@thotischner/observability-mcp 1.7.1 → 3.0.0

package/dist/auth/rbac.js

@@ -0,0 +1,162 @@
+/**
+ * Role-based access control for the management plane.
+ *
+ * Roles are simple string identifiers (`viewer`, `operator`, `admin` ship
+ * built-in but the resolver is open-set — a deployment may add any number
+ * of custom roles via OIDC group claims, the local users file, or future
+ * RBAC config).
+ *
+ * Permissions are encoded as `<resource>:<action>` pairs. The permission
+ * table maps each pair to the set of roles that are granted it. A role
+ * with no entries in the table grants nothing.
+ *
+ * Anonymous mode bypasses RBAC entirely — there is no identity to check.
+ * Basic mode runs every mutating /api/* request through `requirePermission`
+ * middleware (mounted in index.ts alongside `requireSession`).
+ */
+/** Built-in default policy. Operators replace this via OMCP_RBAC_POLICY_FILE
+ *  (YAML/JSON file → BuiltinPolicyEngine) or OMCP_OPA_URL (external
+ *  OPA → OpaPolicyEngine). The gate consumes whichever via
+ *  `buildRequirePermissionFromEngine` so tenant-conditional Rego
+ *  rules can fire. */
+export const DEFAULT_POLICY = {
+    viewer: [
+        { resource: "sources", action: "read" },
+        { resource: "services", action: "read" },
+        { resource: "health", action: "read" },
+        { resource: "topology", action: "read" },
+        { resource: "settings", action: "read" },
+        { resource: "connectors", action: "read" },
+        { resource: "audit", action: "read" },
+        { resource: "catalog", action: "read" },
+        { resource: "products", action: "read" },
+    ],
+    operator: [
+        // Inherits viewer's read set + write on operational resources.
+        { resource: "sources", action: "read" },
+        { resource: "sources", action: "write" },
+        { resource: "services", action: "read" },
+        { resource: "health", action: "read" },
+        { resource: "health", action: "write" },
+        { resource: "topology", action: "read" },
+        { resource: "settings", action: "read" },
+        { resource: "settings", action: "write" },
+        { resource: "connectors", action: "read" },
+        { resource: "audit", action: "read" },
+        { resource: "catalog", action: "read" },
+        { resource: "products", action: "read" },
+        { resource: "products", action: "write" },
+    ],
+    admin: [
+        // Full surface — readable + writable + deletable.
+        ...["sources", "services", "health", "topology", "settings", "connectors", "audit", "catalog", "users", "products"]
+            .flatMap((r) => ["read", "write", "delete"].map((a) => ({ resource: r, action: a }))),
+        // Special: admins may bypass log-redaction on per-call MCP tool
+        // invocations (when the bearer credential ALSO opts in via
+        // OMCP_KEY_BYPASS_REDACTION — RBAC is the management-plane gate,
+        // the credential flag is the data-plane gate; both must allow).
+        { resource: "redaction", action: "bypass" },
+    ],
+};
+/** Resolve whether the given role set grants the requested permission. */
+export function hasPermission(roles, resource, action, policy = DEFAULT_POLICY) {
+    if (!roles || roles.length === 0)
+        return false;
+    for (const role of roles) {
+        const grants = policy[role];
+        if (!grants)
+            continue;
+        for (const g of grants) {
+            if (g.resource === resource && g.action === action)
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Express middleware factory. Returns a no-op in anonymous mode, otherwise
+ * gates the route on the named permission. Assumes `req.session` has been
+ * attached upstream by `buildSessionAttacher` and any auth requirement has
+ * already been enforced by `buildRequireSession` — so reaching this point
+ * with no session means anonymous mode is active.
+ */
+export function buildRequirePermission(runtime, resource, action, policy = DEFAULT_POLICY) {
+    if (runtime.mode === "anonymous") {
+        return function rbacNoop(_req, _res, next) {
+            next();
+        };
+    }
+    return function rbacGate(req, res, next) {
+        const roles = req.session?.roles;
+        if (hasPermission(roles, resource, action, policy)) {
+            next();
+            return;
+        }
+        res.status(403).json({
+            error: "permission denied",
+            code: "OMCP_PERMISSION_DENIED",
+            required: { resource, action },
+            have: roles ?? [],
+        });
+    };
+}
+/**
+ * Engine-aware variant of `buildRequirePermission`. Prefer this when an
+ * external policy engine (OPA, custom Rego) is in play — the legacy
+ * `(roles, resource, action) → boolean` map cannot carry the active
+ * tenant, so a Rego rule like `allow { input.tenant == "acme" }` can
+ * never fire if you go through the map. This variant calls
+ * `engine.evaluate(roles, resource, action, { tenant: session.tenant })`
+ * so tenant-conditional rules see the input they need.
