@juspay/neurolink 9.31.2 → 9.32.0

package/dist/client/auth/authContext.js

@@ -0,0 +1,314 @@
+// src/lib/auth/authContext.ts
+import { AsyncLocalStorage } from "async_hooks";
+import { AuthError } from "./errors.js";
+/**
+ * Async local storage for auth context
+ *
+ * Enables access to authentication context throughout the request lifecycle
+ * without explicitly passing it through every function call.
+ */
+const authContextStorage = new AsyncLocalStorage();
+/**
+ * Run a function with authentication context
+ *
+ * Sets up async local storage so getAuthContext() can be called
+ * from anywhere within the callback's execution.
+ *
+ * @param context - The authenticated context
+ * @param callback - Function to run with context available
+ * @returns Result of the callback
+ *
+ * @example
+ * ```typescript
+ * await runWithAuthContext(authContext, async () => {
+ *   // Inside here, getAuthContext() returns the context
+ *   const user = getCurrentUser();
+ *   await processRequest();
+ * });
+ * ```
+ */
+export function runWithAuthContext(context, callback) {
+    return authContextStorage.run(context, callback);
+}
+/**
+ * Get the current authentication context
+ *
+ * Returns the authenticated context for the current request,
+ * or undefined if no context is set.
+ *
+ * @returns Current auth context or undefined
+ *
+ * @example
+ * ```typescript
+ * const context = getAuthContext();
+ * if (context) {
+ *   console.log("Current user:", context.user.email);
+ * }
+ * ```
+ */
+export function getAuthContext() {
+    return authContextStorage.getStore() ?? globalAuthContext.get();
+}
+/**
+ * Get the current authenticated user
+ *
+ * Convenience function to get just the user from context.
+ *
+ * @returns Current user or undefined
+ *
+ * @example
+ * ```typescript
+ * const user = getCurrentUser();
+ * if (user) {
+ *   console.log("Hello,", user.name);
+ * }
+ * ```
+ */
+export function getCurrentUser() {
+    return (authContextStorage.getStore() ?? globalAuthContext.get())?.user;
+}
+/**
+ * Get the current session
+ *
+ * Convenience function to get just the session from context.
+ *
+ * @returns Current session or undefined
+ */
+export function getCurrentSession() {
+    return (authContextStorage.getStore() ?? globalAuthContext.get())?.session;
+}
+/**
+ * Check if the current request is authenticated
+ *
+ * @returns True if authenticated, false otherwise
+ */
+export function isAuthenticated() {
+    return (authContextStorage.getStore() !== undefined ||
+        globalAuthContext.isAuthenticated());
+}
+/**
+ * Require authentication
+ *
+ * Throws if no auth context is available.
+ *
+ * @returns The authenticated context
+ * @throws Error if not authenticated
+ *
+ * @example
+ * ```typescript
+ * const context = requireAuth();
+ * // Safe to use context.user here
+ * ```
+ */
+export function requireAuth() {
+    const context = getAuthContext();
+    if (!context) {
+        throw AuthError.create("MISSING_TOKEN", "Authentication required");
+    }
+    return context;
+}
+/**
+ * Require a specific user
+ *
+ * Throws if no auth context or user doesn't match.
+ *
+ * @param userId - Expected user ID
+ * @returns The authenticated context
+ * @throws Error if not authenticated or wrong user
+ */
+export function requireUser(userId) {
+    const context = requireAuth();
+    if (context.user.id !== userId) {
+        throw AuthError.create("ACCESS_DENIED", "User mismatch");
+    }
+    return context;
+}
+/**
+ * Check if current user has a permission
+ *
+ * @param permission - Permission to check
+ * @returns True if user has permission
+ */
+export function hasPermission(permission) {
+    const user = getCurrentUser();
+    if (!user) {
+        return false;
+    }
+    // Check direct permission
+    if (user.permissions.includes(permission)) {
+        return true;
+    }
+    // Check wildcard
+    if (user.permissions.includes("*")) {
+        return true;
+    }
+    // Check permission hierarchy
+    const parts = permission.split(":");
+    for (let i = parts.length - 1; i > 0; i--) {
+        const wildcardPerm = [...parts.slice(0, i), "*"].join(":");
+        if (user.permissions.includes(wildcardPerm)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if current user has a role
+ *
+ * @param role - Role to check
+ * @returns True if user has role
+ */
+export function hasRole(role) {
+    const user = getCurrentUser();
+    return user?.roles.includes(role) ?? false;
+}
+/**
+ * Check if current user has any of the roles
+ *
+ * @param roles - Roles to check (any of)
+ * @returns True if user has at least one role
+ */
+export function hasAnyRole(roles) {
+    const user = getCurrentUser();
+    if (!user) {
+        return false;
+    }
+    return roles.some((role) => user.roles.includes(role));
+}
+/**
+ * Check if current user has all permissions
+ *
+ * @param permissions - Permissions to check (all of)
+ * @returns True if user has all permissions
+ */
+export function hasAllPermissions(permissions) {
+    return permissions.every((perm) => hasPermission(perm));
+}
+/**
+ * Require a permission
+ *
+ * Throws if user doesn't have the permission.
+ *
+ * @param permission - Required permission
+ * @throws Error if user lacks permission
+ *
+ * @example
+ * ```typescript
+ * requirePermission("admin:write");
+ * // Safe to proceed with admin write operation
+ * ```
+ */
+export function requirePermission(permission) {
+    if (!hasPermission(permission)) {
+        throw AuthError.create("INSUFFICIENT_PERMISSIONS", `Permission denied: ${permission}`);
+    }
+}
+/**
+ * Require a role
+ *
+ * Throws if user doesn't have the role.
+ *
+ * @param role - Required role
+ * @throws Error if user lacks role
+ */
+export function requireRole(role) {
+    if (!hasRole(role)) {
+        throw AuthError.create("INSUFFICIENT_ROLES", `Role required: ${role}`);
+    }
+}
+/**
+ * Create an authenticated context
+ *
+ * Helper to build an AuthenticatedContext object.
+ *
+ * @param user - The authenticated user
+ * @param session - The user's session
+ * @param request - The original request context
+ * @param provider - The auth provider type
+ * @returns Complete authenticated context
+ */
+export function createAuthenticatedContext(user, session, request, provider) {
+    return {
+        ...request,
+        user,
+        session,
+        request,
+        authenticatedAt: new Date(),
+        provider,
+    };
+}
+/**
+ * Context holder for non-async-local-storage environments
+ *
+ * Use this when async local storage is not available.
+ */
+export class AuthContextHolder {
+    context;
+    /**
+     * Set the auth context
+     */
+    set(context) {
+        this.context = context;
+    }
+    /**
+     * Get the auth context
+     */
+    get() {
+        return this.context;
+    }
+    /**
+     * Clear the auth context
+     */
+    clear() {
+        this.context = undefined;
+    }
+    /**
+     * Get the current user
+     */
+    getUser() {
+        return this.context?.user;
+    }
+    /**
+     * Get the current session
+     */
+    getSession() {
+        return this.context?.session;
+    }
+    /**
+     * Check if authenticated
+     */
+    isAuthenticated() {
+        return this.context !== undefined;
+    }
+    /**
+     * Check if user has permission
+     */
+    hasPermission(permission) {
+        const user = this.context?.user;
+        if (!user) {
+            return false;
+        }
+        if (user.permissions.includes(permission) ||
+            user.permissions.includes("*")) {
+            return true;
+        }
+        // Check hierarchy
+        const parts = permission.split(":");
+        for (let i = parts.length - 1; i > 0; i--) {
+            const wildcardPerm = [...parts.slice(0, i), "*"].join(":");
+            if (user.permissions.includes(wildcardPerm)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if user has role
+     */
+    hasRole(role) {
+        return this.context?.user.roles.includes(role) ?? false;
+    }
+}
+// Internal: global context holder for non-async environments.
+// Exported for use by neurolink.ts; not part of the public API contract.
+export const globalAuthContext = new AuthContextHolder();

