@alliance-droid/svelte-auth-core 1.0.0

package/src/session.ts

@@ -0,0 +1,42 @@
+/**
+ * Session management utilities
+ */
+
+export interface SessionConfig {
+  maxAge: number; // in seconds
+  secure: boolean;
+  httpOnly: boolean;
+  sameSite: 'strict' | 'lax' | 'none';
+}
+
+export const defaultSessionConfig: SessionConfig = {
+  maxAge: 30 * 24 * 60 * 60, // 30 days
+  secure: true,
+  httpOnly: true,
+  sameSite: 'lax'
+};
+
+export function createSessionCookie(sessionId: string, config: SessionConfig = defaultSessionConfig): string {
+  const flags: string[] = [];
+  flags.push(`Max-Age=${config.maxAge}`);
+  flags.push(`SameSite=${config.sameSite}`);
+  if (config.secure) flags.push('Secure');
+  if (config.httpOnly) flags.push('HttpOnly');
+  flags.push('Path=/');
+
+  return `session=${sessionId}; ${flags.join('; ')}`;
+}
+
+export function parseSessionId(cookieHeader: string | null): string | null {
+  if (!cookieHeader) return null;
+
+  const cookies = cookieHeader.split(';');
+  for (const cookie of cookies) {
+    const [name, value] = cookie.trim().split('=');
+    if (name === 'session') {
+      return decodeURIComponent(value);
+    }
+  }
+
+  return null;
+}

package/src/sql-injection-prevention.test.ts

@@ -0,0 +1,337 @@
+import { describe, it, expect } from 'vitest';
+import {
+	isSafePropertyName,
+	getSafeProperty,
+	safeFilter,
+	safeSearch,
+	sanitizeForLikeQuery,
+	prepareDatabaseValue,
+	validateDatabaseQuery,
+	databaseSecurityGuides,
+	getParameterizedQueryExample
+} from './sql-injection-prevention';
+
+describe('SQL Injection Prevention', () => {
+	describe('isSafePropertyName', () => {
+		it('should allow alphanumeric names', () => {
+			expect(isSafePropertyName('name')).toBe(true);
+			expect(isSafePropertyName('Name123')).toBe(true);
+		});
+
+		it('should allow underscores and hyphens', () => {
+			expect(isSafePropertyName('user_name')).toBe(true);
+			expect(isSafePropertyName('user-name')).toBe(true);
+		});
+
+		it('should reject special characters', () => {
+			expect(isSafePropertyName('user@name')).toBe(false);
+			expect(isSafePropertyName('user.name')).toBe(false);
+			expect(isSafePropertyName('user$name')).toBe(false);
+		});
+
+		it('should reject SQL injection patterns', () => {
+			expect(isSafePropertyName("name'; DROP TABLE users--")).toBe(false);
+			expect(isSafePropertyName('name" OR "1"="1')).toBe(false);
+		});
+
+		it('should reject empty string', () => {
+			expect(isSafePropertyName('')).toBe(false);
+		});
+	});
+
+	describe('getSafeProperty', () => {
+		const obj = {
+			user: {
+				email: 'test@example.com',
+				profile: {
+					name: 'John Doe'
+				}
+			},
+			age: 25
+		};
+
+		it('should get top-level property', () => {
+			expect(getSafeProperty(obj, 'age')).toBe(25);
+		});
+
+		it('should get nested property with dot notation', () => {
+			expect(getSafeProperty(obj, 'user.email')).toBe('test@example.com');
+			expect(getSafeProperty(obj, 'user.profile.name')).toBe('John Doe');
+		});
+
+		it('should return default for missing property', () => {
+			expect(getSafeProperty(obj, 'missing')).toBeUndefined();
+			expect(getSafeProperty(obj, 'missing', 'default')).toBe('default');
+		});
+
+		it('should return default for unsafe property name', () => {
+			expect(getSafeProperty(obj, "'; DROP TABLE--")).toBeUndefined();
+		});
+
+		it('should handle non-object input', () => {
+			expect(getSafeProperty(null, 'prop')).toBeUndefined();
+			expect(getSafeProperty('string', 'prop')).toBeUndefined();
+		});
+
+		it('should handle empty path', () => {
+			expect(getSafeProperty(obj, '')).toBeUndefined();
+		});
+	});
+
+	describe('safeFilter', () => {
+		const users = [
+			{ id: 1, name: 'Alice', email: 'alice@example.com' },
+			{ id: 2, name: 'Bob', email: 'bob@example.com' },
