@promptbook/cli 0.112.0-101 → 0.112.0-103

package/apps/agents-server/src/app/api/auth/shibboleth/acs/route.ts

@@ -1,92 +1,112 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { setSession } from '../../../../../utils/session';
+import { revalidatePath } from 'next/cache';
+import { NextResponse } from 'next/server';
 import {
-    createShibbolethProfileLogDetails,
     createShibbolethSamlClient,
-    loadShibbolethConfiguration,
-    logShibbolethAuthenticationEvent,
-    resolveSafeShibbolethRelayState,
-    resolveShibbolethUser,
-    ShibbolethConfigurationError,
+    findOrCreateShibbolethUser,
+    getShibbolethRequestDetails,
+    recordShibbolethAuthenticationAttempt,
+    resolveShibbolethAuthenticationConfiguration,
+    sanitizeShibbolethRelayState,
 } from '../../../../../utils/shibbolethAuthentication';
-
-/**
- * Forces this route to run in Node.js because node-saml depends on Node crypto/zlib APIs.
- */
-export const runtime = 'nodejs';
+import { setSession } from '../../../../../utils/session';
 
 /**
  * Handles post.
  */
-export async function POST(request: NextRequest) {
-    const configuration = await loadShibbolethConfiguration(request);
-
-    if (!configuration.isEnabled) {
-        logShibbolethAuthenticationEvent('acs_rejected_disabled');
-        return NextResponse.json({ error: 'Shibboleth authentication is not enabled.' }, { status: 404 });
-    }
-
-    if (!configuration.isConfigured) {
-        const error = new ShibbolethConfigurationError(configuration.missingConfiguration);
-        logShibbolethAuthenticationEvent('acs_rejected_incomplete_configuration', {
-            missingConfiguration: configuration.missingConfiguration,
-        });
-        return NextResponse.json({ error: error.message }, { status: 503 });
-    }
+export async function POST(request: Request) {
+    const requestDetails = getShibbolethRequestDetails(request);
+    let relayState = '/';
 
     try {
         const formData = await request.formData();
         const samlResponse = formData.get('SAMLResponse');
-        const relayState = resolveSafeShibbolethRelayState(
-            typeof formData.get('RelayState') === 'string' ? String(formData.get('RelayState')) : null,
-        );
+        relayState = sanitizeShibbolethRelayState(formData.get('RelayState')?.toString());
 
-        if (typeof samlResponse !== 'string' || samlResponse.trim() === '') {
-            logShibbolethAuthenticationEvent('acs_rejected_missing_saml_response');
+        if (typeof samlResponse !== 'string' || !samlResponse) {
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'ASSERTION_CONSUMER_SERVICE',
+                status: 'FAILED',
+                requestDetails,
+                relayState,
+                errorMessage: 'Missing SAMLResponse.',
+            });
             return NextResponse.json({ error: 'Missing SAMLResponse.' }, { status: 400 });
         }
 
-        logShibbolethAuthenticationEvent('acs_response_received', {
-            relayState,
-            responseLength: samlResponse.length,
+        const configuration = await resolveShibbolethAuthenticationConfiguration({
+            requestUrl: request.url,
+            isIdentityProviderMetadataValidationEnabled: true,
         });
 
+        if (!configuration.isActive) {
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'ASSERTION_CONSUMER_SERVICE',
+                status: 'REJECTED',
+                requestDetails,
+                relayState,
+                errorMessage: 'Shibboleth authentication is not active.',
+            });
+            return NextResponse.json({ error: 'Shibboleth authentication is not active.' }, { status: 404 });
+        }
+
+        if (!configuration.isConfigured) {
+            const errorMessage = configuration.errors.join(' ');
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'ASSERTION_CONSUMER_SERVICE',
+                status: 'FAILED',
+                requestDetails,
+                relayState,
+                errorMessage,
+            });
+            return NextResponse.json({ error: errorMessage }, { status: 503 });
+        }
+
         const saml = createShibbolethSamlClient(configuration);
-        const { profile } = await saml.validatePostResponseAsync({
-            SAMLResponse: samlResponse,
-            RelayState: relayState,
-        });
+        const { profile } = await saml.validatePostResponseAsync({ SAMLResponse: samlResponse });
 
         if (!profile) {
-            logShibbolethAuthenticationEvent('acs_rejected_empty_profile');
-            return NextResponse.json({ error: 'Shibboleth did not return a user profile.' }, { status: 401 });
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'ASSERTION_CONSUMER_SERVICE',
+                status: 'FAILED',
+                requestDetails,
+                relayState,
+                errorMessage: 'Shibboleth response did not include a user profile.',
+            });
+            return NextResponse.json({ error: 'Shibboleth response did not include a user profile.' }, { status: 401 });
         }
 
