siclaw 0.1.0

package/dist/gateway/auth/login.js

@@ -0,0 +1,74 @@
+/**
+ * Login API
+ *
+ * Handles user login requests and returns a JWT token.
+ */
+import { signJwt } from "./jwt.js";
+/**
+ * Create the login handler
+ */
+export function createLoginHandler(userStore, jwtSecret) {
+    /**
+     * Parse the JSON request body
+     */
+    async function parseBody(req) {
+        return new Promise((resolve, reject) => {
+            let body = "";
+            req.on("data", (chunk) => (body += chunk));
+            req.on("end", () => {
+                try {
+                    resolve(body ? JSON.parse(body) : {});
+                }
+                catch {
+                    reject(new Error("Invalid JSON"));
+                }
+            });
+            req.on("error", reject);
+        });
+    }
+    /**
+     * Handle a login request
+     */
+    async function handleLogin(req, res) {
+        // Only accept POST
+        if (req.method !== "POST") {
+            res.writeHead(405, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: false, error: "Method not allowed" }));
+            return;
+        }
+        try {
+            const { username, password } = await parseBody(req);
+            if (!username || !password) {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ ok: false, error: "Missing username or password" }));
+                return;
+            }
+            // Authenticate the user
+            const user = userStore.authenticate(username, password);
+            if (!user) {
+                res.writeHead(401, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ ok: false, error: "Invalid credentials" }));
+                return;
+            }
+            // Issue token
+            const token = signJwt({ userId: user.id, username: user.username }, jwtSecret);
+            const response = {
+                ok: true,
+                token,
+                user: {
+                    id: user.id,
+                    username: user.username,
+                },
+            };
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify(response));
+        }
+        catch (err) {
+            console.error("[login] Error:", err);
+            res.writeHead(500, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: false, error: "Internal server error" }));
+        }
+    }
+    return { handleLogin };
+}
+//# sourceMappingURL=login.js.map

package/dist/gateway/auth/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/gateway/auth/login.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAkBnC;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAoB,EAAE,SAAiB;IACxE;;OAEG;IACH,KAAK,UAAU,SAAS,CAAC,GAAyB;QAChD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC;YAC3C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxC,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,WAAW,CACxB,GAAyB,EACzB,GAAwB;QAExB,mBAAmB;QACnB,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC,CAAC;YACpE,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YAEpD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC3B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC,CAAC;gBAC9E,OAAO;YACT,CAAC;YAED,wBAAwB;YACxB,MAAM,IAAI,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACxD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC,CAAC;gBACrE,OAAO;YACT,CAAC;YAED,cAAc;YACd,MAAM,KAAK,GAAG,OAAO,CACnB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,EAC5C,SAAS,CACV,CAAC;YAEF,MAAM,QAAQ,GAAkB;gBAC9B,EAAE,EAAE,IAAI;gBACR,KAAK;gBACL,IAAI,EAAE;oBACJ,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB;aACF,CAAC;YAEF,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;YACrC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,CAAC;AACzB,CAAC"}

package/dist/gateway/auth/middleware.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Authentication middleware
+ *
+ * Handles authentication for HTTP and WebSocket requests.
+ */
+import type http from "node:http";
+/** Authenticated request context */
+export interface AuthContext {
+    userId: string;
+    username: string;
+}
+/** Extended request type with auth context */
+export interface AuthenticatedRequest extends http.IncomingMessage {
+    auth?: AuthContext;
+}
+/**
+ * Create the authentication middleware
+ */
+export declare function createAuthMiddleware(jwtSecret: string): {
+    authenticateRequest: (req: http.IncomingMessage) => AuthContext | null;
+    authenticateWebSocket: (req: http.IncomingMessage) => AuthContext | null;
+    authenticateFromQuery: (url: string | undefined, host: string | undefined) => AuthContext | null;
+};

