@lobu/gateway 3.0.9 → 3.0.13

package/src/auth/oauth/state-store.ts

@@ -1,150 +0,0 @@
-import { randomBytes } from "node:crypto";
-import { createLogger, type Logger } from "@lobu/core";
-import type Redis from "ioredis";
-
-/**
- * Generic OAuth state store for CSRF protection
- * Pattern: {keyPrefix}:{state}
- * TTL: 5 minutes
- */
-export class OAuthStateStore<T extends object> {
-  private static readonly TTL_SECONDS = 5 * 60; // 5 minutes
-  protected logger: Logger;
-
-  constructor(
-    private redis: Redis,
-    private keyPrefix: string,
-    loggerName: string
-  ) {
-    this.logger = createLogger(loggerName);
-  }
-
-  /**
-   * Create a new OAuth state with data
-   * Returns the state string to use in OAuth flow
-   */
-  async create(data: T): Promise<string> {
-    const state = this.generateState();
-    const key = this.getKey(state);
-
-    const stateData = {
-      ...data,
-      createdAt: Date.now(),
-    };
-
-    await this.redis.setex(
-      key,
-      OAuthStateStore.TTL_SECONDS,
-      JSON.stringify(stateData)
-    );
-
-    const userId =
-      typeof (data as { userId?: unknown }).userId === "string"
-        ? (data as { userId: string }).userId
-        : undefined;
-    this.logger.info(
-      userId ? `Created OAuth state for user ${userId}` : "Created OAuth state",
-      { state }
-    );
-    return state;
-  }
-
-  /**
-   * Validate and consume an OAuth state
-   * Returns the state data if valid, null if invalid or expired
-   * Deletes the state after retrieval (one-time use)
-   */
-  async consume(state: string): Promise<(T & { createdAt: number }) | null> {
-    const key = this.getKey(state);
-
-    // Get and delete in one operation
-    const data = await this.redis.getdel(key);
-
-    if (!data) {
-      this.logger.warn(`Invalid or expired OAuth state: ${state}`);
-      return null;
-    }
-
-    try {
-      const stateData = JSON.parse(data) as T & { createdAt: number };
-      const stateDataWithUser = stateData as unknown as { userId?: unknown };
-      const userId =
-        typeof stateDataWithUser.userId === "string"
-          ? stateDataWithUser.userId
-          : undefined;
-      this.logger.info(
-        userId
-          ? `Consumed OAuth state for user ${userId}`
-          : "Consumed OAuth state",
-        { state }
-      );
-      return stateData;
-    } catch (error) {
-      this.logger.error(`Failed to parse OAuth state: ${state}`, { error });
-      return null;
-    }
-  }
-
-  /**
-   * Generate a cryptographically secure random state string
-   */
-  private generateState(): string {
-    return randomBytes(32).toString("base64url");
-  }
-
-  private getKey(state: string): string {
-    return `${this.keyPrefix}:${state}`;
-  }
-}
-
-// ============================================================================
-// Provider OAuth State Types and Factory
-// ============================================================================
-
-/**
- * Context for routing auth completion back to the originating platform.
- */
-export interface OAuthPlatformContext {
-  platform: string;
-  channelId: string; // chatJid for WhatsApp, channel for Slack
-  conversationId?: string;
-}
-
-export interface ProviderOAuthStateData {
-  userId: string;
-  agentId: string;
-  codeVerifier: string;
-  context?: OAuthPlatformContext;
-}
-
-export type ProviderOAuthState = ProviderOAuthStateData & {
-  createdAt: number;
-};
-
-/**
- * Create a provider OAuth state store for PKCE flow
- */
-export function createOAuthStateStore(
-  providerId: string,
-  redis: Redis
-): OAuthStateStore<ProviderOAuthStateData> {
-  return new OAuthStateStore(
-    redis,
-    `${providerId}:oauth_state`,
-    `${providerId}-oauth-state`
-  );
-}
-
-export interface SlackInstallStateData {
-  redirectUri: string;
-}
-
-export type SlackInstallState = SlackInstallStateData & { createdAt: number };
-
-export function createSlackInstallStateStore(
-  redis: Redis
-): OAuthStateStore<SlackInstallStateData> {
-  return new OAuthStateStore(redis, "slack:oauth:state", "slack-install-state");
-}
-
-export type ProviderOAuthStateStore = OAuthStateStore<ProviderOAuthStateData>;

