@panguard-ai/panguard-auth 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth.d.ts +32 -0
- package/dist/auth.d.ts.map +1 -0
- package/dist/auth.js +68 -0
- package/dist/auth.js.map +1 -0
- package/dist/crypto.d.ts +21 -0
- package/dist/crypto.d.ts.map +1 -0
- package/dist/crypto.js +60 -0
- package/dist/crypto.js.map +1 -0
- package/dist/database.d.ts +266 -0
- package/dist/database.d.ts.map +1 -0
- package/dist/database.js +936 -0
- package/dist/database.js.map +1 -0
- package/dist/email-verify.d.ts +31 -0
- package/dist/email-verify.d.ts.map +1 -0
- package/dist/email-verify.js +506 -0
- package/dist/email-verify.js.map +1 -0
- package/dist/error-tracker.d.ts +24 -0
- package/dist/error-tracker.d.ts.map +1 -0
- package/dist/error-tracker.js +80 -0
- package/dist/error-tracker.js.map +1 -0
- package/dist/google-oauth.d.ts +40 -0
- package/dist/google-oauth.d.ts.map +1 -0
- package/dist/google-oauth.js +77 -0
- package/dist/google-oauth.js.map +1 -0
- package/dist/google-sheets.d.ts +35 -0
- package/dist/google-sheets.d.ts.map +1 -0
- package/dist/google-sheets.js +128 -0
- package/dist/google-sheets.js.map +1 -0
- package/dist/index.d.ts +27 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +18 -0
- package/dist/index.js.map +1 -0
- package/dist/lemonsqueezy.d.ts +61 -0
- package/dist/lemonsqueezy.d.ts.map +1 -0
- package/dist/lemonsqueezy.js +254 -0
- package/dist/lemonsqueezy.js.map +1 -0
- package/dist/middleware.d.ts +22 -0
- package/dist/middleware.d.ts.map +1 -0
- package/dist/middleware.js +40 -0
- package/dist/middleware.js.map +1 -0
- package/dist/openapi.d.ts +17 -0
- package/dist/openapi.d.ts.map +1 -0
- package/dist/openapi.js +683 -0
- package/dist/openapi.js.map +1 -0
- package/dist/rate-limiter.d.ts +46 -0
- package/dist/rate-limiter.d.ts.map +1 -0
- package/dist/rate-limiter.js +64 -0
- package/dist/rate-limiter.js.map +1 -0
- package/dist/routes/admin.d.ts +30 -0
- package/dist/routes/admin.d.ts.map +1 -0
- package/dist/routes/admin.js +490 -0
- package/dist/routes/admin.js.map +1 -0
- package/dist/routes/auth.d.ts +18 -0
- package/dist/routes/auth.d.ts.map +1 -0
- package/dist/routes/auth.js +426 -0
- package/dist/routes/auth.js.map +1 -0
- package/dist/routes/billing.d.ts +14 -0
- package/dist/routes/billing.d.ts.map +1 -0
- package/dist/routes/billing.js +176 -0
- package/dist/routes/billing.js.map +1 -0
- package/dist/routes/index.d.ts +60 -0
- package/dist/routes/index.d.ts.map +1 -0
- package/dist/routes/index.js +133 -0
- package/dist/routes/index.js.map +1 -0
- package/dist/routes/oauth.d.ts +15 -0
- package/dist/routes/oauth.d.ts.map +1 -0
- package/dist/routes/oauth.js +215 -0
- package/dist/routes/oauth.js.map +1 -0
- package/dist/routes/shared.d.ts +71 -0
- package/dist/routes/shared.d.ts.map +1 -0
- package/dist/routes/shared.js +100 -0
- package/dist/routes/shared.js.map +1 -0
- package/dist/routes/totp.d.ts +14 -0
- package/dist/routes/totp.d.ts.map +1 -0
- package/dist/routes/totp.js +166 -0
- package/dist/routes/totp.js.map +1 -0
- package/dist/routes/usage.d.ts +14 -0
- package/dist/routes/usage.d.ts.map +1 -0
- package/dist/routes/usage.js +127 -0
- package/dist/routes/usage.js.map +1 -0
- package/dist/routes/waitlist.d.ts +16 -0
- package/dist/routes/waitlist.d.ts.map +1 -0
- package/dist/routes/waitlist.js +171 -0
- package/dist/routes/waitlist.js.map +1 -0
- package/dist/routes.d.ts +72 -0
- package/dist/routes.d.ts.map +1 -0
- package/dist/routes.js +1806 -0
- package/dist/routes.js.map +1 -0
- package/dist/totp.d.ts +41 -0
- package/dist/totp.d.ts.map +1 -0
- package/dist/totp.js +129 -0
- package/dist/totp.js.map +1 -0
- package/dist/types.d.ts +155 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +6 -0
- package/dist/types.js.map +1 -0
- package/dist/usage-meter.d.ts +49 -0
- package/dist/usage-meter.d.ts.map +1 -0
- package/dist/usage-meter.js +123 -0
- package/dist/usage-meter.js.map +1 -0
- package/package.json +33 -0
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared helpers, types, and the RouteContext interface for route modules.
