@1auth/authn 0.0.0-alpha.5 → 0.0.0-alpha.51

package/index.js

@@ -1,68 +1,152 @@
 import { setTimeout } from 'node:timers/promises'
-import { randomId, makeSymetricKey } from '@1auth/crypto'
+import {
+  randomId,
+  symmetricGenerateEncryptionKey,
+  symmetricEncryptFields,
+  symmetricDecryptFields
+} from '@1auth/crypto'
 
-export const options = {
+const id = 'authn'
+
+const defaults = {
+  id,
+  log: false,
   store: undefined,
   notify: undefined,
-  table: 'credentials',
-  authenticationDuration: 500, // min duration authentication should take (ms)
-  usernameExists: [] // hooks to allow what to be used as a username
+  table: 'authentications',
+  idGenerate: true,
+  idPrefix: 'authn',
+  randomId: { ...randomId },
+  authenticationDuration: 500, // minimum duration authentication should take (ms)
+  usernameExists: [], // hooks to allow what to be used as a username
+  encryptedFields: ['value']
 }
-export default (params) => {
-  Object.assign(options, params)
+const options = {}
+export default (opt = {}) => {
+  Object.assign(options, defaults, opt)
 }
 export const getOptions = () => options
 
+export const exists = async (credentialOptions, sub, params) => {
+  const type = makeType(credentialOptions)
+  const list = await options.store.selectList(options.table, {
+    ...params,
+    sub,
+    type
+  })
+  return list.length > 1
+}
+
+export const count = async (credentialOptions, sub) => {
+  const type = makeType(credentialOptions)
+  const credentials = await options.store.selectList(
+    options.table,
+    { sub, type },
+    ['verify', 'expire']
+  )
+  let count = 0
+  const now = nowInSeconds()
+  for (let i = credentials.length; i--;) {
+    const credential = credentials[i]
+    if (credential.expire && credential.expire < now) {
+      continue
+    }
+    if (!credential.verify) {
+      continue
+    }
+    count += 1
+  }
+  return count
+}
+
+export const list = async (credentialOptions, sub, params, fields) => {
+  const type = makeType(credentialOptions)
+  const items = await options.store.selectList(
+    options.table,
+    {
+      ...params,
+      sub,
+      type
+    },
+    fields
+  )
+  // const now = nowInSeconds();
+  const list = []
+  for (let i = items.length; i--;) {
+    const item = items[i]
+    // TODO need filter for expire
+    // if (credential.expire < now) {
+    //   continue;
+    // }
+    const { encryptionKey: encryptedKey } = item
+    delete item.encryptionKey
+    const decryptedItem = symmetricDecryptFields(
+      item,
+      { encryptedKey, sub },
+      options.encryptedFields
+    )
+    list.push(decryptedItem)
+  }
+  return list
+}
+
 export const create = async (
-  credentialType,
-  { id, sub, value, ...rest },
-  parentOptions
+  credentialOptions,
+  sub,
+  { id, value, ...values }
 ) => {
   const now = nowInSeconds()
-  id ??= await randomId.create()
-  const type = parentOptions.id + '-' + parentOptions[credentialType].type
-  const otp = parentOptions[credentialType].otp
-  const expire = parentOptions[credentialType].expire
-    ? now + parentOptions[credentialType].expire
-    : null
-  const { encryptedKey } = makeSymetricKey(sub)
-
-  const encryptedData = await parentOptions[credentialType].encode(
-    value,
-    encryptedKey,
-    sub
+  const type = makeType(credentialOptions)
+  let { otp, expire } = credentialOptions
+  expire &&= now + expire
+
+  if (options.idGenerate) {
+    id ??= await options.randomId.create(options.idPrefix)
+  }
+  value ??= credentialOptions.create()
+  const encodedValue = await credentialOptions.encode(value)
+
+  const { encryptionKey, encryptedKey } = symmetricGenerateEncryptionKey(sub)
+  const encryptedValues = symmetricEncryptFields(
+    { ...values, value: encodedValue },
+    { encryptionKey, sub },
+    options.encryptedFields
   )
-  await options.store.insert(options.table, {
-    expire,
-    ...rest,
-    id,
+  const params = {
+    ...encryptedValues,
     sub,
     type,
     otp,
     encryptionKey: encryptedKey,
-    value: encryptedData,
     create: now,
-    update: now
-  })
-  return id
+    update: now,
+    expire
+  }
+  if (options.idGenerate) {
+    params.id = id
+  }
+  const row = await options.store.insert(options.table, params)
+  return { type, id: row.id, value, otp, expire }
 }
 
