npm - @solidxai/core - Versions diffs - 0.1.8-beta.8 → 0.1.8 - Mend

@solidxai/core 0.1.8-beta.8 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (145) hide show

package/src/services/api-key.service.ts ADDED Viewed

@@ -0,0 +1,111 @@
+import {
+    ForbiddenException,
+    Injectable,
+    Logger,
+    NotFoundException,
+    UnauthorizedException,
+} from '@nestjs/common';
+import { createHash, randomBytes } from 'crypto';
+import { CreateApiKeyDto } from 'src/dtos/create-api-key.dto';
+import { UpdateApiKeyDto } from 'src/dtos/update-api-key.dto';
+import { UserApiKey } from 'src/entities/user-api-key.entity';
+import { User } from 'src/entities/user.entity';
+import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
+import { UserApiKeyRepository } from 'src/repository/user-api-key.repository';
+import { PermissionMetadataService } from 'src/services/permission-metadata.service';
+@Injectable()
+export class ApiKeyService {
+    private readonly logger = new Logger(ApiKeyService.name);
+    constructor(
+        private readonly apiKeyRepository: UserApiKeyRepository,
+        private readonly permissionMetadataService: PermissionMetadataService,
+    ) {}
+    async generate(userId: number, dto: CreateApiKeyDto): Promise<{ apiKey: string; record: UserApiKey }> {
+        const user = await this.apiKeyRepository.manager.findOne(User, {
+            where: { id: userId },
+            select: ['id', 'isAllowedToGenerateApiKeys'],
+        });
+        if (!user?.isAllowedToGenerateApiKeys) {
+            throw new ForbiddenException('You are not allowed to generate API keys');
+        }
+        const rawKey = 'sldx_' + randomBytes(32).toString('hex');
+        const hashedKey = this.hash(rawKey);
+        const maskedKey = 'sldx_****' + rawKey.slice(-4);
+        const record = this.apiKeyRepository.create({
+            name: dto.name,
+            hashedKey,
+            maskedKey,
+            isActive: true,
+            expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : null,
+            user,
+        });
+        await this.apiKeyRepository.save(record);
+        // Strip hashedKey from the returned record — maskedKey is all the UI needs
+        delete (record as any).hashedKey;
+        return { apiKey: rawKey, record };
+    }
+    async validate(rawKey: string): Promise<ActiveUserData> {
+        const hashedKey = this.hash(rawKey);
+        // Bypass security rules for auth validation — must find the key regardless of caller context
+        const keyRecord = await this.apiKeyRepository.findOne({
+            where: { hashedKey, isActive: true },
+            relations: ['user', 'user.roles'],
+        });
+        if (!keyRecord) {
+            throw new UnauthorizedException();
+        }
+        if (keyRecord.expiresAt && keyRecord.expiresAt < new Date()) {
+            throw new UnauthorizedException('API key expired');
+        }
+        // Fire-and-forget — does not need security rule context
+        this.apiKeyRepository.update(keyRecord.id, { lastUsedAt: new Date() }).catch((err) => {
+            this.logger.warn(`Failed to update lastUsedAt for key ${keyRecord.id}: ${err.message}`);
+        });
+        const roles = (keyRecord.user.roles ?? []).map((r) => r.name);
+        const permissions = await this.permissionMetadataService.findAllUsingRoles(roles);
+        return {
+            sub: keyRecord.user.id,
+            username: keyRecord.user.username,
+            email: keyRecord.user.email,
+            roles,
+            permissions: permissions.map((p) => p.name),
+        };
+    }
+    async updateKey(id: number, userId: number, dto: UpdateApiKeyDto): Promise<void> {
+        const keyRecord = await this.apiKeyRepository.findOne({
+            where: { id, user: { id: userId } },
+        });
+        if (!keyRecord) {
+            throw new NotFoundException('API key not found');
+        }
+        await this.apiKeyRepository.manager
+            .createQueryBuilder()
+            .update(UserApiKey)
+            .set({ isActive: dto.isActive })
+            .where('id = :id', { id })
+            .execute();
+    }
+    private hash(rawKey: string): string {
+        return createHash('sha256').update(rawKey).digest('hex');
+    }
+}

