npm - @serve.zone/dcrouter - Versions diffs - 13.31.0 → 13.32.1 - Mend

@serve.zone/dcrouter 13.31.0 → 13.32.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/dist_serve/bundle.js +721 -721
package/dist_ts/00_commitinfo_data.js +1 -1
package/dist_ts/config/classes.route-config-manager.d.ts +1 -0
package/dist_ts/config/classes.route-config-manager.js +28 -3
package/dist_ts/config/classes.target-profile-manager.d.ts +1 -0
package/dist_ts/config/classes.target-profile-manager.js +11 -8
package/dist_ts/opsserver/classes.opsserver.d.ts +4 -2
package/dist_ts/opsserver/classes.opsserver.js +2 -11
package/dist_ts/opsserver/handlers/acme-config.handler.js +7 -24
package/dist_ts/opsserver/handlers/admin.handler.d.ts +3 -1
package/dist_ts/opsserver/handlers/admin.handler.js +95 -110
package/dist_ts/opsserver/handlers/api-token.handler.js +28 -2
package/dist_ts/opsserver/handlers/certificate.handler.js +7 -24
package/dist_ts/opsserver/handlers/config.handler.js +3 -1
package/dist_ts/opsserver/handlers/dns-provider.handler.js +7 -24
package/dist_ts/opsserver/handlers/dns-record.handler.js +7 -24
package/dist_ts/opsserver/handlers/domain.handler.js +7 -24
package/dist_ts/opsserver/handlers/email-domain.handler.js +7 -24
package/dist_ts/opsserver/handlers/email-ops.handler.js +8 -1
package/dist_ts/opsserver/handlers/logs.handler.js +4 -1
package/dist_ts/opsserver/handlers/network-target.handler.js +7 -24
package/dist_ts/opsserver/handlers/radius.handler.js +32 -1
package/dist_ts/opsserver/handlers/remoteingress.handler.js +24 -1
package/dist_ts/opsserver/handlers/route-management.handler.js +7 -26
package/dist_ts/opsserver/handlers/security.handler.js +32 -7
package/dist_ts/opsserver/handlers/source-profile.handler.js +7 -24
package/dist_ts/opsserver/handlers/stats.handler.js +8 -1
package/dist_ts/opsserver/handlers/target-profile.handler.js +7 -24
package/dist_ts/opsserver/handlers/users.handler.js +33 -13
package/dist_ts/opsserver/handlers/vpn.handler.js +34 -1
package/dist_ts/opsserver/handlers/workhoster.handler.js +16 -35
package/dist_ts/opsserver/helpers/auth.d.ts +21 -0
package/dist_ts/opsserver/helpers/auth.js +63 -0
package/dist_ts_interfaces/data/route-management.d.ts +2 -1
package/dist_ts_interfaces/data/route-management.js +48 -2
package/dist_ts_interfaces/requests/api-tokens.d.ts +10 -5
package/dist_ts_interfaces/requests/combined.stats.d.ts +2 -1
package/dist_ts_interfaces/requests/config.d.ts +2 -1
package/dist_ts_interfaces/requests/email-ops.d.ts +6 -3
package/dist_ts_interfaces/requests/logs.d.ts +4 -2
package/dist_ts_interfaces/requests/radius.d.ts +24 -12
package/dist_ts_interfaces/requests/remoteingress.d.ts +14 -7
package/dist_ts_interfaces/requests/security-policy.d.ts +16 -8
package/dist_ts_interfaces/requests/stats.d.ts +18 -9
package/dist_ts_interfaces/requests/users.d.ts +6 -3
package/dist_ts_interfaces/requests/vpn.d.ts +22 -11
package/dist_ts_interfaces/requests/workhoster.d.ts +10 -5
package/dist_ts_migrations/index.js +3 -1
package/dist_ts_web/00_commitinfo_data.js +1 -1
package/dist_ts_web/elements/access/ops-view-apitokens.js +2 -21
package/package.json +4 -4
package/ts/00_commitinfo_data.ts +1 -1
package/ts/config/classes.route-config-manager.ts +35 -2
package/ts/config/classes.target-profile-manager.ts +10 -7
package/ts/opsserver/classes.opsserver.ts +3 -14
package/ts/opsserver/handlers/acme-config.handler.ts +6 -23
package/ts/opsserver/handlers/admin.handler.ts +109 -123
package/ts/opsserver/handlers/api-token.handler.ts +27 -1
package/ts/opsserver/handlers/certificate.handler.ts +6 -23
package/ts/opsserver/handlers/config.handler.ts +2 -0
package/ts/opsserver/handlers/dns-provider.handler.ts +6 -23
package/ts/opsserver/handlers/dns-record.handler.ts +6 -23
package/ts/opsserver/handlers/domain.handler.ts +6 -23
package/ts/opsserver/handlers/email-domain.handler.ts +6 -23
package/ts/opsserver/handlers/email-ops.handler.ts +7 -0
package/ts/opsserver/handlers/logs.handler.ts +3 -0
package/ts/opsserver/handlers/network-target.handler.ts +6 -23
package/ts/opsserver/handlers/radius.handler.ts +31 -0
package/ts/opsserver/handlers/remoteingress.handler.ts +23 -0
package/ts/opsserver/handlers/route-management.handler.ts +6 -25
package/ts/opsserver/handlers/security.handler.ts +31 -6
package/ts/opsserver/handlers/source-profile.handler.ts +6 -23
package/ts/opsserver/handlers/stats.handler.ts +7 -0
package/ts/opsserver/handlers/target-profile.handler.ts +6 -23
package/ts/opsserver/handlers/users.handler.ts +32 -12
package/ts/opsserver/handlers/vpn.handler.ts +33 -0
package/ts/opsserver/handlers/workhoster.handler.ts +18 -33
package/ts/opsserver/helpers/auth.ts +91 -0
package/ts_web/00_commitinfo_data.ts +1 -1
package/ts_web/elements/access/ops-view-apitokens.ts +1 -20

