WildDragonLLC/dragonflight
1
0
Fork 0
Code Issues 10 Pull requests 3 Projects Releases Packages Wiki Activity Actions
dragonflight/services/mam-api/src/middleware/auth.js

135 lines
5.9 KiB
JavaScript
Raw Normal View History

fix(playout): repair failover, authenticate scheduler self-calls, fix playlist walk + CasparCG consumer syntax Post-review fixes for the 8-commit playout-mcr drop: - Scheduler self-calls (callSelf -> /recorders, /playout) carried no auth, so under AUTH_ENABLED=true requireUiHeader 403'd every mutating POST. This broke playout failover AND scheduled recordings. Add a per-boot in-process service token (x-internal-token) the scheduler attaches; requireAuth/requireUiHeader treat it as the seeded admin. No env/compose config needed. - Failover deadlocked: restartChannel set status='starting' then the scheduler called the guarded /start route, which 409s on 'starting'. Extract the spawn body into spawnChannelSidecar() shared by /start and restartChannel; failover now spawns directly with no self-call. - Phase A playlist stalled after 2 clips: _scheduleAdvance cued the next clip via LOADBG AUTO but never advanced the pointer. Pass asset_duration_ms in the /play payload and arm a duration-based timer that advances currentIndex and cues subsequent clips, keeping as-run in sync for arbitrary-length playlists. - CasparCG consumer syntax was invalid: "ADD <ch> FFMPEG" is the producer name, not a consumer keyword, and old -vcodec/-acodec short args are rejected. Use STREAM/FILE with -codec:v / -codec:a / -preset:v / -tune:v and a format=yuv420p filter ahead of libx264 (channel output is RGBA). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 10:51:35 -04:00
import crypto from 'crypto';
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
import pool from '../db/pool.js';
import { parseBearer, hashToken } from '../auth/tokens.js';
fix(playout): repair failover, authenticate scheduler self-calls, fix playlist walk + CasparCG consumer syntax Post-review fixes for the 8-commit playout-mcr drop: - Scheduler self-calls (callSelf -> /recorders, /playout) carried no auth, so under AUTH_ENABLED=true requireUiHeader 403'd every mutating POST. This broke playout failover AND scheduled recordings. Add a per-boot in-process service token (x-internal-token) the scheduler attaches; requireAuth/requireUiHeader treat it as the seeded admin. No env/compose config needed. - Failover deadlocked: restartChannel set status='starting' then the scheduler called the guarded /start route, which 409s on 'starting'. Extract the spawn body into spawnChannelSidecar() shared by /start and restartChannel; failover now spawns directly with no self-call. - Phase A playlist stalled after 2 clips: _scheduleAdvance cued the next clip via LOADBG AUTO but never advanced the pointer. Pass asset_duration_ms in the /play payload and arm a duration-based timer that advances currentIndex and cues subsequent clips, keeping as-run in sync for arbitrary-length playlists. - CasparCG consumer syntax was invalid: "ADD <ch> FFMPEG" is the producer name, not a consumer keyword, and old -vcodec/-acodec short args are rejected. Use STREAM/FILE with -codec:v / -codec:a / -preset:v / -tune:v and a format=yuv420p filter ahead of libx264 (channel output is RGBA). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 10:51:35 -04:00
// In-process service token for the scheduler's loopback self-calls
// (scheduler.js -> /recorders|/playout). The scheduler runs in THIS process, so
// a per-boot random constant needs no env/compose config and is never exposed:
// it only travels over the loopback fetch inside the same process. Multi-replica
// is safe because each replica's scheduler only ever calls 127.0.0.1 (itself),
// matching that replica's token. Requests bearing it are treated as the seeded
// admin (DEV_USER) so RBAC + FK-bearing routes work.
