@agjs/tsforge 0.1.0

package/src/rule-packs/jwt-cookies/rules/bcrypt-rounds-min.ts

@@ -0,0 +1,195 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import type { JSONSchema4 } from "@typescript-eslint/utils/json-schema";
+
+import { createRule } from "../../create-rule";
+
+export const RULE_NAME = "bcrypt-rounds-min";
+
+export interface BcryptRoundsMinOptions {
+  readonly minRounds?: number;
+  readonly bcryptModules?: readonly string[];
+}
+
+type RuleOptions = [BcryptRoundsMinOptions];
+type MessageIds = "roundsTooLow";
+
+const DEFAULT_MIN_ROUNDS = 10;
+const DEFAULT_BCRYPT_MODULES: readonly string[] = ["bcrypt", "bcryptjs"];
+
+const optionSchema: JSONSchema4 = {
+  type: "object",
+  additionalProperties: false,
+  properties: {
+    minRounds: { type: "number", minimum: 1 },
+    bcryptModules: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+  },
+};
+
+interface ImportTracker {
+  readonly bindings: Map<string, string>; // local name -> module
+}
+
+export const bcryptRoundsMinRule = createRule<RuleOptions, MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow `bcrypt.hash` / `bcrypt.hashSync` calls with a numeric-literal rounds value below the configured minimum (default 10).",
+    },
+    schema: [optionSchema],
+    messages: {
+      roundsTooLow:
+        "{{module}}.{{method}} with {{found}} rounds is below the {{min}} minimum — too cheap to bruteforce in 2026.",
+    },
+  },
+  defaultOptions: [
+    {
+      minRounds: DEFAULT_MIN_ROUNDS,
+      bcryptModules: [...DEFAULT_BCRYPT_MODULES],
+    },
+  ],
+  create(context, [options]) {
+    const minRounds = options.minRounds ?? DEFAULT_MIN_ROUNDS;
+    const bcryptModules = new Set(
+      options.bcryptModules ?? DEFAULT_BCRYPT_MODULES
+    );
+
+    const tracker: ImportTracker = { bindings: new Map() };
+
+    function getRootIdentifier(
+      node: TSESTree.Node
+    ): TSESTree.Identifier | null {
+      let current: TSESTree.Node = node;
+
+      while (current.type === AST_NODE_TYPES.MemberExpression) {
+        current = current.object;
+      }
+
+      if (current.type === AST_NODE_TYPES.Identifier) {
+        return current;
+      }
+
+      return null;
+    }
+
+    function getMemberMethodName(
+      callee: TSESTree.MemberExpression
+    ): string | null {
+      if (
+        callee.computed ||
+        callee.property.type !== AST_NODE_TYPES.Identifier
+      ) {
+        return null;
+      }
+
+      return callee.property.name;
+    }
+
+    return {
+      ImportDeclaration(node) {
+        const source = node.source.value;
+
+        if (!bcryptModules.has(source)) {
+          return;
+        }
+
+        for (const spec of node.specifiers) {
+          if (
+            spec.type === AST_NODE_TYPES.ImportDefaultSpecifier ||
+            spec.type === AST_NODE_TYPES.ImportNamespaceSpecifier
+          ) {
+            tracker.bindings.set(spec.local.name, source);
+          } else if (spec.type === AST_NODE_TYPES.ImportSpecifier) {
+            // `import { hash } from "bcrypt"` — local name resolves directly.
+            tracker.bindings.set(spec.local.name, source);
+          }
+        }
+      },
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Member style: `bcrypt.hash(...)`, `bcrypt.hashSync(...)`.
+        if (callee.type === AST_NODE_TYPES.MemberExpression) {
+          const root = getRootIdentifier(callee);
+
+          if (root === null) {
+            return;
+          }
+
+          const moduleName = tracker.bindings.get(root.name);
+
+          if (moduleName === undefined) {
+            return;
+          }
+
+          const method = getMemberMethodName(callee);
+
+          if (method !== "hash" && method !== "hashSync") {
+            return;
+          }
+
+          checkRoundsArg(node, moduleName, method);
+
+          return;
+        }
+
+        // Direct call style: `import { hash } from "bcrypt"; hash(plain, 8);`
+        if (callee.type === AST_NODE_TYPES.Identifier) {
+          const moduleName = tracker.bindings.get(callee.name);
+
+          if (moduleName === undefined) {
+            return;
+          }
+
+          if (callee.name !== "hash" && callee.name !== "hashSync") {
+            return;
+          }
+
+          checkRoundsArg(node, moduleName, callee.name);
+        }
+      },
+    };
+
+    function checkRoundsArg(
+      node: TSESTree.CallExpression,
+      moduleName: string,
+      method: string
+    ): void {
+      const arg = node.arguments[1];
+
+      if (arg === undefined) {
+        return;
+      }
+
+      // Identifier or any non-literal: assumed env-driven, accepted.
