@alliance-droid/svelte-auth-core 1.0.0

package/src/password.ts

@@ -0,0 +1,62 @@
+import * as bcrypt from 'bcryptjs';
+
+const BCRYPT_ROUNDS = 10;
+
+/**
+ * Hash a password using bcrypt
+ * @param password - Plain text password
+ * @returns Hashed password
+ */
+export async function hashPassword(password: string): Promise<string> {
+	return bcrypt.hash(password, BCRYPT_ROUNDS);
+}
+
+/**
+ * Verify a password against a hash
+ * @param password - Plain text password
+ * @param hash - Hashed password
+ * @returns True if password matches, false otherwise
+ */
+export async function verifyPassword(password: string, hash: string): Promise<boolean> {
+	return bcrypt.compare(password, hash);
+}
+
+/**
+ * Validate password strength
+ * Requirements:
+ * - At least 8 characters
+ * - At least one uppercase letter
+ * - At least one lowercase letter
+ * - At least one number
+ * @param password - Password to validate
+ * @returns Error message if invalid, undefined if valid
+ */
+export function validatePasswordStrength(password: string): string | undefined {
+	if (password.length < 8) {
+		return 'Password must be at least 8 characters long';
+	}
+
+	if (!/[A-Z]/.test(password)) {
+		return 'Password must contain at least one uppercase letter';
+	}
+
+	if (!/[a-z]/.test(password)) {
+		return 'Password must contain at least one lowercase letter';
+	}
+
+	if (!/[0-9]/.test(password)) {
+		return 'Password must contain at least one number';
+	}
+
+	return undefined;
+}
+
+/**
+ * Validate email format
+ * @param email - Email to validate
+ * @returns True if valid, false otherwise
+ */
+export function isValidEmail(email: string): boolean {
+	const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+	return emailRegex.test(email) && email.length <= 254;
+}

package/src/providers/github-oauth.test.ts

@@ -0,0 +1,290 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { GitHubOAuthProvider } from './github-oauth';
+
+describe('GitHubOAuthProvider', () => {
+	let provider: GitHubOAuthProvider;
+	const mockConfig = {
+		clientId: 'test-client-id',
+		clientSecret: 'test-client-secret',
+		redirectUri: 'http://localhost:3000/auth/github/callback'
+	};
+
+	beforeEach(() => {
+		provider = new GitHubOAuthProvider(mockConfig);
+	});
+
+	describe('constructor', () => {
+		it('should create provider with valid config', () => {
+			expect(provider).toBeDefined();
+		});
+
+		it('should set default scopes', () => {
+			const url = provider.generateAuthorizationUrl('state');
+			expect(url).toContain('scope=');
+		});
+
+		it('should support custom scopes', () => {
+			const customProvider = new GitHubOAuthProvider({
+				...mockConfig,
+				scope: ['read:user', 'user:email', 'repo']
+			});
+
+			const url = customProvider.generateAuthorizationUrl('state');
+			expect(url).toContain('read%3Auser');
+			expect(url).toContain('user%3Aemail');
+			expect(url).toContain('repo');
+		});
+
+		it('should throw error when clientId is missing', () => {
+			expect(() => {
+				new GitHubOAuthProvider({
+					clientId: '',
+					clientSecret: 'secret',
+					redirectUri: 'http://localhost:3000/callback'
+				});
+			}).toThrow('GitHub OAuth configuration is missing required fields');
+		});
+
+		it('should throw error when clientSecret is missing', () => {
+			expect(() => {
+				new GitHubOAuthProvider({
+					clientId: 'id',
+					clientSecret: '',
+					redirectUri: 'http://localhost:3000/callback'
+				});
+			}).toThrow('GitHub OAuth configuration is missing required fields');
+		});
+
+		it('should throw error when redirectUri is missing', () => {
+			expect(() => {
+				new GitHubOAuthProvider({
+					clientId: 'id',
+					clientSecret: 'secret',
+					redirectUri: ''
+				});
+			}).toThrow('GitHub OAuth configuration is missing required fields');
+		});
+	});
+
+	describe('generateAuthorizationUrl', () => {
+		it('should generate valid authorization URL', () => {
+			const state = 'test-state';
+			const url = provider.generateAuthorizationUrl(state);
+
+			expect(url).toContain('https://github.com/login/oauth/authorize');
