npm - @absolutejs/auth - Versions diffs - 0.27.0-beta.2 → 0.27.0-beta.3 - Mend

@absolutejs/auth 0.27.0-beta.2 → 0.27.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/abuse/config.d.ts +29 -0
package/dist/audit/integrity.d.ts +15 -0
package/dist/audit/siem.d.ts +11 -0
package/dist/audit/types.d.ts +1 -1
package/dist/index.d.ts +6 -0
package/dist/index.js +284 -4
package/dist/index.js.map +9 -5
package/dist/session/impersonation.d.ts +29 -0
package/dist/session/promote.d.ts +2 -1
package/dist/types.d.ts +13 -0
package/package.json +1 -1

package/dist/abuse/config.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+export type AbuseAction = 'allow' | 'challenge' | 'deny';
+export type AbuseSignal = 'blocked_ip' | 'bot' | 'captcha_failed' | 'not_allowlisted';
+export type BotClass = 'agent' | 'bot' | 'crawler' | 'human';
+export type AbuseContext = {
+    captchaToken?: string;
+    ip?: string;
+    userAgent?: string;
+};
+export type AbuseReason = {
+    action: AbuseAction;
+    signal: AbuseSignal;
+};
+export type AbuseAssessment = {
+    action: AbuseAction;
+    reasons: AbuseReason[];
+};
+export type AbuseConfig = {
+    botAction?: AbuseAction;
+    captchaAction?: AbuseAction;
+    classifyBot?: (context: AbuseContext) => BotClass | Promise<BotClass>;
+    ipAllow?: string[];
+    ipDeny?: string[];
+    verifyCaptcha?: (token: string | undefined, context: AbuseContext) => boolean | Promise<boolean>;
+};
+export declare const assessAbuse: (config: AbuseConfig, context: AbuseContext) => Promise<AbuseAssessment>;
+export declare const createAbuseGuard: (config: AbuseConfig) => {
+    assess: (context: AbuseContext) => Promise<AbuseAssessment>;
+};
+export declare const defaultBotClassifier: (context: AbuseContext) => "bot" | "crawler" | "human";

package/dist/audit/integrity.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { AuditEvent, AuditSink } from './types';
+export type AuditIntegrity = {
+    hash: string;
+    previousHash: string;
+};
+export type AuditChainResult = {
+    brokenAt?: number;
+    ok: boolean;
+};
+export declare const createTamperEvidentSink: ({ secret, sink }: {
+    secret?: string;
+    sink: AuditSink;
+}) => AuditSink;
+export declare const hashAuditEvent: (event: AuditEvent, previousHash: string, secret?: string) => Promise<string>;
+export declare const verifyAuditChain: (events: AuditEvent[], secret?: string) => Promise<AuditChainResult>;

package/dist/audit/siem.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { AuditSink } from './types';
+export type SiemFormat = 'datadog' | 'generic' | 'splunk';
+export type SiemEndpoint = {
+    format?: SiemFormat;
+    headers?: Record<string, string>;
+    token?: string;
+    url: string;
+};
+export declare const createSiemLogStream: ({ endpoints }: {
+    endpoints: SiemEndpoint[];
+}) => AuditSink;

package/dist/audit/types.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import type { OrganizationId } from '../tenancy';
-export type AuditEventType = 'account_deleted' | 'authorization_denied' | 'credentials_login' | 'credentials_login_failed' | 'data_exported' | 'email_verified' | 'identity_conflict' | 'invitation_accepted' | 'invitation_created' | 'logout' | 'membership_removed' | 'mfa_challenge' | 'mfa_challenge_failed' | 'mfa_enrolled' | 'oauth_login' | 'organization_created' | 'password_reset' | 'passwordless_login' | 'register' | 'role_assigned' | 'scim_provision' | 'scim_token_created' | 'session_revoked' | 'setup_session_created' | 'sso_connection_configured' | 'sso_login' | 'token_refreshed' | 'token_revoked' | 'webauthn_authenticated' | 'webauthn_registered';
+export type AuditEventType = 'account_deleted' | 'authorization_denied' | 'credentials_login' | 'credentials_login_failed' | 'data_exported' | 'email_verified' | 'identity_conflict' | 'impersonation_ended' | 'impersonation_started' | 'invitation_accepted' | 'invitation_created' | 'logout' | 'membership_removed' | 'mfa_challenge' | 'mfa_challenge_failed' | 'mfa_enrolled' | 'oauth_login' | 'organization_created' | 'password_reset' | 'passwordless_login' | 'register' | 'role_assigned' | 'scim_provision' | 'scim_token_created' | 'session_revoked' | 'setup_session_created' | 'sso_connection_configured' | 'sso_login' | 'token_refreshed' | 'token_revoked' | 'webauthn_authenticated' | 'webauthn_registered';
 export type AuditEvent = {
     at: number;
     ip?: string;

