agentlang 0.0.3 → 0.0.4

package/src/runtime/modules/auth.ts

@@ -1,12 +1,29 @@
 import { Result, Environment, makeEventEvaluator } from '../interpreter.js';
 import { logger } from '../logger.js';
-import { Instance, RbacPermissionFlag } from '../module.js';
+import { Instance, makeInstance, newInstanceAttributes, RbacPermissionFlag } from '../module.js';
 import { makeCoreModuleName } from '../util.js';
 import { isSqlTrue } from '../resolvers/sqldb/dbutil.js';
 import { AgentlangAuth, SessionInfo, UserInfo } from '../auth/interface.js';
-import { ActiveSessionInfo, AdminUserId, BypassSession, isAuthEnabled } from '../auth/defs.js';
+import {
+  ActiveSessionInfo,
+  AdminUserId,
+  BypassSession,
+  isAuthEnabled,
+  isRbacEnabled,
+} from '../auth/defs.js';
 import { isNodeEnv } from '../../utils/runtime.js';
-import { CognitoAuth } from '../auth/cognito.js';
+import { CognitoAuth, getHttpStatusForError } from '../auth/cognito.js';
+import {
+  UnauthorisedError,
+  UserNotFoundError,
+  UserNotConfirmedError,
+  PasswordResetRequiredError,
+  TooManyRequestsError,
+  InvalidParameterError,
+  ExpiredCodeError,
+  CodeMismatchError,
+  BadRequestError,
+} from '../defs.js';
 
 export const CoreAuthModuleName = makeCoreModuleName('auth');
 
@@ -56,7 +73,7 @@ entity Permission {
 relationship RolePermission between(Role, Permission)
 
 workflow CreateRole {
-    upsert {Role {name CreateRole.name}}
+    {Role {name CreateRole.name}, @upsert}
 }
 
 workflow FindRole {
@@ -67,13 +84,13 @@ workflow FindRole {
 workflow AssignUserToRole {
     {User {id? AssignUserToRole.userId}} as [user];
     {Role {name? AssignUserToRole.roleName}} as [role];
-    upsert {UserRole {User user, Role role}}
+    {UserRole {User user, Role role}, @upsert}
 }
 
 workflow AssignUserToRoleByEmail {
     {User {email? AssignUserToRoleByEmail.email}} as [user];
     {Role {name? AssignUserToRoleByEmail.roleName}} as [role];
-    upsert {UserRole {User user, Role role}}
+    {UserRole {User user, Role role}, @upsert}
 }
 
 workflow FindUserRoles {
@@ -82,19 +99,20 @@ workflow FindUserRoles {
 }
 
 workflow CreatePermission {
-     upsert {Permission {id CreatePermission.id,
-                         resourceFqName CreatePermission.resourceFqName,
-                         c CreatePermission.c,
-                         r CreatePermission.r,
-                         u CreatePermission.u,
-                         d CreatePermission.d},
-             RolePermission {Role {name? CreatePermission.roleName}}}
+     {Permission {id CreatePermission.id,
+                  resourceFqName CreatePermission.resourceFqName,
+                  c CreatePermission.c,
+                  r CreatePermission.r,
+                  u CreatePermission.u,
+                  d CreatePermission.d},
+      RolePermission {Role {name? CreatePermission.roleName}},
+      @upsert}
 }
 
 workflow AddPermissionToRole {
     {Role {name? AddPermissionToRole.roleName}} as role;
     {Permission {id? AddPermissionToRole.permissionId}} as perm;
-    upsert {RolePermission {Role role, Permission perm}}
+    {RolePermission {Role role, Permission perm}, @upsert}
 }
 
 workflow FindRolePermissions {
@@ -109,6 +127,7 @@ entity Session {
   isActive Boolean
 }
 
+
 workflow CreateSession {
   {Session {id CreateSession.id, userId CreateSession.userId,
             authToken CreateSession.authToken, isActive true}}
@@ -128,6 +147,7 @@ workflow RemoveSession {
   purge {Session {id? RemoveSession.id}}
 }
 