+ *
+ * Anonymous mode stays a no-op — same as the map variant.
+ *
+ * Performance: `evaluate` is sync by contract. OPA hits its cache; on
+ * first miss it returns a conservative deny and warms in the
+ * background — the second request inside the TTL gets the real
+ * verdict. Documented in opa.ts.
+ */
+export function buildRequirePermissionFromEngine(runtime, resource, action, engine) {
+    if (runtime.mode === "anonymous") {
+        return function rbacNoop(_req, _res, next) {
+            next();
+        };
+    }
+    return function rbacGateEngine(req, res, next) {
+        const sess = req.session;
+        const verdict = engine.evaluate(sess?.roles, resource, action, { tenant: sess?.tenant });
+        if (verdict.allowed) {
+            next();
+            return;
+        }
+        res.status(403).json({
+            error: "permission denied",
+            code: "OMCP_PERMISSION_DENIED",
+            required: { resource, action },
+            have: sess?.roles ?? [],
+            reason: verdict.reason,
+        });
+    };
+}
+/** Convenience snapshot for `/api/me` — list every permission the
+ * given role set unlocks. Used by the UI to hide write controls the
+ * current user can't trigger anyway. */
+export function listGrantedPermissions(roles, policy = DEFAULT_POLICY) {
+    if (!roles || roles.length === 0)
+        return [];
+    const seen = new Set();
+    const out = [];
+    for (const role of roles) {
+        const grants = policy[role];
+        if (!grants)
+            continue;
+        for (const g of grants) {
+            const key = `${g.resource}:${g.action}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            out.push(g);
+        }
+    }
+    return out;
+}

package/dist/auth/rbac.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth/rbac.test.js

@@ -0,0 +1,183 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { hasPermission, buildRequirePermission, listGrantedPermissions, DEFAULT_POLICY, } from "./rbac.js";
+function mkReq(roles) {
+    return {
+        session: roles
+            ? { sub: "u", name: "u", roles, iat: 0, exp: Date.now() / 1000 + 60 }
+            : undefined,
+    };
+}
+function mkRes() {
+    let statusCode = 0;
+    let body = null;
+    return {
+        status(c) { statusCode = c; return this; },
+        json(b) { body = b; return this; },
+        get statusCode() { return statusCode; },
+        get body() { return body; },
+    };
+}
+test("DEFAULT_POLICY — viewer reads but cannot write", () => {
+    assert.equal(hasPermission(["viewer"], "sources", "read"), true);
+    assert.equal(hasPermission(["viewer"], "sources", "write"), false);
+    assert.equal(hasPermission(["viewer"], "sources", "delete"), false);
+});
+test("DEFAULT_POLICY — operator writes sources + settings but never deletes", () => {
+    assert.equal(hasPermission(["operator"], "sources", "write"), true);
+    assert.equal(hasPermission(["operator"], "settings", "write"), true);
+    assert.equal(hasPermission(["operator"], "sources", "delete"), false);
+});
+test("DEFAULT_POLICY — admin can do everything across every resource", () => {
+    for (const resource of ["sources", "services", "health", "topology", "settings", "connectors", "audit", "catalog", "users", "products"]) {
+        for (const action of ["read", "write", "delete"]) {
+            assert.equal(hasPermission(["admin"], resource, action), true, `admin should ${action} ${resource}`);
+        }
+    }
+});
+test("DEFAULT_POLICY — only admin holds redaction:bypass", () => {
+    assert.equal(hasPermission(["admin"], "redaction", "bypass"), true);
+    assert.equal(hasPermission(["operator"], "redaction", "bypass"), false);
+    assert.equal(hasPermission(["viewer"], "redaction", "bypass"), false);
+    // Other actions on the redaction resource are intentionally NOT granted —
+    // there is no read/write/delete semantic, only bypass.
