@lobu/gateway 2.8.0 → 3.0.6

package/src/auth/oauth/state-store.ts

@@ -0,0 +1,150 @@
+import { randomBytes } from "node:crypto";
+import { createLogger, type Logger } from "@lobu/core";
+import type Redis from "ioredis";
+
+/**
+ * Generic OAuth state store for CSRF protection
+ * Pattern: {keyPrefix}:{state}
+ * TTL: 5 minutes
+ */
+export class OAuthStateStore<T extends object> {
+  private static readonly TTL_SECONDS = 5 * 60; // 5 minutes
+  protected logger: Logger;
+
+  constructor(
+    private redis: Redis,
+    private keyPrefix: string,
+    loggerName: string
+  ) {
+    this.logger = createLogger(loggerName);
+  }
+
+  /**
+   * Create a new OAuth state with data
+   * Returns the state string to use in OAuth flow
+   */
+  async create(data: T): Promise<string> {
+    const state = this.generateState();
+    const key = this.getKey(state);
+
+    const stateData = {
+      ...data,
+      createdAt: Date.now(),
+    };
+
+    await this.redis.setex(
+      key,
+      OAuthStateStore.TTL_SECONDS,
+      JSON.stringify(stateData)
+    );
+
+    const userId =
+      typeof (data as { userId?: unknown }).userId === "string"
+        ? (data as { userId: string }).userId
+        : undefined;
+    this.logger.info(
+      userId ? `Created OAuth state for user ${userId}` : "Created OAuth state",
+      { state }
+    );
+    return state;
+  }
+
+  /**
+   * Validate and consume an OAuth state
+   * Returns the state data if valid, null if invalid or expired
+   * Deletes the state after retrieval (one-time use)
+   */
+  async consume(state: string): Promise<(T & { createdAt: number }) | null> {
+    const key = this.getKey(state);
+
+    // Get and delete in one operation
+    const data = await this.redis.getdel(key);
+
+    if (!data) {
+      this.logger.warn(`Invalid or expired OAuth state: ${state}`);
+      return null;
+    }
+
+    try {
+      const stateData = JSON.parse(data) as T & { createdAt: number };
+      const stateDataWithUser = stateData as unknown as { userId?: unknown };
+      const userId =
+        typeof stateDataWithUser.userId === "string"
+          ? stateDataWithUser.userId
+          : undefined;
+      this.logger.info(
+        userId
+          ? `Consumed OAuth state for user ${userId}`
+          : "Consumed OAuth state",
+        { state }
+      );
+      return stateData;
+    } catch (error) {
+      this.logger.error(`Failed to parse OAuth state: ${state}`, { error });
+      return null;
+    }
+  }
+
+  /**
+   * Generate a cryptographically secure random state string
+   */
+  private generateState(): string {
+    return randomBytes(32).toString("base64url");
+  }
+
+  private getKey(state: string): string {
+    return `${this.keyPrefix}:${state}`;
+  }
+}
+
+// ============================================================================
+// Provider OAuth State Types and Factory
+// ============================================================================
+
+/**
+ * Context for routing auth completion back to the originating platform.
+ */
+export interface OAuthPlatformContext {
+  platform: string;
+  channelId: string; // chatJid for WhatsApp, channel for Slack
+  conversationId?: string;
+}
+
+export interface ProviderOAuthStateData {
+  userId: string;
+  agentId: string;
+  codeVerifier: string;
+  context?: OAuthPlatformContext;
+}
+
+export type ProviderOAuthState = ProviderOAuthStateData & {
+  createdAt: number;
+};
+
+/**
+ * Create a provider OAuth state store for PKCE flow
+ */
+export function createOAuthStateStore(
+  providerId: string,
+  redis: Redis
+): OAuthStateStore<ProviderOAuthStateData> {
+  return new OAuthStateStore(
+    redis,
+    `${providerId}:oauth_state`,
+    `${providerId}-oauth-state`
+  );
+}
+
+export interface SlackInstallStateData {
+  redirectUri: string;
+}
+
+export type SlackInstallState = SlackInstallStateData & { createdAt: number };
+
+export function createSlackInstallStateStore(
+  redis: Redis
+): OAuthStateStore<SlackInstallStateData> {
+  return new OAuthStateStore(redis, "slack:oauth:state", "slack-install-state");
+}
+
+export type ProviderOAuthStateStore = OAuthStateStore<ProviderOAuthStateData>;

