@wopr-network/platform-core 0.1.0

package/src/auth/scoped-tokens.test.ts

@@ -0,0 +1,362 @@
+import { Hono } from "hono";
+import { describe, expect, it } from "vitest";
+import { buildTokenMap, parseTokenScope, scopedBearerAuth, scopeSatisfies, type TokenScope } from "./index.js";
+
+// ---------------------------------------------------------------------------
+// parseTokenScope
+// ---------------------------------------------------------------------------
+
+describe("parseTokenScope", () => {
+  it("parses read scope from wopr_read_<random>", () => {
+    expect(parseTokenScope("wopr_read_abc123")).toBe("read");
+  });
+
+  it("parses write scope from wopr_write_<random>", () => {
+    expect(parseTokenScope("wopr_write_xyz789")).toBe("write");
+  });
+
+  it("parses admin scope from wopr_admin_<random>", () => {
+    expect(parseTokenScope("wopr_admin_secret42")).toBe("admin");
+  });
+
+  it("handles tokens with underscores in the random part", () => {
+    expect(parseTokenScope("wopr_read_abc_def_ghi")).toBe("read");
+  });
+
+  it("returns null for tokens without wopr_ prefix", () => {
+    expect(parseTokenScope("some-plain-token")).toBeNull();
+    expect(parseTokenScope("fleet-token-123")).toBeNull();
+  });
+
+  it("returns null for empty string", () => {
+    expect(parseTokenScope("")).toBeNull();
+  });
+
+  it("returns null for wopr_ with no scope", () => {
+    expect(parseTokenScope("wopr_")).toBeNull();
+  });
+
+  it("returns null for wopr_ with invalid scope", () => {
+    expect(parseTokenScope("wopr_superadmin_abc")).toBeNull();
+    expect(parseTokenScope("wopr_delete_abc")).toBeNull();
+    expect(parseTokenScope("wopr_root_abc")).toBeNull();
+  });
+
+  it("returns null for wopr_ with scope but no random part", () => {
+    expect(parseTokenScope("wopr_read_")).toBeNull();
+    expect(parseTokenScope("wopr_read")).toBeNull();
+  });
+
+  it("returns null for partial prefix", () => {
+    expect(parseTokenScope("wop_read_abc")).toBeNull();
+    expect(parseTokenScope("WOPR_read_abc")).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// scopeSatisfies
+// ---------------------------------------------------------------------------
+
+describe("scopeSatisfies", () => {
+  it("read satisfies read", () => {
+    expect(scopeSatisfies("read", "read")).toBe(true);
+  });
+
+  it("write satisfies read", () => {
+    expect(scopeSatisfies("write", "read")).toBe(true);
+  });
+
+  it("write satisfies write", () => {
+    expect(scopeSatisfies("write", "write")).toBe(true);
+  });
+
+  it("admin satisfies read", () => {
+    expect(scopeSatisfies("admin", "read")).toBe(true);
+  });
+
+  it("admin satisfies write", () => {
+    expect(scopeSatisfies("admin", "write")).toBe(true);
+  });
+
+  it("admin satisfies admin", () => {
+    expect(scopeSatisfies("admin", "admin")).toBe(true);
+  });
+
+  it("read does NOT satisfy write", () => {
+    expect(scopeSatisfies("read", "write")).toBe(false);
+  });
+
+  it("read does NOT satisfy admin", () => {
+    expect(scopeSatisfies("read", "admin")).toBe(false);
+  });
+
+  it("write does NOT satisfy admin", () => {
+    expect(scopeSatisfies("write", "admin")).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildTokenMap
+// ---------------------------------------------------------------------------
+
+describe("buildTokenMap", () => {
+  it("maps FLEET_API_TOKEN as admin (backwards compat)", () => {
+    const map = buildTokenMap({ FLEET_API_TOKEN: "legacy-token" });
+    expect(map.get("legacy-token")).toBe("admin");
+  });
+
+  it("maps scoped env vars to correct scopes", () => {
+    const map = buildTokenMap({
+      FLEET_API_TOKEN_READ: "wopr_read_r1",
+      FLEET_API_TOKEN_WRITE: "wopr_write_w1",
+      FLEET_API_TOKEN_ADMIN: "wopr_admin_a1",
+    });
+    expect(map.get("wopr_read_r1")).toBe("read");
