conductor-oss 0.2.5 → 0.2.6

package/web/.next/standalone/packages/web/src/lib/auth.ts

@@ -1,12 +1,28 @@
+import type { DashboardAccessConfig, DashboardRole } from "@conductor-oss/core/types";
+import { cookies, headers } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
+import { resolveRoleForEmail, roleMeetsRequirement, isLoopbackHost } from "@/lib/accessControl";
+import { verifyTrustedEdgeIdentity } from "@/lib/edgeAuth";
+import { BUILTIN_REMOTE_SESSION_COOKIE, isBuiltinRemoteAuthEnabled, verifyBuiltinRemoteSession } from "@/lib/remoteAuth";
+import { getServices } from "@/lib/services";
 
 const clerkConfigured = Boolean(
   process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY && process.env.CLERK_SECRET_KEY,
 );
 
+type DashboardIdentityProvider =
+  | "local"
+  | "builtin"
+  | "clerk"
+  | "trusted-header"
+  | "cloudflare-access";
+
 export interface DashboardAccess {
   ok: boolean;
+  authenticated: boolean;
+  role?: DashboardRole;
   email?: string;
+  provider?: DashboardIdentityProvider;
   reason?: string;
 }
 
@@ -23,6 +39,12 @@ type HostParts = {
   host: string;
 };
 
+type ClerkUser = {
+  emailAddresses: { id: string; emailAddress: string }[];
+  primaryEmailAddressId: string | null;
+  publicMetadata: Record<string, unknown>;
+};
+
 function parseHostParts(value: string, fallbackHost?: string): HostParts | null {
   try {
     const url = new URL(value, fallbackHost ? `https://${fallbackHost}` : undefined);
@@ -34,10 +56,6 @@ function parseHostParts(value: string, fallbackHost?: string): HostParts | null
   }
 }
 
-function isLoopbackHost(hostname: string): boolean {
-  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "0.0.0.0" || hostname === "::1" || hostname === "[::1]";
-}
-
 function equivalentHost(candidate: string, expectedHost: string): boolean {
   if (candidate.toLowerCase() === expectedHost.toLowerCase()) return true;
 
@@ -69,77 +87,306 @@ function getAllowedActionHosts(expectedHost: string): Set<string> {
   return hosts;
 }
 
-type ClerkUser = {
-  emailAddresses: { id: string; emailAddress: string }[];
-  primaryEmailAddressId: string | null;
-  publicMetadata: Record<string, unknown>;
-};
-
 function isApproved(user: ClerkUser): boolean {
   const raw = user.publicMetadata ?? {};
   return raw.conductorApproved === true;
 }
 
