@anby/platform-sdk 0.1.1 → 0.7.0

package/src/apps/publish.ts

@@ -67,6 +67,16 @@ export interface PublishAppResult {
     status: string;
   };
   version: { appId: string; version: string };
+  /**
+   * Ed25519 private key (PEM) returned ONCE on first publish. Used to
+   * assemble the ANBY_APP_TOKEN connection string for the developer to
+   * paste into their app's env. Null on subsequent publishes — the
+   * registry never re-returns the key.
+   *
+   * The CLI uses this to print the assembled token. Programmatic
+   * callers should treat this field as a secret and avoid logging it.
+   */
+  privateKey: string | null;
 }
 
 async function loadManifest(path: string): Promise<AppManifest> {
@@ -81,6 +91,25 @@ async function loadManifest(path: string): Promise<AppManifest> {
   return parsed;
 }
 
+/**
+ * Public helper: load the manifest from disk and return it with all
+ * `provides.entities[].schema` paths resolved to inlined JSON content.
+ *
+ * Used both internally by `publishAppFromManifest` and by services that
+ * want to expose the wire-format manifest over HTTP (e.g. a Remix route
+ * at `/_anby/manifest`) so the Marketplace submit form can fetch it
+ * without requiring the publisher to paste anything by hand.
+ */
+export async function getInlinedManifest(
+  opts: { manifestPath?: string } = {},
+): Promise<AppManifest> {
+  const manifestPath = resolve(
+    opts.manifestPath ?? join(process.cwd(), 'anby-app.manifest.json'),
+  );
+  const raw = await loadManifest(manifestPath);
+  return inlineEntitySchemas(raw, manifestPath);
+}
+
 /**
  * Entity schema inliner (CR-4).
  *
@@ -163,20 +192,30 @@ export async function publishAppFromManifest(
     const manifestPath = resolve(
       opts.manifestPath ?? join(process.cwd(), 'anby-app.manifest.json'),
     );
-    const rawManifest = await loadManifest(manifestPath);
     // CR-4: inline schema content before sending. Manifest on disk uses
     // relative paths for DX; wire format sends the actual JSON object.
-    const manifest = await inlineEntitySchemas(rawManifest, manifestPath);
+    const manifest = await getInlinedManifest({ manifestPath });
 
     const publicUrl =
       opts.publicUrl ??
       process.env.APP_PUBLIC_URL ??
       `http://localhost:${manifest.runtime.port}`;
 
-    const registryUrl =
-      opts.registryUrl ??
-      process.env.REGISTRY_URL ??
-      'http://localhost:3003';
+    // PLAN-app-bootstrap-phase2 PR4: prefer the registry URL discovered
+    // by bootstrapFromToken. Falls back to the explicit option, then env,
+    // then localhost. The discovered value is the registry HOST root
+    // (no /registry suffix), so this code can append /registry/apps below.
+    let registryUrl = opts.registryUrl ?? process.env.REGISTRY_URL;
+    if (!registryUrl) {
+      try {
+        // Lazy require to avoid a circular import at module load time.
+        const { getDiscoveredRegistryBaseUrl } = await import('../bootstrap/index.js');
+        registryUrl = await getDiscoveredRegistryBaseUrl();
+      } catch {
+        // bootstrap not started yet — fall back to localhost dev default.
+        registryUrl = 'http://localhost:3003';
+      }
+    }
 
     const internalApiSecret =
       opts.internalApiSecret ?? process.env.INTERNAL_API_SECRET ?? '';

