feat: añadir soporte para /t web con tokens de login y util crypto

Co-authored-by: aider (openrouter/openai/gpt-5) <aider@aider.chat>
2 weeks ago · c8c4fdd927
parent 1e188c2e96
commit c8c4fdd927
3 changed files with 207 additions and 0 deletions
--- a/src/services/command.ts
+++ b/src/services/command.ts
@ -9,6 +9,7 @@ import { padTaskId, codeId, formatDDMM, bold, italic } from '../utils/formatting
 import { IdentityService } from './identity';
 import { AllowedGroups } from './allowed-groups';
 import { Metrics } from './metrics';
+import { randomTokenBase64Url, sha256Hex } from '../utils/crypto';

 type CommandContext = {
 	sender: string;     // normalized user id (digits only), but accept raw too
@ -955,6 +956,61 @@ export class CommandService {
 			}];
 		}

+		// Enlace de acceso a la web (/t web)
+		if (action === 'web') {
+			// Solo por DM
+			if (isGroupId(context.groupId)) {
+				return [{
+					recipient: context.sender,
+					message: 'ℹ️ Este comando se usa por privado. Envíame `/t web` por DM.'
+				}];
+			}
+
+			const base = (process.env.WEB_BASE_URL || '').trim();
+			if (!base) {
+				return [{
+					recipient: context.sender,
+					message: '⚠️ La web no está configurada todavía. Contacta con el administrador (falta WEB_BASE_URL).'
+				}];
+			}
+
+			const ensured = ensureUserExists(context.sender, this.dbInstance);
+			if (!ensured) {
+				throw new Error('No se pudo asegurar el usuario');
+			}
+
+			const toIso = (d: Date) => d.toISOString().replace('T', ' ').replace('Z', '');
+			const now = new Date();
+			const nowIso = toIso(now);
+			const expiresIso = toIso(new Date(now.getTime() + 10 * 60 * 1000)); // 10 minutos
+
+			// Invalidar tokens vigentes (uso único)
+			this.dbInstance.prepare(`
+        UPDATE web_tokens
+        SET used_at = ?
+        WHERE user_id = ?
+          AND used_at IS NULL
+          AND expires_at > ?
+      `).run(nowIso, ensured, nowIso);
+
+			// Generar nuevo token y guardar solo el hash
+			const token = randomTokenBase64Url(32);
+			const tokenHash = await sha256Hex(token);
+
+			this.dbInstance.prepare(`
+        INSERT INTO web_tokens (user_id, token_hash, expires_at, metadata)
+        VALUES (?, ?, ?, NULL)
+      `).run(ensured, tokenHash, expiresIso);
+
+			try { Metrics.inc('web_tokens_issued_total'); } catch {}
+
+			const url = new URL(`/login?token=${encodeURIComponent(token)}`, base).toString();
+			return [{
+				recipient: context.sender,
+				message: `Acceso web: ${url}\nVálido durante 10 minutos. Si caduca, vuelve a enviar "/t web".`
+			}];
+		}
+
 		if (action !== 'nueva') {
 			return [{
 				recipient: context.sender,
--- a/src/utils/crypto.ts
+++ b/src/utils/crypto.ts
@ -0,0 +1,20 @@
+/**
+ * Utilidades criptográficas sin dependencias externas.
+ * - randomTokenBase64Url: genera un token aleatorio (base64url, sin relleno).
+ * - sha256Hex: calcula SHA-256 y devuelve en hex.
+ */
+
+export function randomTokenBase64Url(bytes: number = 32): string {
+  const arr = new Uint8Array(bytes);
+  crypto.getRandomValues(arr);
+  const b64 = Buffer.from(arr).toString('base64');
+  // base64url (RFC 4648) sin padding
+  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+
+export async function sha256Hex(input: string): Promise<string> {
+  const data = new TextEncoder().encode(input);
+  const hashBuf = await crypto.subtle.digest('SHA-256', data);
+  const bytes = new Uint8Array(hashBuf);
+  return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
--- a/tests/unit/services/command.web-login.test.ts
+++ b/tests/unit/services/command.web-login.test.ts
@ -0,0 +1,131 @@
+import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { Database } from 'bun:sqlite';
+import { initializeDatabase } from '../../../src/db';
+import { CommandService } from '../../../src/services/command';
+import { sha256Hex } from '../../../src/utils/crypto';
+import { Metrics } from '../../../src/services/metrics';
+
+const envBackup = { ...process.env };
+let memdb: Database;
+
