insforge 1.2.10 → 1.4.8

package/backend/src/infra/security/token.manager.ts

@@ -1,125 +1,216 @@
-import jwt from 'jsonwebtoken';
-import { createRemoteJWKSet, JWTPayload, jwtVerify } from 'jose';
-import { AppError } from '@/api/middlewares/error.js';
-import { ERROR_CODES, NEXT_ACTION } from '@/types/error-constants.js';
-import type { TokenPayloadSchema } from '@insforge/shared-schemas';
-
-const JWT_SECRET = process.env.JWT_SECRET ?? '';
-const JWT_EXPIRES_IN = '7d';
-
-/**
- * Create JWKS instance with caching and timeout configuration
- * The instance will automatically cache keys and handle refetching
- */
-const cloudApiHost = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
-const JWKS = createRemoteJWKSet(new URL(`${cloudApiHost}/.well-known/jwks.json`), {
-  timeoutDuration: 10000, // 10 second timeout for HTTP requests
-  cooldownDuration: 30000, // 30 seconds cooldown after successful fetch
-  cacheMaxAge: 600000, // Maximum 10 minutes between refetches
-});
-
-/**
- * TokenManager - Handles JWT token operations
- * Infrastructure layer for token generation and verification
- */
-export class TokenManager {
-  private static instance: TokenManager;
-
-  private constructor() {
-    if (!process.env.JWT_SECRET) {
-      throw new Error('JWT_SECRET environment variable is required');
-    }
-  }
-
-  public static getInstance(): TokenManager {
-    if (!TokenManager.instance) {
-      TokenManager.instance = new TokenManager();
-    }
-    return TokenManager.instance;
-  }
-
-  /**
-   * Generate JWT token for users and admins
-   */
-  generateToken(payload: TokenPayloadSchema): string {
-    return jwt.sign(payload, JWT_SECRET, {
-      algorithm: 'HS256',
-      expiresIn: JWT_EXPIRES_IN,
-    });
-  }
-
-  /**
-   * Generate anonymous JWT token (never expires)
-   */
-  generateAnonToken(): string {
-    const payload = {
-      sub: '12345678-1234-5678-90ab-cdef12345678',
-      email: 'anon@insforge.com',
-      role: 'anon',
-    };
-    return jwt.sign(payload, JWT_SECRET, {
-      algorithm: 'HS256',
-      // No expiresIn means token never expires
-    });
-  }
-
-  /**
-   * Verify JWT token
-   */
-  verifyToken(token: string): TokenPayloadSchema {
-    try {
-      const decoded = jwt.verify(token, JWT_SECRET) as TokenPayloadSchema;
-      return {
-        sub: decoded.sub,
-        email: decoded.email,
-        role: decoded.role || 'authenticated',
-      };
-    } catch {
-      throw new AppError('Invalid token', 401, ERROR_CODES.AUTH_UNAUTHORIZED);
-    }
-  }
-
-  /**
-   * Verify cloud backend JWT token
-   * Validates JWT tokens from api.insforge.dev using JWKS
-   */
-  async verifyCloudToken(token: string): Promise<{ projectId: string; payload: JWTPayload }> {
-    try {
-      // JWKS handles caching internally, no need to manage it manually
-      const { payload } = await jwtVerify(token, JWKS, {
-        algorithms: ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'],
-      });
-
-      // Verify project_id matches if configured
-      const tokenProjectId = payload['projectId'] as string;
-      const expectedProjectId = process.env.PROJECT_ID;
-
-      if (expectedProjectId && tokenProjectId !== expectedProjectId) {
-        throw new AppError(
-          'Project ID mismatch',
-          403,
-          ERROR_CODES.AUTH_UNAUTHORIZED,
-          NEXT_ACTION.CHECK_TOKEN
-        );
-      }
-
-      return {
-        projectId: tokenProjectId || expectedProjectId || 'local',
-        payload,
-      };
-    } catch (error) {
-      // Re-throw AppError as-is
-      if (error instanceof AppError) {
-        throw error;
-      }
-
-      // Wrap other JWT errors
-      throw new AppError(
-        `Invalid cloud authorization code: ${error instanceof Error ? error.message : 'Unknown error'}`,
-        401,
-        ERROR_CODES.AUTH_INVALID_CREDENTIALS,
-        NEXT_ACTION.CHECK_TOKEN
-      );
-    }
-  }
-}
+import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
+import { createRemoteJWKSet, JWTPayload, jwtVerify } from 'jose';
+import { AppError } from '@/api/middlewares/error.js';
+import { ERROR_CODES, NEXT_ACTION } from '@/types/error-constants.js';
+import type { TokenPayloadSchema } from '@insforge/shared-schemas';
+
+const JWT_SECRET = process.env.JWT_SECRET ?? '';
+// TODO: Change access token expiration time to 15 min
+const JWT_EXPIRES_IN = '7d';
+const REFRESH_TOKEN_EXPIRES_IN = '7d';
+
+/**
+ * Refresh token payload interface
+ */
+export interface RefreshTokenPayload {
+  sub: string;
+  type: 'refresh';
+  iss: string;
+}
+
+/**
+ * Create JWKS instance with caching and timeout configuration
+ * The instance will automatically cache keys and handle refetching
+ */
+const cloudApiHost = process.env.CLOUD_API_HOST || 'https://api.insforge.dev';
+const JWKS = createRemoteJWKSet(new URL(`${cloudApiHost}/.well-known/jwks.json`), {
+  timeoutDuration: 10000, // 10 second timeout for HTTP requests
+  cooldownDuration: 30000, // 30 seconds cooldown after successful fetch
+  cacheMaxAge: 600000, // Maximum 10 minutes between refetches
+});
+
+/**
+ * TokenManager - Handles JWT token operations
+ * Infrastructure layer for token generation and verification
