@valentinkolb/cloud 0.4.0 → 0.5.1

package/src/services/auth-flows/magic-link.ts

@@ -1,45 +1,108 @@
-import { sql } from "bun";
+import { redis, sql } from "bun";
 import { accounts } from "../accounts";
 import { notifications } from "../notifications";
 import { providers } from "../providers";
 import * as settings from "../settings";
 import { renderTemplate } from "../settings/templates";
 import type { User } from "../../contracts/shared";
+import { createAuthLoginUrl } from "../../shared/redirect";
+import { logger } from "../logging";
 
-export const request = async (params: { email: string }): Promise<
+const log = logger("auth:magic-link");
+const IPA_HINT_COOLDOWN_SECONDS = 300;
+
+const normalizeEmail = (email: string): string => email.trim().toLowerCase();
+const ipaHintCooldownKey = (email: string): string => `ipa-email-login-hint-cooldown:${email}`;
+
+const getAppUrl = async (): Promise<string> => {
+  const rawAppUrl = await settings.get<string>("app.url");
+  return rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+};
+
+const hasIpaAccountForEmail = async (email: string): Promise<boolean> => {
+  const rows = await sql<{ exists: boolean }[]>`
+    SELECT EXISTS (
+      SELECT 1
+      FROM auth.users
+      WHERE provider = 'ipa'
+        AND lower(btrim(mail)) = ${email}
+    ) AS exists
+  `;
+  return Boolean(rows[0]?.exists);
+};
+
+const claimIpaHintCooldown = async (email: string): Promise<boolean> => {
+  const result = await redis.send("SET", [
+    ipaHintCooldownKey(email),
+    "1",
+    "EX",
+    String(IPA_HINT_COOLDOWN_SECONDS),
+    "NX",
+  ]);
+  return result === "OK";
+};
+
+const sendIpaEmailLoginHint = async (params: { email: string; redirectTo?: string }): Promise<void> => {
+  const appUrl = await getAppUrl();
+  const loginUrl = createAuthLoginUrl(appUrl, {
+    method: "ipa",
+    redirectTo: params.redirectTo,
+  });
+  const [appName, contactEmail, template] = await Promise.all([
+    settings.get<string>("app.name"),
+    settings.get<string>("app.contact_email"),
+    settings.get<string>("mail.ipa_email_login_hint"),
+  ]);
+
+  await notifications.send({
+    type: "email",
+    recipient: params.email,
+    subject: `${appName} FreeIPA Sign In`,
+    rawHtml: renderTemplate(template, {
+      EMAIL: params.email,
+      LOGIN_URL: loginUrl,
+      APP_NAME: appName,
+      CONTACT_EMAIL: contactEmail?.trim() ?? "",
+    }),
+  });
+};
+
+export const request = async (params: { email: string; redirectTo?: string }): Promise<
   | { ok: true }
   | { ok: false; status: 400; message: string }
 > => {
-  const userRows = await sql`SELECT uid, provider FROM auth.users WHERE mail = ${params.email}`;
+  const email = normalizeEmail(params.email);
+  const hasIpaUser = await hasIpaAccountForEmail(email);
+  const userRows = hasIpaUser ? [] : await sql`SELECT uid, provider FROM auth.users WHERE lower(btrim(mail)) = ${email}`;
   const hasLocalUser = userRows.some((row: { provider: string | null }) => row.provider === "local");
-  const hasIpaUser = userRows.some((row: { provider: string | null }) => row.provider === "ipa");
   const allowSelfRegistration = await settings.get<boolean>("user.allow_self_registration");
 
-  if (!hasLocalUser && !allowSelfRegistration) {
-    return {
-      ok: false,
-      status: 400,
-      message: "Only existing local accounts can sign in with email. Contact an administrator if you need access.",
-    };
+  if (hasIpaUser) {
+    if (await claimIpaHintCooldown(email)) {
+      void sendIpaEmailLoginHint({ email, redirectTo: params.redirectTo }).catch((error) => {
+        log.warn("Failed to send FreeIPA email-login hint", {
+          email,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      });
+    }
+    return { ok: true };
   }
 
