@qwickapps/server 1.3.1 → 1.5.0

package/src/plugins/auth/env-config.ts

@@ -11,6 +11,7 @@ import type { Request, Response } from 'express';
 import type { Plugin, PluginConfig, PluginRegistry } from '../../core/plugin-registry.js';
 import type {
   AuthPluginConfig,
+  AuthAdapter,
   Auth0AdapterConfig,
   SupabaseAdapterConfig,
   SupertokensAdapterConfig,
@@ -18,12 +19,19 @@ import type {
   AuthEnvPluginOptions,
   AuthConfigStatus,
   AuthPluginState,
+  AuthAdapterType,
+  RuntimeAuthConfig,
+  UpdateAuthConfigRequest,
+  TestProviderRequest,
+  TestProviderResponse,
+  AuthConfigStore,
 } from './types.js';
 import { createAuthPlugin } from './auth-plugin.js';
 import { auth0Adapter } from './adapters/auth0-adapter.js';
 import { supabaseAdapter } from './adapters/supabase-adapter.js';
 import { supertokensAdapter } from './adapters/supertokens-adapter.js';
 import { basicAdapter } from './adapters/basic-adapter.js';
+import { createAdapterWrapper, type AdapterWrapper } from './adapter-wrapper.js';
 
 // ═══════════════════════════════════════════════════════════════════════════
 // Module State
@@ -34,6 +42,15 @@ let currentStatus: AuthConfigStatus = {
   adapter: null,
 };
 
+// Runtime configuration store (PostgreSQL-backed)
+let configStore: AuthConfigStore | null = null;
+
+// Adapter wrapper for hot-reload support
+let adapterWrapper: AdapterWrapper | null = null;
+
+// Unsubscribe function for config change listener
+let configUnsubscribe: (() => void) | null = null;
+
 // ═══════════════════════════════════════════════════════════════════════════
 // Environment Variable Helpers
 // ═══════════════════════════════════════════════════════════════════════════
@@ -476,32 +493,324 @@ function getMaskedConfig(adapter: AdapterName): Record<string, string> {
  * Register config API routes
  */
 function registerConfigRoutes(registry: PluginRegistry): void {
-  // GET /api/auth/config/status - Get current auth status
+  // GET /auth/config/status - Get current auth status
   registry.addRoute({
     method: 'get',
-    path: '/api/auth/config/status',
+    path: '/auth/config/status',
     pluginId: 'auth',
     handler: (_req: Request, res: Response) => {
       res.json(getAuthStatus());
     },
   });
 
-  // GET /api/auth/config - Get current configuration (masked)
+  // GET /auth/config - Get current configuration (masked)
   registry.addRoute({
     method: 'get',
-    path: '/api/auth/config',
+    path: '/auth/config',
     pluginId: 'auth',
-    handler: (_req: Request, res: Response) => {
+    handler: async (_req: Request, res: Response) => {
       const status = getAuthStatus();
-      res.json({
+      const response: Record<string, unknown> = {
         state: status.state,
         adapter: status.adapter,
         config: status.config || {},
         error: status.error,
         missingVars: status.missingVars,
-      });
+      };
+
+      // Include runtime config if available from store
+      if (configStore) {
+        try {
+          const runtimeConfig = await configStore.load();
+          if (runtimeConfig) {
+            response.runtimeConfig = runtimeConfig;
+          }
+        } catch (err) {
+          console.error('[AuthPlugin] Failed to load runtime config:', err);
+        }
+      }
+
+      res.json(response);
+    },
+  });
+
+  // PUT /auth/config - Save new configuration
+  registry.addRoute({
+    method: 'put',
+    path: '/auth/config',
+    pluginId: 'auth',
+    handler: async (req: Request, res: Response) => {
+      try {
+        // Check if config store is available
+        if (!configStore) {
+          return res.status(503).json({
+            error: 'Configuration store not available',
+            message: 'Runtime configuration requires a config store (PostgreSQL)',
+          });
+        }
+
+        // Parse and validate request body
+        const body = req.body as UpdateAuthConfigRequest;
+        if (!body || !body.adapter) {
+          return res.status(400).json({
+            error: 'Invalid request',
+            message: 'Request body must include adapter type',
+          });
+        }
+
+        // Validate adapter type
+        if (!VALID_ADAPTERS.includes(body.adapter as AdapterName)) {
