npm - @blackbelt-technology/pi-agent-dashboard - Versions diffs - 0.5.1 → 0.5.2 - Mend

@blackbelt-technology/pi-agent-dashboard 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (129) hide show

package/packages/server/src/__tests__/model-proxy-api-key-routes.test.ts ADDED Viewed

@@ -0,0 +1,277 @@
+/**
+ * Tests for model proxy API key management routes (task 4.3).
+ *
+ * Covers:
+ * - list: redaction, createdBy filter, admin sees all
+ * - create: cleartext once, hashed storage, default scopes, custom scopes, past expiresAt → 400
+ * - revoke: sets revokedAt, 404 on unknown, 403 non-owner non-admin, 204 admin on others
+ * - purge (DELETE): removes entry, list excludes purged
+ */
+import { describe, it, expect, beforeEach } from "vitest";
+import Fastify from "fastify";
+import { registerModelProxyApiKeyRoutes } from "../routes/model-proxy-api-key-routes.js";
+import { generateKey, hashKey, verifyKey } from "../model-proxy/api-key-store.js";
+import type { ProxyApiKey, ModelProxyConfig } from "@blackbelt-technology/pi-dashboard-shared/config.js";
+// ── Test fixture ────────────────────────────────────────────────────────────
+function makeEntry(id: string, label: string, createdBy: string, overrides: Partial<ProxyApiKey> = {}): ProxyApiKey {
+  return {
+    id,
+    label,
+    createdAt: Date.now(),
+    hash: hashKey(generateKey()),
+    scopes: ["all"],
+    createdBy,
+    ...overrides,
+  };
+}
+async function buildApp(
+  apiKeys: ProxyApiKey[] = [],
+  userEmail = "alice@test.com",
+  adminEmail?: string,
+) {
+  const app = Fastify({ logger: false });
+  let config: ModelProxyConfig = {
+    enabled: true,
+    maxConcurrentStreams: 16,
+    perKeyConcurrentStreams: 4,
+    logRequests: false,
+    apiKeys: [...apiKeys],
+  };
+  const writes: ProxyApiKey[][] = [];
+  app.addHook("onRequest", async (req) => { (req as any).user = { email: userEmail }; });
+  const networkGuard = async () => {};
+  registerModelProxyApiKeyRoutes(app, {
+    networkGuard,
+    getModelProxyConfig: () => config,
+    writeModelProxyApiKeys: async (keys) => { config = { ...config, apiKeys: keys }; writes.push(keys); },
+    getAdminEmail: () => adminEmail,
+  });
+  await app.ready();
+  return { app, writes, getConfig: () => config };
+}
+// ── Tests ───────────────────────────────────────────────────────────────────
+describe("list: GET /api/model-proxy/api-keys (task 4.3)", () => {
+  it("hashes are redacted (shown as ***)", async () => {
+    const key = makeEntry("k1", "Test", "alice@test.com");
+    const { app } = await buildApp([key]);
+    const res = await app.inject({ method: "GET", url: "/api/model-proxy/api-keys" });
+    const body = JSON.parse(res.body);
+    expect(body.data.keys[0].hash).toBe("***");
+  });
+  it("filters list to createdBy === caller", async () => {
+    const aliceKey = makeEntry("k1", "Alice", "alice@test.com");
+    const bobKey = makeEntry("k2", "Bob", "bob@test.com");
+    const { app } = await buildApp([aliceKey, bobKey], "alice@test.com");
+    const res = await app.inject({ method: "GET", url: "/api/model-proxy/api-keys" });
+    const body = JSON.parse(res.body);
+    const ids = body.data.keys.map((k: any) => k.id);
+    expect(ids).toContain("k1");
+    expect(ids).not.toContain("k2");
+  });
+  it("admin sees all keys", async () => {
+    const aliceKey = makeEntry("k1", "Alice", "alice@test.com");
+    const bobKey = makeEntry("k2", "Bob", "bob@test.com");
+    const { app } = await buildApp([aliceKey, bobKey], "admin@test.com", "admin@test.com");
+    const res = await app.inject({ method: "GET", url: "/api/model-proxy/api-keys" });
+    const body = JSON.parse(res.body);
+    const ids = body.data.keys.map((k: any) => k.id);
+    expect(ids).toContain("k1");
+    expect(ids).toContain("k2");
+  });
+  it("revoked keys appear in revoked[] not keys[]", async () => {
+    const active = makeEntry("k1", "Active", "alice@test.com");
+    const revoked = makeEntry("k2", "Revoked", "alice@test.com", { revokedAt: Date.now() - 1000 });
+    const { app } = await buildApp([active, revoked]);
+    const res = await app.inject({ method: "GET", url: "/api/model-proxy/api-keys" });
+    const body = JSON.parse(res.body);
+    expect(body.data.keys.map((k: any) => k.id)).toContain("k1");
