npm - @1auth/authn - Versions diffs - 0.0.0-alpha.8 → 0.0.0-beta.0 - Mend

@1auth/authn 0.0.0-alpha.8 → 0.0.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.js CHANGED Viewed

@@ -1,163 +1,430 @@
-import { setTimeout } from 'node:timers/promises'
-import { randomId, makeSymetricKey } from '@1auth/crypto'
-export const options = {
-  store: undefined,
-  notify: undefined,
-  table: 'credentials',
-  authenticationDuration: 500, // min duration authentication should take (ms)
-  usernameExists: [] // hooks to allow what to be used as a username
-}
-export default (params) => {
-  Object.assign(options, params)
-}
-export const getOptions = () => options
-export const create = async (
-  credentialType,
-  { id, sub, value, ...rest },
-  parentOptions
+import { setTimeout } from "node:timers/promises";
+import {
+	makeRandomConfigObject,
+	symmetricDecryptFields,
+	symmetricEncryptFields,
+	symmetricGenerateEncryptionKey,
+} from "@1auth/crypto";
+const id = "authn";
+export const randomId = ({ prefix = "authn_", ...params } = {}) =>
+	makeRandomConfigObject({
+		id,
+		prefix,
+		...params,
+	});
+const defaults = {
+	id,
+	log: false,
+	store: undefined,
+	notify: undefined,
+	table: "authentications",
+	idGenerate: true,
+	randomId: randomId(),
+	authenticationDuration: 100, // minimum duration authentication should take (ms)
+	usernameExists: [], // hooks to allow what to be used as a username
+	encryptedFields: ["value"],
+};
+const options = {};
+export default (opt = {}) => {
+	Object.assign(options, defaults, opt);
+};
+export const getOptions = () => options;
+// export const exists = async (credentialOptions, sub, params) => {
+//   const type = makeType(credentialOptions);
+//   const list = await options.store.selectList(options.table, {
+//     ...params,
+//     sub,
+//     type,
+//   });
+//   return list.length > 1;
+// };
+export const count = async (credentialOptions, sub) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	const type = makeType(credentialOptions);
+	const credentials = await options.store.selectList(
+		options.table,
+		{ sub, type },
+		["verify", "expire"],
+	);
+	let count = 0;
+	const now = nowInSeconds();
+	for (let i = credentials.length; i--; ) {
+		const credential = credentials[i];
+		if (credential.expire && credential.expire < now) {
+			continue;
+		}
+		if (!credential.verify) {
+			continue;
+		}
+		count += 1;
+	}
+	return count;
+};
+export const list = async (credentialOptions, sub, params, fields) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	const type = makeType(credentialOptions);
+	const items = await options.store.selectList(
+		options.table,
+		{
+			...params,
+			sub,
+			type,
+		},
+		fields,
+	);
+	// const now = nowInSeconds();
+	const list = [];
+	for (let i = items.length; i--; ) {
+		const item = items[i];
+		// TODO need filter for expire
+		// if (credential.expire < now) {
+		//   continue;
+		// }
+		const { encryptionKey: encryptedKey } = item;
+		item.encryptionKey = undefined;
+		const decryptedItem = symmetricDecryptFields(
+			item,
+			{ encryptedKey, sub },
+			options.encryptedFields,
+		);
+		list.push(decryptedItem);
+	}
+	return list;
+};
+const createCredential = async (
+	credentialOptions,
+	sub,
+	{ id, value, ...values },
 ) => {
-  const now = nowInSeconds()
-  id ??= await randomId.create()
-  const type = parentOptions.id + '-' + parentOptions[credentialType].type
-  const otp = parentOptions[credentialType].otp
-  const expire = parentOptions[credentialType].expire
-    ? now + parentOptions[credentialType].expire
-    : null
-  const { encryptedKey } = makeSymetricKey(sub)
-  const encryptedData = await parentOptions[credentialType].encode(
-    value,
-    encryptedKey,
-    sub
-  )
-  await options.store.insert(options.table, {
-    expire,
-    ...rest,
-    id,
-    sub,
-    type,
-    otp,
