npm - crewly - Versions diffs - 1.3.31 → 1.4.0 - Mend

crewly 1.3.31 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (665) hide show

package/dist/backend/backend/src/controllers/cloud/cloud-google-auth.controller.js ADDED Viewed

@@ -0,0 +1,368 @@
+/**
+ * Cloud Google OAuth Controller
+ *
+ * Handles Google OAuth login flow for the CrewlyAI Cloud Console.
+ * Provides both browser-redirect (GET) and API (POST) flows.
+ *
+ * Routes:
+ * - GET  /api/cloud/google/start    -> Redirects to Google consent screen
+ * - GET  /api/cloud/google/callback  -> Handles Google redirect, issues JWT, redirects to frontend
+ * - POST /api/cloud/google/url       -> Returns Google OAuth URL as JSON (for SPA clients)
+ * - POST /api/cloud/google/callback  -> Exchanges code for JWT, returns JSON (for SPA clients)
+ *
+ * @module controllers/cloud/cloud-google-auth.controller
+ */
+import crypto from 'crypto';
+import { GOOGLE_OAUTH_CONSTANTS, AUTH_CONSTANTS, CLOUD_AUTH_CONSTANTS } from '../../constants.js';
+import { UserIdentityService } from '../../services/user/user-identity.service.js';
+import { LoggerService } from '../../services/core/logger.service.js';
+const logger = LoggerService.getInstance().createComponentLogger('CloudGoogleAuth');
+/** Env var for the Cloud Console frontend URL (where to redirect after login). */
+const CLOUD_CONSOLE_FRONTEND_URL = () => process.env['CLOUD_PORTAL_URL'] || 'https://crewlyai.com';
+/** Env var for the Google OAuth redirect URI (must match GCP console). */
+const CLOUD_GOOGLE_REDIRECT_URI = (req) => process.env['CLOUD_GOOGLE_REDIRECT_URI'] ||
+    `${req.protocol}://${req.get('host')}/api/cloud/google/callback`;
+/** Scopes for Cloud Console login -- only need email and profile. */
+const LOGIN_SCOPES = ['openid', 'email', 'profile'];
+/** Default user plan assigned to new users. */
+const DEFAULT_USER_PLAN = AUTH_CONSTANTS.PLANS.FREE;
+/**
+ * Build a Google OAuth consent URL with the given post-login redirect.
+ *
+ * Consolidates URL construction used by both cloudGoogleStart and cloudGoogleUrl.
+ *
+ * @param req - Express request (used to derive redirect_uri)
+ * @param postLoginRedirect - Where to send user after login completes
+ * @returns Full Google OAuth consent URL string
+ * @throws Error if GOOGLE_CLIENT_ID is not configured
+ */
+function buildGoogleOAuthUrl(req, postLoginRedirect) {
+    const clientId = CLOUD_AUTH_CONSTANTS.GOOGLE.CLIENT_ID;
+    if (!clientId)
+        throw new Error('GOOGLE_CLIENT_ID is not configured');
+    const redirectUri = CLOUD_GOOGLE_REDIRECT_URI(req);
+    const statePayload = {
+        redirectTo: postLoginRedirect,
+        t: Date.now(),
+        nonce: crypto.randomUUID(),
+    };
+    const state = Buffer.from(JSON.stringify(statePayload)).toString('base64url');
+    const url = new URL(GOOGLE_OAUTH_CONSTANTS.AUTH_BASE_URL);
+    url.searchParams.set('client_id', clientId);
+    url.searchParams.set('redirect_uri', redirectUri);
+    url.searchParams.set('response_type', 'code');
+    url.searchParams.set('access_type', 'offline');
+    url.searchParams.set('prompt', 'consent');
+    url.searchParams.set('scope', LOGIN_SCOPES.join(' '));
+    url.searchParams.set('state', state);
+    return url.toString();
+}
+/**
+ * Exchange a Google authorization code for tokens, fetch user profile,
+ * and upsert the user in the local identity store.
+ *
+ * Shared by both GET and POST callback handlers.
