archicore 0.3.1 → 0.3.3

package/dist/server/config/passport.js

@@ -0,0 +1,86 @@
+/**
+ * Passport OAuth Configuration
+ * Google and GitHub authentication strategies
+ */
+import passport from 'passport';
+import { Strategy as GoogleStrategy } from 'passport-google-oauth20';
+import { Strategy as GitHubStrategy } from 'passport-github2';
+import { Logger } from '../../utils/logger.js';
+// Google OAuth Strategy
+if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
+    passport.use(new GoogleStrategy({
+        clientID: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/oauth/google/callback',
+        scope: ['profile', 'email'],
+    }, async (_accessToken, _refreshToken, profile, done) => {
+        try {
+            Logger.info(`[OAuth] Google authentication for user: ${profile.emails?.[0]?.value}`);
+            const oauthProfile = {
+                id: profile.id,
+                email: profile.emails?.[0]?.value || '',
+                displayName: profile.displayName,
+                avatar: profile.photos?.[0]?.value,
+                provider: 'google',
+            };
+            // Validate email
+            if (!oauthProfile.email) {
+                return done(new Error('No email provided by Google'));
+            }
+            done(null, oauthProfile);
+        }
+        catch (error) {
+            Logger.error('[OAuth] Google authentication error:', error);
+            done(error);
+        }
+    }));
+    Logger.info('[OAuth] Google strategy configured');
+}
+else {
+    Logger.warn('[OAuth] Google OAuth not configured - missing GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET');
+}
+// GitHub OAuth Strategy
+if (process.env.GITHUB_OAUTH_CLIENT_ID && process.env.GITHUB_OAUTH_CLIENT_SECRET) {
+    passport.use(new GitHubStrategy({
+        clientID: process.env.GITHUB_OAUTH_CLIENT_ID,
+        clientSecret: process.env.GITHUB_OAUTH_CLIENT_SECRET,
+        callbackURL: process.env.GITHUB_OAUTH_CALLBACK_URL || '/api/auth/oauth/github/callback',
+        scope: ['user:email'],
+    }, async (_accessToken, _refreshToken, profile, done) => {
+        try {
+            Logger.info(`[OAuth] GitHub authentication for user: ${profile.username}`);
+            // GitHub might not provide email in profile, check emails array
+            const email = profile.emails?.[0]?.value || profile._json?.email || '';
+            const oauthProfile = {
+                id: profile.id,
+                email,
+                displayName: profile.displayName || profile.username || '',
+                avatar: profile.photos?.[0]?.value || profile._json?.avatar_url,
+                provider: 'github',
+            };
+            // Validate email
+            if (!oauthProfile.email) {
+                return done(new Error('No email provided by GitHub. Please make your email public in GitHub settings.'));
+            }
+            done(null, oauthProfile);
+        }
+        catch (error) {
+            Logger.error('[OAuth] GitHub authentication error:', error);
+            done(error);
+        }
+    }));
+    Logger.info('[OAuth] GitHub strategy configured');
+}
+else {
+    Logger.warn('[OAuth] GitHub OAuth not configured - missing GITHUB_OAUTH_CLIENT_ID or GITHUB_OAUTH_CLIENT_SECRET');
+}
+// Serialize user to session (not used in stateless JWT, but required by passport)
+passport.serializeUser((user, done) => {
+    done(null, user);
+});
+// Deserialize user from session
+passport.deserializeUser((user, done) => {
+    done(null, user);
+});
+export default passport;
+//# sourceMappingURL=passport.js.map

