@juspay/neurolink 9.31.1 → 9.32.0

package/dist/lib/auth/sessionManager.js

@@ -0,0 +1,438 @@
+// src/lib/auth/sessionManager.ts
+import { logger } from "../utils/logger.js";
+/** Mask an identifier for safe logging: show first 4 chars + "***" */
+function maskId(id) {
+    if (id.length <= 4) {
+        return "***";
+    }
+    return `${id.slice(0, 4)}***`;
+}
+/**
+ * In-memory session storage
+ *
+ * Simple session storage using Map. Suitable for single-instance deployments
+ * or development. Sessions are lost on restart.
+ */
+export class MemorySessionStorage {
+    sessions = new Map();
+    userSessions = new Map();
+    async get(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            return null;
+        }
+        // Check expiration
+        if (session.expiresAt && new Date() > session.expiresAt) {
+            await this.delete(sessionId);
+            return null;
+        }
+        return session;
+    }
+    async set(session) {
+        this.sessions.set(session.id, session);
+        // Track user's sessions
+        if (!this.userSessions.has(session.user.id)) {
+            this.userSessions.set(session.user.id, new Set());
+        }
+        this.userSessions.get(session.user.id).add(session.id);
+    }
+    async delete(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (session) {
+            const userSessionSet = this.userSessions.get(session.user.id);
+            if (userSessionSet) {
+                userSessionSet.delete(sessionId);
+                if (userSessionSet.size === 0) {
+                    this.userSessions.delete(session.user.id);
+                }
+            }
+            this.sessions.delete(sessionId);
+        }
+    }
+    async getUserSessions(userId) {
+        const sessionIds = this.userSessions.get(userId);
+        if (!sessionIds) {
+            return [];
+        }
+        const sessions = [];
+        for (const sessionId of sessionIds) {
+            const session = await this.get(sessionId);
+            if (session) {
+                sessions.push(session);
+            }
+        }
+        return sessions;
+    }
+    async deleteUserSessions(userId) {
+        const sessionIds = this.userSessions.get(userId);
+        if (sessionIds) {
+            for (const sessionId of sessionIds) {
+                this.sessions.delete(sessionId);
+            }
+            this.userSessions.delete(userId);
+        }
+    }
+    async clear() {
+        this.sessions.clear();
+        this.userSessions.clear();
+    }
+    async isHealthy() {
+        return true;
+    }
+}
+/**
+ * Redis session storage
+ *
+ * Distributed session storage using Redis. Suitable for multi-instance
+ * deployments. Requires ioredis or similar Redis client.
+ *
+ * Note: Redis client must be provided or configured via environment.
+ */
+export class RedisSessionStorage {
+    prefix;
+    ttl;
+    redisUrl;
+    client = null;
+    initPromise = null;
+    constructor(config) {
+        this.redisUrl = config.url;
+        this.prefix = config.prefix || "neurolink:sessions:";
+        this.ttl = config.ttl || 3600;
+    }
+    async getClient() {
+        if (this.client) {
+            return this.client;
+        }
+        if (!this.initPromise) {
+            this.initPromise = this.createClient();
+        }
+        return this.initPromise;
+    }
+    async createClient() {
+        try {
+            // Use variable indirection to prevent TypeScript from resolving the module at compile time
+            const moduleName = "ioredis";
+            const ioredis = await import(/* @vite-ignore */ moduleName);
+            const Redis = ioredis.default || ioredis.Redis;
+            this.client = new Redis(this.redisUrl);
+            return this.client;
+        }
+        catch {
+            this.initPromise = null;
+            logger.error('Redis client (ioredis) not available. Install ioredis package and ensure Redis is reachable when using storage: "redis".');
+            throw new Error("Redis client not available");
+        }
+    }
+    sessionKey(sessionId) {
+        return `${this.prefix}${sessionId}`;
+    }
+    userSessionsKey(userId) {
+        return `${this.prefix}user:${userId}`;
+    }
+    async get(sessionId) {
+        try {
+            const client = await this.getClient();
+            const data = await client.get(this.sessionKey(sessionId));
+            if (!data) {
+                return null;
+            }
+            const session = JSON.parse(data);
+            // Parse dates
+            session.createdAt = new Date(session.createdAt);
+            if (session.expiresAt !== null && session.expiresAt !== undefined) {
+                session.expiresAt = new Date(session.expiresAt);
+            }
+            // Check expiration
+            if (new Date() > session.expiresAt) {
+                await this.delete(sessionId);