-export async function getDashboardAccess(): Promise<DashboardAccess> {
-  if (!clerkConfigured) {
-    return { ok: true, email: "local" };
+function envRequiresAuth(): boolean {
+  return (process.env.CONDUCTOR_REQUIRE_AUTH ?? "").trim().toLowerCase() === "true";
+}
+
+function legacyRoleEnvFallback(): {
+  allowedEmails: string[];
+  allowedDomains: string[];
+  adminEmails: string[];
+} {
+  return {
+    allowedEmails: parseCsv(process.env.CONDUCTOR_ALLOWED_EMAILS),
+    allowedDomains: parseCsv(process.env.CONDUCTOR_ALLOWED_DOMAINS),
+    adminEmails: parseCsv(process.env.CONDUCTOR_ADMIN_EMAILS),
+  };
+}
+
+function hasLegacyAllowListConfigured(): boolean {
+  const { allowedEmails, allowedDomains, adminEmails } = legacyRoleEnvFallback();
+  return allowedEmails.length > 0 || allowedDomains.length > 0 || adminEmails.length > 0;
+}
+
+function passesLegacyEmailRestrictions(email: string): boolean {
+  const normalizedEmail = email.trim().toLowerCase();
+  const { allowedEmails, allowedDomains, adminEmails } = legacyRoleEnvFallback();
+
+  const emailAllowed =
+    allowedEmails.length === 0 ||
+    allowedEmails.includes(normalizedEmail) ||
+    adminEmails.includes(normalizedEmail);
+
+  const domainAllowed =
+    allowedDomains.length === 0 ||
+    allowedDomains.some((domain) => normalizedEmail.endsWith(`@${domain}`));
+
+  return emailAllowed && domainAllowed;
+}
+
+async function loadAccessConfig(): Promise<DashboardAccessConfig | null> {
+  try {
+    const { config } = await getServices();
+    return config.access ?? null;
+  } catch {
+    return null;
+  }
+}
+
+function getDefaultRole(access: DashboardAccessConfig | null): DashboardRole | null {
+  const configured = process.env.CONDUCTOR_ACCESS_DEFAULT_ROLE?.trim().toLowerCase();
+  if (configured === "viewer" || configured === "operator" || configured === "admin") {
+    return configured;
+  }
+  return access?.defaultRole ?? null;
+}
+
+async function currentHeaders(request?: Request): Promise<Headers> {
+  if (request) return request.headers;
+  return headers();
+}
+
+async function currentHost(request?: Request): Promise<string> {
+  if (request) {
+    try {
+      return new URL(request.url).hostname;
+    } catch {
+      return request.headers.get("host")?.split(":")[0]?.trim().toLowerCase() ?? "";
+    }
+  }
+  const headerStore = await headers();
+  return headerStore.get("host")?.split(":")[0]?.trim().toLowerCase() ?? "";
+}
+
+function resolveRoleForAuthenticatedEmail(
+  email: string,
+  access: DashboardAccessConfig | null,
+): DashboardAccess {
+  if (!passesLegacyEmailRestrictions(email)) {
+    return {
+      ok: false,
+      authenticated: true,
+      email,
+      reason: "Email/domain not allowed",
+    };
+  }
+
+  const defaultRole = getDefaultRole(access);
+  const roleResolution = resolveRoleForEmail(
+    email,
+    defaultRole ? { ...access, defaultRole } : access,
+    legacyRoleEnvFallback(),
+  );
+
+  if (!roleResolution.role) {
+    return {
+      ok: false,
+      authenticated: true,
+      email,
+      reason: "Authenticated user is not granted dashboard access",
+    };
+  }
+
+  return {
+    ok: true,
+    authenticated: true,
+    email,
+    role: roleResolution.role,
+  };
+}
+
+async function resolveTrustedHeaderAccess(
+  request: Request | undefined,
+  access: DashboardAccessConfig | null,
+): Promise<DashboardAccess | null> {
+  const headerStore = await currentHeaders(request);
+  const identity = await verifyTrustedEdgeIdentity(headerStore, access);
+  if (!identity) return null;
+  if (!identity.ok) {
+    return {
+      ok: false,
+      authenticated: false,
+      reason: identity.reason,
+      provider: identity.provider,
+    };
   }
 
+  const resolved = resolveRoleForAuthenticatedEmail(identity.email, access);
+  return {
+    ...resolved,
+    provider: identity.provider,
+  };
+}
+
+async function resolveBuiltinRemoteAccess(): Promise<DashboardAccess | null> {
+  if (!isBuiltinRemoteAuthEnabled()) return null;
+
+  const cookieStore = await cookies();
+  const session = cookieStore.get(BUILTIN_REMOTE_SESSION_COOKIE)?.value ?? null;
+  if (!session) {
+    return {
+      ok: false,
+      authenticated: false,
+      reason: "Remote sign-in required",
+      provider: "builtin",
+    };
+  }
+
+  const validSession = await verifyBuiltinRemoteSession(session);
+  if (!validSession) {
+    return {
+      ok: false,
+      authenticated: false,
+      reason: "Remote sign-in required",
+      provider: "builtin",
+    };
+  }
+
+  return {
+    ok: true,
+    authenticated: true,
+    role: "admin",
+    email: "builtin",
+    provider: "builtin",
+  };
+}
+
+async function resolveClerkAccess(access: DashboardAccessConfig | null): Promise<DashboardAccess | null> {
+  if (!clerkConfigured) return null;
+
   try {
     const { currentUser } = await import("@clerk/nextjs/server");
     const user = await currentUser() as ClerkUser | null;
-    if (!user) return { ok: false, reason: "Not authenticated" };
+    if (!user) {
+      return {
+        ok: false,
+        authenticated: false,
+        reason: "Not authenticated",
+        provider: "clerk",
+      };
+    }
 