-        logShibbolethAuthenticationEvent(
-            'acs_profile_validated',
-            createShibbolethProfileLogDetails(profile, configuration.usernameAttribute),
-        );
-
-        const user = await resolveShibbolethUser(profile, configuration);
+        const linkedUser = await findOrCreateShibbolethUser(profile);
         await setSession({
-            username: user.username,
-            isAdmin: user.isAdmin,
+            username: linkedUser.user.username,
+            isAdmin: linkedUser.user.isAdmin,
             isGlobalAdmin: false,
         });
+        revalidatePath('/', 'layout');
 
-        logShibbolethAuthenticationEvent('acs_session_created', {
-            username: user.username,
-            isAdmin: user.isAdmin,
-            isNewUser: user.isNewUser,
+        await recordShibbolethAuthenticationAttempt({
+            stage: 'ASSERTION_CONSUMER_SERVICE',
+            status: 'SUCCESS',
+            requestDetails,
             relayState,
+            userId: linkedUser.user.id,
+            email: linkedUser.profileAttributes.email,
+            displayName: linkedUser.profileAttributes.displayName,
+            nameId: linkedUser.profileAttributes.nameId,
+            rawAttributes: linkedUser.profileAttributes.rawAttributes,
         });
 
         return NextResponse.redirect(new URL(relayState, request.url), 303);
     } catch (error) {
-        logShibbolethAuthenticationEvent('acs_failed', {
-            error: error instanceof Error ? error.message : String(error),
+        const errorMessage = error instanceof Error ? error.message : 'Failed to finish Shibboleth authentication.';
+        await recordShibbolethAuthenticationAttempt({
+            stage: 'ASSERTION_CONSUMER_SERVICE',
+            status: 'FAILED',
+            requestDetails,
+            relayState,
+            errorMessage,
         });
 
-        return NextResponse.json({ error: 'Shibboleth authentication failed.' }, { status: 401 });
+        console.error('Shibboleth assertion consumer service error:', error);
+        return NextResponse.json({ error: errorMessage }, { status: 401 });
     }
 }

package/apps/agents-server/src/app/api/auth/shibboleth/login/route.ts

@@ -1,46 +1,70 @@
-import { NextRequest, NextResponse } from 'next/server';
+import { NextResponse } from 'next/server';
 import {
     createShibbolethSamlClient,
-    loadShibbolethConfiguration,
-    logShibbolethAuthenticationEvent,
-    resolveSafeShibbolethRelayState,
-    ShibbolethConfigurationError,
+    getShibbolethRequestDetails,
+    recordShibbolethAuthenticationAttempt,
+    resolveShibbolethAuthenticationConfiguration,
+    sanitizeShibbolethRelayState,
 } from '../../../../../utils/shibbolethAuthentication';
 
-/**
- * Forces this route to run in Node.js because node-saml depends on Node crypto/zlib APIs.
- */
-export const runtime = 'nodejs';
-
 /**
  * Handles get.
  */
-export async function GET(request: NextRequest) {
-    const configuration = await loadShibbolethConfiguration(request);
+export async function GET(request: Request) {
+    const requestDetails = getShibbolethRequestDetails(request);
+    const relayState = sanitizeShibbolethRelayState(new URL(request.url).searchParams.get('returnTo'));
 
-    if (!configuration.isEnabled) {
-        logShibbolethAuthenticationEvent('login_rejected_disabled');
-        return NextResponse.json({ error: 'Shibboleth authentication is not enabled.' }, { status: 404 });
-    }
-
-    if (!configuration.isConfigured) {
-        const error = new ShibbolethConfigurationError(configuration.missingConfiguration);
-        logShibbolethAuthenticationEvent('login_rejected_incomplete_configuration', {
-            missingConfiguration: configuration.missingConfiguration,
+    try {
+        const configuration = await resolveShibbolethAuthenticationConfiguration({
+            requestUrl: request.url,
+            isIdentityProviderMetadataValidationEnabled: true,
         });
-        return NextResponse.json({ error: error.message }, { status: 503 });
-    }
 