+          return res.status(400).json({
+            error: 'Invalid adapter',
+            message: `Valid adapters: ${VALID_ADAPTERS.join(', ')}`,
+          });
+        }
+
+        // Validate adapter config
+        const validation = validateAdapterConfig(body.adapter, body.config || {});
+        if (!validation.valid) {
+          return res.status(400).json({
+            error: 'Invalid configuration',
+            message: validation.errors.join(', '),
+            errors: validation.errors,
+          });
+        }
+
+        // Build runtime config
+        const runtimeConfig: RuntimeAuthConfig = {
+          adapter: body.adapter,
+          config: {
+            [body.adapter]: body.config,
+          } as RuntimeAuthConfig['config'],
+          settings: body.settings || {},
+          updatedAt: new Date().toISOString(),
+        };
+
+        // Save to store
+        await configStore.save(runtimeConfig);
+
+        // Apply config immediately (hot-reload)
+        if (adapterWrapper) {
+          const adapter = createAdapterFromConfig(body.adapter, runtimeConfig.config);
+          if (adapter) {
+            await adapterWrapper.setAdapter(adapter);
+          }
+        }
+
+        // Update status
+        currentStatus = {
+          state: 'enabled',
+          adapter: body.adapter,
+          config: getMaskedRuntimeConfig(runtimeConfig),
+        };
+
+        res.json({
+          success: true,
+          status: getAuthStatus(),
+        });
+      } catch (error) {
+        console.error('[AuthPlugin] Failed to save config:', error);
+        res.status(500).json({
+          error: 'Failed to save configuration',
+          message: error instanceof Error ? error.message : 'Unknown error',
+        });
+      }
     },
   });
+
+  // DELETE /auth/config - Revert to environment variables
+  registry.addRoute({
+    method: 'delete',
+    path: '/auth/config',
+    pluginId: 'auth',
+    handler: async (_req: Request, res: Response) => {
+      try {
+        // Check if config store is available
+        if (!configStore) {
+          return res.status(503).json({
+            error: 'Configuration store not available',
+            message: 'Runtime configuration requires a config store (PostgreSQL)',
+          });
+        }
+
+        // Delete from store
+        await configStore.delete();
+
+        // Revert to env vars
+        const adapterName = getEnv('AUTH_ADAPTER')?.toLowerCase() as AdapterName | undefined;
+        if (adapterName && VALID_ADAPTERS.includes(adapterName)) {
+          const parseResult = getParseResultForAdapter(adapterName);
+          if (parseResult.config && adapterWrapper) {
+            const adapter = createAdapterForName(adapterName, parseResult.config);
+            await adapterWrapper.setAdapter(adapter);
+            currentStatus = {
+              state: 'enabled',
+              adapter: adapterName,
+              config: getMaskedConfig(adapterName),
+            };
+          } else if (parseResult.errors.length > 0) {
+            currentStatus = {
+              state: 'error',
+              adapter: adapterName,
+              error: `Missing env vars: ${parseResult.errors.join(', ')}`,
+              missingVars: parseResult.errors,
+            };
+          }
+        } else {
+          currentStatus = {
+            state: 'disabled',
+            adapter: null,
+          };
+        }
+
+        res.json({
+          success: true,
+          status: getAuthStatus(),
+        });
+      } catch (error) {
+        console.error('[AuthPlugin] Failed to delete config:', error);
+        res.status(500).json({
+          error: 'Failed to delete configuration',
+          message: error instanceof Error ? error.message : 'Unknown error',
+        });
+      }
+    },
+  });
+
+  // POST /auth/test-provider - Test provider connection
+  registry.addRoute({
+    method: 'post',
+    path: '/auth/test-provider',
+    pluginId: 'auth',
+    handler: async (req: Request, res: Response) => {
+      try {
+        const body = req.body as TestProviderRequest;
+        if (!body || !body.adapter) {
+          return res.status(400).json({
+            error: 'Invalid request',
