@authup/server-kit 1.0.0-beta.2 → 1.0.0-beta.20

package/dist/index.mjs

@@ -1,20 +1,24 @@
-import { compare as compare$1, hash as hash$1 } from 'bcrypt';
+import { compare as compare$1, hash as hash$1 } from '@node-rs/bcrypt';
 import { createPrivateKey, generateKeyPair, createPublicKey } from 'node:crypto';
-import { isObject, TokenError, KeyType, DomainEventName, buildDomainEventFullName } from '@authup/core';
+import { isObject, TokenError, JWTAlgorithm, JWKType, buildEventFullName } from '@authup/kit';
 import path from 'node:path';
 import fs from 'node:fs';
-import { decode, sign, verify } from 'jsonwebtoken';
+import { Algorithm, sign, verify } from '@node-rs/jsonwebtoken';
 import { isObject as isObject$1 } from 'smob';
-import { hasClient, hasConfig, useClient } from 'redis-extension';
+import * as process$1 from 'node:process';
+import { transports, createLogger as createLogger$1, format } from 'winston';
+export { Logger } from 'winston';
+import { singa } from 'singa';
+export { Client as RedisClient, ClientOptions as RedisClientOptions, JsonAdapter as RedisJsonAdapter, Watcher as RedisWatcher, buildKeyPath as buildRedisKeyPath, createClient as createRedisClient, escapeKey as escapeRedisKey, parseKeyPath as parseRedisKeyPath } from 'redis-extension';
+export { VaultClient, createClient as createVaultClient } from '@hapic/vault';
 import { Emitter } from '@socket.io/redis-emitter';
-import { createTransport, createTestAccount } from 'nodemailer';
 
 async function compare(value, hashedValue) {
     return compare$1(value, hashedValue);
 }
 
-async function hash(str, saltOrRounds = 10) {
-    return hash$1(str, saltOrRounds);
+async function hash(str, rounds = 10) {
+    return hash$1(str, rounds);
 }
 
 /*
@@ -121,6 +125,41 @@ function decryptRSAPrivateKey(context, key) {
     return content;
 }
 
+/*
+ * Copyright (c) 2024.
+ * Author Peter Placzek (tada5hi)
+ * For the full copyright and license information,
+ * view the LICENSE file that was distributed with this source code.
+ */ function wrapPem(type, input) {
+    if (typeof input !== 'string') {
+        input = Buffer.from(input).toString('base64');
+    }
+    return `-----BEGIN ${type}-----\n${input}\n-----END ${type}-----`;
+}
+function wrapPrivateKeyPem(input) {
+    return wrapPem('PRIVATE KEY', input);
+}
+function wrapPublicKeyPem(input) {
+    return wrapPem('PUBLIC KEY', input);
+}
+// ------------------------------------------------------------
+function unwrapPem(type, input) {
+    if (typeof input !== 'string') {
+        input = Buffer.from(input).toString('base64');
+    }
+    input = input.replace(`-----BEGIN ${type}-----\n`, '');
+    input = input.replace(`\n-----END ${type}-----\n`, '');
+    input = input.replace(`-----END ${type}-----\n`, '');
+    input = input.replace(`\n-----END ${type}-----`, '');
+    return input;
+}
+function unwrapPrivateKeyPem(input) {
+    return unwrapPem('PRIVATE KEY', input);
+}
+function unwrapPublicKeyPem(input) {
+    return unwrapPem('PUBLIC KEY', input);
+}
+
 async function saveKeyPair(keyPair, context) {
     context = extendKeyPairOptions(context);
     await fs.promises.mkdir(context.directory, {
@@ -259,26 +298,89 @@ async function useKeyPair(value) {
     return keyPair;
 }
 
