aap-agent-server 2.0.0 → 2.6.0

package/index.js

@@ -1,20 +1,41 @@
 /**
- * @aap/server
+ * @aap/server v2.5.0
  * 
  * Server-side utilities for Agent Attestation Protocol.
- * Provides middleware and challenge generation for verification servers.
+ * The Reverse Turing Test - CAPTCHAs block bots, AAP blocks humans.
  */
 
 export * from './middleware.js';
 export * from './challenges.js';
+export * from './ratelimit.js';
+export * from './whitelist.js';
+export * from './persistence.js';
+export * from './errors.js';
+export * as logger from './logger.js';
 
 import { aapMiddleware, createRouter } from './middleware.js';
 import challenges from './challenges.js';
+import { createRateLimiter, createFailureLimiter } from './ratelimit.js';
+import { createWhitelist, createKeyRotation } from './whitelist.js';
+import { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
 
 export { challenges };
 
 export default {
+  // Core
   aapMiddleware,
   createRouter,
-  challenges
+  challenges,
+  
+  // Security
+  createRateLimiter,
+  createFailureLimiter,
+  createWhitelist,
+  createKeyRotation,
+  
+  // Persistence
+  createStore,
+  createMemoryStore,
+  createFileStore,
+  createRedisStore
 };

package/middleware.js

@@ -15,14 +15,16 @@ import {
   MAX_RESPONSE_TIME_MS, 
   CHALLENGE_EXPIRY_MS 
 } from './challenges.js';
+import * as logger from './logger.js';
+import { ErrorCodes, sendError } from './errors.js';
 
 /**
  * Create AAP verification middleware/router
  * 
  * @param {Object} [options]
  * @param {number} [options.challengeExpiryMs=60000] - Challenge expiration time
- * @param {number} [options.maxResponseTimeMs=12000] - Max response time for batch
- * @param {number} [options.batchSize=3] - Number of challenges per batch
+ * @param {number} [options.maxResponseTimeMs=8000] - Max response time for batch
+ * @param {number} [options.batchSize=5] - Number of challenges per batch
  * @param {number} [options.minPassCount] - Minimum challenges to pass (default: all)
  * @param {Function} [options.onVerified] - Callback when agent is verified
  * @param {Function} [options.onFailed] - Callback when verification fails
@@ -38,7 +40,8 @@ export function aapMiddleware(options = {}) {
     onFailed
   } = options;
 
-  // In-memory challenge store
+  // In-memory challenge store with size limit (DoS protection)
+  const MAX_CHALLENGES = 10000;
   const challenges = new Map();
 
   // Cleanup expired challenges periodically
@@ -49,6 +52,15 @@ export function aapMiddleware(options = {}) {
         challenges.delete(nonce);
       }
     }
+    
+    // Emergency cleanup if still too many (keep newest)
+    if (challenges.size > MAX_CHALLENGES) {
+      const entries = [...challenges.entries()]
+        .sort((a, b) => b[1].timestamp - a[1].timestamp)
+        .slice(0, MAX_CHALLENGES / 2);
+      challenges.clear();
+      entries.forEach(([k, v]) => challenges.set(k, v));
+    }
   };
 
   // Return a function that creates routes
@@ -121,6 +133,7 @@ export function aapMiddleware(options = {}) {
       } = req.body;
 
       const checks = {
+        inputValid: false,
         challengeExists: false,
         notExpired: false,
         solutionsExist: false,
@@ -130,7 +143,28 @@ export function aapMiddleware(options = {}) {
       };
 
       try {
-        // Check 1: Challenge exists
+        // Check 0: Input validation (security)
+        if (!nonce || typeof nonce !== 'string' || nonce.length !== 32) {
+          return res.status(400).json({ verified: false, error: 'Invalid nonce format', checks });
+        }
+        if (!publicId || typeof publicId !== 'string' || publicId.length !== 20) {
+          return res.status(400).json({ verified: false, error: 'Invalid publicId format', checks });
+        }
+        if (!signature || typeof signature !== 'string' || signature.length < 50) {
+          return res.status(400).json({ verified: false, error: 'Invalid signature format', checks });
+        }
+        if (!publicKey || typeof publicKey !== 'string' || !publicKey.includes('BEGIN PUBLIC KEY')) {
+          return res.status(400).json({ verified: false, error: 'Invalid publicKey format', checks });
+        }
+        if (!timestamp || typeof timestamp !== 'number') {
+          return res.status(400).json({ verified: false, error: 'Invalid timestamp', checks });
+        }
+        if (!responseTimeMs || typeof responseTimeMs !== 'number' || responseTimeMs < 0) {
+          return res.status(400).json({ verified: false, error: 'Invalid responseTimeMs', checks });
+        }
+        checks.inputValid = true;
+
+        // Check 1: Challenge exists (check BEFORE delete for race condition fix)
         const challenge = challenges.get(nonce);
         if (!challenge) {
           if (onFailed) onFailed({ error: 'Challenge not found', checks }, req);
@@ -142,12 +176,9 @@ export function aapMiddleware(options = {}) {
         }
         checks.challengeExists = true;
 
