feat(ops-auth): add scoped API token auth across ops endpoints

test/test.certificate-api-token.node.ts

@@ -56,6 +56,7 @@ const setupHandler = (scopes: TScope[], options?: {
   const opsServerRef: any = {
     typedrouter,
     adminHandler: {
+      validateIdentity: async () => null,
       adminIdentityGuard: {
         exec: async () => false,
       },

test/test.config-api-token.node.ts

@@ -0,0 +1,79 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { ConfigHandler } from '../ts/opsserver/handlers/config.handler.js';
+import * as plugins from '../ts/plugins.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+const fireTypedRequest = async (
+  router: plugins.typedrequest.TypedRouter,
+  method: string,
+  request: Record<string, any>,
+) => {
+  return await router.routeAndAddResponse({
+    method,
+    request,
+    response: {},
+    correlation: {
+      id: `${method}-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+      phase: 'request',
+    },
+  } as any, { localRequest: true, skipHooks: true }) as any;
+};
+
+const makeOpsServer = (scopes: interfaces.data.TApiTokenScope[]) => {
+  const router = new plugins.typedrequest.TypedRouter();
+  const token = {
+    id: 'token-1',
+    name: 'config-token',
+    tokenHash: 'hash',
+    scopes,
+    createdBy: 'token-user',
+    createdAt: Date.now(),
+    expiresAt: null,
+    lastUsedAt: null,
+    enabled: true,
+  } as interfaces.data.IStoredApiToken;
+
+  const opsServerRef = {
+    viewRouter: router,
+    adminHandler: {
+      validateIdentity: async () => null,
+    },
+    dcRouterRef: {
+      options: {
+        dbConfig: { enabled: false },
+      },
+      resolvedPaths: {
+        dcrouterHomeDir: '/tmp/dcrouter-home',
+        dataDir: '/tmp/dcrouter-data',
+        defaultTsmDbPath: '/tmp/dcrouter-data/db',
+      },
+      detectedPublicIp: null,
+      apiTokenManager: {
+        validateToken: async (rawTokenArg: string) => rawTokenArg === 'valid-token' ? token : null,
+        hasScope: (storedTokenArg: interfaces.data.IStoredApiToken, scopeArg: interfaces.data.TApiTokenScope) => storedTokenArg.scopes.includes(scopeArg),
+      },
+    },
+  } as any;
+
+  new ConfigHandler(opsServerRef);
+  return router;
+};
+
+tap.test('ConfigHandler accepts API token with config:read', async () => {
+  const router = makeOpsServer(['config:read']);
+  const result = await fireTypedRequest(router, 'getConfiguration', {
+    apiToken: 'valid-token',
+  });
+  expect(result.error).toBeUndefined();
+  expect(result.response.config.system.baseDir).toEqual('/tmp/dcrouter-home');
+});
+
+tap.test('ConfigHandler rejects API token without config:read', async () => {
+  const router = makeOpsServer(['logs:read']);
+  const result = await fireTypedRequest(router, 'getConfiguration', {
+    apiToken: 'valid-token',
+  });
+  expect(result.error?.text).toEqual('insufficient scope');
+});
+
+export default tap.start();

test/test.migrations.node.ts

@@ -0,0 +1,69 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+
+import { createMigrationRunner } from '../ts_migrations/index.js';
+
+function setPath(target: Record<string, any>, path: string, value: unknown): void {
+  const parts = path.split('.');
+  let cursor = target;
+  for (const part of parts.slice(0, -1)) {
+    cursor[part] = cursor[part] || {};
+    cursor = cursor[part];
+  }
+  cursor[parts[parts.length - 1]] = value;
+}
+
+function applySet(document: Record<string, any>, set: Record<string, unknown>): void {
+  for (const [key, value] of Object.entries(set)) {
+    setPath(document, key, value);
+  }
+}
+
+function createFakeDb(currentVersion: string) {
+  const ledgerDocument = {
+    nameId: 'smartmigration:smartmigration',
+    data: {
+      currentVersion,
+      steps: {},
+      lock: { holder: null, acquiredAt: null, expiresAt: null },
+      checkpoints: {},
+    },
+  };
+
+  const emptyCollection = {
+    find: () => ({
+      async *[Symbol.asyncIterator]() {},
+    }),
+    updateMany: async () => ({ modifiedCount: 0 }),
+  };
+
+  const ledgerCollection = {
+    createIndex: async () => undefined,
+    findOne: async () => structuredClone(ledgerDocument),
+    findOneAndUpdate: async (_query: unknown, update: any) => {
+      applySet(ledgerDocument, update.$set || {});
+      return structuredClone(ledgerDocument);
+    },
+    updateOne: async (_query: unknown, update: any) => {
+      applySet(ledgerDocument, update.$set || {});
+      return { matchedCount: 1, modifiedCount: 1, upsertedCount: 0 };
+    },
+  };
+
+  return {
+    mongoDb: {
+      collection: (name: string) =>
+        name === 'SmartdataEasyStore' ? ledgerCollection : emptyCollection,
+    },
+  };
+}
+
+tap.test('migration runner bridges old package-version targets without real schema steps', async () => {
+  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.31.0');
+  const result = await runner.run();
+
+  expect(result.currentVersionBefore).toEqual('13.16.0');
+  expect(result.currentVersionAfter).toEqual('13.31.0');
+  expect(result.stepsApplied).toHaveLength(3);
+});
+
+export default tap.start();