package/src/auth/index.test.ts

@@ -0,0 +1,249 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { generateKeyPairSync } from 'node:crypto';
+import jwt from 'jsonwebtoken';
+import {
+  configureAuth,
+  verifyUserJwt,
+  verifyInternalJwt,
+  verifyHmac,
+  signHmac,
+  authenticateRequest,
+  JWT_ISSUER,
+  JWT_AUDIENCE,
+  TYP_USER,
+  TYP_INTERNAL,
+  TYP_OAUTH_STATE,
+} from './index.js';
+
+// Generate a single test keypair shared across all tests in this file.
+// ~50ms one-time cost.
+const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
+const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }).toString();
+
+const HMAC_SECRET = 'test-hmac-secret';
+
+function signRS256User(claims: Record<string, unknown> = {}): string {
+  return jwt.sign(
+    { sub: 'user-1', email: 'u@bravebits.vn', tenantId: 't1', typ: TYP_USER, ...claims },
+    privateKeyPem,
+    { algorithm: 'RS256', issuer: JWT_ISSUER, audience: JWT_AUDIENCE, expiresIn: '1h' },
+  );
+}
+
+function signRS256Internal(): string {
+  return jwt.sign(
+    { sub: 'user-1', email: 'u@bravebits.vn', typ: TYP_INTERNAL },
+    privateKeyPem,
+    { algorithm: 'RS256', issuer: JWT_ISSUER, audience: JWT_AUDIENCE, expiresIn: '1h' },
+  );
+}
+
+function signRS256OAuthState(): string {
+  return jwt.sign(
+    { returnUrl: '/dashboard', nonce: 'test-nonce', typ: TYP_OAUTH_STATE },
+    privateKeyPem,
+    { algorithm: 'RS256', issuer: JWT_ISSUER, audience: JWT_AUDIENCE, expiresIn: '5m' },
+  );
+}
+
+describe('configureAuth', () => {
+  it('rejects empty config', () => {
+    expect(() => configureAuth({})).toThrow();
+  });
+
+  it('accepts hmacSecret only (registry use case)', () => {
+    configureAuth({ hmacSecret: HMAC_SECRET });
+    const sig = signHmac('alice@bravebits.vn');
+    expect(verifyHmac('alice@bravebits.vn', sig)).toBe(true);
+  });
+
+  it('accepts jwtPublicKey only (read-only consumer use case)', () => {
+    configureAuth({ jwtPublicKey: publicKeyPem });
+    expect(() => verifyUserJwt(signRS256User())).not.toThrow();
+  });
+});
+
+describe('verifyUserJwt — RS256 path', () => {
+  beforeEach(() => {
+    configureAuth({
+      jwtPublicKey: publicKeyPem,
+      hmacSecret: HMAC_SECRET,
+    });
+  });
+
+  it('accepts a valid RS256 user token', () => {
+    const user = verifyUserJwt(signRS256User());
+    expect(user.id).toBe('user-1');
+    expect(user.email).toBe('u@bravebits.vn');
+    expect(user.tenantId).toBe('t1');
+  });
+
+  it('rejects an expired token', () => {
+    const expired = jwt.sign(
+      { sub: 'u', email: 'u@x.com', typ: TYP_USER },
+      privateKeyPem,
+      { algorithm: 'RS256', issuer: JWT_ISSUER, audience: JWT_AUDIENCE, expiresIn: '-1h' },
+    );
+    expect(() => verifyUserJwt(expired)).toThrow();
+  });
+
+  it('rejects a token signed with a different key', () => {
+    const { privateKey: otherKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
+    const evil = jwt.sign(
+      { sub: 'u', email: 'u@x.com', typ: TYP_USER },
+      otherKey.export({ type: 'pkcs8', format: 'pem' }).toString(),
+      { algorithm: 'RS256', issuer: JWT_ISSUER, audience: JWT_AUDIENCE, expiresIn: '1h' },
+    );
+    expect(() => verifyUserJwt(evil)).toThrow();
+  });
+
+  it('rejects a token with wrong issuer', () => {
+    const evil = jwt.sign(
+      { sub: 'u', email: 'u@x.com', typ: TYP_USER },
+      privateKeyPem,
+      { algorithm: 'RS256', issuer: 'evil', audience: JWT_AUDIENCE, expiresIn: '1h' },
+    );
+    expect(() => verifyUserJwt(evil)).toThrow();
+  });
+
+  it('rejects a token with wrong audience', () => {
+    const evil = jwt.sign(
+      { sub: 'u', email: 'u@x.com', typ: TYP_USER },
+      privateKeyPem,
+      { algorithm: 'RS256', issuer: JWT_ISSUER, audience: 'evil', expiresIn: '1h' },
+    );
+    expect(() => verifyUserJwt(evil)).toThrow();
+  });
+});
+
+describe('CRITICAL: cross-token confusion', () => {
+  beforeEach(() => {
+    configureAuth({
+      jwtPublicKey: publicKeyPem,
