@lobu/gateway 3.0.5 → 3.0.6

package/src/__tests__/provider-inheritance.test.ts

@@ -0,0 +1,212 @@
+import { beforeEach, describe, expect, test } from "bun:test";
+import { MockRedisClient } from "@lobu/core/testing";
+import {
+  ProviderCatalogService,
+  resolveInstalledProviders,
+} from "../auth/provider-catalog";
+import { AgentSettingsStore } from "../auth/settings/agent-settings-store";
+import { AuthProfilesManager } from "../auth/settings/auth-profiles-manager";
+import {
+  canEditSettingsSection,
+  canViewSettingsSection,
+  resolveSettingsView,
+} from "../auth/settings/resolved-settings-view";
+import { buildDefaultSettingsFromSource } from "../auth/settings/template-utils";
+import { hasConfiguredProvider } from "../services/platform-helpers";
+
+describe("sandbox provider inheritance", () => {
+  let redis: MockRedisClient;
+  let store: AgentSettingsStore;
+  let authProfilesManager: AuthProfilesManager;
+
+  beforeEach(() => {
+    redis = new MockRedisClient();
+    store = new AgentSettingsStore(redis as any);
+    authProfilesManager = new AuthProfilesManager(store);
+  });
+
+  test("inherits installed providers through metadata and connection template fallback", async () => {
+    await store.saveSettings("template-agent", {
+      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
+    });
+    await redis.set(
+      "agent_metadata:telegram-6570514069",
+      JSON.stringify({ parentConnectionId: "conn-1" })
+    );
+    await redis.set(
+      "connection:conn-1",
+      JSON.stringify({ templateAgentId: "template-agent" })
+    );
+
+    const providers = await resolveInstalledProviders(
+      store,
+      "telegram-6570514069"
+    );
+
+    expect(providers).toEqual([{ providerId: "z-ai", installedAt: 1 }]);
+  });
+
+  test("inherits auth profiles through metadata and connection template fallback", async () => {
+    await store.saveSettings("template-agent", {
+      authProfiles: [
+        {
+          id: "profile-1",
+          provider: "z-ai",
+          credential: "secret",
+          authType: "api-key",
+          label: "z.ai",
+          model: "*",
+          createdAt: 1,
+        },
+      ],
+      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
+    });
+    await redis.set(
+      "agent_metadata:telegram-6570514069",
+      JSON.stringify({ parentConnectionId: "conn-1" })
+    );
+    await redis.set(
+      "connection:conn-1",
+      JSON.stringify({ templateAgentId: "template-agent" })
+    );
+
+    const profiles = await authProfilesManager.listProfiles(
+      "telegram-6570514069"
+    );
+
+    expect(profiles).toHaveLength(1);
+    expect(profiles[0]?.provider).toBe("z-ai");
+    expect(profiles[0]?.credential).toBe("secret");
+  });
+
+  test("inherits auth profiles for cloned sandbox settings that copied providers", async () => {
+    await store.saveSettings("template-agent", {
+      authProfiles: [
+        {
+          id: "profile-1",
+          provider: "z-ai",
+          credential: "secret",
+          authType: "api-key",
+          label: "z.ai",
+          model: "*",
+          createdAt: 1,
+        },
+      ],
+      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
+    });
+
+    const templateSettings = await store.getSettings("template-agent");
+    const cloned = buildDefaultSettingsFromSource(templateSettings);
+    cloned.templateAgentId = "template-agent";
+    await store.saveSettings("telegram-6570514069", cloned);
+
+    const effective = await store.getEffectiveSettings("telegram-6570514069");
+    const profiles = await authProfilesManager.listProfiles(
+      "telegram-6570514069"
+    );
+
+    expect(cloned.authProfiles).toBeUndefined();
+    expect(effective?.authProfiles).toHaveLength(1);
+    expect(profiles).toHaveLength(1);
+  });
+
+  test("treats cloned sandbox settings as configured when template provides credentials", async () => {
+    await store.saveSettings("template-agent", {
+      authProfiles: [
+        {
+          id: "profile-1",
+          provider: "z-ai",
+          credential: "secret",
+          authType: "api-key",
+          label: "z.ai",
+          model: "*",
