@pikku/core 0.12.3 → 0.12.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (218) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/dist/services/in-memory-workflow-service.d.ts +15 -2
  3. package/dist/services/in-memory-workflow-service.js +49 -0
  4. package/lcov.info +18891 -0
  5. package/package.json +1 -1
  6. package/src/crypto-utils.test.ts +0 -214
  7. package/src/crypto-utils.ts +0 -213
  8. package/src/errors/error-handler.ts +0 -62
  9. package/src/errors/error.test.ts +0 -195
  10. package/src/errors/errors.ts +0 -374
  11. package/src/errors/index.ts +0 -2
  12. package/src/factory-functions.test.ts +0 -109
  13. package/src/function/function-runner.test.ts +0 -536
  14. package/src/function/function-runner.ts +0 -365
  15. package/src/function/functions.types.ts +0 -304
  16. package/src/function/index.ts +0 -5
  17. package/src/handle-error.test.ts +0 -424
  18. package/src/handle-error.ts +0 -69
  19. package/src/index.ts +0 -118
  20. package/src/internal.ts +0 -6
  21. package/src/middleware/auth-apikey.test.ts +0 -363
  22. package/src/middleware/auth-apikey.ts +0 -47
  23. package/src/middleware/auth-bearer.test.ts +0 -450
  24. package/src/middleware/auth-bearer.ts +0 -72
  25. package/src/middleware/auth-cookie.test.ts +0 -528
  26. package/src/middleware/auth-cookie.ts +0 -80
  27. package/src/middleware/cors.test.ts +0 -424
  28. package/src/middleware/cors.ts +0 -104
  29. package/src/middleware/index.ts +0 -5
  30. package/src/middleware/remote-auth.test.ts +0 -488
  31. package/src/middleware/remote-auth.ts +0 -68
  32. package/src/middleware/timeout.ts +0 -15
  33. package/src/middleware-runner.test.ts +0 -418
  34. package/src/middleware-runner.ts +0 -234
  35. package/src/permissions.test.ts +0 -434
  36. package/src/permissions.ts +0 -319
  37. package/src/pikku-request.ts +0 -23
  38. package/src/pikku-response.ts +0 -5
  39. package/src/pikku-state.test.ts +0 -224
  40. package/src/pikku-state.ts +0 -216
  41. package/src/run-tests-script.test.ts +0 -49
  42. package/src/schema.test.ts +0 -249
  43. package/src/schema.ts +0 -151
  44. package/src/services/ai-agent-runner-service.ts +0 -41
  45. package/src/services/ai-run-state-service.ts +0 -20
  46. package/src/services/ai-storage-service.ts +0 -39
  47. package/src/services/content-service.ts +0 -76
  48. package/src/services/deployment-service.ts +0 -22
  49. package/src/services/gateway-service.ts +0 -20
  50. package/src/services/gopass-secrets.ts +0 -98
  51. package/src/services/in-memory-ai-run-state-service.ts +0 -73
  52. package/src/services/in-memory-trigger-service.ts +0 -64
  53. package/src/services/in-memory-workflow-service.test.ts +0 -351
  54. package/src/services/in-memory-workflow-service.ts +0 -438
  55. package/src/services/index.ts +0 -56
  56. package/src/services/jwt-service.ts +0 -30
  57. package/src/services/local-content.ts +0 -120
  58. package/src/services/local-gateway-service.ts +0 -62
  59. package/src/services/local-secrets.test.ts +0 -80
  60. package/src/services/local-secrets.ts +0 -94
  61. package/src/services/local-variables.test.ts +0 -61
  62. package/src/services/local-variables.ts +0 -39
  63. package/src/services/logger-console.test.ts +0 -118
  64. package/src/services/logger-console.ts +0 -98
  65. package/src/services/logger.ts +0 -57
  66. package/src/services/scheduler-service.ts +0 -86
  67. package/src/services/schema-service.ts +0 -33