+/**
+ * Decode a JWT token with no verification.
+ *
+ * @param token
+ *
+ * @throws TokenError
+ */ function extractTokenHeader(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw TokenError.payloadInvalid('The token format is not valid.');
+    }
+    const [headerBase64] = parts;
+    try {
+        const payload = atob(headerBase64);
+        return JSON.parse(payload);
+    /*
+        return {
+            typ: 'JWT',
+            alg: transformInternalToJWTAlgorithm(header.algorithm),
+            cty: header.contentType,
+            jku: header.jsonKeyUrl,
+            kid: header.keyId,
+            x5u: header.x5Url,
+            x5c: header.x5CertChain,
+            x5t: header.x5CertThumbprint,
+            'x5t#S256': header.x5TS256CertThumbprint,
+        };
+         */ } catch (e) {
+        throw TokenError.headerInvalid('The token header could not be extracted.');
+    }
+}
+function extractTokenPayload(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw TokenError.payloadInvalid('The token format is not valid.');
+    }
+    const [, payloadBase64] = parts;
+    try {
+        const payload = atob(payloadBase64);
+        return JSON.parse(payload);
+    } catch (e) {
+        throw TokenError.payloadInvalid('The token payload could not be extracted.');
+    }
+}
+
 function createErrorForJWTError(e) {
-    if (isObject$1(e) && typeof e.name === 'string') {
-        switch(e.name){
-            case 'TokenExpiredError':
+    if (isObject$1(e)) {
+        if (typeof e.name === 'string') {
+            switch(e.name){
+                case 'TokenExpiredError':
+                    {
+                        return TokenError.expired();
+                    }
+                case 'NotBeforeError':
+                    {
+                        if (typeof e.date === 'string' || e.date instanceof Date) {
+                            return TokenError.notActiveBefore(e.date);
+                        }
+                        break;
+                    }
+                case 'JsonWebTokenError':
+                    {
+                        if (typeof e.message === 'string') {
+                            return TokenError.payloadInvalid(e.message);
+                        }
+                        break;
+                    }
+            }
+        }
+        // @see https://github.com/Keats/jsonwebtoken/blob/master/src/errors.rs
+        switch(e.message){
+            case 'ExpiredSignature':
                 {
                     return TokenError.expired();
                 }
-            case 'NotBeforeError':
+            case 'ImmatureSignature':
                 {
-                    if (typeof e.date === 'string' || e.date instanceof Date) {
-                        return TokenError.notActiveBefore(e.date);
-                    }
-                    break;
+                    return TokenError.notActiveBefore();
                 }
-            case 'JsonWebTokenError':
+            case 'InvalidToken':
+            case 'InvalidSignature':
                 {
-                    if (typeof e.message === 'string') {
-                        return TokenError.payloadInvalid(e.message);
-                    }
-                    break;
+                    return TokenError.payloadInvalid();
                 }
         }
     }
@@ -288,101 +390,140 @@ function createErrorForJWTError(e) {
         message: 'The JWT error could not be determined.'
     });
 }
-
-function decodeToken(token, options) {
-    options ?? (options = {});
-    let output;
-    try {
-        output = decode(token, {
-            ...options
-        });
-    } catch (e) {
-        throw createErrorForJWTError(e);
-    }
-    if (output === null) {
-        throw TokenError.payloadInvalid('The token could not be decoded.');
+function transformJWTAlgorithmToInternal(algorithm) {
+    switch(algorithm){
+        case JWTAlgorithm.HS256:
+            {
+                return Algorithm.HS256;
+            }
+        case JWTAlgorithm.HS384:
+            {
+                return Algorithm.HS384;
+            }
+        case JWTAlgorithm.HS512:
+            {
+                return Algorithm.HS512;
+            }
+        case JWTAlgorithm.RS256:
+            {
+                return Algorithm.RS256;
+            }
+        case JWTAlgorithm.RS384:
+            {
+                return Algorithm.RS384;
+            }
+        case JWTAlgorithm.RS512:
+            {
+                return Algorithm.RS512;
+            }
+        case JWTAlgorithm.ES256:
+            {
+                return Algorithm.ES256;
+            }
+        case JWTAlgorithm.ES384:
+            {
+                return Algorithm.ES384;
+            }
+        case JWTAlgorithm.PS256:
+            {
+                return Algorithm.PS256;
+            }
+        case JWTAlgorithm.PS384:
+            {
+                return Algorithm.PS384;
+            }
+        case JWTAlgorithm.PS512:
+            {
+                return Algorithm.PS512;
+            }
     }
-    return output;
+    throw new Error(`The algorithm ${algorithm} is not supported.`);
 }
 