-    encryptionKey: encryptedKey,
-    value: encryptedData,
-    create: now,
-    update: now
-  })
-  return id
-}
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub } });
+	}
+	const now = nowInSeconds();
+	const type = makeType(credentialOptions);
+	let { otp, expire } = credentialOptions;
+	expire &&= now + expire;
+	if (options.idGenerate) {
+		id ??= await options.randomId.create(options.idPrefix);
+	}
+	value ??= credentialOptions.create();
+	const encodedValue = await credentialOptions.encode(value);
+	const { encryptionKey, encryptedKey } = symmetricGenerateEncryptionKey(sub);
+	const encryptedValues = symmetricEncryptFields(
+		{ ...values, value: encodedValue },
+		{ encryptionKey, sub },
+		options.encryptedFields,
+	);
+	const params = {
+		...encryptedValues,
+		sub,
+		type,
+		otp,
+		encryptionKey: encryptedKey,
+		create: now,
+		update: now,
+	};
+	if (expire) {
+		params.expire = expire;
+	}
+	if (options.idGenerate) {
+		params.id = id;
+	}
+	return params;
+};
+export const create = async (credentialOptions, sub, values) => {
+	const params = await createCredential(credentialOptions, sub, values);
+	const id = await options.store.insert(options.table, params);
+	return { ...params, id };
+};
+export const createList = async (credentialOptions, sub, list) => {
+	const rows = await Promise.all(
+		list.map((values) => createCredential(credentialOptions, sub, values)),
+	);
+	const res = await options.store.insertList(options.table, rows);
+	const params = rows[0];
+	return { ...params, id: res };
+};
+// Only used by webauthn to update counter within value
 export const update = async (
-  credentialType,
-  { id, sub, encryptionKey, value, ...rest },
-  parentOptions
+	credentialOptions,
+	{ id, sub, encryptionKey, encryptedKey, value, ...values },
 ) => {
-  const now = nowInSeconds()
-  const encryptedData = await parentOptions[credentialType].encode(
-    value,
-    encryptionKey,
-    sub
-  )
-  return options.store.update(
-    options.table,
-    { id, sub },
-    {
-      ...rest,
-      value: encryptedData,
-      update: now
-    }
-  )
-}
+	// if (!sub || typeof sub !== "string") {
+	// 	throw new Error("401 Unauthorized", { cause: { sub } });
+	// }
+	const now = nowInSeconds();
+	// const type = makeType(credentialOptions);
+	const encodedValue = await credentialOptions.encode(value);
+	const encryptedValues = symmetricEncryptFields(
+		{ ...values, value: encodedValue },
+		{ encryptionKey, encryptedKey, sub },
+		options.encryptedFields,
+	);
+	return options.store.update(
+		options.table,
+		{ sub, id },
+		{
+			...encryptedValues,
+			update: now,
+		},
+	);
+};
 export const subject = async (username) => {
-  return Promise.all(
-    options.usernameExists.map((exists) => exists(username))
-  ).then((identities) => {
-    return identities.filter((lookup) => lookup)?.[0]
-  })
-}
-export const authenticate = async (username, secret, parentOptions) => {
-  const timeout = setTimeout(() => {}, options.authenticationDuration)
-  const type = parentOptions.id + '-' + parentOptions.secret.type
-  const sub = await subject(username)
-  const credentials = await options.store.selectList(options.table, {
-    sub,
-    type
-  }) // TODO and verify is not null
-  let valid, id, encryptionKey
-  for (const credential of credentials) {
-    let { value, encryptionKey: encryptedKey, ...rest } = credential
-    value = await parentOptions.secret.decode(value, encryptedKey, sub)
-    valid = await parentOptions.secret.verify(secret, value, rest)
-    if (valid) {
-      id ??= credential.id
-      encryptionKey ??= encryptedKey
-      break
-    }
-  }
-  if (valid && parentOptions.secret.otp) {
-    await options.store.remove(options.table, { id, sub })
-  }
-  await timeout
-  if (!valid) throw new Error('401 Unauthorized')
-  return { sub, id, encryptionKey, ...valid }
-}