+    expect(map.get("wopr_write_w1")).toBe("write");
+    expect(map.get("wopr_admin_a1")).toBe("admin");
+  });
+
+  it("scoped vars take priority over legacy token", () => {
+    const token = "shared-token";
+    const map = buildTokenMap({
+      FLEET_API_TOKEN: token,
+      FLEET_API_TOKEN_READ: token,
+    });
+    // The scoped var should have set it to read first
+    expect(map.get(token)).toBe("read");
+  });
+
+  it("returns empty map when no env vars set", () => {
+    const map = buildTokenMap({});
+    expect(map.size).toBe(0);
+  });
+
+  it("ignores empty string env vars", () => {
+    const map = buildTokenMap({
+      FLEET_API_TOKEN: "",
+      FLEET_API_TOKEN_READ: "",
+      FLEET_API_TOKEN_WRITE: "",
+      FLEET_API_TOKEN_ADMIN: "",
+    });
+    expect(map.size).toBe(0);
+  });
+
+  it("ignores whitespace-only env vars", () => {
+    const map = buildTokenMap({
+      FLEET_API_TOKEN: "   ",
+      FLEET_API_TOKEN_READ: " ",
+    });
+    expect(map.size).toBe(0);
+  });
+
+  it("infers scope from wopr_ format for legacy token", () => {
+    const map = buildTokenMap({ FLEET_API_TOKEN: "wopr_read_abc123" });
+    expect(map.get("wopr_read_abc123")).toBe("read");
+  });
+
+  it("supports all scoped vars alongside legacy", () => {
+    const map = buildTokenMap({
+      FLEET_API_TOKEN: "legacy-admin",
+      FLEET_API_TOKEN_READ: "read-token",
+      FLEET_API_TOKEN_WRITE: "write-token",
+      FLEET_API_TOKEN_ADMIN: "admin-token",
+    });
+    expect(map.size).toBe(4);
+    expect(map.get("legacy-admin")).toBe("admin");
+    expect(map.get("read-token")).toBe("read");
+    expect(map.get("write-token")).toBe("write");
+    expect(map.get("admin-token")).toBe("admin");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// scopedBearerAuth middleware
+// ---------------------------------------------------------------------------
+
+describe("scopedBearerAuth middleware", () => {
+  const tokenMap = new Map<string, TokenScope>([
+    ["wopr_read_r1", "read"],
+    ["wopr_write_w1", "write"],
+    ["wopr_admin_a1", "admin"],
+    ["legacy-admin", "admin"],
+  ]);
+
+  function createApp(requiredScope: TokenScope) {
+    const app = new Hono();
+    app.use("/*", scopedBearerAuth(tokenMap, requiredScope));
+    app.get("/test", (c) => c.json({ ok: true }));
+    app.post("/test", (c) => c.json({ ok: true }));
+    return app;
+  }
+
+  describe("authentication", () => {
+    it("rejects request with no Authorization header", async () => {
+      const app = createApp("read");
+      const res = await app.request("/test");
+      expect(res.status).toBe(401);
+      const body = await res.json();
+      expect(body.error).toBe("Authentication required");
+    });
+
+    it("rejects request with empty Authorization header", async () => {
+      const app = createApp("read");
+      const res = await app.request("/test", {
+        headers: { Authorization: "" },
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("rejects request with non-Bearer scheme", async () => {
+      const app = createApp("read");
+      const res = await app.request("/test", {
+        headers: { Authorization: "Basic abc123" },
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("rejects request with unknown token", async () => {
+      const app = createApp("read");
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer unknown-token" },
+      });
+      expect(res.status).toBe(401);
+      const body = await res.json();
+      expect(body.error).toBe("Invalid or expired token");
+    });
+  });
+
+  describe("read scope routes", () => {
+    const app = createApp("read");
+
+    it("allows read token on read routes", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer wopr_read_r1" },
+      });
+      expect(res.status).toBe(200);
+    });
+
+    it("allows write token on read routes", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer wopr_write_w1" },
