@intx/hub-api 0.1.2

package/src/middleware/git-token-auth.ts

@@ -0,0 +1,315 @@
+import { createHash } from "node:crypto";
+
+import { and, eq } from "drizzle-orm";
+import { createMiddleware } from "hono/factory";
+import type { Context, Env, MiddlewareHandler } from "hono";
+
+import type { DB } from "@intx/db";
+import { parseGitTokenRow } from "@intx/db";
+import { gitToken, principal, tenant } from "@intx/db/schema";
+import { PAT_PREFIX, SVC_PREFIX } from "@intx/hub-common";
+import { getLogger } from "@intx/log";
+import type { RepoAction } from "@intx/hub-sessions";
+
+import type { AppEnv, PrincipalRow, TenantRow } from "../context";
+
+const log = getLogger(["hub", "git-token"]);
+
+const WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
+const WWW_AUTHENTICATE_VALUE = 'Basic realm="Interchange"';
+
+/**
+ * Claims carried on a successfully authenticated git token. These
+ * mirror the typed columns on the `git_token` row but are the only
+ * shape downstream middleware should rely on; the row itself is not
+ * exposed.
+ */
+export type GitTokenClaims = {
+  resource: string;
+  refPattern: string;
+  actions: RepoAction[];
+  expiresAt: Date;
+};
+
+export type GitTokenAuthEnv = Env & {
+  Variables: {
+    principal: PrincipalRow;
+    tenant: TenantRow;
+    "git-token-claims": GitTokenClaims;
+  };
+};
+
+/**
+ * Hono environment for routes mounted under the bearer middleware.
+ * Combines the tenant-resolution variables with the bearer auth
+ * variables so the smart-HTTP route handlers can read
+ * `git-token-claims` straight from `c.get(...)` without an `as` cast.
+ */
+export type TenantGitTokenEnv = Env & {
+  Variables: AppEnv["Variables"] & {
+    tenant: TenantRow;
+    principal: PrincipalRow;
+    "git-token-claims": GitTokenClaims;
+  };
+};
+
+export type CreateGitTokenAuthDeps = {
+  db: DB["db"];
+};
+
+/**
+ * Bearer-token authentication for the smart-HTTP git endpoints.
+ * Parses `Authorization: Basic` (password is the secret; username is
+ * ignored but logged) or `Authorization: Bearer`, validates the
+ * `itx_pat_` / `itx_svc_` prefix shape, hashes the secret with
+ * SHA-256, looks up the matching `git_token` row, and resolves the
+ * principal and tenant before passing to the next middleware.
+ *
+ * On success, the middleware sets `principal`, `tenant`, and
+ * `git-token-claims` on the request context.
+ */
+export function createGitTokenAuth({
+  db,
+}: CreateGitTokenAuthDeps): MiddlewareHandler<GitTokenAuthEnv> {
+  return createMiddleware<GitTokenAuthEnv>(async (c, next) => {
+    const authHeader = c.req.header("authorization");
+    const parsed = parseAuthorizationHeader(authHeader);
+    if (parsed === null) {
+      log.info("git-token auth: missing or unparseable Authorization header");
+      return unauthorized(c, "Authentication required");
+    }
+
+    const { secret, basicUsername } = parsed;
+    if (basicUsername !== null) {
+      log.info(
+        "git-token auth: Basic username received (ignored for gating) {username}",
+        { username: basicUsername },
+      );
+    }
+
+    if (!hasKnownPrefix(secret)) {
+      log.info("git-token auth: malformed token prefix");
+      return unauthorized(c, "Authentication required");
+    }
+
+    const tokenHash = sha256(secret);
+
+    const tokenRowRaw = await db.query.gitToken.findFirst({
+      where: eq(gitToken.tokenHashSha256, tokenHash),
