@axova/shared 1.0.2 → 1.1.0

package/src/middleware/serviceAuth.ts

@@ -1,328 +1,328 @@
-import type { FastifyReply, FastifyRequest } from "fastify";
-import jwt from "jsonwebtoken";
-import { z } from "zod";
-
-// Service claims schema
-export const ServiceClaimsSchema = z.object({
-	service: z.string(),
-	permissions: z.array(z.string()),
-	iat: z.number(),
-	exp: z.number(),
-	iss: z.literal("axova-platform"),
-});
-
-export type ServiceClaims = z.infer<typeof ServiceClaimsSchema>;
-
-// Service authentication configuration
-export interface ServiceAuthConfig {
-	internalSecret: string;
-	tokenExpiry?: string; // Default: '1h'
-	requiredPermissions?: string[];
-}
-
-// Extended request interface
-export interface AuthenticatedRequest extends FastifyRequest {
-	serviceClaims?: ServiceClaims;
-	isServiceAuthenticated?: boolean;
-}
-
-// Service authentication class
-export class ServiceAuthenticator {
-	private secret: string;
-	private tokenExpiry: string;
-
-	constructor(config: ServiceAuthConfig) {
-		this.secret = config.internalSecret;
-		this.tokenExpiry = config.tokenExpiry || "1h";
-	}
-
-	// Generate service token
-	generateServiceToken(service: string, permissions: string[] = []): string {
-		const payload: Omit<ServiceClaims, "iat" | "exp"> = {
-			service,
-			permissions,
-			iss: "axova-platform",
-		};
-
-		return jwt.sign(payload, this.secret, {
-			expiresIn: this.tokenExpiry,
-			algorithm: "HS256",
-		} as jwt.SignOptions);
-	}
-
-	// Verify service token
-	verifyServiceToken(token: string): ServiceClaims {
-		try {
-			const decoded = jwt.verify(token, this.secret, {
-				algorithms: ["HS256"],
-				issuer: "axova-platform",
-			}) as ServiceClaims;
-
-			// Validate with Zod schema
-			return ServiceClaimsSchema.parse(decoded);
-		} catch (error) {
-			throw new Error(
-				`Invalid service token: ${error instanceof Error ? error.message : "Unknown error"}`,
-			);
-		}
-	}
-
-	// Fastify middleware for service authentication
-	serviceAuthMiddleware(requiredPermissions: string[] = []) {
-		return async (request: AuthenticatedRequest, reply: FastifyReply) => {
-			try {
-				const authHeader = request.headers.authorization;
-				const serviceToken = request.headers["x-service-token"] as string;
-
-				let token: string | null = null;
-
-				// Check for Bearer token in Authorization header
-				if (authHeader?.startsWith("Bearer ")) {
-					token = authHeader.substring(7);
-				}
-				// Check for service token in custom header
-				else if (serviceToken) {
-					token = serviceToken;
-				}
-
-				if (!token) {
-					return reply.code(401).send({
-						error: "Service authentication required",
-						code: "MISSING_SERVICE_TOKEN",
-					});
-				}
-
-				// DEVELOPMENT MODE: Accept simple constant tokens
-				const isDevelopment = process.env.NODE_ENV !== "production";
-				const developmentTokens = [
-					"dev-compliance-token",
-					"development-mode",
-					"compliance-dev-access",
-					"simple-dev-token",
-					"inventory-dev-access",
-					"product-dev-access",
-					"oxa-dev-access",
-				];
-
-				if (isDevelopment && developmentTokens.includes(token)) {
-					// In development, validate against a proper development service registry
-					// instead of using mock claims
-					try {
-						// TODO: Implement proper development service authentication
-						// For now, only allow specific development services with limited permissions
-						let servicePermissions: string[] = [];
-						let serviceName = "unknown-service";
-
-						// Grant permissions based on the specific development token
-						switch (token) {
-							case "inventory-dev-access":
-								serviceName = "inventory-service-dev";
-								servicePermissions = ["store:read", "store:write"];
-								break;
-							case "product-dev-access":
-								serviceName = "product-service-dev";
-								servicePermissions = ["store:read", "store:write"];
-								break;
