couchloop-eq-mcp 1.0.0

package/dist/server/middleware/auth.js

@@ -0,0 +1,157 @@
+import { oauthServer } from '../oauth/authServer.js';
+import { logger } from '../../utils/logger.js';
+/**
+ * Middleware to validate OAuth access token
+ */
+export async function validateToken(req, res, next) {
+    try {
+        const authHeader = req.headers.authorization;
+        if (!authHeader) {
+            res.status(401).json({
+                error: 'unauthorized',
+                message: 'Missing authorization header',
+            });
+            return;
+        }
+        if (!authHeader.startsWith('Bearer ')) {
+            res.status(401).json({
+                error: 'unauthorized',
+                message: 'Invalid authorization format. Use Bearer token',
+            });
+            return;
+        }
+        const token = authHeader.substring(7);
+        // Validate token
+        const tokenPayload = await oauthServer.validateAccessToken(token);
+        if (!tokenPayload) {
+            res.status(401).json({
+                error: 'unauthorized',
+                message: 'Invalid or expired access token',
+            });
+            return;
+        }
+        // Attach user context to request
+        req.user = {
+            userId: tokenPayload.sub,
+            clientId: tokenPayload.client_id,
+            scope: tokenPayload.scope,
+        };
+        logger.debug(`Authenticated user ${tokenPayload.sub} from client ${tokenPayload.client_id}`);
+        next();
+    }
+    catch (error) {
+        logger.error('Token validation error:', error);
+        res.status(500).json({
+            error: 'internal_error',
+            message: 'Failed to validate token',
+        });
+    }
+}
+/**
+ * Middleware to check required scopes
+ */
+export function requireScope(...requiredScopes) {
+    return (req, res, next) => {
+        if (!req.user) {
+            res.status(401).json({
+                error: 'unauthorized',
+                message: 'Authentication required',
+            });
+            return;
+        }
+        const userScopes = req.user.scope.split(' ');
+        const hasRequiredScope = requiredScopes.some(scope => userScopes.includes(scope));
+        if (!hasRequiredScope) {
+            res.status(403).json({
+                error: 'forbidden',
+                message: `Insufficient scope. Required: ${requiredScopes.join(' or ')}`,
+            });
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Optional authentication - sets user if token present but doesn't require it
+ */
+export async function optionalAuth(req, _res, next) {
+    try {
+        const authHeader = req.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            // No token, continue without user context
+            next();
+            return;
+        }
+        const token = authHeader.substring(7);
+        const tokenPayload = await oauthServer.validateAccessToken(token);
+        if (tokenPayload) {
+            req.user = {
+                userId: tokenPayload.sub,
+                clientId: tokenPayload.client_id,
+                scope: tokenPayload.scope,
+            };
+        }
+        next();
+    }
+    catch (error) {
+        // Log error but continue without auth
+        logger.debug('Optional auth error (continuing):', error);
+        next();
+    }
+}
+/**
+ * Rate limiting per user/client
+ */
+const rateLimitMap = new Map();
+export function rateLimit(maxRequests = 100, windowMs = 60000 // 1 minute
+) {
+    return (req, res, next) => {
+        const key = req.user
+            ? `user:${req.user.userId}`
+            : `ip:${req.ip}`;
+        const now = Date.now();
+        const limit = rateLimitMap.get(key);
+        if (!limit || now > limit.resetAt) {
+            // New window
+            rateLimitMap.set(key, {
+                count: 1,
+                resetAt: now + windowMs,
+            });
+            next();
+            return;
+        }
+        if (limit.count >= maxRequests) {
+            res.status(429).json({
+                error: 'rate_limit_exceeded',
+                message: 'Too many requests',
+                retryAfter: Math.ceil((limit.resetAt - now) / 1000),
+            });
+            return;
+        }
+        limit.count++;
+        next();
+    };
+}
+/**
+ * CORS middleware for OAuth endpoints
+ */
+export function oauthCors(req, res, next) {
+    const allowedOrigins = [
+        'https://chat.openai.com',
+        'http://localhost:3000',
+        'http://localhost:3001',
+    ];
+    const origin = req.headers.origin;
+    if (origin && allowedOrigins.includes(origin)) {
+        res.setHeader('Access-Control-Allow-Origin', origin);
+    }
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
+    res.setHeader('Access-Control-Allow-Credentials', 'true');
+    if (req.method === 'OPTIONS') {
+        res.status(204).end();
+        return;
+    }
+    next();
+}
+//# sourceMappingURL=auth.js.map