+                return null;
+            }
+            return session;
+        }
+        catch (error) {
+            logger.error("Redis session get error:", error);
+            return null;
+        }
+    }
+    async set(session) {
+        try {
+            const client = await this.getClient();
+            // Calculate TTL from session expiration
+            const ttlSeconds = session.expiresAt
+                ? Math.max(1, Math.floor((session.expiresAt.getTime() - Date.now()) / 1000))
+                : this.ttl;
+            // Store session
+            await client.setex(this.sessionKey(session.id), ttlSeconds, JSON.stringify(session));
+            // Track user's sessions
+            await client.sadd(this.userSessionsKey(session.user.id), session.id);
+            await client.expire(this.userSessionsKey(session.user.id), this.ttl);
+        }
+        catch (error) {
+            logger.error("Redis session set error:", error);
+            throw error;
+        }
+    }
+    async delete(sessionId) {
+        try {
+            const client = await this.getClient();
+            // Read the raw session data directly instead of calling this.get(),
+            // which checks expiration and calls this.delete() — causing infinite
+            // recursion for expired sessions.
+            const data = await client.get(this.sessionKey(sessionId));
+            if (data) {
+                try {
+                    const session = JSON.parse(data);
+                    await client.srem(this.userSessionsKey(session.user.id), sessionId);
+                }
+                catch {
+                    // If parsing fails, we still delete the key below
+                    logger.warn(`Failed to parse session data for cleanup: ${maskId(sessionId)}`);
+                }
+            }
+            await client.del(this.sessionKey(sessionId));
+        }
+        catch (error) {
+            logger.error("Redis session delete error:", error);
+        }
+    }
+    async getUserSessions(userId) {
+        try {
+            const client = await this.getClient();
+            const sessionIds = await client.smembers(this.userSessionsKey(userId));
+            const sessions = [];
+            for (const sessionId of sessionIds) {
+                const session = await this.get(sessionId);
+                if (session) {
+                    sessions.push(session);
+                }
+            }
+            return sessions;
+        }
+        catch (error) {
+            logger.error("Redis getUserSessions error:", error);
+            return [];
+        }
+    }
+    async deleteUserSessions(userId) {
+        try {
+            const client = await this.getClient();
+            const sessionIds = await client.smembers(this.userSessionsKey(userId));
+            for (const sessionId of sessionIds) {
+                await client.del(this.sessionKey(sessionId));
+            }
+            await client.del(this.userSessionsKey(userId));
+        }
+        catch (error) {
+            logger.error("Redis deleteUserSessions error:", error);
+        }
+    }
+    async clear() {
+        try {
+            const client = await this.getClient();
+            // Use SCAN instead of KEYS to avoid blocking Redis in production
+            let cursor = "0";
+            do {
+                const [nextCursor, keys] = await client.scan(cursor, "MATCH", `${this.prefix}*`, "COUNT", "100");
+                cursor = nextCursor;
+                if (keys.length > 0) {
+                    await client.del(...keys);
+                }
+            } while (cursor !== "0");
+        }
+        catch (error) {
+            logger.error("Redis clear error:", error);
+        }
+    }
+    async isHealthy() {
+        try {
+            const client = await this.getClient();
+            const pong = await client.ping();
+            return pong === "PONG";
+        }
+        catch {
+            return false;
+        }
+    }
+    async disconnect() {
+        if (this.client) {
+            await this.client.quit();
+            this.client = null;
+            this.initPromise = null;
+        }
+    }
+}
+/**
+ * Session Manager
+ *
+ * High-level session management that handles session lifecycle,
+ * automatic refresh, and storage abstraction.
+ */
+export class SessionManager {
+    storage;
+    config;
+    constructor(config = {}) {
+        this.config = {
+            ...config,
+            duration: config.duration || 3600,
+            autoRefresh: config.autoRefresh ?? true,
+            refreshThreshold: config.refreshThreshold || 300,
+            storage: config.storage || "memory",
+        };
+        // Initialize storage based on config
+        this.storage = this.createStorage();
+    }
+    createStorage() {
+        switch (this.config.storage) {