|
|
3
|
+
* @module @panguard-ai/panguard-auth/routes/shared
|
|
4
|
+
*/
|
|
5
|
+
import type { IncomingMessage, ServerResponse } from 'node:http';
|
|
6
|
+
import type { AuthDB } from '../database.js';
|
|
7
|
+
import type { EmailConfig } from '../email-verify.js';
|
|
8
|
+
import type { GoogleOAuthConfig } from '../google-oauth.js';
|
|
9
|
+
import type { GoogleSheetsConfig } from '../google-sheets.js';
|
|
10
|
+
import type { LemonSqueezyConfig } from '../lemonsqueezy.js';
|
|
11
|
+
import { RateLimiter } from '../rate-limiter.js';
|
|
12
|
+
import type { UserPublic } from '../types.js';
|
|
13
|
+
export declare const MAX_BODY_SIZE: number;
|
|
14
|
+
export type ReadBodyResult = {
|
|
15
|
+
ok: true;
|
|
16
|
+
data: Record<string, unknown>;
|
|
17
|
+
} | {
|
|
18
|
+
ok: false;
|
|
19
|
+
status: 400 | 413;
|
|
20
|
+
};
|
|
21
|
+
export declare function readBody(req: IncomingMessage): Promise<ReadBodyResult>;
|
|
22
|
+
export type ReadRawBodyResult = {
|
|
23
|
+
ok: true;
|
|
24
|
+
raw: string;
|
|
25
|
+
} | {
|
|
26
|
+
ok: false;
|
|
27
|
+
status: 400 | 413;
|
|
28
|
+
};
|
|
29
|
+
export declare function readRawBody(req: IncomingMessage): Promise<ReadRawBodyResult>;
|
|
30
|
+
export declare function json(res: ServerResponse, status: number, data: unknown): void;
|
|
31
|
+
export declare function getClientIP(req: IncomingMessage): string;
|
|
32
|
+
export declare function isValidEmail(email: unknown): email is string;
|
|
33
|
+
export declare function toPublicUser(u: {
|
|
34
|
+
id: number;
|
|
35
|
+
email: string;
|
|
36
|
+
name: string;
|
|
37
|
+
role: string;
|
|
38
|
+
tier: string;
|
|
39
|
+
createdAt: string;
|
|
40
|
+
planExpiresAt?: string | null;
|
|
41
|
+
}): UserPublic;
|
|
42
|
+
export interface AuthRouteConfig {
|
|
43
|
+
db: AuthDB;
|
|
44
|
+
smtp?: EmailConfig;
|
|
45
|
+
baseUrl?: string;
|
|
46
|
+
google?: GoogleOAuthConfig;
|
|
47
|
+
sheets?: GoogleSheetsConfig;
|
|
48
|
+
lemonsqueezy?: LemonSqueezyConfig;
|
|
49
|
+
}
|
|
50
|
+
export interface RouteContext {
|
|
51
|
+
db: AuthDB;
|
|
52
|
+
config: AuthRouteConfig;
|
|
53
|
+
loginLimiter: RateLimiter;
|
|
54
|
+
registerLimiter: RateLimiter;
|
|
55
|
+
resetLimiter: RateLimiter;
|
|
56
|
+
waitlistLimiter: RateLimiter;
|
|
57
|
+
pendingOAuthFlows: Map<string, {
|
|
58
|
+
codeVerifier: string;
|
|
59
|
+
createdAt: number;
|
|
60
|
+
}>;
|
|
61
|
+
pendingCliFlows: Map<string, {
|
|
62
|
+
callbackUrl: string;
|
|
63
|
+
createdAt: number;
|
|
64
|
+
}>;
|
|
65
|
+
oauthExchangeCodes: Map<string, {
|
|
66
|
+
sessionToken: string;
|
|
67
|
+
expiresAt: string;
|
|
68
|
+
createdAt: number;
|
|
69
|
+
}>;
|
|
70
|
+
}
|
|
71
|
+
//# sourceMappingURL=shared.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../src/routes/shared.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACjE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAI9C,eAAO,MAAM,aAAa,QAAc,CAAC;AAIzC,MAAM,MAAM,cAAc,GACtB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAC3C;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAA;CAAE,CAAC;AAErC,wBAAgB,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC,CA6BtE;AAED,MAAM,MAAM,iBAAiB,GAAG;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAA;CAAE,CAAC;AAE7F,wBAAgB,WAAW,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAwB5E;AAID,wBAAgB,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,IAAI,CAG7E;AAID,wBAAgB,WAAW,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,CASxD;AAID,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAG5D;AAID,wBAAgB,YAAY,CAAC,CAAC,EAAE;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B,GAAG,UAAU,CAUb;AAID,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B,YAAY,CAAC,EAAE,kBAAkB,CAAC;CACnC;AAID,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,eAAe,CAAC;IACxB,YAAY,EAAE,WAAW,CAAC;IAC1B,eAAe,EAAE,WAAW,CAAC;IAC7B,YAAY,EAAE,WAAW,CAAC;IAC1B,eAAe,EAAE,WAAW,CAAC;IAC7B,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5E,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzE,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACjG"}
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared helpers, types, and the RouteContext interface for route modules.