+    assert.equal(hasPermission(["admin"], "redaction", "read"), false);
+    assert.equal(hasPermission(["admin"], "redaction", "write"), false);
+});
+test("hasPermission — empty / missing roles grant nothing", () => {
+    assert.equal(hasPermission(undefined, "sources", "read"), false);
+    assert.equal(hasPermission([], "sources", "read"), false);
+    assert.equal(hasPermission(["unknown-role"], "sources", "read"), false);
+});
+test("hasPermission — union of roles is honoured", () => {
+    // A user assigned both viewer and operator gets the operator superset.
+    assert.equal(hasPermission(["viewer", "operator"], "sources", "write"), true);
+});
+test("hasPermission — custom policy overrides built-in", () => {
+    const custom = {
+        "incident-commander": [{ resource: "sources", action: "delete" }],
+    };
+    assert.equal(hasPermission(["incident-commander"], "sources", "delete", custom), true);
+    // Built-in admin is NOT in the custom policy → loses its grants.
+    assert.equal(hasPermission(["admin"], "sources", "delete", custom), false);
+});
+test("buildRequirePermission — anonymous always allows", () => {
+    const mw = buildRequirePermission({ mode: "anonymous" }, "sources", "write");
+    const res = mkRes();
+    let called = false;
+    mw(mkReq(), res, () => { called = true; });
+    assert.equal(called, true);
+    assert.equal(res.statusCode, 0);
+});
+test("buildRequirePermission — denies viewer on write", () => {
+    const runtime = { mode: "basic", session: { secret: "x".repeat(48) } };
+    const mw = buildRequirePermission(runtime, "sources", "write");
+    const res = mkRes();
+    let called = false;
+    mw(mkReq(["viewer"]), res, () => { called = true; });
+    assert.equal(called, false);
+    assert.equal(res.statusCode, 403);
+    const body = res.body;
+    assert.equal(body.code, "OMCP_PERMISSION_DENIED");
+});
+test("buildRequirePermission — allows operator on write", () => {
+    const runtime = { mode: "basic", session: { secret: "x".repeat(48) } };
+    const mw = buildRequirePermission(runtime, "sources", "write");
+    const res = mkRes();
+    let called = false;
+    mw(mkReq(["operator"]), res, () => { called = true; });
+    assert.equal(called, true);
+    assert.equal(res.statusCode, 0);
+});
+test("buildRequirePermission — denies missing session in basic mode", () => {
+    const runtime = { mode: "basic", session: { secret: "x".repeat(48) } };
+    const mw = buildRequirePermission(runtime, "sources", "read");
+    const res = mkRes();
+    let called = false;
+    mw(mkReq(), res, () => { called = true; });
+    assert.equal(called, false);
+    assert.equal(res.statusCode, 403);
+});
+test("listGrantedPermissions — deduplicates across overlapping roles", () => {
+    const p = listGrantedPermissions(["viewer", "operator"]);
+    const keys = p.map((g) => `${g.resource}:${g.action}`);
+    assert.equal(new Set(keys).size, keys.length, "expected no duplicates");
+    // sanity: includes both a viewer-only read and an operator-only write
+    assert.ok(p.some((g) => g.resource === "sources" && g.action === "read"));
+    assert.ok(p.some((g) => g.resource === "sources" && g.action === "write"));
+});
+test("listGrantedPermissions — admin lists every (resource, action) once", () => {
+    const p = listGrantedPermissions(["admin"]);
+    // 10 resources (added 'products' in the products-RBAC phase) * 3 actions
+    // = 30, plus the special redaction:bypass entry = 31.
+    assert.equal(p.length, 31);
+    assert.ok(p.some((g) => g.resource === "redaction" && g.action === "bypass"));
+    assert.ok(p.some((g) => g.resource === "products" && g.action === "delete"));
+});
+test("DEFAULT_POLICY shape — has the three built-in roles", () => {
+    assert.ok(DEFAULT_POLICY.viewer);
+    assert.ok(DEFAULT_POLICY.operator);
+    assert.ok(DEFAULT_POLICY.admin);
+});
+import { buildRequirePermissionFromEngine } from "./rbac.js";
+import { BuiltinPolicyEngine } from "./policy/engine.js";
+test("buildRequirePermissionFromEngine — anonymous always allows (no-op middleware)", () => {
+    const engine = new BuiltinPolicyEngine(DEFAULT_POLICY);
+    const mw = buildRequirePermissionFromEngine({ mode: "anonymous" }, "sources", "write", engine);
+    const res = mkRes();
+    let called = false;
+    mw(mkReq(), res, () => { called = true; });
+    assert.equal(called, true);
+    assert.equal(res.statusCode, 0);
+});
+test("buildRequirePermissionFromEngine — engine.evaluate verdict is surfaced verbatim in the 403 body", () => {
+    // Spy engine returns a custom reason so we can prove the gate forwards it.
