@lobu/gateway 2.8.0 → 3.0.6

package/src/routes/internal/audio.ts

@@ -0,0 +1,141 @@
+/**
+ * Internal Audio Routes
+ *
+ * Worker-facing endpoints for audio generation (TTS).
+ * Used by the GenerateAudio custom MCP tool.
+ */
+
+import { createLogger } from "@lobu/core";
+import { Hono } from "hono";
+import type { TranscriptionService } from "../../services/transcription-service";
+import { authenticateWorker } from "./middleware";
+import type { WorkerContext } from "./types";
+
+const logger = createLogger("internal-audio-routes");
+
+/**
+ * Create internal audio routes (Hono)
+ */
+export function createAudioRoutes(
+  transcriptionService: TranscriptionService
+): Hono<WorkerContext> {
+  const router = new Hono<WorkerContext>();
+
+  /**
+   * Generate audio from text (TTS)
+   * POST /internal/audio/synthesize
+   *
+   * Body: {
+   *   text: string (required) - Text to convert to speech
+   *   voice?: string - Provider-specific voice ID
+   *   speed?: number - Speech speed (0.5-2.0)
+   * }
+   *
+   * Response: Audio file (binary) with Content-Type header
+   */
+  router.post("/internal/audio/synthesize", authenticateWorker, async (c) => {
+    try {
+      const worker = c.get("worker");
+      const { text, voice, speed } = await c.req.json();
+
+      if (!text || typeof text !== "string") {
+        return c.json({ error: "text is required and must be a string" }, 400);
+      }
+
+      if (text.length > 4096) {
+        return c.json({ error: "text must be 4096 characters or less" }, 400);
+      }
+
+      const agentId = worker.agentId;
+      if (!agentId) {
+        return c.json({ error: "Missing agentId in worker context" }, 400);
+      }
+
+      logger.info("Synthesizing audio", {
+        agentId,
+        textLength: text.length,
+        voice,
+      });
+
+      const result = await transcriptionService.synthesize(text, agentId, {
+        voice,
+        speed,
+      });
+
+      if ("error" in result) {
+        logger.warn("Audio synthesis failed", { error: result.error });
+        return c.json(
+          {
+            error: result.error,
+            availableProviders: result.availableProviders,
+          },
+          400
+        );
+      }
+
+      // Return audio as binary response
+      return new Response(result.audioBuffer, {
+        headers: {
+          "Content-Type": result.mimeType,
+          "Content-Length": result.audioBuffer.length.toString(),
+          "X-Audio-Provider": result.provider,
+        },
+      });
+    } catch (error) {
+      logger.error("Audio synthesis error", { error });
+      return c.json(
+        {
+          error:
+            error instanceof Error
+              ? error.message
+              : "Failed to synthesize audio",
+        },
+        500
+      );
+    }
+  });
+
+  /**
+   * Check audio capabilities for current agent
+   * GET /internal/audio/capabilities
+   *
+   * Response: {
+   *   available: boolean,
+   *   provider?: string,
+   *   features: { transcription: boolean, synthesis: boolean }
+   * }
+   */
+  router.get("/internal/audio/capabilities", authenticateWorker, async (c) => {
+    try {
+      const worker = c.get("worker");
+      const agentId = worker.agentId;
+
+      if (!agentId) {
+        return c.json({ error: "Missing agentId in worker context" }, 400);
+      }
+
+      const config = await transcriptionService.getConfig(agentId);
+
+      if (!config) {
+        return c.json({
+          available: false,
+          features: { transcription: false, synthesis: false },
+          providers: transcriptionService.getProviderInfo(),
+        });
+      }
+
+      return c.json({
+        available: true,
+        provider: config.provider,
+        features: { transcription: true, synthesis: true },
+      });
+    } catch (error) {
+      logger.error("Capabilities check error", { error });
+      return c.json({ error: "Failed to check capabilities" }, 500);
+    }
+  });
+
+  logger.debug("Internal audio routes registered");
+
+  return router;
+}

package/src/routes/internal/device-auth.ts

@@ -0,0 +1,566 @@
+import { createLogger, decrypt, encrypt } from "@lobu/core";
+import { Hono } from "hono";
+import type Redis from "ioredis";
+import { GenericDeviceCodeClient } from "../../auth/external/device-code-client";
+import type { McpConfigService } from "../../auth/mcp/config-service";