|
|
3
|
+
* @module @panguard-ai/panguard-auth/routes/shared
|
|
4
|
+
*/
|
|
5
|
+
// ── Constants ────────────────────────────────────────────────────────
|
|
6
|
+
export const MAX_BODY_SIZE = 1024 * 1024; // 1 MB
|
|
7
|
+
export function readBody(req) {
|
|
8
|
+
return new Promise((resolve) => {
|
|
9
|
+
const chunks = [];
|
|
10
|
+
let totalSize = 0;
|
|
11
|
+
let aborted = false;
|
|
12
|
+
req.on('data', (chunk) => {
|
|
13
|
+
totalSize += chunk.length;
|
|
14
|
+
if (totalSize > MAX_BODY_SIZE) {
|
|
15
|
+
aborted = true;
|
|
16
|
+
req.destroy();
|
|
17
|
+
resolve({ ok: false, status: 413 });
|
|
18
|
+
return;
|
|
19
|
+
}
|
|
20
|
+
chunks.push(chunk);
|
|
21
|
+
});
|
|
22
|
+
req.on('end', () => {
|
|
23
|
+
if (aborted)
|
|
24
|
+
return;
|
|
25
|
+
try {
|
|
26
|
+
const raw = Buffer.concat(chunks).toString('utf-8');
|
|
27
|
+
resolve({ ok: true, data: JSON.parse(raw) });
|
|
28
|
+
}
|
|
29
|
+
catch {
|
|
30
|
+
resolve({ ok: false, status: 400 });
|
|
31
|
+
}
|
|
32
|
+
});
|
|
33
|
+
req.on('error', () => {
|
|
34
|
+
if (!aborted)
|
|
35
|
+
resolve({ ok: false, status: 400 });
|
|
36
|
+
});
|
|
37
|
+
});
|
|
38
|
+
}
|
|
39
|
+
export function readRawBody(req) {
|
|
40
|
+
return new Promise((resolve) => {
|
|
41
|
+
const chunks = [];
|
|
42
|
+
let totalSize = 0;
|
|
43
|
+
let aborted = false;
|
|
44
|
+
req.on('data', (chunk) => {
|
|
45
|
+
totalSize += chunk.length;
|
|
46
|
+
if (totalSize > MAX_BODY_SIZE) {
|
|
47
|
+
aborted = true;
|
|
48
|
+
req.destroy();
|
|
49
|
+
resolve({ ok: false, status: 413 });
|
|
50
|
+
return;
|
|
51
|
+
}
|
|
52
|
+
chunks.push(chunk);
|
|
53
|
+
});
|
|
54
|
+
req.on('end', () => {
|
|
55
|
+
if (aborted)
|
|
56
|
+
return;
|
|
57
|
+
resolve({ ok: true, raw: Buffer.concat(chunks).toString('utf-8') });
|
|
58
|
+
});
|
|
59
|
+
req.on('error', () => {
|
|
60
|
+
if (!aborted)
|
|
61
|
+
resolve({ ok: false, status: 400 });
|
|
62
|
+
});
|
|
63
|
+
});
|
|
64
|
+
}
|
|
65
|
+
// ── Response helper ──────────────────────────────────────────────────
|
|
66
|
+
export function json(res, status, data) {
|
|
67
|
+
res.writeHead(status, { 'Content-Type': 'application/json' });
|
|
68
|
+
res.end(JSON.stringify(data));
|
|
69
|
+
}
|
|
70
|
+
// ── IP helper ────────────────────────────────────────────────────────
|
|
71
|
+
export function getClientIP(req) {
|
|
72
|
+
if (process.env['TRUST_PROXY'] === '1') {
|
|
73
|
+
const forwarded = req.headers['x-forwarded-for'];
|
|
74
|
+
if (typeof forwarded === 'string') {
|
|
75
|
+
const first = forwarded.split(',')[0]?.trim();
|
|
76
|
+
if (first)
|
|
77
|
+
return first;
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
return req.socket.remoteAddress ?? '127.0.0.1';
|
|
81
|
+
}
|
|
82
|
+
// ── Validation helpers ───────────────────────────────────────────────
|
|
83
|
+
export function isValidEmail(email) {
|
|
84
|
+
if (typeof email !== 'string')
|
|
85
|
+
return false;
|
|
86
|
+
return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
|
|
87
|
+
}
|
|
88
|
+
// ── User projection ──────────────────────────────────────────────────
|
|
89
|
+
export function toPublicUser(u) {
|
|
90
|
+
return {
|
|
91
|
+
id: u.id,
|
|
92
|
+
email: u.email,
|
|
93
|
+
name: u.name,
|
|
94
|
+
role: u.role,
|
|
95
|
+
tier: u.tier,
|
|
96
|
+
createdAt: u.createdAt,
|
|
97
|
+
planExpiresAt: u.planExpiresAt,
|
|
98
|
+
};
|
|
99
|
+
}
|
|
100
|
+
