auramaxx 1.0.0-alpha.4

package/server/routes/auth.ts

@@ -0,0 +1,457 @@
+import { Router, Request, Response } from 'express';
+import { randomBytes, timingSafeEqual } from 'crypto';
+import { prisma } from '../lib/db';
+import { createHumanActionNotification } from '../lib/notifications';
+import { events } from '../lib/events';
+import { requireWalletAuth } from '../middleware/auth';
+import { isAdmin } from '../lib/permissions';
+import { getPublicKey } from '../lib/transport';
+import { claimEscrowedToken } from '../lib/auth';
+import { isValidAgentPubkey, normalizeAgentPubkey, encryptToAgentPubkey } from '../lib/credential-transport';
+import { hashSecret } from '../lib/crypto';
+import { getDefault } from '../lib/defaults';
+import { logger } from '../lib/logger';
+import { getErrorMessage } from '../lib/error';
+import { AgentProfileError, resolveProfileToEffectivePolicy } from '../lib/agent-profiles';
+
+const router = Router();
+
+// GET /auth/connect - Get server's public key for encrypting passwords
+// This is a public endpoint - no authentication required
+router.get('/connect', (_req: Request, res: Response) => {
+  res.json({ publicKey: getPublicKey() });
+});
+
+// POST /auth - Agent requests access token (queued for human approval)
+// Returns a requestId and secret that can be used to retrieve the token later
+router.post('/', async (req: Request, res: Response) => {
+  try {
+    const {
+      agentId,
+      limit,
+      permissions,
+      ttl,
+      limits,
+      walletAccess,
+      pubkey,
+      credentialAccess,
+      profile,
+      profileVersion,
+      profileOverrides,
+    } = req.body;
+
+    if (!agentId || typeof agentId !== 'string') {
+      res.status(400).json({ error: 'agentId is required' });
+      return;
+    }
+
+    if (typeof profile !== 'string' || profile.trim().length === 0) {
+      res.status(400).json({
+        error: 'profile is required for agent issuance',
+        code: 'AGENT_PROFILE_REQUIRED',
+      });
+      return;
+    }
+
+    const hasRawIssuancePayload = (
+      permissions !== undefined ||
+      ttl !== undefined ||
+      credentialAccess !== undefined
+    );
+    if (hasRawIssuancePayload) {
+      res.status(400).json({
+        error: 'Raw permission issuance is disabled on /auth. Use profile + optional profileOverrides.',
+        code: 'AGENT_PROFILE_ONLY',
+      });
+      return;
+    }
+
+    const defaultFundLimit = await getDefault<number>('limits.fund', 0.1);
+    const requestedLimit = typeof limit === 'number' ? limit : defaultFundLimit;
+    const resolvedProfile = resolveProfileToEffectivePolicy({
+      profileId: profile,
+      profileVersion: typeof profileVersion === 'string' ? profileVersion : undefined,
+      overrides: profileOverrides,
+    });
+    const requestedPermissions = [...resolvedProfile.permissions];
+    const requestedTtl = resolvedProfile.ttlSeconds;
+    const requestedLimits = limits || { fund: requestedLimit };
+    const requestedWalletAccess = Array.isArray(walletAccess)
+      ? walletAccess.map((addr: string) => addr.toLowerCase())
+      : undefined;
+    const requestedCredentialAccess = resolvedProfile.credentialAccess;
+
+    if (typeof pubkey !== 'string' || !pubkey.trim()) {
+      res.status(400).json({ error: 'pubkey is required' });
+      return;
+    }
+    if (!isValidAgentPubkey(pubkey)) {
+      res.status(400).json({ error: 'pubkey must be a valid RSA public key (PEM or base64)' });
+      return;
+    }
+    const normalizedPubkey = normalizeAgentPubkey(pubkey);
+
+    // Generate a secret for retrieving the token later
+    const secret = randomBytes(32).toString('hex');
+    const secretHash = hashSecret(secret);
+
+    // Create pending request with secretHash in metadata
+    const request = await prisma.humanAction.create({
+      data: {
+        type: 'auth',
+        fromTier: 'system',
+        toAddress: null,
+        amount: null,
+        chain: 'base',
+        status: 'pending',
+        metadata: JSON.stringify({
+          agentId,
+          limit: requestedLimit,
+          permissions: requestedPermissions,
+          ttl: requestedTtl,
+          limits: requestedLimits,
+          walletAccess: requestedWalletAccess,
+          credentialAccess: requestedCredentialAccess,
+          profile: resolvedProfile.profile,
+          effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+          overrideDelta: resolvedProfile.overrideDelta,
+          warnings: resolvedProfile.warnings,
+          pubkey: normalizedPubkey,
+          secretHash,
+          // tokenHash will be added here when approved (raw token stays in memory escrow)
+        })
+      }
+    });
+
+    // Create notification for human approval
+    await createHumanActionNotification(request);
+
+    // Emit WebSocket event
+    events.actionCreated({
+      id: request.id,
+      type: 'agent_access',
+      source: `agent:${agentId}`,
+      summary: `${agentId} requesting ${requestedLimit} ETH access`,
+      expiresAt: null,
+      metadata: {
+        agentId,
+        limit: requestedLimit,
+        permissions: requestedPermissions,
+        profile: resolvedProfile.profile,
+        effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+      },
+    });
+
+    logger.agentRequested(agentId, request.id, requestedLimit);
+
+    res.json({
+      success: true,
+      requestId: request.id,
+      secret, // Only returned once - agent must store this!