-async function signToken(payload, context) {
-    context.expiresIn = context.expiresIn || 3600;
+const getUtcTimestamp = ()=>Math.floor(new Date().getTime() / 1000);
+async function signToken(claims, context) {
+    if (typeof claims.exp !== 'number') {
+        claims.exp = getUtcTimestamp() + 3600;
+    }
+    if (typeof claims.iat !== 'number') {
+        claims.iat = getUtcTimestamp();
+    }
     switch(context.type){
-        case KeyType.RSA:
-        case KeyType.EC:
+        case JWKType.RSA:
+        case JWKType.EC:
             {
-                const { type, keyPair, ...options } = context;
-                const { privateKey } = isKeyPair(keyPair) ? keyPair : await useKeyPair(keyPair);
-                if (type === KeyType.RSA) {
-                    options.algorithm = options.algorithm || 'RS256';
+                const { privateKey } = isKeyPair(context.keyPair) ? context.keyPair : await useKeyPair(context.keyPair);
+                let algorithm;
+                if (context.type === JWKType.RSA) {
+                    algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.RS256;
                 } else {
-                    options.algorithm = options.algorithm || 'ES256';
+                    algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.ES256;
                 }
-                return sign(payload, privateKey, options);
+                return sign(claims, privateKey, {
+                    algorithm,
+                    keyId: context.keyId
+                });
             }
-        case KeyType.OCT:
+        case JWKType.OCT:
             {
-                const { type, secret, ...options } = context;
-                options.algorithm = options.algorithm || 'HS256';
-                return sign(payload, secret, options);
+                const algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.HS256;
+                return sign(claims, context.key, {
+                    algorithm,
+                    keyId: context.keyId
+                });
             }
     }
     throw new TokenError();
 }
 
-async function verifyToken(token, context) {
+/**
+ * Verify JWT.
+ *
+ * @param token
+ * @param context
+ *
+ * @throws TokenError
+ */ async function verifyToken(token, context) {
     let promise;
     let output;
     try {
         switch(context.type){
-            case KeyType.RSA:
-            case KeyType.EC:
+            case JWKType.RSA:
+            case JWKType.EC:
                 {
-                    const { type, keyPair, ...options } = context;
-                    const { publicKey } = isKeyPairWithPublicKey(keyPair) ? keyPair : await useKeyPair(keyPair);
-                    if (type === KeyType.RSA) {
-                        options.algorithms = options.algorithms || [
-                            'RS256',
-                            'RS384',
-                            'RS512',
-                            'PS256',
-                            'PS384',
-                            'PS512'
+                    const { publicKey } = isKeyPairWithPublicKey(context.keyPair) ? context.keyPair : await useKeyPair(context.keyPair);
+                    let algorithms;
+                    if (context.type === JWKType.RSA) {
+                        algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
+                            Algorithm.RS256,
+                            Algorithm.RS384,
+                            Algorithm.RS512,
+                            Algorithm.PS256,
+                            Algorithm.PS384,
+                            Algorithm.PS512
                         ];
                     } else {
-                        options.algorithms = options.algorithms || [
-                            'ES256',
-                            'ES384',
-                            'ES512'
+                        algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
+                            Algorithm.ES256,
+                            Algorithm.ES384
                         ];
                     }
-                    promise = new Promise((resolve, reject)=>{
-                        verify(token, publicKey, options, (err, decoded)=>{
-                            if (err) {
-                                reject(err);
-                                return;
-                            }
-                            resolve(decoded);
-                        });
+                    promise = verify(token, publicKey, {
+                        algorithms,
+                        validateNbf: true
                     });
                     break;
                 }
-            case KeyType.OCT:
+            case JWKType.OCT:
                 {
-                    const { type, secret, ...options } = context;
-                    options.algorithms = options.algorithms || [
-                        'HS256',
-                        'HS384',
-                        'HS512'
+                    const algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
+                        Algorithm.HS256,
+                        Algorithm.HS384,
+                        Algorithm.HS512
                     ];
-                    promise = new Promise((resolve, reject)=>{
-                        verify(token, secret, options, (err, decoded)=>{
-                            if (err) {
-                                reject(err);
-                                return;
-                            }
-                            resolve(decoded);
-                        });
+                    promise = verify(token, context.key, {
+                        algorithms,
+                        validateNbf: true
                     });
                 }
         }
@@ -398,6 +539,87 @@ async function verifyToken(token, context) {
     return output;
 }
 
+function createLogger(context) {
+    let items;
+    const cwd = context.directory || process$1.cwd();
+    if (context.env === 'production') {
+        items = [
+            new transports.Console({
+                level: 'info'
+            }),
+            new transports.File({
+                filename: path.join(cwd, 'access.log'),
+                level: 'http',
+                maxsize: 10 * 1024 * 1024,
+                maxFiles: 5
+            }),
+            new transports.File({
+                filename: path.join(cwd, 'error.log'),
+                level: 'warn',
+                maxsize: 10 * 1024 * 1024,
+                maxFiles: 5
+            })
+        ];
+    } else {
+        items = [
+            new transports.Console({
+                level: 'debug'
+            })
+        ];
+    }
+    return createLogger$1({
+        format: format.combine(format.errors({
+            stack: true
+        }), format.timestamp(), format.colorize(), format.simple()),
+        transports: items
+    });
+}
+
+const instance$2 = singa({
+    name: 'logger'
+});
+function setLoggerFactory(factory) {
+    instance$2.setFactory(factory);
+}
+function isLoggerUsable() {
+    return instance$2.has() || instance$2.hasFactory();
+}
+function setLogger(input) {
+    instance$2.set(input);
+}
+function useLogger() {
+    return instance$2.use();
+}
+
+const instance$1 = singa({
+    name: 'redis'
+});
+function setRedisFactory(factory) {
+    instance$1.setFactory(factory);
+}
+function isRedisClientUsable() {
+    return instance$1.has() || instance$1.hasFactory();
+}
+function setRedisClient(input) {
+    instance$1.set(input);
+}
+function useRedisClient() {
+    return instance$1.use();
+}
+
+const instance = singa({
+    name: 'vault'
+});
+function setVaultFactory(factory) {
+    instance.setFactory(factory);
+}
+function isVaultClientUsable() {
+    return instance.has() || instance.hasFactory();
+}
+function useVaultClient() {
+    return instance.use();
+}
+
 function transformDomainEventData(input) {
     if (isObject(input)) {
         const keys = Object.keys(input);
@@ -417,187 +639,81 @@ function buildDomainEventChannelName(input, id) {
     return input(id);
 }
 
