src/apppasswords.js

'use strict';

exports = module.exports = {
    get,
    add,
    list,
    del,

    removePrivateFields
};

const assert = require('node:assert'),
    BoxError = require('./boxerror.js'),
    crypto = require('node:crypto'),
    database = require('./database.js'),
    hat = require('./hat.js'),
    safe = require('safetydance'),
    _ = require('./underscore.js');

const APP_PASSWORD_FIELDS = [ 'id', 'name', 'userId', 'identifier', 'hashedPassword', 'creationTime', 'expiresAt' ].join(',');

function validateAppPasswordName(name) {
    assert.strictEqual(typeof name, 'string');

    if (name.length < 1) return new BoxError(BoxError.BAD_FIELD, 'name must be atleast 1 char');
    if (name.length >= 200) return new BoxError(BoxError.BAD_FIELD, 'name too long');

    return null;
}

function removePrivateFields(appPassword) {
    return _.pick(appPassword, ['id', 'name', 'userId', 'identifier', 'creationTime', 'expiresAt']);
}

async function get(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query('SELECT ' + APP_PASSWORD_FIELDS + ' FROM appPasswords WHERE id = ?', [ id ]);
    if (result.length === 0) return null;
    return result[0];
}

async function add(userId, identifier, name, expiresAt) {
    assert.strictEqual(typeof userId, 'string');
    assert.strictEqual(typeof identifier, 'string');
    assert.strictEqual(typeof name, 'string');
    assert(expiresAt === null || typeof expiresAt === 'string');

    let error = validateAppPasswordName(name);
    if (error) throw error;

    if (identifier.length < 1) throw new BoxError(BoxError.BAD_FIELD, 'identifier must be atleast 1 char');

    const password = hat(16 * 4);
    const hashedPassword = crypto.createHash('sha256').update(password).digest('base64');

    const appPassword = {
        id: 'uid-' + crypto.randomUUID(),
        name,
        userId,
        identifier,
        password,
        hashedPassword,
        expiresAt
    };

    const query = 'INSERT INTO appPasswords (id, userId, identifier, name, hashedPassword, expiresAt) VALUES (?, ?, ?, ?, ?, ?)';
    const args = [ appPassword.id, appPassword.userId, appPassword.identifier, appPassword.name, appPassword.hashedPassword, appPassword.expiresAt ? new Date(appPassword.expiresAt) : null ];

    [error] = await safe(database.query(query, args));
    if (error && error.sqlCode === 'ER_DUP_ENTRY' && error.sqlMessage.indexOf('appPasswords_name_userId_identifier') !== -1) throw new BoxError(BoxError.ALREADY_EXISTS, 'name/app combination already exists');
    if (error && error.sqlCode === 'ER_NO_REFERENCED_ROW_2' && error.sqlMessage.indexOf('userId')) throw new BoxError(BoxError.NOT_FOUND, 'user not found');
    if (error) throw error;

    return { id: appPassword.id, password: appPassword.password };
}

async function list(userId) {
    assert.strictEqual(typeof userId, 'string');

    return await database.query('SELECT ' + APP_PASSWORD_FIELDS + ' FROM appPasswords WHERE userId = ?', [ userId ]);
}

async function del(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query('DELETE FROM appPasswords WHERE id = ?', [ id ]);
    if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'password not found');
}
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`'use strict';`

			`exports = module.exports = {`
			`get,`
			`add,`
			`list,`
			`del,`

			`removePrivateFields`
			`};`

use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`const assert = require('node:assert'),`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`BoxError = require('./boxerror.js'),`
use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`crypto = require('node:crypto'),`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`database = require('./database.js'),`
			`hat = require('./hat.js'),`
			`safe = require('safetydance'),`
replace underscore with our own we only need like 5 simple functions 2025-02-13 14:03:25 +01:00			`_ = require('./underscore.js');`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00
appPassword: add expiry 2026-02-12 12:58:50 +01:00			`const APP_PASSWORD_FIELDS = [ 'id', 'name', 'userId', 'identifier', 'hashedPassword', 'creationTime', 'expiresAt' ].join(',');`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00
			`function validateAppPasswordName(name) {`
			`assert.strictEqual(typeof name, 'string');`

