palaryn 0.1.0 → 0.3.2

package/src/auth/routes.ts

@@ -0,0 +1,561 @@
+import { Router, Request, Response } from 'express';
+import { randomUUID } from 'crypto';
+import { OAuthConfig, OAuthProvider, OAuthProfile } from '../types/user';
+import {
+  UserStore,
+  OAuthAccountStore,
+  SessionStore,
+  WorkspaceStore,
+  WorkspaceMemberStore,
+  UserApiKeyStore,
+} from '../storage/interfaces';
+import { generateCodeVerifier } from './pkce';
+import { generateNonce } from './pkce';
+import {
+  buildGoogleAuthUrl, exchangeGoogleCode, getGoogleUserInfo,
+  buildGitHubAuthUrl, exchangeGitHubCode, getGitHubUserInfo,
+} from './providers';
+import {
+  generateSessionId, encryptState, decryptState, encryptToken,
+  SESSION_COOKIE_NAME, STATE_COOKIE_NAME,
+} from './session';
+import { hashPassword, verifyPassword } from './password';
+
+export interface AuthRouteDeps {
+  config: OAuthConfig;
+  userStore: UserStore;
+  oauthAccountStore: OAuthAccountStore;
+  sessionStore: SessionStore;
+  workspaceStore: WorkspaceStore;
+  workspaceMemberStore: WorkspaceMemberStore;
+  userApiKeyStore?: UserApiKeyStore;
+}
+
+export function createAuthRouter(deps: AuthRouteDeps): Router {
+  const router = Router();
+  const { config, userStore, oauthAccountStore, sessionStore, workspaceStore, workspaceMemberStore, userApiKeyStore } = deps;
+  const isProduction = process.env.NODE_ENV === 'production';
+
+  // ---------------------------------------------------------------------------
+  // GET /auth/:provider/authorize — redirect to OAuth provider
+  // ---------------------------------------------------------------------------
+  router.get('/:provider/authorize', (req: Request, res: Response) => {
+    const provider = req.params.provider as OAuthProvider;
+    const baseUrl = `${req.protocol}://${req.get('host')}`;
+
+    if (provider === 'google' && config.google) {
+      const redirectUri = config.google.redirect_uri || `${baseUrl}/auth/google/callback`;
+      const nonce = generateNonce();
+      const codeVerifier = generateCodeVerifier();
+
+      const state = encryptState({
+        provider: 'google',
+        code_verifier: codeVerifier,
+        nonce,
+        redirect_uri: redirectUri,
+        created_at: Date.now(),
+      }, config.session_secret);
+
+      const { url } = buildGoogleAuthUrl(config.google, redirectUri, state, codeVerifier);
+
+      res.cookie(STATE_COOKIE_NAME, state, {
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'lax',
+        maxAge: 600_000, // 10 min
+        path: '/',
+      });
+
+      res.redirect(url);
+    } else if (provider === 'github' && config.github) {
+      const redirectUri = config.github.redirect_uri || `${baseUrl}/auth/github/callback`;
+      const nonce = generateNonce();
+
+      const state = encryptState({
+        provider: 'github',
+        nonce,
+        redirect_uri: redirectUri,
+        created_at: Date.now(),
+      }, config.session_secret);
+
+      const url = buildGitHubAuthUrl(config.github, redirectUri, state);
+
+      res.cookie(STATE_COOKIE_NAME, state, {
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'lax',
+        maxAge: 600_000,
+        path: '/',
+      });
+
+      res.redirect(url);
+    } else {
+      res.status(400).json({ error: `Unsupported or unconfigured provider: ${provider}` });
+    }
+  });
+
+  // ---------------------------------------------------------------------------
+  // GET /auth/:provider/callback — handle OAuth callback
+  // ---------------------------------------------------------------------------
+  router.get('/:provider/callback', async (req: Request, res: Response) => {
+    const provider = req.params.provider as OAuthProvider;
+    const { code, state: stateParam, error } = req.query as Record<string, string>;
+
+    if (error) {
+      return res.redirect(`/login?error=${encodeURIComponent(error)}`);
+    }
+
+    if (!code || !stateParam) {
+      return res.redirect('/login?error=missing_params');
+    }
+
+    // Validate state cookie
+    const stateCookie = req.cookies?.[STATE_COOKIE_NAME];
+    if (!stateCookie || stateCookie !== stateParam) {
+      return res.redirect('/login?error=invalid_state');
+    }
+
+    // Clear state cookie
+    res.clearCookie(STATE_COOKIE_NAME, { path: '/' });
+
+    let flowState;
+    try {
+      flowState = decryptState(stateCookie, config.session_secret);
+    } catch {
+      return res.redirect('/login?error=invalid_state');
+    }
+
+    // Check state expiry (10 min max)
+    if (Date.now() - flowState.created_at > 600_000) {
