@agenticmail/enterprise 0.5.327 → 0.5.329
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agent-tools-F3CYENMK.js +13949 -0
- package/dist/browser-tool-P57PLVW2.js +4002 -0
- package/dist/chunk-3RI3AIJN.js +1519 -0
- package/dist/chunk-AD4DFKHR.js +4928 -0
- package/dist/chunk-UQXPVWXG.js +5101 -0
- package/dist/cli-agent-K6UFZRXC.js +2473 -0
- package/dist/cli-serve-4MT7RDEL.js +260 -0
- package/dist/cli.js +3 -3
- package/dist/dashboard/app.js +1 -1
- package/dist/dashboard/components/transport-encryption.js +0 -62
- package/dist/dashboard/pages/agent-detail/index.js +5 -2
- package/dist/dashboard/pages/agent-detail/manager.js +1 -1
- package/dist/dashboard/pages/agent-detail/overview.js +4 -2
- package/dist/dashboard/pages/agent-detail/tool-security.js +1 -1
- package/dist/dashboard/pages/domain-status.js +3 -6
- package/dist/dashboard/pages/memory-transfer.js +1 -1
- package/dist/dashboard/pages/messages.js +0 -1
- package/dist/dashboard/pages/roles.js +0 -2
- package/dist/dashboard/pages/workforce.js +0 -1
- package/dist/index.js +3 -3
- package/dist/runtime-L5ADJORP.js +45 -0
- package/dist/server-KSN56EZQ.js +28 -0
- package/dist/setup-UUNBBOQH.js +20 -0
- package/logs/cloudflared-error.log +42 -0
- package/logs/enterprise-out.log +6 -0
- package/package.json +1 -1
- package/src/admin/page-registry.ts +0 -290
- package/src/admin/routes.ts +0 -2968
- package/src/agent-tools/common.ts +0 -260
- package/src/agent-tools/index.ts +0 -542
- package/src/agent-tools/merge.ts +0 -62
- package/src/agent-tools/middleware.ts +0 -436
- package/src/agent-tools/schema/typebox.ts +0 -25
- package/src/agent-tools/security.ts +0 -352
- package/src/agent-tools/tool-resolver.ts +0 -1018
- package/src/agent-tools/tools/agenticmail.ts +0 -1017
- package/src/agent-tools/tools/bash.ts +0 -179
- package/src/agent-tools/tools/browser-tool.schema.ts +0 -112
- package/src/agent-tools/tools/browser-tool.ts +0 -388
- package/src/agent-tools/tools/browser.ts +0 -764
- package/src/agent-tools/tools/edit.ts +0 -100
- package/src/agent-tools/tools/enterprise-code-sandbox.ts +0 -395
- package/src/agent-tools/tools/enterprise-database.ts +0 -377
- package/src/agent-tools/tools/enterprise-diff.ts +0 -580
- package/src/agent-tools/tools/enterprise-documents.ts +0 -896
- package/src/agent-tools/tools/enterprise-http.ts +0 -485
- package/src/agent-tools/tools/enterprise-security-scan.ts +0 -528
- package/src/agent-tools/tools/enterprise-spreadsheet.ts +0 -825
- package/src/agent-tools/tools/glob.ts +0 -129
- package/src/agent-tools/tools/google/calendar.ts +0 -230
- package/src/agent-tools/tools/google/chat.ts +0 -725
- package/src/agent-tools/tools/google/contacts.ts +0 -209
- package/src/agent-tools/tools/google/docs.ts +0 -162
- package/src/agent-tools/tools/google/drive.ts +0 -392
- package/src/agent-tools/tools/google/forms.ts +0 -367
- package/src/agent-tools/tools/google/gmail.ts +0 -897
- package/src/agent-tools/tools/google/index.ts +0 -86
- package/src/agent-tools/tools/google/maps.ts +0 -543
- package/src/agent-tools/tools/google/meeting-voice.ts +0 -885
- package/src/agent-tools/tools/google/meetings.ts +0 -1094
- package/src/agent-tools/tools/google/sheets.ts +0 -215
- package/src/agent-tools/tools/google/slides.ts +0 -559
- package/src/agent-tools/tools/google/tasks.ts +0 -200
- package/src/agent-tools/tools/grep.ts +0 -178
- package/src/agent-tools/tools/integrations/_factory.ts +0 -102
- package/src/agent-tools/tools/integrations/activecampaign.ts +0 -14
- package/src/agent-tools/tools/integrations/adobe-sign.ts +0 -14
- package/src/agent-tools/tools/integrations/adp.ts +0 -14
- package/src/agent-tools/tools/integrations/airtable.ts +0 -14
- package/src/agent-tools/tools/integrations/apollo.ts +0 -14
- package/src/agent-tools/tools/integrations/asana.ts +0 -14
- package/src/agent-tools/tools/integrations/auth0.ts +0 -14
- package/src/agent-tools/tools/integrations/aws.ts +0 -14
- package/src/agent-tools/tools/integrations/azure-devops.ts +0 -14
- package/src/agent-tools/tools/integrations/bamboohr.ts +0 -14
- package/src/agent-tools/tools/integrations/basecamp.ts +0 -14
- package/src/agent-tools/tools/integrations/bigcommerce.ts +0 -14
- package/src/agent-tools/tools/integrations/bitbucket.ts +0 -14
- package/src/agent-tools/tools/integrations/box.ts +0 -14
- package/src/agent-tools/tools/integrations/brex.ts +0 -14
- package/src/agent-tools/tools/integrations/buffer.ts +0 -14
- package/src/agent-tools/tools/integrations/calendly.ts +0 -14
- package/src/agent-tools/tools/integrations/canva.ts +0 -14
- package/src/agent-tools/tools/integrations/chargebee.ts +0 -14
- package/src/agent-tools/tools/integrations/circleci.ts +0 -14
- package/src/agent-tools/tools/integrations/clickup.ts +0 -14
- package/src/agent-tools/tools/integrations/close.ts +0 -14
- package/src/agent-tools/tools/integrations/cloudflare.ts +0 -14
- package/src/agent-tools/tools/integrations/confluence.ts +0 -14
- package/src/agent-tools/tools/integrations/contentful.ts +0 -14
- package/src/agent-tools/tools/integrations/copper.ts +0 -14
- package/src/agent-tools/tools/integrations/crisp.ts +0 -14
- package/src/agent-tools/tools/integrations/crowdstrike.ts +0 -14
- package/src/agent-tools/tools/integrations/datadog.ts +0 -14
- package/src/agent-tools/tools/integrations/digitalocean.ts +0 -14
- package/src/agent-tools/tools/integrations/discord.ts +0 -14
- package/src/agent-tools/tools/integrations/docker.ts +0 -14
- package/src/agent-tools/tools/integrations/docusign.ts +0 -14
- package/src/agent-tools/tools/integrations/drift.ts +0 -14
- package/src/agent-tools/tools/integrations/dropbox.ts +0 -14
- package/src/agent-tools/tools/integrations/figma.ts +0 -14
- package/src/agent-tools/tools/integrations/firebase.ts +0 -14
- package/src/agent-tools/tools/integrations/flyio.ts +0 -14
- package/src/agent-tools/tools/integrations/freshbooks.ts +0 -14
- package/src/agent-tools/tools/integrations/freshdesk.ts +0 -14
- package/src/agent-tools/tools/integrations/freshsales.ts +0 -14
- package/src/agent-tools/tools/integrations/freshservice.ts +0 -14
- package/src/agent-tools/tools/integrations/front.ts +0 -14
- package/src/agent-tools/tools/integrations/github-actions.ts +0 -14
- package/src/agent-tools/tools/integrations/github.ts +0 -14
- package/src/agent-tools/tools/integrations/gitlab.ts +0 -14
- package/src/agent-tools/tools/integrations/gong.ts +0 -14
- package/src/agent-tools/tools/integrations/google-ads.ts +0 -14
- package/src/agent-tools/tools/integrations/google-analytics.ts +0 -14
- package/src/agent-tools/tools/integrations/google-cloud.ts +0 -14
- package/src/agent-tools/tools/integrations/gotomeeting.ts +0 -14
- package/src/agent-tools/tools/integrations/grafana.ts +0 -14
- package/src/agent-tools/tools/integrations/greenhouse.ts +0 -14
- package/src/agent-tools/tools/integrations/gusto.ts +0 -14
- package/src/agent-tools/tools/integrations/hashicorp-vault.ts +0 -14
- package/src/agent-tools/tools/integrations/heroku.ts +0 -14
- package/src/agent-tools/tools/integrations/hibob.ts +0 -14
- package/src/agent-tools/tools/integrations/hootsuite.ts +0 -14
- package/src/agent-tools/tools/integrations/hubspot.ts +0 -14
- package/src/agent-tools/tools/integrations/huggingface.ts +0 -14
- package/src/agent-tools/tools/integrations/index.ts +0 -474
- package/src/agent-tools/tools/integrations/intercom.ts +0 -14
- package/src/agent-tools/tools/integrations/jira.ts +0 -14
- package/src/agent-tools/tools/integrations/klaviyo.ts +0 -14
- package/src/agent-tools/tools/integrations/kubernetes.ts +0 -14
- package/src/agent-tools/tools/integrations/lattice.ts +0 -14
- package/src/agent-tools/tools/integrations/launchdarkly.ts +0 -14
- package/src/agent-tools/tools/integrations/lever.ts +0 -14
- package/src/agent-tools/tools/integrations/linear.ts +0 -14
- package/src/agent-tools/tools/integrations/linkedin.ts +0 -14
- package/src/agent-tools/tools/integrations/livechat.ts +0 -14
- package/src/agent-tools/tools/integrations/loom.ts +0 -14
- package/src/agent-tools/tools/integrations/mailchimp.ts +0 -14
- package/src/agent-tools/tools/integrations/mailgun.ts +0 -14
- package/src/agent-tools/tools/integrations/miro.ts +0 -14
- package/src/agent-tools/tools/integrations/mixpanel.ts +0 -14
- package/src/agent-tools/tools/integrations/monday.ts +0 -14
- package/src/agent-tools/tools/integrations/mongodb-atlas.ts +0 -14
- package/src/agent-tools/tools/integrations/neon.ts +0 -14
- package/src/agent-tools/tools/integrations/netlify.ts +0 -14
- package/src/agent-tools/tools/integrations/netsuite.ts +0 -14
- package/src/agent-tools/tools/integrations/newrelic.ts +0 -14
- package/src/agent-tools/tools/integrations/notion.ts +0 -14
- package/src/agent-tools/tools/integrations/okta.ts +0 -14
- package/src/agent-tools/tools/integrations/openai.ts +0 -14
- package/src/agent-tools/tools/integrations/opsgenie.ts +0 -14
- package/src/agent-tools/tools/integrations/outreach.ts +0 -14
- package/src/agent-tools/tools/integrations/paddle.ts +0 -14
- package/src/agent-tools/tools/integrations/pagerduty.ts +0 -14
- package/src/agent-tools/tools/integrations/pandadoc.ts +0 -14
- package/src/agent-tools/tools/integrations/paypal.ts +0 -14
- package/src/agent-tools/tools/integrations/personio.ts +0 -14
- package/src/agent-tools/tools/integrations/pinecone.ts +0 -14
- package/src/agent-tools/tools/integrations/pipedrive.ts +0 -14
- package/src/agent-tools/tools/integrations/plaid.ts +0 -14
- package/src/agent-tools/tools/integrations/postmark.ts +0 -14
- package/src/agent-tools/tools/integrations/power-automate.ts +0 -14
- package/src/agent-tools/tools/integrations/quickbooks.ts +0 -14
- package/src/agent-tools/tools/integrations/recurly.ts +0 -14
- package/src/agent-tools/tools/integrations/reddit.ts +0 -14
- package/src/agent-tools/tools/integrations/render.ts +0 -14
- package/src/agent-tools/tools/integrations/ringcentral.ts +0 -14
- package/src/agent-tools/tools/integrations/rippling.ts +0 -14
- package/src/agent-tools/tools/integrations/salesforce.ts +0 -14
- package/src/agent-tools/tools/integrations/salesloft.ts +0 -14
- package/src/agent-tools/tools/integrations/sanity.ts +0 -14
- package/src/agent-tools/tools/integrations/sap.ts +0 -14
- package/src/agent-tools/tools/integrations/segment.ts +0 -14
- package/src/agent-tools/tools/integrations/sendgrid.ts +0 -14
- package/src/agent-tools/tools/integrations/sentry.ts +0 -14
- package/src/agent-tools/tools/integrations/servicenow.ts +0 -14
- package/src/agent-tools/tools/integrations/shopify.ts +0 -14
- package/src/agent-tools/tools/integrations/shortcut.ts +0 -14
- package/src/agent-tools/tools/integrations/slack.ts +0 -14
- package/src/agent-tools/tools/integrations/smartsheet.ts +0 -14
- package/src/agent-tools/tools/integrations/snowflake.ts +0 -14
- package/src/agent-tools/tools/integrations/snyk.ts +0 -14
- package/src/agent-tools/tools/integrations/splunk.ts +0 -14
- package/src/agent-tools/tools/integrations/square.ts +0 -14
- package/src/agent-tools/tools/integrations/statuspage.ts +0 -14
- package/src/agent-tools/tools/integrations/stripe.ts +0 -14
- package/src/agent-tools/tools/integrations/supabase.ts +0 -14
- package/src/agent-tools/tools/integrations/teamwork.ts +0 -14
- package/src/agent-tools/tools/integrations/telegram.ts +0 -14
- package/src/agent-tools/tools/integrations/terraform.ts +0 -14
- package/src/agent-tools/tools/integrations/todoist.ts +0 -14
- package/src/agent-tools/tools/integrations/trello.ts +0 -14
- package/src/agent-tools/tools/integrations/twilio.ts +0 -14
- package/src/agent-tools/tools/integrations/twitter.ts +0 -14
- package/src/agent-tools/tools/integrations/vercel.ts +0 -14
- package/src/agent-tools/tools/integrations/weaviate.ts +0 -14
- package/src/agent-tools/tools/integrations/webex.ts +0 -14
- package/src/agent-tools/tools/integrations/webflow.ts +0 -14
- package/src/agent-tools/tools/integrations/whatsapp.ts +0 -14
- package/src/agent-tools/tools/integrations/whereby.ts +0 -14
- package/src/agent-tools/tools/integrations/woocommerce.ts +0 -14
- package/src/agent-tools/tools/integrations/wordpress.ts +0 -14
- package/src/agent-tools/tools/integrations/workday.ts +0 -14
- package/src/agent-tools/tools/integrations/wrike.ts +0 -14
- package/src/agent-tools/tools/integrations/xero.ts +0 -14
- package/src/agent-tools/tools/integrations/youtube.ts +0 -14
- package/src/agent-tools/tools/integrations/zendesk.ts +0 -14
- package/src/agent-tools/tools/integrations/zoho-crm.ts +0 -14
- package/src/agent-tools/tools/integrations/zoom.ts +0 -14
- package/src/agent-tools/tools/integrations/zuora.ts +0 -14
- package/src/agent-tools/tools/knowledge-search.ts +0 -318
- package/src/agent-tools/tools/local/coding.ts +0 -626
- package/src/agent-tools/tools/local/dependency-manager.ts +0 -647
- package/src/agent-tools/tools/local/file-edit.ts +0 -31
- package/src/agent-tools/tools/local/file-list.ts +0 -39
- package/src/agent-tools/tools/local/file-ops.ts +0 -48
- package/src/agent-tools/tools/local/file-read.ts +0 -39
- package/src/agent-tools/tools/local/file-search.ts +0 -46
- package/src/agent-tools/tools/local/file-write.ts +0 -28
- package/src/agent-tools/tools/local/filesystem.ts +0 -5
- package/src/agent-tools/tools/local/index.ts +0 -55
- package/src/agent-tools/tools/local/resolve-path.ts +0 -18
- package/src/agent-tools/tools/local/shell.ts +0 -277
- package/src/agent-tools/tools/local/system-info.ts +0 -29
- package/src/agent-tools/tools/management.ts +0 -425
- package/src/agent-tools/tools/mcp-bridge.ts +0 -142
- package/src/agent-tools/tools/mcp-server-tools.ts +0 -91
- package/src/agent-tools/tools/meeting-lifecycle.ts +0 -438
- package/src/agent-tools/tools/memory.ts +0 -509
- package/src/agent-tools/tools/messaging/index.ts +0 -6
- package/src/agent-tools/tools/messaging/telegram.ts +0 -167
- package/src/agent-tools/tools/messaging/whatsapp.ts +0 -651
- package/src/agent-tools/tools/microsoft/contacts.ts +0 -176
- package/src/agent-tools/tools/microsoft/excel-vba.ts +0 -331
- package/src/agent-tools/tools/microsoft/excel.ts +0 -261
- package/src/agent-tools/tools/microsoft/graph-api.ts +0 -161
- package/src/agent-tools/tools/microsoft/index.ts +0 -95
- package/src/agent-tools/tools/microsoft/onedrive.ts +0 -429
- package/src/agent-tools/tools/microsoft/onenote.ts +0 -186
- package/src/agent-tools/tools/microsoft/outlook-calendar.ts +0 -286
- package/src/agent-tools/tools/microsoft/outlook-mail.ts +0 -723
- package/src/agent-tools/tools/microsoft/planner.ts +0 -200
- package/src/agent-tools/tools/microsoft/powerbi.ts +0 -266
- package/src/agent-tools/tools/microsoft/powerpoint.ts +0 -186
- package/src/agent-tools/tools/microsoft/sharepoint.ts +0 -328
- package/src/agent-tools/tools/microsoft/teams.ts +0 -463
- package/src/agent-tools/tools/microsoft/todo.ts +0 -181
- package/src/agent-tools/tools/oauth-token-provider.ts +0 -101
- package/src/agent-tools/tools/read.ts +0 -160
- package/src/agent-tools/tools/visual-memory/capture.ts +0 -217
- package/src/agent-tools/tools/visual-memory/diff.ts +0 -283
- package/src/agent-tools/tools/visual-memory/index.ts +0 -698
- package/src/agent-tools/tools/visual-memory/phash.ts +0 -120
- package/src/agent-tools/tools/visual-memory/similarity.ts +0 -354
- package/src/agent-tools/tools/visual-memory/storage.ts +0 -534
- package/src/agent-tools/tools/visual-memory/types.ts +0 -100
- package/src/agent-tools/tools/web-fetch-utils.ts +0 -202
- package/src/agent-tools/tools/web-fetch.ts +0 -464
- package/src/agent-tools/tools/web-search.ts +0 -480
- package/src/agent-tools/tools/web-shared.ts +0 -232
- package/src/agent-tools/tools/write.ts +0 -68
- package/src/agent-tools/types.ts +0 -214
- package/src/agenticmail/index.ts +0 -34
- package/src/agenticmail/manager.ts +0 -253
- package/src/agenticmail/providers/google.ts +0 -391
- package/src/agenticmail/providers/imap.ts +0 -454
- package/src/agenticmail/providers/index.ts +0 -28
- package/src/agenticmail/providers/microsoft.ts +0 -260
- package/src/agenticmail/types.ts +0 -173