+      hmacSecret: HMAC_SECRET,
+    });
+  });
+
+  it('verifyUserJwt MUST reject an internal JWT', () => {
+    expect(() => verifyUserJwt(signRS256Internal())).toThrow();
+  });
+
+  it('verifyUserJwt MUST reject an OAuth state token', () => {
+    expect(() => verifyUserJwt(signRS256OAuthState())).toThrow();
+  });
+
+  it('verifyInternalJwt MUST reject a user JWT', () => {
+    expect(() => verifyInternalJwt(signRS256User())).toThrow();
+  });
+
+  it('verifyInternalJwt MUST reject an OAuth state token', () => {
+    expect(() => verifyInternalJwt(signRS256OAuthState())).toThrow();
+  });
+
+});
+
+describe('CRITICAL: algorithm confusion', () => {
+  beforeEach(() => {
+    configureAuth({
+      jwtPublicKey: publicKeyPem,
+      hmacSecret: HMAC_SECRET,
+    });
+  });
+
+  it('rejects alg:none tokens', () => {
+    const header = Buffer.from(JSON.stringify({ alg: 'none', typ: 'JWT' })).toString('base64url');
+    const payload = Buffer.from(
+      JSON.stringify({
+        sub: 'attacker',
+        email: 'a@evil.com',
+        typ: TYP_USER,
+        iss: JWT_ISSUER,
+        aud: JWT_AUDIENCE,
+        exp: Math.floor(Date.now() / 1000) + 3600,
+      }),
+    ).toString('base64url');
+    expect(() => verifyUserJwt(`${header}.${payload}.`)).toThrow();
+  });
+
+  it('rejects HS256 tokens signed with the public key as the secret (alg confusion)', () => {
+    const evil = jwt.sign(
+      { sub: 'attacker', email: 'a@evil.com', typ: TYP_USER },
+      publicKeyPem,
+      { algorithm: 'HS256', expiresIn: '1h' },
+    );
+    expect(() => verifyUserJwt(evil)).toThrow();
+  });
+});
+
+// PR4: dual-verify and HS256-only mode tests removed alongside the fallback paths.
+// SDK is RS256-only post-PR4. The verifyUserJwt — RS256 path tests above cover
+// the canonical happy path and edge cases.
+
+describe('HMAC service-to-service (regression)', () => {
+  beforeEach(() => {
+    configureAuth({
+      jwtPublicKey: publicKeyPem,
+      hmacSecret: HMAC_SECRET,
+    });
+  });
+
+  it('signHmac and verifyHmac round-trip', () => {
+    const sig = signHmac('alice@bravebits.vn');
+    expect(verifyHmac('alice@bravebits.vn', sig)).toBe(true);
+  });
+
+  it('verifyHmac rejects tampered user value', () => {
+    const sig = signHmac('alice@bravebits.vn');
+    expect(verifyHmac('bob@bravebits.vn', sig)).toBe(false);
+  });
+
+  it('verifyHmac rejects wrong-length signature without throwing', () => {
+    expect(verifyHmac('alice@bravebits.vn', 'short')).toBe(false);
+  });
+});
+
+describe('authenticateRequest', () => {
+  beforeEach(() => {
+    configureAuth({
+      jwtPublicKey: publicKeyPem,
+      hmacSecret: HMAC_SECRET,
+    });
+  });
+
+  function makeRequest(headers: Record<string, string>): Request {
+    return new Request('http://localhost/test', { headers });
+  }
+
+  it('authenticates RS256 Bearer token', () => {
+    const req = makeRequest({ authorization: `Bearer ${signRS256User()}` });
+    const user = authenticateRequest(req);
+    expect(user?.id).toBe('user-1');
+  });
+
+  it('authenticates RS256 cookie token (Remix SSR path)', () => {
+    const req = makeRequest({ cookie: `auth-token=${signRS256User()}` });
+    const user = authenticateRequest(req);
+    expect(user?.id).toBe('user-1');
+  });
+
+  it('rejects internal JWT presented as Bearer (cross-token confusion)', () => {
+    const req = makeRequest({ authorization: `Bearer ${signRS256Internal()}` });
+    expect(authenticateRequest(req)).toBeNull();
+  });
+
+  it('authenticates HMAC service-to-service via x-internal-* headers', () => {
+    const sig = signHmac('worker@svc');
+    const req = makeRequest({
+      'x-internal-user': 'worker@svc',
+      'x-internal-signature': sig,
+    });
+    const user = authenticateRequest(req);
+    expect(user?.id).toBe('internal');
+    expect(user?.email).toBe('worker@svc');
+  });
+
+  it('returns null for unauthenticated request', () => {
+    expect(authenticateRequest(makeRequest({}))).toBeNull();
+  });
+});

