@de-otio/chaoskb-server 0.2.0

package/dist/lib/handler/middleware/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../../lib/handler/middleware/rate-limit.ts"],"names":[],"mappings":";;AAiBA,wCA0CC;AAWD,4CAwCC;AAED,4CAQC;AAxHD,wDAA8E;AAQ9E,MAAM,MAAM,GAA2B;IACrC,GAAG,EAAE,GAAG;IACR,GAAG,EAAE,IAAI;IACT,MAAM,EAAE,GAAG;IACX,IAAI,EAAE,GAAG;CACV,CAAC;AAEF,MAAM,cAAc,GAAG,EAAE,CAAC;AAEnB,KAAK,UAAU,cAAc,CAClC,QAAgB,EAChB,SAAiB,EACjB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,cAAc,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,SAAS,GAAG,cAAc,GAAG,cAAc,GAAG,GAAG,CAAC,CAAC,wBAAwB;IAEvF,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,QAAQ,QAAQ,EAAE;YACtB,EAAE,EAAE,GAAG,SAAS,IAAI,SAAS,EAAE;SAChC;QACD,gBAAgB,EAAE,+DAA+D;QACjF,wBAAwB,EAAE;YACxB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,KAAK;SACd;QACD,yBAAyB,EAAE;YACzB,OAAO,EAAE,CAAC;YACV,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,GAAG;SACZ;QACD,YAAY,EAAE,aAAa;KAC5B,CAAC,CACH,CAAC;IAEF,MAAM,YAAY,GAAI,MAAM,CAAC,UAAU,EAAE,CAAC,OAAO,CAAY,IAAI,CAAC,CAAC;IACnE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,YAAY,CAAC,CAAC;IAEpD,IAAI,YAAY,GAAG,KAAK,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC,GAAG,cAAc,CAAC;QACnD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,CAAC;QAChD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC;IACtD,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AACtC,CAAC;AAED,+EAA+E;AAC/E,MAAM,iBAAiB,GAA2B;IAChD,YAAY,EAAE,CAAC;CAChB,CAAC;AAEF;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,SAAiB,EACjB,GAA2B,EAC3B,SAAiB,EACjB,KAAK,GAAG,CAAC;IAET,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,SAAS,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;IAEtB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,WAAW,QAAQ,EAAE;YACzB,EAAE,EAAE,GAAG,SAAS,IAAI,SAAS,EAAE;SAChC;QACD,gBAAgB,EAAE,+DAA+D;QACjF,wBAAwB,EAAE;YACxB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,KAAK;SACd;QACD,yBAAyB,EAAE;YACzB,OAAO,EAAE,CAAC;YACV,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,GAAG;SACZ;QACD,YAAY,EAAE,aAAa;KAC5B,CAAC,CACH,CAAC;IAEF,MAAM,YAAY,GAAI,MAAM,CAAC,UAAU,EAAE,CAAC,OAAO,CAAY,IAAI,CAAC,CAAC;IACnE,IAAI,YAAY,GAAG,KAAK,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC,GAAG,SAAS,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,CAAC;QAChD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC;AACzE,CAAC;AAED,SAAgB,gBAAgB,CAAC,MAAuB;IACtD,MAAM,OAAO,GAA2B;QACtC,uBAAuB,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC;KAClD,CAAC;IACF,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACvD,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/lib/handler/middleware/rate-limit.ts

@@ -0,0 +1,121 @@
+import { DynamoDBDocumentClient, UpdateCommand } from '@aws-sdk/lib-dynamodb';
+
+export interface RateLimitResult {
+  allowed: boolean;
+  remaining: number;
+  retryAfter?: number;
+}
+
+const LIMITS: Record<string, number> = {
+  PUT: 100,
+  GET: 1000,
+  DELETE: 100,
+  LIST: 100,
+};
+
+const WINDOW_SECONDS = 60;
+
+export async function checkRateLimit(
+  tenantId: string,
+  operation: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<RateLimitResult> {
+  const limit = LIMITS[operation] ?? 300;
+  const now = Math.floor(Date.now() / 1000);
+  const windowKey = Math.floor(now / WINDOW_SECONDS);
+  const ttl = windowKey * WINDOW_SECONDS + WINDOW_SECONDS + 120; // window + 2 min buffer
+
+  const result = await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: {
+        PK: `RATE#${tenantId}`,
+        SK: `${operation}#${windowKey}`,
+      },
+      UpdateExpression: 'SET #count = if_not_exists(#count, :zero) + :one, #ttl = :ttl',
+      ExpressionAttributeNames: {
