@elliotding/ai-agent-mcp 0.1.0

package/src/auth/token-validator.ts

@@ -0,0 +1,294 @@
+/**
+ * Token Validation via CSP API
+ * Validates tokens by calling CSP /user/permissions endpoint
+ */
+
+import { apiClient } from '../api/client';
+import { logger, logError, logAuthAttempt } from '../utils/logger';
+
+/**
+ * Token validation payload structure
+ */
+export interface TokenPayload {
+  userId: string;
+  email: string;
+  groups: string[];  // Changed from 'roles' to 'groups' to match API response
+  // Additional fields for compatibility
+  roles?: string[];  // Alias for groups
+  [key: string]: unknown;
+}
+
+/**
+ * CSP API response for /user/permissions
+ */
+interface PermissionsResponse {
+  code: number;
+  data?: {
+    user_id: string;
+    email: string;
+    groups: string[];
+  };
+  message?: string;
+}
+
+/**
+ * Token validation cache (in-memory, 5 minute TTL)
+ */
+const tokenCache = new Map<string, { payload: TokenPayload; expireAt: number }>();
+
+/**
+ * Cache cleanup interval reference (for cleanup on shutdown)
+ */
+let cacheCleanupInterval: NodeJS.Timeout | null = null;
+
+/**
+ * Clean expired cache entries
+ */
+function cleanExpiredCache(): void {
+  const now = Date.now();
+  let cleaned = 0;
+  
+  for (const [token, entry] of tokenCache.entries()) {
+    if (entry.expireAt < now) {
+      tokenCache.delete(token);
+      cleaned++;
+    }
+  }
+  
+  if (cleaned > 0) {
+    logger.debug(
+      { type: 'cache_cleanup', cleaned, remaining: tokenCache.size },
+      `Cleaned ${cleaned} expired token(s) from cache`
+    );
+  }
+}
+
+/**
+ * Start cache cleanup interval
+ */
+export function startCacheCleanup(): void {
+  if (cacheCleanupInterval) {
+    logger.warn('Cache cleanup interval already running');
+    return;
+  }
+  
+  // Clean cache every minute
+  cacheCleanupInterval = setInterval(cleanExpiredCache, 60000);
+  logger.info('Token cache cleanup interval started (60s)');
+}
+
+/**
+ * Stop cache cleanup interval
+ */
+export function stopCacheCleanup(): void {
+  if (cacheCleanupInterval) {
+    clearInterval(cacheCleanupInterval);
+    cacheCleanupInterval = null;
+    logger.info('Token cache cleanup interval stopped');
+  }
+}
+
+// Start cleanup on module load
+startCacheCleanup();
+
+/**
+ * Verify token by calling CSP API /user/permissions
+ * @param token - The JWT token to verify
+ * @returns Token payload if valid, null otherwise
+ */
+export async function verifyTokenViaAPI(token: string): Promise<TokenPayload | null> {
+  const tokenPreview = token.substring(0, 10) + '...' + token.substring(token.length - 10);
+  const startTime = Date.now();
+  
+  try {
+    logger.debug(
+      { 
+        type: 'auth', 
+        operation: 'verify_token_api',
+        tokenPreview,
+        timestamp: new Date().toISOString()
+      },
+      'Calling CSP API /user/permissions to validate token'
+    );
+
+    // Call CSP API to validate token and get permissions
+    // Note: apiClient already adds Authorization header with CSP_API_TOKEN
+    // But for SSE connection, we might use a different token from the client
+    const response = await apiClient.get<PermissionsResponse>(
+      '/csp/api/user/permissions',
+      {
+        headers: {
+          'Authorization': `Bearer ${token}`,
+        },
+        timeout: 5000, // 5 second timeout for auth check
+      }
+    );
+
+    const duration = Date.now() - startTime;
+
+    // Check response code (2000 means success)
+    if (response.code === 2000 && response.data) {
+      const payload: TokenPayload = {
+        userId: response.data.user_id,
+        email: response.data.email,
+        groups: response.data.groups || [],
+        roles: response.data.groups || [],  // Alias for backward compatibility
+      };
+
+      logger.info(
+        { 
+          type: 'auth', 
+          operation: 'verify_token_api',
+          userId: payload.userId,
