tuitbot-core 0.1.47

Core library for Tuitbot autonomous X growth assistant
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389

//! Passphrase generation and verification.
//!
//! Generates 4-word passphrases from the EFF short wordlist (1,296 words).
//! Passphrases are hashed with bcrypt before storage.

use std::path::Path;

use rand::seq::IndexedRandom;

use super::error::AuthError;

/// EFF short wordlist (1,296 words), one per line.
const WORDLIST: &str = include_str!("../../assets/eff_short_wordlist.txt");

/// Number of words in the generated passphrase.
const PASSPHRASE_WORD_COUNT: usize = 4;

/// Bcrypt cost factor (12 = ~250ms on modern hardware).
const BCRYPT_COST: u32 = 12;

/// Generate a random 4-word passphrase from the EFF short wordlist.
pub fn generate_passphrase() -> String {
    let words: Vec<&str> = WORDLIST.lines().filter(|l| !l.is_empty()).collect();
    let mut rng = rand::rng();
    let selected: Vec<&&str> = words
        .choose_multiple(&mut rng, PASSPHRASE_WORD_COUNT)
        .collect();
    selected
        .into_iter()
        .copied()
        .collect::<Vec<&str>>()
        .join(" ")
}

/// Hash a passphrase with bcrypt.
pub fn hash_passphrase(passphrase: &str) -> Result<String, AuthError> {
    bcrypt::hash(passphrase, BCRYPT_COST).map_err(|e| AuthError::HashError {
        message: e.to_string(),
    })
}

/// Verify a passphrase against a bcrypt hash.
pub fn verify_passphrase(passphrase: &str, hash: &str) -> Result<bool, AuthError> {
    bcrypt::verify(passphrase, hash).map_err(|e| AuthError::HashError {
        message: e.to_string(),
    })
}

/// Ensure a passphrase hash file exists in the data directory.
///
/// If the file doesn't exist, generates a new passphrase, hashes it, writes
/// the hash to `passphrase_hash`, and returns `Ok(Some(plaintext))` so the
/// caller can print it to the terminal.
///
/// If the file already exists, returns `Ok(None)`.
pub fn ensure_passphrase(data_dir: &Path) -> Result<Option<String>, AuthError> {
    let hash_path = data_dir.join("passphrase_hash");

    if hash_path.exists() {
        let existing = std::fs::read_to_string(&hash_path).map_err(|e| AuthError::Storage {
            message: format!("failed to read passphrase hash: {e}"),
        })?;
        if !existing.trim().is_empty() {
            return Ok(None);
        }
    }

    let passphrase = generate_passphrase();
    let hash = hash_passphrase(&passphrase)?;

    std::fs::create_dir_all(data_dir).map_err(|e| AuthError::Storage {
        message: format!("failed to create data directory: {e}"),
    })?;
    std::fs::write(&hash_path, &hash).map_err(|e| AuthError::Storage {
        message: format!("failed to write passphrase hash: {e}"),
    })?;

    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let _ = std::fs::set_permissions(&hash_path, std::fs::Permissions::from_mode(0o600));
    }

    Ok(Some(passphrase))
}

/// Load the passphrase hash from disk. Returns `None` if the file doesn't exist.
pub fn load_passphrase_hash(data_dir: &Path) -> Result<Option<String>, AuthError> {
    let hash_path = data_dir.join("passphrase_hash");
    if !hash_path.exists() {
        return Ok(None);
    }
    let hash = std::fs::read_to_string(&hash_path).map_err(|e| AuthError::Storage {
        message: format!("failed to read passphrase hash: {e}"),
    })?;
    let trimmed = hash.trim().to_string();
    if trimmed.is_empty() {
        return Ok(None);
    }
    Ok(Some(trimmed))
}

/// Check if a passphrase hash file exists (i.e., the instance has been claimed).
pub fn is_claimed(data_dir: &Path) -> bool {
    let hash_path = data_dir.join("passphrase_hash");
    if !hash_path.exists() {
        return false;
    }
    std::fs::read_to_string(&hash_path)
        .map(|s| !s.trim().is_empty())
        .unwrap_or(false)
}

/// Create a passphrase hash from a user-provided plaintext.
///
/// This is the "claim" operation for first-time web setup. It:
/// - Validates the passphrase (minimum 8 characters)
/// - Checks that no hash file exists (returns `AlreadyClaimed` if it does)
/// - Hashes with bcrypt (cost 12)
/// - Writes the hash to `data_dir/passphrase_hash` with 0600 permissions
///
/// The plaintext is never logged or persisted.
pub fn create_passphrase_hash(data_dir: &Path, plaintext: &str) -> Result<(), AuthError> {
    if plaintext.len() < 8 {
        return Err(AuthError::Storage {
            message: "passphrase must be at least 8 characters".to_string(),
        });
    }

    let hash_path = data_dir.join("passphrase_hash");