+ *
+ * @param code - Google authorization code
+ * @param req - Express request (used to derive redirect_uri)
+ * @returns GoogleLoginResult with user, profile, and token data
+ * @throws Error on credential misconfiguration, token exchange failure, or missing profile data
+ */
+async function exchangeCodeAndCreateUser(code, req) {
+    const clientId = CLOUD_AUTH_CONSTANTS.GOOGLE.CLIENT_ID;
+    const clientSecret = process.env['GOOGLE_CLIENT_SECRET'] || '';
+    if (!clientId || !clientSecret) {
+        throw new Error('Google OAuth credentials not configured');
+    }
+    const redirectUri = CLOUD_GOOGLE_REDIRECT_URI(req);
+    // Exchange code for tokens
+    const tokenResp = await fetch(GOOGLE_OAUTH_CONSTANTS.TOKEN_ENDPOINT, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            code,
+            client_id: clientId,
+            client_secret: clientSecret,
+            redirect_uri: redirectUri,
+            grant_type: 'authorization_code',
+        }),
+    });
+    if (!tokenResp.ok) {
+        const details = await tokenResp.text();
+        logger.error('Failed to exchange Google OAuth code', { status: tokenResp.status, details });
+        throw new Error(`token_exchange_failed: ${tokenResp.status}`);
+    }
+    const tokenData = (await tokenResp.json());
+    // Fetch Google profile
+    const profileResp = await fetch(GOOGLE_OAUTH_CONSTANTS.USERINFO_ENDPOINT, {
+        headers: { Authorization: `Bearer ${tokenData.access_token}` },
+    });
+    if (!profileResp.ok) {
+        logger.error('Failed to fetch Google profile', { status: profileResp.status });
+        throw new Error(`profile_fetch_failed: ${profileResp.status}`);
+    }
+    const profile = (await profileResp.json());
+    if (!profile.email) {
+        throw new Error('no_email');
+    }
+    // Create or find user and store tokens
+    const users = UserIdentityService.getInstance();
+    const user = await users.createOrUpdateUser({ email: profile.email });
+    if (tokenData.refresh_token || tokenData.access_token) {
+        await users.connectService(user.id, 'google', {
+            refreshToken: tokenData.refresh_token || tokenData.access_token,
+            accessToken: tokenData.access_token,
+            scopes: LOGIN_SCOPES,
+        });
+    }
+    return {
+        user,
+        profile: { email: profile.email, name: profile.name, picture: profile.picture },
+        tokenData: { access_token: tokenData.access_token, refresh_token: tokenData.refresh_token },
+    };
+}
+/**
+ * Sign a JWT using HMAC-SHA256.
+ *
+ * @param payload - JWT payload object
+ * @returns Signed JWT string (header.payload.signature)
+ */
+export function signJwt(payload) {
+    const header = { alg: 'HS256', typ: 'JWT' };
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signature = crypto
+        .createHmac('sha256', AUTH_CONSTANTS.JWT.DEFAULT_SECRET)
+        .update(`${headerB64}.${payloadB64}`)
+        .digest('base64url');
+    return `${headerB64}.${payloadB64}.${signature}`;
+}
+/**
+ * Verify a JWT signed with HMAC-SHA256.
+ *
+ * @param token - JWT string (header.payload.signature)
+ * @returns Decoded payload if valid, null if invalid or expired
+ */
+export function verifyJwt(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return null;
+        const [headerB64, payloadB64, signature] = parts;
+        const expectedSig = crypto
+            .createHmac('sha256', AUTH_CONSTANTS.JWT.DEFAULT_SECRET)
+            .update(`${headerB64}.${payloadB64}`)
+            .digest('base64url');
+        if (signature !== expectedSig)
+            return null;
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
+        // Check expiry
+        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+            return null;
+        }
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Route handlers
+// ---------------------------------------------------------------------------
+/**
+ * GET /api/cloud/google/start
+ *
+ * Redirects the browser to the Google OAuth consent screen.