+ */
+export class TokenManager {
+  private static instance: TokenManager;
+
+  private constructor() {
+    if (!process.env.JWT_SECRET) {
+      throw new Error('JWT_SECRET environment variable is required');
+    }
+  }
+
+  public static getInstance(): TokenManager {
+    if (!TokenManager.instance) {
+      TokenManager.instance = new TokenManager();
+    }
+    return TokenManager.instance;
+  }
+
+  /**
+   * Generate JWT access token for users and admins
+   */
+  generateToken(payload: TokenPayloadSchema): string {
+    return jwt.sign(payload, JWT_SECRET, {
+      algorithm: 'HS256',
+      expiresIn: JWT_EXPIRES_IN,
+    });
+  }
+
+  /**
+   * Generate admin JWT token (never expires)
+   * Used for internal API key authenticated requests to PostgREST
+   */
+  generateAdminToken(): string {
+    const payload = {
+      sub: 'project-admin-with-api-key',
+      email: 'project-admin@email.com',
+      role: 'project_admin',
+    };
+    return jwt.sign(payload, JWT_SECRET, {
+      algorithm: 'HS256',
+      // No expiresIn means token never expires
+    });
+  }
+
+  /**
+   * Generate refresh token for secure session management
+   */
+  generateRefreshToken(userId: string): string {
+    const refreshPayload: RefreshTokenPayload = {
+      sub: userId,
+      type: 'refresh',
+      iss: 'insforge',
+    };
+    return jwt.sign(refreshPayload, JWT_SECRET, {
+      algorithm: 'HS256',
+      expiresIn: REFRESH_TOKEN_EXPIRES_IN,
+    });
+  }
+
+  /**
+   * Verify refresh token and return payload
+   * Ensures the token is a valid refresh token (not an access token)
+   */
+  verifyRefreshToken(token: string): RefreshTokenPayload {
+    try {
+      const decoded = jwt.verify(token, JWT_SECRET, {
+        algorithms: ['HS256'],
+        issuer: 'insforge',
+      }) as RefreshTokenPayload;
+
+      // Ensure this is a refresh token, not an access token
+      if (decoded.type !== 'refresh' || !decoded.sub) {
+        throw new AppError('Invalid refresh token type', 401, ERROR_CODES.AUTH_UNAUTHORIZED);
+      }
+
+      return decoded;
+    } catch (error) {
+      if (error instanceof AppError) {
+        throw error;
+      }
+      throw new AppError('Invalid or expired refresh token', 401, ERROR_CODES.AUTH_UNAUTHORIZED);
+    }
+  }
+
+  /**
+   * Generate anonymous JWT token (never expires)
+   */
+  generateAnonToken(): string {
+    const payload = {
+      sub: '12345678-1234-5678-90ab-cdef12345678',
+      email: 'anon@insforge.com',
+      role: 'anon',
+    };
+    return jwt.sign(payload, JWT_SECRET, {
+      algorithm: 'HS256',
+      // No expiresIn means token never expires
+    });
+  }
+
+  /**
+   * Verify JWT token
+   */
+  verifyToken(token: string): TokenPayloadSchema {
+    try {
+      const decoded = jwt.verify(token, JWT_SECRET) as TokenPayloadSchema;
+      return {
+        sub: decoded.sub,
+        email: decoded.email,
+        role: decoded.role || 'authenticated',
+      };
+    } catch {
+      throw new AppError('Invalid token', 401, ERROR_CODES.AUTH_UNAUTHORIZED);
+    }
+  }
+
+  /**
+   * Verify cloud backend JWT token
+   * Validates JWT tokens from api.insforge.dev using JWKS
+   */
+  async verifyCloudToken(token: string): Promise<{ projectId: string; payload: JWTPayload }> {
+    try {
+      // JWKS handles caching internally, no need to manage it manually
+      const { payload } = await jwtVerify(token, JWKS, {
+        algorithms: ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'],
+      });
+
+      // Verify project_id matches if configured
+      const tokenProjectId = payload['projectId'] as string;
+      const expectedProjectId = process.env.PROJECT_ID;
+
+      if (expectedProjectId && tokenProjectId !== expectedProjectId) {
+        throw new AppError(
+          'Project ID mismatch',
+          403,
+          ERROR_CODES.AUTH_UNAUTHORIZED,
+          NEXT_ACTION.CHECK_TOKEN
+        );
+      }
+
+      return {
+        projectId: tokenProjectId || expectedProjectId || 'local',
+        payload,
+      };
+    } catch (error) {
+      // Re-throw AppError as-is
+      if (error instanceof AppError) {
+        throw error;
+      }
+
+      // Wrap other JWT errors
+      throw new AppError(
+        `Invalid cloud authorization code: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        401,
+        ERROR_CODES.AUTH_INVALID_CREDENTIALS,
+        NEXT_ACTION.CHECK_TOKEN
+      );
+    }
+  }
+
+  /**
+   * Generate CSRF token derived from refresh token using HMAC
+   */
+  generateCsrfToken(refreshToken: string): string {
+    return crypto.createHmac('sha256', JWT_SECRET).update(refreshToken).digest('hex');
+  }
+
+  /**
+   * Verify CSRF token by re-computing from refresh token
+   * Uses timing-safe comparison to prevent timing attacks
+   */
+  verifyCsrfToken(csrfHeader: string | undefined, refreshToken: string): boolean {
+    if (!csrfHeader || !refreshToken) {
+      return false;
+    }
+    const expectedCsrf = this.generateCsrfToken(refreshToken);
+    try {
+      return crypto.timingSafeEqual(Buffer.from(csrfHeader), Buffer.from(expectedCsrf));
+    } catch {
+      return false;
+    }
+  }
+}