    // Reject if already claimed.
    if hash_path.exists() {
        let existing = std::fs::read_to_string(&hash_path).map_err(|e| AuthError::Storage {
            message: format!("failed to read passphrase hash: {e}"),
        })?;
        if !existing.trim().is_empty() {
            return Err(AuthError::AlreadyClaimed);
        }
    }

    let hash = hash_passphrase(plaintext)?;

    std::fs::create_dir_all(data_dir).map_err(|e| AuthError::Storage {
        message: format!("failed to create data directory: {e}"),
    })?;
    std::fs::write(&hash_path, &hash).map_err(|e| AuthError::Storage {
        message: format!("failed to write passphrase hash: {e}"),
    })?;

    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let _ = std::fs::set_permissions(&hash_path, std::fs::Permissions::from_mode(0o600));
    }

    Ok(())
}

/// Return the modification time of the `passphrase_hash` file.
///
/// Returns `None` if the file does not exist or its metadata cannot be read.
pub fn passphrase_hash_mtime(data_dir: &Path) -> Option<std::time::SystemTime> {
    let hash_path = data_dir.join("passphrase_hash");
    std::fs::metadata(&hash_path)
        .ok()
        .and_then(|m| m.modified().ok())
}

/// Re-generate a passphrase (for `--reset-passphrase`).
///
/// Overwrites the existing hash file and returns the new plaintext passphrase.
pub fn reset_passphrase(data_dir: &Path) -> Result<String, AuthError> {
    let hash_path = data_dir.join("passphrase_hash");
    let passphrase = generate_passphrase();
    let hash = hash_passphrase(&passphrase)?;

    std::fs::write(&hash_path, &hash).map_err(|e| AuthError::Storage {
        message: format!("failed to write passphrase hash: {e}"),
    })?;

    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let _ = std::fs::set_permissions(&hash_path, std::fs::Permissions::from_mode(0o600));
    }

    Ok(passphrase)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn generate_passphrase_has_four_words() {
        let passphrase = generate_passphrase();
        let words: Vec<&str> = passphrase.split_whitespace().collect();
        assert_eq!(words.len(), 4);
    }

    #[test]
    fn generate_passphrase_uses_wordlist_words() {
        let valid_words: Vec<&str> = WORDLIST.lines().filter(|l| !l.is_empty()).collect();
        let passphrase = generate_passphrase();
        for word in passphrase.split_whitespace() {
            assert!(valid_words.contains(&word), "word not in wordlist: {word}");
        }
    }

    #[test]
    fn hash_and_verify_roundtrip() {
        let passphrase = "alpha bravo charlie delta";
        let hash = hash_passphrase(passphrase).unwrap();
        assert!(verify_passphrase(passphrase, &hash).unwrap());
        assert!(!verify_passphrase("wrong passphrase here", &hash).unwrap());
    }

    #[test]
    fn ensure_passphrase_creates_file() {
        let dir = tempfile::tempdir().unwrap();
        let result = ensure_passphrase(dir.path()).unwrap();
        assert!(result.is_some());
        let passphrase = result.unwrap();
        assert_eq!(passphrase.split_whitespace().count(), 4);

        // Second call should return None (already exists)
        let result2 = ensure_passphrase(dir.path()).unwrap();
        assert!(result2.is_none());
    }

    #[test]
    fn ensure_passphrase_verifies_against_hash() {
        let dir = tempfile::tempdir().unwrap();
        let passphrase = ensure_passphrase(dir.path()).unwrap().unwrap();
        let hash = load_passphrase_hash(dir.path()).unwrap().unwrap();
        assert!(verify_passphrase(&passphrase, &hash).unwrap());
    }

    #[test]
    fn is_claimed_returns_false_on_empty_dir() {
        let dir = tempfile::tempdir().unwrap();
        assert!(!is_claimed(dir.path()));
    }

    #[test]
    fn is_claimed_returns_true_after_create() {
        let dir = tempfile::tempdir().unwrap();
        create_passphrase_hash(dir.path(), "test passphrase here").unwrap();
        assert!(is_claimed(dir.path()));
    }

    #[test]
    fn create_passphrase_hash_creates_file() {
        let dir = tempfile::tempdir().unwrap();
        let plaintext = "alpha bravo charlie delta";
        create_passphrase_hash(dir.path(), plaintext).unwrap();

        let hash = load_passphrase_hash(dir.path()).unwrap().unwrap();
        assert!(verify_passphrase(plaintext, &hash).unwrap());
    }

    #[test]
    fn create_passphrase_hash_rejects_short_passphrase() {
        let dir = tempfile::tempdir().unwrap();
        let result = create_passphrase_hash(dir.path(), "short");
        assert!(result.is_err());
        let err = result.unwrap_err();
        assert!(
            err.to_string().contains("at least 8 characters"),
            "unexpected error: {err}"
        );
    }

