npm - @semiont/backend - Versions diffs - 0.5.7 → 0.5.9 - Mend

@semiont/backend 0.5.7 → 0.5.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js +53 -110
package/dist/index.js.map +1 -1
package/dist/openapi.json +4 -118
package/package.json +19 -20
package/prisma/migrations/20260619120000_add_token_version/migration.sql +3 -0
package/prisma/schema.prisma +1 -0

package/dist/index.js CHANGED Viewed

@@ -12,7 +12,6 @@ import { SemiontProject, loadEnvironmentConfig } from '@semiont/core/node';
 import { exportBackup, importBackup, readEntityTypesProjection, exportLinkedData, importLinkedData, startMakeMeaning, ResourceOperations, ResourceContext } from '@semiont/make-meaning';
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
-import { setCookie, deleteCookie, getCookie } from 'hono/cookie';
 import { HTTPException } from 'hono/http-exception';
 import Ajv from 'ajv';
 import addFormats from 'ajv-formats';
@@ -30,11 +29,20 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+var __esm = (fn, res, err) => function __init() {
+  if (err) throw err[0];
+  try {
+    return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+  } catch (e) {
+    throw err = [e], e;
+  }
 };
 var __commonJS = (cb, mod) => function __require() {
-  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+  try {
+    return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+  } catch (e) {
+    throw mod = 0, e;
+  }
 };
 var __export = (target, all) => {
   for (var name in all)
@@ -186,6 +194,13 @@ var init_jwt_types = __esm({
       // `_userId` instead of recomputing `userToDid(user)`. Unset for human
       // tokens.
       agentDid: z.string().optional(),
+      // Per-user revocation epoch (SDK-AUTH-CORS Phase 2): every token carries the
+      // user's tokenVersion at mint; logout bumps User.tokenVersion, so a token
+      // whose tokenVersion is behind the user's current value is rejected.
+      // Required — a token minted before this feature lacks the claim and fails
+      // validation, so the holder re-authenticates. That is the intended
+      // revoke-every-session-on-rollout behavior, not a regression.
+      tokenVersion: z.number().int(),
       iat: z.number().optional(),
       exp: z.number().optional()
     });
@@ -12665,17 +12680,6 @@ var openapi_default = {
           }
         }
       },
-      MCPGenerateResponse: {
-        type: "object",
-        properties: {
-          refresh_token: {
-            type: "string"
-          }
-        },
-        required: [
-          "refresh_token"
-        ]
-      },
       Motivation: {
         type: "string",
         enum: [
@@ -16214,9 +16218,10 @@ var OAuthService = class {
       ...user.name && { name: user.name },
       domain: user.domain,
       provider: user.provider,
-      isAdmin: user.isAdmin
+      isAdmin: user.isAdmin,
+      tokenVersion: user.tokenVersion
     };
-    const token = accessToken(JWTService.generateToken(jwtPayload, "1h"));
+    const token = accessToken(JWTService.generateToken(jwtPayload, "10m"));
     const refreshToken = JWTService.generateToken(jwtPayload, "30d");
     return { user, token, refreshToken, isNewUser };
   }
@@ -16240,6 +16245,9 @@ var OAuthService = class {
     if (!user || !user.isActive) {
       throw new Error("User not found or inactive");
     }
+    if (payload.tokenVersion !== user.tokenVersion) {
+      throw new Error("Token revoked");
+    }
     return payload.agentDid ? { user, agentDid: payload.agentDid } : { user };
   }
   static async acceptTerms(userId2) {
@@ -16284,8 +16292,6 @@ var authMiddleware = async (c, next) => {
   let tokenStr;
   if (authHeader?.startsWith("Bearer ")) {
     tokenStr = authHeader.substring(7).trim();
-  } else {
-    tokenStr = getCookie(c, "semiont-token");
   }
   if (!tokenStr) {
     logger2.warn("Authentication failed: No token", {
@@ -16294,7 +16300,10 @@ var authMiddleware = async (c, next) => {
       path: c.req.path,
       method: c.req.method
     });
-    return c.json({ error: "Unauthorized" }, 401);
+    return c.json({
+      error: "Unauthorized",
+      hint: "Authentication required: send an `Authorization: Bearer <token>` header. A raw browser navigation to a protected resource is unauthenticated."
