@stackmemoryai/stackmemory 0.5.58 → 0.5.59

package/dist/src/middleware/exponential-rate-limiter.js

@@ -0,0 +1,289 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import { logger } from "../core/monitoring/logger.js";
+import { metrics } from "../core/monitoring/metrics.js";
+class ExponentialRateLimiter {
+  redis;
+  localCache = /* @__PURE__ */ new Map();
+  localCacheOrder = [];
+  config;
+  constructor(redis, config = {}) {
+    this.redis = redis;
+    this.config = {
+      baseLimit: 10,
+      windowMs: 60 * 1e3,
+      // 1 minute
+      maxBackoff: 32,
+      backoffMultiplier: 2,
+      localCacheSize: 1e4,
+      localCacheTTL: 5 * 60 * 1e3,
+      // 5 minutes
+      whitelistIPs: [],
+      blacklistIPs: [],
+      customKeyGenerator: (req) => this.getClientIdentifier(req),
+      ...config
+    };
+    setInterval(() => this.cleanupLocalCache(), this.config.localCacheTTL);
+  }
+  /**
+   * Main middleware function with exponential backoff
+   */
+  middleware() {
+    return async (req, res, next) => {
+      const clientId = this.config.customKeyGenerator(req);
+      if (this.isWhitelisted(clientId)) {
+        return next();
+      }
+      if (this.isBlacklisted(clientId)) {
+        metrics.increment("rate_limit.blacklisted", { ip: clientId });
+        res.status(403).json({
+          error: "Access denied",
+          code: "BLACKLISTED_IP"
+        });
+        return;
+      }
+      try {
+        let entry = this.getFromLocalCache(clientId);
+        if (!entry) {
+          entry = await this.getFromRedis(clientId);
+        }
+        const now = Date.now();
+        if (entry.blockedUntil && entry.blockedUntil > now) {
+          const retryAfter = Math.ceil((entry.blockedUntil - now) / 1e3);
+          metrics.increment("rate_limit.blocked", {
+            ip: clientId,
+            backoffLevel: String(entry.backoffLevel)
+          });
+          res.status(429).json({
+            error: "Too many requests - exponential backoff applied",
+            code: "RATE_LIMIT_BACKOFF",
+            retryAfter,
+            backoffLevel: entry.backoffLevel
+          });
+          res.setHeader("Retry-After", String(retryAfter));
+          res.setHeader("X-RateLimit-BackoffLevel", String(entry.backoffLevel));
+          return;
+        }
+        if (now - entry.firstRequest > this.config.windowMs) {
+          entry = {
+            requests: 1,
+            violations: Math.max(0, entry.violations - 1),
+            // Decay violations
+            backoffLevel: Math.max(0, entry.backoffLevel - 1),
+            // Decay backoff
+            firstRequest: now,
+            lastRequest: now
+          };
+        } else {
+          entry.requests++;
+          entry.lastRequest = now;
+        }
+        const currentLimit = Math.max(
+          1,
+          Math.floor(
+            this.config.baseLimit / Math.pow(this.config.backoffMultiplier, entry.backoffLevel)
+          )
+        );
+        if (entry.requests > currentLimit) {
+          entry.violations++;
+          if (entry.backoffLevel < Math.log2(this.config.maxBackoff)) {
+            entry.backoffLevel++;
+          }
+          const backoffDuration = this.config.windowMs * Math.pow(this.config.backoffMultiplier, entry.backoffLevel);
+          entry.blockedUntil = now + backoffDuration;
+          await this.updateCaches(clientId, entry);
+          const retryAfter = Math.ceil(backoffDuration / 1e3);
+          metrics.increment("rate_limit.exceeded", {
+            ip: clientId,
+            violations: String(entry.violations),
+            backoffLevel: String(entry.backoffLevel)
+          });
+          res.status(429).json({
+            error: "Rate limit exceeded - entering exponential backoff",
+            code: "RATE_LIMIT_EXCEEDED",
+            retryAfter,
+            violations: entry.violations,
+            backoffLevel: entry.backoffLevel,
+            currentLimit
+          });
+          res.setHeader("Retry-After", String(retryAfter));
+          res.setHeader("X-RateLimit-Limit", String(currentLimit));
+          res.setHeader("X-RateLimit-Remaining", "0");
+          res.setHeader("X-RateLimit-BackoffLevel", String(entry.backoffLevel));
+          return;
+        }
+        await this.updateCaches(clientId, entry);
+        res.setHeader("X-RateLimit-Limit", String(currentLimit));
+        res.setHeader(
+          "X-RateLimit-Remaining",
+          String(currentLimit - entry.requests)
+        );
+        res.setHeader(
+          "X-RateLimit-Reset",
+          String(new Date(entry.firstRequest + this.config.windowMs).getTime())
