@qwickapps/server 1.5.1 → 1.6.0

package/src/plugins/api-keys/api-keys-plugin.ts

@@ -0,0 +1,397 @@
+/**
+ * API Keys Plugin
+ *
+ * API key authentication and management plugin for @qwickapps/server.
+ * Provides API key generation, storage, and verification with PostgreSQL RLS.
+ *
+ * This plugin depends on the Users Plugin for user identity.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+
+import type { Request, Response } from 'express';
+import type { Plugin, PluginConfig, PluginRegistry } from '../../core/plugin-registry.js';
+import type {
+  ApiKeysPluginConfig,
+  ApiKeyStore,
+  CreateApiKeyParams,
+  UpdateApiKeyParams,
+  ApiKey,
+} from './types.js';
+import type { AuthenticatedRequest } from '../auth/types.js';
+import {
+  CreateApiKeySchema,
+  UpdateApiKeySchema,
+} from './types.js';
+
+// Store instance for helper access
+let currentStore: ApiKeyStore | null = null;
+
+/**
+ * Create the API Keys plugin
+ */
+export function createApiKeysPlugin(config: ApiKeysPluginConfig): Plugin {
+  const debug = config.debug || false;
+  // Routes are mounted under /api by the control panel, so don't include /api in prefix
+  const apiPrefix = config.api?.prefix || '/api-keys';
+  const apiEnabled = config.api?.enabled !== false;
+
+  function log(message: string, data?: Record<string, unknown>) {
+    if (debug) {
+      console.log(`[ApiKeysPlugin] ${message}`, data || '');
+    }
+  }
+
+  return {
+    id: 'api-keys',
+    name: 'API Keys',
+    version: '1.0.0',
+
+    async onStart(_pluginConfig: PluginConfig, registry: PluginRegistry): Promise<void> {
+      log('Starting API keys plugin');
+
+      // Check for users plugin dependency
+      if (!registry.hasPlugin('users')) {
+        throw new Error('API Keys plugin requires Users plugin to be loaded first');
+      }
+
+      // Initialize the store (creates tables and RLS policies if needed)
+      await config.store.initialize();
+      log('API keys plugin migrations complete');
+
+      // Store reference for helper access
+      currentStore = config.store;
+
+      // Register health check
+      registry.registerHealthCheck({
+        name: 'api-keys-store',
+        type: 'custom',
+        check: async () => {
+          try {
+            // Simple health check - store is accessible
+            return { healthy: currentStore !== null };
+          } catch {
+            return { healthy: false };
+          }
+        },
+      });
+
+      // Add API routes if enabled
+      if (apiEnabled) {
+        // POST /api-keys - Create a new API key
+        registry.addRoute({
+          method: 'post',
+          path: apiPrefix,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              // Validate request body
+              const validation = CreateApiKeySchema.safeParse(req.body);
+              if (!validation.success) {
+                return res.status(400).json({
+                  error: 'Invalid request',
+                });
+              }
+
+              const params: CreateApiKeyParams = {
+                user_id: userId,
+                ...validation.data,
+              };
+
+              // Create the API key
+              const apiKey = await config.store.create(params);
+
+              // Return the key with plaintext (ONLY time plaintext is accessible)
+              res.status(201).json({
+                id: apiKey.id,
+                name: apiKey.name,
+                key: apiKey.plaintext_key, // Client must save this - won't be shown again
+                key_prefix: apiKey.key_prefix,
+                key_type: apiKey.key_type,
+                scopes: apiKey.scopes,
+                expires_at: apiKey.expires_at,
+                is_active: apiKey.is_active,
+                created_at: apiKey.created_at,
+              });
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Create API key error:', error);
+              res.status(500).json({ error: 'Failed to create API key' });
+            }
+          },
+        });
+
+        // GET /api-keys - List current user's API keys
+        registry.addRoute({