+      });
+      expect(res.status).toBe(200);
+    });
+
+    it("allows admin token on read routes", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer wopr_admin_a1" },
+      });
+      expect(res.status).toBe(200);
+    });
+
+    it("allows legacy admin token on read routes", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer legacy-admin" },
+      });
+      expect(res.status).toBe(200);
+    });
+  });
+
+  describe("write scope routes", () => {
+    const app = createApp("write");
+
+    it("rejects read token on write routes with 403", async () => {
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { Authorization: "Bearer wopr_read_r1" },
+      });
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error).toBe("Insufficient scope");
+      expect(body.required).toBe("write");
+      expect(body.provided).toBe("read");
+    });
+
+    it("allows write token on write routes", async () => {
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { Authorization: "Bearer wopr_write_w1" },
+      });
+      expect(res.status).toBe(200);
+    });
+
+    it("allows admin token on write routes", async () => {
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { Authorization: "Bearer wopr_admin_a1" },
+      });
+      expect(res.status).toBe(200);
+    });
+  });
+
+  describe("admin scope routes", () => {
+    const app = createApp("admin");
+
+    it("rejects read token on admin routes with 403", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer wopr_read_r1" },
+      });
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error).toBe("Insufficient scope");
+      expect(body.required).toBe("admin");
+      expect(body.provided).toBe("read");
+    });
+
+    it("rejects write token on admin routes with 403", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer wopr_write_w1" },
+      });
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error).toBe("Insufficient scope");
+      expect(body.required).toBe("admin");
+      expect(body.provided).toBe("write");
+    });
+
+    it("allows admin token on admin routes", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer wopr_admin_a1" },
+      });
+      expect(res.status).toBe(200);
+    });
+
+    it("allows legacy admin token on admin routes", async () => {
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer legacy-admin" },
+      });
+      expect(res.status).toBe(200);
+    });
+  });
+
+  describe("backwards compatibility", () => {
+    it("existing FLEET_API_TOKEN works as admin on all scopes", async () => {
+      const legacyMap = buildTokenMap({ FLEET_API_TOKEN: "my-old-token" });
+
+      for (const scope of ["read", "write", "admin"] as TokenScope[]) {
+        const app = new Hono();
+        app.use("/*", scopedBearerAuth(legacyMap, scope));
+        app.get("/test", (c) => c.json({ ok: true }));
+
+        const res = await app.request("/test", {
+          headers: { Authorization: "Bearer my-old-token" },
+        });
+        expect(res.status).toBe(200);
+      }
+    });
+  });
+
+  describe("empty token map", () => {
+    it("rejects all tokens when map is empty", async () => {
+      const emptyMap = new Map<string, TokenScope>();
+      const app = new Hono();
+      app.use("/*", scopedBearerAuth(emptyMap, "read"));
+      app.get("/test", (c) => c.json({ ok: true }));
+
+      const res = await app.request("/test", {
+        headers: { Authorization: "Bearer any-token" },
+      });
+      expect(res.status).toBe(401);
+    });
+  });
+});

package/src/auth/tenant-access.test.ts

@@ -0,0 +1,69 @@
+import { describe, expect, it, vi } from "vitest";
+import type { IOrgMemberRepository } from "../tenancy/org-member-repository.js";
+import { validateTenantAccess } from "./index.js";
+
+function mockOrgMemberRepo(overrides: Partial<IOrgMemberRepository> = {}): IOrgMemberRepository {
