@alliance-droid/svelte-auth-core 1.0.0

package/src/csrf.test.ts

@@ -0,0 +1,226 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+	generateCsrfToken,
+	createCsrfToken,
+	validateCsrfToken,
+	revokeCsrfToken,
+	cleanupExpiredCsrfTokens,
+	getCsrfTokenStats,
+	csrfTokenStore
+} from './csrf';
+
+describe('CSRF Token Utilities', () => {
+	beforeEach(() => {
+		// Clear token store before each test
+		csrfTokenStore.tokens.clear();
+	});
+
+	describe('generateCsrfToken', () => {
+		it('should generate a random token', () => {
+			const token1 = generateCsrfToken();
+			const token2 = generateCsrfToken();
+
+			expect(token1).toBeTruthy();
+			expect(token2).toBeTruthy();
+			expect(token1).not.toBe(token2);
+		});
+
+		it('should generate tokens in base64url format', () => {
+			const token = generateCsrfToken();
+			// Base64url contains A-Z, a-z, 0-9, -, _
+			expect(token).toMatch(/^[A-Za-z0-9_-]+$/);
+		});
+
+		it('should generate tokens of consistent length', () => {
+			const tokens = Array.from({ length: 10 }, () => generateCsrfToken());
+			const lengths = tokens.map((t) => t.length);
+			const firstLength = lengths[0];
+
+			expect(lengths.every((l) => l === firstLength)).toBe(true);
+		});
+	});
+
+	describe('createCsrfToken', () => {
+		it('should create and store a token for a session', () => {
+			const sessionId = 'session-123';
+			const token = createCsrfToken(sessionId);
+
+			expect(token).toBeTruthy();
+			expect(csrfTokenStore.tokens.has(sessionId)).toBe(true);
+		});
+
+		it('should set expiry time correctly', () => {
+			const sessionId = 'session-456';
+			const beforeCreation = Date.now();
+			createCsrfToken(sessionId, 30); // 30 minutes
+			const afterCreation = Date.now();
+
+			const stored = csrfTokenStore.tokens.get(sessionId);
+			expect(stored).toBeTruthy();
+			expect(stored!.expiresAt).toBeGreaterThanOrEqual(beforeCreation + 30 * 60 * 1000);
+			expect(stored!.expiresAt).toBeLessThanOrEqual(afterCreation + 30 * 60 * 1000);
+		});
+
+		it('should use default expiry of 60 minutes', () => {
+			const sessionId = 'session-789';
+			const beforeCreation = Date.now();
+			const token = createCsrfToken(sessionId);
+			const afterCreation = Date.now();
+
+			const stored = csrfTokenStore.tokens.get(sessionId);
+			expect(stored!.expiresAt).toBeGreaterThanOrEqual(beforeCreation + 60 * 60 * 1000);
+			expect(stored!.expiresAt).toBeLessThanOrEqual(afterCreation + 60 * 60 * 1000);
+		});
+
+		it('should store creation timestamp', () => {
+			const sessionId = 'session-abc';
+			const beforeCreation = Date.now();
+			createCsrfToken(sessionId);
+			const afterCreation = Date.now();
+
+			const stored = csrfTokenStore.tokens.get(sessionId);
+			expect(stored!.createdAt).toBeGreaterThanOrEqual(beforeCreation);
+			expect(stored!.createdAt).toBeLessThanOrEqual(afterCreation);
+		});
+	});
+
+	describe('validateCsrfToken', () => {
+		it('should validate a correct token', () => {
+			const sessionId = 'session-valid';
+			const token = createCsrfToken(sessionId);
+
+			const isValid = validateCsrfToken(sessionId, token);
+			expect(isValid).toBe(true);
+		});
+
+		it('should reject an incorrect token', () => {
+			const sessionId = 'session-invalid';
+			createCsrfToken(sessionId);
+
+			const isValid = validateCsrfToken(sessionId, 'wrong-token');
+			expect(isValid).toBe(false);
+		});
+
+		it('should reject token for non-existent session', () => {
+			const isValid = validateCsrfToken('non-existent-session', 'some-token');