+            message: 'Request body must include adapter type',
+          });
+        }
+
+        // Validate adapter type
+        if (!VALID_ADAPTERS.includes(body.adapter as AdapterName)) {
+          return res.status(400).json({
+            error: 'Invalid adapter',
+            message: `Valid adapters: ${VALID_ADAPTERS.join(', ')}`,
+          });
+        }
+
+        // Test the connection
+        const result = await testProviderConnection(body.adapter, body.config || {});
+        res.json(result);
+      } catch (error) {
+        console.error('[AuthPlugin] Test provider error:', error);
+        res.status(500).json({
+          success: false,
+          message: error instanceof Error ? error.message : 'Unknown error',
+        });
+      }
+    },
+  });
+
+  // POST /auth/test-current - Test current auth configuration (env-based or runtime)
+  registry.addRoute({
+    method: 'post',
+    path: '/auth/test-current',
+    pluginId: 'auth',
+    handler: async (_req: Request, res: Response) => {
+      try {
+        const status = getAuthStatus();
+
+        if (status.state !== 'enabled' || !status.adapter) {
+          return res.status(400).json({
+            success: false,
+            message: 'No active auth configuration to test',
+          });
+        }
+
+        // Get the current configuration from env vars
+        const adapterName = status.adapter as AdapterName;
+        const parseResult = getParseResultForAdapter(adapterName);
+
+        if (parseResult.errors.length > 0) {
+          return res.json({
+            success: false,
+            message: `Missing configuration: ${parseResult.errors.join(', ')}`,
+          });
+        }
+
+        // Test the connection using the current env-based config
+        // Use JSON round-trip for safe conversion to plain object
+        const configObj = JSON.parse(JSON.stringify(parseResult.config)) as Record<string, unknown>;
+        const result = await testProviderConnection(adapterName, configObj);
+        res.json(result);
+      } catch (error) {
+        console.error('[AuthPlugin] Test current provider error:', error);
+        res.status(500).json({
+          success: false,
+          message: error instanceof Error ? error.message : 'Unknown error',
+        });
+      }
+    },
+  });
+
+  // Register UI menu item for auth configuration
+  registry.addMenuItem({
+    pluginId: 'auth',
+    id: 'auth:sidebar',
+    label: 'Authentication',
+    icon: 'security',
+    route: '/auth',
+    order: 50, // After Entitlements (35)
+  });
+
+  // Register page contribution
+  registry.addPage({
+    pluginId: 'auth',
+    id: 'auth:config-page',
+    route: '/auth',
+    component: 'AuthPage',
+  });
+
+  // Register dashboard widget
+  registry.addWidget({
+    id: 'auth-status',
+    title: 'Authentication',
+    component: 'AuthStatusWidget',
+    priority: 40, // Show before integrations
+    showByDefault: true,
+    pluginId: 'auth',
+  });
+
+  // Register health check for auth provider connection
+  const status = getAuthStatus();
+  if (status.state === 'enabled' && status.adapter) {
+    registry.registerHealthCheck({
+      name: `auth-${status.adapter}`,
+      type: 'custom',
+      check: async () => {
+        const currentStatus = getAuthStatus();
+        if (currentStatus.state !== 'enabled' || !currentStatus.adapter) {
+          return { healthy: false, message: 'Auth not configured' };
+        }
+
+        const adapterName = currentStatus.adapter as AdapterName;
+        const parseResult = getParseResultForAdapter(adapterName);
+        if (parseResult.errors.length > 0) {
+          return { healthy: false, message: `Missing config: ${parseResult.errors.join(', ')}` };
+        }
+
+        const configObj = JSON.parse(JSON.stringify(parseResult.config)) as Record<string, unknown>;
+        const result = await testProviderConnection(adapterName, configObj);
+        return {
+          healthy: result.success,
+          message: result.message,
+          details: result.details,
+        };
+      },
+    });
+  }
 }
 
 // ═══════════════════════════════════════════════════════════════════════════
@@ -554,6 +863,401 @@ function createErrorPlugin(error: string): Plugin {
   };
 }
 