+    const engine = {
+        evaluate: () => ({ allowed: false, reason: "test deny reason from engine" }),
+        list: () => [],
+        roles: () => [],
+        kind: () => "test",
+    };
+    const runtime = { mode: "basic", session: { secret: "x".repeat(48) } };
+    const mw = buildRequirePermissionFromEngine(runtime, "sources", "write", engine);
+    const res = mkRes();
+    mw(mkReq(["viewer"]), res, () => undefined);
+    assert.equal(res.statusCode, 403);
+    const body = res.body;
+    assert.equal(body.code, "OMCP_PERMISSION_DENIED");
+    assert.equal(body.reason, "test deny reason from engine");
+});
+test("buildRequirePermissionFromEngine — passes session.tenant into engine.evaluate's EvalContext (load-bearing for OPA tenant rules)", () => {
+    // This is the property the OPA-input-tenant refine relies on:
+    // the gate MUST pass session.tenant to engine.evaluate so a Rego
+    // rule like `allow { input.tenant == "acme" }` can fire. Capture
+    // the ctx and assert it carries the tenant verbatim.
+    let seenCtx;
+    const engine = {
+        evaluate: (_roles, _r, _a, ctx) => {
+            seenCtx = ctx;
+            return { allowed: true, reason: "ok" };
+        },
+        list: () => [],
+        roles: () => [],
+        kind: () => "spy",
+    };
+    const runtime = { mode: "basic", session: { secret: "x".repeat(48) } };
+    const mw = buildRequirePermissionFromEngine(runtime, "sources", "read", engine);
+    const res = mkRes();
+    const req = {
+        session: { sub: "u", name: "u", roles: ["viewer"], tenant: "acme", iat: 0, exp: Date.now() / 1000 + 60 },
+    };
+    mw(req, res, () => undefined);
+    assert.equal(seenCtx?.tenant, "acme", "tenant from session must flow into engine.evaluate ctx");
+});
+test("buildRequirePermissionFromEngine — sessionless basic-mode request denies via engine (roles undefined → no permission)", () => {
+    const engine = new BuiltinPolicyEngine(DEFAULT_POLICY);
+    const runtime = { mode: "basic", session: { secret: "x".repeat(48) } };
+    const mw = buildRequirePermissionFromEngine(runtime, "sources", "read", engine);
+    const res = mkRes();
+    let called = false;
+    mw(mkReq(), res, () => { called = true; });
+    assert.equal(called, false);
+    assert.equal(res.statusCode, 403);
+});

package/dist/auth/session.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Stateless signed-cookie sessions for the management plane (`/api/*`).
+ *
+ * The cookie value is `<base64url(payload)>.<base64url(hmacSha256(payload))>`.
+ * The payload is a small JSON object with the user's identity, the issued-at
+ * timestamp and the absolute expiry. No server-side store; rotating the
+ * secret invalidates every outstanding session.
+ *
+ * MCP transport authentication still uses {@link Credential} bearer tokens
+ * — see `./credentials.ts`. This module is exclusively for the browser /
+ * UI / `/api/*` plane.
+ */
+export interface SessionPayload {
+    /** Stable user identifier (username for the local-users store, sub claim for OIDC, ...) */
+    sub: string;
+    /** Display name shown in the UI. May equal `sub`. */
+    name: string;
+    /** Email address when the identity provider supplied one. Optional —
+     *  local-users-mode sessions usually omit this; OIDC sessions populate
+     *  from the `email` claim when present + verified by the IdP. */
+    email?: string;
+    /** Tenant the identity belongs to. Omitted when single-tenant — the
+     *  request handler defaults to "default" via normaliseTenant() so
+     *  existing single-tenant deployments need no migration. */
+    tenant?: string;
+    /** Optional list of role identifiers — used by later phases for RBAC. */
+    roles?: string[];
+    /** Issued-at, seconds since epoch. */
+    iat: number;
+    /** Hard expiry, seconds since epoch. */
+    exp: number;
+}
+export interface SessionConfig {
+    /** Symmetric key. Must be at least 32 bytes. */
+    secret: string;
+    /** Cookie lifetime, seconds. Defaults to 12 hours. */
+    ttlSeconds?: number;
+    /** Cookie name. Defaults to `omcp_session`. */
+    cookieName?: string;
+}
+export declare const DEFAULT_SESSION_TTL_SECONDS: number;
+export declare const DEFAULT_COOKIE_NAME = "omcp_session";
+/** Create a signed cookie value for the given identity. */
+export declare function issueSession(identity: Pick<SessionPayload, "sub" | "name" | "roles" | "email" | "tenant">, cfg: SessionConfig, now?: number): {
+    cookie: string;
+    payload: SessionPayload;
+};
+/** Reject cookies above this size before any crypto work — practical
+ * browser cookies stay well under 4 KB and a runaway input shouldn't
+ * even reach the HMAC step. Defense-in-depth; Express's
+ * `maxHttpHeaderSize` (16 KB by default) is the outer bound. */
+export declare const MAX_COOKIE_BYTES = 4096;
+/** Verify a cookie value. Returns the payload on success, null on any failure. */
+export declare function verifySession(cookieValue: string | undefined | null, cfg: SessionConfig, now?: number): SessionPayload | null;
+/** Render a Set-Cookie header value for an issued session. */
+export declare function setCookieHeader(cookie: string, cfg: SessionConfig, opts?: {
+    secure?: boolean;
+}): string;
+/** Render a Set-Cookie header that immediately expires the session cookie. */
+export declare function clearCookieHeader(cfg: SessionConfig, opts?: {
+    secure?: boolean;
+}): string;
+/** Parse the named cookie from a raw Cookie header. */
+export declare function readCookie(cookieHeader: string | undefined | null, name?: string): string | null;
+/** Generate a cryptographically strong fallback secret. Logged-once recommended. */
+export declare function generateSecret(): string;

package/dist/auth/session.js

@@ -0,0 +1,146 @@
+/**
+ * Stateless signed-cookie sessions for the management plane (`/api/*`).
+ *
+ * The cookie value is `<base64url(payload)>.<base64url(hmacSha256(payload))>`.
+ * The payload is a small JSON object with the user's identity, the issued-at
+ * timestamp and the absolute expiry. No server-side store; rotating the
+ * secret invalidates every outstanding session.
+ *
+ * MCP transport authentication still uses {@link Credential} bearer tokens
+ * — see `./credentials.ts`. This module is exclusively for the browser /
+ * UI / `/api/*` plane.
+ */
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+export const DEFAULT_SESSION_TTL_SECONDS = 12 * 60 * 60;
+export const DEFAULT_COOKIE_NAME = "omcp_session";
+function b64urlEncode(buf) {
+    return buf.toString("base64url");
+}
+function b64urlDecode(s) {
+    try {
+        return Buffer.from(s, "base64url");
+    }
+    catch {
+        return null;
+    }
+}
+function sign(secret, payload) {
+    return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+/** Create a signed cookie value for the given identity. */
+export function issueSession(identity, cfg, now = Math.floor(Date.now() / 1000)) {
+    assertSecret(cfg.secret);
+    const ttl = cfg.ttlSeconds ?? DEFAULT_SESSION_TTL_SECONDS;
+    const payload = {
+        sub: identity.sub,
+        name: identity.name,
+        email: identity.email,
+        tenant: identity.tenant,
+        roles: identity.roles,
+        iat: now,
+        exp: now + ttl,
+    };
+    const payloadStr = b64urlEncode(Buffer.from(JSON.stringify(payload)));
+    const sig = sign(cfg.secret, payloadStr);
+    return { cookie: `${payloadStr}.${sig}`, payload };
+}
+/** Reject cookies above this size before any crypto work — practical
+ * browser cookies stay well under 4 KB and a runaway input shouldn't
+ * even reach the HMAC step. Defense-in-depth; Express's
+ * `maxHttpHeaderSize` (16 KB by default) is the outer bound. */
+export const MAX_COOKIE_BYTES = 4096;
+/** Verify a cookie value. Returns the payload on success, null on any failure. */
+export function verifySession(cookieValue, cfg, now = Math.floor(Date.now() / 1000)) {
+    if (!cookieValue)
+        return null;
+    if (cookieValue.length > MAX_COOKIE_BYTES)
+        return null;
+    assertSecret(cfg.secret);
+    const dot = cookieValue.indexOf(".");
+    if (dot <= 0 || dot === cookieValue.length - 1)
+        return null;
+    const payloadStr = cookieValue.slice(0, dot);
+    const sig = cookieValue.slice(dot + 1);
+    const expected = sign(cfg.secret, payloadStr);
+    // Constant-time compare on equal-length buffers; reject length mismatch first.