 export const update = async (
-  credentialType,
-  { id, sub, encryptionKey, value, ...rest },
-  parentOptions
+  credentialOptions,
+  { id, sub, encryptionKey, encryptedKey, value, ...values }
 ) => {
   const now = nowInSeconds()
-  const encryptedData = await parentOptions[credentialType].encode(
+  // const type = makeType(credentialOptions);
+
+  const encryptedData = await credentialOptions.encode(
     value,
     encryptionKey,
+    encryptedKey,
     sub
   )
   return options.store.update(
     options.table,
-    { id, sub },
+    { sub, id },
     {
-      ...rest,
+      ...values,
       value: encryptedData,
       update: now
     }
@@ -71,92 +155,190 @@ export const update = async (
 
 export const subject = async (username) => {
   return Promise.all(
-    options.usernameExists.map((exists) => exists(username))
+    options.usernameExists.map((exists) => {
+      return exists(username)
+    })
   ).then((identities) => {
     return identities.filter((lookup) => lookup)?.[0]
   })
 }
 
-export const authenticate = async (username, secret, parentOptions) => {
-  const timeout = setTimeout(() => {}, options.authenticationDuration)
-  const type = parentOptions.id + '-' + parentOptions.secret.type
-
+export const authenticate = async (credentialOptions, username, secret) => {
   const sub = await subject(username)
 
-  const credentials = await options.store.selectList(options.table, {
-    sub,
-    type
-  }) // TODO and verify is not null
-  let valid, id, encryptionKey
+  const timeout = setTimeout(options.authenticationDuration)
+  const type = makeType(credentialOptions)
+
+  const credentials = await options.store.selectList(
+    options.table,
+    {
+      sub,
+      type
+    },
+    ['id', 'encryptionKey', 'value', 'otp', 'verify', 'expire', 'sourceId']
+  )
+  const now = nowInSeconds()
+  let valid
+  let skipIgnoredCount = 0
+  let skipExpiredCount = 0
   for (const credential of credentials) {
-    let { value, encryptionKey: encryptedKey, ...rest } = credential
-    value = await parentOptions.secret.decode(value, encryptedKey, sub)
-    valid = await parentOptions.secret.verify(secret, value, rest)
+    // non-opt credentials must be verified before use
+    if (!credential.otp && !credential.verify) {
+      skipIgnoredCount += 1
+      continue
+    }
+    // skip expired
+    if (credential.expire < now) {
+      skipExpiredCount += 1
+      continue
+    }
+    const { encryptionKey: encryptedKey } = credential
+    const decryptedCredential = symmetricDecryptFields(
+      credential,
+      { encryptedKey, sub },
+      options.encryptedFields
+    )
+    let { value, ...values } = decryptedCredential
+    value = await credentialOptions.decode(value)
+    try {
+      valid = await credentialOptions.verify(secret, value, values)
+    } catch (e) {
+      if (options.log) {
+        options.log(e)
+      }
+      continue
+    }
     if (valid) {
-      id ??= credential.id
-      encryptionKey ??= encryptedKey
+      const { id, otp } = credential
+      if (otp) {
+        await options.store.update(
+          options.table,
+          { id, sub },
+          { update: now, expire: now, lastused: now }
+        )
+      } else if (credentialOptions.clean) {
+        await credentialOptions.clean(sub, value, values)
+      } else {
+        const now = nowInSeconds()
+        await options.store.update(
+          options.table,
+          { id, sub },
+          { update: now, lastused: now }
+        )
+      }
+
       break
     }
   }
 
-  if (valid && parentOptions.secret.otp) {
-    await options.store.remove(options.table, { id, sub })
-  }
   await timeout
-  if (!valid) throw new Error('401 Unauthorized')
-  return { sub, id, encryptionKey, ...valid }
+  if (!valid) {
+    let cause = 'invalid'
+    const credentialsCount = credentials.length - skipIgnoredCount
+    if (credentialsCount === 0) {
+      cause = 'missing'
+    } else if (skipExpiredCount === credentialsCount) {
+      cause = 'expired'
+    }
+    throw new Error('401 Unauthorized', cause)
+  }
+  return sub
 }
 
-export const verifySecret = async (sub, id, parentOptions) => {
-  // const type = parentOptions.id + '-' + parentOptions.secret.type
+export const verifySecret = async (credentialOptions, sub, id) => {
+  // const type = makeType(credentialOptions);
+  const now = nowInSeconds()
   await options.store.update(
     options.table,
-    { id, sub },
-    { verify: nowInSeconds() }
+    { sub, id },
+    { update: now, verify: now }
   )
 }
 