-export const verifySecret = async (sub, id, parentOptions) => {
-  // const type = parentOptions.id + '-' + parentOptions.secret.type
-  await options.store.update(
-    options.table,
-    { id, sub },
-    { verify: nowInSeconds() }
-  )
-}
-export const verify = async (credentialType, sub, token, parentOptions) => {
-  const timeout = setTimeout(() => {}, options.authenticationDuration)
-  const type = parentOptions.id + '-' + parentOptions[credentialType].type
-  let id
-  const credentials = await options.store.selectList(options.table, {
-    sub,
-    type
-  })
-  // TODO re-confirm when needed
-  // .then((rows) => {
-  //   if (rows.length) {
-  //     return rows
-  //   }
-  //
-  //   return options.store.select(options.table, { id: sub, type })
-  // })
-  let valid
-  for (const credential of credentials) {
-    let { value, encryptionKey, ...rest } = credential
-    value = await parentOptions[credentialType].decode(
-      value,
-      encryptionKey,
-      sub
-    )
-    valid = await parentOptions[credentialType].verify(token, value, rest)
-    if (valid) {
-      id = credential.id
-      break
-    }
-  }
-  if (valid && parentOptions[credentialType].otp) {
-    await options.store.remove(options.table, { id, sub })
-  }
-  if (!valid) throw new Error('401 Unauthorized')
-  await timeout
-  return { sub, id, ...valid }
-}
-export const expire = async (sub, id, parentOptions = options) => {
-  await options.store.remove(options.table, { id, sub })
-}
+	return Promise.all(
+		options.usernameExists.map((exists) => {
+			return exists(username);
+		}),
+	).then((identities) => {
+		return identities.filter((lookup) => lookup)?.[0];
+	});
+};
+export const authenticate = async (credentialOptions, username, secret) => {
+	const timeout = setTimeout(options.authenticationDuration);
+	const sub = await subject(username);
+	if (!sub) {
+		await timeout;
+		throw new Error("401 Unauthorized", { cause: { username } });
+	}
+	const type = makeType(credentialOptions);
+	const credentials = await options.store.selectList(
+		options.table,
+		{
+			sub,
+			type,
+		},
+		["id", "encryptionKey", "value", "otp", "verify", "expire", "sourceId"],
+	);
+	const now = nowInSeconds();
+	let valid;
+	let skipIgnoredCount = 0;
+	let skipExpiredCount = 0;
+	for (const credential of credentials) {
+		// non-opt credentials must be verified before use
+		if (!credential.otp && !credential.verify) {
+			skipIgnoredCount += 1;
+			continue;
+		}
+		// skip expired
+		if (credential.expire && credential.expire < now) {
+			skipExpiredCount += 1;
+			continue;
+		}
+		const { encryptionKey: encryptedKey } = credential;
+		const decryptedCredential = symmetricDecryptFields(
+			credential,
+			{ encryptedKey, sub },
+			options.encryptedFields,
+		);
+		let { value, ...values } = decryptedCredential;
+		value = await credentialOptions.decode(value);
+		try {
+			valid = await credentialOptions.verify(secret, value, values);
+		} catch (e) {
+			if (options.log) {
+				options.log(e);
+			}
+			continue;
+		}
+		if (valid) {
+			const { id, otp } = credential;
+			if (otp) {
+				await expire(credentialOptions, sub, id, { lastused: now });
+			} else {
+				const now = nowInSeconds();
+				await options.store.update(
+					options.table,
+					{ id, sub },
+					{ lastused: now },
+				);
+			}
+			if (credentialOptions.cleanup) {
+				await credentialOptions.cleanup(sub, value, values);
+			}
+			break;
+		}
+	}
+	await timeout;
+	if (!valid) {
+		let cause = "invalid";
+		const credentialsCount = credentials.length - skipIgnoredCount;
+		if (credentialsCount === 0) {
+			cause = "missing";
+		} else if (skipExpiredCount === credentialsCount) {
+			cause = "expired";
+		}
+		throw new Error("401 Unauthorized", { cause });
+	}
+	return sub;
+};
+export const verifySecret = async (_credentialOptions, sub, id) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	if (!id || typeof id !== "string") {
