@standardagents/builder 0.17.2 → 0.17.3

package/dist/built-in-routes.js

@@ -63100,6 +63100,30 @@ function getTokenPrefix(token) {
   const match2 = token.match(/^([^_]+_)/);
   return match2 ? match2[1] : "";
 }
+var SESSION_COOKIE_NAME = "agtuser_session";
+function readSessionCookie(request) {
+  const header = request.headers.get("Cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    if (part.slice(0, eq).trim() === SESSION_COOKIE_NAME) {
+      return decodeURIComponent(part.slice(eq + 1).trim()) || null;
+    }
+  }
+  return null;
+}
+function buildSessionCookie(request, token, maxAgeSeconds) {
+  const attrs = ["Path=/", "HttpOnly", "SameSite=Lax"];
+  try {
+    if (new URL(request.url).protocol === "https:") attrs.push("Secure");
+  } catch {
+  }
+  if (maxAgeSeconds <= 0) {
+    return `${SESSION_COOKIE_NAME}=; ${attrs.join("; ")}; Max-Age=0`;
+  }
+  return `${SESSION_COOKIE_NAME}=${encodeURIComponent(token)}; ${attrs.join("; ")}; Max-Age=${maxAgeSeconds}`;
+}
 function isValidUserToken(token) {
   return token.startsWith("agtuser_") && token.length > 10;
 }
@@ -63202,6 +63226,10 @@ function extractBearerToken(request) {
   if (authHeader && authHeader.startsWith("Bearer ")) {
     return authHeader.substring(7);
   }
+  const cookieToken = readSessionCookie(request);
+  if (cookieToken) {
+    return cookieToken;
+  }
   const isWebSocket = request.headers.get("upgrade")?.toLowerCase() === "websocket";
   if (isWebSocket) {
     try {
@@ -63399,6 +63427,10 @@ function platformApiKey(env2) {
 function hasPlatformApiKey(env2) {
   return platformApiKey(env2) !== null;
 }
+function isPlatformHosted(env2) {
+  const value = env2.STANDARD_AGENTS_HOSTED;
+  return typeof value === "string" ? value.trim() !== "" && value.trim() !== "0" && value.trim().toLowerCase() !== "false" : Boolean(value);
+}
 function platformEndpoint(env2) {
   const configured = env2.PLATFORM_ENDPOINT || env2.STANDARD_AGENTS_PLATFORM_URL || env2.PLATFORM_URL || env2.STANDARD_AGENTS_PUBLIC_URL;
   if (typeof configured === "string" && configured.trim()) {
@@ -63476,7 +63508,31 @@ async function getPlatformIdentity(env2) {
     platformEndpoint: endpoint
   };
 }
+async function mintLocalSessionForPlatformUser(env2, platformUserId) {
+  const namespace = env2.AGENT_BUILDER;
+  if (!namespace || typeof namespace.idFromName !== "function" || typeof namespace.get !== "function") {
+    throw new Error("Server misconfigured: AGENT_BUILDER Durable Object binding is required for platform auth");
+  }
+  const agentBuilder = namespace.get(namespace.idFromName("singleton"));
+  const username = sanitizeUsername(`sa-${platformUserId}`);
+  let user = await agentBuilder.getUserByUsername(username);
+  if (!user) {
+    user = await agentBuilder.createUser({
+      username,
+      password_hash: await hashPassword(crypto.randomUUID()),
+      role: "admin"
+    });
+  }
+  const token = generateUserToken();
+  const tokenHash = await hashToken(token);
+  const expiresAt = Math.floor(Date.now() / 1e3) + SESSION_TTL_SECONDS;
+  await agentBuilder.createSession({ user_id: user.id, token_hash: tokenHash, expires_at: expiresAt });
+  return { token, user: { id: user.id, username: user.username, role: user.role } };
+}
 async function createPlatformLocalSession(env2) {
+  if (isPlatformHosted(env2)) {
+    return null;
+  }
   const identity = await getPlatformIdentity(env2);
   if (!identity) {
     return null;
@@ -65734,11 +65790,15 @@ var config_get_default2 = defineController2(async ({ req, env: env2 }) => {
   const configuredPlatformEndpoint = resolvePlatformEndpoint(req, env2);
   const platformConnected = hasPlatformApiKey(env2) || !!findLocalBootstrapSession(void 0, env2);
   const localPassword = typeof env2.SUPER_ADMIN_PASSWORD === "string" && env2.SUPER_ADMIN_PASSWORD.length > 0;
+  const hosted = isPlatformHosted(env2);
+  const standardAgentsLogin = hosted && typeof env2.STANDARD_AGENTS_OAUTH_CLIENT_ID === "string" && env2.STANDARD_AGENTS_OAUTH_CLIENT_ID.trim() !== "";
   return {
     github: githubConfigured,
     google: googleConfigured,
     platformConnected,
     localPassword,
+    hosted,
+    standardAgentsLogin,
     platformEndpoint: hasPlatformApiKey(env2) ? platformEndpoint(env2) : configuredPlatformEndpoint
   };
 });
@@ -65826,28 +65886,28 @@ var login_post_default = defineController2(async ({ req, env: env2 }) => {
 
