palaryn 0.1.0

package/dist/src/middleware/auth.js

@@ -0,0 +1,720 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.failedAuthAttempts = void 0;
+exports.stopBruteForceCleanup = stopBruteForceCleanup;
+exports.resolvePermissions = resolvePermissions;
+exports.hasPermission = hasPermission;
+exports.hashKeyWithSalt = hashKeyWithSalt;
+exports.generateSalt = generateSalt;
+exports.verifySaasKeyHash = verifySaasKeyHash;
+exports.createSaltedKeyHash = createSaltedKeyHash;
+exports.createAuthMiddleware = createAuthMiddleware;
+exports.parseProxyAuth = parseProxyAuth;
+exports.createRBACMiddleware = createRBACMiddleware;
+const crypto = __importStar(require("crypto"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const errors_1 = require("../server/errors");
+const logger_1 = require("../server/logger");
+const BRUTE_FORCE_WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+const BRUTE_FORCE_MAX_ATTEMPTS = 5;
+const BRUTE_FORCE_CLEANUP_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
+const BRUTE_FORCE_MAX_ENTRIES = 100000;
+exports.failedAuthAttempts = new Map();
+let bruteForceCleanupTimer = null;
+function startBruteForceCleanup() {
+    if (bruteForceCleanupTimer)
+        return;
+    bruteForceCleanupTimer = setInterval(() => {
+        const now = Date.now();
+        for (const [ip, entry] of exports.failedAuthAttempts) {
+            if (now - entry.firstAttempt > BRUTE_FORCE_WINDOW_MS && entry.lockedUntil < now) {
+                exports.failedAuthAttempts.delete(ip);
+            }
+        }
+    }, BRUTE_FORCE_CLEANUP_INTERVAL_MS);
+    // Allow the process to exit even if the interval is running
+    if (bruteForceCleanupTimer && typeof bruteForceCleanupTimer === 'object' && 'unref' in bruteForceCleanupTimer) {
+        bruteForceCleanupTimer.unref();
+    }
+}
+function stopBruteForceCleanup() {
+    if (bruteForceCleanupTimer) {
+        clearInterval(bruteForceCleanupTimer);
+        bruteForceCleanupTimer = null;
+    }
+}
+function getClientIp(req, trustedProxies) {
+    const socketIp = req.socket?.remoteAddress || req.ip || 'unknown';
+    // Only trust X-Forwarded-For when the direct connection is from a trusted proxy
+    if (trustedProxies && trustedProxies.length > 0) {
+        const normalizedSocketIp = socketIp.replace(/^::ffff:/, '');
+        if (trustedProxies.includes(normalizedSocketIp)) {
+            const forwarded = req.headers['x-forwarded-for'];
+            if (typeof forwarded === 'string') {
+                return forwarded.split(',')[0].trim();
+            }
+        }
+    }
+    return socketIp;
+}
+function evictBruteForceEntries() {
+    const now = Date.now();
+    const aggressiveWindowMs = 5 * 60 * 1000; // 5 minutes (stricter than normal 15 min)
+    // First pass: delete entries older than 5 minutes
+    for (const [ip, entry] of exports.failedAuthAttempts) {
+        if (now - entry.firstAttempt > aggressiveWindowMs && entry.lockedUntil < now) {
+            exports.failedAuthAttempts.delete(ip);
+        }
+    }
+    // If still over limit, delete the oldest half
+    if (exports.failedAuthAttempts.size > BRUTE_FORCE_MAX_ENTRIES) {
+        const entries = Array.from(exports.failedAuthAttempts.entries())
+            .sort((a, b) => a[1].firstAttempt - b[1].firstAttempt);
+        const toDelete = Math.ceil(entries.length / 2);
+        for (let i = 0; i < toDelete; i++) {
+            exports.failedAuthAttempts.delete(entries[i][0]);
+        }
+    }
+}
+function recordAuthFailure(ip) {
+    const now = Date.now();
+    // Cap map size to prevent unbounded memory growth
+    if (exports.failedAuthAttempts.size >= BRUTE_FORCE_MAX_ENTRIES) {
+        evictBruteForceEntries();
+    }
+    const entry = exports.failedAuthAttempts.get(ip);
+    if (!entry || now - entry.firstAttempt > BRUTE_FORCE_WINDOW_MS) {
+        // Start a new window
+        exports.failedAuthAttempts.set(ip, { count: 1, firstAttempt: now, lockedUntil: 0 });
+        return;
+    }
+    entry.count++;
+    if (entry.count >= BRUTE_FORCE_MAX_ATTEMPTS) {
+        // Exponential backoff: 1s, 2s, 4s, 8s, 16s for subsequent failures
+        const excessFailures = entry.count - BRUTE_FORCE_MAX_ATTEMPTS;
+        const backoffMs = Math.min(1000 * Math.pow(2, excessFailures), 16000);
+        entry.lockedUntil = now + backoffMs;
+    }
+}
+function clearAuthFailures(ip) {
+    exports.failedAuthAttempts.delete(ip);
+}
+function checkBruteForce(ip) {
+    const entry = exports.failedAuthAttempts.get(ip);
+    if (!entry)
+        return { locked: false };
+    const now = Date.now();
+    if (entry.lockedUntil > now) {
+        return { locked: true, retryAfterSec: Math.ceil((entry.lockedUntil - now) / 1000) };
+    }
+    return { locked: false };
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Resolve a set of role names into a flat Permission[] array using the RBAC config.