+			{ id: 3, name: 'Charlie', email: 'charlie@example.com' }
+		];
+
+		it('should filter by exact match', () => {
+			const result = safeFilter(users, 'name', 'Alice', true);
+			expect(result).toHaveLength(1);
+			expect(result[0].name).toBe('Alice');
+		});
+
+		it('should filter by number property', () => {
+			const result = safeFilter(users, 'id', 2, true);
+			expect(result).toHaveLength(1);
+			expect(result[0].id).toBe(2);
+		});
+
+		it('should filter by substring match', () => {
+			const result = safeFilter(users, 'email', 'example', false);
+			expect(result).toHaveLength(3);
+		});
+
+		it('should return empty array for unsafe property', () => {
+			const result = safeFilter(users, "'; DROP TABLE--", 'value', true);
+			expect(result).toHaveLength(0);
+		});
+
+		it('should handle non-array input', () => {
+			const result = safeFilter('not an array' as any, 'prop', 'value', true);
+			expect(result).toHaveLength(0);
+		});
+
+		it('should return empty array if no matches', () => {
+			const result = safeFilter(users, 'name', 'NonExistent', true);
+			expect(result).toHaveLength(0);
+		});
+	});
+
+	describe('safeSearch', () => {
+		const users = [
+			{ id: 1, name: 'Alice', status: 'active' },
+			{ id: 2, name: 'Bob', status: 'inactive' },
+			{ id: 3, name: 'Charlie', status: 'active' }
+		];
+
+		it('should search with single condition', () => {
+			const result = safeSearch(users, { name: 'Alice' });
+			expect(result).toHaveLength(1);
+		});
+
+		it('should search with multiple conditions (AND logic)', () => {
+			const result = safeSearch(users, { status: 'active', name: 'Alice' });
+			expect(result).toHaveLength(1);
+			expect(result[0].id).toBe(1);
+		});
+
+		it('should return empty if any condition fails', () => {
+			const result = safeSearch(users, { status: 'active', name: 'Bob' });
+			expect(result).toHaveLength(0);
+		});
+
+		it('should reject unsafe property names', () => {
+			const result = safeSearch(users, { "'; DROP TABLE--": 'value' });
+			expect(result).toHaveLength(0);
+		});
+
+		it('should handle non-array input', () => {
+			const result = safeSearch('not an array' as any, { name: 'Alice' });
+			expect(result).toHaveLength(0);
+		});
+	});
+
+	describe('sanitizeForLikeQuery', () => {
+		it('should escape percent wildcard', () => {
+			expect(sanitizeForLikeQuery('50%')).toBe('50\\%');
+		});
+
+		it('should escape underscore wildcard', () => {
+			expect(sanitizeForLikeQuery('test_value')).toBe('test\\_value');
+		});
+
+		it('should escape backslash', () => {
+			expect(sanitizeForLikeQuery('path\\to\\file')).toBe('path\\\\to\\\\file');
+		});
+
+		it('should escape multiple special characters', () => {
+			expect(sanitizeForLikeQuery('50%_\\value')).toBe('50\\%\\_\\\\value');
+		});
+
+		it('should handle non-string input', () => {
+			expect(sanitizeForLikeQuery(123 as any)).toBe('');
+		});
+
+		it('should preserve normal characters', () => {
+			expect(sanitizeForLikeQuery('normal text')).toBe('normal text');
+		});
+	});
+
+	describe('prepareDatabaseValue', () => {
+		it('should return null for null/undefined', () => {
+			expect(prepareDatabaseValue(null)).toBeNull();
+			expect(prepareDatabaseValue(undefined)).toBeNull();
+		});
+
+		it('should return strings as-is', () => {
+			expect(prepareDatabaseValue('test')).toBe('test');
+		});
+
+		it('should return numbers as-is', () => {
+			expect(prepareDatabaseValue(42)).toBe(42);
+		});
+
+		it('should return booleans as-is', () => {
+			expect(prepareDatabaseValue(true)).toBe(true);
+		});
+
+		it('should return objects as-is', () => {
+			const obj = { key: 'value' };
+			expect(prepareDatabaseValue(obj)).toBe(obj);
+		});
+
+		it('should return arrays as-is', () => {
+			const arr = [1, 2, 3];
+			expect(prepareDatabaseValue(arr)).toBe(arr);
+		});
+
