wyrm-mcp 7.2.0 → 7.2.2

package/dist/http-auth.js

@@ -1,321 +1,3 @@
-/**
- * Wyrm HTTP Authentication - Secure API access control
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- * @module http-auth
- * @version 3.0.0
- */
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
-import { randomBytes, createHash } from 'crypto';
-import { WyrmLogger } from './logger.js';
-// ==================== CONSTANTS ====================
-const CONFIG_DIR = join(homedir(), '.wyrm');
-const CONFIG_PATH = join(CONFIG_DIR, 'http-config.json');
-const DEFAULT_RATE_LIMIT = { enabled: true, requests: 100, windowMs: 60000 };
-const DEFAULT_ORIGINS = ['http://localhost:3333', 'http://127.0.0.1:3333'];
-// ==================== STATE ====================
-const rateLimitStore = new Map();
-let config = null;
-const logger = new WyrmLogger();
-// ==================== HELPER FUNCTIONS ====================
-/**
- * Hash a token for secure storage
- */
-function hashToken(token) {
-    return createHash('sha256').update(token).digest('hex');
-}
-/**
- * Constant-time string comparison to prevent timing attacks
- */
-function constantTimeCompare(a, b) {
-    if (a.length !== b.length) {
-        return false;
-    }
-    let result = 0;
-    for (let i = 0; i < a.length; i++) {
-        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-    }
-    return result === 0;
-}
-/**
- * Load or create authentication configuration
- */
-function loadOrCreateConfig() {
-    // Ensure config directory exists
-    if (!existsSync(CONFIG_DIR)) {
-        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-    }
-    // Load existing config
-    if (existsSync(CONFIG_PATH)) {
-        try {
-            const data = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8'));
-            return {
-                apiKeyHash: data.apiKeyHash,
-                allowedOrigins: data.allowedOrigins || DEFAULT_ORIGINS,
-                rateLimit: { ...DEFAULT_RATE_LIMIT, ...data.rateLimit },
-                requireAuth: data.requireAuth ?? true,
-                devMode: process.env.WYRM_DEV === 'true',
-            };
-        }
-        catch (error) {
-            logger.error('Failed to load HTTP config, regenerating', { error: error.message });
-        }
-    }
-    // Generate new API key
-    const apiKey = randomBytes(32).toString('hex');
-    logger.info('Generated new API key for HTTP server');
-    console.log('\n' + '═'.repeat(60));
-    console.log('🔐 WYRM API KEY (save this securely, shown once):');
-    console.log('');
-    console.log(`   ${apiKey}`);
-    console.log('');
-    console.log('   Use with: Authorization: Bearer <key>');
-    console.log('═'.repeat(60) + '\n');
-    const newConfig = {
-        apiKeyHash: hashToken(apiKey),
-        allowedOrigins: DEFAULT_ORIGINS,
-        rateLimit: DEFAULT_RATE_LIMIT,
-        requireAuth: true,
-        devMode: process.env.WYRM_DEV === 'true',
-    };
-    // Save config with restrictive permissions
-    writeFileSync(CONFIG_PATH, JSON.stringify(newConfig, null, 2), { mode: 0o600 });
-    return newConfig;
-}
-/**
- * Get configuration (lazy load)
- */
-function getConfig() {
-    if (!config) {
-        config = loadOrCreateConfig();
-    }
-    return config;
-}
-// ==================== AUTHENTICATION ====================
-/**
- * Validate API key from Authorization header
- */
-export function authenticate(req) {
-    const cfg = getConfig();
-    // Dev mode: allow local connections without auth
-    if (cfg.devMode) {
-        const remoteAddr = req.socket.remoteAddress;
-        if (remoteAddr === '127.0.0.1' || remoteAddr === '::1' || remoteAddr === '::ffff:127.0.0.1') {
-            return true;
-        }
-    }
-    // Spec 016: the local Wyrm Web UI announces itself with X-Wyrm-Origin: ui.
-    // [sec 6.3.1] Hardened: require an EXACT loopback socket (dropped the broad
-    // `startsWith('127.')`) AND a loopback Host header. The Host check defeats
-    // DNS-rebinding — a rebinding attack reaches the loopback socket but carries
-    // an attacker-domain Host. Header alone is never sufficient. (A per-session
-    // UI nonce, tracked separately, will replace this origin-header trust.)
