lsh-framework 3.2.4 → 3.5.0

package/dist/daemon/saas-api-routes.js

@@ -1,599 +0,0 @@
-/**
- * LSH SaaS API Routes
- * RESTful API endpoints for the SaaS platform
- */
-import rateLimit from 'express-rate-limit';
-import { authService, verifyToken } from '../lib/saas-auth.js';
-import { organizationService, teamService } from '../lib/saas-organizations.js';
-import { billingService } from '../lib/saas-billing.js';
-import { auditLogger, getIpFromRequest } from '../lib/saas-audit.js';
-import { emailService } from '../lib/saas-email.js';
-import { secretsService } from '../lib/saas-secrets.js';
-import { getAuthenticatedUser } from '../lib/saas-types.js'; // eslint-disable-line no-duplicate-imports
-import { sendSuccess, sendError, ApiErrors, extractApiErrorMessage } from '../lib/api-response.js';
-import { ERROR_CODES } from '../constants/errors.js';
-/**
- * Rate Limiters for different endpoint types
- */
-// Strict rate limiter for authentication endpoints (5 requests per 15 minutes)
-const authLimiter = rateLimit({
-    windowMs: 15 * 60 * 1000, // 15 minutes
-    max: 5,
-    message: {
-        success: false,
-        error: {
-            code: 'RATE_LIMIT_EXCEEDED',
-            message: 'Too many authentication attempts, please try again later',
-        },
-    },
-    standardHeaders: true,
-    legacyHeaders: false,
-});
-// Moderate rate limiter for write operations (30 requests per 15 minutes)
-const writeLimiter = rateLimit({
-    windowMs: 15 * 60 * 1000,
-    max: 30,
-    message: {
-        success: false,
-        error: {
-            code: 'RATE_LIMIT_EXCEEDED',
-            message: 'Too many write requests, please try again later',
-        },
-    },
-    standardHeaders: true,
-    legacyHeaders: false,
-});
-/**
- * Middleware: Authenticate user from JWT token
- * Security is enforced by cryptographic JWT verification and database lookup,
- * not by input validation alone.
- */
-export async function authenticateUser(req, res, next) {
-    try {
-        const authHeader = req.headers.authorization;
-        // Early rejection for malformed requests (not a security boundary)
-        // Real security comes from JWT cryptographic verification below
-        if (typeof authHeader !== 'string' || !authHeader.startsWith('Bearer ')) {
-            return ApiErrors.unauthorized(res, 'No authorization token provided');
-        }
-        const token = authHeader.substring(7).trim();
-        // SECURITY BOUNDARY: Cryptographic JWT verification
-        // This uses server-side secret to verify token authenticity
-        // User cannot bypass this by manipulating input
-        const { userId } = verifyToken(token);
-        const user = await authService.getUserById(userId);
-        if (!user) {
-            return ApiErrors.unauthorized(res, 'Invalid token');
-        }
-        // Attach user to request (safe - req is not reassigned, only augmented)
-        // eslint-disable-next-line require-atomic-updates
-        req.user = user;
-        next();
-    }
-    catch (error) {
-        return ApiErrors.unauthorized(res, extractApiErrorMessage(error) || 'Authentication failed');
-    }
-}
-/**
- * Middleware: Check organization membership
- */
-export async function requireOrganizationMembership(req, res, next) {
-    try {
-        // Only use organizationId from URL params to prevent bypass attacks
-        const organizationId = req.params.organizationId;
-        if (!organizationId) {
-            return ApiErrors.invalidInput(res, 'Organization ID required');
-        }
-        if (!req.user) {
-            return ApiErrors.unauthorized(res, 'User not authenticated');
-        }
-        const role = await organizationService.getUserRole(organizationId, getAuthenticatedUser(req).id);
-        if (!role) {
-            return ApiErrors.forbidden(res, 'Not a member of this organization');
-        }
-        // Safe - req is not reassigned, only augmented with organization context
-        // eslint-disable-next-line require-atomic-updates
-        req.organizationId = organizationId;
-        next();
-    }
-    catch (error) {
-        return ApiErrors.internalError(res, extractApiErrorMessage(error));
-    }
-}
-/**
- * Setup SaaS API routes
- */
-export function setupSaaSApiRoutes(app) {
-    // ============================================================================
-    // AUTH ROUTES
-    // ============================================================================
-    /**
-     * POST /api/v1/auth/signup
-     * Sign up a new user
-     */
-    app.post('/api/v1/auth/signup', authLimiter, async (req, res) => {
-        try {
-            const { email, password, firstName, lastName } = req.body;
-            // Input sanitization (not a security boundary)
-            // Real validation happens in authService.signup()