+ */
+function resolvePermissions(roles, rbacConfig) {
+    if (!rbacConfig || !rbacConfig.enabled) {
+        return [];
+    }
+    const permissionSet = new Set();
+    for (const roleName of roles) {
+        const roleDef = rbacConfig.roles[roleName];
+        if (roleDef) {
+            for (const p of roleDef.permissions) {
+                permissionSet.add(p);
+            }
+        }
+    }
+    return Array.from(permissionSet);
+}
+/**
+ * Check whether a given set of permissions satisfies a required permission.
+ * - `admin:full` always satisfies any permission.
+ * - `tool:execute` satisfies any `tool:execute:*` check.
+ */
+function hasPermission(permissions, required) {
+    if (permissions.includes('admin:full'))
+        return true;
+    if (permissions.includes(required))
+        return true;
+    // tool:execute grants all tool:execute:* sub-permissions
+    if (required.startsWith('tool:execute:') && permissions.includes('tool:execute')) {
+        return true;
+    }
+    return false;
+}
+// ---------------------------------------------------------------------------
+// JWKS signing key retrieval (cached per jwks_uri)
+// ---------------------------------------------------------------------------
+const jwksClients = new Map();
+function getJwksClient(uri) {
+    let client = jwksClients.get(uri);
+    if (!client) {
+        client = new jwks_rsa_1.default.JwksClient({
+            jwksUri: uri,
+            cache: true,
+            cacheMaxAge: 600000, // 10 min
+            rateLimit: true,
+            jwksRequestsPerMinute: 10,
+        });
+        jwksClients.set(uri, client);
+    }
+    return client;
+}
+function getJwksSigningKey(uri, header) {
+    const client = getJwksClient(uri);
+    return new Promise((resolve, reject) => {
+        client.getSigningKey(header.kid, (err, key) => {
+            if (err)
+                return reject(err);
+            if (!key)
+                return reject(new Error('No signing key found'));
+            const signingKey = key.getPublicKey();
+            resolve(signingKey);
+        });
+    });
+}
+// ---------------------------------------------------------------------------
+// JWT verification
+// ---------------------------------------------------------------------------
+async function verifyJWT(token, config) {
+    const jwtConfig = config.jwt;
+    if (!jwtConfig || !jwtConfig.enabled) {
+        return { error: 'JWT authentication is not configured' };
+    }
+    // Determine the secret or key
+    // IMPORTANT: Prevent algorithm confusion attacks by restricting algorithms
+    // based on the verification method. Never allow symmetric (HS*) algorithms
+    // when using JWKS (asymmetric keys), and vice versa.