  68. package/src/services/scoped-secret-service.test.ts +0 -74
  69. package/src/services/scoped-secret-service.ts +0 -41
  70. package/src/services/secret-service.ts +0 -38
  71. package/src/services/trigger-service.ts +0 -17
  72. package/src/services/typed-secret-service.test.ts +0 -93
  73. package/src/services/typed-secret-service.ts +0 -70
  74. package/src/services/typed-variables-service.test.ts +0 -73
  75. package/src/services/typed-variables-service.ts +0 -81
  76. package/src/services/user-session-service.test.ts +0 -113
  77. package/src/services/user-session-service.ts +0 -86
  78. package/src/services/variables-service.ts +0 -11
  79. package/src/services/workflow-service.ts +0 -95
  80. package/src/testing/index.ts +0 -2
  81. package/src/testing/service-tests.ts +0 -873
  82. package/src/time-utils.test.ts +0 -56
  83. package/src/time-utils.ts +0 -107
  84. package/src/types/core.types.ts +0 -478
  85. package/src/types/state.types.ts +0 -188
  86. package/src/utils/hash.test.ts +0 -68
  87. package/src/utils/hash.ts +0 -26
  88. package/src/utils.test.ts +0 -350
  89. package/src/utils.ts +0 -129
  90. package/src/version.test.ts +0 -80
  91. package/src/version.ts +0 -25
  92. package/src/wirings/ai-agent/agent-dynamic-workflow.ts +0 -469
  93. package/src/wirings/ai-agent/ai-agent-helpers.test.ts +0 -152
  94. package/src/wirings/ai-agent/ai-agent-helpers.ts +0 -76
  95. package/src/wirings/ai-agent/ai-agent-memory.ts +0 -310
  96. package/src/wirings/ai-agent/ai-agent-model-config.test.ts +0 -115
  97. package/src/wirings/ai-agent/ai-agent-model-config.ts +0 -43
  98. package/src/wirings/ai-agent/ai-agent-prepare.ts +0 -636
  99. package/src/wirings/ai-agent/ai-agent-registry.test.ts +0 -37
  100. package/src/wirings/ai-agent/ai-agent-registry.ts +0 -82
  101. package/src/wirings/ai-agent/ai-agent-runner.test.ts +0 -319
  102. package/src/wirings/ai-agent/ai-agent-runner.ts +0 -773
  103. package/src/wirings/ai-agent/ai-agent-stream.test.ts +0 -859
  104. package/src/wirings/ai-agent/ai-agent-stream.ts +0 -1153
  105. package/src/wirings/ai-agent/ai-agent.types.ts +0 -382
  106. package/src/wirings/ai-agent/index.ts +0 -37
  107. package/src/wirings/channel/channel-common.ts +0 -90
  108. package/src/wirings/channel/channel-handler.ts +0 -250
  109. package/src/wirings/channel/channel-middleware-runner.ts +0 -120
  110. package/src/wirings/channel/channel-runner.ts +0 -166
  111. package/src/wirings/channel/channel-store.ts +0 -29
  112. package/src/wirings/channel/channel.types.ts +0 -172
  113. package/src/wirings/channel/define-channel-routes.ts +0 -25
  114. package/src/wirings/channel/eventhub-service.ts +0 -34
  115. package/src/wirings/channel/eventhub-store.ts +0 -13
  116. package/src/wirings/channel/index.ts +0 -24
  117. package/src/wirings/channel/local/index.ts +0 -3
  118. package/src/wirings/channel/local/local-channel-handler.ts +0 -81
  119. package/src/wirings/channel/local/local-channel-runner.test.ts +0 -215
  120. package/src/wirings/channel/local/local-channel-runner.ts +0 -210
  121. package/src/wirings/channel/local/local-eventhub-service.test.ts +0 -95
  122. package/src/wirings/channel/local/local-eventhub-service.ts +0 -101
  123. package/src/wirings/channel/log-channels.ts +0 -20
  124. package/src/wirings/channel/pikku-abstract-channel-handler.test.ts +0 -54
  125. package/src/wirings/channel/pikku-abstract-channel-handler.ts +0 -45
  126. package/src/wirings/channel/serverless/index.ts +0 -5
  127. package/src/wirings/channel/serverless/serverless-channel-runner.ts +0 -289
  128. package/src/wirings/cli/channel/cli-channel-runner.ts +0 -136
  129. package/src/wirings/cli/channel/index.ts +0 -1
  130. package/src/wirings/cli/cli-runner.test.ts +0 -403
  131. package/src/wirings/cli/cli-runner.ts +0 -529
  132. package/src/wirings/cli/cli.types.ts +0 -358
  133. package/src/wirings/cli/command-parser.test.ts +0 -445
  134. package/src/wirings/cli/command-parser.ts +0 -504
  135. package/src/wirings/cli/define-cli-commands.ts +0 -24
  136. package/src/wirings/cli/index.ts +0 -19
  137. package/src/wirings/gateway/gateway-runner.test.ts +0 -474
  138. package/src/wirings/gateway/gateway-runner.ts +0 -411
  139. package/src/wirings/gateway/gateway.types.ts +0 -149
  140. package/src/wirings/gateway/index.ts +0 -13
  141. package/src/wirings/http/http-routes.test.ts +0 -322
  142. package/src/wirings/http/http-routes.ts +0 -197
  143. package/src/wirings/http/http-runner.test.ts +0 -144
  144. package/src/wirings/http/http-runner.ts +0 -588
  145. package/src/wirings/http/http.types.ts +0 -369
  146. package/src/wirings/http/index.ts +0 -28
  147. package/src/wirings/http/log-http-routes.ts +0 -22
  148. package/src/wirings/http/pikku-fetch-http-request.test.ts +0 -237
  149. package/src/wirings/http/pikku-fetch-http-request.ts +0 -170
  150. package/src/wirings/http/pikku-fetch-http-response.test.ts +0 -82
  151. package/src/wirings/http/pikku-fetch-http-response.ts +0 -147
  152. package/src/wirings/http/routers/http-router.ts +0 -13
  153. package/src/wirings/http/routers/path-to-regex.test.ts +0 -319
  154. package/src/wirings/http/routers/path-to-regex.ts +0 -126
  155. package/src/wirings/http/web-request.test.ts +0 -236
  156. package/src/wirings/http/web-request.ts +0 -104
  157. package/src/wirings/mcp/index.ts +0 -27
  158. package/src/wirings/mcp/mcp-endpoint-registry.test.ts +0 -389
  159. package/src/wirings/mcp/mcp-endpoint-registry.ts +0 -159
  160. package/src/wirings/mcp/mcp-runner.ts +0 -323
  161. package/src/wirings/mcp/mcp.types.ts +0 -216
  162. package/src/wirings/node/index.ts +0 -2
  163. package/src/wirings/node/node.types.ts +0 -23
  164. package/src/wirings/oauth2/index.ts +0 -3
  165. package/src/wirings/oauth2/oauth2-client.test.ts +0 -929
  166. package/src/wirings/oauth2/oauth2-client.ts +0 -335
  167. package/src/wirings/oauth2/oauth2.types.ts +0 -69
  168. package/src/wirings/oauth2/wire-oauth2-credential.ts +0 -23
  169. package/src/wirings/queue/index.ts +0 -31
  170. package/src/wirings/queue/queue-runner.test.ts +0 -710
  171. package/src/wirings/queue/queue-runner.ts +0 -192
  172. package/src/wirings/queue/queue.types.ts +0 -189
  173. package/src/wirings/queue/register-queue-helper.ts +0 -60
  174. package/src/wirings/queue/validate-worker-config.test.ts +0 -108
  175. package/src/wirings/queue/validate-worker-config.ts +0 -116
  176. package/src/wirings/rpc/index.ts +0 -4
  177. package/src/wirings/rpc/rpc-runner.ts +0 -460
  178. package/src/wirings/rpc/rpc-types.ts +0 -56
  179. package/src/wirings/rpc/wire-addon.ts +0 -21
  180. package/src/wirings/scheduler/index.ts +0 -11
  181. package/src/wirings/scheduler/log-schedulers.ts +0 -20
  182. package/src/wirings/scheduler/scheduler-runner.test.ts +0 -660
  183. package/src/wirings/scheduler/scheduler-runner.ts +0 -133
  184. package/src/wirings/scheduler/scheduler.types.ts +0 -53
  185. package/src/wirings/secret/index.ts +0 -9