+            case "redis":
+                if (!this.config.redis?.url) {
+                    logger.warn("Redis URL not provided, falling back to memory storage");
+                    return new MemorySessionStorage();
+                }
+                return new RedisSessionStorage({
+                    url: this.config.redis.url,
+                    prefix: this.config.redis.prefix,
+                    ttl: this.config.redis.ttl || this.config.duration,
+                });
+            case "memory":
+            default:
+                return new MemorySessionStorage();
+        }
+    }
+    /**
+     * Create a new session
+     */
+    async createSession(user, metadata) {
+        const sessionId = crypto.randomUUID();
+        const now = new Date();
+        const duration = this.config.duration || 3600;
+        const session = {
+            id: sessionId,
+            user,
+            createdAt: now,
+            expiresAt: new Date(now.getTime() + duration * 1000),
+            isValid: true,
+            ipAddress: metadata?.ipAddress,
+            userAgent: metadata?.userAgent,
+            deviceId: metadata?.deviceId,
+        };
+        await this.storage.set(session);
+        logger.debug(`Session created: ${maskId(sessionId)} for user: ${maskId(user.id)}`);
+        return session;
+    }
+    /**
+     * Get a session by ID
+     *
+     * Optionally auto-refreshes if close to expiration.
+     */
+    async getSession(sessionId, autoRefresh = this.config.autoRefresh) {
+        const session = await this.storage.get(sessionId);
+        if (!session) {
+            return null;
+        }
+        // Auto-refresh if close to expiration
+        if (autoRefresh && this.shouldRefresh(session)) {
+            return this.refreshSession(sessionId);
+        }
+        return session;
+    }
+    /**
+     * Check if session should be refreshed
+     */
+    shouldRefresh(session) {
+        if (!session.expiresAt) {
+            return false;
+        }
+        const threshold = this.config.refreshThreshold || 300;
+        const timeUntilExpiry = (session.expiresAt.getTime() - Date.now()) / 1000;
+        return timeUntilExpiry < threshold;
+    }
+    /**
+     * Refresh a session
+     */
+    async refreshSession(sessionId) {
+        const session = await this.storage.get(sessionId);
+        if (!session) {
+            return null;
+        }
+        const duration = this.config.duration || 3600;
+        session.expiresAt = new Date(Date.now() + duration * 1000);
+        await this.storage.set(session);
+        logger.debug(`Session refreshed: ${maskId(sessionId)}`);
+        return session;
+    }
+    /**
+     * Destroy a session
+     */
+    async destroySession(sessionId) {
+        await this.storage.delete(sessionId);
+        logger.debug(`Session destroyed: ${maskId(sessionId)}`);
+    }
+    /**
+     * Get all sessions for a user
+     */
+    async getUserSessions(userId) {
+        return this.storage.getUserSessions(userId);
+    }
+    /**
+     * Destroy all sessions for a user (global logout)
+     */
+    async destroyAllUserSessions(userId) {
+        await this.storage.deleteUserSessions(userId);
+        logger.debug(`All sessions destroyed for user: ${maskId(userId)}`);
+    }
+    /**
+     * Validate a session is still active
+     */
+    async validateSession(sessionId) {
+        const session = await this.storage.get(sessionId);
+        return session !== null && session.isValid;
+    }
+    /**
+     * Update session metadata
+     */
+    async updateSessionMetadata(sessionId, metadata) {
+        const session = await this.storage.get(sessionId);
+        if (!session) {
+            return null;
+        }
+        session.metadata = {
+            ...session.metadata,
+            ...metadata,
+        };
+        await this.storage.set(session);
+        return session;
+    }
+    /**
+     * Health check
+     */
+    async isHealthy() {
+        return this.storage.isHealthy();
+    }
+    /**
+     * Clear all sessions (for testing/cleanup)
+     */
+    async clear() {
+        await this.storage.clear();
+    }
+}
+/**
+ * Create session storage based on configuration
+ */
+export function createSessionStorage(config) {
+    switch (config.storage) {
+        case "redis":
+            if (!config.redis?.url) {
+                logger.warn("Redis URL not provided, falling back to memory storage");
+                return new MemorySessionStorage();
+            }
+            return new RedisSessionStorage({
+                url: config.redis.url,
+                prefix: config.redis.prefix,
+                ttl: config.redis.ttl || config.duration,
+            });
+        case "memory":
+        default:
+            return new MemorySessionStorage();
+    }
+}
+//# sourceMappingURL=sessionManager.js.map