package/dist/client/auth/errors.js

@@ -0,0 +1,39 @@
+// src/lib/auth/errors.ts — Unified auth error codes (Phase 1 of auth error redesign)
+import { createErrorFactory } from "../core/infrastructure/baseError.js";
+export const AuthErrorCodes = {
+    // Token errors
+    INVALID_TOKEN: "AUTH-001",
+    EXPIRED_TOKEN: "AUTH-002",
+    MISSING_TOKEN: "AUTH-003",
+    TOKEN_DECODE_FAILED: "AUTH-004",
+    INVALID_SIGNATURE: "AUTH-005",
+    // Session errors
+    SESSION_NOT_FOUND: "AUTH-010",
+    SESSION_EXPIRED: "AUTH-011",
+    SESSION_REVOKED: "AUTH-012",
+    // Authorization errors
+    INSUFFICIENT_PERMISSIONS: "AUTH-020",
+    INSUFFICIENT_ROLES: "AUTH-021",
+    ACCESS_DENIED: "AUTH-022",
+    // User errors
+    USER_NOT_FOUND: "AUTH-030",
+    USER_DISABLED: "AUTH-031",
+    EMAIL_NOT_VERIFIED: "AUTH-032",
+    MFA_REQUIRED: "AUTH-033",
+    // Provider errors
+    PROVIDER_ERROR: "AUTH-040",
+    PROVIDER_NOT_FOUND: "AUTH-041",
+    PROVIDER_INIT_FAILED: "AUTH-042",
+    CONFIGURATION_ERROR: "AUTH-043",
+    // Factory/Registry errors
+    CREATION_FAILED: "AUTH-050",
+    REGISTRATION_FAILED: "AUTH-051",
+    DUPLICATE_REGISTRATION: "AUTH-052",
+    // Middleware errors
+    MIDDLEWARE_ERROR: "AUTH-060",
+    RATE_LIMITED: "AUTH-061",
+    // JWKS errors
+    JWKS_FETCH_FAILED: "AUTH-070",
+    JWKS_KEY_NOT_FOUND: "AUTH-071",
+};
+export const AuthError = createErrorFactory("Auth", AuthErrorCodes);