+      if (arg.type !== AST_NODE_TYPES.Literal) {
+        return;
+      }
+
+      if (typeof arg.value !== "number") {
+        return;
+      }
+
+      if (arg.value >= minRounds) {
+        return;
+      }
+
+      context.report({
+        node: arg,
+        messageId: "roundsTooLow",
+        data: {
+          module: moduleName,
+          method,
+          found: String(arg.value),
+          min: String(minRounds),
+        },
+      });
+    }
+  },
+});

package/src/rule-packs/jwt-cookies/utils.ts

@@ -0,0 +1,188 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+
+const PATTERN_TYPES = new Set<string>([
+  AST_NODE_TYPES.AssignmentPattern,
+  AST_NODE_TYPES.RestElement,
+  AST_NODE_TYPES.ArrayPattern,
+  AST_NODE_TYPES.ObjectPattern,
+  AST_NODE_TYPES.TSEmptyBodyFunctionExpression,
+]);
+
+function isExpression(node: TSESTree.Node): node is TSESTree.Expression {
+  return !PATTERN_TYPES.has(node.type);
+}
+
+export const DEFAULT_AUTH_COOKIE_NAMES: readonly string[] = [
+  "auth_token",
+  "session",
+  "sid",
+  "authToken",
+];
+
+export const DEFAULT_TRUSTED_CONFIG_NAMES: readonly string[] = [
+  "AUTH_COOKIE_CONFIG",
+];
+
+export const DEFAULT_SET_COOKIE_FUNCTIONS: readonly string[] = [
+  "setCookie",
+  "set",
+];
+
+export interface CookieSetCall {
+  /**
+   * Cookie name as a string. Empty string when the call form does not name
+   * a cookie (caller must decide whether to flag — usually no).
+   */
+  readonly cookieName: string;
+  /**
+   * The ObjectExpression carrying cookie options (httpOnly, secure, ...).
+   * `null` if the call form has no recognizable options object.
+   */
+  readonly optionsNode: TSESTree.ObjectExpression | null;
+}
+
+function getStringLiteral(node: TSESTree.Node | undefined): string | null {
+  if (node?.type === AST_NODE_TYPES.Literal && typeof node.value === "string") {
+    return node.value;
+  }
+
+  return null;
+}
+
+function getMemberPropertyName(node: TSESTree.MemberExpression): string | null {
+  if (!node.computed && node.property.type === AST_NODE_TYPES.Identifier) {
+    return node.property.name;
+  }
+
+  if (
+    node.computed &&
+    node.property.type === AST_NODE_TYPES.Literal &&
+    typeof node.property.value === "string"
+  ) {
+    return node.property.value;
+  }
+
+  return null;
+}
+
+/**
+ * Recognizes three call shapes:
+ *
+ *   1. `cookie.<name>.set({...})`        — Elysia / Hono style
+ *   2. `set("<name>", value, {...})`     — generic helper
+ *   3. `reply.setCookie("<name>", value, {...})`   — Fastify
+ *
+ * Returns null when the call doesn't match any known shape with an auth-named
+ * cookie.
+ */
+export function matchAuthCookieSet(
+  node: TSESTree.CallExpression,
+  authCookieNames: ReadonlySet<string>,
+  setCookieFunctions: ReadonlySet<string>
+): CookieSetCall | null {
+  const callee = node.callee;
+
+  // Form 1: `cookie.<name>.set({...})`
+  if (
+    callee.type === AST_NODE_TYPES.MemberExpression &&
+    !callee.computed &&
+    callee.property.type === AST_NODE_TYPES.Identifier &&
+    callee.property.name === "set" &&
+    callee.object.type === AST_NODE_TYPES.MemberExpression
+  ) {
+    const innerName = getMemberPropertyName(callee.object);
+
+    if (innerName !== null && authCookieNames.has(innerName)) {
+      const arg = node.arguments[0];
+      const optionsNode =
+        arg?.type === AST_NODE_TYPES.ObjectExpression ? arg : null;
+
+      return { cookieName: innerName, optionsNode };
+    }
+  }
+
+  // Forms 2 + 3: helper-style calls.
