@juspay/neurolink 9.31.2 → 9.32.0

package/dist/client/auth/AuthProviderFactory.js

@@ -0,0 +1,111 @@
+/**
+ * AuthProviderFactory - Static factory for authentication providers
+ *
+ * Matches the ProviderFactory pattern: all-static class, no BaseFactory
+ * extension, no singleton instance. Providers are registered by
+ * AuthProviderRegistry using dynamic imports to avoid circular dependencies.
+ */
+import { logger } from "../utils/logger.js";
+import { AuthError } from "./errors.js";
+// =============================================================================
+// FACTORY IMPLEMENTATION
+// =============================================================================
+/**
+ * AuthProviderFactory - Creates authentication provider instances
+ *
+ * Pure static factory with no hardcoded imports. All providers are
+ * registered dynamically by AuthProviderRegistry to avoid circular
+ * dependencies and enable lazy loading.
+ *
+ * @example
+ * ```typescript
+ * // Create a provider (after AuthProviderRegistry.registerAllProviders())
+ * const provider = await AuthProviderFactory.createProvider("auth0", {
+ *   type: "auth0",
+ *   domain: "your-tenant.auth0.com",
+ *   clientId: "your-client-id",
+ * });
+ * ```
+ */
+export class AuthProviderFactory {
+    static providers = new Map();
+    static aliasMap = new Map();
+    /**
+     * Register a provider with the factory
+     */
+    static registerProvider(type, factory, aliases = [], metadata) {
+        AuthProviderFactory.providers.set(type, { factory, aliases, metadata });
+        for (const alias of aliases) {
+            AuthProviderFactory.aliasMap.set(alias.toLowerCase(), type);
+        }
+        logger.debug(`Registered auth provider: ${type}`);
+    }
+    /**
+     * Create a provider instance
+     */
+    static async createProvider(typeOrAlias, config) {
+        const resolvedType = AuthProviderFactory.resolveType(typeOrAlias);
+        const registration = AuthProviderFactory.providers.get(resolvedType);
+        if (!registration) {
+            throw AuthError.create("PROVIDER_NOT_FOUND", `Auth provider not found: ${typeOrAlias}. Available: ${AuthProviderFactory.getAvailableProviders().join(", ")}`);
+        }
+        try {
+            return await registration.factory(config);
+        }
+        catch (error) {
+            throw AuthError.create("CREATION_FAILED", `Failed to create auth provider ${typeOrAlias}: ${error instanceof Error ? error.message : String(error)}`, { cause: error instanceof Error ? error : undefined });
+        }
+    }
+    /**
+     * Check if a provider is registered
+     */
+    static hasProvider(typeOrAlias) {
+        return (AuthProviderFactory.providers.has(typeOrAlias) ||
+            AuthProviderFactory.aliasMap.has(typeOrAlias.toLowerCase()));
+    }
+    /**
+     * Get list of available provider types (excludes aliases)
+     */
+    static getAvailableProviders() {
+        return Array.from(AuthProviderFactory.providers.keys());
+    }
+    /**
+     * Get provider metadata
+     */
+    static getProviderMetadata(typeOrAlias) {
+        const resolvedType = AuthProviderFactory.resolveType(typeOrAlias);
+        return AuthProviderFactory.providers.get(resolvedType)?.metadata;
+    }
+    /**
+     * Get all registered providers with their metadata
+     */
+    static getAllProviderInfo() {
+        return Array.from(AuthProviderFactory.providers.entries()).map(([type, reg]) => ({
+            type,
+            aliases: reg.aliases,
+            metadata: reg.metadata,
+        }));
+    }
+    /**
+     * Clear all registrations (for testing)
+     */
+    static clearRegistrations() {
+        AuthProviderFactory.providers.clear();
+        AuthProviderFactory.aliasMap.clear();
+    }
+    /**
+     * Resolve an alias to its canonical provider type
+     */
+    static resolveType(typeOrAlias) {
+        return (AuthProviderFactory.aliasMap.get(typeOrAlias.toLowerCase()) || typeOrAlias);
+    }
+}
+// =============================================================================
+// CONVENIENCE EXPORTS
+// =============================================================================
+/**
+ * Create an auth provider using the factory
+ */
+export async function createAuthProvider(type, config) {
+    return AuthProviderFactory.createProvider(type, config);
+}

package/dist/client/auth/AuthProviderRegistry.js

@@ -0,0 +1,190 @@
+/**
+ * AuthProviderRegistry - Static one-shot registry for authentication providers
+ *
+ * Matches the ProviderRegistry pattern: static class with a single
+ * `registerAllProviders()` entry point that registers all 11 auth
+ * providers with AuthProviderFactory using dynamic imports.
