apteva 0.4.57 → 0.7.0

package/src/auth/index.ts

@@ -1,394 +0,0 @@
-import { createHmac, randomBytes } from "crypto";
-import { join } from "path";
-import { homedir } from "os";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
-import { UserDB, SessionDB, generateId, type User } from "../db";
-
-// ============ Configuration ============
-
-const ACCESS_TOKEN_EXPIRY = 15 * 60; // 15 minutes in seconds
-const REFRESH_TOKEN_EXPIRY = 7 * 24 * 60 * 60; // 7 days in seconds
-
-// ============ Secret Key Management ============
-
-let authSecret: string | null = null;
-
-function getAuthSecretPath(): string {
-  const homeDir = process.env.DATA_DIR || join(homedir(), ".apteva");
-  return join(homeDir, "auth.key");
-}
-
-function getAuthSecret(): string {
-  if (authSecret) return authSecret;
-
-  if (process.env.AUTH_SECRET) {
-    authSecret = process.env.AUTH_SECRET;
-    return authSecret;
-  }
-
-  const secretPath = getAuthSecretPath();
-  if (existsSync(secretPath)) {
-    authSecret = readFileSync(secretPath, "utf-8").trim();
-    return authSecret;
-  }
-
-  authSecret = randomBytes(64).toString("hex");
-
-  const dir = process.env.DATA_DIR || join(homedir(), ".apteva");
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
-  writeFileSync(secretPath, authSecret, { mode: 0o600 });
-
-  return authSecret;
-}
-
-// ============ Password Hashing ============
-
-export async function hashPassword(password: string): Promise<string> {
-  return await Bun.password.hash(password, {
-    algorithm: "bcrypt",
-    cost: 12,
-  });
-}
-
-export async function verifyPassword(password: string, hash: string): Promise<boolean> {
-  try {
-    return await Bun.password.verify(password, hash);
-  } catch {
-    return false;
-  }
-}
-
-// ============ Password Validation ============
-
-export interface PasswordValidation {
-  valid: boolean;
-  errors: string[];
-}
-
-export function validatePassword(password: string): PasswordValidation {
-  const errors: string[] = [];
-
-  if (password.length < 8) {
-    errors.push("Password must be at least 8 characters");
-  }
-  if (!/[a-z]/.test(password)) {
-    errors.push("Password must contain a lowercase letter");
-  }
-  if (!/[A-Z]/.test(password)) {
-    errors.push("Password must contain an uppercase letter");
-  }
-  if (!/[0-9]/.test(password)) {
-    errors.push("Password must contain a number");
-  }
-
-  return { valid: errors.length === 0, errors };
-}
-
-// ============ JWT Token Handling ============
-
-interface TokenPayload {
-  userId: string;
-  username: string;
-  role: string;
-  type: "access" | "refresh";
-  iat: number;
-  exp: number;
-}
-
-function base64UrlEncode(data: string): string {
-  return Buffer.from(data)
-    .toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=/g, "");
-}
-
-function base64UrlDecode(data: string): string {
-  const padded = data + "=".repeat((4 - (data.length % 4)) % 4);
-  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString();
-}
-
-function createToken(payload: Omit<TokenPayload, "iat" | "exp">, expiresIn: number): string {
-  const secret = getAuthSecret();
-  const now = Math.floor(Date.now() / 1000);
-
-  const fullPayload: TokenPayload = {
-    ...payload,
-    iat: now,
-    exp: now + expiresIn,
-  };
-
-  const header = { alg: "HS256", typ: "JWT" };
-  const headerEncoded = base64UrlEncode(JSON.stringify(header));
-  const payloadEncoded = base64UrlEncode(JSON.stringify(fullPayload));
-
-  const signature = createHmac("sha256", secret)
-    .update(`${headerEncoded}.${payloadEncoded}`)
-    .digest("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=/g, "");
-
-  return `${headerEncoded}.${payloadEncoded}.${signature}`;
-}
-
-function verifyToken(token: string): TokenPayload | null {
-  try {
-    const secret = getAuthSecret();
-    const [headerEncoded, payloadEncoded, signature] = token.split(".");
-
-    if (!headerEncoded || !payloadEncoded || !signature) {
-      return null;
-    }
-
-    const expectedSignature = createHmac("sha256", secret)
-      .update(`${headerEncoded}.${payloadEncoded}`)
-      .digest("base64")
-      .replace(/\+/g, "-")
-      .replace(/\//g, "_")
-      .replace(/=/g, "");