  186. package/src/wirings/secret/secret.types.ts +0 -32
  187. package/src/wirings/secret/validate-secret-definitions.test.ts +0 -140
  188. package/src/wirings/secret/validate-secret-definitions.ts +0 -82
  189. package/src/wirings/trigger/index.ts +0 -10
  190. package/src/wirings/trigger/pikku-trigger-service.ts +0 -112
  191. package/src/wirings/trigger/trigger-runner.test.ts +0 -79
  192. package/src/wirings/trigger/trigger-runner.ts +0 -135
  193. package/src/wirings/trigger/trigger.types.ts +0 -178
  194. package/src/wirings/variable/index.ts +0 -8
  195. package/src/wirings/variable/validate-variable-definitions.test.ts +0 -91
  196. package/src/wirings/variable/validate-variable-definitions.ts +0 -69
  197. package/src/wirings/variable/variable.types.ts +0 -22
  198. package/src/wirings/workflow/dsl/index.ts +0 -31
  199. package/src/wirings/workflow/dsl/workflow-dsl.types.ts +0 -320
  200. package/src/wirings/workflow/dsl/workflow-runner.ts +0 -28
  201. package/src/wirings/workflow/graph/graph-node.ts +0 -222
  202. package/src/wirings/workflow/graph/graph-runner.test.ts +0 -487
  203. package/src/wirings/workflow/graph/graph-runner.ts +0 -816
  204. package/src/wirings/workflow/graph/graph-validation.test.ts +0 -170
  205. package/src/wirings/workflow/graph/graph-validation.ts +0 -237
  206. package/src/wirings/workflow/graph/index.ts +0 -19
  207. package/src/wirings/workflow/graph/template.test.ts +0 -49
  208. package/src/wirings/workflow/graph/template.ts +0 -42
  209. package/src/wirings/workflow/graph/wire-workflow-graph.ts +0 -29
  210. package/src/wirings/workflow/graph/workflow-graph.types.ts +0 -104
  211. package/src/wirings/workflow/index.ts +0 -82
  212. package/src/wirings/workflow/pikku-workflow-service.test.ts +0 -200
  213. package/src/wirings/workflow/pikku-workflow-service.ts +0 -1176
  214. package/src/wirings/workflow/workflow-helpers.test.ts +0 -129
  215. package/src/wirings/workflow/workflow-helpers.ts +0 -79
  216. package/src/wirings/workflow/workflow.types.ts +0 -274
  217. package/tsconfig.json +0 -14
  218. package/tsconfig.tsbuildinfo +0 -1
@@ -1,488 +0,0 @@
1
- import { describe, test, beforeEach } from 'node:test'
2
- import assert from 'node:assert'
3
- import { pikkuRemoteAuthMiddleware } from './remote-auth.js'
4
- import { UnauthorizedError } from '../errors/errors.js'
5
- import { resetPikkuState } from '../pikku-state.js'
6
- import { encryptJSON } from '../crypto-utils.js'
7
-
8
- beforeEach(() => {
9
- resetPikkuState()
10
- })
11
-
12
- const TEST_SECRET = 'test-remote-secret-key'
13
-
14
- const createMockSecrets = (secret?: string) => ({
15
- getSecret: async (key: string) => {
16
- if (key === 'PIKKU_REMOTE_SECRET' && secret !== undefined) {
17
- return secret
18
- }
19
- throw new Error(`Secret ${key} not found`)
20
- },
21
- })
22
-
23
- const createMockJWT = (payload?: any, shouldThrow = false) => ({
24
- decode: async (_token: string) => {
25
- if (shouldThrow) throw new Error('Invalid token')
26
- return payload
27
- },
28
- encode: async () => 'token',
29
- })
30
-
31
- const createMockRequest = (
32
- headers: Record<string, string> = {},
33
- path = '/api/test',
34
- method = 'POST'
35
- ) => ({
36
- header: (name: string) => headers[name.toLowerCase()] || headers[name],
37
- path: () => path,
38
- method: () => method,
39
- })
40
-
41
- describe('pikkuRemoteAuthMiddleware', () => {
42
- test('should call next when no http.request', async () => {