- package/src/auth/routes.ts +0 -1589
- package/src/browser/bridge-auth-registry.ts +0 -34
- package/src/browser/bridge-server.ts +0 -93
- package/src/browser/cdp.helpers.ts +0 -180
- package/src/browser/cdp.ts +0 -466
- package/src/browser/chrome.executables.ts +0 -625
- package/src/browser/chrome.profile-decoration.ts +0 -198
- package/src/browser/chrome.ts +0 -349
- package/src/browser/client-actions-core.ts +0 -259
- package/src/browser/client-actions-observe.ts +0 -184
- package/src/browser/client-actions-state.ts +0 -284
- package/src/browser/client-actions-types.ts +0 -16
- package/src/browser/client-actions-url.ts +0 -11
- package/src/browser/client-actions.ts +0 -4
- package/src/browser/client-fetch.ts +0 -253
- package/src/browser/client.ts +0 -337
- package/src/browser/config.ts +0 -301
- package/src/browser/constants.ts +0 -8
- package/src/browser/control-auth.ts +0 -94
- package/src/browser/control-service.ts +0 -81
- package/src/browser/csrf.ts +0 -87
- package/src/browser/enterprise-compat.ts +0 -562
- package/src/browser/extension-relay.ts +0 -834
- package/src/browser/http-auth.ts +0 -63
- package/src/browser/navigation-guard.ts +0 -50
- package/src/browser/paths.ts +0 -49
- package/src/browser/playwright.d.ts +0 -12
- package/src/browser/profiles-service.ts +0 -187
- package/src/browser/profiles.ts +0 -114
- package/src/browser/proxy-files.ts +0 -41
- package/src/browser/pw-ai-module.ts +0 -52
- package/src/browser/pw-ai-state.ts +0 -9
- package/src/browser/pw-ai.ts +0 -65
- package/src/browser/pw-role-snapshot.ts +0 -434
- package/src/browser/pw-session.ts +0 -810
- package/src/browser/pw-tools-core.activity.ts +0 -68
- package/src/browser/pw-tools-core.downloads.ts +0 -281
- package/src/browser/pw-tools-core.interactions.ts +0 -646
- package/src/browser/pw-tools-core.responses.ts +0 -124
- package/src/browser/pw-tools-core.shared.ts +0 -70
- package/src/browser/pw-tools-core.snapshot.ts +0 -213
- package/src/browser/pw-tools-core.state.ts +0 -209
- package/src/browser/pw-tools-core.storage.ts +0 -128
- package/src/browser/pw-tools-core.trace.ts +0 -37
- package/src/browser/pw-tools-core.ts +0 -8
- package/src/browser/resolved-config-refresh.ts +0 -59
- package/src/browser/routes/agent.act.shared.ts +0 -52
- package/src/browser/routes/agent.act.ts +0 -575
- package/src/browser/routes/agent.debug.ts +0 -149
- package/src/browser/routes/agent.shared.ts +0 -143
- package/src/browser/routes/agent.snapshot.ts +0 -333
- package/src/browser/routes/agent.storage.ts +0 -451
- package/src/browser/routes/agent.ts +0 -13
- package/src/browser/routes/basic.ts +0 -202
- package/src/browser/routes/dispatcher.ts +0 -126
- package/src/browser/routes/index.ts +0 -11
- package/src/browser/routes/path-output.ts +0 -1
- package/src/browser/routes/tabs.ts +0 -217
- package/src/browser/routes/types.ts +0 -26
- package/src/browser/routes/utils.ts +0 -73
- package/src/browser/screenshot.ts +0 -54
- package/src/browser/server-context.ts +0 -688
- package/src/browser/server-context.types.ts +0 -65
- package/src/browser/server-lifecycle.ts +0 -48
- package/src/browser/server-middleware.ts +0 -37
- package/src/browser/server.ts +0 -110
- package/src/browser/target-id.ts +0 -30
- package/src/browser/trash.ts +0 -21
- package/src/cli-agent.ts +0 -2452
- package/src/cli-reset-password.ts +0 -138
- package/src/cli-serve.ts +0 -314
- package/src/cli.ts +0 -103
- package/src/dashboard/app.js +0 -579
- package/src/dashboard/assets/brand-logos.js +0 -350
- package/src/dashboard/assets/icons/emoji-icons.js +0 -893
- package/src/dashboard/assets/logo.png +0 -0
- package/src/dashboard/assets/provider-logos.js +0 -139
- package/src/dashboard/components/error-boundary.js +0 -21
- package/src/dashboard/components/help-button.js +0 -65
- package/src/dashboard/components/icons.js +0 -64
- package/src/dashboard/components/knowledge-link.js +0 -79
- package/src/dashboard/components/modal.js +0 -125
- package/src/dashboard/components/org-switcher.js +0 -156
- package/src/dashboard/components/persona-fields.js +0 -460
- package/src/dashboard/components/settings-help.js +0 -193
- package/src/dashboard/components/tag-input.js +0 -96
- package/src/dashboard/components/timezones.js +0 -352
- package/src/dashboard/components/transport-encryption.js +0 -288
- package/src/dashboard/components/utils.js +0 -205
- package/src/dashboard/data/countries.js +0 -255
- package/src/dashboard/docs/activity.html +0 -253
- package/src/dashboard/docs/agent-activity.html +0 -199
- package/src/dashboard/docs/agent-autonomy.html +0 -161
- package/src/dashboard/docs/agent-budget.html +0 -190
- package/src/dashboard/docs/agent-channels.html +0 -189
- package/src/dashboard/docs/agent-communication.html +0 -171
- package/src/dashboard/docs/agent-configuration.html +0 -194
- package/src/dashboard/docs/agent-deployment.html +0 -323
- package/src/dashboard/docs/agent-email.html +0 -184
- package/src/dashboard/docs/agent-guardrails.html +0 -206
- package/src/dashboard/docs/agent-manager.html +0 -226
- package/src/dashboard/docs/agent-memory.html +0 -215
- package/src/dashboard/docs/agent-overview.html +0 -226
- package/src/dashboard/docs/agent-permissions.html +0 -305
- package/src/dashboard/docs/agent-personal.html +0 -155
- package/src/dashboard/docs/agent-security.html +0 -188
- package/src/dashboard/docs/agent-skills.html +0 -224
- package/src/dashboard/docs/agent-tool-security.html +0 -205
- package/src/dashboard/docs/agent-tools.html +0 -238
- package/src/dashboard/docs/agent-whatsapp.html +0 -210
- package/src/dashboard/docs/agent-workforce.html +0 -199
- package/src/dashboard/docs/agents.html +0 -258
- package/src/dashboard/docs/approvals.html +0 -200
- package/src/dashboard/docs/audit.html +0 -206
- package/src/dashboard/docs/browser-providers.html +0 -313
- package/src/dashboard/docs/cluster.html +0 -285
- package/src/dashboard/docs/community-skills.html +0 -253
- package/src/dashboard/docs/compliance.html +0 -221
- package/src/dashboard/docs/dashboard.html +0 -84
- package/src/dashboard/docs/database-access.html +0 -322
- package/src/dashboard/docs/dlp.html +0 -268
- package/src/dashboard/docs/docs-style.css +0 -26
- package/src/dashboard/docs/domain-status.html +0 -294
- package/src/dashboard/docs/guardrails.html +0 -265
- package/src/dashboard/docs/journal.html +0 -197
- package/src/dashboard/docs/knowledge-contributions.html +0 -286
- package/src/dashboard/docs/knowledge.html +0 -268
- package/src/dashboard/docs/memory-transfer.html +0 -311
- package/src/dashboard/docs/messages.html +0 -217
- package/src/dashboard/docs/multi-tenant.html +0 -311
- package/src/dashboard/docs/org-chart.html +0 -239
- package/src/dashboard/docs/organizations.html +0 -182
- package/src/dashboard/docs/roles.html +0 -195
- package/src/dashboard/docs/settings-network.html +0 -321
- package/src/dashboard/docs/settings-security.html +0 -347
- package/src/dashboard/docs/settings-tool-security.html +0 -176
- package/src/dashboard/docs/settings.html +0 -280
- package/src/dashboard/docs/skill-connections.html +0 -270
- package/src/dashboard/docs/skills.html +0 -206
- package/src/dashboard/docs/task-pipeline.html +0 -261
- package/src/dashboard/docs/transport-encryption.html +0 -359
- package/src/dashboard/docs/users.html +0 -225
- package/src/dashboard/docs/vault.html +0 -260
- package/src/dashboard/docs/workforce.html +0 -245
- package/src/dashboard/index.html +0 -444
- package/src/dashboard/pages/activity.js +0 -379
- package/src/dashboard/pages/agent-detail/activity.js +0 -277
- package/src/dashboard/pages/agent-detail/autonomy.js +0 -244
- package/src/dashboard/pages/agent-detail/budget.js +0 -269
- package/src/dashboard/pages/agent-detail/channels.js +0 -494
- package/src/dashboard/pages/agent-detail/communication.js +0 -296
- package/src/dashboard/pages/agent-detail/configuration.js +0 -882
- package/src/dashboard/pages/agent-detail/deployment.js +0 -958
- package/src/dashboard/pages/agent-detail/email.js +0 -674
- package/src/dashboard/pages/agent-detail/guardrails.js +0 -521
- package/src/dashboard/pages/agent-detail/index.js +0 -261
- package/src/dashboard/pages/agent-detail/manager.js +0 -357
- package/src/dashboard/pages/agent-detail/meeting-browser.js +0 -933
- package/src/dashboard/pages/agent-detail/memory.js +0 -368
- package/src/dashboard/pages/agent-detail/overview.js +0 -844
- package/src/dashboard/pages/agent-detail/permissions.js +0 -1163
- package/src/dashboard/pages/agent-detail/personal-details.js +0 -404
- package/src/dashboard/pages/agent-detail/security.js +0 -409
- package/src/dashboard/pages/agent-detail/shared.js +0 -85
- package/src/dashboard/pages/agent-detail/skills-section.js +0 -183
- package/src/dashboard/pages/agent-detail/tool-security.js +0 -380
- package/src/dashboard/pages/agent-detail/tools.js +0 -322
- package/src/dashboard/pages/agent-detail/whatsapp.js +0 -824
- package/src/dashboard/pages/agent-detail/workforce.js +0 -683
- package/src/dashboard/pages/agents.js +0 -1242
- package/src/dashboard/pages/approvals.js +0 -100
- package/src/dashboard/pages/audit.js +0 -198
- package/src/dashboard/pages/cluster.js +0 -512
- package/src/dashboard/pages/community-skills.js +0 -1219
- package/src/dashboard/pages/compliance.js +0 -475
- package/src/dashboard/pages/dashboard.js +0 -180
- package/src/dashboard/pages/database-access.js +0 -812
- package/src/dashboard/pages/dlp.js +0 -293
- package/src/dashboard/pages/domain-status.js +0 -951
- package/src/dashboard/pages/guardrails.js +0 -1035
- package/src/dashboard/pages/journal.js +0 -172
- package/src/dashboard/pages/knowledge-contributions.js +0 -1682
- package/src/dashboard/pages/knowledge-import.js +0 -455
- package/src/dashboard/pages/knowledge.js +0 -582
- package/src/dashboard/pages/login.js +0 -1056
- package/src/dashboard/pages/memory-transfer.js +0 -631
- package/src/dashboard/pages/messages.js +0 -303
- package/src/dashboard/pages/org-chart.js +0 -349
- package/src/dashboard/pages/organizations.js +0 -1081
- package/src/dashboard/pages/roles.js +0 -780
- package/src/dashboard/pages/settings.js +0 -3790
- package/src/dashboard/pages/skill-connections.js +0 -982
- package/src/dashboard/pages/skills.js +0 -879
- package/src/dashboard/pages/task-pipeline.js +0 -684
- package/src/dashboard/pages/users.js +0 -867
- package/src/dashboard/pages/vault.js +0 -791
- package/src/dashboard/pages/workforce.js +0 -851
- package/src/dashboard/vendor/react-dom.development.js +0 -29924
- package/src/dashboard/vendor/react-dom.production.min.js +0 -267
- package/src/dashboard/vendor/react.development.js +0 -3343
- package/src/dashboard/vendor/react.production.min.js +0 -31
- package/src/database-access/agent-tools.ts +0 -193
- package/src/database-access/connection-manager.ts +0 -1341
- package/src/database-access/index.ts +0 -21
- package/src/database-access/query-sanitizer.ts +0 -220
- package/src/database-access/routes.ts +0 -226
- package/src/database-access/types.ts +0 -226
- package/src/db/adapter.ts +0 -510
- package/src/db/dynamodb.ts +0 -454
- package/src/db/factory.ts +0 -129
- package/src/db/mongodb.ts +0 -360
- package/src/db/mysql.ts +0 -531
- package/src/db/postgres.ts +0 -863
- package/src/db/proxy.ts +0 -39
- package/src/db/resolve-driver.ts +0 -29
- package/src/db/sql-schema.ts +0 -124
- package/src/db/sqlite.ts +0 -493
- package/src/db/turso.ts +0 -470
- package/src/deploy/fly.ts +0 -368
- package/src/deploy/managed.ts +0 -235
- package/src/domain-lock/cli-recover.ts +0 -591
- package/src/domain-lock/cli-verify.ts +0 -190
- package/src/domain-lock/index.ts +0 -220
- package/src/engine/activity-routes.ts +0 -154
- package/src/engine/activity.ts +0 -568
- package/src/engine/agent-autonomy.ts +0 -974
- package/src/engine/agent-config.ts +0 -646
- package/src/engine/agent-heartbeat.ts +0 -720
- package/src/engine/agent-hierarchy.ts +0 -1064
- package/src/engine/agent-memory.ts +0 -806
- package/src/engine/agent-notify.ts +0 -50
- package/src/engine/agent-routes.ts +0 -2583
- package/src/engine/agent-status.ts +0 -311
- package/src/engine/ambient-memory.ts +0 -401
- package/src/engine/approvals.ts +0 -615
- package/src/engine/assets/thinking-hum.mp3 +0 -0
- package/src/engine/catalog-routes.ts +0 -232
- package/src/engine/chat-poller.ts +0 -913
- package/src/engine/chat-webhook-routes.ts +0 -304
- package/src/engine/cli-build-skill.ts +0 -285
- package/src/engine/cli-submit-skill.ts +0 -200
- package/src/engine/cli-validate.ts +0 -188
- package/src/engine/cluster.ts +0 -278
- package/src/engine/communication-routes.ts +0 -139
- package/src/engine/communication.ts +0 -765
- package/src/engine/community-registry.ts +0 -1529
- package/src/engine/community-routes.ts +0 -260
- package/src/engine/compliance-routes.ts +0 -133
- package/src/engine/compliance.ts +0 -1679
- package/src/engine/config-bus.ts +0 -103
- package/src/engine/db-adapter.ts +0 -1156
- package/src/engine/db-schema.ts +0 -1945
- package/src/engine/deploy-schema-routes.ts +0 -176
- package/src/engine/deployer.ts +0 -957
- package/src/engine/dlp-routes.ts +0 -101
- package/src/engine/dlp.ts +0 -410
- package/src/engine/email-poller.ts +0 -855
- package/src/engine/emoji.ts +0 -106
- package/src/engine/guardrail-routes.ts +0 -125
- package/src/engine/guardrails.ts +0 -465
- package/src/engine/index.ts +0 -255
- package/src/engine/journal-routes.ts +0 -56
- package/src/engine/journal.ts +0 -249
- package/src/engine/knowledge-contribution-routes.ts +0 -633
- package/src/engine/knowledge-contribution.ts +0 -1386
- package/src/engine/knowledge-import/chunker.ts +0 -241
- package/src/engine/knowledge-import/import-manager.ts +0 -416
- package/src/engine/knowledge-import/index.ts +0 -27
- package/src/engine/knowledge-import/processors/clean.ts +0 -149
- package/src/engine/knowledge-import/processors/extract-gdrive.ts +0 -102
- package/src/engine/knowledge-import/processors/extract-github.ts +0 -74
- package/src/engine/knowledge-import/processors/extract-sharepoint.ts +0 -69
- package/src/engine/knowledge-import/processors/extract-web.ts +0 -275
- package/src/engine/knowledge-import/processors/index.ts +0 -18
- package/src/engine/knowledge-import/processors/pipeline.ts +0 -171
- package/src/engine/knowledge-import/processors/types.ts +0 -78
- package/src/engine/knowledge-import/processors/validate.ts +0 -150
- package/src/engine/knowledge-import/provider-file-upload.ts +0 -95
- package/src/engine/knowledge-import/provider-github.ts +0 -144
- package/src/engine/knowledge-import/provider-google-sites.ts +0 -323
- package/src/engine/knowledge-import/provider-sharepoint.ts +0 -276
- package/src/engine/knowledge-import/provider-url.ts +0 -218
- package/src/engine/knowledge-import/routes.ts +0 -94
- package/src/engine/knowledge-import/types.ts +0 -92
- package/src/engine/knowledge-routes.ts +0 -231
- package/src/engine/knowledge.ts +0 -587
- package/src/engine/lifecycle.ts +0 -1420
- package/src/engine/mcp-process-manager.ts +0 -573
- package/src/engine/meeting-monitor.ts +0 -483
- package/src/engine/meeting-voice-intelligence.ts +0 -340
- package/src/engine/memory-routes.ts +0 -142
- package/src/engine/memory-transfer-routes.ts +0 -339
- package/src/engine/messaging-history.ts +0 -177
- package/src/engine/messaging-poller.ts +0 -786
- package/src/engine/model-fallback.ts +0 -141
- package/src/engine/oauth-connect-routes.ts +0 -603
- package/src/engine/oauth-connect.ts +0 -304
- package/src/engine/onboarding-routes.ts +0 -148
- package/src/engine/onboarding.ts +0 -574
- package/src/engine/org-approval-routes.ts +0 -146
- package/src/engine/org-integration-routes.ts +0 -399
- package/src/engine/org-integrations.ts +0 -608
- package/src/engine/org-policies.ts +0 -502
- package/src/engine/policy-import-routes.ts +0 -125
- package/src/engine/policy-import.ts +0 -1186
- package/src/engine/policy-routes.ts +0 -163
- package/src/engine/routes.ts +0 -1236
- package/src/engine/screen-unlock.ts +0 -136
- package/src/engine/session-router.ts +0 -212
- package/src/engine/skill-updater-routes.ts +0 -132
