@lobu/gateway 3.0.9 → 3.0.13

package/src/routes/public/oauth.ts

@@ -1,147 +0,0 @@
-/**
- * OAuth Utility Routes
- *
- * OAuth code exchange and redirect handling.
- */
-
-import { createRoute, OpenAPIHono, z } from "@hono/zod-openapi";
-import type { ProviderOAuthStateStore } from "../../auth/oauth/state-store";
-import { verifySettingsSessionOrToken } from "./settings-auth";
-
-const TAG = "Auth";
-const SuccessResponse = z.object({ success: z.boolean() });
-const ErrorResponse = z.object({ error: z.string() });
-
-export interface ProviderCredentialStore {
-  hasCredentials(agentId: string): Promise<boolean>;
-  deleteCredentials(agentId: string): Promise<void>;
-  setCredentials(agentId: string, credentials: unknown): Promise<void>;
-}
-
-export interface ProviderOAuthClient {
-  generateCodeVerifier(): string;
-  buildAuthUrl(state: string, codeVerifier: string): string;
-  exchangeCodeForToken(
-    code: string,
-    codeVerifier: string,
-    redirectUri?: string,
-    state?: string
-  ): Promise<unknown>;
-}
-
-const codeExchangeRoute = createRoute({
-  method: "post",
-  path: "/{provider}/code",
-  tags: [TAG],
-  summary: "Exchange OAuth code for token",
-  request: {
-    query: z.object({ token: z.string().optional() }),
-    params: z.object({ provider: z.string() }),
-    body: {
-      content: {
-        "application/json": {
-          schema: z.object({ code: z.string() }),
-        },
-      },
-    },
-  },
-  responses: {
-    200: {
-      description: "Exchanged",
-      content: { "application/json": { schema: SuccessResponse } },
-    },
-    400: {
-      description: "Invalid",
-      content: { "application/json": { schema: ErrorResponse } },
-    },
-    401: {
-      description: "Unauthorized",
-      content: { "application/json": { schema: ErrorResponse } },
-    },
-  },
-});
-
-export interface OAuthRoutesConfig {
-  providerStores?: Record<string, ProviderCredentialStore>;
-  oauthClients?: Record<string, ProviderOAuthClient>;
-  oauthStateStore?: ProviderOAuthStateStore;
-}
-
-export function createOAuthRoutes(config: OAuthRoutesConfig): OpenAPIHono {
-  const app = new OpenAPIHono();
-
-  // --- Provider login redirect (excluded from docs) ---
-  app.get("/:provider/login", async (c) => {
-    const session = verifySettingsSessionOrToken(c);
-    const agentId = session?.agentId || c.req.query("agentId");
-
-    if (!agentId) return c.json({ error: "Missing agentId" }, 400);
-
-    if (!session) {
-      // No session — redirect through settings OAuth to establish one, then return here
-      const returnUrl = `${c.req.path}?agentId=${encodeURIComponent(agentId)}`;
-      return c.redirect(
-        `/connect/oauth/login?returnUrl=${encodeURIComponent(returnUrl)}`
-      );
-    }
-
-    const oauthClient = config.oauthClients?.[c.req.param("provider")];
-    if (!oauthClient) return c.json({ error: "Unknown provider" }, 404);
-    if (!config.oauthStateStore)
-      return c.json({ error: "Not configured" }, 500);
-
-    const codeVerifier = oauthClient.generateCodeVerifier();
-    const state = await config.oauthStateStore.create({
-      userId: session.userId,
-      agentId,
-      codeVerifier,
-      context: { platform: session.platform, channelId: agentId },
-    });
-
-    return c.redirect(oauthClient.buildAuthUrl(state, codeVerifier));
-  });
-
-  // --- Provider code exchange ---
-  app.openapi(codeExchangeRoute, async (c): Promise<any> => {
-    const session = verifySettingsSessionOrToken(c);
-    const agentId = session?.agentId;
-    if (!session || !agentId) return c.json({ error: "Unauthorized" }, 401);
-
-    const { provider } = c.req.valid("param");
-    const oauthClient = config.oauthClients?.[provider];
-    const credentialStore = config.providerStores?.[provider];
-    if (!oauthClient || !credentialStore)
-      return c.json({ error: "Unknown provider" }, 404);
-    if (!config.oauthStateStore)
-      return c.json({ error: "Not configured" }, 500);
-
-    const { code: input } = c.req.valid("json");
-    const parts = input.split("#");
-    if (parts.length !== 2 || !parts[0] || !parts[1]) {
-      return c.json({ error: "Invalid format" }, 400);
-    }
-
-    const authCode = parts[0].trim();
-    const state = parts[1].trim();
-    const stateData = await config.oauthStateStore.consume(state);
-    if (!stateData) return c.json({ error: "Invalid state" }, 400);
-
-    try {
-      const credentials = await oauthClient.exchangeCodeForToken(
-        authCode,
-        stateData.codeVerifier,
-        "https://console.anthropic.com/oauth/code/callback",
-        state
-      );
-      await credentialStore.setCredentials(agentId, credentials);
-      return c.json({ success: true });
-    } catch (e) {
-      return c.json(
-        { error: e instanceof Error ? e.message : "Exchange failed" },
-        400
-      );
-    }
-  });
-
-  return app;
-}