+
 workflow signup {
   await Auth.signUpUser(signup.email, signup.password, signup.userData)
 }
@@ -135,6 +155,14 @@ workflow signup {
 workflow login {
   await Auth.loginUser(login.email, login.password)
 }
+
+workflow getUser {
+  await Auth.getUserInfo(getUser.userId)
+}
+
+workflow getUserByEmail {
+  await Auth.getUserInfoByEmail(getUserByEmail.email)
+}
 `;
 
 const evalEvent = makeEventEvaluator(CoreAuthModuleName);
@@ -298,11 +326,25 @@ export async function assignUserToRole(
   return r;
 }
 
+let DefaultRoleInstance: Instance | undefined;
+
 export async function findUserRoles(userId: string, env: Environment): Promise<Result> {
   const result: any = await evalEvent('FindUserRoles', { userId: userId }, env);
   const inst: Instance | undefined = result ? (result[0] as Instance) : undefined;
   if (inst) {
-    return inst.getRelatedInstances('UserRole');
+    let roles: Instance[] | undefined = inst.getRelatedInstances('UserRole');
+    if (roles == undefined) {
+      roles = [];
+    }
+    if (DefaultRoleInstance == undefined) {
+      DefaultRoleInstance = makeInstance(
+        CoreAuthModuleName,
+        'Role',
+        newInstanceAttributes().set('name', '*')
+      );
+    }
+    roles.push(DefaultRoleInstance);
+    return roles;
   }
   return undefined;
 }
@@ -344,7 +386,7 @@ export async function userHasPermissions(
   perms: Set<RbacPermissionFlag>,
   env: Environment
 ): Promise<boolean> {
-  if (userId == AdminUserId) {
+  if (userId == AdminUserId || !isRbacEnabled()) {
     return true;
   }
   let userRoles: string[] | undefined = UserRoleCache.get(userId);
@@ -437,43 +479,197 @@ export async function signUpUser(
   env: Environment
 ): Promise<UserInfo> {
   let result: any;
-  await fetchAuthImpl().signUp(
-    username,
-    password,
-    userData ? new Map(Object.entries(userData)) : undefined,
-    env,
-    (userInfo: UserInfo) => {
-      result = userInfo;
-    }
-  );
-  return result as UserInfo;
+  try {
+    await fetchAuthImpl().signUp(
+      username,
+      password,
+      userData ? new Map(Object.entries(userData)) : undefined,
+      env,
+      (userInfo: UserInfo) => {
+        result = userInfo;
+      }
+    );
+    return result as UserInfo;
+  } catch (err: any) {
+    logger.error(`Signup failed for ${username}: ${err.message}`);
+    throw err; // Re-throw to preserve error type for HTTP status mapping
+  }
 }
 
 export async function loginUser(
   username: string,
   password: string,
   env: Environment
-): Promise<string> {
-  let result: string = '';
-  await fetchAuthImpl().login(username, password, env, (r: SessionInfo) => {
-    result = `${r.userId}/${r.sessionId}`;
-  });
-  return result;
+): Promise<string | object> {
+  let result: string | object = '';
+  try {
+    await fetchAuthImpl().login(username, password, env, (r: SessionInfo) => {
+      // Check if Cognito is configured by checking if we have the tokens
+      if (r.idToken && r.accessToken && r.refreshToken) {
+        // Return full token response for Cognito
+        result = {
+          id_token: r.idToken,
+          access_token: r.accessToken,
+          refresh_token: r.refreshToken,
+          token_type: 'Bearer',
+          expires_in: 3600,
+          userId: r.userId,
+          sessionId: r.sessionId,
+        };
+      } else {
+        // Return string format for non-Cognito authentication
+        result = `${r.userId}/${r.sessionId}`;
+      }
+    });
+    return result;
+  } catch (err: any) {
+    logger.error(`Login failed for ${username}: ${err.message}`);
+    throw err; // Re-throw to preserve error type for HTTP status mapping
+  }
 }
 