+    expect(body.data.revoked.map((k: any) => k.id)).toContain("k2");
+    expect(body.data.keys.map((k: any) => k.id)).not.toContain("k2");
+  });
+});
+describe("create: POST /api/model-proxy/api-keys (task 4.3)", () => {
+  it("returns cleartext key once", async () => {
+    const { app } = await buildApp();
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ label: "My Key" }),
+    });
+    expect(res.statusCode).toBe(201);
+    const body = JSON.parse(res.body);
+    expect(body.data.key).toMatch(/^pi-proxy-/);
+  });
+  it("persists hashed (not cleartext)", async () => {
+    const { app, getConfig } = await buildApp();
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ label: "My Key" }),
+    });
+    const created = JSON.parse(res.body).data;
+    const stored = getConfig().apiKeys.find((k) => k.id === created.id);
+    expect(stored).toBeDefined();
+    expect(stored!.hash).not.toBe(created.key);
+    // Verify the stored hash matches the cleartext key
+    expect(verifyKey(created.key, stored!.hash)).toBe(true);
+  });
+  it("stamps createdBy from user email", async () => {
+    const { app, getConfig } = await buildApp([], "creator@test.com");
+    await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ label: "Key" }),
+    });
+    const stored = getConfig().apiKeys[0];
+    expect(stored.createdBy).toBe("creator@test.com");
+  });
+  it("default scopes is [\"all\"]", async () => {
+    const { app, getConfig } = await buildApp();
+    await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ label: "Key" }),
+    });
+    expect(getConfig().apiKeys[0].scopes).toEqual(["all"]);
+  });
+  it("custom scopes are persisted", async () => {
+    const { app, getConfig } = await buildApp();
+    await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ label: "Key", scopes: ["models:list", "chat"] }),
+    });
+    expect(getConfig().apiKeys[0].scopes).toEqual(["models:list", "chat"]);
+  });
+  it("past expiresAt → 400", async () => {
+    const { app } = await buildApp();
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ label: "Key", expiresAt: Date.now() - 1000 }),
+    });
+    expect(res.statusCode).toBe(400);
+  });
+  it("missing label → 400", async () => {
+    const { app } = await buildApp();
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/model-proxy/api-keys",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.statusCode).toBe(400);
+  });
+});
+describe("revoke: POST /api/model-proxy/api-keys/:id/revoke (task 4.3)", () => {
+  it("sets revokedAt", async () => {
+    const key = makeEntry("k1", "Key", "alice@test.com");
+    const { app, getConfig } = await buildApp([key]);
+    const res = await app.inject({ method: "POST", url: "/api/model-proxy/api-keys/k1/revoke" });
+    expect(res.statusCode).toBe(204);
+    expect(getConfig().apiKeys[0].revokedAt).toBeDefined();
+  });
+  it("unknown id → 404", async () => {
+    const { app } = await buildApp();
+    const res = await app.inject({ method: "POST", url: "/api/model-proxy/api-keys/unknown/revoke" });
+    expect(res.statusCode).toBe(404);
+  });
+  it("revoke other user's key as non-admin → 403", async () => {
+    const bobKey = makeEntry("k1", "Bob Key", "bob@test.com");
+    const { app } = await buildApp([bobKey], "alice@test.com");
+    const res = await app.inject({ method: "POST", url: "/api/model-proxy/api-keys/k1/revoke" });
+    expect(res.statusCode).toBe(403);
+  });
+  it("admin can revoke other user's key → 204", async () => {
+    const bobKey = makeEntry("k1", "Bob Key", "bob@test.com");
+    const { app } = await buildApp([bobKey], "admin@test.com", "admin@test.com");
+    const res = await app.inject({ method: "POST", url: "/api/model-proxy/api-keys/k1/revoke" });
+    expect(res.statusCode).toBe(204);
+  });
+});
+describe("purge: DELETE /api/model-proxy/api-keys/:id (task 4.3)", () => {
+  it("purge after revoke removes entry", async () => {
+    const key = makeEntry("k1", "Key", "alice@test.com", { revokedAt: Date.now() });
+    const { app, getConfig } = await buildApp([key]);
+    const res = await app.inject({ method: "DELETE", url: "/api/model-proxy/api-keys/k1" });
+    expect(res.statusCode).toBe(204);
+    expect(getConfig().apiKeys.find((k) => k.id === "k1")).toBeUndefined();
+  });