package/backend/src/infra/socket/socket.manager.ts

@@ -2,17 +2,19 @@ import { Server as HttpServer } from 'http';
 import { Server as SocketIOServer, Socket } from 'socket.io';
 import logger from '@/utils/logger.js';
 import { TokenManager } from '@/infra/security/token.manager.js';
-import {
-  ServerEvents,
-  ClientEvents,
+import { ServerEvents, ClientEvents, SocketMetadata, NotificationPayload } from '@/types/socket.js';
+import type {
+  SubscribeChannelPayload,
+  PublishEventPayload,
   SocketMessage,
-  SocketMetadata,
-  NotificationPayload,
-  SubscribePayload,
-  UnsubscribePayload,
-} from '@/types/socket.js';
+  SocketMessageMeta,
+  SubscribeResponse,
+  UnsubscribeChannelPayload,
+} from '@insforge/shared-schemas';
 import { AppError } from '@/api/middlewares/error.js';
 import { ERROR_CODES, NEXT_ACTION } from '@/types/error-constants.js';
+import { RealtimeAuthService } from '@/services/realtime/realtime-auth.service.js';
+import { RealtimeMessageService } from '@/services/realtime/realtime-message.service.js';
 
 const tokenManager = TokenManager.getInstance();
 
@@ -188,14 +190,22 @@ export class SocketManager {
    * Setup handlers for client events
    */
   private setupClientEventHandlers(socket: Socket): void {
-    // Handle subscription requests
-    socket.on(ClientEvents.SUBSCRIBE, (payload: SubscribePayload) => {
-      this.handleSubscribe(socket, payload);
+    // Handle realtime channel subscribe with ack callback
+    socket.on(
+      ClientEvents.REALTIME_SUBSCRIBE,
+      (payload: SubscribeChannelPayload, ack: (response: SubscribeResponse) => void) => {
+        void this.handleRealtimeSubscribe(socket, payload, ack);
+      }
+    );
+
+    // Handle realtime channel unsubscribe (fire-and-forget, no ack needed)
+    socket.on(ClientEvents.REALTIME_UNSUBSCRIBE, (payload: UnsubscribeChannelPayload) => {
+      this.handleRealtimeUnsubscribe(socket, payload);
     });
 