+import { authenticateWorker } from "./middleware";
+import type { WorkerContext } from "./types";
+
+const logger = createLogger("device-auth");
+
+const DEFAULT_MCP_SCOPE = "mcp:read mcp:write profile:read";
+const DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+
+interface StoredCredential {
+  accessToken: string;
+  refreshToken?: string;
+  expiresAt: number;
+  clientId: string;
+  clientSecret?: string;
+  tokenUrl: string;
+}
+
+interface StoredDeviceAuth {
+  deviceCode: string;
+  userCode?: string;
+  clientId: string;
+  clientSecret?: string;
+  interval: number;
+  expiresAt: number;
+  tokenUrl: string;
+  issuer: string;
+}
+
+interface StoredClient {
+  clientId: string;
+  clientSecret?: string;
+}
+
+export interface DeviceAuthConfig {
+  redis: Redis;
+  mcpConfigService: McpConfigService;
+}
+
+function credentialKey(agentId: string, userId: string, mcpId: string): string {
+  return `auth:credential:${agentId}:${userId}:${mcpId}`;
+}
+
+function deviceAuthKey(agentId: string, userId: string, mcpId: string): string {
+  return `device-auth:${agentId}:${userId}:${mcpId}`;
+}
+
+function clientCacheKey(mcpId: string): string {
+  return `device-auth:client:${mcpId}`;
+}
+
+function refreshLockKey(
+  agentId: string,
+  userId: string,
+  mcpId: string
+): string {
+  return `auth:refresh-lock:${agentId}:${userId}:${mcpId}`;
+}
+
+export async function getStoredCredential(
+  redis: Redis,
+  agentId: string,
+  userId: string,
+  mcpId: string
+): Promise<StoredCredential | null> {
+  const raw = await redis.get(credentialKey(agentId, userId, mcpId));
+  if (!raw) return null;
+  try {
+    return JSON.parse(decrypt(raw)) as StoredCredential;
+  } catch {
+    return null;
+  }
+}
+
+async function storeCredential(
+  redis: Redis,
+  agentId: string,
+  userId: string,
+  mcpId: string,
+  credential: StoredCredential
+): Promise<void> {
+  const encrypted = encrypt(JSON.stringify(credential));
+  // Store with 90-day TTL (tokens can be refreshed before expiry)
+  await redis.set(
+    credentialKey(agentId, userId, mcpId),
+    encrypted,
+    "EX",
+    90 * 24 * 60 * 60
+  );
+}
+
+export async function refreshCredential(
+  redis: Redis,
+  agentId: string,
+  userId: string,
+  mcpId: string,
+  credential: StoredCredential
+): Promise<StoredCredential | null> {
+  if (!credential.refreshToken) return null;
+
+  const lockKey = refreshLockKey(agentId, userId, mcpId);
+  const acquired = await redis.set(lockKey, "1", "EX", 30, "NX");
+
+  if (!acquired) {
+    // Another request is refreshing — wait briefly and re-read
+    await new Promise((r) => setTimeout(r, 150));
+    return getStoredCredential(redis, agentId, userId, mcpId);
+  }
+
+  try {
+    const body: Record<string, string> = {
+      grant_type: "refresh_token",
+      client_id: credential.clientId,
+      refresh_token: credential.refreshToken,
+    };
+    if (credential.clientSecret) {
+      body.client_secret = credential.clientSecret;
+    }
+
+    const response = await fetch(credential.tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (!response.ok) {
+      logger.error("Token refresh failed", {
+        status: response.status,
+        agentId,
+        userId,
+        mcpId,
+      });
+      return null;
+    }
+
+    const data = (await response.json()) as Record<string, unknown>;
+    if (typeof data.access_token !== "string") return null;
+
+    const refreshed: StoredCredential = {
+      accessToken: data.access_token,
+      refreshToken:
+        typeof data.refresh_token === "string"
+          ? data.refresh_token
+          : credential.refreshToken,
+      expiresAt:
+        typeof data.expires_in === "number"
+          ? Date.now() + data.expires_in * 1000
+          : Date.now() + 3_600_000,
+      clientId: credential.clientId,
+      clientSecret: credential.clientSecret,
+      tokenUrl: credential.tokenUrl,
+    };
+
+    await storeCredential(redis, agentId, userId, mcpId, refreshed);
+    logger.info("Token refreshed", { agentId, userId, mcpId });
+    return refreshed;
+  } catch (error) {
+    logger.error("Token refresh error", { error, agentId, userId, mcpId });
+    return null;
+  } finally {
+    await redis.del(lockKey).catch(() => undefined);
+  }
+}
+
+/**
+ * Try to complete a pending device-code auth flow.