-
-    if (signature !== expectedSignature) {
-      return null;
-    }
-
-    const payload = JSON.parse(base64UrlDecode(payloadEncoded)) as TokenPayload;
-    const now = Math.floor(Date.now() / 1000);
-
-    if (payload.exp < now) {
-      return null;
-    }
-
-    return payload;
-  } catch {
-    return null;
-  }
-}
-
-// ============ Token Generation ============
-
-export function generateAccessToken(user: User): string {
-  return createToken(
-    { userId: user.id, username: user.username, role: user.role, type: "access" },
-    ACCESS_TOKEN_EXPIRY
-  );
-}
-
-export function generateRefreshToken(user: User): string {
-  return createToken(
-    { userId: user.id, username: user.username, role: user.role, type: "refresh" },
-    REFRESH_TOKEN_EXPIRY
-  );
-}
-
-export function verifyAccessToken(token: string): TokenPayload | null {
-  const payload = verifyToken(token);
-  if (!payload || payload.type !== "access") {
-    return null;
-  }
-  return payload;
-}
-
-export function verifyRefreshToken(token: string): TokenPayload | null {
-  const payload = verifyToken(token);
-  if (!payload || payload.type !== "refresh") {
-    return null;
-  }
-  return payload;
-}
-
-// ============ Session Management ============
-
-export function hashToken(token: string): string {
-  return createHmac("sha256", getAuthSecret()).update(token).digest("hex");
-}
-
-export interface AuthTokens {
-  accessToken: string;
-  refreshToken: string;
-  expiresIn: number;
-}
-
-export async function createSession(user: User): Promise<AuthTokens> {
-  const accessToken = generateAccessToken(user);
-  const refreshToken = generateRefreshToken(user);
-  const refreshTokenHash = hashToken(refreshToken);
-
-  const expiresAt = new Date();
-  expiresAt.setSeconds(expiresAt.getSeconds() + REFRESH_TOKEN_EXPIRY);
-
-  SessionDB.create({
-    user_id: user.id,
-    refresh_token_hash: refreshTokenHash,
-    expires_at: expiresAt.toISOString(),
-  });
-
-  UserDB.updateLastLogin(user.id);
-
-  return { accessToken, refreshToken, expiresIn: ACCESS_TOKEN_EXPIRY };
-}
-
-export async function refreshSession(refreshToken: string): Promise<AuthTokens | null> {
-  const payload = verifyRefreshToken(refreshToken);
-  if (!payload) {
-    return null;
-  }
-
-  const tokenHash = hashToken(refreshToken);
-  const session = SessionDB.findByTokenHash(tokenHash);
-  if (!session) {
-    return null;
-  }
-
-  if (new Date(session.expires_at) < new Date()) {
-    SessionDB.delete(session.id);
-    return null;
-  }
-
-  const user = UserDB.findById(payload.userId);
-  if (!user) {
-    SessionDB.delete(session.id);
-    return null;
-  }
-
-  SessionDB.delete(session.id);
-  return createSession(user);
-}
-
-export function invalidateSession(refreshToken: string): boolean {
-  const tokenHash = hashToken(refreshToken);
-  return SessionDB.deleteByTokenHash(tokenHash);
-}
-
-export function invalidateAllSessions(userId: string): number {
-  return SessionDB.deleteByUser(userId);
-}
-
-// ============ Auth Check ============
-
-export interface AuthStatus {
-  hasUsers: boolean;
-  authenticated: boolean;
-  isDev: boolean;
-  user?: { id: string; username: string; role: string };
-}
-
-// Determine if we're in dev mode - used by frontend for dev-only features
-function checkIsDev(): boolean {
-  return process.env.NODE_ENV !== "production";
-}
-
-export function getAuthStatus(accessToken?: string): AuthStatus {
-  const hasUsers = UserDB.hasUsers();
-  const isDev = checkIsDev();
-
-  if (!accessToken) {
-    return { hasUsers, authenticated: false, isDev };
-  }
-
-  const payload = verifyAccessToken(accessToken);
-  if (!payload) {
-    return { hasUsers, authenticated: false, isDev };
-  }
-
-  const user = UserDB.findById(payload.userId);
-  if (!user) {
-    return { hasUsers, authenticated: false, isDev };
-  }
-
-  return {
-    hasUsers,
-    authenticated: true,
-    isDev,
-    user: { id: user.id, username: user.username, role: user.role },
-  };
-}
-
-// ============ User Creation ============
-
-export interface CreateUserResult {
-  success: boolean;
-  user?: User;
-  error?: string;
-}
-
-export async function createUser(data: {