+    if (jwtConfig.jwks_uri) {
+        // JWKS-based: only asymmetric algorithms allowed
+        const ASYMMETRIC_ALGOS = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512'];
+        const userAlgos = jwtConfig.algorithms;
+        const algorithms = userAlgos
+            ? userAlgos.filter(a => ASYMMETRIC_ALGOS.includes(a))
+            : ['RS256'];
+        if (algorithms.length === 0) {
+            return { error: 'No valid asymmetric algorithms configured for JWKS verification' };
+        }
+        try {
+            const decoded = jsonwebtoken_1.default.decode(token, { complete: true });
+            if (!decoded || typeof decoded === 'string') {
+                return { error: 'Invalid JWT format' };
+            }
+            const signingKey = await getJwksSigningKey(jwtConfig.jwks_uri, decoded.header);
+            const payload = jsonwebtoken_1.default.verify(token, signingKey, {
+                algorithms,
+                issuer: jwtConfig.issuer,
+                audience: jwtConfig.audience,
+            });
+            return { payload };
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : 'JWT verification failed';
+            return { error: msg };
+        }
+    }
+    else if (jwtConfig.secret) {
+        // Static secret: only symmetric algorithms allowed
+        const SYMMETRIC_ALGOS = ['HS256', 'HS384', 'HS512'];
+        const userAlgos = jwtConfig.algorithms;
+        const algorithms = userAlgos
+            ? userAlgos.filter(a => SYMMETRIC_ALGOS.includes(a))
+            : ['HS256'];
+        if (algorithms.length === 0) {
+            return { error: 'No valid symmetric algorithms configured for secret-based verification' };
+        }
+        try {
+            const payload = jsonwebtoken_1.default.verify(token, jwtConfig.secret, {
+                algorithms,
+                issuer: jwtConfig.issuer,
+                audience: jwtConfig.audience,
+            });
+            return { payload };
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : 'JWT verification failed';
+            return { error: msg };
+        }
+    }
+    return { error: 'JWT auth enabled but no secret or jwks_uri configured' };
+}
+// ---------------------------------------------------------------------------
+// Hash-based API key lookup helpers (constant-time, prevents timing attacks)
+// ---------------------------------------------------------------------------
+/** SHA-256 hash a key for constant-time lookup (legacy unsalted) */
+function hashKey(key) {
+    return crypto.createHash('sha256').update(key).digest('hex');
+}
+/** SHA-256 hash a key with a salt */
+function hashKeyWithSalt(key, salt) {
+    return crypto.createHash('sha256').update(salt + key).digest('hex');
+}
+/** Generate a 16-byte random salt as hex string */
+function generateSalt() {
+    return crypto.randomBytes(16).toString('hex');
+}
+/** Dummy buffer used for constant-time comparison when no match is found */
+const DUMMY_HASH = crypto.createHash('sha256').update('dummy-no-match-sentinel').digest('hex');
+/**
+ * Build a hash map from config API keys for O(1) lookup.
+ * Maps SHA-256(key) -> original key string.
+ */
+function buildKeyHashMap(apiKeys) {
+    const map = new Map();
+    for (const key of Object.keys(apiKeys)) {
+        map.set(hashKey(key), key);
+    }
+    return map;
+}
+/** Cache for buildKeyHashMap to avoid rebuilding per-request (e.g. in proxy auth) */
+const keyHashMapCache = new WeakMap();
+/** Get or build a cached key hash map for the given api_keys config object */
+function getCachedKeyHashMap(apiKeys) {
+    let cached = keyHashMapCache.get(apiKeys);
+    if (!cached) {
+        cached = buildKeyHashMap(apiKeys);
+        keyHashMapCache.set(apiKeys, cached);
+    }
+    return cached;
+}
+/**
+ * Look up an API key by its hash. Uses timingSafeEqual for final verification
+ * and always performs a comparison (even on miss) to prevent timing leaks.
+ */
+function lookupApiKey(token, apiKeys, keyHashMap) {
+    const tokenHash = hashKey(token);
+    const candidateKey = keyHashMap.get(tokenHash);
+    // Always do a timingSafeEqual comparison regardless of match to prevent
+    // timing leaks between "no keys match" vs "a key matched"
+    const a = Buffer.from(tokenHash);
+    const b = Buffer.from(candidateKey ? hashKey(candidateKey) : DUMMY_HASH);
+    const isMatch = crypto.timingSafeEqual(a, b);
+    return isMatch && candidateKey ? candidateKey : undefined;
+}
+// ---------------------------------------------------------------------------
+// Salted SaaS key lookup (backward compatible with unsalted hashes)
+// ---------------------------------------------------------------------------
+/**
+ * Compute the hash for a token given a stored key_hash value.
+ * Supports salted format "salt:hash" and legacy unsalted plain hex format.
+ * Returns true if the token matches the stored hash.
