From 363737efb6c153c59def60e67237c411c8287795 Mon Sep 17 00:00:00 2001 From: sirpiglr <49359077-sirpiglr@users.noreply.replit.com> Date: Sun, 14 Dec 2025 03:59:45 +0000 Subject: [PATCH] Add secure authentication and service endpoints for Nexus integration Implement Nexus API client and secure endpoints for token management, text scrubbing, IP checking, and activity logging, requiring AeThex session authentication. Replit-Commit-Author: Agent Replit-Commit-Session-Id: aed2e46d-25bb-4b73-81a1-bb9e8437c261 Replit-Commit-Checkpoint-Type: intermediate_checkpoint Replit-Commit-Event-Id: 4b61d3bd-c210-44e9-90e0-2e6834788822 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/3bdfff67-975a-46ad-9845-fbb6b4a4c4b5/aed2e46d-25bb-4b73-81a1-bb9e8437c261/wAz691s Replit-Helium-Checkpoint-Created: true --- aethex-bot/server/webServer.js | 155 +++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/aethex-bot/server/webServer.js b/aethex-bot/server/webServer.js index 718f0d5..ae9279b 100644 --- a/aethex-bot/server/webServer.js +++ b/aethex-bot/server/webServer.js @@ -6,6 +6,7 @@ const path = require('path'); const crypto = require('crypto'); const Stripe = require('stripe'); const { invalidateCooldownCache } = require('../utils/cooldownManager'); +const { NexusClient } = require('../utils/nexusClient'); function createWebServer(discordClient, supabase, options = {}) { const app = express(); @@ -3126,6 +3127,160 @@ function createWebServer(discordClient, supabase, options = {}) { res.sendFile(path.join(__dirname, '../public/index.html')); }); + // ============================================ + // NEXUS Security API Integration Routes + // ============================================ + const nexusClient = new NexusClient(); + + // Middleware: Require AeThex session authentication + const requireAethexAuth = (req, res, next) => { + if (!req.session.user) { + return res.status(401).json({ error: 'AeThex authentication required. Please log in via Discord OAuth.' }); + } + next(); + }; + + // Middleware: Require admin permissions (MANAGE_GUILD permission) + const requireAdmin = (req, res, next) => { + if (!req.session.user) { + return res.status(401).json({ error: 'Authentication required' }); + } + const guildId = req.query.guildId || req.body.guildId || req.params.guildId; + if (guildId) { + const guild = req.session.user.guilds?.find(g => g.id === guildId); + if (!guild || !guild.isAdmin) { + return res.status(403).json({ error: 'Admin permissions required for this guild' }); + } + } + next(); + }; + + // Authentication: Get token (requires AeThex session - for authenticated users only) + app.post('/api/nexus/token', requireAethexAuth, async (req, res) => { + try { + const result = await nexusClient.getToken(req.body); + res.json(result); + } catch (error) { + console.error('[NEXUS] Token error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Authentication: Refresh token (requires AeThex session) + app.post('/api/nexus/refresh', requireAethexAuth, async (req, res) => { + try { + const { refresh_token } = req.body; + if (!refresh_token) { + return res.status(400).json({ error: 'refresh_token required' }); + } + const result = await nexusClient.refreshToken(refresh_token); + res.json(result); + } catch (error) { + console.error('[NEXUS] Refresh error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Sentinel: Scrub text (requires AeThex session + NEXUS bearer token) + app.post('/api/nexus/scrub', requireAethexAuth, async (req, res) => { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: 'NEXUS Bearer token required' }); + } + const token = authHeader.split(' ')[1]; + + try { + const { text } = req.body; + if (!text) { + return res.status(400).json({ error: 'text required' }); + } + const result = await nexusClient.scrubText(text, token); + res.json(result); + } catch (error) { + console.error('[NEXUS] Scrub error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Sentinel: Check self IP (requires AeThex session + NEXUS bearer token) + app.get('/api/nexus/check-self', requireAethexAuth, async (req, res) => { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: 'NEXUS Bearer token required' }); + } + const token = authHeader.split(' ')[1]; + + try { + const result = await nexusClient.checkSelfIP(token); + res.json(result); + } catch (error) { + console.error('[NEXUS] Check-self error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Sentinel: Log activity (requires AeThex session + NEXUS bearer token) + app.post('/api/nexus/activity/log', requireAethexAuth, async (req, res) => { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: 'NEXUS Bearer token required' }); + } + const token = authHeader.split(' ')[1]; + + try { + const result = await nexusClient.logActivity(req.body, token); + res.json(result); + } catch (error) { + console.error('[NEXUS] Activity log error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Sentinel: Check IP blacklist (requires admin permissions + NEXUS bearer token) + app.get('/api/nexus/blacklist/check/:ip', requireAdmin, async (req, res) => { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: 'NEXUS Bearer token required' }); + } + const token = authHeader.split(' ')[1]; + + try { + const result = await nexusClient.checkIP(req.params.ip, token); + res.json(result); + } catch (error) { + console.error('[NEXUS] Blacklist check error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Sentinel: Get user snapshot (requires admin permissions + NEXUS bearer token) + app.get('/api/nexus/user-snapshot/:userId', requireAdmin, async (req, res) => { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: 'NEXUS Bearer token required' }); + } + const token = authHeader.split(' ')[1]; + + try { + const result = await nexusClient.getUserSnapshot(req.params.userId, token); + res.json(result); + } catch (error) { + console.error('[NEXUS] User snapshot error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + + // Public: Get NEXUS public stats (no auth required - public data only) + app.get('/api/nexus/public-stats', async (req, res) => { + try { + const result = await nexusClient.getPublicStats(); + res.json(result); + } catch (error) { + console.error('[NEXUS] Public stats error:', error.message); + res.status(400).json({ error: error.message }); + } + }); + // Catch-all route for SPA - use middleware instead of wildcard app.use((req, res, next) => { if (req.method === 'GET' && !req.path.startsWith('/api/')) {