-    const remoteAddr = req.socket.remoteAddress ?? '';
-    const isLoopback = remoteAddr === '127.0.0.1' || remoteAddr === '::1' || remoteAddr === '::ffff:127.0.0.1';
-    const hostName = (req.headers['host'] ?? '').split(':')[0].toLowerCase();
-    const hostIsLoopback = hostName === 'localhost' || hostName === '127.0.0.1' || hostName === '::1' || hostName === '[::1]';
-    if (isLoopback && hostIsLoopback && req.headers['x-wyrm-origin'] === 'ui') {
-        return true;
-    }
-    // Check if auth is required
-    if (!cfg.requireAuth) {
-        logger.warn('Authentication disabled - API is open');
-        return true;
-    }
-    // Validate Authorization header
-    const authHeader = req.headers['authorization'];
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-        return false;
-    }
-    const token = authHeader.slice(7);
-    if (!token || token.length < 32) {
-        return false;
-    }
-    // Constant-time comparison
-    const tokenHash = hashToken(token);
-    return constantTimeCompare(tokenHash, cfg.apiKeyHash);
-}
-// ==================== RATE LIMITING ====================
-/**
- * Check and update rate limit for a client
- */
-export function checkRateLimit(req) {
-    const cfg = getConfig();
-    if (!cfg.rateLimit.enabled) {
-        return { allowed: true, remaining: Infinity, resetAt: 0 };
-    }
-    const clientId = req.socket.remoteAddress || 'unknown';
-    const now = Date.now();
-    // Clean up expired entries periodically
-    if (rateLimitStore.size > 10000) {
-        for (const [key, entry] of rateLimitStore) {
-            if (entry.resetAt < now) {
-                rateLimitStore.delete(key);
-            }
-        }
-    }
-    let entry = rateLimitStore.get(clientId);
-    if (!entry || entry.resetAt < now) {
-        entry = { count: 0, resetAt: now + cfg.rateLimit.windowMs };
-        rateLimitStore.set(clientId, entry);
-    }
-    entry.count++;
-    return {
-        allowed: entry.count <= cfg.rateLimit.requests,
-        remaining: Math.max(0, cfg.rateLimit.requests - entry.count),
-        resetAt: entry.resetAt,
-    };
-}
-// ==================== CORS ====================
-/**
- * Get CORS origin for response
- */
-export function getCorsOrigin(req) {
-    const cfg = getConfig();
-    const origin = req.headers['origin'];
-    if (origin && cfg.allowedOrigins.includes(origin)) {
-        return origin;
-    }
-    // Return first allowed origin if request origin not in list
-    return cfg.allowedOrigins[0];
-}
-/**
- * Get security headers for response
- */
-export function getSecurityHeaders(req) {
-    return {
-        'Access-Control-Allow-Origin': getCorsOrigin(req),
-        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-        'X-Content-Type-Options': 'nosniff',
-        'X-Frame-Options': 'DENY',
-        'Cache-Control': 'no-store',
-        'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
-        'Referrer-Policy': 'no-referrer',
-        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
-        'X-Robots-Tag': 'noindex, nofollow',
-    };
-}
-// ==================== MIDDLEWARE ====================
-// Public endpoints that don't require authentication
-const PUBLIC_ENDPOINTS = ['/health', '/auth/status', '/ui'];
-/**
- * Authentication middleware for HTTP server
- * Returns error response if auth fails, null if auth passes
- */
-export function authMiddleware(req, res) {
-    // Handle CORS preflight
-    if (req.method === 'OPTIONS') {
-        const headers = getSecurityHeaders(req);
-        res.writeHead(204, headers);
-        res.end();
-        return { error: true }; // Request handled, stop processing
-    }
-    // Check rate limit (applies to all endpoints)
-    const rateLimit = checkRateLimit(req);
-    if (!rateLimit.allowed) {
-        const headers = getSecurityHeaders(req);
-        res.writeHead(429, {
-            ...headers,
-            'X-RateLimit-Remaining': '0',