+ * Called by the MCP proxy's resolveCredentialToken when no stored credential
+ * exists but a device-auth flow may have been started earlier.
+ * Returns the access token on success, null if pending or no flow in progress.
+ */
+export async function tryCompletePendingDeviceAuth(
+  redis: Redis,
+  agentId: string,
+  userId: string,
+  mcpId: string
+): Promise<string | null> {
+  const raw = await redis.get(deviceAuthKey(agentId, userId, mcpId));
+  if (!raw) return null;
+
+  let deviceState: StoredDeviceAuth;
+  try {
+    deviceState = JSON.parse(raw) as StoredDeviceAuth;
+  } catch {
+    return null;
+  }
+
+  if (Date.now() > deviceState.expiresAt) {
+    await redis.del(deviceAuthKey(agentId, userId, mcpId));
+    return null;
+  }
+
+  try {
+    const deviceCodeClient = new GenericDeviceCodeClient({
+      clientId: deviceState.clientId,
+      clientSecret: deviceState.clientSecret,
+      tokenUrl: deviceState.tokenUrl,
+      deviceAuthorizationUrl: `${deviceState.issuer}/oauth/device_authorization`,
+      scope: DEFAULT_MCP_SCOPE,
+      tokenEndpointAuthMethod: deviceState.clientSecret
+        ? "client_secret_post"
+        : "none",
+    });
+
+    const pollResult = await deviceCodeClient.pollForToken(
+      deviceState.deviceCode,
+      deviceState.interval
+    );
+
+    if (pollResult.status === "pending") {
+      return null;
+    }
+
+    if (pollResult.status === "error") {
+      await redis.del(deviceAuthKey(agentId, userId, mcpId));
+      return null;
+    }
+
+    // Success — store credential and clean up
+    const { credentials } = pollResult;
+    const storedCred: StoredCredential = {
+      accessToken: credentials.accessToken,
+      refreshToken: credentials.refreshToken,
+      expiresAt: credentials.expiresAt,
+      clientId: deviceState.clientId,
+      clientSecret: deviceState.clientSecret,
+      tokenUrl: deviceState.tokenUrl,
+    };
+
+    await storeCredential(redis, agentId, userId, mcpId, storedCred);
+    await redis.del(deviceAuthKey(agentId, userId, mcpId));
+
+    logger.info("Device auth auto-completed by proxy", {
+      mcpId,
+      agentId,
+      userId,
+    });
+    return credentials.accessToken;
+  } catch (error) {
+    logger.warn("Auto-complete device auth failed", {
+      mcpId,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return null;
+  }
+}
+
+function deriveOAuthBaseUrl(upstreamUrl: string): string {
+  const url = new URL(upstreamUrl);
+  url.pathname = "/";
+  url.search = "";
+  url.hash = "";
+  return url.toString().replace(/\/$/, "");
+}
+
+/**
+ * Start device-code auth flow for a given MCP server.
+ * Reusable by the MCP proxy to auto-initiate auth on "unauthorized" errors.
