palaryn 0.1.0 → 0.3.2

package/src/middleware/session.ts

@@ -0,0 +1,85 @@
+import { Request, Response, NextFunction } from 'express';
+import { SessionStore, UserStore, WorkspaceMemberStore } from '../storage/interfaces';
+import { OAuthConfig } from '../types/user';
+import { SESSION_COOKIE_NAME } from '../auth/session';
+import { resolvePermissions } from './auth';
+import { AuthConfig } from '../types/config';
+
+export interface SessionMiddlewareDeps {
+  oauthConfig: OAuthConfig;
+  authConfig: AuthConfig;
+  sessionStore: SessionStore;
+  userStore: UserStore;
+  workspaceMemberStore: WorkspaceMemberStore;
+}
+
+/**
+ * Session middleware that reads the session cookie and populates req.auth
+ * if a valid session is found. This runs before the existing auth middleware
+ * so that session-authenticated requests skip API key / JWT checks.
+ */
+export function createSessionMiddleware(deps: SessionMiddlewareDeps) {
+  const { oauthConfig, authConfig, sessionStore, userStore, workspaceMemberStore } = deps;
+
+  return (req: Request, res: Response, next: NextFunction): void => {
+    const sessionId = req.cookies?.[SESSION_COOKIE_NAME];
+    if (!sessionId) {
+      return next();
+    }
+
+    const session = sessionStore.getById(sessionId);
+    if (!session) {
+      // Expired or invalid session - clear cookie
+      res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
+      return next();
+    }
+
+    const user = userStore.getById(session.user_id);
+    if (!user || user.status !== 'active') {
+      sessionStore.delete(sessionId);
+      res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
+      return next();
+    }
+
+    // Update last_active_at (fire-and-forget)
+    sessionStore.update(sessionId, { last_active_at: new Date().toISOString() });
+
+    // Determine workspace and roles
+    const workspaceId = session.workspace_id || 'ws_default';
+    const memberships = workspaceMemberStore.getByUser(user.id);
+    const membership = memberships.find(m => m.workspace_id === workspaceId);
+
+    // Map workspace role to RBAC roles
+    let roles: string[] = [];
+    if (membership) {
+      if (membership.role === 'owner' || membership.role === 'admin') {
+        roles = ['admin'];
+      } else if (membership.role === 'member') {
+        roles = ['operator'];
+      } else {
+        roles = ['readonly'];
+      }
+    }
+
+    const permissions = resolvePermissions(roles, authConfig.rbac);
+
+    // Set auth context (same shape as API key / JWT auth)
+    (req as any).auth = {
+      workspace_id: workspaceId,
+      actor_id: `user:${user.id}`,
+      roles,
+      permissions,
+      auth_method: 'session' as const,
+      user_id: user.id,
+    };
+
+    // Attach user and session for use in auth routes
+    (req as any).sessionUser = user;
+    (req as any).sessionData = session;
+
+    // Backward compat
+    (req as any).workspace_id = workspaceId;
+
+    return next();
+  };
+}

