@grapity/grapity 0.3.0 → 0.4.0

package/dist/registry/serve.js

@@ -1756,6 +1756,7 @@ var pushRoute = new Hono().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new RegistryService(store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushSpec(body.content, body.name, {
       type: body.type,
@@ -1764,7 +1765,7 @@ var pushRoute = new Hono().post("/", async (c) => {
       sourceRepo: body.sourceRepo,
       tags: Array.isArray(body.tags) ? body.tags : void 0,
       gitRef: body.gitRef,
-      pushedBy: body.pushedBy,
+      pushedBy: actor,
       prerelease: body.prerelease,
       force: body.force,
       reason: body.reason
@@ -1929,7 +1930,8 @@ var deleteSpecRoute = new Hono5().delete(
     const name = c.req.param("name");
     const store = c.get("store");
     const service = new RegistryService(store);
-    const deleted = await service.deleteSpec(name);
+    const actor = c.get("actor");
+    const deleted = await service.deleteSpec(name, actor);
     if (!deleted) {
       return c.json({ error: "not_found", message: `Spec "${name}" not found`, statusCode: 404 }, 404);
     }
@@ -2670,6 +2672,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new GatewayService(store, store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushGatewayConfig({
       name: body.name,
@@ -2680,7 +2683,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
       environments: body.environments ?? {},
       callerIdentification: body.callerIdentification,
       content: body.content,
-      pushedBy: body.pushedBy
+      pushedBy: actor
     });
     return c.json({ data: result }, 201);
   } catch (err) {
@@ -2945,7 +2948,137 @@ var gatewayLogStatsRoute = new Hono21().get("/stats", async (c) => {
   });
 });
 
+// src/registry/auth/middleware.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+var AuthError = class extends Error {
+  constructor(statusCode, code, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.name = "AuthError";
+  }
+  statusCode;
+  code;
+};
+function buildKeycloakUrls(config) {
+  const base = `${config.serverUrl}/realms/${config.realm}`;
+  return {
+    issuer: base,
+    jwksUri: `${base}/protocol/openid-connect/certs`,
+    tokenUrl: `${base}/protocol/openid-connect/token`
+  };
+}
+function createAuthMiddleware(config, routeScopes) {
+  if (config.auth?.mode !== "keycloak") {
+    return async (_c, next) => await next();
+  }
+  const authConfig = config.auth;
+  const { issuer, jwksUri } = buildKeycloakUrls(authConfig);
+  const jwks = createRemoteJWKSet(new URL(jwksUri));
+  const scopeByRoute = /* @__PURE__ */ new Map();
+  for (const route of routeScopes) {
+    const key = `${route.method.toUpperCase()}:${route.path}`;
+    scopeByRoute.set(key, {
+      operationId: route.operationId,
+      scopes: route.scopes
+    });
+  }
+  return async (c, next) => {
+    const matchedPath = c.req.matchedRoutes.map((r) => r.path).filter((p) => p !== "/*").pop();
+    const routeKey = matchedPath ? `${c.req.method}:${matchedPath}` : `${c.req.method}:${c.req.routePath}`;
+    const required = scopeByRoute.get(routeKey);
+    if (!required || required.scopes.length === 0) {
+      return await next();
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    const token = authHeader.slice("Bearer ".length).trim();
+    if (!token) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    let payload;
+    try {
+      const result = await jwtVerify(token, jwks, {
+        issuer,
+        audience: authConfig.audience
+      });
+      payload = result.payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      throw new AuthError(401, "unauthorized", `Invalid or expired token: ${message}`);
+    }
+    const subject = payload.sub;
+    if (!subject) {
+      throw new AuthError(401, "unauthorized", "Token missing subject claim");
+    }
+    const grantedScopes = extractScopes(payload, authConfig.roleSource ?? "scope");
+    const missing = required.scopes.filter((s) => !grantedScopes.has(s));
+    if (missing.length > 0) {
+      throw new AuthError(
+        403,
+        "forbidden",
+        `Missing required scope${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`
+      );
+    }
+    c.set("actor", subject);
+    c.set("claims", payload);
+    await next();
+  };
+}
+function extractScopes(payload, source) {
+  if (source === "realm_access.roles") {
+    const roles = payload.realm_access?.roles;
+    return new Set(roles ?? []);
+  }
+  const scopeValue = payload.scope;
+  if (typeof scopeValue === "string") {
+    return new Set(scopeValue.split(/\s+/).filter(Boolean));
+  }
+  return /* @__PURE__ */ new Set();
+}
+function parseRouteScopes(spec) {
+  const routes = [];
+  const paths = spec.paths;
+  if (!paths) return routes;
+  for (const [path2, operations] of Object.entries(paths)) {
+    for (const [method, operation] of Object.entries(operations)) {
+      if (typeof operation !== "object" || operation === null) continue;
+      const op = operation;
+      const operationId = op.operationId;
+      if (!operationId) continue;
+      const security = op.security;
+      const scopes = [];
+      if (security) {
+        for (const sec of security) {
+          for (const [name, required] of Object.entries(sec)) {
+            if (name === "keycloak" && Array.isArray(required)) {
+              scopes.push(...required);
+            }
+          }
+        }
+      }
+      routes.push({
+        method: method.toUpperCase(),
+        path: path2.replace(/\{([^}]+)\}/g, ":$1"),
+        operationId,
+        scopes
+      });
+    }
+  }
+  return routes;
+}
+
 // src/registry/server.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import yaml6 from "js-yaml";
+function loadOpenApiSpec() {
+  const path2 = fileURLToPath(new URL("../../openapi.yaml", import.meta.url));
+  const content = readFileSync(path2, "utf-8");
+  return yaml6.load(content);
+}
 function createApp(config, store) {
   const app = new Hono22();
   app.use("*", logger());
@@ -2956,6 +3089,21 @@ function createApp(config, store) {
     c.set("config", config);
     await next();
   });
+  const routeScopes = parseRouteScopes(loadOpenApiSpec());
+  app.use("*", createAuthMiddleware(config, routeScopes));
+  app.onError((err, c) => {
+    if (err instanceof AuthError) {
+      return c.json(
+        { error: err.code, message: err.message, statusCode: err.statusCode },
+        err.statusCode
+      );
+    }
+    console.error("Unhandled error:", err);
+    return c.json(
+      { error: "internal_error", message: "Internal server error", statusCode: 500 },
+      500
+    );
+  });
   app.route("/v1/specs", pushRoute);
   app.route("/v1/specs", validateRoute);
   app.route("/v1/specs", listRoute);
@@ -2983,7 +3131,8 @@ function createApp(config, store) {
 // src/registry/config.ts
 var defaultConfig = {
   port: 3750,
-  database: "sqlite"
+  database: "sqlite",
+  auth: { mode: "none" }
 };
 