test/test.ops-auth-helper.node.ts

@@ -0,0 +1,126 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { requireOpsAuth } from '../ts/opsserver/helpers/auth.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+type TScope = interfaces.data.TApiTokenScope;
+
+const makeIdentity = (role: string = 'user'): interfaces.data.IIdentity => ({
+  jwt: `jwt-${role}`,
+  userId: `${role}-user`,
+  name: role,
+  expiresAt: Date.now() + 3600000,
+  role,
+});
+
+const makeOpsServer = (options: {
+  identityRole?: string | null;
+  tokenScopes?: TScope[];
+  tokenPolicy?: interfaces.data.IApiTokenPolicy;
+}) => {
+  const token = {
+    id: 'token-1',
+    name: 'test-token',
+    tokenHash: 'hash',
+    scopes: options.tokenScopes || [],
+    policy: options.tokenPolicy,
+    createdAt: Date.now(),
+    expiresAt: null,
+    lastUsedAt: null,
+    createdBy: 'token-user',
+    enabled: true,
+  } as interfaces.data.IStoredApiToken;
+
+  return {
+    adminHandler: {
+      validateIdentity: async (identityArg?: interfaces.data.IIdentity) => {
+        if (!identityArg || options.identityRole === null) return null;
+        return { ...identityArg, role: options.identityRole || identityArg.role || 'user' };
+      },
+    },
+    dcRouterRef: {
+      apiTokenManager: {
+        validateToken: async (rawTokenArg: string) => rawTokenArg === 'valid-token' ? token : null,
+        hasScope: (storedTokenArg: interfaces.data.IStoredApiToken, scopeArg: TScope) => {
+          if (storedTokenArg.policy?.role === 'admin') return true;
+          return storedTokenArg.scopes.includes('*') || storedTokenArg.scopes.includes(scopeArg) || Boolean(storedTokenArg.policy?.scopes?.includes(scopeArg));
+        },
+      },
+    },
+  } as any;
+};
+
+const getErrorText = (errorArg: unknown) => {
+  return (errorArg as any).errorText || (errorArg as any).text || (errorArg as Error).message;
+};
+
+tap.test('requireOpsAuth accepts valid JWT identity for read endpoints', async () => {
+  const auth = await requireOpsAuth(
+    makeOpsServer({ identityRole: 'user' }),
+    { identity: makeIdentity('user') },
+    { scope: 'config:read' },
+  );
+  expect(auth.type).toEqual('identity');
+  expect(auth.userId).toEqual('user-user');
+  expect(auth.isAdmin).toEqual(false);
+});
+
+tap.test('requireOpsAuth rejects non-admin JWT identity for admin identity requirements', async () => {
+  let errorText = '';
+  try {
+    await requireOpsAuth(
+      makeOpsServer({ identityRole: 'user' }),
+      { identity: makeIdentity('user') },
+      { scope: 'routes:write', requireAdminIdentity: true },
+    );
+  } catch (error) {
+    errorText = getErrorText(error);
+  }
+  expect(errorText).toEqual('admin identity required');
+});
+
+tap.test('requireOpsAuth accepts scoped API tokens', async () => {
+  const auth = await requireOpsAuth(
+    makeOpsServer({ identityRole: null, tokenScopes: ['logs:read'] }),
+    { apiToken: 'valid-token' },
+    { scope: 'logs:read' },
+  );
+  expect(auth.type).toEqual('apiToken');
+  expect(auth.userId).toEqual('token-user');
+});
+
+tap.test('requireOpsAuth rejects API tokens without the required scope', async () => {
+  let errorText = '';
+  try {
+    await requireOpsAuth(
+      makeOpsServer({ identityRole: null, tokenScopes: ['logs:read'] }),
+      { apiToken: 'valid-token' },
+      { scope: 'stats:read' },
+    );
+  } catch (error) {
+    errorText = getErrorText(error);
+  }
+  expect(errorText).toEqual('insufficient scope');
+});
+
+tap.test('requireOpsAuth requires admin policy for sensitive API-token operations', async () => {
+  let errorText = '';
+  try {
+    await requireOpsAuth(
+      makeOpsServer({ identityRole: null, tokenScopes: ['tokens:manage'] }),
+      { apiToken: 'valid-token' },
+      { scope: 'tokens:manage', requireAdminToken: true },
+    );
+  } catch (error) {
+    errorText = getErrorText(error);
+  }
+  expect(errorText).toEqual('admin API token required');
+
+  const auth = await requireOpsAuth(
+    makeOpsServer({ identityRole: null, tokenPolicy: { role: 'admin' } }),
+    { apiToken: 'valid-token' },
+    { scope: 'tokens:manage', requireAdminToken: true },
+  );
+  expect(auth.isAdmin).toEqual(true);
+});
+
+export default tap.start();

test/test.workhoster-handler.node.ts

@@ -136,6 +136,9 @@ const setupHandler = (options: {
   const opsServerRef: any = {
     typedrouter,
     adminHandler: {
+      validateIdentity: async (identity: interfaces.data.IIdentity) => options.isAdmin
+        ? { ...identity, role: 'admin' }
+        : identity,
       adminIdentityGuard: {
         exec: async () => Boolean(options.isAdmin),
       },