package/src/routes/public/settings-auth.ts

@@ -1,104 +0,0 @@
-import { decrypt, encrypt } from "@lobu/core";
-import type { Context } from "hono";
-import { deleteCookie, getCookie, setCookie } from "hono/cookie";
-import type { SettingsTokenPayload } from "../../auth/settings/token-service";
-
-export type AuthProvider = (c: Context) => SettingsTokenPayload | null;
-
-export const SETTINGS_SESSION_COOKIE_NAME = "lobu_settings_session";
-
-let _authProvider: AuthProvider | null = null;
-
-/**
- * Set a custom auth provider for embedded mode.
- * When set, verifySettingsSession delegates to this provider first,
- * falling back to cookie auth only if it returns null.
- */
-export function setAuthProvider(provider: AuthProvider | null): void {
-  _authProvider = provider;
-}
-
-function decodeSettingsPayload(
-  token: string | null | undefined
-): SettingsTokenPayload | null {
-  if (!token || token.trim().length === 0) return null;
-
-  try {
-    const decrypted = decrypt(token);
-    const payload = JSON.parse(decrypted) as SettingsTokenPayload;
-
-    if (!payload.userId || !payload.exp) return null;
-    if (Date.now() > payload.exp) return null;
-
-    return payload;
-  } catch {
-    return null;
-  }
-}
-
-function isSecureRequest(c: Context): boolean {
-  const forwardedProto = c.req.header("x-forwarded-proto");
-  if (forwardedProto) {
-    return forwardedProto.split(",")[0]?.trim().toLowerCase() === "https";
-  }
-  return new URL(c.req.url).protocol === "https:";
-}
-
-/**
- * Verify settings session.
- * Checks injected auth provider first (for embedded mode),
- * then falls back to cookie-based session auth.
- */
-export function verifySettingsSession(c: Context): SettingsTokenPayload | null {
-  if (_authProvider) {
-    const result = _authProvider(c);
-    if (result) return result;
-  }
-
-  const token = getCookie(c, SETTINGS_SESSION_COOKIE_NAME);
-  return decodeSettingsPayload(token);
-}
-
-export function verifySettingsToken(
-  token: string | null | undefined
-): SettingsTokenPayload | null {
-  if (!token) return null;
-  return decodeSettingsPayload(token);
-}
-
-/**
- * Resolve settings auth from an injected auth provider, cookie session,
- * or a direct encrypted query token.
- */
-export function verifySettingsSessionOrToken(
-  c: Context,
-  queryKey = "token"
-): SettingsTokenPayload | null {
-  return verifySettingsSession(c) ?? verifySettingsToken(c.req.query(queryKey));
-}
-
-/**
- * Set a settings session cookie from a SettingsTokenPayload.
- */
-export function setSettingsSessionCookie(
-  c: Context,
-  session: SettingsTokenPayload
-): void {
-  const token = encrypt(JSON.stringify(session));
-  const maxAgeSeconds = Math.max(
-    1,
-    Math.floor((session.exp - Date.now()) / 1000)
-  );
-
-  setCookie(c, SETTINGS_SESSION_COOKIE_NAME, token, {
-    path: "/",
-    httpOnly: true,
-    sameSite: "Lax",
-    secure: isSecureRequest(c),
-    maxAge: maxAgeSeconds,
-  });
-}
-
-export function clearSettingsSessionCookie(c: Context): void {
-  deleteCookie(c, SETTINGS_SESSION_COOKIE_NAME, { path: "/" });
-}