package/src/auth/oauth-templates.ts

@@ -1,179 +0,0 @@
-/**
- * HTML templates for OAuth flow
- */
-
-function escapeHtml(value: string): string {
-  return value.replace(/[&<>"'`]/g, (char) => {
-    switch (char) {
-      case "&":
-        return "&amp;";
-      case "<":
-        return "&lt;";
-      case ">":
-        return "&gt;";
-      case '"':
-        return "&quot;";
-      case "'":
-        return "&#39;";
-      case "`":
-        return "&#96;";
-      default:
-        return char;
-    }
-  });
-}
-
-/**
- * Render a success page that auto-closes the tab (for in-app browsers)
- * and provides a fallback link to agent configuration when available.
- */
-export function renderOAuthSuccessPage(
-  name: string,
-  settingsUrl?: string,
-  options?: {
-    title?: string;
-    description?: string;
-    details?: string;
-    closeNote?: string;
-  }
-): string {
-  const safeName = escapeHtml(name);
-  const safeSettingsUrl = settingsUrl ? escapeHtml(settingsUrl) : "";
-  const safeTitle = escapeHtml(options?.title || "Connected!");
-  const safeDescription = escapeHtml(
-    options?.description || `Successfully authenticated with ${name}`
-  );
-  const safeDetails = options?.details ? escapeHtml(options.details) : "";
-  const safeCloseNote = escapeHtml(
-    options?.closeNote || "You can close this tab and return to your chat."
-  );
-
-  return `
-    <!DOCTYPE html>
-    <html>
-      <head>
-        <title>Connected</title>
-        <style>
-          body {
-            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            height: 100vh;
-            margin: 0;
-            background: linear-gradient(135deg, #334155 0%, #0f172a 100%);
-          }
-          .container {
-            background: white;
-            padding: 2.5rem;
-            border-radius: 12px;
-            text-align: center;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
-            max-width: 360px;
-          }
-          .icon { font-size: 3rem; margin-bottom: 0.75rem; }
-          h1 { color: #2d3748; margin: 0 0 0.5rem 0; font-size: 1.25rem; }
-          p { color: #718096; line-height: 1.5; font-size: 0.875rem; margin: 0 0 1rem 0; }
-          .btn {
-            display: inline-block;
-            padding: 0.625rem 1.25rem;
-            background: linear-gradient(to right, #334155, #1e293b);
-            color: white;
-            text-decoration: none;
-            border-radius: 8px;
-            font-size: 0.875rem;
-            font-weight: 600;
-          }
-          .btn:hover { opacity: 0.9; }
-          .close-note { color: #94a3b8; font-size: 0.75rem; margin-top: 1rem; }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <div class="icon">&#9989;</div>
-          <h1>${safeTitle}</h1>
-          <p>${safeDescription.includes(safeName) ? safeDescription : `${safeDescription} <strong>${safeName}</strong>`}</p>
-          ${safeDetails ? `<p>${safeDetails}</p>` : ""}
-          ${safeSettingsUrl ? `<a class="btn" href="${safeSettingsUrl}">Open Configuration</a>` : ""}
-          <p class="close-note">${safeCloseNote}</p>
-        </div>
-        <script>
-          // Auto-close for Telegram in-app browser
-          if (window.Telegram && window.Telegram.WebApp) {
-            window.Telegram.WebApp.close();
-          }
-          // Try to close the window/tab after a brief moment
-          setTimeout(function() { window.close(); }, 1500);
-        </script>
-      </body>
-    </html>
-  `;
-}
-
-export function renderOAuthErrorPage(
-  error: string,
-  description?: string
-): string {
-  const safeError = escapeHtml(error);
-  const safeDescription = escapeHtml(
-    description || "An error occurred during authentication"
-  );
-
-  return `
-    <!DOCTYPE html>
-    <html>
-      <head>
-        <title>Authentication Failed</title>
-        <style>
-          body {
-            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            height: 100vh;
-            margin: 0;
-            background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
-          }
-          .container {
-            background: white;
-            padding: 3rem;
-            border-radius: 12px;
-            text-align: center;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
-            max-width: 400px;
-          }
-          .error-icon {
-            font-size: 4rem;
-            margin-bottom: 1rem;
-          }
-          h1 {
-            color: #2d3748;
-            margin: 0 0 1rem 0;
-          }
-          p {
-            color: #718096;
-            line-height: 1.6;
-          }
-          .error-code {
-            background: #f7fafc;
-            padding: 0.5rem;
-            border-radius: 6px;
-            font-family: monospace;
-            font-size: 0.875rem;
-            color: #e53e3e;
-            margin-top: 1rem;
-          }
-        </style>
-      </head>
-      <body>
-        <div class="container">
-          <div class="error-icon">❌</div>
-          <h1>Authentication Failed</h1>
-          <p>${safeDescription}</p>
-          <div class="error-code">${safeError}</div>
-          <p style="margin-top: 2rem;">Please close this window and try again.</p>
-        </div>
-      </body>
-    </html>
-  `;
-}

