Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
819345acfab41d0efa6a73c48af6d8a72e25d069
Nexus/packages/api/src/ai-client.ts
T
Hartmut 9d43e4b113 feat: ACN Application Security Standard V7.30 compliance (19/23 items) 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00

120 lines
5.3 KiB
TypeScript
Raw Blame History

import OpenAI, { AzureOpenAI } from "openai";
import { logger } from "./lib/logger.js";
type AiSettings = {
aiProvider?: string | null;
azureOpenAiEndpoint?: string | null;
azureOpenAiDeployment?: string | null;
azureOpenAiApiKey?: string | null;
azureApiVersion?: string | null;
aiMaxCompletionTokens?: number | null;
aiTemperature?: number | null;
azureDalleDeployment?: string | null;
azureDalleEndpoint?: string | null;
azureDalleApiKey?: string | null;
};
/** Returns true if the settings have enough information to make an API call. */
export function isAiConfigured(settings: AiSettings | null | undefined): boolean {
if (!settings?.azureOpenAiApiKey || !settings.azureOpenAiDeployment) return false;
if (settings.aiProvider === "azure" && !settings.azureOpenAiEndpoint) return false;
return true;
}
/** Instantiates the right OpenAI client based on the stored provider setting. */
export function createAiClient(settings: AiSettings): OpenAI {
if (settings.aiProvider === "azure") {
return new AzureOpenAI({
endpoint: settings.azureOpenAiEndpoint!,
apiKey: settings.azureOpenAiApiKey!,
apiVersion: settings.azureApiVersion ?? "2025-01-01-preview",
deployment: settings.azureOpenAiDeployment!,
});
}
// Default: regular OpenAI (sk-... key)
return new OpenAI({ apiKey: settings.azureOpenAiApiKey! });
}
/** Returns true if DALL-E image generation is configured. */
export function isDalleConfigured(settings: AiSettings | null | undefined): boolean {
if (!settings) return false;
// DALL-E needs its own deployment (or a non-Azure key with model name)
if (settings.aiProvider === "azure") {
return !!(settings.azureDalleDeployment && (settings.azureDalleEndpoint || settings.azureOpenAiEndpoint) && (settings.azureDalleApiKey || settings.azureOpenAiApiKey));
}
// For direct OpenAI, the chat API key works for DALL-E too
return !!settings.azureOpenAiApiKey;
}
/** Creates an OpenAI client configured for DALL-E image generation. */
export function createDalleClient(settings: AiSettings): OpenAI {
if (settings.aiProvider === "azure") {
const endpoint = settings.azureDalleEndpoint || settings.azureOpenAiEndpoint!;
const apiKey = settings.azureDalleApiKey || settings.azureOpenAiApiKey!;
return new AzureOpenAI({
endpoint,
apiKey,
apiVersion: settings.azureApiVersion ?? "2025-01-01-preview",
deployment: settings.azureDalleDeployment!,
});
}
return new OpenAI({ apiKey: settings.azureOpenAiApiKey! });
}
/**
* Wraps an external AI API call with timing and structured logging.
* Use this around any chat.completions.create / images.generate / responses.create call.
*/
export async function loggedAiCall<T>(
provider: string,
model: string,
promptLength: number,
fn: () => Promise<T>,
): Promise<T> {
const start = performance.now();
try {
const result = await fn();
const responseTimeMs = Math.round(performance.now() - start);
logger.info({ provider, model, promptLength, responseTimeMs }, "External API call");
return result;
} catch (err) {
const responseTimeMs = Math.round(performance.now() - start);
const errorMessage = err instanceof Error ? err.message : String(err);
logger.warn({ provider, model, promptLength, responseTimeMs, errorMessage }, "External API call failed");
throw err;
}
}
/** Turns raw API errors into actionable human-readable messages. */
export function parseAiError(err: unknown): string {
const msg = err instanceof Error ? err.message : String(err);
const lower = msg.toLowerCase();
if (lower.includes("401") || lower.includes("unauthorized") || lower.includes("invalid_api_key") || lower.includes("incorrect api key")) {
return "Invalid API key — make sure you copied it correctly from your provider's dashboard.";
}
if (lower.includes("insufficient_quota") || lower.includes("exceeded your current quota") || lower.includes("billing")) {
return "Account quota exceeded or billing issue — check your usage limits at platform.openai.com.";
}
if (lower.includes("403") || lower.includes("forbidden")) {
return "Access denied — your key may not have permission to use this model/deployment.";
}
if (lower.includes("deploymentnotfound") || lower.includes("model_not_found") || (lower.includes("404") && lower.includes("deployment"))) {
return "Deployment not found — check the deployment name matches exactly what's configured in Azure.";
}
if (lower.includes("404") || lower.includes("not found")) {
return "Model not found — verify the model name (e.g. gpt-4o-mini) is correct and available on your account.";
}
if (lower.includes("429") || lower.includes("rate limit") || lower.includes("ratelimiterror")) {
return "Rate limit exceeded — wait a moment and try again.";
}
if (lower.includes("econnrefused") || lower.includes("enotfound") || lower.includes("fetch failed") || lower.includes("failed to fetch")) {
return "Cannot reach the API endpoint — check the endpoint URL and your network connection.";
}
if (lower.includes("context_length_exceeded") || lower.includes("maximum context")) {
return "Request too large — the prompt exceeded the model's context limit.";
}
// Fall back to the raw message but strip noise
return msg.replace(/^Error: /, "").slice(0, 300);
}
Reference in New Issue View Git Blame Copy Permalink