+        );
+        if (entry.backoffLevel > 0) {
+          res.setHeader("X-RateLimit-BackoffLevel", String(entry.backoffLevel));
+        }
+        next();
+      } catch (error) {
+        logger.error(
+          "Rate limiter error",
+          error instanceof Error ? error : new Error(String(error))
+        );
+        next();
+      }
+    };
+  }
+  /**
+   * Get client identifier from request
+   */
+  getClientIdentifier(req) {
+    const forwarded = req.headers["x-forwarded-for"];
+    const realIp = req.headers["x-real-ip"];
+    const cfIp = req.headers["cf-connecting-ip"];
+    if (typeof forwarded === "string") {
+      return forwarded.split(",")[0].trim();
+    }
+    if (typeof realIp === "string") {
+      return realIp;
+    }
+    if (typeof cfIp === "string") {
+      return cfIp;
+    }
+    return req.ip || req.socket.remoteAddress || "unknown";
+  }
+  /**
+   * Check if IP is whitelisted
+   */
+  isWhitelisted(ip) {
+    return this.config.whitelistIPs.includes(ip) || ip === "127.0.0.1" || ip === "::1" || ip.startsWith("192.168.") || ip.startsWith("10.");
+  }
+  /**
+   * Check if IP is blacklisted
+   */
+  isBlacklisted(ip) {
+    return this.config.blacklistIPs.includes(ip);
+  }
+  /**
+   * Get rate limit entry from local cache
+   */
+  getFromLocalCache(clientId) {
+    const cached = this.localCache.get(clientId);
+    if (cached) {
+      const now = Date.now();
+      if (now - cached.lastRequest < this.config.localCacheTTL) {
+        return cached;
+      }
+      this.localCache.delete(clientId);
+      const index = this.localCacheOrder.indexOf(clientId);
+      if (index > -1) {
+        this.localCacheOrder.splice(index, 1);
+      }
+    }
+    return null;
+  }
+  /**
+   * Get rate limit entry from Redis
+   */
+  async getFromRedis(clientId) {
+    const key = `rate_limit:${clientId}`;
+    const data = await this.redis.get(key);
+    if (data) {
+      return JSON.parse(data);
+    }
+    return {
+      requests: 0,
+      violations: 0,
+      backoffLevel: 0,
+      firstRequest: Date.now(),
+      lastRequest: Date.now()
+    };
+  }
+  /**
+   * Update both local cache and Redis
+   */
+  async updateCaches(clientId, entry) {
+    if (!this.localCache.has(clientId)) {
+      if (this.localCache.size >= this.config.localCacheSize) {
+        const oldest = this.localCacheOrder.shift();
+        if (oldest) {
+          this.localCache.delete(oldest);
+        }
+      }
+      this.localCacheOrder.push(clientId);
+    }
+    this.localCache.set(clientId, entry);
+    const key = `rate_limit:${clientId}`;
+    const ttl = Math.ceil(
+      this.config.windowMs * Math.pow(2, entry.backoffLevel) / 1e3
+    );
+    await this.redis.setex(key, ttl, JSON.stringify(entry));
+  }
+  /**
+   * Clean up stale entries from local cache
+   */
+  cleanupLocalCache() {
+    const now = Date.now();
+    const staleThreshold = now - this.config.localCacheTTL;
+    for (const [clientId, entry] of this.localCache.entries()) {
+      if (entry.lastRequest < staleThreshold) {
+        this.localCache.delete(clientId);
+        const index = this.localCacheOrder.indexOf(clientId);
+        if (index > -1) {
+          this.localCacheOrder.splice(index, 1);
+        }
+      }
+    }
+    metrics.record("rate_limit.local_cache_size", this.localCache.size);
+  }
+  /**
+   * Reset rate limit for a specific client
+   */
+  async reset(clientId) {
+    this.localCache.delete(clientId);
+    const index = this.localCacheOrder.indexOf(clientId);
+    if (index > -1) {
+      this.localCacheOrder.splice(index, 1);
+    }
+    await this.redis.del(`rate_limit:${clientId}`);
+  }
+  /**
+   * Get current rate limit status for a client
+   */
+  async getStatus(clientId) {
+    let entry = this.getFromLocalCache(clientId);
+    if (!entry) {
+      const data = await this.redis.get(`rate_limit:${clientId}`);
+      if (data) {
+        entry = JSON.parse(data);
+      }
+    }
+    return entry;
+  }
+  /**
+   * Add IP to blacklist
+   */
+  blacklistIP(ip) {
+    if (!this.config.blacklistIPs.includes(ip)) {
+      this.config.blacklistIPs.push(ip);
+      logger.warn("IP blacklisted", { ip });
+    }
+  }
+  /**
+   * Remove IP from blacklist
+   */
+  unblacklistIP(ip) {
+    const index = this.config.blacklistIPs.indexOf(ip);
+    if (index > -1) {
+      this.config.blacklistIPs.splice(index, 1);
+      logger.info("IP unblacklisted", { ip });
+    }
+  }
+}
+export {
+  ExponentialRateLimiter
+};
+//# sourceMappingURL=exponential-rate-limiter.js.map