package/dist/server/index.js

@@ -22,14 +22,20 @@ import { Logger } from '../utils/logger.js';
 import { apiRouter } from './routes/api.js';
 import { uploadRouter } from './routes/upload.js';
 import { authRouter } from './routes/auth.js';
+import { oauthRouter } from './routes/oauth.js';
 import { adminRouter } from './routes/admin.js';
 import { developerRouter } from './routes/developer.js';
 import { githubRouter } from './routes/github.js';
+import { gitlabRouter } from './routes/gitlab.js';
 import deviceAuthRouter from './routes/device-auth.js';
 import { reportIssueRouter } from './routes/report-issue.js';
 import { cache } from './services/cache.js';
 import { db } from './services/database.js';
 import { AuthService } from './services/auth-service.js';
+import { securityConfig } from './config.js';
+import passport from './config/passport.js';
+import cookieParser from 'cookie-parser';
+import { csrfProtection, csrfTokenEndpoint } from './middleware/csrf.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 // CORS whitelist - настройте под свои домены
@@ -153,17 +159,19 @@ export class ArchiCoreServer {
         this.setupErrorHandling();
     }
     setupMiddleware() {
-        // Security headers (helmet) - disabled in development for easier testing
-        // Set HELMET_ENABLED=true in production
-        const helmetEnabled = process.env.HELMET_ENABLED === 'true';
+        // Security headers (helmet) - enabled by default for security
+        // Set HELMET_ENABLED=false to disable (not recommended)
+        const helmetEnabled = process.env.HELMET_ENABLED !== 'false';
         if (helmetEnabled) {
             this.app.use(helmet({
                 contentSecurityPolicy: {
                     directives: {
                         defaultSrc: ["'self'"],
-                        styleSrc: ["'self'", "'unsafe-inline'"],
-                        scriptSrc: ["'self'", "'unsafe-inline'"],
+                        styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
+                        scriptSrc: ["'self'", "'unsafe-inline'", "https://cdn.jsdelivr.net"],
+                        scriptSrcAttr: ["'unsafe-inline'", "'unsafe-hashes'"],
                         imgSrc: ["'self'", "data:", "https:"],
+                        fontSrc: ["'self'", "https://fonts.gstatic.com"],
                         connectSrc: ["'self'", "https://api.jina.ai", "https://api.openai.com", "https://api.anthropic.com"],
                     },
                 },
@@ -196,8 +204,8 @@ export class ArchiCoreServer {
         const globalLimiter = createRateLimiter(this.config.rateLimitWindowMs || 60 * 1000, this.config.rateLimitMax || 100, 'Too many requests, please try again later');
         this.app.use(globalLimiter);
         // CORS configuration
-        // Set CORS_RESTRICT=true in .env to enable whitelist mode
-        const restrictCors = process.env.CORS_RESTRICT === 'true';
+        // Set CORS_RESTRICT=false in .env to disable whitelist mode (not recommended for production)
+        const restrictCors = process.env.CORS_RESTRICT !== 'false';
         const allowedOrigins = this.config.corsOrigins || DEFAULT_CORS_ORIGINS;
         this.app.use(cors({
             origin: restrictCors
@@ -224,10 +232,14 @@ export class ArchiCoreServer {
                 }
                 : true, // Allow all origins when CORS_RESTRICT is not set
             methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
-            allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key', 'X-Request-ID'],
+            allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key', 'X-Request-ID', 'x-csrf-token'],
             credentials: true,
             maxAge: 86400, // Cache preflight for 24 hours
         }));
+        // Cookie parser for OAuth session
+        this.app.use(cookieParser());
+        // Passport initialization for OAuth
+        this.app.use(passport.initialize());
         // JSON парсинг - лимит должен покрывать максимальный тариф (admin = 1GB)
         // Проверка по тарифу пользователя происходит в бизнес-логике после парсинга
         this.app.use(express.json({ limit: '1gb' }));
@@ -251,8 +263,32 @@ export class ArchiCoreServer {
         }));
     }
     setupRoutes() {
-        // Auth routes
+        // Strict rate limiting for auth endpoints to prevent brute force attacks
+        const authRateLimiter = createRateLimiter(15 * 60 * 1000, // 15 minutes
+        20, // Max 20 attempts per 15 minutes
+        'Too many authentication attempts, please try again later');
+        const verificationRateLimiter = createRateLimiter(60 * 60 * 1000, // 1 hour
+        5, // Max 5 verification requests per hour
+        'Too many verification code requests, please try again later');
+        // CSRF token endpoint (no protection needed for GET)
+        this.app.get('/api/auth/csrf-token', csrfTokenEndpoint);
+        // CSRF protection for state-changing auth operations
+        // Ignore paths that use API keys or device auth flow
+        const csrfMiddleware = csrfProtection({
+            ignorePaths: [
+                '/api/auth/device',
+                '/api/auth/oauth',
+                '/api/developer',
+                '/api/v1'
+            ]
+        });
+        // Auth routes with rate limiting and CSRF protection
+        this.app.use('/api/auth/login', authRateLimiter, csrfMiddleware);
+        this.app.use('/api/auth/register', authRateLimiter, csrfMiddleware);
+        this.app.use('/api/auth/send-verification-code', verificationRateLimiter, csrfMiddleware);
         this.app.use('/api/auth', authRouter);
+        // OAuth routes (Google, GitHub)
+        this.app.use('/api/auth/oauth', oauthRouter);
         // Device auth for CLI
         this.app.use('/api/auth/device', deviceAuthRouter);
         // Admin routes
@@ -261,6 +297,8 @@ export class ArchiCoreServer {
         this.app.use('/api/developer', developerRouter);
         // GitHub integration routes
         this.app.use('/api/github', githubRouter);
+        // GitLab integration routes
+        this.app.use('/api/gitlab', gitlabRouter);
         // API маршруты
         this.app.use('/api', apiRouter);
         // Upload маршруты
@@ -405,7 +443,11 @@ const isMainModule = process.argv[1]?.includes('server');
 if (isMainModule) {
     const port = parseInt(process.env.PORT || '3000', 10);
     const host = process.env.HOST || '0.0.0.0';
-    const server = new ArchiCoreServer({ port, host });
+    const server = new ArchiCoreServer({
+        port,
+        host,
+        corsOrigins: securityConfig.cors.allowedOrigins
+    });
     server.start().catch((err) => {
         Logger.error('Failed to start server:', err);
         process.exit(1);