+    }, 401);
   }
   try {
     const { user, agentDid } = await OAuthService.getPrincipalFromToken(accessToken(tokenStr));
@@ -16464,22 +16473,15 @@ authRouter.post(
         ...user.name && { name: user.name },
         domain: user.domain,
         provider: user.provider,
-        isAdmin: user.isAdmin
+        isAdmin: user.isAdmin,
+        tokenVersion: user.tokenVersion
       };
-      const token = JWTService.generateToken(jwtPayload, "1h");
+      const token = JWTService.generateToken(jwtPayload, "10m");
       const refreshToken = JWTService.generateToken(jwtPayload, "30d");
       await prisma2.user.update({
         where: { id: user.id },
         data: { lastLogin: /* @__PURE__ */ new Date() }
       });
-      setCookie(c, "semiont-token", token, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: "Lax",
-        path: "/",
-        maxAge: 60 * 60
-        // 1 hour, matching access token lifetime
-      });
       const response = {
         success: true,
         user: {
@@ -16520,14 +16522,6 @@ authRouter.post(
       }
       const googleUser = await OAuthService.verifyGoogleToken(googleCredential(access_token));
       const { user, token, refreshToken, isNewUser } = await OAuthService.createOrUpdateUser(googleUser);
-      setCookie(c, "semiont-token", token, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: "Lax",
-        path: "/",
-        maxAge: 60 * 60
-        // 1 hour, matching access token lifetime
-      });
       const response = {
         success: true,
         user: {
@@ -16579,15 +16573,19 @@ authRouter.post(
       if (!user || !user.isActive) {
         return c.json({ error: "User not found or inactive" }, 401);
       }
+      if (payload.tokenVersion !== user.tokenVersion) {
+        return c.json({ error: "Token revoked" }, 401);
+      }
       const accessTokenPayload = {
         userId: userId(user.id),
         email: email(user.email),
         domain: user.domain,
         provider: user.provider,
         isAdmin: user.isAdmin,
-        ...user.name && { name: user.name }
+        ...user.name && { name: user.name },
+        tokenVersion: user.tokenVersion
       };
-      const accessToken2 = JWTService.generateToken(accessTokenPayload, "1h");
+      const accessToken2 = JWTService.generateToken(accessTokenPayload, "10m");
       const response = {
         access_token: accessToken2
       };
@@ -16628,63 +16626,6 @@ authRouter.get("/api/users/me", authMiddleware, async (c) => {
   };
   return c.json(response, 200);
 });
-authRouter.get("/api/tokens/mcp-setup", authMiddleware, async (c) => {
-  const callback = c.req.query("callback");
-  if (!callback) {
-    return c.json({ error: "Callback URL required" }, 400);
-  }
-  const allowedCallbackPatterns = [
-    /^http:\/\/localhost:\d+\/.*$/,
-    /^http:\/\/127\.0\.0\.1:\d+\/.*$/,
-    /^http:\/\/\[::1\]:\d+\/.*$/
-  ];
-  if (!allowedCallbackPatterns.some((p) => p.test(callback))) {
-    return c.json({ error: "Invalid callback URL. Must be a localhost URL for CLI authentication." }, 400);
-  }
-  const user = c.get("user");
-  try {
-    const tokenPayload = {
-      userId: userId(user.id),
-      email: email(user.email),
-      domain: user.domain,
-      provider: user.provider,
-      isAdmin: user.isAdmin,
-      ...user.name && { name: user.name }
-    };
-    const refreshToken = JWTService.generateToken(tokenPayload, "30d");
-    return c.redirect(`${callback}?token=${refreshToken}`, 302);
-  } catch (error) {