-  username: string;
-  password: string;
-  email?: string;
-  role?: "admin" | "user";
-}): Promise<CreateUserResult> {
-  const usernameRegex = /^[a-zA-Z0-9_]{3,20}$/;
-  if (!usernameRegex.test(data.username)) {
-    return { success: false, error: "Username must be 3-20 characters (letters, numbers, underscore)" };
-  }
-
-  const existing = UserDB.findByUsername(data.username);
-  if (existing) {
-    return { success: false, error: "Username already taken" };
-  }
-
-  if (data.email) {
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-    if (!emailRegex.test(data.email)) {
-      return { success: false, error: "Invalid email format" };
-    }
-  }
-
-  const passwordValidation = validatePassword(data.password);
-  if (!passwordValidation.valid) {
-    return { success: false, error: passwordValidation.errors.join(". ") };
-  }
-
-  const passwordHash = await hashPassword(data.password);
-
-  const user = UserDB.create({
-    username: data.username,
-    password_hash: passwordHash,
-    email: data.email || null,
-    role: data.role || "user",
-  });
-
-  return { success: true, user };
-}
-
-// ============ Login ============
-
-export interface LoginResult {
-  success: boolean;
-  tokens?: AuthTokens;
-  user?: { id: string; username: string; role: string };
-  error?: string;
-}
-
-export async function login(username: string, password: string): Promise<LoginResult> {
-  const user = UserDB.findByUsername(username);
-  if (!user) {
-    return { success: false, error: "Invalid username or password" };
-  }
-
-  const valid = await verifyPassword(password, user.password_hash);
-  if (!valid) {
-    return { success: false, error: "Invalid username or password" };
-  }
-
-  const tokens = await createSession(user);
-
-  return {
-    success: true,
-    tokens,
-    user: { id: user.id, username: user.username, role: user.role },
-  };
-}
-
-// ============ Cleanup ============
-
-export function cleanupExpiredSessions(): number {
-  return SessionDB.deleteExpired();
-}
-
-// ============ Exports ============
-
-export { ACCESS_TOKEN_EXPIRY, REFRESH_TOKEN_EXPIRY };

package/src/auth/middleware.ts

@@ -1,213 +0,0 @@
-import { verifyAccessToken, getAuthStatus } from "./index";
-import { UserDB, ApiKeyDB, type User } from "../db";
-
-// Extend Request type to include user
-declare global {
-  interface Request {
-    user?: User;
-  }
-}
-
-// Helper to create JSON response
-function json(data: unknown, status = 200): Response {
-  return new Response(JSON.stringify(data), {
-    status,
-    headers: { "Content-Type": "application/json" },
-  });
-}
-
-// Public paths that don't require authentication
-const PUBLIC_PATHS = [
-  "/api/auth/check",
-  "/api/auth/login",
-  "/api/auth/refresh",
-  "/api/health",
-  "/api/features", // Feature flags needed before auth
-  "/api/telemetry", // Agents POST telemetry here
-  "/api/telemetry/stream", // SSE doesn't support auth headers
-  "/api/mcp/platform", // Built-in MCP server for agent communication
-  "/api/webhooks/composio", // Composio trigger webhooks (HMAC-verified)
-  "/api/webhooks/agentdojo", // AgentDojo trigger webhooks (HMAC-verified)
-];
-
-// Regex patterns for public paths (for dynamic segments)
-const PUBLIC_PATTERNS = [
-  /^\/api\/mcp\/servers\/[^/]+\/mcp$/, // Local MCP server JSON-RPC endpoints
-];
-
-// Path prefixes that don't require authentication (for agent communication)
-const PUBLIC_PREFIXES = [
-  "/api/agents/", // Agent chat API needs to work without frontend auth
-];
-
-// Paths that only work when no users exist
-const SETUP_PATHS = [
-  "/api/onboarding/user",
-];
-
-// Admin-only paths
-const ADMIN_PATHS = [
-  "/api/users",
-];
-
-export interface AuthContext {
-  user: User | null;
-  isAuthenticated: boolean;
-  isAdmin: boolean;
-}
-
-/**
- * Auth middleware for protecting API routes
- * Returns null if request should proceed, or a Response to return immediately
- */
-export async function authMiddleware(req: Request, path: string): Promise<{ response?: Response; context: AuthContext }> {
-  const context: AuthContext = {
-    user: null,
-    isAuthenticated: false,
-    isAdmin: false,
-  };
-
-  // Check if auth is disabled