+          createdAt: 1,
+        },
+      ],
+      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
+    });
+
+    const templateSettings = await store.getSettings("template-agent");
+    const cloned = buildDefaultSettingsFromSource(templateSettings);
+    cloned.templateAgentId = "template-agent";
+    await store.saveSettings("telegram-6570514069", cloned);
+
+    await expect(
+      hasConfiguredProvider("telegram-6570514069", store)
+    ).resolves.toBe(true);
+  });
+
+  test("exposes inherited provider state with read-only model visibility", async () => {
+    await store.saveSettings("template-agent", {
+      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
+    });
+    await redis.set(
+      "agent_metadata:telegram-6570514069",
+      JSON.stringify({ parentConnectionId: "conn-1" })
+    );
+    await redis.set(
+      "connection:conn-1",
+      JSON.stringify({ templateAgentId: "template-agent" })
+    );
+
+    const settingsView = await resolveSettingsView({
+      agentId: "telegram-6570514069",
+      agentSettingsStore: store,
+      viewer: {
+        settingsMode: "user",
+        allowedScopes: ["view-model"],
+        isAdmin: false,
+      },
+    });
+
+    expect(
+      canViewSettingsSection("model", {
+        settingsMode: "user",
+        allowedScopes: ["view-model"],
+        isAdmin: false,
+      })
+    ).toBe(true);
+    expect(
+      canEditSettingsSection("model", {
+        settingsMode: "user",
+        allowedScopes: ["view-model"],
+        isAdmin: false,
+      })
+    ).toBe(false);
+    expect(settingsView.scope).toBe("sandbox");
+    expect(settingsView.sections.model.source).toBe("inherited");
+    expect(settingsView.sections.model.editable).toBe(false);
+    expect(settingsView.providerSources["z-ai"]?.source).toBe("inherited");
+    expect(settingsView.providerSources["z-ai"]?.canEdit).toBe(false);
+  });
+
+  test("uninstalling an inherited sandbox provider writes a local override list", async () => {
+    await store.saveSettings("template-agent", {
+      installedProviders: [
+        { providerId: "z-ai", installedAt: 1 },
+        { providerId: "openai", installedAt: 2 },
+      ],
+    });
+    await redis.set(
+      "agent_metadata:telegram-6570514069",
+      JSON.stringify({ parentConnectionId: "conn-1" })
+    );
+    await redis.set(
+      "connection:conn-1",
+      JSON.stringify({ templateAgentId: "template-agent" })
+    );
+
+    const catalog = new ProviderCatalogService(store, authProfilesManager);
+    await catalog.uninstallProvider("telegram-6570514069", "z-ai");
+
+    const local = await store.getSettings("telegram-6570514069");
+    const effective = await store.getEffectiveSettings("telegram-6570514069");
+
+    expect(local?.installedProviders).toEqual([
+      { providerId: "openai", installedAt: 2 },
+    ]);
+    expect(effective?.installedProviders).toEqual([
+      { providerId: "openai", installedAt: 2 },
+    ]);
+  });
+});

package/src/__tests__/routes/cli-auth.test.ts

@@ -0,0 +1,337 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import { decrypt } from "@lobu/core";
+import { MockRedisClient } from "../../../../core/src/__tests__/fixtures/mock-redis";
+import {
+  createCliAuthRoutes,
+  createConnectAuthRoutes,
+} from "../../routes/public/cli-auth";
+
+describe("cli auth routes", () => {
+  let originalKey: string | undefined;
+  let redis: MockRedisClient;
+  let queue: { getRedisClient(): MockRedisClient };
+
+  beforeEach(() => {
+    mock.restore();
+    originalKey = process.env.ENCRYPTION_KEY;
+    process.env.ENCRYPTION_KEY =
+      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
+    redis = new MockRedisClient();
+    queue = {
+      getRedisClient: () => redis,
+    };
+  });
+
+  afterEach(() => {
+    if (originalKey !== undefined) {
+      process.env.ENCRYPTION_KEY = originalKey;
+    } else {
+      delete process.env.ENCRYPTION_KEY;
+    }
+  });
+
+  test("POST /cli/start returns device mode when the external provider supports device auth", async () => {
+    const router = createCliAuthRoutes({
+      queue: queue as any,
+      externalAuthClient: {