+          method: 'get',
+          path: apiPrefix,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              const keys = await config.store.list(userId);
+
+              // Remove sensitive fields from response
+              const sanitized = keys.map(key => ({
+                id: key.id,
+                name: key.name,
+                key_prefix: key.key_prefix,
+                key_type: key.key_type,
+                scopes: key.scopes,
+                last_used_at: key.last_used_at,
+                expires_at: key.expires_at,
+                is_active: key.is_active,
+                created_at: key.created_at,
+                updated_at: key.updated_at,
+              }));
+
+              res.json({ keys: sanitized });
+            } catch (error) {
+              console.error('[ApiKeysPlugin] List API keys error:', error);
+              res.status(500).json({ error: 'Failed to list API keys' });
+            }
+          },
+        });
+
+        // GET /api-keys/:id - Get a specific API key
+        registry.addRoute({
+          method: 'get',
+          path: `${apiPrefix}/:id`,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              const { id } = req.params;
+              const key = await config.store.get(userId, id);
+
+              if (!key) {
+                return res.status(404).json({ error: 'API key not found' });
+              }
+
+              // Remove sensitive fields from response
+              const sanitized = {
+                id: key.id,
+                name: key.name,
+                key_prefix: key.key_prefix,
+                key_type: key.key_type,
+                scopes: key.scopes,
+                last_used_at: key.last_used_at,
+                expires_at: key.expires_at,
+                is_active: key.is_active,
+                created_at: key.created_at,
+                updated_at: key.updated_at,
+              };
+
+              res.json(sanitized);
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Get API key error:', error);
+              res.status(500).json({ error: 'Failed to get API key' });
+            }
+          },
+        });
+
+        // PUT /api-keys/:id - Update an API key
+        registry.addRoute({
+          method: 'put',
+          path: `${apiPrefix}/:id`,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              // Validate request body
+              const validation = UpdateApiKeySchema.safeParse(req.body);
+              if (!validation.success) {
+                return res.status(400).json({
+                  error: 'Invalid request',
+                });
+              }
+
+              const { id } = req.params;
+              const params: UpdateApiKeyParams = validation.data;
+
+              const updated = await config.store.update(userId, id, params);
+
+              if (!updated) {
+                return res.status(404).json({ error: 'API key not found' });
+              }
+
+              // Remove sensitive fields from response
+              const sanitized = {
+                id: updated.id,
+                name: updated.name,
+                key_prefix: updated.key_prefix,
+                key_type: updated.key_type,
+                scopes: updated.scopes,
+                last_used_at: updated.last_used_at,
+                expires_at: updated.expires_at,
+                is_active: updated.is_active,
+                created_at: updated.created_at,
+                updated_at: updated.updated_at,
+              };
+
+              res.json(sanitized);
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Update API key error:', error);
+              res.status(500).json({ error: 'Failed to update API key' });
+            }
+          },
+        });
+
+        // DELETE /api-keys/:id - Delete an API key
+        registry.addRoute({
+          method: 'delete',
+          path: `${apiPrefix}/:id`,
+          pluginId: 'api-keys',
+          handler: async (req: Request, res: Response) => {
+            try {
+              const authReq = req as AuthenticatedRequest;