+          email: payload.email,
+          groups: payload.groups,
+          duration,
+          timestamp: new Date().toISOString()
+        },
+        `Token validated successfully for user ${payload.userId}`
+      );
+
+      logAuthAttempt('token_validation', true, {
+        userId: payload.userId,
+        email: payload.email,
+        groups: payload.groups,
+        duration
+      });
+
+      return payload;
+    }
+
+    logger.warn(
+      { 
+        type: 'auth', 
+        operation: 'verify_token_api', 
+        code: response.code,
+        message: response.message,
+        tokenPreview,
+        duration,
+        timestamp: new Date().toISOString()
+      },
+      'Token validation failed - invalid or expired token'
+    );
+    
+    logAuthAttempt('token_validation', false, {
+      code: response.code,
+      message: response.message,
+      duration
+    });
+    
+    return null;
+  } catch (error) {
+    const duration = Date.now() - startTime;
+    
+    logError(error as Error, {
+      type: 'auth',
+      operation: 'verify_token_api',
+      tokenPreview,
+      duration,
+      timestamp: new Date().toISOString()
+    });
+    
+    logAuthAttempt('token_validation', false, {
+      error: error instanceof Error ? error.message : String(error),
+      duration
+    });
+    
+    return null;
+  }
+}
+
+/**
+ * Verify token with caching
+ * Uses cached result if available to reduce API calls
+ * @param token - The token to verify
+ * @returns Token payload if valid, null otherwise
+ */
+export async function verifyToken(token: string): Promise<TokenPayload | null> {
+  const tokenPreview = token.substring(0, 10) + '...' + token.substring(token.length - 10);
+  
+  // Check cache first
+  const cached = tokenCache.get(token);
+  if (cached && cached.expireAt > Date.now()) {
+    logger.debug(
+      { 
+        type: 'auth', 
+        operation: 'verify_token', 
+        userId: cached.payload.userId,
+        email: cached.payload.email,
+        cacheHit: true,
+        tokenPreview,
+        timestamp: new Date().toISOString()
+      },
+      'Token validation cache hit'
+    );
+    return cached.payload;
+  }
+
+  logger.debug(
+    {
+      type: 'auth',
+      operation: 'verify_token',
+      cacheHit: false,
+      tokenPreview,
+      timestamp: new Date().toISOString()
+    },
+    'Token validation cache miss, calling API'
+  );
+
+  // Validate via API
+  const payload = await verifyTokenViaAPI(token);
+
+  // Cache the result if valid (5 minute TTL)
+  if (payload) {
+    const expireAt = Date.now() + 5 * 60 * 1000; // 5 minutes
+    tokenCache.set(token, { payload, expireAt });
+    logger.debug(
+      { 
+        type: 'auth', 
+        operation: 'verify_token', 
+        userId: payload.userId,
+        email: payload.email,
+        cacheTTL: '5min',
+        timestamp: new Date().toISOString()
+      },
+      'Token validation result cached (5 min TTL)'
+    );
+  }
+
+  return payload;
+}
+
+/**
+ * Clear token from cache (e.g., after logout)
+ * @param token - The token to invalidate
+ */
+export function invalidateToken(token: string): void {
+  tokenCache.delete(token);
+  logger.debug(
+    { type: 'auth', operation: 'invalidate_token' },
+    'Token removed from cache'
+  );
+}
+
+/**
+ * Clear all cached tokens
+ */
+export function clearTokenCache(): void {
+  tokenCache.clear();
+  logger.info(
+    { type: 'auth', operation: 'clear_cache' },
+    'All cached tokens cleared'
+  );
+}
+
+/**
+ * Get cache statistics
+ */
+export function getTokenCacheStats() {
+  cleanExpiredCache();
+  return {
+    size: tokenCache.size,
+    tokens: Array.from(tokenCache.keys()).map(t => t.substring(0, 10) + '...'),
+  };
+}

package/src/cache/cache-manager.ts

@@ -0,0 +1,243 @@
+/**
+ * Multi-Layer Cache Manager
+ * L1: In-memory LRU cache
+ * L2: Redis persistent cache
+ */
+
+import { LRUCache } from 'lru-cache';