+			expect(isValid).toBe(false);
+		});
+
+		it('should reject expired tokens', async () => {
+			const sessionId = 'session-expired';
+			// Create token that expires in 1 millisecond
+			const token = createCsrfToken(sessionId, 0.00001);
+
+			// Wait a bit to ensure expiry
+			await new Promise((resolve) => setTimeout(resolve, 100));
+
+			const isValid = validateCsrfToken(sessionId, token);
+			expect(isValid).toBe(false);
+		});
+
+		it('should clean up expired token from store', async () => {
+			const sessionId = 'session-cleanup';
+			createCsrfToken(sessionId, 0.00001);
+
+			await new Promise((resolve) => setTimeout(resolve, 100));
+
+			validateCsrfToken(sessionId, generateCsrfToken());
+
+			// Token should be deleted from store
+			expect(csrfTokenStore.tokens.has(sessionId)).toBe(false);
+		});
+
+		it('should perform timing-safe comparison', () => {
+			const sessionId = 'session-timing';
+			const token = createCsrfToken(sessionId);
+
+			// Test with same length but different token
+			const invalidToken = token.split('').reverse().join('');
+			const isValid = validateCsrfToken(sessionId, invalidToken);
+
+			expect(isValid).toBe(false);
+		});
+
+		it('should reject tokens of different length', () => {
+			const sessionId = 'session-length';
+			createCsrfToken(sessionId);
+
+			const isValid = validateCsrfToken(sessionId, 'short');
+			expect(isValid).toBe(false);
+		});
+	});
+
+	describe('revokeCsrfToken', () => {
+		it('should remove token from store', () => {
+			const sessionId = 'session-revoke';
+			createCsrfToken(sessionId);
+
+			expect(csrfTokenStore.tokens.has(sessionId)).toBe(true);
+
+			revokeCsrfToken(sessionId);
+
+			expect(csrfTokenStore.tokens.has(sessionId)).toBe(false);
+		});
+
+		it('should handle revoking non-existent token gracefully', () => {
+			expect(() => revokeCsrfToken('non-existent')).not.toThrow();
+		});
+
+		it('should prevent validation after revocation', () => {
+			const sessionId = 'session-revoke-validate';
+			const token = createCsrfToken(sessionId);
+
+			revokeCsrfToken(sessionId);
+
+			const isValid = validateCsrfToken(sessionId, token);
+			expect(isValid).toBe(false);
+		});
+	});
+
+	describe('cleanupExpiredCsrfTokens', () => {
+		it('should remove expired tokens', async () => {
+			createCsrfToken('session-1', 0.00001);
+			createCsrfToken('session-2', 60); // Valid
+
+			await new Promise((resolve) => setTimeout(resolve, 100));
+
+			expect(csrfTokenStore.tokens.size).toBe(2);
+
+			cleanupExpiredCsrfTokens();
+
+			expect(csrfTokenStore.tokens.size).toBe(1);
+			expect(csrfTokenStore.tokens.has('session-2')).toBe(true);
+		});
+
+		it('should keep valid tokens', () => {
+			createCsrfToken('session-a', 60);
+			createCsrfToken('session-b', 60);
+			createCsrfToken('session-c', 60);
+
+			cleanupExpiredCsrfTokens();
+
+			expect(csrfTokenStore.tokens.size).toBe(3);
+		});
+
+		it('should handle empty token store', () => {
+			expect(() => cleanupExpiredCsrfTokens()).not.toThrow();
+			expect(csrfTokenStore.tokens.size).toBe(0);
+		});
+	});
+
+	describe('getCsrfTokenStats', () => {
+		it('should return token count', () => {
+			createCsrfToken('session-1');
+			createCsrfToken('session-2');
+			createCsrfToken('session-3');
+
+			const stats = getCsrfTokenStats();
+			expect(stats.tokenCount).toBe(3);
+		});
+
+		it('should return zero for empty store', () => {
+			const stats = getCsrfTokenStats();
+			expect(stats.tokenCount).toBe(0);
+		});
+	});
+});