+ */
+function verifySaasKeyHash(token, storedKeyHash) {
+    if (storedKeyHash.includes(':')) {
+        // Salted format: "salt:hash"
+        const colonIndex = storedKeyHash.indexOf(':');
+        const salt = storedKeyHash.slice(0, colonIndex);
+        const expectedHash = storedKeyHash.slice(colonIndex + 1);
+        const computedHash = hashKeyWithSalt(token, salt);
+        // Constant-time comparison
+        const a = Buffer.from(computedHash, 'hex');
+        const b = Buffer.from(expectedHash, 'hex');
+        if (a.length !== b.length)
+            return false;
+        return crypto.timingSafeEqual(a, b);
+    }
+    // Legacy unsalted format: plain hex
+    const computedHash = hashKey(token);
+    const a = Buffer.from(computedHash, 'hex');
+    const b = Buffer.from(storedKeyHash, 'hex');
+    if (a.length !== b.length)
+        return false;
+    return crypto.timingSafeEqual(a, b);
+}
+/**
+ * Create a salted key hash for storage. Returns "salt:hash" format.
+ */
+function createSaltedKeyHash(key) {
+    const salt = generateSalt();
+    const hash = hashKeyWithSalt(key, salt);
+    return `${salt}:${hash}`;
+}
+/**
+ * Look up a SaaS-generated API key. Uses verifyToken if available (supports
+ * both salted and unsalted hashes), otherwise falls back to unsalted hash lookup.
+ */
+function lookupSaasKey(token, store) {
+    // Prefer verifyToken which handles both salted and unsalted formats
+    if (store.verifyToken) {
+        return store.verifyToken(token);
+    }
+    // Fallback: legacy unsalted hash lookup
+    const unsaltedHash = hashKey(token);
+    return store.getByKeyHash(unsaltedHash);
+}
+// ---------------------------------------------------------------------------
+// Main auth middleware
+// ---------------------------------------------------------------------------
+function createAuthMiddleware(config, userApiKeyStore) {
+    // Pre-build hash map for O(1) key lookup
+    const keyHashMap = buildKeyHashMap(config.api_keys);
+    // Start brute-force cleanup timer
+    startBruteForceCleanup();
+    return async (req, res, next) => {
+        // -----------------------------------------------------------------------
+        // Session auth: if session middleware already set req.auth, pass through
+        // -----------------------------------------------------------------------
+        if (req.auth) {
+            return next();
+        }
+        // -----------------------------------------------------------------------
+        // Auth disabled: pass through with defaults
+        // -----------------------------------------------------------------------
+        if (!config.enabled) {
+            const authCtx = {
+                workspace_id: 'ws_default',
+                actor_id: 'anonymous',
+                roles: [],
+                permissions: [],
+                auth_method: 'none',
+            };
+            req.auth = authCtx;
+            // Backward compat
+            req.workspace_id = authCtx.workspace_id;
+            return next();
+        }
+        // -----------------------------------------------------------------------
+        // Brute-force protection: check if IP is locked
+        // -----------------------------------------------------------------------
+        const clientIp = getClientIp(req, config.trusted_proxies);
+        const bruteForceCheck = checkBruteForce(clientIp);
+        if (bruteForceCheck.locked) {
+            res.setHeader('Retry-After', String(bruteForceCheck.retryAfterSec));
+            (0, errors_1.sendError)(res, 429, errors_1.ErrorCode.RATE_LIMIT_EXCEEDED, 'Too many failed authentication attempts. Try again later.', {
+                hint: `Retry after ${bruteForceCheck.retryAfterSec} seconds`,
+            });
+            return;
+        }
+        // -----------------------------------------------------------------------
+        // Extract token from headers
+        // -----------------------------------------------------------------------
+        const apiKeyHeader = req.headers['x-api-key'];
+        const authHeader = req.headers['authorization'];
+        const bearerToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : undefined;
+        const token = apiKeyHeader || bearerToken;
+        if (!token) {
+            recordAuthFailure(clientIp);
+            (0, errors_1.sendError)(res, 401, errors_1.ErrorCode.AUTH_REQUIRED, 'Missing API key. Provide X-API-Key header or Bearer token.', {
+                hint: 'Provide X-API-Key header or Authorization: Bearer <token>',
+            });
+            return;
+        }
+        // -----------------------------------------------------------------------
+        // Try API key auth first (hash-based lookup to prevent timing attacks)
+        // -----------------------------------------------------------------------
+        const matchedKey = lookupApiKey(token, config.api_keys, keyHashMap);
+        const keyConfig = matchedKey ? config.api_keys[matchedKey] : undefined;
+        if (keyConfig) {
+            // Check revocation
+            if (keyConfig.revoked) {
+                recordAuthFailure(clientIp);
+                (0, errors_1.sendError)(res, 403, errors_1.ErrorCode.AUTH_KEY_REVOKED, 'API key has been revoked.', {
+                    hint: 'Generate a new key via /admin/api-keys',
+                });
+                return;
+            }
+            // Check expiration
+            if (keyConfig.expires_at) {
