npm - @absolutejs/auth - Versions diffs - 0.27.0-beta.8 → 0.27.0-beta.9 - Mend

@absolutejs/auth 0.27.0-beta.8 → 0.27.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/adaptive/config.d.ts +13 -1
package/dist/adaptive/fingerprint.d.ts +2 -0
package/dist/adaptive/types.d.ts +13 -1
package/dist/audit/export.d.ts +2 -0
package/dist/audit/types.d.ts +1 -0
package/dist/fga/config.d.ts +8 -0
package/dist/fga/schema.d.ts +2 -0
package/dist/fga/types.d.ts +1 -0
package/dist/index.d.ts +3 -0
package/dist/index.js +193 -18
package/dist/index.js.map +14 -11
package/package.json +1 -1

package/dist/adaptive/config.d.ts CHANGED Viewed

@@ -1,9 +1,13 @@
-import type { KnownDeviceStore, LoginHistoryStore, RiskAction, RiskAssessment, RiskContext, RiskSignal } from './types';
+import type { KnownDeviceStore, LoginHistoryStore, RiskAction, RiskAssessment, RiskContext, RiskSignal, RiskThresholds, RiskWeights, WeightedRiskAssessment } from './types';
 export type AdaptiveConfig = {
     historyLimit?: number;
     knownDeviceStore: KnownDeviceStore;
     loginHistoryStore: LoginHistoryStore;
     maxTravelKmh?: number;
+    offHours?: {
+        end: number;
+        start: number;
+    };
     rules?: Partial<Record<RiskSignal, RiskAction>>;
     velocityMaxAttempts?: number;
     velocityWindowMs?: number;
@@ -14,9 +18,17 @@ export declare const createRiskEngine: (config: AdaptiveConfig) => {
     recordAttempt: (context: RiskContext & {
         outcome: RiskAction;
     }) => Promise<void>;
+    scoreRisk: (context: RiskContext, options?: {
+        thresholds?: RiskThresholds;
+        weights?: RiskWeights;
+    }) => Promise<WeightedRiskAssessment>;
     trustDevice: (userId: string, deviceId: string, label?: string) => Promise<void>;
 };
 export declare const recordLoginAttempt: (config: AdaptiveConfig, context: RiskContext & {
     outcome: RiskAction;
 }) => Promise<void>;
+export declare const scoreRisk: (config: AdaptiveConfig & {
+    thresholds?: RiskThresholds;
+    weights?: RiskWeights;
+}, context: RiskContext) => Promise<WeightedRiskAssessment>;
 export declare const trustDevice: (config: AdaptiveConfig, userId: string, deviceId: string, label?: string) => Promise<void>;

package/dist/adaptive/fingerprint.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export type DeviceSignals = Record<string, unknown>;
2	+ export declare const fingerprintDevice: (signals: DeviceSignals) => Promise<string>;

package/dist/adaptive/types.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 export type RiskAction = 'allow' | 'deny' | 'step_up';
-export type RiskSignal = 'impossible_travel' | 'new_country' | 'new_device' | 'velocity';
+export type RiskSignal = 'impossible_travel' | 'new_country' | 'new_device' | 'off_hours' | 'proxy' | 'velocity';
 export type GeoPoint = {
     country?: string;
     latitude?: number;
@@ -9,6 +9,8 @@ export type RiskContext = {
     deviceId: string;
     geo?: GeoPoint;
     ipAddress?: string;
+    isProxy?: boolean;
+    localHour?: number;
     now?: number;
     userId: string;
 };
@@ -20,6 +22,16 @@ export type RiskAssessment = {
     action: RiskAction;
     reasons: RiskReason[];
 };
+export type RiskWeights = Partial<Record<RiskSignal, number>>;
+export type RiskThresholds = {
+    deny: number;
+    stepUp: number;
+};
+export type WeightedRiskAssessment = {
+    action: RiskAction;
+    reasons: RiskReason[];
+    score: number;
+};
 export type KnownDevice = {
     deviceId: string;
     firstSeenAt: number;

