@gagandeep023/api-gateway 0.3.1 → 0.4.0

package/dist/backend/index.d.mts

@@ -1,5 +1,5 @@
 import { Router, Request, Response, NextFunction } from 'express';
-import { RateLimitConfig, RequestLog, GatewayAnalytics, GatewayMiddlewareConfig, ApiKeysConfig, IpRules } from '../types/index.mjs';
+import { RateLimitConfig, RequestLog, GatewayAnalytics, DeviceEntry, GatewayMiddlewareConfig, ApiKeysConfig, IpRules } from '../types/index.mjs';
 
 declare class RateLimiterService {
     private tokenBucket;
@@ -29,9 +29,43 @@ declare class AnalyticsService {
     private getOrderedLogs;
 }
 
+declare class DeviceRegistryService {
+    private devices;
+    private filePath;
+    private writeTimeout;
+    private cleanupInterval;
+    private registrationAttempts;
+    constructor(filePath: string);
+    private loadFromDisk;
+    private saveToDiskSync;
+    private debouncedSave;
+    private cleanupExpired;
+    private getActiveCountByIp;
+    private checkRateLimit;
+    private recordAttempt;
+    registerDevice(browserId: string, ip: string, userAgent: string): {
+        success: true;
+        device: DeviceEntry;
+    } | {
+        success: false;
+        error: string;
+        status: number;
+    };
+    getDevice(browserId: string): DeviceEntry | null;
+    updateLastSeen(browserId: string, ip: string): void;
+    revokeDevice(browserId: string): boolean;
+    getStats(): {
+        total: number;
+        active: number;
+        expired: number;
+    };
+    destroy(): void;
+}
+
 interface GatewayInstances {
     rateLimiterService: RateLimiterService;
     analyticsService: AnalyticsService;
+    deviceRegistry?: DeviceRegistryService;
     middleware: Router;
     config: Required<GatewayMiddlewareConfig>;
 }
@@ -44,7 +78,12 @@ interface GatewayRoutesOptions {
 }
 declare function createGatewayRoutes(options: GatewayRoutesOptions): Router;
 
-declare function createApiKeyAuth(getKeys: () => ApiKeysConfig): (req: Request, res: Response, next: NextFunction) => void;
+interface DeviceAuthRoutesOptions {
+    deviceRegistry: DeviceRegistryService;
+}
+declare function createDeviceAuthRoutes(options: DeviceAuthRoutesOptions): Router;
+
+declare function createApiKeyAuth(getKeys: () => ApiKeysConfig, deviceRegistry?: DeviceRegistryService): (req: Request, res: Response, next: NextFunction) => void;
 
 declare function createIpFilter(getRules: () => IpRules): (req: Request, res: Response, next: NextFunction) => void;
 
@@ -52,4 +91,13 @@ declare function createRateLimiter(service: RateLimiterService): (req: Request,
 
 declare function createRequestLogger(analytics: AnalyticsService): (req: Request, res: Response, next: NextFunction) => void;
 
-export { AnalyticsService, type GatewayInstances, type GatewayRoutesOptions, RateLimiterService, createApiKeyAuth, createGatewayMiddleware, createGatewayRoutes, createIpFilter, createRateLimiter, createRequestLogger };
+declare function generateTOTP(browserId: string, secret: string, timeOffset?: number): string;
+declare function validateTOTP(browserId: string, secret: string, providedCode: string): boolean;
+declare function formatKey(browserId: string, code: string): string;
+declare function parseKey(key: string): {
+    browserId: string;
+    code: string;
+} | null;
+declare function generateSecret(): string;
+
+export { AnalyticsService, type DeviceAuthRoutesOptions, DeviceRegistryService, type GatewayInstances, type GatewayRoutesOptions, RateLimiterService, createApiKeyAuth, createDeviceAuthRoutes, createGatewayMiddleware, createGatewayRoutes, createIpFilter, createRateLimiter, createRequestLogger, formatKey, generateSecret, generateTOTP, parseKey, validateTOTP };

package/dist/backend/index.d.ts

@@ -1,5 +1,5 @@
 import { Router, Request, Response, NextFunction } from 'express';
-import { RateLimitConfig, RequestLog, GatewayAnalytics, GatewayMiddlewareConfig, ApiKeysConfig, IpRules } from '../types/index.js';
+import { RateLimitConfig, RequestLog, GatewayAnalytics, DeviceEntry, GatewayMiddlewareConfig, ApiKeysConfig, IpRules } from '../types/index.js';
 
 declare class RateLimiterService {
     private tokenBucket;
@@ -29,9 +29,43 @@ declare class AnalyticsService {
     private getOrderedLogs;
 }
 