+  // Identifier callee: `set(...)`. MemberExpression callee: `reply.setCookie(...)`.
+  let calleeName: string | null = null;
+
+  if (callee.type === AST_NODE_TYPES.Identifier) {
+    calleeName = callee.name;
+  } else if (callee.type === AST_NODE_TYPES.MemberExpression) {
+    calleeName = getMemberPropertyName(callee);
+  }
+
+  if (calleeName === null || !setCookieFunctions.has(calleeName)) {
+    return null;
+  }
+
+  const cookieName = getStringLiteral(node.arguments[0]);
+
+  if (cookieName === null || !authCookieNames.has(cookieName)) {
+    return null;
+  }
+
+  // Options object is typically the last positional argument.
+  const last = node.arguments[node.arguments.length - 1];
+  const optionsNode =
+    last?.type === AST_NODE_TYPES.ObjectExpression ? last : null;
+
+  return { cookieName, optionsNode };
+}
+
+export interface PropertyValue {
+  readonly value: TSESTree.Expression | null;
+  readonly hasTrustedSpread: boolean;
+}
+
+/**
+ * Returns the value node for `key` in the options object, plus whether the
+ * options object spreads a trusted config identifier (which we treat as
+ * "everything is set correctly").
+ */
+export function lookupCookieOption(
+  options: TSESTree.ObjectExpression,
+  key: string,
+  trustedConfigNames: ReadonlySet<string>
+): PropertyValue {
+  let hasTrustedSpread = false;
+
+  for (const prop of options.properties) {
+    if (prop.type === AST_NODE_TYPES.SpreadElement) {
+      if (
+        prop.argument.type === AST_NODE_TYPES.Identifier &&
+        trustedConfigNames.has(prop.argument.name)
+      ) {
+        hasTrustedSpread = true;
+      }
+
+      continue;
+    }
+
+    if (prop.type !== AST_NODE_TYPES.Property || prop.computed) {
+      continue;
+    }
+
+    let propName: string | null = null;
+
+    if (prop.key.type === AST_NODE_TYPES.Identifier) {
+      propName = prop.key.name;
+    } else if (
+      prop.key.type === AST_NODE_TYPES.Literal &&
+      typeof prop.key.value === "string"
+    ) {
+      propName = prop.key.value;
+    }
+
+    if (propName === key) {
+      const value = prop.value;
+
+      if (!isExpression(value)) {
+        return { value: null, hasTrustedSpread };
+      }
+
+      return { value, hasTrustedSpread };
+    }
+  }
+
+  return { value: null, hasTrustedSpread };
+}

package/src/rule-packs/oauth-security/index.ts

@@ -0,0 +1,25 @@
+import type { TSESLint } from "@typescript-eslint/utils";
+
+import { pkceRequiredForOidcRule } from "./rules/pkce-required-for-oidc";
+import { stateMustBeRedisBackedRule } from "./rules/state-must-be-redis-backed";
+import { stateTtlBoundedRule } from "./rules/state-ttl-bounded";
+import type { IRulePack } from "../rule-packs.types";
+
+const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>> = {
+  "pkce-required-for-oidc": pkceRequiredForOidcRule,
+  "state-must-be-redis-backed": stateMustBeRedisBackedRule,
+  "state-ttl-bounded": stateTtlBoundedRule,
+};
+
+export const oauthSecurityPack: IRulePack = {
+  id: "oauth-security",
+  description: "OAuth and OpenID patterns and security considerations",
+  rules,
+  rulesConfig: {
+    "pkce-required-for-oidc": "error",
+    "state-must-be-redis-backed": "error",
+    "state-ttl-bounded": "error",
+  },
+};
+
+export default oauthSecurityPack;

package/src/rule-packs/oauth-security/rules/pkce-required-for-oidc.ts

@@ -0,0 +1,296 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import type { JSONSchema4 } from "@typescript-eslint/utils/json-schema";
+
+import { createRule } from "../../create-rule";
+import {
+  DEFAULT_OIDC_PROVIDERS,
+  DEFAULT_PROVIDERS_GLOB,
+  DEFAULT_VERIFIER_FN_NAMES,
+  matchesAnyGlobPattern,
+  toPosixRelative,
+} from "../utils";
+
+export const RULE_NAME = "pkce-required-for-oidc";