package/dist/audit/export.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { AuditEvent } from './types';
2	+ export declare const exportAuditCsv: (events: AuditEvent[]) => string;

package/dist/audit/types.d.ts CHANGED Viewed

@@ -15,4 +15,5 @@ export type AuditEventFilter = {
 export type AuditSink = {
     append: (event: AuditEvent) => Promise<void>;
     list?: (filter?: AuditEventFilter) => Promise<AuditEvent[]>;
+    prune?: (before: number) => Promise<number>;
 };

package/dist/fga/config.d.ts CHANGED Viewed

@@ -15,10 +15,17 @@ export type Subject = {
     subjectId: string;
     subjectType: string;
 };
+export type ObjectQuery = {
+    relation: string;
+    resourceType: string;
+    subjectId: string;
+    subjectType: string;
+};
 export declare const check: (config: FgaConfig, query: CheckQuery) => Promise<boolean>;
 export declare const createFgaEngine: (config: FgaConfig) => {
     check: (query: CheckQuery) => Promise<boolean>;
     deleteWarrant: (warrant: Warrant) => Promise<void>;
+    listObjects: (query: ObjectQuery) => Promise<string[]>;
     listSubjects: (query: {
         relation: string;
         resourceId: string;
@@ -27,6 +34,7 @@ export declare const createFgaEngine: (config: FgaConfig) => {
     writeWarrant: (warrant: Warrant) => Promise<void>;
 };
 export declare const deleteWarrant: (config: FgaConfig, warrant: Warrant) => Promise<void>;
+export declare const listObjects: (config: FgaConfig, query: ObjectQuery) => Promise<string[]>;
 export declare const listSubjects: (config: FgaConfig, query: {
     relation: string;
     resourceId: string;

package/dist/fga/schema.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { FgaSchema } from './types';
2	+ export declare const parseSchema: (dsl: string) => FgaSchema;

package/dist/fga/types.d.ts CHANGED Viewed

@@ -9,6 +9,7 @@ export type Warrant = {
 export type WarrantStore = {
     deleteWarrant: (warrant: Warrant) => Promise<void>;
     listForResource: (resourceType: string, resourceId: string, relation: string) => Promise<Warrant[]>;
+    listResourceIds: (resourceType: string) => Promise<string[]>;
     saveWarrant: (warrant: Warrant) => Promise<void>;
 };
 export type RelationRule = {

package/dist/index.d.ts CHANGED Viewed

@@ -14712,6 +14712,7 @@ export { createInMemoryLockoutStore } from './lockout/inMemoryLockoutStore';
 export { createNeonLockoutStore, createPostgresLockoutStore, lockoutsTable } from './lockout/postgresLockoutStore';
 export { createRedisLockoutStore } from './lockout/redisLockoutStore';
 export type { RedisLike } from './stores/redis';
+export { exportAuditCsv } from './audit/export';
 export { createInMemoryAuditSink } from './audit/inMemoryAuditStore';
 export { auditEventsTable, createNeonAuditSink, createPostgresAuditSink } from './audit/postgresAuditStore';
 export * from './sso/types';
@@ -14736,10 +14737,12 @@ export type { DpopResult } from './oidc/dpop';
 export { createInMemoryAuthorizationCodeStore, createInMemoryOAuthClientStore, createInMemoryOidcRefreshTokenStore } from './oidc/inMemoryStores';
 export { createNeonAuthorizationCodeStore, createNeonOAuthClientStore, createNeonOidcRefreshTokenStore, createPostgresAuthorizationCodeStore, createPostgresOAuthClientStore, createPostgresOidcRefreshTokenStore, oauthClientsTable, oauthCodesTable, oauthRefreshTokensTable } from './oidc/postgresStores';
 export * from './adaptive/config';
+export * from './adaptive/fingerprint';
 export * from './adaptive/types';
 export { createInMemoryKnownDeviceStore, createInMemoryLoginHistoryStore } from './adaptive/inMemoryStores';
 export { createNeonKnownDeviceStore, createNeonLoginHistoryStore, createPostgresKnownDeviceStore, createPostgresLoginHistoryStore, knownDevicesTable, loginHistoryTable } from './adaptive/postgresStores';
 export * from './fga/config';
+export * from './fga/schema';
 export * from './fga/types';
 export { createInMemoryWarrantStore, warrantKey } from './fga/inMemoryStores';
 export { createNeonWarrantStore, createPostgresWarrantStore, warrantsTable } from './fga/postgresStores';

