@openparachute/vault 0.4.9-rc.9 → 0.5.0-rc.2

package/src/auth.test.ts

@@ -1,13 +1,16 @@
 /**
- * Auth invariants — per-vault routing with strict isolation.
+ * Auth invariants — vault as a pure hub resource-server (vault#282 Stage 2).
  *
- * Every HTTP path that touches a vault lives under `/vault/<name>/...`, so
- * a token minted for vault A must authenticate at vault A endpoints and
- * must not authenticate at vault B endpoints. The global auth path still
- * exists for cross-vault listings (`/vaults`) and scans every vault's DB.
+ * The `pvt_*` opaque vault-DB token was dropped at 0.5.0: vault no longer
+ * mints or validates it. The surviving auth surfaces tested here are:
+ *   - VAULT_AUTH_TOKEN — the server-wide operator bearer.
+ *   - Legacy YAML api_keys (vault.yaml / config.yaml) — hashed keys.
+ *   - The fail-closed guarantee: a `pvt_`-prefixed bearer is now 401-rejected
+ *     on both the per-vault and global auth surfaces (it's unvalidatable).
  *
- * These tests isolate `PARACHUTE_HOME` so they don't touch the user's real
- * config. Each test builds 1-2 vaults from scratch.
+ * Hub-JWT auth + its per-vault audience isolation is covered end-to-end in
+ * `auth-hub-jwt.test.ts`. These tests isolate `PARACHUTE_HOME` so they don't
+ * touch the user's real config.
  */
 
 import { describe, test, expect, beforeEach, afterEach } from "bun:test";
@@ -23,7 +26,6 @@ import {
   hashKey,
 } from "./config.ts";
 import { getVaultStore, clearVaultStoreCache } from "./vault-store.ts";
-import { generateToken, createToken } from "./token-store.ts";
 import { authenticateVaultRequest, authenticateGlobalRequest } from "./auth.ts";
 
 let tmpHome: string;
@@ -66,178 +68,100 @@ function seedVault(name: string, opts: { isDefault?: boolean } = {}): void {
   }
 }
 
-/** Mint a fresh OAuth-style token directly into the named vault's DB. */
-function mintTokenInVault(vaultName: string): string {
-  const store = getVaultStore(vaultName);
-  const { fullToken } = generateToken();
-  createToken(store.db, fullToken, { label: "test", permission: "full" });
-  return fullToken;
-}
-
 function bearer(token: string): Request {
   return new Request("https://vault.test/x", {
     headers: { Authorization: `Bearer ${token}` },
   });
 }
 
-describe("auth — per-vault routing", () => {
-  test("token minted in a vault authenticates at its own /vault/<name>/* endpoints", async () => {
-    seedVault("journal");
-    const token = mintTokenInVault("journal");
-    const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
-
-    // /vault/journal/api/* and /vault/journal/mcp both funnel into
-    // authenticateVaultRequest with journal's config + DB.
-    const vaultAuth = await authenticateVaultRequest(bearer(token), journalConfig, journalStore.db);
-    expect("error" in vaultAuth).toBe(false);
-    if (!("error" in vaultAuth)) expect(vaultAuth.permission).toBe("full");
-
-    // /vaults (global metadata listing) uses authenticateGlobalRequest which
-    // scans every vault's DB. Since the token is in journal's DB, it must resolve.
-    const global = await authenticateGlobalRequest(bearer(token));
-    expect("error" in global).toBe(false);
-  });
-
-  // HTTP-level routing stand-in. Mirrors routing.ts: every vault-scoped path
-  // matches `/vault/<name>/...`, we look the vault up, then authenticate the
-  // request against that vault's DB.
-  async function dispatchAuthFromPath(path: string, req: Request): Promise<{
-    status: number;
-    permission?: string;
-  }> {
-    const match = path.match(/^\/vault\/([^/]+)(\/.*)?$/);
-    if (!match) return { status: 404 };
-    const vaultName = match[1]!;
-    const vaultConfig = readVaultConfig(vaultName);
-    if (!vaultConfig) return { status: 404 };
-    const store = getVaultStore(vaultName);
-    const res = await authenticateVaultRequest(req, vaultConfig, store.db);
-    if ("error" in res) return { status: res.error.status };
-    return { status: 200, permission: res.permission };
-  }
-
-  test("routing: /vault/<name>/api/health accepts a token minted in that vault", async () => {
-    seedVault("journal");
-    const token = mintTokenInVault("journal");
-
-    const result = await dispatchAuthFromPath("/vault/journal/api/health", bearer(token));
-    expect(result.status).toBe(200);
-    expect(result.permission).toBe("full");
-  });
+// ---------------------------------------------------------------------------
+// pvt_* fail-closed regression (vault#282 Stage 2)
+//
+// The DROP's load-bearing safety property: a pvt_*-prefixed bearer is no
+// longer validatable. It isn't JWT-shaped (skips authenticateHubJwt), matches
+// no YAML key_hash, and doesn't match VAULT_AUTH_TOKEN — so it falls through
+// to a 401 on BOTH the per-vault and global surfaces. This proves pvt_* can't
+// authenticate post-DROP.
+// ---------------------------------------------------------------------------
 