+      return res.redirect('/login?error=state_expired');
+    }
+
+    try {
+      let profile: OAuthProfile;
+      let accessToken: string;
+      let refreshToken: string | undefined;
+
+      if (provider === 'google' && config.google) {
+        const tokens = await exchangeGoogleCode(
+          config.google,
+          flowState.redirect_uri,
+          code,
+          flowState.code_verifier || '',
+        );
+        accessToken = tokens.access_token;
+        refreshToken = tokens.refresh_token;
+        profile = await getGoogleUserInfo(tokens.access_token);
+      } else if (provider === 'github' && config.github) {
+        const tokens = await exchangeGitHubCode(config.github, code);
+        accessToken = tokens.access_token;
+        profile = await getGitHubUserInfo(tokens.access_token);
+      } else {
+        return res.redirect('/login?error=unsupported_provider');
+      }
+
+      // Find or create user + link OAuth account
+      const { user, isNewUser, needsLinking } = findOrCreateUser(profile, accessToken, refreshToken);
+
+      // If an existing account with the same email was found but OAuth is not
+      // linked, redirect to login with a message instead of auto-linking.
+      if (needsLinking) {
+        return res.redirect('/login?error=account_exists&message=' +
+          encodeURIComponent('An account with this email already exists. Please sign in with your password first, then link your OAuth provider from settings.'));
+      }
+
+      // Create session
+      const sessionId = generateSessionId();
+      const now = new Date().toISOString();
+
+      // Find user's first workspace
+      const memberships = workspaceMemberStore.getByUser(user.id);
+      const workspaceId = memberships.length > 0 ? memberships[0].workspace_id : undefined;
+
+      sessionStore.create({
+        id: sessionId,
+        user_id: user.id,
+        workspace_id: workspaceId,
+        ip_address: req.ip || req.socket.remoteAddress,
+        user_agent: req.get('user-agent'),
+        expires_at: new Date(Date.now() + config.session_ttl_seconds * 1000).toISOString(),
+        last_active_at: now,
+        created_at: now,
+      });
+
+      // Set session cookie
+      res.cookie(SESSION_COOKIE_NAME, sessionId, {
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'lax',
+        maxAge: config.session_ttl_seconds * 1000,
+        path: '/',
+      });
+
+      // Redirect based on user state
+      if (isNewUser || !user.onboarding_completed) {
+        return res.redirect('/onboarding');
+      }
+      return res.redirect('/dashboard');
+    } catch (err) {
+      console.error(`[auth] OAuth callback error (${provider}):`, err);
+      return res.redirect('/login?error=auth_failed');
+    }
+  });
+
+  // ---------------------------------------------------------------------------
+  // POST /auth/register — create account with email + password
+  // ---------------------------------------------------------------------------
+  router.post('/register', async (req: Request, res: Response) => {
+    const { email, password, display_name } = req.body || {};
+
+    if (!email || !password) {
+      res.status(400).json({ error: 'email and password are required' });
+      return;
+    }
+
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email)) {
+      res.status(400).json({ error: 'Invalid email format' });
+      return;
+    }
+
+    if (password.length < 6) {
+      res.status(400).json({ error: 'Password must be at least 6 characters' });
+      return;
+    }
+
+    const existing = userStore.getByEmail(email);
+    if (existing) {
+      // Return identical response to prevent account enumeration
+      res.status(201).json({
+        user: { id: randomUUID(), email, display_name: display_name || email.split('@')[0] },
+      });
+      return;
+    }
+
+    const now = new Date().toISOString();
+    const userId = randomUUID();
+    const displayName = display_name || email.split('@')[0];
+    userStore.create({
+      id: userId,
+      email,
+      display_name: displayName,
+      password_hash: await hashPassword(password),
+      status: 'active',
+      onboarding_completed: false,
+      created_at: now,
+      updated_at: now,
+    });
+
+    // Auto-login: create session
+    const sessionId = generateSessionId();
+    sessionStore.create({
+      id: sessionId,
+      user_id: userId,
+      ip_address: req.ip || req.socket.remoteAddress,
+      user_agent: req.get('user-agent'),
+      expires_at: new Date(Date.now() + config.session_ttl_seconds * 1000).toISOString(),
+      last_active_at: now,
