@lateos/npm-scan 0.7.5 → 0.8.0

package/api/api_keys.py

@@ -1,55 +0,0 @@
-"""API key management for the npm-scan hosted tier.
-
-Handles:
-  - Key generation (prefixed + hashed for storage)
-  - Key validation against stored hash
-  - Scope-based access control per key
-  - Key rotation and revocation
-"""
-
-import os
-import uuid
-import hashlib
-import hmac
-import secrets
-from datetime import datetime, timezone, timedelta
-from typing import Optional
-
-
-API_KEY_PREFIX = "npm-scan-api-"
-
-
-def generate_api_key(name: str = "default", scopes: list[str] = None) -> tuple[str, str]:
-    """Generate an API key and return (raw_key, hashed_key).
-    
-    The raw key is returned once for the user to store securely.
-    Only the hashed version is persisted.
-    """
-    raw = API_KEY_PREFIX + secrets.token_urlsafe(32)
-    key_id = str(uuid.uuid4())
-    salt = secrets.token_hex(8)
-    hashed = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), 100_000).hex()
-    stored = f"{salt}${hashed}"
-    return raw, stored
-
-
-def validate_api_key(raw_key: str, stored_hash: str) -> bool:
-    """Check a raw key against its stored PBKDF2 hash."""
-    try:
-        salt, hashed = stored_hash.split("$", 1)
-        check = hashlib.pbkdf2_hmac("sha256", raw_key.encode(), salt.encode(), 100_000).hex()
-        return hmac.compare_digest(check, hashed)
-    except (ValueError, IndexError):
-        return False
-
-
-def is_api_key(raw_key: str) -> bool:
-    """Check if a string looks like an npm-scan API key."""
-    return raw_key.startswith(API_KEY_PREFIX)
-
-
-def redact_key(raw_key: str) -> str:
-    """Show only the last 8 chars of a key for logging."""
-    if len(raw_key) <= 16:
-        return "***"
-    return raw_key[-8:].rjust(len(raw_key), "*")

package/api/deps.py

@@ -1,164 +0,0 @@
-"""Shared auth dependencies for the npm-scan API.
-
-Handles:
-  - JWT access + refresh tokens
-  - API key validation
-  - Session management
-  - RBAC enforcement
-  - License feature gating
-"""
-
-import os
-import uuid
-import json
-from datetime import datetime, timedelta, timezone
-from typing import Optional
-from fastapi import Header, HTTPException, status, Depends, Request
-from pydantic import BaseModel
-from jose import jwt, JWTError
-
-JWT_SECRET = os.environ.get("JWT_SECRET", os.urandom(32).hex())
-JWT_ALGORITHM = "HS256"
-ACCESS_TOKEN_EXPIRE_MINUTES = int(os.environ.get("JWT_EXPIRE_MINUTES", "60"))
-REFRESH_TOKEN_EXPIRE_DAYS = int(os.environ.get("JWT_REFRESH_DAYS", "30"))
-
-
-class UserSession(BaseModel):
-    user_id: str
-    email: str
-    name: str
-    team_id: Optional[str] = None
-    role: str = "viewer"
-    auth_method: str = "password"  # password, saml, api_key
-    idp: Optional[str] = None
-
-
-class TokenPayload(BaseModel):
-    sub: str  # user_id
-    email: str
-    role: str
-    team_id: Optional[str] = None
-    exp: datetime
-    iat: datetime
-    jti: str
-
-
-def create_access_token(session: UserSession) -> str:
-    """Create a JWT access token from a user session."""
-    now = datetime.now(timezone.utc)
-    payload = {
-        "sub": session.user_id,
-        "email": session.email,
-        "role": session.role,
-        "team_id": session.team_id,
-        "iat": now,
-        "exp": now + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
-        "jti": str(uuid.uuid4()),
-    }
-    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
-
-
-def create_refresh_token(session: UserSession) -> str:
-    """Create a long-lived refresh token."""
-    now = datetime.now(timezone.utc)
-    payload = {
-        "sub": session.user_id,
-        "type": "refresh",
-        "jti": str(uuid.uuid4()),
-        "iat": now,
-        "exp": now + timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
-    }
-    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
-
-
-def verify_token(token: str) -> TokenPayload:
-    """Verify and decode a JWT token. Raises 401 on failure."""
-    try:
-        payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
-        return TokenPayload(**payload)
-    except JWTError:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid or expired token",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-
-
-async def get_current_user(
-    authorization: Optional[str] = Header(None),
-) -> UserSession:
-    """Dependency: extracts authenticated user from Bearer token or API key."""
-    if not authorization:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Missing Authorization header",
-        )
-
-    scheme, _, token = authorization.partition(" ")
-    if scheme.lower() != "bearer" or not token:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid authorization scheme. Use: Bearer <token>",
-        )
-
-    # Try JWT first
-    try:
-        payload = verify_token(token)
-        return UserSession(
-            user_id=payload.sub,
-            email=payload.email,
-            name="",
-            role=payload.role,
-            team_id=payload.team_id,
-            auth_method="token",
-        )
-    except HTTPException:
-        pass
-
-    # Try API key (lookup in-memory or PostgreSQL in production)
-    # For now, validate format and return limited session
-    if token.startswith("npm-scan-api-"):
-        return UserSession(
-            user_id="api-user",
-            email="api@npm-scan.io",
-            name="API User",
-            role="viewer",
-            auth_method="api_key",
-        )
-
-    raise HTTPException(
-        status_code=status.HTTP_401_UNAUTHORIZED,
-        detail="Invalid authentication token",
-    )
-
-
-def require_role(required_roles: list[str]):
-    """Dependency factory: requires one of the specified roles."""
-    async def _check(current_user: UserSession = Depends(get_current_user)):
-        if current_user.role not in required_roles:
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail=f"Requires one of these roles: {required_roles}",
-            )
-        return current_user
-    return _check
-
-
-def require_feature(feature: str):
-    """Dependency factory: requires a specific license feature flag."""
-    async def _check():
-        license_key = os.environ.get("NPM_SCAN_LICENSE_KEY", "")
-        if not license_key:
-            raise HTTPException(
-                status_code=status.HTTP_402_PAYMENT_REQUIRED,
-                detail=f"Feature '{feature}' requires a premium/enterprise license key",
-            )
-        # Delegate to Node.js license module via subprocess or bundled validation
-        # For now, check if it's an enterprise key format
-        if not license_key.startswith("npm-scan-"):
-            raise HTTPException(
-                status_code=status.HTTP_402_PAYMENT_REQUIRED,
-                detail="Invalid license key format",
-            )
-        return True
-    return _check