package/ts/opsserver/handlers/dns-record.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 /**
  * CRUD handlers for DnsRecordDoc.
@@ -17,29 +18,11 @@ export class DnsRecordHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {

package/ts/opsserver/handlers/domain.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 /**
  * CRUD handlers for DomainDoc.
@@ -17,29 +18,11 @@ export class DomainHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {

package/ts/opsserver/handlers/email-domain.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 /**
  * CRUD + DNS provisioning handler for email domains.
@@ -19,29 +20,11 @@ export class EmailDomainHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private get manager() {

package/ts/opsserver/handlers/email-ops.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class EmailOpsHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -18,6 +19,7 @@ export class EmailOpsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAllEmails>(
         'getAllEmails',
         async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'emails:read' });
           const emails = this.getAllQueueEmails();
           return { emails };
         }
@@ -29,6 +31,7 @@ export class EmailOpsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDetail>(
         'getEmailDetail',
         async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'emails:read' });
           const email = this.getEmailDetail(dataArg.emailId);
           return { email };
         }
@@ -42,6 +45,10 @@ export class EmailOpsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ResendEmail>(
         'resendEmail',
         async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'emails:write',
+            requireAdminIdentity: true,
+          });
           const emailServer = this.opsServerRef.dcRouterRef.emailServer;
           if (!emailServer?.deliveryQueue) {
             return { success: false, error: 'Email server not available' };

package/ts/opsserver/handlers/logs.handler.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 import { logBuffer, baseLogger } from '../../logger.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 // Module-level singleton: the log push destination is added once and reuses
 // the current OpsServer reference so it survives OpsServer restarts without
@@ -40,6 +41,7 @@ export class LogsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRecentLogs>(
         'getRecentLogs',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'logs:read' });
           const logs = await this.getRecentLogs(
             dataArg.level,
             dataArg.category,
@@ -63,6 +65,7 @@ export class LogsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetLogStream>(
         'getLogStream',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'logs:read' });
           // Create a virtual stream for log streaming
           const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();

package/ts/opsserver/handlers/network-target.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class NetworkTargetHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -14,29 +15,11 @@ export class NetworkTargetHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {

package/ts/opsserver/handlers/radius.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class RadiusHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -19,6 +20,7 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusClients>(
         'getRadiusClients',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'radius:read' });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -43,6 +45,10 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetRadiusClient>(
         'setRadiusClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'radius:write',
+            requireAdminIdentity: true,
+          });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -64,6 +70,10 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveRadiusClient>(
         'removeRadiusClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'radius:write',
+            requireAdminIdentity: true,
+          });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -88,6 +98,7 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVlanMappings>(
         'getVlanMappings',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'radius:read' });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -124,6 +135,10 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetVlanMapping>(
         'setVlanMapping',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'radius:write',
+            requireAdminIdentity: true,
+          });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -156,6 +171,10 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveVlanMapping>(
         'removeVlanMapping',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'radius:write',
+            requireAdminIdentity: true,
+          });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -177,6 +196,10 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateVlanConfig>(
         'updateVlanConfig',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'radius:write',
+            requireAdminIdentity: true,
+          });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -209,6 +232,7 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TestVlanAssignment>(
         'testVlanAssignment',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'radius:read' });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -243,6 +267,7 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusSessions>(
         'getRadiusSessions',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'radius:read' });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -292,6 +317,10 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DisconnectRadiusSession>(
         'disconnectRadiusSession',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'radius:write',
+            requireAdminIdentity: true,
+          });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -317,6 +346,7 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusAccountingSummary>(
         'getRadiusAccountingSummary',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'radius:read' });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {
@@ -354,6 +384,7 @@ export class RadiusHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusStatistics>(
         'getRadiusStatistics',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'radius:read' });
           const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
           if (!radiusServer) {