+    const a = Buffer.from(sig);
+    const b = Buffer.from(expected);
+    if (a.length !== b.length || !timingSafeEqual(a, b))
+        return null;
+    const raw = b64urlDecode(payloadStr);
+    if (!raw)
+        return null;
+    let parsed;
+    try {
+        parsed = JSON.parse(raw.toString("utf8"));
+    }
+    catch {
+        return null;
+    }
+    if (!isSessionPayload(parsed))
+        return null;
+    if (parsed.exp <= now)
+        return null;
+    return parsed;
+}
+function isSessionPayload(v) {
+    if (!v || typeof v !== "object")
+        return false;
+    const o = v;
+    if (typeof o.sub !== "string" || typeof o.name !== "string")
+        return false;
+    if (typeof o.iat !== "number" || typeof o.exp !== "number")
+        return false;
+    if (o.roles !== undefined && !(Array.isArray(o.roles) && o.roles.every((r) => typeof r === "string")))
+        return false;
+    if (o.email !== undefined && typeof o.email !== "string")
+        return false;
+    if (o.tenant !== undefined && typeof o.tenant !== "string")
+        return false;
+    return true;
+}
+function assertSecret(secret) {
+    if (!secret || secret.length < 32) {
+        throw new Error("session secret must be at least 32 characters");
+    }
+}
+/** Render a Set-Cookie header value for an issued session. */
+export function setCookieHeader(cookie, cfg, opts = {}) {
+    const ttl = cfg.ttlSeconds ?? DEFAULT_SESSION_TTL_SECONDS;
+    const name = cfg.cookieName ?? DEFAULT_COOKIE_NAME;
+    const parts = [
+        `${name}=${cookie}`,
+        `Max-Age=${ttl}`,
+        "Path=/",
+        "HttpOnly",
+        "SameSite=Lax",
+    ];
+    if (opts.secure !== false)
+        parts.push("Secure");
+    return parts.join("; ");
+}
+/** Render a Set-Cookie header that immediately expires the session cookie. */
+export function clearCookieHeader(cfg, opts = {}) {
+    const name = cfg.cookieName ?? DEFAULT_COOKIE_NAME;
+    const parts = [`${name}=`, "Max-Age=0", "Path=/", "HttpOnly", "SameSite=Lax"];
+    if (opts.secure !== false)
+        parts.push("Secure");
+    return parts.join("; ");
+}
+/** Parse the named cookie from a raw Cookie header. */
+export function readCookie(cookieHeader, name = DEFAULT_COOKIE_NAME) {
+    if (!cookieHeader)
+        return null;
+    for (const part of cookieHeader.split(/;\s*/)) {
+        const eq = part.indexOf("=");
+        if (eq <= 0)
+            continue;
+        if (part.slice(0, eq) === name)
+            return part.slice(eq + 1);
+    }
+    return null;
+}
+/** Generate a cryptographically strong fallback secret. Logged-once recommended. */
+export function generateSecret() {
+    return randomBytes(48).toString("base64url");
+}

package/dist/auth/session.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth/session.test.js

@@ -0,0 +1,90 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { issueSession, verifySession, setCookieHeader, clearCookieHeader, readCookie, generateSecret, DEFAULT_COOKIE_NAME, } from "./session.js";
+const secret = "a".repeat(48);
+test("issueSession + verifySession — round-trips identity", () => {
+    const now = 1_700_000_000;
+    const { cookie, payload } = issueSession({ sub: "alice", name: "Alice", roles: ["operator"] }, { secret }, now);
+    assert.equal(payload.sub, "alice");
+    assert.equal(payload.exp, now + 12 * 60 * 60);
+    const verified = verifySession(cookie, { secret }, now + 1);
+    assert.ok(verified, "expected verified payload");
+    assert.equal(verified.sub, "alice");
+    assert.deepEqual(verified.roles, ["operator"]);
+});
+test("issueSession + verifySession — round-trips email when present", () => {
+    const now = 1_700_000_000;
+    const { cookie } = issueSession({ sub: "alice", name: "Alice", email: "alice@example.test", roles: ["operator"] }, { secret }, now);
