@spfn/core 0.2.0-beta.12 → 0.2.0-beta.13

package/dist/server/index.js

@@ -8,6 +8,7 @@ import { registerRoutes } from '@spfn/core/route';
 import { ErrorHandler, RequestLogger } from '@spfn/core/middleware';
 import { streamSSE } from 'hono/streaming';
 import { logger } from '@spfn/core/logger';
+import { randomBytes } from 'crypto';
 import { initDatabase, getDatabase, closeDatabase } from '@spfn/core/db';
 import { initCache, getCache, closeCache } from '@spfn/core/cache';
 import { serve } from '@hono/node-server';
@@ -333,17 +334,26 @@ function loadEnvFiles() {
   }
 }
 var sseLogger = logger.child("@spfn/core:sse");
-function createSSEHandler(router, config2 = {}) {
+function createSSEHandler(router, config2 = {}, tokenManager) {
   const {
-    pingInterval = 3e4
-    // headers: customHeaders = {},  // Reserved for future use
+    pingInterval = 3e4,
+    auth: authConfig
   } = config2;
   return async (c) => {
-    const eventsParam = c.req.query("events");
-    if (!eventsParam) {
+    const subject = await authenticateToken(c, tokenManager);
+    if (subject === false) {
+      return c.json({ error: "Missing token parameter" }, 401);
+    }
+    if (subject === null) {
+      return c.json({ error: "Invalid or expired token" }, 401);
+    }
+    if (subject) {
+      c.set("sseSubject", subject);
+    }
+    const requestedEvents = parseRequestedEvents(c);
+    if (!requestedEvents) {
       return c.json({ error: "Missing events parameter" }, 400);
     }
-    const requestedEvents = eventsParam.split(",").map((e) => e.trim());
     const validEventNames = router.eventNames;
     const invalidEvents = requestedEvents.filter((e) => !validEventNames.includes(e));
     if (invalidEvents.length > 0) {
@@ -353,19 +363,29 @@ function createSSEHandler(router, config2 = {}) {
         validEvents: validEventNames
       }, 400);
     }
+    const allowedEvents = await authorizeEvents(subject, requestedEvents, authConfig);
+    if (allowedEvents === null) {
+      return c.json({ error: "Not authorized for any requested events" }, 403);
+    }
     sseLogger.debug("SSE connection requested", {
-      events: requestedEvents,
+      events: allowedEvents,
+      subject: subject || void 0,
       clientIp: c.req.header("x-forwarded-for") || c.req.header("x-real-ip")
     });
     return streamSSE(c, async (stream) => {
       const unsubscribes = [];
       let messageId = 0;
-      for (const eventName of requestedEvents) {
+      for (const eventName of allowedEvents) {
         const eventDef = router.events[eventName];
         if (!eventDef) {
           continue;
         }
         const unsubscribe = eventDef.subscribe((payload) => {
+          if (subject && authConfig?.filter?.[eventName]) {
+            if (!authConfig.filter[eventName](subject, payload)) {
+              return;
+            }
+          }
           messageId++;
           const message = {
             event: eventName,
@@ -384,13 +404,13 @@ function createSSEHandler(router, config2 = {}) {
         unsubscribes.push(unsubscribe);
       }
       sseLogger.info("SSE connection established", {
-        events: requestedEvents,
+        events: allowedEvents,
         subscriptionCount: unsubscribes.length
       });
       await stream.writeSSE({
         event: "connected",
         data: JSON.stringify({
-          subscribedEvents: requestedEvents,
+          subscribedEvents: allowedEvents,
           timestamp: Date.now()
         })
       });
@@ -407,7 +427,7 @@ function createSSEHandler(router, config2 = {}) {
       clearInterval(pingTimer);
       unsubscribes.forEach((fn) => fn());
       sseLogger.info("SSE connection closed", {
-        events: requestedEvents
+        events: allowedEvents
       });
     }, async (err) => {
       sseLogger.error("SSE stream error", {
@@ -416,6 +436,99 @@ function createSSEHandler(router, config2 = {}) {
     });
   };
 }
+async function authenticateToken(c, tokenManager) {