+ */
+import { logger } from "../utils/logger.js";
+import { AuthProviderFactory } from "./AuthProviderFactory.js";
+/**
+ * Narrow `AuthProviderConfig` to a specific provider variant.
+ *
+ * Each factory lambda calls this to assert the config is the expected
+ * variant — safe because the factory is only ever invoked with a config
+ * whose `type` matches the registered provider key.
+ */
+function narrowConfig(config) {
+    return config;
+}
+/**
+ * AuthProviderRegistry - registers all auth providers with the factory
+ *
+ * Call `AuthProviderRegistry.registerAllProviders()` once during
+ * application startup. The method is idempotent and concurrency-safe.
+ */
+export class AuthProviderRegistry {
+    static registered = false;
+    static registrationPromise = null;
+    /**
+     * Register all auth providers with the factory
+     */
+    static async registerAllProviders() {
+        if (AuthProviderRegistry.registered) {
+            return;
+        }
+        if (AuthProviderRegistry.registrationPromise) {
+            return AuthProviderRegistry.registrationPromise;
+        }
+        AuthProviderRegistry.registrationPromise =
+            AuthProviderRegistry._doRegister();
+        try {
+            await AuthProviderRegistry.registrationPromise;
+            AuthProviderRegistry.registered = true;
+        }
+        catch (error) {
+            AuthProviderRegistry.registrationPromise = null;
+            throw error;
+        }
+    }
+    /**
+     * Internal registration implementation
+     */
+    static async _doRegister() {
+        // Auth0 Provider
+        AuthProviderFactory.registerProvider("auth0", async (config) => {
+            const { Auth0Provider } = await import("./providers/auth0.js");
+            return new Auth0Provider(narrowConfig(config));
+        }, ["auth0-jwt", "auth0-oauth"], {
+            type: "auth0",
+            name: "Auth0",
+            description: "Auth0 identity platform integration",
+            documentation: "https://auth0.com/docs",
+            aliases: ["auth0-jwt", "auth0-oauth"],
+        });
+        // Clerk Provider
+        AuthProviderFactory.registerProvider("clerk", async (config) => {
+            const { ClerkProvider } = await import("./providers/clerk.js");
+            return new ClerkProvider(narrowConfig(config));
+        }, ["clerk-jwt"], {
+            type: "clerk",
+            name: "Clerk",
+            description: "Clerk authentication platform integration",
+            documentation: "https://clerk.com/docs",
+            aliases: ["clerk-jwt"],
+        });
+        // Firebase Provider
+        AuthProviderFactory.registerProvider("firebase", async (config) => {
+            const { FirebaseAuthProvider } = await import("./providers/firebase.js");
+            return new FirebaseAuthProvider(narrowConfig(config));
+        }, ["firebase-auth", "google-firebase"], {
+            type: "firebase",
+            name: "Firebase",
+            description: "Firebase Authentication integration",
+            documentation: "https://firebase.google.com/docs/auth",
+            aliases: ["firebase-auth", "google-firebase"],
+        });
+        // Supabase Provider
+        AuthProviderFactory.registerProvider("supabase", async (config) => {
+            const { SupabaseAuthProvider } = await import("./providers/supabase.js");
+            return new SupabaseAuthProvider(narrowConfig(config));
+        }, ["supabase-auth"], {
+            type: "supabase",
+            name: "Supabase",
+            description: "Supabase Auth integration",
+            documentation: "https://supabase.com/docs/guides/auth",
+            aliases: ["supabase-auth"],
+        });
+        // AWS Cognito Provider
+        AuthProviderFactory.registerProvider("cognito", async (config) => {
+            const { CognitoProvider } = await import("./providers/CognitoProvider.js");
+            return new CognitoProvider(config);
+        }, ["aws-cognito", "amazon-cognito"], {
+            type: "cognito",
+            name: "AWS Cognito",
+            description: "Amazon Cognito User Pools integration",
