@1auth/authn 0.0.0-alpha.7 → 0.0.0-alpha.71

package/index.js

@@ -1,163 +1,365 @@
-import { setTimeout } from 'node:timers/promises'
-import { randomId, makeSymetricKey } from '@1auth/crypto'
+import { setTimeout } from "node:timers/promises";
+import {
+  makeRandomConfigObject,
+  symmetricGenerateEncryptionKey,
+  symmetricEncryptFields,
+  symmetricDecryptFields,
+} from "@1auth/crypto";
 
-export const options = {
+const id = "authn";
+
+export const randomId = ({ prefix = "authn_", ...params } = {}) =>
+  makeRandomConfigObject({
+    id,
+    prefix,
+    ...params,
+  });
+
+const defaults = {
+  id,
+  log: false,
   store: undefined,
   notify: undefined,
-  table: 'credentials',
-  authenticationDuration: 500, // min duration authentication should take (ms)
-  usernameExists: [] // hooks to allow what to be used as a username
-}
-export default (params) => {
-  Object.assign(options, params)
-}
-export const getOptions = () => options
-
-export const create = async (
-  credentialType,
-  { id, sub, value, ...rest },
-  parentOptions
+  table: "authentications",
+  idGenerate: true,
+  randomId: randomId(),
+  authenticationDuration: 100, // minimum duration authentication should take (ms)
+  usernameExists: [], // hooks to allow what to be used as a username
+  encryptedFields: ["value"],
+};
+const options = {};
+export default (opt = {}) => {
+  Object.assign(options, defaults, opt);
+};
+export const getOptions = () => options;
+
+// export const exists = async (credentialOptions, sub, params) => {
+//   const type = makeType(credentialOptions);
+//   const list = await options.store.selectList(options.table, {
+//     ...params,
+//     sub,
+//     type,
+//   });
+//   return list.length > 1;
+// };
+
+export const count = async (credentialOptions, sub) => {
+  const type = makeType(credentialOptions);
+  const credentials = await options.store.selectList(
+    options.table,
+    { sub, type },
+    ["verify", "expire"],
+  );
+  let count = 0;
+  const now = nowInSeconds();
+  for (let i = credentials.length; i--; ) {
+    const credential = credentials[i];
+    if (credential.expire && credential.expire < now) {
+      continue;
+    }
+    if (!credential.verify) {
+      continue;
+    }
+    count += 1;
+  }
+  return count;
+};
+
+export const list = async (credentialOptions, sub, params, fields) => {
+  const type = makeType(credentialOptions);
+  const items = await options.store.selectList(
+    options.table,
+    {
+      ...params,
+      sub,
+      type,
+    },
+    fields,
+  );
+  // const now = nowInSeconds();
+  const list = [];
+  for (let i = items.length; i--; ) {
+    const item = items[i];
+    // TODO need filter for expire
+    // if (credential.expire < now) {
+    //   continue;
+    // }
+    const { encryptionKey: encryptedKey } = item;
+    delete item.encryptionKey;
+    const decryptedItem = symmetricDecryptFields(
+      item,
+      { encryptedKey, sub },
+      options.encryptedFields,
+    );
+    list.push(decryptedItem);
+  }
+  return list;
+};
+
+const createCredential = async (
+  credentialOptions,
+  sub,
+  { id, value, ...values },
 ) => {
-  const now = nowInSeconds()
-  id ??= await randomId.create()
-  const type = parentOptions.id + '-' + parentOptions[credentialType].type
-  const otp = parentOptions[credentialType].otp
-  const expire = parentOptions[credentialType].expire
-    ? now + parentOptions[credentialType].expire
-    : null
-  const { encryptedKey } = makeSymetricKey(sub)
-
-  const encryptedData = await parentOptions[credentialType].encode(
-    value,
-    encryptedKey,
-    sub
-  )
-  await options.store.insert(options.table, {
-    expire,
-    ...rest,
-    id,
+  const now = nowInSeconds();
+  const type = makeType(credentialOptions);
+  let { otp, expire } = credentialOptions;
+  expire &&= now + expire;
+
+  if (options.idGenerate) {
+    id ??= await options.randomId.create(options.idPrefix);
+  }
+  value ??= credentialOptions.create();
+  const encodedValue = await credentialOptions.encode(value);
+
+  const { encryptionKey, encryptedKey } = symmetricGenerateEncryptionKey(sub);
+  const encryptedValues = symmetricEncryptFields(
+    { ...values, value: encodedValue },
+    { encryptionKey, sub },
+    options.encryptedFields,
+  );
+  const params = {
+    ...encryptedValues,
     sub,
     type,
     otp,
     encryptionKey: encryptedKey,
-    value: encryptedData,
     create: now,
-    update: now
-  })
-  return id
-}
+    update: now,
+    expire,
+  };
+  if (options.idGenerate) {
+    params.id = id;
+  }
+  return params;
+};
+
+export const create = async (credentialOptions, sub, values) => {
+  const params = await createCredential(credentialOptions, sub, values);
+  const id = await options.store.insert(options.table, params);
+  return { ...params, id };
+};
+
+export const createList = async (credentialOptions, sub, list) => {
+  const rows = await Promise.all(
+    list.map((values) => createCredential(credentialOptions, sub, values)),
+  );
+  const params = rows[0];
+  const res = await options.store.insertList(options.table, rows);
+  return { ...params, id: res };
+};
 
 export const update = async (
-  credentialType,
-  { id, sub, encryptionKey, value, ...rest },
-  parentOptions
+  credentialOptions,
+  { id, sub, encryptionKey, encryptedKey, value, ...values },
 ) => {
-  const now = nowInSeconds()
-  const encryptedData = await parentOptions[credentialType].encode(
-    value,
-    encryptionKey,
-    sub
-  )
+  const now = nowInSeconds();
+  // const type = makeType(credentialOptions);
+
+  const encodedValue = await credentialOptions.encode(value);
+
+  const encryptedValues = symmetricEncryptFields(
+    { ...values, value: encodedValue },
+    { encryptionKey, encryptedKey, sub },
+    options.encryptedFields,
+  );
+
   return options.store.update(
     options.table,
-    { id, sub },
+    { sub, id },
     {
-      ...rest,
-      value: encryptedData,
-      update: now
-    }
-  )
-}
+      ...encryptedValues,
+      update: now,
+    },
+  );
+};
 
 export const subject = async (username) => {
   return Promise.all(
-    options.usernameExists.map((exists) => exists(username))
+    options.usernameExists.map((exists) => {
+      return exists(username);
+    }),
   ).then((identities) => {
-    return identities.filter((lookup) => lookup)?.[0]
-  })
-}
+    return identities.filter((lookup) => lookup)?.[0];
+  });
+};
 
-export const authenticate = async (username, secret, parentOptions) => {
-  const timeout = setTimeout(() => {}, options.authenticationDuration)
-  const type = parentOptions.id + '-' + parentOptions.secret.type
+export const authenticate = async (credentialOptions, username, secret) => {
+  const sub = await subject(username);
 
-  const sub = await subject(username)
+  const timeout = setTimeout(options.authenticationDuration);
+  const type = makeType(credentialOptions);
 