//# sourceMappingURL=shared.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"shared.js","sourceRoot":"","sources":["../../src/routes/shared.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,wEAAwE;AAExE,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAQjD,MAAM,UAAU,QAAQ,CAAC,GAAoB;IAC3C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;YAC1B,IAAI,SAAS,GAAG,aAAa,EAAE,CAAC;gBAC9B,OAAO,GAAG,IAAI,CAAC;gBACf,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,OAAO;gBAAE,OAAO;YACpB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACpD,OAAO,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,EAAE,CAAC,CAAC;YAC1E,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACtC,CAAC;QACH,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,IAAI,CAAC,OAAO;gBAAE,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAID,MAAM,UAAU,WAAW,CAAC,GAAoB;IAC9C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;YAC1B,IAAI,SAAS,GAAG,aAAa,EAAE,CAAC;gBAC9B,OAAO,GAAG,IAAI,CAAC;gBACf,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,IAAI,CAAC,OAAO;gBAAE,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,IAAI,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa;IACrE,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC9D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,WAAW,CAAC,GAAoB;IAC9C,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,GAAG,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACjD,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;YAC9C,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,WAAW,CAAC;AACjD,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAClD,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,YAAY,CAAC,CAQ5B;IACC,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,aAAa,EAAE,CAAC,CAAC,aAAa;KAC/B,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* TOTP (Two-Factor Authentication) route handlers:
|
|
3
|
+
* handleTotpSetup, handleTotpVerify, handleTotpDisable, handleTotpStatus.
|
|
4
|
+
* @module @panguard-ai/panguard-auth/routes/totp
|
|
5
|
+
*/
|
|
6
|
+
import type { IncomingMessage, ServerResponse } from 'node:http';
|
|
7
|
+
import type { RouteContext } from './shared.js';
|
|
8
|
+
export declare function createTotpRoutes(ctx: RouteContext): {
|
|
9
|
+
handleTotpSetup: (req: IncomingMessage, res: ServerResponse) => void;
|
|
10
|
+
handleTotpVerify: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
|
|
11
|
+
handleTotpDisable: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
|
|
12
|
+
handleTotpStatus: (req: IncomingMessage, res: ServerResponse) => void;
|
|
13
|
+
};
|
|
14
|
+
//# sourceMappingURL=totp.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"totp.d.ts","sourceRoot":"","sources":["../../src/routes/totp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAKjE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGhD,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,YAAY;2BAOlB,eAAe,OAAO,cAAc,KAAG,IAAI;4BA0CpC,eAAe,OAAO,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC;6BAuDnD,eAAe,OAAO,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC;4BAgD3D,eAAe,OAAO,cAAc,KAAG,IAAI;EA8B3E"}
|
|
@@ -0,0 +1,166 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* TOTP (Two-Factor Authentication) route handlers:
|
|
3
|
+
* handleTotpSetup, handleTotpVerify, handleTotpDisable, handleTotpStatus.
|
|
4
|
+
* @module @panguard-ai/panguard-auth/routes/totp
|
|
5
|
+
*/
|
|
6
|
+
import { verifyPassword } from '../auth.js';
|
|
7
|
+
import { authenticateRequest } from '../middleware.js';
|
|
8
|
+
import { logAuditEvent } from '@panguard-ai/security-hardening';
|
|
9
|
+
import { generateTotpSecret, generateBackupCodes, buildOtpauthUri, verifyTotp } from '../totp.js';
|
|
10
|
+
import { readBody, json } from './shared.js';
|
|
11
|
+
export function createTotpRoutes(ctx) {
|
|
12
|
+
const { db } = ctx;
|
|
13
|
+
/**
|
|
14
|
+
* POST /api/auth/totp/setup
|
|
15
|
+
* Generate a new TOTP secret and backup codes. Returns otpauth URI for QR code.