-        // Remove challenge (one-time use)
-        const { validators, batchSize: size } = challenge;
-        challenges.delete(nonce);
-
-        // Check 2: Not expired
+        // Check 2: Not expired (check BEFORE delete - race condition fix)
         if (Date.now() > challenge.expiresAt) {
+          challenges.delete(nonce);  // Clean up expired
           if (onFailed) onFailed({ error: 'Challenge expired', checks }, req);
           return res.status(400).json({
             verified: false,
@@ -157,6 +188,10 @@ export function aapMiddleware(options = {}) {
         }
         checks.notExpired = true;
 
+        // Remove challenge (one-time use) - only after expiry check
+        const { validators, batchSize: size } = challenge;
+        challenges.delete(nonce);
+
         // Check 3: Solutions exist
         if (!solutions || !Array.isArray(solutions) || solutions.length !== size) {
           if (onFailed) onFailed({ error: 'Invalid solutions array', checks }, req);
@@ -183,13 +218,17 @@ export function aapMiddleware(options = {}) {
         }
         checks.solutionsValid = true;
 
-        // Check 5: Response time (Proof of Liveness)
-        if (responseTimeMs > maxResponseTimeMs) {
+        // Check 5: Response time (Proof of Liveness) - SERVER-SIDE validation
+        const serverResponseTime = Date.now() - challenge.timestamp;
+        const effectiveResponseTime = Math.max(responseTimeMs, serverResponseTime);
+        
+        if (effectiveResponseTime > maxResponseTimeMs) {
           if (onFailed) onFailed({ error: 'Response too slow', checks }, req);
           return res.status(400).json({
             verified: false,
-            error: `Response too slow: ${responseTimeMs}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
-            checks
+            error: `Response too slow: ${effectiveResponseTime}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
+            checks,
+            timing: { client: responseTimeMs, server: serverResponseTime }
           });
         }
         checks.responseTimeValid = true;
@@ -361,8 +400,14 @@ export function aapMiddleware(options = {}) {
  * const app = express();
  * app.use('/aap/v1', createRouter());
  */
-export function createRouter(options = {}) {
-  const express = require('express');
+export async function createRouter(options = {}) {
+  // Dynamic import for optional express dependency
+  let express;
+  try {
+    express = (await import('express')).default;
+  } catch {
+    throw new Error('express is required for createRouter. Install with: npm install express');
+  }
   const router = express.Router();
   router.use(express.json());
   

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aap-agent-server",
-  "version": "2.0.0",
+  "version": "2.6.0",
   "description": "Server middleware for Agent Attestation Protocol - verify AI agents",
   "main": "index.js",
   "types": "index.d.ts",
@@ -21,7 +21,7 @@
   },
   "homepage": "https://github.com/ira-hash/agent-attestation-protocol#readme",
   "dependencies": {
-    "aap-agent-core": "^2.0.0"
+    "aap-agent-core": "^2.6.0"
   },
   "peerDependencies": {
     "express": "^4.18.0 || ^5.0.0"