+ *
+ * @param req - Express request with optional query: { redirect }
+ * @param res - Express response (302 redirect)
+ * @param next - Next function for error propagation
+ */
+export async function cloudGoogleStart(req, res, next) {
+    try {
+        const postLoginRedirect = req.query['redirect'] ? String(req.query['redirect']) : '';
+        const url = buildGoogleOAuthUrl(req, postLoginRedirect);
+        logger.info('Redirecting to Google OAuth consent screen');
+        res.redirect(url);
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.includes('GOOGLE_CLIENT_ID')) {
+            res.status(500).json({ success: false, error: error.message });
+            return;
+        }
+        logger.error('Failed to initiate Google OAuth', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        next(error);
+    }
+}
+/**
+ * GET /api/cloud/google/callback
+ *
+ * Handles the Google OAuth redirect, exchanges code, issues JWT, and redirects.
+ *
+ * @param req - Express request with query: { code, state? }
+ * @param res - Express response (302 redirect to frontend)
+ * @param next - Next function for error propagation
+ */
+export async function cloudGoogleCallback(req, res, next) {
+    try {
+        const code = req.query['code'] ? String(req.query['code']) : '';
+        const state = req.query['state'] ? String(req.query['state']) : '';
+        const errorParam = req.query['error'] ? String(req.query['error']) : '';
+        const portalUrl = CLOUD_CONSOLE_FRONTEND_URL();
+        if (errorParam) {
+            logger.warn('Google OAuth returned error', { error: errorParam });
+            res.redirect(`${portalUrl}/login?error=${encodeURIComponent(errorParam)}`);
+            return;
+        }
+        if (!code) {
+            logger.warn('Google OAuth callback missing code');
+            res.redirect(`${portalUrl}/login?error=missing_code`);
+            return;
+        }
+        let result;
+        try {
+            result = await exchangeCodeAndCreateUser(code, req);
+        }
+        catch (err) {
+            const errMsg = err instanceof Error ? err.message : String(err);
+            logger.error('Google OAuth exchange failed', { error: errMsg });
+            const errorCode = errMsg.split(':')[0] || 'exchange_failed';
+            res.redirect(`${portalUrl}/login?error=${encodeURIComponent(errorCode)}`);
+            return;
+        }
+        // Issue JWT
+        const now = Math.floor(Date.now() / 1000);
+        const accessToken = signJwt({
+            sub: result.user.id,
+            email: result.profile.email,
+            name: result.profile.name || '',
+            plan: DEFAULT_USER_PLAN,
+            iat: now,
+            exp: now + AUTH_CONSTANTS.JWT.ACCESS_TOKEN_EXPIRY_S,
+            iss: AUTH_CONSTANTS.JWT.ISSUER,
+            type: 'access',
+        });
+        // Parse state for post-login redirect
+        let postLoginRedirect = '';
+        if (state) {
+            try {
+                const parsed = JSON.parse(Buffer.from(state, 'base64url').toString('utf8'));
+                postLoginRedirect = parsed.redirectTo || parsed.redirect || '';
+            }
+            catch {
+                logger.warn('Failed to parse OAuth state parameter');
+            }
+        }
+        const finalRedirect = postLoginRedirect || portalUrl;
+        const separator = finalRedirect.includes('?') ? '&' : '?';
+        logger.info('Cloud Google OAuth login successful', { email: result.profile.email, userId: result.user.id });
+        res.redirect(`${finalRedirect}${separator}token=${accessToken}`);
+    }
+    catch (error) {
+        logger.error('Cloud Google OAuth callback error', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        next(error);
+    }
+}
+/**
+ * POST /api/cloud/google/url
+ *
+ * Returns the Google OAuth consent URL as JSON (for SPA clients).
+ *
+ * @param req - Request with optional body: { redirectTo, redirectUrl }
+ * @param res - Response returning { success, data: { url } }
+ * @param next - Next function for error propagation
+ */
+export async function cloudGoogleUrl(req, res, next) {
+    try {
+        const postLoginRedirect = req.body?.redirectTo || req.body?.redirectUrl || '';
+        const url = buildGoogleOAuthUrl(req, postLoginRedirect);
+        logger.info('Returning Google OAuth URL for SPA client');
+        res.json({ success: true, data: { url } });
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.includes('GOOGLE_CLIENT_ID')) {
+            res.status(500).json({ success: false, error: error.message });
+            return;
+        }
+        logger.error('Failed to generate Google OAuth URL', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        next(error);
+    }
+}
+/**
+ * POST /api/cloud/google/callback
+ *
+ * SPA-friendly code exchange: accepts { code } in body, returns JWT + user as JSON.