package/src/routes/public/slack.ts

@@ -1,173 +0,0 @@
-import { readFile } from "node:fs/promises";
-import { createLogger } from "@lobu/core";
-import { Hono } from "hono";
-import { createSlackInstallStateStore } from "../../auth/oauth/state-store";
-import {
-  renderOAuthErrorPage,
-  renderOAuthSuccessPage,
-} from "../../auth/oauth-templates";
-import type { ChatInstanceManager } from "../../connections/chat-instance-manager";
-import { resolvePublicUrl } from "../../utils/public-url";
-
-const logger = createLogger("slack-routes");
-
-const DEFAULT_SLACK_BOT_SCOPES = [
-  "app_mentions:read",
-  "assistant:write",
-  "channels:history",
-  "channels:read",
-  "chat:write",
-  "chat:write.public",
-  "commands",
-  "files:read",
-  "files:write",
-  "groups:history",
-  "groups:read",
-  "im:history",
-  "im:read",
-  "im:write",
-  "mpim:read",
-  "reactions:read",
-  "reactions:write",
-  "users:read",
-];
-type SlackManifest = {
-  oauth_config?: {
-    scopes?: {
-      bot?: string[];
-    };
-  };
-};
-
-function splitScopes(scopes: string): string[] {
-  return scopes
-    .split(",")
-    .map((scope) => scope.trim())
-    .filter(Boolean);
-}
-
-async function loadSlackBotScopes(): Promise<string[]> {
-  const envScopes =
-    process.env.SLACK_OAUTH_SCOPES || process.env.SLACK_BOT_SCOPES;
-  if (envScopes) {
-    return splitScopes(envScopes);
-  }
-
-  const manifestPath =
-    process.env.SLACK_MANIFEST_PATH ||
-    "config/slack-app-manifest.community.json";
-
-  try {
-    const raw = await readFile(manifestPath, "utf8");
-    const manifest = JSON.parse(raw) as SlackManifest;
-    const scopes = manifest.oauth_config?.scopes?.bot;
-    if (Array.isArray(scopes) && scopes.length > 0) {
-      return scopes;
-    }
-  } catch (error) {
-    logger.warn(
-      { manifestPath, error: String(error) },
-      "Failed to load Slack scopes from manifest, using defaults"
-    );
-  }
-
-  return DEFAULT_SLACK_BOT_SCOPES;
-}
-
-export function createSlackRoutes(manager: ChatInstanceManager): Hono {
-  const router = new Hono();
-
-  router.get("/slack/install", async (c) => {
-    const clientId = process.env.SLACK_CLIENT_ID;
-    if (!clientId) {
-      return c.html(
-        renderOAuthErrorPage(
-          "slack_not_configured",
-          "Slack OAuth is not configured on this gateway. Set SLACK_CLIENT_ID and try again."
-        ),
-        503
-      );
-    }
-
-    const redis = manager.getServices().getQueue().getRedisClient();
-    const stateStore = createSlackInstallStateStore(redis);
-    const redirectUri = resolvePublicUrl("/slack/oauth_callback", {
-      configuredUrl: manager.getServices().getPublicGatewayUrl?.(),
-      requestUrl: c.req.url,
-    });
-    const scopes = await loadSlackBotScopes();
-    const state = await stateStore.create({ redirectUri });
-
-    const oauthUrl = new URL("https://slack.com/oauth/v2/authorize");
-    oauthUrl.searchParams.set("client_id", clientId);
-    oauthUrl.searchParams.set("scope", scopes.join(","));
-    oauthUrl.searchParams.set("redirect_uri", redirectUri);
-    oauthUrl.searchParams.set("state", state);
-
-    return c.redirect(oauthUrl.toString(), 302);
-  });
-
-  router.get("/slack/oauth_callback", async (c) => {
-    const state = c.req.query("state");
-    const code = c.req.query("code");
-    if (!state || !code) {
-      return c.html(
-        renderOAuthErrorPage(
-          "invalid_request",
-          "The Slack OAuth callback is missing the required state or code parameter."
-        ),
-        400
-      );
-    }
-
-    const redis = manager.getServices().getQueue().getRedisClient();
-    const stateStore = createSlackInstallStateStore(redis);
-    const oauthState = await stateStore.consume(state);
-
-    if (!oauthState) {
-      return c.html(
-        renderOAuthErrorPage(
-          "invalid_state",
-          "This Slack install link is invalid or has expired."
-        ),
-        400
-      );
-    }
-
-    try {
-      const result = await manager.completeSlackOAuthInstall(
-        c.req.raw,
-        oauthState.redirectUri
-      );
-      return c.html(
-        renderOAuthSuccessPage(result.teamName || result.teamId, undefined, {
-          title: "Slack installed",
-          description: "Workspace connected to Lobu:",
-          details: `Connection ID: ${result.connectionId}`,
-        })
-      );
-    } catch (error) {
-      logger.error({ error: String(error) }, "Slack OAuth callback failed");
-      return c.html(
-        renderOAuthErrorPage(
-          "slack_install_failed",
-          error instanceof Error
-            ? error.message
-            : "Slack OAuth callback failed."
-        ),
-        500
-      );
-    }
-  });
-
-  router.post("/slack/events", async (c) => {
-    try {
-      return await manager.handleSlackAppWebhook(c.req.raw);
-    } catch (error) {
-      logger.error({ error: String(error) }, "Slack event handling failed");
-      return c.text("Slack webhook processing failed", 500);
-    }
-  });
-
-  return router;
-}