+// ═══════════════════════════════════════════════════════════════════════════
+// Runtime Configuration Support
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Extended options for createAuthPluginFromEnv with runtime config support
+ */
+export interface AuthEnvPluginOptionsExtended extends AuthEnvPluginOptions {
+  /** Configuration store for runtime config persistence */
+  configStore?: AuthConfigStore;
+}
+
+/**
+ * Create an adapter from runtime configuration
+ */
+function createAdapterFromConfig(
+  adapterType: AuthAdapterType,
+  config: RuntimeAuthConfig['config']
+): AuthAdapter | null {
+  switch (adapterType) {
+    case 'supertokens':
+      if (config.supertokens) {
+        return supertokensAdapter(config.supertokens);
+      }
+      break;
+    case 'auth0':
+      if (config.auth0) {
+        return auth0Adapter(config.auth0);
+      }
+      break;
+    case 'supabase':
+      if (config.supabase) {
+        return supabaseAdapter(config.supabase);
+      }
+      break;
+    case 'basic':
+      if (config.basic) {
+        return basicAdapter(config.basic);
+      }
+      break;
+  }
+  return null;
+}
+
+/**
+ * Validate adapter configuration
+ */
+function validateAdapterConfig(
+  adapterType: AuthAdapterType,
+  config: Record<string, unknown>
+): { valid: boolean; errors: string[] } {
+  const errors: string[] = [];
+
+  switch (adapterType) {
+    case 'supertokens':
+      if (!config.connectionUri) errors.push('connectionUri is required');
+      if (!config.appName) errors.push('appName is required');
+      if (!config.apiDomain) errors.push('apiDomain is required');
+      if (!config.websiteDomain) errors.push('websiteDomain is required');
+      break;
+    case 'auth0':
+      if (!config.domain) errors.push('domain is required');
+      if (!config.clientId) errors.push('clientId is required');
+      if (!config.clientSecret) errors.push('clientSecret is required');
+      if (!config.baseUrl) errors.push('baseUrl is required');
+      if (!config.secret) errors.push('secret is required');
+      break;
+    case 'supabase':
+      if (!config.url) errors.push('url is required');
+      if (!config.anonKey) errors.push('anonKey is required');
+      break;
+    case 'basic':
+      if (!config.username) errors.push('username is required');
+      if (!config.password) errors.push('password is required');
+      break;
+  }
+
+  return { valid: errors.length === 0, errors };
+}
+
+/**
+ * Validate a URL for security (prevent SSRF attacks)
+ */
+function validateUrl(urlString: string): URL {
+  const url = new URL(urlString);
+  if (!['http:', 'https:'].includes(url.protocol)) {
+    throw new Error('URL must use http or https protocol');
+  }
+  // Block private/internal IPs (basic SSRF protection)
+  const hostname = url.hostname.toLowerCase();
+  if (
+    hostname === 'localhost' ||
+    hostname === '127.0.0.1' ||
+    hostname === '::1' ||
+    hostname.startsWith('192.168.') ||
+    hostname.startsWith('10.') ||
+    hostname.startsWith('172.') ||
+    hostname.endsWith('.internal') ||
+    hostname.endsWith('.local')
+  ) {
+    // Allow localhost for dev/testing, but log it
+    console.warn(`[AuthPlugin] Testing connection to internal address: ${hostname}`);
+  }
+  return url;
+}
+
+/**
+ * Test a provider connection
+ */
+async function testProviderConnection(
+  adapterType: AuthAdapterType,
+  config: Record<string, unknown>
+): Promise<TestProviderResponse> {
+  const startTime = Date.now();
+
+  try {
+    // Validate config first
+    const validation = validateAdapterConfig(adapterType, config);
+    if (!validation.valid) {
+      return {
+        success: false,
+        message: `Invalid configuration: ${validation.errors.join(', ')}`,
+      };
+    }
+
+    // Test connection based on adapter type
+    switch (adapterType) {
+      case 'supertokens': {
+        // Try to connect to Supertokens core
+        const connectionUri = config.connectionUri as string;
+        validateUrl(connectionUri); // Validate URL before making request
+        const apiKey = config.apiKey as string | undefined;
+
+        const headers: Record<string, string> = {
+          'Content-Type': 'application/json',
+        };
+        if (apiKey) {