+ *
+ * @param req - Request with body: { code }
+ * @param res - Response returning { success, data: { accessToken, refreshToken, expiresIn, user } }
+ * @param next - Next function for error propagation
+ */
+export async function cloudGoogleCallbackPost(req, res, next) {
+    try {
+        const { code } = req.body;
+        if (!code) {
+            res.status(400).json({ success: false, error: 'Missing authorization code' });
+            return;
+        }
+        const result = await exchangeCodeAndCreateUser(code, req);
+        // Issue access token
+        const now = Math.floor(Date.now() / 1000);
+        const accessToken = signJwt({
+            sub: result.user.id,
+            email: result.profile.email,
+            name: result.profile.name || '',
+            plan: DEFAULT_USER_PLAN,
+            iat: now,
+            exp: now + AUTH_CONSTANTS.JWT.ACCESS_TOKEN_EXPIRY_S,
+            iss: AUTH_CONSTANTS.JWT.ISSUER,
+            type: 'access',
+        });
+        // Issue refresh token (longer lived, carries user claims for token refresh)
+        const refreshToken = signJwt({
+            sub: result.user.id,
+            email: result.profile.email,
+            name: result.profile.name || '',
+            plan: DEFAULT_USER_PLAN,
+            iat: now,
+            exp: now + AUTH_CONSTANTS.JWT.REFRESH_TOKEN_EXPIRY_S,
+            iss: AUTH_CONSTANTS.JWT.ISSUER,
+            type: 'refresh',
+        });
+        logger.info('Cloud Google OAuth login successful (POST)', { email: result.profile.email, userId: result.user.id });
+        res.json({
+            success: true,
+            data: {
+                accessToken,
+                refreshToken,
+                expiresIn: AUTH_CONSTANTS.JWT.ACCESS_TOKEN_EXPIRY_S,
+                user: {
+                    id: result.user.id,
+                    email: result.profile.email,
+                    displayName: result.profile.name || '',
+                    plan: DEFAULT_USER_PLAN,
+                    createdAt: result.user.createdAt || '',
+                },
+            },
+        });
+    }
+    catch (error) {
+        const errMsg = error instanceof Error ? error.message : String(error);
+        if (errMsg.includes('credentials not configured')) {
+            res.status(500).json({ success: false, error: 'Google OAuth credentials not configured' });
+            return;
+        }
+        if (errMsg.startsWith('token_exchange_failed') || errMsg.startsWith('profile_fetch_failed') || errMsg === 'no_email') {
+            res.status(400).json({ success: false, error: errMsg.includes(':') ? errMsg.split(':')[0] : errMsg });
+            return;
+        }
+        logger.error('Cloud Google OAuth callback (POST) error', { error: errMsg });
+        next(error);
+    }
+}
+//# sourceMappingURL=cloud-google-auth.controller.js.map

package/dist/backend/backend/src/controllers/cloud/cloud-google-auth.controller.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cloud-google-auth.controller.js","sourceRoot":"","sources":["../../../../../../backend/src/controllers/cloud/cloud-google-auth.controller.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,sBAAsB,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAClG,OAAO,EAAE,mBAAmB,EAAE,MAAM,8CAA8C,CAAC;AACnF,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC,qBAAqB,CAAC,iBAAiB,CAAC,CAAC;AAEpF,kFAAkF;AAClF,MAAM,0BAA0B,GAAG,GAAW,EAAE,CAC9C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,sBAAsB,CAAC;AAE5D,0EAA0E;AAC1E,MAAM,yBAAyB,GAAG,CAAC,GAAY,EAAU,EAAE,CACzD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;IACxC,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,4BAA4B,CAAC;AAEnE,qEAAqE;AACrE,MAAM,YAAY,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAEpD,+CAA+C;AAC/C,MAAM,iBAAiB,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC;AAapD;;;;;;;;;GASG;AACH,SAAS,mBAAmB,CAAC,GAAY,EAAE,iBAAyB;IAClE,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,SAAS,CAAC;IACvD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IAErE,MAAM,WAAW,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,YAAY,GAAG;QACnB,UAAU,EAAE,iBAAiB;QAC7B,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE;QACb,KAAK,EAAE,MAAM,CAAC,UAAU,EAAE;KAC3B,CAAC;IACF,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE9E,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,sBAAsB,CAAC,aAAa,CAAC,CAAC;IAC1D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC1C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,yBAAyB,CAAC,IAAY,EAAE,GAAY;IACjE,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,SAAS,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,EAAE,CAAC;IAE/D,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,WAAW,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC;IAEnD,2BAA2B;IAC3B,