package/ts/opsserver/handlers/remoteingress.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class RemoteIngressHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -18,6 +19,7 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngresses>(
         'getRemoteIngresses',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'remote-ingress:read' });
           const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
           if (!manager) {
             return { edges: [] };
@@ -46,6 +48,10 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRemoteIngress>(
         'createRemoteIngress',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'remote-ingress:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
           const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
@@ -78,6 +84,10 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRemoteIngress>(
         'deleteRemoteIngress',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'remote-ingress:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
           const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
@@ -103,6 +113,10 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateRemoteIngress>(
         'updateRemoteIngress',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'remote-ingress:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
           const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
@@ -148,6 +162,10 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RegenerateRemoteIngressSecret>(
         'regenerateRemoteIngressSecret',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'remote-ingress:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
           const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
@@ -175,6 +193,7 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressStatus>(
         'getRemoteIngressStatus',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'remote-ingress:read' });
           const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
           if (!tunnelManager) {
             return { statuses: [] };
@@ -189,6 +208,10 @@ export class RemoteIngressHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressConnectionToken>(
         'getRemoteIngressConnectionToken',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'remote-ingress:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
           if (!manager) {
             return { success: false, message: 'RemoteIngress not configured' };

package/ts/opsserver/handlers/route-management.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class RouteManagementHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,31 +19,11 @@ export class RouteManagementHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    // Try JWT identity first
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    // Try API token
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {

package/ts/opsserver/handlers/security.handler.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 import { MetricsManager } from '../../monitoring/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class SecurityHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -17,6 +18,7 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityMetrics>(
         'getSecurityMetrics',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const metrics = await this.collectSecurityMetrics();
           return {
             metrics: {
@@ -43,6 +45,7 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetActiveConnections>(
         'getActiveConnections',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const connections = await this.getActiveConnections(dataArg.protocol, dataArg.state);
           const connectionInfos: interfaces.data.IConnectionInfo[] = connections.map(conn => ({
             id: conn.id,
@@ -82,6 +85,7 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkStats>(
         'getNetworkStats',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           // Get network stats from MetricsManager if available
           if (this.opsServerRef.dcRouterRef.metricsManager) {
             const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
@@ -136,6 +140,7 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRateLimitStatus>(
         'getRateLimitStatus',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const status = await this.getRateLimitStatus(dataArg.domain, dataArg.ip);
           const limits: interfaces.data.IRateLimitInfo[] = status.limits.map(limit => ({
             domain: limit.identifier,
@@ -161,7 +166,8 @@ export class SecurityHandler {
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListSecurityBlockRules>(
         'listSecurityBlockRules',
-        async () => {
+        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           return { rules: manager ? await manager.listBlockRules() : [] };
         },
@@ -171,7 +177,8 @@ export class SecurityHandler {
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListIpIntelligence>(
         'listIpIntelligence',
-        async () => {
+        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           return { records: manager ? await manager.listIpIntelligence() : [] };
         },
@@ -181,7 +188,8 @@ export class SecurityHandler {
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCompiledSecurityPolicy>(
         'getCompiledSecurityPolicy',
-        async () => {
+        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           return {
             policy: manager
@@ -196,6 +204,7 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListSecurityPolicyAudit>(
         'listSecurityPolicyAudit',
         async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           return { events: manager ? await manager.listAuditEvents(dataArg.limit || 100) : [] };
         },
@@ -208,6 +217,10 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSecurityBlockRule>(
         'createSecurityBlockRule',
         async (dataArg) => {
+          const auth = await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'security:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           if (!manager) return { success: false, message: 'Security policy manager not initialized' };
           const rule = await manager.createBlockRule({
@@ -216,7 +229,7 @@ export class SecurityHandler {
             matchMode: dataArg.matchMode,
             reason: dataArg.reason,
             enabled: dataArg.enabled,
-          }, dataArg.identity.userId);
+          }, auth.userId);
           return { success: true, rule };
         },
       ),
@@ -226,6 +239,10 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSecurityBlockRule>(
         'updateSecurityBlockRule',
         async (dataArg) => {
+          const auth = await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'security:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           if (!manager) return { success: false, message: 'Security policy manager not initialized' };
           const rule = await manager.updateBlockRule(dataArg.id, {
@@ -233,7 +250,7 @@ export class SecurityHandler {
             matchMode: dataArg.matchMode,
             reason: dataArg.reason,
             enabled: dataArg.enabled,
-          }, dataArg.identity.userId);
+          }, auth.userId);
           return rule ? { success: true, rule } : { success: false, message: 'Rule not found' };
         },
       ),
@@ -243,9 +260,13 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSecurityBlockRule>(
         'deleteSecurityBlockRule',
         async (dataArg) => {
+          const auth = await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'security:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           if (!manager) return { success: false, message: 'Security policy manager not initialized' };
-          const success = await manager.deleteBlockRule(dataArg.id, dataArg.identity.userId);
+          const success = await manager.deleteBlockRule(dataArg.id, auth.userId);
           return { success, message: success ? undefined : 'Rule not found' };
         },
       ),
@@ -255,6 +276,10 @@ export class SecurityHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RefreshIpIntelligence>(
         'refreshIpIntelligence',
         async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'security:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
           if (!manager) return { success: false, message: 'Security policy manager not initialized' };
           const record = await manager.refreshIpIntelligence(dataArg.ipAddress);

package/ts/opsserver/handlers/source-profile.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class SourceProfileHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -14,29 +15,11 @@ export class SourceProfileHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {