feat: add authentication

Also remove extension/matrix mapping: it's now automatic after auth

Author: gsanchietti

README.md

@@ -12,13 +12,15 @@ The service authenticates to the Matrix homeserver as an **Application Service**
 
 The proxy is configured via environment variables. Minimal required env:
 
-- `MATRIX_HOMESERVER_URL`: URL of your Matrix homeserver (e.g. `https://matrix.example`)
+- `MATRIX_HOMESERVER_URL`: URL of your Matrix homeserver (e.g. `https://matrix.example`),
+  used also to derive the hostname when constructing Matrix IDs from external auth responses
 - `SUPER_ADMIN_TOKEN`: the Application Service `as_token` from your registration file
 - `PROXY_PORT` (optional): port to listen on (default: `8080`)
 - `AS_USER_ID` (optional): the user ID of the Application Service bot (default: `@_acrobits_proxy:matrix.example`)
 - `PROXY_URL` (optional): public-facing URL of this proxy (e.g. `https://matrix-proxy.example.com`) - **required for push notification support**
+ - `EXT_AUTH_URL` (optional): external HTTP endpoint used to validate extension+password for push token reports (default: `https://voice.gs.nethserver.net/freepbx/testextauth`)
+ - `EXT_AUTH_TIMEOUT_S` (optional): timeout in seconds for calls to `EXT_AUTH_URL` (default: `5`)
 - `LOGLEVEL` (optional): logging verbosity level - `DEBUG`, `INFO`, `WARNING`, `CRITICAL` (default: `INFO`)
-- `MAPPING_FILE` (optional): path to a JSON file containing -to-Matrix mappings to load at startup
 - `PUSH_TOKEN_DB_PATH` (optional): path to a database file for storing push tokens
 - `CACHE_TTL_SECONDS` (optional): time-to-live for in-memory cache entries (default: `3600` seconds)
 
@@ -49,20 +51,7 @@ The `LOGLEVEL` environment variable controls the verbosity of application logs:
 
 For debugging mapping and API issues, set `LOGLEVEL=DEBUG` to see detailed trace information.
 
-### Loading Mappings from File
 
-You can pre-load -to-Matrix mappings at startup by providing a `MAPPING_FILE` environment variable pointing to a JSON file. This is useful for initializing the proxy with a set of known mappings.
-
-See `docs/example-mappings.json` for an example format.
-
-Usage:
-
-```bash
-export MAPPING_FILE="/path/to/mappings.json"
-./matrix2acrobits
-```
-
-The loaded mappings will be logged at startup with the message: `mappings loaded from file count=N file=/path/to/mappings.json`
 
 ## Extra info
 
@@ -82,10 +71,52 @@ Implemented APIs:
 - https://doc.acrobits.net/api/client/send_message.html
 - https://doc.acrobits.net/api/client/push_token_reporter.html
 
+## Authentication
+
+All client API endpoints (`/api/client/fetch_messages`, `/api/client/send_message`, `/api/client/push_token_report`) require authentication via an external authentication service.
+
+### External Auth Flow
+
+When a client sends a request, the proxy:
+1. Extracts the `username` (extension) and `password` from the request.
+2. Calls `EXT_AUTH_URL` with a POST request containing JSON: `{"extension":"<username>","secret":"<password>"}`.
+3. On successful auth (200), parses the response for `main_extension`, `sub_extensions`, and `user_name`, which are converted into a mapping and saved.
+4. On failure (401 or other error), returns an authentication error and does NOT save the push token or create a mapping.
+5. Auth responses are cached in-memory for `CACHE_TTL_SECONDS` seconds to reduce external service load.
+
+### Request Requirements
+
+- **`/api/client/fetch_messages`**: Requires `username` and `password` fields.
+- **`/api/client/send_message`**: Requires `from` (sender extension/ID) and `password` fields.
+- **`/api/client/push_token_report`**: Requires `username` (extension) and `password` fields.
+
+If any request is missing a `password`, it fails with authentication error.
+
 ## TODO
 
 The following features are not yet implemented:
 