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,sBAAsB,CAAC,cAAc,EAAE;QACnE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,IAAI;YACJ,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,oBAAoB;SACjC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5F,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,CAIxC,CAAC;IAEF,uBAAuB;IACvB,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,sBAAsB,CAAC,iBAAiB,EAAE;QACxE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,SAAS,CAAC,YAAY,EAAE,EAAE;KAC/D,CAAC,CAAC;IAEH,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/E,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,MAAM,WAAW,CAAC,IAAI,EAAE,CAIxC,CAAC;IAEF,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;IAED,uCAAuC;IACvC,MAAM,KAAK,GAAG,mBAAmB,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;IAEtE,IAAI,SAAS,CAAC,aAAa,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE;YAC5C,YAAY,EAAE,SAAS,CAAC,aAAa,IAAI,SAAS,CAAC,YAAY;YAC/D,WAAW,EAAE,SAAS,CAAC,YAAY;YACnC,MAAM,EAAE,YAAY;SACrB,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,IAAI;QACJ,OAAO,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE;QAC/E,SAAS,EAAE,EAAE,YAAY,EAAE,SAAS,CAAC,YAAY,EAAE,aAAa,EAAE,SAAS,CAAC,aAAa,EAAE;KAC5F,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,OAAgC;IACtD,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5E,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9E,MAAM,SAAS,GAAG,MAAM;SACrB,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,GAAG,CAAC,cAAc,CAAC;SACvD,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,CAAC,WAAW,CAAC,CAAC;IACvB,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QACjD,MAAM,WAAW,GAAG,MAAM;aACvB,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,GAAG,CAAC,cAAc,CAAC;aACvD,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;aACpC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvB,IAAI,SAAS,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAEnF,eAAe;QACf,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IACpF,IAAI,CAAC;QACH,MAAM,iBAAiB,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACrF,MAAM,GAAG,GAAG,mBAAmB,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC;QAExD,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC1D,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/D,OAAO;QACT,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;YAC9C,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IACvF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAExE,MAAM,SAAS,GAAG,0BAA0B,EAAE,CAAC;QAE/C,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;YAClE,GAAG,CAAC,QAAQ,CAAC,GAAG,SAAS,gBAAgB,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YAClD,GAAG,CAAC,QAAQ,CAAC,GAAG,SAAS,2BAA2B,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,IAAI,MAAyB,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAChE,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,iBAAiB,CAAC;YAC5D,GAAG,CAAC,QAAQ,CAAC,GAAG,SAAS,gBAAgB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,YAAY;QACZ,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,OAAO,CAAC;YAC1B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;YACnB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YAC3B,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE;YAC/B,IAAI,EAAE,iBAAiB;YACvB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,qBAAqB;YACnD,GAAG,EAAE,cAAc,CAAC,GAAG,CAAC,MAAM;YAC9B,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QAEH,sCAAsC;QACtC,IAAI,iBAAiB,GAAG,EAAE,CAAC;QAC3B,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA+C,CAAC;gBAC1H,iBAAiB,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;YACjE,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,iBAAiB,IAAI,SAAS,CAAC;QACrD,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAE1D,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5G,GAAG,CAAC,QAAQ,CAAC,GAAG,aAAa,GAAG,SAAS,SAAS,WAAW,EAAE,CAAC,CAAC;IACnE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;YAChD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAClF,IAAI,CAAC;QACH,MAAM,iBAAiB,GAAG,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,GAAG,CAAC,IAAI,EAAE,WAAW,IAAI,EAAE,CAAC;QAC9E,MAAM,GAAG,GAAG,mBAAmB,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC;QAExD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACzD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/D,OAAO;QACT,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE;YAClD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC3F,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAE1D,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,OAAO,CAAC;YAC1B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;YACnB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YAC3B,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE;YAC/B,IAAI,EAAE,iBAAiB;YACvB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,qBAAqB;YACnD,GAAG,EAAE