+		it('should convert other types to null', () => {
+			expect(prepareDatabaseValue(Symbol('test'))).toBeNull();
+		});
+	});
+
+	describe('validateDatabaseQuery', () => {
+		it('should validate safe query', () => {
+			const result = validateDatabaseQuery({
+				email: 'test@example.com',
+				name: 'John'
+			});
+			expect(result.valid).toBe(true);
+		});
+
+		it('should reject non-object input', () => {
+			const result = validateDatabaseQuery('not an object');
+			expect(result.valid).toBe(false);
+		});
+
+		it('should reject null input', () => {
+			const result = validateDatabaseQuery(null);
+			expect(result.valid).toBe(false);
+		});
+
+		it('should detect unsafe property names', () => {
+			const result = validateDatabaseQuery({
+				"'; DROP TABLE users--": 'value'
+			});
+			expect(result.valid).toBe(false);
+			expect(result.errors.length).toBeGreaterThan(0);
+		});
+
+		it('should detect SQL injection patterns in values', () => {
+			const result = validateDatabaseQuery({
+				name: "'; DROP TABLE users--"
+			});
+			expect(result.valid).toBe(false);
+		});
+
+		it('should report multiple errors', () => {
+			const result = validateDatabaseQuery({
+				"bad-prop'; DROP": 'test',
+				comment: '-- injection'
+			});
+			expect(result.errors.length).toBeGreaterThanOrEqual(1);
+		});
+	});
+
+	describe('databaseSecurityGuides', () => {
+		it('should provide JSON guide', () => {
+			expect(databaseSecurityGuides.json.name).toBe('JSON File Storage');
+			expect(databaseSecurityGuides.json.practices).toBeInstanceOf(Array);
+			expect(databaseSecurityGuides.json.practices.length).toBeGreaterThan(0);
+		});
+
+		it('should provide SQL guide', () => {
+			expect(databaseSecurityGuides.sql.name).toBe('SQL Databases (PostgreSQL, MySQL, etc.)');
+			expect(databaseSecurityGuides.sql.practices).toBeInstanceOf(Array);
+			expect(databaseSecurityGuides.sql.practices.length).toBeGreaterThan(0);
+		});
+
+		it('SQL guide should mention parameterized queries', () => {
+			const sqlPractices = databaseSecurityGuides.sql.practices.join(' ');
+			expect(sqlPractices.toLowerCase()).toContain('parameterized');
+		});
+	});
+
+	describe('getParameterizedQueryExample', () => {
+		it('should return example code', () => {
+			const example = getParameterizedQueryExample();
+			expect(example).toBeTruthy();
+			expect(typeof example).toBe('string');
+		});
+
+		it('should show safe example', () => {
+			const example = getParameterizedQueryExample();
+			expect(example).toContain('$1');
+		});
+
+		it('should show unsafe example', () => {
+			const example = getParameterizedQueryExample();
+			expect(example).toContain('VULNERABLE');
+		});
+	});
+
+	describe('Integration scenarios', () => {
+		it('should prevent property injection in search', () => {
+			const users = [{ id: 1, name: 'Alice' }];
+			const injectionAttempt = { "'; DROP": 'value' };
+
+			const result = safeSearch(users, injectionAttempt);
+			expect(result).toHaveLength(0);
+		});
+
+		it('should safely filter with user input', () => {
+			const items = [
+				{ id: 1, description: 'Test Item 50% off' },
+				{ id: 2, description: 'Regular Item' }
+			];
+
+			const userSearch = '50%';
+			const sanitized = sanitizeForLikeQuery(userSearch);
+			expect(sanitized).toBe('50\\%');
+
+			// Filter would use the sanitized value safely
+			const results = safeFilter(items, 'description', 'Test Item 50% off', true);
+			expect(results).toHaveLength(1);
+		});
+
+		it('should validate complete query flow', () => {
+			const userInput = {
+				email: 'test@example.com',
+				status: 'active'
+			};
+
+			const validation = validateDatabaseQuery(userInput);
+			expect(validation.valid).toBe(true);
+
+			// Proceed with query
+			const mockUsers = [
+				{ email: 'test@example.com', status: 'active' },