-    const relayState = resolveSafeShibbolethRelayState(request.nextUrl.searchParams.get('redirectTo'));
-    const saml = createShibbolethSamlClient(configuration);
-    const redirectUrl = await saml.getAuthorizeUrlAsync(relayState, undefined, {});
+        if (!configuration.isActive) {
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'LOGIN_REQUEST',
+                status: 'REJECTED',
+                requestDetails,
+                relayState,
+                errorMessage: 'Shibboleth authentication is not active.',
+            });
+            return NextResponse.json({ error: 'Shibboleth authentication is not active.' }, { status: 404 });
+        }
 
-    logShibbolethAuthenticationEvent('login_redirect_created', {
-        issuer: configuration.issuer,
-        callbackUrl: configuration.callbackUrl,
-        entryPoint: configuration.entryPoint,
-        relayState,
-    });
+        if (!configuration.isConfigured) {
+            const errorMessage = configuration.errors.join(' ');
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'LOGIN_REQUEST',
+                status: 'FAILED',
+                requestDetails,
+                relayState,
+                errorMessage,
+            });
+            return NextResponse.json({ error: errorMessage }, { status: 503 });
+        }
 
-    return NextResponse.redirect(redirectUrl);
+        const saml = createShibbolethSamlClient(configuration);
+        const authorizeUrl = await saml.getAuthorizeUrlAsync(relayState, undefined, {});
+
+        await recordShibbolethAuthenticationAttempt({
+            stage: 'LOGIN_REQUEST',
+            status: 'REDIRECTED',
+            requestDetails,
+            relayState,
+        });
+
+        return NextResponse.redirect(authorizeUrl);
+    } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Failed to start Shibboleth authentication.';
+        await recordShibbolethAuthenticationAttempt({
+            stage: 'LOGIN_REQUEST',
+            status: 'FAILED',
+            requestDetails,
+            relayState,
+            errorMessage,
+        });
+
+        console.error('Shibboleth login start error:', error);
+        return NextResponse.json({ error: errorMessage }, { status: 500 });
+    }
 }

package/apps/agents-server/src/app/api/auth/shibboleth/metadata/route.ts

@@ -1,40 +1,15 @@
-import { NextRequest, NextResponse } from 'next/server';
-import {
-    createShibbolethServiceProviderMetadata,
-    loadShibbolethConfiguration,
-    logShibbolethAuthenticationEvent,
-} from '../../../../../utils/shibbolethAuthentication';
-
-/**
- * Forces this route to run in Node.js because node-saml metadata generation depends on Node APIs.
- */
-export const runtime = 'nodejs';
+import { NextResponse } from 'next/server';
+import { createShibbolethServiceProviderMetadataXml } from '../../../../../utils/shibbolethAuthentication';
 
 /**
  * Handles get.
  */
-export async function GET(request: NextRequest) {
-    const configuration = await loadShibbolethConfiguration(request);
-
-    if (!configuration.isEnabled || !configuration.issuer || !configuration.callbackUrl) {
-        logShibbolethAuthenticationEvent('metadata_rejected_disabled');
-        return NextResponse.json({ error: 'Shibboleth authentication is not enabled.' }, { status: 404 });
-    }
-
-    const metadataXml = createShibbolethServiceProviderMetadata({
-        issuer: configuration.issuer,
-        callbackUrl: configuration.callbackUrl,
-    });
-
-    logShibbolethAuthenticationEvent('metadata_served', {
-        issuer: configuration.issuer,
-        callbackUrl: configuration.callbackUrl,
-    });
+export async function GET(request: Request) {
+    const metadataXml = await createShibbolethServiceProviderMetadataXml(request.url);
 
     return new NextResponse(metadataXml, {
         headers: {
             'Content-Type': 'application/samlmetadata+xml; charset=utf-8',
-            'Cache-Control': 'no-store',
         },
     });
 }

package/apps/agents-server/src/app/api/auth/shibboleth/status/route.ts

@@ -0,0 +1,17 @@
+import { NextResponse } from 'next/server';
+import { resolveShibbolethAuthenticationConfiguration } from '../../../../../utils/shibbolethAuthentication';
+
+/**
+ * Handles get.
+ */
+export async function GET(request: Request) {
+    const configuration = await resolveShibbolethAuthenticationConfiguration({
+        requestUrl: request.url,
+        isIdentityProviderMetadataValidationEnabled: false,
+    });
+
+    return NextResponse.json({
+        isActive: configuration.isActive,
+        isConfigured: configuration.isConfigured,
+    });
+}