package/src/auth/oauth-templates.ts

@@ -0,0 +1,179 @@
+/**
+ * HTML templates for OAuth flow
+ */
+
+function escapeHtml(value: string): string {
+  return value.replace(/[&<>"'`]/g, (char) => {
+    switch (char) {
+      case "&":
+        return "&amp;";
+      case "<":
+        return "&lt;";
+      case ">":
+        return "&gt;";
+      case '"':
+        return "&quot;";
+      case "'":
+        return "&#39;";
+      case "`":
+        return "&#96;";
+      default:
+        return char;
+    }
+  });
+}
+
+/**
+ * Render a success page that auto-closes the tab (for in-app browsers)
+ * and provides a fallback link to agent configuration when available.
+ */
+export function renderOAuthSuccessPage(
+  name: string,
+  settingsUrl?: string,
+  options?: {
+    title?: string;
+    description?: string;
+    details?: string;
+    closeNote?: string;
+  }
+): string {
+  const safeName = escapeHtml(name);
+  const safeSettingsUrl = settingsUrl ? escapeHtml(settingsUrl) : "";
+  const safeTitle = escapeHtml(options?.title || "Connected!");
+  const safeDescription = escapeHtml(
+    options?.description || `Successfully authenticated with ${name}`
+  );
+  const safeDetails = options?.details ? escapeHtml(options.details) : "";
+  const safeCloseNote = escapeHtml(
+    options?.closeNote || "You can close this tab and return to your chat."
+  );
+
+  return `
+    <!DOCTYPE html>
+    <html>
+      <head>
+        <title>Connected</title>
+        <style>
+          body {
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            height: 100vh;
+            margin: 0;
+            background: linear-gradient(135deg, #334155 0%, #0f172a 100%);
+          }
+          .container {
+            background: white;
+            padding: 2.5rem;
+            border-radius: 12px;
+            text-align: center;
+            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+            max-width: 360px;
+          }
+          .icon { font-size: 3rem; margin-bottom: 0.75rem; }
+          h1 { color: #2d3748; margin: 0 0 0.5rem 0; font-size: 1.25rem; }
+          p { color: #718096; line-height: 1.5; font-size: 0.875rem; margin: 0 0 1rem 0; }
+          .btn {
+            display: inline-block;
+            padding: 0.625rem 1.25rem;
+            background: linear-gradient(to right, #334155, #1e293b);
+            color: white;
+            text-decoration: none;
+            border-radius: 8px;
+            font-size: 0.875rem;
+            font-weight: 600;
+          }
+          .btn:hover { opacity: 0.9; }
+          .close-note { color: #94a3b8; font-size: 0.75rem; margin-top: 1rem; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <div class="icon">&#9989;</div>
+          <h1>${safeTitle}</h1>
+          <p>${safeDescription.includes(safeName) ? safeDescription : `${safeDescription} <strong>${safeName}</strong>`}</p>
+          ${safeDetails ? `<p>${safeDetails}</p>` : ""}
+          ${safeSettingsUrl ? `<a class="btn" href="${safeSettingsUrl}">Open Configuration</a>` : ""}
+          <p class="close-note">${safeCloseNote}</p>
+        </div>
+        <script>
+          // Auto-close for Telegram in-app browser
+          if (window.Telegram && window.Telegram.WebApp) {
+            window.Telegram.WebApp.close();
+          }
+          // Try to close the window/tab after a brief moment
+          setTimeout(function() { window.close(); }, 1500);
+        </script>
+      </body>
+    </html>
+  `;
+}
+
+export function renderOAuthErrorPage(
+  error: string,
+  description?: string
+): string {
+  const safeError = escapeHtml(error);
+  const safeDescription = escapeHtml(
+    description || "An error occurred during authentication"
+  );
+
+  return `
+    <!DOCTYPE html>
+    <html>
+      <head>
+        <title>Authentication Failed</title>
+        <style>
+          body {
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            height: 100vh;
+            margin: 0;
+            background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
+          }
+          .container {
+            background: white;
+            padding: 3rem;
+            border-radius: 12px;
+            text-align: center;
+            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+            max-width: 400px;
+          }
+          .error-icon {
+            font-size: 4rem;
+            margin-bottom: 1rem;
+          }
+          h1 {
+            color: #2d3748;
+            margin: 0 0 1rem 0;
+          }
+          p {
+            color: #718096;
+            line-height: 1.6;
+          }
+          .error-code {
+            background: #f7fafc;
+            padding: 0.5rem;
+            border-radius: 6px;
+            font-family: monospace;
+            font-size: 0.875rem;
+            color: #e53e3e;
+            margin-top: 1rem;
+          }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <div class="error-icon">❌</div>
+          <h1>Authentication Failed</h1>
+          <p>${safeDescription}</p>
+          <div class="error-code">${safeError}</div>
+          <p style="margin-top: 2rem;">Please close this window and try again.</p>
+        </div>
+      </body>
+    </html>
+  `;
+}