package/src/services/authentication.service.ts CHANGED Viewed

@@ -41,6 +41,7 @@ import { EventDetails, EventType } from "../interfaces";
 import { ActiveUserData } from '../interfaces/active-user-data.interface';
 import { HashingService } from './hashing.service';
 import { InvalidatedRefreshTokenError, RefreshTokenIdsStorageService } from './refresh-token-ids-storage.service';
+import { SsoCodeStorageService } from './sso-code-storage.service';
 import { RoleMetadataService } from './role-metadata.service';
 import { SettingService } from './setting.service';
 import { UserActivityHistoryService } from './user-activity-history.service';
@@ -78,6 +79,7 @@ export class AuthenticationService {
         private readonly settingService: SettingService,
         private readonly roleMetadataService: RoleMetadataService,
         private readonly userActivityHistoryService: UserActivityHistoryService,
+        private readonly ssoCodeStorage: SsoCodeStorageService,
         @InjectDataSource()
         private readonly dataSource: DataSource,
@@ -152,6 +154,10 @@ export class AuthenticationService {
             const defaultRole = this.settingService.getConfigValue<SolidCoreSetting>('defaultRole');
             var { user, pwd, autoGeneratedPwd } = await this.populateForSignup(new User(), signUpDto, activateUserOnRegistration, onForcePasswordChange);
+            const privateDto = signUpDto as { isAllowedToGenerateApiKeys?: boolean };
+            if (privateDto.isAllowedToGenerateApiKeys !== undefined) {
+                user.isAllowedToGenerateApiKeys = privateDto.isAllowedToGenerateApiKeys;
+            }
             const savedUser = await this.userRepository.save(user);
             // Also assign a default role to the newly created user.
             const userRoles = signUpDto.roles ?? [];
@@ -879,11 +885,15 @@ export class AuthenticationService {
         }
     }
-    private async buildLoginTokenResponse(user: User) {
-        const { accessToken, refreshToken } = await this.generateTokens(user);
+    private buildUserPayload(user: User) {
         const { id, username, email, mobile, lastLoginProvider } = user;
         const roles = user.roles.map((role) => role.name);
-        return { accessToken, refreshToken, user: { id, username, email, mobile, lastLoginProvider, roles } };
+        return { id, username, email, mobile, lastLoginProvider, roles };
+    }
+    private async buildLoginTokenResponse(user: User) {
+        const { accessToken, refreshToken } = await this.generateTokens(user);
+        return { accessToken, refreshToken, user: this.buildUserPayload(user) };
     }
     async changePassword(changePasswordDto: ChangePasswordDto, activeUser: ActiveUserData) {
@@ -1414,6 +1424,28 @@ export class AuthenticationService {
         return response;
     }
+    async generateSsoCode(activeUser: ActiveUserData, rawAccessToken: string): Promise<{ ssoCode: string }> {
+        const refreshTokenState = await this.refreshTokenIdsStorage.getCurrentRefreshTokenState(activeUser.sub);
+        if (!refreshTokenState?.currentRefreshToken) {
+            throw new UnauthorizedException('No active session found');
+        }
+        const ssoCode = await this.ssoCodeStorage.generateCode(
+            activeUser.sub,
+            rawAccessToken,
+            refreshTokenState.currentRefreshToken,
+        );
+        return { ssoCode };
+    }
+    async exchangeSsoCode(code: string) {
+        const { userId, accessToken, refreshToken } = await this.ssoCodeStorage.consumeCode(code);
+        const user = await this.userRepository.findOne({ where: { id: userId }, relations: { roles: true } });
+        if (!user) {
+            throw new UnauthorizedException('User not found');
+        }
+        return { accessToken, refreshToken, user: this.buildUserPayload(user) };
+    }
 }
 function parseUniqueConstraintError(detail: string): string {

package/src/services/encryption.service.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import * as crypto from 'crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const SCRYPT_SALT = 'solid-encryption-salt';
+const ENC_PREFIX = 'enc:';
+export class EncryptionService {
+  private readonly key: Buffer;
+  constructor(secret: string) {
+    if (!secret) throw new Error('EncryptionService: secret must not be empty');
+    this.key = crypto.scryptSync(secret, SCRYPT_SALT, KEY_LENGTH) as Buffer;
+  }
+  encrypt(plaintext: string): string {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, this.key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return `${ENC_PREFIX}${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted.toString('hex')}`;
+  }
+  decrypt(ciphertext: string): string {
+    if (!ciphertext.startsWith(ENC_PREFIX)) {
+      throw new Error('EncryptionService: value does not appear to be encrypted');
+    }
+    const payload = ciphertext.slice(ENC_PREFIX.length);
+    const [ivHex, authTagHex, encryptedHex] = payload.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const authTag = Buffer.from(authTagHex, 'hex');
+    const encryptedBuf = Buffer.from(encryptedHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, this.key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    return decipher.update(encryptedBuf).toString('utf8') + decipher.final('utf8');
+  }
+  isEncrypted(value: string): boolean {
+    return typeof value === 'string' && value.startsWith(ENC_PREFIX);
+  }
+}