+          headers['api-key'] = apiKey;
+        }
+
+        const response = await fetch(`${connectionUri}/apiversion`, { headers });
+        if (!response.ok) {
+          return {
+            success: false,
+            message: `Failed to connect to Supertokens core: ${response.status} ${response.statusText}`,
+          };
+        }
+
+        const data = (await response.json()) as { versions?: string[] };
+        return {
+          success: true,
+          message: 'Successfully connected to Supertokens core',
+          details: {
+            latency: Date.now() - startTime,
+            version: data.versions?.[0],
+          },
+        };
+      }
+
+      case 'auth0': {
+        // Test Auth0 domain is reachable
+        const domain = config.domain as string;
+        const response = await fetch(`https://${domain}/.well-known/openid-configuration`);
+        if (!response.ok) {
+          return {
+            success: false,
+            message: `Failed to connect to Auth0: ${response.status} ${response.statusText}`,
+          };
+        }
+
+        return {
+          success: true,
+          message: 'Successfully connected to Auth0',
+          details: {
+            latency: Date.now() - startTime,
+          },
+        };
+      }
+
+      case 'supabase': {
+        // Test Supabase endpoint
+        const url = config.url as string;
+        validateUrl(url); // Validate URL before making request
+        const anonKey = config.anonKey as string;
+
+        const response = await fetch(`${url}/rest/v1/`, {
+          headers: {
+            apikey: anonKey,
+            Authorization: `Bearer ${anonKey}`,
+          },
+        });
+
+        // Supabase returns 200 even without tables
+        if (!response.ok && response.status !== 404) {
+          return {
+            success: false,
+            message: `Failed to connect to Supabase: ${response.status} ${response.statusText}`,
+          };
+        }
+
+        return {
+          success: true,
+          message: 'Successfully connected to Supabase',
+          details: {
+            latency: Date.now() - startTime,
+          },
+        };
+      }
+
+      case 'basic': {
+        // Basic auth just validates credentials are present
+        return {
+          success: true,
+          message: 'Basic auth configuration is valid',
+          details: {
+            latency: Date.now() - startTime,
+          },
+        };
+      }
+
+      default:
+        return {
+          success: false,
+          message: `Unknown adapter type: ${adapterType}`,
+        };
+    }
+  } catch (error) {
+    // Provide more helpful error messages for common network errors
+    let message = 'Connection test failed';
+    if (error instanceof Error) {
+      const errorWithCause = error as Error & { cause?: Error };
+      if (error.message === 'fetch failed' || errorWithCause.cause) {
+        // Network error - server not reachable
+        const cause = errorWithCause.cause;
+        if (cause?.message?.includes('ECONNREFUSED')) {
+          const uri = adapterType === 'supertokens' ? config.connectionUri :
+                      adapterType === 'supabase' ? config.url :
+                      adapterType === 'auth0' ? `https://${config.domain}` : 'server';
+          message = `Cannot connect to ${adapterType} at ${uri}. Is the server running?`;
+        } else {
+          message = `Network error: Unable to reach the ${adapterType} server. Check if it's running and accessible.`;
+        }
+      } else {
+        message = `Connection test failed: ${error.message}`;
+      }
+    }
+    return {
+      success: false,
+      message,
+    };
+  }
+}
+
+/**
+ * Handle configuration change (from database)
+ * Called when pg_notify fires on another instance
+ */
+async function handleConfigChange(newConfig: RuntimeAuthConfig | null): Promise<void> {
+  if (!adapterWrapper) return;
+
+  if (!newConfig || !newConfig.adapter) {
+    // No config in database - revert to env vars
+    const adapterName = getEnv('AUTH_ADAPTER')?.toLowerCase() as AdapterName | undefined;
+    if (adapterName && VALID_ADAPTERS.includes(adapterName)) {
+      // Re-create adapter from env vars
