@johpaz/hive-core 1.0.7 → 1.0.10

package/src/security/pairing.test.ts

@@ -0,0 +1,302 @@
+import { describe, it, expect, beforeEach, vi } from "bun:test";
+import { PairingService, type PairingCode } from "./pairing.ts";
+import { eventBus } from "../events/event-bus.ts";
+
+describe("PairingService", () => {
+  let service: PairingService;
+
+  beforeEach(() => {
+    service = new PairingService({ expirationMs: 1000 });
+    eventBus.removeAllListeners();
+  });
+
+  describe("generateCode", () => {
+    it("should generate unique codes", () => {
+      const code1 = service.generateCode("telegram", "user1");
+      const code2 = service.generateCode("telegram", "user2");
+
+      expect(code1).not.toBe(code2);
+      expect(code1.length).toBe(8);
+    });
+
+    it("should generate uppercase hex codes", () => {
+      const code = service.generateCode("telegram", "user1");
+      expect(/^[A-F0-9]+$/.test(code)).toBe(true);
+    });
+
+    it("should emit pairing:requested event", () => {
+      const handler = vi.fn();
+      eventBus.on("pairing:requested", handler);
+
+      service.generateCode("telegram", "user1");
+
+      expect(handler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          channel: "telegram",
+          userId: "user1",
+          code: expect.any(String),
+        })
+      );
+    });
+  });
+
+  describe("validateCode", () => {
+    it("should return code record for valid code", () => {
+      const code = service.generateCode("telegram", "user1");
+      const record = service.validateCode(code);
+
+      expect(record).toBeDefined();
+      expect(record?.channel).toBe("telegram");
+      expect(record?.userId).toBe("user1");
+    });
+
+    it("should return null for invalid code", () => {
+      expect(service.validateCode("invalid")).toBeNull();
+    });
+
+    it("should return null for expired code", async () => {
+      const code = service.generateCode("telegram", "user1");
+
+      await new Promise((r) => setTimeout(r, 1100));
+
+      expect(service.validateCode(code)).toBeNull();
+    });
+
+    it("should emit pairing:expired event for expired code", async () => {
+      const handler = vi.fn();
+      eventBus.on("pairing:expired", handler);
+
+      const code = service.generateCode("telegram", "user1");
+
+      await new Promise((r) => setTimeout(r, 1100));
+
+      service.validateCode(code);
+
+      expect(handler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          code,
+          channel: "telegram",
+          userId: "user1",
+        })
+      );
+    });
+  });
+
+  describe("approve", () => {
+    it("should approve valid code", () => {
+      const code = service.generateCode("telegram", "user1");
+      const result = service.approve(code);
+
+      expect(result.success).toBe(true);
+      expect(service.isAllowed("telegram", "user1")).toBe(true);
+    });
+
+    it("should fail for invalid code", () => {
+      const result = service.approve("invalid");
+
+      expect(result.success).toBe(false);
+      expect(result.error).toContain("Invalid or expired");
+    });
+
+    it("should fail for expired code", async () => {
+      const code = service.generateCode("telegram", "user1");
+
+      await new Promise((r) => setTimeout(r, 1100));
+
+      const result = service.approve(code);
+      expect(result.success).toBe(false);
+    });
+
+    it("should emit pairing:approved event", () => {
+      const handler = vi.fn();
+      eventBus.on("pairing:approved", handler);
+
+      const code = service.generateCode("telegram", "user1");
+      service.approve(code);
+
+      expect(handler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          channel: "telegram",
+          userId: "user1",
+        })
+      );
+    });
+
+    it("should delete code after approval", () => {
+      const code = service.generateCode("telegram", "user1");
+      service.approve(code);
+
+      const result = service.approve(code);
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe("reject", () => {
+    it("should reject pending code", () => {
+      const code = service.generateCode("telegram", "user1");
+      const result = service.reject(code, "Blocked");
+
+      expect(result).toBe(true);
+      expect(service.validateCode(code)).toBeNull();
+    });
+
+    it("should emit pairing:rejected event", () => {
+      const handler = vi.fn();
+      eventBus.on("pairing:rejected", handler);
+
+      const code = service.generateCode("telegram", "user1");
+      service.reject(code, "Blocked");
+
+      expect(handler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          channel: "telegram",
+          userId: "user1",
+          reason: "Blocked",
+        })
+      );
+    });
+
+    it("should return false for invalid code", () => {
+      expect(service.reject("invalid", "reason")).toBe(false);
+    });
+  });
+
+  describe("attempt", () => {
+    it("should increment attempt count", () => {
+      const code = service.generateCode("telegram", "user1");
+
+      service.attempt(code);
+      service.attempt(code);
+
+      const pending = service.listPending();
+      const record = pending.find((p) => p.code === code);