package/dist/gateway/auth/middleware.js

@@ -0,0 +1,67 @@
+/**
+ * Authentication middleware
+ *
+ * Handles authentication for HTTP and WebSocket requests.
+ */
+import { extractBearerToken, verifyJwt } from "./jwt.js";
+/**
+ * Create the authentication middleware
+ */
+export function createAuthMiddleware(jwtSecret) {
+    /**
+     * Authenticate an HTTP request
+     */
+    function authenticateRequest(req) {
+        const authHeader = req.headers.authorization;
+        const token = extractBearerToken(authHeader);
+        if (!token)
+            return null;
+        const payload = verifyJwt(token, jwtSecret);
+        if (!payload)
+            return null;
+        return {
+            userId: payload.userId,
+            username: payload.username,
+        };
+    }
+    /**
+     * Get token from URL query parameters (used for WebSocket)
+     */
+    function authenticateFromQuery(url, host) {
+        if (!url)
+            return null;
+        try {
+            const fullUrl = new URL(url, `http://${host || "localhost"}`);
+            const token = fullUrl.searchParams.get("token");
+            if (!token)
+                return null;
+            const payload = verifyJwt(token, jwtSecret);
+            if (!payload)
+                return null;
+            return {
+                userId: payload.userId,
+                username: payload.username,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Authenticate a WebSocket upgrade request
+     */
+    function authenticateWebSocket(req) {
+        // Try Authorization header first
+        const auth = authenticateRequest(req);
+        if (auth)
+            return auth;
+        // Fall back to query parameter
+        return authenticateFromQuery(req.url, req.headers.host);
+    }
+    return {
+        authenticateRequest,
+        authenticateWebSocket,
+        authenticateFromQuery,
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/gateway/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/gateway/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAmB,MAAM,UAAU,CAAC;AAa1E;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB;IACpD;;OAEG;IACH,SAAS,mBAAmB,CAAC,GAAyB;QACpD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,OAAO;YACL,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,qBAAqB,CAAC,GAAuB,EAAE,IAAwB;QAC9E,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;YAC9D,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEhD,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YAC5C,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YAE1B,OAAO;gBACL,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS,qBAAqB,CAAC,GAAyB;QACtD,iCAAiC;QACjC,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;QAEtB,+BAA+B;QAC/B,OAAO,qBAAqB,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,mBAAmB;QACnB,qBAAqB;QACrB,qBAAqB;KACtB,CAAC;AACJ,CAAC"}

package/dist/gateway/auth/oauth2.d.ts

@@ -0,0 +1,57 @@
+/**
+ * OAuth2 Authorization Code Flow — Dex / Generic OIDC
+ *
+ * Handles the server-side OAuth2 flow:
+ *   1. Build authorize URL (redirect user to IdP)
+ *   2. Exchange authorization code for tokens
+ *   3. Fetch user info from IdP
+ *
+ * Config is loaded from DB overrides → SICLAW_SSO_* environment variables.
+ * If neither is set, SSO is disabled and loadOAuth2Config() returns null.
+ */
+export interface OAuth2Config {
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    /** Derived endpoints (from issuer) */
+    authorizeUrl: string;
+    tokenUrl: string;
+    userInfoUrl: string;
+}
+/**
+ * Load OAuth2 config from DB overrides → environment variables.
+ * Returns null if SSO is not configured.
+ *
+ * Priority: dbOverrides > SICLAW_SSO_* env vars > null
+ */
+export declare function loadOAuth2Config(dbOverrides?: Record<string, string>): OAuth2Config | null;
+/** Generate a cryptographic random state and store it */
+export declare function generateState(): string;
+/** Validate and consume a state (returns true if valid) */
+export declare function consumeState(state: string): boolean;
+/**
+ * Step 1: Build the authorization URL that the user's browser should redirect to.
+ */
+export declare function buildAuthorizeUrl(config: OAuth2Config, state: string): string;
+/**
+ * Step 2: Exchange the authorization code for tokens.
+ */
+export interface TokenResponse {
+    access_token: string;
+    id_token?: string;
+    token_type: string;
+    expires_in?: number;
+    refresh_token?: string;
+}
+export declare function exchangeCode(config: OAuth2Config, code: string): Promise<TokenResponse>;
+/**
+ * Step 3: Fetch user info using the access token.
+ */
+export interface SsoUserInfo {
+    sub: string;
+    email?: string;
+    name?: string;
+    preferred_username?: string;
+}
+export declare function fetchUserInfo(config: OAuth2Config, accessToken: string): Promise<SsoUserInfo>;