+		throw new Error("404 Not Found", { cause: { sub, id } });
+	}
+	// const type = makeType(credentialOptions);
+	const now = nowInSeconds();
+	await options.store.update(
+		options.table,
+		{ sub, id },
+		{ update: now, verify: now },
+	);
+};
+// TODO add in sourceId as filter for messengers
+export const verify = async (credentialOptions, sub, input) => {
+	const timeout = setTimeout(options.authenticationDuration);
+	if (!sub || typeof sub !== "string") {
+		await timeout;
+		throw new Error("401 Unauthorized", { cause: { sub } });
+	}
+	// Can be string or json (webauthn)
+	if (!input) {
+		await timeout;
+		throw new Error("401 Unauthorized", { cause: { sub, input } });
+	}
+	const type = makeType(credentialOptions);
+	const credentials = await options.store.selectList(options.table, {
+		sub,
+		type,
+	});
+	const now = nowInSeconds();
+	let valid;
+	let credential;
+	let skipExpiredCount = 0;
+	for (credential of credentials) {
+		// skip expired
+		if (credential.expire < now) {
+			skipExpiredCount += 1;
+			continue;
+		}
+		const { encryptionKey: encryptedKey } = credential;
+		const decryptedCredential = symmetricDecryptFields(
+			credential,
+			{ encryptedKey, sub },
+			options.encryptedFields,
+		);
+		let { value, ...values } = decryptedCredential;
+		value = await credentialOptions.decode(value);
+		try {
+			valid = await credentialOptions.verify(input, value, values);
+		} catch (e) {
+			if (options.log) {
+				options.log(e);
+			}
+			continue;
+		}
+		if (valid) {
+			const { id, otp } = credential;
+			if (otp) {
+				await remove(credentialOptions, sub, id);
+			}
+			break;
+		}
+	}
+	await timeout;
+	if (!valid) {
+		let cause = "invalid";
+		const credentialsCount = credentials.length;
+		if (credentialsCount === 0) {
+			cause = "missing";
+		} else if (skipExpiredCount === credentialsCount) {
+			cause = "expired";
+		}
+		throw new Error("401 Unauthorized", { cause });
+	}
+	return { ...credential, ...valid };
+};
+export const expire = async (_credentialOptions, sub, id, values = {}) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	if (!id || typeof id !== "string") {
+		throw new Error("404 Not Found", { cause: { sub, id } });
+	}
+	// const type = makeType(credentialOptions);
+	await options.store.update(
+		options.table,
+		{ sub, id },
+		{ ...values, expire: nowInSeconds() - 1 },
+	);
+};
+export const remove = async (credentialOptions, sub, id) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	if (!id || typeof id !== "string") {
+		throw new Error("404 Not Found", { cause: { sub, id } });
+	}
+	const type = makeType(credentialOptions);
+	await options.store.remove(options.table, { id, type, sub });
+};
+export const removeList = async (credentialOptions, sub, id) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	if (!id || !Array.isArray(id) || !id.length) {
+		throw new Error("404 Not Found", { cause: { sub, id } });
+	}
+	const type = makeType(credentialOptions);
+	await options.store.removeList(options.table, { id, type, sub });
+};
+export const select = async (credentialOptions, sub, id) => {
+	if (!sub || typeof sub !== "string") {
+		throw new Error("401 Unauthorized", { cause: { sub, id } });
+	}
+	if (!id || typeof id !== "string") {
+		throw new Error("404 Not Found", { cause: { sub, id } });
+	}
+	const type = makeType(credentialOptions);
+	const item = await options.store.select(options.table, { id, type, sub });
+	if (!item) return item;
+	const { encryptionKey: encryptedKey } = item;
+	item.encryptionKey = undefined;
+	const decryptedItem = symmetricDecryptFields(
+		item,
+		{ encryptedKey, sub },
+		options.encryptedFields,
+	);
+	return decryptedItem;
+};
 // TODO manage onboard state
@@ -165,4 +432,6 @@ export const expire = async (sub, id, parentOptions = options) => {
 // TODO authorize management?