+ */
+export async function startDeviceAuth(
+  redis: Redis,
+  mcpConfigService: {
+    getHttpServer: (
+      id: string,
+      agentId?: string
+    ) => Promise<{ upstreamUrl: string } | undefined>;
+  },
+  mcpId: string,
+  agentId: string,
+  userId: string
+): Promise<{
+  userCode: string;
+  verificationUri: string;
+  verificationUriComplete?: string;
+  expiresIn: number;
+} | null> {
+  // Reuse existing pending device auth flow if not expired
+  const existingRaw = await redis.get(deviceAuthKey(agentId, userId, mcpId));
+  if (existingRaw) {
+    try {
+      const existing = JSON.parse(existingRaw) as StoredDeviceAuth;
+      if (existing.expiresAt > Date.now()) {
+        const httpServer = await mcpConfigService.getHttpServer(mcpId, agentId);
+        const issuer = httpServer
+          ? deriveOAuthBaseUrl(httpServer.upstreamUrl)
+          : existing.issuer;
+        const verificationUri = `${issuer}/oauth/device`;
+        logger.info("Reusing existing pending device auth", {
+          mcpId,
+          agentId,
+          userId,
+        });
+        return {
+          userCode: existing.userCode || "",
+          verificationUri,
+          verificationUriComplete: existing.userCode
+            ? `${verificationUri}?user_code=${existing.userCode}`
+            : verificationUri,
+          expiresIn: Math.floor((existing.expiresAt - Date.now()) / 1000),
+        };
+      }
+    } catch {
+      // Corrupted state — fall through to start new flow
+    }
+  }
+
+  const httpServer = await mcpConfigService.getHttpServer(mcpId, agentId);
+  if (!httpServer) {
+    logger.warn("startDeviceAuth: httpServer not found", { mcpId, agentId });
+    return null;
+  }
+
+  const issuer = deriveOAuthBaseUrl(httpServer.upstreamUrl);
+
+  // Check cached client registration
+  let client: StoredClient | null = null;
+  const cachedClient = await redis.get(clientCacheKey(mcpId));
+  if (cachedClient) {
+    try {
+      client = JSON.parse(cachedClient) as StoredClient;
+    } catch {
+      client = null;
+    }
+  }
+
+  // Register a new client if needed
+  if (!client) {
+    const regResponse = await fetch(`${issuer}/oauth/register`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_types: [DEVICE_CODE_GRANT_TYPE, "refresh_token"],
+        token_endpoint_auth_method: "none",
+        client_name: "Lobu Gateway Device Auth",
+        scope: DEFAULT_MCP_SCOPE,
+      }),
+    });
+
+    if (!regResponse.ok) return null;
+
+    const registration = (await regResponse.json()) as {
+      client_id: string;
+      client_secret?: string;
+    };
+
+    client = {
+      clientId: registration.client_id,
+      clientSecret: registration.client_secret,
+    };
+
+    await redis.set(clientCacheKey(mcpId), JSON.stringify(client));
+  }
+
+  const deviceCodeClient = new GenericDeviceCodeClient({
+    clientId: client.clientId,
+    clientSecret: client.clientSecret,
+    tokenUrl: `${issuer}/oauth/token`,
+    deviceAuthorizationUrl: `${issuer}/oauth/device_authorization`,
+    scope: DEFAULT_MCP_SCOPE,
+    tokenEndpointAuthMethod: client.clientSecret
+      ? "client_secret_post"
+      : "none",
+  });
+
+  const started = await deviceCodeClient.requestDeviceCode();
+
+  const deviceState: StoredDeviceAuth = {
+    deviceCode: started.deviceAuthId,
+    userCode: started.userCode,
+    clientId: client.clientId,
+    clientSecret: client.clientSecret,
+    interval: started.interval,
+    expiresAt: Date.now() + started.expiresIn * 1000,
+    tokenUrl: `${issuer}/oauth/token`,
+    issuer,
+  };
+
+  await redis.set(
+    deviceAuthKey(agentId, userId, mcpId),
+    JSON.stringify(deviceState),
+    "EX",
+    started.expiresIn
+  );
+
+  logger.info("Device auth started (auto)", { mcpId, agentId, userId });
+
+  return {
+    userCode: started.userCode,
+    verificationUri: started.verificationUri,
+    verificationUriComplete: started.verificationUriComplete,
+    expiresIn: started.expiresIn,
+  };
+}
+
+export function createDeviceAuthRoutes(
+  config: DeviceAuthConfig
+): Hono<WorkerContext> {
+  const { redis, mcpConfigService } = config;
+  const router = new Hono<WorkerContext>();
+
+  // POST /internal/device-auth/start
+  router.post("/internal/device-auth/start", authenticateWorker, async (c) => {
+    const body = await c.req.json<{ mcpId: string }>();
+    const mcpId = body?.mcpId;
+    if (!mcpId) {
+      return c.json({ error: "Missing required field: mcpId" }, 400);
+    }
+
+    const worker = c.get("worker");
+    const agentId = worker.agentId || worker.userId;
+    const userId = worker.userId;
+
+    try {
+      const result = await startDeviceAuth(