 // src/registry/storage/sqlite.ts
@@ -3596,17 +3745,63 @@ var provisions2 = pgTable("provisions", {
 // src/registry/storage/postgresql.ts
 import { v4 as uuid6 } from "uuid";
 var MIGRATIONS_FOLDER2 = PG_MIGRATIONS_FOLDER;
+var DatabaseConnectionError = class extends Error {
+  constructor(message, postgresUrl, options) {
+    super(message, options);
+    this.postgresUrl = postgresUrl;
+    this.name = "DatabaseConnectionError";
+  }
+  postgresUrl;
+};
+function isConnectionError(err) {
+  if (typeof err !== "object" || err === null) return false;
+  if ("code" in err) {
+    const code = err.code;
+    if (code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "ENOTFOUND") {
+      return true;
+    }
+  }
+  if (err instanceof AggregateError) {
+    if (err.errors.some(isConnectionError)) return true;
+  }
+  if ("cause" in err && err.cause) {
+    return isConnectionError(err.cause);
+  }
+  return false;
+}
+function maskPostgresPassword(url) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.password) parsed.password = "***";
+    return parsed.toString();
+  } catch {
+    return url;
+  }
+}
 var PostgreSQLSpecStore = class {
   db;
   pool;
+  postgresUrl;
   constructor(postgresUrl) {
+    this.postgresUrl = postgresUrl;
     this.pool = new Pool({ connectionString: postgresUrl });
     this.db = drizzle2(this.pool);
   }
   async migrate() {
-    await migrate2(this.db, {
-      migrationsFolder: MIGRATIONS_FOLDER2
-    });
+    try {
+      await migrate2(this.db, {
+        migrationsFolder: MIGRATIONS_FOLDER2
+      });
+    } catch (err) {
+      if (isConnectionError(err)) {
+        throw new DatabaseConnectionError(
+          `PostgreSQL is not reachable at ${maskPostgresPassword(this.postgresUrl)}`,
+          this.postgresUrl,
+          { cause: err }
+        );
+      }
+      throw err;
+    }
   }
   async end() {
     await this.pool.end();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grapity/grapity",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "type": "module",
   "description": "grapity - API spec registry and compatibility guardian",
   "license": "Apache-2.0",
@@ -66,26 +66,28 @@
     "provenance": true
   },
   "dependencies": {
-    "commander": "^13.1.0",
-    "js-yaml": "^4.1.0",
-    "chalk": "^5.4.0",
-    "ora": "^8.2.0",
+    "@apidevtools/swagger-parser": "^10.1.0",
     "@hono/node-server": "^2.0.4",
+    "better-sqlite3": "^12.10.0",
+    "chalk": "^5.4.0",
+    "commander": "^13.1.0",
+    "drizzle-orm": "^0.44.0",
     "hono": "^4.12.22",
+    "jose": "^6.2.3",
+    "js-yaml": "^4.1.0",
     "lucide-react": "^0.475.0",
+    "ora": "^8.2.0",
+    "pg": "^8.16.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "react-router-dom": "^7.4.0",
     "shiki": "^4.2.0",
-    "drizzle-orm": "^0.44.0",
-    "better-sqlite3": "^12.10.0",
-    "pg": "^8.16.0",
-    "@apidevtools/swagger-parser": "^10.1.0",
     "uuid": "^11.1.0",
     "zod": "^3.24.0"
   },
   "devDependencies": {
     "@tailwindcss/vite": "^4.3.0",
+    "@testcontainers/postgresql": "^11.14.0",
     "@testing-library/dom": "^10.4.0",
     "@testing-library/jest-dom": "^6.6.0",
     "@testing-library/react": "^16.2.0",
@@ -103,10 +105,10 @@
     "openapi-typescript": "^7.13.0",
     "postcss": "^8.5.3",
     "tailwindcss": "^4.0.0",
+    "testcontainers": "11.14.0",
     "tsup": "^8.4.0",
     "tsx": "^4.19.0",
     "typescript": "^5.8.0",
-    "vite": "^6.3.0",
-    "@testcontainers/postgresql": "^11.14.0"
+    "vite": "^6.3.0"
   }
 }