+                const expiresAt = new Date(keyConfig.expires_at);
+                if (expiresAt.getTime() <= Date.now()) {
+                    recordAuthFailure(clientIp);
+                    (0, errors_1.sendError)(res, 403, errors_1.ErrorCode.AUTH_KEY_EXPIRED, 'API key has expired.', {
+                        hint: 'Renew the key or create a new one via /admin/api-keys',
+                    });
+                    return;
+                }
+            }
+            // Auth success: clear brute-force entry
+            clearAuthFailures(clientIp);
+            // Fire-and-forget: update last_used_at
+            keyConfig.last_used_at = new Date().toISOString();
+            // Resolve roles and permissions
+            const roles = keyConfig.roles || [];
+            const permissions = resolvePermissions(roles, config.rbac);
+            const authCtx = {
+                workspace_id: keyConfig.workspace_id,
+                actor_id: `apikey:${crypto.createHash('sha256').update(token).digest('hex').slice(0, 12)}`,
+                roles,
+                permissions,
+                auth_method: 'api_key',
+                api_key_id: token,
+            };
+            req.auth = authCtx;
+            // Backward compat
+            req.workspace_id = keyConfig.workspace_id;
+            req.api_key_description = keyConfig.description;
+            return next();
+        }
+        // -----------------------------------------------------------------------
+        // Try SaaS-generated API key (UserApiKeyStore, salted or legacy hash lookup)
+        // -----------------------------------------------------------------------
+        if (userApiKeyStore) {
+            const saasKey = lookupSaasKey(token, userApiKeyStore);
+            if (saasKey) {
+                if (saasKey.revoked) {
+                    recordAuthFailure(clientIp);
+                    (0, errors_1.sendError)(res, 403, errors_1.ErrorCode.AUTH_KEY_REVOKED, 'API key has been revoked.', {
+                        hint: 'Generate a new key via /admin/api-keys',
+                    });
+                    return;
+                }
+                // Auth success: clear brute-force entry
+                clearAuthFailures(clientIp);
+                // Fire-and-forget: update last_used_at
+                userApiKeyStore.update(saasKey.id, { last_used_at: new Date().toISOString() });
+                const roles = saasKey.roles || [];
+                const permissions = resolvePermissions(roles, config.rbac);
+                const authCtx = {
+                    workspace_id: saasKey.workspace_id,
+                    actor_id: `apikey:${crypto.createHash('sha256').update(token).digest('hex').slice(0, 12)}`,
+                    roles,
+                    permissions,
+                    auth_method: 'api_key',
+                    api_key_id: saasKey.id,
+                    user_id: saasKey.user_id,
+                    api_key_tags: saasKey.tags && saasKey.tags.length > 0 ? saasKey.tags : undefined,
+                };
+                req.auth = authCtx;
+                req.workspace_id = saasKey.workspace_id;
+                return next();
+            }
+        }
+        // -----------------------------------------------------------------------
+        // Try JWT auth (only if bearer token and JWT is configured)
+        // -----------------------------------------------------------------------
+        if (bearerToken && config.jwt?.enabled) {
+            const result = await verifyJWT(bearerToken, config);
+            if ('error' in result) {
+                recordAuthFailure(clientIp);
+                (0, errors_1.sendError)(res, 401, errors_1.ErrorCode.AUTH_INVALID_KEY, `JWT verification failed: ${result.error}`, {
+                    hint: 'Check that the JWT is properly signed and not expired',
+                });
+                return;
+            }
+            // Auth success: clear brute-force entry
+            clearAuthFailures(clientIp);
+            const payload = result.payload;
+            const workspaceClaim = config.jwt.workspace_claim || 'workspace_id';
+            const rolesClaim = config.jwt.roles_claim || 'roles';
+            const actorClaim = config.jwt.actor_claim || 'sub';
+            const workspaceId = payload[workspaceClaim] || 'ws_default';
+            const roles = Array.isArray(payload[rolesClaim]) ? payload[rolesClaim] : [];
+            const actorId = payload[actorClaim] || 'unknown';
+            const permissions = resolvePermissions(roles, config.rbac);
+            const authCtx = {
+                workspace_id: workspaceId,
+                actor_id: actorId,
+                roles,
+                permissions,
+                auth_method: 'jwt',
+            };
+            req.auth = authCtx;
+            // Backward compat
+            req.workspace_id = workspaceId;
+            return next();
+        }
+        // -----------------------------------------------------------------------
+        // No valid auth found
+        // -----------------------------------------------------------------------
+        recordAuthFailure(clientIp);
+        (0, errors_1.sendError)(res, 403, errors_1.ErrorCode.AUTH_INVALID_KEY, 'Invalid API key.', {
+            hint: 'Check that the API key is correct and has not been revoked',
+        });
+        return;
+    };
+}
+/**
+ * Parse proxy auth from an HTTP request's Proxy-Authorization header.
