@juspay/neurolink 9.31.2 → 9.32.1

package/dist/lib/neurolink.js

@@ -246,6 +246,10 @@ export class NeuroLink {
     conversationMemoryConfig;
     // Add orchestration property
     enableOrchestration;
+    // Authentication provider for secure access control
+    authProvider;
+    pendingAuthConfig;
+    authInitPromise;
     // HITL (Human-in-the-Loop) support
     hitlManager;
     // Accumulated cost in USD across all generate() calls on this instance
@@ -451,6 +455,10 @@ export class NeuroLink {
         this.initializeLangfuse(constructorId, constructorStartTime, constructorHrTimeStart);
         this.initializeMetricsListeners();
         this.logConstructorComplete(constructorId, constructorStartTime, constructorHrTimeStart);
+        // Store auth config for lazy initialization
+        if (config?.auth) {
+            this.pendingAuthConfig = config.auth;
+        }
     }
     /**
      * Initialize provider registry with security settings
@@ -2225,6 +2233,61 @@ Current user's request: ${currentInput}`;
                             },
                         };
                     }
+                    // Handle per-call auth token validation
+                    if (options.auth?.token) {
+                        const { AuthError } = await import("./auth/errors.js");
+                        await this.ensureAuthProvider();
+                        if (!this.authProvider) {
+                            throw AuthError.create("PROVIDER_ERROR", "No auth provider configured. Set auth in constructor or via setAuthProvider() before using auth: { token }.");
+                        }
+                        let authResult;
+                        try {
+                            authResult = await withTimeout(this.authProvider.authenticateToken(options.auth.token), 5000, AuthError.create("PROVIDER_ERROR", "Auth token validation timed out after 5000ms"));
+                        }
+                        catch (err) {
+                            // Rethrow auth errors as-is; wrap anything else
+                            if (err instanceof Error &&
+                                "feature" in err &&
+                                err.feature === "Auth") {
+                                throw err;
+                            }
+                            throw AuthError.create("PROVIDER_ERROR", `Auth token validation failed: ${err instanceof Error ? err.message : String(err)}`);
+                        }
+                        if (!authResult.valid) {
+                            throw AuthError.create("INVALID_TOKEN", authResult.error || "Token validation failed");
+                        }
+                        // Fail closed: token valid but no user identity is a provider bug
+                        if (!authResult.user) {
+                            throw AuthError.create("INVALID_TOKEN", "Token validated but no user identity returned");
+                        }
+                        if (!authResult.user.id) {
+                            throw AuthError.create("INVALID_TOKEN", "Token validated but user identity missing required 'id' field");
+                        }
+                        // Merge validated user into context
+                        options.context = {
+                            ...(options.context || {}),
+                            userId: authResult.user.id,
+                            userEmail: authResult.user.email,
+                            userRoles: authResult.user.roles,
+                        };
+                    }
+                    // Handle pre-validated requestContext
+                    if (options.requestContext) {
+                        // When auth token was validated, token-derived identity fields
+                        // MUST take precedence over requestContext to prevent privilege escalation.
+                        const tokenDerivedFields = options.auth?.token && this.authProvider
+                            ? {
+                                userId: options.context?.userId,
+                                userEmail: options.context?.userEmail,
+                                userRoles: options.context?.userRoles,
+                            }
+                            : {};
+                        options.context = {
+                            ...(options.context || {}),
+                            ...options.requestContext,
+                            ...tokenDerivedFields,
+                        };
+                    }
                     // Check if workflow is requested
                     if (options.workflow || options.workflowConfig) {
                         return await this.generateWithWorkflow(options);
@@ -3997,6 +4060,61 @@ Current user's request: ${currentInput}`;
                         },
                     });
                 }
+                // Handle per-call auth token validation
+                if (options.auth?.token) {
+                    const { AuthError } = await import("./auth/errors.js");
+                    await this.ensureAuthProvider();
+                    if (!this.authProvider) {
+                        throw AuthError.create("PROVIDER_ERROR", "No auth provider configured. Set auth in constructor or via setAuthProvider() before using auth: { token }.");
+                    }
+                    let authResult;
+                    try {
+                        authResult = await withTimeout(this.authProvider.authenticateToken(options.auth.token), 5000, AuthError.create("PROVIDER_ERROR", "Auth token validation timed out after 5000ms"));
+                    }
+                    catch (err) {
+                        // Rethrow auth errors as-is; wrap anything else
+                        if (err instanceof Error &&
+                            "feature" in err &&
+                            err.feature === "Auth") {
+                            throw err;
+                        }
+                        throw AuthError.create("PROVIDER_ERROR", `Auth token validation failed: ${err instanceof Error ? err.message : String(err)}`);
+                    }
+                    if (!authResult.valid) {
+                        throw AuthError.create("INVALID_TOKEN", authResult.error || "Token validation failed");