-  if (!hasLocalUser && hasIpaUser) {
-    // Return ok without sending email to prevent account enumeration.
-    // IPA-only users must authenticate via Kerberos, not magic-link.
+  if (!hasLocalUser && !allowSelfRegistration) {
     return { ok: true };
   }
 
-  const token = await providers.local.auth.createMagicLinkToken({ email: params.email, ttlSeconds: 300 });
-  const rawAppUrl = await settings.get<string>("app.url");
-  const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
-  const magicLink = `${appUrl}/auth/login?token=${token}`;
+  const token = await providers.local.auth.createMagicLinkToken({ email, ttlSeconds: 300 });
+  const appUrl = await getAppUrl();
+  const magicLink = createAuthLoginUrl(appUrl, { token, redirectTo: params.redirectTo });
 
   const appName = await settings.get<string>("app.name");
   const template = await settings.get<string>("mail.magic_link_login");
 
   await notifications.send({
     type: "email",
-    recipient: params.email,
+    recipient: email,
     subject: `${appName} Login Code`,
     rawHtml: renderTemplate(template, {
       TOKEN: token,
@@ -62,13 +125,22 @@ export const verify = async (params: { token: string }): Promise<
   }
 
   const { email } = payload;
+  const normalizedEmail = normalizeEmail(email);
+  if (await hasIpaAccountForEmail(normalizedEmail)) {
+    return {
+      ok: false,
+      status: 401,
+      message: "This email address belongs to a FreeIPA-managed account. Sign in with FreeIPA.",
+    };
+  }
+
   // Reject expired accounts at login time, not just during cleanup. Without
   // this, an expired local user / guest could still authenticate in the
   // window between expiry and the next lifecycle run.
   const userRows = await sql`
     SELECT id, account_expires
     FROM auth.users
-    WHERE mail = ${email} AND provider = 'local'
+    WHERE lower(btrim(mail)) = ${normalizedEmail} AND provider = 'local'
       AND (account_expires IS NULL OR account_expires > now())
     ORDER BY profile = 'user' DESC
     LIMIT 1
@@ -83,7 +155,7 @@ export const verify = async (params: { token: string }): Promise<
     const expiredRows = await sql`
       SELECT id
       FROM auth.users
-      WHERE mail = ${email} AND provider = 'local'
+      WHERE lower(btrim(mail)) = ${normalizedEmail} AND provider = 'local'
         AND account_expires IS NOT NULL AND account_expires <= now()
       LIMIT 1
     `;