package/persistence.js

@@ -0,0 +1,238 @@
+/**
+ * AAP Challenge Persistence
+ * 
+ * Optional: Persist challenges to survive server restarts
+ * Supports: Memory (default), File, Redis
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+
+/**
+ * Create in-memory store (default, no persistence)
+ */
+export function createMemoryStore() {
+  const challenges = new Map();
+
+  return {
+    type: 'memory',
+    
+    async get(nonce) {
+      return challenges.get(nonce) || null;
+    },
+
+    async set(nonce, data) {
+      challenges.set(nonce, data);
+    },
+
+    async delete(nonce) {
+      challenges.delete(nonce);
+    },
+
+    async has(nonce) {
+      return challenges.has(nonce);
+    },
+
+    async size() {
+      return challenges.size;
+    },
+
+    async keys() {
+      return [...challenges.keys()];
+    },
+
+    async clear() {
+      challenges.clear();
+    },
+
+    async cleanup(now = Date.now()) {
+      for (const [nonce, data] of challenges.entries()) {
+        if (now > data.expiresAt) {
+          challenges.delete(nonce);
+        }
+      }
+    }
+  };
+}
+
+/**
+ * Create file-based store (survives restarts)
+ * @param {string} filePath - Path to store file
+ */
+export function createFileStore(filePath = '.aap/challenges.json') {
+  const fullPath = join(process.cwd(), filePath);
+  let challenges = new Map();
+
+  // Load existing data
+  try {
+    if (existsSync(fullPath)) {
+      const data = JSON.parse(readFileSync(fullPath, 'utf8'));
+      challenges = new Map(Object.entries(data));
+      console.log(`[AAP] Loaded ${challenges.size} challenges from ${fullPath}`);
+    }
+  } catch (error) {
+    console.warn('[AAP] Could not load challenges:', error.message);
+  }
+
+  // Save to file
+  const save = () => {
+    try {
+      const dir = dirname(fullPath);
+      if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+      }
+      
+      const data = Object.fromEntries(challenges);
+      // Remove validator functions (not serializable)
+      for (const key of Object.keys(data)) {
+        delete data[key].validators;
+      }
+      
+      writeFileSync(fullPath, JSON.stringify(data, null, 2));
+    } catch (error) {
+      console.error('[AAP] Could not save challenges:', error.message);
+    }
+  };
+
+  // Auto-save periodically
+  const saveInterval = setInterval(save, 30000);
+
+  return {
+    type: 'file',
+    
+    async get(nonce) {
+      return challenges.get(nonce) || null;
+    },
+
+    async set(nonce, data) {
+      challenges.set(nonce, data);
+      save();
+    },
+
+    async delete(nonce) {
+      challenges.delete(nonce);
+      save();
+    },
+
+    async has(nonce) {
+      return challenges.has(nonce);
+    },
+
+    async size() {
+      return challenges.size;
+    },
+
+    async keys() {
+      return [...challenges.keys()];
+    },
+
+    async clear() {
+      challenges.clear();
+      save();
+    },
+
+    async cleanup(now = Date.now()) {
+      let cleaned = 0;
+      for (const [nonce, data] of challenges.entries()) {
+        if (now > data.expiresAt) {
+          challenges.delete(nonce);
+          cleaned++;
+        }
+      }
+      if (cleaned > 0) save();
+      return cleaned;
+    },
+
+    close() {
+      clearInterval(saveInterval);
+      save();
+    }
+  };
+}
+
+/**
+ * Create Redis-based store (for distributed deployments)
+ * @param {Object} redisClient - Redis client instance (ioredis or redis)
+ * @param {string} [prefix='aap:challenge:'] - Key prefix
+ */
+export function createRedisStore(redisClient, prefix = 'aap:challenge:') {
+  return {
+    type: 'redis',
+    
+    async get(nonce) {
+      const data = await redisClient.get(prefix + nonce);
+      return data ? JSON.parse(data) : null;
+    },
+
+    async set(nonce, data, ttlMs = 60000) {
+      // Store without validators (not serializable)
+      const { validators, ...storable } = data;
+      await redisClient.set(
+        prefix + nonce,
+        JSON.stringify(storable),
+        'PX',
+        ttlMs
+      );
+    },
+
+    async delete(nonce) {
+      await redisClient.del(prefix + nonce);
+    },
+
+    async has(nonce) {
+      return (await redisClient.exists(prefix + nonce)) === 1;
+    },
+
+    async size() {
+      const keys = await redisClient.keys(prefix + '*');
+      return keys.length;
+    },
+
+    async keys() {
+      const keys = await redisClient.keys(prefix + '*');
+      return keys.map(k => k.slice(prefix.length));
+    },
+
+    async clear() {
+      const keys = await redisClient.keys(prefix + '*');
+      if (keys.length > 0) {
+        await redisClient.del(...keys);
+      }
+    },
+
+    async cleanup() {
+      // Redis handles TTL automatically
+      return 0;
+    }
+  };
+}
+
+/**
+ * Auto-detect and create appropriate store
+ * @param {Object} options
+ * @param {'memory'|'file'|'redis'} [options.type='memory']
+ * @param {string} [options.filePath]
+ * @param {Object} [options.redisClient]
+ */
+export function createStore(options = {}) {
+  const { type = 'memory', filePath, redisClient } = options;
+
+  switch (type) {
+    case 'file':
+      return createFileStore(filePath);
+    case 'redis':
+      if (!redisClient) {
+        throw new Error('Redis client required for redis store');
+      }
+      return createRedisStore(redisClient);
+    default:
+      return createMemoryStore();
+  }
+}
+
+export default {
+  createMemoryStore,
+  createFileStore,
+  createRedisStore,
+  createStore
+};

