"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || (function () { var ownKeys = function(o) { ownKeys = Object.getOwnPropertyNames || function (o) { var ar = []; for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k; return ar; }; return ownKeys(o); }; return function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]); __setModuleDefault(result, mod); return result; }; })(); Object.defineProperty(exports, "__esModule", { value: true }); exports.AuthValidator = void 0; const fs = __importStar(require("fs/promises")); const crypto = __importStar(require("crypto")); const path = __importStar(require("path")); const logger_1 = require("../utils/logger"); const config_1 = require("../utils/config"); class AuthValidator { logger; sessionsCache = new Map(); constructor() { this.logger = new logger_1.Logger('AuthValidator'); } async validateWebSocketAuth(sessionId, signature) { try { const session = await this.loadSession(sessionId); if (!session) { this.logger.warn(`Session not found: ${sessionId}`); return false; } // For WebSocket, we'll validate a simple signature // In production, this should include timestamp and nonce const expectedSignature = crypto .createHmac('sha256', session.server_key) .update(sessionId) .digest('hex'); return signature === expectedSignature; } catch (error) { this.logger.error('WebSocket auth validation failed:', error); return false; } } authMiddleware() { return async (req, res, next) => { const sessionId = req.headers['x-session-id']; const signature = req.headers['x-auth-signature']; const timestamp = req.headers['x-timestamp']; if (!sessionId || !signature || !timestamp) { res.status(401).json({ error: 'Missing authentication headers', code: 401 }); return; } try { const session = await this.loadSession(sessionId); if (!session) { res.status(401).json({ error: 'Session not found', code: 401, recoverable: true, recovery: 'Create new session via POST /_ide/service/auth/create' }); return; } // Validate signature const method = req.method; const path = req.path; const body = JSON.stringify(req.body || {}); const signatureBase = `${method}\n${path}\n${timestamp}\n${body}`; const expectedSignature = crypto .createHmac('sha256', session.server_key) .update(signatureBase) .digest('hex'); if (signature !== expectedSignature) { this.logger.warn('Invalid signature for session:', sessionId); res.status(401).json({ error: 'Invalid signature', code: 401 }); return; } // Check timestamp to prevent replay attacks (5 minute window) const requestTime = parseInt(timestamp, 10); const currentTime = Math.floor(Date.now() / 1000); if (Math.abs(currentTime - requestTime) > 300) { res.status(401).json({ error: 'Request timestamp expired', code: 401 }); return; } // Attach session to request for use in routes req.session = session; req.sessionId = sessionId; next(); } catch (error) { this.logger.error('Auth middleware error:', error); res.status(500).json({ error: 'Authentication error', code: 500 }); } }; } async loadSession(sessionId) { // Check cache first if (this.sessionsCache.has(sessionId)) { return this.sessionsCache.get(sessionId); } try { const sessionPath = path.join(config_1.Config.AUTH_SESSION_PATH, `auth-${sessionId}.json`); const data = await fs.readFile(sessionPath, 'utf8'); const session = JSON.parse(data); // Cache the session this.sessionsCache.set(sessionId, session); return session; } catch (error) { if (error.code === 'ENOENT') { return null; // Session file doesn't exist } throw error; } } clearCache() { this.sessionsCache.clear(); } } exports.AuthValidator = AuthValidator; //# sourceMappingURL=auth.js.map