package/dist/src/middleware/exponential-rate-limiter.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/middleware/exponential-rate-limiter.ts"],
+  "sourcesContent": ["import { Request, Response, NextFunction } from 'express';\nimport Redis from 'ioredis';\nimport { logger } from '../core/monitoring/logger.js';\nimport { metrics } from '../core/monitoring/metrics.js';\n\ninterface RateLimitConfig {\n  baseLimit: number; // Initial requests allowed\n  windowMs: number; // Time window in milliseconds\n  maxBackoff: number; // Maximum backoff multiplier (e.g., 32 = 2^5)\n  backoffMultiplier: number; // Multiplier for each violation (typically 2)\n  localCacheSize: number; // Max IPs to cache locally\n  localCacheTTL: number; // Local cache TTL in ms\n  whitelistIPs?: string[]; // IPs to bypass rate limiting\n  blacklistIPs?: string[]; // IPs to block immediately\n  customKeyGenerator?: (req: Request) => string;\n}\n\ninterface RateLimitEntry {\n  requests: number;\n  violations: number;\n  backoffLevel: number;\n  firstRequest: number;\n  lastRequest: number;\n  blockedUntil?: number;\n}\n\nexport class ExponentialRateLimiter {\n  private redis: Redis;\n  private localCache: Map<string, RateLimitEntry> = new Map();\n  private localCacheOrder: string[] = [];\n  private config: Required<RateLimitConfig>;\n\n  constructor(redis: Redis, config: Partial<RateLimitConfig> = {}) {\n    this.redis = redis;\n    this.config = {\n      baseLimit: 10,\n      windowMs: 60 * 1000, // 1 minute\n      maxBackoff: 32,\n      backoffMultiplier: 2,\n      localCacheSize: 10000,\n      localCacheTTL: 5 * 60 * 1000, // 5 minutes\n      whitelistIPs: [],\n      blacklistIPs: [],\n      customKeyGenerator: (req) => this.getClientIdentifier(req),\n      ...config,\n    };\n\n    // Clean up local cache periodically\n    setInterval(() => this.cleanupLocalCache(), this.config.localCacheTTL);\n  }\n\n  /**\n   * Main middleware function with exponential backoff\n   */\n  middleware() {\n    return async (\n      req: Request,\n      res: Response,\n      next: NextFunction\n    ): Promise<void> => {\n      const clientId = this.config.customKeyGenerator(req);\n\n      // Check whitelist/blacklist\n      if (this.isWhitelisted(clientId)) {\n        return next();\n      }\n\n      if (this.isBlacklisted(clientId)) {\n        metrics.increment('rate_limit.blacklisted', { ip: clientId });\n        res.status(403).json({\n          error: 'Access denied',\n          code: 'BLACKLISTED_IP',\n        });\n        return;\n      }\n\n      try {\n        // Try local cache first for performance\n        let entry = this.getFromLocalCache(clientId);\n\n        if (!entry) {\n          // Fallback to Redis\n          entry = await this.getFromRedis(clientId);\n        }\n\n        const now = Date.now();\n\n        // Check if client is in backoff period\n        if (entry.blockedUntil && entry.blockedUntil > now) {\n          const retryAfter = Math.ceil((entry.blockedUntil - now) / 1000);\n          metrics.increment('rate_limit.blocked', {\n            ip: clientId,\n            backoffLevel: String(entry.backoffLevel),\n          });\n\n          res.status(429).json({\n            error: 'Too many requests - exponential backoff applied',\n            code: 'RATE_LIMIT_BACKOFF',\n            retryAfter,\n            backoffLevel: entry.backoffLevel,\n          });\n          res.setHeader('Retry-After', String(retryAfter));\n          res.setHeader('X-RateLimit-BackoffLevel', String(entry.backoffLevel));\n          return;\n        }\n\n        // Check if window has expired\n        if (now - entry.firstRequest > this.config.windowMs) {\n          // Reset window\n          entry = {\n            requests: 1,\n            violations: Math.max(0, entry.violations - 1), // Decay violations\n            backoffLevel: Math.max(0, entry.backoffLevel - 1), // Decay backoff\n            firstRequest: now,\n            lastRequest: now,\n          };\n        } else {\n          entry.requests++;\n          entry.lastRequest = now;\n        }\n\n        // Calculate current limit with exponential backoff reduction\n        const currentLimit = Math.max(\n          1,\n          Math.floor(\n            this.config.baseLimit /\n              Math.pow(this.config.backoffMultiplier, entry.backoffLevel)\n          )\n        );\n\n        // Check if limit exceeded\n        if (entry.requests > currentLimit) {\n          entry.violations++;\n\n          // Increase backoff level\n          if (entry.backoffLevel < Math.log2(this.config.maxBackoff)) {\n            entry.backoffLevel++;\n          }\n\n          // Calculate