package/dist/index.d.ts CHANGED Viewed

@@ -8407,6 +8407,7 @@ export { protectRoutePlugin } from './routes/protectRoute';
 export { sessionRoutes } from './routes/sessions';
 export { stepUpPlugin } from './routes/stepUp';
 export * from './session/sessionsConfig';
+export { endImpersonation, isImpersonating, startImpersonation } from './session/impersonation';
 export { listUserSessions, revokeUserSessions } from './session/userSessions';
 export type { UserSession } from './session/userSessions';
 export { sessionCleanup } from './session/cleanup';
@@ -8445,6 +8446,11 @@ export { createInMemoryMfaStore } from './mfa/inMemoryMfaStore';
 export { createNeonMfaStore, createPostgresMfaStore, mfaEnrollmentsTable } from './mfa/postgresMfaStore';
 export * from './audit/config';
 export * from './audit/types';
+export { createTamperEvidentSink, hashAuditEvent, verifyAuditChain } from './audit/integrity';
+export type { AuditChainResult, AuditIntegrity } from './audit/integrity';
+export { createSiemLogStream } from './audit/siem';
+export type { SiemEndpoint, SiemFormat } from './audit/siem';
+export * from './abuse/config';
 export * from './authorization/config';
 export { protectPermissionPlugin } from './authorization/protectPermission';
 export * from './compliance/config';