-- sendMessage: implement password validation on send messages, currently the password is ignored
 - when a private room is deleted, there is no way to send messages to the user
-- implement https://doc.acrobits.net/api/client/account_removal_reporter.html#account-removal-reporter-webservice
+- implement https://doc.acrobits.net/api/client/account_removal_reporter.html#account-removal-reporter-webservice
+
+Example minimal push token report request body (JSON):
+
+```json
+{
+	"username": "91201",
+	"password": "user-password",
+	"selector": "@alice:example.com",
+	"token_msgs": "token123",
+	"app_id_msgs": "com.acrobits.softphone"
+}
+```
+
+Environment example for running with external auth and Matrix host:
+
+```bash
+export MATRIX_HOMESERVER_URL="https://matrix.example.com"
+export EXT_AUTH_URL="https://voice.gs.nethserver.net/freepbx/testextauth"
+export EXT_AUTH_TIMEOUT_S=5
+export CACHE_TTL_SECONDS=3600
+./matrix2acrobits
+```

agents.md

@@ -101,9 +101,13 @@ export LOGLEVEL=INFO  # DEBUG, INFO, WARNING, or CRITICAL
 
 ### Unit Tests
 
-- Test `internal/service` logic using mocks for the Matrix client.
+- Test logic using mocks for the Matrix client.
 - Verify correct JSON marshalling/unmarshalling of Acrobits payloads.
 - Verify mapping logic (e.g., Matrix timestamp → Acrobits RFC3339).
+- Execute unit tests:
+  ```
+  go test -v ./...
+  ```
 
 ### Integration Tests
 

api/routes.go

@@ -21,8 +21,6 @@ func RegisterRoutes(e *echo.Echo, svc *service.MessageService, pushSvc *service.
 	e.POST("/api/client/send_message", h.sendMessage)
 	e.POST("/api/client/fetch_messages", h.fetchMessages)
 	e.POST("/api/client/push_token_report", h.pushTokenReport)
-	e.POST("/api/internal/map_number_to_matrix", h.postMapping)
-	e.GET("/api/internal/map_number_to_matrix", h.getMapping)
 	e.GET("/api/internal/push_tokens", h.getPushTokens)
 	e.DELETE("/api/internal/push_tokens", h.resetPushTokens)
 
@@ -99,63 +97,6 @@ func (h handler) pushTokenReport(c echo.Context) error {
 	return c.JSON(http.StatusOK, resp)
 }
 
-func (h handler) postMapping(c echo.Context) error {
-	if err := h.ensureAdminAccess(c); err != nil {
-		return err
-	}
-
-	var req models.MappingRequest
-	if err := c.Bind(&req); err != nil {
-		logger.Warn().Str("endpoint", "post_mapping").Err(err).Msg("invalid request payload")
-		return echo.NewHTTPError(http.StatusBadRequest, "invalid payload")
-	}
-
-	logger.Debug().Str("endpoint", "post_mapping").Int("number", req.Number).Msg("saving mapping")
-
-	resp, err := h.svc.SaveMapping(&req)
-	if err != nil {
-		logger.Error().Str("endpoint", "post_mapping").Int("number", req.Number).Err(err).Msg("failed to save mapping")
-		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
-	}
-
-	logger.Info().Str("endpoint", "post_mapping").Int("number", req.Number).Msg("mapping saved successfully")
-	return c.JSON(http.StatusOK, resp)
-}
-
-func (h handler) getMapping(c echo.Context) error {
-	if err := h.ensureAdminAccess(c); err != nil {
-		return err
-	}
-
-	number := strings.TrimSpace(c.QueryParam("number"))
-	if number == "" {
-		logger.Debug().Str("endpoint", "get_mapping").Msg("listing all mappings")
-		// return full mappings list when number is not provided
-		respList, err := h.svc.ListMappings()
-		if err != nil {
-			logger.Error().Str("endpoint", "get_mapping").Err(err).Msg("failed to list mappings")
-			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
-		}
-		logger.Info().Str("endpoint", "get_mapping").Int("count", len(respList)).Msg("listed all mappings")
-		return c.JSON(http.StatusOK, respList)
-	}
-
-	logger.Debug().Str("endpoint", "get_mapping").Str("number", number).Msg("looking up mapping")
-
-	resp, err := h.svc.LookupMapping(number)
-	if err != nil {
-		if errors.Is(err, service.ErrMappingNotFound) {
-			logger.Warn().Str("endpoint", "get_mapping").Str("number", number).Msg("mapping not found")
-			return echo.NewHTTPError(http.StatusNotFound, err.Error())
-		}
-		logger.Error().Str("endpoint", "get_mapping").Str("number", number).Err(err).Msg("failed to lookup mapping")
-		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
-	}
-
-	logger.Info().Str("endpoint", "get_mapping").Str("number", number).Msg("mapping found")
-	return c.JSON(http.StatusOK, resp)
-}
-
 func (h handler) getPushTokens(c echo.Context) error {
 	if err := h.ensureAdminAccess(c); err != nil {
 		return err