package/src/auth/index.ts

@@ -1,6 +1,17 @@
 import jwt from 'jsonwebtoken';
 import crypto from 'crypto';
 
+// JWT claim conventions for the asymmetric (RS256) auth path. Must match
+// anby-auth-service/src/auth/auth.service.ts. All RS256 tokens carry these
+// iss/aud/typ claims; all RS256 verifiers enforce them.
+//
+// PR4 cleanup: HS256 fallback paths removed. SDK is RS256-only.
+export const JWT_ISSUER = 'anby-auth-service';
+export const JWT_AUDIENCE = 'anby-platform';
+export const TYP_USER = 'user';
+export const TYP_INTERNAL = 'internal';
+export const TYP_OAUTH_STATE = 'oauth-state';
+
 export interface AuthUser {
   id: string;
   email: string;
@@ -8,30 +19,51 @@ export interface AuthUser {
   tenantId: string;
 }
 
+/**
+ * Auth SDK config. Pass via configureAuth() before any verify* call.
+ *
+ * After PR4 cleanup, only the RS256 + HMAC fields exist:
+ *  - jwtPublicKey: REQUIRED for any user/internal token verification
+ *  - hmacSecret: REQUIRED for service-to-service HMAC (registry use case)
+ *
+ * For services that only verify JWTs and never use HMAC, pass only jwtPublicKey.
+ * For services that only use HMAC (e.g. app-registry), pass only hmacSecret.
+ */
 export interface AuthConfig {
-  jwtSecret: string;
-  internalApiSecret: string;
+  jwtPublicKey?: string; // RSA-2048 PEM
+  hmacSecret?: string; // service-to-service HMAC secret
+}
+
+interface InternalConfig {
+  jwtPublicKey: string | null;
+  hmacSecret: string | null;
 }
 
-let _config: AuthConfig | null = null;
+let _config: InternalConfig | null = null;
 
+/**
+ * Configure the SDK's auth state. Call once at service boot, before any
+ * verify* call.
+ */
 export function configureAuth(config: AuthConfig): void {
-  _config = config;
+  const jwtPublicKey = config.jwtPublicKey ?? null;
+  const hmacSecret = config.hmacSecret ?? null;
+
+  if (!jwtPublicKey && !hmacSecret) {
+    throw new Error(
+      'configureAuth: at least one of jwtPublicKey or hmacSecret must be set',
+    );
+  }
+
+  _config = { jwtPublicKey, hmacSecret };
 }
 
-function getConfig(): AuthConfig {
+function getConfig(): InternalConfig {
   if (!_config) throw new Error('Auth not configured. Call configureAuth() first.');
   return _config;
 }
 