+            documentation: "https://docs.aws.amazon.com/cognito",
+            aliases: ["aws-cognito", "amazon-cognito"],
+        });
+        // Keycloak Provider
+        AuthProviderFactory.registerProvider("keycloak", async (config) => {
+            const { KeycloakProvider } = await import("./providers/KeycloakProvider.js");
+            return new KeycloakProvider(config);
+        }, ["keycloak-oidc"], {
+            type: "keycloak",
+            name: "Keycloak",
+            description: "Keycloak OpenID Connect integration",
+            documentation: "https://www.keycloak.org/documentation",
+            aliases: ["keycloak-oidc"],
+        });
+        // Better Auth Provider
+        AuthProviderFactory.registerProvider("better-auth", async (config) => {
+            const { BetterAuthProvider } = await import("./providers/betterAuth.js");
+            return new BetterAuthProvider(narrowConfig(config));
+        }, ["betterauth", "better_auth"], {
+            type: "better-auth",
+            name: "Better Auth",
+            description: "Self-hosted open-source authentication solution",
+            documentation: "https://better-auth.com/docs",
+            aliases: ["betterauth", "better_auth"],
+        });
+        // WorkOS Provider
+        AuthProviderFactory.registerProvider("workos", async (config) => {
+            const { WorkOSProvider } = await import("./providers/workos.js");
+            return new WorkOSProvider(narrowConfig(config));
+        }, ["workos-sso", "work-os"], {
+            type: "workos",
+            name: "WorkOS",
+            description: "Enterprise SSO and user management",
+            documentation: "https://workos.com/docs",
+            aliases: ["workos-sso", "work-os"],
+        });
+        // OAuth2 Provider
+        AuthProviderFactory.registerProvider("oauth2", async (config) => {
+            const { OAuth2Provider } = await import("./providers/oauth2.js");
+            return new OAuth2Provider(narrowConfig(config));
+        }, ["oauth", "oidc", "openid-connect"], {
+            type: "oauth2",
+            name: "OAuth2",
+            description: "Generic OAuth2/OIDC provider with JWKS and userinfo support",
+            documentation: "https://oauth.net/2/",
+            aliases: ["oauth", "oidc", "openid-connect"],
+        });
+        // JWT Provider
+        AuthProviderFactory.registerProvider("jwt", async (config) => {
+            const { JWTProvider } = await import("./providers/jwt.js");
+            return new JWTProvider(narrowConfig(config));
+        }, ["jwt-auth", "jwt-token"], {
+            type: "jwt",
+            name: "JWT",
+            description: "Generic JWT token validation with symmetric/asymmetric keys",
+            documentation: "https://jwt.io/",
+            aliases: ["jwt-auth", "jwt-token"],
+        });
+        // Custom Provider
+        AuthProviderFactory.registerProvider("custom", async (config) => {
+            const { CustomAuthProvider } = await import("./providers/custom.js");
+            return new CustomAuthProvider(narrowConfig(config));
+        }, ["custom-auth"], {
+            type: "custom",
+            name: "Custom",
+            description: "Custom authentication with user-provided validation logic",
+            aliases: ["custom-auth"],
+        });
+        logger.debug("All auth providers registered");
+    }
+    /**
+     * Check if providers are registered
+     */
+    static isRegistered() {
+        return AuthProviderRegistry.registered;
+    }
+    /**
+     * Clear registrations (for testing)
+     */
+    static clearRegistrations() {
+        AuthProviderRegistry.registered = false;
+        AuthProviderRegistry.registrationPromise = null;
+        AuthProviderFactory.clearRegistrations();
+    }
+}

package/dist/client/auth/RequestContext.js

@@ -0,0 +1,78 @@
+// src/lib/auth/RequestContext.ts
+/**
+ * Type-safe Map wrapper for request-scoped context.
+ * Flows from auth middleware through generate/stream/tools/memory.
+ * Reserved keys (prefixed neurolink__) cannot be overridden by client code.