 export async function verifySession(token: string, env?: Environment): Promise<ActiveSessionInfo> {
   if (!isAuthEnabled()) return BypassSession;
+
+  // Check if token is a JWT (Cognito ID token) or userId/sessionId format
+  if (isJwtToken(token)) {
+    return await verifyJwtToken(token, env);
+  } else {
+    return await verifySessionToken(token, env);
+  }
+}
+
+function isJwtToken(token: string): boolean {
+  // Simple JWT structure check - JWT tokens have 3 parts separated by dots
+  return !!(token && typeof token === 'string' && token.split('.').length === 3);
+}
+
+async function verifyJwtToken(token: string, env?: Environment): Promise<ActiveSessionInfo> {
+  const needCommit = env ? false : true;
+  env = env ? env : new Environment();
+  const f = async () => {
+    try {
+      // Validate JWT structure first
+      if (!isJwtToken(token)) {
+        throw new UnauthorisedError('Invalid JWT token structure');
+      }
+
+      // Verify the JWT token directly with Cognito
+      await fetchAuthImpl().verifyToken(token, env);
+
+      // Extract user information from JWT payload
+      const parts = token.split('.');
+      const payload = JSON.parse(atob(parts[1]));
+
+      // Extract user ID from standard JWT claims (sub or cognito:username)
+      const userId = payload.sub || payload['cognito:username'];
+      const email = payload.email || payload['cognito:username'];
+
+      if (!userId) {
+        throw new UnauthorisedError('Invalid JWT token: missing user identifier');
+      }
+
+      let localUser = null;
+      if (email) {
+        localUser = await findUserByEmail(email, env);
+      }
+
+      if (!localUser && userId) {
+        localUser = await findUser(userId, env);
+      }
+
+      if (!localUser) {
+        logger.warn(
+          `User not found in local database for JWT token. Email: ${email}, UserId: ${userId}`
+        );
+        throw new UnauthorisedError(`User not found in local database`);
+      }
+
+      // Use the local user's ID for consistency
+      const localUserId = localUser.lookup('id');
+
+      // For JWT tokens, we use the token itself as sessionId for tracking
+      return { sessionId: token.substring(0, 32), userId: localUserId };
+    } catch (err: any) {
+      if (err instanceof UnauthorisedError) {
+        throw err;
+      }
+      logger.error(`JWT token verification failed:`, {
+        errorName: err.name,
+        errorMessage: err.message,
+      });
+      throw new UnauthorisedError('JWT token verification failed');
+    }
+  };
+  if (needCommit) {
+    return await env.callInTransaction(f);
+  } else {
+    return await f();
+  }
+}
+
+async function verifySessionToken(token: string, env?: Environment): Promise<ActiveSessionInfo> {
   const parts = token.split('/');
   const sessId = parts[1];
   const needCommit = env ? false : true;
   env = env ? env : new Environment();
   const f = async () => {
-    const sess: Instance = await findSession(sessId, env);
-    if (sess != undefined) {
-      await fetchAuthImpl().verifyToken(sess.lookup('authToken'), env);
-      return { sessionId: sessId, userId: parts[0] };
-    } else {
-      throw new Error(`No active session for user '${parts[0]}'`);
+    try {
+      const sess: Instance = await findSession(sessId, env);
+      if (sess != undefined) {
+        await fetchAuthImpl().verifyToken(sess.lookup('authToken'), env);
+        return { sessionId: sessId, userId: parts[0] };
+      } else {
+        logger.warn(`No active session found for user '${parts[0]}'`);
+        throw new UnauthorisedError(`No active session for user '${parts[0]}'`);
+      }
+    } catch (err: any) {
+      if (err instanceof UnauthorisedError) {
+        throw err;
+      }
+      // Log error details for debugging
+      logger.error(`Session verification failed for user '${parts[0]}':`, {
+        errorName: err.name,
+        errorMessage: err.message,
+        sessionId: sessId,
+      });
+      throw new UnauthorisedError('Session verification failed');
+    }
+  };
+  if (needCommit) {
+    return await env.callInTransaction(f);
+  } else {
+    return await f();
+  }
+}
+
+export async function getUserInfo(userId: string, env: Environment): Promise<UserInfo> {
+  const needCommit = env ? false : true;