+              const userId = authReq.auth?.user?.id;
+
+              if (!userId) {
+                return res.status(401).json({ error: 'Authentication required' });
+              }
+
+              const { id } = req.params;
+              const deleted = await config.store.delete(userId, id);
+
+              if (!deleted) {
+                return res.status(404).json({ error: 'API key not found' });
+              }
+
+              res.status(204).send();
+            } catch (error) {
+              console.error('[ApiKeysPlugin] Delete API key error:', error);
+              res.status(500).json({ error: 'Failed to delete API key' });
+            }
+          },
+        });
+      }
+
+      log('API keys plugin started');
+    },
+
+    async onStop(): Promise<void> {
+      log('Stopping API keys plugin');
+      if (currentStore) {
+        await currentStore.shutdown();
+      }
+      currentStore = null;
+      log('API keys plugin stopped');
+    },
+  };
+}
+
+// ========================================
+// Helper Functions
+// ========================================
+
+/**
+ * Get the current API keys store instance
+ */
+export function getApiKeysStore(): ApiKeyStore | null {
+  return currentStore;
+}
+
+/**
+ * Verify an API key and return the associated key record
+ * Returns null if key is invalid, expired, or inactive
+ */
+export async function verifyApiKey(plaintextKey: string): Promise<ApiKey | null> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  const key = await currentStore.verify(plaintextKey);
+
+  // Update last_used_at timestamp if key is valid
+  if (key) {
+    await currentStore.recordUsage(key.id).catch(err => {
+      console.error('[ApiKeysPlugin] Failed to record key usage:', err);
+    });
+  }
+
+  return key;
+}
+
+/**
+ * Create an API key for a user
+ */
+export async function createApiKey(params: CreateApiKeyParams): Promise<ApiKey> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.create(params);
+}
+
+/**
+ * List all API keys for a user
+ */
+export async function listApiKeys(userId: string): Promise<ApiKey[]> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.list(userId);
+}
+
+/**
+ * Get a specific API key
+ */
+export async function getApiKey(userId: string, keyId: string): Promise<ApiKey | null> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.get(userId, keyId);
+}
+
+/**
+ * Update an API key
+ */
+export async function updateApiKey(
+  userId: string,
+  keyId: string,
+  params: UpdateApiKeyParams
+): Promise<ApiKey | null> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.update(userId, keyId, params);
+}
+
+/**
+ * Delete an API key
+ */
+export async function deleteApiKey(userId: string, keyId: string): Promise<boolean> {
+  if (!currentStore) {
+    throw new Error('API Keys plugin not initialized');
+  }
+
+  return currentStore.delete(userId, keyId);
+}

package/src/plugins/api-keys/index.ts

@@ -0,0 +1,49 @@
+/**
+ * API Keys Plugin Index
+ *
+ * API key authentication and management plugin with PostgreSQL RLS.
+ * Depends on the Users Plugin for user identity.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+
+// Main plugin
+export {
+  createApiKeysPlugin,
+  getApiKeysStore,
+  verifyApiKey,
+  createApiKey,
+  listApiKeys,
+  getApiKey,
+  updateApiKey,
+  deleteApiKey,
+} from './api-keys-plugin.js';
+
+// Types
+export type {
+  ApiKeysPluginConfig,
+  ApiKeyStore,
+  ApiKey,
+  ApiKeyWithPlaintext,
+  ApiKeyScope,
+  ApiKeyType,
+  CreateApiKeyParams,
+  UpdateApiKeyParams,
+  PostgresApiKeyStoreConfig,
+  ApiKeysApiConfig,
+} from './types.js';
+
+// Zod schemas
+export {
+  ApiKeyScopeSchema,
+  ApiKeyTypeSchema,
+  CreateApiKeySchema,
+  UpdateApiKeySchema,
+  ApiKeySchema,
+} from './types.js';
+
+// Stores
+export { postgresApiKeyStore } from './stores/index.js';
+
+// Middleware
+export { bearerTokenAuth } from './middleware/index.js';

package/src/plugins/api-keys/middleware/bearer-token-auth.ts

@@ -0,0 +1,250 @@
+/**
+ * Bearer Token Authentication Middleware
+ *
+ * Middleware for authenticating API requests using Bearer tokens (API keys).