43
- let nextCalled = false
44
- await pikkuRemoteAuthMiddleware(
45
- { secrets: createMockSecrets(TEST_SECRET) } as any,
46
- { http: {} } as any,
47
- async () => {
48
- nextCalled = true
49
- }
50
- )
51
- assert.strictEqual(nextCalled, true)
52
- })
53
-
54
- test('should call next when no secrets service', async () => {
55
- let nextCalled = false
56
- await pikkuRemoteAuthMiddleware(
57
- {} as any,
58
- { http: { request: createMockRequest() } } as any,
59
- async () => {
60
- nextCalled = true
61
- }
62
- )
63
- assert.strictEqual(nextCalled, true)
64
- })
65
-
66
- test('should call next when PIKKU_REMOTE_SECRET not found', async () => {
67
- let nextCalled = false
68
- await pikkuRemoteAuthMiddleware(
69
- { secrets: createMockSecrets() } as any,
70
- { http: { request: createMockRequest() } } as any,
71
- async () => {
72
- nextCalled = true
73
- }
74
- )
75
- assert.strictEqual(nextCalled, true)
76
- })
77
-
78
- test('should throw when PIKKU_REMOTE_SECRET set but no jwt service', async () => {
79
- await assert.rejects(
80
- () =>
81
- pikkuRemoteAuthMiddleware(
82
- { secrets: createMockSecrets(TEST_SECRET) } as any,
83
- { http: { request: createMockRequest() } } as any,
84
- async () => {}
85
- ),
86
- { message: 'PIKKU_REMOTE_SECRET set but JWT service missing' }
87
- )
88
- })
89
-
90
- test('should throw UnauthorizedError when no authorization header', async () => {
91
- await assert.rejects(
92
- () =>
93
- pikkuRemoteAuthMiddleware(
94
- {
95
- secrets: createMockSecrets(TEST_SECRET),
96
- jwt: createMockJWT(),
97
- } as any,
98
- { http: { request: createMockRequest({}) } } as any,
99
- async () => {}
100
- ),
101
- (err: any) => err instanceof UnauthorizedError
102
- )
103
- })
104
-
105
- test('should throw UnauthorizedError for non-Bearer scheme', async () => {
106
- await assert.rejects(
107
- () =>
108
- pikkuRemoteAuthMiddleware(
109
- {
110
- secrets: createMockSecrets(TEST_SECRET),
111
- jwt: createMockJWT(),
112
- } as any,
113
- {
114
- http: {
115
- request: createMockRequest({ authorization: 'Basic abc123' }),
116
- },
117
- } as any,
118
- async () => {}
119
- ),
120
- (err: any) => err instanceof UnauthorizedError
121
- )
122
- })
123
-
124
- test('should throw UnauthorizedError when Bearer has no token', async () => {
125
- await assert.rejects(
126
- () =>
127
- pikkuRemoteAuthMiddleware(
128
- {
129
- secrets: createMockSecrets(TEST_SECRET),
130
- jwt: createMockJWT(),
131
- } as any,
132
- {
133
- http: { request: createMockRequest({ authorization: 'Bearer' }) },
134
- } as any,
135
- async () => {}
136
- ),
137
- (err: any) => err instanceof UnauthorizedError
138
- )
139
- })
140
-
141
- test('should throw UnauthorizedError when JWT decode fails', async () => {
142
- await assert.rejects(
143
- () =>
144
- pikkuRemoteAuthMiddleware(
145
- {
146
- secrets: createMockSecrets(TEST_SECRET),
147
- jwt: createMockJWT(null, true),
148
- } as any,
149
- {
150
- http: {
151
- request: createMockRequest({
152
- authorization: 'Bearer valid-token',
153
- }),
154
- },
155
- } as any,
156
- async () => {}
157
- ),
158
- (err: any) => err instanceof UnauthorizedError
159
- )
160
- })
161
-
162
- test('should throw UnauthorizedError when audience is not pikku-remote', async () => {
163
- await assert.rejects(
164
- () =>
165
- pikkuRemoteAuthMiddleware(
166
- {
167
- secrets: createMockSecrets(TEST_SECRET),
168
- jwt: createMockJWT({ aud: 'wrong-audience' }),
169
