@juspay/neurolink 9.31.1 → 9.32.0

package/dist/lib/neurolink.js

@@ -246,6 +246,10 @@ export class NeuroLink {
     conversationMemoryConfig;
     // Add orchestration property
     enableOrchestration;
+    // Authentication provider for secure access control
+    authProvider;
+    pendingAuthConfig;
+    authInitPromise;
     // HITL (Human-in-the-Loop) support
     hitlManager;
     // Accumulated cost in USD across all generate() calls on this instance
@@ -451,6 +455,10 @@ export class NeuroLink {
         this.initializeLangfuse(constructorId, constructorStartTime, constructorHrTimeStart);
         this.initializeMetricsListeners();
         this.logConstructorComplete(constructorId, constructorStartTime, constructorHrTimeStart);
+        // Store auth config for lazy initialization
+        if (config?.auth) {
+            this.pendingAuthConfig = config.auth;
+        }
     }
     /**
      * Initialize provider registry with security settings
@@ -2225,6 +2233,61 @@ Current user's request: ${currentInput}`;
                             },
                         };
                     }
+                    // Handle per-call auth token validation
+                    if (options.auth?.token) {
+                        const { AuthError } = await import("./auth/errors.js");
+                        await this.ensureAuthProvider();
+                        if (!this.authProvider) {
+                            throw AuthError.create("PROVIDER_ERROR", "No auth provider configured. Set auth in constructor or via setAuthProvider() before using auth: { token }.");
+                        }
+                        let authResult;
+                        try {
+                            authResult = await withTimeout(this.authProvider.authenticateToken(options.auth.token), 5000, AuthError.create("PROVIDER_ERROR", "Auth token validation timed out after 5000ms"));
+                        }
+                        catch (err) {
+                            // Rethrow auth errors as-is; wrap anything else
+                            if (err instanceof Error &&
+                                "feature" in err &&
+                                err.feature === "Auth") {
+                                throw err;
+                            }
+                            throw AuthError.create("PROVIDER_ERROR", `Auth token validation failed: ${err instanceof Error ? err.message : String(err)}`);
+                        }
+                        if (!authResult.valid) {
+                            throw AuthError.create("INVALID_TOKEN", authResult.error || "Token validation failed");
+                        }
+                        // Fail closed: token valid but no user identity is a provider bug
+                        if (!authResult.user) {
+                            throw AuthError.create("INVALID_TOKEN", "Token validated but no user identity returned");
+                        }
+                        if (!authResult.user.id) {
+                            throw AuthError.create("INVALID_TOKEN", "Token validated but user identity missing required 'id' field");
+                        }
+                        // Merge validated user into context
+                        options.context = {
+                            ...(options.context || {}),
+                            userId: authResult.user.id,
+                            userEmail: authResult.user.email,
+                            userRoles: authResult.user.roles,
+                        };
+                    }
+                    // Handle pre-validated requestContext
+                    if (options.requestContext) {
+                        // When auth token was validated, token-derived identity fields
+                        // MUST take precedence over requestContext to prevent privilege escalation.
+                        const tokenDerivedFields = options.auth?.token && this.authProvider
+                            ? {
+                                userId: options.context?.userId,
+                                userEmail: options.context?.userEmail,
+                                userRoles: options.context?.userRoles,
+                            }
+                            : {};
+                        options.context = {
+                            ...(options.context || {}),
+                            ...options.requestContext,
+                            ...tokenDerivedFields,
+                        };
+                    }
                     // Check if workflow is requested
                     if (options.workflow || options.workflowConfig) {
                         return await this.generateWithWorkflow(options);
@@ -3997,6 +4060,61 @@ Current user's request: ${currentInput}`;
                         },
                     });
                 }
+                // Handle per-call auth token validation
+                if (options.auth?.token) {
+                    const { AuthError } = await import("./auth/errors.js");
+                    await this.ensureAuthProvider();
+                    if (!this.authProvider) {
+                        throw AuthError.create("PROVIDER_ERROR", "No auth provider configured. Set auth in constructor or via setAuthProvider() before using auth: { token }.");
+                    }
+                    let authResult;
+                    try {
+                        authResult = await withTimeout(this.authProvider.authenticateToken(options.auth.token), 5000, AuthError.create("PROVIDER_ERROR", "Auth token validation timed out after 5000ms"));
+                    }
+                    catch (err) {
+                        // Rethrow auth errors as-is; wrap anything else
+                        if (err instanceof Error &&
+                            "feature" in err &&
+                            err.feature === "Auth") {
+                            throw err;
+                        }
+                        throw AuthError.create("PROVIDER_ERROR", `Auth token validation failed: ${err instanceof Error ? err.message : String(err)}`);
+                    }
+                    if (!authResult.valid) {
+                        throw AuthError.create("INVALID_TOKEN", authResult.error || "Token validation failed");