+ */
+export const NEUROLINK_RESOURCE_ID_KEY = "neurolink__resourceId";
+export const NEUROLINK_THREAD_ID_KEY = "neurolink__threadId";
+const RESERVED_PREFIX = "neurolink__";
+export class RequestContext {
+    registry = new Map();
+    constructor(initial) {
+        if (Array.isArray(initial)) {
+            for (const [key, value] of initial) {
+                this.registry.set(key, value);
+            }
+        }
+        else if (initial) {
+            for (const [key, value] of Object.entries(initial)) {
+                this.registry.set(key, value);
+            }
+        }
+    }
+    set(key, value) {
+        this.registry.set(key, value);
+    }
+    get(key) {
+        return this.registry.get(key);
+    }
+    has(key) {
+        return this.registry.has(key);
+    }
+    delete(key) {
+        return this.registry.delete(key);
+    }
+    get size() {
+        return this.registry.size;
+    }
+    /**
+     * Merge client-provided values, but SKIP reserved keys that are already set.
+     * This prevents clients from overriding auth middleware values.
+     */
+    mergeClientContext(clientContext) {
+        for (const [key, value] of Object.entries(clientContext)) {
+            if (key.startsWith(RESERVED_PREFIX) && this.registry.has(key)) {
+                continue; // Server-set reserved keys cannot be overridden
+            }
+            if (!this.registry.has(key)) {
+                this.registry.set(key, value);
+            }
+        }
+    }
+    toJSON() {
+        const result = {};
+        for (const [key, value] of this.registry.entries()) {
+            if (this.isSerializable(value)) {
+                result[key] = value;
+            }
+        }
+        return result;
+    }
+    isSerializable(value) {
+        if (value === null || value === undefined) {
+            return true;
+        }
+        const type = typeof value;
+        if (type === "function" || type === "symbol") {
+            return false;
+        }
+        try {
+            JSON.stringify(value);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}

package/dist/client/auth/accountPool.js

@@ -0,0 +1,178 @@
+/**
+ * AccountPool — manages a pool of proxy accounts with round-robin / fill-first
+ * selection and exponential-backoff cooldowns for quota-exceeded accounts.
+ *
+ * @module auth/accountPool
+ */
+import { tokenStore } from "./tokenStore.js";
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+const DEFAULT_COOLDOWN_MS = 300_000;
+const DEFAULT_MAX_COOLDOWN_MS = 1_800_000;
+// =============================================================================
+// IMPLEMENTATION
+// =============================================================================
+export class AccountPool {
+    accounts = new Map();
+    cursor = 0;
+    config;
+    constructor(config = {}) {
+        this.config = {
+            strategy: config.strategy ?? "round-robin",
+            defaultCooldownMs: config.defaultCooldownMs ?? DEFAULT_COOLDOWN_MS,
+            maxCooldownMs: config.maxCooldownMs ?? DEFAULT_MAX_COOLDOWN_MS,
+            maxRetryAccounts: config.maxRetryAccounts ?? 0,
+        };
+    }
+    /** Add (or replace) an account in the pool. */
+    addAccount(account) {
+        // Clear any stale token refresher for a previously-registered account
+        // with the same id — wireTokenRefresh() captures the old account object
+        // in its closure, so leaving it behind would refresh the wrong tokens.
+        tokenStore.clearTokenRefresher(account.id);
+        this.accounts.set(account.id, { ...account });
+    }
+    /** Remove an account from the pool by id. */
+    removeAccount(id) {
+        tokenStore.clearTokenRefresher(id);
+        this.accounts.delete(id);
+    }
+    /**
+     * Return the next healthy account according to the configured strategy.
+     * Returns `null` when no healthy accounts are available.
+     */
+    getNextAccount() {
+        this._expireCooldowns();
+        const healthy = this._getHealthyAccounts();
+        if (healthy.length === 0) {
+            return null;
+        }
+        if (this.config.strategy === "fill-first") {
+            const account = healthy[0];
+            account.requestCount++;
+            account.lastUsed = Date.now();
+            return account;
+        }
+        // round-robin
+        const index = this.cursor % healthy.length;
+        this.cursor++;
+        const account = healthy[index];
+        account.requestCount++;
+        account.lastUsed = Date.now();
+        return account;
+    }
+    /**
+     * Mark an account as quota-exceeded.  The account enters a cooldown state
+     * with exponential backoff capped at `maxCooldownMs`.
