singularity-forge/web/lib/auth-guard.ts

// SF Web — Inline auth token verification for sensitive API routes
// Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>

/**
 * Defense-in-depth auth check for critical API routes (shutdown, update, etc.).
 *
 * The primary auth gate is Next.js middleware (web/middleware.ts). This helper
 * provides a second layer so that even if middleware is misconfigured or
 * bypassed, sensitive endpoints still reject unauthenticated requests.
 *
 * Returns a 401 Response if the token is missing or invalid, or null if auth
 * passes (or no token is configured).
 */
export function verifyAuthToken(request: Request): Response | null {
	const expectedToken = process.env.SF_WEB_AUTH_TOKEN;
	if (!expectedToken) {
		// No token configured (e.g. dev mode) — allow through
		return null;
	}

	let token: string | null = null;

	// 1. Authorization header (preferred)
	const authHeader = request.headers.get("authorization");
	if (authHeader?.startsWith("Bearer ")) {
		token = authHeader.slice(7);
	}

	// 2. Query parameter fallback for EventSource / sendBeacon
	if (!token) {
		try {
			const url = new URL(request.url);
			token = url.searchParams.get("_token");
		} catch {
			// Malformed URL — reject
		}
	}

	if (!token || token !== expectedToken) {
		return Response.json({ error: "Unauthorized" }, { status: 401 });
	}

	return null;
}
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/, @singularity-forge/ * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 14:54:20 +02:00			`// SF Web — Inline auth token verification for sensitive API routes`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00			`// Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>`

			`/**`
			`* Defense-in-depth auth check for critical API routes (shutdown, update, etc.).`
			`*`
			`* The primary auth gate is Next.js middleware (web/middleware.ts). This helper`
			`* provides a second layer so that even if middleware is misconfigured or`
			`* bypassed, sensitive endpoints still reject unauthenticated requests.`
			`*`
			`* Returns a 401 Response if the token is missing or invalid, or null if auth`
			`* passes (or no token is configured).`
			`*/`
			`export function verifyAuthToken(request: Request): Response \| null {`
style: format repository with biome 2026-05-05 14:31:16 +02:00			`const expectedToken = process.env.SF_WEB_AUTH_TOKEN;`
			`if (!expectedToken) {`
			`// No token configured (e.g. dev mode) — allow through`
			`return null;`
			`}`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00
style: format repository with biome 2026-05-05 14:31:16 +02:00			`let token: string \| null = null;`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00
style: format repository with biome 2026-05-05 14:31:16 +02:00			`// 1. Authorization header (preferred)`
			`const authHeader = request.headers.get("authorization");`
			`if (authHeader?.startsWith("Bearer ")) {`
			`token = authHeader.slice(7);`
			`}`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00
style: format repository with biome 2026-05-05 14:31:16 +02:00			`// 2. Query parameter fallback for EventSource / sendBeacon`
			`if (!token) {`
			`try {`
			`const url = new URL(request.url);`
			`token = url.searchParams.get("_token");`
			`} catch {`
			`// Malformed URL — reject`
			`}`
			`}`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00
style: format repository with biome 2026-05-05 14:31:16 +02:00			`if (!token \|\| token !== expectedToken) {`
			`return Response.json({ error: "Unauthorized" }, { status: 401 });`
			`}`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00
style: format repository with biome 2026-05-05 14:31:16 +02:00			`return null;`
fix(security): activate auth middleware and harden shutdown/update routes (#4023) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-13 06:52:43 -05:00			`}`