package/src/services/setting.service.ts CHANGED Viewed

@@ -15,6 +15,7 @@ import { ISettingsProvider, NoInfer, SettingDefinition, SettingLevel } from '../
 import { ModuleMetadataRepository } from 'src/repository/module-metadata.repository';
 import type { SolidCoreSetting } from './settings/default-settings-provider.service';
 import { Logger } from '@nestjs/common';
+import { EncryptionService } from './encryption.service';
 @Injectable()
@@ -23,6 +24,7 @@ export class SettingService {
   private settings: SettingDefinition[] = [];
   private settingsByKey = new Map<string, SettingDefinition>();
+  private readonly encryptionService: EncryptionService | null;
   private readonly arrayKeysToSkip = new Set([
     'authenticationPasswordRegex',
@@ -38,7 +40,11 @@ export class SettingService {
     readonly moduleMetadataRepo: ModuleMetadataRepository,
     private readonly requestContextService: RequestContextService,
     @InjectRepository(User) private readonly userRepository: Repository<User>,
-  ) { }
+  ) {
+    const encKey = process.env.APP_ENCRYPTION_KEY;
+    this.encryptionService = encKey ? new EncryptionService(encKey) : null;
+    if (!encKey) this._logger.warn('APP_ENCRYPTION_KEY is not set — encrypted settings will not be decrypted');
+  }
   private async getSettingsFromDb(): Promise<Setting[]> {
     const settings = await this.repo.find({ relations: ['user'] });
@@ -112,7 +118,15 @@ export class SettingService {
       const settingFromDb = settingsFromDbByKey.get(setting.key);
       const valueFromDb = settingFromDb?.value;
       if (settingFromDb?.key && valueFromDb !== undefined && valueFromDb !== null) {
-        const parsedValue = typeof valueFromDb === 'string' ? this.parseSettingValue(valueFromDb, settingFromDb.key) : valueFromDb;
+        let rawValue = valueFromDb;
+        if (settingFromDb.encrypted && this.encryptionService) {
+          try {
+            rawValue = this.encryptionService.decrypt(rawValue);
+          } catch {
+            this._logger.warn(`Failed to decrypt setting "${setting.key}" — using raw value`);
+          }
+        }
+        const parsedValue = typeof rawValue === 'string' ? this.parseSettingValue(rawValue, settingFromDb.key) : rawValue;
         return { ...setting, value: parsedValue };
       }
       return setting;
@@ -149,30 +163,38 @@ export class SettingService {
     const settingsToMutate: Setting[] = [];
     // const settingsToUpdate: Setting[] = [];
-    for (const { key, value, level, moduleName } of saEditableAndAbove) {
+    for (const { key, value, level, moduleName, encrypted } of saEditableAndAbove) {
       const moduleMetadata = await this.moduleMetadataRepo.findOneBy({ name: moduleName });
       if (!existingSettingsFromDbByKey.has(key)) {
         const setting = new Setting();
         setting.key = key;
         setting.level = level;
+        setting.encrypted = !!encrypted;
         if (moduleMetadata)
           setting.moduleMetadata = moduleMetadata;
+        let rawValue: string | null;
         if (typeof value === 'boolean') {
-          setting.value = value.toString();
+          rawValue = value.toString();
         } else if (Array.isArray(value)) {
-          setting.value = value.join(',');
+          rawValue = value.join(',');
         } else if (value === null || value === undefined) {
-          setting.value = null;
+          rawValue = null;
         } else {
-          setting.value = String(value);
+          rawValue = String(value);
         }
+        if (encrypted && this.encryptionService && rawValue !== null) {
+          rawValue = this.encryptionService.encrypt(rawValue);
+        }
+        setting.value = rawValue;
         settingsToMutate.push(setting);
       }
       else {
         const setting = existingSettingsFromDbByKey.get(key);
         setting.level = level;
+        setting.encrypted = !!encrypted;
         if (moduleMetadata)
           setting.moduleMetadata = moduleMetadata;
         settingsToMutate.push(setting);
@@ -289,22 +311,29 @@ export class SettingService {
       }
       const key = settingDto.key;
-      // const value = settingDto.value ?? '';
       const rawValue = settingDto.value;
-      const value = rawValue === null || rawValue === undefined ? null : String(rawValue);
+      let value = rawValue === null || rawValue === undefined ? null : String(rawValue);
       const settingType = settingDto.type ?? 'system';
+      const definition = this.settingsByKey.get(key);
+      const shouldEncrypt = !!definition?.encrypted && this.encryptionService !== null && value !== null;
+      if (shouldEncrypt) {
+        value = this.encryptionService.encrypt(value);
+      }
       const existingSetting = existingSettings.find(s => s.key === key);
       if (existingSetting) {
         existingSetting.value = value;
         existingSetting.type = settingType;
+        existingSetting.encrypted = shouldEncrypt;
         settingsToUpdate.push(existingSetting);
       } else {
         const newSetting = new Setting();
         newSetting.key = key;
         newSetting.value = value;
         newSetting.type = settingType;
+        newSetting.encrypted = shouldEncrypt;
         if (settingType === 'user' && user) {
           newSetting.user = user;