-  const credentials = await options.store.selectList(options.table, {
-    sub,
-    type
-  }) // TODO and verify is not null
-  let valid, id, encryptionKey
+  const credentials = await options.store.selectList(
+    options.table,
+    {
+      sub,
+      type,
+    },
+    ["id", "encryptionKey", "value", "otp", "verify", "expire", "sourceId"],
+  );
+  const now = nowInSeconds();
+  let valid;
+  let skipIgnoredCount = 0;
+  let skipExpiredCount = 0;
   for (const credential of credentials) {
-    let { value, encryptionKey: encryptedKey, ...rest } = credential
-    value = await parentOptions.secret.decode(value, encryptedKey, sub)
-    valid = await parentOptions.secret.verify(secret, value, rest)
+    // non-opt credentials must be verified before use
+    if (!credential.otp && !credential.verify) {
+      skipIgnoredCount += 1;
+      continue;
+    }
+    // skip expired
+    if (credential.expire < now) {
+      skipExpiredCount += 1;
+      continue;
+    }
+    const { encryptionKey: encryptedKey } = credential;
+    const decryptedCredential = symmetricDecryptFields(
+      credential,
+      { encryptedKey, sub },
+      options.encryptedFields,
+    );
+    let { value, ...values } = decryptedCredential;
+    value = await credentialOptions.decode(value);
+    try {
+      valid = await credentialOptions.verify(secret, value, values);
+    } catch (e) {
+      if (options.log) {
+        options.log(e);
+      }
+      continue;
+    }
     if (valid) {
-      id ??= credential.id
-      encryptionKey ??= encryptedKey
-      break
+      const { id, otp } = credential;
+      if (otp) {
+        await expire(credentialOptions, sub, id, { lastused: now });
+      } else {
+        const now = nowInSeconds();
+        await options.store.update(
+          options.table,
+          { id, sub },
+          { lastused: now },
+        );
+      }
+
+      if (credentialOptions.cleanup) {
+        await credentialOptions.cleanup(sub, value, values);
+      }
+      break;
     }
   }
 
-  if (valid && parentOptions.secret.otp) {
-    await options.store.remove(options.table, { id, sub })
+  await timeout;
+  if (!valid) {
+    let cause = "invalid";
+    const credentialsCount = credentials.length - skipIgnoredCount;
+    if (credentialsCount === 0) {
+      cause = "missing";
+    } else if (skipExpiredCount === credentialsCount) {
+      cause = "expired";
+    }
+    throw new Error("401 Unauthorized", { cause });
   }
-  await timeout
-  if (!valid) throw new Error('401 Unauthorized')
-  return { sub, id, encryptionKey, ...valid }
-}
+  return sub;
+};
 
-export const verifySecret = async (sub, id, parentOptions) => {
-  // const type = parentOptions.id + '-' + parentOptions.secret.type
+export const verifySecret = async (credentialOptions, sub, id) => {
+  // const type = makeType(credentialOptions);
+  const now = nowInSeconds();
   await options.store.update(
     options.table,
-    { id, sub },
-    { verify: nowInSeconds() }
-  )
-}
-
-export const verify = async (credentialType, sub, token, parentOptions) => {
-  const timeout = setTimeout(() => {}, options.authenticationDuration)
-  const type = parentOptions.id + '-' + parentOptions[credentialType].type
-  let id
+    { sub, id },
+    { update: now, verify: now },
+  );
+};
+
+// TODO add in sourceId as filter for messengers
+export const verify = async (credentialOptions, sub, input) => {
+  const timeout = setTimeout(options.authenticationDuration);
+  const type = makeType(credentialOptions);
+
   const credentials = await options.store.selectList(options.table, {
     sub,
-    type
-  })
-  // TODO re-confirm when needed
-  // .then((rows) => {
-  //   if (rows.length) {
-  //     return rows
-  //   }
-  //
-  //   return options.store.select(options.table, { id: sub, type })
-  // })
-
-  let valid
-  for (const credential of credentials) {
-    let { value, encryptionKey, ...rest } = credential
-    value = await parentOptions[credentialType].decode(
-      value,
-      encryptionKey,
-      sub
-    )
-    valid = await parentOptions[credentialType].verify(token, value, rest)
+    type,
+  });
+
+  const now = nowInSeconds();
+  let valid;
+  let credential;
+  let skipExpiredCount = 0;
+  for (credential of credentials) {
+    // skip expired
+    if (credential.expire < now) {
+      skipExpiredCount += 1;
+      continue;
+    }
+    const { encryptionKey: encryptedKey } = credential;
+    const decryptedCredential = symmetricDecryptFields(
+      credential,
+      { encryptedKey, sub },
+      options.encryptedFields,
+    );
+    let { value, ...values } = decryptedCredential;
+    value = await credentialOptions.decode(value);
+    try {
+      valid = await credentialOptions.verify(input, value, values);
+    } catch (e) {
+      if (options.log) {
+        options.log(e);
+      }
+      continue;
+    }
     if (valid) {
-      id = credential.id
-      break
+      const { id, otp } = credential;
+      if (otp) {
+        await remove(credentialOptions, sub, id);
+      }
+      break;
     }
   }
-  if (valid && parentOptions[credentialType].otp) {
-    await options.store.remove(options.table, { id, sub })
+
+  await timeout;
+
+  if (!valid) {
+    let cause = "invalid";
+    const credentialsCount = credentials.length;
+    if (credentialsCount === 0) {
+      cause = "missing";
+    } else if (skipExpiredCount === credentialsCount) {
+      cause = "expired";
+    }
+    throw new Error("401 Unauthorized", { cause });
   }
-  if (!valid) throw new Error('401 Unauthorized')
-  await timeout
-  return { sub, id, ...valid }
-}
+  return { ...credential, ...valid };
+};
+
+export const expire = async (credentialOptions, sub, id, values) => {
+  // const type = makeType(credentialOptions);
+  await options.store.update(
+    options.table,
+    { sub, id },
+    { ...values, expire: nowInSeconds() - 1 },
+  );
+};
+
+export const remove = async (credentialOptions, sub, id) => {
+  const type = makeType(credentialOptions);
+  await options.store.remove(options.table, { id, type, sub });
+};
 