+        getCapabilities: mock(async () => ({ browser: true, device: true })),
+        startDeviceAuthorization: mock(async () => ({
+          deviceAuthId: "device-123",
+          userCode: "ABCD-EFGH",
+          verificationUri: "https://issuer.example.com/device",
+          verificationUriComplete:
+            "https://issuer.example.com/device?user_code=ABCD-EFGH",
+          interval: 5,
+          expiresIn: 600,
+        })),
+      } as any,
+    });
+
+    const res = await router.request("/cli/start", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+    });
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.mode).toBe("device");
+    expect(body.deviceAuthId).toBe("device-123");
+    expect(body.userCode).toBe("ABCD-EFGH");
+  });
+
+  test("POST /cli/start falls back to browser mode when device auth is unavailable", async () => {
+    const router = createCliAuthRoutes({
+      queue: queue as any,
+      externalAuthClient: {
+        getCapabilities: mock(async () => ({ browser: true, device: false })),
+      } as any,
+    });
+
+    const res = await router.request("https://gateway.example.com/cli/start", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+    });
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.mode).toBe("browser");
+    expect(typeof body.requestId).toBe("string");
+    expect(body.loginUrl).toContain("/api/v1/auth/cli/session/login?request=");
+  });
+
+  test("GET /connect/oauth/login redirects into external browser auth", async () => {
+    const router = createConnectAuthRoutes({
+      queue: queue as any,
+      externalAuthClient: {
+        generateCodeVerifier: () => "code-verifier",
+        buildAuthUrl: mock(async (state: string, codeVerifier: string) => {
+          expect(state).toBeTruthy();
+          expect(codeVerifier).toBe("code-verifier");
+          return "https://issuer.example.com/oauth/authorize";
+        }),
+      } as any,
+    });
+
+    const res = await router.request(
+      "https://gateway.example.com/connect/oauth/login?returnUrl=%2Fdone"
+    );
+
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe(
+      "https://issuer.example.com/oauth/authorize"
+    );
+  });
+
+  test("GET /connect/oauth/callback sets a settings session and redirects back", async () => {
+    await redis.setex(
+      "cli:auth:connect:state-123",
+      600,
+      JSON.stringify({
+        returnUrl: "/done",
+        codeVerifier: "code-verifier",
+      })
+    );
+
+    const router = createConnectAuthRoutes({
+      queue: queue as any,
+      externalAuthClient: {
+        exchangeCodeForToken: mock(async () => ({
+          accessToken: "provider-access-token",
+          refreshToken: "provider-refresh-token",
+          tokenType: "Bearer",
+          expiresAt: Date.now() + 3600_000,
+          scopes: ["profile:read"],
+        })),
+        fetchUserInfo: mock(async () => ({
+          sub: "user-123",
+          email: "user@example.com",
+          name: "Example User",
+        })),
+      } as any,
+    });
+
+    const res = await router.request(
+      "https://gateway.example.com/connect/oauth/callback?code=auth-code&state=state-123"
+    );
+
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/done");
+    expect(res.headers.get("set-cookie")).toContain("lobu_settings_session=");
+
+    const setCookie = res.headers.get("set-cookie");
+    const token = setCookie?.match(/lobu_settings_session=([^;]+)/)?.[1];
+    expect(token).toBeTruthy();
+
+    const payload = JSON.parse(decrypt(decodeURIComponent(token!))) as Record<
+      string,
+      unknown
+    >;
+    expect(payload.userId).toBe("user-123");
+    expect(payload.platform).toBe("external");
+    expect(payload.isAdmin).toBeUndefined();
+    expect(payload.settingsMode).toBeUndefined();
+  });
+
+  test("POST /cli/poll mints Lobu tokens after device auth completes", async () => {
+    await redis.setex(
+      "cli:auth:device:device-123",
+      600,
+      JSON.stringify({
+        status: "pending",
+        createdAt: Date.now(),
+        expiresAt: Date.now() + 600_000,
+        interval: 5,
+        userCode: "ABCD-EFGH",
+        verificationUri: "https://issuer.example.com/device",