-    // Handle unsubscription requests
-    socket.on(ClientEvents.UNSUBSCRIBE, (payload: UnsubscribePayload) => {
-      this.handleUnsubscribe(socket, payload);
+    // Handle realtime publish (client-initiated messages)
+    socket.on(ClientEvents.REALTIME_PUBLISH, (payload: PublishEventPayload) => {
+      void this.handleRealtimePublish(socket, payload);
     });
 
     // Update last activity on any event
@@ -208,70 +218,181 @@ export class SocketManager {
   }
 
   /**
-   * Handle channel subscription
+   * Handle realtime channel subscribe request
    */
-  private handleSubscribe(socket: Socket, payload: SubscribePayload): void {
-    const metadata = this.socketMetadata.get(socket.id);
-    if (!metadata) {
-      return;
+  private async handleRealtimeSubscribe(
+    socket: Socket,
+    payload: SubscribeChannelPayload,
+    ack?: (response: SubscribeResponse) => void
+  ): Promise<void> {
+    const authService = RealtimeAuthService.getInstance();
+    const { channel } = payload;
+    const userId = socket.data.user?.id;
+    const userRole = socket.data.user?.role;
+
+    try {
+      // Check subscribe permission via RLS SELECT policy
+      const canSubscribe = await authService.checkSubscribePermission(channel, userId, userRole);
+
+      if (!canSubscribe) {
+        ack?.({
+          ok: false,
+          channel,
+          error: { code: 'UNAUTHORIZED', message: 'Not authorized to subscribe to this channel' },
+        });
+        return;
+      }
+
+      const roomName = `realtime:${channel}`;
+      await socket.join(roomName);
+
+      const metadata = this.socketMetadata.get(socket.id);
+      if (metadata) {
+        metadata.subscriptions.add(roomName);
+      }
+
+      ack?.({ ok: true, channel });
+
+      logger.debug('Socket subscribed to realtime channel', {
+        socketId: socket.id,
+        channel,
+      });
+    } catch (error) {
+      logger.error('Error handling realtime subscribe', { error, channel });
+      ack?.({
+        ok: false,
+        channel,
+        error: { code: 'INTERNAL_ERROR', message: 'Failed to subscribe to channel' },
+      });
     }
+  }
 
-    void socket.join(payload.channel);
-    metadata.subscriptions.add(payload.channel);
+  /**
+   * Handle realtime channel unsubscribe request (fire-and-forget)
+   */
+  private handleRealtimeUnsubscribe(socket: Socket, payload: UnsubscribeChannelPayload): void {
+    const { channel } = payload;
+    const roomName = `realtime:${channel}`;
 
-    logger.debug('Socket subscribed to channel', {
-      socketId: socket.id,
-      channel: payload.channel,
-    });
+    void socket.leave(roomName);
+
+    const metadata = this.socketMetadata.get(socket.id);
+    if (metadata) {
+      metadata.subscriptions.delete(roomName);
+    }
+
+    logger.debug('Socket unsubscribed from realtime channel', { socketId: socket.id, channel });
   }
 
   /**
-   * Handle channel unsubscription
+   * Handle realtime publish request (client-initiated message)
+   * Inserts message to DB - trigger handles pg_notify, broadcast, and stats update.
    */
-  private handleUnsubscribe(socket: Socket, payload: UnsubscribePayload): void {
+  private async handleRealtimePublish(socket: Socket, payload: PublishEventPayload): Promise<void> {
+    const { channel, event, payload: eventPayload } = payload;
+    const userId = socket.data.user?.id;
+    const userRole = socket.data.user?.role;
+
+    // Check if client has subscribed to this channel
+    const roomName = `realtime:${channel}`;
     const metadata = this.socketMetadata.get(socket.id);
-    if (!metadata) {
+    if (!metadata?.subscriptions.has(roomName)) {
+      socket.emit(ServerEvents.REALTIME_ERROR, {
+        channel,
+        code: 'NOT_SUBSCRIBED',
+        message: 'Must subscribe to channel before publishing messages',
+      });
       return;
     }
 
-    void socket.leave(payload.channel);
-    metadata.subscriptions.delete(payload.channel);
+    try {
+      // Insert message directly - trigger will handle pg_notify and broadcasting
+      const messageService = RealtimeMessageService.getInstance();
+      const result = await messageService.insertMessage(
+        channel,
+        event,
+        eventPayload,
+        userId,
+        userRole
+      );
+
+      if (!result) {
+        socket.emit(ServerEvents.REALTIME_ERROR, {
+          channel,
+          code: 'UNAUTHORIZED',
+          message: 'Not authorized to publish to this channel',
+        });
+        return;
+      }
 