+  env = env ? env : new Environment();
+  const f = async () => {
+    try {
+      return await fetchAuthImpl().getUser(userId, env);
+    } catch (err: any) {
+      logger.error(`Failed to get user info for ${userId}: ${err.message}`);
+      throw err; // Re-throw to preserve error type
+    }
+  };
+  if (needCommit) {
+    return await env.callInTransaction(f);
+  } else {
+    return await f();
+  }
+}
+
+export async function getUserInfoByEmail(email: string, env: Environment): Promise<UserInfo> {
+  const needCommit = env ? false : true;
+  env = env ? env : new Environment();
+  const f = async () => {
+    try {
+      return await fetchAuthImpl().getUserByEmail(email, env);
+    } catch (err: any) {
+      logger.error(`Failed to get user info for email ${email}: ${err.message}`);
+      throw err; // Re-throw to preserve error type
     }
   };
   if (needCommit) {
@@ -487,3 +683,99 @@ export function requireAuth(moduleName: string, eventName: string): boolean {
   const f = moduleName == CoreAuthModuleName && (eventName == 'login' || eventName == 'signup');
   return !f;
 }
+
+// Export getHttpStatusForError for use in HTTP handlers
+export { getHttpStatusForError };
+
+// Helper function to create standardized error responses
+export function createAuthErrorResponse(error: Error): {
+  error: string;
+  message: string;
+  statusCode: number;
+} {
+  const statusCode = getHttpStatusForError(error);
+  let errorType = 'AUTHENTICATION_ERROR';
+
+  if (error instanceof UserNotFoundError) {
+    errorType = 'USER_NOT_FOUND';
+  } else if (error instanceof UnauthorisedError) {
+    errorType = 'UNAUTHORIZED';
+  } else if (error instanceof UserNotConfirmedError) {
+    errorType = 'USER_NOT_CONFIRMED';
+  } else if (error instanceof PasswordResetRequiredError) {
+    errorType = 'PASSWORD_RESET_REQUIRED';
+  } else if (error instanceof TooManyRequestsError) {
+    errorType = 'TOO_MANY_REQUESTS';
+  } else if (error instanceof InvalidParameterError) {
+    errorType = 'INVALID_PARAMETER';
+  } else if (error instanceof ExpiredCodeError) {
+    errorType = 'EXPIRED_CODE';
+  } else if (error instanceof CodeMismatchError) {
+    errorType = 'CODE_MISMATCH';
+  } else if (error instanceof BadRequestError) {
+    errorType = 'BAD_REQUEST';
+  }
+
+  // Log error creation for debugging purposes
+  logger.debug(`Creating auth error response:`, {
+    errorType: errorType,
+    statusCode: statusCode,
+    originalError: error.name,
+  });
+
+  return {
+    error: errorType,
+    message: error.message,
+    statusCode: statusCode,
+  };
+}
+
+// Helper function to check if an error is a known auth error
+export function isAuthError(error: any): boolean {
+  return (
+    error instanceof UnauthorisedError ||
+    error instanceof UserNotFoundError ||
+    error instanceof UserNotConfirmedError ||
+    error instanceof PasswordResetRequiredError ||
+    error instanceof TooManyRequestsError ||
+    error instanceof InvalidParameterError ||
+    error instanceof ExpiredCodeError ||
+    error instanceof CodeMismatchError ||
+    error instanceof BadRequestError
+  );
+}
+
+// Helper function to sanitize error details before logging
+export function sanitizeErrorForLogging(error: Error): {
+  name: string;
+  message: string;
+  sanitizedMessage: string;
+} {
+  const sanitizedMessage = error.message
+    .replace(/password/gi, '[REDACTED]')
+    .replace(/token/gi, '[REDACTED]')
+    .replace(/secret/gi, '[REDACTED]')
+    .replace(/key/gi, '[REDACTED]')
+    .replace(/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, '[EMAIL_REDACTED]')
+    .replace(/\b[A-Fa-f0-9]{32,}\b/g, '[TOKEN_REDACTED]')
+    .replace(/\b\d{4,}\b/g, '[NUMBER_REDACTED]');
+
+  return {
+    name: error.name,
+    message: error.message,
+    sanitizedMessage: sanitizedMessage,
+  };
+}
+
+// Helper function to determine if an error should be retried
+export function isRetryableError(error: Error): boolean {
+  // Only retry on certain types of errors
+  return (
+    error instanceof TooManyRequestsError ||
+    (error.message
+      ? error.message.includes('temporarily unavailable') ||
+        error.message.includes('service error') ||
+        error.message.includes('timeout')
+      : false)
+  );
+}