|
|
16
|
+
*/
|
|
17
|
+
function handleTotpSetup(req, res) {
|
|
18
|
+
if (req.method !== 'POST') {
|
|
19
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
20
|
+
return;
|
|
21
|
+
}
|
|
22
|
+
const user = authenticateRequest(req, db);
|
|
23
|
+
if (!user) {
|
|
24
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
25
|
+
return;
|
|
26
|
+
}
|
|
27
|
+
// Check if already enabled
|
|
28
|
+
const existing = db.getTotpSecret(user.id);
|
|
29
|
+
if (existing?.enabled) {
|
|
30
|
+
json(res, 409, { ok: false, error: '2FA is already enabled. Disable it first to re-setup.' });
|
|
31
|
+
return;
|
|
32
|
+
}
|
|
33
|
+
const secret = generateTotpSecret();
|
|
34
|
+
const backupCodes = generateBackupCodes();
|
|
35
|
+
const otpauthUri = buildOtpauthUri(secret, user.email);
|
|
36
|
+
// Store (not yet enabled — user must verify first)
|
|
37
|
+
db.saveTotpSecret(user.id, secret, JSON.stringify(backupCodes));
|
|
38
|
+
json(res, 200, {
|
|
39
|
+
ok: true,
|
|
40
|
+
data: {
|
|
41
|
+
secret,
|
|
42
|
+
otpauthUri,
|
|
43
|
+
backupCodes,
|
|
44
|
+
message: 'Scan the QR code with your authenticator app, then verify with /api/auth/totp/verify.',
|
|
45
|
+
},
|
|
46
|
+
});
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* POST /api/auth/totp/verify
|
|
50
|
+
* Verify a TOTP code to enable 2FA. Body: { code: "123456" }
|
|
51
|
+
*/
|
|
52
|
+
async function handleTotpVerify(req, res) {
|
|
53
|
+
if (req.method !== 'POST') {
|
|
54
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
55
|
+
return;
|
|
56
|
+
}
|
|
57
|
+
const user = authenticateRequest(req, db);
|
|
58
|
+
if (!user) {
|
|
59
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
60
|
+
return;
|
|
61
|
+
}
|
|
62
|
+
const body = await readBody(req);
|
|
63
|
+
if (!body.ok) {
|
|
64
|
+
json(res, body.status, { ok: false, error: 'Invalid request body' });
|
|
65
|
+
return;
|
|
66
|
+
}
|
|
67
|
+
const { code } = body.data;
|
|
68
|
+
if (typeof code !== 'string' || code.length !== 6) {
|
|
69
|
+
json(res, 400, { ok: false, error: 'A 6-digit code is required' });
|
|
70
|
+
return;
|
|
71
|
+
}
|
|
72
|
+
const totpSecret = db.getTotpSecret(user.id);
|
|
73
|
+
if (!totpSecret) {
|
|
74
|
+
json(res, 404, { ok: false, error: 'No TOTP setup found. Call /api/auth/totp/setup first.' });
|
|
75
|
+
return;
|
|
76
|
+
}
|
|
77
|
+
const matchedStep = verifyTotp(totpSecret.encryptedSecret, code, totpSecret.lastUsedStep);
|
|
78
|
+
if (matchedStep < 0) {
|
|
79
|
+
json(res, 401, { ok: false, error: 'Invalid TOTP code' });
|
|
80
|
+
return;
|
|
81
|
+
}
|
|
82
|
+
db.updateLastUsedStep(user.id, matchedStep);
|
|
83
|
+
db.enableTotp(user.id);
|
|
84
|
+
db.addAuditLog('totp_enabled', user.id, user.id, undefined);
|
|
85
|
+
logAuditEvent({
|
|
86
|
+
level: 'info',
|
|
87
|
+
action: 'credential_access',
|
|
88
|
+
target: user.email,
|
|
89
|
+
result: 'success',
|
|
90
|
+
context: { details: '2FA enabled' },
|
|
91
|
+
});
|
|
92
|
+
json(res, 200, { ok: true, data: { message: '2FA has been enabled.' } });
|
|
93
|
+
}
|
|
94
|
+
/**
|
|
95
|
+
* POST /api/auth/totp/disable
|
|
96
|
+
* Disable 2FA. Requires password confirmation. Body: { password: "..." }
|
|
97
|
+
*/
|
|
98
|
+
async function handleTotpDisable(req, res) {
|
|
99
|
+
if (req.method !== 'POST') {
|
|
100
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
101
|
+
return;
|
|
102
|
+
}
|
|
103
|
+
const user = authenticateRequest(req, db);
|
|
104
|
+
if (!user) {
|
|
105
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
106
|
+
return;
|
|
107
|
+
}
|
|
108
|
+
const body = await readBody(req);
|
|
109
|
+
if (!body.ok) {
|
|
110
|
+
json(res, body.status, { ok: false, error: 'Invalid request body' });
|
|
111
|
+
return;
|
|
112
|
+
}
|
|
113
|
+
const { password } = body.data;
|
|
114
|
+
if (typeof password !== 'string') {
|
|
115
|
+
json(res, 400, { ok: false, error: 'Password is required to disable 2FA' });
|
|
116
|
+
return;
|
|
117
|
+
}
|
|
118
|
+
const valid = await verifyPassword(password, user.passwordHash);
|
|
119
|
+
if (!valid) {
|
|
120
|
+
json(res, 401, { ok: false, error: 'Invalid password' });
|
|
121
|
+
return;
|
|
122
|
+
}
|
|
123
|
+
db.disableTotp(user.id);
|
|
124
|
+
db.addAuditLog('totp_disabled', user.id, user.id, undefined);
|
|
125
|
+
logAuditEvent({
|
|
126
|
+
level: 'info',
|
|
127
|
+
action: 'credential_access',
|
|
128
|
+
target: user.email,
|
|
129
|
+
result: 'success',
|
|
130
|
+
context: { details: '2FA disabled' },
|
|
131
|
+
});
|
|
132
|
+
json(res, 200, { ok: true, data: { message: '2FA has been disabled.' } });
|
|
133
|
+
}
|
|
134
|
+
/**
|
|
135
|
+
* GET /api/auth/totp/status
|
|
136
|
+
* Check if 2FA is enabled for the authenticated user.
