items-center justify-center gap-3 text-base font-extrabold;
color: var(--muted);
@@ -536,7 +1081,7 @@
}
.sensitive-actions-grid {
@apply grid gap-3;
@apply grid gap-[3px];
}
.sensitive-action {
@@ -868,6 +1413,49 @@
color: #667085;
}
.authorized-devices-table {
table-layout: fixed;
}
.authorized-devices-col-device {
width: 28%;
}
.authorized-devices-col-type {
width: 7%;
}
.authorized-devices-col-status {
width: 6%;
}
.authorized-devices-col-date {
width: 11%;
}
.authorized-devices-col-trust {
width: 11%;
}
.authorized-devices-col-actions {
width: 26%;
}
.authorized-devices-table td:first-child {
overflow-wrap: anywhere;
}
.authorized-devices-actions {
flex-wrap: nowrap;
gap: 6px;
}
.authorized-devices-actions .btn.small {
flex: 0 0 auto;
padding-inline: 8px;
white-space: nowrap;
}
.input.small {
@apply w-[120px];
}
webapp/src/styles/responsive.css
+18
View File
@@ -855,6 +855,22 @@
line-height: 1.25;
}
.settings-module-head {
margin-bottom: 8px;
align-items: center;
gap: 8px;
}
.settings-module-head h3 {
margin: 0;
}
.totp-status-pill {
min-height: 30px;
padding: 0 10px;
font-size: 13px;
}
.settings-module .field,
.auth-card .field {
margin-bottom: 8px;
@@ -882,6 +898,8 @@
}
.settings-module select.input {
padding-top: 0;
padding-bottom: 0;
padding-right: 30px;
background-position:
calc(100% - 15px) calc(50% - 3px),
webapp/src/styles/shell.css
+6
View File
@@ -316,6 +316,12 @@
overflow: hidden;
}
.route-stage-log-fixed {
display: grid;
grid-template-rows: minmax(0, 1fr);
overflow: hidden;
}
.mobile-sidebar-mask {
@apply pointer-events-none invisible fixed inset-0 opacity-0;
background: rgba(15, 23, 42, 0.36);
wrangler.kv.toml
+11
View File
@@ -2,6 +2,9 @@ name = "nodewarden"
main = "src/index.ts"
compatibility_date = "2024-01-01"
[build]
command = "npm run build"
[assets]
binding = "ASSETS"
directory = "./dist"
@@ -19,9 +22,17 @@ database_name = "nodewarden-db"
name = "NOTIFICATIONS_HUB"
class_name = "NotificationsHub"
[[durable_objects.bindings]]
name = "BACKUP_TRANSFER_RUNNER"
class_name = "BackupTransferRunner"
[[kv_namespaces]]
binding = "ATTACHMENTS_KV"
[[migrations]]
tag = "v1-notifications-hub"
new_sqlite_classes = [ "NotificationsHub" ]
[[migrations]]
tag = "v2-backup-transfer-runner"
new_sqlite_classes = [ "BackupTransferRunner" ]
wrangler.toml
+11
View File
@@ -2,6 +2,9 @@ name = "nodewarden"
main = "src/index.ts"
compatibility_date = "2024-01-01"
[build]
command = "npm run build"
[assets]
binding = "ASSETS"
directory = "./dist"
@@ -19,6 +22,10 @@ database_name = "nodewarden-db"
name = "NOTIFICATIONS_HUB"
class_name = "NotificationsHub"
[[durable_objects.bindings]]
name = "BACKUP_TRANSFER_RUNNER"
class_name = "BackupTransferRunner"
[[r2_buckets]]
binding = "ATTACHMENTS"
bucket_name = "nodewarden-attachments"
@@ -26,3 +33,7 @@ bucket_name = "nodewarden-attachments"
[[migrations]]
tag = "v1-notifications-hub"
new_sqlite_classes = [ "NotificationsHub" ]
[[migrations]]
tag = "v2-backup-transfer-runner"
new_sqlite_classes = [ "BackupTransferRunner" ]