-            if (typeof email !== 'string' || typeof password !== 'string' ||
-                email.trim().length === 0 || password.length < 8) {
-                return ApiErrors.invalidInput(res, 'Valid email and password (min 8 chars) required');
-            }
-            // Basic email format validation (fail-fast for obviously bad input)
-            // Real security: authService validates and prevents duplicate emails in database
-            if (email.length > 254 || // RFC 5321 max email length
-                !email.includes('@') ||
-                email.indexOf('@') !== email.lastIndexOf('@') || // Exactly one @
-                email.startsWith('@') ||
-                email.endsWith('@') ||
-                email.split('@')[1]?.includes('.') === false) { // Domain has a dot
-                return ApiErrors.invalidInput(res, 'Invalid email format');
-            }
-            // SECURITY BOUNDARY: authService handles:
-            // - Password hashing with bcrypt
-            // - Database uniqueness constraints
-            // - Email verification token generation
-            const { user, verificationToken } = await authService.signup({
-                email,
-                password,
-                firstName,
-                lastName,
-            });
-            // Send verification email
-            await emailService.sendVerificationEmail(user.email, verificationToken, user.firstName || undefined);
-            return sendSuccess(res, {
-                user: {
-                    id: user.id,
-                    email: user.email,
-                    firstName: user.firstName,
-                    lastName: user.lastName,
-                    emailVerified: user.emailVerified,
-                },
-                message: 'Verification email sent',
-            });
-        }
-        catch (error) {
-            const msg = extractApiErrorMessage(error);
-            const code = msg.includes('ALREADY_EXISTS') ? ERROR_CODES.EMAIL_ALREADY_EXISTS : ERROR_CODES.INTERNAL_ERROR;
-            return sendError(res, code, msg, 400);
-        }
-    });
-    /**
-     * POST /api/v1/auth/login
-     * Login with email and password
-     */
-    app.post('/api/v1/auth/login', authLimiter, async (req, res) => {
-        try {
-            const { email, password } = req.body;
-            // Input sanitization (not a security boundary)
-            // Real authentication happens in authService.login() via bcrypt password comparison
-            if (typeof email !== 'string' || typeof password !== 'string' ||
-                email.trim().length === 0 || password.length === 0) {
-                return ApiErrors.invalidInput(res, 'Email and password required');
-            }
-            // SECURITY BOUNDARY: authService.login() performs:
-            // - Database lookup for user by email
-            // - bcrypt password verification (cryptographic)
-            // - Session token generation with server-side secret
-            const ipAddress = getIpFromRequest(req);
-            const session = await authService.login({ email, password }, ipAddress);
-            return sendSuccess(res, session);
-        }
-        catch (error) {
-            const msg = extractApiErrorMessage(error);
-            const statusCode = msg.includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
-            const code = msg || ERROR_CODES.INVALID_CREDENTIALS;
-            return sendError(res, code, msg, statusCode);
-        }
-    });
-    /**
-     * POST /api/v1/auth/verify-email
-     * Verify email address
-     */
-    app.post('/api/v1/auth/verify-email', authLimiter, async (req, res) => {
-        try {
-            const { token } = req.body;
-            // Input sanitization (not a security boundary)
-            // Real verification happens in authService.verifyEmail() via database lookup
-            if (typeof token !== 'string' || token.trim().length === 0) {
-                return ApiErrors.invalidInput(res, 'Valid token required');
-            }
-            // SECURITY BOUNDARY: authService.verifyEmail() performs:
-            // - Database lookup for verification token
-            // - Token expiry validation
-            // - User status update in database
-            const user = await authService.verifyEmail(token);
-            // Send welcome email
-            await emailService.sendWelcomeEmail(user.email, user.firstName || undefined);
-            return sendSuccess(res, { user, message: 'Email verified successfully' });
-        }
-        catch (error) {
-            return ApiErrors.invalidToken(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * POST /api/v1/auth/resend-verification
-     * Resend verification email
-     */
-    app.post('/api/v1/auth/resend-verification', authLimiter, async (req, res) => {