- package/src/engine/skill-updater.ts +0 -480
- package/src/engine/skill-validator.ts +0 -331
- package/src/engine/skills/agent-management.ts +0 -119
- package/src/engine/skills/agent-memory.ts +0 -19
- package/src/engine/skills/agenticmail.ts +0 -116
- package/src/engine/skills/core-tools.ts +0 -25
- package/src/engine/skills/database-access.ts +0 -78
- package/src/engine/skills/enterprise-code-sandbox.ts +0 -113
- package/src/engine/skills/enterprise-database.ts +0 -123
- package/src/engine/skills/enterprise-diff.ts +0 -95
- package/src/engine/skills/enterprise-documents.ts +0 -162
- package/src/engine/skills/enterprise-http.ts +0 -99
- package/src/engine/skills/enterprise-security-scan.ts +0 -125
- package/src/engine/skills/enterprise-spreadsheet.ts +0 -171
- package/src/engine/skills/gws-admin.ts +0 -18
- package/src/engine/skills/gws-calendar.ts +0 -21
- package/src/engine/skills/gws-chat.ts +0 -29
- package/src/engine/skills/gws-contacts.ts +0 -20
- package/src/engine/skills/gws-docs.ts +0 -18
- package/src/engine/skills/gws-drive.ts +0 -23
- package/src/engine/skills/gws-forms.ts +0 -23
- package/src/engine/skills/gws-gmail.ts +0 -30
- package/src/engine/skills/gws-groups.ts +0 -17
- package/src/engine/skills/gws-keep.ts +0 -17
- package/src/engine/skills/gws-maps.ts +0 -25
- package/src/engine/skills/gws-meet.ts +0 -23
- package/src/engine/skills/gws-sheets.ts +0 -22
- package/src/engine/skills/gws-sites.ts +0 -16
- package/src/engine/skills/gws-slides.ts +0 -27
- package/src/engine/skills/gws-tasks.ts +0 -22
- package/src/engine/skills/gws-vault.ts +0 -17
- package/src/engine/skills/index.ts +0 -159
- package/src/engine/skills/knowledge-search.ts +0 -18
- package/src/engine/skills/local-system.ts +0 -61
- package/src/engine/skills/m365-admin.ts +0 -18
- package/src/engine/skills/m365-bookings.ts +0 -17
- package/src/engine/skills/m365-copilot.ts +0 -17
- package/src/engine/skills/m365-excel.ts +0 -60
- package/src/engine/skills/m365-forms.ts +0 -17
- package/src/engine/skills/m365-onedrive.ts +0 -60
- package/src/engine/skills/m365-onenote.ts +0 -17
- package/src/engine/skills/m365-outlook.ts +0 -27
- package/src/engine/skills/m365-planner.ts +0 -18
- package/src/engine/skills/m365-power-automate.ts +0 -18
- package/src/engine/skills/m365-power-bi.ts +0 -19
- package/src/engine/skills/m365-powerpoint.ts +0 -33
- package/src/engine/skills/m365-sharepoint.ts +0 -20
- package/src/engine/skills/m365-teams.ts +0 -21
- package/src/engine/skills/m365-todo.ts +0 -17
- package/src/engine/skills/m365-whiteboard.ts +0 -16
- package/src/engine/skills/m365-word.ts +0 -42
- package/src/engine/skills/mcp-bridge.ts +0 -45
- package/src/engine/skills/meeting-lifecycle.ts +0 -20
- package/src/engine/skills/messaging.ts +0 -46
- package/src/engine/skills/visual-memory.ts +0 -25
- package/src/engine/skills.ts +0 -688
- package/src/engine/soul-library.ts +0 -142
- package/src/engine/soul-templates.json +0 -1525
- package/src/engine/storage-manager.ts +0 -252
- package/src/engine/storage-routes.ts +0 -113
- package/src/engine/storage.ts +0 -528
- package/src/engine/task-poller.ts +0 -394
- package/src/engine/task-queue-after-spawn.ts +0 -66
- package/src/engine/task-queue-before-spawn.ts +0 -113
- package/src/engine/task-queue-routes.ts +0 -161
- package/src/engine/task-queue.ts +0 -664
- package/src/engine/tenant.ts +0 -409
- package/src/engine/tool-catalog.ts +0 -354
- package/src/engine/vault-routes.ts +0 -134
- package/src/engine/vault.ts +0 -601
- package/src/engine/workforce-routes.ts +0 -331
- package/src/engine/workforce.ts +0 -1161
- package/src/index.ts +0 -77
- package/src/lib/cidr.ts +0 -122
- package/src/lib/config-store.ts +0 -86
- package/src/lib/resilience.ts +0 -326
- package/src/lib/text-search.ts +0 -358
- package/src/mcp/adapters/activecampaign.adapter.ts +0 -391
- package/src/mcp/adapters/adobe-sign.adapter.ts +0 -469
- package/src/mcp/adapters/adp.adapter.ts +0 -358
- package/src/mcp/adapters/airtable.adapter.ts +0 -273
- package/src/mcp/adapters/apollo.adapter.ts +0 -420
- package/src/mcp/adapters/asana.adapter.ts +0 -315
- package/src/mcp/adapters/auth0.adapter.ts +0 -386
- package/src/mcp/adapters/aws.adapter.ts +0 -345
- package/src/mcp/adapters/azure-devops.adapter.ts +0 -389
- package/src/mcp/adapters/bamboohr.adapter.ts +0 -376
- package/src/mcp/adapters/basecamp.adapter.ts +0 -366
- package/src/mcp/adapters/bigcommerce.adapter.ts +0 -429
- package/src/mcp/adapters/bitbucket.adapter.ts +0 -260
- package/src/mcp/adapters/box.adapter.ts +0 -350
- package/src/mcp/adapters/brex.adapter.ts +0 -367
- package/src/mcp/adapters/buffer.adapter.ts +0 -303
- package/src/mcp/adapters/calendly.adapter.ts +0 -262
- package/src/mcp/adapters/canva.adapter.ts +0 -256
- package/src/mcp/adapters/chargebee.adapter.ts +0 -448
- package/src/mcp/adapters/circleci.adapter.ts +0 -216
- package/src/mcp/adapters/clickup.adapter.ts +0 -335
- package/src/mcp/adapters/close.adapter.ts +0 -390
- package/src/mcp/adapters/cloudflare.adapter.ts +0 -378
- package/src/mcp/adapters/confluence.adapter.ts +0 -301
- package/src/mcp/adapters/contentful.adapter.ts +0 -355
- package/src/mcp/adapters/copper.adapter.ts +0 -468
- package/src/mcp/adapters/crisp.adapter.ts +0 -415
- package/src/mcp/adapters/crowdstrike.adapter.ts +0 -413
- package/src/mcp/adapters/datadog.adapter.ts +0 -373
- package/src/mcp/adapters/digitalocean.adapter.ts +0 -336
- package/src/mcp/adapters/discord.adapter.ts +0 -248
- package/src/mcp/adapters/docker.adapter.ts +0 -238
- package/src/mcp/adapters/docusign.adapter.ts +0 -431
- package/src/mcp/adapters/drift.adapter.ts +0 -386
- package/src/mcp/adapters/dropbox.adapter.ts +0 -315
- package/src/mcp/adapters/figma.adapter.ts +0 -302
- package/src/mcp/adapters/firebase.adapter.ts +0 -446
- package/src/mcp/adapters/flyio.adapter.ts +0 -302
- package/src/mcp/adapters/freshbooks.adapter.ts +0 -474
- package/src/mcp/adapters/freshdesk.adapter.ts +0 -441
- package/src/mcp/adapters/freshsales.adapter.ts +0 -457
- package/src/mcp/adapters/freshservice.adapter.ts +0 -481
- package/src/mcp/adapters/front.adapter.ts +0 -357
- package/src/mcp/adapters/github-actions.adapter.ts +0 -329
- package/src/mcp/adapters/github.adapter.ts +0 -387
- package/src/mcp/adapters/gitlab.adapter.ts +0 -368
- package/src/mcp/adapters/gong.adapter.ts +0 -386
- package/src/mcp/adapters/google-ads.adapter.ts +0 -363
- package/src/mcp/adapters/google-analytics.adapter.ts +0 -316
- package/src/mcp/adapters/google-cloud.adapter.ts +0 -312
- package/src/mcp/adapters/gotomeeting.adapter.ts +0 -255
- package/src/mcp/adapters/grafana.adapter.ts +0 -361
- package/src/mcp/adapters/greenhouse.adapter.ts +0 -354
- package/src/mcp/adapters/gusto.adapter.ts +0 -329
- package/src/mcp/adapters/hashicorp-vault.adapter.ts +0 -355
- package/src/mcp/adapters/heroku.adapter.ts +0 -291
- package/src/mcp/adapters/hibob.adapter.ts +0 -334
- package/src/mcp/adapters/hootsuite.adapter.ts +0 -322
- package/src/mcp/adapters/hubspot.adapter.ts +0 -400
- package/src/mcp/adapters/huggingface.adapter.ts +0 -349
- package/src/mcp/adapters/index.ts +0 -524
- package/src/mcp/adapters/intercom.adapter.ts +0 -269
- package/src/mcp/adapters/jira.adapter.ts +0 -482
- package/src/mcp/adapters/klaviyo.adapter.ts +0 -353
- package/src/mcp/adapters/kubernetes.adapter.ts +0 -431
- package/src/mcp/adapters/lattice.adapter.ts +0 -339
- package/src/mcp/adapters/launchdarkly.adapter.ts +0 -368
- package/src/mcp/adapters/lever.adapter.ts +0 -347
- package/src/mcp/adapters/linear.adapter.ts +0 -300
- package/src/mcp/adapters/linkedin.adapter.ts +0 -331
- package/src/mcp/adapters/livechat.adapter.ts +0 -259
- package/src/mcp/adapters/loom.adapter.ts +0 -230
- package/src/mcp/adapters/mailchimp.adapter.ts +0 -394
- package/src/mcp/adapters/mailgun.adapter.ts +0 -425
- package/src/mcp/adapters/miro.adapter.ts +0 -274
- package/src/mcp/adapters/mixpanel.adapter.ts +0 -324
- package/src/mcp/adapters/monday.adapter.ts +0 -308
- package/src/mcp/adapters/mongodb-atlas.adapter.ts +0 -345
- package/src/mcp/adapters/neon.adapter.ts +0 -312
- package/src/mcp/adapters/netlify.adapter.ts +0 -324
- package/src/mcp/adapters/netsuite.adapter.ts +0 -411
- package/src/mcp/adapters/newrelic.adapter.ts +0 -339
- package/src/mcp/adapters/notion.adapter.ts +0 -338
- package/src/mcp/adapters/okta.adapter.ts +0 -394
- package/src/mcp/adapters/openai.adapter.ts +0 -315
- package/src/mcp/adapters/opsgenie.adapter.ts +0 -375
- package/src/mcp/adapters/outreach.adapter.ts +0 -372
- package/src/mcp/adapters/paddle.adapter.ts +0 -467
- package/src/mcp/adapters/pagerduty.adapter.ts +0 -412
- package/src/mcp/adapters/pandadoc.adapter.ts +0 -389
- package/src/mcp/adapters/paypal.adapter.ts +0 -465
- package/src/mcp/adapters/personio.adapter.ts +0 -401
- package/src/mcp/adapters/pinecone.adapter.ts +0 -340
- package/src/mcp/adapters/pipedrive.adapter.ts +0 -324
- package/src/mcp/adapters/plaid.adapter.ts +0 -444
- package/src/mcp/adapters/postmark.adapter.ts +0 -387
- package/src/mcp/adapters/power-automate.adapter.ts +0 -388
- package/src/mcp/adapters/quickbooks.adapter.ts +0 -431
- package/src/mcp/adapters/recurly.adapter.ts +0 -433
- package/src/mcp/adapters/reddit.adapter.ts +0 -371
- package/src/mcp/adapters/render.adapter.ts +0 -332
- package/src/mcp/adapters/ringcentral.adapter.ts +0 -281
- package/src/mcp/adapters/rippling.adapter.ts +0 -287
- package/src/mcp/adapters/salesforce.adapter.ts +0 -321
- package/src/mcp/adapters/salesloft.adapter.ts +0 -413
- package/src/mcp/adapters/sanity.adapter.ts +0 -363
- package/src/mcp/adapters/sap.adapter.ts +0 -483
- package/src/mcp/adapters/segment.adapter.ts +0 -260
- package/src/mcp/adapters/sendgrid.adapter.ts +0 -265
- package/src/mcp/adapters/sentry.adapter.ts +0 -331
- package/src/mcp/adapters/servicenow.adapter.ts +0 -468
- package/src/mcp/adapters/shopify.adapter.ts +0 -451
- package/src/mcp/adapters/shortcut.adapter.ts +0 -290
- package/src/mcp/adapters/slack.adapter.ts +0 -380
- package/src/mcp/adapters/smartsheet.adapter.ts +0 -326
- package/src/mcp/adapters/snowflake.adapter.ts +0 -347
- package/src/mcp/adapters/snyk.adapter.ts +0 -394
- package/src/mcp/adapters/splunk.adapter.ts +0 -403
- package/src/mcp/adapters/square.adapter.ts +0 -467
- package/src/mcp/adapters/statuspage.adapter.ts +0 -401
- package/src/mcp/adapters/stripe.adapter.ts +0 -380
- package/src/mcp/adapters/supabase.adapter.ts +0 -334
- package/src/mcp/adapters/teamwork.adapter.ts +0 -404
- package/src/mcp/adapters/telegram.adapter.ts +0 -299
- package/src/mcp/adapters/terraform.adapter.ts +0 -300
- package/src/mcp/adapters/todoist.adapter.ts +0 -239
- package/src/mcp/adapters/trello.adapter.ts +0 -316
- package/src/mcp/adapters/twilio.adapter.ts +0 -233
- package/src/mcp/adapters/twitter.adapter.ts +0 -348
- package/src/mcp/adapters/vercel.adapter.ts +0 -219
- package/src/mcp/adapters/weaviate.adapter.ts +0 -371
- package/src/mcp/adapters/webex.adapter.ts +0 -237
- package/src/mcp/adapters/webflow.adapter.ts +0 -287
- package/src/mcp/adapters/whatsapp.adapter.ts +0 -273
- package/src/mcp/adapters/whereby.adapter.ts +0 -240
- package/src/mcp/adapters/woocommerce.adapter.ts +0 -454
- package/src/mcp/adapters/wordpress.adapter.ts +0 -455
- package/src/mcp/adapters/workday.adapter.ts +0 -354
- package/src/mcp/adapters/wrike.adapter.ts +0 -349
- package/src/mcp/adapters/xero.adapter.ts +0 -472
- package/src/mcp/adapters/youtube.adapter.ts +0 -401
- package/src/mcp/adapters/zendesk.adapter.ts +0 -399
- package/src/mcp/adapters/zoho-crm.adapter.ts +0 -410
- package/src/mcp/adapters/zoom.adapter.ts +0 -241
- package/src/mcp/adapters/zuora.adapter.ts +0 -476
- package/src/mcp/framework/api-executor.ts +0 -192
- package/src/mcp/framework/aws-sigv4.ts +0 -216
- package/src/mcp/framework/credential-resolver.ts +0 -128
- package/src/mcp/framework/oauth-token-manager.ts +0 -22
- package/src/mcp/framework/skill-mcp-framework.ts +0 -226
- package/src/mcp/framework/types.ts +0 -130
- package/src/mcp/index.ts +0 -124
- package/src/mcp/integration-catalog.ts +0 -178
- package/src/middleware/dns-rebinding.ts +0 -44
- package/src/middleware/egress-filter.ts +0 -104
- package/src/middleware/firewall.ts +0 -192
- package/src/middleware/geo-ip.ts +0 -156
- package/src/middleware/index.ts +0 -390
- package/src/middleware/network-config.ts +0 -90
- package/src/middleware/proxy-config.ts +0 -71
- package/src/middleware/request-limits.ts +0 -59
- package/src/middleware/transport-encryption.ts +0 -398
- package/src/registry/cli.ts +0 -63
- package/src/registry/server.ts +0 -504
- package/src/runtime/agent-loop.ts +0 -779
- package/src/runtime/compaction.ts +0 -638
- package/src/runtime/email-channel.ts +0 -120
- package/src/runtime/environment.ts +0 -300
- package/src/runtime/followup.ts +0 -211
- package/src/runtime/gateway.ts +0 -260
- package/src/runtime/hooks.ts +0 -564
- package/src/runtime/index.ts +0 -1110
- package/src/runtime/llm-client.ts +0 -1056
- package/src/runtime/model-router.ts +0 -97
- package/src/runtime/providers.ts +0 -228
- package/src/runtime/session-manager.ts +0 -345
- package/src/runtime/subagent.ts +0 -153
- package/src/runtime/tool-executor.ts +0 -208
- package/src/runtime/types.ts +0 -255
- package/src/security/brute-force.ts +0 -423
- package/src/security/config.ts +0 -159
- package/src/security/csp.ts +0 -407
- package/src/security/external-content.ts +0 -299
- package/src/security/index.ts +0 -557
- package/src/security/input-sanitizer.ts +0 -452
- package/src/security/output-filter.ts +0 -575
- package/src/security/port-scanner.ts +0 -342
- package/src/security/prompt-guard.ts +0 -387
- package/src/security/sql-guard.ts +0 -338
- package/src/security/threat-logger.ts +0 -484
- package/src/server.ts +0 -828
- package/src/setup/company.ts +0 -183
- package/src/setup/database.ts +0 -153
- package/src/setup/deployment.ts +0 -561
- package/src/setup/domain.ts +0 -112
- package/src/setup/index.ts +0 -171
- package/src/setup/provision.ts +0 -532
- package/src/setup/registration.ts +0 -302
- package/src/system-prompts/catchup.ts +0 -48
- package/src/system-prompts/google/calendar.ts +0 -37
- package/src/system-prompts/google/chat.ts +0 -92
- package/src/system-prompts/google/contacts.ts +0 -25
- package/src/system-prompts/google/docs.ts +0 -29
- package/src/system-prompts/google/drive.ts +0 -34
- package/src/system-prompts/google/forms.ts +0 -25
- package/src/system-prompts/google/gmail.ts +0 -50
- package/src/system-prompts/google/index.ts +0 -23
- package/src/system-prompts/google/maps.ts +0 -20
- package/src/system-prompts/google/meet.ts +0 -130
- package/src/system-prompts/google/sheets.ts +0 -32
- package/src/system-prompts/google/slides.ts +0 -26
- package/src/system-prompts/google/tasks.ts +0 -27
- package/src/system-prompts/index.ts +0 -88
- package/src/system-prompts/microsoft/contacts.ts +0 -34
- package/src/system-prompts/microsoft/excel.ts +0 -52
- package/src/system-prompts/microsoft/index.ts +0 -31
- package/src/system-prompts/microsoft/onedrive.ts +0 -41
- package/src/system-prompts/microsoft/onenote.ts +0 -36
- package/src/system-prompts/microsoft/outlook-calendar.ts +0 -37
- package/src/system-prompts/microsoft/outlook-mail.ts +0 -46
- package/src/system-prompts/microsoft/planner.ts +0 -37
- package/src/system-prompts/microsoft/powerbi.ts +0 -38
- package/src/system-prompts/microsoft/powerpoint.ts +0 -35
- package/src/system-prompts/microsoft/sharepoint.ts +0 -44
- package/src/system-prompts/microsoft/teams.ts +0 -49
- package/src/system-prompts/microsoft/todo.ts +0 -37
- package/src/system-prompts/shared-blocks.ts +0 -87
- package/src/system-prompts/task.ts +0 -21
- package/src/system-prompts/triage.ts +0 -34
- package/src/types/hono-env.ts +0 -18
- package/src/types/optional-deps.d.ts +0 -10
- /package/{src → dist}/dashboard/HELP-TOOLTIPS-GUIDE.md +0 -0
package/src/auth/routes.ts
DELETED
|
@@ -1,1589 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Authentication Routes
|
|
3
|
-
*
|
|
4
|
-
* Handles login (email/password), JWT issuance, SAML 2.0, and OIDC.