+  return {
+    listMembers: vi.fn().mockResolvedValue([]),
+    addMember: vi.fn().mockResolvedValue(undefined),
+    updateMemberRole: vi.fn().mockResolvedValue(undefined),
+    removeMember: vi.fn().mockResolvedValue(undefined),
+    findMember: vi.fn().mockResolvedValue(null),
+    countAdminsAndOwners: vi.fn().mockResolvedValue(0),
+    listInvites: vi.fn().mockResolvedValue([]),
+    createInvite: vi.fn().mockResolvedValue(undefined),
+    findInviteById: vi.fn().mockResolvedValue(null),
+    findInviteByToken: vi.fn().mockResolvedValue(null),
+    deleteInvite: vi.fn().mockResolvedValue(undefined),
+    deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+    deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+    ...overrides,
+  };
+}
+
+describe("validateTenantAccess", () => {
+  it("allows access when requestedTenantId matches userId (personal tenant)", async () => {
+    const repo = mockOrgMemberRepo();
+    const result = await validateTenantAccess("user-1", "user-1", repo);
+    expect(result).toBe(true);
+    expect(repo.findMember).not.toHaveBeenCalled();
+  });
+
+  it("allows access when user is a member of the requested org", async () => {
+    const repo = mockOrgMemberRepo({
+      findMember: vi.fn().mockResolvedValue({
+        id: "m1",
+        orgId: "org-1",
+        userId: "user-1",
+        role: "member",
+        joinedAt: 0,
+      }),
+    });
+    const result = await validateTenantAccess("user-1", "org-1", repo);
+    expect(result).toBe(true);
+    expect(repo.findMember).toHaveBeenCalledWith("org-1", "user-1");
+  });
+
+  it("denies access when user is NOT a member of the requested org", async () => {
+    const repo = mockOrgMemberRepo({
+      findMember: vi.fn().mockResolvedValue(null),
+    });
+    const result = await validateTenantAccess("user-1", "org-evil", repo);
+    expect(result).toBe(false);
+    expect(repo.findMember).toHaveBeenCalledWith("org-evil", "user-1");
+  });
+
+  it("allows access when requestedTenantId is undefined (falls back to personal)", async () => {
+    const repo = mockOrgMemberRepo();
+    const result = await validateTenantAccess("user-1", undefined, repo);
+    expect(result).toBe(true);
+    expect(repo.findMember).not.toHaveBeenCalled();
+  });
+
+  it("allows access when requestedTenantId is empty string (falls back to personal)", async () => {
+    const repo = mockOrgMemberRepo();
+    const result = await validateTenantAccess("user-1", "", repo);
+    expect(result).toBe(true);
+    expect(repo.findMember).not.toHaveBeenCalled();
+  });
+});

package/src/auth/user-creator.test.ts

@@ -0,0 +1,98 @@
+import { describe, expect, it, vi } from "vitest";
+import type { RoleStore } from "../admin/role-store.js";
+import { createUserCreator } from "./user-creator.js";
+
+// Minimal mock RoleStore
+function mockRoleStore(adminCount: number) {
+  const calls: Array<{ userId: string; tenantId: string; role: string; grantedBy: string | null }> = [];
+  return {
+    store: {
+      countPlatformAdmins: vi.fn().mockResolvedValue(adminCount),
+      setRole: vi.fn(async (userId: string, tenantId: string, role: string, grantedBy: string | null) => {
+        calls.push({ userId, tenantId, role, grantedBy });
+      }),
+    } as unknown as RoleStore,
+    calls,
+  };
+}
+
+describe("createUserCreator", () => {
+  it("promotes first user when no admins exist", async () => {
+    const { store, calls } = mockRoleStore(0);
+    const creator = await createUserCreator(store);
+
+    await creator.createUser("user-1");
+
+    expect(store.setRole).toHaveBeenCalledOnce();
+    expect(calls[0]).toEqual({
+      userId: "user-1",
+      tenantId: "*",
+      role: "platform_admin",
+      grantedBy: "bootstrap",
+    });
+  });
+
+  it("second call after promotion does NOT grant role", async () => {