package/dist/index.js CHANGED Viewed

@@ -18769,6 +18769,7 @@ var createTamperEvidentSink = ({
   };
   return {
     list: sink.list,
+    prune: sink.prune,
     append: async (event) => {
       await seed();
       const previousHash = lastHash ?? GENESIS;
@@ -19084,6 +19085,19 @@ var createRedisLockoutStore = (redis, keyPrefix = DEFAULT_PREFIX) => {
     }
   };
 };
+// src/audit/export.ts
+var CSV_HEADER = "at,type,userId,ip,organizationId,metadata";
+var escapeCsv = (value) => /[",\n\r]/u.test(value) ? `"${value.replace(/"/gu, '""')}"` : value;
+var toRow = (event) => [
+  new Date(event.at).toISOString(),
+  event.type,
+  event.userId ?? "",
+  event.ip ?? "",
+  event.organizationId ?? "",
+  event.metadata ? JSON.stringify(event.metadata) : ""
+].map(escapeCsv).join(",");
+var exportAuditCsv = (events) => [CSV_HEADER, ...events.map(toRow)].join(`
+`);
 // src/audit/inMemoryAuditStore.ts
 var createInMemoryAuditSink = () => {
   const events = [];
@@ -19096,6 +19110,13 @@ var createInMemoryAuditSink = () => {
       const ordered = [...matched].sort((left, right) => right.at - left.at);
       const limited = filter?.limit === undefined ? ordered : ordered.slice(0, filter.limit);
       return limited.map((event) => ({ ...event }));
+    },
+    prune: async (before) => {
+      const kept = events.filter((event) => event.at >= before);
+      const removed = events.length - kept.length;
+      events.length = 0;
+      events.push(...kept);
+      return removed;
     }
   };
 };
@@ -19137,6 +19158,10 @@ var createPostgresAuditSink = (db) => ({
   list: async (filter) => {
     const rows = await db.select().from(auditEventsTable).where(filter?.userId ? eq(auditEventsTable.user_id, filter.userId) : undefined).orderBy(desc(auditEventsTable.at_ms)).limit(filter?.limit ?? DEFAULT_AUDIT_LIMIT);
     return rows.map(toEvent);
+  },
+  prune: async (before) => {
+    const deleted = await db.delete(auditEventsTable).where(lt(auditEventsTable.at_ms, before)).returning({ id: auditEventsTable.id });
+    return deleted.length;
   }
 });
 // src/scim/inMemoryScimTokenStore.ts
@@ -19573,8 +19598,22 @@ var DEFAULT_RULE_ACTIONS = {
   impossible_travel: "deny",
   new_country: "step_up",
   new_device: "step_up",
+  off_hours: "allow",
+  proxy: "step_up",
   velocity: "deny"
 };
+var DEFAULT_RISK_WEIGHTS = {
+  impossible_travel: 80,
+  new_country: 25,
+  new_device: 20,
+  off_hours: 10,
+  proxy: 30,
+  velocity: 80
+};
+var DEFAULT_OFF_HOURS_START = 0;
+var DEFAULT_OFF_HOURS_END = 6;
+var DEFAULT_DENY_SCORE = 80;
+var DEFAULT_STEP_UP_SCORE = 40;
 var toRadians = (degrees) => degrees * Math.PI / DEGREES_PER_HALF_TURN;
 var haversineKm = (start, end) => {
   if (start.latitude === undefined || start.longitude === undefined || end.latitude === undefined || end.longitude === undefined) {
@@ -19588,32 +19627,44 @@ var haversineKm = (start, end) => {
   return HALF * EARTH_RADIUS_KM * Math.asin(Math.sqrt(factor));
 };
 var mostSevere2 = (reasons) => reasons.reduce((worst, reason) => ACTION_SEVERITY2[reason.action] > ACTION_SEVERITY2[worst] ? reason.action : worst, "allow");
-var assessRisk = async (config, context) => {
+var isWithinOffHours = (hour, range) => {
+  const start = range?.start ?? DEFAULT_OFF_HOURS_START;
+  const end = range?.end ?? DEFAULT_OFF_HOURS_END;
+  if (start <= end)
+    return hour >= start && hour < end;
+  return hour >= start || hour < end;