package/src/routes/shared/agent-ownership.ts

@@ -1,101 +0,0 @@
-import type { AgentConfigStore } from "@lobu/core";
-import type { SettingsTokenPayload } from "../../auth/settings/token-service";
-import type { UserAgentsStore } from "../../auth/user-agents-store";
-import { getAuthMethod } from "../../connections/platform-auth-methods";
-
-export interface AgentOwnershipConfig {
-  userAgentsStore?: UserAgentsStore;
-  agentMetadataStore?: Pick<AgentConfigStore, "getMetadata">;
-}
-
-export interface AgentOwnershipResult {
-  authorized: boolean;
-  ownerPlatform?: string;
-  ownerUserId?: string;
-}
-
-export function resolveSettingsLookupUserId(
-  session: SettingsTokenPayload
-): string {
-  if (session.platform === "external") {
-    return session.oauthUserId || session.userId;
-  }
-
-  const isDeterministic = getAuthMethod(session.platform).type !== "oauth";
-  return isDeterministic
-    ? session.userId
-    : session.oauthUserId || session.userId;
-}
-
-function sessionMatchesMetadataOwner(
-  session: SettingsTokenPayload,
-  ownerPlatform: string,
-  ownerUserId: string
-): boolean {
-  const lookupUserId = resolveSettingsLookupUserId(session);
-  if (!lookupUserId || ownerUserId !== lookupUserId) {
-    return false;
-  }
-
-  return ownerPlatform === session.platform || session.platform === "external";
-}
-
-export async function verifyOwnedAgentAccess(
-  session: SettingsTokenPayload,
-  agentId: string,
-  config: AgentOwnershipConfig
-): Promise<AgentOwnershipResult> {
-  if (session.isAdmin) {
-    return { authorized: true };
-  }
-
-  if (session.agentId) {
-    return { authorized: session.agentId === agentId };
-  }
-
-  const lookupUserId = resolveSettingsLookupUserId(session);
-  if (config.userAgentsStore) {
-    const owns = await config.userAgentsStore.ownsAgent(
-      session.platform,
-      lookupUserId,
-      agentId
-    );
-    if (owns) {
-      return {
-        authorized: true,
-        ownerPlatform: session.platform,
-        ownerUserId: lookupUserId,
-      };
-    }
-  }
-
-  if (!config.agentMetadataStore) {
-    return { authorized: false };
-  }
-
-  const metadata = await config.agentMetadataStore.getMetadata(agentId);
-  if (
-    !metadata?.owner ||
-    !sessionMatchesMetadataOwner(
-      session,
-      metadata.owner.platform,
-      metadata.owner.userId
-    )
-  ) {
-    return { authorized: false };
-  }
-
-  if (config.userAgentsStore) {
-    config.userAgentsStore
-      .addAgent(session.platform, lookupUserId, agentId)
-      .catch(() => {
-        /* best-effort reconciliation */
-      });
-  }
-
-  return {
-    authorized: true,
-    ownerPlatform: metadata.owner.platform,
-    ownerUserId: metadata.owner.userId,
-  };
-}

package/src/routes/shared/token-verifier.ts

@@ -1,34 +0,0 @@
-/**
- * Shared token verification utility for public routes.
- *
- * Verifies a settings token against an agentId by checking direct agentId match,
- * user ownership via UserAgentsStore, or canonical metadata owner fallback.
- */
-
-import type { AgentConfigStore } from "@lobu/core";
-import type { SettingsTokenPayload } from "../../auth/settings/token-service";
-import type { UserAgentsStore } from "../../auth/user-agents-store";
-import { verifyOwnedAgentAccess } from "./agent-ownership";
-
-export interface TokenVerifierConfig {
-  userAgentsStore?: UserAgentsStore;
-  agentMetadataStore?: Pick<AgentConfigStore, "getMetadata">;
-}
-
-/**
- * Create a token verifier function scoped to a given config.
- *
- * The returned async function accepts a decoded settings token payload and an
- * agentId, then returns the payload if the caller is authorised, or null.
- */
-export function createTokenVerifier(config: TokenVerifierConfig) {
-  return async (
-    payload: SettingsTokenPayload | null,
-    agentId: string
-  ): Promise<SettingsTokenPayload | null> => {
-    if (!payload) return null;
-
-    const result = await verifyOwnedAgentAccess(payload, agentId, config);
-    return result.authorized ? payload : null;
-  };
-}