+    });
+
+    if (!tokenRowRaw) {
+      log.info("git-token auth: unknown token");
+      return unauthorized(c, "Authentication required");
+    }
+
+    const tokenRow = parseGitTokenRow(tokenRowRaw);
+
+    if (tokenRow.revokedAt !== null) {
+      log.info("git-token auth: token revoked {tokenId}", {
+        tokenId: tokenRow.id,
+      });
+      return forbidden(c, "token_revoked", "Token has been revoked");
+    }
+
+    const now = new Date();
+    if (tokenRow.expiresAt.getTime() <= now.getTime()) {
+      log.info("git-token auth: token expired {tokenId}", {
+        tokenId: tokenRow.id,
+      });
+      return forbidden(c, "token_expired", "Token has expired");
+    }
+
+    const urlTenantId = c.req.param("tenantId");
+
+    if (tokenRow.tenantId !== null) {
+      if (urlTenantId !== undefined && urlTenantId !== tokenRow.tenantId) {
+        log.info(
+          "git-token auth: tenant mismatch {tokenId} token={tokenTenantId} url={urlTenantId}",
+          {
+            tokenId: tokenRow.id,
+            tokenTenantId: tokenRow.tenantId,
+            urlTenantId,
+          },
+        );
+        return forbidden(
+          c,
+          "tenant_mismatch",
+          "Token is not valid for this tenant",
+        );
+      }
+    }
+
+    const resolvedTenantId =
+      tokenRow.tenantId !== null ? tokenRow.tenantId : urlTenantId;
+    if (resolvedTenantId === undefined) {
+      log.info(
+        "git-token auth: tenant cannot be resolved (token not tenant-bound and URL has no :tenantId) {tokenId}",
+        { tokenId: tokenRow.id },
+      );
+      return forbidden(
+        c,
+        "tenant_mismatch",
+        "Token is not valid for this request",
+      );
+    }
+
+    const tenantRow = await db.query.tenant.findFirst({
+      where: eq(tenant.id, resolvedTenantId),
+    });
+
+    if (!tenantRow) {
+      log.info("git-token auth: tenant not found {tenantId}", {
+        tenantId: resolvedTenantId,
+      });
+      return forbidden(
+        c,
+        "tenant_mismatch",
+        "Token is not valid for this tenant",
+      );
+    }
+
+    const principalRow = await resolvePrincipal(db, tokenRow, resolvedTenantId);
+
+    if (!principalRow) {
+      log.info(
+        "git-token auth: principal not found {tokenId} userId={userId} tenantId={tenantId}",
+        {
+          tokenId: tokenRow.id,
+          userId: tokenRow.userId,
+          tenantId: resolvedTenantId,
+        },
+      );
+      return forbidden(
+        c,
+        "principal_not_found",
+        "No principal is registered for this token in the target tenant",
+      );
+    }
+
+    if (principalRow.status !== "active") {
+      log.info(
+        "git-token auth: principal suspended {principalId} status={status}",
+        {
+          principalId: principalRow.id,
+          status: principalRow.status,
+        },
+      );
+      return forbidden(c, "principal_suspended", "Principal is not active");
+    }
+
+    log.info(
+      "git-token auth: success {tokenId} principal={principalId} tenant={tenantId}",
+      {
+        tokenId: tokenRow.id,
+        principalId: principalRow.id,
+        tenantId: tenantRow.id,
+      },
+    );
+
+    c.set("principal", principalRow);
+    c.set("tenant", tenantRow);
+    c.set("git-token-claims", {
+      resource: tokenRow.resource,
+      refPattern: tokenRow.refPattern,
+      actions: tokenRow.actions,
