import { verifyDeviceSignature } from "../../../infra/device-identity.js"; import type { AuthRateLimiter } from "../../auth-rate-limit.js"; import type { GatewayAuthResult } from "../../auth.js"; import { buildDeviceAuthPayload, buildDeviceAuthPayloadV3 } from "../../device-auth.js"; import { isLoopbackAddress } from "../../net.js"; import type { ConnectParams } from "../../protocol/index.js"; import type { AuthProvidedKind } from "./auth-messages.js"; export const BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP = "198.18.0.1"; export type HandshakeBrowserSecurityContext = { hasBrowserOriginHeader: boolean; enforceOriginCheckForAnyClient: boolean; rateLimitClientIp: string | undefined; authRateLimiter?: AuthRateLimiter; }; type HandshakeConnectAuth = { token?: string; bootstrapToken?: string; deviceToken?: string; password?: string; }; export function resolveHandshakeBrowserSecurityContext(params: { requestOrigin?: string; clientIp: string | undefined; rateLimiter?: AuthRateLimiter; browserRateLimiter?: AuthRateLimiter; }): HandshakeBrowserSecurityContext { const hasBrowserOriginHeader = Boolean( params.requestOrigin && params.requestOrigin.trim() !== "", ); return { hasBrowserOriginHeader, enforceOriginCheckForAnyClient: hasBrowserOriginHeader, rateLimitClientIp: hasBrowserOriginHeader && isLoopbackAddress(params.clientIp) ? BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP : params.clientIp, authRateLimiter: hasBrowserOriginHeader && params.browserRateLimiter ? params.browserRateLimiter : params.rateLimiter, }; } export function shouldAllowSilentLocalPairing(params: { isLocalClient: boolean; hasBrowserOriginHeader: boolean; isControlUi: boolean; isWebchat: boolean; reason: "not-paired" | "role-upgrade" | "scope-upgrade" | "metadata-upgrade"; }): boolean { return ( params.isLocalClient && (!params.hasBrowserOriginHeader || params.isControlUi || params.isWebchat) && (params.reason === "not-paired" || params.reason === "scope-upgrade") ); } function resolveSignatureToken(connectParams: ConnectParams): string | null { return ( connectParams.auth?.token ?? connectParams.auth?.deviceToken ?? connectParams.auth?.bootstrapToken ?? null ); } function buildUnauthorizedHandshakeContext(params: { authProvided: AuthProvidedKind; canRetryWithDeviceToken: boolean; recommendedNextStep: | "retry_with_device_token" | "update_auth_configuration" | "update_auth_credentials" | "wait_then_retry" | "review_auth_configuration"; }) { return { authProvided: params.authProvided, canRetryWithDeviceToken: params.canRetryWithDeviceToken, recommendedNextStep: params.recommendedNextStep, }; } export function resolveDeviceSignaturePayloadVersion(params: { device: { id: string; signature: string; publicKey: string; }; connectParams: ConnectParams; role: string; scopes: string[]; signedAtMs: number; nonce: string; }): "v3" | "v2" | null { const signatureToken = resolveSignatureToken(params.connectParams); const basePayload = { deviceId: params.device.id, clientId: params.connectParams.client.id, clientMode: params.connectParams.client.mode, role: params.role, scopes: params.scopes, signedAtMs: params.signedAtMs, token: signatureToken, nonce: params.nonce, }; const payloadV3 = buildDeviceAuthPayloadV3({ ...basePayload, platform: params.connectParams.client.platform, deviceFamily: params.connectParams.client.deviceFamily, }); if (verifyDeviceSignature(params.device.publicKey, payloadV3, params.device.signature)) { return "v3"; } const payloadV2 = buildDeviceAuthPayload(basePayload); if (verifyDeviceSignature(params.device.publicKey, payloadV2, params.device.signature)) { return "v2"; } return null; } export function resolveAuthProvidedKind( connectAuth: HandshakeConnectAuth | null | undefined, ): AuthProvidedKind { return connectAuth?.password ? "password" : connectAuth?.token ? "token" : connectAuth?.bootstrapToken ? "bootstrap-token" : connectAuth?.deviceToken ? "device-token" : "none"; } export function resolveUnauthorizedHandshakeContext(params: { connectAuth: HandshakeConnectAuth | null | undefined; failedAuth: GatewayAuthResult; hasDeviceIdentity: boolean; }): { authProvided: AuthProvidedKind; canRetryWithDeviceToken: boolean; recommendedNextStep: | "retry_with_device_token" | "update_auth_configuration" | "update_auth_credentials" | "wait_then_retry" | "review_auth_configuration"; } { const authProvided = resolveAuthProvidedKind(params.connectAuth); const canRetryWithDeviceToken = params.failedAuth.reason === "token_mismatch" && params.hasDeviceIdentity && authProvided === "token" && !params.connectAuth?.deviceToken; if (canRetryWithDeviceToken) { return buildUnauthorizedHandshakeContext({ authProvided, canRetryWithDeviceToken, recommendedNextStep: "retry_with_device_token", }); } switch (params.failedAuth.reason) { case "token_missing": case "token_missing_config": case "password_missing": case "password_missing_config": return buildUnauthorizedHandshakeContext({ authProvided, canRetryWithDeviceToken, recommendedNextStep: "update_auth_configuration", }); case "token_mismatch": case "password_mismatch": case "device_token_mismatch": return buildUnauthorizedHandshakeContext({ authProvided, canRetryWithDeviceToken, recommendedNextStep: "update_auth_credentials", }); case "rate_limited": return buildUnauthorizedHandshakeContext({ authProvided, canRetryWithDeviceToken, recommendedNextStep: "wait_then_retry", }); default: return buildUnauthorizedHandshakeContext({ authProvided, canRetryWithDeviceToken, recommendedNextStep: "review_auth_configuration", }); } }