-  test("routing: /vault/A/api/* rejects a token issued for vault B", async () => {
-    // The privilege-escalation barrier: a valid token for vault A must not
-    // authenticate at vault B's endpoint, even though the token is valid
-    // for some vault. This is the point of per-vault DBs.
-    seedVault("journal");
-    seedVault("work");
-    const workToken = mintTokenInVault("work");
+describe("auth — pvt_* tokens are unvalidatable (fail closed)", () => {
+  const PVT = "pvt_deadbeefdeadbeefdeadbeefdeadbeef";
 
-    const crossVault = await dispatchAuthFromPath("/vault/journal/api/health", bearer(workToken));
-    expect(crossVault.status).toBe(401);
-  });
+  // The pointed message a pvt_*-shaped bearer gets (vs the generic "Invalid
+  // API key" a non-pvt_ bad token gets) — the prefix is the user-meaningful
+  // signal that the mechanism was dropped, not that the key was mistyped.
+  const PVT_MESSAGE =
+    "pvt_* tokens are no longer supported (vault 0.5.0). Re-add this vault via your hub to get an access token.";
 
-  test("routing: /vault/<unknown> returns 404 (not 401)", async () => {
+  test("a pvt_* bearer is 401-rejected with the dropped-token message on the per-vault surface", async () => {
     seedVault("journal");
-    const token = mintTokenInVault("journal");
-    const result = await dispatchAuthFromPath("/vault/nonexistent/api/health", bearer(token));
-    expect(result.status).toBe(404);
-  });
-});
-
-describe("auth — cross-vault isolation", () => {
-  test("token minted in a non-default vault authenticates via scoped and global paths", async () => {
-    seedVault("journal", { isDefault: true });
-    seedVault("work");
-    const workToken = mintTokenInVault("work");
-    const workConfig = readVaultConfig("work")!;
-    const workStore = getVaultStore("work");
-
-    const scoped = await authenticateVaultRequest(bearer(workToken), workConfig, workStore.db);
-    expect("error" in scoped).toBe(false);
-
-    // Global auth scans every vault, must find the token in work's DB.
-    const global = await authenticateGlobalRequest(bearer(workToken));
-    expect("error" in global).toBe(false);
-  });
-
-  test("a work-vault token does NOT authenticate against the journal vault", async () => {
-    seedVault("journal", { isDefault: true });
-    seedVault("work");
-    const workToken = mintTokenInVault("work");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
-    const res = await authenticateVaultRequest(bearer(workToken), journalConfig, journalStore.db);
-    expect("error" in res).toBe(true);
+    const result = await authenticateVaultRequest(bearer(PVT), journalConfig);
+    expect("error" in result).toBe(true);
+    if ("error" in result) {
+      expect(result.error.status).toBe(401);
+      const body = (await result.error.json()) as { error: string; message: string };
+      expect(body.error).toBe("Unauthorized");
+      expect(body.message).toBe(PVT_MESSAGE);
+    }
   });
 
-  test("v16 vault_name binding rejects with 403 when the row is cross-vault", async () => {
-    // Per-vault DB scoping is the first line of defense (a token only
-    // resolves against the DB it was minted in). The v16 vault_name column
-    // is defense-in-depth: if a token row somehow lives in vault A's DB
-    // but its vault_name says "B" (e.g. an out-of-band copy, or a future
-    // mistake in the mint path), the binding mismatch must reject. We
-    // simulate that by minting into journal's DB with vault_name="work".
+  test("a pvt_* bearer is 401-rejected with the dropped-token message on the global (/vaults) surface", async () => {
     seedVault("journal", { isDefault: true });
     seedVault("work");
-    const journalStore = getVaultStore("journal");
-    const { fullToken } = generateToken();
-    createToken(journalStore.db, fullToken, {
-      label: "mis-bound",
-      permission: "full",
-      vault_name: "work",
-    });
-    const journalConfig = readVaultConfig("journal")!;
 