-            'X-RateLimit-Reset': String(rateLimit.resetAt),
-            'Retry-After': String(Math.ceil((rateLimit.resetAt - Date.now()) / 1000)),
-        });
-        res.end(JSON.stringify({ error: 'Rate limit exceeded' }));
-        logger.warn('Rate limit exceeded', {
-            ip: req.socket.remoteAddress,
-            path: req.url,
-        });
-        return { error: true };
-    }
-    // Skip auth for public endpoints
-    const pathname = new URL(req.url || '/', `http://localhost`).pathname;
-    if (PUBLIC_ENDPOINTS.includes(pathname)) {
-        return { error: false };
-    }
-    // Check authentication
-    if (!authenticate(req)) {
-        const headers = getSecurityHeaders(req);
-        res.writeHead(401, {
-            ...headers,
-            'WWW-Authenticate': 'Bearer realm="Wyrm API"',
-        });
-        res.end(JSON.stringify({ error: 'Unauthorized' }));
-        logger.warn('Authentication failed', {
-            ip: req.socket.remoteAddress,
-            path: req.url,
-        });
-        return { error: true };
-    }
-    // Add rate limit headers to successful response later
-    return { error: false };
-}
-// ==================== CONFIGURATION MANAGEMENT ====================
-/**
- * Regenerate API key
- */
-export function regenerateApiKey() {
-    const apiKey = randomBytes(32).toString('hex');
-    const cfg = getConfig();
-    cfg.apiKeyHash = hashToken(apiKey);
-    writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 0o600 });
-    config = cfg;
-    logger.info('API key regenerated');
-    return apiKey;
-}
-/**
- * Update allowed CORS origins
- */
-export function setAllowedOrigins(origins) {
-    const cfg = getConfig();
-    cfg.allowedOrigins = origins;
-    writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 0o600 });
-    config = cfg;
-    logger.info('CORS origins updated', { origins });
-}
-/**
- * Update rate limit configuration
- */
-export function setRateLimit(requests, windowMs) {
-    const cfg = getConfig();
-    cfg.rateLimit = { enabled: true, requests, windowMs };
-    writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 0o600 });
-    config = cfg;
-    logger.info('Rate limit updated', { requests, windowMs });
-}
-/**
- * Enable/disable authentication requirement
- */
-export function setRequireAuth(require) {
-    const cfg = getConfig();
-    cfg.requireAuth = require;
-    writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 0o600 });
-    config = cfg;
-    if (!require) {
-        logger.warn('Authentication disabled - API is now open');
-    }
-}
-/**
- * Enable dev mode at runtime (e.g. for --ui flag)
- * Safe because auth still verifies remoteAddress is localhost
- */
-export function enableDevMode() {
-    const cfg = getConfig();
-    cfg.devMode = true;
-}
-/**
- * Get current configuration (without exposing API key hash)
- */
-export function getAuthStatus() {
-    const cfg = getConfig();
-    return {
-        requireAuth: cfg.requireAuth,
-        devMode: cfg.devMode,
-        rateLimit: cfg.rateLimit,
-        allowedOrigins: cfg.allowedOrigins,
-    };
-}
-//# sourceMappingURL=http-auth.js.map
+import{existsSync as w,readFileSync as I,writeFileSync as u,mkdirSync as R}from"fs";import{join as y}from"path";import{homedir as x}from"os";import{randomBytes as O,createHash as T}from"crypto";import{WyrmLogger as k}from"./logger.js";const g=y(x(),".wyrm"),a=y(g,"http-config.json"),L={enabled:!0,requests:100,windowMs:6e4},S=["http://localhost:3333","http://127.0.0.1:3333"],d=new Map;let c=null;const i=new k;function m(e){return T("sha256").update(e).digest("hex")}function P(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}function M(){if(w(g)||R(g,{recursive:!0,mode:448}),w(a))try{const r=JSON.parse(I(a,"utf-8"));return{apiKeyHash:r.apiKeyHash,allowedOrigins:r.allowedOrigins||S,rateLimit:{...L,...r.rateLimit},requireAuth:r.requireAuth??!0,devMode:process.env.WYRM_DEV==="true"}}catch(r){i.error("Failed to load HTTP config, regenerating",{error:r.message})}const e=O(32).toString("hex");i.info("Generated new API key for HTTP server"),console.log(`