package/dist/lib/core/infrastructure/baseRegistry.d.ts

@@ -10,7 +10,9 @@ export declare abstract class BaseRegistry<TItem, TMetadata = unknown> {
     protected initPromise: Promise<void> | null;
     protected abstract registerAll(): Promise<void>;
     ensureInitialized(): Promise<void>;
-    register(id: string, factory: () => Promise<TItem>, metadata: TMetadata): void;
+    register(id: string, factory: () => Promise<TItem>, aliases?: string[], options?: {
+        metadata: TMetadata;
+    }): void;
     get(id: string): Promise<TItem | undefined>;
     has(id: string): boolean;
     list(): Array<{

package/dist/lib/core/infrastructure/baseRegistry.js

@@ -14,8 +14,12 @@ export class BaseRegistry {
         await this.initPromise;
         this.initialized = true;
     }
-    register(id, factory, metadata) {
+    register(id, factory, aliases = [], options) {
+        const metadata = options?.metadata ?? {};
         this.items.set(id, { factory, metadata });
+        for (const alias of aliases) {
+            this.items.set(alias.toLowerCase(), { factory, metadata });
+        }
         logger.debug(`Registered ${id} in registry`);
     }
     async get(id) {

package/dist/lib/index.d.ts

@@ -374,3 +374,4 @@ export { RAGASEvaluator } from "./evaluation/ragasEvaluator.js";
 export { RetryManager } from "./evaluation/retryManager.js";
 export { mapToEvaluationData } from "./evaluation/scoring.js";
 export type { EnhancedConversationTurn, EnhancedEvaluationContext, EvaluationConfig, EvaluationResult, GetPromptFunction, QualityErrorDetails, QueryIntentAnalysis, } from "./types/evaluationTypes.js";
+export { AuthProviderFactory, createAuthProvider, AuthProviderRegistry, AuthError as AuthErrorFactory, AuthErrorCodes, BaseAuthProvider, InMemorySessionStorage, AuthProviderError, createAuthMiddleware as createAuthProviderMiddleware, createRBACMiddleware, createProtectedMiddleware, createExpressAuthMiddleware, createRequestContext, extractToken, AuthMiddlewareError, AuthMiddlewareErrorCodes, type MiddlewareHandler as AuthMiddlewareHandler, type MiddlewareResult, type NextFunction, type ExpressMiddleware, UserRateLimiter, MemoryRateLimitStorage, RedisRateLimitStorage, createRateLimitByUserMiddleware, createAuthenticatedRateLimitMiddleware, createRateLimitStorage, type RateLimitConfig as AuthRateLimitConfig, type RateLimitResult, type RateLimitMiddlewareResult, type RateLimitStorage, SessionManager, MemorySessionStorage, RedisSessionStorage, createSessionStorage, type SessionStorageInterface, AuthContextHolder, globalAuthContext, getAuthContext, getCurrentUser, getCurrentSession, isAuthenticated, hasRole, hasAnyRole, hasPermission, hasAllPermissions, requireAuth, requireRole, requirePermission, requireUser, runWithAuthContext, createAuthenticatedContext, RequestContext, NEUROLINK_RESOURCE_ID_KEY, NEUROLINK_THREAD_ID_KEY, createAuthValidatorFromProvider, } from "./auth/index.js";

package/dist/lib/index.js

@@ -509,4 +509,29 @@ export { PromptBuilder } from "./evaluation/prompts.js";
 export { RAGASEvaluator } from "./evaluation/ragasEvaluator.js";
 export { RetryManager } from "./evaluation/retryManager.js";
 export { mapToEvaluationData } from "./evaluation/scoring.js";
+// ============================================================================
+// AUTHENTICATION PROVIDERS - Multi-provider Auth Integration
+// ============================================================================
+// Single-sourced from ./auth/index.js.  Only aliases that differ from the
+// canonical export name are listed explicitly; everything else is re-exported
+// as-is.
+export { 
+// Factory & Registry
+AuthProviderFactory, createAuthProvider, AuthProviderRegistry, 
+// Unified error factory
+AuthError as AuthErrorFactory, AuthErrorCodes, 
+// Base Provider
+BaseAuthProvider, InMemorySessionStorage, AuthProviderError, 
+// Auth Middleware (aliased to avoid conflict with server createAuthMiddleware)
+createAuthMiddleware as createAuthProviderMiddleware, createRBACMiddleware, createProtectedMiddleware, createExpressAuthMiddleware, createRequestContext, extractToken, AuthMiddlewareError, AuthMiddlewareErrorCodes, 
+// Rate Limiting Middleware
+UserRateLimiter, MemoryRateLimitStorage, RedisRateLimitStorage, createRateLimitByUserMiddleware, createAuthenticatedRateLimitMiddleware, createRateLimitStorage, 
+// Session Management
+SessionManager, MemorySessionStorage, RedisSessionStorage, createSessionStorage, 
+// Auth Context
+AuthContextHolder, globalAuthContext, getAuthContext, getCurrentUser, getCurrentSession, isAuthenticated, hasRole, hasAnyRole, hasPermission, hasAllPermissions, requireAuth, requireRole, requirePermission, requireUser, runWithAuthContext, createAuthenticatedContext, 
+// Request Context
+RequestContext, NEUROLINK_RESOURCE_ID_KEY, NEUROLINK_THREAD_ID_KEY, 
+// Server Bridge
+createAuthValidatorFromProvider, } from "./auth/index.js";
 //# sourceMappingURL=index.js.map