+      })
+    );
+
+    const router = createCliAuthRoutes({
+      queue: queue as any,
+      externalAuthClient: {
+        pollDeviceAuthorization: mock(async () => ({
+          status: "complete",
+          credentials: {
+            accessToken: "provider-access-token",
+            refreshToken: "provider-refresh-token",
+            tokenType: "Bearer",
+            expiresAt: Date.now() + 3600_000,
+            scopes: ["profile:read"],
+          },
+          user: {
+            sub: "user-123",
+            email: "user@example.com",
+            name: "Example User",
+          },
+        })),
+      } as any,
+    });
+
+    const res = await router.request("/cli/poll", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ deviceAuthId: "device-123" }),
+    });
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("complete");
+    expect(typeof body.accessToken).toBe("string");
+    expect(typeof body.refreshToken).toBe("string");
+    expect(body.user.userId).toBe("user-123");
+    expect(body.user.email).toBe("user@example.com");
+  });
+
+  test("POST /cli/poll returns a completed browser result from stored request state", async () => {
+    await redis.setex(
+      "cli:auth:request:req-123",
+      600,
+      JSON.stringify({
+        status: "complete",
+        createdAt: Date.now(),
+        result: {
+          accessToken: "lobu-access-token",
+          refreshToken: "lobu-refresh-token",
+          expiresAt: Date.now() + 3600_000,
+          user: {
+            userId: "user-123",
+            email: "user@example.com",
+            name: "Example User",
+          },
+        },
+      })
+    );
+
+    const router = createCliAuthRoutes({
+      queue: queue as any,
+      externalAuthClient: {} as any,
+    });
+
+    const res = await router.request("/cli/poll", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ requestId: "req-123" }),
+    });
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("complete");
+    expect(body.user.userId).toBe("user-123");
+  });
+
+  test("POST /cli/admin-login mints tokens when development fallback is enabled", async () => {
+    const router = createCliAuthRoutes({
+      queue: queue as any,
+      allowAdminPasswordLogin: true,
+      adminPassword: "dev-secret",
+    });
+
+    const res = await router.request("/cli/admin-login", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Forwarded-For": "10.0.0.1",
+      },
+      body: JSON.stringify({ password: "dev-secret" }),
+    });
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("complete");
+    expect(typeof body.accessToken).toBe("string");
+    expect(body.user.userId).toBe("admin");
+  });
+
+  test("POST /cli/admin-login is rejected when disabled or password is wrong", async () => {
+    const disabledRouter = createCliAuthRoutes({
+      queue: queue as any,
+      allowAdminPasswordLogin: false,
+      adminPassword: "dev-secret",
+    });
+
+    const disabled = await disabledRouter.request("/cli/admin-login", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ password: "dev-secret" }),
+    });
+    expect(disabled.status).toBe(403);
+
+    const enabledRouter = createCliAuthRoutes({
+      queue: queue as any,
+      allowAdminPasswordLogin: true,
+      adminPassword: "dev-secret",
+    });
+
+    const wrong = await enabledRouter.request("/cli/admin-login", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Forwarded-For": "10.0.0.1",
+      },
+      body: JSON.stringify({ password: "wrong-secret" }),
+    });
+    expect(wrong.status).toBe(401);
+  });
+
+  test("POST /cli/admin-login is rate limited per client IP", async () => {
+    const router = createCliAuthRoutes({
+      queue: queue as any,
+      allowAdminPasswordLogin: true,
+      adminPassword: "dev-secret",
+    });
+
+    for (let attempt = 0; attempt < 5; attempt += 1) {
+      const res = await router.request("/cli/admin-login", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Forwarded-For": "10.0.0.9",
+        },
+        body: JSON.stringify({ password: "wrong-secret" }),
+      });
+      expect(res.status).toBe(401);
+    }
+