+        '#count': 'count',
+        '#ttl': 'ttl',
+      },
+      ExpressionAttributeValues: {
+        ':zero': 0,
+        ':one': 1,
+        ':ttl': ttl,
+      },
+      ReturnValues: 'UPDATED_NEW',
+    }),
+  );
+
+  const currentCount = (result.Attributes?.['count'] as number) ?? 1;
+  const remaining = Math.max(0, limit - currentCount);
+
+  if (currentCount > limit) {
+    const windowEnd = (windowKey + 1) * WINDOW_SECONDS;
+    const retryAfter = Math.max(1, windowEnd - now);
+    return { allowed: false, remaining: 0, retryAfter };
+  }
+
+  return { allowed: true, remaining };
+}
+
+// Per-IP window sizes: LINK_CONFIRM uses 5-second windows, others use 1-second
+const IP_WINDOW_SECONDS: Record<string, number> = {
+  LINK_CONFIRM: 5,
+};
+
+/**
+ * Rate limit by source IP for unauthenticated endpoints (registration, contact).
+ * Default: 1 request per second per IP. LINK_CONFIRM: 1 request per 5 seconds.
+ */
+export async function checkIpRateLimit(
+  sourceIp: string,
+  operation: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+  limit = 1,
+): Promise<RateLimitResult> {
+  const now = Math.floor(Date.now() / 1000);
+  const windowSec = IP_WINDOW_SECONDS[operation] ?? 1;
+  const windowKey = Math.floor(now / windowSec);
+  const ttl = now + 120;
+
+  const result = await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: {
+        PK: `RATE#IP#${sourceIp}`,
+        SK: `${operation}#${windowKey}`,
+      },
+      UpdateExpression: 'SET #count = if_not_exists(#count, :zero) + :one, #ttl = :ttl',
+      ExpressionAttributeNames: {
+        '#count': 'count',
+        '#ttl': 'ttl',
+      },
+      ExpressionAttributeValues: {
+        ':zero': 0,
+        ':one': 1,
+        ':ttl': ttl,
+      },
+      ReturnValues: 'UPDATED_NEW',
+    }),
+  );
+
+  const currentCount = (result.Attributes?.['count'] as number) ?? 1;
+  if (currentCount > limit) {
+    const windowEnd = (windowKey + 1) * windowSec;
+    const retryAfter = Math.max(1, windowEnd - now);
+    return { allowed: false, remaining: 0, retryAfter };
+  }
+  return { allowed: true, remaining: Math.max(0, limit - currentCount) };
+}
+
+export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {
+  const headers: Record<string, string> = {
+    'X-RateLimit-Remaining': String(result.remaining),
+  };
+  if (!result.allowed && result.retryAfter !== undefined) {
+    headers['Retry-After'] = String(result.retryAfter);
+  }
+  return headers;
+}

package/dist/lib/handler/middleware/ssh-auth.d.ts

@@ -0,0 +1,48 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+export interface AuthResult {
+    tenantId: string;
+    publicKey: string;
+    fingerprint: string;
+}
+export declare class AuthError extends Error {
+    readonly statusCode: number;
+    constructor(message: string, statusCode: number);
+}
+interface ParsedAuthHeader {
+    signature: string;
+    timestamp: string;
+    sequence: number;
+}
+/**
+ * Parse the new SSH-Signature authorization scheme.
+ *
+ * Headers:
+ *   Authorization: SSH-Signature <base64-signature>
+ *   X-ChaosKB-Timestamp: <ISO 8601>
+ *   X-ChaosKB-Sequence: <monotonic counter>
+ */
+export declare function parseAuthHeaders(headers: Record<string, string>): ParsedAuthHeader;
+/** Compute SSH key fingerprint (SHA-256 of raw public key, base64). */
+export declare function fingerprintFromPublicKey(publicKeyBase64: string): string;
+export declare function verifyTimestamp(timestamp: string): void;
+export declare function buildCanonicalString(method: string, path: string, timestamp: string, sequence: number, body?: string | null): string;
+/**
+ * Check and update the per-device sequence counter for replay protection.