package/src/services/auth-flows/password-reset.ts

@@ -0,0 +1,284 @@
+import { redis, sql } from "bun";
+import { notifications } from "../notifications";
+import { providers } from "../providers";
+import { session } from "../session";
+import * as settings from "../settings";
+import { renderTemplate } from "../settings/templates";
+import { logger } from "../logging";
+import { getServiceIpaSession } from "../ipa/service-account";
+import { getFreeIpaConfig } from "../freeipa-config";
+import type { User } from "../../contracts/shared";
+import { createAuthPasswordResetUrl } from "../../shared/redirect";
+import * as ipaFlow from "./ipa";
+
+const log = logger("auth:password-reset");
+
+const REQUEST_TTL_SECONDS = 900;
+const REQUEST_COOLDOWN_SECONDS = 60;
+const GENERIC_MESSAGE =
+  "If this account can reset a password, a reset link has been sent.";
+
+type ResetTarget = {
+  userId: string;
+  uid: string;
+  email: string;
+};
+
+type ResetAttemptSuccess = {
+  ok: true;
+  userId: string;
+  user: User;
+};
+
+type ResetAttemptFailure =
+  | {
+      ok: false;
+      status: 400;
+      reason: "policy_failed";
+      message: string;
+    }
+  | {
+      ok: false;
+      status: 400 | 401;
+      reason: "invalid_or_expired";
+      message: string;
+    }
+  | {
+      ok: false;
+      status: number;
+      reason: "reset_failed" | "login_failed";
+      message: string;
+    };
+
+const normalizeEmail = (email: string): string => email.trim().toLowerCase();
+const cooldownKey = (email: string) => `password-reset-cooldown:${email}`;
+
+const isInCooldown = async (email: string): Promise<boolean> => {
+  if (await redis.get(cooldownKey(email))) return true;
+  await redis.set(cooldownKey(email), "1", "EX", REQUEST_COOLDOWN_SECONDS);
+  return false;
+};
+
+const buildTarget = (row: { id: string; uid: string; mail: string }): ResetTarget => ({
+  userId: row.id,
+  uid: row.uid,
+  email: row.mail,
+});
+
+const resolveResetTarget = async (email: string): Promise<ResetTarget | null> => {
+  const rows = await sql<{ id: string; uid: string; mail: string }[]>`
+    SELECT id, uid, btrim(mail) AS mail
+    FROM auth.users
+    WHERE provider = 'ipa'
+      AND profile = 'user'
+      AND lower(btrim(mail)) = ${email}
+      AND (account_expires IS NULL OR account_expires > now())
+  `;
+
+  if (rows.length !== 1) {
+    if (rows.length > 1) {
+      log.warn("Password reset skipped: ambiguous IPA email", {
+        email,
+        matches: rows.length,
+      });
+    }
+    return null;
+  }
+
+  return buildTarget(rows[0]!);
+};
+
+const resolveResetTargetForToken = async (params: {
+  userId: string;
+  email: string;
+}): Promise<ResetTarget | null> => {
+  const rows = await sql<{ id: string; uid: string; mail: string }[]>`
+    SELECT id, uid, btrim(mail) AS mail
+    FROM auth.users
+    WHERE id = ${params.userId}
+      AND provider = 'ipa'
+      AND profile = 'user'
+      AND lower(btrim(mail)) = ${params.email}
+      AND (account_expires IS NULL OR account_expires > now())
+    LIMIT 1
+  `;
+
+  return rows.length === 1 ? buildTarget(rows[0]!) : null;
+};
+
+const sendResetEmail = async (
+  params: ResetTarget & { redirectTo?: string }
+): Promise<void> => {
+  const token = await providers.local.auth.createPasswordResetToken({
+    userId: params.userId,
+    uid: params.uid,
+    email: params.email,
+    ttlSeconds: REQUEST_TTL_SECONDS,
+  });
+  const rawAppUrl = await settings.get<string>("app.url");
+  const appUrl = rawAppUrl.startsWith("http")
+    ? rawAppUrl
+    : `https://${rawAppUrl}`;
+  const resetLink = createAuthPasswordResetUrl(appUrl, {
+    token,
+    redirectTo: params.redirectTo,
+  });
+  const [appName, contactEmail, template] = await Promise.all([
+    settings.get<string>("app.name"),
+    settings.get<string>("app.contact_email"),
+    settings.get<string>("mail.password_reset"),
+  ]);
+
+  await notifications.send({