+      const parseResult = getParseResultForAdapter(adapterName);
+      if (parseResult.config) {
+        const adapter = createAdapterForName(adapterName, parseResult.config);
+        if (adapter) {
+          await adapterWrapper.setAdapter(adapter);
+          currentStatus = {
+            state: 'enabled',
+            adapter: adapterName,
+            config: getMaskedConfig(adapterName),
+          };
+        }
+      }
+    } else {
+      // No env config either - disable
+      currentStatus = {
+        state: 'disabled',
+        adapter: null,
+      };
+    }
+    return;
+  }
+
+  // Apply new config
+  const adapter = createAdapterFromConfig(newConfig.adapter, newConfig.config);
+  if (adapter) {
+    await adapterWrapper.setAdapter(adapter);
+    currentStatus = {
+      state: 'enabled',
+      adapter: newConfig.adapter,
+      config: getMaskedRuntimeConfig(newConfig),
+    };
+  }
+}
+
+/**
+ * Get masked runtime configuration
+ */
+function getMaskedRuntimeConfig(config: RuntimeAuthConfig): Record<string, string> {
+  const result: Record<string, string> = {};
+
+  if (!config.adapter) return result;
+
+  const sensitiveKeys = ['secret', 'password', 'key', 'token', 'anonKey', 'clientSecret', 'apiKey'];
+  const isSensitive = (key: string): boolean =>
+    sensitiveKeys.some((s) => key.toLowerCase().includes(s.toLowerCase()));
+
+  // Get adapter-specific config
+  const adapterConfig = config.config[config.adapter];
+  if (adapterConfig) {
+    for (const [key, value] of Object.entries(adapterConfig)) {
+      if (typeof value === 'string') {
+        result[key] = isSensitive(key) ? maskValue(value) : value;
+      } else if (typeof value === 'boolean' || typeof value === 'number') {
+        result[key] = String(value);
+      }
+    }
+  }
+
+  result['AUTH_ADAPTER'] = config.adapter;
+
+  return result;
+}
+
+/**
+ * Helper to get parse result for a given adapter
+ */
+function getParseResultForAdapter(adapterName: AdapterName): EnvParseResult<
+  Auth0AdapterConfig | SupabaseAdapterConfig | SupertokensAdapterConfig | BasicAdapterConfig
+> {
+  switch (adapterName) {
+    case 'supertokens':
+      return parseSupertokensEnv();
+    case 'auth0':
+      return parseAuth0Env();
+    case 'supabase':
+      return parseSupabaseEnv();
+    case 'basic':
+      return parseBasicAuthEnv();
+  }
+}
+
+/**
+ * Helper to create adapter for a given name and config
+ */
+function createAdapterForName(
+  adapterName: AdapterName,
+  config: Auth0AdapterConfig | SupabaseAdapterConfig | SupertokensAdapterConfig | BasicAdapterConfig
+): AuthAdapter {
+  switch (adapterName) {
+    case 'supertokens':
+      return supertokensAdapter(config as SupertokensAdapterConfig);
+    case 'auth0':
+      return auth0Adapter(config as Auth0AdapterConfig);
+    case 'supabase':
+      return supabaseAdapter(config as SupabaseAdapterConfig);
+    case 'basic':
+      return basicAdapter(config as BasicAdapterConfig);
+  }
+}
+
+/**
+ * Set the configuration store for runtime auth config persistence.
+ *
+ * This must be called during application startup to enable runtime configuration
+ * features. Without a config store, the PUT/DELETE endpoints will return 503.
+ *
+ * @param store - PostgreSQL-backed config store from `postgresAuthConfigStore()`
+ *
+ * @example
+ * ```typescript
+ * import { Pool } from 'pg';
+ * import { setAuthConfigStore, postgresAuthConfigStore } from '@qwickapps/server';
+ *
+ * const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+ * const configStore = postgresAuthConfigStore({ pool });
+ * await configStore.initialize();
+ * setAuthConfigStore(configStore);
+ * ```
+ */
+export function setAuthConfigStore(store: AuthConfigStore): void {
+  configStore = store;
+}
+
+/**
+ * Get the current adapter wrapper
+ */
+export function getAdapterWrapper(): AdapterWrapper | null {
+  return adapterWrapper;
+}
+
 // ═══════════════════════════════════════════════════════════════════════════
 // Exports for Testing
 // ═══════════════════════════════════════════════════════════════════════════
@@ -569,4 +1273,7 @@ export const __testing = {
   getEnvList,
   maskValue,
   VALID_ADAPTERS,
+  validateAdapterConfig,
+  testProviderConnection,
+  createAdapterFromConfig,
 };