|
|
5
|
-
* Uses httpOnly secure cookies for session management (enterprise-grade security).
|
|
6
|
-
* Also supports Bearer token + API key auth for programmatic access.
|
|
7
|
-
*/
|
|
8
|
-
|
|
9
|
-
import { Hono } from 'hono';
|
|
10
|
-
import { setCookie, getCookie, deleteCookie } from 'hono/cookie';
|
|
11
|
-
import { createVerify } from 'node:crypto';
|
|
12
|
-
import type { DatabaseAdapter, SsoConfig } from '../db/adapter.js';
|
|
13
|
-
import { transportEncryptionMiddleware } from '../middleware/index.js';
|
|
14
|
-
|
|
15
|
-
const COOKIE_NAME = 'em_session';
|
|
16
|
-
const REFRESH_COOKIE = 'em_refresh';
|
|
17
|
-
const CSRF_COOKIE = 'em_csrf';
|
|
18
|
-
const TOKEN_TTL = '24h';
|
|
19
|
-
const REFRESH_TTL = '7d';
|
|
20
|
-
|
|
21
|
-
function cookieOpts(maxAge: number, isSecure: boolean) {
|
|
22
|
-
return {
|
|
23
|
-
httpOnly: true,
|
|
24
|
-
secure: isSecure,
|
|
25
|
-
sameSite: 'Lax' as const,
|
|
26
|
-
path: '/',
|
|
27
|
-
maxAge,
|
|
28
|
-
};
|
|
29
|
-
}
|
|
30
|
-
|
|
31
|
-
function generateCsrf(): string {
|
|
32
|
-
const bytes = new Uint8Array(32);
|
|
33
|
-
crypto.getRandomValues(bytes);
|
|
34
|
-
return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
|
|
35
|
-
}
|
|
36
|
-
|
|
37
|
-
function generateState(): string {
|
|
38
|
-
const bytes = new Uint8Array(32);
|
|
39
|
-
crypto.getRandomValues(bytes);
|
|
40
|
-
return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
|
|
41
|
-
}
|
|
42
|
-
|
|
43
|
-
function generateCodeVerifier(): string {
|
|
44
|
-
const bytes = new Uint8Array(32);
|
|
45
|
-
crypto.getRandomValues(bytes);
|
|
46
|
-
return Array.from(bytes)
|
|
47
|
-
.map(b => 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~'[b % 66])
|
|
48
|
-
.join('');
|
|
49
|
-
}
|
|
50
|
-
|
|
51
|
-
async function generateCodeChallenge(verifier: string): Promise<string> {
|
|
52
|
-
const encoder = new TextEncoder();
|
|
53
|
-
const data = encoder.encode(verifier);
|
|
54
|
-
const digest = await crypto.subtle.digest('SHA-256', data);
|
|
55
|
-
return btoa(String.fromCharCode(...new Uint8Array(digest)))
|
|
56
|
-
.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
|
|
57
|
-
}
|
|
58
|
-
|
|
59
|
-
export function createAuthRoutes(
|
|
60
|
-
db: DatabaseAdapter,
|
|
61
|
-
jwtSecret: string,
|
|
62
|
-
opts?: {
|
|
63
|
-
onBootstrap?: () => void;
|
|
64
|
-
onDbConfigure?: (newAdapter: DatabaseAdapter) => DatabaseAdapter;
|
|
65
|
-
},
|
|
66
|
-
) {
|
|
67
|
-
const auth = new Hono();
|
|
68
|
-
|
|
69
|
-
// Transport encryption middleware — decrypts incoming, encrypts outgoing
|
|
70
|
-
auth.use('*', transportEncryptionMiddleware());
|
|
71
|
-
|
|
72
|
-
const isSecure = () => {
|
|
73
|
-
return process.env.NODE_ENV === 'production' || process.env.SECURE_COOKIES === '1';
|
|
74
|
-
};
|
|
75
|
-
|
|
76
|
-
async function issueTokens(userId: string, email: string, role: string, clientOrgId?: string | null) {
|
|
77
|
-
const { SignJWT } = await import('jose');
|
|
78
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
79
|
-
|
|
80
|
-
const payload: Record<string, any> = { sub: userId, email, role };
|
|
81
|
-
if (clientOrgId) payload.clientOrgId = clientOrgId;
|
|
82
|
-
|
|
83
|
-
const token = await new SignJWT(payload)
|
|
84
|
-
.setProtectedHeader({ alg: 'HS256' })
|
|
85
|
-
.setIssuedAt()
|
|
86
|
-
.setExpirationTime(TOKEN_TTL)
|
|
87
|
-
.sign(secret);
|
|
88
|
-
|
|
89
|
-
const refreshToken = await new SignJWT({ sub: userId, type: 'refresh' })
|
|
90
|
-
.setProtectedHeader({ alg: 'HS256' })
|
|
91
|
-
.setIssuedAt()
|
|
92
|
-
.setExpirationTime(REFRESH_TTL)
|
|
93
|
-
.sign(secret);
|
|
94
|
-
|
|
95
|
-
return { token, refreshToken };
|
|
96
|
-
}
|
|
97
|
-
|
|
98
|
-
/** Set session cookies and return token info */
|
|
99
|
-
async function setSessionCookies(c: any, userId: string, email: string, role: string, method: string, clientOrgId?: string | null) {
|
|
100
|
-
const { token, refreshToken } = await issueTokens(userId, email, role, clientOrgId);
|
|
101
|
-
const csrf = generateCsrf();
|
|
102
|
-
const secure = isSecure();
|
|
103
|
-
|
|
104
|
-
setCookie(c, COOKIE_NAME, token, cookieOpts(86400, secure));
|
|
105
|
-
setCookie(c, REFRESH_COOKIE, refreshToken, cookieOpts(604800, secure));
|
|
106
|
-
setCookie(c, CSRF_COOKIE, csrf, { ...cookieOpts(86400, secure), httpOnly: false });
|
|
107
|
-
|
|
108
|
-
await db.updateUser(userId, { lastLoginAt: new Date() } as any).catch(() => {});
|
|
109
|
-
await db.logEvent({
|
|
110
|
-
actor: userId, actorType: 'user', action: 'auth.login',
|
|
111
|
-
resource: `user:${userId}`, details: { method },
|
|
112
|
-
ip: c.req.header('x-forwarded-for') || c.req.header('x-real-ip'),
|
|
113
|
-
}).catch(() => {});
|
|
114
|
-
|
|
115
|
-
return { token, refreshToken, csrf };
|
|
116
|
-
}
|
|
117
|
-
|
|
118
|
-
/** Find or auto-provision an SSO user */
|
|
119
|
-
async function findOrProvisionSsoUser(
|
|
120
|
-
provider: string,
|
|
121
|
-
subject: string,
|
|
122
|
-
email: string,
|
|
123
|
-
name: string,
|
|
124
|
-
config: { autoProvision?: boolean; defaultRole?: string; allowedDomains?: string[] },
|
|
125
|
-
) {
|
|
126
|
-
// Check domain allowlist
|
|
127
|
-
if (config.allowedDomains?.length) {
|
|
128
|
-
const domain = email.split('@')[1]?.toLowerCase();
|
|
129
|
-
if (!config.allowedDomains.some(d => d.toLowerCase() === domain)) {
|
|
130
|
-
return { error: `Email domain "${domain}" not allowed for SSO login` };
|
|
131
|
-
}
|
|
132
|
-
}
|
|
133
|
-
|
|
134
|
-
// Try to find existing SSO user
|
|
135
|
-
let user = await db.getUserBySso(provider, subject);
|
|
136
|
-
if (user) return { user };
|
|
137
|
-
|
|
138
|
-
// Try to find by email (link existing account)
|
|
139
|
-
user = await db.getUserByEmail(email);
|
|
140
|
-
if (user) {
|
|
141
|
-
// Link SSO to existing account
|
|
142
|
-
await db.updateUser(user.id, { ssoProvider: provider, ssoSubject: subject } as any);
|
|
143
|
-
return { user };
|
|
144
|
-
}
|
|
145
|
-
|
|
146
|
-
// Auto-provision if enabled
|
|
147
|
-
if (!config.autoProvision) {
|
|
148
|
-
return { error: 'No account found. Contact your administrator to create an account.' };
|
|
149
|
-
}
|
|
150
|
-
|
|
151
|
-
const newUser = await db.createUser({
|
|
152
|
-
email,
|
|
153
|
-
name: name || email.split('@')[0],
|
|
154
|
-
role: (config.defaultRole as any) || 'member',
|
|
155
|
-
ssoProvider: provider,
|
|
156
|
-
ssoSubject: subject,
|
|
157
|
-
});
|
|
158
|
-
return { user: newUser };
|
|
159
|
-
}
|
|
160
|
-
|
|
161
|
-
// Helper: extract JWT from cookie OR Authorization header
|
|
162
|
-
async function extractToken(c: any): Promise<string | null> {
|
|
163
|
-
const cookieToken = getCookie(c, COOKIE_NAME);
|
|
164
|
-
if (cookieToken) return cookieToken;
|
|
165
|
-
const authHeader = c.req.header('Authorization');
|
|
166
|
-
if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
|
|
167
|
-
return null;
|
|
168
|
-
}
|
|
169
|
-
|
|
170
|
-
/** Load SSO config from company settings */
|
|
171
|
-
async function getSsoConfig(): Promise<SsoConfig | null> {
|
|
172
|
-
try {
|
|
173
|
-
const settings = await db.getSettings();
|
|
174
|
-
return settings?.ssoConfig || null;
|
|
175
|
-
} catch {
|
|
176
|
-
return null;
|
|
177
|
-
}
|
|
178
|
-
}
|
|
179
|
-
|
|
180
|
-
// ─── TOTP Helpers ────────────────────────────────────────
|
|
181
|
-
|
|
182
|
-
function generateTotpSecret(): string {
|
|
183
|
-
const bytes = new Uint8Array(20);
|
|
184
|
-
crypto.getRandomValues(bytes);
|
|
185
|
-
return base32Encode(bytes);
|
|
186
|
-
}
|
|
187
|
-
|
|
188
|
-
function base32Encode(bytes: Uint8Array): string {
|
|
189
|
-
const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
|
|
190
|
-
let result = '';
|
|
191
|
-
let bits = 0;
|
|
192
|
-
let value = 0;
|
|
193
|
-
for (const byte of bytes) {
|
|
194
|
-
value = (value << 8) | byte;
|
|
195
|
-
bits += 8;
|
|
196
|
-
while (bits >= 5) {
|
|
197
|
-
result += alphabet[(value >>> (bits - 5)) & 31];
|
|
198
|
-
bits -= 5;
|
|
199
|
-
}
|
|
200
|
-
}
|
|
201
|
-
if (bits > 0) {
|
|
202
|
-
result += alphabet[(value << (5 - bits)) & 31];
|
|
203
|
-
}
|
|
204
|
-
return result;
|
|
205
|
-
}
|
|
206
|
-
|
|
207
|
-
function base32Decode(input: string): Uint8Array {
|
|
208
|
-
const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
|
|
209
|
-
const cleaned = input.replace(/[=\s]/g, '').toUpperCase();
|
|
210
|
-
const bytes: number[] = [];
|
|
211
|
-
let bits = 0;
|
|
212
|
-
let value = 0;
|
|
213
|
-
for (const char of cleaned) {
|
|
214
|
-
const idx = alphabet.indexOf(char);
|
|
215
|
-
if (idx === -1) continue;
|
|
216
|
-
value = (value << 5) | idx;
|
|
217
|
-
bits += 5;
|
|
218
|
-
if (bits >= 8) {
|
|
219
|
-
bytes.push((value >>> (bits - 8)) & 0xff);
|
|
220
|
-
bits -= 8;
|
|
221
|
-
}
|
|
222
|
-
}
|
|
223
|
-
return new Uint8Array(bytes);
|
|
224
|
-
}
|
|
225
|
-
|
|
226
|
-
async function generateTotp(secret: string, timeStep = 30, digits = 6, offsetSteps = 0): Promise<string> {
|
|
227
|
-
const keyBytes = base32Decode(secret);
|
|
228
|
-
const time = Math.floor(Date.now() / 1000 / timeStep) + offsetSteps;
|
|
229
|
-
const timeBytes = new Uint8Array(8);
|
|
230
|
-
let t = time;
|
|
231
|
-
for (let i = 7; i >= 0; i--) {
|
|
232
|
-
timeBytes[i] = t & 0xff;
|
|
233
|
-
t = Math.floor(t / 256);
|
|
234
|
-
}
|
|
235
|
-
const key = await crypto.subtle.importKey('raw', keyBytes.buffer as ArrayBuffer, { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
|
|
236
|
-
const sig = new Uint8Array(await crypto.subtle.sign('HMAC', key, timeBytes));
|
|
237
|
-
const offset = sig[sig.length - 1] & 0x0f;
|
|
238
|
-
const code = ((sig[offset] & 0x7f) << 24 | sig[offset + 1] << 16 | sig[offset + 2] << 8 | sig[offset + 3]) % (10 ** digits);
|
|
239
|
-
return String(code).padStart(digits, '0');
|
|
240
|
-
}
|
|
241
|
-
|
|
242
|
-
async function verifyTotp(secret: string, token: string): Promise<boolean> {
|
|
243
|
-
// Allow 1 step drift in either direction
|
|
244
|
-
for (const offset of [0, -1, 1]) {
|
|
245
|
-
const expected = await generateTotp(secret, 30, 6, offset);
|
|
246
|
-
if (expected === token) return true;
|
|
247
|
-
}
|
|
248
|
-
return false;
|
|
249
|
-
}
|
|
250
|
-
|
|
251
|
-
function generateBackupCodes(count = 8): string[] {
|
|
252
|
-
const codes: string[] = [];
|
|
253
|
-
for (let i = 0; i < count; i++) {
|
|
254
|
-
const bytes = new Uint8Array(4);
|
|
255
|
-
crypto.getRandomValues(bytes);
|
|
256
|
-
codes.push(Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('').toUpperCase());
|
|
257
|
-
}
|
|
258
|
-
return codes;
|
|
259
|
-
}
|
|
260
|
-
|
|
261
|
-
// Pending 2FA challenges — short-lived, keyed by a challenge token
|
|
262
|
-
const pending2fa = new Map<string, { userId: string; expiresAt: number }>();
|
|
263
|
-
|
|
264
|
-
// Cleanup expired challenges periodically
|
|
265
|
-
setInterval(() => {
|
|
266
|
-
const now = Date.now();
|
|
267
|
-
for (const [k, v] of pending2fa) {
|
|
268
|
-
if (v.expiresAt < now) pending2fa.delete(k);
|
|
269
|
-
}
|
|
270
|
-
}, 60_000);
|
|
271
|
-
|
|
272
|
-
// ─── Email/Password Login ───────────────────────────────
|
|
273
|
-
|
|
274
|
-
auth.post('/login', async (c) => {
|
|
275
|
-
const { email, password } = await c.req.json();
|
|
276
|
-
if (!email || !password) {
|
|
277
|
-
return c.json({ error: 'Email and password required' }, 400);
|
|
278
|
-
}
|
|
279
|
-
|
|
280
|
-
const user = await db.getUserByEmail(email);
|
|
281
|
-
if (!user || !user.passwordHash) {
|
|
282
|
-
return c.json({ error: 'Invalid credentials' }, 401);
|
|
283
|
-
}
|
|
284
|
-
|
|
285
|
-
// Check if account is deactivated
|
|
286
|
-
if (user.isActive === false) {
|
|
287
|
-
return c.json({ error: 'Your account has been deactivated by your organization. Please contact your organization administrator to restore access.' }, 403);
|
|
288
|
-
}
|
|
289
|
-
|
|
290
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
291
|
-
const valid = await bcrypt.compare(password, user.passwordHash);
|
|
292
|
-
if (!valid) {
|
|
293
|
-
return c.json({ error: 'Invalid credentials' }, 401);
|
|
294
|
-
}
|
|
295
|
-
|
|
296
|
-
// If 2FA enabled, return challenge instead of session
|
|
297
|
-
if (user.totpEnabled && user.totpSecret) {
|
|
298
|
-
const challengeToken = generateCsrf(); // reuse the random generator
|
|
299
|
-
pending2fa.set(challengeToken, { userId: user.id, expiresAt: Date.now() + 5 * 60 * 1000 });
|
|
300
|
-
return c.json({
|
|
301
|
-
requires2fa: true,
|
|
302
|
-
challengeToken,
|
|
303
|
-
message: 'Enter your 2FA code to continue',
|
|
304
|
-
});
|
|
305
|
-
}
|
|
306
|
-
|
|
307
|
-
const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'password', user.clientOrgId);
|
|
308
|
-
|
|
309
|
-
return c.json({
|
|
310
|
-
token,
|
|
311
|
-
refreshToken,
|
|
312
|
-
csrf,
|
|
313
|
-
user: { id: user.id, email: user.email, name: user.name, role: user.role, totpEnabled: !!user.totpEnabled, clientOrgId: user.clientOrgId || null },
|
|
314
|
-
mustResetPassword: !!user.mustResetPassword,
|
|
315
|
-
});
|
|
316
|
-
});
|
|
317
|
-
|
|
318
|
-
// ─── 2FA Verification (during login) ───────────────────
|
|
319
|
-
|
|
320
|
-
auth.post('/2fa/verify', async (c) => {
|
|
321
|
-
const { challengeToken, code } = await c.req.json();
|
|
322
|
-
if (!challengeToken || !code) {
|
|
323
|
-
return c.json({ error: 'Challenge token and code required' }, 400);
|
|
324
|
-
}
|
|
325
|
-
|
|
326
|
-
const challenge = pending2fa.get(challengeToken);
|
|
327
|
-
if (!challenge || challenge.expiresAt < Date.now()) {
|
|
328
|
-
pending2fa.delete(challengeToken);
|
|
329
|
-
return c.json({ error: 'Challenge expired. Please login again.' }, 401);
|
|
330
|
-
}
|
|
331
|
-
|
|
332
|
-
const user = await db.getUser(challenge.userId);
|
|
333
|
-
if (!user || !user.totpSecret) {
|
|
334
|
-
pending2fa.delete(challengeToken);
|
|
335
|
-
return c.json({ error: 'User not found' }, 401);
|
|
336
|
-
}
|
|
337
|
-
|
|
338
|
-
// Try TOTP code first
|
|
339
|
-
const totpValid = await verifyTotp(user.totpSecret, code.replace(/\s/g, ''));
|
|
340
|
-
|
|
341
|
-
// Try backup codes if TOTP fails
|
|
342
|
-
let backupUsed = false;
|
|
343
|
-
if (!totpValid && user.totpBackupCodes) {
|
|
344
|
-
try {
|
|
345
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
346
|
-
const backupCodes: string[] = JSON.parse(user.totpBackupCodes);
|
|
347
|
-
for (let i = 0; i < backupCodes.length; i++) {
|
|
348
|
-
const match = await bcrypt.compare(code.toUpperCase().replace(/\s/g, ''), backupCodes[i]);
|
|
349
|
-
if (match) {
|
|
350
|
-
// Remove used backup code
|
|
351
|
-
backupCodes.splice(i, 1);
|
|
352
|
-
await db.updateUser(user.id, { totpBackupCodes: JSON.stringify(backupCodes) } as any);
|
|
353
|
-
backupUsed = true;
|
|
354
|
-
break;
|
|
355
|
-
}
|
|
356
|
-
}
|
|
357
|
-
} catch { /* invalid backup codes JSON */ }
|
|
358
|
-
}
|
|
359
|
-
|
|
360
|
-
if (!totpValid && !backupUsed) {
|
|
361
|
-
return c.json({ error: 'Invalid 2FA code' }, 401);
|
|
362
|
-
}
|
|
363
|
-
|
|
364
|
-
pending2fa.delete(challengeToken);
|
|
365
|
-
|
|
366
|
-
const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'password+2fa', user.clientOrgId);
|
|
367
|
-
|
|
368
|
-
return c.json({
|
|
369
|
-
token,
|
|
370
|
-
refreshToken,
|
|
371
|
-
csrf,
|
|
372
|
-