,cAAc,CAAC,GAAG,CAAC,MAAM;YAC9B,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QAEH,4EAA4E;QAC5E,MAAM,YAAY,GAAG,OAAO,CAAC;YAC3B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;YACnB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YAC3B,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE;YAC/B,IAAI,EAAE,iBAAiB;YACvB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,sBAAsB;YACpD,GAAG,EAAE,cAAc,CAAC,GAAG,CAAC,MAAM;YAC9B,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QACnH,GAAG,CAAC,IAAI,CAAC;YACP,OAAO,EAAE,IAAI;YACb,IAAI,EAAE;gBACJ,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,cAAc,CAAC,GAAG,CAAC,qBAAqB;gBACnD,IAAI,EAAE;oBACJ,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;oBAClB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;oBAC3B,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE;oBACtC,IAAI,EAAE,iBAAiB;oBACvB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE;iBACvC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtE,IAAI,MAAM,CAAC,QAAQ,CAAC,4BAA4B,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3F,OAAO;QACT,CAAC;QACD,IAAI,MAAM,CAAC,UAAU,CAAC,uBAAuB,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,sBAAsB,CAAC,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;YACrH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;YACvG,OAAO;QACT,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/backend/backend/src/controllers/cloud/cloud.controller.d.ts CHANGED Viewed

@@ -38,6 +38,30 @@ export declare function disconnectFromCloud(req: Request, res: Response, next: N
  * @param next - Next function for error propagation
  */
 export declare function getCloudStatus(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * POST /api/cloud/validate
+ *
+ * Validate a JWT access token locally by verifying its HMAC signature
+ * and expiry. Returns user profile from the token payload.
+ *
+ * Falls back to proxying to the Cloud API if CREWLY_CLOUD_API_BASE
+ * is explicitly set (for OSS→Cloud validation).
+ *
+ * @param req - Request with Authorization: Bearer <token> header
+ * @param res - Response returning { success, data: { id, email, displayName, plan } }
+ * @param next - Next function for error propagation
+ */
+export declare function validateCloudToken(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * POST /api/cloud/refresh
+ *
+ * Exchange a valid refresh token for a new access token.
+ *
+ * @param req - Request with body: { refreshToken }
+ * @param res - Response returning { success, data: { accessToken, expiresIn } }
+ * @param next - Next function for error propagation
+ */
+export declare function refreshCloudToken(req: Request, res: Response, next: NextFunction): Promise<void>;
 /**
  * GET /api/cloud/templates
  *

package/dist/backend/backend/src/controllers/cloud/cloud.controller.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"cloud.controller.d.ts","sourceRoot":"","sources":["../../../../../../backend/src/controllers/cloud/cloud.controller.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;~~AAO~~/D;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,~~CAyBnG~~;AAED;;;;;;;;GAQG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,~~CAaxG~~;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAYnG;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBtG"}
1	+ {"version":3,"file":"cloud.controller.d.ts","sourceRoot":"","sources":["../../../../../../backend/src/controllers/cloud/cloud.controller.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AA4D/D;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA4CnG;AAED;;;;;;;;GAQG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0BxG;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAYnG;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0DvG;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAuCtG;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBtG"}

package/dist/backend/backend/src/controllers/cloud/cloud.controller.js CHANGED Viewed

@@ -7,10 +7,57 @@
  *
  * @module controllers/cloud/cloud.controller
  */
+import crypto from 'crypto';
 import { CloudClientService } from '../../services/cloud/cloud-client.service.js';
+import { RelayClientService } from '../../services/cloud/relay-client.service.js';
 import { LoggerService } from '../../services/core/logger.service.js';
-import { CLOUD_CONSTANTS } from '../../constants.js';
+import { CLOUD_CONSTANTS, AUTH_CONSTANTS } from '../../constants.js';
+import { verifyJwt, signJwt } from './cloud-google-auth.controller.js';
 const logger = LoggerService.getInstance().createComponentLogger('CloudController');
+/** Relay server URL — env var overrides the default from constants. */
+const RELAY_WS_URL = () => process.env['CREWLY_RELAY_WS_URL'] || CLOUD_CONSTANTS.RELAY.DEFAULT_WS_URL;
+/**
+ * Auto-connect to the Cloud Relay after a successful cloud login.