-        try {
-            const { email } = req.body;
-            const token = await authService.resendVerificationEmail(email);
-            const user = await authService.getUserByEmail(email);
-            if (user) {
-                await emailService.sendVerificationEmail(email, token, user.firstName || undefined);
-            }
-            return sendSuccess(res, { message: 'Verification email sent' });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * POST /api/v1/auth/refresh
-     * Refresh access token
-     */
-    app.post('/api/v1/auth/refresh', authLimiter, async (req, res) => {
-        try {
-            const { refreshToken } = req.body;
-            if (!refreshToken) {
-                return ApiErrors.invalidInput(res, 'Refresh token required');
-            }
-            const tokens = await authService.refreshAccessToken(refreshToken);
-            return sendSuccess(res, tokens);
-        }
-        catch (error) {
-            return ApiErrors.invalidToken(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * GET /api/v1/auth/me
-     * Get current user
-     */
-    app.get('/api/v1/auth/me', authenticateUser, async (req, res) => {
-        return sendSuccess(res, { user: req.user });
-    });
-    // ============================================================================
-    // ORGANIZATION ROUTES
-    // ============================================================================
-    /**
-     * POST /api/v1/organizations
-     * Create a new organization
-     */
-    app.post('/api/v1/organizations', writeLimiter, authenticateUser, async (req, res) => {
-        try {
-            const { name, slug } = req.body;
-            if (!name) {
-                return ApiErrors.invalidInput(res, 'Organization name required');
-            }
-            const organization = await organizationService.createOrganization({
-                name,
-                slug,
-                ownerId: getAuthenticatedUser(req).id,
-            });
-            return sendSuccess(res, { organization });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * GET /api/v1/organizations/:organizationId
-     * Get organization details
-     */
-    app.get('/api/v1/organizations/:organizationId', authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            const organization = await organizationService.getOrganizationById(req.params.organizationId);
-            if (!organization) {
-                return ApiErrors.notFound(res, 'Organization');
-            }
-            // Get usage summary
-            const usage = await organizationService.getUsageSummary(req.params.organizationId);
-            return sendSuccess(res, { organization, usage });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * GET /api/v1/organizations/:organizationId/members
-     * Get organization members
-     */
-    app.get('/api/v1/organizations/:organizationId/members', authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            const members = await organizationService.getOrganizationMembers(req.params.organizationId);
-            return sendSuccess(res, { members });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * POST /api/v1/organizations/:organizationId/members
-     * Add member to organization
-     */
-    app.post('/api/v1/organizations/:organizationId/members', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            // Check permission
-            const canInvite = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canInviteMembers');
-            if (!canInvite) {
-                return ApiErrors.forbidden(res, 'No permission to invite members');
-            }
-            const { userId, role } = req.body;
-            const member = await organizationService.addMember({
-                organizationId: req.params.organizationId,
-                userId,
-                role: role || 'member',
-                invitedBy: getAuthenticatedUser(req).id,
-            });
-            return sendSuccess(res, { member });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    // ============================================================================
-    // TEAM ROUTES
-    // ============================================================================
-    /**
-     * POST /api/v1/organizations/:organizationId/teams
-     * Create a team
-     */
-    app.post('/api/v1/organizations/:organizationId/teams', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            const { name, slug, description } = req.body;
-            if (!name) {
-                return ApiErrors.invalidInput(res, 'Team name required');
-            }
-            const team = await teamService.createTeam({
-                organizationId: req.params.organizationId,
-                name,