+			expect(url).toContain('client_id=test-client-id');
+			expect(url).toContain('redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fgithub%2Fcallback');
+			expect(url).toContain('state=test-state');
+		});
+
+		it('should allow signup by default', () => {
+			const url = provider.generateAuthorizationUrl('state');
+			expect(url).toContain('allow_signup=true');
+		});
+
+		it('should disable signup when configured', () => {
+			const customProvider = new GitHubOAuthProvider({
+				...mockConfig,
+				allowSignup: false
+			});
+
+			const url = customProvider.generateAuthorizationUrl('state');
+			expect(url).toContain('allow_signup=false');
+		});
+	});
+
+	describe('validateAuthorizationCode', () => {
+		it('should validate valid authorization code', () => {
+			const code = 'valid-code-abc123';
+			expect(provider.validateAuthorizationCode(code)).toBe(true);
+		});
+
+		it('should reject empty code', () => {
+			expect(provider.validateAuthorizationCode('')).toBe(false);
+		});
+
+		it('should reject null/undefined code', () => {
+			expect(provider.validateAuthorizationCode(null as any)).toBe(false);
+			expect(provider.validateAuthorizationCode(undefined as any)).toBe(false);
+		});
+	});
+
+	describe('validateAccessToken', () => {
+		it('should validate valid access token', () => {
+			const token = 'ghu_valid-token-123';
+			expect(provider.validateAccessToken(token)).toBe(true);
+		});
+
+		it('should reject empty token', () => {
+			expect(provider.validateAccessToken('')).toBe(false);
+		});
+
+		it('should reject null/undefined token', () => {
+			expect(provider.validateAccessToken(null as any)).toBe(false);
+			expect(provider.validateAccessToken(undefined as any)).toBe(false);
+		});
+	});
+
+	describe('exchangeCode', () => {
+		it('should exchange code for access token', async () => {
+			const mockResponse = {
+				ok: true,
+				json: vi.fn().mockResolvedValue({
+					access_token: 'ghu_test-token-123',
+					token_type: 'bearer',
+					scope: 'read:user,user:email',
+					expires_in: 28800
+				})
+			};
+
+			global.fetch = vi.fn().mockResolvedValue(mockResponse);
+
+			const result = await provider.exchangeCode('test-code');
+
+			expect(result.accessToken).toBe('ghu_test-token-123');
+			expect(result.tokenType).toBe('bearer');
+			expect(result.expiresIn).toBe(28800);
+		});
+
+		it('should handle GitHub error response', async () => {
+			global.fetch = vi.fn().mockResolvedValue({
+				ok: true,
+				json: vi.fn().mockResolvedValue({
+					error: 'bad_verification_code',
+					error_description: 'The code passed is incorrect or expired.'
+				})
+			});
+
+			await expect(provider.exchangeCode('invalid-code')).rejects.toThrow('GitHub OAuth error');
+		});
+
+		it('should throw error on failed exchange', async () => {
+			global.fetch = vi.fn().mockResolvedValue({
+				ok: false,
+				statusText: 'Unauthorized'
+			});
+
+			await expect(provider.exchangeCode('test-code')).rejects.toThrow(
+				'GitHub token exchange failed'
+			);
+		});
+	});
+
+	describe('fetchUserProfile', () => {
+		it('should fetch user profile with public email', async () => {
+			global.fetch = vi.fn().mockResolvedValue({
+				ok: true,
+				json: vi.fn().mockResolvedValue({
+					id: 123456,
+					login: 'testuser',
+					email: 'user@example.com',
+					name: 'Test User',
+					avatar_url: 'https://avatars.githubusercontent.com/u/123456'
+				})
+			});
+
+			const result = await provider.fetchUserProfile('test-token');
+
+			expect(result.id).toBe('123456');
+			expect(result.email).toBe('user@example.com');
+			expect(result.name).toBe('Test User');
+			expect(result.avatar).toBe('https://avatars.githubusercontent.com/u/123456');
+			expect(result.provider).toBe('github');
+		});
+
+		it('should fetch email from emails endpoint when not in profile', async () => {
+			const fetchMock = vi.fn();
+			fetchMock.mockResolvedValueOnce({
+				ok: true,
+				json: vi.fn().mockResolvedValue({
+					id: 123456,
+					login: 'testuser',
+					email: null,
+					name: 'Test User',
+					avatar_url: 'https://avatars.githubusercontent.com/u/123456'