package/dist/server/middleware/api-auth.d.ts

@@ -4,7 +4,7 @@
  * Аутентификация через API ключи, rate limiting, проверка permissions
  */
 import { Request, Response, NextFunction } from 'express';
-import { ApiPermission, ApiRequestContext } from '../../types/api.js';
+import { ApiPermission, ApiRequestContext, OperationCategory } from '../../types/api.js';
 declare global {
     namespace Express {
         interface Request {
@@ -31,7 +31,7 @@ export declare function checkBalance(estimatedTokens: number): (req: Request, re
 /**
  * Wrapper для автоматического трекинга использования токенов
  */
-export declare function trackUsage(operation: ApiPermission extends `${infer Op}:${string}` ? Op : never): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+export declare function trackUsage(operation: OperationCategory): (req: Request, res: Response, next: NextFunction) => Promise<void>;
 /**
  * Error handler для API ошибок
  */

package/dist/server/middleware/api-auth.js

@@ -152,6 +152,24 @@ export function checkBalance(estimatedTokens) {
         next();
     };
 }
+/**
+ * Map operation category to ApiOperation for internal processing
+ */
+function mapOperationToApiOperation(operation) {
+    const mapping = {
+        'index': 'index',
+        'analyze': 'analyze_full',
+        'search': 'search_semantic',
+        'ask': 'ask_architect',
+        'export': 'export',
+        'refactoring': 'refactoring',
+        'metrics': 'metrics',
+        'rules': 'rules_check',
+        'dead_code': 'dead_code',
+        'duplication': 'duplication'
+    };
+    return mapping[operation] || 'index';
+}
 /**
  * Wrapper для автоматического трекинга использования токенов
  */
@@ -164,18 +182,19 @@ export function trackUsage(operation) {
         // Сохраняем оригинальный json метод
         const originalJson = res.json.bind(res);
         const startTime = Date.now();
+        const apiOperation = mapOperationToApiOperation(operation);
         // Перехватываем ответ
         res.json = function (body) {
             // Подсчитываем токены на основе размера ответа
             const responseSize = JSON.stringify(body).length;
             const inputSize = JSON.stringify(req.body || {}).length;
-            const tokens = tokenService.calculateTokens(operation, {
+            const tokens = tokenService.calculateTokens(apiOperation, {
                 inputText: JSON.stringify(req.body || {}),
                 outputText: JSON.stringify(body),
                 contentSizeKb: Math.ceil((inputSize + responseSize) / 1024)
             });
             // Записываем использование асинхронно (не блокируем ответ)
-            tokenService.recordUsage(req.apiContext.apiKey.id, req.apiContext.userId, operation, tokens, req.params.id, // projectId if present
+            tokenService.recordUsage(req.apiContext.apiKey.id, req.apiContext.userId, apiOperation, tokens, req.params.id, // projectId if present
             {
                 endpoint: req.path,
                 method: req.method,

package/dist/server/middleware/csrf.d.ts

@@ -0,0 +1,23 @@
+/**
+ * CSRF Protection Middleware
+ *
+ * Implements double-submit cookie pattern for CSRF protection.
+ * This is a modern alternative to the deprecated csurf package.
+ */
+import { Request, Response, NextFunction } from 'express';
+/**
+ * CSRF Protection Middleware
+ *
+ * For GET requests: Sets a CSRF cookie and provides the token in response
+ * For state-changing requests (POST, PUT, DELETE, PATCH): Validates the token
+ */
+export declare function csrfProtection(options?: {
+    ignoreMethods?: string[];
+    ignorePaths?: string[];
+}): (req: Request, res: Response, next: NextFunction) => void;
+/**
+ * Endpoint to get CSRF token
+ * GET /api/auth/csrf-token
+ */
+export declare function csrfTokenEndpoint(req: Request, res: Response): void;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/server/middleware/csrf.js