+ *
+ * Derives a deterministic pairing code and shared secret from the user's ID
+ * so that all devices belonging to the same user auto-pair via the relay.
+ * Best-effort — failures are logged but do not affect cloud connect.
+ *
+ * @param token - JWT access token from cloud login
+ */
+function autoConnectRelay(token) {
+    try {
+        const relay = RelayClientService.getInstance();
+        if (relay.getState() !== 'disconnected' && relay.getState() !== 'error') {
+            logger.info('Relay already connected or connecting, skipping auto-connect');
+            return;
+        }
+        const payload = verifyJwt(token);
+        if (!payload || !payload.sub) {
+            logger.warn('Cannot auto-connect relay: invalid token payload');
+            return;
+        }
+        const userId = String(payload.sub);
+        // Deterministic pairing code from user ID — both devices of the same user get the same code
+        const pairingCode = crypto.createHash('sha256').update(`crewly-pair-${userId}`).digest('hex').slice(0, 12);
+        // Shared secret incorporates the JWT secret so it can't be derived from user ID alone
+        const jwtSecret = AUTH_CONSTANTS.JWT.DEFAULT_SECRET;
+        const sharedSecret = crypto.createHash('sha256').update(`crewly-e2ee-${userId}-${jwtSecret}`).digest('hex');
+        relay.connect({
+            wsUrl: RELAY_WS_URL(),
+            pairingCode,
+            role: 'orchestrator',
+            token,
+            sharedSecret,
+        });
+        logger.info('Relay auto-connect initiated', { pairingCode: pairingCode.slice(0, 4) + '...' });
+    }
+    catch (err) {
+        logger.warn('Relay auto-connect failed (non-fatal)', {
+            error: err instanceof Error ? err.message : String(err),
+        });
+    }
+}
 /**
  * POST /api/cloud/connect
  *
@@ -29,8 +76,25 @@ export async function connectToCloud(req, res, next) {
         }
         const resolvedUrl = cloudUrl || CLOUD_CONSTANTS.DEFAULT_CLOUD_URL;
         const client = CloudClientService.getInstance();
-        const result = await client.connect(resolvedUrl, token);
-        logger.info('Connected to CrewlyAI Cloud', { tier: result.tier });
+        // Try local JWT verification first — this works when OSS and Cloud share
+        // the same JWT secret (CREWLY_JWT_SECRET), or when the token was issued
+        // by this same instance (e.g. local Google OAuth flow).
+        const localPayload = verifyJwt(token);
+        let result;
+        if (localPayload) {
+            // JWT verified locally — connect without calling cloud API
+            const tier = localPayload.plan || 'free';
+            client.connectLocal(resolvedUrl, token, tier);
+            result = { success: true, tier };
+            logger.info('Connected to CrewlyAI Cloud (local JWT verification)', { tier });
+        }
+        else {
+            // Local verification failed (different JWT secret) — call cloud API
+            result = await client.connect(resolvedUrl, token);
+            logger.info('Connected to CrewlyAI Cloud (remote verification)', { tier: result.tier });
+        }
+        // Auto-initiate relay connection (best-effort, non-blocking)
+        autoConnectRelay(token);
         res.json({ success: true, data: { tier: result.tier } });
     }
     catch (error) {
@@ -57,6 +121,19 @@ export async function disconnectFromCloud(req, res, next) {
     try {
         const client = CloudClientService.getInstance();
         client.disconnect();
+        // Also disconnect relay
+        try {
+            const relay = RelayClientService.getInstance();
+            if (relay.getState() !== 'disconnected') {
+                relay.disconnect();
+                logger.info('Relay disconnected as part of cloud disconnect');
+            }
+        }
+        catch (err) {
+            logger.warn('Relay disconnect failed (non-fatal)', {
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
         logger.info('Disconnected from CrewlyAI Cloud');
         res.json({ success: true });
     }
@@ -89,6 +166,121 @@ export async function getCloudStatus(req, res, next) {
         next(error);
     }
 }
+/**
+ * POST /api/cloud/validate
+ *
+ * Validate a JWT access token locally by verifying its HMAC signature
+ * and expiry. Returns user profile from the token payload.