-							case "compliance-dev-access":
-								serviceName = "compliance-service-dev";
-								servicePermissions = ["compliance:read", "compliance:write"];
-								break;
-							case "oxa-dev-access":
-								serviceName = "oxa-service-dev";
-								servicePermissions = ["store:read", "ai:moderate"];
-								break;
-							default:
-								throw new Error("Unknown development token");
-						}
-
-						const devClaims: ServiceClaims = {
-							service: serviceName,
-							permissions: servicePermissions,
-							iss: "axova-platform",
-							iat: Math.floor(Date.now() / 1000),
-							exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24, // 24 hours
-						};
-
-						request.serviceClaims = devClaims;
-						request.isServiceAuthenticated = true;
-						console.log(
-							`🔧 Development mode: Service authenticated with token "${token}"`,
-						);
-						return; // Skip JWT verification in development
-					} catch (error) {
-						return reply.code(401).send({
-							error: "Invalid development token",
-							code: "INVALID_DEVELOPMENT_TOKEN",
-							message: error instanceof Error ? error.message : "Unknown error",
-						});
-					}
-				}
-
-				// Verify the token
-				const claims = this.verifyServiceToken(token);
-
-				// Check required permissions
-				if (requiredPermissions.length > 0) {
-					const hasPermissions = requiredPermissions.every((perm) =>
-						claims.permissions.includes(perm),
-					);
-
-					if (!hasPermissions) {
-						return reply.code(403).send({
-							error: "Insufficient permissions",
-							code: "INSUFFICIENT_PERMISSIONS",
-							required: requiredPermissions,
-							granted: claims.permissions,
-						});
-					}
-				}
-
-				// Attach claims to request
-				request.serviceClaims = claims;
-				request.isServiceAuthenticated = true;
-
-				console.log(`Service authenticated: ${claims.service}`);
-			} catch (error) {
-				return reply.code(401).send({
-					error: "Invalid service token",
-					code: "INVALID_SERVICE_TOKEN",
-					message: error instanceof Error ? error.message : "Unknown error",
-				});
-			}
-		};
-	}
-
-	// Alternative HMAC-based authentication
-	generateHMACSignature(payload: string, timestamp: string): string {
-		const crypto = require("node:crypto");
-		const message = `${timestamp}.${payload}`;
-		return crypto
-			.createHmac("sha256", this.secret)
-			.update(message)
-			.digest("hex");
-	}
-
-	// HMAC middleware
-	hmacAuthMiddleware() {
-		return async (request: AuthenticatedRequest, reply: FastifyReply) => {
-			try {
-				const signature = request.headers["x-signature"] as string;
-				const timestamp = request.headers["x-timestamp"] as string;
-				const service = request.headers["x-service"] as string;
-
-				if (!signature || !timestamp || !service) {
-					return reply.code(401).send({
-						error: "HMAC authentication headers missing",
-						code: "MISSING_HMAC_HEADERS",
-					});
-				}
-
-				// Check timestamp (prevent replay attacks)
-				const now = Date.now();
-				const requestTime = Number.parseInt(timestamp);
-				const timeDiff = Math.abs(now - requestTime);
-
-				// Allow 5 minutes tolerance
-				if (timeDiff > 300000) {
-					return reply.code(401).send({
-						error: "Request timestamp too old",
-						code: "TIMESTAMP_EXPIRED",
-					});
-				}
-
-				// Get request body as string
-				const body = JSON.stringify(request.body || {});
-				const expectedSignature = this.generateHMACSignature(body, timestamp);
-
-				if (signature !== expectedSignature) {
-					return reply.code(401).send({
-						error: "Invalid HMAC signature",
-						code: "INVALID_HMAC_SIGNATURE",
-					});
-				}
-
-				// Set service info on request
-				request.serviceClaims = {
-					service,
-					permissions: [], // HMAC doesn't include permissions by default
-					iat: requestTime,
-					exp: requestTime + 300000, // 5 minutes
-					iss: "axova-platform",
-				};
-				request.isServiceAuthenticated = true;