+declare class DeviceRegistryService {
+    private devices;
+    private filePath;
+    private writeTimeout;
+    private cleanupInterval;
+    private registrationAttempts;
+    constructor(filePath: string);
+    private loadFromDisk;
+    private saveToDiskSync;
+    private debouncedSave;
+    private cleanupExpired;
+    private getActiveCountByIp;
+    private checkRateLimit;
+    private recordAttempt;
+    registerDevice(browserId: string, ip: string, userAgent: string): {
+        success: true;
+        device: DeviceEntry;
+    } | {
+        success: false;
+        error: string;
+        status: number;
+    };
+    getDevice(browserId: string): DeviceEntry | null;
+    updateLastSeen(browserId: string, ip: string): void;
+    revokeDevice(browserId: string): boolean;
+    getStats(): {
+        total: number;
+        active: number;
+        expired: number;
+    };
+    destroy(): void;
+}
+
 interface GatewayInstances {
     rateLimiterService: RateLimiterService;
     analyticsService: AnalyticsService;
+    deviceRegistry?: DeviceRegistryService;
     middleware: Router;
     config: Required<GatewayMiddlewareConfig>;
 }
@@ -44,7 +78,12 @@ interface GatewayRoutesOptions {
 }
 declare function createGatewayRoutes(options: GatewayRoutesOptions): Router;
 
-declare function createApiKeyAuth(getKeys: () => ApiKeysConfig): (req: Request, res: Response, next: NextFunction) => void;
+interface DeviceAuthRoutesOptions {
+    deviceRegistry: DeviceRegistryService;
+}
+declare function createDeviceAuthRoutes(options: DeviceAuthRoutesOptions): Router;
+
+declare function createApiKeyAuth(getKeys: () => ApiKeysConfig, deviceRegistry?: DeviceRegistryService): (req: Request, res: Response, next: NextFunction) => void;
 
 declare function createIpFilter(getRules: () => IpRules): (req: Request, res: Response, next: NextFunction) => void;
 
@@ -52,4 +91,13 @@ declare function createRateLimiter(service: RateLimiterService): (req: Request,
 
 declare function createRequestLogger(analytics: AnalyticsService): (req: Request, res: Response, next: NextFunction) => void;
 
-export { AnalyticsService, type GatewayInstances, type GatewayRoutesOptions, RateLimiterService, createApiKeyAuth, createGatewayMiddleware, createGatewayRoutes, createIpFilter, createRateLimiter, createRequestLogger };
+declare function generateTOTP(browserId: string, secret: string, timeOffset?: number): string;
+declare function validateTOTP(browserId: string, secret: string, providedCode: string): boolean;
+declare function formatKey(browserId: string, code: string): string;
+declare function parseKey(key: string): {
+    browserId: string;
+    code: string;
+} | null;
+declare function generateSecret(): string;
+
+export { AnalyticsService, type DeviceAuthRoutesOptions, DeviceRegistryService, type GatewayInstances, type GatewayRoutesOptions, RateLimiterService, createApiKeyAuth, createDeviceAuthRoutes, createGatewayMiddleware, createGatewayRoutes, createIpFilter, createRateLimiter, createRequestLogger, formatKey, generateSecret, generateTOTP, parseKey, validateTOTP };