+                    }
+                    // Fail closed: token valid but no user identity is a provider bug
+                    if (!authResult.user) {
+                        throw AuthError.create("INVALID_TOKEN", "Token validated but no user identity returned");
+                    }
+                    if (!authResult.user.id) {
+                        throw AuthError.create("INVALID_TOKEN", "Token validated but user identity missing required 'id' field");
+                    }
+                    // Merge validated user into context
+                    options.context = {
+                        ...(options.context || {}),
+                        userId: authResult.user.id,
+                        userEmail: authResult.user.email,
+                        userRoles: authResult.user.roles,
+                    };
+                }
+                // Handle pre-validated requestContext
+                if (options.requestContext) {
+                    // When auth token was validated, token-derived identity fields
+                    // MUST take precedence over requestContext to prevent privilege escalation.
+                    const tokenDerivedFields = options.auth?.token && this.authProvider
+                        ? {
+                            userId: options.context?.userId,
+                            userEmail: options.context?.userEmail,
+                            userRoles: options.context?.userRoles,
+                        }
+                        : {};
+                    options.context = {
+                        ...(options.context || {}),
+                        ...options.requestContext,
+                        ...tokenDerivedFields,
+                    };
+                }
                 this.emitStreamStartEvents(options, startTime);
                 // Auto-inject lifecycle middleware when callbacks are provided
                 // (must happen before workflow early return so that path gets middleware too)
@@ -8001,6 +8119,106 @@ Current user's request: ${currentInput}`;
         });
         return budgetResult.shouldCompact;
     }
+    // ============================================================================
+    // Authentication Methods
+    // ============================================================================
+    /**
+     * Set the authentication provider for the NeuroLink instance
+     *
+     * @param config - Auth provider or configuration to create one
+     */
+    async setAuthProvider(config) {
+        // Clear any pending lazy-init promise so it does not race with this call.
+        this.authInitPromise = undefined;
+        // Duck-type check: direct MastraAuthProvider instance
+        if ("authenticateToken" in config &&
+            typeof config.authenticateToken === "function") {
+            this.authProvider = config;
+            logger.info(`Auth provider set: ${this.authProvider.type}`);
+        }
+        else if ("provider" in config) {
+            this.authProvider = config.provider;
+            logger.info(`Auth provider set: ${this.authProvider.type}`);
+        }
+        else {
+            const typedConfig = config;
+            const { AuthProviderFactory } = await import("./auth/AuthProviderFactory.js");
+            this.authProvider = await AuthProviderFactory.createProvider(typedConfig.type, typedConfig.config);
+            logger.info(`Auth provider created and set: ${typedConfig.type}`);
+        }
+        if (this.authProvider) {
+            this.emitter.emit("auth:provider:set", {
+                type: this.authProvider.type,
+                timestamp: Date.now(),
+            });
+        }
+    }
+    /**
+     * Get the currently configured authentication provider
+     */
+    getAuthProvider() {
+        return this.authProvider;
+    }
+    /**
+     * Lazily initialize the auth provider from pendingAuthConfig.
+     * Called on first use (generate/stream with auth token) to avoid
+     * async work in the synchronous constructor.
+     */
+    async ensureAuthProvider() {
+        if (this.authProvider || !this.pendingAuthConfig) {
+            return;
+        }
+        this.authInitPromise ??= (async () => {
+            try {
+                await this.setAuthProvider(this.pendingAuthConfig);
+                this.pendingAuthConfig = undefined;
+            }
+            catch (err) {
+                this.authInitPromise = undefined;
+                throw err;
+            }
+        })();
+        await this.authInitPromise;
+    }
+    /**
+     * Set the current authentication context for request handling.
+     *
+     * Delegates to the global AuthContextHolder so that auth state is NOT
+     * stored as an instance field (which would leak between concurrent requests
+     * sharing the same NeuroLink singleton). Prefer `runWithAuthContext()` from
+     * `authContext.ts` for proper request-scoped context via AsyncLocalStorage.
+     *
+     * @param context - The authenticated user context
+     */
+    async setAuthContext(context) {
+        const { globalAuthContext } = await import("./auth/authContext.js");
+        globalAuthContext.set(context);
+        logger.debug("Auth context set", {
+            userId: context.user.id,
+            provider: context.provider,
+            sessionId: context.session?.id,
+        });
+    }
+    /**
+     * Get the current authentication context.
+     *
+     * Checks AsyncLocalStorage first, then falls back to the global holder.
+     */
+    async getAuthContext() {
+        const { getAuthContext: getCtx } = await import("./auth/authContext.js");
+        return getCtx();
+    }
+    /**
+     * Clear the current authentication context
+     */
+    async clearAuthContext() {
+        const { globalAuthContext } = await import("./auth/authContext.js");
+        const userId = globalAuthContext.get()?.user.id;
+        globalAuthContext.clear();
+        if (userId) {
+            logger.debug(`Auth context cleared for user: ${userId}`);
+        }
+    }
     /**
      * Get the external server manager instance
      * Used internally by server adapters for external MCP server management