+ *
+ * Uses a DynamoDB conditional write: only succeeds if the new sequence
+ * is strictly greater than the stored highest-seen sequence.
+ */
+export declare function checkSequence(ddb: DynamoDBDocumentClient, tableName: string, tenantId: string, fingerprint: string, sequence: number): Promise<void>;
+export declare function verifyEd25519Signature(publicKeyBase64: string, canonicalString: string, signatureBase64: string): boolean;
+export declare function authenticateRequest(event: {
+    requestContext: {
+        http: {
+            method: string;
+            path: string;
+        };
+    };
+    headers: Record<string, string>;
+    body?: string | null;
+}, ddb: DynamoDBDocumentClient, tableName: string): Promise<AuthResult>;
+export {};
+//# sourceMappingURL=ssh-auth.d.ts.map

package/dist/lib/handler/middleware/ssh-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-auth.d.ts","sourceRoot":"","sources":["../../../../lib/handler/middleware/ssh-auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAA+B,MAAM,uBAAuB,CAAC;AAG5F,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,SAAU,SAAQ,KAAK;aAGhB,UAAU,EAAE,MAAM;gBADlC,OAAO,EAAE,MAAM,EACC,UAAU,EAAE,MAAM;CAKrC;AAED,UAAU,gBAAgB;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAKD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,gBAAgB,CA4BlF;AA6BD,uEAAuE;AACvE,wBAAgB,wBAAwB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAExE;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAWvD;AAED,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,GACnB,MAAM,CAKR;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAqCf;AAED,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,GACtB,OAAO,CAqBT;AAOD,wBAAsB,mBAAmB,CACvC,KAAK,EAAE;IACL,cAAc,EAAE;QAAE,IAAI,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;IAC3D,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,EACD,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,UAAU,CAAC,CA2DrB"}

package/dist/lib/handler/middleware/ssh-auth.js

@@ -0,0 +1,256 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthError = void 0;
+exports.parseAuthHeaders = parseAuthHeaders;
+exports.fingerprintFromPublicKey = fingerprintFromPublicKey;
+exports.verifyTimestamp = verifyTimestamp;
+exports.buildCanonicalString = buildCanonicalString;
+exports.checkSequence = checkSequence;
+exports.verifyEd25519Signature = verifyEd25519Signature;
+exports.authenticateRequest = authenticateRequest;
+const crypto = __importStar(require("crypto"));
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+class AuthError extends Error {
+    statusCode;
+    constructor(message, statusCode) {
+        super(message);
+        this.statusCode = statusCode;
+        this.name = 'AuthError';
+    }
+}
+exports.AuthError = AuthError;
+/** Timestamp tolerance: 30 seconds (replay protection is primarily sequence-based). */
+const TIMESTAMP_TOLERANCE_MS = 30 * 1000;
+/**
+ * Parse the new SSH-Signature authorization scheme.
+ *
+ * Headers:
+ *   Authorization: SSH-Signature <base64-signature>
+ *   X-ChaosKB-Timestamp: <ISO 8601>
+ *   X-ChaosKB-Sequence: <monotonic counter>
+ */
+function parseAuthHeaders(headers) {
+    const authHeader = headers['authorization'] || headers['Authorization'];
+    if (!authHeader) {
+        throw new AuthError('Missing Authorization header', 401);
+    }
+    if (!authHeader.startsWith('SSH-Signature ')) {
+        // Support legacy format during migration
+        if (authHeader.startsWith('ChaosKB-SSH ')) {
+            return parseLegacyAuthHeader(authHeader, headers);
+        }
+        throw new AuthError('Invalid authorization scheme', 401);
+    }
+    const signature = authHeader.slice('SSH-Signature '.length);
+    const timestamp = headers['x-chaoskb-timestamp'] || headers['X-ChaosKB-Timestamp'];
+    const sequenceStr = headers['x-chaoskb-sequence'] || headers['X-ChaosKB-Sequence'];
+    if (!signature || !timestamp) {
+        throw new AuthError('Missing required headers (X-ChaosKB-Timestamp)', 401);
+    }
+    const sequence = sequenceStr ? parseInt(sequenceStr, 10) : 0;
+    if (isNaN(sequence)) {
+        throw new AuthError('Invalid sequence number', 401);
+    }
+    return { signature, timestamp, sequence };
+}