+				{ email: 'other@example.com', status: 'inactive' }
+			];
+
+			const results = safeSearch(mockUsers, userInput);
+			expect(results).toHaveLength(1);
+		});
+	});
+});

package/src/sql-injection-prevention.ts

@@ -0,0 +1,272 @@
+/**
+ * SQL Injection Prevention
+ * Provides utilities for preventing SQL injection attacks
+ * 
+ * NOTE: This project uses JSON file storage, not SQL. These utilities
+ * provide guidance and helpers for:
+ * 1. Parameterized query patterns for JSON operations
+ * 2. Input sanitization for search/filter operations
+ * 3. Safe object property access patterns
+ */
+
+/**
+ * Safe query builder for JSON operations
+ * Prevents injection by using parameterized patterns
+ */
+export interface SafeQueryParams {
+	[key: string]: unknown;
+}
+
+/**
+ * Validate that a property name is safe to access
+ * Only allows alphanumeric, underscore, and hyphen characters
+ * @param property - Property name to validate
+ * @returns True if property name is safe
+ */
+export function isSafePropertyName(property: string): boolean {
+	// Only allow alphanumeric, underscore, and hyphen
+	return /^[a-zA-Z0-9_-]+$/.test(property);
+}
+
+/**
+ * Get object property safely without injection risk
+ * @param obj - Object to query
+ * @param property - Property path (supports dot notation like 'user.email')
+ * @param defaultValue - Default value if property not found
+ * @returns Property value or default
+ */
+export function getSafeProperty(
+	obj: unknown,
+	property: string,
+	defaultValue: unknown = undefined
+): unknown {
+	if (typeof obj !== 'object' || obj === null) {
+		return defaultValue;
+	}
+
+	// Split property path by dots
+	const parts = property.split('.');
+
+	// Validate all parts are safe property names
+	if (!parts.every(isSafePropertyName)) {
+		return defaultValue;
+	}
+
+	// Navigate safely through the object
+	let current: unknown = obj;
+	for (const part of parts) {
+		if (typeof current !== 'object' || current === null) {
+			return defaultValue;
+		}
+
+		const next = (current as Record<string, unknown>)[part];
+		if (next === undefined) {
+			return defaultValue;
+		}
+
+		current = next;
+	}
+
+	return current;
+}
+
+/**
+ * Safe filter operation on array of objects
+ * Prevents injection by validating property names
+ * @param items - Array to filter
+ * @param property - Property to filter by (no dot notation)
+ * @param value - Value to match
+ * @param exact - If true, use exact match; if false, substring match
+ * @returns Filtered array
+ */
+export function safeFilter<T extends Record<string, unknown>>(
+	items: T[],
+	property: string,
+	value: unknown,
+	exact: boolean = true
+): T[] {
+	// Validate property name
+	if (!isSafePropertyName(property)) {
+		return [];
+	}
+
+	if (!Array.isArray(items)) {
+		return [];
+	}
+
+	return items.filter((item) => {
+		const itemValue = item[property];
+
+		if (exact) {
+			// Exact match
+			return itemValue === value;
+		} else {
+			// Substring match (only for strings)
+			if (typeof itemValue === 'string' && typeof value === 'string') {
+				return itemValue.includes(value);
+			}
+			return itemValue === value;
+		}
+	});
+}
+
+/**
+ * Safe search operation with multiple conditions
+ * Uses AND logic for multiple conditions
+ * @param items - Array to search
+ * @param conditions - Object with property-value pairs to match
+ * @returns Filtered array
+ */
+export function safeSearch<T extends Record<string, unknown>>(
+	items: T[],
+	conditions: SafeQueryParams
+): T[] {
+	if (!Array.isArray(items)) {
+		return [];
+	}
+
+	return items.filter((item) => {
+		// All conditions must match (AND logic)
+		return Object.entries(conditions).every(([property, value]) => {
+			// Validate property name
+			if (!isSafePropertyName(property)) {
+				return false;
+			}
+