-export function verifyJwt(token: string): AuthUser {
-  const config = getConfig();
-  const payload = jwt.verify(token, config.jwtSecret) as {
-    sub: string;
-    email: string;
-    name?: string;
-    tenantId?: string;
-  };
+function payloadToAuthUser(payload: any): AuthUser {
   return {
     id: payload.sub,
     email: payload.email,
@@ -40,13 +72,69 @@ export function verifyJwt(token: string): AuthUser {
   };
 }
 
+/**
+ * Verify a user session JWT (RS256). CRITICAL (cross-token confusion fix):
+ * rejects tokens with typ != "user". An internal-token (typ:internal) or
+ * oauth-state token (typ:oauth-state) presented as a user session is rejected
+ * even if the signature, iss, aud, and exp would all validate.
+ */
+export function verifyUserJwt(token: string): AuthUser {
+  const config = getConfig();
+  if (!config.jwtPublicKey) {
+    throw new Error('jwtPublicKey not configured');
+  }
+  if (!token || token.split('.').length !== 3) {
+    throw new Error('Invalid token format');
+  }
+  const payload = jwt.verify(token, config.jwtPublicKey, {
+    algorithms: ['RS256'],
+    issuer: JWT_ISSUER,
+    audience: JWT_AUDIENCE,
+    clockTolerance: 30,
+  }) as any;
+  if (payload.typ !== TYP_USER) {
+    throw new Error('Wrong token class for user verifier');
+  }
+  return payloadToAuthUser(payload);
+}
+
+/**
+ * Verify an internal-service JWT (RS256). CRITICAL: rejects tokens with
+ * typ != "internal".
+ */
+export function verifyInternalJwt(token: string): AuthUser {
+  const config = getConfig();
+  if (!config.jwtPublicKey) {
+    throw new Error('jwtPublicKey not configured');
+  }
+  if (!token || token.split('.').length !== 3) {
+    throw new Error('Invalid token format');
+  }
+  const payload = jwt.verify(token, config.jwtPublicKey, {
+    algorithms: ['RS256'],
+    issuer: JWT_ISSUER,
+    audience: JWT_AUDIENCE,
+    clockTolerance: 30,
+  }) as any;
+  if (payload.typ !== TYP_INTERNAL) {
+    throw new Error('Wrong token class for internal verifier');
+  }
+  return payloadToAuthUser(payload);
+}
+
 export function verifyHmac(userValue: string, signature: string): boolean {
   const config = getConfig();
+  if (!config.hmacSecret) {
+    throw new Error('HMAC not configured. Set hmacSecret in configureAuth().');
+  }
   const expected = crypto
-    .createHmac('sha256', config.internalApiSecret)
+    .createHmac('sha256', config.hmacSecret)
     .update(userValue)
     .digest('hex');
-  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
+  const expectedBuf = Buffer.from(expected);
+  const actualBuf = Buffer.from(signature);
+  if (expectedBuf.length !== actualBuf.length) return false;
+  return crypto.timingSafeEqual(expectedBuf, actualBuf);
 }
 
 /**
@@ -55,48 +143,54 @@ export function verifyHmac(userValue: string, signature: string): boolean {
  * the receiving side calls `verifyHmac` with the same pair.
  */
 export function signHmac(userValue: string, secret?: string): string {
-  const internalApiSecret = secret ?? getConfig().internalApiSecret;
-  return crypto
-    .createHmac('sha256', internalApiSecret)
-    .update(userValue)
-    .digest('hex');
+  const hmacSecret = secret ?? getConfig().hmacSecret;
+  if (!hmacSecret) {
+    throw new Error('HMAC not configured. Set hmacSecret in configureAuth().');
+  }
+  return crypto.createHmac('sha256', hmacSecret).update(userValue).digest('hex');
 }
 
 export function authenticateRequest(request: Request): AuthUser | null {
-  // Try JWT from Authorization header
+  // Try JWT from Authorization header (user session)
   const authHeader = request.headers.get('authorization');
   if (authHeader?.startsWith('Bearer ')) {
     try {
-      return verifyJwt(authHeader.slice(7));
+      return verifyUserJwt(authHeader.slice(7));
     } catch {
       return null;
     }
   }
 