+    const limited = await router.request("/cli/admin-login", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Forwarded-For": "10.0.0.9",
+      },
+      body: JSON.stringify({ password: "wrong-secret" }),
+    });
+
+    expect(limited.status).toBe(429);
+    expect(limited.headers.get("retry-after")).toBeTruthy();
+
+    const differentIp = await router.request("/cli/admin-login", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Forwarded-For": "10.0.0.10",
+      },
+      body: JSON.stringify({ password: "dev-secret" }),
+    });
+    expect(differentIp.status).toBe(200);
+  });
+});

package/src/__tests__/routes/interactions.test.ts

@@ -0,0 +1,121 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import { generateWorkerToken } from "@lobu/core";
+import { createInteractionRoutes } from "../../routes/internal/interactions";
+
+describe("interaction routes", () => {
+  let originalKey: string | undefined;
+  let workerToken: string;
+  let mockInteractionService: any;
+  let router: ReturnType<typeof createInteractionRoutes>;
+
+  beforeEach(() => {
+    originalKey = process.env.ENCRYPTION_KEY;
+    process.env.ENCRYPTION_KEY =
+      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
+
+    workerToken = generateWorkerToken("user-1", "conv-1", "deploy-1", {
+      channelId: "chan-1",
+      teamId: "team-1",
+    });
+
+    mockInteractionService = {
+      postQuestion: mock(() => Promise.resolve({ id: "interaction-123" })),
+      createSuggestion: mock(() => Promise.resolve()),
+    };
+
+    router = createInteractionRoutes(mockInteractionService);
+  });
+
+  afterEach(() => {
+    if (originalKey !== undefined) {
+      process.env.ENCRYPTION_KEY = originalKey;
+    } else {
+      delete process.env.ENCRYPTION_KEY;
+    }
+  });
+
+  describe("POST /internal/interactions/create", () => {
+    test("returns 401 without auth header", async () => {
+      const res = await router.request("/internal/interactions/create", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ question: "test?", options: [] }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    test("returns 401 with invalid token", async () => {
+      const res = await router.request("/internal/interactions/create", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: "Bearer invalid-token",
+        },
+        body: JSON.stringify({ question: "test?", options: [] }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    test("posts question and returns id", async () => {
+      const res = await router.request("/internal/interactions/create", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${workerToken}`,
+        },
+        body: JSON.stringify({
+          question: "Which option?",
+          options: ["A", "B"],
+        }),
+      });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.id).toBe("interaction-123");
+      expect(body.status).toBe("posted");
+      expect(mockInteractionService.postQuestion).toHaveBeenCalledTimes(1);
+    });
+
+    test("returns 500 on service error", async () => {
+      mockInteractionService.postQuestion = mock(() =>
+        Promise.reject(new Error("service down"))
+      );
+      const res = await router.request("/internal/interactions/create", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${workerToken}`,
+        },
+        body: JSON.stringify({ question: "test?", options: [] }),
+      });
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe("POST /internal/suggestions/create", () => {
+    test("creates suggestions", async () => {
+      const res = await router.request("/internal/suggestions/create", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${workerToken}`,
+        },
+        body: JSON.stringify({
+          prompts: ["Try this", "Or this"],
+        }),
+      });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.success).toBe(true);
+      expect(mockInteractionService.createSuggestion).toHaveBeenCalledTimes(1);
+    });
+
+    test("returns 401 without auth", async () => {
+      const res = await router.request("/internal/suggestions/create", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ prompts: ["test"] }),
+      });
+      expect(res.status).toBe(401);
+    });
+  });
+});