Merge branch 'main' of github.com:Portkey-AI/gateway into feat/ft-batch-improvements

Author: b4s36t4

conf.json

@@ -7,7 +7,8 @@
     "pillar",
     "patronus",
     "pangea",
-    "promptsecurity"
+    "promptsecurity",
+    "panw-prisma-airs"
   ],
   "credentials": {
     "portkey": {

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@portkey-ai/gateway",
-  "version": "1.9.18",
+  "version": "1.9.19",
   "description": "A fast AI gateway by Portkey",
   "repository": {
     "type": "git",
@@ -51,6 +51,7 @@
     "async-retry": "^1.3.3",
     "avsc": "^5.7.7",
     "hono": "^4.6.10",
+    "jose": "^6.0.11",
     "patch-package": "^8.0.0",
     "ws": "^8.18.0",
     "zod": "^3.22.4"

package.json

@@ -13,8 +13,7 @@ import { handler as endsWithHandler } from './endsWith';
 import { handler as allLowerCaseHandler } from './alllowercase';
 import { handler as modelWhitelistHandler } from './modelWhitelist';
 import { handler as characterCountHandler } from './characterCount';
-
-import { z } from 'zod';
+import { handler as jwtHandler } from './jwt';
 import { PluginContext, PluginParameters } from '../types';
 
 describe('Regex Matcher Plugin', () => {
@@ -2315,3 +2314,156 @@ describe('endsWith handler', () => {
     });
   });
 });
+
+describe('jwt handler', () => {
+  const mockEventType = 'beforeRequestHook';
+
+  it('should validate a valid JWT token', async () => {
+    const context: PluginContext = {
+      headers: {
+        Authorization:
+          'Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
+      },
+    };
+    const parameters: PluginParameters = {
+      jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+      headerKey: 'Authorization',
+    };
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).toBe(null);
+    expect(result.verdict).toBe(true);
+    expect(result.data).toMatchObject({
+      verdict: true,
+      explanation: 'JWT token validation succeeded',
+      payload: expect.any(Object),
+    });
+  });
+
+  it('should handle missing authorization header', async () => {
+    const context: PluginContext = {
+      headers: {},
+    };
+    const parameters: PluginParameters = {
+      jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+    };
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).not.toBe(null);
+    expect(result.verdict).toBe(false);
+    expect(result.data).toMatchObject({
+      verdict: false,
+      explanation: 'JWT validation error: Missing authorization header',
+    });
+  });
+
+  it('should handle invalid authorization header format', async () => {
+    const context: PluginContext = {
+      headers: {
+        Authorization: 'InvalidFormat',
+      },
+    };
+    const parameters: PluginParameters = {
+      jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+    };
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).not.toBe(null);
+    expect(result.verdict).toBe(false);
+    expect(result.data).toMatchObject({
+      verdict: false,
+      explanation: 'JWT validation error: Invalid authorization header format',
+    });
+  });
+
+  it('should handle missing JWKS URI', async () => {
+    const context: PluginContext = {
+      headers: {
+        Authorization: 'Bearer valid.token.here',
+      },
+    };
+    const parameters: PluginParameters = {};
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).not.toBe(null);
+    expect(result.verdict).toBe(false);
+    expect(result.data).toMatchObject({
+      verdict: false,
+      explanation: 'JWT validation error: Missing JWKS URI',
+    });
+  });
+
+  it('should use custom header key from parameters', async () => {
+    const context: PluginContext = {
+      headers: {
+        'X-Custom-Auth':
+          'Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
+      },
+    };
+    const parameters: PluginParameters = {
+      jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+      headerKey: 'X-Custom-Auth',
+    };
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).toBe(null);
+    expect(result.verdict).toBe(true);
+    expect(result.data).toMatchObject({
+      verdict: true,
+      explanation: 'JWT token validation succeeded',
+      payload: expect.any(Object),
+    });
+  });
+
+  it('should use environment variables when parameters not provided', async () => {
+    process.env.JWT_AUTH_HEADER = 'X-Env-Auth';
+    process.env.JWT_JWKS_URI = 'https://www.googleapis.com/oauth2/v3/certs';
+
+    const context: PluginContext = {
+      headers: {
+        'X-Env-Auth':
+          'Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
+      },
+    };
+    const parameters: PluginParameters = {};
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).toBe(null);
+    expect(result.verdict).toBe(true);
+    expect(result.data).toMatchObject({
+      verdict: true,
+      explanation: 'JWT token validation succeeded',
+      payload: expect.any(Object),
+    });
+
+    // Clean up
+    delete process.env.JWT_AUTH_HEADER;
+    delete process.env.JWT_JWKS_URI;
+  });
+
+  it('should handle invalid JWKS URI', async () => {
+    const context: PluginContext = {
+      headers: {
+        Authorization: 'Bearer valid.token.here',
+      },
+    };
+    const parameters: PluginParameters = {
+      jwksUri: 'https://invalid-jwks-uri.example.com/keys',
+    };
+
+    const result = await jwtHandler(context, parameters, mockEventType);
+
+    expect(result.error).not.toBe(null);
+    expect(result.verdict).toBe(false);
+    expect(result.data).toMatchObject({
+      verdict: false,
+      explanation: expect.stringContaining('JWT validation error'),
+    });
+  });
+});