export const INTERNAL_TOKEN = crypto.randomBytes(32).toString('hex');
const INTERNAL_HEADER = 'x-internal-token';
function isInternalCall(req) {
const got = req.headers[INTERNAL_HEADER];
if (typeof got !== 'string' || got.length !== INTERNAL_TOKEN.length) return false;
return crypto.timingSafeEqual(Buffer.from(got), Buffer.from(INTERNAL_TOKEN));
}
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
// Stable UUID matching migration 023's seeded dev user.
fix(mam-api): requireAuth — stamp last_seen_at after user confirmation Code-review feedback: writing last_seen_at = now before loadUser() lets the stamp persist if the lookup throws (resave:false still writes when modified), extending the idle window without confirming the user exists. Also clarify DEV_USER_ID is a specific placeholder, not a generic sentinel.
2026-05-27 14:04:15 -04:00
/** UUID of the seeded dev-mode placeholder. NOT a sentinel for "any unauthenticated user". */
fix(auth): sync DEV_USER_ID with migration 023 — use all-zeros UUID Migration 023 was fixed in 9dc572b to use '00000000-0000-4000-8000-000000000000' because 'v' isn't a valid hex digit, but the DEV_USER_ID constant in middleware/auth.js still referenced the original '...000000000dev'. Every route that passes DEV_USER_ID as a query parameter (users list, login lookup, setup-required count) was throwing 22P02 invalid input syntax for type uuid. The errors were swallowed by Promise.allSettled in the SPA's data load so the app appeared to work in dev mode, but enabling AUTH_ENABLED=true would have broken login entirely.
2026-05-27 19:08:07 -04:00
export const DEV_USER_ID = '00000000-0000-4000-8000-000000000000';
feat(mam-api,web-ui): per-project RBAC (v2 auth layer) Adds per-project access control on top of the flat v1 auth. admin keeps global access; editor/viewer are scoped to projects granted to them (direct or via group) at view (read-only) or edit (read-write) level. - migration 026: project_access table + access_level enum - src/auth/authz.js: central isAdmin/accessibleProjectIds/projectLevel/ assertProjectAccess - requireAdmin middleware; admin-gate /users, /auth/users, /groups - enforce scoping on projects, assets, bins (list filter + per-resource view/edit + create checks); gate bulk asset maintenance + batch-trim - grant API: GET/POST/DELETE /projects/:id/access - web-ui: hide admin nav for non-admins, admin-route bounce, project "Manage access" modal, rewrite Policies tab - tests: authz, project-access, assets-access (node:test, skip w/o DB) - deferred routers carry TODO(authz) markers; .env.example documents the service-token-needs-admin/grants requirement Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 22:37:36 -04:00
// role 'admin' so dev mode (AUTH_ENABLED=false) keeps full access through the
// RBAC v2 gates — matches migration 023's seeded dev row.
export const DEV_USER = { id: DEV_USER_ID, username: 'dev', display_name: 'Dev (AUTH_ENABLED=false)', role: 'admin' };
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
const ABSOLUTE_MS = 8 * 3600 * 1000;
const IDLE_MS = 1 * 3600 * 1000;
async function destroyAnd401(req, res) {
if (req.session?.destroy) {
await new Promise(r => req.session.destroy(() => r()));
}
return res.status(401).json({ error: 'unauthorized' });
}
async function loadUser(id) {
const { rows } = await pool.query(
feat(mam-api,web-ui): TOTP two-factor authentication Optional time-based 2FA on top of password login. TOTP core is hand-rolled on node:crypto (RFC 6238) — no runtime dep — and verified against the RFC test vectors. - migration 027: users.totp_secret/totp_enabled + user_recovery_codes - src/auth/totp.js: base32, secret gen, RFC 6238 verify, otpauth URI, recovery codes - src/auth/mfa-tickets.js: short-lived single-use tickets bridging the two login steps (in-memory, single-instance like the rate-limiter) - auth routes: /totp/setup, /totp/enable (returns recovery codes once), /totp/disable (password-confirmed); login returns {mfa_required, ticket} when enabled, /login/totp completes with a code or recovery code - /auth/me and loadUser surface totp_enabled - web-ui: login second-factor step; Settings -> Account TOTP enroll (QR + manual secret + recovery codes + disable) - qrcode added as an optional dep; setup degrades to manual entry if absent - tests: totp unit (RFC vectors) + integration (enable/login/recovery/disable) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 22:42:57 -04:00