package/dist/backend/index.js

@@ -31,13 +31,20 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var backend_exports = {};
 __export(backend_exports, {
   AnalyticsService: () => AnalyticsService,
+  DeviceRegistryService: () => DeviceRegistryService,
   RateLimiterService: () => RateLimiterService,
   createApiKeyAuth: () => createApiKeyAuth,
+  createDeviceAuthRoutes: () => createDeviceAuthRoutes,
   createGatewayMiddleware: () => createGatewayMiddleware,
   createGatewayRoutes: () => createGatewayRoutes,
   createIpFilter: () => createIpFilter,
   createRateLimiter: () => createRateLimiter,
-  createRequestLogger: () => createRequestLogger
+  createRequestLogger: () => createRequestLogger,
+  formatKey: () => formatKey,
+  generateSecret: () => generateSecret,
+  generateTOTP: () => generateTOTP,
+  parseKey: () => parseKey,
+  validateTOTP: () => validateTOTP
 });
 module.exports = __toCommonJS(backend_exports);
 
@@ -201,7 +208,7 @@ var AnalyticsService = class {
       const current = endpointCounts.get(log.path) || 0;
       endpointCounts.set(log.path, current + 1);
     }
-    const topEndpoints = Array.from(endpointCounts.entries()).map(([path, count]) => ({ path, count })).sort((a, b) => b.count - a.count).slice(0, 5);
+    const topEndpoints = Array.from(endpointCounts.entries()).map(([path2, count]) => ({ path: path2, count })).sort((a, b) => b.count - a.count).slice(0, 5);
     const errorCount = ordered.filter((l) => l.statusCode >= 400).length;
     const errorRate = this.count > 0 ? errorCount / this.count * 100 : 0;
     const totalResponseTime = ordered.reduce((sum, l) => sum + l.responseTime, 0);
@@ -235,6 +242,226 @@ var AnalyticsService = class {
   }
 };
 