user: { id: user.id, email: user.email, name: user.name, role: user.role, totpEnabled: true, clientOrgId: user.clientOrgId || null },
|
|
373
|
-
mustResetPassword: !!user.mustResetPassword,
|
|
374
|
-
...(backupUsed ? { warning: 'Backup code used. You have fewer backup codes remaining.' } : {}),
|
|
375
|
-
});
|
|
376
|
-
});
|
|
377
|
-
|
|
378
|
-
// ─── Self-Service Password Reset (email + 2FA) ─────────
|
|
379
|
-
|
|
380
|
-
auth.post('/reset-password-self', async (c) => {
|
|
381
|
-
const { email, totpCode, newPassword } = await c.req.json();
|
|
382
|
-
if (!email || !newPassword) {
|
|
383
|
-
return c.json({ error: 'Email and new password are required' }, 400);
|
|
384
|
-
}
|
|
385
|
-
if (typeof newPassword !== 'string' || newPassword.length < 8) {
|
|
386
|
-
return c.json({ error: 'Password must be at least 8 characters' }, 400);
|
|
387
|
-
}
|
|
388
|
-
|
|
389
|
-
const user = await db.getUserByEmail(email);
|
|
390
|
-
if (!user) {
|
|
391
|
-
// Don't reveal whether email exists
|
|
392
|
-
return c.json({ error: 'If this email exists with 2FA enabled, a reset will be processed' }, 200);
|
|
393
|
-
}
|
|
394
|
-
|
|
395
|
-
// If user has 2FA, require code
|
|
396
|
-
if (user.totpEnabled && user.totpSecret) {
|
|
397
|
-
if (!totpCode) {
|
|
398
|
-
return c.json({ has2fa: true, message: 'Enter your 2FA code to reset password' });
|
|
399
|
-
}
|
|
400
|
-
const valid = await verifyTotp(user.totpSecret, totpCode.replace(/\s/g, ''));
|
|
401
|
-
if (!valid) {
|
|
402
|
-
// Try backup codes
|
|
403
|
-
let backupValid = false;
|
|
404
|
-
if (user.totpBackupCodes) {
|
|
405
|
-
try {
|
|
406
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
407
|
-
const codes: string[] = JSON.parse(user.totpBackupCodes);
|
|
408
|
-
for (let i = 0; i < codes.length; i++) {
|
|
409
|
-
if (await bcrypt.compare(totpCode.toUpperCase().replace(/\s/g, ''), codes[i])) {
|
|
410
|
-
codes.splice(i, 1);
|
|
411
|
-
await db.updateUser(user.id, { totpBackupCodes: JSON.stringify(codes) } as any);
|
|
412
|
-
backupValid = true;
|
|
413
|
-
break;
|
|
414
|
-
}
|
|
415
|
-
}
|
|
416
|
-
} catch { /* ignore */ }
|
|
417
|
-
}
|
|
418
|
-
if (!backupValid) {
|
|
419
|
-
return c.json({ error: 'Invalid 2FA code' }, 401);
|
|
420
|
-
}
|
|
421
|
-
}
|
|
422
|
-
} else {
|
|
423
|
-
// No 2FA — cannot self-reset
|
|
424
|
-
return c.json({ no2fa: true, error: 'Two-factor authentication is not enabled on this account. Please contact your organization administrator to reset your password.' }, 403);
|
|
425
|
-
}
|
|
426
|
-
|
|
427
|
-
// Reset password
|
|
428
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
429
|
-
const passwordHash = await bcrypt.hash(newPassword, 12);
|
|
430
|
-
try {
|
|
431
|
-
await (db as any).pool.query(
|
|
432
|
-
'UPDATE users SET password_hash = $1, must_reset_password = FALSE, updated_at = NOW() WHERE id = $2',
|
|
433
|
-
[passwordHash, user.id]
|
|
434
|
-
);
|
|
435
|
-
} catch {
|
|
436
|
-
const edb = (db as any).db;
|
|
437
|
-
if (edb?.prepare) edb.prepare('UPDATE users SET password_hash = ?, must_reset_password = 0, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(passwordHash, user.id);
|
|
438
|
-
}
|
|
439
|
-
|
|
440
|
-
return c.json({ ok: true, message: 'Password reset successfully. You can now sign in.' });
|
|
441
|
-
});
|
|
442
|
-
|
|
443
|
-
// ─── Force Password Reset (authenticated, must-reset users) ──
|
|
444
|
-
|
|
445
|
-
auth.post('/force-reset-password', async (c) => {
|
|
446
|
-
const token = await extractToken(c);
|
|
447
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
448
|
-
|
|
449
|
-
let userId: string;
|
|
450
|
-
try {
|
|
451
|
-
const { jwtVerify } = await import('jose');
|
|
452
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
453
|
-
const { payload } = await jwtVerify(token, secret);
|
|
454
|
-
userId = payload.sub as string;
|
|
455
|
-
} catch {
|
|
456
|
-
return c.json({ error: 'Invalid session' }, 401);
|
|
457
|
-
}
|
|
458
|
-
|
|
459
|
-
const { newPassword } = await c.req.json();
|
|
460
|
-
if (!newPassword || typeof newPassword !== 'string' || newPassword.length < 8) {
|
|
461
|
-
return c.json({ error: 'Password must be at least 8 characters' }, 400);
|
|
462
|
-
}
|
|
463
|
-
|
|
464
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
465
|
-
const passwordHash = await bcrypt.hash(newPassword, 12);
|
|
466
|
-
try {
|
|
467
|
-
await (db as any).pool.query(
|
|
468
|
-
'UPDATE users SET password_hash = $1, must_reset_password = FALSE, updated_at = NOW() WHERE id = $2',
|
|
469
|
-
[passwordHash, userId]
|
|
470
|
-
);
|
|
471
|
-
} catch {
|
|
472
|
-
const edb = (db as any).db;
|
|
473
|
-
if (edb?.prepare) edb.prepare('UPDATE users SET password_hash = ?, must_reset_password = 0, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(passwordHash, userId);
|
|
474
|
-
}
|
|
475
|
-
|
|
476
|
-
return c.json({ ok: true });
|
|
477
|
-
});
|
|
478
|
-
|
|
479
|
-
// ─── 2FA Setup (authenticated users) ───────────────────
|
|
480
|
-
|
|
481
|
-
auth.post('/2fa/setup', async (c) => {
|
|
482
|
-
const token = await extractToken(c);
|
|
483
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
484
|
-
|
|
485
|
-
let userId: string;
|
|
486
|
-
try {
|
|
487
|
-
const { jwtVerify } = await import('jose');
|
|
488
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
489
|
-
const { payload } = await jwtVerify(token, secret);
|
|
490
|
-
userId = payload.sub as string;
|
|
491
|
-
} catch {
|
|
492
|
-
return c.json({ error: 'Invalid token' }, 401);
|
|
493
|
-
}
|
|
494
|
-
|
|
495
|
-
const user = await db.getUser(userId);
|
|
496
|
-
if (!user) return c.json({ error: 'User not found' }, 404);
|
|
497
|
-
|
|
498
|
-
if (user.totpEnabled) {
|
|
499
|
-
return c.json({ error: '2FA is already enabled. Disable it first to re-enroll.' }, 400);
|
|
500
|
-
}
|
|
501
|
-
|
|
502
|
-
const totpSecret = generateTotpSecret();
|
|
503
|
-
const settings = await db.getSettings();
|
|
504
|
-
const issuer = settings?.name || 'AgenticMail Enterprise';
|
|
505
|
-
const otpauthUrl = `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(user.email)}?secret=${totpSecret}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
|
|
506
|
-
|
|
507
|
-
// Save secret (not yet enabled — user must verify first)
|
|
508
|
-
await db.updateUser(userId, { totpSecret } as any);
|
|
509
|
-
|
|
510
|
-
return c.json({
|
|
511
|
-
secret: totpSecret,
|
|
512
|
-
otpauthUrl,
|
|
513
|
-
qrData: otpauthUrl, // Frontend can render QR from this
|
|
514
|
-
});
|
|
515
|
-
});
|
|
516
|
-
|
|
517
|
-
auth.post('/2fa/confirm', async (c) => {
|
|
518
|
-
const token = await extractToken(c);
|
|
519
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
520
|
-
|
|
521
|
-
let userId: string;
|
|
522
|
-
try {
|
|
523
|
-
const { jwtVerify } = await import('jose');
|
|
524
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
525
|
-
const { payload } = await jwtVerify(token, secret);
|
|
526
|
-
userId = payload.sub as string;
|
|
527
|
-
} catch {
|
|
528
|
-
return c.json({ error: 'Invalid token' }, 401);
|
|
529
|
-
}
|
|
530
|
-
|
|
531
|
-
const { code } = await c.req.json();
|
|
532
|
-
if (!code) return c.json({ error: 'Verification code required' }, 400);
|
|
533
|
-
|
|
534
|
-
const user = await db.getUser(userId);
|
|
535
|
-
if (!user || !user.totpSecret) return c.json({ error: 'No 2FA setup in progress' }, 400);
|
|
536
|
-
if (user.totpEnabled) return c.json({ error: '2FA is already enabled' }, 400);
|
|
537
|
-
|
|
538
|
-
const valid = await verifyTotp(user.totpSecret, code.replace(/\s/g, ''));
|
|
539
|
-
if (!valid) return c.json({ error: 'Invalid code. Make sure your authenticator app time is synced.' }, 400);
|
|
540
|
-
|
|
541
|
-
// Generate backup codes
|
|
542
|
-
const plainBackupCodes = generateBackupCodes(8);
|
|
543
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
544
|
-
const hashedCodes = await Promise.all(plainBackupCodes.map(c => bcrypt.hash(c, 10)));
|
|
545
|
-
|
|
546
|
-
await db.updateUser(userId, {
|
|
547
|
-
totpEnabled: true,
|
|
548
|
-
totpBackupCodes: JSON.stringify(hashedCodes),
|
|
549
|
-
} as any);
|
|
550
|
-
|
|
551
|
-
return c.json({
|
|
552
|
-
enabled: true,
|
|
553
|
-
backupCodes: plainBackupCodes,
|
|
554
|
-
warning: 'Save these backup codes securely. They will not be shown again.',
|
|
555
|
-
});
|
|
556
|
-
});
|
|
557
|
-
|
|
558
|
-
auth.post('/2fa/disable', async (c) => {
|
|
559
|
-
const token = await extractToken(c);
|
|
560
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
561
|
-
|
|
562
|
-
let userId: string;
|
|
563
|
-
try {
|
|
564
|
-
const { jwtVerify } = await import('jose');
|
|
565
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
566
|
-
const { payload } = await jwtVerify(token, secret);
|
|
567
|
-
userId = payload.sub as string;
|
|
568
|
-
} catch {
|
|
569
|
-
return c.json({ error: 'Invalid token' }, 401);
|
|
570
|
-
}
|
|
571
|
-
|
|
572
|
-
const { password } = await c.req.json();
|
|
573
|
-
if (!password) return c.json({ error: 'Password required to disable 2FA' }, 400);
|
|
574
|
-
|
|
575
|
-
const user = await db.getUser(userId);
|
|
576
|
-
if (!user || !user.passwordHash) return c.json({ error: 'User not found' }, 404);
|
|
577
|
-
|
|
578
|
-
const { default: bcrypt } = await import('bcryptjs');
|
|
579
|
-
const valid = await bcrypt.compare(password, user.passwordHash);
|
|
580
|
-
if (!valid) return c.json({ error: 'Invalid password' }, 401);
|
|
581
|
-
|
|
582
|
-
await db.updateUser(userId, {
|
|
583
|
-
totpEnabled: false,
|
|
584
|
-
totpSecret: undefined,
|
|
585
|
-
totpBackupCodes: undefined,
|
|
586
|
-
} as any);
|
|
587
|
-
|
|
588
|
-
return c.json({ disabled: true });
|
|
589
|
-
});
|
|
590
|
-
|
|
591
|
-
auth.get('/2fa/status', async (c) => {
|
|
592
|
-
const token = await extractToken(c);
|
|
593
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
594
|
-
|
|
595
|
-
try {
|
|
596
|
-
const { jwtVerify } = await import('jose');
|
|
597
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
598
|
-
const { payload } = await jwtVerify(token, secret);
|
|
599
|
-
const user = await db.getUser(payload.sub as string);
|
|
600
|
-
if (!user) return c.json({ error: 'User not found' }, 404);
|
|
601
|
-
return c.json({ enabled: !!user.totpEnabled });
|
|
602
|
-
} catch {
|
|
603
|
-
return c.json({ error: 'Invalid token' }, 401);
|
|
604
|
-
}
|
|
605
|
-
});
|
|
606
|
-
|
|
607
|
-
// ─── API Key Login ──────────────────────────────────────
|
|
608
|
-
|
|
609
|
-
auth.post('/login/api-key', async (c) => {
|
|
610
|
-
const { apiKey } = await c.req.json();
|
|
611
|
-
if (!apiKey) return c.json({ error: 'API key required' }, 400);
|
|
612
|
-
|
|
613
|
-
const key = await db.validateApiKey(apiKey);
|
|
614
|
-
if (!key) return c.json({ error: 'Invalid or revoked API key' }, 401);
|
|
615
|
-
|
|
616
|
-
// Get the user who created this key
|
|
617
|
-
const user = await db.getUser(key.createdBy);
|
|
618
|
-
if (!user) return c.json({ error: 'API key owner not found' }, 401);
|
|
619
|
-
|
|
620
|
-
const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'api-key', user.clientOrgId);
|
|
621
|
-
|
|
622
|
-
return c.json({
|
|
623
|
-
token,
|
|
624
|
-
refreshToken,
|
|
625
|
-
csrf,
|
|
626
|
-
user: { id: user.id, email: user.email, name: user.name, role: user.role },
|
|
627
|
-
keyName: key.name,
|
|
628
|
-
});
|
|
629
|
-
});
|
|
630
|
-
|
|
631
|
-
// ─── Token Refresh ──────────────────────────────────────
|
|
632
|
-
|
|
633
|
-
auth.post('/refresh', async (c) => {
|
|
634
|
-
const refreshJwt = getCookie(c, REFRESH_COOKIE) || c.req.header('Authorization')?.slice(7);
|
|
635
|
-
if (!refreshJwt) {
|
|
636
|
-
return c.json({ error: 'Refresh token required' }, 401);
|
|
637
|
-
}
|
|
638
|
-
|
|
639
|
-
try {
|
|
640
|
-
const { jwtVerify } = await import('jose');
|
|
641
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
642
|
-
const { payload } = await jwtVerify(refreshJwt, secret);
|
|
643
|
-
|
|
644
|
-
if (payload.type !== 'refresh') return c.json({ error: 'Invalid token type' }, 401);
|
|
645
|
-
|
|
646
|
-
const user = await db.getUser(payload.sub as string);
|
|
647
|
-
if (!user) return c.json({ error: 'User not found' }, 401);
|
|
648
|
-
|
|
649
|
-
// Check if current session is impersonated — preserve the claim in the new token
|
|
650
|
-
const currentSessionJwt = getCookie(c, COOKIE_NAME);
|
|
651
|
-
let impersonatedBy: string | undefined;
|
|
652
|
-
if (currentSessionJwt) {
|
|
653
|
-
try {
|
|
654
|
-
const { jwtVerify: jv } = await import('jose');
|
|
655
|
-
const { payload: sp } = await jv(currentSessionJwt, secret);
|
|
656
|
-
if (sp.impersonatedBy) impersonatedBy = sp.impersonatedBy as string;
|
|
657
|
-
} catch {} // expired session token is expected — that's why we're refreshing
|
|
658
|
-
}
|
|
659
|
-
|
|
660
|
-
if (impersonatedBy) {
|
|
661
|
-
// Re-issue impersonation token (preserving the claim)
|
|
662
|
-
const { SignJWT: SJ } = await import('jose');
|
|
663
|
-
const impersonateToken = await new SJ({ sub: user.id, role: user.role, impersonatedBy, clientOrgId: user.clientOrgId || undefined, orgId: user.clientOrgId || (user as any).org_id || undefined })
|
|
664
|
-
.setProtectedHeader({ alg: 'HS256' })
|
|
665
|
-
.setIssuedAt()
|
|
666
|
-
.setExpirationTime('1h')
|
|
667
|
-
.sign(secret);
|
|
668
|
-
setCookie(c, COOKIE_NAME, impersonateToken, { path: '/', httpOnly: true, secure: isSecure(), sameSite: 'Lax', maxAge: 3600 });
|
|
669
|
-
// Don't update refresh cookie — it's the owner's
|
|
670
|
-
const csrf = generateCsrf();
|
|
671
|
-
setCookie(c, CSRF_COOKIE, csrf, { ...cookieOpts(86400, isSecure()), httpOnly: false });
|
|
672
|
-
return c.json({ token: impersonateToken, csrf });
|
|
673
|
-
}
|
|
674
|
-
|
|
675
|
-
const { token, refreshToken } = await issueTokens(user.id, user.email, user.role, user.clientOrgId);
|
|
676
|
-
const csrf = generateCsrf();
|
|
677
|
-
const secure = isSecure();
|
|
678
|
-
|
|
679
|
-
setCookie(c, COOKIE_NAME, token, cookieOpts(86400, secure));
|
|
680
|
-
setCookie(c, REFRESH_COOKIE, refreshToken, cookieOpts(604800, secure));
|
|
681
|
-
setCookie(c, CSRF_COOKIE, csrf, { ...cookieOpts(86400, secure), httpOnly: false });
|
|
682
|
-
|
|
683
|
-
return c.json({ token, csrf });
|
|
684
|
-
} catch {
|
|
685
|
-
return c.json({ error: 'Invalid or expired refresh token' }, 401);
|
|
686
|
-
}
|
|
687
|
-
});
|
|
688
|
-
|
|
689
|
-
// ─── Current User ───────────────────────────────────────
|
|
690
|
-
|
|
691
|
-
auth.get('/me', async (c) => {
|
|
692
|
-
const token = await extractToken(c);
|
|
693
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
694
|
-
|
|
695
|
-
try {
|
|
696
|
-
const { jwtVerify } = await import('jose');
|
|
697
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
698
|
-
const { payload } = await jwtVerify(token, secret);
|
|
699
|
-
const user = await db.getUser(payload.sub as string);
|
|
700
|
-
if (!user) return c.json({ error: 'User not found' }, 404);
|
|
701
|
-
const { passwordHash, ...safe } = user;
|
|
702
|
-
return c.json(safe);
|
|
703
|
-
} catch {
|
|
704
|
-
return c.json({ error: 'Invalid or expired token' }, 401);
|
|
705
|
-
}
|
|
706
|
-
});
|
|
707
|
-
|
|
708
|
-
// ─── Impersonation (owner-only) ──────────────────────────
|
|
709
|
-
|
|
710
|
-