package/api/main.py

@@ -1,44 +0,0 @@
-"""
-npm-scan REST API — FastAPI application.
-Requires premium/enterprise license key for all endpoints.
-"""
-
-from fastapi import FastAPI, Depends, HTTPException, status
-from fastapi.middleware.cors import CORSMiddleware
-import os
-
-from .routers import scans, webhooks, auth, health, sso
-
-app = FastAPI(
-    title="npm-scan API",
-    version=os.environ.get("npm_package_version", "0.5.0"),
-    description="npm supply chain security scanner — REST API",
-)
-
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=["*"],
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
-
-app.include_router(health.router, prefix="/api/v1", tags=["health"])
-app.include_router(auth.router, prefix="/api/v1/auth", tags=["auth"])
-app.include_router(sso.router, prefix="/api/v1", tags=["sso"])
-app.include_router(scans.router, prefix="/api/v1", tags=["scans"])
-app.include_router(webhooks.router, prefix="/api/v1", tags=["webhooks"])
-
-
-def main():
-    import uvicorn
-    uvicorn.run(
-        "api.main:app",
-        host=os.environ.get("API_HOST", "0.0.0.0"),
-        port=int(os.environ.get("API_PORT", "8000")),
-        reload=os.environ.get("API_RELOAD", "false").lower() == "true",
-    )
-
-
-if __name__ == "__main__":
-    main()

package/api/requirements.txt

@@ -1,9 +0,0 @@
-fastapi>=0.115.0
-uvicorn[standard]>=0.32.0
-psycopg2-binary>=2.9.10
-python-jose[cryptography]>=3.3.0
-passlib[bcrypt]>=1.7.4
-httpx>=0.28.0
-pydantic>=2.10.0
-python3-saml>=1.16.0
-python3-saml>=1.16.0

