KI-AGENT: Zentralen Push-Server Stack ergänzen

push-server/apps/api/src/lib/auth.ts

@@ -0,0 +1,52 @@
+import type { FastifyReply, FastifyRequest } from "fastify";
+import { eq } from "drizzle-orm";
+import { pushInstances } from "@fedeo/push-db";
+import { env } from "../config/env.js";
+import { db } from "../db/client.js";
+import { decryptSecret, hmacSha256, secureEqual, sha256 } from "./crypto.js";
+
+export async function requireAdmin(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+  const token = request.headers.authorization?.replace(/^Bearer\s+/i, "") || String(request.headers["x-admin-token"] || "");
+  if (!token || !secureEqual(token, env.ADMIN_TOKEN)) {
+    await reply.code(401).send({ error: "admin_unauthorized", message: "Admin-Token fehlt oder ist ungültig." });
+  }
+}
+
+export async function requireInstance(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+  const instanceId = String(request.headers["x-fedeo-instance-id"] || "");
+  const timestamp = String(request.headers["x-fedeo-timestamp"] || "");
+  const signature = String(request.headers["x-fedeo-signature"] || "");
+
+  if (!instanceId || !timestamp || !signature) {
+    await reply.code(401).send({ error: "instance_auth_missing", message: "Instanzsignatur fehlt." });
+    return;
+  }
+
+  const timestampMs = Date.parse(timestamp);
+  if (!Number.isFinite(timestampMs) || Math.abs(Date.now() - timestampMs) > 5 * 60 * 1000) {
+    await reply.code(401).send({ error: "instance_timestamp_invalid", message: "Instanzsignatur ist abgelaufen oder ungültig." });
+    return;
+  }
+
+  const [instance] = await db.select().from(pushInstances).where(eq(pushInstances.instanceId, instanceId)).limit(1);
+  if (!instance || instance.status !== "active") {
+    await reply.code(403).send({ error: "instance_not_allowed", message: "Instanz ist nicht aktiv." });
+    return;
+  }
+
+  const path = request.url.split("?")[0] || request.url;
+  const bodyHash = sha256(request.rawBody || "");
+  const canonical = [request.method.toUpperCase(), path, timestamp, bodyHash, instanceId].join("\n");
+  const secrets = [instance.currentSecretEncrypted, instance.nextSecretEncrypted].filter(Boolean) as string[];
+  const accepted = secrets.some((encrypted) => {
+    const expected = hmacSha256(decryptSecret(encrypted), canonical);
+    return secureEqual(signature, expected);
+  });
+
+  if (!accepted) {
+    await reply.code(401).send({ error: "instance_signature_invalid", message: "Instanzsignatur ist ungültig." });
+    return;
+  }
+
+  request.pushInstance = instance;
+}

push-server/apps/api/src/lib/crypto.ts

@@ -0,0 +1,39 @@
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import { env } from "../config/env.js";
+
+function key(): Buffer {
+  return createHash("sha256").update(env.PUSH_SECRET_ENCRYPTION_KEY).digest();
+}
+
+export function encryptSecret(value: string): string {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key(), iv);
+  const encrypted = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return [iv.toString("base64url"), tag.toString("base64url"), encrypted.toString("base64url")].join(".");
+}
+
+export function decryptSecret(value: string): string {
+  const [ivRaw, tagRaw, encryptedRaw] = value.split(".");
+  if (!ivRaw || !tagRaw || !encryptedRaw) throw new Error("Ungültiges Secret-Format");
+  const decipher = createDecipheriv("aes-256-gcm", key(), Buffer.from(ivRaw, "base64url"));
+  decipher.setAuthTag(Buffer.from(tagRaw, "base64url"));
+  return Buffer.concat([
+    decipher.update(Buffer.from(encryptedRaw, "base64url")),
+    decipher.final(),
+  ]).toString("utf8");
+}
+
+export function sha256(input: string): string {
+  return createHash("sha256").update(input).digest("hex");
+}
+
+export function hmacSha256(secret: string, input: string): string {
+  return createHmac("sha256", secret).update(input).digest("hex");
+}
+
+export function secureEqual(a: string, b: string): boolean {
+  const left = Buffer.from(a);
+  const right = Buffer.from(b);
+  return left.length === right.length && timingSafeEqual(left, right);
+}

push-server/apps/api/src/lib/ids.ts

@@ -0,0 +1,13 @@
+import { randomBytes } from "node:crypto";
+
+export function createPublicId(prefix: string): string {
+  return `${prefix}_${randomBytes(16).toString("base64url")}`;
+}
+
+export function createClientSecret(): string {
+  return `fps_${randomBytes(32).toString("base64url")}`;
+}
+
+export function previewSecret(secret: string): string {
+  return `${secret.slice(0, 7)}...${secret.slice(-6)}`;
+}