-  // Try JWT from cookie
+  // Try JWT from cookie (Remix/SSR path)
   const cookies = request.headers.get('cookie') || '';
   const authCookie = cookies.split(';').find(c => c.trim().startsWith('auth-token='));
   if (authCookie) {
     const token = authCookie.split('=')[1]?.trim();
     if (token) {
       try {
-        return verifyJwt(token);
+        return verifyUserJwt(token);
       } catch {
         return null;
       }
     }
   }
 
-  // Try HMAC (service-to-service)
+  // Try HMAC (service-to-service). Only if hmacSecret is configured.
   const internalUser = request.headers.get('x-internal-user');
   const internalSig = request.headers.get('x-internal-signature');
-  if (internalUser && internalSig && verifyHmac(internalUser, internalSig)) {
-    return {
-      id: 'internal',
-      email: internalUser,
-      name: 'Internal Service',
-      tenantId: request.headers.get('x-tenant-id') || 'default',
-    };
+  if (internalUser && internalSig) {
+    try {
+      if (verifyHmac(internalUser, internalSig)) {
+        return {
+          id: 'internal',
+          email: internalUser,
+          name: 'Internal Service',
+          tenantId: request.headers.get('x-tenant-id') || 'default',
+        };
+      }
+    } catch {
+      // hmacSecret not configured — fall through
+    }
   }
 
   return null;

package/src/bootstrap/cache.ts

@@ -0,0 +1,60 @@
+import { promises as fs } from 'node:fs';
+import { dirname, join } from 'node:path';
+import type { CachedBootstrap } from './types.js';
+
+/**
+ * Disk cache for the bootstrap discovery response. Used to make cold
+ * starts resilient when the platform discovery endpoint is briefly
+ * unreachable.
+ *
+ * Cache is per-app (keyed by appId so multiple apps in the same workdir
+ * don't collide). Atomic write via temp file + rename. File mode 0600 so
+ * the cache file is owner-only on POSIX systems.
+ *
+ * Format: JSON. Contains the discovery response and the auth public key
+ * PEM. Does NOT contain the per-app private key — that comes from the
+ * connection-string token at every boot.
+ */
+
+function cacheFilePath(cacheDir: string, appId: string): string {
+  // Sanitize appId for filename safety: keep alphanumerics + dashes + dots,
+  // replace everything else with underscore.
+  const safeId = appId.replace(/[^a-zA-Z0-9.\-_]/g, '_');
+  return join(cacheDir, `bootstrap-${safeId}.json`);
+}
+
+export async function readCache(
+  cacheDir: string,
+  appId: string,
+): Promise<CachedBootstrap | null> {
+  try {
+    const path = cacheFilePath(cacheDir, appId);
+    const raw = await fs.readFile(path, 'utf-8');
+    const parsed = JSON.parse(raw) as CachedBootstrap;
+    if (
+      typeof parsed?.fetchedAt !== 'string' ||
+      typeof parsed?.staleAt !== 'string' ||
+      !parsed?.discovery?.endpoints ||
+      typeof parsed?.authPublicKeyPem !== 'string'
+    ) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    // ENOENT, parse error, anything — fall back to fresh fetch
+    return null;
+  }
+}
+
+export async function writeCache(
+  cacheDir: string,
+  appId: string,
+  entry: CachedBootstrap,
+): Promise<void> {
+  const path = cacheFilePath(cacheDir, appId);
+  await fs.mkdir(dirname(path), { recursive: true });
+  // Atomic write: stage to temp, rename. Rename is atomic on POSIX.
+  const tmp = `${path}.tmp.${process.pid}`;
+  await fs.writeFile(tmp, JSON.stringify(entry, null, 2), { mode: 0o600 });
+  await fs.rename(tmp, path);
+}