			`if (name.length < 1) return new BoxError(BoxError.BAD_FIELD, 'name must be atleast 1 char');`
			`if (name.length >= 200) return new BoxError(BoxError.BAD_FIELD, 'name too long');`

			`return null;`
			`}`

			`function removePrivateFields(appPassword) {`
appPassword: add expiry 2026-02-12 12:58:50 +01:00			`return _.pick(appPassword, ['id', 'name', 'userId', 'identifier', 'creationTime', 'expiresAt']);`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`}`

			`async function get(id) {`
			`assert.strictEqual(typeof id, 'string');`

			`const result = await database.query('SELECT ' + APP_PASSWORD_FIELDS + ' FROM appPasswords WHERE id = ?', [ id ]);`
			`if (result.length === 0) return null;`
			`return result[0];`
			`}`

appPassword: add expiry 2026-02-12 12:58:50 +01:00			`async function add(userId, identifier, name, expiresAt) {`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`assert.strictEqual(typeof userId, 'string');`
			`assert.strictEqual(typeof identifier, 'string');`
			`assert.strictEqual(typeof name, 'string');`
appPassword: add expiry 2026-02-12 12:58:50 +01:00			`assert(expiresAt === null \|\| typeof expiresAt === 'string');`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00
			`let error = validateAppPasswordName(name);`
			`if (error) throw error;`

			`if (identifier.length < 1) throw new BoxError(BoxError.BAD_FIELD, 'identifier must be atleast 1 char');`

			`const password = hat(16 * 4);`
			`const hashedPassword = crypto.createHash('sha256').update(password).digest('base64');`

			`const appPassword = {`
remove uuid module built into node.js now 2025-07-28 12:53:27 +02:00			`id: 'uid-' + crypto.randomUUID(),`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`name,`
			`userId,`
			`identifier,`
			`password,`
appPassword: add expiry 2026-02-12 12:58:50 +01:00			`hashedPassword,`
			`expiresAt`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`};`

appPassword: add expiry 2026-02-12 12:58:50 +01:00			`const query = 'INSERT INTO appPasswords (id, userId, identifier, name, hashedPassword, expiresAt) VALUES (?, ?, ?, ?, ?, ?)';`
			`const args = [ appPassword.id, appPassword.userId, appPassword.identifier, appPassword.name, appPassword.hashedPassword, appPassword.expiresAt ? new Date(appPassword.expiresAt) : null ];`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00
			`[error] = await safe(database.query(query, args));`
code -> sqlCode 2025-09-29 11:55:15 +02:00			`if (error && error.sqlCode === 'ER_DUP_ENTRY' && error.sqlMessage.indexOf('appPasswords_name_userId_identifier') !== -1) throw new BoxError(BoxError.ALREADY_EXISTS, 'name/app combination already exists');`
			`if (error && error.sqlCode === 'ER_NO_REFERENCED_ROW_2' && error.sqlMessage.indexOf('userId')) throw new BoxError(BoxError.NOT_FOUND, 'user not found');`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`if (error) throw error;`

			`return { id: appPassword.id, password: appPassword.password };`
			`}`

			`async function list(userId) {`
			`assert.strictEqual(typeof userId, 'string');`

			`return await database.query('SELECT ' + APP_PASSWORD_FIELDS + ' FROM appPasswords WHERE userId = ?', [ userId ]);`
			`}`

			`async function del(id) {`
			`assert.strictEqual(typeof id, 'string');`

			`const result = await database.query('DELETE FROM appPasswords WHERE id = ?', [ id ]);`
			`if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'password not found');`
			`}`