+				})
+			});
+
+			fetchMock.mockResolvedValueOnce({
+				ok: true,
+				json: vi.fn().mockResolvedValue([
+					{
+						email: 'primary@example.com',
+						primary: true,
+						verified: true,
+						visibility: 'public'
+					}
+				])
+			});
+
+			global.fetch = fetchMock;
+
+			const result = await provider.fetchUserProfile('test-token');
+
+			expect(result.email).toBe('primary@example.com');
+		});
+
+		it('should throw error when email cannot be retrieved', async () => {
+			global.fetch = vi.fn();
+
+			(global.fetch as any).mockResolvedValueOnce({
+				ok: true,
+				json: vi.fn().mockResolvedValue({
+					id: 123456,
+					login: 'testuser',
+					email: null,
+					name: 'Test User'
+				})
+			});
+
+			(global.fetch as any).mockResolvedValueOnce({
+				ok: false,
+				statusText: 'Unauthorized'
+			});
+
+			await expect(provider.fetchUserProfile('invalid-token')).rejects.toThrow(
+				'Could not retrieve email from GitHub'
+			);
+		});
+
+		it('should throw error on network failure', async () => {
+			global.fetch = vi.fn().mockRejectedValue(new Error('Network error'));
+
+			await expect(provider.fetchUserProfile('test-token')).rejects.toThrow(
+				'Failed to fetch GitHub user profile'
+			);
+		});
+	});
+
+	describe('refreshAccessToken', () => {
+		it('should return same token (GitHub tokens do not expire)', async () => {
+			const token = 'ghu_test-token-123';
+			const result = await provider.refreshAccessToken(token);
+
+			expect(result.accessToken).toBe(token);
+			expect(result.expiresIn).toBe(0); // GitHub tokens don't expire
+		});
+	});
+
+	describe('revokeAccessToken', () => {
+		it('should attempt to revoke token', async () => {
+			global.fetch = vi.fn().mockResolvedValue({
+				ok: true
+			});
+
+			const result = await provider.revokeAccessToken('test-token');
+
+			expect(result).toBe(true);
+		});
+
+		it('should return false on revocation failure', async () => {
+			global.fetch = vi.fn().mockResolvedValue({
+				ok: false
+			});
+
+			const result = await provider.revokeAccessToken('test-token');
+
+			expect(result).toBe(false);
+		});
+	});
+});

package/src/providers/github-oauth.ts

@@ -0,0 +1,226 @@
+import type { OAuthProviderConfig, OAuthUserProfile, OAuthTokenResponse } from '../oauth-types';
+
+/**
+ * GitHub OAuth Configuration
+ */
+export interface GitHubOAuthConfig extends OAuthProviderConfig {
+	scope?: string[];
+	allowSignup?: boolean;
+}
+
+/**
+ * GitHub OAuth Provider
+ * Handles GitHub OAuth 2.0 flow
+ */
+export class GitHubOAuthProvider {
+	private clientId: string;
+	private clientSecret: string;
+	private redirectUri: string;
+	private scope: string[];
+	private allowSignup: boolean;
+
+	private readonly authorizationEndpoint = 'https://github.com/login/oauth/authorize';
+	private readonly tokenEndpoint = 'https://github.com/login/oauth/access_token';
+	private readonly userinfoEndpoint = 'https://api.github.com/user';
+
+	constructor(config: GitHubOAuthConfig) {
+		if (!config.clientId || !config.clientSecret || !config.redirectUri) {
+			throw new Error('GitHub OAuth configuration is missing required fields');
+		}
+
+		this.clientId = config.clientId;
+		this.clientSecret = config.clientSecret;
+		this.redirectUri = config.redirectUri;
+		this.scope = config.scope || ['read:user', 'user:email'];
+		this.allowSignup = config.allowSignup !== false;
+	}
+
+	/**
+	 * Generate authorization URL
+	 */
+	generateAuthorizationUrl(state: string): string {
+		const params = new URLSearchParams({
+			client_id: this.clientId,
+			redirect_uri: this.redirectUri,
+			scope: this.scope.join(' '),
+			state,
+			allow_signup: this.allowSignup.toString()
+		});
+
+		return `${this.authorizationEndpoint}?${params.toString()}`;
+	}
+
+	/**
+	 * Exchange authorization code for tokens
+	 */
+	async exchangeCode(code: string): Promise<OAuthTokenResponse> {
+		try {
+			const response = await fetch(this.tokenEndpoint, {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/json',
+					Accept: 'application/json'
+				},
+				body: JSON.stringify({
+					code,