auth.post('/impersonate/:userId', async (c) => {
|
|
711
|
-
// Only owners can impersonate
|
|
712
|
-
const token = await extractToken(c);
|
|
713
|
-
if (!token) return c.json({ error: 'Authentication required' }, 401);
|
|
714
|
-
try {
|
|
715
|
-
const { jwtVerify, SignJWT } = await import('jose');
|
|
716
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
717
|
-
const { payload } = await jwtVerify(token, secret);
|
|
718
|
-
const caller = await db.getUser(payload.sub as string);
|
|
719
|
-
if (!caller || caller.role !== 'owner') return c.json({ error: 'Only owners can impersonate users' }, 403);
|
|
720
|
-
|
|
721
|
-
const targetId = c.req.param('userId');
|
|
722
|
-
const target = await db.getUser(targetId);
|
|
723
|
-
if (!target) return c.json({ error: 'User not found' }, 404);
|
|
724
|
-
|
|
725
|
-
// Generate a short-lived token (1 hour) for the target user with impersonation flag
|
|
726
|
-
const impersonateToken = await new SignJWT({ sub: target.id, role: target.role, impersonatedBy: caller.id, clientOrgId: target.clientOrgId || undefined, orgId: target.clientOrgId || (target as any).org_id || undefined })
|
|
727
|
-
.setProtectedHeader({ alg: 'HS256' })
|
|
728
|
-
.setIssuedAt()
|
|
729
|
-
.setExpirationTime('1h')
|
|
730
|
-
.sign(secret);
|
|
731
|
-
|
|
732
|
-
// Set the impersonation token as the session cookie so all subsequent requests use it
|
|
733
|
-
setCookie(c, 'em_session', impersonateToken, { path: '/', httpOnly: true, secure: isSecure(), sameSite: 'Lax', maxAge: 3600 });
|
|
734
|
-
|
|
735
|
-
return c.json({
|
|
736
|
-
token: impersonateToken,
|
|
737
|
-
user: { id: target.id, email: target.email, name: target.name, role: target.role, totpEnabled: !!(target as any).totpEnabled, clientOrgId: (target as any).clientOrgId || null, permissions: (target as any).permissions },
|
|
738
|
-
impersonatedBy: { id: caller.id, name: caller.name, email: caller.email },
|
|
739
|
-
});
|
|
740
|
-
} catch (e: any) {
|
|
741
|
-
return c.json({ error: e.message || 'Impersonation failed' }, 500);
|
|
742
|
-
}
|
|
743
|
-
});
|
|
744
|
-
|
|
745
|
-
auth.post('/stop-impersonate', async (c) => {
|
|
746
|
-
try {
|
|
747
|
-
const impersonatedBy = (c as any).get('impersonatedBy');
|
|
748
|
-
if (!impersonatedBy) return c.json({ error: 'Not impersonating' }, 400);
|
|
749
|
-
const owner = await db.getUser(impersonatedBy);
|
|
750
|
-
if (!owner) return c.json({ error: 'Original user not found' }, 404);
|
|
751
|
-
await setSessionCookies(c, owner.id, owner.email, owner.role, 'stop-impersonate', (owner as any).clientOrgId);
|
|
752
|
-
return c.json({ ok: true, user: { id: owner.id, email: owner.email, name: owner.name, role: owner.role } });
|
|
753
|
-
} catch (e: any) {
|
|
754
|
-
return c.json({ error: e.message }, 500);
|
|
755
|
-
}
|
|
756
|
-
});
|
|
757
|
-
|
|
758
|
-
// ─── Logout ─────────────────────────────────────────────
|
|
759
|
-
|
|
760
|
-
auth.post('/logout', (c) => {
|
|
761
|
-
deleteCookie(c, COOKIE_NAME, { path: '/' });
|
|
762
|
-
deleteCookie(c, REFRESH_COOKIE, { path: '/' });
|
|
763
|
-
deleteCookie(c, CSRF_COOKIE, { path: '/' });
|
|
764
|
-
return c.json({ ok: true });
|
|
765
|
-
});
|
|
766
|
-
|
|
767
|
-
// ─── SSO Config Info (public — tells frontend what's available) ──
|
|
768
|
-
|
|
769
|
-
auth.get('/sso/providers', async (c) => {
|
|
770
|
-
const sso = await getSsoConfig();
|
|
771
|
-
const providers: { type: string; name: string; url: string }[] = [];
|
|
772
|
-
|
|
773
|
-
if (sso?.saml?.entityId && sso?.saml?.ssoUrl) {
|
|
774
|
-
providers.push({ type: 'saml', name: 'SAML SSO', url: '/auth/saml/login' });
|
|
775
|
-
}
|
|
776
|
-
if (sso?.oidc?.clientId && sso?.oidc?.discoveryUrl) {
|
|
777
|
-
providers.push({ type: 'oidc', name: 'OpenID Connect', url: '/auth/oidc/authorize' });
|
|
778
|
-
}
|
|
779
|
-
|
|
780
|
-
return c.json({ providers, ssoEnabled: providers.length > 0 });
|
|
781
|
-
});
|
|
782
|
-
|
|
783
|
-
// ─── Setup Status (public — tells frontend if onboarding is needed) ──
|
|
784
|
-
|
|
785
|
-
auth.get('/setup-status', async (c) => {
|
|
786
|
-
try {
|
|
787
|
-
const stats = await db.getStats();
|
|
788
|
-
const settings = await db.getSettings();
|
|
789
|
-
|
|
790
|
-
const hasUsers = stats.totalUsers > 0;
|
|
791
|
-
const hasCompanyName = !!(settings?.name && settings.name !== '' && settings.name !== 'My Company');
|
|
792
|
-
const hasAgents = stats.totalAgents > 0;
|
|
793
|
-
|
|
794
|
-
return c.json({
|
|
795
|
-
setupComplete: hasUsers,
|
|
796
|
-
needsBootstrap: !hasUsers,
|
|
797
|
-
checklist: {
|
|
798
|
-
adminCreated: hasUsers,
|
|
799
|
-
companyConfigured: hasCompanyName,
|
|
800
|
-
agentCreated: hasAgents,
|
|
801
|
-
},
|
|
802
|
-
});
|
|
803
|
-
} catch {
|
|
804
|
-
return c.json({ setupComplete: false, needsBootstrap: true, checklist: { adminCreated: false, companyConfigured: false, emailConfigured: false, agentCreated: false } });
|
|
805
|
-
}
|
|
806
|
-
});
|
|
807
|
-
|
|
808
|
-
// ─── Database Configuration (only during initial setup) ──────────
|
|
809
|
-
|
|
810
|
-
auth.post('/test-db', async (c) => {
|
|
811
|
-
const stats = await db.getStats();
|
|
812
|
-
if (stats.totalUsers > 0) {
|
|
813
|
-
return c.json({ error: 'Setup already complete. Database configuration is disabled.' }, 403);
|
|
814
|
-
}
|
|
815
|
-
|
|
816
|
-
const body = await c.req.json();
|
|
817
|
-
if (!body.type) {
|
|
818
|
-
return c.json({ error: 'Database type is required' }, 400);
|
|
819
|
-
}
|
|
820
|
-
|
|
821
|
-
try {
|
|
822
|
-
const { createAdapter } = await import('../db/factory.js');
|
|
823
|
-
const testAdapter = await createAdapter(body);
|
|
824
|
-
await testAdapter.getStats();
|
|
825
|
-
await testAdapter.disconnect();
|
|
826
|
-
return c.json({ success: true });
|
|
827
|
-
} catch (err: any) {
|
|
828
|
-
return c.json({ success: false, error: err.message || 'Connection failed' }, 400);
|
|
829
|
-
}
|
|
830
|
-
});
|
|
831
|
-
|
|
832
|
-
auth.post('/configure-db', async (c) => {
|
|
833
|
-
const stats = await db.getStats();
|
|
834
|
-
if (stats.totalUsers > 0) {
|
|
835
|
-
return c.json({ error: 'Setup already complete. Database configuration is disabled.' }, 403);
|
|
836
|
-
}
|
|
837
|
-
|
|
838
|
-
if (!opts?.onDbConfigure) {
|
|
839
|
-
return c.json({ error: 'Database hot-swap not available' }, 501);
|
|
840
|
-
}
|
|
841
|
-
|
|
842
|
-
const body = await c.req.json();
|
|
843
|
-
if (!body.type) {
|
|
844
|
-
return c.json({ error: 'Database type is required' }, 400);
|
|
845
|
-
}
|
|
846
|
-
|
|
847
|
-
try {
|
|
848
|
-
const { createAdapter } = await import('../db/factory.js');
|
|
849
|
-
const newAdapter = await createAdapter(body);
|
|
850
|
-
|
|
851
|
-
// Run migrations on new adapter
|
|
852
|
-
await newAdapter.migrate();
|
|
853
|
-
|
|
854
|
-
// Hot-swap the live DB connection
|
|
855
|
-
const oldAdapter = opts.onDbConfigure(newAdapter);
|
|
856
|
-
|
|
857
|
-
// Disconnect old (temp) adapter
|
|
858
|
-
try { await oldAdapter.disconnect(); } catch { /* best effort */ }
|
|
859
|
-
|
|
860
|
-
// Save encrypted config
|
|
861
|
-
try {
|
|
862
|
-
const { saveDbConfig } = await import('../lib/config-store.js');
|
|
863
|
-
await saveDbConfig(body, jwtSecret);
|
|
864
|
-
} catch { /* non-fatal — config won't auto-restore on restart */ }
|
|
865
|
-
|
|
866
|
-
return c.json({ success: true, type: body.type });
|
|
867
|
-
} catch (err: any) {
|
|
868
|
-
return c.json({ success: false, error: err.message || 'Configuration failed' }, 400);
|
|
869
|
-
}
|
|
870
|
-
});
|
|
871
|
-
|
|
872
|
-
// ─── Bootstrap (first admin creation — only works when no users exist) ──
|
|
873
|
-
|
|
874
|
-
const bootstrapAttempts = new Map<string, { count: number; resetAt: number }>();
|
|
875
|
-
|
|
876
|
-
auth.post('/bootstrap', async (c) => {
|
|
877
|
-
// Per-IP rate limit: max 5 bootstrap attempts per minute
|
|
878
|
-
const clientIp = c.req.header('x-forwarded-for')?.split(',')[0]?.trim() || c.req.header('x-real-ip') || 'unknown';
|
|
879
|
-
const now = Date.now();
|
|
880
|
-
const attempt = bootstrapAttempts.get(clientIp);
|
|
881
|
-
if (attempt && attempt.resetAt > now && attempt.count >= 5) {
|
|
882
|
-
return c.json({ error: 'Too many attempts. Try again later.' }, 429);
|
|
883
|
-
}
|
|
884
|
-
if (!attempt || attempt.resetAt <= now) {
|
|
885
|
-
bootstrapAttempts.set(clientIp, { count: 1, resetAt: now + 60000 });
|
|
886
|
-
} else {
|
|
887
|
-
attempt.count++;
|
|
888
|
-
}
|
|
889
|
-
|
|
890
|
-
// SECURITY: Only works when zero users exist
|
|
891
|
-
const stats = await db.getStats();
|
|
892
|
-
if (stats.totalUsers > 0) {
|
|
893
|
-
return c.json({ error: 'Setup already complete. Bootstrap is disabled.' }, 403);
|
|
894
|
-
}
|
|
895
|
-
|
|
896
|
-
const { name, email, password, companyName, subdomain } = await c.req.json();
|
|
897
|
-
|
|
898
|
-
if (!email || !password || !name) {
|
|
899
|
-
return c.json({ error: 'Name, email, and password are required' }, 400);
|
|
900
|
-
}
|
|
901
|
-
if (password.length < 8) {
|
|
902
|
-
return c.json({ error: 'Password must be at least 8 characters' }, 400);
|
|
903
|
-
}
|
|
904
|
-
if (!email.includes('@') || !email.includes('.')) {
|
|
905
|
-
return c.json({ error: 'Invalid email address' }, 400);
|
|
906
|
-
}
|
|
907
|
-
|
|
908
|
-
try {
|
|
909
|
-
const user = await db.createUser({
|
|
910
|
-
email,
|
|
911
|
-
name,
|
|
912
|
-
role: 'owner',
|
|
913
|
-
password,
|
|
914
|
-
});
|
|
915
|
-
|
|
916
|
-
if (companyName || subdomain) {
|
|
917
|
-
const updates: Record<string, any> = {};
|
|
918
|
-
if (companyName) updates.name = companyName;
|
|
919
|
-
if (subdomain) {
|
|
920
|
-
updates.subdomain = subdomain
|
|
921
|
-
.toLowerCase()
|
|
922
|
-
.replace(/[^a-z0-9]+/g, '-')
|
|
923
|
-
.replace(/^-|-$/g, '')
|
|
924
|
-
.slice(0, 63);
|
|
925
|
-
}
|
|
926
|
-
await db.updateSettings(updates);
|
|
927
|
-
}
|
|
928
|
-
|
|
929
|
-
await db.logEvent({
|
|
930
|
-
actor: user.id,
|
|
931
|
-
actorType: 'system',
|
|
932
|
-
action: 'setup.bootstrap',
|
|
933
|
-
resource: `user:${user.id}`,
|
|
934
|
-
details: { method: 'web-wizard', companyName },
|
|
935
|
-
ip: c.req.header('x-forwarded-for') || c.req.header('x-real-ip'),
|
|
936
|
-
});
|
|
937
|
-
|
|
938
|
-
const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'bootstrap', user.clientOrgId);
|
|
939
|
-
|
|
940
|
-
// Notify server that setup is complete (flips the dashboard latch)
|
|
941
|
-
opts?.onBootstrap?.();
|
|
942
|
-
|
|
943
|
-
// Auto-install required SDKs in background (non-blocking)
|
|
944
|
-
(async () => {
|
|
945
|
-
try {
|
|
946
|
-
const { execSync } = await import('child_process');
|
|
947
|
-
const cwd = process.cwd();
|
|
948
|
-
const deps = ['@anthropic-ai/sdk', 'openai', 'elevenlabs'];
|
|
949
|
-
const missing = deps.filter(d => { try { require.resolve(d); return false; } catch { return true; } });
|
|
950
|
-
if (missing.length > 0) {
|
|
951
|
-
console.log(`[setup] Auto-installing SDKs: ${missing.join(', ')}...`);
|
|
952
|
-
execSync(`npm install --no-save ${missing.join(' ')}`, { cwd, timeout: 120000, stdio: 'pipe' });
|
|
953
|
-
console.log(`[setup] ✅ SDKs installed: ${missing.join(', ')}`);
|
|
954
|
-
}
|
|
955
|
-
} catch (e: any) {
|
|
956
|
-
console.error(`[setup] SDK install failed (non-fatal): ${e.message}`);
|
|
957
|
-
}
|
|
958
|
-
})();
|
|
959
|
-
|
|
960
|
-
// Generate security keys, set in process.env, and try to persist to .env
|
|
961
|
-
let generatedKeys: Record<string, string> = {};
|
|
962
|
-
let envPersisted = false;
|
|
963
|
-
try {
|
|
964
|
-
const { randomBytes } = await import('node:crypto');
|
|
965
|
-
|
|
966
|
-
const keysToGenerate = [
|
|
967
|
-
'TRANSPORT_ENCRYPTION_KEY',
|
|
968
|
-
'ENCRYPTION_KEY',
|
|
969
|
-
];
|
|
970
|
-
// Also check JWT_SECRET — if it's a weak default, regenerate
|
|
971
|
-
if (!process.env.JWT_SECRET || process.env.JWT_SECRET.length < 32) {
|
|
972
|
-
keysToGenerate.push('JWT_SECRET');
|
|
973
|
-
}
|
|
974
|
-
|
|
975
|
-
for (const envVar of keysToGenerate) {
|
|
976
|
-
if (!process.env[envVar]) {
|
|
977
|
-
const val = randomBytes(32).toString('hex');
|
|
978
|
-
generatedKeys[envVar] = val;
|
|
979
|
-
process.env[envVar] = val;
|
|
980
|
-
} else {
|
|
981
|
-
generatedKeys[envVar] = process.env[envVar]!;
|
|
982
|
-
}
|
|
983
|
-
}
|
|
984
|
-
// Always include JWT_SECRET in backup even if pre-existing
|
|
985
|
-
if (!generatedKeys.JWT_SECRET && process.env.JWT_SECRET) {
|
|
986
|
-
generatedKeys.JWT_SECRET = process.env.JWT_SECRET;
|
|
987
|
-
}
|
|
988
|
-
|
|
989
|
-
// Try to persist to .env file (will fail silently on ephemeral platforms)
|
|
990
|
-
try {
|
|
991
|
-
const { readFileSync, writeFileSync, existsSync, accessSync, constants } = await import('node:fs');
|
|
992
|
-
const { resolve } = await import('node:path');
|
|
993
|
-
const envPath = resolve(process.cwd(), '.env');
|
|
994
|
-
|
|
995
|
-
// Check if filesystem is writable
|
|
996
|
-
let envContent = '';
|
|
997
|
-
if (existsSync(envPath)) {
|
|
998
|
-
envContent = readFileSync(envPath, 'utf-8');
|
|
999
|
-
}
|
|
1000
|
-
|
|
1001
|
-
// Only append keys that aren't already in the file
|
|
1002
|
-
let appended = false;
|
|
1003
|
-
for (const [envVar, val] of Object.entries(generatedKeys)) {
|
|
1004
|
-
const pattern = new RegExp(`^${envVar}=`, 'm');
|
|
1005
|
-
if (!pattern.test(envContent)) {
|
|
1006
|
-
if (envContent && !envContent.endsWith('\n')) envContent += '\n';
|
|
1007
|
-
envContent += `${envVar}=${val}\n`;
|
|
1008
|
-
appended = true;
|
|
1009
|
-
}
|
|
1010
|
-
}
|
|
1011
|
-
|
|
1012
|
-
if (appended) {
|
|
1013
|
-
writeFileSync(envPath, envContent, 'utf-8');
|
|
1014
|
-
envPersisted = true;
|
|
1015
|
-
console.log('[bootstrap] Security keys saved to .env');
|
|
1016
|
-
} else {
|
|
1017
|
-
envPersisted = true; // Keys already in file
|
|
1018
|
-
}
|
|
1019
|
-
} catch (fsErr: any) {
|
|
1020
|
-
console.warn('[bootstrap] Could not write .env (ephemeral filesystem?) — keys returned to user for manual setup:', fsErr.message);
|
|
1021
|
-
}
|
|
1022
|
-
|
|
1023
|
-
// Also store keys in database as encrypted backup (recoverable even if .env is lost)
|
|
1024
|
-
try {
|
|
1025
|
-
const keysBackup = { ...generatedKeys, _createdAt: new Date().toISOString(), _envPersisted: envPersisted };
|
|
1026
|
-
await db.updateSettings({ _securityKeysBackup: keysBackup } as any);
|
|
1027
|
-
} catch { /* non-fatal */ }
|
|
1028
|
-
} catch (e: any) {
|
|
1029
|
-
console.warn('[bootstrap] Failed to generate encryption keys:', e.message);
|
|
1030
|
-
}
|
|
1031
|
-
|
|
1032
|
-
return c.json({
|
|
1033
|
-
token,
|
|
1034
|
-
refreshToken,
|
|
1035
|
-
csrf,
|
|
1036
|
-
user: { id: user.id, email: user.email, name: user.name, role: user.role },
|
|
1037
|
-
generatedKeys, // Returned ONCE during bootstrap for user to backup
|
|
1038
|
-
envPersisted, // Whether keys were saved to .env file (false on ephemeral platforms)
|
|
1039
|
-
});
|
|
1040
|
-
} catch (err: any) {
|
|
1041
|
-
return c.json({ error: err.message || 'Bootstrap failed' }, 500);
|
|
1042
|
-
}
|
|
1043
|
-
});
|
|
1044
|
-
|
|
1045
|
-
// ─── OIDC Authorization Code Flow ────────────────────────
|
|
1046
|
-
|
|
1047
|
-
/**
|
|
1048
|
-
* Step 1: Redirect user to the OIDC provider's authorization endpoint.