-
-				console.log(`Service authenticated via HMAC: ${service}`);
-			} catch (error) {
-				return reply.code(401).send({
-					error: "HMAC authentication failed",
-					code: "HMAC_AUTH_FAILED",
-					message: error instanceof Error ? error.message : "Unknown error",
-				});
-			}
-		};
-	}
-}
-
-// Singleton factory
-let serviceAuthInstance: ServiceAuthenticator | null = null;
-
-export function createServiceAuthenticator(
-	config: ServiceAuthConfig,
-): ServiceAuthenticator {
-	if (!serviceAuthInstance) {
-		serviceAuthInstance = new ServiceAuthenticator(config);
-	}
-	return serviceAuthInstance;
-}
-
-export function getServiceAuthenticator(): ServiceAuthenticator {
-	if (!serviceAuthInstance) {
-		throw new Error(
-			"Service authenticator not created. Call createServiceAuthenticator() first.",
-		);
-	}
-	return serviceAuthInstance;
-}
-
-// Utility to get auth config from environment
-export function getServiceAuthConfigFromEnv(): ServiceAuthConfig {
-	const internalSecret = process.env.INTERNAL_SECRET;
-
-	if (!internalSecret) {
-		throw new Error("INTERNAL_SECRET environment variable is required");
-	}
-
-	return {
-		internalSecret,
-		tokenExpiry: process.env.SERVICE_TOKEN_EXPIRY || "1h",
-	};
-}
-
-// Common service permissions
-export const SERVICE_PERMISSIONS = {
-	// Store service permissions
-	STORE_READ: "store:read",
-	STORE_WRITE: "store:write",
-	STORE_DELETE: "store:delete",
-
-	// Compliance service permissions
-	COMPLIANCE_READ: "compliance:read",
-	COMPLIANCE_WRITE: "compliance:write",
-	COMPLIANCE_BAN: "compliance:ban",
-	COMPLIANCE_APPEAL: "compliance:appeal",
-
-	// Notification service permissions
-	NOTIFICATION_SEND: "notification:send",
-	NOTIFICATION_READ: "notification:read",
-
-	// Audit service permissions
-	AUDIT_READ: "audit:read",
-	AUDIT_WRITE: "audit:write",
-
-	// Admin service permissions
-	ADMIN_OVERRIDE: "admin:override",
-	ADMIN_REVIEW: "admin:review",
-
-	// AI moderation permissions
-	AI_MODERATE: "ai:moderate",
-} as const;
+import type { FastifyReply, FastifyRequest } from "fastify";
+import jwt from "jsonwebtoken";
+import { z } from "zod";
+
+// Service claims schema
+export const ServiceClaimsSchema = z.object({
+	service: z.string(),
+	permissions: z.array(z.string()),
+	iat: z.number(),
+	exp: z.number(),
+	iss: z.literal("axova-platform"),
+});
+
+export type ServiceClaims = z.infer<typeof ServiceClaimsSchema>;
+
+// Service authentication configuration
+export interface ServiceAuthConfig {
+	internalSecret: string;
+	tokenExpiry?: string; // Default: '1h'
+	requiredPermissions?: string[];
+}
+
+// Extended request interface
+export interface AuthenticatedRequest extends FastifyRequest {
+	serviceClaims?: ServiceClaims;
+	isServiceAuthenticated?: boolean;
+}
+
+// Service authentication class
+export class ServiceAuthenticator {
+	private secret: string;
+	private tokenExpiry: string;
+
+	constructor(config: ServiceAuthConfig) {
+		this.secret = config.internalSecret;
+		this.tokenExpiry = config.tokenExpiry || "1h";
+	}
+
+	// Generate service token
+	generateServiceToken(service: string, permissions: string[] = []): string {
+		const payload: Omit<ServiceClaims, "iat" | "exp"> = {
+			service,
+			permissions,
+			iss: "axova-platform",
+		};
+
+		return jwt.sign(payload, this.secret, {
+			expiresIn: this.tokenExpiry,
+			algorithm: "HS256",
+		} as jwt.SignOptions);
+	}
+
+	// Verify service token
+	verifyServiceToken(token: string): ServiceClaims {
+		try {
+			const decoded = jwt.verify(token, this.secret, {
+				algorithms: ["HS256"],
+				issuer: "axova-platform",
+			}) as ServiceClaims;
+
+			// Validate with Zod schema
+			return ServiceClaimsSchema.parse(decoded);
+		} catch (error) {
+			throw new Error(
+				`Invalid service token: ${error instanceof Error ? error.message : "Unknown error"}`,
+			);
+		}
+	}
+
+	// Fastify middleware for service authentication
+	serviceAuthMiddleware(requiredPermissions: string[] = []) {