+ * Verifies the token, checks expiration and active status, and attaches
+ * the authenticated key info to the request.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+
+import type { Request, Response, NextFunction } from 'express';
+import type { ApiKey, ApiKeyScope } from '../types.js';
+import { getApiKeysStore } from '../api-keys-plugin.js';
+import { incrementLimit, isLimited } from '../../rate-limit/rate-limit-service.js';
+
+/**
+ * Extended Express Request with API key authentication info
+ */
+export interface ApiKeyAuthenticatedRequest extends Request {
+  apiKey?: {
+    id: string;
+    user_id: string;
+    scopes: ApiKeyScope[];
+    key_type: 'm2m' | 'pat';
+  };
+}
+
+/**
+ * Options for bearer token authentication middleware
+ */
+export interface BearerTokenAuthOptions {
+  /** Required scopes (all must be present) */
+  requiredScopes?: ApiKeyScope[];
+  /** Allow only specific key types */
+  allowedKeyTypes?: ('m2m' | 'pat')[];
+  /** Custom error handler */
+  onUnauthorized?: (req: Request, res: Response, reason: string) => void;
+}
+
+/**
+ * Extract Bearer token from Authorization header
+ *
+ * @param req Express request
+ * @returns Bearer token or null if not found
+ */
+function extractBearerToken(req: Request): string | null {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader) {
+    return null;
+  }
+
+  // Check for "Bearer <token>" format
+  const parts = authHeader.split(' ');
+  if (parts.length !== 2 || parts[0] !== 'Bearer') {
+    return null;
+  }
+
+  return parts[1];
+}
+
+/**
+ * Check if API key has all required scopes
+ *
+ * @param keyScopes Scopes granted to the API key
+ * @param requiredScopes Scopes required for the endpoint
+ * @returns True if key has all required scopes
+ */
+function hasRequiredScopes(keyScopes: ApiKeyScope[], requiredScopes: ApiKeyScope[]): boolean {
+  return requiredScopes.every(required => keyScopes.includes(required));
+}
+
+/**
+ * Default unauthorized handler
+ */
+function defaultUnauthorizedHandler(req: Request, res: Response, reason: string): void {
+  res.status(401).json({
+    error: 'Unauthorized',
+    message: reason,
+  });
+}
+
+/**
+ * Get rate limit identifier for API key authentication
+ * Uses IP address as the identifier
+ */
+function getRateLimitIdentifier(req: Request): string {
+  const ip = req.ip ||
+    req.headers['x-forwarded-for']?.toString().split(',')[0].trim() ||
+    req.socket?.remoteAddress ||
+    'unknown';
+  return `api-key-auth:${ip}`;
+}
+
+/**
+ * Check if rate limit has been exceeded
+ * Uses the existing rate-limit plugin with specific limits for API key auth
+ */
+async function checkRateLimit(identifier: string): Promise<boolean> {
+  try {
+    // Check rate limit: 100 requests per 15 minutes
+    return await isLimited(identifier, {
+      maxRequests: 100,
+      windowMs: 15 * 60 * 1000, // 15 minutes
+      strategy: 'sliding-window',
+    });
+  } catch (error) {
+    // If rate limit service not available, allow the request
+    // (fail open - let other security measures handle it)
+    console.warn('[bearerTokenAuth] Rate limit service unavailable:', error);
+    return false;
+  }
+}
+
+/**
+ * Record a failed authentication attempt
+ * Increments the rate limit counter
+ */
+async function recordFailedAttempt(identifier: string): Promise<void> {
+  try {
+    await incrementLimit(identifier, {
+      maxRequests: 100,
+      windowMs: 15 * 60 * 1000, // 15 minutes
+      strategy: 'sliding-window',
+    });
+  } catch (error) {
+    // Non-critical - log and continue
+    console.warn('[bearerTokenAuth] Failed to record attempt:', error);
+  }
+}
+
+/**
+ * Bearer Token Authentication Middleware
+ *
+ * Validates API keys sent as Bearer tokens in the Authorization header.
+ * Attaches authenticated key info to the request for downstream handlers.