package/src/services/settings/default-settings-provider.service.ts CHANGED Viewed

@@ -35,12 +35,13 @@ const getSolidCoreSettings = (isProd: boolean) => ([
   {
     moduleName: "solid-core", key: "solidXGenAiCodeBuilderConfig", value: JSON.stringify({
       models: {
-        default: { providerKey: "", behavior: { streaming: false, custom: "" } },
-        fast: { providerKey: "", behavior: { streaming: false, custom: "" } },
+        default: { providerId: "", model: "", behavior: { streaming: false, custom: "" } },
+        fast: { providerId: "", model: "", behavior: { streaming: false, custom: "" } },
       },
       providers: {},
-    }), level: SettingLevel.SystemAdminEditable
+    }), level: SettingLevel.SystemAdminEditable, encrypted: true
   },
+  { moduleName: "solid-core", key: "appEncryptionKey", value: process.env.APP_ENCRYPTION_KEY, level: SettingLevel.SystemEnv },
   { moduleName: "solid-core", key: "mcpEnabled", value: process.env.MCP_ENABLED || false, level: SettingLevel.SystemAdminReadonly },
   { moduleName: "solid-core", key: "mcpServerUrl", value: process.env.MCP_SERVER_URL, level: SettingLevel.SystemAdminReadonly },
   { moduleName: "solid-core", key: "mcpApiKey", value: process.env.MCP_API_KEY, level: SettingLevel.SystemEnv },

package/src/services/sso-code-storage.service.ts ADDED Viewed

@@ -0,0 +1,36 @@
+import { CACHE_MANAGER } from '@nestjs/cache-manager';
+import { Inject, Injectable, UnauthorizedException } from '@nestjs/common';
+import { Cache } from 'cache-manager';
+import { randomBytes } from 'crypto';
+const SSO_CODE_TTL_MS = 60 * 1000; // 60 seconds
+interface SsoCodeEntry {
+    userId: number;
+    accessToken: string;
+    refreshToken: string;
+}
+@Injectable()
+export class SsoCodeStorageService {
+    constructor(@Inject(CACHE_MANAGER) private cacheManager: Cache) {}
+    async generateCode(userId: number, accessToken: string, refreshToken: string): Promise<string> {
+        const code = randomBytes(32).toString('hex');
+        await this.cacheManager.set(this.getKey(code), { userId, accessToken, refreshToken }, SSO_CODE_TTL_MS);
+        return code;
+    }
+    async consumeCode(code: string): Promise<SsoCodeEntry> {
+        const entry = await this.cacheManager.get<SsoCodeEntry>(this.getKey(code));
+        if (!entry) {
+            throw new UnauthorizedException('Invalid or expired SSO code');
+        }
+        await this.cacheManager.del(this.getKey(code));
+        return entry;
+    }
+    private getKey(code: string): string {
+        return `sso-code-${code}`;
+    }
+}