package/src/runtime/modules/core.ts

@@ -1,6 +1,6 @@
 import { default as ai } from './ai.js';
 import { default as auth } from './auth.js';
-import { DefaultModuleName } from '../util.js';
+import { DefaultModuleName, DefaultModules } from '../util.js';
 import { Instance, isInstanceOfType } from '../module.js';
 import { Environment, parseAndEvaluateStatement } from '../interpreter.js';
 import { logger } from '../logger.js';
@@ -27,9 +27,11 @@ entity auditlog {
 export const CoreModules: string[] = [];
 
 export function registerCoreModules() {
+  DefaultModules.add(DefaultModuleName);
   CoreModules.push(CoreModuleDefinition);
   [auth, ai].forEach((mdef: string) => {
     CoreModules.push(mdef);
+    DefaultModules.add(mdef);
   });
 }
 

package/src/runtime/relgraph.ts

@@ -1,10 +1,4 @@
-import {
-  fetchModule,
-  getUserModuleNames,
-  Relationship,
-  RelationshipNode,
-  Module,
-} from './module.js';
+import { fetchModule, Relationship, RelationshipNode, Module, getModuleNames } from './module.js';
 import { DefaultModuleName, Path } from './util.js';
 
 export type RelationshipGraphNode = {
@@ -86,7 +80,7 @@ export function buildGraph(moduleName: string): RelationshipGraph {
   const inRels: Set<string> = new Set();
   const nodes: Array<RelationshipGraphNode> = [];
   let localMod: Module | undefined;
-  getUserModuleNames().forEach((n: string) => {
+  getModuleNames().forEach((n: string) => {
     const m: Module = fetchModule(n);
     if (n == moduleName) localMod = m;
     const rels: Relationship[] = m.getRelationshipEntries();

package/src/runtime/resolvers/interface.ts

@@ -1,4 +1,13 @@
-import { Instance, InstanceAttributes, Relationship } from '../module.js';
+import { evaluate } from '../interpreter.js';
+import { logger } from '../logger.js';
+import {
+  Instance,
+  InstanceAttributes,
+  makeInstance,
+  newInstanceAttributes,
+  Relationship,
+} from '../module.js';
+import { splitFqName } from '../util.js';
 
 export class ResolverAuthInfo {
   userId: string;
@@ -24,6 +33,16 @@ export type JoinInfo = {
   subJoins: JoinInfo[] | undefined;
 };
 
+const subscriptionEvents: Map<string, string> = new Map<string, string>();
+
+export function setSubscriptionEvent(fqEventName: string, resolverName: string) {
+  subscriptionEvents.set(resolverName, fqEventName);
+}
+
+export function getSubscriptionEvent(resolverName: string): string | undefined {
+  return subscriptionEvents.get(resolverName);
+}
+
 export class Resolver {
   protected authInfo: ResolverAuthInfo = DefaultAuthInfo;
   protected userData: any;
@@ -31,6 +50,10 @@ export class Resolver {
 
   static Default = new Resolver();
 
+  constructor(name?: string) {
+    if (name) this.name = name;
+  }
+
   public setAuthInfo(authInfo: ResolverAuthInfo): Resolver {
     this.authInfo = authInfo;
     return this;
@@ -49,8 +72,8 @@ export class Resolver {
     return this.name;
   }
 
-  private notImpl(method: string) {
-    throw new Error(`Resolver method ${method} not implemented`);
+  protected notImpl(method: string) {
+    logger.warn(`Method ${method} not implemented in resolver ${this.name}`);
   }
 
   public onSetPath(moduleName: string, entryName: string): any {
@@ -147,14 +170,126 @@ export class Resolver {
 