+};
+var actionForScore = (score, thresholds) => {
+  const deny = "deny";
+  const stepUp = "step_up";
+  const allow = "allow";
+  if (score >= thresholds.deny)
+    return deny;
+  if (score >= thresholds.stepUp)
+    return stepUp;
+  return allow;
+};
+var detectSignals = async (config, context) => {
   const {
     historyLimit = DEFAULT_HISTORY_LIMIT,
     knownDeviceStore,
     loginHistoryStore,
     maxTravelKmh = DEFAULT_MAX_TRAVEL_KMH,
-    rules,
+    offHours,
     velocityMaxAttempts = DEFAULT_VELOCITY_MAX_ATTEMPTS,
     velocityWindowMs = DEFAULT_VELOCITY_WINDOW_MS
   } = config;
   const now = context.now ?? Date.now();
-  const actions = {
-    ...DEFAULT_RULE_ACTIONS,
-    ...rules
-  };
-  const reasons = [];
+  const fired = [];
   const [device, history] = await Promise.all([
     knownDeviceStore.findDevice(context.userId, context.deviceId),
     loginHistoryStore.listRecent(context.userId, historyLimit)
   ]);
-  if (device === undefined || !device.trusted) {
-    reasons.push({ action: actions.new_device, signal: "new_device" });
-  }
+  if (device === undefined || !device.trusted)
+    fired.push("new_device");
   const country = context.geo?.country;
   if (country !== undefined && history.length > 0 && !history.some((attempt) => attempt.country === country)) {
-    reasons.push({ action: actions.new_country, signal: "new_country" });
+    fired.push("new_country");
   }
   const [previous] = history;
   const traveledKm = previous !== undefined && context.geo !== undefined ? haversineKm({
@@ -19622,20 +19673,34 @@ var assessRisk = async (config, context) => {
   }, context.geo) : undefined;
   const hours = previous === undefined ? 0 : (now - previous.timestamp) / MILLISECONDS_IN_AN_HOUR;
   if (traveledKm !== undefined && hours > 0 && traveledKm / hours > maxTravelKmh) {
-    reasons.push({
-      action: actions.impossible_travel,
-      signal: "impossible_travel"
-    });
+    fired.push("impossible_travel");
   }
   const recentCount = history.filter((attempt) => now - attempt.timestamp <= velocityWindowMs).length;
-  if (recentCount >= velocityMaxAttempts) {
-    reasons.push({ action: actions.velocity, signal: "velocity" });
+  if (recentCount >= velocityMaxAttempts)
+    fired.push("velocity");
+  if (context.isProxy === true)
+    fired.push("proxy");
+  if (context.localHour !== undefined && isWithinOffHours(context.localHour, offHours)) {
+    fired.push("off_hours");
   }
+  return fired;
+};
+var assessRisk = async (config, context) => {
+  const actions = {
+    ...DEFAULT_RULE_ACTIONS,
+    ...config.rules
+  };
+  const fired = await detectSignals(config, context);
+  const reasons = fired.map((signal) => ({
+    action: actions[signal],
+    signal
+  }));
   return { action: mostSevere2(reasons), reasons };
 };
 var createRiskEngine = (config) => ({
   assessRisk: (context) => assessRisk(config, context),
   recordAttempt: (context) => recordLoginAttempt(config, context),
+  scoreRisk: (context, options) => scoreRisk({ ...config, ...options }, context),
   trustDevice: (userId, deviceId, label) => trustDevice(config, userId, deviceId, label)
 });
 var recordLoginAttempt = async (config, context) => {
@@ -19661,6 +19726,22 @@ var recordLoginAttempt = async (config, context) => {
     userId: context.userId
   });
 };
+var scoreRisk = async (config, context) => {
+  const weights = {
+    ...DEFAULT_RISK_WEIGHTS,
