import path from "node:path"; import { normalizeDeviceBootstrapProfile, PAIRING_SETUP_BOOTSTRAP_PROFILE, sameDeviceBootstrapProfile, type DeviceBootstrapProfile, type DeviceBootstrapProfileInput, } from "../shared/device-bootstrap-profile.js"; import { resolvePairingPaths } from "./pairing-files.js"; import { createAsyncLock, pruneExpiredPending, readJsonFile, writeJsonAtomic, } from "./pairing-files.js"; import { generatePairingToken, verifyPairingToken } from "./pairing-token.js"; export const DEVICE_BOOTSTRAP_TOKEN_TTL_MS = 10 * 60 * 1000; export type DeviceBootstrapTokenRecord = { token: string; ts: number; deviceId?: string; publicKey?: string; profile?: DeviceBootstrapProfile; roles?: string[]; scopes?: string[]; issuedAtMs: number; lastUsedAtMs?: number; }; type DeviceBootstrapStateFile = Record; const withLock = createAsyncLock(); function resolveBootstrapPath(baseDir?: string): string { return path.join(resolvePairingPaths(baseDir, "devices").dir, "bootstrap.json"); } function resolvePersistedBootstrapProfile( record: Partial, ): DeviceBootstrapProfile { return normalizeDeviceBootstrapProfile(record.profile ?? record); } function resolveIssuedBootstrapProfile(params: { profile?: DeviceBootstrapProfileInput; roles?: readonly string[]; scopes?: readonly string[]; }): DeviceBootstrapProfile { if (params.profile) { return normalizeDeviceBootstrapProfile(params.profile); } if (params.roles || params.scopes) { return normalizeDeviceBootstrapProfile({ roles: params.roles, scopes: params.scopes, }); } return PAIRING_SETUP_BOOTSTRAP_PROFILE; } async function loadState(baseDir?: string): Promise { const bootstrapPath = resolveBootstrapPath(baseDir); const rawState = (await readJsonFile(bootstrapPath)) ?? {}; const state: DeviceBootstrapStateFile = {}; if (!rawState || typeof rawState !== "object" || Array.isArray(rawState)) { return state; } for (const [tokenKey, entry] of Object.entries(rawState)) { if (!entry || typeof entry !== "object" || Array.isArray(entry)) { continue; } const record = entry as Partial; const token = typeof record.token === "string" && record.token.trim().length > 0 ? record.token : tokenKey; const issuedAtMs = typeof record.issuedAtMs === "number" ? record.issuedAtMs : 0; const profile = resolvePersistedBootstrapProfile(record); state[tokenKey] = { token, profile, deviceId: typeof record.deviceId === "string" ? record.deviceId : undefined, publicKey: typeof record.publicKey === "string" ? record.publicKey : undefined, issuedAtMs, ts: typeof record.ts === "number" ? record.ts : issuedAtMs, lastUsedAtMs: typeof record.lastUsedAtMs === "number" ? record.lastUsedAtMs : undefined, }; } pruneExpiredPending(state, Date.now(), DEVICE_BOOTSTRAP_TOKEN_TTL_MS); return state; } async function persistState(state: DeviceBootstrapStateFile, baseDir?: string): Promise { const bootstrapPath = resolveBootstrapPath(baseDir); await writeJsonAtomic(bootstrapPath, state); } export async function issueDeviceBootstrapToken( params: { baseDir?: string; profile?: DeviceBootstrapProfileInput; roles?: readonly string[]; scopes?: readonly string[]; } = {}, ): Promise<{ token: string; expiresAtMs: number }> { return await withLock(async () => { const state = await loadState(params.baseDir); const token = generatePairingToken(); const issuedAtMs = Date.now(); const profile = resolveIssuedBootstrapProfile(params); state[token] = { token, ts: issuedAtMs, profile, issuedAtMs, }; await persistState(state, params.baseDir); return { token, expiresAtMs: issuedAtMs + DEVICE_BOOTSTRAP_TOKEN_TTL_MS }; }); } export async function clearDeviceBootstrapTokens( params: { baseDir?: string; } = {}, ): Promise<{ removed: number }> { return await withLock(async () => { const state = await loadState(params.baseDir); const removed = Object.keys(state).length; await persistState({}, params.baseDir); return { removed }; }); } export async function revokeDeviceBootstrapToken(params: { token: string; baseDir?: string; }): Promise<{ removed: boolean }> { return await withLock(async () => { const providedToken = params.token.trim(); if (!providedToken) { return { removed: false }; } const state = await loadState(params.baseDir); const found = Object.entries(state).find(([, candidate]) => verifyPairingToken(providedToken, candidate.token), ); if (!found) { return { removed: false }; } delete state[found[0]]; await persistState(state, params.baseDir); return { removed: true }; }); } export async function verifyDeviceBootstrapToken(params: { token: string; deviceId: string; publicKey: string; role: string; scopes: readonly string[]; baseDir?: string; }): Promise<{ ok: true } | { ok: false; reason: string }> { return await withLock(async () => { const state = await loadState(params.baseDir); const providedToken = params.token.trim(); if (!providedToken) { return { ok: false, reason: "bootstrap_token_invalid" }; } const found = Object.entries(state).find(([, candidate]) => verifyPairingToken(providedToken, candidate.token), ); if (!found) { return { ok: false, reason: "bootstrap_token_invalid" }; } const [tokenKey, record] = found; const deviceId = params.deviceId.trim(); const publicKey = params.publicKey.trim(); const role = params.role.trim(); if (!deviceId || !publicKey || !role) { return { ok: false, reason: "bootstrap_token_invalid" }; } const requestedProfile = normalizeDeviceBootstrapProfile({ roles: [role], scopes: params.scopes, }); const allowedProfile = resolvePersistedBootstrapProfile(record); // Fail closed for unbound legacy setup codes and for any attempt to redeem // the token outside the exact role/scope profile it was issued for. if ( allowedProfile.roles.length === 0 || !sameDeviceBootstrapProfile(requestedProfile, allowedProfile) ) { return { ok: false, reason: "bootstrap_token_invalid" }; } // Bootstrap setup codes are single-use. Consume the record before returning // success so the same token cannot be replayed to mutate a pending request. delete state[tokenKey]; await persistState(state, params.baseDir); return { ok: true }; }); }