+ * Format: `Proxy-Authorization: Basic base64(workspace_id:api_key)`
+ *
+ * Falls back to sidecar defaults (env vars) if no header is present.
+ * Also checks X-Palaryn-Workspace and X-Palaryn-Actor headers as overrides.
+ */
+function parseProxyAuth(headers, proxyConfig, authConfig) {
+    const proxyAuthHeader = headers['proxy-authorization'];
+    const workspaceHeader = headers['x-palaryn-workspace'];
+    const actorHeader = headers['x-palaryn-actor'];
+    // Try Proxy-Authorization: Basic <base64>
+    if (proxyAuthHeader) {
+        const match = proxyAuthHeader.match(/^Basic\s+(.+)$/i);
+        if (!match) {
+            return { authenticated: false, error: 'Invalid Proxy-Authorization format. Expected: Basic <base64>' };
+        }
+        const decoded = Buffer.from(match[1], 'base64').toString('utf-8');
+        const colonIndex = decoded.indexOf(':');
+        if (colonIndex === -1) {
+            return { authenticated: false, error: 'Invalid Proxy-Authorization credentials. Expected: workspace_id:api_key' };
+        }
+        const workspaceId = decoded.slice(0, colonIndex);
+        const apiKey = decoded.slice(colonIndex + 1);
+        if (!workspaceId || !apiKey) {
+            return { authenticated: false, error: 'Empty workspace_id or api_key in Proxy-Authorization' };
+        }
+        // Validate API key against config (hash-based lookup to prevent timing attacks)
+        if (authConfig.enabled) {
+            const proxyKeyHashMap = getCachedKeyHashMap(authConfig.api_keys);
+            const matchedKey = lookupApiKey(apiKey, authConfig.api_keys, proxyKeyHashMap);
+            const keyConfig = matchedKey ? authConfig.api_keys[matchedKey] : undefined;
+            if (!keyConfig) {
+                return { authenticated: false, error: 'Invalid API key in Proxy-Authorization' };
+            }
+            if (keyConfig.revoked) {
+                return { authenticated: false, error: 'API key has been revoked' };
+            }
+            if (keyConfig.expires_at) {
+                const expiresAt = new Date(keyConfig.expires_at);
+                if (expiresAt.getTime() <= Date.now()) {
+                    return { authenticated: false, error: 'API key has expired' };
+                }
+            }
+            keyConfig.last_used_at = new Date().toISOString();
+        }
+        return {
+            authenticated: true,
+            workspace_id: workspaceId,
+            api_key: apiKey,
+            actor_id: actorHeader || `proxy:${workspaceId}`,
+        };
+    }
+    // Fall back to sidecar defaults from config/env vars
+    if (proxyConfig.default_workspace_id) {
+        return {
+            authenticated: true,
+            workspace_id: workspaceHeader || proxyConfig.default_workspace_id,
+            actor_id: actorHeader || proxyConfig.default_actor_id || 'proxy:sidecar',
+        };
+    }
+    // Header-only auth (X-Palaryn-Workspace without Proxy-Authorization).
+    // Only allowed when auth is not required (permissive/dev mode).
+    // When require_auth is true, headers alone are not sufficient — they can be
+    // spoofed by any client. Require Proxy-Authorization or sidecar defaults.