+`+"\u2550".repeat(60)),console.log("\u{1F510} WYRM API KEY (save this securely, shown once):"),console.log(""),console.log(`   ${e}`),console.log(""),console.log("   Use with: Authorization: Bearer <key>"),console.log("\u2550".repeat(60)+`
+`);const t={apiKeyHash:m(e),allowedOrigins:S,rateLimit:L,requireAuth:!0,devMode:process.env.WYRM_DEV==="true"};return u(a,JSON.stringify(t,null,2),{mode:384}),t}function s(){return c||(c=M()),c}function N(e){const t=s();if(t.devMode){const h=e.socket.remoteAddress;if(h==="127.0.0.1"||h==="::1"||h==="::ffff:127.0.0.1")return!0}const r=e.socket.remoteAddress??"",n=r==="127.0.0.1"||r==="::1"||r==="::ffff:127.0.0.1",o=(e.headers.host??"").split(":")[0].toLowerCase();if(n&&(o==="localhost"||o==="127.0.0.1"||o==="::1"||o==="[::1]")&&e.headers["x-wyrm-origin"]==="ui")return!0;if(!t.requireAuth)return i.warn("Authentication disabled - API is open"),!0;const l=e.headers.authorization;if(!l||!l.startsWith("Bearer "))return!1;const f=l.slice(7);if(!f||f.length<32)return!1;const C=m(f);return P(C,t.apiKeyHash)}function H(e){const t=s();if(!t.rateLimit.enabled)return{allowed:!0,remaining:1/0,resetAt:0};const r=e.socket.remoteAddress||"unknown",n=Date.now();if(d.size>1e4)for(const[A,l]of d)l.resetAt<n&&d.delete(A);let o=d.get(r);return(!o||o.resetAt<n)&&(o={count:0,resetAt:n+t.rateLimit.windowMs},d.set(r,o)),o.count++,{allowed:o.count<=t.rateLimit.requests,remaining:Math.max(0,t.rateLimit.requests-o.count),resetAt:o.resetAt}}function v(e){const t=s(),r=e.headers.origin;return r&&t.allowedOrigins.includes(r)?r:t.allowedOrigins[0]}function p(e){return{"Access-Control-Allow-Origin":v(e),"Access-Control-Allow-Methods":"GET, POST, OPTIONS","Access-Control-Allow-Headers":"Content-Type, Authorization","X-Content-Type-Options":"nosniff","X-Frame-Options":"DENY","Cache-Control":"no-store","Content-Security-Policy":"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; frame-ancestors 'none'","Referrer-Policy":"no-referrer","Permissions-Policy":"geolocation=(), microphone=(), camera=()","X-Robots-Tag":"noindex, nofollow"}}const D=["/health","/auth/status","/ui"];function J(e,t){if(e.method==="OPTIONS"){const o=p(e);return t.writeHead(204,o),t.end(),{error:!0}}const r=H(e);if(!r.allowed){const o=p(e);return t.writeHead(429,{...o,"X-RateLimit-Remaining":"0","X-RateLimit-Reset":String(r.resetAt),"Retry-After":String(Math.ceil((r.resetAt-Date.now())/1e3))}),t.end(JSON.stringify({error:"Rate limit exceeded"})),i.warn("Rate limit exceeded",{ip:e.socket.remoteAddress,path:e.url}),{error:!0}}const n=new URL(e.url||"/","http://localhost").pathname;if(D.includes(n))return{error:!1};if(!N(e)){const o=p(e);return t.writeHead(401,{...o,"WWW-Authenticate":'Bearer realm="Wyrm API"'}),t.end(JSON.stringify({error:"Unauthorized"})),i.warn("Authentication failed",{ip:e.socket.remoteAddress,path:e.url}),{error:!0}}return{error:!1}}function _(){const e=O(32).toString("hex"),t=s();return t.apiKeyHash=m(e),u(a,JSON.stringify(t,null,2),{mode:384}),c=t,i.info("API key regenerated"),e}function U(e){const t=s();t.allowedOrigins=e,u(a,JSON.stringify(t,null,2),{mode:384}),c=t,i.info("CORS origins updated",{origins:e})}function z(e,t){const r=s();r.rateLimit={enabled:!0,requests:e,windowMs:t},u(a,JSON.stringify(r,null,2),{mode:384}),c=r,i.info("Rate limit updated",{requests:e,windowMs:t})}function B(e){const t=s();t.requireAuth=e,u(a,JSON.stringify(t,null,2),{mode:384}),c=t,e||i.warn("Authentication disabled - API is now open")}function G(){const e=s();e.devMode=!0}function X(){const e=s();return{requireAuth:e.requireAuth,devMode:e.devMode,rateLimit:e.rateLimit,allowedOrigins:e.allowedOrigins}}export{J as authMiddleware,N as authenticate,H as checkRateLimit,G as enableDevMode,X as getAuthStatus,v as getCorsOrigin,p as getSecurityHeaders,_ as regenerateApiKey,U as setAllowedOrigins,z as setRateLimit,B as setRequireAuth};