+// src/backend/services/DeviceRegistryService.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+
+// src/backend/utils/totp.ts
+var import_crypto = __toESM(require("crypto"));
+var TIME_WINDOW_MS = 3600 * 1e3;
+var CODE_LENGTH = 16;
+function generateTOTP(browserId, secret, timeOffset = 0) {
+  const timeWindow = Math.floor(Date.now() / TIME_WINDOW_MS) + timeOffset;
+  const message = `${browserId}:${timeWindow}`;
+  const hmac = import_crypto.default.createHmac("sha256", secret).update(message).digest("hex");
+  return hmac.substring(0, CODE_LENGTH);
+}
+function validateTOTP(browserId, secret, providedCode) {
+  const currentCode = generateTOTP(browserId, secret, 0);
+  const previousCode = generateTOTP(browserId, secret, -1);
+  return timingSafeEqual(providedCode, currentCode) || timingSafeEqual(providedCode, previousCode);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  return import_crypto.default.timingSafeEqual(bufA, bufB);
+}
+function formatKey(browserId, code) {
+  return `totp_${browserId}_${code}`;
+}
+function parseKey(key) {
+  if (!key.startsWith("totp_")) return null;
+  const parts = key.slice(5).split("_");
+  if (parts.length < 2) return null;
+  const code = parts[parts.length - 1];
+  const browserId = parts.slice(0, -1).join("_");
+  if (!browserId || !code) return null;
+  return { browserId, code };
+}
+function generateSecret() {
+  return import_crypto.default.randomBytes(32).toString("hex");
+}
+
+// src/backend/services/DeviceRegistryService.ts
+var ONE_WEEK_MS = 7 * 24 * 60 * 60 * 1e3;
+var CLEANUP_INTERVAL_MS = 60 * 60 * 1e3;
+var DEBOUNCE_WRITE_MS = 2e3;
+var MAX_REGISTRATIONS_PER_IP_PER_MIN = 10;
+var MAX_REGISTRATIONS_PER_IP_TOTAL = 30;
+var RATE_WINDOW_MS = 60 * 1e3;
+var DeviceRegistryService = class {
+  devices = /* @__PURE__ */ new Map();
+  filePath;
+  writeTimeout = null;
+  cleanupInterval = null;
+  // In-memory rate tracking: ip -> timestamps of recent registration attempts
+  registrationAttempts = /* @__PURE__ */ new Map();
+  constructor(filePath) {
+    this.filePath = filePath;
+    this.loadFromDisk();
+    this.cleanupExpired();
+    this.cleanupInterval = setInterval(() => this.cleanupExpired(), CLEANUP_INTERVAL_MS);
+  }
+  loadFromDisk() {
+    try {
+      if (import_fs.default.existsSync(this.filePath)) {
+        const raw = import_fs.default.readFileSync(this.filePath, "utf-8");
+        const data = JSON.parse(raw);
+        for (const device of data.devices) {
+          this.devices.set(device.browserId, device);
+        }
+        console.log(`[DeviceRegistry] Loaded ${this.devices.size} devices from ${this.filePath}`);
+      } else {
+        const dir = import_path.default.dirname(this.filePath);
+        if (!import_fs.default.existsSync(dir)) {
+          import_fs.default.mkdirSync(dir, { recursive: true });
+        }
+        this.saveToDiskSync();
+        console.log(`[DeviceRegistry] Created new devices file at ${this.filePath}`);
+      }
+    } catch (err) {
+      console.error("[DeviceRegistry] Failed to load devices file:", err);
+    }
+  }
+  saveToDiskSync() {
+    const data = {
+      devices: Array.from(this.devices.values())
+    };
+    import_fs.default.writeFileSync(this.filePath, JSON.stringify(data, null, 2), "utf-8");
+  }
+  debouncedSave() {
+    if (this.writeTimeout) clearTimeout(this.writeTimeout);
+    this.writeTimeout = setTimeout(() => {
+      this.saveToDiskSync();
+    }, DEBOUNCE_WRITE_MS);
+  }
+  cleanupExpired() {
+    const now = Date.now();
+    let removed = 0;
+    for (const [id, device] of this.devices) {
+      if (new Date(device.expiresAt).getTime() <= now) {
+        this.devices.delete(id);
+        removed++;
+      }
+    }
+    if (removed > 0) {
+      console.log(`[DeviceRegistry] Cleaned up ${removed} expired devices`);
+      this.debouncedSave();
+    }
+  }
+  getActiveCountByIp(ip) {
+    const now = Date.now();
+    let count = 0;
+    for (const device of this.devices.values()) {
+      if (device.ip === ip && device.active && new Date(device.expiresAt).getTime() > now) {
+        count++;
+      }
+    }
+    return count;
+  }
+  checkRateLimit(ip) {
+    const now = Date.now();
+    const attempts = this.registrationAttempts.get(ip) || [];
+    const recent = attempts.filter((t) => now - t < RATE_WINDOW_MS);
+    this.registrationAttempts.set(ip, recent);
+    return recent.length < MAX_REGISTRATIONS_PER_IP_PER_MIN;
+  }
+  recordAttempt(ip) {
+    const attempts = this.registrationAttempts.get(ip) || [];
+    attempts.push(Date.now());
+    this.registrationAttempts.set(ip, attempts);
+  }
+  registerDevice(browserId, ip, userAgent) {
+    if (!this.checkRateLimit(ip)) {
+      return {
+        success: false,
+        error: "Registration rate limit exceeded. Max 10 per minute per IP.",
+        status: 429
+      };
+    }
+    this.recordAttempt(ip);
+    if (this.getActiveCountByIp(ip) >= MAX_REGISTRATIONS_PER_IP_TOTAL) {
+      return {
+        success: false,
+        error: "Maximum device registrations reached for this IP. Max 30 per IP.",
+        status: 403
+      };
+    }
+    const existing = this.devices.get(browserId);
+    if (existing && existing.active && new Date(existing.expiresAt).getTime() > Date.now()) {
+      existing.expiresAt = new Date(Date.now() + ONE_WEEK_MS).toISOString();
+      existing.lastSeen = (/* @__PURE__ */ new Date()).toISOString();
+      existing.lastIp = ip;
+      this.debouncedSave();
+      return { success: true, device: existing };
+    }
+    const now = /* @__PURE__ */ new Date();
+    const device = {
+      browserId,
+      sharedSecret: generateSecret(),
+      ip,
+      userAgent,
+      registeredAt: now.toISOString(),
+      expiresAt: new Date(now.getTime() + ONE_WEEK_MS).toISOString(),
+      lastSeen: now.toISOString(),
+      lastIp: ip,
+      active: true
+    };
+    this.devices.set(browserId, device);
+    this.debouncedSave();
+    return { success: true, device };
+  }
+  getDevice(browserId) {
+    const device = this.devices.get(browserId) || null;
+    if (!device) return null;
+    if (new Date(device.expiresAt).getTime() <= Date.now()) {
+      this.devices.delete(browserId);
+      this.debouncedSave();
+      return null;
+    }
+    if (!device.active) return null;
+    return device;
+  }
+  updateLastSeen(browserId, ip) {
+    const device = this.devices.get(browserId);
+    if (!device) return;
+    device.lastSeen = (/* @__PURE__ */ new Date()).toISOString();
+    if (device.lastIp !== ip) {
+      console.log(`[DeviceRegistry] IP change for ${browserId}: ${device.lastIp} -> ${ip}`);
+      device.lastIp = ip;
+    }
+    this.debouncedSave();
+  }
+  revokeDevice(browserId) {
+    const device = this.devices.get(browserId);
+    if (!device) return false;
+    device.active = false;
+    this.debouncedSave();
+    return true;
+  }
+  getStats() {
+    const now = Date.now();
+    let active = 0;
+    let expired = 0;
+    for (const device of this.devices.values()) {
+      if (!device.active || new Date(device.expiresAt).getTime() <= now) {
+        expired++;
+      } else {
+        active++;
+      }
+    }
+    return { total: this.devices.size, active, expired };
+  }
+  destroy() {
+    if (this.cleanupInterval) clearInterval(this.cleanupInterval);
+    if (this.writeTimeout) {
+      clearTimeout(this.writeTimeout);
+      this.saveToDiskSync();
+    }
+  }
+};
+
 // src/config/defaults.ts
 var DEFAULT_RATE_LIMIT_CONFIG = {
   tiers: {
@@ -255,7 +482,7 @@ var DEFAULT_API_KEYS = {
 };
 