-    const email = user.emailAddresses.find((e) => e.id === user.primaryEmailAddressId)?.emailAddress
+    const email = user.emailAddresses.find((entry) => entry.id === user.primaryEmailAddressId)?.emailAddress
       ?? user.emailAddresses[0]?.emailAddress
       ?? "";
 
-    if (!email) return { ok: false, reason: "No email on account" };
+    if (!email) {
+      return {
+        ok: false,
+        authenticated: true,
+        reason: "No email on account",
+        provider: "clerk",
+      };
+    }
 
     const normalizedEmail = email.toLowerCase();
-    const allowedEmails = parseCsv(process.env.CONDUCTOR_ALLOWED_EMAILS);
-    const adminEmails = parseCsv(process.env.CONDUCTOR_ADMIN_EMAILS);
-    const allowedDomains = parseCsv(process.env.CONDUCTOR_ALLOWED_DOMAINS);
-    const requireApproval = (process.env.CONDUCTOR_REQUIRE_APPROVAL ?? "true") === "true";
-
-    const emailAllowed =
-      allowedEmails.length === 0 ||
-      allowedEmails.includes(normalizedEmail) ||
-      adminEmails.includes(normalizedEmail);
-
-    const domainAllowed =
-      allowedDomains.length === 0 ||
-      allowedDomains.some((d) => normalizedEmail.endsWith(`@${d}`));
-
-    if (!emailAllowed || !domainAllowed) {
-      return { ok: false, email: normalizedEmail, reason: "Email/domain not allowed" };
+    const resolved = resolveRoleForAuthenticatedEmail(normalizedEmail, access);
+    if (!resolved.ok) {
+      return {
+        ...resolved,
+        provider: "clerk",
+      };
     }
 
+    const requireApproval = (process.env.CONDUCTOR_REQUIRE_APPROVAL ?? "true") === "true";
+    const adminEmails = legacyRoleEnvFallback().adminEmails;
     if (requireApproval && !adminEmails.includes(normalizedEmail) && !isApproved(user)) {
-      return { ok: false, email: normalizedEmail, reason: "Awaiting manual approval" };
+      return {
+        ok: false,
+        authenticated: true,
+        email: normalizedEmail,
+        provider: "clerk",
+        reason: "Awaiting manual approval",
+      };
     }
 
-    return { ok: true, email: normalizedEmail };
+    return {
+      ...resolved,
+      provider: "clerk",
+    };
   } catch {
     return {
       ok: false,
-      reason:
-        "Authentication service is unavailable. Check Clerk env vars and retry.",
+      authenticated: false,
+      reason: "Authentication service is unavailable. Check Clerk env vars and retry.",
+      provider: "clerk",
     };
   }
 }
 
-export async function guardApiAccess(): Promise<NextResponse | null> {
-  const access = await getDashboardAccess();
-  if (access.ok) return null;
-  return NextResponse.json(
-    {
-      error: "Access denied",
-      reason: access.reason,
-      email: access.email ?? null,
-    },
-    { status: 403 },
-  );
+export async function getDashboardAccess(request?: Request): Promise<DashboardAccess> {
+  const access = await loadAccessConfig();
+  const host = await currentHost(request);
+
+  const trustedHeaderAccess = await resolveTrustedHeaderAccess(request, access);
+  if (trustedHeaderAccess) return trustedHeaderAccess;
+
+  const builtinAccess = await resolveBuiltinRemoteAccess();
+  if (builtinAccess) return builtinAccess;
+
+  const clerkAccess = await resolveClerkAccess(access);
+  if (clerkAccess) return clerkAccess;
+
+  const requireAuth = access?.requireAuth === true || envRequiresAuth() || hasLegacyAllowListConfigured();
+  if (!isLoopbackHost(host)) {
+    return {
+      ok: false,
+      authenticated: false,
+      reason: "Authentication is required for non-local dashboard access",
+    };
+  }
+
+  if (requireAuth) {
+    return {
+      ok: false,
+      authenticated: false,
+      reason: "Authentication required",
+    };
+  }
+
+  return {
+    ok: true,
+    authenticated: false,
+    role: "admin",
+    email: "local",
+    provider: "local",
+  };
+}
+
+export async function guardApiAccess(
+  request?: Request,
+  requiredRole: DashboardRole = "viewer",
+): Promise<NextResponse | null> {
+  const access = await getDashboardAccess(request);
+  if (!access.ok) {
+    return NextResponse.json(
+      {
+        error: "Access denied",
+        reason: access.reason,
+        email: access.email ?? null,
+      },
+      { status: 403 },
+    );
+  }
+
+  if (!access.role || !roleMeetsRequirement(access.role, requiredRole)) {
+    return NextResponse.json(
+      {
+        error: "Insufficient permissions",
+        reason: `Requires ${requiredRole} access`,
+        email: access.email ?? null,
+        role: access.role ?? null,
+      },
+      { status: 403 },
+    );
+  }
+
+  return null;
 }
 