backoff duration with exponential increase\n          const backoffDuration =\n            this.config.windowMs *\n            Math.pow(this.config.backoffMultiplier, entry.backoffLevel);\n          entry.blockedUntil = now + backoffDuration;\n\n          // Update caches\n          await this.updateCaches(clientId, entry);\n\n          const retryAfter = Math.ceil(backoffDuration / 1000);\n          metrics.increment('rate_limit.exceeded', {\n            ip: clientId,\n            violations: String(entry.violations),\n            backoffLevel: String(entry.backoffLevel),\n          });\n\n          res.status(429).json({\n            error: 'Rate limit exceeded - entering exponential backoff',\n            code: 'RATE_LIMIT_EXCEEDED',\n            retryAfter,\n            violations: entry.violations,\n            backoffLevel: entry.backoffLevel,\n            currentLimit,\n          });\n          res.setHeader('Retry-After', String(retryAfter));\n          res.setHeader('X-RateLimit-Limit', String(currentLimit));\n          res.setHeader('X-RateLimit-Remaining', '0');\n          res.setHeader('X-RateLimit-BackoffLevel', String(entry.backoffLevel));\n          return;\n        }\n\n        // Update successful request\n        await this.updateCaches(clientId, entry);\n\n        // Add rate limit headers\n        res.setHeader('X-RateLimit-Limit', String(currentLimit));\n        res.setHeader(\n          'X-RateLimit-Remaining',\n          String(currentLimit - entry.requests)\n        );\n        res.setHeader(\n          'X-RateLimit-Reset',\n          String(new Date(entry.firstRequest + this.config.windowMs).getTime())\n        );\n\n        if (entry.backoffLevel > 0) {\n          res.setHeader('X-RateLimit-BackoffLevel', String(entry.backoffLevel));\n        }\n\n        next();\n      } catch (error: unknown) {\n        logger.error(\n          'Rate limiter error',\n          error instanceof Error ? error : new Error(String(error))\n        );\n        // Fail open - allow request on error\n        next();\n      }\n    };\n  }\n\n  /**\n   * Get client identifier from request\n   */\n  private getClientIdentifier(req: Request): string {\n    // Try various methods to identify the client\n    const forwarded = req.headers['x-forwarded-for'];\n    const realIp = req.headers['x-real-ip'];\n    const cfIp = req.headers['cf-connecting-ip']; // Cloudflare\n\n    if (typeof forwarded === 'string') {\n      return forwarded.split(',')[0].trim();\n    }\n    if (typeof realIp === 'string') {\n      return realIp;\n    }\n    if (typeof cfIp === 'string') {\n      return cfIp;\n    }\n\n    return req.ip || req.socket.remoteAddress || 'unknown';\n  }\n\n  /**\n   * Check if IP is whitelisted\n   */\n  private isWhitelisted(ip: string): boolean {\n    return (\n      this.config.whitelistIPs.includes(ip) ||\n      ip === '127.0.0.1' ||\n      ip === '::1' ||\n      ip.startsWith('192.168.') ||\n      ip.startsWith('10.')\n    );\n  }\n\n  /**\n   * Check if IP is blacklisted\n   */\n  private isBlacklisted(ip: string): boolean {\n    return this.config.blacklistIPs.includes(ip);\n  }\n\n  /**\n   * Get rate limit entry from local cache\n   */\n  private getFromLocalCache(clientId: string): RateLimitEntry | null {\n    const cached = this.localCache.get(clientId);\n    if (cached) {\n      const now = Date.now();\n      // Check if cache entry is still valid\n      if (now - cached.lastRequest < this.config.localCacheTTL) {\n        return cached;\n      }\n      // Remove stale entry\n      this.localCache.delete(clientId);\n      const index = this.localCacheOrder.indexOf(clientId);\n      if (index > -1) {\n        this.localCacheOrder.splice(index, 1);\n      }\n    }\n    return null;\n  }\n\n  /**\n   * Get rate limit entry from Redis\n   */\n  private async getFromRedis(clientId: string): Promise<RateLimitEntry> {\n    const key = `rate_limit:${clientId}`;\n    const data = await this.redis.get(key);\n\n    if (data) {\n      return JSON.parse(data);\n    }\n\n    // Return new entry\n    return {\n      requests: 0,\n      violations: 0,\n      backoffLevel: 0,\n      firstRequest: Date.now(),\n      lastRequest: Date.now(),\n    };\n  }\n\n  /**\n   * Update both local cache and Redis\n   */\n  private async updateCaches(\n    clientId: string,\n    entry: RateLimitEntry\n  ): Promise<void> {\n    // Update local cache with LRU eviction\n    if (!this.localCache.has(clientId)) {\n      // Check cache size limit\n      if (this.localCache.size >= this.config.localCacheSize) {\n        // Remove oldest entry\n        const oldest = this.localCacheOrder.shift();\n        if (oldest) {\n          this.localCache.delete(oldest);\n        }\n      }\n      this.localCacheOrder.push(clientId);\n    }\n    this.localCache.set(clientId, entry);\n\n    // Update Redis with TTL\n    const key = `rate_limit:${clientId}`;\n    const ttl = Math.ceil(\n      (this.config.windowMs * Math.pow(2, entry.backoffLevel)) / 1000\n    );\n    await this.redis.setex(key, ttl, JSON.stringify(entry));\n  }\n\n  /**\n   * Clean up stale entries from local cache\n   */\n  private cleanupLocalCache(): void {\n    const now = Date.now();\n    const staleThreshold = now - this.config.localCacheTTL;\n\n    for (const [clientId, entry] of this.localCache.entries()) {\n      if (entry.lastRequest < staleThreshold) {\n        this.localCache.delete(clientId);\n        const index = this.localCacheOrder.indexOf(clientId);\n        if (index > -1) {\n          this.localCacheOrder.splice(index, 1);\n        }\n      }\n    }\n\n    metrics.record('rate_limit.local_cache_size', this.localCache.size);\n  }\n\n  /**\n   * Reset rate limit for a specific client\n   */\n  async reset(clientId: string): Promise<void> {\n    this.localCache.delete(clientId);\n    const index = this.localCacheOrder.indexOf(clientId);\n    if (index > -1) {\n      this.localCacheOrder.splice(index, 1);\n    }\n    await this.redis.del(`rate_limit:${clientId}`);\n  }\n\n  /**\n   * Get current rate limit status for a client\n   */\n  async getStatus(clientId: string): Promise<RateLimitEntry | null> {\n    let entry = this.getFromLocalCache(clientId);\n    if (!entry) {\n      const data = await this.redis.get(`rate_limit:${clientId}`);\n      if (data) {\n        entry = JSON.parse(data);\n      }\n    }\n    return entry;\n  }\n\n  /**\n   * Add IP to blacklist\n   */\n  blacklistIP(ip: string): void {\n    if (!this.config.blacklistIPs.includes(ip)) {\n      this.config.blacklistIPs.push(ip);\n      logger.warn('IP blacklisted', { ip });\n    }\n  }\n\n  /**\n   * Remove IP from blacklist\n   */\n  unblacklistIP(ip: string): void {\n    const index = this.config.blacklistIPs.indexOf(ip);\n    if (index > -1) {\n      this.config.blacklistIPs.splice(index, 1);\n      logger.info('IP unblacklisted', { ip });\n    }\n  }\n}\n"],
+  "mappings": ";;;;AAEA,SAAS,cAAc;AACvB,SAAS,eAAe;AAuBjB,MAAM,uBAAuB;AAAA,EAC1B;AAAA,EACA,aAA0C,oBAAI,IAAI;AAAA,EAClD,kBAA4B,CAAC;AAAA,EAC7B;AAAA,EAER,YAAY,OAAc,SAAmC,CAAC,GAAG;AAC/D,SAAK,QAAQ;AACb,SAAK,SAAS;AAAA,MACZ,WAAW;AAAA,MACX,UAAU,KAAK;AAAA;AAAA,MACf,YAAY;AAAA,MACZ,mBAAmB;AAAA,MACnB,gBAAgB;AAAA,MAChB,eAAe,IAAI,KAAK;AAAA;AAAA,MACxB,cAAc,CAAC;AAAA,MACf,cAAc,CAAC;AAAA,MACf,oBAAoB,CAAC,QAAQ,KAAK,oBAAoB,GAAG;AAAA,MACzD,GAAG;AAAA,IACL;AAGA,gBAAY,MAAM,KAAK,kBAAkB,GAAG,KAAK,OAAO,aAAa;AAAA,EACvE;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa;AACX,WAAO,OACL,KACA,KACA,SACkB;AAClB,YAAM,WAAW,KAAK,OAAO,mBAAmB,GAAG;AAGnD,UAAI,KAAK,cAAc,QAAQ,GAAG;AAChC,eAAO,KAAK;AAAA,MACd;AAEA,UAAI,KAAK,cAAc,QAAQ,GAAG;AAChC,gBAAQ,UAAU,0BAA0B,EAAE,IAAI,SAAS,CAAC;AAC5D,YAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACnB,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AACD;AAAA,MACF;AAEA,UAAI;AAEF,YAAI,QAAQ,KAAK,kBAAkB,QAAQ;AAE3C,YAAI,CAAC,OAAO;AAEV,kBAAQ,MAAM,KAAK,aAAa,QAAQ;AAAA,QAC1C;AAEA,cAAM,MAAM,KAAK,IAAI;AAGrB,YAAI,MAAM,gBAAgB,MAAM,eAAe,KAAK;AAClD,gBAAM,aAAa,KAAK,MAAM,MAAM,eAAe,OAAO,GAAI;AAC9D,kBAAQ,UAAU,sBAAsB;AAAA,YACtC,IAAI;AAAA,YACJ,cAAc,OAAO,MAAM,YAAY;AAAA,UACzC,CAAC;AAED,cAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACnB,OAAO;AAAA,YACP,MAAM;AAAA,YACN;AAAA,YACA,cAAc,MAAM;AAAA,UACtB,CAAC;AACD,cAAI,UAAU,eAAe,OAAO,UAAU,CAAC;AAC/C,cAAI,UAAU,4BAA4B,OAAO,MAAM,YAAY,CAAC;AACpE;AAAA,QACF;AAGA,YAAI,MAAM,MAAM,eAAe,KAAK,OAAO,UAAU;AAEnD,kBAAQ;AAAA,YACN,UAAU;AAAA,YACV,YAAY,KAAK,IAAI,GAAG,MAAM,aAAa,CAAC;AAAA;AAAA,YAC5C,cAAc,KAAK,IAAI,GAAG,MAAM,eAAe,CAAC;AAAA;AAAA,YAChD,cAAc;AAAA,YACd,aAAa;AAAA,UACf;AAAA,QACF,OAAO;AACL,gBAAM;AACN,gBAAM,cAAc;AAAA,QACtB;AAGA,cAAM,eAAe,KAAK;AAAA,UACxB;AAAA,UACA,KAAK;AAAA,YACH,KAAK,OAAO,YACV,KAAK,IAAI,KAAK,OAAO,mBAAmB,MAAM,YAAY;AAAA,UAC9D;AAAA,QACF;AAGA,YAAI,MAAM,WAAW,cAAc;AACjC,gBAAM;AAGN,cAAI,MAAM,eAAe,KAAK,KAAK,KAAK,OAAO,UAAU,GAAG;AAC1D,kBAAM;AAAA,UACR;AAGA,gBAAM,kBACJ,KAAK,OAAO,WACZ,KAAK,IAAI,KAAK,OAAO,mBAAmB,MAAM,YAAY;AAC5D,gBAAM,eAAe,MAAM;AAG3B,gBAAM,KAAK,aAAa,UAAU,KAAK;AAEvC,gBAAM,aAAa,KAAK,KAAK,kBAAkB,GAAI;AACnD,kBAAQ,UAAU,uBAAuB;AAAA,YACvC,IAAI;AAAA,YACJ,YAAY,OAAO,MAAM,UAAU;AAAA,YACnC,cAAc,OAAO,MAAM,YAAY;AAAA,UACzC,CAAC;AAED,cAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACnB,OAAO;AAAA,YACP,MAAM;AAAA,YACN;AAAA,YACA,YAAY,MAAM;AAAA,YAClB,cAAc,MAAM;AAAA,YACpB;AAAA