+      expiresAt: tokenRow.expiresAt,
+    });
+
+    await next();
+  });
+}
+
+type ParsedAuthorization = {
+  secret: string;
+  basicUsername: string | null;
+};
+
+function parseAuthorizationHeader(
+  header: string | undefined,
+): ParsedAuthorization | null {
+  if (header === undefined) return null;
+
+  const trimmed = header.trim();
+  if (trimmed.length === 0) return null;
+
+  const spaceIdx = trimmed.indexOf(" ");
+  if (spaceIdx === -1) return null;
+
+  const scheme = trimmed.slice(0, spaceIdx).toLowerCase();
+  const rest = trimmed.slice(spaceIdx + 1).trim();
+  if (rest.length === 0) return null;
+
+  if (scheme === "bearer") {
+    return { secret: rest, basicUsername: null };
+  }
+
+  if (scheme === "basic") {
+    const decoded = decodeBase64Utf8(rest);
+    if (decoded === null) return null;
+    const colonIdx = decoded.indexOf(":");
+    if (colonIdx === -1) return null;
+    const username = decoded.slice(0, colonIdx);
+    const password = decoded.slice(colonIdx + 1);
+    if (password.length === 0) return null;
+    return { secret: password, basicUsername: username };
+  }
+
+  return null;
+}
+
+function decodeBase64Utf8(input: string): string | null {
+  try {
+    return Buffer.from(input, "base64").toString("utf8");
+  } catch {
+    return null;
+  }
+}
+
+function hasKnownPrefix(secret: string): boolean {
+  return secret.startsWith(PAT_PREFIX) || secret.startsWith(SVC_PREFIX);
+}
+
+function sha256(input: string): Uint8Array {
+  const hash = createHash("sha256");
+  hash.update(input, "utf8");
+  return new Uint8Array(hash.digest());
+}
+
+async function resolvePrincipal(
+  db: DB["db"],
+  tokenRow: ReturnType<typeof parseGitTokenRow>,
+  resolvedTenantId: string,
+): Promise<PrincipalRow | undefined> {
+  if (tokenRow.principalId !== null) {
+    return await db.query.principal.findFirst({
+      where: eq(principal.id, tokenRow.principalId),
+    });
+  }
+
+  return await db.query.principal.findFirst({
+    where: and(
+      eq(principal.tenantId, resolvedTenantId),
+      eq(principal.kind, "user"),
+      eq(principal.refId, tokenRow.userId),
+    ),
+  });
+}
+
+function unauthorized(c: Context, message: string): Response {
+  c.header(WWW_AUTHENTICATE_HEADER, WWW_AUTHENTICATE_VALUE);
+  return c.json({ error: { code: "unauthorized", message } }, 401);
+}
+
+function forbidden(
+  c: Context,
+  code:
+    | "token_revoked"
+    | "token_expired"
+    | "tenant_mismatch"
+    | "principal_not_found"
+    | "principal_suspended",
+  message: string,
+): Response {
+  return c.json({ error: { code, message } }, 403);
+}

package/src/middleware/grant.ts

@@ -0,0 +1,106 @@
+import { createMiddleware } from "hono/factory";
+import type { MiddlewareHandler } from "hono";
+
+import { authorize } from "@intx/authz";
+import { getLogger } from "@intx/log";
+import type { ConditionRegistry, GrantStore } from "@intx/types/authz";
+
+import type { TenantEnv } from "../context";
+
+const log = getLogger(["hub", "middleware", "grant"]);
+
+type ResourceFn = (c: {
+  param: (name: string) => string | undefined;
+}) => string;
+
+/**
+ * Closure-bound grant-check middleware factory returned by
+ * `createRequireGrant`. Returns a Hono middleware that authorizes the
+ * current principal against the given resource and action. The function
+ * form of `resource` is intended to be built with `idResource(...)`.