package/src/solid-core.module.ts CHANGED Viewed

@@ -78,6 +78,7 @@ import { MqMessageQueue } from './entities/mq-message-queue.entity';
 import { MqMessage } from './entities/mq-message.entity';
 import { SmsTemplate } from './entities/sms-template.entity';
 import { AccessTokenGuard } from './guards/access-token.guard';
+import { ApiKeyGuard } from './guards/api-key.guard';
 import { AuthenticationGuard } from './guards/authentication.guard';
 import { PermissionsGuard } from './guards/permissions.guard';
 import { SolidRegistry } from './helpers/solid-registry';
@@ -126,6 +127,7 @@ import { TwilioSmsQueuePublisherRedis } from './jobs/redis/twilio-sms-publisher-
 import { TwilioSmsQueueSubscriberRedis } from './jobs/redis/twilio-sms-subscriber-redis.service';
 import { UserRegistrationListener } from './listeners/user-registration.listener';
 import { GoogleOauthStrategy } from './passport-strategies/google-oauth.strategy';
+import { ApiKeyService } from './services/api-key.service';
 import { AuthenticationService } from './services/authentication.service';
 import { BcryptService } from './services/bcrypt.service';
 import { UuidExternalIdEntityComputedFieldProvider } from './services/computed-fields/entity/uuid-externalid-entity-computed-field-provider.service';
@@ -140,6 +142,7 @@ import { MqMessageQueueService } from './services/mq-message-queue.service';
 import { MqMessageService } from './services/mq-message.service';
 import { PdfService } from './services/pdf.service';
 import { RefreshTokenIdsStorageService } from './services/refresh-token-ids-storage.service';
+import { SsoCodeStorageService } from './services/sso-code-storage.service';
 import { ListOfModelsSelectionProvider } from './services/selection-providers/list-of-models-selection-provider.service';
 import { TinyUrlService } from './services/short-url/tiny-url.service';
 import { SmsTemplateService } from './services/sms-template.service';
@@ -205,6 +208,7 @@ import { SecurityRule } from './entities/security-rule.entity';
 import { Setting } from './entities/setting.entity';
 import { UserActivityHistory } from './entities/user-activity-history.entity';
 import { UserViewMetadata } from './entities/user-view-metadata.entity';
+import { UserApiKey } from './entities/user-api-key.entity';
 import { User } from './entities/user.entity';
 import { HttpExceptionFilter } from './filters/http-exception.filter';
 import { ModelMetadataHelperService } from './helpers/model-metadata-helper.service';
@@ -284,6 +288,7 @@ import { SettingRepository } from './repository/setting.repository';
 import { SmsTemplateRepository } from './repository/sms-template.repository';
 import { UserActivityHistoryRepository } from './repository/user-activity-history.repository';
 import { UserViewMetadataRepository } from './repository/user-view-metadata.repository';
+import { UserApiKeyRepository } from './repository/user-api-key.repository';
 import { UserRepository } from './repository/user.repository';
 import { ViewMetadataRepository } from './repository/view-metadata.repository';
 import { PermissionMetadataSeederService } from './seeders/permission-metadata-seeder.service';
@@ -415,6 +420,7 @@ import { Entity } from 'typeorm';
       Setting,
       SmsTemplate,
       User,
+      UserApiKey,
       UserActivityHistory,
       UserViewMetadata,
       ViewMetadata,
@@ -627,9 +633,12 @@ import { Entity } from 'typeorm';
     LocaleListSelectionProvider,
     SoftDeleteAwareEventSubscriber,
     AccessTokenGuard,
+    ApiKeyGuard,
+    ApiKeyService,
     AuthenticationService,
     GoogleAuthenticationController,
     RefreshTokenIdsStorageService,
+    SsoCodeStorageService,
     GoogleOauthStrategy,
     UserRegistrationListener,
     TestQueuePublisher,
@@ -679,6 +688,7 @@ import { Entity } from 'typeorm';
     RoleMetadataService,
     PermissionMetadataSeederService,
     UserService,
+    UserApiKeyRepository,
     UserRepository,
     SettingService,
     ConcatComputedFieldProvider,

package/src/subscribers/audit.subscriber.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { Injectable, Logger, Scope } from '@nestjs/common';
 import { lowerFirst } from 'src/helpers/string.helper';
 import { SolidRegistry } from 'src/helpers/solid-registry';
 import { DataSource, EntityMetadata, EntitySubscriberInterface, InsertEvent, RemoveEvent, UpdateEvent } from 'typeorm';
-import { AuditQueuePayload } from 'src/jobs/rabbitmq/chatter-queue-publisher.service';
+import { AuditQueuePayload } from 'src/interfaces';
 import { RequestContextService } from 'src/services/request-context.service';
 import { PublisherFactory } from 'src/services/queues/publisher-factory.service';