-async function publishDomainRedisEvent(context, destinations) {
-    if (!hasClient() && !hasConfig()) {
-        return Promise.resolve();
-    }
-    context = transformDomainEventData(context);
-    const json = JSON.stringify(context);
-    const client = useClient();
-    const pipeline = client.pipeline();
-    for(let i = 0; i < destinations.length; i++){
-        const { namespace } = destinations[i];
-        const keyPrefix = namespace ? `${namespace}:` : '';
-        let key = keyPrefix + buildDomainEventChannelName(destinations[i].channel);
-        pipeline.publish(key, json);
-        if (context.event !== DomainEventName.CREATED && typeof destinations[i].channel === 'function') {
-            key = keyPrefix + buildDomainEventChannelName(destinations[i].channel, context.data.id);
-            pipeline.publish(key, json);
+class DomainEventRedisPublisher {
+    async publish(ctx) {
+        const data = JSON.stringify(transformDomainEventData(ctx.content));
+        const pipeline = this.driver.pipeline();
+        for(let i = 0; i < ctx.destinations.length; i++){
+            const { namespace } = ctx.destinations[i];
+            const keyPrefix = namespace ? `${namespace}:` : '';
+            let key = keyPrefix + buildDomainEventChannelName(ctx.destinations[i].channel);
+            pipeline.publish(key, data);
+            if (typeof ctx.destinations[i].channel === 'function') {
+                key = keyPrefix + buildDomainEventChannelName(ctx.destinations[i].channel, ctx.content.data.id);
+                pipeline.publish(key, data);
+            }
         }
+        await pipeline.exec();
     }
-    return pipeline.exec();
-}
-
-let instance$3;
-function useSocketEmitter() {
-    if (typeof instance$3 !== 'undefined') {
-        return instance$3;
+    constructor(client){
+        this.driver = client;
     }
-    instance$3 = new Emitter(useClient());
-    return instance$3;
 }
 
-function publishDomainSocketEvent(context, destinations) {
-    if (!hasClient() && !hasConfig()) {
-        return;
-    }
-    context = transformDomainEventData(context);
-    for(let i = 0; i < destinations.length; i++){
-        let emitter = useSocketEmitter();
-        if (destinations[i].namespace) {
-            emitter = emitter.of(destinations[i].namespace);
-        }
-        let roomName = buildDomainEventChannelName(destinations[i].channel);
-        const fullEventName = buildDomainEventFullName(context.type, context.event);
-        emitter.in(roomName)// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore
-        .emit(fullEventName, {
-            ...context,
-            meta: {
-                roomName
+class DomainEventSocketPublisher {
+    async publish(ctx) {
+        ctx.content = transformDomainEventData(ctx.content);
+        for(let i = 0; i < ctx.destinations.length; i++){
+            let emitter;
+            if (ctx.destinations[i].namespace) {
+                emitter = this.driver.of(ctx.destinations[i].namespace);
+            } else {
+                emitter = this.driver;
             }
-        });
-        if (context.event !== DomainEventName.CREATED && typeof destinations[i].channel === 'function') {
-            roomName = buildDomainEventChannelName(destinations[i].channel, context.data.id);
-            emitter.in(roomName)// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore
-            .emit(fullEventName, {
-                ...context,
+            let roomName = buildDomainEventChannelName(ctx.destinations[i].channel);
+            const fullEventName = buildEventFullName(ctx.content.type, ctx.content.event);
+            emitter.in(roomName).emit(fullEventName, {
+                ...ctx.content,
                 meta: {
-                    roomName,
-                    roomId: context.data.id
+                    roomName
                 }
             });
+            if (typeof ctx.destinations[i].channel === 'function') {
+                roomName = buildDomainEventChannelName(ctx.destinations[i].channel, ctx.content.data.id);
+                emitter.in(roomName).emit(fullEventName, {
+                    ...ctx.content,
+                    meta: {
+                        roomName,
+                        roomId: ctx.content.data.id
+                    }
+                });
+            }
         }
     }
-}
-
-async function publishDomainEvent(context, destinations) {
-    await publishDomainRedisEvent(context, destinations);
-    publishDomainSocketEvent(context, destinations);
-}
-
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ class VoidLogger {
-    error() {
-        return this;
-    }
-    warn() {
-        return this;
-    }
-    info() {
-        return this;
-    }
-    http() {
-        return this;
-    }
-    verbose() {
-        return this;
-    }
-    debug() {
-        return this;
+    constructor(client){
+        this.driver = new Emitter(client);
     }
 }
 