-    getRouteLogger2().error("MCP setup error", {
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : void 0
-    });
-    return c.json({ error: "Failed to generate refresh token" }, 500);
-  }
-});
-authRouter.post("/api/tokens/mcp-generate", authMiddleware, async (c) => {
-  const user = c.get("user");
-  try {
-    const tokenPayload = {
-      userId: userId(user.id),
-      email: email(user.email),
-      domain: user.domain,
-      provider: user.provider,
-      isAdmin: user.isAdmin,
-      ...user.name && { name: user.name }
-    };
-    const refreshToken = JWTService.generateToken(tokenPayload, "30d");
-    const response = {
-      refresh_token: refreshToken
-    };
-    return c.json(response, 200);
-  } catch (error) {
-    getRouteLogger2().error("MCP token generation error", {
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : void 0
-    });
-    return c.json({ error: "Failed to generate refresh token" }, 401);
-  }
-});
 authRouter.post("/api/tokens/agent", async (c) => {
   const workerSecret = process.env.SEMIONT_WORKER_SECRET;
   if (!workerSecret) {
@@ -16739,7 +16680,8 @@ authRouter.post("/api/tokens/agent", async (c) => {
     domain: agentUser.domain,
     provider: agentUser.provider,
     isAdmin: false,
-    agentDid: did
+    agentDid: did,
+    tokenVersion: agentUser.tokenVersion
   }, "24h");
   return c.json({ token, did }, 200);
 });
@@ -16767,11 +16709,13 @@ authRouter.post("/api/users/accept-terms", authMiddleware, async (c) => {
   return c.json(response, 200);
 });
 authRouter.post("/api/users/logout", authMiddleware, async (c) => {
-  deleteCookie(c, "semiont-token", { path: "/" });
-  return c.json({
-    success: true,
-    message: "Logged out successfully"
-  }, 200);
+  const user = c.get("user");
+  const prisma2 = DatabaseConnection.getClient();
+  await prisma2.user.update({
+    where: { id: user.id },
+    data: { tokenVersion: { increment: 1 } }
+  });
+  return c.body(null, 204);
 });
 authRouter.get("/api/cookies/consent", authMiddleware, async (c) => {
   return c.json({
@@ -17802,9 +17746,6 @@ var config = loadEnvironmentConfig(projectRoot, env);
 if (!config.services?.backend) {
   throw new Error("services.backend is required in environment config");
 }
-if (!config.services.backend.corsOrigin) {
-  throw new Error("services.backend.corsOrigin is required in environment config");
-}
 var backendService = config.services.backend;
 initializeLogger(config.logLevel);
 var logger = getLogger();
@@ -17835,10 +17776,7 @@ var makeMeaning = await startMakeMeaning(new SemiontProject(projectRoot), makeMe
 var __filename$1 = fileURLToPath(import.meta.url);
 var __dirname$1 = path.dirname(__filename$1);
 var app = new Hono();
-app.use("*", cors({
-  origin: backendService.corsOrigin,
-  credentials: true
-}));
+app.use("*", cors({ origin: "*" }));
 app.use("*", securityHeaders());
 app.use("*", requestIdMiddleware);
 app.use("*", errorLoggerMiddleware);
@@ -17926,6 +17864,11 @@ if (config.env?.NODE_ENV !== "test") {
       url: `http://localhost:${info.port}/api`,
       environment: config.env?.NODE_ENV ?? "development"
     });
+    logger.info("Auth posture: bearer-only, open CORS", {
+      cors: "any origin (*)",
+      credentials: "disabled",
+      auth: "Authorization: Bearer; media tokens via ?token= for /api/resources/:id"
+    });
     try {
       const { JWTService: JWTService2 } = await Promise.resolve().then(() => (init_jwt(), jwt_exports));
       JWTService2.initialize(config);