 // src/backend/middleware/apiKeyAuth.ts
-function createApiKeyAuth(getKeys) {
+function createApiKeyAuth(getKeys, deviceRegistry) {
   return function apiKeyAuth(req, res, next) {
     const apiKey = req.header("X-API-Key") || req.query.apiKey;
     if (!apiKey) {
@@ -264,6 +491,29 @@ function createApiKeyAuth(getKeys) {
       next();
       return;
     }
+    if (apiKey.startsWith("totp_") && deviceRegistry) {
+      const parsed = parseKey(apiKey);
+      if (!parsed) {
+        res.status(401).json({ error: "Malformed TOTP key" });
+        return;
+      }
+      const device = deviceRegistry.getDevice(parsed.browserId);
+      if (!device) {
+        res.status(401).json({ error: "Device not registered or expired" });
+        return;
+      }
+      if (!validateTOTP(parsed.browserId, device.sharedSecret, parsed.code)) {
+        res.status(401).json({ error: "Invalid or expired TOTP code" });
+        return;
+      }
+      const ip = req.ip || req.socket.remoteAddress || "unknown";
+      deviceRegistry.updateLastSeen(parsed.browserId, ip);
+      req.clientId = parsed.browserId;
+      req.tier = "free";
+      req.apiKeyValue = apiKey;
+      next();
+      return;
+    }
     const config = getKeys();
     const keyEntry = config.keys.find((k) => k.key === apiKey && k.active);
     if (!keyEntry) {
@@ -348,18 +598,24 @@ function createGatewayMiddleware(userConfig) {
   const config = {
     rateLimits: userConfig?.rateLimits ?? DEFAULT_RATE_LIMIT_CONFIG,
     ipRules: userConfig?.ipRules ?? DEFAULT_IP_RULES,
-    apiKeys: userConfig?.apiKeys ?? DEFAULT_API_KEYS
+    apiKeys: userConfig?.apiKeys ?? DEFAULT_API_KEYS,
+    deviceRegistryPath: userConfig?.deviceRegistryPath ?? ""
   };
   const rateLimiterService = new RateLimiterService(config.rateLimits);
   const analyticsService = new AnalyticsService();
+  let deviceRegistry;
+  if (config.deviceRegistryPath) {
+    deviceRegistry = new DeviceRegistryService(config.deviceRegistryPath);
+  }
   const router = (0, import_express.Router)();
   router.use(createRequestLogger(analyticsService));
-  router.use(createApiKeyAuth(() => config.apiKeys));
+  router.use(createApiKeyAuth(() => config.apiKeys, deviceRegistry));
   router.use(createIpFilter(() => config.ipRules));
   router.use(createRateLimiter(rateLimiterService));
   return {
     rateLimiterService,
     analyticsService,
+    deviceRegistry,
     middleware: router,
     config
   };
@@ -367,7 +623,7 @@ function createGatewayMiddleware(userConfig) {
 