+			return item[property] === value;
+		});
+	});
+}
+
+/**
+ * Sanitize string for use in LIKE queries (if migrating to SQL)
+ * Escapes SQL wildcards and special characters
+ * @param str - String to sanitize
+ * @returns Sanitized string
+ */
+export function sanitizeForLikeQuery(str: string): string {
+	if (typeof str !== 'string') {
+		return '';
+	}
+
+	// Escape SQL wildcard characters: %, _
+	// Also escape backslash if used as escape character
+	return str
+		.replace(/\\/g, '\\\\') // Backslash first
+		.replace(/%/g, '\\%')
+		.replace(/_/g, '\\_');
+}
+
+/**
+ * Prepare a value for safe database insertion
+ * Handles type coercion and sanitization
+ * @param value - Value to prepare
+ * @returns Prepared value
+ */
+export function prepareDatabaseValue(value: unknown): unknown {
+	if (value === null || value === undefined) {
+		return null;
+	}
+
+	if (typeof value === 'string') {
+		// For JSON storage, strings are safe as-is
+		// If migrating to SQL, use parameterized queries
+		return value;
+	}
+
+	if (typeof value === 'number' || typeof value === 'boolean') {
+		return value;
+	}
+
+	if (typeof value === 'object') {
+		// For arrays and objects, store as-is (JSON handles serialization)
+		return value;
+	}
+
+	// For other types, convert to null
+	return null;
+}
+
+/**
+ * Validate a database query object for safe execution
+ * Checks for suspicious patterns that might indicate injection
+ * @param query - Query object to validate
+ * @returns { valid: boolean; errors: string[] }
+ */
+export function validateDatabaseQuery(
+	query: unknown
+): { valid: boolean; errors: string[] } {
+	const errors: string[] = [];
+
+	if (typeof query !== 'object' || query === null) {
+		errors.push('Query must be an object');
+		return { valid: false, errors };
+	}
+
+	const queryObj = query as Record<string, unknown>;
+
+	// Check for suspicious property names
+	for (const property of Object.keys(queryObj)) {
+		if (!isSafePropertyName(property)) {
+			errors.push(`Unsafe property name: ${property}`);
+		}
+
+		// Check for SQL injection patterns in string values
+		const value = queryObj[property];
+		if (typeof value === 'string') {
+			if (value.includes(';') || value.includes('--') || value.includes('/*')) {
+				errors.push(`Suspicious content in property: ${property}`);
+			}
+		}
+	}
+
+	return { valid: errors.length === 0, errors };
+}
+
+/**
+ * Security recommendations for different database systems
+ */
+export const databaseSecurityGuides = {
+	json: {
+		name: 'JSON File Storage',
+		description: 'Current implementation',
+		practices: [
+			'Use isSafePropertyName() to validate property names',
+			'Use safeFilter() and safeSearch() for queries',
+			'Use getSafeProperty() for nested property access',
+			'Never use string interpolation for property access'
+		]
+	},
+	sql: {
+		name: 'SQL Databases (PostgreSQL, MySQL, etc.)',
+		description: 'For future migration',
+		practices: [
+			'Always use parameterized queries / prepared statements',
+			'Never concatenate user input into SQL strings',
+			'Use ORM libraries with built-in protection',
+			'Validate column/table names with whitelist',
+			'Use input validation before queries',
+			'Implement principle of least privilege for DB user'
+		]
+	}
+};
+
+/**
+ * Example parameterized query pattern (for SQL migration reference)
+ */
+export function getParameterizedQueryExample(): string {
+	return `
+// Example: PostgreSQL with parameterized query
+const query = 'SELECT * FROM users WHERE email = $1';
+const values = [userEmail];
+const result = await db.query(query, values);
+
+// Example: Using ORM (Prisma)
+const user = await prisma.user.findUnique({
+  where: { email: userEmail }
+});
+
+// NEVER do this:
+// const query = \`SELECT * FROM users WHERE email = '\${userEmail}'\`; // VULNERABLE
+`;
+}