Conversation
- Add src/lib/auth.ts core module (generateToken, hashToken, verifyToken with timingSafeEqual, parseDuration, parseCookies, createRateLimiter)
- Add src/middleware.ts for Next.js request authentication
- Add auth API routes (login, logout, status)
- Add login page with i18n, rate limit display, and redirect logic
- Add WebSocket authentication via Cookie header in ws-server.ts
- Add HTTPS support in server.ts with certificate validation
- Add CLI options: --auth, --auth-expire, --cert, --key, --allow-http
- Add LogoutButton component in sidebar (desktop + mobile drawer)
- Add auth i18n namespace (en/ja)
- Update .env.example with auth/HTTPS documentation
- All 89 new tests pass (unit + integration)
- All 3724 existing unit tests pass

Resolves #331

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Apply DRY, readability, and maintainability improvements to Issue #331 code:

- Extract buildAuthCookieOptions() to centralize cookie security settings (login/logout DRY)
- Extract isHttpsEnabled() helper for CM_HTTPS_CERT environment check
- Extract DEFAULT_COOKIE_MAX_AGE_SECONDS constant (remove magic number 86400)
- Extract MS_PER_MINUTE/MS_PER_HOUR/MS_PER_DAY time constants (eliminate magic numbers)
- Replace switch-case in parseDuration() with data-driven unitMultipliers lookup
- Simplify rate limiter cleanup condition (remove redundant null check)
- Remove dead code (empty if-body) in daemon.ts auth env forwarding
- Add 'as const' to authEnvKeys array in daemon.ts for type narrowing
- Extract displayAuthToken() in start.ts (remove duplicated token display logic)
- Extract isExpectedWebSocketError() in ws-server.ts (remove duplicated error patterns)
- Add JSDoc to getClientIp(), displayAuthToken(), isExpectedWebSocketError()
- Add AuthCookieOptions interface with C001 constraint documentation

Security constraints maintained:

- S001: crypto.timingSafeEqual() for token verification
- S002: AUTH_EXCLUDED_PATHS exact match (===)
- C001: No Next.js module dependencies in auth.ts

Quality: tsc 0 errors, ESLint 0 errors, 3724/3724 tests pass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add Quick Start section for token auth + HTTPS to security-guide.md
- Add mkcert certificate generation instructions for macOS and Linux
- Add Linux CA certificate distribution procedures
- Update Security Checklist with built-in auth options
- Update Migration from CM_AUTH_TOKEN section (--auth warning note)
- Add src/lib/auth.ts and src/middleware.ts to CLAUDE.md module list

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add design policy: issue-331-token-auth-design-policy.md
- Add multi-stage design review reports (stage1-4)
- Add multi-stage issue review reports
- Add work plan: work-plan.md
- Add pm-auto-dev iteration-1 reports

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
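The commit messages above name a `parseDuration()` rewritten around a `unitMultipliers` lookup, `MS_PER_*` constants, and a `createRateLimiter()` whose cleanup condition was simplified. The following is an added TypeScript example that is not the project's code and not taken from any of these commits; it shows one way those pieces fit together. The limiter's API (`check`/`reset`/`size`), the fixed-window policy, the `retryAfterMs` field, and the `s`/`m`/`h`/`d` suffixes are assumptions, since the page does not show the real signatures.

```typescript
// Added example, not the project's code: the duration parser and login rate
// limiter in the shape the commit messages describe (unitMultipliers lookup,
// MS_PER_* constants, lazy cleanup of expired entries).
const MS_PER_SECOND = 1000;
const MS_PER_MINUTE = 60 * MS_PER_SECOND;
const MS_PER_HOUR = 60 * MS_PER_MINUTE;
const MS_PER_DAY = 24 * MS_PER_HOUR;

// Data-driven replacement for a switch-case. Suffixes s/m/h/d are an assumption.
const unitMultipliers: Record<string, number> = {
  s: MS_PER_SECOND,
  m: MS_PER_MINUTE,
  h: MS_PER_HOUR,
  d: MS_PER_DAY,
};

/** "30m" -> 1800000 (ms). Returns null for anything not of the form <digits><unit>. */
export function parseDuration(input: string): number | null {
  const match = /^(\d+)([a-z])$/.exec(input.trim().toLowerCase());
  if (!match) return null;
  const multiplier = unitMultipliers[match[2] ?? ""];
  if (multiplier === undefined) return null; // unknown unit, e.g. "10x"
  return Number(match[1]) * multiplier;
}

export interface RateLimitResult {
  allowed: boolean;
  remaining: number;    // attempts left in the current window
  retryAfterMs: number; // > 0 only when locked out; drives a login-page countdown
}

export interface RateLimiter {
  check(key: string, now?: number): RateLimitResult; // consume one attempt for key
  reset(key: string): void;                           // call after a successful login
  size(): number;                                     // tracked keys, for tests
}

/**
 * Fixed-window limiter keyed by client IP: at most maxAttempts per windowMs.
 * Expired entries are removed lazily on each check, so memory is bounded by
 * the number of distinct clients seen within one window.
 */
export function createRateLimiter(maxAttempts: number, windowMs: number): RateLimiter {
  const entries = new Map<string, { count: number; windowStart: number }>();

  function cleanup(now: number): void {
    entries.forEach((entry, key) => {
      if (now - entry.windowStart >= windowMs) entries.delete(key);
    });
  }

  return {
    check(key: string, now: number = Date.now()): RateLimitResult {
      cleanup(now);
      const entry = entries.get(key);
      if (entry === undefined) {
        entries.set(key, { count: 1, windowStart: now });
        return { allowed: true, remaining: maxAttempts - 1, retryAfterMs: 0 };
      }
      entry.count += 1;
      if (entry.count > maxAttempts) {
        // Locked out until the window opened by the first attempt expires.
        return { allowed: false, remaining: 0, retryAfterMs: entry.windowStart + windowMs - now };
      }
      return { allowed: true, remaining: maxAttempts - entry.count, retryAfterMs: 0 };
    },
    reset(key: string): void {
      entries.delete(key);
    },
    size(): number {
      return entries.size;
    },
  };
}
```

Two design points worth noting: the window is anchored at the first failed attempt and is not extended by later attempts, so a locked-out client cannot keep itself locked out forever by retrying, and `reset()` is only meant to be called after a successful login, so failed attempts keep counting across a lockout.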
Summary

Implementation of Issue #331: adds token authentication (a login feature) and a direct HTTPS serving mode.

- `commandmate start` (no auth) behaves the same as before
- `commandmate start --auth` generates and displays a random token and protects all API routes and WebSocket connections
- The `--cert`/`--key` options start the server as an HTTPS server
- Timing-attack mitigation via `crypto.timingSafeEqual()`; exact-match path matching

Main changed files

New files

- `src/lib/auth.ts`: core auth module (token generation/verification, rate limiting, Cookie parsing)
- `src/middleware.ts`: Next.js auth middleware (returns `NextResponse.next()` immediately when `CM_AUTH_TOKEN_HASH` is unset)
- `src/app/api/auth/login/route.ts`: login API
- `src/app/api/auth/logout/route.ts`: logout API
- `src/app/api/auth/status/route.ts`: auth status API
- `src/app/login/page.tsx`: login page (i18n support, lockout display)
- `src/components/common/LogoutButton.tsx`: logout button (shown only when auth is enabled)
- `locales/en/auth.json` / `locales/ja/auth.json`: auth translations

Main changes

- `server.ts`: conditional `https.createServer()`, certificate validation, gracefulShutdown extended
- `src/lib/ws-server.ts`: WebSocket connection authentication added; argument type widened to `http.Server | https.Server`
- `src/cli/commands/start.ts`: `--auth`/`--auth-expire`/`--https`/`--cert`/`--key`/`--allow-http` options added
- `src/cli/utils/daemon.ts`: forwards auth/HTTPS environment variables to the child process
- `src/cli/types/index.ts`: auth fields added to `StartOptions`
- `src/i18n.ts`: `auth` namespace added
- `tsconfig.server.json`: `src/lib/auth.ts` added to include
- `docs/security-guide.md`: mkcert procedure and quick start added

Test plan

- `npm run test:unit`: 3724 tests pass (89 new tests added)
- `npm run test:integration`: auth-middleware / ws-auth / i18n integration tests pass
- `npx tsc --noEmit`: 0 type errors
- `npm run lint`: 0 ESLint errors
- `npm run build` / `build:server` / `build:cli`: build succeeds

Security

- Timing-attack mitigation via `crypto.timingSafeEqual()` ✅
- `===` exact-match path matching (`startsWith` prohibited) ✅
- No Next.js-specific module dependencies in `src/lib/auth.ts` (CLI build compatibility) ✅
- `HttpOnly` + `SameSite=Strict` + `Secure` when HTTPS ✅
- Prevented by `SameSite=Strict` ✅

Commits

- feat(auth): implement token authentication and HTTPS support
- refactor(auth): improve code quality of token auth and HTTPS modules
- docs(auth): add token authentication and HTTPS setup documentation
- chore(deps): update vitest to 4.0.16

🤖 Generated with Claude Code
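The Security checklist in the description above, worked as an added TypeScript example that is not the project's `src/lib/auth.ts` or `src/middleware.ts`: random token generation, hashing with a constant-time compare (S001), exact-match excluded paths (S002), the cookie flags with `Secure` tied to HTTPS, and the middleware decision, all using only `node:crypto` so the module carries no Next.js dependency (C001). The cookie name `cm_auth`, the excluded-path list, SHA-256 as the hash algorithm, and the `authorize()` helper are assumptions; the page does not state them.

```typescript
// Added example, not the project's src/lib/auth.ts. Only node:crypto is used,
// so the module stays free of Next.js imports (constraint C001 in the PR).
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

// Assumption: cookie name and excluded-path list; the page does not state them.
export const AUTH_COOKIE_NAME = "cm_auth";
export const AUTH_EXCLUDED_PATHS = ["/login", "/api/auth/login", "/api/auth/status"] as const;
export const DEFAULT_COOKIE_MAX_AGE_SECONDS = 86400;

/** 32 random bytes, hex-encoded: the value printed once by `--auth`. */
export function generateToken(): string {
  return randomBytes(32).toString("hex");
}

/** SHA-256 digest of the token (assumed algorithm); only this is kept server-side. */
export function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

/**
 * S001: constant-time comparison. Hashing the presented token first makes both
 * buffers 32 bytes, so timingSafeEqual never throws on a length mismatch and
 * the comparison time does not depend on how many leading bytes match.
 */
export function verifyToken(presented: string, storedHash: string): boolean {
  const a = Buffer.from(hashToken(presented), "hex");
  const b = Buffer.from(storedHash, "hex");
  if (a.length !== b.length) return false; // malformed or truncated stored hash
  return timingSafeEqual(a, b);
}

/** Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }. */
export function parseCookies(header: string | undefined): Record<string, string> {
  const cookies: Record<string, string> = {};
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // no "=", not a name=value pair
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch {
      cookies[name] = raw; // keep malformed percent-encoding verbatim
    }
  }
  return cookies;
}

/** S002: exact match only. startsWith would let "/loginx" or "/login/../x" through. */
export function isExcludedPath(pathname: string): boolean {
  return AUTH_EXCLUDED_PATHS.some((p) => p === pathname);
}

export interface AuthCookieOptions {
  httpOnly: true;
  sameSite: "strict";
  secure: boolean;
  path: string;
  maxAge: number;
}

/** Shared by login and logout: HttpOnly, SameSite=Strict, Secure only when serving HTTPS. */
export function buildAuthCookieOptions(
  httpsEnabled: boolean,
  maxAge: number = DEFAULT_COOKIE_MAX_AGE_SECONDS,
): AuthCookieOptions {
  return { httpOnly: true, sameSite: "strict", secure: httpsEnabled, path: "/", maxAge };
}

/**
 * The middleware decision with Next.js types removed (assumed helper): pass
 * through when auth is disabled (no stored hash), allow excluded paths, and
 * otherwise require a cookie carrying a token that hashes to the stored value.
 */
export function authorize(
  pathname: string,
  cookieHeader: string | undefined,
  storedHash: string | undefined,
): "allow" | "login" {
  if (!storedHash) return "allow";
  if (isExcludedPath(pathname)) return "allow";
  const token = parseCookies(cookieHeader)[AUTH_COOKIE_NAME];
  return token !== undefined && verifyToken(token, storedHash) ? "allow" : "login";
}
```

Because the process only holds the hash (`CM_AUTH_TOKEN_HASH` in the description), a leaked environment or crash dump does not yield a usable token, and because the compare happens on two fixed-length digests there is no early exit for an attacker to time. The same `authorize()` logic applies to the WebSocket upgrade: the `Cookie` header on the upgrade request is parsed the same way before the connection is accepted.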