`SELECT id, username, display_name, role, totp_enabled FROM users WHERE id = $1`, [id]);
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
return rows[0] || null;
}
export async function requireAuth(req, res, next) {
fix(playout): repair failover, authenticate scheduler self-calls, fix playlist walk + CasparCG consumer syntax Post-review fixes for the 8-commit playout-mcr drop: - Scheduler self-calls (callSelf -> /recorders, /playout) carried no auth, so under AUTH_ENABLED=true requireUiHeader 403'd every mutating POST. This broke playout failover AND scheduled recordings. Add a per-boot in-process service token (x-internal-token) the scheduler attaches; requireAuth/requireUiHeader treat it as the seeded admin. No env/compose config needed. - Failover deadlocked: restartChannel set status='starting' then the scheduler called the guarded /start route, which 409s on 'starting'. Extract the spawn body into spawnChannelSidecar() shared by /start and restartChannel; failover now spawns directly with no self-call. - Phase A playlist stalled after 2 clips: _scheduleAdvance cued the next clip via LOADBG AUTO but never advanced the pointer. Pass asset_duration_ms in the /play payload and arm a duration-based timer that advances currentIndex and cues subsequent clips, keeping as-run in sync for arbitrary-length playlists. - CasparCG consumer syntax was invalid: "ADD <ch> FFMPEG" is the producer name, not a consumer keyword, and old -vcodec/-acodec short args are rejected. Use STREAM/FILE with -codec:v / -codec:a / -preset:v / -tune:v and a format=yuv420p filter ahead of libx264 (channel output is RGBA). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 10:51:35 -04:00
// Internal loopback self-call (scheduler). Acts as the seeded admin so RBAC
// and FK-bearing routes work, regardless of AUTH_ENABLED.
if (isInternalCall(req)) {
req.user = DEV_USER;
return next();
}
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
// Dev mode — attach the seeded dev user so FK-bearing routes work.
if (process.env.AUTH_ENABLED !== 'true') {
req.user = DEV_USER;
return next();
}
// 1. Session
if (req.session?.user_id) {
const now = Date.now();
const first = req.session.first_seen_at || 0;
const last = req.session.last_seen_at || 0;
if (now - first > ABSOLUTE_MS) return destroyAnd401(req, res);
if (now - last > IDLE_MS) return destroyAnd401(req, res);
const u = await loadUser(req.session.user_id);
if (!u) return destroyAnd401(req, res);
fix(mam-api): requireAuth — stamp last_seen_at after user confirmation Code-review feedback: writing last_seen_at = now before loadUser() lets the stamp persist if the lookup throws (resave:false still writes when modified), extending the idle window without confirming the user exists. Also clarify DEV_USER_ID is a specific placeholder, not a generic sentinel.
2026-05-27 14:04:15 -04:00
req.session.last_seen_at = now; // stamp only after user is confirmed; avoids extending idle window if loadUser throws or the user was deleted
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
req.user = u;
return next();
}
// 2. Bearer
const bearer = parseBearer(req.headers.authorization);
if (bearer) {
const hash = hashToken(bearer);
const { rows } = await pool.query(
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional.
2026-05-27 19:27:51 -04:00
`SELECT t.id AS token_id, t.user_id, t.expires_at, t.bound_hostname,
u.username, u.display_name, u.role
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
FROM api_tokens t JOIN users u ON u.id = t.user_id
WHERE t.token_hash = $1`, [hash]);
if (rows.length && (!rows[0].expires_at || rows[0].expires_at > new Date())) {
pool.query(`UPDATE api_tokens SET last_used_at = NOW() WHERE id = $1`, [rows[0].token_id])
.catch(err => console.error('[auth] token last_used_at update failed:', err.message));
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional.