,UACF,CAAC;AACD,cAAI,UAAU,eAAe,OAAO,UAAU,CAAC;AAC/C,cAAI,UAAU,qBAAqB,OAAO,YAAY,CAAC;AACvD,cAAI,UAAU,yBAAyB,GAAG;AAC1C,cAAI,UAAU,4BAA4B,OAAO,MAAM,YAAY,CAAC;AACpE;AAAA,QACF;AAGA,cAAM,KAAK,aAAa,UAAU,KAAK;AAGvC,YAAI,UAAU,qBAAqB,OAAO,YAAY,CAAC;AACvD,YAAI;AAAA,UACF;AAAA,UACA,OAAO,eAAe,MAAM,QAAQ;AAAA,QACtC;AACA,YAAI;AAAA,UACF;AAAA,UACA,OAAO,IAAI,KAAK,MAAM,eAAe,KAAK,OAAO,QAAQ,EAAE,QAAQ,CAAC;AAAA,QACtE;AAEA,YAAI,MAAM,eAAe,GAAG;AAC1B,cAAI,UAAU,4BAA4B,OAAO,MAAM,YAAY,CAAC;AAAA,QACtE;AAEA,aAAK;AAAA,MACP,SAAS,OAAgB;AACvB,eAAO;AAAA,UACL;AAAA,UACA,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,QAC1D;AAEA,aAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,KAAsB;AAEhD,UAAM,YAAY,IAAI,QAAQ,iBAAiB;AAC/C,UAAM,SAAS,IAAI,QAAQ,WAAW;AACtC,UAAM,OAAO,IAAI,QAAQ,kBAAkB;AAE3C,QAAI,OAAO,cAAc,UAAU;AACjC,aAAO,UAAU,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AAAA,IACtC;AACA,QAAI,OAAO,WAAW,UAAU;AAC9B,aAAO;AAAA,IACT;AACA,QAAI,OAAO,SAAS,UAAU;AAC5B,aAAO;AAAA,IACT;AAEA,WAAO,IAAI,MAAM,IAAI,OAAO,iBAAiB;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAc,IAAqB;AACzC,WACE,KAAK,OAAO,aAAa,SAAS,EAAE,KACpC,OAAO,eACP,OAAO,SACP,GAAG,WAAW,UAAU,KACxB,GAAG,WAAW,KAAK;AAAA,EAEvB;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAc,IAAqB;AACzC,WAAO,KAAK,OAAO,aAAa,SAAS,EAAE;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,UAAyC;AACjE,UAAM,SAAS,KAAK,WAAW,IAAI,QAAQ;AAC3C,QAAI,QAAQ;AACV,YAAM,MAAM,KAAK,IAAI;AAErB,UAAI,MAAM,OAAO,cAAc,KAAK,OAAO,eAAe;AACxD,eAAO;AAAA,MACT;AAEA,WAAK,WAAW,OAAO,QAAQ;AAC/B,YAAM,QAAQ,KAAK,gBAAgB,QAAQ,QAAQ;AACnD,UAAI,QAAQ,IAAI;AACd,aAAK,gBAAgB,OAAO,OAAO,CAAC;AAAA,MACtC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,aAAa,UAA2C;AACpE,UAAM,MAAM,cAAc,QAAQ;AAClC,UAAM,OAAO,MAAM,KAAK,MAAM,IAAI,GAAG;AAErC,QAAI,MAAM;AACR,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB;AAGA,WAAO;AAAA,MACL,UAAU;AAAA,MACV,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,cAAc,KAAK,IAAI;AAAA,MACvB,aAAa,KAAK,IAAI;AAAA,IACxB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,aACZ,UACA,OACe;AAEf,QAAI,CAAC,KAAK,WAAW,IAAI,QAAQ,GAAG;AAElC,UAAI,KAAK,WAAW,QAAQ,KAAK,OAAO,gBAAgB;AAEtD,cAAM,SAAS,KAAK,gBAAgB,MAAM;AAC1C,YAAI,QAAQ;AACV,eAAK,WAAW,OAAO,MAAM;AAAA,QAC/B;AAAA,MACF;AACA,WAAK,gBAAgB,KAAK,QAAQ;AAAA,IACpC;AACA,SAAK,WAAW,IAAI,UAAU,KAAK;AAGnC,UAAM,MAAM,cAAc,QAAQ;AAClC,UAAM,MAAM,KAAK;AAAA,MACd,KAAK,OAAO,WAAW,KAAK,IAAI,GAAG,MAAM,YAAY,IAAK;AAAA,IAC7D;AACA,UAAM,KAAK,MAAM,MAAM,KAAK,KAAK,KAAK,UAAU,KAAK,CAAC;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAA0B;AAChC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,iBAAiB,MAAM,KAAK,OAAO;AAEzC,eAAW,CAAC,UAAU,KAAK,KAAK,KAAK,WAAW,QAAQ,GAAG;AACzD,UAAI,MAAM,cAAc,gBAAgB;AACtC,aAAK,WAAW,OAAO,QAAQ;AAC/B,cAAM,QAAQ,KAAK,gBAAgB,QAAQ,QAAQ;AACnD,YAAI,QAAQ,IAAI;AACd,eAAK,gBAAgB,OAAO,OAAO,CAAC;AAAA,QACtC;AAAA,MACF;AAAA,IACF;AAEA,YAAQ,OAAO,+BAA+B,KAAK,WAAW,IAAI;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,UAAiC;AAC3C,SAAK,WAAW,OAAO,QAAQ;AAC/B,UAAM,QAAQ,KAAK,gBAAgB,QAAQ,QAAQ;AACnD,QAAI,QAAQ,IAAI;AACd,WAAK,gBAAgB,OAAO,OAAO,CAAC;AAAA,IACtC;AACA,UAAM,KAAK,MAAM,IAAI,cAAc,QAAQ,EAAE;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAU,UAAkD;AAChE,QAAI,QAAQ,KAAK,kBAAkB,QAAQ;AAC3C,QAAI,CAAC,OAAO;AACV,YAAM,OAAO,MAAM,KAAK,MAAM,IAAI,cAAc,QAAQ,EAAE;AAC1D,UAAI,MAAM;AACR,gBAAQ,KAAK,MAAM,IAAI;AAAA,MACzB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,IAAkB;AAC5B,QAAI,CAAC,KAAK,OAAO,aAAa,SAAS,EAAE,GAAG;AAC1C,WAAK,OAAO,aAAa,KAAK,EAAE;AAChC,aAAO,KAAK,kBAAkB,EAAE,GAAG,CAAC;AAAA,IACtC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,IAAkB;AAC9B,UAAM,QAAQ,KAAK,OAAO,aAAa,QAAQ,EAAE;AACjD,QAAI,QAAQ,IAAI;AACd,WAAK,OAAO,aAAa,OAAO,OAAO,CAAC;AACxC,aAAO,KAAK,oBAAoB,EAAE,GAAG,CAAC;AAAA,IACxC;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/src/models/user.model.js

@@ -0,0 +1,358 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import { v4 as uuidv4 } from "uuid";
+import * as bcrypt from "bcryptjs";
+import { logger } from "../core/monitoring/logger.js";
+class UserModel {
+  db;
+  constructor(db) {
+    this.db = db;
+    this.initialize();
+  }
+  initialize() {
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS users (
+        id TEXT PRIMARY KEY,
+        sub TEXT UNIQUE NOT NULL,
+        email TEXT UNIQUE NOT NULL,
+        name TEXT,
+        avatar TEXT,
+        tier TEXT DEFAULT 'free',
+        permissions TEXT DEFAULT '["read", "write"]',
+        organizations TEXT DEFAULT '[]',
+        api_keys TEXT DEFAULT '[]',
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        last_login_at DATETIME,
+        metadata TEXT DEFAULT '{}'
+      )