+      message: 'Waiting for human approval',
+      agentId,
+      limit: requestedLimit,
+      permissions: requestedPermissions,
+      limits: requestedLimits,
+      credentialAccess: requestedCredentialAccess,
+      profile: resolvedProfile.profile,
+      effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+      overrideDelta: resolvedProfile.overrideDelta,
+      warnings: resolvedProfile.warnings,
+      ttl: requestedTtl
+    });
+  } catch (error) {
+    if (error instanceof AgentProfileError) {
+      res.status(400).json({ error: error.message, code: error.code });
+      return;
+    }
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// GET /auth/pending - List pending auth requests (public, shows sanitized info)
+router.get('/pending', async (_req: Request, res: Response) => {
+  try {
+    const requests = await prisma.humanAction.findMany({
+      where: {
+        type: 'auth',
+        status: 'pending'
+      },
+      orderBy: { createdAt: 'desc' }
+    });
+
+    res.json({
+      success: true,
+      requests: requests.map(r => {
+        const metadata = r.metadata ? JSON.parse(r.metadata) : {};
+        // Don't expose secretHash
+        const { secretHash, ...safeMetadata } = metadata;
+        return {
+          ...r,
+          metadata: safeMetadata
+        };
+      })
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// POST /auth/request-permissions - Agent requests additional permissions or wallet access
+// Requires existing valid token
+router.post('/request-permissions', requireWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const auth = req.auth!;
+    const { requestedPermissions, requestedWalletAccess, requestedLimits, requestedPubkey } = req.body;
+
+    // Don't allow admin to request more permissions
+    if (isAdmin(auth)) {
+      res.status(400).json({ error: 'Admin already has all permissions' });
+      return;
+    }
+
+    // Validate input
+    if (!requestedPermissions && !requestedWalletAccess && !requestedLimits) {
+      res.status(400).json({ error: 'Must request at least one of: permissions, walletAccess, or limits' });
+      return;
+    }
+
+    // Normalize wallet access
+    const normalizedWalletAccess = requestedWalletAccess && Array.isArray(requestedWalletAccess)
+      ? requestedWalletAccess.map((addr: string) => addr.toLowerCase())
+      : undefined;
+    if (typeof requestedPubkey !== 'string' || !requestedPubkey.trim()) {
+      res.status(400).json({ error: 'requestedPubkey is required' });
+      return;
+    }
+    if (!isValidAgentPubkey(requestedPubkey)) {
+      res.status(400).json({ error: 'requestedPubkey must be a valid RSA public key (PEM or base64)' });
+      return;
+    }
+    const normalizedPubkey = normalizeAgentPubkey(requestedPubkey);
+
+    // Generate a secret for retrieving the new token
+    const secret = randomBytes(32).toString('hex');
+    const secretHash = hashSecret(secret);
+
+    // Create pending request
+    const request = await prisma.humanAction.create({
+      data: {
+        type: 'permission_update',
+        fromTier: 'system',
+        toAddress: null,
+        amount: null,
+        chain: 'base',
+        status: 'pending',
+        metadata: JSON.stringify({
+          agentId: auth.token.agentId,
+          tokenHash: auth.tokenHash,
+          currentPermissions: auth.token.permissions,
+          currentLimits: auth.token.limits,
+          currentWalletAccess: auth.token.walletAccess,
+          requestedPermissions: requestedPermissions || [],
+          requestedWalletAccess: normalizedWalletAccess,
+          requestedLimits,
+          requestedPubkey: normalizedPubkey,
+          secretHash,
+        })
+      }
+    });
+
+    // Create notification for human approval
+    await createHumanActionNotification(request);
+
+    // Emit WebSocket event
+    events.actionCreated({
+      id: request.id,
+      type: 'permission_update',
+      source: `agent:${auth.token.agentId}`,
+      summary: `${auth.token.agentId} requesting permission update`,
+      expiresAt: null,
+      metadata: { agentId: auth.token.agentId, requestedPermissions, requestedLimits },
+    });
+
+    logger.permissionRequested(auth.token.agentId, request.id, requestedPermissions || []);
+
+    res.json({
+      success: true,
+      requestId: request.id,
+      secret, // Only returned once - agent must store this!