+                    }
+                    // Fail closed: token valid but no user identity is a provider bug
+                    if (!authResult.user) {
+                        throw AuthError.create("INVALID_TOKEN", "Token validated but no user identity returned");
+                    }
+                    if (!authResult.user.id) {
+                        throw AuthError.create("INVALID_TOKEN", "Token validated but user identity missing required 'id' field");
+                    }
+                    // Merge validated user into context
+                    options.context = {
+                        ...(options.context || {}),
+                        userId: authResult.user.id,
+                        userEmail: authResult.user.email,
+                        userRoles: authResult.user.roles,
+                    };
+                }
+                // Handle pre-validated requestContext
+                if (options.requestContext) {
+                    // When auth token was validated, token-derived identity fields
+                    // MUST take precedence over requestContext to prevent privilege escalation.
+                    const tokenDerivedFields = options.auth?.token && this.authProvider
+                        ? {
+                            userId: options.context?.userId,
+                            userEmail: options.context?.userEmail,
+                            userRoles: options.context?.userRoles,
+                        }
+                        : {};
+                    options.context = {
+                        ...(options.context || {}),
+                        ...options.requestContext,
+                        ...tokenDerivedFields,
+                    };
+                }
                 this.emitStreamStartEvents(options, startTime);
                 // Auto-inject lifecycle middleware when callbacks are provided
                 // (must happen before workflow early return so that path gets middleware too)
@@ -8001,6 +8119,106 @@ Current user's request: ${currentInput}`;
         });
         return budgetResult.shouldCompact;
     }
+    // ============================================================================
+    // Authentication Methods
+    // ============================================================================
+    /**
+     * Set the authentication provider for the NeuroLink instance
+     *
+     * @param config - Auth provider or configuration to create one
+     */
+    async setAuthProvider(config) {
+        // Clear any pending lazy-init promise so it does not race with this call.
+        this.authInitPromise = undefined;
+        // Duck-type check: direct MastraAuthProvider instance
+        if ("authenticateToken" in config &&
+            typeof config.authenticateToken === "function") {
+            this.authProvider = config;
+            logger.info(`Auth provider set: ${this.authProvider.type}`);
+        }
+        else if ("provider" in config) {
+            this.authProvider = config.provider;
+            logger.info(`Auth provider set: ${this.authProvider.type}`);
+        }
+        else {
+            const typedConfig = config;
+            const { AuthProviderFactory } = await import("./auth/AuthProviderFactory.js");
+            this.authProvider = await AuthProviderFactory.createProvider(typedConfig.type, typedConfig.config);
+            logger.info(`Auth provider created and set: ${typedConfig.type}`);
+        }
+        if (this.authProvider) {
+            this.emitter.emit("auth:provider:set", {
+                type: this.authProvider.type,
+                timestamp: Date.now(),
+            });
+        }
+    }
+    /**
+     * Get the currently configured authentication provider
+     */
+    getAuthProvider() {
+        return this.authProvider;
+    }
+    /**
+     * Lazily initialize the auth provider from pendingAuthConfig.
+     * Called on first use (generate/stream with auth token) to avoid
+     * async work in the synchronous constructor.
+     */
+    async ensureAuthProvider() {
+        if (this.authProvider || !this.pendingAuthConfig) {
+            return;
+        }
+        this.authInitPromise ??= (async () => {
+            try {
+                await this.setAuthProvider(this.pendingAuthConfig);
+                this.pendingAuthConfig = undefined;
+            }
+            catch (err) {
+                this.authInitPromise = undefined;
+                throw err;
+            }
+        })();
+        await this.authInitPromise;
+    }
+    /**
+     * Set the current authentication context for request handling.
+     *
+     * Delegates to the global AuthContextHolder so that auth state is NOT
+     * stored as an instance field (which would leak between concurrent requests
+     * sharing the same NeuroLink singleton). Prefer `runWithAuthContext()` from
+     * `authContext.ts` for proper request-scoped context via AsyncLocalStorage.
+     *
+     * @param context - The authenticated user context
+     */
+    async setAuthContext(context) {
+        const { globalAuthContext } = await import("./auth/authContext.js");
+        globalAuthContext.set(context);
+        logger.debug("Auth context set", {
+            userId: context.user.id,
+            provider: context.provider,
+            sessionId: context.session?.id,
+        });
+    }
+    /**
+     * Get the current authentication context.
+     *
+     * Checks AsyncLocalStorage first, then falls back to the global holder.
+     */
+    async getAuthContext() {
+        const { getAuthContext: getCtx } = await import("./auth/authContext.js");
+        return getCtx();
+    }
+    /**
+     * Clear the current authentication context
+     */
+    async clearAuthContext() {
+        const { globalAuthContext } = await import("./auth/authContext.js");
+        const userId = globalAuthContext.get()?.user.id;
+        globalAuthContext.clear();
+        if (userId) {
+            logger.debug(`Auth context cleared for user: ${userId}`);
+        }
+    }
     /**
      * Get the external server manager instance
      * Used internally by server adapters for external MCP server management