    #[test]
    fn create_passphrase_hash_rejects_already_claimed() {
        let dir = tempfile::tempdir().unwrap();
        create_passphrase_hash(dir.path(), "first passphrase ok").unwrap();
        let result = create_passphrase_hash(dir.path(), "second passphrase ok");
        assert!(result.is_err());
        assert!(
            matches!(result.unwrap_err(), AuthError::AlreadyClaimed),
            "expected AlreadyClaimed error"
        );
    }

    #[test]
    fn passphrase_hash_mtime_returns_some_after_create() {
        let dir = tempfile::tempdir().unwrap();
        assert!(passphrase_hash_mtime(dir.path()).is_none());
        ensure_passphrase(dir.path()).unwrap();
        assert!(passphrase_hash_mtime(dir.path()).is_some());
    }

    #[test]
    fn passphrase_hash_mtime_changes_after_reset() {
        let dir = tempfile::tempdir().unwrap();
        ensure_passphrase(dir.path()).unwrap();
        let mtime1 = passphrase_hash_mtime(dir.path()).unwrap();
        // Small sleep to ensure filesystem mtime granularity advances.
        std::thread::sleep(std::time::Duration::from_millis(50));
        reset_passphrase(dir.path()).unwrap();
        let mtime2 = passphrase_hash_mtime(dir.path()).unwrap();
        assert!(mtime2 >= mtime1);
    }

    #[test]
    fn reset_passphrase_overwrites() {
        let dir = tempfile::tempdir().unwrap();
        let first = ensure_passphrase(dir.path()).unwrap().unwrap();
        let second = reset_passphrase(dir.path()).unwrap();
        assert_ne!(first, second);
        let hash = load_passphrase_hash(dir.path()).unwrap().unwrap();
        assert!(verify_passphrase(&second, &hash).unwrap());
        assert!(!verify_passphrase(&first, &hash).unwrap());
    }

    #[test]
    fn load_passphrase_hash_nonexistent_dir() {
        let dir = tempfile::tempdir().unwrap();
        let result = load_passphrase_hash(dir.path()).unwrap();
        assert!(result.is_none());
    }

    #[test]
    fn load_passphrase_hash_empty_file() {
        let dir = tempfile::tempdir().unwrap();
        std::fs::write(dir.path().join("passphrase_hash"), "").unwrap();
        let result = load_passphrase_hash(dir.path()).unwrap();
        assert!(result.is_none(), "empty hash file should return None");
    }

    #[test]
    fn load_passphrase_hash_whitespace_only_file() {
        let dir = tempfile::tempdir().unwrap();
        std::fs::write(dir.path().join("passphrase_hash"), "   \n  ").unwrap();
        let result = load_passphrase_hash(dir.path()).unwrap();
        assert!(result.is_none(), "whitespace-only should return None");
    }

    #[test]
    fn is_claimed_false_on_empty_hash_file() {
        let dir = tempfile::tempdir().unwrap();
        std::fs::write(dir.path().join("passphrase_hash"), "").unwrap();
        assert!(!is_claimed(dir.path()));
    }

    #[test]
    fn generate_passphrase_produces_different_values() {
        let p1 = generate_passphrase();
        let p2 = generate_passphrase();
        // Extremely unlikely to collide with 1296^4 possibilities
        assert_ne!(p1, p2, "two generated passphrases should differ");
    }

    #[test]
    fn verify_passphrase_wrong_input_returns_false() {
        let hash = hash_passphrase("correct horse battery staple").unwrap();
        assert!(!verify_passphrase("wrong phrase entirely", &hash).unwrap());
    }

    #[test]
    fn create_passphrase_hash_exactly_8_chars() {
        let dir = tempfile::tempdir().unwrap();
        // 8 characters should be accepted
        create_passphrase_hash(dir.path(), "12345678").unwrap();
        assert!(is_claimed(dir.path()));
    }

    #[test]
    fn ensure_passphrase_on_empty_hash_file_regenerates() {
        let dir = tempfile::tempdir().unwrap();
        std::fs::write(dir.path().join("passphrase_hash"), "").unwrap();
        let result = ensure_passphrase(dir.path()).unwrap();
        assert!(
            result.is_some(),
            "empty hash file should trigger regeneration"
        );
    }

    #[test]
    fn reset_passphrase_verifies_against_new_hash() {
        let dir = tempfile::tempdir().unwrap();
        ensure_passphrase(dir.path()).unwrap();
        let new_passphrase = reset_passphrase(dir.path()).unwrap();
        let hash = load_passphrase_hash(dir.path()).unwrap().unwrap();
        assert!(verify_passphrase(&new_passphrase, &hash).unwrap());
    }
}