+    ...config.weights
+  };
+  const defaultThresholds = {
+    deny: DEFAULT_DENY_SCORE,
+    stepUp: DEFAULT_STEP_UP_SCORE
+  };
+  const thresholds = config.thresholds ?? defaultThresholds;
+  const fired = await detectSignals(config, context);
+  const score = fired.reduce((sum, signal) => sum + weights[signal], 0);
+  const action = actionForScore(score, thresholds);
+  const reasons = fired.map((signal) => ({ action, signal }));
+  return { action, reasons, score };
+};
 var trustDevice = async (config, userId, deviceId, label) => {
   const now = Date.now();
   const existing = await config.knownDeviceStore.findDevice(userId, deviceId);
@@ -19673,6 +19754,9 @@ var trustDevice = async (config, userId, deviceId, label) => {
     userId
   });
 };
+// src/adaptive/fingerprint.ts
+var canonical = (signals) => JSON.stringify(signals, (_key, value) => value === null || typeof value !== "object" || Array.isArray(value) ? value : Object.fromEntries(Object.entries(value).sort((left, right) => left[0].localeCompare(right[0]))));
+var fingerprintDevice = (signals) => hashToken(canonical(signals));
 // src/adaptive/inMemoryStores.ts
 var deviceKey = (userId, deviceId) => `${userId}:${deviceId}`;
 var createInMemoryKnownDeviceStore = () => {
@@ -19872,16 +19956,95 @@ var expandRule = async (config, resourceType, resourceId, relation, rule, depth,
 var createFgaEngine = (config) => ({
   check: (query) => check(config, query),
   deleteWarrant: (warrant) => deleteWarrant(config, warrant),
+  listObjects: (query) => listObjects(config, query),
   listSubjects: (query) => listSubjects(config, query),
   writeWarrant: (warrant) => writeWarrant(config, warrant)
 });
 var deleteWarrant = (config, warrant) => config.warrantStore.deleteWarrant(warrant);
+var listObjects = async (config, query) => {
+  const candidates = await config.warrantStore.listResourceIds(query.resourceType);
+  const allowed = await Promise.all(candidates.map((resourceId) => check(config, {
+    relation: query.relation,
+    resourceId,
+    resourceType: query.resourceType,
+    subjectId: query.subjectId,
+    subjectType: query.subjectType
+  })));
+  return candidates.filter((_resourceId, index) => allowed[index] === true);
+};
 var listSubjects = async (config, query) => {
   const found = new Map;
   await expand(config, query.resourceType, query.resourceId, query.relation, config.maxDepth ?? DEFAULT_MAX_DEPTH, found, new Set);
   return [...found.values()];
 };
 var writeWarrant = (config, warrant) => config.warrantStore.saveWarrant(warrant);
+// src/fga/schema.ts
+var TYPE_PATTERN = /^type\s+(\w+)$/u;
+var DEFINE_PATTERN = /^define\s+(\w+)\s*:\s*(.+)$/u;
+var FROM_PATTERN = /^(\w+)\s+from\s+(\w+)$/u;
+var OR_SEPARATOR = /\s+or\s+/u;
+var parseTerm = (term) => {
+  const trimmed = term.trim();
+  if (trimmed.startsWith("[")) {
+    const rule2 = { kind: "self" };
+    return rule2;
+  }
+  const fromMatch = FROM_PATTERN.exec(trimmed);
+  if (fromMatch) {
+    const [, relation, viaRelation] = fromMatch;
+    const rule2 = {
+      kind: "tupleToUserset",
+      relation: relation ?? "",
+      viaRelation: viaRelation ?? ""
+    };
+    return rule2;
+  }
+  const rule = { kind: "computedUserset", relation: trimmed };
+  return rule;
+};
+var parseExpression = (expression) => {
+  const terms = expression.split(OR_SEPARATOR).map(parseTerm);
+  const [first] = terms;
+  if (terms.length === 1 && first)