+		return async (request: AuthenticatedRequest, reply: FastifyReply) => {
+			try {
+				const authHeader = request.headers.authorization;
+				const serviceToken = request.headers["x-service-token"] as string;
+
+				let token: string | null = null;
+
+				// Check for Bearer token in Authorization header
+				if (authHeader?.startsWith("Bearer ")) {
+					token = authHeader.substring(7);
+				}
+				// Check for service token in custom header
+				else if (serviceToken) {
+					token = serviceToken;
+				}
+
+				if (!token) {
+					return reply.code(401).send({
+						error: "Service authentication required",
+						code: "MISSING_SERVICE_TOKEN",
+					});
+				}
+
+				// DEVELOPMENT MODE: Accept simple constant tokens
+				const isDevelopment = process.env.NODE_ENV !== "production";
+				const developmentTokens = [
+					"dev-compliance-token",
+					"development-mode",
+					"compliance-dev-access",
+					"simple-dev-token",
+					"inventory-dev-access",
+					"product-dev-access",
+					"oxa-dev-access",
+				];
+
+				if (isDevelopment && developmentTokens.includes(token)) {
+					// In development, validate against a proper development service registry
+					// instead of using mock claims
+					try {
+						// TODO: Implement proper development service authentication
+						// For now, only allow specific development services with limited permissions
+						let servicePermissions: string[] = [];
+						let serviceName = "unknown-service";
+
+						// Grant permissions based on the specific development token
+						switch (token) {
+							case "inventory-dev-access":
+								serviceName = "inventory-service-dev";
+								servicePermissions = ["store:read", "store:write"];
+								break;
+							case "product-dev-access":
+								serviceName = "product-service-dev";
+								servicePermissions = ["store:read", "store:write"];
+								break;
+							case "compliance-dev-access":
+								serviceName = "compliance-service-dev";
+								servicePermissions = ["compliance:read", "compliance:write"];
+								break;
+							case "oxa-dev-access":
+								serviceName = "oxa-service-dev";
+								servicePermissions = ["store:read", "ai:moderate"];
+								break;
+							default:
+								throw new Error("Unknown development token");
+						}
+
+						const devClaims: ServiceClaims = {
+							service: serviceName,
+							permissions: servicePermissions,
+							iss: "axova-platform",
+							iat: Math.floor(Date.now() / 1000),
+							exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24, // 24 hours
+						};
+
+						request.serviceClaims = devClaims;
+						request.isServiceAuthenticated = true;
+						console.log(
+							`🔧 Development mode: Service authenticated with token "${token}"`,
+						);
+						return; // Skip JWT verification in development
+					} catch (error) {
+						return reply.code(401).send({
+							error: "Invalid development token",
+							code: "INVALID_DEVELOPMENT_TOKEN",
+							message: error instanceof Error ? error.message : "Unknown error",
+						});
+					}
+				}
+
+				// Verify the token
+				const claims = this.verifyServiceToken(token);
+
+				// Check required permissions
+				if (requiredPermissions.length > 0) {
+					const hasPermissions = requiredPermissions.every((perm) =>
+						claims.permissions.includes(perm),
+					);
+
+					if (!hasPermissions) {
+						return reply.code(403).send({
+							error: "Insufficient permissions",
+							code: "INSUFFICIENT_PERMISSIONS",
+							required: requiredPermissions,
+							granted: claims.permissions,
+						});
+					}
+				}
+
+				// Attach claims to request
+				request.serviceClaims = claims;
+				request.isServiceAuthenticated = true;
+
+				console.log(`Service authenticated: ${claims.service}`);
+			} catch (error) {
+				return reply.code(401).send({
+					error: "Invalid service token",
+					code: "INVALID_SERVICE_TOKEN",