+  it("list excludes purged keys", async () => {
+    const key = makeEntry("k1", "Key", "alice@test.com");
+    const { app, getConfig } = await buildApp([key]);
+    await app.inject({ method: "DELETE", url: "/api/model-proxy/api-keys/k1" });
+    const listRes = await app.inject({ method: "GET", url: "/api/model-proxy/api-keys" });
+    const body = JSON.parse(listRes.body);
+    const allIds = [
+      ...body.data.keys.map((k: any) => k.id),
+      ...body.data.revoked.map((k: any) => k.id),
+    ];
+    expect(allIds).not.toContain("k1");
+  });
+  it("purge non-owner's key as non-admin → 403", async () => {
+    const bobKey = makeEntry("k1", "Bob", "bob@test.com");
+    const { app } = await buildApp([bobKey], "alice@test.com");
+    const res = await app.inject({ method: "DELETE", url: "/api/model-proxy/api-keys/k1" });
+    expect(res.statusCode).toBe(403);
+  });
+});

package/packages/server/src/__tests__/model-proxy-auth-gate.test.ts ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * Integration tests for the model proxy auth gate (task 3.9).
+ *
+ * Tests every auth scenario from spec.md:
+ * - valid key → 200 (models endpoint)
+ * - JWT rejected uniformly
+ * - no header → 401 AUTH_REQUIRED
+ * - scope insufficient → 403
+ * - expired → 401 AUTH_EXPIRED
+ * - revoked → 401 AUTH_REVOKED
+ * - missing → 401 AUTH_REQUIRED
+ * - malformed → 401 AUTH_MALFORMED
+ * - backoff increments and caps
+ * - backoff resets on success
+ * - per-IP isolation
+ *
+ * Uses Fastify directly without the full test server to keep tests fast.
+ */
+import { describe, it, expect, beforeEach } from "vitest";
+import Fastify from "fastify";
+import { createModelProxyAuthGate } from "../model-proxy/auth-gate.js";
+import { generateKey, hashKey } from "../model-proxy/api-key-store.js";
+import type { ModelProxyConfig } from "@blackbelt-technology/pi-dashboard-shared/config.js";
+// ── Helpers ────────────────────────────────────────────────────────────────
+function makeConfig(apiKeys: any[] = []): ModelProxyConfig {
+  return {
+    enabled: true,
+    maxConcurrentStreams: 16,
+    perKeyConcurrentStreams: 4,
+    logRequests: false,
+    apiKeys,
+  };
+}
+function makeKey(overrides: Partial<any> = {}) {
+  const cleartext = generateKey();
+  const entry = {
+    id: "key-1",
+    label: "test",
+    createdAt: Date.now(),
+    hash: hashKey(cleartext),
+    scopes: ["all"],
+    revokedAt: undefined,
+    expiresAt: undefined,
+    ...overrides,
+  };
+  return { cleartext, entry };
+}
+async function buildApp(config: ModelProxyConfig) {
+  const app = Fastify({ logger: false });
+  const gate = createModelProxyAuthGate({ getConfig: () => config });
+  app.addHook("onRequest", gate);
+  app.get("/v1/models", async () => ({ object: "list", data: [] }));
+  app.post("/v1/chat/completions", async () => ({ ok: true }));
+  app.post("/v1/messages", async () => ({ ok: true }));
+  app.get("/api/health", async () => ({ ok: true })); // non-proxied route
+  await app.ready();
+  return app;
+}
+// ── Tests ──────────────────────────────────────────────────────────────────
+describe("model proxy auth gate (task 3.9)", () => {
+  it("valid key → 200 on /v1/models", async () => {
+    const { cleartext, entry } = makeKey();
+    const config = makeConfig([entry]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: `Bearer ${cleartext}` },
+    });
+    expect(res.statusCode).toBe(200);
+  });
+  it("valid key on /v1/chat/completions", async () => {
+    const { cleartext, entry } = makeKey();
+    const config = makeConfig([entry]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "POST",
+      url: "/v1/chat/completions",
+      headers: { authorization: `Bearer ${cleartext}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.statusCode).not.toBe(401);
+    expect(res.statusCode).not.toBe(403);
+  });
+  it("JWT-style token rejected with PROXY_KEY_REQUIRED", async () => {
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.test.fake" },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(JSON.parse(res.body).code).toBe("PROXY_KEY_REQUIRED");
+  });
+  it("no authorization header → 401 AUTH_REQUIRED", async () => {
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    const res = await app.inject({ method: "GET", url: "/v1/models" });