 function matchesHost(value: string, expectedHost: string, allowedHosts: Set<string>): boolean {
@@ -191,12 +438,6 @@ function guardActionOrigin(request: NextRequest): NextResponse | null {
   return null;
 }
 
-/**
- * Guard mutating dashboard actions against simple CSRF-style origin/referer abuse.
- *
- * We keep this header-based check intentionally conservative: allow requests with
- * missing origin/referer headers (API clients), but block obvious cross-site calls.
- */
 export function guardApiActionAccess(request: NextRequest): NextResponse | null {
   return guardActionOrigin(request);
 }

package/web/.next/standalone/packages/web/src/lib/edgeAuth.test.ts

@@ -0,0 +1,91 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { exportJWK, generateKeyPair, SignJWT } from "jose";
+import { resolveTrustedEdgeAuthConfig, verifyTrustedEdgeIdentity } from "./edgeAuth";
+
+test("resolveTrustedEdgeAuthConfig defaults to verified Cloudflare Access mode", { concurrency: false }, () => {
+  const config = resolveTrustedEdgeAuthConfig(null);
+
+  assert.equal(config.enabled, false);
+  assert.equal(config.provider, "cloudflare-access");
+  assert.equal(config.emailHeader, "Cf-Access-Authenticated-User-Email");
+  assert.equal(config.jwtHeader, "Cf-Access-Jwt-Assertion");
+});
+
+test("verifyTrustedEdgeIdentity blocks generic header passthrough by default", { concurrency: false }, async () => {
+  const original = process.env.CONDUCTOR_ALLOW_INSECURE_TRUSTED_HEADERS;
+  delete process.env.CONDUCTOR_ALLOW_INSECURE_TRUSTED_HEADERS;
+
+  try {
+    const result = await verifyTrustedEdgeIdentity(
+      new Headers({
+        "Cf-Access-Authenticated-User-Email": "dev@example.com",
+      }),
+      {
+        trustedHeaders: {
+          enabled: true,
+          provider: "generic",
+          emailHeader: "Cf-Access-Authenticated-User-Email",
+        },
+      },
+    );
+
+    assert.equal(result?.ok, false);
+    assert.match(result?.reason ?? "", /disabled/i);
+  } finally {
+    if (original === undefined) {
+      delete process.env.CONDUCTOR_ALLOW_INSECURE_TRUSTED_HEADERS;
+    } else {
+      process.env.CONDUCTOR_ALLOW_INSECURE_TRUSTED_HEADERS = original;
+    }
+  }
+});
+
+test("verifyTrustedEdgeIdentity validates a Cloudflare Access JWT before trusting the email", { concurrency: false }, async () => {
+  const { privateKey, publicKey } = await generateKeyPair("RS256");
+  const jwk = await exportJWK(publicKey);
+  jwk.kid = "edge-auth-test";
+
+  const assertion = await new SignJWT({ email: "dev@example.com" })
+    .setProtectedHeader({ alg: "RS256", kid: "edge-auth-test" })
+    .setIssuedAt()
+    .setIssuer("https://acme.cloudflareaccess.com")
+    .setAudience("cf-access-audience")
+    .setExpirationTime("5m")
+    .sign(privateKey);
+
+  const originalFetch = globalThis.fetch;
+  globalThis.fetch = async (input) => {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+    assert.equal(url, "https://acme.cloudflareaccess.com/cdn-cgi/access/certs");
+    return new Response(JSON.stringify({ keys: [jwk] }), {
+      headers: { "content-type": "application/json" },
+      status: 200,
+    });
+  };
+
+  try {
+    const result = await verifyTrustedEdgeIdentity(
+      new Headers({
+        "Cf-Access-Jwt-Assertion": assertion,
+        "Cf-Access-Authenticated-User-Email": "dev@example.com",
+      }),
+      {
+        trustedHeaders: {
+          enabled: true,
+          provider: "cloudflare-access",
+          teamDomain: "acme.cloudflareaccess.com",
+          audience: "cf-access-audience",
+          emailHeader: "Cf-Access-Authenticated-User-Email",
+          jwtHeader: "Cf-Access-Jwt-Assertion",
+        },
+      },
+    );
+
+    assert.equal(result?.ok, true);
+    assert.equal(result?.provider, "cloudflare-access");
+    assert.equal(result?.ok ? result.email : null, "dev@example.com");
+  } finally {
+    globalThis.fetch = originalFetch;
+  }
+});