-export const verify = async (credentialType, sub, token, parentOptions) => {
-  const timeout = setTimeout(() => {}, options.authenticationDuration)
-  const type = parentOptions.id + '-' + parentOptions[credentialType].type
-  let id
+export const verify = async (credentialOptions, sub, input) => {
+  const timeout = setTimeout(options.authenticationDuration)
+  const type = makeType(credentialOptions)
+
   const credentials = await options.store.selectList(options.table, {
     sub,
     type
   })
-  // TODO re-confirm when needed
-  // .then((rows) => {
-  //   if (rows.length) {
-  //     return rows
-  //   }
-  //
-  //   return options.store.select(options.table, { id: sub, type })
-  // })
 
+  const now = nowInSeconds()
   let valid
-  for (const credential of credentials) {
-    let { value, encryptionKey, ...rest } = credential
-    value = await parentOptions[credentialType].decode(
-      value,
-      encryptionKey,
-      sub
+  let credential
+  let skipExpiredCount = 0
+  for (credential of credentials) {
+    // skip expired
+    if (credential.expire < now) {
+      skipExpiredCount += 1
+      continue
+    }
+    const { encryptionKey: encryptedKey } = credential
+    const decryptedCredential = symmetricDecryptFields(
+      credential,
+      { encryptedKey, sub },
+      options.encryptedFields
     )
-    valid = await parentOptions[credentialType].verify(token, value, rest)
+    let { value, ...values } = decryptedCredential
+    value = await credentialOptions.decode(value)
+    try {
+      valid = await credentialOptions.verify(input, value, values)
+    } catch (e) {
+      if (options.log) {
+        options.log(e)
+      }
+      continue
+    }
     if (valid) {
-      id = credential.id
+      const { id, otp } = credential
+      if (otp) {
+        await options.store.remove(options.table, { id, sub })
+      }
       break
     }
   }
-  if (valid && parentOptions[credentialType].otp) {
-    await options.store.remove(options.table, { id, sub })
-  }
-  if (!valid) throw new Error('401 Unauthorized')
+
   await timeout
-  return { sub, id, ...valid }
+
+  if (!valid) {
+    let cause = 'invalid'
+    const credentialsCount = credentials.length
+    if (credentialsCount === 0) {
+      cause = 'missing'
+    } else if (skipExpiredCount === credentialsCount) {
+      cause = 'expired'
+    }
+    throw new Error('401 Unauthorized', { cause })
+  }
+  return { ...credential, ...valid }
 }
 
-export const expire = async (sub, id, parentOptions = options) => {
-  await options.store.remove(options.table, { id, sub })
+export const expire = async (credentialOptions, sub, id) => {
+  // const type = makeType(credentialOptions);
+  await options.store.update(
+    options.table,
+    { sub, id },
+    { expire: nowInSeconds() - 1 }
+  )
+}
+
+export const remove = async (credentialOptions, sub, id) => {
+  const type = makeType(credentialOptions)
+  await options.store.remove(options.table, { id, type, sub })
+}
+
+export const select = async (credentialOptions, sub, id) => {
+  const type = makeType(credentialOptions)
+  const item = await options.store.select(options.table, { id, type, sub })
+  const { encryptionKey: encryptedKey } = item
+  delete item.encryptionKey
+  const decryptedItem = symmetricDecryptFields(
+    item,
+    { encryptedKey, sub },
+    options.encryptedFields
+  )
+  return decryptedItem
 }
 
 // TODO manage onboard state
@@ -165,4 +347,6 @@ export const expire = async (sub, id, parentOptions = options) => {
 
 // TODO authorize management?
 
+const makeType = (credentialOptions) =>
+  credentialOptions.id + '-' + credentialOptions.type
 const nowInSeconds = () => Math.floor(Date.now() / 1000)

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@1auth/authn",
-  "version": "0.0.0-alpha.5",
+  "version": "0.0.0-alpha.51",
   "description": "",
   "type": "module",
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "engineStrict": true,
   "publishConfig": {
@@ -27,7 +27,7 @@
   ],
   "scripts": {
     "test": "npm run test:unit",
-    "test:unit": "ava"
+    "test:unit": "node --test"
   },
   "license": "MIT",
   "funding": {
@@ -48,8 +48,8 @@
     "url": "https://github.com/willfarrell/1auth/issues"
   },
   "homepage": "https://github.com/willfarrell/1auth",
-  "gitHead": "32bb45598025fe664497e4ce8b9c1cf41c75d635",
+  "gitHead": "7a6c0fbb8ab71d6a2171e678697de9f237568431",
   "dependencies": {
-    "@1auth/crypto": "0.0.0-alpha.5"
+    "@1auth/crypto": "0.0.0-alpha.51"
   }
 }

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2023 will Farrell
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.