-const nowInSeconds = () => Math.floor(Date.now() / 1000)
+const makeType = (credentialOptions) =>
+	`${credentialOptions.id}-${credentialOptions.type}`;
+const nowInSeconds = () => Math.floor(Date.now() / 1000);

package/package.json CHANGED Viewed

@@ -1,55 +1,55 @@
 {
-  "name": "@1auth/authn",
-  "version": "0.0.0-alpha.8",
-  "description": "",
-  "type": "module",
-  "engines": {
-    "node": ">=16"
-  },
-  "engineStrict": true,
-  "publishConfig": {
-    "access": "public"
-  },
-  "main": "./index.js",
-  "module": "./index.js",
-  "exports": {
-    ".": {
-      "import": {
-        "types": "./index.d.ts",
-        "default": "./index.js"
-      }
-    }
-  },
-  "types": "index.d.ts",
-  "files": [
-    "index.js",
-    "index.d.ts"
-  ],
-  "scripts": {
-    "test": "npm run test:unit",
-    "test:unit": "ava"
-  },
-  "license": "MIT",
-  "funding": {
-    "type": "github",
-    "url": "https://github.com/sponsors/willfarrell"
-  },
-  "keywords": [],
-  "author": {
-    "name": "1auth contributors",
-    "url": "https://github.com/willfarrell/1auth/graphs/contributors"
-  },
-  "repository": {
-    "type": "git",
-    "url": "github:willfarrell/1auth",
-    "directory": "packages/authn"
-  },
-  "bugs": {
-    "url": "https://github.com/willfarrell/1auth/issues"
-  },
-  "homepage": "https://github.com/willfarrell/1auth",
-  "gitHead": "d21e1013f55ed05af4daf980bc4dfdfd52538792",
-  "dependencies": {
-    "@1auth/crypto": "0.0.0-alpha.8"
-  }
+	"name": "@1auth/authn",
+	"version": "0.0.0-beta.0",
+	"description": "",
+	"type": "module",
+	"engines": {
+		"node": ">=24"
+	},
+	"engineStrict": true,
+	"publishConfig": {
+		"access": "public"
+	},
+	"main": "./index.js",
+	"module": "./index.js",
+	"exports": {
+		".": {
+			"import": {
+				"types": "./index.d.ts",
+				"default": "./index.js"
+			}
+		}
+	},
+	"types": "index.d.ts",
+	"files": [
+		"index.js",
+		"index.d.ts"
+	],
+	"scripts": {
+		"test": "npm run test:unit",
+		"test:unit": "node --test"
+	},
+	"license": "MIT",
+	"funding": {
+		"type": "github",
+		"url": "https://github.com/sponsors/willfarrell"
+	},
+	"keywords": [],
+	"author": {
+		"name": "1auth contributors",
+		"url": "https://github.com/willfarrell/1auth/graphs/contributors"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/willfarrell/1auth.git",
+		"directory": "packages/authn"
+	},
+	"bugs": {
+		"url": "https://github.com/willfarrell/1auth/issues"
+	},
+	"homepage": "https://github.com/willfarrell/1auth",
+	"gitHead": "7a6c0fbb8ab71d6a2171e678697de9f237568431",
+	"dependencies": {
+		"@1auth/crypto": "0.0.0-beta.0"
+	}
 }

package/LICENSE DELETED Viewed

@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2023 will Farrell
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.