package/dist/index.js CHANGED Viewed

@@ -3215,6 +3215,7 @@ var persistWhen = async (shouldPersist, persist) => {
 var promoteToSession = async ({
   authSessionStore,
   cookie,
+  impersonator,
   inMemorySession,
   samlLogout,
   sessionDurationMs,
@@ -3233,6 +3234,8 @@ var promoteToSession = async ({
   };
   if (samlLogout !== undefined)
     data.samlLogout = samlLogout;
+  if (impersonator !== undefined)
+    data.impersonator = impersonator;
   targetSession[userSessionId] = data;
   cookie.set({
     httpOnly: true,
@@ -17531,6 +17534,85 @@ var createInMemoryLinkedProviderStores = (input = {}) => {
   };
   return { bindingStore, grantStore };
 };
+// src/session/impersonation.ts
+var DEFAULT_IMPERSONATION_TTL_MS = MILLISECONDS_IN_AN_HOUR;
+var endImpersonation = async ({
+  authSessionStore,
+  cookie,
+  emit,
+  inMemorySession
+}) => {
+  const currentId = cookie.value;
+  if (currentId === undefined)
+    return { restored: false };
+  const current = await loadSessionFromSource({
+    authSessionStore,
+    removeExpired: false,
+    session: inMemorySession,
+    userSessionId: currentId
+  });
+  const impersonator = current?.impersonator;
+  if (authSessionStore)
+    await authSessionStore.removeSession(currentId);
+  else
+    delete inMemorySession[currentId];
+  await emit?.({
+    at: Date.now(),
+    metadata: impersonator === undefined ? undefined : { actorId: impersonator.actorId },
+    type: "impersonation_ended"
+  });
+  const returnTo = impersonator?.returnToSessionId;
+  const prior = returnTo === undefined ? undefined : await loadSessionFromSource({
+    authSessionStore,
+    session: inMemorySession,
+    userSessionId: returnTo
+  });
+  if (prior !== undefined && returnTo !== undefined) {
+    cookie.set({
+      httpOnly: true,
+      sameSite: "lax",
+      secure: true,
+      value: returnTo
+    });
+    return { restored: true };
+  }
+  cookie.remove();
+  return { restored: false };
+};
+var isImpersonating = (session) => session?.impersonator !== undefined;
+var startImpersonation = async ({
+  authSessionStore,
+  cookie,
+  emit,
+  getUserId,
+  impersonator,
+  inMemorySession,
+  sessionDurationMs = DEFAULT_IMPERSONATION_TTL_MS,
+  user
+}) => {
+  const stamp = {
+    actorEmail: impersonator.actorEmail,
+    actorId: impersonator.actorId,
+    reason: impersonator.reason,
+    returnToSessionId: cookie.value,
+    startedAt: Date.now()
+  };
+  const sessionId = await promoteToSession({
+    authSessionStore,
+    cookie,
+    impersonator: stamp,
+    inMemorySession,
+    sessionDurationMs,
+    user
+  });
+  await emit?.({
+    at: Date.now(),
+    metadata: { actorId: stamp.actorId, reason: stamp.reason },
+    type: "impersonation_started",
+    userId: getUserId?.(user)
+  });
+  return sessionId;
+};
 // src/utils.ts
 var defineAuthConfig = (configuration) => configuration;
 var defineAuthHtmxConfig = (htmxConfig) => htmxConfig;
@@ -17963,6 +18045,194 @@ var createPostgresMfaStore = (db) => ({
     });
   }
 });
+// src/audit/integrity.ts
+var INTEGRITY_KEY = "__integrity";
+var GENESIS = "";
+var HEX_RADIX2 = 16;
+var HEX_PAD = 2;
+var encoder = new TextEncoder;
+var toHex = (buffer) => [...new Uint8Array(buffer)].map((byte) => byte.toString(HEX_RADIX2).padStart(HEX_PAD, "0")).join("");
+var sha256Hex = async (message) => toHex(await crypto.subtle.digest("SHA-256", encoder.encode(message)));
+var hmacSha256Hex = async (secret, message) => {
+  const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { hash: "SHA-256", name: "HMAC" }, false, ["sign"]);
+  return toHex(await crypto.subtle.sign("HMAC", key, encoder.encode(message)));
+};
+var sortKeys = (value) => value === null || typeof value !== "object" || Array.isArray(value) ? value : Object.fromEntries(Object.entries(value).sort((left, right) => left[0].localeCompare(right[0])));
+var stableStringify = (value) => JSON.stringify(value, (_key, val) => sortKeys(val));
+var cleanMetadata = (metadata) => {
+  if (metadata === undefined)
+    return;
+  const result = {};
+  for (const [key, val] of Object.entries(metadata)) {
+    if (key !== INTEGRITY_KEY)
+      result[key] = val;
+  }
+  return Object.keys(result).length === 0 ? undefined : result;
+};
+var readIntegrity = (event) => {
+  const raw = event.metadata?.[INTEGRITY_KEY];
+  if (raw === undefined)
+    return;
+  return raw;