+    type: "email",
+    recipient: params.email,
+    subject: `${appName} Password Reset`,
+    rawHtml: renderTemplate(template, {
+      RESET_LINK: resetLink,
+      APP_NAME: appName,
+      CONTACT_EMAIL: contactEmail?.trim() ?? "",
+    }),
+  });
+};
+
+const changeTemporaryPassword = async (params: {
+  userId: string;
+  uid: string;
+  email: string;
+  temporaryPassword: string;
+  newPassword: string;
+}): Promise<ResetAttemptSuccess | ResetAttemptFailure> => {
+  const changeResult = await ipaFlow.changeExpiredPassword({
+    username: params.uid,
+    currentPassword: params.temporaryPassword,
+    newPassword: params.newPassword,
+  });
+
+  if (!changeResult.ok) {
+    if (changeResult.reason === "change_failed") {
+      return {
+        ok: false,
+        status: 400,
+        reason: "policy_failed",
+        message: `${changeResult.message} Request a new reset link and choose a stronger password.`,
+      };
+    }
+
+    return {
+      ok: false,
+      status: changeResult.status,
+      reason: "login_failed",
+      message: changeResult.message,
+    };
+  }
+
+  await session.revokeAllForUser(changeResult.userId);
+
+  return {
+    ok: true,
+    userId: changeResult.userId,
+    user: changeResult.user,
+  };
+};
+
+export const request = async (params: {
+  email: string;
+  redirectTo?: string;
+}): Promise<{ ok: true; message: string }> => {
+  const email = normalizeEmail(params.email);
+  if (await isInCooldown(email)) {
+    log.info("Password reset request ignored during cooldown");
+    return { ok: true, message: GENERIC_MESSAGE };
+  }
+
+  const freeIpaConfig = await getFreeIpaConfig();
+  if (!freeIpaConfig.enabled || !freeIpaConfig.configured) {
+    log.info("Password reset request accepted while FreeIPA is unavailable");
+    return { ok: true, message: GENERIC_MESSAGE };
+  }
+
+  const target = await resolveResetTarget(email);
+  if (!target) {
+    log.info("Password reset request accepted without eligible target");
+    return { ok: true, message: GENERIC_MESSAGE };
+  }
+
+  await sendResetEmail({ ...target, redirectTo: params.redirectTo });
+  log.info("Password reset email sent", { uid: target.uid });
+  return { ok: true, message: GENERIC_MESSAGE };
+};
+
+export const complete = async (params: {
+  token?: string;
+  newPassword: string;
+}): Promise<ResetAttemptSuccess | ResetAttemptFailure> => {
+  if (!params.token) {
+    return {
+      ok: false,
+      status: 400,
+      reason: "invalid_or_expired",
+      message: "Missing password reset token.",
+    };
+  }
+
+  const payload = await providers.local.auth.consumePasswordResetToken(
+    params.token
+  );
+  if (!payload) {
+    return {
+      ok: false,
+      status: 401,
+      reason: "invalid_or_expired",
+      message:
+        "This password reset link has expired. Request a new reset link.",
+    };
+  }
+
+  const target = await resolveResetTargetForToken({
+    userId: payload.userId,
+    email: payload.email,
+  });
+  if (!target) {
+    return {
+      ok: false,
+      status: 401,
+      reason: "invalid_or_expired",
+      message:
+        "This password reset link has expired. Request a new reset link.",
+    };
+  }
+
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) {
+    return {
+      ok: false,
+      status: serviceSession.status,
+      reason: "reset_failed",
+      message: serviceSession.error,
+    };
+  }
+
+  const resetResult = await providers.ipa.users.resetPassword({
+    ipaSession: serviceSession.data,
+    id: target.userId,
+  });
+  if (!resetResult.ok) {
+    return {
+      ok: false,
+      status: resetResult.status,
+      reason: "reset_failed",
+      message: resetResult.error,
+    };
+  }
+
+  return changeTemporaryPassword({
+    ...target,
+    temporaryPassword: resetResult.data.password,
+    newPassword: params.newPassword,
+  });
+};
+
+export const passwordReset = {
+  request,
+  complete,
+} as const;