package/dist/client/auth/index.js

@@ -0,0 +1,61 @@
+/**
+ * NeuroLink Authentication Module
+ *
+ * Exports the full multi-provider authentication system including:
+ * - Anthropic OAuth 2.0 flow (PKCE, token storage, callback server)
+ * - Multi-provider auth (Auth0, Clerk, Firebase, Supabase, Cognito,
+ *   Keycloak, Better Auth, WorkOS, JWT, OAuth2, Custom)
+ * - AuthProviderFactory / AuthProviderRegistry for lazy-loaded provider creation
+ * - Auth middleware (token extraction, RBAC, rate limiting)
+ * - Session management (memory, Redis)
+ * - Auth context (AsyncLocalStorage-based request scoping)
+ */
+// =============================================================================
+// ANTHROPIC OAUTH - OAuth 2.0 Authentication
+// =============================================================================
+// OAuth Constants
+export { ANTHROPIC_OAUTH_BASE_URL, DEFAULT_SCOPES, DEFAULT_REDIRECT_URI, DEFAULT_CALLBACK_PORT, } from "./anthropicOAuth.js";
+// Main OAuth class
+export { AnthropicOAuth } from "./anthropicOAuth.js";
+// OAuth error classes (canonical definitions in types/errors.ts)
+export { OAuthError, OAuthConfigurationError, OAuthTokenExchangeError, OAuthTokenRefreshError, OAuthTokenValidationError, OAuthTokenRevocationError, OAuthCallbackServerError, } from "../types/errors.js";
+// OAuth helper functions
+export { createAnthropicOAuth, createAnthropicOAuthConfig, hasAnthropicOAuthCredentials, startCallbackServer, stopCallbackServer, performOAuthFlow, } from "./anthropicOAuth.js";
+// =============================================================================
+// TOKEN STORE - Secure Token Storage
+// =============================================================================
+// Main TokenStore class and instances
+export { TokenStore, tokenStore, defaultTokenStore } from "./tokenStore.js";
+// Token store error class (canonical definition in types/errors.ts)
+export { TokenStoreError } from "../types/errors.js";
+// =============================================================================
+// ACCOUNT POOL - Multi-account rotation with cooldowns
+// =============================================================================
+export { AccountPool } from "./accountPool.js";
+// =============================================================================
+// MULTI-PROVIDER AUTH SYSTEM
+// =============================================================================
+// Factory and Registry
+export { AuthProviderFactory, createAuthProvider, } from "./AuthProviderFactory.js";
+export { AuthProviderRegistry } from "./AuthProviderRegistry.js";
+// Unified error factory
+export { AuthError, AuthErrorCodes } from "./errors.js";
+// Base Provider
+export { AuthProviderError, BaseAuthProvider, InMemorySessionStorage, } from "./providers/BaseAuthProvider.js";
+// Provider Implementations
+// NOTE: Concrete provider classes are NOT re-exported here to preserve lazy
+// loading via dynamic imports in AuthProviderFactory.  Obtain provider
+// instances through the factory instead:
+//   const provider = await AuthProviderFactory.create("auth0", config);
+// Auth Middleware
+export { AuthMiddlewareError, AuthMiddlewareErrorCodes, createAuthMiddleware, createExpressAuthMiddleware, createProtectedMiddleware, createRBACMiddleware, createRequestContext, extractToken, } from "./middleware/AuthMiddleware.js";
+// Rate Limiting Middleware
+export { createAuthenticatedRateLimitMiddleware, createRateLimitByUserMiddleware, createRateLimitStorage, MemoryRateLimitStorage, RedisRateLimitStorage, UserRateLimiter, } from "./middleware/rateLimitByUser.js";
+// Session Management
+export { createSessionStorage, MemorySessionStorage, RedisSessionStorage, SessionManager, } from "./sessionManager.js";
+// Auth Context
+export { AuthContextHolder, createAuthenticatedContext, getAuthContext, getCurrentSession, getCurrentUser, globalAuthContext, hasAllPermissions, hasAnyRole, hasPermission, hasRole, isAuthenticated, requireAuth, requirePermission, requireRole, requireUser, runWithAuthContext, } from "./authContext.js";
+// Request Context
+export { RequestContext, NEUROLINK_RESOURCE_ID_KEY, NEUROLINK_THREAD_ID_KEY, } from "./RequestContext.js";
+// Server Bridge
+export { createAuthValidatorFromProvider } from "./serverBridge.js";