 // src/backend/routes/gateway.ts
 var import_express2 = require("express");
-var import_crypto = __toESM(require("crypto"));
+var import_crypto2 = __toESM(require("crypto"));
 function createGatewayRoutes(options) {
   const { rateLimiterService, analyticsService, config } = options;
   const router = (0, import_express2.Router)();
@@ -410,7 +666,7 @@ function createGatewayRoutes(options) {
     }
     const newKey = {
       id: `key_${String(config.apiKeys.keys.length + 1).padStart(3, "0")}`,
-      key: `gw_live_${import_crypto.default.randomBytes(16).toString("hex")}`,
+      key: `gw_live_${import_crypto2.default.randomBytes(16).toString("hex")}`,
       name,
       tier: tier || "free",
       createdAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -437,15 +693,80 @@ function createGatewayRoutes(options) {
   });
   return router;
 }
+
+// src/backend/routes/deviceAuth.ts
+var import_express3 = require("express");
+function createDeviceAuthRoutes(options) {
+  const { deviceRegistry } = options;
+  const router = (0, import_express3.Router)();
+  router.post("/register", (req, res) => {
+    const { browserId } = req.body;
+    if (!browserId || typeof browserId !== "string") {
+      res.status(400).json({ error: "browserId is required" });
+      return;
+    }
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (!uuidRegex.test(browserId)) {
+      res.status(400).json({ error: "browserId must be a valid UUID" });
+      return;
+    }
+    const ip = req.ip || req.socket.remoteAddress || "unknown";
+    const userAgent = req.headers["user-agent"] || "unknown";
+    const result = deviceRegistry.registerDevice(browserId, ip, userAgent);
+    if (!result.success) {
+      res.status(result.status).json({ error: result.error });
+      return;
+    }
+    res.status(201).json({
+      browserId: result.device.browserId,
+      sharedSecret: result.device.sharedSecret,
+      expiresAt: result.device.expiresAt
+    });
+  });
+  router.get("/status/:browserId", (req, res) => {
+    const browserId = req.params.browserId;
+    const device = deviceRegistry.getDevice(browserId);
+    if (!device) {
+      res.status(404).json({ registered: false });
+      return;
+    }
+    res.json({
+      registered: true,
+      browserId: device.browserId,
+      expiresAt: device.expiresAt,
+      registeredAt: device.registeredAt
+    });
+  });
+  router.delete("/:browserId", (req, res) => {
+    const browserId = req.params.browserId;
+    const revoked = deviceRegistry.revokeDevice(browserId);
+    if (!revoked) {
+      res.status(404).json({ error: "Device not found" });
+      return;
+    }
+    res.json({ message: "Device revoked", browserId });
+  });
+  router.get("/stats", (_req, res) => {
+    res.json(deviceRegistry.getStats());
+  });
+  return router;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AnalyticsService,
+  DeviceRegistryService,
   RateLimiterService,
   createApiKeyAuth,
+  createDeviceAuthRoutes,
   createGatewayMiddleware,
   createGatewayRoutes,
   createIpFilter,
   createRateLimiter,
-  createRequestLogger
+  createRequestLogger,
+  formatKey,
+  generateSecret,
+  generateTOTP,
+  parseKey,
+  validateTOTP
 });
 //# sourceMappingURL=index.js.map