+describe('CommandService - /t web (emisión de token de login)', () => {
+  beforeEach(() => {
+    process.env = {
+      ...envBackup,
+      NODE_ENV: 'test',
+      TZ: 'Europe/Madrid',
+      WEB_BASE_URL: 'https://app.example.test'
+    };
+    Metrics.reset?.();
+    memdb = new Database(':memory:');
+    initializeDatabase(memdb);
+    (CommandService as any).dbInstance = memdb;
+  });
+
+  afterEach(() => {
+    process.env = envBackup;
+    try { memdb.close(); } catch {}
+  });
+
+  test('DM feliz: devuelve URL con token y persiste hash en web_tokens', async () => {
+    const res = await CommandService.handle({
+      sender: '34600123456',
+      groupId: '34600123456@s.whatsapp.net', // DM (no @g.us)
+      message: '/t web',
+      mentions: []
+    });
+    expect(Array.isArray(res)).toBe(true);
+    expect(res.length).toBe(1);
+    expect(res[0].recipient).toBe('34600123456');
+    expect(res[0].message).toContain('https://app.example.test');
+
+    const m = res[0].message.match(/https?:\/\/\S+/);
+    expect(m).toBeTruthy();
+    const url = new URL(m![0]);
+    expect(url.pathname).toBe('/login');
+    const token = url.searchParams.get('token') || '';
+    expect(token.length).toBeGreaterThan(0);
+
+    const hash = await sha256Hex(token);
+    const row = memdb.prepare(`
+      SELECT user_id, token_hash, used_at, expires_at
+      FROM web_tokens
+      WHERE user_id = ? AND token_hash = ?
+    `).get('34600123456', hash) as any;
+
+    expect(row).toBeTruthy();
+    expect(row.user_id).toBe('34600123456');
+    expect(row.token_hash).toBe(hash);
+    expect(row.used_at).toBeNull();
+    // expires_at debe ser en el futuro
+    const now = new Date();
+    const exp = new Date(String(row.expires_at).replace(' ', 'T') + 'Z');
+    expect(exp.getTime()).toBeGreaterThan(now.getTime() + 9 * 60 * 1000 - 10 * 1000); // ~>= 9min50s
+    expect(Metrics.get('web_tokens_issued_total')).toBe(1);
+  });
+
+  test('En grupo: responde que debe usarse por privado y no inserta token', async () => {
+    const res = await CommandService.handle({
+      sender: '34600123456',
+      groupId: '123@g.us',
+      message: '/t web',
+      mentions: []
+    });
+    expect(res.length).toBe(1);
+    expect(res[0].recipient).toBe('34600123456');
+    expect(res[0].message.toLowerCase()).toContain('privado');
+
+    const cnt = memdb.prepare(`SELECT COUNT(*) AS c FROM web_tokens WHERE user_id = ?`).get('34600123456') as any;
+    expect(Number(cnt.c)).toBe(0);
+  });
+
+  test('Sin WEB_BASE_URL: error claro y no inserta token', async () => {
+    delete process.env.WEB_BASE_URL;
+
+    const res = await CommandService.handle({
+      sender: '34600123456',
+      groupId: '34600123456@s.whatsapp.net',
+      message: '/t web',
+      mentions: []
+    });
+    expect(res.length).toBe(1);
+    expect(res[0].message).toContain('no está configurada');
+    const cnt = memdb.prepare(`SELECT COUNT(*) AS c FROM web_tokens WHERE user_id = ?`).get('34600123456') as any;
+    expect(Number(cnt.c)).toBe(0);
+  });
+
+  test('Token vigente: se invalida y se emite uno nuevo (queda solo 1 activo)', async () => {
+    // Primera emisión
+    {
+      const r1 = await CommandService.handle({
+        sender: '34600123456',
+        groupId: '34600123456@s.whatsapp.net',
+        message: '/t web',
+        mentions: []
+      });
+      expect(r1.length).toBe(1);
+    }
+
+    // Segunda emisión (debe invalidar el anterior)
+    {
+      const r2 = await CommandService.handle({
+        sender: '34600123456',
+        groupId: '34600123456@s.whatsapp.net',
+        message: '/t web',
+        mentions: []
+      });
+      expect(r2.length).toBe(1);
+    }
+
+    const counts = memdb.prepare(`
+      SELECT
+        SUM(CASE WHEN used_at IS NULL THEN 1 ELSE 0 END) AS active,
+        COUNT(*) AS total
+      FROM web_tokens
+      WHERE user_id = ?
+    `).get('34600123456') as any;
+
+    expect(Number(counts.total)).toBeGreaterThanOrEqual(2);
+    expect(Number(counts.active)).toBe(1);
+  });
+});