- } as any,
170
- {
171
- http: {
172
- request: createMockRequest({
173
- authorization: 'Bearer valid-token',
174
- }),
175
- },
176
- } as any,
177
- async () => {}
178
- ),
179
- (err: any) => err instanceof UnauthorizedError
180
- )
181
- })
182
-
183
- test('should throw UnauthorizedError when audience is missing', async () => {
184
- await assert.rejects(
185
- () =>
186
- pikkuRemoteAuthMiddleware(
187
- {
188
- secrets: createMockSecrets(TEST_SECRET),
189
- jwt: createMockJWT({}),
190
- } as any,
191
- {
192
- http: {
193
- request: createMockRequest({
194
- authorization: 'Bearer valid-token',
195
- }),
196
- },
197
- } as any,
198
- async () => {}
199
- ),
200
- (err: any) => err instanceof UnauthorizedError
201
- )
202
- })
203
-
204
- test('should call next for valid token with correct audience', async () => {
205
- let nextCalled = false
206
- await pikkuRemoteAuthMiddleware(
207
- {
208
- secrets: createMockSecrets(TEST_SECRET),
209
- jwt: createMockJWT({ aud: 'pikku-remote' }),
210
- } as any,
211
- {
212
- http: {
213
- request: createMockRequest({ authorization: 'Bearer valid-token' }),
214
- },
215
- } as any,
216
- async () => {
217
- nextCalled = true
218
- }
219
- )
220
- assert.strictEqual(nextCalled, true)
221
- })
222
-
223
- test('should accept Authorization header (capitalized)', async () => {
224
- let nextCalled = false
225
- await pikkuRemoteAuthMiddleware(
226
- {
227
- secrets: createMockSecrets(TEST_SECRET),
228
- jwt: createMockJWT({ aud: 'pikku-remote' }),
229
- } as any,
230
- {
231
- http: {
232
- request: createMockRequest({ Authorization: 'Bearer valid-token' }),
233
- },
234
- } as any,
235
- async () => {
236
- nextCalled = true
237
- }
238
- )
239
- assert.strictEqual(nextCalled, true)
240
- })
241
-
242
- describe('RPC function authorization', () => {
243
- test('should throw UnauthorizedError when token fn does not match requested function', async () => {
244
- await assert.rejects(
245
- () =>
246
- pikkuRemoteAuthMiddleware(
247
- {
248
- secrets: createMockSecrets(TEST_SECRET),
249
- jwt: createMockJWT({ aud: 'pikku-remote', fn: 'allowedFunc' }),
250
- } as any,
251
- {
252
- http: {
253
- request: createMockRequest(
254
- { authorization: 'Bearer valid-token' },
255
- '/rpc/otherFunc'
256
- ),
257
- },
258
- } as any,
259
- async () => {}
260
- ),
261
- (err: any) => err instanceof UnauthorizedError
262
- )
263
- })
264
-
265
- test('should allow when token fn matches requested function', async () => {
266
- let nextCalled = false
267
- await pikkuRemoteAuthMiddleware(
268
- {
269
- secrets: createMockSecrets(TEST_SECRET),
270
- jwt: createMockJWT({ aud: 'pikku-remote', fn: 'myFunc' }),
271
- } as any,
272
- {
273
- http: {
274
- request: createMockRequest(
275
- { authorization: 'Bearer valid-token' },
276
- '/rpc/myFunc'
277
- ),
278
- },
279
- } as any,
280
- async () => {
281
- nextCalled = true
282
- }
283
- )
284
- assert.strictEqual(nextCalled, true)
285
- })
286
-
287
- test('should allow any RPC call when token has no fn claim', async () => {
288
- let nextCalled = false
289
- await pikkuRemoteAuthMiddleware(
290
- {
291
- secrets: createMockSecrets(TEST_SECRET),
292
- jwt: createMockJWT({ aud: 'pikku-remote' }),
293
- } as any,
294
- {
295
- http: {
296
- request: createMockRequest(
297
- { authorization: 'Bearer valid-token' },
298
- '/rpc/anyFunc'
299
- ),
300
- },
301
- } as any,
302
- async () => {
303
- nextCalled = true
304
- }
305
- )
306