+ */
+export type RequireGrant = (
+  resource: string | ResourceFn,
+  action: string,
+) => MiddlewareHandler<TenantEnv>;
+
+export type CreateRequireGrantDeps = {
+  grantStore: GrantStore;
+  conditionRegistry: ConditionRegistry;
+};
+
+/**
+ * Builds a `requireGrant` middleware factory bound to the application's
+ * grant store and condition registry. Usage:
+ *
+ *   const requireGrant = createRequireGrant({ grantStore, conditionRegistry });
+ *   app.get("/", requireGrant("agent:*", "read"), handler);
+ */
+export function createRequireGrant({
+  grantStore,
+  conditionRegistry,
+}: CreateRequireGrantDeps): RequireGrant {
+  return function requireGrant(resource, action) {
+    return createMiddleware<TenantEnv>(async (c, next) => {
+      const principal = c.get("principal");
+      const tenant = c.get("tenant");
+
+      const resolvedResource =
+        typeof resource === "function"
+          ? resource({ param: (name) => c.req.param(name) })
+          : resource;
+
+      const result = await authorize(
+        grantStore,
+        principal.id,
+        tenant.id,
+        resolvedResource,
+        action,
+        conditionRegistry,
+      );
+
+      if (result.effect === "allow") {
+        await next();
+        return;
+      }
+
+      log.info(
+        "Authorization denied for {principalId}: {resource} {action} -> {effect}",
+        {
+          principalId: principal.id,
+          resource: resolvedResource,
+          action,
+          effect: result.effect ?? "no_match",
+          resolvedBy: result.resolvedBy?.id ?? null,
+        },
+      );
+
+      return c.json(
+        {
+          error: {
+            code: "forbidden",
+            message: "You do not have permission to perform this action",
+          },
+        },
+        403,
+      );
+    });
+  };
+}
+
+/**
+ * Helper that builds a resource string from a URL parameter.
+ *
+ * Usage:
+ *   requireGrant(idResource("agent", "agentId"), "manage")
+ *   // resolves to "agent:agt_abc123" from the URL
+ */
+export function idResource(
+  resourceType: string,
+  paramName: string,
+): ResourceFn {
+  return (c) => {
+    const id = c.param(paramName);
+    return id ? `${resourceType}:${id}` : `${resourceType}:*`;
+  };
+}

package/src/middleware/session.ts

@@ -0,0 +1,13 @@
+import type { Context, Next } from "hono";
+
+import type { AppEnv } from "../context";
+import type { GetSession } from "../session";
+
+export function createSessionMiddleware(getSession: GetSession) {
+  return async function sessionMiddleware(c: Context<AppEnv>, next: Next) {
+    const result = await getSession(c.req.raw.headers);
+    c.set("user", result?.user ?? null);
+    c.set("session", result?.session ?? null);
+    await next();
+  };
+}

package/src/middleware/tenant.test.ts

@@ -0,0 +1,192 @@
+import { describe, expect, test } from "bun:test";
+import { Hono } from "hono";
+import type { MiddlewareHandler } from "hono";
+
+import type { DB } from "@intx/db";
+
+import type { PrincipalRow, TenantEnv, TenantRow } from "../context";
+import { createResolveTenant } from "./tenant";
+
+const NOW = new Date("2025-01-15T00:00:00Z");
+
+function makeTenant(id: string): TenantRow {
+  return {
+    id,
+    name: `Tenant ${id}`,
+    slug: id,
+    domain: `${id}.example.com`,
+    parentId: null,
+    config: null,
+    createdAt: NOW,
+    updatedAt: NOW,
+  };
+}
+
+function makePrincipal(
+  id: string,
+  tenantId: string,
+  status: PrincipalRow["status"] = "active",
+): PrincipalRow {
+  return {
+    id,
+    tenantId,
+    kind: "user",
+    refId: "user_alice",
+    status,
+    createdAt: NOW,
+    updatedAt: NOW,
+  };
+}
+
+function notImplemented(path: string) {
+  return () => {
+    throw new Error(`mock: ${path} not implemented`);
+  };
+}
+
+type MockDBOpts = {
+  tenant?: TenantRow | undefined;
+  principal?: PrincipalRow | undefined;
+};
+
+function createMockDB(opts: MockDBOpts): DB["db"] {
+  const mock = {
+    query: {
+      tenant: {
+        findFirst: async () => opts.tenant,
+        findMany: notImplemented("db.query.tenant.findMany"),
+      },
+      principal: {