plugins/default/default.test.ts

@@ -0,0 +1,137 @@
+import { PluginContext, PluginHandler, PluginParameters } from '../types';
+import { jwtVerify, importJWK, JWTHeaderParameters, JWK } from 'jose';
+
+interface JWKSCacheOptions {
+  maxAge: number; // seconds
+  clockTolerance?: number; // seconds
+  maxTokenAge?: string; // 1d, 1h, 1m, 1s
+}
+
+async function getMatchingKey(token: string, jwks: any) {
+  const header = JSON.parse(
+    Buffer.from(token.split('.')[0], 'base64url').toString()
+  ) as JWTHeaderParameters;
+  if (!header.kid) return null;
+  const jwk = (jwks.keys || []).find((key: JWK) => key.kid === header.kid);
+  if (!jwk) return null;
+  return importJWK(jwk, jwk.alg);
+}
+
+async function fetchAndCacheJWKS(
+  jwksUri: string,
+  cacheKey: string,
+  maxAge: number,
+  putInCacheWithValue?: Function
+) {
+  const res = await fetch(jwksUri);
+  if (!res.ok) throw new Error(`Failed to fetch JWKS from ${jwksUri}`);
+  const jwks = await res.json();
+  await putInCacheWithValue?.(cacheKey, jwks, maxAge);
+  return jwks;
+}
+
+export const handler: PluginHandler = async (
+  context: PluginContext,
+  parameters: PluginParameters,
+  eventType: string,
+  options
+) => {
+  let error = null;
+  let verdict = false;
+  let data = null;
+
+  try {
+    const jwtAuthHeader = parameters.headerKey || 'Authorization';
+    const jwksUri = parameters.jwksUri;
+    if (!jwksUri) throw new Error('Missing JWKS URI');
+
+    const authHeader = context.request?.headers?.[jwtAuthHeader];
+    if (!authHeader) {
+      return {
+        error,
+        verdict,
+        data: {
+          verdict: false,
+          explanation: 'Missing authorization header',
+        },
+      };
+    }
+
+    const token = authHeader.replace(/^Bearer\s+/i, '').trim();
+
+    const cacheKey = `jwks:${jwksUri}`;
+    const cacheOptions: JWKSCacheOptions = {
+      maxAge: parameters.cacheMaxAge || 86400, // 24h
+      clockTolerance: parameters.clockTolerance || 5, // 5s
+      maxTokenAge: parameters.maxTokenAge || '1d',
+    };
+
+    let jwks = await options?.getFromCacheByKey?.(cacheKey);
+    if (!jwks) {
+      jwks = await fetchAndCacheJWKS(
+        jwksUri,
+        cacheKey,
+        cacheOptions.maxAge,
+        options?.putInCacheWithValue
+      );
+    }
+
+    let key = null;
+    try {
+      key = await getMatchingKey(token, jwks);
+      if (!key) {
+        jwks = await fetchAndCacheJWKS(
+          jwksUri,
+          cacheKey,
+          cacheOptions.maxAge,
+          options?.putInCacheWithValue
+        );
+        key = await getMatchingKey(token, jwks);
+      }
+
+      if (!key) {
+        return {
+          error,
+          verdict,
+          data: {
+            verdict: false,
+            explanation: 'No matching key found for kid',
+          },
+        };
+      }
+    } catch (e: any) {
+      return {
+        error: e,
+        verdict,
+        data: {
+          verdict: false,
+          explanation: `JWT validation error: ${e.message}`,
+        },
+      };
+    }
+
+    try {
+      await jwtVerify(token, key, {
+        clockTolerance: cacheOptions.clockTolerance,
+        maxTokenAge: cacheOptions.maxTokenAge,
+      });
+      verdict = true;
+      data = {
+        verdict,
+        explanation: 'JWT token validation succeeded',
+      };
+    } catch (e: any) {
+      data = {
+        verdict: false,
+        explanation: `JWT validation error: ${e.message}`,
+      };
+    }
+  } catch (e: any) {
+    error = e;
+    data = {
+      verdict: false,
+      explanation: `JWT validation error: ${e.message}`,
+    };
+  }
+  return { error, verdict, data };
+};