 // src/api/auth/logout.post.ts
 var logout_post_default = defineController2(async ({ req, env: env2 }) => {
+  const clearCookie = (body, status = 200) => new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "Content-Type": "application/json",
+      "Set-Cookie": buildSessionCookie(req, "", 0)
+    }
+  });
   try {
     const authHeader = req.headers.get("Authorization");
-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
-      return Response.json({ error: "Unauthorized" }, { status: 401 });
-    }
-    const token = authHeader.substring(7);
-    if (token.includes(".")) {
-      return Response.json({ success: true });
+    const token = authHeader && authHeader.startsWith("Bearer ") ? authHeader.substring(7) : readSessionCookie(req);
+    if (!token) {
+      return clearCookie({ success: true });
     }
-    if (isValidUserToken(token)) {
+    if (!token.includes(".") && isValidUserToken(token)) {
       const tokenHash = await hashToken(token);
-      const agentBuilderId = env2.AGENT_BUILDER.idFromName("singleton");
-      const agentBuilder = env2.AGENT_BUILDER.get(agentBuilderId);
+      const agentBuilder = env2.AGENT_BUILDER.get(env2.AGENT_BUILDER.idFromName("singleton"));
       await agentBuilder.deleteSession(tokenHash);
     }
-    return Response.json({ success: true });
+    return clearCookie({ success: true });
   } catch (error) {
     console.error("Logout error:", error);
-    return Response.json(
-      { error: error.message || "Logout failed" },
-      { status: 500 }
-    );
+    return clearCookie({ error: error.message || "Logout failed" }, 500);
   }
 });
 
@@ -68755,6 +68815,121 @@ var name_get_default7 = defineController2(async ({ params, url, prompts, agents,
   return Response.json({ variables });
 });
 