+
+export interface PkceRequiredForOidcOptions {
+  readonly providersGlob?: string;
+  readonly oidcProviders?: readonly string[];
+  readonly verifierFnNames?: readonly string[];
+}
+
+type RuleOptions = [PkceRequiredForOidcOptions];
+type MessageIds = "missingPkce";
+
+const optionSchema: JSONSchema4 = {
+  type: "object",
+  additionalProperties: false,
+  properties: {
+    providersGlob: { type: "string", minLength: 1 },
+    oidcProviders: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+    verifierFnNames: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+  },
+};
+
+const BUILD_FN_RE = /^(buildAuthorizationURL|getAuthorizationURL)$/;
+
+type FunctionLike =
+  | TSESTree.FunctionDeclaration
+  | TSESTree.FunctionExpression
+  | TSESTree.ArrowFunctionExpression;
+
+function getFunctionName(node: FunctionLike): string | null {
+  if (node.type === AST_NODE_TYPES.FunctionDeclaration && node.id !== null) {
+    return node.id.name;
+  }
+
+  const parent = node.parent;
+
+  if (parent === undefined) {
+    return null;
+  }
+
+  if (
+    parent.type === AST_NODE_TYPES.VariableDeclarator &&
+    parent.id.type === AST_NODE_TYPES.Identifier
+  ) {
+    return parent.id.name;
+  }
+
+  if (
+    parent.type === AST_NODE_TYPES.MethodDefinition &&
+    parent.key.type === AST_NODE_TYPES.Identifier
+  ) {
+    return parent.key.name;
+  }
+
+  if (
+    parent.type === AST_NODE_TYPES.Property &&
+    parent.key.type === AST_NODE_TYPES.Identifier
+  ) {
+    return parent.key.name;
+  }
+
+  return null;
+}
+
+export const pkceRequiredForOidcRule = createRule<RuleOptions, MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "OIDC providers must use PKCE: `buildAuthorizationURL` must call `generateCodeVerifier()` and pass it to `createAuthorizationURL`.",
+    },
+    schema: [optionSchema],
+    messages: {
+      missingPkce:
+        "{{providerClass}} is OIDC — pass a PKCE `codeVerifier` to `createAuthorizationURL(state, verifier, scopes)`.",
+    },
+  },
+  defaultOptions: [
+    {
+      providersGlob: DEFAULT_PROVIDERS_GLOB,
+      oidcProviders: [...DEFAULT_OIDC_PROVIDERS],
+      verifierFnNames: [...DEFAULT_VERIFIER_FN_NAMES],
+    },
+  ],
+  create(context, [options]) {
+    const providersGlob = options.providersGlob ?? DEFAULT_PROVIDERS_GLOB;
+    const oidcProviders = new Set(
+      options.oidcProviders ?? DEFAULT_OIDC_PROVIDERS
+    );
+    const verifierFnNames = new Set(
+      options.verifierFnNames ?? DEFAULT_VERIFIER_FN_NAMES
+    );
+
+    const relative = toPosixRelative(context.filename, context.cwd);
+
+    if (!matchesAnyGlobPattern(relative, [providersGlob])) {
+      return {};
+    }
+
+    let importedOidcProvider: string | null = null;
+    const verifierLocalNames = new Set<string>();
+
+    interface FrameInfo {
+      readonly node: FunctionLike;
+      readonly name: string;
+      verifierIdentifiers: Set<string>;
+      hasCreateAuthorizationCallWithVerifier: boolean;
+      hasCreateAuthorizationCall: boolean;
+    }
+
+    const stack: FrameInfo[] = [];
+
+    function visitFn(node: FunctionLike): void {
+      const name = getFunctionName(node);
+
+      if (name === null || !BUILD_FN_RE.test(name)) {
+        return;
+      }
+
+      stack.push({
+        node,
+        name,
+        verifierIdentifiers: new Set(),
+        hasCreateAuthorizationCallWithVerifier: false,
+        hasCreateAuthorizationCall: false,
+      });
+    }
+
+    function exitFn(node: FunctionLike): void {
+      const top = stack[stack.length - 1];
+
+      if (top?.node !== node) {
+        return;
+      }
+
+      stack.pop();
+
+      if (importedOidcProvider === null) {
+        return;
+      }
+
+      if (
+        top.hasCreateAuthorizationCall &&
