@goscribe/server 1.0.11 → 1.1.0

package/src/lib/auth.ts

@@ -1,51 +1,145 @@
-// src/server/auth.ts
+/**
+ * Authentication utilities for custom HMAC-based cookie verification.
+ * 
+ * This module provides secure authentication using HMAC-SHA256 signatures
+ * to verify user identity through signed cookies.
+ * 
+ * @fileoverview Custom authentication system with HMAC cookie verification
+ * @author Scribe Team
+ * @version 1.0.0
+ */
+
 import crypto from "node:crypto";
 
-// Custom HMAC cookie: auth_token = base64(userId).hex(hmacSHA256(base64(userId), secret))
-export function verifyCustomAuthCookie(cookieValue: string | undefined): { userId: string } | null {
+/**
+ * Represents the result of successful authentication verification.
+ */
+export interface AuthResult {
+  /** The authenticated user's unique identifier */
+  userId: string;
+}
+
+/**
+ * Configuration for the authentication system.
+ */
+interface AuthConfig {
+  /** The secret key used for HMAC signing */
+  secret: string;
+}
+
+/**
+ * Verifies a custom HMAC-signed authentication cookie.
+ * 
+ * The cookie format is: `base64(userId).hex(hmacSHA256(base64(userId), secret))`
+ * 
+ * @param cookieValue - The raw cookie value to verify, or undefined if no cookie exists
+ * @returns Authentication result with userId if valid, null if invalid or missing
+ * 
+ * @example
+ * ```typescript
+ * const result = verifyCustomAuthCookie("dXNlcjEyMw.abc123def456...");
+ * if (result) {
+ *   console.log(`Authenticated user: ${result.userId}`);
+ * }
+ * ```
+ * 
+ * @throws {Error} Never throws - returns null for all error conditions
+ */
+export function verifyCustomAuthCookie(cookieValue: string | undefined): AuthResult | null {
+  // Early return for missing cookie
   if (!cookieValue) {
     return null;
   }
   
+  // Get authentication secret from environment
   const secret = process.env.AUTH_SECRET;
-  
   if (!secret) {
     return null;
   }
 
+  // Parse cookie format: base64UserId.signatureHex
   const parts = cookieValue.split(".");
-  
   if (parts.length !== 2) {
     return null;
   }
+  
   const [base64UserId, signatureHex] = parts;
 
-  let userId: string;
-  try {
-    const buf = Buffer.from(base64UserId, "base64url");
-    userId = buf.toString("utf8");
-  } catch (error) {
+  // Decode the user ID from base64url encoding
+  const userId = decodeBase64UrlUserId(base64UserId);
+  if (!userId) {
     return null;
   }
 
-  const hmac = crypto.createHmac("sha256", secret);
-  hmac.update(base64UserId);
-  const expected = hmac.digest("hex");
-  
-  if (!timingSafeEqualHex(signatureHex, expected)) {
+  // Verify the HMAC signature
+  const isValidSignature = verifyHmacSignature(base64UserId, signatureHex, secret);
+  if (!isValidSignature) {
     return null;
   }
 
   return { userId };
 }
 
+/**
+ * Decodes a base64url-encoded user ID string.
+ * 
+ * @param base64UserId - The base64url-encoded user ID
+ * @returns The decoded user ID string, or null if decoding fails
+ * 
+ * @private
+ */
+function decodeBase64UrlUserId(base64UserId: string): string | null {
+  try {
+    const buffer = Buffer.from(base64UserId, "base64url");
+    return buffer.toString("utf8");
+  } catch (error) {
+    return null;
+  }
+}
+
+/**
+ * Verifies an HMAC-SHA256 signature against the expected value.
+ * 
+ * @param data - The data that was signed (base64url-encoded user ID)
+ * @param signatureHex - The hex-encoded signature to verify
+ * @param secret - The secret key used for signing
+ * @returns True if the signature is valid, false otherwise
+ * 
+ * @private
+ */
+function verifyHmacSignature(data: string, signatureHex: string, secret: string): boolean {
+  const hmac = crypto.createHmac("sha256", secret);
+  hmac.update(data);
+  const expectedSignature = hmac.digest("hex");
+  
+  return timingSafeEqualHex(signatureHex, expectedSignature);
+}
+
+/**
+ * Performs a timing-safe comparison of two hex-encoded strings.
+ * 
+ * This function prevents timing attacks by ensuring the comparison
+ * takes the same amount of time regardless of where the strings differ.
+ * 
+ * @param a - First hex string to compare
+ * @param b - Second hex string to compare
+ * @returns True if the strings are equal, false otherwise
+ * 
+ * @private
+ */
 function timingSafeEqualHex(a: string, b: string): boolean {
   try {
-    const ab = Buffer.from(a, "hex");
-    const bb = Buffer.from(b, "hex");
-    if (ab.length !== bb.length) return false;
-    return crypto.timingSafeEqual(ab, bb);
+    const bufferA = Buffer.from(a, "hex");
+    const bufferB = Buffer.from(b, "hex");
+    
+    // Length check prevents timing attacks on different-length inputs
+    if (bufferA.length !== bufferB.length) {
+      return false;
+    }
+    
+    return crypto.timingSafeEqual(bufferA, bufferB);
   } catch {
+    // Return false for any parsing errors
     return false;
   }
 }