+      message: 'Permission update request created, waiting for human approval',
+      currentPermissions: auth.token.permissions,
+      requestedPermissions: requestedPermissions || [],
+      requestedWalletAccess: normalizedWalletAccess,
+      requestedLimits
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// POST /auth/validate - Validate a token and return its info
+// Used by Next.js WebSocket server to authenticate connections
+router.post('/validate', async (req: Request, res: Response) => {
+  try {
+    const { token } = req.body;
+
+    if (!token || typeof token !== 'string') {
+      res.status(400).json({ valid: false, error: 'token is required' });
+      return;
+    }
+
+    // Import validation functions
+    const { validateToken, getTokenHash } = await import('../lib/auth');
+    const { isRevoked } = await import('../lib/sessions');
+
+    // Validate token (admin tokens are just tokens with admin:* permission)
+    const payload = validateToken(token);
+    if (!payload) {
+      res.json({ valid: false, error: 'Invalid or expired token' });
+      return;
+    }
+
+    const tokenHash = getTokenHash(token);
+
+    // Check if revoked
+    if (isRevoked(tokenHash)) {
+      res.json({ valid: false, error: 'Token has been revoked' });
+      return;
+    }
+
+    logger.tokenValidated(payload.agentId, tokenHash);
+
+    res.json({
+      valid: true,
+      isAdmin: payload.permissions.includes('admin:*'),
+      tokenHash,
+      payload: {
+        agentId: payload.agentId,
+        permissions: payload.permissions,
+        limits: payload.limits,
+        walletAccess: payload.walletAccess,
+        exp: payload.exp
+      }
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ valid: false, error: message });
+  }
+});
+
+// GET /auth/:requestId - Agent polls for token (requires secret)
+router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Response) => {
+  try {
+    const { requestId } = req.params;
+    const { secret } = req.query;
+
+    if (!secret || typeof secret !== 'string') {
+      res.status(400).json({ error: 'secret query parameter is required' });
+      return;
+    }
+
+    const request = await prisma.humanAction.findUnique({
+      where: { id: requestId }
+    });
+
+    if (!request) {
+      res.status(404).json({ error: 'Request not found' });
+      return;
+    }
+
+    // Parse metadata
+    let metadata: {
+      agentId?: string;
+      limit?: number;
+      permissions?: string[];
+      ttl?: number;
+      secretHash?: string;
+      tokenHash?: string;
+      limits?: { fund?: number; send?: number; swap?: number };
+      walletAccess?: string[];
+      profile?: { id: string; version: string; displayName?: string; rationale?: string };
+      effectivePolicyHash?: string;
+      overrideDelta?: string[];
+      warnings?: string[];
+    } = {};
+    if (request.metadata) {
+      try {
+        metadata = JSON.parse(request.metadata);
+      } catch {
+        // ignore parse errors
+      }
+    }
+
+    // Verify secret (timing-safe comparison)
+    const providedHash = hashSecret(secret);
+    if (!metadata.secretHash) {
+      res.status(403).json({ error: 'Invalid secret' });
+      return;
+    }
+    const providedBuf = Buffer.from(providedHash, 'hex');
+    const expectedBuf = Buffer.from(metadata.secretHash, 'hex');
+    if (providedBuf.length !== expectedBuf.length || !timingSafeEqual(providedBuf, expectedBuf)) {
+      res.status(403).json({ error: 'Invalid secret' });
+      return;
+    }
+
+    // Return status based on request state
+    if (request.status === 'pending') {
+      res.json({
+        success: true,
+        status: 'pending',
+        message: 'Waiting for human approval'
+      });
+      return;
+    }
+
+    if (request.status === 'rejected') {
+      res.json({
+        success: true,
+        status: 'rejected',
+        message: 'Request was rejected'
+      });
+      return;
+    }
+
+    if (request.status === 'approved') {
+      const tokenToReturn = claimEscrowedToken(requestId);
+      if (!tokenToReturn) {
+        res.status(410).json({ error: 'Token already claimed or expired', status: 'approved' });
+        return;
+      }
+
+      // Encrypt token to agent pubkey for transport (plaintext is no longer supported)
+      const pubkey = (metadata as { pubkey?: string }).pubkey;
+      if (!pubkey) {
+        res.status(500).json({ error: 'No pubkey available to return encrypted token' });
+        return;
+      }
+
+      res.json({
+        success: true,
+        status: 'approved',
+        encryptedToken: encryptToAgentPubkey(tokenToReturn, pubkey),
+        agentId: metadata.agentId,
+        limit: metadata.limit,
+        limits: metadata.limits,
+        permissions: metadata.permissions,
+        walletAccess: metadata.walletAccess,
+        profile: metadata.profile,
+        effectivePolicyHash: metadata.effectivePolicyHash,
+        overrideDelta: metadata.overrideDelta,
+        warnings: metadata.warnings,
+      });
+      return;
+    }
+
+    res.status(400).json({ error: `Unknown status: ${request.status}` });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+export default router;