+     *
+     * @deprecated Proxy routes now use `RuntimeAccountState` in `claudeProxyRoutes.ts`
+     * for runtime account state management. This method is retained for public API compatibility.
+     *
+     * @param id             Account id
+     * @param retryAfterMs   Optional explicit retry-after duration (from server header)
+     */
+    markQuotaExceeded(id, retryAfterMs) {
+        const account = this.accounts.get(id);
+        if (!account) {
+            return;
+        }
+        account.consecutiveFailures++;
+        const backoff = Math.min(this.config.defaultCooldownMs *
+            Math.pow(2, account.consecutiveFailures - 1), this.config.maxCooldownMs);
+        account.cooldownUntil = Date.now() + (retryAfterMs ?? backoff);
+        account.status = "cooling";
+    }
+    /**
+     * Manually mark an account as available (healthy), clearing its cooldown.
+     *
+     * @deprecated Proxy routes now use `RuntimeAccountState` in `claudeProxyRoutes.ts`
+     * for runtime account state management. This method is retained for public API compatibility.
+     */
+    markAvailable(id) {
+        const account = this.accounts.get(id);
+        if (!account) {
+            return;
+        }
+        account.status = "healthy";
+        account.cooldownUntil = undefined;
+    }
+    /**
+     * Mark an account as having completed a request successfully.
+     *
+     * @deprecated Proxy routes now use `RuntimeAccountState` in `claudeProxyRoutes.ts`
+     * for runtime account state management. This method is retained for public API compatibility.
+     */
+    markSuccess(id) {
+        const account = this.accounts.get(id);
+        if (!account) {
+            return;
+        }
+        account.status = "healthy";
+        account.cooldownUntil = undefined;
+        account.consecutiveFailures = 0;
+    }
+    /** Return the number of currently healthy (not cooling/disabled) accounts. */
+    getHealthyCount() {
+        this._expireCooldowns();
+        return this._getHealthyAccounts().length;
+    }
+    /** Return a snapshot of all accounts in the pool. */
+    getAllAccounts() {
+        return Array.from(this.accounts.values());
+    }
+    /** Return the configured selection strategy. */
+    getStrategy() {
+        return this.config.strategy;
+    }
+    /**
+     * Wire automatic token refresh for an OAuth account.
+     * Call after addAccount() for OAuth accounts that have a refresh token.
+     *
+     * @param accountId  The account id to wire refresh for
+     * @param refreshFn  Function that takes a refresh token and returns new token data
+     */
+    wireTokenRefresh(accountId, refreshFn) {
+        const account = this.accounts.get(accountId);
+        if (!account || account.type !== "oauth" || !account.tokens?.refreshToken) {
+            return;
+        }
+        tokenStore.setTokenRefresher(accountId, async (refreshToken) => {
+            const result = await refreshFn(refreshToken);
+            const newTokens = {
+                accessToken: result.accessToken,
+                refreshToken: result.refreshToken ?? refreshToken,
+                expiresAt: result.expiresAt instanceof Date
+                    ? result.expiresAt.getTime()
+                    : result.expiresAt,
+                tokenType: result.tokenType ?? "Bearer",
+            };
+            // Update in-memory account
+            if (account.tokens) {
+                account.tokens.accessToken = newTokens.accessToken;
+                account.tokens.expiresAt = newTokens.expiresAt;
+                if (newTokens.refreshToken) {
+                    account.tokens.refreshToken = newTokens.refreshToken;
+                }
+            }
+            return newTokens;
+        });
+    }
+    // ---------------------------------------------------------------------------
+    // Private helpers
+    // ---------------------------------------------------------------------------
+    _getHealthyAccounts() {
+        return Array.from(this.accounts.values()).filter((a) => a.status === "healthy");
+    }
+    _expireCooldowns() {
+        const now = Date.now();
+        for (const account of this.accounts.values()) {
+            if (account.status === "cooling" &&
+                account.cooldownUntil &&
+                now >= account.cooldownUntil) {
+                account.status = "healthy";
+                account.cooldownUntil = undefined;
+            }
+        }
+    }
+}