+/** Parse legacy ChaosKB-SSH format for backwards compatibility. */
+function parseLegacyAuthHeader(header, headers) {
+    const params = header.slice('ChaosKB-SSH '.length);
+    const fields = {};
+    for (const part of params.split(', ')) {
+        const eqIndex = part.indexOf('=');
+        if (eqIndex === -1)
+            continue;
+        fields[part.slice(0, eqIndex)] = part.slice(eqIndex + 1);
+    }
+    if (!fields['sig'] || !fields['ts']) {
+        throw new AuthError('Missing required authorization fields', 401);
+    }
+    const sequenceStr = headers['x-chaoskb-sequence'] || headers['X-ChaosKB-Sequence'];
+    return {
+        signature: fields['sig'],
+        timestamp: fields['ts'],
+        sequence: sequenceStr ? parseInt(sequenceStr, 10) : 0,
+    };
+}
+/** Compute SSH key fingerprint (SHA-256 of raw public key, base64). */
+function fingerprintFromPublicKey(publicKeyBase64) {
+    return crypto.createHash('sha256').update(Buffer.from(publicKeyBase64, 'base64')).digest('base64');
+}
+function verifyTimestamp(timestamp) {
+    const requestTime = new Date(timestamp).getTime();
+    if (isNaN(requestTime)) {
+        throw new AuthError('Invalid timestamp format', 401);
+    }
+    const now = Date.now();
+    const diff = Math.abs(now - requestTime);
+    if (diff > TIMESTAMP_TOLERANCE_MS) {
+        throw new AuthError('Request timestamp expired', 401);
+    }
+}
+function buildCanonicalString(method, path, timestamp, sequence, body) {
+    const bodyHash = body
+        ? crypto.createHash('sha256').update(body).digest('hex')
+        : '';
+    return `chaoskb-auth\n${method} ${path}\n${timestamp}\n${sequence}\n${bodyHash}`;
+}
+/**
+ * Check and update the per-device sequence counter for replay protection.
+ *
+ * Uses a DynamoDB conditional write: only succeeds if the new sequence
+ * is strictly greater than the stored highest-seen sequence.
+ */
+async function checkSequence(ddb, tableName, tenantId, fingerprint, sequence) {
+    if (sequence <= 0) {
+        throw new AuthError('Sequence number must be positive', 401);
+    }
+    try {
+        await ddb.send(new lib_dynamodb_1.UpdateCommand({
+            TableName: tableName,
+            Key: {
+                PK: `TENANT#${tenantId}`,
+                SK: `SEQUENCE#${fingerprint}`,
+            },
+            UpdateExpression: 'SET highestSeq = :new',
+            ConditionExpression: 'attribute_not_exists(highestSeq) OR highestSeq < :new',
+            ExpressionAttributeValues: {
+                ':new': sequence,
+            },
+        }));
+    }
+    catch (error) {
+        if (error &&
+            typeof error === 'object' &&
+            'name' in error &&
+            error.name === 'ConditionalCheckFailedException') {
+            logger_js_1.logger.warn('Replay detected: sequence number already seen', {
+                tenantId,
+                fingerprint,
+                sequence,
+            });
+            throw new AuthError('Replay detected: sequence number already used', 401);
+        }
+        throw error;
+    }
+}
+function verifyEd25519Signature(publicKeyBase64, canonicalString, signatureBase64) {
+    try {
+        const publicKeyBuffer = Buffer.from(publicKeyBase64, 'base64');
+        const signatureBuffer = Buffer.from(signatureBase64, 'base64');
+        const data = Buffer.from(canonicalString);
+        // Create Ed25519 public key object from raw bytes
+        const keyObject = crypto.createPublicKey({
+            key: Buffer.concat([
+                // Ed25519 DER prefix for a 32-byte public key
+                Buffer.from('302a300506032b6570032100', 'hex'),
+                publicKeyBuffer,
+            ]),
+            format: 'der',
+            type: 'spki',
+        });
+        return crypto.verify(null, data, keyObject, signatureBuffer);
+    }
+    catch {
+        return false;
+    }
+}
+function tenantIdFromPublicKey(publicKeyBase64) {
+    const hash = crypto.createHash('sha256').update(publicKeyBase64).digest('hex');
+    return hash.slice(0, 32);
+}
+async function authenticateRequest(event, ddb, tableName) {
+    const parsed = parseAuthHeaders(event.headers);
+    verifyTimestamp(parsed.timestamp);