package/dist/lib/mcp/toolRegistry.js

@@ -11,6 +11,7 @@ import { detectCategory, createMCPServerInfo } from "../utils/mcpDefaults.js";
 import { FlexibleToolValidator } from "./flexibleToolValidator.js";
 import { HITLUserRejectedError, HITLTimeoutError } from "../hitl/hitlErrors.js";
 import { withSpan, tracers, ATTR } from "../telemetry/index.js";
+import { getAuthContext } from "../auth/authContext.js";
 export class MCPToolRegistry extends MCPRegistry {
     tools = new Map();
     toolImplementations = new Map(); // Store actual tool implementations
@@ -290,11 +291,20 @@ export class MCPToolRegistry extends MCPRegistry {
                         : "mcp";
                 span.setAttribute("tool.type", toolType);
                 span.setAttribute(ATTR.MCP_SERVER_ID, serverId);
+                // Try to get auth context if available
+                let authUserId;
+                try {
+                    const authCtx = getAuthContext();
+                    authUserId = authCtx?.user?.id;
+                }
+                catch {
+                    // Auth context not available — that's fine
+                }
                 // Create execution context if not provided
                 const execContext = {
                     ...context,
                     sessionId: context?.sessionId ?? randomUUID(),
-                    userId: context?.userId,
+                    userId: context?.userId ?? authUserId,
                 };
                 // Get the tool implementation using the resolved toolId
                 const toolImpl = this.toolImplementations.get(toolId);

package/dist/lib/neurolink.d.ts

@@ -14,7 +14,8 @@ import { MCPToolRegistry } from "./mcp/toolRegistry.js";
 import type { MetricsSummary, TraceView } from "./observability/metricsAggregator.js";
 import type { SpanData } from "./observability/types/spanTypes.js";
 import type { JsonObject, NeuroLinkEvents, TypedEventEmitter } from "./types/common.js";
-import type { MCPEnhancementsConfig, NeurolinkConstructorConfig } from "./types/configTypes.js";
+import type { AuthenticatedContext, MastraAuthProvider } from "./types/authTypes.js";
+import type { MCPEnhancementsConfig, NeuroLinkAuthConfig, NeurolinkConstructorConfig } from "./types/configTypes.js";
 import type { ChatMessage } from "./types/conversation.js";
 import type { ExternalMCPOperationResult, ExternalMCPServerInstance, ExternalMCPToolInfo } from "./types/externalMcp.js";
 import type { GenerateOptions, GenerateResult } from "./types/generateTypes.js";
@@ -64,6 +65,9 @@ export declare class NeuroLink {
     private conversationMemoryNeedsInit;
     private conversationMemoryConfig?;
     private enableOrchestration;
+    private authProvider?;
+    private pendingAuthConfig?;
+    private authInitPromise?;
     private hitlManager?;
     private _sessionCostUsd;
     private fileRegistry;
@@ -1664,6 +1668,43 @@ export declare class NeuroLink {
      * Check if a session needs compaction.
      */
     needsCompaction(sessionId: string, provider?: string, model?: string): boolean;
+    /**
+     * Set the authentication provider for the NeuroLink instance
+     *
+     * @param config - Auth provider or configuration to create one
+     */
+    setAuthProvider(config: NeuroLinkAuthConfig): Promise<void>;
+    /**
+     * Get the currently configured authentication provider
+     */
+    getAuthProvider(): MastraAuthProvider | undefined;
+    /**
+     * Lazily initialize the auth provider from pendingAuthConfig.
+     * Called on first use (generate/stream with auth token) to avoid
+     * async work in the synchronous constructor.
+     */
+    private ensureAuthProvider;
+    /**
+     * Set the current authentication context for request handling.
+     *
+     * Delegates to the global AuthContextHolder so that auth state is NOT
+     * stored as an instance field (which would leak between concurrent requests
+     * sharing the same NeuroLink singleton). Prefer `runWithAuthContext()` from
+     * `authContext.ts` for proper request-scoped context via AsyncLocalStorage.
+     *
+     * @param context - The authenticated user context
+     */
+    setAuthContext(context: AuthenticatedContext): Promise<void>;
+    /**
+     * Get the current authentication context.
+     *
+     * Checks AsyncLocalStorage first, then falls back to the global holder.
+     */
+    getAuthContext(): Promise<AuthenticatedContext | undefined>;
+    /**
+     * Clear the current authentication context
+     */
+    clearAuthContext(): Promise<void>;
     /**
      * Get the external server manager instance
      * Used internally by server adapters for external MCP server management