package/src/services/auth-flows/proxy-return.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, test } from "bun:test";
+import * as proxyReturn from "./proxy-return";
+
+describe("proxy auth return tokens", () => {
+  test("creates and consumes one-time return tokens", async () => {
+    const token = await proxyReturn.create({
+      clientId: "proxy-client",
+      url: "https://protected.example/path?query=1",
+      ttlSeconds: 30,
+    });
+
+    expect(token).toBeTruthy();
+    const consumed = await proxyReturn.consume({ token: token! });
+    expect(consumed).toEqual({
+      clientId: "proxy-client",
+      url: "https://protected.example/path?query=1",
+    });
+    expect(await proxyReturn.consume({ token: token! })).toBeNull();
+  });
+
+  test("rejects non-http return URLs", async () => {
+    expect(await proxyReturn.create({ clientId: "proxy-client", url: "javascript:alert(1)" })).toBeNull();
+  });
+});

package/src/services/auth-flows/proxy-return.ts

@@ -0,0 +1,49 @@
+import { redis } from "bun";
+
+const KEY_PREFIX = "auth:proxy-return:";
+const DEFAULT_TTL_SECONDS = 300;
+
+type ProxyReturnPayload = {
+  clientId: string;
+  url: string;
+};
+
+const key = (token: string) => `${KEY_PREFIX}${token}`;
+
+const normalizeReturnUrl = (value: string): string | null => {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
+    return url.toString();
+  } catch {
+    return null;
+  }
+};
+
+export const create = async (params: { clientId: string; url: string; ttlSeconds?: number }): Promise<string | null> => {
+  const url = normalizeReturnUrl(params.url);
+  if (!url) return null;
+
+  const token = crypto.randomUUID();
+  const payload: ProxyReturnPayload = {
+    clientId: params.clientId,
+    url,
+  };
+  await redis.set(key(token), JSON.stringify(payload), "EX", params.ttlSeconds ?? DEFAULT_TTL_SECONDS);
+  return token;
+};
+
+export const consume = async (params: { token: string }): Promise<ProxyReturnPayload | null> => {
+  const raw = await redis.getdel(key(params.token));
+  if (!raw) return null;
+
+  try {
+    const payload = JSON.parse(raw) as Partial<ProxyReturnPayload>;
+    if (typeof payload.clientId !== "string" || typeof payload.url !== "string") return null;
+    const url = normalizeReturnUrl(payload.url);
+    if (!url) return null;
+    return { clientId: payload.clientId, url };
+  } catch {
+    return null;
+  }
+};

