@grapity/grapity 0.3.0 → 0.4.0

package/dist/hub/index.js

@@ -17,15 +17,34 @@ var DEFAULT_REGISTRY_URL = "http://localhost:3750";
 async function startHubServer(userConfig) {
   const config = {
     port: userConfig?.port ?? DEFAULT_PORT,
-    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL
+    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL,
+    auth: userConfig?.auth
   };
   const app = new Hono();
+  app.get("/config.js", (c) => {
+    const clientConfig = {
+      registryUrl: config.registryUrl,
+      auth: config.auth ? {
+        mode: config.auth.mode,
+        serverUrl: config.auth.serverUrl,
+        realm: config.auth.realm,
+        clientId: config.auth.clientId,
+        audience: config.auth.audience
+      } : void 0
+    };
+    c.header("Content-Type", "application/javascript");
+    return c.body(
+      `window.__GRAPITY_CONFIG__ = ${JSON.stringify(clientConfig)};`
+    );
+  });
   app.use("/v1/*", async (c) => {
     const url = new URL(c.req.url);
     const targetUrl = config.registryUrl + url.pathname + url.search;
+    const headers = new Headers(c.req.raw.headers);
+    headers.delete("host");
     const response = await fetch(targetUrl, {
       method: c.req.method,
-      headers: c.req.raw.headers,
+      headers,
       body: c.req.raw.body
     });
     return response;
@@ -33,13 +52,21 @@ async function startHubServer(userConfig) {
   app.use("/*", serveStatic({ root: HUB_DIST_PATH }));
   app.get("/*", async (c) => {
     const indexPath = path.join(HUB_DIST_PATH, "index.html");
-    if (fs.existsSync(indexPath)) {
-      return c.html(fs.readFileSync(indexPath, "utf-8"));
+    if (!fs.existsSync(indexPath)) {
+      return c.text(
+        "index.html not found. Build the project with 'bun run build' first.",
+        404
+      );
     }
-    return c.text(
-      "index.html not found. Build the project with 'bun run build' first.",
-      404
+    const html = fs.readFileSync(indexPath, "utf-8");
+    const configScript = `
+    <script src="/config.js"></script>
+  `;
+    const injected = html.replace(
+      "</head>",
+      `${configScript}</head>`
     );
+    return c.html(injected);
   });
   serve({
     fetch: app.fetch,

package/dist/hub/serve.d.ts

@@ -1,7 +1,15 @@
+interface HubAuthConfig {
+    mode: "keycloak";
+    serverUrl: string;
+    realm: string;
+    clientId: string;
+    audience?: string;
+}
 interface HubConfig {
     port?: number;
     registryUrl?: string;
+    auth?: HubAuthConfig;
 }
 declare function startHubServer(userConfig?: Partial<HubConfig>): Promise<void>;
 
-export { type HubConfig, startHubServer };
+export { type HubAuthConfig, type HubConfig, startHubServer };

package/dist/hub/serve.js

@@ -17,15 +17,34 @@ var DEFAULT_REGISTRY_URL = "http://localhost:3750";
 async function startHubServer(userConfig) {
   const config = {
     port: userConfig?.port ?? DEFAULT_PORT,
-    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL
+    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL,
+    auth: userConfig?.auth
   };
   const app = new Hono();
+  app.get("/config.js", (c) => {
+    const clientConfig = {
+      registryUrl: config.registryUrl,
+      auth: config.auth ? {
+        mode: config.auth.mode,
+        serverUrl: config.auth.serverUrl,
+        realm: config.auth.realm,
+        clientId: config.auth.clientId,
+        audience: config.auth.audience
+      } : void 0
+    };
+    c.header("Content-Type", "application/javascript");
+    return c.body(
+      `window.__GRAPITY_CONFIG__ = ${JSON.stringify(clientConfig)};`
+    );
+  });
   app.use("/v1/*", async (c) => {
     const url = new URL(c.req.url);
     const targetUrl = config.registryUrl + url.pathname + url.search;
+    const headers = new Headers(c.req.raw.headers);
+    headers.delete("host");
     const response = await fetch(targetUrl, {
       method: c.req.method,
-      headers: c.req.raw.headers,
+      headers,
       body: c.req.raw.body
     });
     return response;
@@ -33,13 +52,21 @@ async function startHubServer(userConfig) {
   app.use("/*", serveStatic({ root: HUB_DIST_PATH }));
   app.get("/*", async (c) => {
     const indexPath = path.join(HUB_DIST_PATH, "index.html");
-    if (fs.existsSync(indexPath)) {
-      return c.html(fs.readFileSync(indexPath, "utf-8"));
+    if (!fs.existsSync(indexPath)) {
+      return c.text(
+        "index.html not found. Build the project with 'bun run build' first.",
+        404
+      );
     }
-    return c.text(
-      "index.html not found. Build the project with 'bun run build' first.",
-      404
+    const html = fs.readFileSync(indexPath, "utf-8");
+    const configScript = `
+    <script src="/config.js"></script>
+  `;
+    const injected = html.replace(
+      "</head>",
+      `${configScript}</head>`
     );
+    return c.html(injected);
   });
   serve({
     fetch: app.fetch,