|
|
137
|
+
*/
|
|
138
|
+
function handleTotpStatus(req, res) {
|
|
139
|
+
if (req.method !== 'GET') {
|
|
140
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
141
|
+
return;
|
|
142
|
+
}
|
|
143
|
+
const user = authenticateRequest(req, db);
|
|
144
|
+
if (!user) {
|
|
145
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
146
|
+
return;
|
|
147
|
+
}
|
|
148
|
+
const totpSecret = db.getTotpSecret(user.id);
|
|
149
|
+
json(res, 200, {
|
|
150
|
+
ok: true,
|
|
151
|
+
data: {
|
|
152
|
+
enabled: totpSecret?.enabled === 1,
|
|
153
|
+
backupCodesRemaining: totpSecret
|
|
154
|
+
? JSON.parse(totpSecret.backupCodes).length
|
|
155
|
+
: 0,
|
|
156
|
+
},
|
|
157
|
+
});
|
|
158
|
+
}
|
|
159
|
+
return {
|
|
160
|
+
handleTotpSetup,
|
|
161
|
+
handleTotpVerify,
|
|
162
|
+
handleTotpDisable,
|
|
163
|
+
handleTotpStatus,
|
|
164
|
+
};
|
|
165
|
+
}
|
|
166
|
+
//# sourceMappingURL=totp.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"totp.js","sourceRoot":"","sources":["../../src/routes/totp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAElG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,gBAAgB,CAAC,GAAiB;IAChD,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC;IAEnB;;;OAGG;IACH,SAAS,eAAe,CAAC,GAAoB,EAAE,GAAmB;QAChE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3C,IAAI,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uDAAuD,EAAE,CAAC,CAAC;YAC9F,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACpC,MAAM,WAAW,GAAG,mBAAmB,EAAE,CAAC;QAC1C,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAEvD,mDAAmD;QACnD,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QAEhE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;YACb,EAAE,EAAE,IAAI;YACR,IAAI,EAAE;gBACJ,MAAM;gBACN,UAAU;gBACV,WAAW;gBACX,OAAO,EACL,uFAAuF;aAC1F;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK,UAAU,gBAAgB,CAAC,GAAoB,EAAE,GAAmB;QACvE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YACrE,OAAO;QACT,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uDAAuD,EAAE,CAAC,CAAC;YAC9F,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,UAAU,CAAC,UAAU,CAAC,eAAe,EAAE,IAAI,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;QAC1F,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QACD,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QAE5C,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEvB,EAAE,CAAC,WAAW,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;QAC5D,aAAa,CAAC;YACZ,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,mBAAmB;YAC3B,MAAM,EAAE,IAAI,CAAC,KAAK;YAClB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,EAAE,OAAO,EAAE,aAAa,EAAE;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED;;;OAGG;IACH,KAAK,UAAU,iBAAiB,CAAC,GAAoB,EAAE,GAAmB;QACxE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YACrE,OAAO;QACT,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QAC/B,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC,CAAC;YAC5E,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;YACzD,OAAO;QACT,CAAC;QAED,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAExB,EAAE,CAAC,WAAW,CAAC,eAAe,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;QAC7D,aAAa,CAAC;YACZ,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,mBAAmB;YAC3B,MAAM,EAAE,IAAI,CAAC,KAAK;YAClB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE;SACrC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED;;;OAGG;IACH,SAAS,gBAAgB,CAAC,GAAoB,EAAE,GAAmB;QACjE,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;YACb,EAAE,EAAE,IAAI;YACR,IAAI,EAAE;gBACJ,OAAO,EAAE,UAAU,EAAE,OAAO,KAAK,CAAC;gBAClC,oBAAoB,EAAE,UAAU;oBAC9B,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,CAAc,CAAC,MAAM;oBACzD,CAAC,CAAC,CAAC;aACN;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,eAAe;QACf,gBAAgB;QAChB,iBAAiB;QACjB,gBAAgB;KACjB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Usage / Quota route handlers:
|
|
3
|
+
* handleUsageSummary, handleUsageLimits, handleUsageCheck, handleUsageRecord.
|
|
4
|
+
* @module @panguard-ai/panguard-auth/routes/usage
|
|
5
|
+
*/
|
|
6
|
+
import type { IncomingMessage, ServerResponse } from 'node:http';
|
|
7
|
+
import type { RouteContext } from './shared.js';
|
|
8
|
+
export declare function createUsageRoutes(ctx: RouteContext): {
|
|
9
|
+
handleUsageSummary: (req: IncomingMessage, res: ServerResponse) => void;
|
|
10
|
+
handleUsageLimits: (req: IncomingMessage, res: ServerResponse) => void;
|
|
11
|
+
handleUsageCheck: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
|
|
12
|
+
handleUsageRecord: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
|
|
13
|
+
};
|
|
14
|
+
//# sourceMappingURL=usage.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"usage.d.ts","sourceRoot":"","sources":["../../src/routes/usage.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAIjE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGhD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,YAAY;8BAOhB,eAAe,OAAO,cAAc,KAAG,IAAI;6BAoB5C,eAAe,OAAO,cAAc,KAAG,IAAI;4BAqBtC,eAAe,OAAO,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC;6BAiCnD,eAAe,OAAO,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC;EAuD3F"}
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Usage / Quota route handlers:
|
|
3
|
+
* handleUsageSummary, handleUsageLimits, handleUsageCheck, handleUsageRecord.