+    // Look up the public key by querying tenant META records
+    // The public key is identified from the request — we need to find which tenant it belongs to
+    // For now, extract from legacy header or from a separate header
+    const publicKey = extractPublicKey(event.headers);
+    const tenantId = tenantIdFromPublicKey(publicKey);
+    const fingerprint = fingerprintFromPublicKey(publicKey);
+    // Look up the registered public key in DynamoDB
+    const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND SK = :sk',
+        ExpressionAttributeValues: {
+            ':pk': `TENANT#${tenantId}`,
+            ':sk': 'META',
+        },
+        Limit: 1,
+    }));
+    if (!result.Items || result.Items.length === 0) {
+        throw new AuthError('Unknown public key', 401);
+    }
+    const tenant = result.Items[0];
+    if (tenant['publicKey'] !== publicKey) {
+        throw new AuthError('Public key mismatch', 401);
+    }
+    // Verify the SSH signature against the canonical string (includes sequence)
+    const canonicalString = buildCanonicalString(event.requestContext.http.method, event.requestContext.http.path, parsed.timestamp, parsed.sequence, event.body);
+    const valid = verifyEd25519Signature(publicKey, canonicalString, parsed.signature);
+    if (!valid) {
+        logger_js_1.logger.warn('Signature verification failed', { tenantId });
+        throw new AuthError('Invalid signature', 401);
+    }
+    // Check sequence number for replay protection (after signature verification)
+    if (parsed.sequence > 0) {
+        await checkSequence(ddb, tableName, tenantId, fingerprint, parsed.sequence);
+    }
+    return { tenantId, publicKey, fingerprint };
+}
+/**
+ * Extract the public key from request headers.
+ * New format uses X-ChaosKB-PublicKey header; legacy embeds it in the auth header.
+ */
+function extractPublicKey(headers) {
+    // New header format
+    const pubKeyHeader = headers['x-chaoskb-publickey'] || headers['X-ChaosKB-PublicKey'];
+    if (pubKeyHeader)
+        return pubKeyHeader;
+    // Legacy format: ChaosKB-SSH pubkey=..., ts=..., sig=...
+    const authHeader = headers['authorization'] || headers['Authorization'];
+    if (authHeader?.startsWith('ChaosKB-SSH ')) {
+        const params = authHeader.slice('ChaosKB-SSH '.length);
+        for (const part of params.split(', ')) {
+            const eqIndex = part.indexOf('=');
+            if (eqIndex !== -1 && part.slice(0, eqIndex) === 'pubkey') {
+                return part.slice(eqIndex + 1);
+            }
+        }
+    }
+    throw new AuthError('Missing public key in request headers', 401);
+}
+//# sourceMappingURL=ssh-auth.js.map

package/dist/lib/handler/middleware/ssh-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-auth.js","sourceRoot":"","sources":["../../../../lib/handler/middleware/ssh-auth.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCA,4CA4BC;AA8BD,4DAEC;AAED,0CAWC;AAED,oDAWC;AAQD,sCA2CC;AAED,wDAyBC;AAOD,kDAmEC;AAnRD,+CAAiC;AACjC,wDAA4F;AAC5F,4CAAsC;AAQtC,MAAa,SAAU,SAAQ,KAAK;IAGhB;IAFlB,YACE,OAAe,EACC,UAAkB;QAElC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,eAAU,GAAV,UAAU,CAAQ;QAGlC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AARD,8BAQC;AAQD,uFAAuF;AACvF,MAAM,sBAAsB,GAAG,EAAE,GAAG,IAAI,CAAC;AAEzC;;;;;;;GAOG;AACH,SAAgB,gBAAgB,CAAC,OAA+B;IAC9D,MAAM,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACxE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,SAAS,CAAC,8BAA8B,EAAE,GAAG,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC7C,yCAAyC;QACzC,IAAI,UAAU,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC1C,OAAO,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,8BAA8B,EAAE,GAAG,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,OAAO,CAAC,qBAAqB,CAAC,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACnF,MAAM,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAEnF,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,gDAAgD,EAAE,GAAG,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7D,IAAI,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,SAAS,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC5C,CAAC;AAED,mEAAmE;AACnE,SAAS,qBAAqB,CAC5B,MAAc,EACd,OAA+B;IAE/B