-    logger.debug('Socket unsubscribed from channel', {
-      socketId: socket.id,
-      channel: payload.channel,
-    });
+      logger.debug('Client message inserted', {
+        socketId: socket.id,
+        channel,
+        event,
+      });
+    } catch (error) {
+      logger.error('Error handling realtime publish', { error, channel });
+      socket.emit(ServerEvents.REALTIME_ERROR, {
+        channel,
+        code: 'INTERNAL_ERROR',
+        message: 'Failed to publish message',
+      });
+    }
   }
 
   /**
-   * Emit event to specific socket with type safety
+   * Build a SocketMessage with meta and payload
    */
-  emitToSocket<T>(socket: Socket, event: ServerEvents, payload: T): void {
-    const message: SocketMessage<T> = {
-      type: event,
-      payload,
-      timestamp: Date.now(),
-      id: this.generateMessageId(),
-    };
+  private buildSocketMessage<T extends object>(
+    payload: T,
+    meta: Omit<SocketMessageMeta, 'messageId' | 'timestamp'> & { messageId?: string }
+  ): SocketMessage & T {
+    return {
+      ...payload,
+      meta: {
+        ...meta,
+        messageId: meta.messageId || this.generateMessageId(),
+        timestamp: new Date().toISOString(),
+      },
+    } as SocketMessage & T;
+  }
+
+  /**
+   * Emit message to specific socket
+   */
+  emitToSocket<T extends object>(
+    socket: Socket,
+    event: string,
+    payload: T,
+    senderType: 'system' | 'user' = 'system',
+    senderId?: string,
+    messageId?: string
+  ): void {
+    const message = this.buildSocketMessage(payload, {
+      channel: socket.id,
+      senderType,
+      senderId,
+      messageId,
+    });
     socket.emit(event, message);
   }
 
   /**
    * Broadcast to all connected clients
    */
-  broadcastToAll<T>(event: ServerEvents, payload: T): void {
+  broadcastToAll<T extends object>(
+    event: string,
+    payload: T,
+    senderType: 'system' | 'user' = 'system',
+    senderId?: string,
+    messageId?: string
+  ): void {
     if (!this.io) {
       logger.warn('Socket.IO server not initialized');
       return;
     }
 
-    const message: SocketMessage<T> = {
-      type: event,
-      payload,
-      timestamp: Date.now(),
-      id: this.generateMessageId(),
-    };
-
+    const message = this.buildSocketMessage(payload, { senderType, senderId, messageId });
     this.io.emit(event, message);
 
     logger.info('Broadcasted message to all clients', {
@@ -283,25 +404,38 @@ export class SocketManager {
   /**
    * Broadcast to specific room
    */
-  broadcastToRoom<T>(room: string, event: ServerEvents, payload?: T): void {
+  broadcastToRoom<T extends object>(
+    room: string,
+    event: string,
+    payload: T,
+    senderType: 'system' | 'user',
+    senderId?: string,
+    messageId?: string
+  ): void {
     if (!this.io) {
       logger.warn('Socket.IO server not initialized');
       return;
     }
 
-    const message: SocketMessage<T> = {
-      type: event,
-      payload,
-      timestamp: Date.now(),
-      id: this.generateMessageId(),
-    };
-
+    const message = this.buildSocketMessage(payload, {
+      channel: room,
+      senderType,
+      senderId,
+      messageId,
+    });
     this.io.to(room).emit(event, message);
 
-    logger.info('Broadcasted message to room', {
-      event,
-      room,
-    });
+    logger.debug('Broadcasted message to room', { event, room });
+  }
+
+  /**
+   * Get the number of sockets in a room
+   */
+  getRoomSize(room: string): number {
+    if (!this.io) {
+      return 0;
+    }
+    return this.io.sockets.adapter.rooms.get(room)?.size || 0;
   }
 
   /**
@@ -368,11 +502,11 @@ export class SocketManager {
   close(): void {
     if (this.io) {
       // Notify all clients about server shutdown
-      this.broadcastToAll<NotificationPayload>(ServerEvents.NOTIFICATION, {
+      this.broadcastToAll(ServerEvents.NOTIFICATION, {
         level: 'warning',
         title: 'Server Shutdown',
         message: 'Server is shutting down',
-      });
+      } as NotificationPayload);
 
       // Close all connections
       void this.io.close();