ts/opsserver/helpers/auth.ts

import * as plugins from '../../plugins.js';
import type { OpsServer } from '../classes.opsserver.js';
import * as interfaces from '../../../ts_interfaces/index.js';

export interface IAuthRequest {
  identity?: interfaces.data.IIdentity;
  apiToken?: string;
}

export interface IAuthRequirement {
  scope?: interfaces.data.TApiTokenScope;
  requireAdminIdentity?: boolean;
  requireAdminToken?: boolean;
}

export interface IAuthContext {
  type: 'identity' | 'apiToken';
  userId: string;
  role?: string;
  isAdmin: boolean;
  scopes: interfaces.data.TApiTokenScope[];
  identity?: interfaces.data.IIdentity;
  token?: interfaces.data.IStoredApiToken;
}

const typedAuthError = (messageArg: string) => {
  return new plugins.typedrequest.TypedResponseError(messageArg);
};

export async function requireOpsAuth(
  opsServerRefArg: OpsServer,
  requestArg: IAuthRequest,
  requirementArg: IAuthRequirement = {},
): Promise<IAuthContext> {
  let identityNeedsAdmin = false;
  let tokenNeedsAdmin = false;
  let tokenNeedsScope = false;

  if (requestArg.identity?.jwt) {
    const identity = await opsServerRefArg.adminHandler.validateIdentity(requestArg.identity);
    if (identity) {
      const isAdmin = identity.role === 'admin';
      if (!requirementArg.requireAdminIdentity || isAdmin) {
        return {
          type: 'identity',
          userId: identity.userId,
          role: identity.role,
          isAdmin,
          scopes: [],
          identity,
        };
      }
      identityNeedsAdmin = true;
    }
  }

  if (requestArg.apiToken) {
    const tokenManager = opsServerRefArg.dcRouterRef.apiTokenManager;
    const token = tokenManager ? await tokenManager.validateToken(requestArg.apiToken) : null;
    if (token) {
      if (requirementArg.requireAdminToken && token.policy?.role !== 'admin') {
        tokenNeedsAdmin = true;
      } else if (requirementArg.scope && !tokenManager!.hasScope(token, requirementArg.scope)) {
        tokenNeedsScope = true;
      } else {
        const scopes = token.policy?.role === 'admin'
          ? ['*' as interfaces.data.TApiTokenScope]
          : Array.from(new Set([...(token.scopes || []), ...(token.policy?.scopes || [])]));
        return {
          type: 'apiToken',
          userId: token.createdBy,
          role: token.policy?.role || 'operator',
          isAdmin: token.policy?.role === 'admin',
          scopes,
          token,
        };
      }
    }
  }

  if (tokenNeedsScope) {
    throw typedAuthError('insufficient scope');
  }
  if (tokenNeedsAdmin) {
    throw typedAuthError('admin API token required');
  }
  if (identityNeedsAdmin) {
    throw typedAuthError('admin identity required');
  }
  throw typedAuthError('unauthorized');
}
feat(ops-auth): add scoped API token auth across ops endpoints 2026-05-19 22:24:37 +00:00			`import * as plugins from '../../plugins.js';`
			`import type { OpsServer } from '../classes.opsserver.js';`
			`import * as interfaces from '../../../ts_interfaces/index.js';`

			`export interface IAuthRequest {`
			`identity?: interfaces.data.IIdentity;`
			`apiToken?: string;`
			`}`

			`export interface IAuthRequirement {`
			`scope?: interfaces.data.TApiTokenScope;`
			`requireAdminIdentity?: boolean;`
			`requireAdminToken?: boolean;`
			`}`

			`export interface IAuthContext {`
			`type: 'identity' \| 'apiToken';`
			`userId: string;`
			`role?: string;`
			`isAdmin: boolean;`
			`scopes: interfaces.data.TApiTokenScope[];`
			`identity?: interfaces.data.IIdentity;`
			`token?: interfaces.data.IStoredApiToken;`
			`}`

			`const typedAuthError = (messageArg: string) => {`
			`return new plugins.typedrequest.TypedResponseError(messageArg);`
			`};`

			`export async function requireOpsAuth(`
			`opsServerRefArg: OpsServer,`
			`requestArg: IAuthRequest,`
			`requirementArg: IAuthRequirement = {},`
			`): Promise<IAuthContext> {`
			`let identityNeedsAdmin = false;`
			`let tokenNeedsAdmin = false;`
			`let tokenNeedsScope = false;`

			`if (requestArg.identity?.jwt) {`
			`const identity = await opsServerRefArg.adminHandler.validateIdentity(requestArg.identity);`
			`if (identity) {`
			`const isAdmin = identity.role === 'admin';`
			`if (!requirementArg.requireAdminIdentity \|\| isAdmin) {`
			`return {`
			`type: 'identity',`
			`userId: identity.userId,`
			`role: identity.role,`
			`isAdmin,`
			`scopes: [],`
			`identity,`
			`};`
			`}`
			`identityNeedsAdmin = true;`
			`}`
			`}`

			`if (requestArg.apiToken) {`
			`const tokenManager = opsServerRefArg.dcRouterRef.apiTokenManager;`
			`const token = tokenManager ? await tokenManager.validateToken(requestArg.apiToken) : null;`
			`if (token) {`
			`if (requirementArg.requireAdminToken && token.policy?.role !== 'admin') {`
			`tokenNeedsAdmin = true;`
			`} else if (requirementArg.scope && !tokenManager!.hasScope(token, requirementArg.scope)) {`
			`tokenNeedsScope = true;`
			`} else {`
			`const scopes = token.policy?.role === 'admin'`
			`? ['*' as interfaces.data.TApiTokenScope]`
			`: Array.from(new Set([...(token.scopes \|\| []), ...(token.policy?.scopes \|\| [])]));`
			`return {`
			`type: 'apiToken',`
			`userId: token.createdBy,`
			`role: token.policy?.role \|\| 'operator',`
			`isAdmin: token.policy?.role === 'admin',`
			`scopes,`
			`token,`
			`};`
			`}`
			`}`
			`}`

			`if (tokenNeedsScope) {`
			`throw typedAuthError('insufficient scope');`
			`}`
			`if (tokenNeedsAdmin) {`
			`throw typedAuthError('admin API token required');`
			`}`
			`if (identityNeedsAdmin) {`
			`throw typedAuthError('admin identity required');`
			`}`
			`throw typedAuthError('unauthorized');`
			`}`