+ *
+ * Falls back to proxying to the Cloud API if CREWLY_CLOUD_API_BASE
+ * is explicitly set (for OSS→Cloud validation).
+ *
+ * @param req - Request with Authorization: Bearer <token> header
+ * @param res - Response returning { success, data: { id, email, displayName, plan } }
+ * @param next - Next function for error propagation
+ */
+export async function validateCloudToken(req, res, next) {
+    try {
+        const authHeader = req.headers.authorization;
+        if (!authHeader) {
+            res.status(401).json({ success: false, error: 'Missing Authorization header' });
+            return;
+        }
+        const token = authHeader.replace(/^Bearer\s+/i, '');
+        if (!token) {
+            res.status(401).json({ success: false, error: 'Missing token' });
+            return;
+        }
+        // Try local JWT verification first
+        const payload = verifyJwt(token);
+        if (payload) {
+            res.json({
+                success: true,
+                data: {
+                    id: payload.sub,
+                    email: payload.email,
+                    displayName: payload.name || '',
+                    plan: payload.plan || 'free',
+                },
+            });
+            return;
+        }
+        // If local verification fails and a cloud API base is explicitly configured,
+        // proxy to the remote cloud API (used by OSS instances)
+        const cloudApiBase = process.env['CREWLY_CLOUD_API_BASE'];
+        if (cloudApiBase) {
+            const response = await fetch(`${cloudApiBase}/cloud/validate`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Authorization: authHeader,
+                },
+                signal: AbortSignal.timeout(CLOUD_CONSTANTS.TIMEOUTS.CONNECT),
+            });
+            const data = await response.json();
+            res.status(response.status).json(data);
+            return;
+        }
+        // Token invalid and no proxy configured
+        res.status(401).json({ success: false, error: 'Invalid or expired token' });
+    }
+    catch (error) {
+        logger.error('Failed to validate cloud token', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        res.status(502).json({
+            success: false,
+            error: 'Could not validate token. Check your internet connection.',
+        });
+    }
+}
+/**
+ * POST /api/cloud/refresh
+ *
+ * Exchange a valid refresh token for a new access token.
+ *
+ * @param req - Request with body: { refreshToken }
+ * @param res - Response returning { success, data: { accessToken, expiresIn } }
+ * @param next - Next function for error propagation
+ */
+export async function refreshCloudToken(req, res, next) {
+    try {
+        const { refreshToken } = req.body;
+        if (!refreshToken) {
+            res.status(400).json({ success: false, error: 'Missing refreshToken' });
+            return;
+        }
+        const payload = verifyJwt(refreshToken);
+        if (!payload || payload.type !== 'refresh') {
+            res.status(401).json({ success: false, error: 'Invalid or expired refresh token' });
+            return;
+        }
+        const now = Math.floor(Date.now() / 1000);
+        const accessToken = signJwt({
+            sub: payload.sub,
+            email: payload.email || '',
+            name: payload.name || '',
+            plan: payload.plan || 'free',
+            iat: now,
+            exp: now + AUTH_CONSTANTS.JWT.ACCESS_TOKEN_EXPIRY_S,
+            iss: AUTH_CONSTANTS.JWT.ISSUER,
+            type: 'access',
+        });
+        res.json({
+            success: true,
+            data: {
+                accessToken,
+                expiresIn: AUTH_CONSTANTS.JWT.ACCESS_TOKEN_EXPIRY_S,
+            },
+        });
+    }
+    catch (error) {
+        logger.error('Failed to refresh token', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        next(error);
+    }
+}
 /**
  * GET /api/cloud/templates
  *