+    const verified = verifySession(cookie, { secret }, now + 1);
+    assert.ok(verified);
+    assert.equal(verified.email, "alice@example.test");
+});
+test("issueSession + verifySession — omits email when caller doesn't supply one", () => {
+    const now = 1_700_000_000;
+    const { cookie } = issueSession({ sub: "alice", name: "Alice", roles: ["operator"] }, { secret }, now);
+    const verified = verifySession(cookie, { secret }, now + 1);
+    assert.ok(verified);
+    assert.equal(verified.email, undefined);
+});
+test("verifySession — rejects an expired cookie", () => {
+    const now = 1_700_000_000;
+    const { cookie } = issueSession({ sub: "alice", name: "Alice" }, { secret, ttlSeconds: 60 }, now);
+    assert.equal(verifySession(cookie, { secret }, now + 61), null);
+});
+test("verifySession — rejects tampered payload", () => {
+    const { cookie } = issueSession({ sub: "alice", name: "Alice" }, { secret });
+    const [payload, sig] = cookie.split(".");
+    const flipped = Buffer.from(payload, "base64url").toString("utf8").replace("alice", "mallory");
+    const evil = Buffer.from(flipped).toString("base64url") + "." + sig;
+    assert.equal(verifySession(evil, { secret }), null);
+});
+test("verifySession — rejects cookie signed with a different secret", () => {
+    const { cookie } = issueSession({ sub: "alice", name: "Alice" }, { secret });
+    assert.equal(verifySession(cookie, { secret: "b".repeat(48) }), null);
+});
+test("verifySession — null / empty / malformed cookies return null", () => {
+    assert.equal(verifySession(null, { secret }), null);
+    assert.equal(verifySession("", { secret }), null);
+    assert.equal(verifySession("no-dot-anywhere", { secret }), null);
+    assert.equal(verifySession(".trailing", { secret }), null);
+    assert.equal(verifySession("leading.", { secret }), null);
+});
+test("verifySession — rejects oversized cookies before any crypto work", () => {
+    const huge = "x".repeat(10_000) + "." + "y".repeat(10);
+    assert.equal(verifySession(huge, { secret }), null);
+});
+test("verifySession — rejects short secret at verify time too (fail-closed)", () => {
+    const { cookie } = issueSession({ sub: "alice", name: "Alice" }, { secret });
+    assert.throws(() => verifySession(cookie, { secret: "short" }));
+});
+test("issueSession — rejects secrets shorter than 32 chars", () => {
+    assert.throws(() => issueSession({ sub: "alice", name: "A" }, { secret: "short" }));
+});
+test("setCookieHeader / clearCookieHeader — render expected attributes", () => {
+    const { cookie } = issueSession({ sub: "alice", name: "Alice" }, { secret });
+    const setHdr = setCookieHeader(cookie, { secret });
+    assert.match(setHdr, /^omcp_session=/);
+    assert.match(setHdr, /HttpOnly/);
+    assert.match(setHdr, /SameSite=Lax/);
+    assert.match(setHdr, /Secure/);
+    assert.match(setHdr, /Max-Age=43200/);
+    const clearHdr = clearCookieHeader({ secret });
+    assert.match(clearHdr, /^omcp_session=;/);
+    assert.match(clearHdr, /Max-Age=0/);
+});
+test("setCookieHeader — `secure: false` omits Secure (dev / plain http)", () => {
+    const { cookie } = issueSession({ sub: "alice", name: "Alice" }, { secret });
+    const hdr = setCookieHeader(cookie, { secret }, { secure: false });
+    assert.doesNotMatch(hdr, /Secure/);
+});
+test("readCookie — extracts the named cookie from a Cookie header", () => {
+    assert.equal(readCookie("foo=bar; omcp_session=hello; baz=qux"), "hello");
+    assert.equal(readCookie("omcp_session=hello", DEFAULT_COOKIE_NAME), "hello");
+    assert.equal(readCookie(undefined), null);
+    assert.equal(readCookie("missing=1"), null);
+});
+test("generateSecret — always returns ≥ 32 chars of url-safe entropy", () => {
+    const s = generateSecret();
+    assert.ok(s.length >= 32);
+    assert.match(s, /^[A-Za-z0-9_-]+$/);
+});