package/dist/index.html

@@ -9,8 +9,9 @@
     <link rel="preconnect" href="https://fonts.googleapis.com" />
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
     <link href="https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600;700&family=Inter:wght@400;500;600&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet" />
-    <script type="module" crossorigin src="/assets/index-Dq5tdnlb.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-NJpHAonA.css">
+    <script src="/config.js"></script>
+    <script type="module" crossorigin src="/assets/index-JAhtTTW2.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-LDlidn22.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/registry/{index-DUPbMrAe.d.ts → index-Bx-7YlUF.d.ts}

@@ -191,18 +191,33 @@ interface GatewayConfigStore {
     deleteGatewayLogsOlderThan(days: number): Promise<void>;
 }
 
+type RoleSource = "scope" | "realm_access.roles";
+interface KeycloakAuthConfig {
+    mode: "keycloak";
+    serverUrl: string;
+    realm: string;
+    audience?: string;
+    roleSource?: RoleSource;
+}
+type AuthConfig = {
+    mode: "none";
+} | KeycloakAuthConfig;
+
 type DatabaseBackend = "sqlite" | "postgresql";
 interface ServerConfig {
     port: number;
     database: DatabaseBackend;
     sqlitePath?: string;
     postgresUrl?: string;
+    auth: AuthConfig;
 }
 
 type AppEnv = {
     Variables: {
         store: SpecStore & GatewayConfigStore;
         config: ServerConfig;
+        actor?: string;
+        claims?: Record<string, unknown>;
     };
 };
 declare function createApp(config: ServerConfig, store: SpecStore & GatewayConfigStore): Hono<AppEnv, hono_types.BlankSchema, "/">;

package/dist/registry/index.d.ts

@@ -1,3 +1,3 @@
-export { j as ServerConfig, i as createApp } from './index-DUPbMrAe.js';
+export { j as ServerConfig, i as createApp } from './index-Bx-7YlUF.js';
 import 'hono/types';
 import 'hono';

package/dist/registry/index.js

@@ -1751,6 +1751,7 @@ var pushRoute = new Hono().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new RegistryService(store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushSpec(body.content, body.name, {
       type: body.type,
@@ -1759,7 +1760,7 @@ var pushRoute = new Hono().post("/", async (c) => {
       sourceRepo: body.sourceRepo,
       tags: Array.isArray(body.tags) ? body.tags : void 0,
       gitRef: body.gitRef,
-      pushedBy: body.pushedBy,
+      pushedBy: actor,
       prerelease: body.prerelease,
       force: body.force,
       reason: body.reason
@@ -1924,7 +1925,8 @@ var deleteSpecRoute = new Hono5().delete(
     const name = c.req.param("name");
     const store = c.get("store");
     const service = new RegistryService(store);
-    const deleted = await service.deleteSpec(name);
+    const actor = c.get("actor");
+    const deleted = await service.deleteSpec(name, actor);
     if (!deleted) {
       return c.json({ error: "not_found", message: `Spec "${name}" not found`, statusCode: 404 }, 404);
     }
@@ -2665,6 +2667,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new GatewayService(store, store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushGatewayConfig({
       name: body.name,
@@ -2675,7 +2678,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
       environments: body.environments ?? {},
       callerIdentification: body.callerIdentification,
       content: body.content,
-      pushedBy: body.pushedBy
+      pushedBy: actor
     });
     return c.json({ data: result }, 201);
   } catch (err) {
@@ -2940,7 +2943,137 @@ var gatewayLogStatsRoute = new Hono21().get("/stats", async (c) => {
   });
 });
 