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAC7B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,SAAS,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAEnF,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC;QACvB,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,SAAgB,wBAAwB,CAAC,eAAuB;IAC9D,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AACrG,CAAC;AAED,SAAgB,eAAe,CAAC,SAAiB;IAC/C,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;IAClD,IAAI,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,SAAS,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,WAAW,CAAC,CAAC;IACzC,IAAI,IAAI,GAAG,sBAAsB,EAAE,CAAC;QAClC,MAAM,IAAI,SAAS,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;IACxD,CAAC;AACH,CAAC;AAED,SAAgB,oBAAoB,CAClC,MAAc,EACd,IAAY,EACZ,SAAiB,EACjB,QAAgB,EAChB,IAAoB;IAEpB,MAAM,QAAQ,GAAG,IAAI;QACnB,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC;IACP,OAAO,iBAAiB,MAAM,IAAI,IAAI,KAAK,SAAS,KAAK,QAAQ,KAAK,QAAQ,EAAE,CAAC;AACnF,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,aAAa,CACjC,GAA2B,EAC3B,SAAiB,EACjB,QAAgB,EAChB,WAAmB,EACnB,QAAgB;IAEhB,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,IAAI,SAAS,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;YAChB,SAAS,EAAE,SAAS;YACpB,GAAG,EAAE;gBACH,EAAE,EAAE,UAAU,QAAQ,EAAE;gBACxB,EAAE,EAAE,YAAY,WAAW,EAAE;aAC9B;YACD,gBAAgB,EAAE,uBAAuB;YACzC,mBAAmB,EACjB,uDAAuD;YACzD,yBAAyB,EAAE;gBACzB,MAAM,EAAE,QAAQ;aACjB;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,IACE,KAAK;YACL,OAAO,KAAK,KAAK,QAAQ;YACzB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,iCAAiC,EAChD,CAAC;YACD,kBAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;gBAC3D,QAAQ;gBACR,WAAW;gBACX,QAAQ;aACT,CAAC,CAAC;YACH,MAAM,IAAI,SAAS,CAAC,+CAA+C,EAAE,GAAG,CAAC,CAAC;QAC5E,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAgB,sBAAsB,CACpC,eAAuB,EACvB,eAAuB,EACvB,eAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC/D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAE1C,kDAAkD;QAClD,MAAM,SAAS,GAAG,MAAM,CAAC,eAAe,CAAC;YACvC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC;gBACjB,8CAA8C;gBAC9C,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC;gBAC9C,eAAe;aAChB,CAAC;YACF,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,MAAM;SACb,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,eAAuB;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/E,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AAEM,KAAK,UAAU,mBAAmB,CACvC,KAIC,EACD,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/C,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAElC,yDAAyD;IACzD,6FAA6F;IAC7F,gEAAgE;IAChE,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;IAExD,gDAAgD;IAChD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,uBAAuB;QAC/C,yBAAyB,EAAE;YACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;YAC3B,KAAK,EAAE,MAAM;SACd;QACD,KAAK,EAAE,CAAC;KACT,CAAC,CACH,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,WAAW,CAAC,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC;IAClD,CAAC;IAED,4EAA4E;IAC5E,MAAM,eAAe,GAAG,oBAAoB,CAC1C,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,EAChC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,EAC9B,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,QAAQ,EACf,KAAK,CAAC,IAAI,CACX,CAAC;IAEF,MAAM,KAAK,GAAG,sBAAsB,CAClC,SAAS,EACT,eAAe,EACf,MAAM,CAAC,SAAS,CACjB,CAAC;IAEF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,kBAAM,CAAC,IAAI,CAAC,+BAA+B,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC3D,MAAM,IAAI,SAAS,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC;IAED,6EAA6E;IAC7E,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,aAAa,CAAC,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC9E,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,OAA+B;IACvD,oBAAoB;IACpB,MAAM,YAAY,GAAG,OAAO,CAAC,qBAAqB,CAAC,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACtF,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,yDAAyD;IACzD,MAAM,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACxE,IAAI,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QACvD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,OAAO,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,SAAS,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAAC;AACpE,CAAC"}