package/dist/lib/rag/ChunkerRegistry.js

@@ -280,8 +280,8 @@ export class ChunkerRegistry extends BaseRegistry {
      * Register a chunker with aliases
      */
     registerChunker(strategy, factory, metadata) {
-        this.register(strategy, factory, metadata);
-        // Register aliases
+        this.register(strategy, factory, metadata.aliases ?? [], { metadata });
+        // Register aliases in local alias map for strategy resolution
         if (metadata.aliases) {
             for (const alias of metadata.aliases) {
                 this.aliasMap.set(alias.toLowerCase(), strategy);

package/dist/lib/rag/metadata/MetadataExtractorRegistry.js

@@ -212,8 +212,8 @@ export class MetadataExtractorRegistry extends BaseRegistry {
      * Register an extractor with aliases
      */
     registerExtractor(type, factory, metadata) {
-        this.register(type, factory, metadata);
-        // Register aliases
+        this.register(type, factory, metadata.aliases, { metadata });
+        // Register aliases in local alias map for type resolution
         for (const alias of metadata.aliases) {
             this.aliasMap.set(alias.toLowerCase(), type);
             logger.debug(`[MetadataExtractorRegistry] Registered alias '${alias}' -> '${type}'`);

package/dist/lib/rag/reranker/RerankerRegistry.js

@@ -237,8 +237,8 @@ export class RerankerRegistry extends BaseRegistry {
      * Register a reranker with aliases
      */
     registerReranker(type, factory, metadata) {
-        this.register(type, factory, metadata);
-        // Register aliases
+        this.register(type, factory, metadata.aliases, { metadata });
+        // Register aliases in local alias map for type resolution
         for (const alias of metadata.aliases) {
             this.aliasMap.set(alias.toLowerCase(), type);
             logger.debug(`[RerankerRegistry] Registered alias '${alias}' -> '${type}'`);

package/dist/lib/server/routes/agentRoutes.js

@@ -36,8 +36,15 @@ export function createAgentRoutes(basePath = "/api") {
                         // Note: tools should be passed as Record<string, Tool> in generate options
                         // If request.tools is an array of tool names, we skip them
                         context: {
-                            sessionId: request.sessionId,
-                            userId: request.userId,
+                            // When an authenticated user context exists (set by auth middleware),
+                            // always use its IDs to prevent caller-supplied impersonation.
+                            sessionId: ctx.user
+                                ? ctx.session?.id
+                                : (ctx.session?.id ?? request.sessionId),
+                            userId: ctx.user ? ctx.user.id : request.userId,
+                            userEmail: ctx.user?.email,
+                            userRoles: ctx.user?.roles,
+                            requestId: ctx.requestId,
                         },
                     });
                     // Map tool calls from SDK format to API format
@@ -78,6 +85,17 @@ export function createAgentRoutes(basePath = "/api") {
                         systemPrompt: request.systemPrompt,
                         temperature: request.temperature,
                         maxTokens: request.maxTokens,
+                        context: {
+                            // When an authenticated user context exists (set by auth middleware),
+                            // always use its IDs to prevent caller-supplied impersonation.
+                            sessionId: ctx.user
+                                ? ctx.session?.id
+                                : (ctx.session?.id ?? request.sessionId),
+                            userId: ctx.user ? ctx.user.id : request.userId,
+                            userEmail: ctx.user?.email,
+                            userRoles: ctx.user?.roles,
+                            requestId: ctx.requestId,
+                        },
                     });
                     // Create redactor (no-op if redaction is not enabled)
                     const redactor = createStreamRedactor(ctx.redaction);