+import { config } from '../config';
+import { logger } from '../utils/logger';
+import { redisClient } from './redis-client';
+
+const CACHE_KEY_PREFIX = 'csp:cache';
+
+/** JSON-serializable cache value type (satisfies LRUCache V extends {}) */
+type CacheValue = object | string | number | boolean;
+
+export interface CacheStats {
+  l1Hits: number;
+  l2Hits: number;
+  misses: number;
+  hitRate: number;
+}
+
+export class CacheManager {
+  private static instance: CacheManager | null = null;
+  private readonly l1: LRUCache<string, CacheValue>;
+  private readonly l2: typeof redisClient;
+  private readonly defaultTtlSeconds: number;
+  private readonly defaultNamespace: string;
+
+  private l1Hits = 0;
+  private l2Hits = 0;
+  private misses = 0;
+
+  private constructor(options?: { namespace?: string }) {
+    const ttlMs = (config.cache.redis?.ttl ?? 900) * 1000;
+    this.defaultTtlSeconds = config.cache.redis?.ttl ?? 900;
+    this.defaultNamespace = options?.namespace ?? 'default';
+
+    this.l1 = new LRUCache<string, CacheValue>({
+      max: 100,
+      ttl: ttlMs,
+      ttlAutopurge: true,
+    });
+
+    this.l2 = redisClient;
+
+    logger.info(
+      {
+        type: 'cache',
+        message: 'CacheManager initialized',
+        l1Max: 100,
+        ttlSeconds: this.defaultTtlSeconds,
+        namespace: this.defaultNamespace,
+      },
+      'Multi-layer cache initialized'
+    );
+  }
+
+  static getInstance(options?: { namespace?: string }): CacheManager {
+    if (CacheManager.instance === null) {
+      CacheManager.instance = new CacheManager(options);
+    }
+    return CacheManager.instance;
+  }
+
+  static async resetInstance(): Promise<void> {
+    if (CacheManager.instance) {
+      await CacheManager.instance.clear();
+      await CacheManager.instance.l2.disconnect();
+      CacheManager.instance = null;
+    }
+  }
+
+  private buildKey(key: string, namespace?: string): string {
+    const ns = namespace ?? this.defaultNamespace;
+    return `${CACHE_KEY_PREFIX}:${ns}:${key}`;
+  }
+
+  private getRedisPattern(namespace?: string): string {
+    const ns = namespace ?? this.defaultNamespace;
+    return `${CACHE_KEY_PREFIX}:${ns}:*`;
+  }
+
+  async connect(): Promise<void> {
+    await this.l2.connect();
+  }
+
+  /**
+   * Get value from cache. Checks L1 first, then L2.
+   * On L2 hit, promotes value to L1.
+   */
+  async get(key: string, namespace?: string): Promise<unknown | null> {
+    const fullKey = this.buildKey(key, namespace);
+
+    const l1Value = this.l1.get(fullKey);
+    if (l1Value !== undefined) {
+      this.l1Hits++;
+      logger.debug({ type: 'cache', key: fullKey, layer: 'L1' }, 'Cache L1 hit');
+      return l1Value;
+    }
+
+    let l2Value: string | null = null;
+    try {
+      l2Value = await this.l2.get(fullKey);
+    } catch (error) {
+      logger.debug(
+        { type: 'cache', key: fullKey, error: (error as Error).message },
+        'L2 get failed, Redis may be unavailable'
+      );
+    }
+
+    if (l2Value !== null) {
+      this.l2Hits++;
+      try {
+        const parsed = JSON.parse(l2Value) as unknown;
+        if (parsed !== null && parsed !== undefined) {
+          this.l1.set(fullKey, parsed as CacheValue);
+        }
+        logger.debug({ type: 'cache', key: fullKey, layer: 'L2' }, 'Cache L2 hit, promoted to L1');
+        return parsed;
+      } catch (error) {
+        logger.warn(
+          { type: 'cache', key: fullKey, error: (error as Error).message },
+          'Failed to parse L2 cache value'
+        );
+        try {
+          await this.l2.del(fullKey);
+        } catch {
+          /* Redis may be unavailable */
+        }
+        this.misses++;
+        return null;
+      }
+    }
+
+    this.misses++;
+    logger.debug({ type: 'cache', key: fullKey }, 'Cache miss');
+    return null;
+  }
+
+  /**
+   * Set value in both L1 and L2 caches.