+  if (!tokenManager) {
+    return void 0;
+  }
+  const token = c.req.query("token");
+  if (!token) {
+    return false;
+  }
+  return await tokenManager.verify(token);
+}
+function parseRequestedEvents(c) {
+  const eventsParam = c.req.query("events");
+  if (!eventsParam) {
+    return null;
+  }
+  return eventsParam.split(",").map((e) => e.trim());
+}
+async function authorizeEvents(subject, requestedEvents, authConfig) {
+  if (!subject || !authConfig?.authorize) {
+    return requestedEvents;
+  }
+  const allowed = await authConfig.authorize(subject, requestedEvents);
+  if (allowed.length === 0) {
+    return null;
+  }
+  return allowed;
+}
+var InMemoryTokenStore = class {
+  tokens = /* @__PURE__ */ new Map();
+  async set(token, data) {
+    this.tokens.set(token, data);
+  }
+  async consume(token) {
+    const data = this.tokens.get(token);
+    if (!data) {
+      return null;
+    }
+    this.tokens.delete(token);
+    return data;
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [token, data] of this.tokens) {
+      if (data.expiresAt <= now) {
+        this.tokens.delete(token);
+      }
+    }
+  }
+};
+var SSETokenManager = class {
+  store;
+  ttl;
+  cleanupTimer = null;
+  constructor(config2) {
+    this.ttl = config2?.ttl ?? 3e4;
+    this.store = config2?.store ?? new InMemoryTokenStore();
+    const cleanupInterval = config2?.cleanupInterval ?? 6e4;
+    this.cleanupTimer = setInterval(() => void this.store.cleanup(), cleanupInterval);
+    this.cleanupTimer.unref();
+  }
+  /**
+   * Issue a new one-time-use token for the given subject
+   */
+  async issue(subject) {
+    const token = randomBytes(32).toString("hex");
+    await this.store.set(token, {
+      token,
+      subject,
+      expiresAt: Date.now() + this.ttl
+    });
+    return token;
+  }
+  /**
+   * Verify and consume a token
+   * @returns subject string if valid, null if invalid/expired/already consumed
+   */
+  async verify(token) {
+    const data = await this.store.consume(token);
+    if (!data || data.expiresAt <= Date.now()) {
+      return null;
+    }
+    return data.subject;
+  }
+  /**
+   * Cleanup timer and resources
+   */
+  destroy() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+  }
+};
 function createHealthCheckHandler(detailed) {
   return async (c) => {
     const response = {
@@ -641,13 +754,36 @@ function registerSSEEndpoint(app, config2) {
     return;
   }
   const eventsConfig = config2.eventsConfig ?? {};
-  const path = eventsConfig.path ?? "/events/stream";
+  const streamPath = eventsConfig.path ?? "/events/stream";
+  const authConfig = eventsConfig.auth;
   const debug = isDebugMode(config2);
-  app.get(path, createSSEHandler(config2.events, eventsConfig));
+  let tokenManager;
+  if (authConfig?.enabled) {
+    tokenManager = new SSETokenManager({
+      ttl: authConfig.tokenTtl,
+      store: authConfig.store
+    });
+    const tokenPath = streamPath.replace(/\/[^/]+$/, "/token");
+    const mwHandlers = (config2.middlewares ?? []).map((mw) => mw.handler);
+    const getSubject = authConfig.getSubject ?? ((c) => c.get("auth")?.userId ?? null);
+    app.post(tokenPath, ...mwHandlers, async (c) => {
+      const subject = getSubject(c);
+      if (!subject) {
+        return c.json({ error: "Unable to identify subject" }, 401);
+      }
+      const token = await tokenManager.issue(subject);
+      return c.json({ token });
+    });
+    if (debug) {
+      serverLogger.info(`\u2713 SSE token endpoint registered at POST ${tokenPath}`);
+    }
+  }
+  app.get(streamPath, createSSEHandler(config2.events, eventsConfig, tokenManager));
   if (debug) {
     const eventNames = config2.events.eventNames;
-    serverLogger.info(`\u2713 SSE endpoint registered at ${path}`, {
-      events: eventNames
+    serverLogger.info(`\u2713 SSE endpoint registered at ${streamPath}`, {
+      events: eventNames,
+      auth: !!authConfig?.enabled
     });
   }
 }