package/src/auth/provider-catalog.ts

@@ -0,0 +1,220 @@
+import { createLogger, type InstalledProvider } from "@lobu/core";
+import {
+  getModelProviderModules,
+  type ModelProviderModule,
+} from "../modules/module-system";
+import type { AgentSettingsStore } from "./settings/agent-settings-store";
+import type { AuthProfilesManager } from "./settings/auth-profiles-manager";
+import { reconcileModelSelectionForInstalledProviders } from "./settings/model-selection";
+
+const logger = createLogger("provider-catalog");
+
+/**
+ * Resolve an agent's installed providers, falling back to the base agent's
+ * providers for sandbox agents that have none of their own.
+ */
+export async function resolveInstalledProviders(
+  agentSettingsStore: AgentSettingsStore,
+  agentId: string
+): Promise<InstalledProvider[]> {
+  const settings = await agentSettingsStore.getEffectiveSettings(agentId);
+  return settings?.installedProviders || [];
+}
+
+/**
+ * ProviderCatalogService wraps the module registry to provide
+ * per-agent provider install/uninstall/reorder operations.
+ *
+ * Providers are registered globally in the module registry,
+ * but each agent chooses which providers to install from the catalog.
+ */
+export class ProviderCatalogService {
+  constructor(
+    private agentSettingsStore: AgentSettingsStore,
+    private authProfilesManager: AuthProfilesManager
+  ) {}
+
+  /**
+   * List all catalog-visible providers from the module registry.
+   */
+  listCatalogProviders(): ModelProviderModule[] {
+    return getModelProviderModules().filter((m) => m.catalogVisible !== false);
+  }
+
+  /**
+   * Resolve an agent's installedProviders to their module instances.
+   * Returns modules in the agent's install order.
+   */
+  async getInstalledModules(agentId: string): Promise<ModelProviderModule[]> {
+    const installed = await resolveInstalledProviders(
+      this.agentSettingsStore,
+      agentId
+    );
+    if (installed.length === 0) return [];
+
+    const allModules = getModelProviderModules();
+    const moduleMap = new Map(allModules.map((m) => [m.providerId, m]));
+
+    return installed
+      .map((ip) => moduleMap.get(ip.providerId))
+      .filter((m): m is ModelProviderModule => m !== undefined);
+  }
+
+  /**
+   * Get raw installed provider entries for an agent.
+   */
+  async getInstalledProviders(agentId: string): Promise<InstalledProvider[]> {
+    return resolveInstalledProviders(this.agentSettingsStore, agentId);
+  }
+
+  /**
+   * Install a provider for an agent. Appends to the end of the list.
+   */
+  async installProvider(
+    agentId: string,
+    providerId: string,
+    config?: InstalledProvider["config"]
+  ): Promise<void> {
+    const allModules = getModelProviderModules();
+    const module = allModules.find((m) => m.providerId === providerId);
+    if (!module) {
+      throw new Error(`Unknown provider: ${providerId}`);
+    }
+
+    const { localSettings, effectiveSettings } =
+      await this.agentSettingsStore.getSettingsContext(agentId);
+    const installed = effectiveSettings?.installedProviders || [];
+
+    if (installed.some((ip) => ip.providerId === providerId)) {
+      logger.info(
+        `Provider ${providerId} already installed for agent ${agentId}`
+      );
+      return;
+    }
+
+    const entry: InstalledProvider = {
+      providerId,
+      installedAt: Date.now(),
+      ...(config ? { config } : {}),
+    };
+    const nextInstalledProviders = [...installed, entry];
+    const reconciled = reconcileModelSelectionForInstalledProviders({
+      model: localSettings?.model ?? effectiveSettings?.model,
+      modelSelection:
+        localSettings?.modelSelection ?? effectiveSettings?.modelSelection,
+      providerModelPreferences:
+        localSettings?.providerModelPreferences ??
+        effectiveSettings?.providerModelPreferences,
+      installedProviders: nextInstalledProviders,
+    });
+
+    await this.agentSettingsStore.updateSettings(agentId, {
+      installedProviders: nextInstalledProviders,
+      ...reconciled,
+    });
+
+    logger.info(`Installed provider ${providerId} for agent ${agentId}`);
+  }
+
+  /**
+   * Uninstall a provider from an agent. Also cleans up auth profiles.
+   */
+  async uninstallProvider(agentId: string, providerId: string): Promise<void> {
+    const { localSettings, effectiveSettings } =
+      await this.agentSettingsStore.getSettingsContext(agentId);
+    const installed = effectiveSettings?.installedProviders || [];
+