package/dist/lib/rag/ChunkerRegistry.js

@@ -280,8 +280,8 @@ export class ChunkerRegistry extends BaseRegistry {
      * Register a chunker with aliases
      */
     registerChunker(strategy, factory, metadata) {
-        this.register(strategy, factory, metadata);
-        // Register aliases
+        this.register(strategy, factory, metadata.aliases ?? [], { metadata });
+        // Register aliases in local alias map for strategy resolution
         if (metadata.aliases) {
             for (const alias of metadata.aliases) {
                 this.aliasMap.set(alias.toLowerCase(), strategy);

package/dist/lib/rag/metadata/MetadataExtractorRegistry.js

@@ -212,8 +212,8 @@ export class MetadataExtractorRegistry extends BaseRegistry {
      * Register an extractor with aliases
      */
     registerExtractor(type, factory, metadata) {
-        this.register(type, factory, metadata);
-        // Register aliases
+        this.register(type, factory, metadata.aliases, { metadata });
+        // Register aliases in local alias map for type resolution
         for (const alias of metadata.aliases) {
             this.aliasMap.set(alias.toLowerCase(), type);
             logger.debug(`[MetadataExtractorRegistry] Registered alias '${alias}' -> '${type}'`);

package/dist/lib/rag/reranker/RerankerRegistry.js

@@ -237,8 +237,8 @@ export class RerankerRegistry extends BaseRegistry {
      * Register a reranker with aliases
      */
     registerReranker(type, factory, metadata) {
-        this.register(type, factory, metadata);
-        // Register aliases
+        this.register(type, factory, metadata.aliases, { metadata });
+        // Register aliases in local alias map for type resolution
         for (const alias of metadata.aliases) {
             this.aliasMap.set(alias.toLowerCase(), type);
             logger.debug(`[RerankerRegistry] Registered alias '${alias}' -> '${type}'`);