+      created_at: now,
+    });
+
+    res.cookie(SESSION_COOKIE_NAME, sessionId, {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'lax',
+      maxAge: config.session_ttl_seconds * 1000,
+      path: '/',
+    });
+
+    res.status(201).json({
+      user: { id: userId, email, display_name: displayName },
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // POST /auth/login — sign in with email + password
+  // ---------------------------------------------------------------------------
+  router.post('/login', async (req: Request, res: Response) => {
+    const { email, password } = req.body || {};
+
+    if (!email || !password) {
+      res.status(400).json({ error: 'email and password are required' });
+      return;
+    }
+
+    const user = userStore.getByEmail(email);
+    if (!user || !user.password_hash) {
+      res.status(401).json({ error: 'Invalid email or password' });
+      return;
+    }
+
+    if (!(await verifyPassword(password, user.password_hash))) {
+      res.status(401).json({ error: 'Invalid email or password' });
+      return;
+    }
+
+    if (user.status !== 'active') {
+      res.status(403).json({ error: 'Account is suspended' });
+      return;
+    }
+
+    const now = new Date().toISOString();
+    const sessionId = generateSessionId();
+
+    const memberships = workspaceMemberStore.getByUser(user.id);
+    const workspaceId = memberships.length > 0 ? memberships[0].workspace_id : undefined;
+
+    sessionStore.create({
+      id: sessionId,
+      user_id: user.id,
+      workspace_id: workspaceId,
+      ip_address: req.ip || req.socket.remoteAddress,
+      user_agent: req.get('user-agent'),
+      expires_at: new Date(Date.now() + config.session_ttl_seconds * 1000).toISOString(),
+      last_active_at: now,
+      created_at: now,
+    });
+
+    res.cookie(SESSION_COOKIE_NAME, sessionId, {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'lax',
+      maxAge: config.session_ttl_seconds * 1000,
+      path: '/',
+    });
+
+    res.json({
+      user: {
+        id: user.id,
+        email: user.email,
+        display_name: user.display_name,
+        onboarding_completed: user.onboarding_completed,
+        default_workspace_id: workspaceId,
+      },
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // GET /auth/me — return current user + session info
+  // ---------------------------------------------------------------------------
+  router.get('/me', (req: Request, res: Response) => {
+    const sessionUser = (req as any).sessionUser;
+    if (!sessionUser) {
+      res.status(401).json({ error: 'Not authenticated' });
+      return;
+    }
+
+    const oauthAccounts = oauthAccountStore.getByUserId(sessionUser.id);
+    const memberships = workspaceMemberStore.getByUser(sessionUser.id);
+    const workspaces = memberships.map(m => {
+      const ws = workspaceStore.getById(m.workspace_id);
+      return ws ? { ...ws, role: m.role } : null;
+    }).filter(Boolean);
+
+    // Pick the first workspace as default
+    const defaultWorkspaceId = workspaces.length > 0 ? (workspaces[0] as any).id : undefined;
+
+    res.json({
+      user: {
+        id: sessionUser.id,
+        email: sessionUser.email,
+        display_name: sessionUser.display_name,
+        avatar_url: sessionUser.avatar_url,
+        status: sessionUser.status,
+        onboarding_completed: sessionUser.onboarding_completed,
+        default_workspace_id: defaultWorkspaceId,
+        created_at: sessionUser.created_at,
+      },
+      providers: oauthAccounts.map(a => ({
+        provider: a.provider,
+        email: a.provider_email,
+      })),
+      workspaces,
+      session: {
+        workspace_id: (req as any).sessionData?.workspace_id,
+        expires_at: (req as any).sessionData?.expires_at,
+      },
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // PUT /auth/password — change password for current user (or admin sets for another user by email)
+  // ---------------------------------------------------------------------------
+  router.put('/password', async (req: Request, res: Response) => {
+    const sessionUser = (req as any).sessionUser;
+    if (!sessionUser) {
+      res.status(401).json({ error: 'Not authenticated' });
+      return;
+    }
+
+    const { new_password, email } = req.body || {};
+    if (!new_password || new_password.length < 6) {
+      res.status(400).json({ error: 'new_password must be at least 6 characters' });
+      return;
+    }
+
+    // If email is provided and differs from session user, check admin
+    let targetUser = sessionUser;