+ *
+ * @param options Configuration options
+ * @returns Express middleware function
+ *
+ * @example
+ * ```ts
+ * import { bearerTokenAuth } from '@qwickapps/server';
+ *
+ * // Require authentication
+ * app.get('/api/data', bearerTokenAuth(), (req, res) => {
+ *   const { apiKey } = req as ApiKeyAuthenticatedRequest;
+ *   res.json({ user_id: apiKey?.user_id });
+ * });
+ *
+ * // Require specific scopes
+ * app.post('/api/data', bearerTokenAuth({
+ *   requiredScopes: ['write'],
+ * }), (req, res) => {
+ *   // Handler code
+ * });
+ *
+ * // Allow only M2M keys
+ * app.post('/api/admin', bearerTokenAuth({
+ *   allowedKeyTypes: ['m2m'],
+ *   requiredScopes: ['admin'],
+ * }), (req, res) => {
+ *   // Handler code
+ * });
+ * ```
+ */
+export function bearerTokenAuth(options: BearerTokenAuthOptions = {}) {
+  const {
+    requiredScopes = [],
+    allowedKeyTypes,
+    onUnauthorized = defaultUnauthorizedHandler,
+  } = options;
+
+  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    try {
+      // Check rate limit first
+      const rateLimitId = getRateLimitIdentifier(req);
+      if (await checkRateLimit(rateLimitId)) {
+        res.status(429).json({
+          error: 'Too Many Requests',
+          message: 'Too many authentication attempts. Please try again later.',
+        });
+        return;
+      }
+
+      // Extract token from Authorization header
+      const token = extractBearerToken(req);
+
+      if (!token) {
+        recordFailedAttempt(rateLimitId);
+        onUnauthorized(req, res, 'Missing or invalid Authorization header');
+        return;
+      }
+
+      // Get store instance
+      const store = getApiKeysStore();
+      if (!store) {
+        console.error('[bearerTokenAuth] API Keys plugin not initialized');
+        res.status(500).json({ error: 'Authentication service unavailable' });
+        return;
+      }
+
+      // Verify the token
+      const apiKey = await store.verify(token);
+
+      if (!apiKey) {
+        recordFailedAttempt(rateLimitId);
+        onUnauthorized(req, res, 'Invalid, expired, or inactive API key');
+        return;
+      }
+
+      // Check key type if restrictions apply
+      if (allowedKeyTypes && !allowedKeyTypes.includes(apiKey.key_type)) {
+        onUnauthorized(req, res, `This endpoint requires ${allowedKeyTypes.join(' or ')} keys`);
+        return;
+      }
+
+      // Check scopes if required
+      if (requiredScopes.length > 0 && !hasRequiredScopes(apiKey.scopes, requiredScopes)) {
+        onUnauthorized(req, res, `Insufficient scopes. Required: ${requiredScopes.join(', ')}`);
+        return;
+      }
+
+      // Record usage (non-blocking)
+      store.recordUsage(apiKey.id).catch(err => {
+        console.error('[bearerTokenAuth] Failed to record key usage:', err);
+      });
+
+      // Attach authenticated key info to request
+      (req as ApiKeyAuthenticatedRequest).apiKey = {
+        id: apiKey.id,
+        user_id: apiKey.user_id,
+        scopes: apiKey.scopes,
+        key_type: apiKey.key_type,
+      };
+
+      next();
+    } catch (error) {
+      console.error('[bearerTokenAuth] Authentication error:', error);
+      res.status(500).json({ error: 'Authentication failed' });
+    }
+  };
+}
+
+/**
+ * Helper type guard for API key authenticated requests
+ */
+export function isApiKeyAuthenticated(req: Request): req is ApiKeyAuthenticatedRequest {
+  return 'apiKey' in req && (req as ApiKeyAuthenticatedRequest).apiKey !== undefined;
+}

package/src/plugins/api-keys/middleware/index.ts

@@ -0,0 +1,12 @@
+/**
+ * API Keys Middleware Index
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+
+export {
+  bearerTokenAuth,
+  isApiKeyAuthenticated,
+  type ApiKeyAuthenticatedRequest,
+  type BearerTokenAuthOptions,
+} from './bearer-token-auth.js';