package/dist/gateway/auth/oauth2.js

@@ -0,0 +1,113 @@
+/**
+ * OAuth2 Authorization Code Flow — Dex / Generic OIDC
+ *
+ * Handles the server-side OAuth2 flow:
+ *   1. Build authorize URL (redirect user to IdP)
+ *   2. Exchange authorization code for tokens
+ *   3. Fetch user info from IdP
+ *
+ * Config is loaded from DB overrides → SICLAW_SSO_* environment variables.
+ * If neither is set, SSO is disabled and loadOAuth2Config() returns null.
+ */
+import crypto from "node:crypto";
+/**
+ * Load OAuth2 config from DB overrides → environment variables.
+ * Returns null if SSO is not configured.
+ *
+ * Priority: dbOverrides > SICLAW_SSO_* env vars > null
+ */
+export function loadOAuth2Config(dbOverrides) {
+    const issuer = dbOverrides?.["sso.issuer"] ?? process.env.SICLAW_SSO_ISSUER;
+    if (!issuer)
+        return null;
+    const clientId = dbOverrides?.["sso.clientId"] ?? process.env.SICLAW_SSO_CLIENT_ID;
+    const clientSecret = dbOverrides?.["sso.clientSecret"] ?? process.env.SICLAW_SSO_CLIENT_SECRET;
+    const redirectUri = dbOverrides?.["sso.redirectUri"] ?? process.env.SICLAW_SSO_REDIRECT_URI;
+    if (!clientId || !clientSecret || !redirectUri) {
+        console.warn("[oauth2] SSO issuer is set but missing clientId, clientSecret, or redirectUri — SSO disabled");
+        return null;
+    }
+    // Standard OIDC endpoints (Dex follows this convention)
+    const base = issuer.replace(/\/+$/, "");
+    return {
+        issuer: base,
+        clientId,
+        clientSecret,
+        redirectUri,
+        authorizeUrl: `${base}/auth`,
+        tokenUrl: `${base}/token`,
+        userInfoUrl: `${base}/userinfo`,
+    };
+}
+// ─── CSRF State Store ───────────────────────────────
+const pendingStates = new Map();
+const STATE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+/** Generate a cryptographic random state and store it */
+export function generateState() {
+    const state = crypto.randomBytes(16).toString("hex");
+    pendingStates.set(state, { createdAt: Date.now() });
+    return state;
+}
+/** Validate and consume a state (returns true if valid) */
+export function consumeState(state) {
+    const entry = pendingStates.get(state);
+    if (!entry)
+        return false;
+    pendingStates.delete(state);
+    return Date.now() - entry.createdAt < STATE_TTL_MS;
+}
+/** Periodic cleanup of expired states */
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of pendingStates) {
+        if (now - entry.createdAt > STATE_TTL_MS) {
+            pendingStates.delete(key);
+        }
+    }
+}, 60_000);
+// ─── OAuth2 Flow Steps ──────────────────────────────
+/**
+ * Step 1: Build the authorization URL that the user's browser should redirect to.
+ */
+export function buildAuthorizeUrl(config, state) {
+    const params = new URLSearchParams({
+        response_type: "code",
+        client_id: config.clientId,
+        redirect_uri: config.redirectUri,
+        scope: "openid profile email",
+        state,
+    });
+    return `${config.authorizeUrl}?${params.toString()}`;
+}
+export async function exchangeCode(config, code) {
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        redirect_uri: config.redirectUri,
+    });
+    const res = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString(),
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`Token exchange failed (${res.status}): ${text}`);
+    }
+    return res.json();
+}
+export async function fetchUserInfo(config, accessToken) {
+    const res = await fetch(config.userInfoUrl, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`UserInfo fetch failed (${res.status}): ${text}`);
+    }
+    return res.json();
+}
+//# sourceMappingURL=oauth2.js.map