package/src/auth/provider-catalog.ts

@@ -1,220 +0,0 @@
-import { createLogger, type InstalledProvider } from "@lobu/core";
-import {
-  getModelProviderModules,
-  type ModelProviderModule,
-} from "../modules/module-system";
-import type { AgentSettingsStore } from "./settings/agent-settings-store";
-import type { AuthProfilesManager } from "./settings/auth-profiles-manager";
-import { reconcileModelSelectionForInstalledProviders } from "./settings/model-selection";
-
-const logger = createLogger("provider-catalog");
-
-/**
- * Resolve an agent's installed providers, falling back to the base agent's
- * providers for sandbox agents that have none of their own.
- */
-export async function resolveInstalledProviders(
-  agentSettingsStore: AgentSettingsStore,
-  agentId: string
-): Promise<InstalledProvider[]> {
-  const settings = await agentSettingsStore.getEffectiveSettings(agentId);
-  return settings?.installedProviders || [];
-}
-
-/**
- * ProviderCatalogService wraps the module registry to provide
- * per-agent provider install/uninstall/reorder operations.
- *
- * Providers are registered globally in the module registry,
- * but each agent chooses which providers to install from the catalog.
- */
-export class ProviderCatalogService {
-  constructor(
-    private agentSettingsStore: AgentSettingsStore,
-    private authProfilesManager: AuthProfilesManager
-  ) {}
-
-  /**
-   * List all catalog-visible providers from the module registry.
-   */
-  listCatalogProviders(): ModelProviderModule[] {
-    return getModelProviderModules().filter((m) => m.catalogVisible !== false);
-  }
-
-  /**
-   * Resolve an agent's installedProviders to their module instances.
-   * Returns modules in the agent's install order.
-   */
-  async getInstalledModules(agentId: string): Promise<ModelProviderModule[]> {
-    const installed = await resolveInstalledProviders(
-      this.agentSettingsStore,
-      agentId
-    );
-    if (installed.length === 0) return [];
-
-    const allModules = getModelProviderModules();
-    const moduleMap = new Map(allModules.map((m) => [m.providerId, m]));
-
-    return installed
-      .map((ip) => moduleMap.get(ip.providerId))
-      .filter((m): m is ModelProviderModule => m !== undefined);
-  }
-
-  /**
-   * Get raw installed provider entries for an agent.
-   */
-  async getInstalledProviders(agentId: string): Promise<InstalledProvider[]> {
-    return resolveInstalledProviders(this.agentSettingsStore, agentId);
-  }
-
-  /**
-   * Install a provider for an agent. Appends to the end of the list.
-   */
-  async installProvider(
-    agentId: string,
-    providerId: string,
-    config?: InstalledProvider["config"]
-  ): Promise<void> {
-    const allModules = getModelProviderModules();
-    const module = allModules.find((m) => m.providerId === providerId);
-    if (!module) {
-      throw new Error(`Unknown provider: ${providerId}`);
-    }
-
-    const { localSettings, effectiveSettings } =
-      await this.agentSettingsStore.getSettingsContext(agentId);
-    const installed = effectiveSettings?.installedProviders || [];
-
-    if (installed.some((ip) => ip.providerId === providerId)) {
-      logger.info(
-        `Provider ${providerId} already installed for agent ${agentId}`
-      );
-      return;
-    }
-
-    const entry: InstalledProvider = {
-      providerId,
-      installedAt: Date.now(),
-      ...(config ? { config } : {}),
-    };
-    const nextInstalledProviders = [...installed, entry];
-    const reconciled = reconcileModelSelectionForInstalledProviders({
-      model: localSettings?.model ?? effectiveSettings?.model,
-      modelSelection:
-        localSettings?.modelSelection ?? effectiveSettings?.modelSelection,
-      providerModelPreferences:
-        localSettings?.providerModelPreferences ??
-        effectiveSettings?.providerModelPreferences,
-      installedProviders: nextInstalledProviders,
-    });
-
-    await this.agentSettingsStore.updateSettings(agentId, {
-      installedProviders: nextInstalledProviders,
-      ...reconciled,
-    });
-
-    logger.info(`Installed provider ${providerId} for agent ${agentId}`);
-  }
-
-  /**
-   * Uninstall a provider from an agent. Also cleans up auth profiles.
-   */
-  async uninstallProvider(agentId: string, providerId: string): Promise<void> {
-    const { localSettings, effectiveSettings } =
-      await this.agentSettingsStore.getSettingsContext(agentId);
-    const installed = effectiveSettings?.installedProviders || [];
-