package/dist/server/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAe/C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAE7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,8BAA8B;aACxC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,gDAAgD;aAC1D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAEtC,iBAAiB;QACjB,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAElE,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,iCAAiC;aAC3C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,iCAAiC;QACjC,GAAG,CAAC,IAAI,GAAG;YACT,MAAM,EAAE,YAAY,CAAC,GAAG;YACxB,QAAQ,EAAE,YAAY,CAAC,SAAS;YAChC,KAAK,EAAE,YAAY,CAAC,KAAK;SAC1B,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,sBAAsB,YAAY,CAAC,GAAG,gBAAgB,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC;QAC7F,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QAC/C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,gBAAgB;YACvB,OAAO,EAAE,0BAA0B;SACpC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,GAAG,cAAwB;IACtD,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACzD,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QAElF,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,iCAAiC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;aACxE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAY,EACZ,IAAc,EACd,IAAkB;IAElB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAE7C,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,0CAA0C;YAC1C,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAElE,IAAI,YAAY,EAAE,CAAC;YACjB,GAAG,CAAC,IAAI,GAAG;gBACT,MAAM,EAAE,YAAY,CAAC,GAAG;gBACxB,QAAQ,EAAE,YAAY,CAAC,SAAS;gBAChC,KAAK,EAAE,YAAY,CAAC,KAAK;aAC1B,CAAC;QACJ,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,sCAAsC;QACtC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QACzD,IAAI,EAAE,CAAC;IACT,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8C,CAAC;AAE3E,MAAM,UAAU,SAAS,CACvB,cAAsB,GAAG,EACzB,WAAmB,KAAK,CAAC,WAAW;;IAEpC,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACzD,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI;YAClB,CAAC,CAAC,QAAQ,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE;YAC3B,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,CAAC;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEpC,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;YAClC,aAAa;YACb,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE;gBACpB,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,GAAG,GAAG,QAAQ;aACxB,CAAC,CAAC;YACH,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,KAAK,IAAI,WAAW,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,qBAAqB;gBAC5B,OAAO,EAAE,mBAAmB;gBAC5B,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aACpD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CACvB,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,MAAM,cAAc,GAAG;QACrB,yBAAyB;QACzB,uBAAuB;QACvB,uBAAuB;KACxB,CAAC;IAEF,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IAClC,IAAI,MAAM,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;IACvD,CAAC;IAED,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,oBAAoB,CAAC,CAAC;IACpE,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,6BAA6B,CAAC,CAAC;IAC7E,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;IAE1D,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/server/oauth/anomalyDetection.d.ts