-    const res = await authenticateVaultRequest(bearer(fullToken), journalConfig, journalStore.db);
-    expect("error" in res).toBe(true);
-    if ("error" in res) {
-      expect(res.error.status).toBe(403);
+    const result = await authenticateGlobalRequest(bearer(PVT));
+    expect("error" in result).toBe(true);
+    if ("error" in result) {
+      expect(result.error.status).toBe(401);
+      const body = (await result.error.json()) as { error: string; message: string };
+      expect(body.error).toBe("Unauthorized");
+      expect(body.message).toBe(PVT_MESSAGE);
     }
   });
 
-  test("v16 vault_name binding accepts when token is bound to the requested vault", async () => {
-    seedVault("work");
-    const workStore = getVaultStore("work");
-    const { fullToken } = generateToken();
-    createToken(workStore.db, fullToken, {
-      label: "bound",
-      permission: "full",
-      vault_name: "work",
-    });
-    const workConfig = readVaultConfig("work")!;
-
-    const res = await authenticateVaultRequest(bearer(fullToken), workConfig, workStore.db);
-    expect("error" in res).toBe(false);
-    if (!("error" in res)) {
-      expect(res.vault_name).toBe("work");
+  test("a pvt_* bearer is rejected even when VAULT_AUTH_TOKEN is set (no fall-through accept)", async () => {
+    const prev = process.env.VAULT_AUTH_TOKEN;
+    process.env.VAULT_AUTH_TOKEN = "operator-bearer-not-the-pvt-token";
+    try {
+      seedVault("journal");
+      const journalConfig = readVaultConfig("journal")!;
+      const result = await authenticateVaultRequest(bearer(PVT), journalConfig);
+      expect("error" in result).toBe(true);
+      if ("error" in result) {
+        expect(result.error.status).toBe(401);
+        const body = (await result.error.json()) as { message: string };
+        expect(body.message).toBe(PVT_MESSAGE);
+      }
+    } finally {
+      if (prev === undefined) delete process.env.VAULT_AUTH_TOKEN;
+      else process.env.VAULT_AUTH_TOKEN = prev;
     }
   });
 
-  test("legacy NULL-bound tokens still authenticate against any vault", async () => {
-    // Backwards compatibility: pre-v16 tokens (and legacy YAML keys, and
-    // hub JWTs) all carry vault_name = null. They keep working at any
-    // vault — the migration is lenient by design.
-    seedVault("work");
-    const workToken = mintTokenInVault("work");
-    const workConfig = readVaultConfig("work")!;
-    const workStore = getVaultStore("work");
+  test("a non-pvt_ invalid bearer keeps the generic message (no behavior change)", async () => {
+    seedVault("journal");
+    const journalConfig = readVaultConfig("journal")!;
 
-    const res = await authenticateVaultRequest(bearer(workToken), workConfig, workStore.db);
-    expect("error" in res).toBe(false);
-    if (!("error" in res)) {
-      expect(res.vault_name).toBeNull();
+    const result = await authenticateVaultRequest(bearer("notavalidkey123"), journalConfig);
+    expect("error" in result).toBe(true);
+    if ("error" in result) {
+      expect(result.error.status).toBe(401);
+      const body = (await result.error.json()) as { message: string };
+      expect(body.message).toBe("Invalid API key");
     }
   });
-});
 
-// The "End-to-end OAuth flow" suite was retired alongside the standalone
-// OAuth issuer in workstream E (vault#366). Per-vault token coherence is
-// still pinned by the v16 binding tests above and by `tokens-routes.test.ts`
-// (mint-via-CLI → present at /vault/<name>/* surfaces); the OAuth handshake
-// itself has moved entirely to the hub.
+  test("/vault/<unknown> still 404s before auth (routing precedence unchanged)", async () => {
+    // HTTP-level routing stand-in mirroring routing.ts: an unknown vault is a
+    // 404 (the vault config lookup fails) before any bearer is evaluated.
+    seedVault("journal");
+    const match = "/vault/nonexistent/api/health".match(/^\/vault\/([^/]+)(\/.*)?$/);
+    const vaultName = match![1]!;
+    expect(readVaultConfig(vaultName)).toBeNull();
+  });
+});
 