package/dist/lib/server/routes/agentRoutes.js

@@ -36,8 +36,15 @@ export function createAgentRoutes(basePath = "/api") {
                         // Note: tools should be passed as Record<string, Tool> in generate options
                         // If request.tools is an array of tool names, we skip them
                         context: {
-                            sessionId: request.sessionId,
-                            userId: request.userId,
+                            // When an authenticated user context exists (set by auth middleware),
+                            // always use its IDs to prevent caller-supplied impersonation.
+                            sessionId: ctx.user
+                                ? ctx.session?.id
+                                : (ctx.session?.id ?? request.sessionId),
+                            userId: ctx.user ? ctx.user.id : request.userId,
+                            userEmail: ctx.user?.email,
+                            userRoles: ctx.user?.roles,
+                            requestId: ctx.requestId,
                         },
                     });
                     // Map tool calls from SDK format to API format
@@ -78,6 +85,17 @@ export function createAgentRoutes(basePath = "/api") {
                         systemPrompt: request.systemPrompt,
                         temperature: request.temperature,
                         maxTokens: request.maxTokens,
+                        context: {
+                            // When an authenticated user context exists (set by auth middleware),
+                            // always use its IDs to prevent caller-supplied impersonation.
+                            sessionId: ctx.user
+                                ? ctx.session?.id
+                                : (ctx.session?.id ?? request.sessionId),
+                            userId: ctx.user ? ctx.user.id : request.userId,
+                            userEmail: ctx.user?.email,
+                            userRoles: ctx.user?.roles,
+                            requestId: ctx.requestId,
+                        },
                     });
                     // Create redactor (no-op if redaction is not enabled)
                     const redactor = createStreamRedactor(ctx.redaction);