|
|
4
|
+
* @module @panguard-ai/panguard-auth/routes/usage
|
|
5
|
+
*/
|
|
6
|
+
import { authenticateRequest } from '../middleware.js';
|
|
7
|
+
import { checkQuota, recordUsage, getUsageSummary, getQuotaLimits } from '../usage-meter.js';
|
|
8
|
+
import { readBody, json } from './shared.js';
|
|
9
|
+
export function createUsageRoutes(ctx) {
|
|
10
|
+
const { db } = ctx;
|
|
11
|
+
/**
|
|
12
|
+
* GET /api/usage
|
|
13
|
+
* Returns current usage and quota for the authenticated user.
|
|
14
|
+
*/
|
|
15
|
+
function handleUsageSummary(req, res) {
|
|
16
|
+
if (req.method !== 'GET') {
|
|
17
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
18
|
+
return;
|
|
19
|
+
}
|
|
20
|
+
const user = authenticateRequest(req, db);
|
|
21
|
+
if (!user) {
|
|
22
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
23
|
+
return;
|
|
24
|
+
}
|
|
25
|
+
const summary = getUsageSummary(db, user.id, user.tier);
|
|
26
|
+
json(res, 200, { ok: true, data: { usage: summary, tier: user.tier } });
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* GET /api/usage/limits
|
|
30
|
+
* Returns quota limits for the authenticated user's tier.
|
|
31
|
+
*/
|
|
32
|
+
function handleUsageLimits(req, res) {
|
|
33
|
+
if (req.method !== 'GET') {
|
|
34
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
35
|
+
return;
|
|
36
|
+
}
|
|
37
|
+
const user = authenticateRequest(req, db);
|
|
38
|
+
if (!user) {
|
|
39
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
40
|
+
return;
|
|
41
|
+
}
|
|
42
|
+
const limits = getQuotaLimits(user.tier);
|
|
43
|
+
json(res, 200, { ok: true, data: { limits, tier: user.tier } });
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* POST /api/usage/check
|
|
47
|
+
* Checks if the user has quota for a specific resource.
|
|
48
|
+
* Body: { resource: string }
|
|
49
|
+
*/
|
|
50
|
+
async function handleUsageCheck(req, res) {
|
|
51
|
+
if (req.method !== 'POST') {
|
|
52
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
53
|
+
return;
|
|
54
|
+
}
|
|
55
|
+
const user = authenticateRequest(req, db);
|
|
56
|
+
if (!user) {
|
|
57
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
58
|
+
return;
|
|
59
|
+
}
|
|
60
|
+
const body = await readBody(req);
|
|
61
|
+
if (!body.ok) {
|
|
62
|
+
json(res, body.status, { ok: false, error: 'Invalid request body' });
|
|
63
|
+
return;
|
|
64
|
+
}
|
|
65
|
+
const resource = body.data['resource'];
|
|
66
|
+
if (!resource) {
|
|
67
|
+
json(res, 400, { ok: false, error: 'resource is required' });
|
|
68
|
+
return;
|
|
69
|
+
}
|
|
70
|
+
const check = checkQuota(db, user.id, user.tier, resource);
|
|
71
|
+
json(res, 200, { ok: true, data: check });
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* POST /api/usage/record
|
|
75
|
+
* Records usage for a resource. Intended for internal/trusted callers.