+      expect(record?.attempts).toBe(2);
+    });
+
+    it("should delete code after max attempts", () => {
+      const serviceWithLowAttempts = new PairingService({
+        expirationMs: 60000,
+        maxAttempts: 2,
+      });
+
+      const code = serviceWithLowAttempts.generateCode("telegram", "user1");
+
+      serviceWithLowAttempts.attempt(code);
+      const result = serviceWithLowAttempts.attempt(code);
+
+      expect(result).toBe(false);
+      expect(serviceWithLowAttempts.validateCode(code)).toBeNull();
+    });
+  });
+
+  describe("isAllowed", () => {
+    it("should return false for non-approved user", () => {
+      expect(service.isAllowed("telegram", "user1")).toBe(false);
+    });
+
+    it("should return true for approved user", () => {
+      const code = service.generateCode("telegram", "user1");
+      service.approve(code);
+
+      expect(service.isAllowed("telegram", "user1")).toBe(true);
+    });
+
+    it("should work per channel", () => {
+      const code = service.generateCode("telegram", "user1");
+      service.approve(code);
+
+      expect(service.isAllowed("telegram", "user1")).toBe(true);
+      expect(service.isAllowed("discord", "user1")).toBe(false);
+    });
+  });
+
+  describe("removeFromAllowlist", () => {
+    it("should remove user from allowlist", () => {
+      const code = service.generateCode("telegram", "user1");
+      service.approve(code);
+
+      const result = service.removeFromAllowlist("telegram", "user1");
+
+      expect(result).toBe(true);
+      expect(service.isAllowed("telegram", "user1")).toBe(false);
+    });
+
+    it("should return false if user not in allowlist", () => {
+      expect(service.removeFromAllowlist("telegram", "unknown")).toBe(false);
+    });
+  });
+
+  describe("listAllowed", () => {
+    it("should list all allowed users", () => {
+      const code1 = service.generateCode("telegram", "user1");
+      const code2 = service.generateCode("discord", "user2");
+      service.approve(code1);
+      service.approve(code2);
+
+      const list = service.listAllowed();
+
+      expect(list.length).toBe(2);
+      expect(list).toContainEqual({ channel: "telegram", userId: "user1" });
+      expect(list).toContainEqual({ channel: "discord", userId: "user2" });
+    });
+
+    it("should filter by channel", () => {
+      const code1 = service.generateCode("telegram", "user1");
+      const code2 = service.generateCode("discord", "user2");
+      service.approve(code1);
+      service.approve(code2);
+
+      const list = service.listAllowed("telegram");
+
+      expect(list.length).toBe(1);
+      expect(list[0]).toEqual({ channel: "telegram", userId: "user1" });
+    });
+  });
+
+  describe("listPending", () => {
+    it("should list pending codes", () => {
+      service.generateCode("telegram", "user1");
+      service.generateCode("discord", "user2");
+
+      const pending = service.listPending();
+
+      expect(pending.length).toBe(2);
+    });
+
+    it("should not include expired codes", async () => {
+      service.generateCode("telegram", "user1");
+
+      await new Promise((r) => setTimeout(r, 1100));
+
+      const pending = service.listPending();
+      expect(pending.length).toBe(0);
+    });
+  });
+
+  describe("getStats", () => {
+    it("should return correct stats", () => {
+      const code1 = service.generateCode("telegram", "user1");
+      service.approve(code1);
+      service.generateCode("discord", "user2");
+
+      const stats = service.getStats();
+
+      expect(stats.pendingCodes).toBe(1);
+      expect(stats.totalAllowlist).toBe(1);
+      expect(stats.byChannel.telegram.allowed).toBe(1);
+      expect(stats.byChannel.discord.pending).toBe(1);
+    });
+  });
+
+  describe("clear", () => {
+    it("should clear all data", () => {
+      const code = service.generateCode("telegram", "user1");
+      service.approve(code);
+
+      service.clear();
+
+      expect(service.listPending().length).toBe(0);
+      expect(service.listAllowed().length).toBe(0);
+    });
+  });
+});

package/src/security/pairing.ts

@@ -0,0 +1,250 @@
+import crypto from "crypto";
+import { eventBus } from "../events/event-bus.ts";
+import { logger } from "../utils/logger.ts";
+
+export interface PairingCode {
+  code: string;
+  channel: string;
+  userId: string;
+  createdAt: number;
+  expiresAt: number;
+  attempts: number;
+}
+
+export interface PairingConfig {
+  codeLength?: number;
+  expirationMs?: number;
+  maxAttempts?: number;
+}
+
+export interface PairingStats {
+  pendingCodes: number;
+  totalAllowlist: number;
+  byChannel: Record<string, { pending: number; allowed: number }>;
+}
+
+export class PairingService {
+  private codes: Map<string, PairingCode> = new Map();
+  private allowlist: Map<string, Set<string>> = new Map();
+  private config: Required<PairingConfig>;
+  private log = logger.child("pairing");
+
+  constructor(config: PairingConfig = {}) {
+    this.config = {
+      codeLength: config.codeLength ?? 8,
+      expirationMs: config.expirationMs ?? 10 * 60 * 1000,
+      maxAttempts: config.maxAttempts ?? 3,
+    };
+
+    this.startCleanup();
+  }
+