+        redis,
+        mcpConfigService,
+        mcpId,
+        agentId,
+        userId
+      );
+
+      if (!result) {
+        return c.json(
+          {
+            error: `MCP server '${mcpId}' not found or client registration failed`,
+          },
+          404
+        );
+      }
+
+      return c.json(result);
+    } catch (error) {
+      logger.error("Failed to start device auth", {
+        mcpId,
+        error: error instanceof Error ? error.message : String(error),
+        stack: error instanceof Error ? error.stack : undefined,
+      });
+      return c.json({ error: "Failed to start device authentication" }, 500);
+    }
+  });
+
+  // POST /internal/device-auth/poll
+  router.post("/internal/device-auth/poll", authenticateWorker, async (c) => {
+    const body = await c.req.json<{ mcpId: string }>();
+    const mcpId = body?.mcpId;
+    if (!mcpId) {
+      return c.json({ error: "Missing required field: mcpId" }, 400);
+    }
+
+    const worker = c.get("worker");
+    const agentId = worker.agentId || worker.userId;
+    const userId = worker.userId;
+
+    const raw = await redis.get(deviceAuthKey(agentId, userId, mcpId));
+    if (!raw) {
+      return c.json(
+        {
+          status: "error",
+          message: "No device auth in progress. Call start first.",
+        },
+        400
+      );
+    }
+
+    const deviceState = JSON.parse(raw) as StoredDeviceAuth;
+
+    if (Date.now() > deviceState.expiresAt) {
+      await redis.del(deviceAuthKey(agentId, userId, mcpId));
+      return c.json(
+        { status: "error", message: "Device code expired. Start again." },
+        400
+      );
+    }
+
+    try {
+      const deviceCodeClient = new GenericDeviceCodeClient({
+        clientId: deviceState.clientId,
+        clientSecret: deviceState.clientSecret,
+        tokenUrl: deviceState.tokenUrl,
+        deviceAuthorizationUrl: `${deviceState.issuer}/oauth/device_authorization`,
+        scope: DEFAULT_MCP_SCOPE,
+        tokenEndpointAuthMethod: deviceState.clientSecret
+          ? "client_secret_post"
+          : "none",
+      });
+
+      const pollResult = await deviceCodeClient.pollForToken(
+        deviceState.deviceCode,
+        deviceState.interval
+      );
+
+      if (pollResult.status === "pending") {
+        // Update interval if slow_down was received
+        if (
+          pollResult.interval &&
+          pollResult.interval !== deviceState.interval
+        ) {
+          deviceState.interval = pollResult.interval;
+          const ttl = Math.max(
+            Math.floor((deviceState.expiresAt - Date.now()) / 1000),
+            10
+          );
+          await redis.set(
+            deviceAuthKey(agentId, userId, mcpId),
+            JSON.stringify(deviceState),
+            "EX",
+            ttl
+          );
+        }
+        return c.json({ status: "pending" });
+      }
+
+      if (pollResult.status === "error") {
+        await redis.del(deviceAuthKey(agentId, userId, mcpId));
+        return c.json({ status: "error", message: pollResult.error });
+      }
+
+      // Success — store credential and clean up device auth state
+      const { credentials } = pollResult;
+      const storedCred: StoredCredential = {
+        accessToken: credentials.accessToken,
+        refreshToken: credentials.refreshToken,
+        expiresAt: credentials.expiresAt,
+        clientId: deviceState.clientId,
+        clientSecret: deviceState.clientSecret,
+        tokenUrl: deviceState.tokenUrl,
+      };
+
+      await storeCredential(redis, agentId, userId, mcpId, storedCred);
+      await redis.del(deviceAuthKey(agentId, userId, mcpId));
+
+      logger.info("Device auth completed", { mcpId, agentId, userId });
+      return c.json({ status: "complete" });
+    } catch (error) {
+      logger.error("Failed to poll device auth", { mcpId, error });
+      return c.json(
+        { status: "error", message: "Failed to poll device auth" },
+        500
+      );
+    }
+  });
+
+  // GET /internal/device-auth/status?mcpId=owletto
+  router.get("/internal/device-auth/status", authenticateWorker, async (c) => {
+    const mcpId = c.req.query("mcpId");
+    if (!mcpId) {
+      return c.json({ error: "Missing required query param: mcpId" }, 400);
+    }
+
+    const worker = c.get("worker");
+    const agentId = worker.agentId || worker.userId;
+    const userId = worker.userId;
+
+    const credential = await getStoredCredential(redis, agentId, userId, mcpId);
+    return c.json({ authenticated: !!credential });
+  });
+
+  logger.debug("Device auth routes registered");
+  return router;
+}