package/src/middleware/validate.ts

@@ -0,0 +1,130 @@
+import { Request, Response, NextFunction } from 'express';
+import { randomUUID } from 'crypto';
+import { sendError, ErrorCode } from '../server/errors';
+
+const TOOL_NAME_PATTERN = /^[a-zA-Z][a-zA-Z0-9_.:\-]{0,127}$/;
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const SAFE_ID_PATTERN = /^[a-zA-Z0-9_-]{1,64}$/;
+
+/** Infer tool.capability from the tool name (e.g. "http.get" → "read") */
+function inferCapability(toolName: string): 'read' | 'write' | 'delete' | 'admin' {
+  const lower = toolName.toLowerCase();
+  if (lower.includes('get') || lower.includes('read') || lower.includes('list') || lower.includes('search')) return 'read';
+  if (lower.includes('delete') || lower.includes('remove')) return 'delete';
+  return 'write';
+}
+
+/**
+ * Normalize the simplified docs format into the full ToolCall schema.
+ * Accepts:  { tool, input, taskId, actorId, platform? }
+ * Produces: { tool_call_id, task_id, actor, source, tool, args }
+ *
+ * If the body already has tool_call_id or tool.name, it's left untouched.
+ */
+export function normalizeToolCall(req: Request, _res: Response, next: NextFunction): void {
+  const body = req.body;
+  if (!body || typeof body !== 'object') { next(); return; }
+
+  // Detect simplified format: has "tool" as string + "input" object, lacks "tool_call_id"
+  const isSimplified = typeof body.tool === 'string' && !body.tool_call_id;
+  if (!isSimplified) { next(); return; }
+
+  const toolName: string = body.tool;
+  const input = body.input && typeof body.input === 'object' ? body.input : {};
+
+  req.body = {
+    tool_call_id: randomUUID(),
+    task_id: body.taskId || body.task_id || randomUUID(),
+    actor: body.actor || { type: 'agent' as const, id: body.actorId || 'anonymous' },
+    source: body.source || { platform: body.platform || 'rest' },
+    tool: { name: toolName, capability: inferCapability(toolName) },
+    args: { method: toolName.split('.').pop()?.toUpperCase() || 'GET', ...input },
+    ...(body.workspace_id ? { workspace_id: body.workspace_id } : {}),
+    ...(body.constraints ? { constraints: body.constraints } : {}),
+    ...(body.context ? { context: body.context } : {}),
+  };
+
+  next();
+}
+
+export function validateToolCall(req: Request, res: Response, next: NextFunction): void {
+  const body = req.body;
+
+  const errors: string[] = [];
+
+  if (!body.tool_call_id) errors.push('tool_call_id is required');
+  if (!body.task_id) errors.push('task_id is required');
+  if (!body.actor || !body.actor.type || !body.actor.id) errors.push('actor with type and id is required');
+  if (!body.source || !body.source.platform) errors.push('source with platform is required');
+  if (!body.tool || !body.tool.name || !body.tool.capability) errors.push('tool with name and capability is required');
+  if (!body.args || typeof body.args !== 'object') errors.push('args object is required');
+
+  // Validate enum values
+  if (body.actor?.type && !['agent', 'user', 'system'].includes(body.actor.type)) {
+    errors.push('actor.type must be agent, user, or system');
+  }
+  if (body.tool?.capability && !['read', 'write', 'delete', 'admin'].includes(body.tool.capability)) {
+    errors.push('tool.capability must be read, write, delete, or admin');
+  }
+
+  // Validate tool name pattern
+  if (body.tool?.name && !TOOL_NAME_PATTERN.test(body.tool.name)) {
+    errors.push('tool.name must start with a letter, contain only alphanumeric characters, dots, underscores, colons, or hyphens, and be at most 128 characters');
+  }
+
+  // Validate URL format in args
+  if (body.args?.url !== undefined && body.args?.url !== null) {
+    const url = String(body.args.url);
+    if (!/^https?:\/\//i.test(url)) {
+      errors.push('args.url must be a well-formed URL starting with http:// or https://');
+    }
+  }
+
+  // Validate args size limit (< 1MB)
+  if (body.args && typeof body.args === 'object') {
+    const argsSize = Buffer.byteLength(JSON.stringify(body.args), 'utf8');
+    if (argsSize >= 1048576) {
+      errors.push('args must be less than 1MB when serialized');
+    }
+  }
+
+  // Validate tool_call_id format: UUID or alphanumeric up to 64 chars
+  if (body.tool_call_id && typeof body.tool_call_id === 'string') {
+    if (!UUID_PATTERN.test(body.tool_call_id) && !SAFE_ID_PATTERN.test(body.tool_call_id)) {
+      errors.push('tool_call_id must be a UUID (e.g. 550e8400-e29b-41d4-a716-446655440000) or alphanumeric string up to 64 chars (a-z, A-Z, 0-9, _, -)');
+    }
+  } else if (body.tool_call_id && typeof body.tool_call_id !== 'string') {
+    errors.push('tool_call_id must be a string');
+  }
+
+  // Validate task_id format: UUID or alphanumeric up to 64 chars
+  if (body.task_id && typeof body.task_id === 'string') {
+    if (!UUID_PATTERN.test(body.task_id) && !SAFE_ID_PATTERN.test(body.task_id)) {
+      errors.push('task_id must be a UUID (e.g. 550e8400-e29b-41d4-a716-446655440000) or alphanumeric string up to 64 chars (a-z, A-Z, 0-9, _, -)');
+    }
+  } else if (body.task_id && typeof body.task_id !== 'string') {
+    errors.push('task_id must be a string');
+  }
+
+  // Validate workspace_id if present
+  if (body.workspace_id !== undefined && body.workspace_id !== null) {
+    if (typeof body.workspace_id !== 'string' || body.workspace_id.length === 0 || body.workspace_id.length > 128) {
+      errors.push('workspace_id must be a non-empty string with length <= 128');
+    }
+  }
+
+  // Validate actor.id length
+  if (body.actor?.id && typeof body.actor.id === 'string' && body.actor.id.length > 256) {
+    errors.push('actor.id must be <= 256 characters');
+  }
+
+  if (errors.length > 0) {
+    sendError(res, 400, ErrorCode.VALIDATION_FAILED, 'Invalid ToolCall', {
+      details: errors,
+      hint: 'Check the ToolCall schema: tool_call_id, task_id, actor, source, tool, and args are required',
+    });
+    return;
+  }
+
+  next();
+}