package/dist/lib/server/routes/claudeProxyRoutes.js

@@ -51,15 +51,18 @@ function redactSensitiveHeaders(headers) {
 /** Fill-first: index of the current primary account. Only advances when
  *  the current account hits a 429 or auth failure that puts it on cooldown. */
 let primaryAccountIndex = 0;
+/** Track account count so we can reset primaryAccountIndex when it changes. */
+let lastKnownAccountCount = 0;
 const MAX_AUTH_RETRIES = 5;
 const MAX_CONSECUTIVE_REFRESH_FAILURES = 15;
 /** Decision 8: Cooldowns only for 401 and 429. */
 const AUTH_COOLDOWN_MS = 5 * 60 * 1000; // 5 minutes for 401
 const RATE_LIMIT_BACKOFF_BASE_MS = 1000; // 1 second base for 429
 const RATE_LIMIT_BACKOFF_CAP_MS = 10 * 60 * 1000; // 10 minute cap for 429
-/** Timeout for upstream requests to Anthropic. Generous to allow long-running
- *  streaming responses to start, but prevents infinite hangs. */
-const UPSTREAM_FETCH_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+/** Timeout for upstream requests to Anthropic. Must be generous enough
+ *  to cover the full lifecycle of streaming responses, including extended
+ *  thinking from Opus models (which can exceed 5 minutes for large contexts). */
+const UPSTREAM_FETCH_TIMEOUT_MS = 15 * 60 * 1000; // 15 minutes
 const accountRuntimeState = new Map();
 /** Track whether we've run the one-time startup prune. */
 let startupPruneDone = false;
@@ -329,6 +332,15 @@ export function createClaudeProxyRoutes(modelRouter, basePath = "", accountStrat
                             // - round-robin: rotate the starting index on every request
                             //   so traffic is spread evenly across accounts.
                             const orderedAccounts = [...enabledAccounts];
+                            // Reset round-robin index when account list size changes
+                            // (e.g. a new account was authenticated while the proxy was running).
+                            // Only applies to round-robin; fill-first uses primaryAccountIndex
+                            // as a sticky primary and should not be disrupted.
+                            if (accountStrategy === "round-robin" &&
+                                orderedAccounts.length !== lastKnownAccountCount) {
+                                primaryAccountIndex = 0;
+                                lastKnownAccountCount = orderedAccounts.length;
+                            }
                             if (orderedAccounts.length > 1) {
                                 if (accountStrategy === "round-robin") {
                                     // Advance the index on every request for even distribution
@@ -559,11 +571,19 @@ export function createClaudeProxyRoutes(modelRouter, basePath = "", accountStrat
                                                 // eslint-disable-next-line max-depth
                                                 if (body.stream && retryResp.body) {
                                                     const retryReader = retryResp.body.getReader();
+                                                    let retryStreamClosed = false;
                                                     const retryStream = new ReadableStream({
                                                         async pull(controller) {
+                                                            if (retryStreamClosed) {
+                                                                return;
+                                                            }
                                                             try {
                                                                 const { done, value } = await retryReader.read();
+                                                                if (retryStreamClosed) {
+                                                                    return;
+                                                                }
                                                                 if (done) {
+                                                                    retryStreamClosed = true;
                                                                     controller.close();
                                                                     return;
                                                                 }
@@ -582,12 +602,16 @@ export function createClaudeProxyRoutes(modelRouter, basePath = "", accountStrat
                                                                     errorMessage: errMsg,
                                                                     durationMs: Date.now() - fetchStartMs,
                                                                 });
-                                                                const errorEvent = `event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: `Upstream stream interrupted: ${errMsg}` } })}\n\n`;
-                                                                controller.enqueue(new TextEncoder().encode(errorEvent));
-                                                                controller.close();
+                                                                if (!retryStreamClosed) {
+                                                                    retryStreamClosed = true;
+                                                                    const errorEvent = `event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: `Upstream stream interrupted: ${errMsg}` } })}\n\n`;
+                                                                    controller.enqueue(new TextEncoder().encode(errorEvent));
+                                                                    controller.close();
+                                                                }
                                                             }
                                                         },
                                                         cancel() {
+                                                            retryStreamClosed = true;
                                                             retryReader.cancel();
                                                         },
                                                     });
@@ -866,14 +890,22 @@ export function createClaudeProxyRoutes(modelRouter, basePath = "", accountStrat
                                             continue;
                                         }
                                         // Stream is valid — create a new ReadableStream with first chunk prepended.
+                                        let mainStreamClosed = false;
                                         const remainingStream = new ReadableStream({
                                             start(controller) {
                                                 controller.enqueue(firstChunk.value);
                                             },
                                             async pull(controller) {
+                                                if (mainStreamClosed) {
+                                                    return;
+                                                }
                                                 try {
                                                     const { done, value } = await reader.read();
+                                                    if (mainStreamClosed) {
+                                                        return;
+                                                    }
                                                     if (done) {
+                                                        mainStreamClosed = true;
                                                         controller.close();
                                                         return;
                                                     }
@@ -894,12 +926,16 @@ export function createClaudeProxyRoutes(modelRouter, basePath = "", accountStrat
                                                     });
                                                     // Send SSE error event so the client gets a meaningful error
                                                     // instead of a raw connection drop
-                                                    const errorEvent = `event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: `Upstream stream interrupted: ${errMsg}` } })}\n\n`;
-                                                    controller.enqueue(new TextEncoder().encode(errorEvent));
-                                                    controller.close();
+                                                    if (!mainStreamClosed) {
+                                                        mainStreamClosed = true;
+                                                        const errorEvent = `event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: `Upstream stream interrupted: ${errMsg}` } })}\n\n`;
+                                                        controller.enqueue(new TextEncoder().encode(errorEvent));
+                                                        controller.close();
+                                                    }
                                                 }
                                             },
                                             cancel() {
+                                                mainStreamClosed = true;
                                                 reader.cancel();
                                             },
                                         });