-                slug,
-                description,
-            }, getAuthenticatedUser(req).id);
-            return sendSuccess(res, { team });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * GET /api/v1/organizations/:organizationId/teams
-     * Get organization teams
-     */
-    app.get('/api/v1/organizations/:organizationId/teams', authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            const teams = await teamService.getOrganizationTeams(req.params.organizationId);
-            return sendSuccess(res, { teams });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    // ============================================================================
-    // SECRETS ROUTES
-    // ============================================================================
-    /**
-     * POST /api/v1/teams/:teamId/secrets
-     * Create a new secret
-     */
-    app.post('/api/v1/teams/:teamId/secrets', writeLimiter, authenticateUser, async (req, res) => {
-        try {
-            const { environment, key, value, description, tags, rotationIntervalDays } = req.body;
-            if (!environment || !key || !value) {
-                return ApiErrors.invalidInput(res, 'Environment, key, and value required');
-            }
-            const secret = await secretsService.createSecret({
-                teamId: req.params.teamId,
-                environment,
-                key,
-                value,
-                description,
-                tags,
-                rotationIntervalDays,
-                createdBy: getAuthenticatedUser(req).id,
-            });
-            return sendSuccess(res, { secret: { ...secret, encryptedValue: '***REDACTED***' } });
-        }
-        catch (error) {
-            const msg = extractApiErrorMessage(error);
-            if (msg.includes('TIER_LIMIT_EXCEEDED')) {
-                return ApiErrors.tierLimitExceeded(res, msg);
-            }
-            return ApiErrors.internalError(res, msg);
-        }
-    });
-    /**
-     * GET /api/v1/teams/:teamId/secrets
-     * Get team secrets
-     */
-    app.get('/api/v1/teams/:teamId/secrets', authenticateUser, async (req, res) => {
-        try {
-            const { environment, decrypt } = req.query;
-            const secrets = await secretsService.getTeamSecrets(req.params.teamId, environment, decrypt === 'true');
-            // Mask encrypted values unless decryption was requested
-            const maskedSecrets = secrets.map((secret) => ({
-                ...secret,
-                encryptedValue: decrypt === 'true' ? secret.encryptedValue : '***REDACTED***',
-            }));
-            return sendSuccess(res, { secrets: maskedSecrets });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * POST /api/v1/teams/:teamId/secrets/:secretId/retrieve
-     * Get secret by ID (POST method to prevent sensitive flags in GET logs)
-     * Request body: { decrypt: boolean }
-     */
-    app.post('/api/v1/teams/:teamId/secrets/:secretId/retrieve', authenticateUser, async (req, res) => {
-        try {
-            // Use POST body for decrypt flag to prevent exposure in logs/URLs
-            const decrypt = req.body?.decrypt === true;
-            const secret = await secretsService.getSecretById(req.params.secretId, decrypt);
-            if (!secret) {
-                return ApiErrors.notFound(res, 'Secret');
-            }
-            return sendSuccess(res, {
-                secret: {
-                    ...secret,
-                    encryptedValue: decrypt ? secret.encryptedValue : '***REDACTED***',
-                },
-            });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * PUT /api/v1/teams/:teamId/secrets/:secretId
-     * Update secret
-     */
-    app.put('/api/v1/teams/:teamId/secrets/:secretId', writeLimiter, authenticateUser, async (req, res) => {
-        try {
-            const { value, description, tags, rotationIntervalDays } = req.body;
-            const secret = await secretsService.updateSecret(req.params.secretId, {
-                value,
-                description,
-                tags,
-                rotationIntervalDays,
-                updatedBy: getAuthenticatedUser(req).id,
-            });
-            return sendSuccess(res, { secret: { ...secret, encryptedValue: '***REDACTED***' } });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * DELETE /api/v1/teams/:teamId/secrets/:secretId
-     * Delete secret
-     */
-    app.delete('/api/v1/teams/:teamId/secrets/:secretId', writeLimiter, authenticateUser, async (req, res) => {
-        try {
-            await secretsService.deleteSecret(req.params.secretId, getAuthenticatedUser(req).id);
-            return sendSuccess(res, { message: 'Secret deleted successfully' });
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * GET /api/v1/teams/:teamId/secrets/export/env