package/src/services/gateway.ts

@@ -0,0 +1,162 @@
+import { ephemeral, topic } from "@valentinkolb/sync";
+import { logger } from "./logging";
+
+const SNAPSHOT_TTL_MS = 30_000;
+const TOPIC_PREFIX = "cloud:gateway:telemetry";
+const TOPIC_ID = "events";
+const TOPIC_RETENTION_MS = 24 * 60 * 60 * 1000;
+const TOPIC_TENANT = "default";
+const DROP_LOG_INTERVAL_MS = 30_000;
+
+const log = logger("gateway:telemetry");
+
+export type GatewayRouteWarning = {
+  appId: string;
+  prefix: string;
+  reason: string;
+  detail?: string;
+};
+
+export type GatewayRouteSnapshotInput = {
+  instanceId: string;
+  baseUrl: string;
+  startedAt: number;
+  routeHash: string;
+  routeWarnings: GatewayRouteWarning[];
+  table: {
+    version: number;
+    builtAt: number;
+    routeCount: number;
+    routes: Array<{ prefix: string; appId: string }>;
+  };
+  stats: {
+    totalRequests: number;
+    noRouteCount: number;
+    byApp: Map<string, { count: number; totalMs: number; errors: number }>;
+    byRoute: Map<string, { count: number; errors: number; lastSeen: number }>;
+  };
+};
+
+export type GatewayRouteSnapshot = {
+  instanceId: string;
+  baseUrl: string;
+  startedAt: number;
+  updatedAt: number;
+  tableVersion: number;
+  tableBuiltAt: number;
+  routeCount: number;
+  routeHash: string;
+  routeWarnings: GatewayRouteWarning[];
+  routes: Array<{ prefix: string; appId: string }>;
+  stats: {
+    totalRequests: number;
+    noRouteCount: number;
+    byApp: Array<{ appId: string; count: number; totalMs: number; errors: number }>;
+    byRoute: Array<{ prefix: string; count: number; errors: number; lastSeen: number }>;
+  };
+};
+
+export type GatewayTelemetryEvent = {
+  v: 1;
+  kind: "request";
+  appId: string;
+  routePrefix: string;
+  method: string;
+  status: number;
+  durationMs: number;
+  errorKind: "upstream_unavailable" | "unmatched_route" | null;
+  occurredAt: string;
+};
+
+const snapshots = ephemeral<GatewayRouteSnapshot>({
+  id: "gateway-route-snapshots",
+  ttlMs: SNAPSHOT_TTL_MS,
+  limits: { maxPayloadBytes: 128_000 },
+});
+
+export const buildGatewayRouteSnapshot = (input: GatewayRouteSnapshotInput): GatewayRouteSnapshot => ({
+  instanceId: input.instanceId,
+  baseUrl: input.baseUrl,
+  startedAt: input.startedAt,
+  updatedAt: Date.now(),
+  tableVersion: input.table.version,
+  tableBuiltAt: input.table.builtAt,
+  routeCount: input.table.routeCount,
+  routeHash: input.routeHash,
+  routeWarnings: input.routeWarnings,
+  routes: input.table.routes,
+  stats: {
+    totalRequests: input.stats.totalRequests,
+    noRouteCount: input.stats.noRouteCount,
+    byApp: [...input.stats.byApp.entries()].map(([appId, value]) => ({ appId, ...value })),
+    byRoute: [...input.stats.byRoute.entries()].map(([prefix, value]) => ({ prefix, ...value })),
+  },
+});
+
+export const publishGatewayRouteSnapshot = async (snapshot: GatewayRouteSnapshot): Promise<void> => {
+  await snapshots.upsert({ key: `instances/${snapshot.instanceId}`, value: snapshot });
+};
+
+export const removeGatewayRouteSnapshot = async (instanceId: string): Promise<void> => {
+  await snapshots.remove({ key: `instances/${instanceId}` });
+};
+
+export const listGatewayRouteSnapshots = async (): Promise<GatewayRouteSnapshot[]> => {
+  const snap = await snapshots.snapshot({ prefix: "instances/" });
+  return snap.entries.map((entry) => entry.value).sort((a, b) => a.instanceId.localeCompare(b.instanceId));
+};
+
+export const latestGatewayRouteSnapshot = async (): Promise<GatewayRouteSnapshot | null> => {
+  const all = await listGatewayRouteSnapshots();
+  return all.sort((a, b) => b.updatedAt - a.updatedAt)[0] ?? null;
+};
+
+export const gatewayTelemetryTopic = topic<GatewayTelemetryEvent>({
+  id: TOPIC_ID,
+  prefix: TOPIC_PREFIX,
+  retentionMs: TOPIC_RETENTION_MS,
+  limits: { payloadBytes: 8_000 },
+});
+
+export const GATEWAY_TELEMETRY_TENANT = TOPIC_TENANT;
+
+const normalizeMethod = (method: string): string => method.toUpperCase().slice(0, 16);
+const normalizeStatus = (status: number): number => (Number.isFinite(status) ? Math.max(0, Math.min(999, Math.round(status))) : 0);
+const normalizeDuration = (durationMs: number): number => (Number.isFinite(durationMs) ? Math.max(0, Math.round(durationMs)) : 0);
+const normalizeText = (value: string, fallback: string): string => {
+  const trimmed = value.trim();
+  return (trimmed.length ? trimmed : fallback).slice(0, 200);
+};
+
+export const publishRequestTelemetry = (event: Omit<GatewayTelemetryEvent, "v" | "kind" | "occurredAt">): void => {
+  const payload: GatewayTelemetryEvent = {
+    v: 1,
+    kind: "request",
+    appId: normalizeText(event.appId, "unknown"),
+    routePrefix: normalizeText(event.routePrefix, "(unknown)"),
+    method: normalizeMethod(event.method),
+    status: normalizeStatus(event.status),
+    durationMs: normalizeDuration(event.durationMs),
+    errorKind: event.errorKind,
+    occurredAt: new Date().toISOString(),
+  };
+
+  void gatewayTelemetryTopic
+    .pub({
+      tenantId: GATEWAY_TELEMETRY_TENANT,
+      orderingKey: payload.appId,
+      data: payload,
+    })
+    .catch((error) => {
+      const now = Date.now();
+      if (now - lastPublishErrorAt < DROP_LOG_INTERVAL_MS) return;
+      lastPublishErrorAt = now;
+      log.warn("Dropped gateway telemetry event", {
+        appId: payload.appId,
+        routePrefix: payload.routePrefix,
+        error: error instanceof Error ? error.message : String(error),
+      });
+    });
+};
+
+let lastPublishErrorAt = 0;