 // ---------------------------------------------------------------------------
 // Legacy YAML global keys — scope must round-trip through the parser
@@ -290,6 +214,32 @@ describe("auth — legacy global YAML keys honor declared scope", () => {
       expect(result.permission).toBe("full");
     }
   });
+
+  test("a per-vault YAML api_key authenticates at its vault and reports read scope", async () => {
+    // The surviving legacy per-vault path: vault.yaml api_keys. seedVault
+    // writes a `scope: write` key, so we mint a read one here explicitly.
+    const { fullKey, keyId } = generateApiKey();
+    writeVaultConfig({
+      name: "journal",
+      api_keys: [
+        {
+          id: keyId,
+          label: "reader",
+          scope: "read",
+          key_hash: hashKey(fullKey),
+          created_at: new Date().toISOString(),
+        },
+      ],
+      created_at: new Date().toISOString(),
+    });
+    const journalConfig = readVaultConfig("journal")!;
+
+    const result = await authenticateVaultRequest(bearer(fullKey), journalConfig);
+    expect("error" in result).toBe(false);
+    if (!("error" in result)) {
+      expect(result.permission).toBe("read");
+    }
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -303,11 +253,11 @@ describe("auth — legacy global YAML keys honor declared scope", () => {
 //
 // Semantic confirmed for the loopback/non-loopback split (auth gate is
 // orthogonal to socket-level loopback): when VAULT_AUTH_TOKEN is unset,
-// vault's existing token surface (per-vault DB tokens + hub JWTs + legacy
-// YAML keys) is the ONLY auth surface. The bind socket defaults to
-// 127.0.0.1 (`VAULT_BIND` in bind.ts), but no implicit loopback trust
-// exists at the auth layer — a request from 127.0.0.1 still has to
-// present a valid bearer. This matches docs/auth-model.md §1.
+// vault's surviving token surface (hub JWTs + legacy YAML keys) is the ONLY
+// auth surface. The bind socket defaults to 127.0.0.1 (`VAULT_BIND` in
+// bind.ts), but no implicit loopback trust exists at the auth layer — a
+// request from 127.0.0.1 still has to present a valid bearer. This matches
+// docs/auth-model.md §1.
 // ---------------------------------------------------------------------------
 
 describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
@@ -327,13 +277,8 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     process.env.VAULT_AUTH_TOKEN = TOKEN;
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
-    const result = await authenticateVaultRequest(
-      bearer(TOKEN),
-      journalConfig,
-      journalStore.db,
-    );
+    const result = await authenticateVaultRequest(bearer(TOKEN), journalConfig);
 
     expect("error" in result).toBe(false);
     if (!("error" in result)) {
@@ -345,18 +290,16 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
   });
 
   test("env set + matching bearer authenticates against ANY vault on the server", async () => {
-    // Server-wide → not tied to any one vault's DB. Same bearer works
-    // for journal and work without minting a per-vault token in either.
+    // Server-wide → not tied to any one vault. Same bearer works for journal
+    // and work without any per-vault credential in either.
     process.env.VAULT_AUTH_TOKEN = TOKEN;
     seedVault("journal");
     seedVault("work");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
     const workConfig = readVaultConfig("work")!;
-    const workStore = getVaultStore("work");
 
-    const j = await authenticateVaultRequest(bearer(TOKEN), journalConfig, journalStore.db);
-    const w = await authenticateVaultRequest(bearer(TOKEN), workConfig, workStore.db);
+    const j = await authenticateVaultRequest(bearer(TOKEN), journalConfig);
+    const w = await authenticateVaultRequest(bearer(TOKEN), workConfig);
 
     expect("error" in j).toBe(false);
     expect("error" in w).toBe(false);
@@ -366,11 +309,10 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     process.env.VAULT_AUTH_TOKEN = TOKEN;
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
     // No Authorization header at all.
     const noBearer = new Request("https://vault.test/x");
-    const result = await authenticateVaultRequest(noBearer, journalConfig, journalStore.db);
+    const result = await authenticateVaultRequest(noBearer, journalConfig);
 
     expect("error" in result).toBe(true);
     if ("error" in result) {
@@ -382,13 +324,8 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     process.env.VAULT_AUTH_TOKEN = TOKEN;
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
-    const result = await authenticateVaultRequest(
-      bearer("wrong-token-doesnotmatch"),
-      journalConfig,
-      journalStore.db,
-    );
+    const result = await authenticateVaultRequest(bearer("wrong-token-doesnotmatch"), journalConfig);
 
     expect("error" in result).toBe(true);
     if ("error" in result) {
@@ -396,34 +333,25 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     }
   });
 