package/src/lib/env.ts

@@ -0,0 +1,59 @@
+import { z } from 'zod';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+/**
+ * Environment variable schema
+ */
+const envSchema = z.object({
+  // Database
+  DATABASE_URL: z.string().url(),
+  DIRECT_URL: z.string().url().optional(),
+  
+  // Server
+  PORT: z.string().regex(/^\d+$/).default('3001').transform(Number),
+  NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
+  
+  // Auth
+  BETTER_AUTH_SECRET: z.string().min(32).optional(),
+  BETTER_AUTH_URL: z.string().url().optional(),
+  
+  // Storage
+  GOOGLE_CLOUD_PROJECT_ID: z.string().optional(),
+  GOOGLE_CLOUD_BUCKET_NAME: z.string().optional(),
+  GOOGLE_APPLICATION_CREDENTIALS: z.string().optional(),
+  
+  // Pusher
+  PUSHER_APP_ID: z.string().optional(),
+  PUSHER_KEY: z.string().optional(),
+  PUSHER_SECRET: z.string().optional(),
+  PUSHER_CLUSTER: z.string().optional(),
+  
+  // Inference
+  INFERENCE_API_URL: z.string().url().optional(),
+  
+  // CORS
+  FRONTEND_URL: z.string().url().default('http://localhost:3000'),
+});
+
+/**
+ * Parsed and validated environment variables
+ */
+export const env = envSchema.parse(process.env);
+
+/**
+ * Check if running in production
+ */
+export const isProduction = env.NODE_ENV === 'production';
+
+/**
+ * Check if running in development
+ */
+export const isDevelopment = env.NODE_ENV === 'development';
+
+/**
+ * Check if running in test
+ */
+export const isTest = env.NODE_ENV === 'test';
+

package/src/lib/errors.ts

@@ -0,0 +1,92 @@
+import { TRPCError } from '@trpc/server';
+
+/**
+ * Custom error classes for better error handling
+ */
+export class AppError extends Error {
+  constructor(
+    message: string,
+    public code: string,
+    public statusCode: number = 500,
+    public isOperational: boolean = true
+  ) {
+    super(message);
+    this.name = this.constructor.name;
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+export class ValidationError extends AppError {
+  constructor(message: string) {
+    super(message, 'VALIDATION_ERROR', 400);
+  }
+}
+
+export class NotFoundError extends AppError {
+  constructor(resource: string = 'Resource') {
+    super(`${resource} not found`, 'NOT_FOUND', 404);
+  }
+}
+
+export class UnauthorizedError extends AppError {
+  constructor(message: string = 'Unauthorized') {
+    super(message, 'UNAUTHORIZED', 401);
+  }
+}
+
+export class ForbiddenError extends AppError {
+  constructor(message: string = 'Forbidden') {
+    super(message, 'FORBIDDEN', 403);
+  }
+}
+
+export class ConflictError extends AppError {
+  constructor(message: string) {
+    super(message, 'CONFLICT', 409);
+  }
+}
+
+/**
+ * Convert AppError to TRPCError
+ */
+export function toTRPCError(error: unknown): TRPCError {
+  if (error instanceof AppError) {
+    const codeMap: Record<number, any> = {
+      400: 'BAD_REQUEST',
+      401: 'UNAUTHORIZED',
+      403: 'FORBIDDEN',
+      404: 'NOT_FOUND',
+      409: 'CONFLICT',
+      500: 'INTERNAL_SERVER_ERROR',
+    };
+    
+    return new TRPCError({
+      code: codeMap[error.statusCode] || 'INTERNAL_SERVER_ERROR',
+      message: error.message,
+      cause: error,
+    });
+  }
+
+  if (error instanceof TRPCError) {
+    return error;
+  }
+
+  // Default error
+  return new TRPCError({
+    code: 'INTERNAL_SERVER_ERROR',
+    message: error instanceof Error ? error.message : 'An unexpected error occurred',
+    cause: error,
+  });
+}
+
+/**
+ * Error handler for async functions
+ */
+export function asyncHandler<T extends (...args: any[]) => Promise<any>>(fn: T): T {
+  return ((...args: Parameters<T>) => {
+    return Promise.resolve(fn(...args)).catch((error) => {
+      throw toTRPCError(error);
+    });
+  }) as T;
+}
+

package/src/lib/inference.ts

@@ -1,15 +1,15 @@
-async function inference(prompt: string, tag: string) {
+import OpenAI from 'openai';
+
+const openai = new OpenAI({
+    apiKey: process.env.INFERENCE_API_KEY,
+    baseURL: process.env.INFERENCE_BASE_URL,
+});
+
+async function inference(prompt: string) {
     try {
-        const response = await fetch("https://proxy-ai.onrender.com/api/cohere/inference", {
-            method: "POST",
-            headers: {
-                "Content-Type": "application/json",
-            },
-            body: JSON.stringify({
-                prompt: prompt,
-                model: "command-r-plus",
-                max_tokens: 2000,
-            }),
+        const response = await openai.chat.completions.create({
+            model: "command-a-03-2025",
+            messages: [{ role: "user", content: prompt }],
         });
         return response;
     } catch (error) {