@objectstack/core 7.9.0 → 8.0.0

package/dist/index.cjs

@@ -30,6 +30,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  API_KEY_PREFIX: () => API_KEY_PREFIX,
   ApiRegistry: () => ApiRegistry,
   CORE_FALLBACK_FACTORIES: () => CORE_FALLBACK_FACTORIES,
   DependencyResolver: () => DependencyResolver,
@@ -63,11 +64,17 @@ __export(index_exports, {
   createMemoryQueue: () => createMemoryQueue,
   createPluginConfigValidator: () => createPluginConfigValidator,
   createPluginPermissionEnforcer: () => createPluginPermissionEnforcer,
+  extractApiKey: () => extractApiKey,
+  generateApiKey: () => generateApiKey,
   generateEd25519KeyPair: () => generateEd25519KeyPair,
   getEnv: () => getEnv,
   getMemoryUsage: () => getMemoryUsage,
+  hashApiKey: () => hashApiKey,
+  isExpired: () => isExpired,
   isNode: () => isNode,
+  parseScopes: () => parseScopes,
   parseSignature: () => parseSignature,
+  resolveApiKeyPrincipal: () => resolveApiKeyPrincipal,
   resolveLocale: () => resolveLocale,
   safeExit: () => safeExit,
   signPayload: () => signPayload,
@@ -3946,6 +3953,109 @@ var PluginSecurityScanner = class {
   }
 };
 
+// src/security/api-key.ts
+var import_node_crypto2 = require("crypto");
+var API_KEY_PREFIX = "osk_";
+var API_KEY_ENTROPY_BYTES = 32;
+var VISIBLE_PREFIX_LEN = 12;
+function hashApiKey(raw) {
+  return (0, import_node_crypto2.createHash)("sha256").update(raw, "utf8").digest("hex");
+}
+function generateApiKey(prefix = API_KEY_PREFIX) {
+  const secret = (0, import_node_crypto2.randomBytes)(API_KEY_ENTROPY_BYTES).toString("base64url");
+  const raw = `${prefix}${secret}`;
+  return {
+    raw,
+    hash: hashApiKey(raw),
+    prefix: raw.slice(0, VISIBLE_PREFIX_LEN)
+  };
+}
+function extractApiKey(headers) {
+  const x = readHeader(headers, "x-api-key");
+  if (x && x.trim()) return x.trim();
+  const auth = readHeader(headers, "authorization");
+  if (!auth) return void 0;
+  const m = auth.match(/^ApiKey\s+(.+)$/i);
+  const token = m?.[1]?.trim();
+  return token || void 0;
+}
+function parseScopes(value) {
+  if (Array.isArray(value)) {
+    return value.filter((s) => typeof s === "string" && s.length > 0);
+  }
+  if (typeof value === "string" && value.trim()) {
+    const parsed = safeJsonParse(value, []);
+    if (Array.isArray(parsed)) {
+      return parsed.filter((s) => typeof s === "string" && s.length > 0);
+    }
+  }
+  return [];
+}
+function isExpired(value, nowMs) {
+  if (value == null) return false;
+  let ms;
+  if (typeof value === "number") {
+    ms = value < 1e12 ? value * 1e3 : value;
+  } else if (value instanceof Date) {
+    ms = value.getTime();
+  } else if (typeof value === "string") {
+    ms = Date.parse(value);
+  } else {
+    return false;
+  }
+  if (Number.isNaN(ms)) return false;
+  return ms <= nowMs;
+}
+async function resolveApiKeyPrincipal(ql, headers, nowMs = Date.now()) {
+  const apiKey = extractApiKey(headers);
+  if (!apiKey) return void 0;
+  if (!ql || typeof ql.find !== "function") return void 0;
+  let rows;
+  try {
+    rows = await ql.find("sys_api_key", {
+      where: { key: hashApiKey(apiKey), revoked: false },
+      limit: 1,
+      context: { isSystem: true }
+    });
+  } catch {
+    return void 0;
+  }
+  if (rows && rows.value) rows = rows.value;
+  const row = Array.isArray(rows) ? rows[0] : void 0;
+  if (!row || row.revoked === true) return void 0;
+  const expiresAt = row.expires_at ?? row.expiresAt;
+  if (isExpired(expiresAt, nowMs)) return void 0;
+  const userId = row.user_id ?? row.userId;
+  if (!userId || typeof userId !== "string") return void 0;
+  return {
+    userId,
+    tenantId: row.organization_id ?? row.organizationId ?? void 0,
+    scopes: parseScopes(row.scopes)
+  };
+}
+function readHeader(headers, name) {
+  if (!headers) return void 0;
+  const lower = name.toLowerCase();
+  if (typeof headers.get === "function") {
+    const v = headers.get(name) ?? headers.get(lower);
+    return v == null ? void 0 : String(v);
+  }
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === lower) {
+      const v = headers[key];
+      return Array.isArray(v) ? v[0] : v == null ? void 0 : String(v);
+    }
+  }
+  return void 0;
+}
+function safeJsonParse(s, fallback) {
+  try {
+    return JSON.parse(s);
+  } catch {
+    return fallback;
+  }
+}
+
 // src/health-monitor.ts
 var PluginHealthMonitor = class {
   constructor(logger) {
@@ -4189,7 +4299,7 @@ var PluginHealthMonitor = class {
 };
 
 // src/hot-reload.ts
-var import_node_crypto2 = require("crypto");
+var import_node_crypto3 = require("crypto");
 var generateUUID = () => {
   if (typeof crypto !== "undefined" && crypto.randomUUID) {
     return crypto.randomUUID();
@@ -4284,7 +4394,7 @@ var PluginStateManager = class {
    */
   calculateChecksum(state) {
     const stateStr = JSON.stringify(state);
-    return (0, import_node_crypto2.createHash)("sha256").update(stateStr).digest("hex");
+    return (0, import_node_crypto3.createHash)("sha256").update(stateStr).digest("hex");
   }
   /**
    * Shutdown state manager
@@ -4861,6 +4971,7 @@ var NamespaceResolver = class {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  API_KEY_PREFIX,
   ApiRegistry,
   CORE_FALLBACK_FACTORIES,
   DependencyResolver,
@@ -4894,11 +5005,17 @@ var NamespaceResolver = class {
   createMemoryQueue,
   createPluginConfigValidator,
   createPluginPermissionEnforcer,
+  extractApiKey,
+  generateApiKey,
   generateEd25519KeyPair,
   getEnv,
   getMemoryUsage,
+  hashApiKey,
+  isExpired,
   isNode,
+  parseScopes,
   parseSignature,
+  resolveApiKeyPrincipal,
   resolveLocale,
   safeExit,
   signPayload,