+    if (email && email !== sessionUser.email) {
+      // Only workspace owners can reset other users' passwords
+      const memberships = workspaceMemberStore.getByUser(sessionUser.id);
+      const isOwner = memberships.some(m => m.role === 'owner');
+      if (!isOwner) {
+        res.status(403).json({ error: 'Only workspace owners can reset other users passwords' });
+        return;
+      }
+      const found = userStore.getByEmail(email);
+      if (!found) {
+        res.status(404).json({ error: 'User not found' });
+        return;
+      }
+      targetUser = found;
+    }
+
+    const newHash = await hashPassword(new_password);
+    userStore.update(targetUser.id, { password_hash: newHash, updated_at: new Date().toISOString() });
+
+    res.json({ ok: true, email: targetUser.email });
+  });
+
+  // ---------------------------------------------------------------------------
+  // DELETE /auth/users/:id — delete a user and all related data (self only)
+  // ---------------------------------------------------------------------------
+  router.delete('/users/:id', (req: Request, res: Response) => {
+    const sessionUser = (req as any).sessionUser;
+    if (!sessionUser) {
+      res.status(401).json({ error: 'Not authenticated' });
+      return;
+    }
+
+    const targetId = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+
+    // Only allow deleting yourself (no admin role needed)
+    if (sessionUser.id !== targetId) {
+      res.status(403).json({ error: 'Can only delete your own account' });
+      return;
+    }
+
+    // Delete workspace memberships and owned workspaces
+    const memberships = workspaceMemberStore.getByUser(targetId);
+    for (const m of memberships) {
+      // If sole owner of workspace, delete the workspace too
+      const wsMembers = workspaceMemberStore.getByWorkspace(m.workspace_id);
+      const otherOwners = wsMembers.filter(wm => wm.user_id !== targetId && wm.role === 'owner');
+      if (otherOwners.length === 0) {
+        // Delete all members of this workspace
+        for (const wm of wsMembers) {
+          workspaceMemberStore.delete(wm.id);
+        }
+        // Delete workspace API keys
+        if (userApiKeyStore) {
+          const keys = userApiKeyStore.getByWorkspace(m.workspace_id);
+          for (const k of keys) {
+            userApiKeyStore.delete(k.id);
+          }
+        }
+        workspaceStore.delete(m.workspace_id);
+      } else {
+        workspaceMemberStore.delete(m.id);
+      }
+    }
+
+    // Delete OAuth accounts
+    const oauthAccounts = oauthAccountStore.getByUserId(targetId);
+    for (const oa of oauthAccounts) {
+      oauthAccountStore.delete(oa.id);
+    }
+
+    // Delete user API keys
+    if (userApiKeyStore) {
+      const keys = userApiKeyStore.getByUser(targetId);
+      for (const k of keys) {
+        userApiKeyStore.delete(k.id);
+      }
+    }
+
+    // Clear session
+    const sessionId = req.cookies?.[SESSION_COOKIE_NAME];
+    if (sessionId) {
+      sessionStore.delete(sessionId);
+    }
+
+    // Delete user
+    userStore.delete(targetId);
+
+    res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
+    res.json({ status: 'ok', deleted_user_id: targetId });
+  });
+
+  // ---------------------------------------------------------------------------
+  // POST /auth/logout — clear session
+  // ---------------------------------------------------------------------------
+  router.post('/logout', (req: Request, res: Response) => {
+    const sessionId = req.cookies?.[SESSION_COOKIE_NAME];
+    if (sessionId) {
+      sessionStore.delete(sessionId);
+    }
+    res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
+    res.json({ status: 'ok' });
+  });
+
+  // ---------------------------------------------------------------------------
+  // Helper: find or create user from OAuth profile
+  // ---------------------------------------------------------------------------
+  function findOrCreateUser(profile: OAuthProfile, accessToken: string, refreshToken?: string): {
+    user: any;
+    isNewUser: boolean;
+    needsLinking?: boolean;
+  } {
+    const now = new Date().toISOString();
+
+    // Check if OAuth account already exists
+    const existingOAuth = oauthAccountStore.getByProvider(profile.provider, profile.provider_user_id);
+    if (existingOAuth) {
+      // Update tokens
+      oauthAccountStore.update(existingOAuth.id, {
+        access_token_encrypted: encryptToken(accessToken, config.session_secret),
+        refresh_token_encrypted: refreshToken ? encryptToken(refreshToken, config.session_secret) : undefined,