package/src/csrf.ts

@@ -0,0 +1,126 @@
+import { randomBytes, timingSafeEqual } from 'crypto';
+
+/**
+ * CSRF Token storage interface
+ * Stores CSRF tokens associated with sessions
+ */
+export interface CsrfTokenStore {
+	tokens: Map<string, CsrfTokenData>;
+}
+
+/**
+ * CSRF Token data with expiry
+ */
+export interface CsrfTokenData {
+	token: string;
+	expiresAt: number;
+	createdAt: number;
+}
+
+/**
+ * In-memory CSRF token store
+ */
+export const csrfTokenStore: CsrfTokenStore = {
+	tokens: new Map()
+};
+
+/**
+ * Generate a cryptographically secure CSRF token
+ * @returns CSRF token (base64 encoded for safe transmission)
+ */
+export function generateCsrfToken(): string {
+	return randomBytes(32).toString('base64url');
+}
+
+/**
+ * Generate CSRF token for a session
+ * @param sessionId - Session ID to store the token under
+ * @param expiryMinutes - Token expiry time in minutes (default: 60)
+ * @returns CSRF token
+ */
+export function createCsrfToken(sessionId: string, expiryMinutes: number = 60): string {
+	const token = generateCsrfToken();
+	const expiresAt = Date.now() + expiryMinutes * 60 * 1000;
+
+	csrfTokenStore.tokens.set(sessionId, {
+		token,
+		expiresAt,
+		createdAt: Date.now()
+	});
+
+	return token;
+}
+
+/**
+ * Validate a CSRF token against stored token for session
+ * Uses timing-safe comparison to prevent timing attacks
+ * @param sessionId - Session ID
+ * @param providedToken - Token to validate (from form/header)
+ * @returns True if valid, false otherwise
+ */
+export function validateCsrfToken(sessionId: string, providedToken: string): boolean {
+	const stored = csrfTokenStore.tokens.get(sessionId);
+
+	if (!stored) {
+		return false;
+	}
+
+	// Check if token has expired
+	if (Date.now() > stored.expiresAt) {
+		csrfTokenStore.tokens.delete(sessionId);
+		return false;
+	}
+
+	try {
+		// Use timing-safe comparison to prevent timing attacks
+		const storedBuffer = Buffer.from(stored.token);
+		const providedBuffer = Buffer.from(providedToken);
+
+		// Check lengths match before comparison
+		if (storedBuffer.length !== providedBuffer.length) {
+			return false;
+		}
+
+		return timingSafeEqual(storedBuffer, providedBuffer);
+	} catch {
+		// If comparison fails, token is invalid
+		return false;
+	}
+}
+
+/**
+ * Revoke a CSRF token
+ * @param sessionId - Session ID
+ */
+export function revokeCsrfToken(sessionId: string): void {
+	csrfTokenStore.tokens.delete(sessionId);
+}
+
+/**
+ * Clean up expired CSRF tokens
+ * Should be run periodically
+ */
+export function cleanupExpiredCsrfTokens(): void {
+	const now = Date.now();
+	const expiredSessions: string[] = [];
+
+	csrfTokenStore.tokens.forEach((data, sessionId) => {
+		if (now > data.expiresAt) {
+			expiredSessions.push(sessionId);
+		}
+	});
+
+	expiredSessions.forEach((sessionId) => {
+		csrfTokenStore.tokens.delete(sessionId);
+	});
+}
+
+/**
+ * Get token statistics (for debugging/monitoring)
+ * @returns Number of stored tokens
+ */
+export function getCsrfTokenStats(): { tokenCount: number } {
+	return {
+		tokenCount: csrfTokenStore.tokens.size
+	};
+}

package/src/db.ts

@@ -0,0 +1,57 @@
+import fs from 'fs';
+import path from 'path';
+import type { User } from './types';
+import type { OAuthUser, OAuthSession } from './oauth-types';
+
+interface DatabaseStore {
+	users: Record<string, User>;
+	sessions: Record<string, any>;
+	oauthUsers?: Record<string, OAuthUser>;
+	oauthSessions?: Record<string, OAuthSession>;
+}
+
+let dbPath: string = '';
+let store: DatabaseStore | null = null;
+
+/**
+ * Get or initialize the database
+ */
+export function getDatabase(customDbPath?: string): DatabaseStore {
+	if (store) {
+		return store;
+	}
+
+	dbPath = customDbPath || path.join(process.cwd(), 'auth.json');
+
+	if (fs.existsSync(dbPath)) {
+		const data = fs.readFileSync(dbPath, 'utf-8');
+		store = JSON.parse(data) as DatabaseStore;
+	} else {
+		store = {
+			users: {},
+			sessions: {}
+		};
+		saveDatabase();
+	}
+
+	return store as DatabaseStore;
+}
+
+/**
+ * Save database to disk
+ */
+export function saveDatabase(): void {
+	if (store && dbPath) {
+		fs.writeFileSync(dbPath, JSON.stringify(store, null, 2), 'utf-8');
+	}
+}
+
+/**
+ * Close database connection
+ */
+export function closeDatabase(): void {
+	if (store) {
+		saveDatabase();
+		store = null;
+	}
+}