package/web/.next/standalone/packages/web/src/lib/edgeAuth.ts

@@ -0,0 +1,205 @@
+import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
+import type {
+  DashboardAccessConfig,
+  TrustedHeaderAccessProvider,
+} from "@conductor-oss/core/types";
+
+export type TrustedEdgeAuthProvider = "trusted-header" | "cloudflare-access";
+
+export type TrustedEdgeAuthConfig = {
+  enabled: boolean;
+  provider: TrustedHeaderAccessProvider;
+  emailHeader: string;
+  jwtHeader: string;
+  teamDomain: string | null;
+  audience: string | null;
+  allowInsecureEmailHeader: boolean;
+};
+
+export type TrustedEdgeIdentity =
+  | {
+      ok: true;
+      email: string;
+      provider: TrustedEdgeAuthProvider;
+    }
+  | {
+      ok: false;
+      reason: string;
+      provider: TrustedEdgeAuthProvider;
+    };
+
+const DEFAULT_EMAIL_HEADER = "Cf-Access-Authenticated-User-Email";
+const DEFAULT_JWT_HEADER = "Cf-Access-Jwt-Assertion";
+const CLOUDFLARE_PROVIDER = "cloudflare-access";
+const jwksCache = new Map<string, ReturnType<typeof createRemoteJWKSet>>();
+
+function normalizeValue(value: string | null | undefined): string | null {
+  const trimmed = value?.trim();
+  return trimmed ? trimmed : null;
+}
+
+function normalizeTeamDomain(value: string | null | undefined): string | null {
+  const trimmed = normalizeValue(value);
+  if (!trimmed) return null;
+
+  try {
+    return new URL(trimmed.includes("://") ? trimmed : `https://${trimmed}`).hostname.toLowerCase();
+  } catch {
+    return trimmed
+      .replace(/^https?:\/\//i, "")
+      .replace(/\/+$/g, "")
+      .toLowerCase();
+  }
+}
+
+function getProvider(
+  access: DashboardAccessConfig | null | undefined,
+  teamDomain: string | null,
+  audience: string | null,
+): TrustedHeaderAccessProvider {
+  const provider =
+    normalizeValue(process.env.CONDUCTOR_TRUST_AUTH_PROVIDER)?.toLowerCase()
+    || access?.trustedHeaders?.provider
+    || (teamDomain || audience ? CLOUDFLARE_PROVIDER : null);
+
+  return provider === "generic" ? "generic" : CLOUDFLARE_PROVIDER;
+}
+
+export function resolveTrustedEdgeAuthConfig(
+  access: DashboardAccessConfig | null | undefined,
+): TrustedEdgeAuthConfig {
+  const teamDomain = normalizeTeamDomain(
+    process.env.CONDUCTOR_CLOUDFLARE_ACCESS_TEAM_DOMAIN
+    ?? access?.trustedHeaders?.teamDomain,
+  );
+  const audience = normalizeValue(
+    process.env.CONDUCTOR_CLOUDFLARE_ACCESS_AUDIENCE
+    ?? access?.trustedHeaders?.audience,
+  );
+
+  return {
+    enabled:
+      access?.trustedHeaders?.enabled === true
+      || (process.env.CONDUCTOR_TRUST_AUTH_HEADERS ?? "").trim().toLowerCase() === "true",
+    provider: getProvider(access, teamDomain, audience),
+    emailHeader:
+      normalizeValue(process.env.CONDUCTOR_TRUST_AUTH_EMAIL_HEADER)
+      ?? normalizeValue(access?.trustedHeaders?.emailHeader)
+      ?? DEFAULT_EMAIL_HEADER,
+    jwtHeader:
+      normalizeValue(process.env.CONDUCTOR_TRUST_AUTH_JWT_HEADER)
+      ?? normalizeValue(access?.trustedHeaders?.jwtHeader)
+      ?? DEFAULT_JWT_HEADER,
+    teamDomain,
+    audience,
+    allowInsecureEmailHeader:
+      (process.env.CONDUCTOR_ALLOW_INSECURE_TRUSTED_HEADERS ?? "").trim().toLowerCase() === "true",
+  };
+}
+
+function getCloudflareJwks(teamDomain: string) {
+  const cached = jwksCache.get(teamDomain);
+  if (cached) return cached;
+
+  const next = createRemoteJWKSet(
+    new URL(`https://${teamDomain}/cdn-cgi/access/certs`),
+  );
+  jwksCache.set(teamDomain, next);
+  return next;
+}
+
+function extractEmailFromPayload(payload: JWTPayload): string | null {
+  const emailClaim = payload.email;
+  if (typeof emailClaim === "string" && emailClaim.trim().length > 0) {
+    return emailClaim.trim().toLowerCase();
+  }
+
+  const subClaim = payload.sub;
+  if (typeof subClaim === "string" && subClaim.includes("@")) {
+    return subClaim.trim().toLowerCase();
+  }
+
+  return null;
+}
+
+function formatJwtError(error: unknown): string {
+  if (error instanceof Error && error.message.trim().length > 0) {
+    return error.message;
+  }
+  return "Cloudflare Access token verification failed";
+}
+
+export async function verifyTrustedEdgeIdentity(
+  headers: Headers,
+  access: DashboardAccessConfig | null | undefined,
+): Promise<TrustedEdgeIdentity | null> {
+  const config = resolveTrustedEdgeAuthConfig(access);
+  if (!config.enabled) return null;
+
+  if (config.provider === CLOUDFLARE_PROVIDER) {
+    const assertion = headers.get(config.jwtHeader)?.trim() ?? "";
+    if (!assertion) return null;
+
+    if (!config.teamDomain || !config.audience) {
+      return {
+        ok: false,
+        reason: "Cloudflare Access is enabled but team domain or audience is missing.",
+        provider: "cloudflare-access",
+      };
+    }
+
+    try {
+      const { payload } = await jwtVerify(assertion, getCloudflareJwks(config.teamDomain), {
+        audience: config.audience,
+        issuer: `https://${config.teamDomain}`,
+      });
+      const email = extractEmailFromPayload(payload);
+      if (!email) {
+        return {
+          ok: false,
+          reason: "Cloudflare Access token is missing an email claim.",
+          provider: "cloudflare-access",
+        };
+      }
+
+      const assertedEmail = headers.get(config.emailHeader)?.trim().toLowerCase() ?? "";
+      if (assertedEmail && assertedEmail !== email) {
+        return {
+          ok: false,
+          reason: "Cloudflare Access email header does not match the verified token.",
+          provider: "cloudflare-access",
+        };
+      }
+
+      return {
+        ok: true,
+        email,
+        provider: "cloudflare-access",
+      };
+    } catch (error) {
+      return {
+        ok: false,
+        reason: formatJwtError(error),
+        provider: "cloudflare-access",
+      };
+    }
+  }
+
+  const email = headers.get(config.emailHeader)?.trim().toLowerCase() ?? "";
+  if (!email) return null;
+
+  if (!config.allowInsecureEmailHeader) {
+    return {
+      ok: false,
+      reason:
+        "Generic trusted-header mode is disabled. Use verified Cloudflare Access, or explicitly set CONDUCTOR_ALLOW_INSECURE_TRUSTED_HEADERS=true.",
+      provider: "trusted-header",
+    };
+  }
+
+  return {
+    ok: true,
+    email,
+    provider: "trusted-header",
+  };
+}