+};
+var brokenAt = (index) => {
+  const result = { brokenAt: index, ok: false };
+  return result;
+};
+var createTamperEvidentSink = ({
+  secret,
+  sink
+}) => {
+  let lastHash;
+  const seed = async () => {
+    if (lastHash !== undefined)
+      return;
+    const [recent] = await sink.list?.({ limit: 1 }) ?? [];
+    lastHash = recent ? readIntegrity(recent)?.hash ?? GENESIS : GENESIS;
+  };
+  return {
+    list: sink.list,
+    append: async (event) => {
+      await seed();
+      const previousHash = lastHash ?? GENESIS;
+      const hash = await hashAuditEvent(event, previousHash, secret);
+      lastHash = hash;
+      const integrity = { hash, previousHash };
+      await sink.append({
+        ...event,
+        metadata: { ...event.metadata, [INTEGRITY_KEY]: integrity }
+      });
+    }
+  };
+};
+var hashAuditEvent = async (event, previousHash, secret) => {
+  const message = `${previousHash}.${stableStringify({
+    ...event,
+    metadata: cleanMetadata(event.metadata)
+  })}`;
+  return secret === undefined ? sha256Hex(message) : hmacSha256Hex(secret, message);
+};
+var verifyAuditChain = async (events, secret) => {
+  let previousHash = GENESIS;
+  for (let index = 0;index < events.length; index += 1) {
+    const event = events[index];
+    if (event === undefined)
+      return brokenAt(index);
+    const integrity = readIntegrity(event);
+    const expected = await hashAuditEvent(event, previousHash, secret);
+    if (integrity === undefined || integrity.previousHash !== previousHash || integrity.hash !== expected) {
+      return brokenAt(index);
+    }
+    previousHash = integrity.hash;
+  }
+  const valid = { ok: true };
+  return valid;
+};
+// src/audit/siem.ts
+var SOURCE = "absolutejs-auth";
+var requestFor = (endpoint, event) => {
+  const base = {
+    "content-type": "application/json",
+    ...endpoint.headers
+  };
+  if (endpoint.format === "datadog") {
+    return {
+      body: JSON.stringify({
+        ...event,
+        ddsource: SOURCE,
+        service: SOURCE
+      }),
+      headers: endpoint.token === undefined ? base : { ...base, "DD-API-KEY": endpoint.token }
+    };
+  }
+  if (endpoint.format === "splunk") {
+    return {
+      body: JSON.stringify({ event, sourcetype: SOURCE }),
+      headers: endpoint.token === undefined ? base : { ...base, authorization: `Splunk ${endpoint.token}` }
+    };
+  }
+  return {
+    body: JSON.stringify(event),
+    headers: endpoint.token === undefined ? base : { ...base, authorization: `Bearer ${endpoint.token}` }
+  };
+};
+var createSiemLogStream = ({
+  endpoints
+}) => ({
+  append: async (event) => {
+    await Promise.all(endpoints.map(async (endpoint) => {
+      const { body, headers } = requestFor(endpoint, event);
+      await fetch(endpoint.url, {
+        body,
+        headers,
+        method: "POST"
+      }).catch(() => {
+        return;
+      });
+    }));
+  }
+});
+// src/abuse/config.ts
+var IPV4_BITS = 32;
+var IPV4_OCTET_SPACE = 256;
+var FULL_MASK = -1;
+var ACTION_SEVERITY = {
+  allow: 0,
+  challenge: 1,
+  deny: 2
+};
+var BOT_PATTERN = /bot|crawl|spider|curl|wget|python-requests|headless|scrapy/iu;
+var CRAWLER_PATTERN = /googlebot|bingbot|duckduckbot|baiduspider|yandex/iu;
+var ipv4ToInt = (ipAddress) => ipAddress.split(".").reduce((acc, octet) => acc * IPV4_OCTET_SPACE + Number(octet), 0) >>> 0;
+var matchCidrV4 = (ipAddress, cidr2) => {
+  const [range, bitsRaw] = cidr2.split("/");
+  const bits = Number(bitsRaw);
+  if (range === undefined || !Number.isInteger(bits) || !ipAddress.includes(".")) {
+    return false;
+  }
+  const mask = bits === 0 ? 0 : FULL_MASK << IPV4_BITS - bits >>> 0;
+  return (ipv4ToInt(ipAddress) & mask) === (ipv4ToInt(range) & mask);
+};
+var ipInList = (ipAddress, list) => list.some((entry) => entry.includes("/") ? matchCidrV4(ipAddress, entry) : entry === ipAddress);
+var mostSevere = (reasons) => reasons.reduce((worst, reason) => ACTION_SEVERITY[reason.action] > ACTION_SEVERITY[worst] ? reason.action : worst, "allow");
+var assessAbuse = async (config, context) => {
+  const ipAddress = context.ip;
+  if (ipAddress !== undefined && config.ipAllow !== undefined && config.ipAllow.length > 0 && ipInList(ipAddress, config.ipAllow)) {
+    return { action: "allow", reasons: [] };
+  }
+  const reasons = [];