-export const expire = async (sub, id, parentOptions = options) => {
-  await options.store.remove(options.table, { id, sub })
-}
+export const select = async (credentialOptions, sub, id) => {
+  const type = makeType(credentialOptions);
+  const item = await options.store.select(options.table, { id, type, sub });
+  if (!item) return item;
+  const { encryptionKey: encryptedKey } = item;
+  delete item.encryptionKey;
+  const decryptedItem = symmetricDecryptFields(
+    item,
+    { encryptedKey, sub },
+    options.encryptedFields,
+  );
+  return decryptedItem;
+};
 
 // TODO manage onboard state
 
@@ -165,4 +367,6 @@ export const expire = async (sub, id, parentOptions = options) => {
 
 // TODO authorize management?
 
-const nowInSeconds = () => Math.floor(Date.now() / 1000)
+const makeType = (credentialOptions) =>
+  credentialOptions.id + "-" + credentialOptions.type;
+const nowInSeconds = () => Math.floor(Date.now() / 1000);

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@1auth/authn",
-  "version": "0.0.0-alpha.7",
+  "version": "0.0.0-alpha.71",
   "description": "",
   "type": "module",
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "engineStrict": true,
   "publishConfig": {
@@ -27,7 +27,7 @@
   ],
   "scripts": {
     "test": "npm run test:unit",
-    "test:unit": "ava"
+    "test:unit": "node --test"
   },
   "license": "MIT",
   "funding": {
@@ -41,15 +41,15 @@
   },
   "repository": {
     "type": "git",
-    "url": "github:willfarrell/1auth",
+    "url": "git+https://github.com/willfarrell/1auth.git",
     "directory": "packages/authn"
   },
   "bugs": {
     "url": "https://github.com/willfarrell/1auth/issues"
   },
   "homepage": "https://github.com/willfarrell/1auth",
-  "gitHead": "39c704fcab5798f6bee8d00b2bcf574ba250a4cf",
+  "gitHead": "7a6c0fbb8ab71d6a2171e678697de9f237568431",
   "dependencies": {
-    "@1auth/crypto": "0.0.0-alpha.7"
+    "@1auth/crypto": "0.0.0-alpha.71"
   }
 }

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2023 will Farrell
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.