+    expect(res.statusCode).toBe(401);
+    expect(JSON.parse(res.body).code).toBe("AUTH_REQUIRED");
+  });
+  it("malformed Bearer (no token) → 401 AUTH_MALFORMED", async () => {
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: "Bearer " },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(JSON.parse(res.body).code).toBe("AUTH_MALFORMED");
+  });
+  it("missing (unknown) proxy key → 401 AUTH_REQUIRED", async () => {
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: `Bearer pi-proxy-unknownkeyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(JSON.parse(res.body).code).toBe("AUTH_REQUIRED");
+  });
+  it("revoked key → 401 AUTH_REVOKED", async () => {
+    const { cleartext, entry } = makeKey({ revokedAt: Date.now() - 1000 });
+    const config = makeConfig([entry]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: `Bearer ${cleartext}` },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(JSON.parse(res.body).code).toBe("AUTH_REVOKED");
+  });
+  it("expired key → 401 AUTH_EXPIRED", async () => {
+    const { cleartext, entry } = makeKey({ expiresAt: Date.now() - 1000 });
+    const config = makeConfig([entry]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: `Bearer ${cleartext}` },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(JSON.parse(res.body).code).toBe("AUTH_EXPIRED");
+  });
+  it("scope insufficient → 403 SCOPE_INSUFFICIENT", async () => {
+    const { cleartext, entry } = makeKey({ scopes: ["models:list"] });
+    const config = makeConfig([entry]);
+    const app = await buildApp(config);
+    // /v1/chat/completions requires "chat" scope
+    const res = await app.inject({
+      method: "POST",
+      url: "/v1/chat/completions",
+      headers: { authorization: `Bearer ${cleartext}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.statusCode).toBe(403);
+    expect(JSON.parse(res.body).code).toBe("SCOPE_INSUFFICIENT");
+  });
+  it("non-/v1/ routes NOT gated by auth gate", async () => {
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    // /api/health should pass through without auth
+    const res = await app.inject({ method: "GET", url: "/api/health" });
+    expect(res.statusCode).toBe(200);
+  });
+  it("task 3.7: /v1/* does NOT inherit isLoopback bypass (loopback without key → 401)", async () => {
+    // In the auth gate, /v1/* always requires a proxy key — no loopback carve-out.
+    // We simulate this by simply not providing an Authorization header.
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    // Even from "loopback" (Fastify inject defaults to 127.0.0.1)
+    const res = await app.inject({ method: "GET", url: "/v1/models" });
+    expect(res.statusCode).toBe(401);
+  });
+  it("task 3.7: /v1/* does NOT inherit bypassHosts bypass (no header → 401)", async () => {
+    // bypassHosts typically allows any LAN IP — /v1/* must not inherit this.
+    // The gate checks path prefix first; no Authorization → 401 regardless.
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      remoteAddress: "192.168.1.50", // simulated LAN IP
+    });
+    expect(res.statusCode).toBe(401);
+  });
+  it("task 3.7: /v1/* does NOT inherit bypassUrls (no header → 401 even if URL were in bypass list)", async () => {
+    const config = makeConfig([]);
+    const app = await buildApp(config);
+    const res = await app.inject({ method: "GET", url: "/v1/models" });
+    expect(res.statusCode).toBe(401);
+  });
+});
+describe("model proxy auth gate — backoff (task 3.9)", () => {
+  it("repeated failures from same IP accumulate (backoff state per instance)", async () => {
+    // We can only verify that the gate records failures by observing that
+    // a valid key immediately after failures still resets and returns 200.
+    const { cleartext, entry } = makeKey();
+    const config = makeConfig([entry]);
+    const app = await buildApp(config);
+    // 3 failed attempts
+    for (let i = 0; i < 3; i++) {
+      await app.inject({ method: "GET", url: "/v1/models" });
+    }
+    // Success resets — valid key still works (though may be delayed by backoff)
+    const res = await app.inject({
+      method: "GET",
+      url: "/v1/models",
+      headers: { authorization: `Bearer ${cleartext}` },
+    });
+    expect(res.statusCode).toBe(200);
+  });
+});