|
|
1049
|
-
* Uses PKCE (S256) for security.
|
|
1050
|
-
*/
|
|
1051
|
-
auth.get('/oidc/authorize', async (c) => {
|
|
1052
|
-
const sso = await getSsoConfig();
|
|
1053
|
-
if (!sso?.oidc?.clientId || !sso?.oidc?.discoveryUrl) {
|
|
1054
|
-
return c.json({ error: 'OIDC not configured. Set up OIDC in Settings > SSO.' }, 400);
|
|
1055
|
-
}
|
|
1056
|
-
|
|
1057
|
-
const oidc = sso.oidc;
|
|
1058
|
-
|
|
1059
|
-
// Fetch OIDC discovery document
|
|
1060
|
-
let discovery: any;
|
|
1061
|
-
try {
|
|
1062
|
-
const res = await fetch(oidc.discoveryUrl);
|
|
1063
|
-
if (!res.ok) throw new Error(`Discovery fetch failed: ${res.status}`);
|
|
1064
|
-
discovery = await res.json();
|
|
1065
|
-
} catch (e: any) {
|
|
1066
|
-
return c.json({ error: `Failed to fetch OIDC discovery: ${e.message}` }, 502);
|
|
1067
|
-
}
|
|
1068
|
-
|
|
1069
|
-
if (!discovery.authorization_endpoint) {
|
|
1070
|
-
return c.json({ error: 'Invalid OIDC discovery: missing authorization_endpoint' }, 502);
|
|
1071
|
-
}
|
|
1072
|
-
|
|
1073
|
-
// Generate PKCE + state
|
|
1074
|
-
const state = generateState();
|
|
1075
|
-
const nonce = generateState();
|
|
1076
|
-
const codeVerifier = generateCodeVerifier();
|
|
1077
|
-
const codeChallenge = await generateCodeChallenge(codeVerifier);
|
|
1078
|
-
|
|
1079
|
-
// Determine callback URL
|
|
1080
|
-
const protocol = c.req.header('x-forwarded-proto') || 'http';
|
|
1081
|
-
const host = c.req.header('host') || 'localhost';
|
|
1082
|
-
const redirectUri = `${protocol}://${host}/auth/oidc/callback`;
|
|
1083
|
-
|
|
1084
|
-
// Store state for verification in callback (10 min TTL)
|
|
1085
|
-
// We store it in a signed JWT since we may not have engine DB available at auth level
|
|
1086
|
-
const { SignJWT } = await import('jose');
|
|
1087
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
1088
|
-
const stateToken = await new SignJWT({
|
|
1089
|
-
state, nonce, codeVerifier, redirectUri,
|
|
1090
|
-
discoveryUrl: oidc.discoveryUrl,
|
|
1091
|
-
})
|
|
1092
|
-
.setProtectedHeader({ alg: 'HS256' })
|
|
1093
|
-
.setIssuedAt()
|
|
1094
|
-
.setExpirationTime('10m')
|
|
1095
|
-
.sign(secret);
|
|
1096
|
-
|
|
1097
|
-
// Store state token in a cookie
|
|
1098
|
-
setCookie(c, 'em_oidc_state', stateToken, {
|
|
1099
|
-
httpOnly: true,
|
|
1100
|
-
secure: isSecure(),
|
|
1101
|
-
sameSite: 'Lax',
|
|
1102
|
-
path: '/auth/oidc',
|
|
1103
|
-
maxAge: 600,
|
|
1104
|
-
});
|
|
1105
|
-
|
|
1106
|
-
// Build authorization URL
|
|
1107
|
-
const scopes = oidc.scopes?.join(' ') || 'openid email profile';
|
|
1108
|
-
const authUrl = new URL(discovery.authorization_endpoint);
|
|
1109
|
-
authUrl.searchParams.set('client_id', oidc.clientId);
|
|
1110
|
-
authUrl.searchParams.set('response_type', 'code');
|
|
1111
|
-
authUrl.searchParams.set('scope', scopes);
|
|
1112
|
-
authUrl.searchParams.set('redirect_uri', redirectUri);
|
|
1113
|
-
authUrl.searchParams.set('state', state);
|
|
1114
|
-
authUrl.searchParams.set('nonce', nonce);
|
|
1115
|
-
authUrl.searchParams.set('code_challenge', codeChallenge);
|
|
1116
|
-
authUrl.searchParams.set('code_challenge_method', 'S256');
|
|
1117
|
-
|
|
1118
|
-
return c.redirect(authUrl.toString());
|
|
1119
|
-
});
|
|
1120
|
-
|
|
1121
|
-
/**
|
|
1122
|
-
* Step 2: OIDC callback — exchange code for tokens, extract user info, create session.
|
|
1123
|
-
*/
|
|
1124
|
-
auth.get('/oidc/callback', async (c) => {
|
|
1125
|
-
const code = c.req.query('code');
|
|
1126
|
-
const returnedState = c.req.query('state');
|
|
1127
|
-
const error = c.req.query('error');
|
|
1128
|
-
const errorDesc = c.req.query('error_description');
|
|
1129
|
-
|
|
1130
|
-
if (error) {
|
|
1131
|
-
return c.html(ssoErrorPage('OIDC Error', errorDesc || error));
|
|
1132
|
-
}
|
|
1133
|
-
|
|
1134
|
-
if (!code || !returnedState) {
|
|
1135
|
-
return c.html(ssoErrorPage('OIDC Error', 'Missing code or state parameter'));
|
|
1136
|
-
}
|
|
1137
|
-
|
|
1138
|
-
// Verify state from cookie
|
|
1139
|
-
const stateCookie = getCookie(c, 'em_oidc_state');
|
|
1140
|
-
if (!stateCookie) {
|
|
1141
|
-
return c.html(ssoErrorPage('OIDC Error', 'Session expired. Please try again.'));
|
|
1142
|
-
}
|
|
1143
|
-
|
|
1144
|
-
// Delete the state cookie
|
|
1145
|
-
deleteCookie(c, 'em_oidc_state', { path: '/auth/oidc' });
|
|
1146
|
-
|
|
1147
|
-
let statePayload: any;
|
|
1148
|
-
try {
|
|
1149
|
-
const { jwtVerify } = await import('jose');
|
|
1150
|
-
const secret = new TextEncoder().encode(jwtSecret);
|
|
1151
|
-
const { payload } = await jwtVerify(stateCookie, secret);
|
|
1152
|
-
statePayload = payload;
|
|
1153
|
-
} catch {
|
|
1154
|
-
return c.html(ssoErrorPage('OIDC Error', 'Invalid or expired state. Please try again.'));
|
|
1155
|
-
}
|
|
1156
|
-
|
|
1157
|
-
if (statePayload.state !== returnedState) {
|
|
1158
|
-
return c.html(ssoErrorPage('OIDC Error', 'State mismatch. Possible CSRF attack.'));
|
|
1159
|
-
}
|
|
1160
|
-
|
|
1161
|
-
const sso = await getSsoConfig();
|
|
1162
|
-
if (!sso?.oidc) {
|
|
1163
|
-
return c.html(ssoErrorPage('OIDC Error', 'OIDC is no longer configured.'));
|
|
1164
|
-
}
|
|
1165
|
-
|
|
1166
|
-
const oidc = sso.oidc;
|
|
1167
|
-
|
|
1168
|
-
// Fetch discovery for token endpoint
|
|
1169
|
-
let discovery: any;
|
|
1170
|
-
try {
|
|
1171
|
-
const res = await fetch(oidc.discoveryUrl);
|
|
1172
|
-
discovery = await res.json();
|
|
1173
|
-
} catch (e: any) {
|
|
1174
|
-
return c.html(ssoErrorPage('OIDC Error', `Discovery fetch failed: ${e.message}`));
|
|
1175
|
-
}
|
|
1176
|
-
|
|
1177
|
-
// Exchange code for tokens
|
|
1178
|
-
let tokenResponse: any;
|
|
1179
|
-
try {
|
|
1180
|
-
const tokenRes = await fetch(discovery.token_endpoint, {
|
|
1181
|
-
method: 'POST',
|
|
1182
|
-
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
|
|
1183
|
-
body: new URLSearchParams({
|
|
1184
|
-
grant_type: 'authorization_code',
|
|
1185
|
-
code,
|
|
1186
|
-
redirect_uri: statePayload.redirectUri,
|
|
1187
|
-
client_id: oidc.clientId,
|
|
1188
|
-
client_secret: oidc.clientSecret,
|
|
1189
|
-
code_verifier: statePayload.codeVerifier,
|
|
1190
|
-
}).toString(),
|
|
1191
|
-
});
|
|
1192
|
-
|
|
1193
|
-
if (!tokenRes.ok) {
|
|
1194
|
-
const errBody = await tokenRes.text();
|
|
1195
|
-
throw new Error(`Token exchange failed (${tokenRes.status}): ${errBody}`);
|
|
1196
|
-
}
|
|
1197
|
-
tokenResponse = await tokenRes.json();
|
|
1198
|
-
} catch (e: any) {
|
|
1199
|
-
return c.html(ssoErrorPage('OIDC Error', e.message));
|
|
1200
|
-
}
|
|
1201
|
-
|
|
1202
|
-
// Extract user info from id_token or userinfo endpoint
|
|
1203
|
-
let email: string;
|
|
1204
|
-
let name: string;
|
|
1205
|
-
let sub: string;
|
|
1206
|
-
|
|
1207
|
-
if (tokenResponse.id_token) {
|
|
1208
|
-
// Decode the id_token (header.payload.signature)
|
|
1209
|
-
const parts = tokenResponse.id_token.split('.');
|
|
1210
|
-
if (parts.length !== 3) {
|
|
1211
|
-
return c.html(ssoErrorPage('OIDC Error', 'Invalid id_token format'));
|
|
1212
|
-
}
|
|
1213
|
-
|
|
1214
|
-
try {
|
|
1215
|
-
// Verify the id_token signature using the provider's JWKS
|
|
1216
|
-
const { jwtVerify, createRemoteJWKSet } = await import('jose');
|
|
1217
|
-
const jwks = createRemoteJWKSet(new URL(discovery.jwks_uri));
|
|
1218
|
-
const { payload } = await jwtVerify(tokenResponse.id_token, jwks, {
|
|
1219
|
-
issuer: discovery.issuer,
|
|
1220
|
-
audience: oidc.clientId,
|
|
1221
|
-
});
|
|
1222
|
-
|
|
1223
|
-
// Verify nonce
|
|
1224
|
-
if (payload.nonce !== statePayload.nonce) {
|
|
1225
|
-
return c.html(ssoErrorPage('OIDC Error', 'Nonce mismatch. Possible replay attack.'));
|
|
1226
|
-
}
|
|
1227
|
-
|
|
1228
|
-
sub = payload.sub as string;
|
|
1229
|
-
email = (payload.email as string) || '';
|
|
1230
|
-
name = (payload.name as string) || (payload.preferred_username as string) || '';
|
|
1231
|
-
} catch (e: any) {
|
|
1232
|
-
return c.html(ssoErrorPage('OIDC Error', `ID token verification failed: ${e.message}`));
|
|
1233
|
-
}
|
|
1234
|
-
} else if (discovery.userinfo_endpoint) {
|
|
1235
|
-
// Fallback: fetch userinfo
|
|
1236
|
-
try {
|
|
1237
|
-
const uiRes = await fetch(discovery.userinfo_endpoint, {
|
|
1238
|
-
headers: { Authorization: `Bearer ${tokenResponse.access_token}` },
|
|
1239
|
-
});
|
|
1240
|
-
const userinfo = await uiRes.json();
|
|
1241
|
-
sub = userinfo.sub;
|
|
1242
|
-
email = userinfo.email || '';
|
|
1243
|
-
name = userinfo.name || userinfo.preferred_username || '';
|
|
1244
|
-
} catch (e: any) {
|
|
1245
|
-
return c.html(ssoErrorPage('OIDC Error', `Userinfo fetch failed: ${e.message}`));
|
|
1246
|
-
}
|
|
1247
|
-
} else {
|
|
1248
|
-
return c.html(ssoErrorPage('OIDC Error', 'No id_token or userinfo endpoint available'));
|
|
1249
|
-
}
|
|
1250
|
-
|
|
1251
|
-
if (!email) {
|
|
1252
|
-
return c.html(ssoErrorPage('OIDC Error', 'No email claim in the token. Ensure "email" scope is granted.'));
|
|
1253
|
-
}
|
|
1254
|
-
|
|
1255
|
-
// Find or provision user
|
|
1256
|
-
const result = await findOrProvisionSsoUser('oidc', sub, email, name, oidc);
|
|
1257
|
-
if ('error' in result) {
|
|
1258
|
-
return c.html(ssoErrorPage('OIDC Error', result.error ?? 'Unknown error'));
|
|
1259
|
-
}
|
|
1260
|
-
|
|
1261
|
-
// Issue session
|
|
1262
|
-
await setSessionCookies(c, result.user.id, result.user.email, result.user.role, 'oidc', result.user.clientOrgId);
|
|
1263
|
-
|
|
1264
|
-
// Redirect to dashboard
|
|
1265
|
-
return c.redirect('/dashboard');
|
|
1266
|
-
});
|
|
1267
|
-
|
|
1268
|
-
// ─── SAML 2.0 ────────────────────────────────────────────
|
|
1269
|
-
|
|
1270
|
-
/**
|
|
1271
|
-
* SP-initiated SAML login — redirects to IdP SSO URL
|
|
1272
|
-
*/
|
|
1273
|
-
auth.get('/saml/login', async (c) => {
|
|
1274
|
-
const sso = await getSsoConfig();
|
|
1275
|
-
if (!sso?.saml?.ssoUrl || !sso?.saml?.entityId) {
|
|
1276
|
-
return c.json({ error: 'SAML not configured. Set up SAML in Settings > SSO.' }, 400);
|
|
1277
|
-
}
|
|
1278
|
-
|
|
1279
|
-
const saml = sso.saml;
|
|
1280
|
-
const protocol = c.req.header('x-forwarded-proto') || 'http';
|
|
1281
|
-
const host = c.req.header('host') || 'localhost';
|
|
1282
|
-
const acsUrl = `${protocol}://${host}/auth/saml/callback`;
|
|
1283
|
-
|
|
1284
|
-
// Generate SAML AuthnRequest
|
|
1285
|
-
const requestId = '_' + crypto.randomUUID().replace(/-/g, '');
|
|
1286
|
-
const issueInstant = new Date().toISOString();
|
|
1287
|
-
|
|
1288
|
-
const authnRequest = `<samlp:AuthnRequest
|
|
1289
|
-
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
|
1290
|
-
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
|
1291
|
-
ID="${requestId}"
|
|
1292
|
-
Version="2.0"
|
|
1293
|
-
IssueInstant="${issueInstant}"
|
|
1294
|
-
Destination="${saml.ssoUrl}"
|
|
1295
|
-
AssertionConsumerServiceURL="${acsUrl}"
|
|
1296
|
-
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
|
|
1297
|
-
<saml:Issuer>${saml.entityId}</saml:Issuer>
|
|
1298
|
-
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
|
|
1299
|
-
</samlp:AuthnRequest>`;
|
|
1300
|
-
|
|
1301
|
-
// Deflate and base64 encode for HTTP-Redirect binding
|
|
1302
|
-
const { deflateRawSync } = await import('zlib');
|
|
1303
|
-
const deflated = deflateRawSync(Buffer.from(authnRequest, 'utf-8'));
|
|
1304
|
-
const encoded = deflated.toString('base64');
|
|
1305
|
-
|
|
1306
|
-
const redirectUrl = new URL(saml.ssoUrl);
|
|
1307
|
-
redirectUrl.searchParams.set('SAMLRequest', encoded);
|
|
1308
|
-
redirectUrl.searchParams.set('RelayState', '/dashboard');
|
|
1309
|
-
|
|
1310
|
-
return c.redirect(redirectUrl.toString());
|
|
1311
|
-
});
|
|
1312
|
-
|
|
1313
|
-
/**
|
|
1314
|
-
* SP metadata endpoint — provides IdP the SP configuration
|
|
1315
|
-
*/
|
|
1316
|
-
auth.get('/saml/metadata', async (c) => {
|
|
1317
|
-
const sso = await getSsoConfig();
|
|
1318
|
-
const entityId = sso?.saml?.entityId || 'agenticmail-enterprise';
|
|
1319
|
-
|
|
1320
|
-