2026-05-27 19:27:51 -04:00
req.user = {
id: rows[0].user_id,
username: rows[0].username,
display_name: rows[0].display_name,
role: rows[0].role,
};
// Per migration 019: tokens with a bound_hostname can only be used by
// node-agents reporting that hostname. The /cluster/heartbeat handler
// enforces this; we just surface the binding here.
if (rows[0].bound_hostname) req.tokenBoundHostname = rows[0].bound_hostname;
feat(mam-api): requireAuth middleware — session + bearer + idle/absolute timeout
2026-05-27 13:59:50 -04:00
return next();
}
}
// 3. Nothing matched
return res.status(401).json({ error: 'unauthorized' });
}
feat(mam-api): login rate limit + X-Requested-With CSRF header check
2026-05-27 14:58:02 -04:00
feat(mam-api,web-ui): per-project RBAC (v2 auth layer) Adds per-project access control on top of the flat v1 auth. admin keeps global access; editor/viewer are scoped to projects granted to them (direct or via group) at view (read-only) or edit (read-write) level. - migration 026: project_access table + access_level enum - src/auth/authz.js: central isAdmin/accessibleProjectIds/projectLevel/ assertProjectAccess - requireAdmin middleware; admin-gate /users, /auth/users, /groups - enforce scoping on projects, assets, bins (list filter + per-resource view/edit + create checks); gate bulk asset maintenance + batch-trim - grant API: GET/POST/DELETE /projects/:id/access - web-ui: hide admin nav for non-admins, admin-route bounce, project "Manage access" modal, rewrite Policies tab - tests: authz, project-access, assets-access (node:test, skip w/o DB) - deferred routers carry TODO(authz) markers; .env.example documents the service-token-needs-admin/grants requirement Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 22:37:36 -04:00
// Gate a route to admins only. requireAuth must run first (it sets req.user).
// 401 when unauthenticated, 403 when authenticated but not an admin.
export function requireAdmin(req, res, next) {
if (!req.user) return res.status(401).json({ error: 'unauthorized' });
if (req.user.role !== 'admin') return res.status(403).json({ error: 'forbidden' });
return next();
}
feat(mam-api): login rate limit + X-Requested-With CSRF header check
2026-05-27 14:58:02 -04:00
// Belt-and-suspenders CSRF: SameSite=Lax already blocks most cross-site
// cookie sends, but a custom header that no <form> can produce hardens
// against the edge cases. Applied to mutating verbs only.
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
const REQUIRED_HEADER = 'dragonflight-ui';
feat(auth): bound-hostname tokens for node-agent + return role from /me - requireAuth bearer path now selects api_tokens.bound_hostname and users.role, populates req.tokenBoundHostname and req.user.role. /cluster/heartbeat can now authenticate via a bound api_token (issued via POST /auth/tokens with bound_hostname). - routes/tokens.js POST accepts bound_hostname; GET returns it so users can see which tokens are bound. - Remove /cluster/heartbeat from SERVICE_PATHS so requireAuth runs on it (the bearer auth handles the gate; the heartbeat handler still enforces the body.hostname === bound match). - /auth/me now returns role (final-review I2). Closes the gap where every signed-in user appeared as 'viewer' in the UI regardless of actual role. - loadUser SELECTs role for session auth. - Backend tests still 37/15/0/22 — no test changes needed; existing token CRUD tests stay passing since bound_hostname is optional.