- assert.strictEqual(nextCalled, true)
307
- })
308
-
309
- test('should skip fn check for non-RPC paths even if fn in token', async () => {
310
- let nextCalled = false
311
- await pikkuRemoteAuthMiddleware(
312
- {
313
- secrets: createMockSecrets(TEST_SECRET),
314
- jwt: createMockJWT({ aud: 'pikku-remote', fn: 'someFunc' }),
315
- } as any,
316
- {
317
- http: {
318
- request: createMockRequest(
319
- { authorization: 'Bearer valid-token' },
320
- '/api/other'
321
- ),
322
- },
323
- } as any,
324
- async () => {
325
- nextCalled = true
326
- }
327
- )
328
- assert.strictEqual(nextCalled, true)
329
- })
330
-
331
- test('should handle URI-encoded function names', async () => {
332
- let nextCalled = false
333
- await pikkuRemoteAuthMiddleware(
334
- {
335
- secrets: createMockSecrets(TEST_SECRET),
336
- jwt: createMockJWT({ aud: 'pikku-remote', fn: 'my func' }),
337
- } as any,
338
- {
339
- http: {
340
- request: createMockRequest(
341
- { authorization: 'Bearer valid-token' },
342
- '/rpc/my%20func'
343
- ),
344
- },
345
- } as any,
346
- async () => {
347
- nextCalled = true
348
- }
349
- )
350
- assert.strictEqual(nextCalled, true)
351
- })
352
- })
353
-
354
- describe('session decryption', () => {
355
- test('should decrypt and set session when payload.session exists', async () => {
356
- const sessionData = { userId: 'user-1', role: 'admin' }
357
- const encryptedSession = await encryptJSON(TEST_SECRET, {
358
- session: sessionData,
359
- })
360
- let receivedSession: any
361
-
362
- await pikkuRemoteAuthMiddleware(
363
- {
364
- secrets: createMockSecrets(TEST_SECRET),
365
- jwt: createMockJWT({
366
- aud: 'pikku-remote',
367
- session: encryptedSession,
368
- }),
369
- } as any,
370
- {
371
- http: {
372
- request: createMockRequest({ authorization: 'Bearer valid-token' }),
373
- },
374
- setSession: async (session: any) => {
375
- receivedSession = session
376
- },
377
- } as any,
378
- async () => {}
379
- )
380
-
381
- assert.deepStrictEqual(receivedSession, sessionData)
382
- })
383
-
384
- test('should throw UnauthorizedError when session decryption fails', async () => {
385
- await assert.rejects(
386
- () =>
387
- pikkuRemoteAuthMiddleware(
388
- {
389
- secrets: createMockSecrets(TEST_SECRET),
390
- jwt: createMockJWT({
391
- aud: 'pikku-remote',
392
- session: 'invalid-encrypted-data',
393
- }),
394
- } as any,
395
- {
396
- http: {
397
- request: createMockRequest({
398
- authorization: 'Bearer valid-token',
399
- }),
400
- },
401
- setSession: async () => {},
402
- } as any,
403
- async () => {}
404
- ),
405
- (err: any) => err instanceof UnauthorizedError
406
- )
407
- })
408
-
409
- test('should skip setSession when setSession is not available', async () => {
410
- const encryptedSession = await encryptJSON(TEST_SECRET, {
411
- session: { userId: 'u1' },
412
- })
413
- let nextCalled = false
414
-
415
- await pikkuRemoteAuthMiddleware(
416
- {
417
- secrets: createMockSecrets(TEST_SECRET),
418
- jwt: createMockJWT({
419
- aud: 'pikku-remote',
420
- session: encryptedSession,
421
- }),
422
- } as any,
423
- {
424
- http: {
425
- request: createMockRequest({ authorization: 'Bearer valid-token' }),
426
- },
427
- } as any,
428
- async () => {
429
- nextCalled = true
430
- }
431
- )
432
-
433
- assert.strictEqual(nextCalled, true)
434
- })
435
-
436
- test('should skip setSession when decrypted.session is falsy', async () => {
437
- const encryptedSession = await encryptJSON(TEST_SECRET, { session: null })