+    `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS user_sessions (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        token TEXT UNIQUE NOT NULL,
+        expires_at DATETIME NOT NULL,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        metadata TEXT DEFAULT '{}',
+        FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+      )
+    `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS api_keys (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        key_hash TEXT UNIQUE NOT NULL,
+        name TEXT,
+        last_used_at DATETIME,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        expires_at DATETIME,
+        metadata TEXT DEFAULT '{}',
+        FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+      )
+    `);
+    this.db.exec(`
+      CREATE INDEX IF NOT EXISTS idx_users_sub ON users(sub);
+      CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+      CREATE INDEX IF NOT EXISTS idx_sessions_token ON user_sessions(token);
+      CREATE INDEX IF NOT EXISTS idx_sessions_user ON user_sessions(user_id);
+      CREATE INDEX IF NOT EXISTS idx_sessions_expires ON user_sessions(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+      CREATE INDEX IF NOT EXISTS idx_api_keys_user ON api_keys(user_id);
+    `);
+    logger.info("User database schema initialized");
+  }
+  async createUser(userData) {
+    if (!userData.sub || !userData.email) {
+      throw new Error("User sub and email are required");
+    }
+    const user = {
+      id: userData.id || uuidv4(),
+      sub: userData.sub,
+      email: userData.email,
+      name: userData.name,
+      avatar: userData.avatar,
+      tier: userData.tier || "free",
+      permissions: userData.permissions || ["read", "write"],
+      organizations: userData.organizations || [],
+      apiKeys: userData.apiKeys || [],
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date(),
+      metadata: userData.metadata || {}
+    };
+    const stmt = this.db.prepare(`
+      INSERT INTO users (
+        id, sub, email, name, avatar, tier, permissions, 
+        organizations, api_keys, created_at, updated_at, metadata
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+    stmt.run(
+      user.id,
+      user.sub,
+      user.email,
+      user.name,
+      user.avatar,
+      user.tier,
+      JSON.stringify(user.permissions),
+      JSON.stringify(user.organizations),
+      JSON.stringify(user.apiKeys),
+      user.createdAt.toISOString(),
+      user.updatedAt.toISOString(),
+      JSON.stringify(user.metadata)
+    );
+    logger.info("User created", { userId: user.id, email: user.email });
+    return user;
+  }
+  async findUserBySub(sub) {
+    const stmt = this.db.prepare("SELECT * FROM users WHERE sub = ?");
+    const row = stmt.get(sub);
+    if (!row) {
+      return null;
+    }
+    return this.rowToUser(row);
+  }
+  async findUserByEmail(email) {
+    const stmt = this.db.prepare("SELECT * FROM users WHERE email = ?");
+    const row = stmt.get(email);
+    if (!row) {
+      return null;
+    }
+    return this.rowToUser(row);
+  }
+  async findUserById(id) {
+    const stmt = this.db.prepare("SELECT * FROM users WHERE id = ?");
+    const row = stmt.get(id);
+    if (!row) {
+      return null;
+    }
+    return this.rowToUser(row);
+  }
+  async updateUser(id, updates) {
+    const user = await this.findUserById(id);
+    if (!user) {
+      return null;
+    }
+    const updatedUser = {
+      ...user,
+      ...updates,
+      updatedAt: /* @__PURE__ */ new Date()
+    };
+    const stmt = this.db.prepare(`
+      UPDATE users SET
+        email = ?, name = ?, avatar = ?, tier = ?, 
+        permissions = ?, organizations = ?, api_keys = ?,
+        updated_at = ?, last_login_at = ?, metadata = ?
+      WHERE id = ?
+    `);
+    stmt.run(
+      updatedUser.email,
+      updatedUser.name,
+      updatedUser.avatar,
+      updatedUser.tier,
+      JSON.stringify(updatedUser.permissions),
+      JSON.stringify(updatedUser.organizations),
+      JSON.stringify(updatedUser.apiKeys),
+      updatedUser.updatedAt.toISOString(),
+      updatedUser.lastLoginAt?.toISOString(),
+      JSON.stringify(updatedUser.metadata),
+      id
+    );
+    logger.info("User updated", { userId: id });
+    return updatedUser;
+  }
+  async deleteUser(id) {
+    const stmt = this.db.prepare("DELETE FROM users WHERE id = ?");
+    const result = stmt.run(id);
+    if (result.changes > 0) {
+      logger.info("User deleted", { userId: id });
+      return true;
+    }
+    return false;
+  }
+  async updateLastLogin(id) {
+    const stmt = this.db.prepare(
+      "UPDATE users SET last_login_at = ? WHERE id = ?"