-  if (process.env.AUTH_ENABLED === "false") {
-    return { context };
-  }
-
-  // Public paths - no auth needed
-  if (PUBLIC_PATHS.some(p => path === p || path.startsWith(p + "/"))) {
-    return { context };
-  }
-
-  // Public patterns - no auth needed (dynamic path segments)
-  if (PUBLIC_PATTERNS.some(p => p.test(path))) {
-    return { context };
-  }
-
-  // Public prefixes - no auth needed (for agent communication)
-  if (PUBLIC_PREFIXES.some(p => path.startsWith(p))) {
-    return { context };
-  }
-
-  // Setup paths - only allowed when no users exist
-  if (SETUP_PATHS.some(p => path === p || path.startsWith(p + "/"))) {
-    const hasUsers = UserDB.hasUsers();
-    if (!hasUsers) {
-      return { context }; // Allow - no users yet
-    }
-    // Users exist - require auth for these paths
-  }
-
-  // Check for API key authentication (X-API-Key header or Bearer apt_... token)
-  const apiKeyHeader = req.headers.get("X-API-Key");
-  const authHeader = req.headers.get("Authorization");
-  const bearerToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
-  const apiKeyValue = apiKeyHeader || (bearerToken?.startsWith("apt_") ? bearerToken : null);
-
-  if (apiKeyValue) {
-    // API key auth
-    const result = ApiKeyDB.validate(apiKeyValue);
-    if (!result) {
-      return {
-        response: json({ error: "Invalid or expired API key", code: "INVALID_API_KEY" }, 401),
-        context,
-      };
-    }
-
-    context.user = result.user;
-    context.isAuthenticated = true;
-    context.isAdmin = result.user.role === "admin";
-  } else if (bearerToken) {
-    // JWT auth
-    const payload = verifyAccessToken(bearerToken);
-
-    if (!payload) {
-      return {
-        response: json({ error: "Invalid or expired token", code: "INVALID_TOKEN" }, 401),
-        context,
-      };
-    }
-
-    const user = UserDB.findById(payload.userId);
-    if (!user) {
-      return {
-        response: json({ error: "User not found", code: "USER_NOT_FOUND" }, 401),
-        context,
-      };
-    }
-
-    context.user = user;
-    context.isAuthenticated = true;
-    context.isAdmin = user.role === "admin";
-  } else {
-    return {
-      response: json({ error: "Unauthorized", code: "NO_TOKEN" }, 401),
-      context,
-    };
-  }
-
-  // Check admin-only paths
-  if (ADMIN_PATHS.some(p => path === p || path.startsWith(p + "/"))) {
-    if (!context.isAdmin) {
-      return {
-        response: json({ error: "Admin access required", code: "FORBIDDEN" }, 403),
-        context,
-      };
-    }
-  }
-
-  return { context };
-}
-
-/**
- * Helper to check if a path requires authentication
- */
-export function requiresAuth(path: string): boolean {
-  if (process.env.AUTH_ENABLED === "false") {
-    return false;
-  }
-
-  if (PUBLIC_PATHS.some(p => path === p || path.startsWith(p + "/"))) {
-    return false;
-  }
-
-  return true;
-}
-
-/**
- * Helper to extract token from request
- */
-export function getTokenFromRequest(req: Request): string | null {
-  const authHeader = req.headers.get("Authorization");
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    return null;
-  }
-  return authHeader.slice(7);
-}
-
-/**
- * Helper to extract refresh token from cookie
- */
-export function getRefreshTokenFromCookie(req: Request): string | null {
-  const cookie = req.headers.get("Cookie");
-  if (!cookie) return null;
-
-  const match = cookie.match(/(?:^|;\s*)apteva_session=([^;]+)/);
-  return match ? match[1] : null;
-}
-
-/**
- * Create Set-Cookie header for refresh token
- * Note: Secure flag only added when HTTPS is explicitly enabled (not just production mode)
- * This allows Docker deployments to work on localhost without HTTPS
- */
-export function createRefreshTokenCookie(token: string, maxAge: number): string {
-  const secure = process.env.HTTPS_ENABLED === "true" ? "; Secure" : "";
-  return `apteva_session=${token}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${maxAge}${secure}`;
-}
-
-/**
- * Create Set-Cookie header to clear refresh token
- */
-export function clearRefreshTokenCookie(): string {
-  return "apteva_session=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0";
-}