2026-05-27 19:27:51 -04:00
// Paths exempt from the CSRF header check. The bearer-auth exemption (above)
// already covers node-agent because it sends Authorization: Bearer; this set
// is the belt for any future service path that might call us without a
// bearer header. Today it just lets an unauthenticated heartbeat probe
// surface as a clean 401 from requireAuth instead of a confusing 403 CSRF.
fix(auth): final-review integration fixes — Users page alias + PATCH, CSRF on uploads + heartbeat, drop .bak Final-review findings: - Mount usersRouter at /api/v1/users in addition to /api/v1/auth/users so the existing SPA Users page works; add PATCH /:id for inline edits (display_name, role, password). - Add X-Requested-With: dragonflight-ui to raw XHR/fetch paths that bypass apiFetch (file uploads, SDK uploads, EDL export) — without it, requireUiHeader 403s before reaching the route. - Exempt SERVICE_PATHS (/cluster/heartbeat) from requireUiHeader so node-agent heartbeats keep working when NODE_TOKEN is unset. - Remove stale auth.js.bak.
2026-05-27 15:42:42 -04:00
const CSRF_EXEMPT_PATHS = new Set(['/cluster/heartbeat']);
feat(mam-api): login rate limit + X-Requested-With CSRF header check
2026-05-27 14:58:02 -04:00
export function requireUiHeader(req, res, next) {
if (!MUTATING.has(req.method)) return next();
fix(playout): repair failover, authenticate scheduler self-calls, fix playlist walk + CasparCG consumer syntax Post-review fixes for the 8-commit playout-mcr drop: - Scheduler self-calls (callSelf -> /recorders, /playout) carried no auth, so under AUTH_ENABLED=true requireUiHeader 403'd every mutating POST. This broke playout failover AND scheduled recordings. Add a per-boot in-process service token (x-internal-token) the scheduler attaches; requireAuth/requireUiHeader treat it as the seeded admin. No env/compose config needed. - Failover deadlocked: restartChannel set status='starting' then the scheduler called the guarded /start route, which 409s on 'starting'. Extract the spawn body into spawnChannelSidecar() shared by /start and restartChannel; failover now spawns directly with no self-call. - Phase A playlist stalled after 2 clips: _scheduleAdvance cued the next clip via LOADBG AUTO but never advanced the pointer. Pass asset_duration_ms in the /play payload and arm a duration-based timer that advances currentIndex and cues subsequent clips, keeping as-run in sync for arbitrary-length playlists. - CasparCG consumer syntax was invalid: "ADD <ch> FFMPEG" is the producer name, not a consumer keyword, and old -vcodec/-acodec short args are rejected. Use STREAM/FILE with -codec:v / -codec:a / -preset:v / -tune:v and a format=yuv420p filter ahead of libx264 (channel output is RGBA). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 10:51:35 -04:00
// Internal loopback self-call (scheduler) — not a browser, can't be drive-by'd.
if (isInternalCall(req)) return next();
feat(mam-api): login rate limit + X-Requested-With CSRF header check
2026-05-27 14:58:02 -04:00
// Bearer-authed requests (Premiere panel, scripts) are exempt — they're not
// browsers and can't be drive-by'd from another origin.
if (req.headers.authorization?.toLowerCase().startsWith('bearer ')) return next();
fix(auth): final-review integration fixes — Users page alias + PATCH, CSRF on uploads + heartbeat, drop .bak Final-review findings: - Mount usersRouter at /api/v1/users in addition to /api/v1/auth/users so the existing SPA Users page works; add PATCH /:id for inline edits (display_name, role, password). - Add X-Requested-With: dragonflight-ui to raw XHR/fetch paths that bypass apiFetch (file uploads, SDK uploads, EDL export) — without it, requireUiHeader 403s before reaching the route. - Exempt SERVICE_PATHS (/cluster/heartbeat) from requireUiHeader so node-agent heartbeats keep working when NODE_TOKEN is unset. - Remove stale auth.js.bak.
2026-05-27 15:42:42 -04:00
// Service path carve-outs (e.g. node-agent heartbeat — not a browser).
if (CSRF_EXEMPT_PATHS.has(req.path)) return next();
feat(mam-api): login rate limit + X-Requested-With CSRF header check
2026-05-27 14:58:02 -04:00
if (req.headers['x-requested-with'] === REQUIRED_HEADER) return next();
return res.status(403).json({ error: 'missing X-Requested-With header' });
}
Reference in a new issue Copy permalink