@@ -0,0 +1,96 @@
+/**
+ * CSRF Protection Middleware
+ *
+ * Implements double-submit cookie pattern for CSRF protection.
+ * This is a modern alternative to the deprecated csurf package.
+ */
+import crypto from 'crypto';
+const CSRF_COOKIE_NAME = 'archicore_csrf';
+const CSRF_HEADER_NAME = 'x-csrf-token';
+const CSRF_TOKEN_LENGTH = 32;
+/**
+ * Generate a cryptographically secure CSRF token
+ */
+function generateCsrfToken() {
+    return crypto.randomBytes(CSRF_TOKEN_LENGTH).toString('hex');
+}
+/**
+ * Validate that the token from header matches the token from cookie
+ */
+function validateCsrfToken(cookieToken, headerToken) {
+    if (!cookieToken || !headerToken) {
+        return false;
+    }
+    // Use timing-safe comparison to prevent timing attacks
+    try {
+        return crypto.timingSafeEqual(Buffer.from(cookieToken), Buffer.from(headerToken));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * CSRF Protection Middleware
+ *
+ * For GET requests: Sets a CSRF cookie and provides the token in response
+ * For state-changing requests (POST, PUT, DELETE, PATCH): Validates the token
+ */
+export function csrfProtection(options = {}) {
+    const ignoreMethods = options.ignoreMethods || ['GET', 'HEAD', 'OPTIONS'];
+    const ignorePaths = options.ignorePaths || [];
+    return (req, res, next) => {
+        // Skip CSRF for ignored paths
+        if (ignorePaths.some(path => req.path.startsWith(path))) {
+            return next();
+        }
+        // Skip CSRF for API key authenticated requests (they use different auth)
+        if (req.headers['x-api-key'] || req.headers.authorization?.startsWith('Bearer arc_')) {
+            return next();
+        }
+        // For safe methods, just ensure token exists
+        if (ignoreMethods.includes(req.method)) {
+            // Generate token if not present
+            if (!req.cookies[CSRF_COOKIE_NAME]) {
+                const token = generateCsrfToken();
+                res.cookie(CSRF_COOKIE_NAME, token, {
+                    httpOnly: false, // Must be readable by JS
+                    secure: process.env.NODE_ENV === 'production',
+                    sameSite: 'strict',
+                    maxAge: 24 * 60 * 60 * 1000, // 24 hours
+                    path: '/'
+                });
+            }
+            return next();
+        }
+        // For state-changing methods, validate the token
+        const cookieToken = req.cookies[CSRF_COOKIE_NAME];
+        const headerToken = req.headers[CSRF_HEADER_NAME];
+        if (!validateCsrfToken(cookieToken, headerToken)) {
+            res.status(403).json({
+                error: 'CSRF token validation failed',
+                message: 'Invalid or missing CSRF token. Please refresh the page and try again.'
+            });
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Endpoint to get CSRF token
+ * GET /api/auth/csrf-token
+ */
+export function csrfTokenEndpoint(req, res) {
+    let token = req.cookies[CSRF_COOKIE_NAME];
+    if (!token) {
+        token = generateCsrfToken();
+        res.cookie(CSRF_COOKIE_NAME, token, {
+            httpOnly: false,
+            secure: process.env.NODE_ENV === 'production',
+            sameSite: 'strict',
+            maxAge: 24 * 60 * 60 * 1000,
+            path: '/'
+        });
+    }
+    res.json({ csrfToken: token });
+}
+//# sourceMappingURL=csrf.js.map

package/dist/server/routes/auth.d.ts

@@ -2,12 +2,12 @@
  * Authentication API Routes for ArchiCore
  */
 import { Request, Response, NextFunction } from 'express';
-import { User } from '../../types/user.js';
+import { User as ArchiCoreUser } from '../../types/user.js';
 export declare const authRouter: import("express-serve-static-core").Router;
 declare global {
     namespace Express {
         interface Request {
-            user?: User;
+            user?: ArchiCoreUser;
         }
     }
 }