+        !top.hasCreateAuthorizationCallWithVerifier
+      ) {
+        context.report({
+          node,
+          messageId: "missingPkce",
+          data: { providerClass: importedOidcProvider },
+        });
+      }
+    }
+
+    return {
+      ImportDeclaration(node) {
+        for (const spec of node.specifiers) {
+          if (spec.type !== AST_NODE_TYPES.ImportSpecifier) {
+            continue;
+          }
+
+          if (spec.imported.type !== AST_NODE_TYPES.Identifier) {
+            continue;
+          }
+
+          if (oidcProviders.has(spec.imported.name)) {
+            importedOidcProvider = spec.imported.name;
+          }
+
+          if (verifierFnNames.has(spec.imported.name)) {
+            verifierLocalNames.add(spec.local.name);
+          }
+        }
+      },
+
+      FunctionDeclaration: visitFn,
+      "FunctionDeclaration:exit": exitFn,
+      FunctionExpression: visitFn,
+      "FunctionExpression:exit": exitFn,
+      ArrowFunctionExpression: visitFn,
+      "ArrowFunctionExpression:exit": exitFn,
+
+      VariableDeclarator(node) {
+        if (stack.length === 0) {
+          return;
+        }
+
+        const top = stack[stack.length - 1];
+
+        if (top === undefined) {
+          return;
+        }
+
+        if (
+          node.id.type === AST_NODE_TYPES.Identifier &&
+          node.init !== null &&
+          node.init.type === AST_NODE_TYPES.AwaitExpression &&
+          node.init.argument.type === AST_NODE_TYPES.CallExpression
+        ) {
+          const callee = node.init.argument.callee;
+
+          if (
+            callee.type === AST_NODE_TYPES.Identifier &&
+            verifierLocalNames.has(callee.name)
+          ) {
+            top.verifierIdentifiers.add(node.id.name);
+          }
+        }
+
+        if (
+          node.id.type === AST_NODE_TYPES.Identifier &&
+          node.init !== null &&
+          node.init.type === AST_NODE_TYPES.CallExpression
+        ) {
+          const callee = node.init.callee;
+
+          if (
+            callee.type === AST_NODE_TYPES.Identifier &&
+            verifierLocalNames.has(callee.name)
+          ) {
+            top.verifierIdentifiers.add(node.id.name);
+          }
+        }
+      },
+
+      CallExpression(node) {
+        if (stack.length === 0) {
+          return;
+        }
+
+        const top = stack[stack.length - 1];
+
+        if (top === undefined) {
+          return;
+        }
+
+        const callee = node.callee;
+
+        if (
+          callee.type !== AST_NODE_TYPES.MemberExpression ||
+          callee.computed ||
+          callee.property.type !== AST_NODE_TYPES.Identifier ||
+          callee.property.name !== "createAuthorizationURL"
+        ) {
+          return;
+        }
+
+        top.hasCreateAuthorizationCall = true;
+
+        // Inspect args. In arctic OIDC providers the signature is:
+        //   createAuthorizationURL(state, codeVerifier, scopes)
+        // The non-OIDC version is:
+        //   createAuthorizationURL(state, scopes)
+        // Detect PKCE by: 2nd arg is a verifier identifier we've tracked,
+        // OR the call has 3 positional args (heuristic).
+        const second = node.arguments[1];
+
+        if (
+          second?.type === AST_NODE_TYPES.Identifier &&
+          (top.verifierIdentifiers.has(second.name) ||
+            verifierLocalNames.has(second.name))
+        ) {
+          top.hasCreateAuthorizationCallWithVerifier = true;
+
+          return;
+        }
+
+        if (node.arguments.length >= 3) {
+          // Conservative — assume the 3-arg form is the OIDC variant.
+          top.hasCreateAuthorizationCallWithVerifier = true;
+        }
+      },
+    };
+  },
+});