438
- let setSessionCalled = false
439
-
440
- await pikkuRemoteAuthMiddleware(
441
- {
442
- secrets: createMockSecrets(TEST_SECRET),
443
- jwt: createMockJWT({
444
- aud: 'pikku-remote',
445
- session: encryptedSession,
446
- }),
447
- } as any,
448
- {
449
- http: {
450
- request: createMockRequest({ authorization: 'Bearer valid-token' }),
451
- },
452
- setSession: async () => {
453
- setSessionCalled = true
454
- },
455
- } as any,
456
- async () => {}
457
- )
458
-
459
- assert.strictEqual(setSessionCalled, false)
460
- })
461
-
462
- test('should not call setSession when no session in payload', async () => {
463
- let setSessionCalled = false
464
- let nextCalled = false
465
-
466
- await pikkuRemoteAuthMiddleware(
467
- {
468
- secrets: createMockSecrets(TEST_SECRET),
469
- jwt: createMockJWT({ aud: 'pikku-remote' }),
470
- } as any,
471
- {
472
- http: {
473
- request: createMockRequest({ authorization: 'Bearer valid-token' }),
474
- },
475
- setSession: async () => {
476
- setSessionCalled = true
477
- },
478
- } as any,
479
- async () => {
480
- nextCalled = true
481
- }
482
- )
483
-
484
- assert.strictEqual(setSessionCalled, false)
485
- assert.strictEqual(nextCalled, true)
486
- })
487
- })
488
- })
@@ -1,68 +0,0 @@
1
- import { UnauthorizedError } from '../errors/errors.js'
2
- import { pikkuMiddleware } from '../types/core.types.js'
3
- import { decryptJSON } from '../crypto-utils.js'
4
-
5
- export const pikkuRemoteAuthMiddleware = pikkuMiddleware(
6
- async ({ secrets, jwt }, { http, setSession }, next) => {
7
- if (!http?.request || !secrets) {
8
- return next()
9
- }
10
-
11
- let secret: string
12
- try {
13
- secret = await secrets.getSecret('PIKKU_REMOTE_SECRET')
14
- } catch {
15
- return next()
16
- }
17
- if (!jwt) {
18
- throw new Error('PIKKU_REMOTE_SECRET set but JWT service missing')
19
- }
20
-
21
- const authHeader =
22
- http.request.header('authorization') ||
23
- http.request.header('Authorization')
24
-
25
- if (!authHeader) {
26
- throw new UnauthorizedError()
27
- }
28
-
29
- const [scheme, token] = authHeader.split(' ')
30
- if (scheme !== 'Bearer' || !token) {
31
- throw new UnauthorizedError()
32
- }
33
-
34
- let payload: any
35
- try {
36
- payload = await jwt.decode(token)
37
- } catch {
38
- throw new UnauthorizedError()
39
- }
40
-
41
- if (payload?.aud !== 'pikku-remote') {
42
- throw new UnauthorizedError()
43
- }
44
-
45
- if (payload?.fn && http.request.path().startsWith('/rpc/')) {
46
- const fn = decodeURIComponent(http.request.path().slice('/rpc/'.length))
47
- if (fn && payload.fn !== fn) {
48
- throw new UnauthorizedError()
49
- }
50
- }
51
-
52
- if (payload?.session) {
53
- try {
54
- const decrypted = await decryptJSON<{ session?: unknown }>(
55
- secret,
56
- payload.session
57
- )
58
- if (decrypted?.session && setSession) {
59
- await setSession(decrypted.session)
60
- }
61
- } catch {
62
- throw new UnauthorizedError()
63
- }
64
- }
65
-
66
- return next()
67
- }
68
- )
@@ -1,15 +0,0 @@
1
- import { RequestTimeoutError } from '../errors/errors.js'
2
- import { pikkuMiddleware, pikkuMiddlewareFactory } from '../types/core.types.js'
3
-
4
- export const timeout = () =>
5
- pikkuMiddlewareFactory<{ timeout: number }>(({ timeout }) =>
6
- pikkuMiddleware(async (_services, _wire, next) => {
7
- const timeoutId = setTimeout(() => {
8
- throw new RequestTimeoutError()
9
- }, timeout)
10
-
11
- await next()
12
-
13
- clearTimeout(timeoutId)
14
- })
15
- )