|
|
76
|
+
* Body: { resource: string, count?: number }
|
|
77
|
+
*/
|
|
78
|
+
async function handleUsageRecord(req, res) {
|
|
79
|
+
if (req.method !== 'POST') {
|
|
80
|
+
json(res, 405, { ok: false, error: 'Method not allowed' });
|
|
81
|
+
return;
|
|
82
|
+
}
|
|
83
|
+
const user = authenticateRequest(req, db);
|
|
84
|
+
if (!user) {
|
|
85
|
+
json(res, 401, { ok: false, error: 'Not authenticated' });
|
|
86
|
+
return;
|
|
87
|
+
}
|
|
88
|
+
const body = await readBody(req);
|
|
89
|
+
if (!body.ok) {
|
|
90
|
+
json(res, body.status, { ok: false, error: 'Invalid request body' });
|
|
91
|
+
return;
|
|
92
|
+
}
|
|
93
|
+
const VALID_RESOURCES = [
|
|
94
|
+
'scan',
|
|
95
|
+
'guard_endpoints',
|
|
96
|
+
'reports',
|
|
97
|
+
'api_calls',
|
|
98
|
+
'notifications',
|
|
99
|
+
'trap_instances',
|
|
100
|
+
];
|
|
101
|
+
const resource = body.data['resource'];
|
|
102
|
+
const count = typeof body.data['count'] === 'number' ? body.data['count'] : 1;
|
|
103
|
+
if (!resource || !VALID_RESOURCES.includes(resource)) {
|
|
104
|
+
json(res, 400, { ok: false, error: 'Invalid or missing resource type' });
|
|
105
|
+
return;
|
|
106
|
+
}
|
|
107
|
+
// Check quota before recording
|
|
108
|
+
const check = checkQuota(db, user.id, user.tier, resource);
|
|
109
|
+
if (!check.allowed) {
|
|
110
|
+
json(res, 429, {
|
|
111
|
+
ok: false,
|
|
112
|
+
error: 'Quota exceeded',
|
|
113
|
+
data: { current: check.current, limit: check.limit, resource },
|
|
114
|
+
});
|
|
115
|
+
return;
|
|
116
|
+
}
|
|
117
|
+
recordUsage(db, user.id, resource, count);
|
|
118
|
+
json(res, 200, { ok: true, data: { recorded: count, resource } });
|
|
119
|
+
}
|
|
120
|
+
return {
|
|
121
|
+
handleUsageSummary,
|
|
122
|
+
handleUsageLimits,
|
|
123
|
+
handleUsageCheck,
|
|
124
|
+
handleUsageRecord,
|
|
125
|
+
};
|
|
126
|
+
}
|
|
127
|
+
//# sourceMappingURL=usage.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"usage.js","sourceRoot":"","sources":["../../src/routes/usage.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAG7F,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,iBAAiB,CAAC,GAAiB;IACjD,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC;IAEnB;;;OAGG;IACH,SAAS,kBAAkB,CAAC,GAAoB,EAAE,GAAmB;QACnE,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED;;;OAGG;IACH,SAAS,iBAAiB,CAAC,GAAoB,EAAE,GAAmB;QAClE,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAClE,CAAC;IAED;;;;OAIG;IACH,KAAK,UAAU,gBAAgB,CAAC,GAAoB,EAAE,GAAmB;QACvE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YACrE,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAsB,CAAC;QAC5D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED;;;;OAIG;IACH,KAAK,UAAU,iBAAiB,CAAC,GAAoB,EAAE,GAAmB;QACxE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YACrE,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAsB;YACzC,MAAM;YACN,iBAAiB;YACjB,SAAS;YACT,WAAW;YACX,eAAe;YACf,gBAAgB;SACjB,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAsB,CAAC;QAC5D,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAE9E,IAAI,CAAC,QAAQ,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC,CAAC;YACzE,OAAO;QACT,CAAC;QAED,+BAA+B;QAC/B,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBACb,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,gBAAgB;gBACvB,IAAI,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;aAC/D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,WAAW,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO;QACL,kBAAkB;QAClB,iBAAiB;QACjB,gBAAgB;QAChB,iBAAiB;KAClB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Waitlist route handlers:
|
|
3
|
+
* handleWaitlistJoin, handleWaitlistVerify, handleWaitlistStats, handleWaitlistList.
|
|
4
|
+
* @module @panguard-ai/panguard-auth/routes/waitlist
|
|
5
|
+
*/
|
|
6
|
+
import type { IncomingMessage, ServerResponse } from 'node:http';
|
|
7
|
+
import type { RouteContext } from './shared.js';
|
|
8
|
+
export declare function createWaitlistRoutes(ctx: RouteContext): {
|
|
9
|
+
handleWaitlistJoin: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
|
|
10
|
+
handleWaitlistVerify: (req: IncomingMessage, res: ServerResponse, token: string) => void;
|
|
11
|
+
handleWaitlistStats: (req: IncomingMessage, res: ServerResponse) => void;
|
|
12
|
+
handleWaitlistList: (req: IncomingMessage, res: ServerResponse) => void;
|
|
13
|
+
handleAdminWaitlistApprove: (req: IncomingMessage, res: ServerResponse, entryId: string) => Promise<void>;
|
|
14
|
+
handleAdminWaitlistReject: (req: IncomingMessage, res: ServerResponse, entryId: string) => Promise<void>;
|
|
15
|
+
};
|
|
16
|
+
//# sourceMappingURL=waitlist.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"waitlist.d.ts","sourceRoot":"","sources":["../../src/routes/waitlist.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAKjE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGhD,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,YAAY;8BAGb,eAAe,OAAO,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC;gCA4ExD,eAAe,OAAO,cAAc,SAAS,MAAM,KAAG,IAAI;+BAkB3D,eAAe,OAAO,cAAc,KAAG,IAAI;8BAiB5C,eAAe,OAAO,cAAc,KAAG,IAAI;sCAiBrE,eAAe,OACf,cAAc,WACV,MAAM,KACd,OAAO,CAAC,IAAI,CAAC;qCAsCT,eAAe,OACf,cAAc,WACV,MAAM,KACd,OAAO,CAAC,IAAI,CAAC;EA8BjB"}
|