+   */
+  async set(
+    key: string,
+    value: unknown,
+    ttl?: number,
+    namespace?: string
+  ): Promise<void> {
+    const fullKey = this.buildKey(key, namespace);
+    const ttlSeconds = ttl ?? this.defaultTtlSeconds;
+    const ttlMs = ttlSeconds * 1000;
+
+    if (value !== null && value !== undefined) {
+      this.l1.set(fullKey, value as CacheValue, { ttl: ttlMs });
+    }
+
+    const serialized = JSON.stringify(value);
+    try {
+      await this.l2.set(fullKey, serialized, ttlSeconds);
+    } catch (error) {
+      logger.debug(
+        { type: 'cache', key: fullKey, error: (error as Error).message },
+        'L2 set failed, Redis may be unavailable'
+      );
+    }
+
+    logger.debug(
+      { type: 'cache', key: fullKey, ttlSeconds },
+      'Cache set'
+    );
+  }
+
+  /**
+   * Delete key from both caches.
+   */
+  async del(key: string, namespace?: string): Promise<void> {
+    const fullKey = this.buildKey(key, namespace);
+    this.l1.delete(fullKey);
+    try {
+      await this.l2.del(fullKey);
+    } catch (error) {
+      logger.debug(
+        { type: 'cache', key: fullKey, error: (error as Error).message },
+        'L2 del failed, Redis may be unavailable'
+      );
+    }
+    logger.debug({ type: 'cache', key: fullKey }, 'Cache del');
+  }
+
+  /**
+   * Clear all cache layers. If namespace provided, clear only that namespace.
+   */
+  async clear(namespace?: string): Promise<void> {
+    if (namespace !== undefined) {
+      const pattern = this.getRedisPattern(namespace);
+      const prefix = `${CACHE_KEY_PREFIX}:${namespace}:`;
+      for (const k of this.l1.keys()) {
+        if (k.startsWith(prefix)) {
+          this.l1.delete(k);
+        }
+      }
+      try {
+        await this.l2.clear(pattern);
+      } catch (error) {
+        logger.debug(
+          { type: 'cache', namespace, error: (error as Error).message },
+          'L2 clear failed, Redis may be unavailable'
+        );
+      }
+      logger.info({ type: 'cache', namespace }, 'Cache cleared for namespace');
+    } else {
+      this.l1.clear();
+      try {
+        await this.l2.clear(`${CACHE_KEY_PREFIX}:*`);
+      } catch (error) {
+        logger.debug(
+          { type: 'cache', error: (error as Error).message },
+          'L2 clear failed, Redis may be unavailable'
+        );
+      }
+      logger.info({ type: 'cache' }, 'Cache cleared');
+    }
+  }
+
+  getStats(): CacheStats {
+    const total = this.l1Hits + this.l2Hits + this.misses;
+    const hitRate = total > 0 ? (this.l1Hits + this.l2Hits) / total : 0;
+    return {
+      l1Hits: this.l1Hits,
+      l2Hits: this.l2Hits,
+      misses: this.misses,
+      hitRate,
+    };
+  }
+
+  resetStats(): void {
+    this.l1Hits = 0;
+    this.l2Hits = 0;
+    this.misses = 0;
+  }
+}

package/src/cache/index.ts

@@ -0,0 +1,6 @@
+/**
+ * Cache module exports
+ */
+
+export { CacheManager, type CacheStats } from './cache-manager';
+export { redisClient, RedisClient } from './redis-client';