+// src/api/auth/sa/callback.get.ts
+var SESSION_TTL_SECONDS2 = 30 * 24 * 60 * 60;
+function readNamedCookie(req, name15) {
+  const header = req.headers.get("Cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    if (part.slice(0, eq).trim() === name15) return decodeURIComponent(part.slice(eq + 1).trim()) || null;
+  }
+  return null;
+}
+function failRedirect(req, reason) {
+  const origin = new URL(req.url).origin;
+  const headers = new Headers({ Location: `${origin}/login?sa_error=${encodeURIComponent(reason)}` });
+  headers.append("Set-Cookie", "sa_oauth=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0");
+  return new Response(null, { status: 302, headers });
+}
+var callback_get_default = defineController2(async ({ req, env: env2 }) => {
+  const url = new URL(req.url);
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  const stash = readNamedCookie(req, "sa_oauth");
+  if (!code || !state || !stash) {
+    return failRedirect(req, "invalid_response");
+  }
+  const sep = stash.indexOf(":");
+  const verifier = sep === -1 ? "" : stash.slice(0, sep);
+  const expectedState = sep === -1 ? "" : stash.slice(sep + 1);
+  if (!verifier || expectedState !== state) {
+    return failRedirect(req, "state_mismatch");
+  }
+  const clientId = typeof env2.STANDARD_AGENTS_OAUTH_CLIENT_ID === "string" ? env2.STANDARD_AGENTS_OAUTH_CLIENT_ID.trim() : "";
+  if (!clientId) {
+    return failRedirect(req, "not_configured");
+  }
+  const endpoint = platformEndpoint(env2);
+  const redirectUri = `${url.origin}/api/auth/sa/callback`;
+  let platformUserId;
+  try {
+    const tokenRes = await fetch(`${endpoint}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        code_verifier: verifier
+      }).toString()
+    });
+    if (!tokenRes.ok) return failRedirect(req, "token_exchange_failed");
+    const tokenBody = await tokenRes.json().catch(() => ({}));
+    if (!tokenBody.access_token) return failRedirect(req, "token_exchange_failed");
+    const userRes = await fetch(`${endpoint}/oauth/userinfo`, {
+      headers: { Authorization: `Bearer ${tokenBody.access_token}` }
+    });
+    if (!userRes.ok) return failRedirect(req, "userinfo_failed");
+    const userinfo = await userRes.json().catch(() => ({}));
+    if (!userinfo.sub) return failRedirect(req, "userinfo_failed");
+    platformUserId = userinfo.sub;
+  } catch {
+    return failRedirect(req, "platform_unreachable");
+  }
+  const session = await mintLocalSessionForPlatformUser(env2, platformUserId);
+  const headers = new Headers({ Location: `${url.origin}/` });
+  headers.append("Set-Cookie", buildSessionCookie(req, session.token, SESSION_TTL_SECONDS2));
+  headers.append("Set-Cookie", "sa_oauth=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0");
+  return new Response(null, { status: 302, headers });
+});
+
+// src/api/auth/sa/start.get.ts
+function randomToken(bytesLength = 32) {
+  const bytes = new Uint8Array(bytesLength);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64Url(bytes) {
+  let binary = "";
+  for (const byte of new Uint8Array(bytes)) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+async function pkceChallenge(verifier) {
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+  return base64Url(digest);
+}
+var start_get_default = defineController2(async ({ req, env: env2 }) => {
+  const clientId = typeof env2.STANDARD_AGENTS_OAUTH_CLIENT_ID === "string" ? env2.STANDARD_AGENTS_OAUTH_CLIENT_ID.trim() : "";
+  if (!clientId) {
+    return Response.json({ error: "Standard Agents login is not configured for this instance." }, { status: 400 });
+  }
+  const verifier = randomToken(32);
+  const challenge = await pkceChallenge(verifier);
+  const state = randomToken(16);
+  const reqUrl = new URL(req.url);
+  const redirectUri = `${reqUrl.origin}/api/auth/sa/callback`;
+  const authorize = new URL(`${platformEndpoint(env2)}/oauth/authorize`);
+  authorize.searchParams.set("client_id", clientId);
+  authorize.searchParams.set("redirect_uri", redirectUri);
+  authorize.searchParams.set("code_challenge", challenge);
+  authorize.searchParams.set("code_challenge_method", "S256");
+  authorize.searchParams.set("state", state);
+  authorize.searchParams.set("scope", "openid profile email");
+  const attrs = ["Path=/", "HttpOnly", "SameSite=Lax", "Max-Age=600"];
+  try {
+    if (reqUrl.protocol === "https:") attrs.push("Secure");
+  } catch {
+  }
+  const oauthCookie = `sa_oauth=${encodeURIComponent(`${verifier}:${state}`)}; ${attrs.join("; ")}`;
+  return new Response(null, {
+    status: 302,
+    headers: { Location: authorize.toString(), "Set-Cookie": oauthCookie }
+  });
+});
+
 // src/api/users/me/env.get.ts
 var env_get_default2 = defineController2(async ({ req, env: env2 }) => {
   try {
@@ -69900,6 +70075,8 @@ var routeHandlers = {
   "GET:/variables/agents/:name": name_get_default5,
   "GET:/variables/prompts/:name": name_get_default6,
   "GET:/variables/tools/:name": name_get_default7,
+  "GET:/auth/sa/callback": callback_get_default,
+  "GET:/auth/sa/start": start_get_default,
   "GET:/users/me/env": env_get_default2,
   "PATCH:/users/me/env": env_patch_default2,
   "DELETE:/threads/:id/fs/**": path_default3,