package/api/routers/auth.py

@@ -1,80 +0,0 @@
-"""Authentication endpoints — login, register, API key management, SAML status."""
-
-from fastapi import APIRouter, HTTPException, Depends
-from fastapi.responses import RedirectResponse
-from pydantic import BaseModel, EmailStr
-from typing import Optional
-import os
-
-from ..deps import get_current_user, UserSession
-from ..saml import get_saml_config
-
-router = APIRouter()
-
-
-class RegisterRequest(BaseModel):
-    email: EmailStr
-    name: str
-    password: str
-    team_name: Optional[str] = None
-
-
-class LoginRequest(BaseModel):
-    email: EmailStr
-    password: str
-
-
-class TokenResponse(BaseModel):
-    access_token: str
-    token_type: str = "bearer"
-
-
-class AuthMethodsResponse(BaseModel):
-    password: bool
-    saml: bool
-    saml_entity_id: Optional[str] = None
-    saml_login_url: Optional[str] = None
-
-
-@router.get("/methods")
-async def auth_methods():
-    """List available authentication methods for this instance."""
-    saml_cfg = get_saml_config()
-    saml_configured = saml_cfg.is_configured()
-    return AuthMethodsResponse(
-        password=True,
-        saml=saml_configured,
-        saml_entity_id=saml_cfg.entity_id if saml_configured else None,
-        saml_login_url="/api/v1/sso/login" if saml_configured else None,
-    )
-
-
-@router.get("/me")
-async def get_me(current_user: UserSession = Depends(get_current_user)):
-    """Get the current authenticated user's profile."""
-    return {
-        "user_id": current_user.user_id,
-        "email": current_user.email,
-        "name": current_user.name,
-        "role": current_user.role,
-        "auth_method": current_user.auth_method,
-    }
-
-
-@router.post("/register", response_model=TokenResponse)
-async def register(req: RegisterRequest):
-    raise HTTPException(status_code=501, detail="Registration requires PostgreSQL backend — not yet connected")
-
-
-@router.post("/login", response_model=TokenResponse)
-async def login(req: LoginRequest):
-    raise HTTPException(status_code=501, detail="Login requires PostgreSQL backend — not yet connected")
-
-
-@router.get("/saml")
-async def saml_redirect():
-    """Convenience redirect to SAML login."""
-    saml_cfg = get_saml_config()
-    if not saml_cfg.is_configured():
-        raise HTTPException(status_code=501, detail="SAML not configured")
-    return RedirectResponse(url="/api/v1/sso/login")

package/api/routers/health.py

@@ -1,10 +0,0 @@
-"""Health check endpoint."""
-
-from fastapi import APIRouter
-
-router = APIRouter()
-
-
-@router.get("/health")
-async def health_check():
-    return {"status": "ok", "version": "0.5.0"}

package/api/routers/scans.py

@@ -1,66 +0,0 @@
-"""Scan endpoints — submit, list, retrieve scans and findings."""
-
-from fastapi import APIRouter, HTTPException, Query
-from pydantic import BaseModel
-from typing import Optional, List
-from datetime import datetime
-
-router = APIRouter()
-
-
-class ScanRequest(BaseModel):
-    package_name: str
-    version: Optional[str] = "latest"
-
-
-class Finding(BaseModel):
-    atk_id: str
-    severity: str
-    title: Optional[str] = None
-    description: Optional[str] = None
-    evidence: Optional[str] = None
-
-
-class Scan(BaseModel):
-    id: str
-    package_name: str
-    version: str
-    status: str
-    scanned_at: datetime
-    findings: List[Finding] = []
-
-
-SCANS_DB: list[Scan] = []
-
-
-@router.post("/scan", status_code=201)
-async def submit_scan(req: ScanRequest):
-    """Submit a package for scanning (delegates to Node.js CLI)."""
-    raise HTTPException(
-        status_code=501,
-        detail="Scan execution requires async worker — use `npm-scan scan <package>` via CLI"
-    )
-
-
-@router.get("/scans", response_model=List[Scan])
-async def list_scans(limit: int = Query(10, ge=1, le=100)):
-    """List recent scans."""
-    return SCANS_DB[-limit:][::-1]
-
-
-@router.get("/scans/{scan_id}")
-async def get_scan(scan_id: str):
-    """Get scan details by ID."""
-    for scan in SCANS_DB:
-        if scan.id == scan_id:
-            return scan
-    raise HTTPException(status_code=404, detail=f"Scan {scan_id} not found")
-
-
-@router.get("/scans/{scan_id}/findings")
-async def get_findings(scan_id: str):
-    """Get findings for a specific scan."""
-    for scan in SCANS_DB:
-        if scan.id == scan_id:
-            return scan.findings
-    raise HTTPException(status_code=404, detail=f"Scan {scan_id} not found")