-  test("env set + bearer that matches a vault token still resolves (server-wide first, but per-vault unchanged)", async () => {
-    // Per-vault tokens keep working even when the server-wide bearer is
-    // set. The server-wide check is a fast-path lookup before token DB
-    // resolution — a per-vault token doesn't match the env var so it
-    // falls through to the existing path.
-    process.env.VAULT_AUTH_TOKEN = TOKEN;
-    seedVault("journal");
-    const perVaultToken = mintTokenInVault("journal");
-    const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
-
-    const result = await authenticateVaultRequest(
-      bearer(perVaultToken),
-      journalConfig,
-      journalStore.db,
-    );
-
-    expect("error" in result).toBe(false);
-  });
-
-  test("env unset + valid per-vault bearer → 200 (existing behavior preserved)", async () => {
+  test("env unset + valid per-vault YAML bearer → 200 (existing behavior preserved)", async () => {
     delete process.env.VAULT_AUTH_TOKEN;
-    seedVault("journal");
-    const token = mintTokenInVault("journal");
+    const { fullKey, keyId } = generateApiKey();
+    writeVaultConfig({
+      name: "journal",
+      api_keys: [
+        {
+          id: keyId,
+          label: "bootstrap",
+          scope: "write",
+          key_hash: hashKey(fullKey),
+          created_at: new Date().toISOString(),
+        },
+      ],
+      created_at: new Date().toISOString(),
+    });
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
-    const result = await authenticateVaultRequest(bearer(token), journalConfig, journalStore.db);
+    const result = await authenticateVaultRequest(bearer(fullKey), journalConfig);
     expect("error" in result).toBe(false);
   });
 
@@ -431,10 +359,9 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     delete process.env.VAULT_AUTH_TOKEN;
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
     const noBearer = new Request("https://vault.test/x");
-    const result = await authenticateVaultRequest(noBearer, journalConfig, journalStore.db);
+    const result = await authenticateVaultRequest(noBearer, journalConfig);
     expect("error" in result).toBe(true);
     if ("error" in result) {
       expect(result.error.status).toBe(401);
@@ -450,12 +377,11 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     delete process.env.VAULT_AUTH_TOKEN;
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
     const remote = new Request("https://vault.test/x", {
       headers: { "X-Forwarded-For": "203.0.113.7" },
     });
-    const result = await authenticateVaultRequest(remote, journalConfig, journalStore.db);
+    const result = await authenticateVaultRequest(remote, journalConfig);
     expect("error" in result).toBe(true);
     if ("error" in result) {
       expect(result.error.status).toBe(401);
@@ -466,15 +392,10 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     process.env.VAULT_AUTH_TOKEN = "   ";
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
     // An empty/whitespace VAULT_AUTH_TOKEN must NOT allow any bearer to
     // pass — the operator either commits to bearer auth or doesn't.
-    const result = await authenticateVaultRequest(
-      bearer(""),
-      journalConfig,
-      journalStore.db,
-    );
+    const result = await authenticateVaultRequest(bearer(""), journalConfig);
     expect("error" in result).toBe(true);
   });
 
@@ -512,17 +433,12 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     process.env.VAULT_AUTH_TOKEN = TOKEN;
     seedVault("journal");
     const journalConfig = readVaultConfig("journal")!;
-    const journalStore = getVaultStore("journal");
 
     const nearMiss = TOKEN.slice(0, -1) + "x";
     expect(nearMiss).not.toBe(TOKEN);
     expect(nearMiss.length).toBe(TOKEN.length);
 
-    const result = await authenticateVaultRequest(
-      bearer(nearMiss),
-      journalConfig,
-      journalStore.db,
-    );
+    const result = await authenticateVaultRequest(bearer(nearMiss), journalConfig);
     expect("error" in result).toBe(true);
   });
 });