+					client_id: this.clientId,
+					client_secret: this.clientSecret,
+					redirect_uri: this.redirectUri
+				})
+			});
+
+			if (!response.ok) {
+				throw new Error(`GitHub token exchange failed: ${response.statusText}`);
+			}
+
+			const data = await response.json();
+
+			if (data.error) {
+				throw new Error(`GitHub OAuth error: ${data.error}`);
+			}
+
+			return {
+				accessToken: data.access_token,
+				expiresIn: data.expires_in || 28800, // 8 hours default
+				tokenType: data.token_type || 'Bearer'
+			};
+		} catch (error) {
+			throw new Error(`Failed to exchange GitHub authorization code: ${error}`);
+		}
+	}
+
+	/**
+	 * Fetch user profile from GitHub
+	 * Also fetches email if not in primary profile
+	 */
+	async fetchUserProfile(accessToken: string): Promise<OAuthUserProfile> {
+		try {
+			// Fetch user profile
+			const profileResponse = await fetch(this.userinfoEndpoint, {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					'User-Agent': 'svelte-auth-system'
+				}
+			});
+
+			if (!profileResponse.ok) {
+				throw new Error(`Failed to fetch GitHub user info: ${profileResponse.statusText}`);
+			}
+
+			const profileData = await profileResponse.json();
+
+			// If email is not public, fetch from emails endpoint
+			let email = profileData.email;
+			if (!email) {
+				email = await this.fetchUserEmail(accessToken);
+			}
+
+			if (!email) {
+				throw new Error('Could not retrieve email from GitHub');
+			}
+
+			return {
+				id: profileData.id.toString(),
+				email,
+				name: profileData.name,
+				avatar: profileData.avatar_url,
+				provider: 'github'
+			};
+		} catch (error) {
+			throw new Error(`Failed to fetch GitHub user profile: ${error}`);
+		}
+	}
+
+	/**
+	 * Fetch user email from GitHub emails endpoint
+	 */
+	private async fetchUserEmail(accessToken: string): Promise<string | null> {
+		try {
+			const response = await fetch('https://api.github.com/user/emails', {
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					'User-Agent': 'svelte-auth-system'
+				}
+			});
+
+			if (!response.ok) {
+				return null;
+			}
+
+			const emails = await response.json();
+
+			// Find primary email
+			const primaryEmail = emails.find((e: any) => e.primary);
+			if (primaryEmail) {
+				return primaryEmail.email;
+			}
+
+			// Find verified email
+			const verifiedEmail = emails.find((e: any) => e.verified);
+			if (verifiedEmail) {
+				return verifiedEmail.email;
+			}
+
+			// Return first email if available
+			return emails[0]?.email || null;
+		} catch (error) {
+			console.error('Failed to fetch GitHub user email:', error);
+			return null;
+		}
+	}
+
+	/**
+	 * GitHub does not support refresh tokens (token doesn't expire)
+	 * This method is a no-op but included for API consistency
+	 */
+	async refreshAccessToken(accessToken: string): Promise<OAuthTokenResponse> {
+		// GitHub tokens don't expire, so we just return the same token
+		return {
+			accessToken,
+			expiresIn: 0,
+			tokenType: 'Bearer'
+		};
+	}
+
+	/**
+	 * Validate authorization code format
+	 */
+	validateAuthorizationCode(code: string): boolean {
+		return !!(code && typeof code === 'string' && code.length > 0);
+	}
+
+	/**
+	 * Validate access token format
+	 */
+	validateAccessToken(token: string): boolean {
+		return !!(token && typeof token === 'string' && token.length > 0);
+	}
+
+	/**
+	 * Revoke access token
+	 */
+	async revokeAccessToken(accessToken: string): Promise<boolean> {
+		try {
+			// GitHub requires basic auth with clientId:clientSecret
+			const auth = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
+			
+			const response = await fetch(
+				`https://api.github.com/applications/${this.clientId}/token`,
+				{
+					method: 'DELETE',
+					headers: {
+						Authorization: `Basic ${auth}`,
+						'User-Agent': 'svelte-auth-system',
+						'Content-Type': 'application/json'
+					},
+					body: JSON.stringify({ access_token: accessToken })
+				}
+			);
+
+			return response.ok;
+		} catch (error) {
+			console.error('Failed to revoke GitHub access token:', error);
+			return false;
+		}
+	}
+}