const protocol = c.req.header('x-forwarded-proto') || 'http';
|
|
1321
|
-
const host = c.req.header('host') || 'localhost';
|
|
1322
|
-
const acsUrl = `${protocol}://${host}/auth/saml/callback`;
|
|
1323
|
-
const sloUrl = `${protocol}://${host}/auth/saml/logout`;
|
|
1324
|
-
|
|
1325
|
-
const metadata = `<?xml version="1.0" encoding="UTF-8"?>
|
|
1326
|
-
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
|
1327
|
-
entityID="${entityId}">
|
|
1328
|
-
<md:SPSSODescriptor
|
|
1329
|
-
AuthnRequestsSigned="false"
|
|
1330
|
-
WantAssertionsSigned="true"
|
|
1331
|
-
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
1332
|
-
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
|
|
1333
|
-
<md:AssertionConsumerService
|
|
1334
|
-
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
1335
|
-
Location="${acsUrl}"
|
|
1336
|
-
index="0"
|
|
1337
|
-
isDefault="true"/>
|
|
1338
|
-
<md:SingleLogoutService
|
|
1339
|
-
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
1340
|
-
Location="${sloUrl}"/>
|
|
1341
|
-
</md:SPSSODescriptor>
|
|
1342
|
-
</md:EntityDescriptor>`;
|
|
1343
|
-
|
|
1344
|
-
return c.body(metadata, 200, {
|
|
1345
|
-
'Content-Type': 'application/xml',
|
|
1346
|
-
});
|
|
1347
|
-
});
|
|
1348
|
-
|
|
1349
|
-
/**
|
|
1350
|
-
* SAML Assertion Consumer Service (ACS) — receives POST from IdP after auth
|
|
1351
|
-
*/
|
|
1352
|
-
auth.post('/saml/callback', async (c) => {
|
|
1353
|
-
const sso = await getSsoConfig();
|
|
1354
|
-
if (!sso?.saml?.certificate) {
|
|
1355
|
-
return c.html(ssoErrorPage('SAML Error', 'SAML not configured.'));
|
|
1356
|
-
}
|
|
1357
|
-
|
|
1358
|
-
const saml = sso.saml;
|
|
1359
|
-
let samlResponse: string;
|
|
1360
|
-
|
|
1361
|
-
const contentType = c.req.header('content-type') || '';
|
|
1362
|
-
|
|
1363
|
-
if (contentType.includes('application/x-www-form-urlencoded')) {
|
|
1364
|
-
const body = await c.req.parseBody();
|
|
1365
|
-
samlResponse = body['SAMLResponse'] as string;
|
|
1366
|
-
} else {
|
|
1367
|
-
const body = await c.req.json().catch(() => ({}));
|
|
1368
|
-
samlResponse = body.SAMLResponse;
|
|
1369
|
-
}
|
|
1370
|
-
|
|
1371
|
-
if (!samlResponse) {
|
|
1372
|
-
return c.html(ssoErrorPage('SAML Error', 'Missing SAMLResponse'));
|
|
1373
|
-
}
|
|
1374
|
-
|
|
1375
|
-
// Decode the SAML response
|
|
1376
|
-
let xml: string;
|
|
1377
|
-
try {
|
|
1378
|
-
xml = Buffer.from(samlResponse, 'base64').toString('utf-8');
|
|
1379
|
-
} catch {
|
|
1380
|
-
return c.html(ssoErrorPage('SAML Error', 'Invalid base64 encoding'));
|
|
1381
|
-
}
|
|
1382
|
-
|
|
1383
|
-
// Parse the SAML assertion
|
|
1384
|
-
// We do lightweight XML parsing without a full XML library
|
|
1385
|
-
const assertion = parseSamlAssertion(xml, saml.certificate);
|
|
1386
|
-
|
|
1387
|
-
if (assertion.error) {
|
|
1388
|
-
return c.html(ssoErrorPage('SAML Error', assertion.error));
|
|
1389
|
-
}
|
|
1390
|
-
|
|
1391
|
-
if (!assertion.email) {
|
|
1392
|
-
return c.html(ssoErrorPage('SAML Error', 'No email found in SAML assertion. Check your IdP attribute mapping.'));
|
|
1393
|
-
}
|
|
1394
|
-
|
|
1395
|
-
// Check conditions (time validity)
|
|
1396
|
-
if (assertion.notBefore && new Date(assertion.notBefore) > new Date()) {
|
|
1397
|
-
return c.html(ssoErrorPage('SAML Error', 'Assertion not yet valid'));
|
|
1398
|
-
}
|
|
1399
|
-
if (assertion.notOnOrAfter && new Date(assertion.notOnOrAfter) <= new Date()) {
|
|
1400
|
-
return c.html(ssoErrorPage('SAML Error', 'Assertion has expired'));
|
|
1401
|
-
}
|
|
1402
|
-
|
|
1403
|
-
// Find or provision user
|
|
1404
|
-
const subject = assertion.nameId || assertion.email;
|
|
1405
|
-
const result = await findOrProvisionSsoUser('saml', subject, assertion.email, assertion.name || '', saml);
|
|
1406
|
-
if ('error' in result) {
|
|
1407
|
-
return c.html(ssoErrorPage('SAML Error', result.error ?? 'Unknown error'));
|
|
1408
|
-
}
|
|
1409
|
-
|
|
1410
|
-
// Issue session
|
|
1411
|
-
await setSessionCookies(c, result.user.id, result.user.email, result.user.role, 'saml', result.user.clientOrgId);
|
|
1412
|
-
|
|
1413
|
-
// Redirect to dashboard (or RelayState)
|
|
1414
|
-
return c.redirect('/dashboard');
|
|
1415
|
-
});
|
|
1416
|
-
|
|
1417
|
-
return auth;
|
|
1418
|
-
}
|
|
1419
|
-
|
|
1420
|
-
// ─── SAML Assertion Parser ───────────────────────────────
|
|
1421
|
-
|
|
1422
|
-
interface SamlAssertionResult {
|
|
1423
|
-
nameId?: string;
|
|
1424
|
-
email?: string;
|
|
1425
|
-
name?: string;
|
|
1426
|
-
firstName?: string;
|
|
1427
|
-
lastName?: string;
|
|
1428
|
-
sessionIndex?: string;
|
|
1429
|
-
notBefore?: string;
|
|
1430
|
-
notOnOrAfter?: string;
|
|
1431
|
-
issuer?: string;
|
|
1432
|
-
signatureValid?: boolean;
|
|
1433
|
-
error?: string;
|
|
1434
|
-
}
|
|
1435
|
-
|
|
1436
|
-
/**
|
|
1437
|
-
* Lightweight SAML assertion parser.
|
|
1438
|
-
* Extracts user attributes from the SAML Response XML without a full XML parser library.
|
|
1439
|
-
* Validates the assertion signature if a certificate is provided.
|
|
1440
|
-
*/
|
|
1441
|
-
function parseSamlAssertion(xml: string, certificate: string): SamlAssertionResult {
|
|
1442
|
-
const result: SamlAssertionResult = {};
|
|
1443
|
-
|
|
1444
|
-
try {
|
|
1445
|
-
// Check for successful status
|
|
1446
|
-
const statusMatch = xml.match(/<samlp?:StatusCode[^>]*Value="([^"]+)"/);
|
|
1447
|
-
if (statusMatch) {
|
|
1448
|
-
const statusValue = statusMatch[1];
|
|
1449
|
-
if (!statusValue.includes(':Success')) {
|
|
1450
|
-
result.error = `SAML authentication failed with status: ${statusValue}`;
|
|
1451
|
-
return result;
|
|
1452
|
-
}
|
|
1453
|
-
}
|
|
1454
|
-
|
|
1455
|
-
// Extract NameID
|
|
1456
|
-
const nameIdMatch = xml.match(/<(?:saml2?:)?NameID[^>]*>([^<]+)<\/(?:saml2?:)?NameID>/);
|
|
1457
|
-
if (nameIdMatch) {
|
|
1458
|
-
result.nameId = nameIdMatch[1].trim();
|
|
1459
|
-
}
|
|
1460
|
-
|
|
1461
|
-
// Extract Issuer
|
|
1462
|
-
const issuerMatch = xml.match(/<(?:saml2?:)?Issuer[^>]*>([^<]+)<\/(?:saml2?:)?Issuer>/);
|
|
1463
|
-
if (issuerMatch) {
|
|
1464
|
-
result.issuer = issuerMatch[1].trim();
|
|
1465
|
-
}
|
|
1466
|
-
|
|
1467
|
-
// Extract Conditions
|
|
1468
|
-
const condMatch = xml.match(/<(?:saml2?:)?Conditions\s+NotBefore="([^"]+)"\s+NotOnOrAfter="([^"]+)"/);
|
|
1469
|
-
if (condMatch) {
|
|
1470
|
-
result.notBefore = condMatch[1];
|
|
1471
|
-
result.notOnOrAfter = condMatch[2];
|
|
1472
|
-
}
|
|
1473
|
-
|
|
1474
|
-
// Extract SessionIndex
|
|
1475
|
-
const sessionMatch = xml.match(/SessionIndex="([^"]+)"/);
|
|
1476
|
-
if (sessionMatch) {
|
|
1477
|
-
result.sessionIndex = sessionMatch[1];
|
|
1478
|
-
}
|
|
1479
|
-
|
|
1480
|
-
// Extract attributes
|
|
1481
|
-
const attrRegex = /<(?:saml2?:)?Attribute\s+Name="([^"]+)"[^>]*>[\s\S]*?<(?:saml2?:)?AttributeValue[^>]*>([^<]*)<\/(?:saml2?:)?AttributeValue>/g;
|
|
1482
|
-
let match;
|
|
1483
|
-
while ((match = attrRegex.exec(xml)) !== null) {
|
|
1484
|
-
const attrName = match[1].toLowerCase();
|
|
1485
|
-
const attrValue = match[2].trim();
|
|
1486
|
-
|
|
1487
|
-
// Map common attribute names
|
|
1488
|
-
if (attrName.includes('emailaddress') || attrName.includes('email') || attrName === 'mail') {
|
|
1489
|
-
result.email = attrValue;
|
|
1490
|
-
} else if (attrName.includes('displayname') || attrName === 'name') {
|
|
1491
|
-
result.name = attrValue;
|
|
1492
|
-
} else if (attrName.includes('givenname') || attrName.includes('firstname')) {
|
|
1493
|
-
result.firstName = attrValue;
|
|
1494
|
-
} else if (attrName.includes('surname') || attrName.includes('lastname')) {
|
|
1495
|
-
result.lastName = attrValue;
|
|
1496
|
-
}
|
|
1497
|
-
}
|
|
1498
|
-
|
|
1499
|
-
// If no explicit email attribute, use NameID if it looks like an email
|
|
1500
|
-
if (!result.email && result.nameId?.includes('@')) {
|
|
1501
|
-
result.email = result.nameId;
|
|
1502
|
-
}
|
|
1503
|
-
|
|
1504
|
-
// Build name from first/last if not provided
|
|
1505
|
-
if (!result.name && (result.firstName || result.lastName)) {
|
|
1506
|
-
result.name = [result.firstName, result.lastName].filter(Boolean).join(' ');
|
|
1507
|
-
}
|
|
1508
|
-
|
|
1509
|
-
// Validate signature
|
|
1510
|
-
// We verify the digest of the SignedInfo against the IdP certificate
|
|
1511
|
-
result.signatureValid = verifySamlSignature(xml, certificate);
|
|
1512
|
-
if (!result.signatureValid) {
|
|
1513
|
-
result.error = 'SAML assertion signature verification failed. Check IdP certificate.';
|
|
1514
|
-
return result;
|
|
1515
|
-
}
|
|
1516
|
-
|
|
1517
|
-
} catch (e: any) {
|
|
1518
|
-
result.error = `Failed to parse SAML assertion: ${e.message}`;
|
|
1519
|
-
}
|
|
1520
|
-
|
|
1521
|
-
return result;
|
|
1522
|
-
}
|
|
1523
|
-
|
|
1524
|
-
/**
|
|
1525
|
-
* Verify the SAML response signature using the IdP's X.509 certificate.
|
|
1526
|
-
* Uses Node.js crypto for signature verification.
|
|
1527
|
-
*/
|
|
1528
|
-
function verifySamlSignature(xml: string, certPem: string): boolean {
|
|
1529
|
-
try {
|
|
1530
|
-
// Extract SignatureValue
|
|
1531
|
-
const sigMatch = xml.match(/<(?:ds:)?SignatureValue[^>]*>([\s\S]*?)<\/(?:ds:)?SignatureValue>/);
|
|
1532
|
-
if (!sigMatch) return true; // No signature = skip verification (some IdPs don't sign)
|
|
1533
|
-
|
|
1534
|
-
// Extract SignedInfo block
|
|
1535
|
-
const signedInfoMatch = xml.match(/<(?:ds:)?SignedInfo[^>]*>[\s\S]*?<\/(?:ds:)?SignedInfo>/);
|
|
1536
|
-
if (!signedInfoMatch) return false;
|
|
1537
|
-
|
|
1538
|
-
// Normalize the certificate
|
|
1539
|
-
let cert = certPem.trim();
|
|
1540
|
-
if (!cert.startsWith('-----BEGIN CERTIFICATE-----')) {
|
|
1541
|
-
// Strip whitespace and reformat
|
|
1542
|
-
cert = cert.replace(/\s/g, '');
|
|
1543
|
-
cert = `-----BEGIN CERTIFICATE-----\n${cert.match(/.{1,64}/g)?.join('\n')}\n-----END CERTIFICATE-----`;
|
|
1544
|
-
}
|
|
1545
|
-
|
|
1546
|
-
// Determine algorithm from SignatureMethod
|
|
1547
|
-
const algMatch = xml.match(/SignatureMethod\s+Algorithm="([^"]+)"/);
|
|
1548
|
-
const algorithm = algMatch?.[1]?.includes('rsa-sha256') ? 'RSA-SHA256' : 'RSA-SHA1';
|
|
1549
|
-
|
|
1550
|
-
const signature = Buffer.from(sigMatch[1].replace(/\s/g, ''), 'base64');
|
|
1551
|
-
const signedInfo = signedInfoMatch[0];
|
|
1552
|
-
|
|
1553
|
-
// Canonicalize SignedInfo (exclusive C14N — we do a simplified version)
|
|
1554
|
-
const canonicalized = signedInfo
|
|
1555
|
-
.replace(/\r\n/g, '\n')
|
|
1556
|
-
.replace(/\r/g, '\n')
|
|
1557
|
-
.trim();
|
|
1558
|
-
|
|
1559
|
-
const verifier = createVerify(algorithm);
|
|
1560
|
-
verifier.update(canonicalized);
|
|
1561
|
-
return verifier.verify(cert, signature);
|
|
1562
|
-
} catch {
|
|
1563
|
-
// If verification fails for any reason, reject
|
|
1564
|
-
return false;
|
|
1565
|
-
}
|
|
1566
|
-
}
|
|
1567
|
-
|
|
1568
|
-
// ─── SSO Error Page ──────────────────────────────────────
|
|
1569
|
-
|
|
1570
|
-
function ssoErrorPage(title: string, message: string): string {
|
|
1571
|
-
return `<!DOCTYPE html>
|
|
1572
|
-
<html>
|
|
1573
|
-
<head><title>${title}</title>
|
|
1574
|
-
<style>
|
|
1575
|
-
body { font-family: system-ui, -apple-system, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; background: #f8f9fa; }
|
|
1576
|
-
.card { background: white; border-radius: 12px; padding: 40px; max-width: 480px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); text-align: center; }
|
|
1577
|
-
h1 { color: #dc2626; font-size: 1.5rem; margin: 0 0 16px; }
|
|
1578
|
-
p { color: #4b5563; margin: 0 0 24px; line-height: 1.5; }
|
|
1579
|
-
a { display: inline-block; padding: 10px 24px; background: #6366f1; color: white; border-radius: 8px; text-decoration: none; }
|
|
1580
|
-
a:hover { background: #4f46e5; }
|
|
1581
|
-
</style></head>
|
|
1582
|
-
<body>
|
|
1583
|
-
<div class="card">
|
|
1584
|
-
<h1>${title}</h1>
|
|
1585
|
-
<p>${message}</p>
|
|
1586
|
-
<a href="/dashboard">Back to Dashboard</a>
|
|
1587
|
-
</div>
|
|
1588
|
-
</body></html>`;
|
|
1589
|
-
}
|