+    const filtered = installed.filter((ip) => ip.providerId !== providerId);
+    if (filtered.length === installed.length) {
+      logger.info(
+        `Provider ${providerId} not installed for agent ${agentId}, nothing to uninstall`
+      );
+      return;
+    }
+
+    // Clean up auth profiles for this provider
+    await this.authProfilesManager.deleteProviderProfiles(agentId, providerId);
+    const reconciled = reconcileModelSelectionForInstalledProviders({
+      model: localSettings?.model ?? effectiveSettings?.model,
+      modelSelection:
+        localSettings?.modelSelection ?? effectiveSettings?.modelSelection,
+      providerModelPreferences:
+        localSettings?.providerModelPreferences ??
+        effectiveSettings?.providerModelPreferences,
+      installedProviders: filtered,
+    });
+
+    await this.agentSettingsStore.updateSettings(agentId, {
+      installedProviders: filtered,
+      ...reconciled,
+    });
+
+    logger.info(`Uninstalled provider ${providerId} for agent ${agentId}`);
+  }
+
+  /**
+   * Find the provider module whose model options include the given model string.
+   */
+  async findProviderForModel(
+    model: string,
+    providers?: ModelProviderModule[]
+  ): Promise<ModelProviderModule | undefined> {
+    const candidates = providers || getModelProviderModules();
+    for (const provider of candidates) {
+      if (!provider.getModelOptions) continue;
+      const options = await provider.getModelOptions("", "");
+      if (options.some((opt) => opt.value === model)) {
+        return provider;
+      }
+    }
+    return undefined;
+  }
+
+  /**
+   * Reorder installed providers. The orderedIds must contain
+   * exactly the same provider IDs as currently installed.
+   */
+  async reorderProviders(agentId: string, orderedIds: string[]): Promise<void> {
+    const { localSettings, effectiveSettings } =
+      await this.agentSettingsStore.getSettingsContext(agentId);
+    const installed = effectiveSettings?.installedProviders || [];
+
+    const installedMap = new Map(installed.map((ip) => [ip.providerId, ip]));
+
+    // Validate all ordered IDs exist in installed
+    for (const id of orderedIds) {
+      if (!installedMap.has(id)) {
+        throw new Error(`Provider ${id} is not installed`);
+      }
+    }
+
+    const reordered = orderedIds
+      .map((id) => installedMap.get(id))
+      .filter((ip): ip is InstalledProvider => ip !== undefined);
+
+    // Append any installed providers not in orderedIds (shouldn't happen but safety)
+    for (const ip of installed) {
+      if (!orderedIds.includes(ip.providerId)) {
+        reordered.push(ip);
+      }
+    }
+    const reconciled = reconcileModelSelectionForInstalledProviders({
+      model: localSettings?.model ?? effectiveSettings?.model,
+      modelSelection:
+        localSettings?.modelSelection ?? effectiveSettings?.modelSelection,
+      providerModelPreferences:
+        localSettings?.providerModelPreferences ??
+        effectiveSettings?.providerModelPreferences,
+      installedProviders: reordered,
+    });
+
+    await this.agentSettingsStore.updateSettings(agentId, {
+      installedProviders: reordered,
+      ...reconciled,
+    });
+
+    logger.info(
+      `Reordered providers for agent ${agentId}: ${orderedIds.join(", ")}`
+    );
+  }
+}

package/src/auth/provider-model-options.ts

@@ -0,0 +1,41 @@
+import { createLogger } from "@lobu/core";
+import {
+  getModelProviderModules,
+  type ModelOption,
+} from "../modules/module-system";
+
+const logger = createLogger("provider-model-options");
+
+export async function collectProviderModelOptions(
+  agentId: string,
+  userId: string
+): Promise<Record<string, ModelOption[]>> {
+  const modules = getModelProviderModules();
+
+  const results: Record<string, ModelOption[]> = {};
+
+  await Promise.all(
+    modules.map(async (mod) => {
+      try {
+        if (typeof mod.getModelOptions !== "function") {
+          results[mod.providerId] = [];
+          return;
+        }
+
+        const options = await mod.getModelOptions(agentId, userId);
+        results[mod.providerId] = Array.isArray(options) ? options : [];
+      } catch (error) {
+        results[mod.providerId] = [];
+        logger.warn(
+          {
+            providerId: mod.providerId,
+            error: error instanceof Error ? error.message : String(error),
+          },
+          "Failed to collect model options for provider"
+        );
+      }
+    })
+  );
+
+  return results;
+}