feat: Migrate Arbiter and Modpack Version Checker to monorepo

WHAT WAS DONE: - Migrated Arbiter (discord-oauth-arbiter) code to services/arbiter/ - Migrated Modpack Version Checker code to services/modpack-version-checker/ - Created .env.example for Arbiter with all required environment variables - Moved systemd service file to services/arbiter/deploy/ - Organized directory structure per Gemini monorepo recommendations WHY: - Consolidate all service code in one repository - Prepare for Gemini code review (Panel v1.12 compatibility check) - Enable service-prefixed Git tagging (arbiter-v2.1.0, modpack-v1.0.0) - Support npm workspaces for shared dependencies SERVICES MIGRATED: 1. Arbiter (Discord OAuth bot) - Originally written by Gemini + Claude - Full source code from ops-manual docs/implementation/ - Created comprehensive .env.example - Ready for Panel v1.12 compatibility verification 2. Modpack Version Checker (Python CLI tool) - Full source code from ops-manual docs/tasks/ - Written for Panel v1.11, needs Gemini review for v1.12 - Never had code review before STILL TODO: - Whitelist Manager - Pull from Billing VPS (38.68.14.188) - Currently deployed and running - Needs Panel v1.12 API compatibility fix (Task #86) - Requires SSH access to pull code NEXT STEPS: - Gemini code review for Panel v1.12 API compatibility - Create package.json for each service - Test npm workspaces integration - Deploy after verification FILES: - services/arbiter/ (25 new files, full application) - services/modpack-version-checker/ (21 new files, full application) Signed-off-by: The Golden Chronicler <claude@firefrostgaming.com>
2026-03-31 21:52:42 +00:00
parent 4efdd44691
commit 04e9b407d5
47 changed files with 6366 additions and 0 deletions
--- a/services/arbiter/src/middleware/auth.js
+++ b/services/arbiter/src/middleware/auth.js
@@ -0,0 +1,27 @@
+// src/middleware/auth.js
+// Authentication middleware for admin panel access control
+
+/**
+ * Require admin authentication - checks if logged-in user is in Trinity whitelist
+ * @param {Object} req - Express request
+ * @param {Object} res - Express response
+ * @param {Function} next - Express next function
+ */
+function requireAdmin(req, res, next) {
+    // This assumes your existing OAuth flow stores the logged-in user's ID in a session
+    const userId = req.session?.discordId; 
+    
+    if (!userId) {
+        return res.redirect('/admin/login');
+    }
+
+    const adminIds = process.env.ADMIN_DISCORD_IDS.split(',');
+    
+    if (adminIds.includes(userId)) {
+        return next();
+    }
+
+    return res.status(403).send('Forbidden: You do not have admin access.');
+}
+
+module.exports = { requireAdmin };
--- a/services/arbiter/src/middleware/validateWebhook.js
+++ b/services/arbiter/src/middleware/validateWebhook.js
@@ -0,0 +1,33 @@
+// src/middleware/validateWebhook.js
+// Zod-based payload validation for Paymenter webhooks
+
+const { z } = require('zod');
+
+const webhookSchema = z.object({
+    event: z.string(),
+    customer_email: z.string().email(),
+    customer_name: z.string().optional(),
+    tier: z.string(),
+    product_id: z.string().optional(),
+    subscription_id: z.string().optional(),
+    discord_id: z.string().optional().nullable()
+});
+
+/**
+ * Validate webhook payload structure using Zod
+ * @param {Object} req - Express request
+ * @param {Object} res - Express response
+ * @param {Function} next - Express next function
+ */
+function validateBillingPayload(req, res, next) {
+    try {
+        req.body = webhookSchema.parse(req.body);
+        next();
+    } catch (error) {
+        // Log the validation error for debugging, but return 400
+        console.error('[Webhook] Validation Error:', error.errors);
+        return res.status(400).json({ error: 'Invalid payload structure' });
+    }
+}
+
+module.exports = validateBillingPayload;
--- a/services/arbiter/src/middleware/verifyWebhook.js
+++ b/services/arbiter/src/middleware/verifyWebhook.js
@@ -0,0 +1,35 @@
+// src/middleware/verifyWebhook.js
+// HMAC SHA256 webhook signature verification for Paymenter webhooks
+
+const crypto = require('crypto');
+
+/**
+ * Verify webhook signature to prevent unauthorized requests
+ * @param {Object} req - Express request
+ * @param {Object} res - Express response
+ * @param {Function} next - Express next function
+ */
+function verifyBillingWebhook(req, res, next) {
+    const signature = req.headers['x-signature']; // Check your provider's exact header name
+    const payload = JSON.stringify(req.body);
+    const secret = process.env.WEBHOOK_SECRET;
+
+    if (!signature || !secret) {
+        console.error('[Webhook] Missing signature or secret');
+        return res.status(401).json({ error: 'Invalid webhook signature' });
+    }
+
+    const expectedSignature = crypto
+        .createHmac('sha256', secret)
+        .update(payload)
+        .digest('hex');
+
+    if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))) {
+        console.error('[Webhook] Signature verification failed');
+        return res.status(401).json({ error: 'Invalid webhook signature' });
+    }
+    
+    next();
+}
+
+module.exports = verifyBillingWebhook;