-     * Export secrets to .env format
-     */
-    app.get('/api/v1/teams/:teamId/secrets/export/env', authenticateUser, async (req, res) => {
-        try {
-            const { environment } = req.query;
-            if (!environment) {
-                return ApiErrors.invalidInput(res, 'Environment parameter required');
-            }
-            const envContent = await secretsService.exportToEnv(req.params.teamId, environment);
-            res.setHeader('Content-Type', 'text/plain');
-            res.setHeader('Content-Disposition', `attachment; filename="${environment}.env"`);
-            res.send(envContent);
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * POST /api/v1/teams/:teamId/secrets/import/env
-     * Import secrets from .env format
-     */
-    app.post('/api/v1/teams/:teamId/secrets/import/env', writeLimiter, authenticateUser, async (req, res) => {
-        try {
-            const { environment, content } = req.body;
-            if (!environment || !content) {
-                return ApiErrors.invalidInput(res, 'Environment and content required');
-            }
-            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, getAuthenticatedUser(req).id);
-            return sendSuccess(res, result);
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    // ============================================================================
-    // AUDIT LOG ROUTES
-    // ============================================================================
-    /**
-     * GET /api/v1/organizations/:organizationId/audit-logs
-     * Get organization audit logs
-     */
-    app.get('/api/v1/organizations/:organizationId/audit-logs', authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            // Check permission
-            const canView = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canViewAuditLogs');
-            if (!canView) {
-                return ApiErrors.forbidden(res, 'No permission to view audit logs');
-            }
-            const { limit = 50, offset = 0, action, userId, teamId, startDate, endDate } = req.query;
-            const result = await auditLogger.getOrganizationLogs(req.params.organizationId, {
-                limit: parseInt(limit),
-                offset: parseInt(offset),
-                action: action,
-                userId: userId,
-                teamId: teamId,
-                startDate: startDate ? new Date(startDate) : undefined,
-                endDate: endDate ? new Date(endDate) : undefined,
-            });
-            return sendSuccess(res, result);
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    // ============================================================================
-    // BILLING ROUTES
-    // ============================================================================
-    /**
-     * POST /api/v1/organizations/:organizationId/billing/checkout
-     * Create Stripe checkout session
-     */
-    app.post('/api/v1/organizations/:organizationId/billing/checkout', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
-        try {
-            // Check permission
-            const canManage = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canManageBilling');
-            if (!canManage) {
-                return ApiErrors.forbidden(res, 'No permission to manage billing');
-            }
-            const { tier, billingPeriod, successUrl, cancelUrl } = req.body;
-            const org = await organizationService.getOrganizationById(req.params.organizationId);
-            if (!org) {
-                return ApiErrors.notFound(res, 'Organization');
-            }
-            const checkout = await billingService.createCheckoutSession({
-                organizationId: req.params.organizationId,
-                tier,
-                billingPeriod: billingPeriod || 'monthly',
-                successUrl,
-                cancelUrl,
-                customerId: org.stripeCustomerId || undefined,
-            });
-            return sendSuccess(res, checkout);
-        }
-        catch (error) {
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    /**
-     * POST /api/v1/billing/webhooks
-     * Handle Stripe webhooks
-     */
-    app.post('/api/v1/billing/webhooks', async (req, res) => {
-        try {
-            const signature = req.headers['stripe-signature'];
-            const payload = JSON.stringify(req.body);
-            await billingService.handleWebhook(payload, signature);
-            return sendSuccess(res, { received: true });
-        }
-        catch (error) {
-            console.error('Webhook error:', error);
-            return ApiErrors.internalError(res, extractApiErrorMessage(error));
-        }
-    });
-    console.log('✅ SaaS API routes registered');
-}