+  if (ipAddress !== undefined && config.ipDeny !== undefined && ipInList(ipAddress, config.ipDeny)) {
+    reasons.push({ action: "deny", signal: "blocked_ip" });
+  }
+  if (ipAddress !== undefined && config.ipAllow !== undefined && config.ipAllow.length > 0 && !ipInList(ipAddress, config.ipAllow)) {
+    reasons.push({ action: "deny", signal: "not_allowlisted" });
+  }
+  const captchaPassed = config.verifyCaptcha === undefined || await config.verifyCaptcha(context.captchaToken, context);
+  if (!captchaPassed) {
+    reasons.push({
+      action: config.captchaAction ?? "deny",
+      signal: "captcha_failed"
+    });
+  }
+  const botClass = config.classifyBot === undefined ? "human" : await config.classifyBot(context);
+  if (botClass !== "human") {
+    reasons.push({ action: config.botAction ?? "deny", signal: "bot" });
+  }
+  return { action: mostSevere(reasons), reasons };
+};
+var createAbuseGuard = (config) => ({
+  assess: (context) => assessAbuse(config, context)
+});
+var defaultBotClassifier = (context) => {
+  const userAgent = context.userAgent ?? "";
+  if (userAgent.trim() === "")
+    return "bot";
+  if (CRAWLER_PATTERN.test(userAgent))
+    return "crawler";
+  if (BOT_PATTERN.test(userAgent))
+    return "bot";
+  return "human";
+};
 // src/compliance/redaction.ts
 var createAuditRedactor = ({
   dropFields = [],
@@ -18457,7 +18727,7 @@ var DEFAULT_VELOCITY_WINDOW_MS = MILLISECONDS_IN_A_MINUTE * DEFAULT_VELOCITY_WIN
 var EARTH_RADIUS_KM = 6371;
 var DEGREES_PER_HALF_TURN = 180;
 var HALF = 2;
-var ACTION_SEVERITY = {
+var ACTION_SEVERITY2 = {
   allow: 0,
   deny: 2,
   step_up: 1
@@ -18480,7 +18750,7 @@ var haversineKm = (start, end) => {
   const factor = sinLat * sinLat + Math.cos(toRadians(start.latitude)) * Math.cos(toRadians(end.latitude)) * sinLon * sinLon;
   return HALF * EARTH_RADIUS_KM * Math.asin(Math.sqrt(factor));
 };
-var mostSevere = (reasons) => reasons.reduce((worst, reason) => ACTION_SEVERITY[reason.action] > ACTION_SEVERITY[worst] ? reason.action : worst, "allow");
+var mostSevere2 = (reasons) => reasons.reduce((worst, reason) => ACTION_SEVERITY2[reason.action] > ACTION_SEVERITY2[worst] ? reason.action : worst, "allow");
 var assessRisk = async (config, context) => {
   const {
     historyLimit = DEFAULT_HISTORY_LIMIT,
@@ -18524,7 +18794,7 @@ var assessRisk = async (config, context) => {
   if (recentCount >= velocityMaxAttempts) {
     reasons.push({ action: actions.velocity, signal: "velocity" });
   }
-  return { action: mostSevere(reasons), reasons };
+  return { action: mostSevere2(reasons), reasons };
 };
 var createRiskEngine = (config) => ({
   assessRisk: (context) => assessRisk(config, context),
@@ -19475,12 +19745,14 @@ export {
   verifyWebhookSignature,
   verifyTotp,
   verifyPassword,
+  verifyAuditChain,
   verifyApiKey,
   verifyAccessToken,
   validateSession,
   userSessionIdTypebox,
   trustDevice,
   stepUpPlugin,
+  startImpersonation,
   ssoDiscoveryRoute,
   ssoConnectionsTable,
   signWebhook,
@@ -19542,11 +19814,13 @@ export {
   isPKCEProviderOption,
   isOIDCProviderOption,
   isMfaEnrolled,
+  isImpersonating,
   isAuthIntent,
   inviteToOrganization,
   instantiateUserSession,
   hashToken,
   hashPassword,
+  hashAuditEvent,
   hasScopes,
   hasOrganizationScope,
   getUserSessionId,
@@ -19559,12 +19833,14 @@ export {
   extractPropFromIdentity,
   exchangeClientCredentials,
   evaluatePassword,
+  endImpersonation,
   encryptTotpSecret,
   encryptSecret,
   defineProvidersConfiguration,
   defineAuthSettings,
   defineAuthHtmxConfig,
   defineAuthConfig,
+  defaultBotClassifier,
   decryptTotpSecret,
   decryptSecret,
   decodeJWT,
@@ -19578,6 +19854,8 @@ export {
   credentialResetTokensTable,
   createWebhookDispatcher,
   createTotpKeyUri,
+  createTamperEvidentSink,
+  createSiemLogStream,
   createSetupSession,
   createSecretCipher,
   createScimToken,
@@ -19649,6 +19927,7 @@ export {
   createAuditEmitter,
   createApiKey,
   createApiClient,
+  createAbuseGuard,
   consumeBackupCode,
   constantTimeEqual,
   complianceRoutes,
@@ -19661,6 +19940,7 @@ export {
   auth,
   auditEventsTable,
   assessRisk,
+  assessAbuse,
   apiKeysTable,
   apiKeysRoutes,
   apiClientsTable,
@@ -19695,5 +19975,5 @@ export {
   AuthIdentityConflictError
 };
-//# debugId=F0BD7B32BDA8B43664756E2164756E21
+//# debugId=5C9E1C93D2A5368D64756E2164756E21
 //# sourceMappingURL=index.js.map