+        updated_at: now,
+      });
+      const user = userStore.getById(existingOAuth.user_id)!;
+      return { user, isNewUser: false };
+    }
+
+    // Check if user exists with same email — do NOT auto-link
+    const existingUser = userStore.getByEmail(profile.email);
+    if (existingUser) {
+      return { user: existingUser, isNewUser: false, needsLinking: true };
+    }
+
+    // Create new user
+    const user = {
+      id: randomUUID(),
+      email: profile.email,
+      display_name: profile.display_name,
+      avatar_url: profile.avatar_url,
+      status: 'active' as const,
+      onboarding_completed: false,
+      created_at: now,
+      updated_at: now,
+    };
+    userStore.create(user);
+
+    // Create OAuth account link for new users only
+    oauthAccountStore.create({
+      id: randomUUID(),
+      user_id: user.id,
+      provider: profile.provider,
+      provider_user_id: profile.provider_user_id,
+      provider_email: profile.email,
+      access_token_encrypted: encryptToken(accessToken, config.session_secret),
+      refresh_token_encrypted: refreshToken ? encryptToken(refreshToken, config.session_secret) : undefined,
+      created_at: now,
+      updated_at: now,
+    });
+
+    return { user, isNewUser: true };
+  }
+
+  return router;
+}

package/src/auth/session.ts

@@ -0,0 +1,84 @@
+import * as crypto from 'crypto';
+import { OAuthFlowState, OAuthConfig } from '../types/user';
+
+/**
+ * Generate a cryptographically random session ID (256-bit).
+ */
+export function generateSessionId(): string {
+  return crypto.randomBytes(32).toString('hex');
+}
+
+// ---------------------------------------------------------------------------
+// OAuth state cookie (encrypted with AES-256-GCM)
+// ---------------------------------------------------------------------------
+
+function deriveKey(secret: string, context: string = 'palaryn-session'): Buffer {
+  return Buffer.from(crypto.hkdfSync('sha256', Buffer.from(secret, 'utf-8'), Buffer.alloc(32, 0), Buffer.from(context, 'utf-8'), 32));
+}
+
+/**
+ * Encrypt an OAuth flow state object into a cookie-safe string.
+ */
+export function encryptState(state: OAuthFlowState, secret: string): string {
+  const key = deriveKey(secret);
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const plaintext = JSON.stringify(state);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  // Format: base64url(iv + tag + ciphertext)
+  return Buffer.concat([iv, tag, encrypted]).toString('base64url');
+}
+
+/**
+ * Decrypt an OAuth flow state from a cookie value.
+ */
+export function decryptState(encrypted: string, secret: string): OAuthFlowState {
+  const key = deriveKey(secret);
+  const buf = Buffer.from(encrypted, 'base64url');
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(12, 28);
+  const ciphertext = buf.subarray(28);
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf-8');
+  return JSON.parse(plaintext);
+}
+
+// ---------------------------------------------------------------------------
+// Token encryption (AES-256-GCM for storing OAuth tokens at rest)
+// ---------------------------------------------------------------------------
+
+export function encryptToken(token: string, secret: string): string {
+  const key = deriveKey(secret);
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const encrypted = Buffer.concat([cipher.update(token, 'utf-8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, encrypted]).toString('base64');
+}
+
+export function decryptToken(encryptedToken: string, secret: string): string {
+  const key = deriveKey(secret);
+  const buf = Buffer.from(encryptedToken, 'base64');
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(12, 28);
+  const ciphertext = buf.subarray(28);
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf-8');
+}
+
+// ---------------------------------------------------------------------------
+// Cookie helpers
+// ---------------------------------------------------------------------------
+
+export interface SessionCookieOptions {
+  name: string;
+  maxAge: number; // seconds
+  secure: boolean;
+  domain?: string;
+}
+
+export const SESSION_COOKIE_NAME = 'pn_session';
+export const STATE_COOKIE_NAME = 'pn_oauth_state';

package/src/billing/index.ts

@@ -0,0 +1,6 @@
+export { StripeClient } from './stripe-client';
+export { PlanEnforcer } from './plan-enforcer';
+export { WebhookHandler } from './webhook-handler';
+export { createWebhookRouter } from './webhook-routes';
+export { createBillingRouter } from './routes';
+export type { BillingRouteDeps } from './routes';