-let instance$2;
-function useLogger() {
-    if (typeof instance$2 !== 'undefined') {
-        return instance$2;
-    }
-    instance$2 = new VoidLogger();
-    return instance$2;
-}
-function setLogger(logger) {
-    instance$2 = logger;
-}
-
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ let instance$1;
-function hasSmtpConfig() {
-    return !!instance$1;
-}
-function setSmtpConfig(value) {
-    instance$1 = value;
-}
-function useSmtpConfig() {
-    if (typeof instance$1 !== 'undefined') {
-        return instance$1;
-    }
-    instance$1 = {};
-    return instance$1;
-}
-
-function createSmtpClient(options) {
-    let transport;
-    options = options || {};
-    if (typeof options === 'string') {
-        transport = createTransport(options);
-    } else if (options.connectionString) {
-        transport = createTransport(options.connectionString);
-    } else {
-        let auth;
-        if (options.user && options.password) {
-            auth = {
-                type: 'login',
-                user: options.user,
-                pass: options.password
-            };
-        }
-        transport = createTransport({
-            host: options.host,
-            port: options.port,
-            auth,
-            secure: options.ssl,
-            opportunisticTLS: options.starttls,
-            tls: {
-                rejectUnauthorized: false
+class DomainEventPublisher {
+    async publish(ctx) {
+        const publishers = this.publishers.values();
+        while(true){
+            const it = publishers.next();
+            if (it.done) {
+                return;
             }
-        });
-    }
-    transport.on('error', (e)=>{
-        useLogger().error(e.message);
-    });
-    return transport;
-}
-
-let instance;
-async function useSMTPClient() {
-    if (typeof instance !== 'undefined') {
-        return instance;
+            await it.value.publish(ctx);
+        }
     }
-    let options;
-    if (process.env.NODE_ENV === 'test') {
-        const testAccount = await createTestAccount();
-        options = {
-            host: 'smtp.ethereal.email',
-            port: 587,
-            ssl: false,
-            user: testAccount.user,
-            password: testAccount.pass
-        };
-    } else {
-        options = useSmtpConfig();
+    constructor(){
+        this.publishers = new Set();
+        if (isRedisClientUsable()) {
+            const client = useRedisClient();
+            this.publishers.add(new DomainEventRedisPublisher(client));
+            this.publishers.add(new DomainEventSocketPublisher(client));
+        }
     }
-    instance = createSmtpClient(options);
-    return instance;
 }
 
 /*
@@ -609,5 +725,5 @@ async function useSMTPClient() {
     return Object.prototype.hasOwnProperty.call(obj, prop);
 }
 
-export { KeyPairKind, VoidLogger, buildKeyFileName, compare, createKeyPair, createSmtpClient, decodeToken, decryptRSAPrivateKey, deleteKeyPair, extendKeyPairOptions, hasOwnProperty, hasSmtpConfig, hash, isKeyPair, isKeyPairWithPublicKey, loadKeyPair, publishDomainEvent, publishDomainRedisEvent, publishDomainSocketEvent, saveKeyPair, setLogger, setSmtpConfig, signToken, useKeyPair, useLogger, useSMTPClient, useSmtpConfig, useSocketEmitter, verifyToken };
+export { DomainEventPublisher, DomainEventRedisPublisher, DomainEventSocketPublisher, KeyPairKind, buildKeyFileName, compare, createKeyPair, createLogger, decryptRSAPrivateKey, deleteKeyPair, extendKeyPairOptions, extractTokenHeader, extractTokenPayload, hasOwnProperty, hash, isKeyPair, isKeyPairWithPublicKey, isLoggerUsable, isRedisClientUsable, isVaultClientUsable, loadKeyPair, saveKeyPair, setLogger, setLoggerFactory, setRedisClient, setRedisFactory, setVaultFactory, signToken, unwrapPrivateKeyPem, unwrapPublicKeyPem, useKeyPair, useLogger, useRedisClient, useVaultClient, verifyToken, wrapPrivateKeyPem, wrapPublicKeyPem };
 //# sourceMappingURL=index.mjs.map