+  generateCode(channel: string, userId: string): string {
+    this.cleanup();
+
+    const code = this.generateSecureCode();
+    const now = Date.now();
+
+    const record: PairingCode = {
+      code,
+      channel,
+      userId,
+      createdAt: now,
+      expiresAt: now + this.config.expirationMs,
+      attempts: 0,
+    };
+
+    this.codes.set(code, record);
+
+    this.log.info(`Generated pairing code for ${channel}:${userId}`);
+
+    eventBus.emit("pairing:requested", {
+      channel,
+      userId,
+      code,
+      expiresAt: record.expiresAt,
+    });
+
+    return code;
+  }
+
+  validateCode(code: string): PairingCode | null {
+    const record = this.codes.get(code);
+    if (!record) return null;
+
+    if (Date.now() > record.expiresAt) {
+      this.codes.delete(code);
+      eventBus.emit("pairing:expired", {
+        code,
+        channel: record.channel,
+        userId: record.userId,
+      });
+      return null;
+    }
+
+    return record;
+  }
+
+  approve(code: string): { success: boolean; error?: string } {
+    const record = this.validateCode(code);
+    if (!record) {
+      return { success: false, error: "Invalid or expired code" };
+    }
+
+    if (!this.allowlist.has(record.channel)) {
+      this.allowlist.set(record.channel, new Set());
+    }
+    this.allowlist.get(record.channel)!.add(record.userId);
+
+    this.codes.delete(code);
+
+    this.log.info(`Approved pairing for ${record.channel}:${record.userId}`);
+
+    eventBus.emit("pairing:approved", {
+      channel: record.channel,
+      userId: record.userId,
+    });
+
+    return { success: true };
+  }
+
+  reject(code: string, reason: string): boolean {
+    const record = this.codes.get(code);
+    if (!record) return false;
+
+    this.codes.delete(code);
+
+    this.log.info(`Rejected pairing for ${record.channel}:${record.userId}: ${reason}`);
+
+    eventBus.emit("pairing:rejected", {
+      channel: record.channel,
+      userId: record.userId,
+      reason,
+    });
+
+    return true;
+  }
+
+  attempt(code: string): boolean {
+    const record = this.codes.get(code);
+    if (!record) return false;
+
+    record.attempts++;
+
+    if (record.attempts >= this.config.maxAttempts) {
+      this.codes.delete(code);
+      this.log.warn(`Code ${code} exhausted attempts`);
+      return false;
+    }
+
+    return true;
+  }
+
+  isAllowed(channel: string, userId: string): boolean {
+    const channelAllowlist = this.allowlist.get(channel);
+    return channelAllowlist?.has(userId) ?? false;
+  }
+
+  removeFromAllowlist(channel: string, userId: string): boolean {
+    const channelAllowlist = this.allowlist.get(channel);
+    if (!channelAllowlist) return false;
+
+    const removed = channelAllowlist.delete(userId);
+
+    if (channelAllowlist.size === 0) {
+      this.allowlist.delete(channel);
+    }
+
+    if (removed) {
+      this.log.info(`Removed ${userId} from allowlist for ${channel}`);
+    }
+
+    return removed;
+  }
+
+  listAllowed(channel?: string): { channel: string; userId: string }[] {
+    const result: { channel: string; userId: string }[] = [];
+
+    if (channel) {
+      const channelAllowlist = this.allowlist.get(channel);
+      if (channelAllowlist) {
+        for (const userId of channelAllowlist) {
+          result.push({ channel, userId });
+        }
+      }
+    } else {
+      for (const [ch, users] of this.allowlist) {
+        for (const userId of users) {
+          result.push({ channel: ch, userId });
+        }
+      }
+    }
+
+    return result;
+  }
+
+  listPending(): PairingCode[] {
+    this.cleanup();
+    return Array.from(this.codes.values());
+  }
+
+  getStats(): PairingStats {
+    const byChannel: Record<string, { pending: number; allowed: number }> = {};
+
+    for (const [channel, users] of this.allowlist) {
+      byChannel[channel] = {
+        pending: 0,
+        allowed: users.size,
+      };
+    }
+
+    for (const record of this.codes.values()) {
+      if (!byChannel[record.channel]) {
+        byChannel[record.channel] = { pending: 0, allowed: 0 };
+      }
+      byChannel[record.channel]!.pending++;
+    }
+
+    return {
+      pendingCodes: this.codes.size,
+      totalAllowlist: Array.from(this.allowlist.values()).reduce(
+        (sum, set) => sum + set.size,
+        0
+      ),
+      byChannel,
+    };
+  }
+
+  clear(): void {
+    this.codes.clear();
+    this.allowlist.clear();
+    this.log.info("All pairing data cleared");
+  }
+
+  private generateSecureCode(): string {
+    const bytes = crypto.randomBytes(Math.ceil(this.config.codeLength / 2));
+    return bytes.toString("hex").toUpperCase().slice(0, this.config.codeLength);
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [code, record] of this.codes) {
+      if (now > record.expiresAt) {
+        this.codes.delete(code);
+        eventBus.emit("pairing:expired", {
+          code,
+          channel: record.channel,
+          userId: record.userId,
+        });
+      }
+    }
+  }
+
+  private startCleanup(): void {
+    setInterval(() => {
+      this.cleanup();
+    }, 60 * 1000);
+  }
+}
+
+export const pairingService = new PairingService();