+    if (workspaceHeader && !proxyConfig.require_auth) {
+        logger_1.logger.warn('Unauthenticated request using header-provided identity — headers can be spoofed, enable require_auth in production', { component: 'proxy-auth', workspace: workspaceHeader, actor: actorHeader || 'default' });
+        return {
+            authenticated: true,
+            workspace_id: workspaceHeader,
+            actor_id: actorHeader || `proxy:${workspaceHeader}`,
+        };
+    }
+    // If auth is not required (permissive mode), use defaults
+    if (!proxyConfig.require_auth) {
+        logger_1.logger.warn('Unauthenticated proxy request using default identity (ws_default/proxy:anonymous) — enable require_auth in production', { component: 'proxy-auth' });
+        return {
+            authenticated: true,
+            workspace_id: 'ws_default',
+            actor_id: 'proxy:anonymous',
+        };
+    }
+    return {
+        authenticated: false,
+        error: 'Proxy-Authorization required. Use Basic auth with workspace_id:api_key or set PALARYN_WORKSPACE_ID env var for sidecar mode',
+    };
+}
+// ---------------------------------------------------------------------------
+// RBAC middleware factory
+// ---------------------------------------------------------------------------
+function createRBACMiddleware(config, requiredPermission) {
+    return (req, res, next) => {
+        // Even with RBAC disabled, admin endpoints require the key to have an admin role
+        if (!config.rbac?.enabled) {
+            if (requiredPermission === 'admin:full') {
+                const authCtx = req.auth;
+                // Allow if auth is disabled (no keys configured) or if the key has admin role
+                if (authCtx && authCtx.auth_method !== 'none') {
+                    const keyRoles = authCtx.roles || [];
+                    const hasAdmin = keyRoles.includes('admin');
+                    if (!hasAdmin) {
+                        // Check if the key has explicit admin:full permission via configured roles
+                        const rbacForResolve = config.rbac?.roles
+                            ? { ...config.rbac, enabled: true }
+                            : { enabled: true, roles: { admin: { description: 'Admin', permissions: ['admin:full'] } }, default_role: 'agent' };
+                        const keyPerms = resolvePermissions(keyRoles, rbacForResolve);
+                        if (!hasPermission(keyPerms, 'admin:full')) {
+                            (0, errors_1.sendError)(res, 403, errors_1.ErrorCode.AUTH_INSUFFICIENT_PERMS, 'Admin access required', {
+                                hint: 'Use an API key with the admin role to access this endpoint',
+                            });
+                            return;
+                        }
+                    }
+                }
+            }
+            return next();
+        }
+        const authCtx = req.auth;
+        if (!authCtx) {
+            (0, errors_1.sendError)(res, 401, errors_1.ErrorCode.AUTH_REQUIRED, 'Authentication required', {
+                hint: 'Provide X-API-Key header or Authorization: Bearer <token>',
+            });
+            return;
+        }
+        // Auth method 'none' (auth disabled) - allow through
+        if (authCtx.auth_method === 'none') {
+            return next();
+        }
+        // If user has no roles and a default_role is configured, apply it
+        let permissions = authCtx.permissions;
+        if (authCtx.roles.length === 0 && config.rbac.default_role) {
+            // Prevent escalation: default_role must not be admin or operator
+            let effectiveDefaultRole = config.rbac.default_role;
+            if (effectiveDefaultRole === 'admin' || effectiveDefaultRole === 'operator') {
+                logger_1.logger.warn(`default_role '${effectiveDefaultRole}' is a privileged role — falling back to 'readonly'`, { component: 'auth' });
+                effectiveDefaultRole = 'readonly';
+            }
+            const defaultPerms = resolvePermissions([effectiveDefaultRole], config.rbac);
+            permissions = defaultPerms;
+            // Also update the auth context with the default role's permissions
+            authCtx.roles = [effectiveDefaultRole];
+            authCtx.permissions = defaultPerms;
+        }
+        if (!hasPermission(permissions, requiredPermission)) {
+            (0, errors_1.sendError)(res, 403, errors_1.ErrorCode.AUTH_INSUFFICIENT_PERMS, `Insufficient permissions. Required: ${requiredPermission}`, {
+                details: { required_permission: requiredPermission, roles: authCtx.roles },
+                hint: 'Assign a role with the required permission or use an admin key',
+            });
+            return;
+        }
+        return next();
+    };
+}
+//# sourceMappingURL=auth.js.map