package/src/index.ts

@@ -0,0 +1,143 @@
+// Types
+export type { User, RegisterInput, LoginInput, Session, AuthResponse, PasswordResetRequest, PasswordReset } from './types';
+
+// Database adapters
+export type { DatabaseAdapter } from './adapters/adapter';
+export { FileSystemAdapter, PostgresAdapter, MongoDBAdapter, SqliteAdapter } from './adapters';
+export { initializeAdapter, initializeDefaultAdapter, getAdapter, closeAdapter } from './adapter-context';
+
+// Legacy database (kept for backward compatibility)
+export { getDatabase, closeDatabase } from './db';
+
+// Password utilities
+export { hashPassword, verifyPassword, validatePasswordStrength, isValidEmail } from './password';
+
+// Token utilities
+export { generateToken, generateId, getTokenExpiry, isTokenExpired } from './token';
+
+// CSRF protection
+export {
+	generateCsrfToken,
+	createCsrfToken,
+	validateCsrfToken,
+	revokeCsrfToken,
+	cleanupExpiredCsrfTokens,
+	getCsrfTokenStats
+} from './csrf';
+export type { CsrfTokenStore, CsrfTokenData } from './csrf';
+
+// CORS configuration
+export {
+	isOriginAllowed,
+	generateCorsHeaders,
+	isPreflightRequest,
+	validateCorsRequest,
+	defaultCorsConfig
+} from './cors';
+export type { CorsConfig } from './cors';
+
+// Security headers
+export {
+	generateSecurityHeaders,
+	validateCSP,
+	getDevelopmentCSP,
+	getProductionCSP,
+	defaultSecurityHeadersConfig,
+	securityLevels
+} from './security-headers';
+export type { SecurityHeadersConfig } from './security-headers';
+
+// Input validation and sanitization
+export {
+	sanitizeString,
+	validateEmail,
+	validatePassword,
+	validateUsername,
+	validateUrl,
+	validateNumber,
+	validateUuid,
+	escapeHtml,
+	validateObject
+} from './input-validation';
+export type { ValidationResult } from './input-validation';
+
+// SQL injection prevention
+export {
+	isSafePropertyName,
+	getSafeProperty,
+	safeFilter,
+	safeSearch,
+	sanitizeForLikeQuery,
+	prepareDatabaseValue,
+	validateDatabaseQuery,
+	databaseSecurityGuides,
+	getParameterizedQueryExample
+} from './sql-injection-prevention';
+export type { SafeQueryParams } from './sql-injection-prevention';
+
+// Rate limiting
+export {
+	RateLimiter,
+	rateLimitPresets,
+	getClientIdentifier,
+	getRateLimitHeaders
+} from './rate-limiting';
+export type { RateLimitConfig, RateLimitAttempt } from './rate-limiting';
+
+// User operations
+export { registerUser, getUserById, getUserByEmail, verifyUserEmail, setPasswordResetToken, updateUserPassword } from './user';
+
+// Authentication
+export {
+	loginUser,
+	createSession,
+	getSession,
+	destroySession,
+	requestPasswordReset,
+	verifyPasswordResetToken,
+	resetPassword,
+	verifyEmailToken,
+	completeEmailVerification,
+	cleanupExpiredSessions
+} from './auth';
+
+// Client-side stores and utilities (Svelte)
+export { auth, user, isAuthenticated, isLoading, authError, accessToken } from './client-store';
+export type { User as ClientUser, AuthState } from './client-store';
+export { decodeToken, isTokenExpired as isTokenExpiredClient, getTokenTimeRemaining, createAuthHeader, extractToken } from './client-jwt';
+export type { TokenPayload } from './client-jwt';
+
+// OAuth/OIDC Types
+export type {
+	OAuthProviderConfig,
+	OAuthUserProfile,
+	OAuthTokenResponse,
+	OAuthCodeResponse,
+	OAuthSession,
+	OAuthUser,
+	OAuthCallbackResponse
+} from './oauth-types';
+
+// OAuth Providers
+export { OAuthProviderFactory, OAuthProfileParser, OAuthTokenManager, OAuthConfigStore } from './oauth-providers';
+
+// OAuth Callbacks and Session Management
+export {
+	handleOAuthCallback,
+	getOAuthSession,
+	destroyOAuthSession,
+	refreshOAuthToken,
+	getOAuthUser,
+	updateOAuthUserProfile,
+	cleanupExpiredOAuthSessions
+} from './oauth-callback';
+
+// OAuth Specific Providers
+export { GoogleOAuthProvider } from './providers/google-oauth';
+export type { GoogleOAuthConfig } from './providers/google-oauth';
+
+export { GitHubOAuthProvider } from './providers/github-oauth';
+export type { GitHubOAuthConfig } from './providers/github-oauth';
+
+export { OIDCOAuthProvider } from './providers/oidc-oauth';
+export type { OIDCProviderConfig } from './providers/oidc-oauth';