+    );
+    stmt.run((/* @__PURE__ */ new Date()).toISOString(), id);
+  }
+  // Session management
+  async createSession(userId, expiresIn = 86400) {
+    const session = {
+      id: uuidv4(),
+      userId,
+      token: this.generateSessionToken(),
+      expiresAt: new Date(Date.now() + expiresIn * 1e3),
+      createdAt: /* @__PURE__ */ new Date(),
+      metadata: {}
+    };
+    const stmt = this.db.prepare(`
+      INSERT INTO user_sessions (id, user_id, token, expires_at, created_at, metadata)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `);
+    stmt.run(
+      session.id,
+      session.userId,
+      session.token,
+      session.expiresAt.toISOString(),
+      session.createdAt.toISOString(),
+      JSON.stringify(session.metadata)
+    );
+    logger.info("Session created", { sessionId: session.id, userId });
+    return session;
+  }
+  async findSessionByToken(token) {
+    const stmt = this.db.prepare("SELECT * FROM user_sessions WHERE token = ?");
+    const row = stmt.get(token);
+    if (!row) {
+      return null;
+    }
+    return this.rowToSession(row);
+  }
+  async validateSession(token) {
+    const session = await this.findSessionByToken(token);
+    if (!session) {
+      return null;
+    }
+    if (new Date(session.expiresAt) < /* @__PURE__ */ new Date()) {
+      await this.deleteSession(session.id);
+      return null;
+    }
+    return await this.findUserById(session.userId);
+  }
+  async deleteSession(id) {
+    const stmt = this.db.prepare("DELETE FROM user_sessions WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+  async deleteExpiredSessions() {
+    const stmt = this.db.prepare(
+      "DELETE FROM user_sessions WHERE expires_at < ?"
+    );
+    const result = stmt.run((/* @__PURE__ */ new Date()).toISOString());
+    if (result.changes > 0) {
+      logger.info("Expired sessions deleted", { count: result.changes });
+    }
+    return result.changes;
+  }
+  // API Key management
+  async generateApiKey(userId, name) {
+    const user = await this.findUserById(userId);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    const apiKey = `sk-${this.generateToken(32)}`;
+    const hashedKey = await bcrypt.hash(apiKey, 10);
+    const stmt = this.db.prepare(`
+      INSERT INTO api_keys (id, user_id, key_hash, name, created_at)
+      VALUES (?, ?, ?, ?, ?)
+    `);
+    const apiKeyId = uuidv4();
+    stmt.run(
+      apiKeyId,
+      userId,
+      hashedKey,
+      name || "API Key",
+      (/* @__PURE__ */ new Date()).toISOString()
+    );
+    logger.info("API key generated", { userId, apiKeyId });
+    return apiKey;
+  }
+  async validateApiKey(apiKey) {
+    const stmt = this.db.prepare(`
+      SELECT u.*, ak.id as api_key_id, ak.key_hash
+      FROM api_keys ak
+      JOIN users u ON ak.user_id = u.id
+      WHERE (ak.expires_at IS NULL OR ak.expires_at > datetime('now'))
+    `);
+    const rows = stmt.all();
+    for (const row of rows) {
+      if (await bcrypt.compare(apiKey, row.key_hash)) {
+        const updateStmt = this.db.prepare(
+          "UPDATE api_keys SET last_used_at = ? WHERE id = ?"
+        );
+        updateStmt.run((/* @__PURE__ */ new Date()).toISOString(), row.api_key_id);
+        return this.rowToUser(row);
+      }
+    }
+    return null;
+  }
+  async revokeApiKey(userId, apiKeyId) {
+    const stmt = this.db.prepare(
+      "DELETE FROM api_keys WHERE id = ? AND user_id = ?"
+    );
+    const result = stmt.run(apiKeyId, userId);
+    if (result.changes > 0) {
+      logger.info("API key revoked", { userId, apiKeyId });
+      return true;
+    }
+    return false;
+  }
+  async listApiKeys(userId) {
+    const stmt = this.db.prepare(`
+      SELECT id, name, last_used_at, created_at
+      FROM api_keys
+      WHERE user_id = ?
+      ORDER BY created_at DESC
+    `);
+    const rows = stmt.all(userId);
+    return rows.map((row) => ({
+      id: row.id,
+      name: row.name,
+      lastUsed: row.last_used_at ? new Date(row.last_used_at) : void 0,
+      createdAt: new Date(row.created_at)
+    }));
+  }
+  // Helper methods
+  rowToUser(row) {
+    return {
+      id: row.id,
+      sub: row.sub,
+      email: row.email,
+      name: row.name,
+      avatar: row.avatar,
+      tier: row.tier,
+      permissions: JSON.parse(row.permissions),
+      organizations: JSON.parse(row.organizations),
+      apiKeys: JSON.parse(row.api_keys || "[]"),
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at),
+      lastLoginAt: row.last_login_at ? new Date(row.last_login_at) : void 0,
+      metadata: JSON.parse(row.metadata || "{}")
+    };
+  }
+  rowToSession(row) {
+    return {
+      id: row.id,
+      userId: row.user_id,
+      token: row.token,
+      expiresAt: new Date(row.expires_at),
+      createdAt: new Date(row.created_at),
+      metadata: JSON.parse(row.metadata || "{}")
+    };
+  }
+  generateSessionToken() {
+    return this.generateToken(48);
+  }
+  generateToken(length) {
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+    let token = "";
+    for (let i = 0; i < length; i++) {
+      token += chars.charAt(Math.floor(Math.random() * chars.length));
+    }
+    return token;
+  }
+}
+let userModelInstance = null;
+function getUserModel(db) {
+  if (!userModelInstance) {
+    userModelInstance = new UserModel(db);
+  }
+  return userModelInstance;
+}
+export {
+  UserModel,
+  getUserModel
+};
+//# sourceMappingURL=user.model.js.map