+        findFirst: async () => opts.principal,
+        findMany: notImplemented("db.query.principal.findMany"),
+      },
+    },
+  };
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- drizzle PgDatabase type cannot be structurally satisfied in tests
+  return mock as unknown as DB["db"];
+}
+
+describe("createResolveTenant", () => {
+  test("short-circuits when principal and tenant are already set on context", async () => {
+    const dbMock = {
+      query: {
+        tenant: { findFirst: notImplemented("tenant.findFirst") },
+        principal: { findFirst: notImplemented("principal.findFirst") },
+      },
+    };
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- drizzle PgDatabase type cannot be structurally satisfied in tests
+    const db = dbMock as unknown as DB["db"];
+
+    const tenantRow = makeTenant("ten_a");
+    const principalRow = makePrincipal("prin_1", "ten_a");
+
+    const app = new Hono<TenantEnv>();
+    const preset: MiddlewareHandler<TenantEnv> = async (c, next) => {
+      c.set("tenant", tenantRow);
+      c.set("principal", principalRow);
+      await next();
+    };
+    app.get(
+      "/tenants/:tenantId/probe",
+      preset,
+      createResolveTenant({ db }),
+      (c) => {
+        const t = c.get("tenant");
+        const p = c.get("principal");
+        return c.json({ tenantId: t.id, principalId: p.id });
+      },
+    );
+
+    const res = await app.request("/tenants/ten_a/probe");
+    expect(res.status).toBe(200);
+    const body: unknown = await res.json();
+    expect(body).toEqual({ tenantId: "ten_a", principalId: "prin_1" });
+  });
+
+  test("normal path runs when context is not pre-populated", async () => {
+    const tenantRow = makeTenant("ten_a");
+    const principalRow = makePrincipal("prin_alice", "ten_a");
+    const db = createMockDB({
+      tenant: tenantRow,
+      principal: principalRow,
+    });
+
+    const app = new Hono<TenantEnv>();
+    const setUser: MiddlewareHandler<TenantEnv> = async (c, next) => {
+      c.set("user", {
+        id: "user_alice",
+        createdAt: NOW,
+        updatedAt: NOW,
+        email: "alice@example.com",
+        emailVerified: true,
+        name: "Alice",
+      });
+      c.set("session", null);
+      await next();
+    };
+    app.get(
+      "/tenants/:tenantId/probe",
+      setUser,
+      createResolveTenant({ db }),
+      (c) => {
+        const t = c.get("tenant");
+        const p = c.get("principal");
+        return c.json({ tenantId: t.id, principalId: p.id });
+      },
+    );
+
+    const res = await app.request("/tenants/ten_a/probe");
+    expect(res.status).toBe(200);
+    const body: unknown = await res.json();
+    expect(body).toEqual({ tenantId: "ten_a", principalId: "prin_alice" });
+  });
+
+  test("normal path returns 401 when there is no user", async () => {
+    const db = createMockDB({});
+    const app = new Hono<TenantEnv>();
+    const setNoUser: MiddlewareHandler<TenantEnv> = async (c, next) => {
+      c.set("user", null);
+      c.set("session", null);
+      await next();
+    };
+    app.get(
+      "/tenants/:tenantId/probe",
+      setNoUser,
+      createResolveTenant({ db }),
+      (c) => c.text("ok"),
+    );
+
+    const res = await app.request("/tenants/ten_a/probe");
+    expect(res.status).toBe(401);
+  });
+
+  test("normal path returns 403 when the principal is suspended", async () => {
+    const db = createMockDB({
+      tenant: makeTenant("ten_a"),
+      principal: makePrincipal("prin_alice", "ten_a", "suspended"),
+    });
+
+    const app = new Hono<TenantEnv>();
+    const setUser: MiddlewareHandler<TenantEnv> = async (c, next) => {
+      c.set("user", {
+        id: "user_alice",
+        createdAt: NOW,
+        updatedAt: NOW,
+        email: "alice@example.com",
+        emailVerified: true,
+        name: "Alice",
+      });
+      c.set("session", null);
+      await next();
+    };
+    app.get(
+      "/tenants/:tenantId/probe",
+      setUser,
+      createResolveTenant({ db }),
+      (c) => c.text("ok"),
+    );
+
+    const res = await app.request("/tenants/ten_a/probe");
+    expect(res.status).toBe(403);
+  });
+});