-    const filtered = installed.filter((ip) => ip.providerId !== providerId);
-    if (filtered.length === installed.length) {
-      logger.info(
-        `Provider ${providerId} not installed for agent ${agentId}, nothing to uninstall`
-      );
-      return;
-    }
-
-    // Clean up auth profiles for this provider
-    await this.authProfilesManager.deleteProviderProfiles(agentId, providerId);
-    const reconciled = reconcileModelSelectionForInstalledProviders({
-      model: localSettings?.model ?? effectiveSettings?.model,
-      modelSelection:
-        localSettings?.modelSelection ?? effectiveSettings?.modelSelection,
-      providerModelPreferences:
-        localSettings?.providerModelPreferences ??
-        effectiveSettings?.providerModelPreferences,
-      installedProviders: filtered,
-    });
-
-    await this.agentSettingsStore.updateSettings(agentId, {
-      installedProviders: filtered,
-      ...reconciled,
-    });
-
-    logger.info(`Uninstalled provider ${providerId} for agent ${agentId}`);
-  }
-
-  /**
-   * Find the provider module whose model options include the given model string.
-   */
-  async findProviderForModel(
-    model: string,
-    providers?: ModelProviderModule[]
-  ): Promise<ModelProviderModule | undefined> {
-    const candidates = providers || getModelProviderModules();
-    for (const provider of candidates) {
-      if (!provider.getModelOptions) continue;
-      const options = await provider.getModelOptions("", "");
-      if (options.some((opt) => opt.value === model)) {
-        return provider;
-      }
-    }
-    return undefined;
-  }
-
-  /**
-   * Reorder installed providers. The orderedIds must contain
-   * exactly the same provider IDs as currently installed.
-   */
-  async reorderProviders(agentId: string, orderedIds: string[]): Promise<void> {
-    const { localSettings, effectiveSettings } =
-      await this.agentSettingsStore.getSettingsContext(agentId);
-    const installed = effectiveSettings?.installedProviders || [];
-
-    const installedMap = new Map(installed.map((ip) => [ip.providerId, ip]));
-
-    // Validate all ordered IDs exist in installed
-    for (const id of orderedIds) {
-      if (!installedMap.has(id)) {
-        throw new Error(`Provider ${id} is not installed`);
-      }
-    }
-
-    const reordered = orderedIds
-      .map((id) => installedMap.get(id))
-      .filter((ip): ip is InstalledProvider => ip !== undefined);
-
-    // Append any installed providers not in orderedIds (shouldn't happen but safety)
-    for (const ip of installed) {
-      if (!orderedIds.includes(ip.providerId)) {
-        reordered.push(ip);
-      }
-    }
-    const reconciled = reconcileModelSelectionForInstalledProviders({
-      model: localSettings?.model ?? effectiveSettings?.model,
-      modelSelection:
-        localSettings?.modelSelection ?? effectiveSettings?.modelSelection,
-      providerModelPreferences:
-        localSettings?.providerModelPreferences ??
-        effectiveSettings?.providerModelPreferences,
-      installedProviders: reordered,
-    });
-
-    await this.agentSettingsStore.updateSettings(agentId, {
-      installedProviders: reordered,
-      ...reconciled,
-    });
-
-    logger.info(
-      `Reordered providers for agent ${agentId}: ${orderedIds.join(", ")}`
-    );
-  }
-}

package/src/auth/provider-model-options.ts

@@ -1,41 +0,0 @@
-import { createLogger } from "@lobu/core";
-import {
-  getModelProviderModules,
-  type ModelOption,
-} from "../modules/module-system";
-
-const logger = createLogger("provider-model-options");
-
-export async function collectProviderModelOptions(
-  agentId: string,
-  userId: string
-): Promise<Record<string, ModelOption[]>> {
-  const modules = getModelProviderModules();
-
-  const results: Record<string, ModelOption[]> = {};
-
-  await Promise.all(
-    modules.map(async (mod) => {
-      try {
-        if (typeof mod.getModelOptions !== "function") {
-          results[mod.providerId] = [];
-          return;
-        }
-
-        const options = await mod.getModelOptions(agentId, userId);
-        results[mod.providerId] = Array.isArray(options) ? options : [];
-      } catch (error) {
-        results[mod.providerId] = [];
-        logger.warn(
-          {
-            providerId: mod.providerId,
-            error: error instanceof Error ? error.message : String(error),
-          },
-          "Failed to collect model options for provider"
-        );
-      }
-    })
-  );
-
-  return results;
-}