@@ -0,0 +1,146 @@
+/**
+ * Authentication request context
+ */
+export interface AuthRequest {
+    userId?: string;
+    clientId: string;
+    ip: string;
+    userAgent?: string;
+    fingerprint?: string;
+    timestamp: Date;
+    method: 'login' | 'refresh' | 'logout' | 'register';
+    success: boolean;
+    metadata?: {
+        country?: string;
+        city?: string;
+        asn?: string;
+        isp?: string;
+        deviceType?: string;
+        browser?: string;
+        os?: string;
+    };
+}
+/**
+ * Anomaly score and action
+ */
+export interface AnomalyScore {
+    composite: number;
+    details: {
+        ip: number;
+        geo: number;
+        device: number;
+        time: number;
+        velocity: number;
+        pattern: number;
+    };
+    action: 'allow' | 'challenge' | 'deny';
+    reasons: string[];
+}
+/**
+ * Risk factors configuration
+ */
+export interface RiskFactors {
+    vpnWeight: number;
+    torWeight: number;
+    proxyWeight: number;
+    newDeviceWeight: number;
+    newLocationWeight: number;
+    impossibleTravelWeight: number;
+    bruteForceWeight: number;
+    timeAnomalyWeight: number;
+}
+/**
+ * Anomaly Detection System
+ * Detects suspicious authentication patterns and potential attacks
+ */
+export declare class AnomalyDetector {
+    private userProfiles;
+    private ipReputation;
+    private readonly MAX_FAILED_ATTEMPTS;
+    private readonly IMPOSSIBLE_TRAVEL_SPEED;
+    private readonly TIME_WINDOW;
+    private readonly riskFactors;
+    /**
+     * Analyze authentication request for anomalies
+     */
+    detectAnomalies(request: AuthRequest): Promise<AnomalyScore>;
+    /**
+     * Check IP reputation
+     */
+    private checkIPReputation;
+    /**
+     * Check geolocation anomaly
+     */
+    private checkGeoAnomaly;
+    /**
+     * Check device anomaly
+     */
+    private checkDeviceAnomaly;
+    /**
+     * Check time-based anomaly
+     */
+    private checkTimeAnomaly;
+    /**
+     * Check request velocity
+     */
+    private checkVelocity;
+    /**
+     * Check behavioral patterns
+     */
+    private checkBehavioralPattern;
+    /**
+     * Determine action based on score and context
+     */
+    private determineAction;
+    /**
+     * Query threat intelligence feeds
+     */
+    private queryThreatIntelligence;
+    /**
+     * Check if IP is in private range
+     */
+    private isPrivateIP;
+    /**
+     * Calculate distance between two coordinates (Haversine formula)
+     */
+    private calculateDistance;
+    private toRad;
+    /**
+     * Calculate request entropy (randomness)
+     */
+    private calculateRequestEntropy;
+    /**
+     * Get or create user profile
+     */
+    private getUserProfile;
+    /**
+     * Update user profile with successful authentication
+     */
+    private updateUserProfile;
+    /**
+     * Count recent requests from IP
+     */
+    private countRecentRequests;
+    /**
+     * Log anomaly to database
+     */
+    private logAnomaly;
+    /**
+     * Get risk score for a user
+     */
+    getUserRiskScore(userId: string): Promise<number>;
+    /**
+     * Reset user profile (after password reset, etc.)
+     */
+    resetUserProfile(userId: string): void;
+    /**
+     * Get statistics
+     */
+    getStats(): {
+        totalProfiles: number;
+        totalIPs: number;
+        highRiskUsers: number;
+    };
+}
+export declare const anomalyDetector: AnomalyDetector;
+//# sourceMappingURL=anomalyDetection.d.ts.map

package/dist/server/oauth/anomalyDetection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anomalyDetection.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/anomalyDetection.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,OAAO,GAAG,SAAS,GAAG,QAAQ,GAAG,UAAU,CAAC;IACpD,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,EAAE,CAAC,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,MAAM,EAAE,OAAO,GAAG,WAAW,GAAG,MAAM,CAAC;IACvC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAkBD;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,YAAY,CAA6B;IACjD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAK;IACzC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAO;IAC/C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAW;IAEvC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAS1B;IAEF;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;IA4ElE;;OAEG;YACW,iBAAiB;IAwC/B;;OAEG;YACW,eAAe;IAoC7B;;OAEG;YACW,kBAAkB;IAehC;;OAEG;YACW,gBAAgB;IAoB9B;;OAEG;YACW,aAAa;IAuB3B;;OAEG;YACW,sBAAsB;IA6BpC;;OAEG;IACH,OAAO,CAAC,eAAe;IAwBvB;;OAEG;YACW,uBAAuB;IA2BrC;;OAEG;IACH,OAAO,CAAC,WAAW;IAWnB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAazB,OAAO,CAAC,KAAK;IAIb;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmB/B;;OAEG;IACH,OAAO,CAAC,cAAc;IAoBtB;;OAEG;YACW,iBAAiB;IA2B/B;;OAEG;YACW,mBAAmB;IAMjC;;OAEG;YACW,UAAU;IASxB;;OAEG;IACG,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKvD;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAKtC;;OAEG;IACH,QAAQ,IAAI;QACV,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;KACvB;CAUF;AAGD,eAAO,MAAM,eAAe,iBAAwB,CAAC"}