package/ratelimit.js

@@ -0,0 +1,117 @@
+/**
+ * AAP Rate Limiter
+ * 
+ * Simple in-memory rate limiting (no external dependencies)
+ */
+
+/**
+ * Create a rate limiter
+ * @param {Object} options
+ * @param {number} [options.windowMs=60000] - Time window in ms
+ * @param {number} [options.max=10] - Max requests per window
+ * @param {string} [options.message] - Error message
+ * @returns {Function} Express middleware
+ */
+export function createRateLimiter(options = {}) {
+  const {
+    windowMs = 60000,
+    max = 10,
+    message = 'Too many requests, please try again later'
+  } = options;
+
+  const requests = new Map();
+
+  // Cleanup old entries periodically
+  setInterval(() => {
+    const now = Date.now();
+    for (const [key, data] of requests.entries()) {
+      if (now - data.firstRequest > windowMs) {
+        requests.delete(key);
+      }
+    }
+  }, windowMs);
+
+  return (req, res, next) => {
+    const key = req.ip || req.connection.remoteAddress || 'unknown';
+    const now = Date.now();
+
+    let data = requests.get(key);
+
+    if (!data || now - data.firstRequest > windowMs) {
+      // New window
+      data = { count: 1, firstRequest: now };
+      requests.set(key, data);
+    } else {
+      data.count++;
+    }
+
+    // Set headers
+    const remaining = Math.max(0, max - data.count);
+    const resetTime = Math.ceil((data.firstRequest + windowMs) / 1000);
+    
+    res.setHeader('X-RateLimit-Limit', max);
+    res.setHeader('X-RateLimit-Remaining', remaining);
+    res.setHeader('X-RateLimit-Reset', resetTime);
+
+    if (data.count > max) {
+      res.setHeader('Retry-After', Math.ceil((data.firstRequest + windowMs - now) / 1000));
+      return res.status(429).json({
+        error: message,
+        retryAfter: Math.ceil((data.firstRequest + windowMs - now) / 1000)
+      });
+    }
+
+    next();
+  };
+}
+
+/**
+ * Create rate limiter for failed attempts
+ * Stricter limits after failures
+ */
+export function createFailureLimiter(options = {}) {
+  const {
+    windowMs = 60000,
+    maxFailures = 5,
+    message = 'Too many failed attempts'
+  } = options;
+
+  const failures = new Map();
+
+  return {
+    middleware: (req, res, next) => {
+      const key = req.ip || req.connection.remoteAddress || 'unknown';
+      const data = failures.get(key);
+
+      if (data && data.count >= maxFailures && Date.now() - data.firstFailure < windowMs) {
+        return res.status(429).json({
+          error: message,
+          retryAfter: Math.ceil((data.firstFailure + windowMs - Date.now()) / 1000)
+        });
+      }
+
+      next();
+    },
+
+    recordFailure: (req) => {
+      const key = req.ip || req.connection.remoteAddress || 'unknown';
+      const now = Date.now();
+      let data = failures.get(key);
+
+      if (!data || now - data.firstFailure > windowMs) {
+        data = { count: 1, firstFailure: now };
+      } else {
+        data.count++;
+      }
+
+      failures.set(key, data);
+    },
+
+    clearFailures: (req) => {
+      const key = req.ip || req.connection.remoteAddress || 'unknown';
+      failures.delete(key);
+    }
+  };
+}
+
+export default { createRateLimiter, createFailureLimiter };