+    const { store } = mockRoleStore(0);
+    const creator = await createUserCreator(store);
+
+    await creator.createUser("user-1");
+    await creator.createUser("user-2");
+
+    expect(store.setRole).toHaveBeenCalledOnce();
+  });
+
+  it("does not promote when admins already exist", async () => {
+    const { store } = mockRoleStore(1);
+    const creator = await createUserCreator(store);
+
+    await creator.createUser("user-1");
+    await creator.createUser("user-2");
+
+    expect(store.setRole).not.toHaveBeenCalled();
+  });
+
+  it("retries bootstrap on transient setRole failure", async () => {
+    const calls: Array<{ userId: string }> = [];
+    let failOnce = true;
+    const store = {
+      countPlatformAdmins: vi.fn().mockResolvedValue(0),
+      setRole: vi.fn(async (userId: string) => {
+        if (failOnce) {
+          failOnce = false;
+          throw new Error("transient DB error");
+        }
+        calls.push({ userId });
+      }),
+    } as unknown as RoleStore;
+
+    const creator = await createUserCreator(store);
+
+    // First call fails — should NOT permanently disable bootstrap
+    await expect(creator.createUser("user-1")).rejects.toThrow("transient DB error");
+
+    // Second call should still attempt promotion
+    await creator.createUser("user-2");
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0].userId).toBe("user-2");
+  });
+
+  it("concurrent calls promote only the first user (race condition)", async () => {
+    const calls: Array<{ userId: string }> = [];
+    const store = {
+      countPlatformAdmins: vi.fn().mockResolvedValue(0),
+      setRole: vi.fn(async (userId: string) => {
+        calls.push({ userId });
+      }),
+    } as unknown as RoleStore;
+
+    const creator = await createUserCreator(store);
+
+    // Simulate concurrent signups
+    await Promise.all([creator.createUser("user-a"), creator.createUser("user-b")]);
+
+    // Only one should be promoted
+    expect(store.setRole).toHaveBeenCalledOnce();
+  });
+});

package/src/auth/user-creator.ts

@@ -0,0 +1,54 @@
+import type { RoleStore } from "../admin/role-store.js";
+import { logger } from "../config/logger.js";
+
+export interface IUserCreator {
+  createUser(userId: string): Promise<void>;
+}
+
+class UserCreator implements IUserCreator {
+  async createUser(_userId: string): Promise<void> {
+    // No-op for normal signups
+  }
+}
+
+class AdminUserCreator implements IUserCreator {
+  constructor(
+    private readonly roleStore: RoleStore,
+    private readonly holder: UserCreatorHolder,
+  ) {}
+
+  async createUser(userId: string): Promise<void> {
+    // Swap to no-op BEFORE await to prevent concurrent double-promoting.
+    // Save the current creator so we can restore it on failure.
+    const previous = this.holder.creator;
+    this.holder.creator = new UserCreator();
+    try {
+      await this.roleStore.setRole(userId, "*", "platform_admin", "bootstrap");
+      logger.info(`Bootstrap: first user ${userId} auto-promoted to platform_admin`);
+    } catch (err) {
+      // Restore holder so the next signup can retry bootstrap
+      this.holder.creator = previous;
+      throw err;
+    }
+  }
+}
+
+class UserCreatorHolder {
+  creator: IUserCreator;
+  constructor(creator: IUserCreator) {
+    this.creator = creator;
+  }
+}
+
+/**
+ * Create a user creator that auto-promotes the first signup to platform_admin
+ * when no admins exist. After promotion, all subsequent signups are no-ops.
+ */
+export async function createUserCreator(roleStore: RoleStore): Promise<IUserCreator> {
+  const holder = new UserCreatorHolder(new UserCreator());
+  const count = await roleStore.countPlatformAdmins();
+  if (count === 0) {
+    holder.creator = new AdminUserCreator(roleStore, holder);
+  }
+  return { createUser: (id) => holder.creator.createUser(id) };
+}