+					message: error instanceof Error ? error.message : "Unknown error",
+				});
+			}
+		};
+	}
+
+	// Alternative HMAC-based authentication
+	generateHMACSignature(payload: string, timestamp: string): string {
+		const crypto = require("node:crypto");
+		const message = `${timestamp}.${payload}`;
+		return crypto
+			.createHmac("sha256", this.secret)
+			.update(message)
+			.digest("hex");
+	}
+
+	// HMAC middleware
+	hmacAuthMiddleware() {
+		return async (request: AuthenticatedRequest, reply: FastifyReply) => {
+			try {
+				const signature = request.headers["x-signature"] as string;
+				const timestamp = request.headers["x-timestamp"] as string;
+				const service = request.headers["x-service"] as string;
+
+				if (!signature || !timestamp || !service) {
+					return reply.code(401).send({
+						error: "HMAC authentication headers missing",
+						code: "MISSING_HMAC_HEADERS",
+					});
+				}
+
+				// Check timestamp (prevent replay attacks)
+				const now = Date.now();
+				const requestTime = Number.parseInt(timestamp);
+				const timeDiff = Math.abs(now - requestTime);
+
+				// Allow 5 minutes tolerance
+				if (timeDiff > 300000) {
+					return reply.code(401).send({
+						error: "Request timestamp too old",
+						code: "TIMESTAMP_EXPIRED",
+					});
+				}
+
+				// Get request body as string
+				const body = JSON.stringify(request.body || {});
+				const expectedSignature = this.generateHMACSignature(body, timestamp);
+
+				if (signature !== expectedSignature) {
+					return reply.code(401).send({
+						error: "Invalid HMAC signature",
+						code: "INVALID_HMAC_SIGNATURE",
+					});
+				}
+
+				// Set service info on request
+				request.serviceClaims = {
+					service,
+					permissions: [], // HMAC doesn't include permissions by default
+					iat: requestTime,
+					exp: requestTime + 300000, // 5 minutes
+					iss: "axova-platform",
+				};
+				request.isServiceAuthenticated = true;
+
+				console.log(`Service authenticated via HMAC: ${service}`);
+			} catch (error) {
+				return reply.code(401).send({
+					error: "HMAC authentication failed",
+					code: "HMAC_AUTH_FAILED",
+					message: error instanceof Error ? error.message : "Unknown error",
+				});
+			}
+		};
+	}
+}
+
+// Singleton factory
+let serviceAuthInstance: ServiceAuthenticator | null = null;
+
+export function createServiceAuthenticator(
+	config: ServiceAuthConfig,
+): ServiceAuthenticator {
+	if (!serviceAuthInstance) {
+		serviceAuthInstance = new ServiceAuthenticator(config);
+	}
+	return serviceAuthInstance;
+}
+
+export function getServiceAuthenticator(): ServiceAuthenticator {
+	if (!serviceAuthInstance) {
+		throw new Error(
+			"Service authenticator not created. Call createServiceAuthenticator() first.",
+		);
+	}
+	return serviceAuthInstance;
+}
+
+// Utility to get auth config from environment
+export function getServiceAuthConfigFromEnv(): ServiceAuthConfig {
+	const internalSecret = process.env.INTERNAL_SECRET;
+
+	if (!internalSecret) {
+		throw new Error("INTERNAL_SECRET environment variable is required");
+	}
+
+	return {
+		internalSecret,
+		tokenExpiry: process.env.SERVICE_TOKEN_EXPIRY || "1h",
+	};
+}
+
+// Common service permissions
+export const SERVICE_PERMISSIONS = {
+	// Store service permissions
+	STORE_READ: "store:read",
+	STORE_WRITE: "store:write",
+	STORE_DELETE: "store:delete",
+
+	// Compliance service permissions
+	COMPLIANCE_READ: "compliance:read",
+	COMPLIANCE_WRITE: "compliance:write",
+	COMPLIANCE_BAN: "compliance:ban",
+	COMPLIANCE_APPEAL: "compliance:appeal",
+
+	// Notification service permissions
+	NOTIFICATION_SEND: "notification:send",
+	NOTIFICATION_READ: "notification:read",
+
+	// Audit service permissions
+	AUDIT_READ: "audit:read",
+	AUDIT_WRITE: "audit:write",
+
+	// Admin service permissions
+	ADMIN_OVERRIDE: "admin:override",
+	ADMIN_REVIEW: "admin:review",
+
+	// AI moderation permissions
+	AI_MODERATE: "ai:moderate",
+} as const;