+    return first;
+  const rule = { kind: "union", rules: terms };
+  return rule;
+};
+var applyType = (schema, line2) => {
+  const match = TYPE_PATTERN.exec(line2);
+  if (!match)
+    return;
+  const [, name] = match;
+  if (name)
+    schema[name] = {};
+  return name;
+};
+var applyDefine = (target, line2) => {
+  if (!target)
+    return;
+  const match = DEFINE_PATTERN.exec(line2);
+  if (!match)
+    return;
+  const [, relation, expression] = match;
+  if (relation && expression)
+    target[relation] = parseExpression(expression);
+};
+var parseSchema = (dsl) => {
+  const schema = {};
+  let currentType;
+  for (const rawLine of dsl.split(`
+`)) {
+    const line2 = rawLine.trim();
+    if (line2 === "" || line2.startsWith("#") || line2 === "relations")
+      continue;
+    const typeName = applyType(schema, line2);
+    currentType = typeName ?? currentType;
+    if (typeName !== undefined)
+      continue;
+    applyDefine(currentType ? schema[currentType] : undefined, line2);
+  }
+  return schema;
+};
 // src/fga/inMemoryStores.ts
 var createInMemoryWarrantStore = () => {
   const warrants = new Map;
@@ -19890,6 +20053,9 @@ var createInMemoryWarrantStore = () => {
       warrants.delete(warrantKey(warrant));
     },
     listForResource: async (resourceType, resourceId, relation) => [...warrants.values()].filter((warrant) => warrant.resourceType === resourceType && warrant.resourceId === resourceId && warrant.relation === relation),
+    listResourceIds: async (resourceType) => [
+      ...new Set([...warrants.values()].filter((warrant) => warrant.resourceType === resourceType).map((warrant) => warrant.resourceId))
+    ],
     saveWarrant: async (warrant) => {
       warrants.set(warrantKey(warrant), { ...warrant });
     }
@@ -19924,6 +20090,10 @@ var createPostgresWarrantStore = (db) => ({
     const rows = await db.select().from(warrantsTable).where(and(eq(warrantsTable.resource_type, resourceType), eq(warrantsTable.resource_id, resourceId), eq(warrantsTable.relation, relation)));
     return rows.map(toWarrant);
   },
+  listResourceIds: async (resourceType) => {
+    const rows = await db.selectDistinct({ resourceId: warrantsTable.resource_id }).from(warrantsTable).where(eq(warrantsTable.resource_type, resourceType));
+    return rows.map((row) => row.resourceId);
+  },
   saveWarrant: async (warrant) => {
     await db.insert(warrantsTable).values({
       id: warrantKey(warrant),
@@ -20751,6 +20921,7 @@ export {
   sessionStore,
   sessionRoutes,
   sessionCleanup,
+  scoreRisk,
   scopeRequiredProviderOptions,
   scimTokensTable,
   scimRoutes,
@@ -20781,6 +20952,7 @@ export {
   pkceProviderOptions,
   passwordlessTokensTable,
   passwordlessRoutes,
+  parseSchema,
   organizationsTable,
   organizationRoutes,
   organizationMembershipsTable,
@@ -20802,6 +20974,7 @@ export {
   listUserOrganizations,
   listSubjects,
   listRingSessions,
+  listObjects,
   knownDevicesTable,
   jwkThumbprint,
   issueTokenSet,
@@ -20835,7 +21008,9 @@ export {
   generateSecureToken,
   generateEncryptionKey,
   generateBackupCodes,
+  fingerprintDevice,
   extractPropFromIdentity,
+  exportAuditCsv,
   exchangeToken,
   exchangeClientCredentials,
   evaluatePassword,
@@ -20999,5 +21174,5 @@ export {
   AuthIdentityConflictError
 };
-//# debugId=B234E4311897F15C64756E2164756E21
+//# debugId=22C6F88FE2A9D7F764756E2164756E21
 //# sourceMappingURL=index.js.map