package/dist/gateway/auth/oauth2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2.js","sourceRoot":"","sources":["../../../src/gateway/auth/oauth2.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAejC;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAoC;IACnE,MAAM,MAAM,GAAG,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC5E,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACnF,MAAM,YAAY,GAAG,WAAW,EAAE,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAC/F,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IAE5F,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/C,OAAO,CAAC,IAAI,CACV,8FAA8F,CAC/F,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wDAAwD;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAExC,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,QAAQ;QACR,YAAY;QACZ,WAAW;QACX,YAAY,EAAE,GAAG,IAAI,OAAO;QAC5B,QAAQ,EAAE,GAAG,IAAI,QAAQ;QACzB,WAAW,EAAE,GAAG,IAAI,WAAW;KAChC,CAAC;AACJ,CAAC;AAED,uDAAuD;AAEvD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAiC,CAAC;AAC/D,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEhD,yDAAyD;AACzD,MAAM,UAAU,aAAa;IAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrD,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACpD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,YAAY,CAAC;AACrD,CAAC;AAED,yCAAyC;AACzC,WAAW,CAAC,GAAG,EAAE;IACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,YAAY,EAAE,CAAC;YACzC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC,EAAE,MAAM,CAAC,CAAC;AAEX,uDAAuD;AAEvD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAoB,EAAE,KAAa;IACnE,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK,EAAE,sBAAsB;QAC7B,KAAK;KACN,CAAC,CAAC;IACH,OAAO,GAAG,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AACvD,CAAC;AAaD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAoB,EACpB,IAAY;IAEZ,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,YAAY,EAAE,MAAM,CAAC,WAAW;KACjC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QACvC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;QACrB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAA4B,CAAC;AAC9C,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAoB,EACpB,WAAmB;IAEnB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;QACnD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAA0B,CAAC;AAC5C,CAAC"}

package/dist/gateway/auth/user-store.d.ts

@@ -0,0 +1,95 @@
+/**
+ * User store
+ *
+ * DB-first: falls back to in-memory when no DB is available.
+ */
+import type { Database } from "../db/index.js";
+export interface User {
+    id: string;
+    username: string;
+    passwordHash: string;
+    createdAt: Date;
+    /** Channel bindings */
+    bindings?: Record<string, string>;
+    /** Intern flag: restricted to test environments only */
+    testOnly?: boolean;
+    /** SSO user flag: password changes are not supported */
+    ssoUser?: boolean;
+}
+export interface CreateUserInput {
+    username: string;
+    password: string;
+    testOnly?: boolean;
+    ssoUser?: boolean;
+}
+export declare class UserStore {
+    private users;
+    private usernameIndex;
+    private repo;
+    constructor(db: Database | null);
+    /**
+     * Async initialization — loads users from DB or creates the default admin
+     */
+    init(): Promise<void>;
+    /**
+     * Create the default admin user
+     */
+    private createDefaultAdmin;
+    /**
+     * Create a user (async, writes to DB)
+     */
+    createAsync(input: CreateUserInput): Promise<User>;
+    /**
+     * Create a user (sync compat, in-memory only)
+     */
+    create(input: CreateUserInput): User;
+    /**
+     * Get a user by ID
+     */
+    getById(id: string): User | undefined;
+    /**
+     * Get a user by username
+     */
+    getByUsername(username: string): User | undefined;
+    /**
+     * Authenticate a login attempt
+     */
+    authenticate(username: string, password: string): User | null;
+    /**
+     * Find a user by channel binding
+     */
+    getByBinding(channel: string, channelUserId: string): User | undefined;
+    /**
+     * Add a channel binding
+     */
+    addBinding(userId: string, channel: string, channelUserId: string): void;
+    /**
+     * Remove a channel binding
+     */
+    removeBinding(userId: string, channel: string): void;
+    /**
+     * SSO login: finds an existing user by username, or auto-creates one if not found
+     */
+    findOrCreateBySso(ssoInfo: {
+        sub: string;
+        email?: string;
+        name?: string;
+        preferredUsername?: string;
+    }): Promise<User>;
+    /**
+     * Change password (requires verification of the old password)
+     */
+    changePassword(userId: string, oldPassword: string, newPassword: string): Promise<void>;
+    /**
+     * Reset password (admin use — no verification of old password)
+     */
+    resetPassword(userId: string, newPassword: string): Promise<void>;
+    /**
+     * Set the testOnly flag
+     */
+    setTestOnly(userId: string, testOnly: boolean): Promise<void>;
+    /**
+     * List all users
+     */
+    list(): User[];
+}