+// src/registry/auth/middleware.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+var AuthError = class extends Error {
+  constructor(statusCode, code, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.name = "AuthError";
+  }
+  statusCode;
+  code;
+};
+function buildKeycloakUrls(config) {
+  const base = `${config.serverUrl}/realms/${config.realm}`;
+  return {
+    issuer: base,
+    jwksUri: `${base}/protocol/openid-connect/certs`,
+    tokenUrl: `${base}/protocol/openid-connect/token`
+  };
+}
+function createAuthMiddleware(config, routeScopes) {
+  if (config.auth?.mode !== "keycloak") {
+    return async (_c, next) => await next();
+  }
+  const authConfig = config.auth;
+  const { issuer, jwksUri } = buildKeycloakUrls(authConfig);
+  const jwks = createRemoteJWKSet(new URL(jwksUri));
+  const scopeByRoute = /* @__PURE__ */ new Map();
+  for (const route of routeScopes) {
+    const key = `${route.method.toUpperCase()}:${route.path}`;
+    scopeByRoute.set(key, {
+      operationId: route.operationId,
+      scopes: route.scopes
+    });
+  }
+  return async (c, next) => {
+    const matchedPath = c.req.matchedRoutes.map((r) => r.path).filter((p) => p !== "/*").pop();
+    const routeKey = matchedPath ? `${c.req.method}:${matchedPath}` : `${c.req.method}:${c.req.routePath}`;
+    const required = scopeByRoute.get(routeKey);
+    if (!required || required.scopes.length === 0) {
+      return await next();
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    const token = authHeader.slice("Bearer ".length).trim();
+    if (!token) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    let payload;
+    try {
+      const result = await jwtVerify(token, jwks, {
+        issuer,
+        audience: authConfig.audience
+      });
+      payload = result.payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      throw new AuthError(401, "unauthorized", `Invalid or expired token: ${message}`);
+    }
+    const subject = payload.sub;
+    if (!subject) {
+      throw new AuthError(401, "unauthorized", "Token missing subject claim");
+    }
+    const grantedScopes = extractScopes(payload, authConfig.roleSource ?? "scope");
+    const missing = required.scopes.filter((s) => !grantedScopes.has(s));
+    if (missing.length > 0) {
+      throw new AuthError(
+        403,
+        "forbidden",
+        `Missing required scope${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`
+      );
+    }
+    c.set("actor", subject);
+    c.set("claims", payload);
+    await next();
+  };
+}
+function extractScopes(payload, source) {
+  if (source === "realm_access.roles") {
+    const roles = payload.realm_access?.roles;
+    return new Set(roles ?? []);
+  }
+  const scopeValue = payload.scope;
+  if (typeof scopeValue === "string") {
+    return new Set(scopeValue.split(/\s+/).filter(Boolean));
+  }
+  return /* @__PURE__ */ new Set();
+}
+function parseRouteScopes(spec) {
+  const routes = [];
+  const paths = spec.paths;
+  if (!paths) return routes;
+  for (const [path, operations] of Object.entries(paths)) {
+    for (const [method, operation] of Object.entries(operations)) {
+      if (typeof operation !== "object" || operation === null) continue;
+      const op = operation;
+      const operationId = op.operationId;
+      if (!operationId) continue;
+      const security = op.security;
+      const scopes = [];
+      if (security) {
+        for (const sec of security) {
+          for (const [name, required] of Object.entries(sec)) {
+            if (name === "keycloak" && Array.isArray(required)) {
+              scopes.push(...required);
+            }
+          }
+        }
+      }
+      routes.push({
+        method: method.toUpperCase(),
+        path: path.replace(/\{([^}]+)\}/g, ":$1"),
+        operationId,
+        scopes
+      });
+    }
+  }
+  return routes;
+}
+
 // src/registry/server.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import yaml6 from "js-yaml";
+function loadOpenApiSpec() {
+  const path = fileURLToPath(new URL("../../openapi.yaml", import.meta.url));
+  const content = readFileSync(path, "utf-8");
+  return yaml6.load(content);
+}
 function createApp(config, store) {
   const app = new Hono22();
   app.use("*", logger());
@@ -2951,6 +3084,21 @@ function createApp(config, store) {
     c.set("config", config);
     await next();
   });
+  const routeScopes = parseRouteScopes(loadOpenApiSpec());
+  app.use("*", createAuthMiddleware(config, routeScopes));
+  app.onError((err, c) => {
+    if (err instanceof AuthError) {
+      return c.json(
+        { error: err.code, message: err.message, statusCode: err.statusCode },
+        err.statusCode
+      );
+    }
+    console.error("Unhandled error:", err);
+    return c.json(
+      { error: "internal_error", message: "Internal server error", statusCode: 500 },
+      500
+    );
+  });
   app.route("/v1/specs", pushRoute);
   app.route("/v1/specs", validateRoute);
   app.route("/v1/specs", listRoute);

package/dist/registry/serve.d.ts

@@ -1,5 +1,5 @@
 import { ServerType } from '@hono/node-server';
-import { S as SpecStore, G as GatewayConfigStore, a as Spec, b as SpecVersion, c as SpecFilters, C as CompatReport, A as AuditAction, d as GatewayConfig, e as GatewayConfigVersion, P as Provision, f as GatewayLog, g as GatewayLogFilters, h as GatewayLogStats, i as createApp, j as ServerConfig } from './index-DUPbMrAe.js';
+import { S as SpecStore, G as GatewayConfigStore, a as Spec, b as SpecVersion, c as SpecFilters, C as CompatReport, A as AuditAction, d as GatewayConfig, e as GatewayConfigVersion, P as Provision, f as GatewayLog, g as GatewayLogFilters, h as GatewayLogStats, i as createApp, j as ServerConfig } from './index-Bx-7YlUF.js';
 import 'hono/types';
 import 'hono';
 
@@ -47,6 +47,7 @@ declare class SQLiteSpecStore implements SpecStore, GatewayConfigStore {
 declare class PostgreSQLSpecStore implements SpecStore, GatewayConfigStore {
     private db;
     private pool;
+    private postgresUrl;
     constructor(postgresUrl: string);
     migrate(): Promise<void>;
     end(): Promise<void>;