   // Return a transactionId
   public async startTransaction(): Promise<any> {
-    return this.notImpl('startTransaction()');
+    this.notImpl('startTransaction()');
+    return 1;
   }
 
   public async commitTransaction(txnId: string): Promise<any> {
     return this.notImpl(`commitTransaction(${txnId})`);
   }
 
-  public async rollbackTransaction(txtIn: string): Promise<any> {
-    return this.notImpl(`rollbackTransaction(${txtIn})`);
+  public async rollbackTransaction(txnId: string): Promise<any> {
+    return this.notImpl(`rollbackTransaction(${txnId})`);
+  }
+
+  public async subscribe(): Promise<any> {
+    return undefined;
+  }
+
+  public async onSubscription(result: any): Promise<any> {
+    if (result != undefined) {
+      const eventName = getSubscriptionEvent(this.name);
+      if (eventName) {
+        const path = splitFqName(eventName);
+        const inst = makeInstance(
+          path.getModuleName(),
+          path.getEntryName(),
+          newInstanceAttributes().set('data', result)
+        );
+        return await evaluate(inst);
+      }
+    }
+  }
+}
+
+type MaybeFunction = Function | undefined;
+
+export type GenericResolverMethods = {
+  create: MaybeFunction;
+  upsert: MaybeFunction;
+  update: MaybeFunction;
+  query: MaybeFunction;
+  delete: MaybeFunction;
+  startTransaction: MaybeFunction;
+  commitTransaction: MaybeFunction;
+  rollbackTransaction: MaybeFunction;
+};
+
+export type GenericResolverSubscription = {
+  subscribe: MaybeFunction;
+  onSubscriptionEvent: string;
+};
+
+export class GenericResolver extends Resolver {
+  implementation: GenericResolverMethods | undefined;
+  subs: GenericResolverSubscription | undefined;
+
+  constructor(name: string, implementation?: GenericResolverMethods) {
+    super(name);
+    this.implementation = implementation;
+  }
+
+  public override async createInstance(inst: Instance): Promise<any> {
+    if (this.implementation?.create) {
+      return await this.implementation.create(this, inst);
+    } else {
+      return await super.createInstance(inst);
+    }
+  }
+
+  public override async upsertInstance(inst: Instance): Promise<any> {
+    if (this.implementation?.upsert) {
+      return await this.implementation.upsert(this, inst);
+    }
+    return await super.upsertInstance(inst);
+  }
+
+  public override async updateInstance(inst: Instance, newAttrs: InstanceAttributes): Promise<any> {
+    if (this.implementation?.update) {
+      return await this.implementation.update(this, inst, newAttrs);
+    }
+    return await super.updateInstance(inst, newAttrs);
+  }
+
+  public override async queryInstances(inst: Instance, queryAll: boolean): Promise<any> {
+    if (this.implementation?.query) {
+      return await this.implementation.query(this, inst, queryAll);
+    }
+    return await super.queryInstances(inst, queryAll);
+  }
+
+  public override async deleteInstance(inst: Instance | Instance[], purge: boolean): Promise<any> {
+    if (this.implementation?.delete) {
+      return await this.implementation.delete(this, inst, purge);
+    }
+    return await super.deleteInstance(inst, purge);
+  }
+
+  public override async startTransaction(): Promise<any> {
+    if (this.implementation?.startTransaction) {
+      return await this.implementation.startTransaction(this);
+    }
+    return await super.startTransaction();
+  }
+
+  public override async commitTransaction(txnId: string): Promise<any> {
+    if (this.implementation?.commitTransaction) {
+      return await this.implementation.commitTransaction(this, txnId);
+    }
+    return await super.commitTransaction(txnId);
+  }
+
+  public override async rollbackTransaction(txnId: string): Promise<any> {
+    if (this.implementation?.rollbackTransaction) {
+      return await this.implementation.rollbackTransaction(this, txnId);
+    }
+    return await super.rollbackTransaction(txnId);
+  }
+
+  override async subscribe() {
+    if (this.subs?.subscribe) {
+      await this.subs.subscribe(this);
+    }
+    await super.subscribe();
   }
 }