@blazedpath/commons 0.0.4

package/blz-security/implementations/oidc.js

@@ -0,0 +1,404 @@
+/**
+ * @author Blazedpath Team
+ * @implements OpenID Connect specifications
+ * @description It is an identity protocol that is designed to authenticate
+ * users through relying parties (RP or applications) with an external server
+ * called OpenID Connect Provider (OP); this server typically gets the user
+ * information from an identity provider for access control.
+ * @see https://openid.net/specs/openid-connect-core-1_0.html
+ */
+
+const CryptoJS = require('crypto-js') // Crypto standards
+const { Issuer, generators, custom } = require('openid-client') // OpenID Certified Relying Party.
+const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
+const JwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
+const Uuid = require('uuid') // Support for RFC4122 version 1, 3, 4, and 5 UUIDs.
+const { METADATA } = require('../helpers/consts')
+// const cache = require('../implementations/cache')
+const { trace, Exception: Exception, getTokenTolerance } = require('../helpers/utils')
+
+/**
+ * @param OP OpenId Provider
+ * @param RP Relying Party (Client)
+ */
+
+/**
+ * Variables with a global scope
+ */
+
+let jwks // Provide the client with the jwks which exposes signing keys.
+let clientOidc // Client instance for the authorization server of that issuer.
+
+custom.setHttpOptionsDefaults({
+  timeout: process.env.TIMEOUT_HTTP || 30e3
+})
+
+/**
+ * @name Iss
+ * @api public
+ * @description Entity that issues a set of claims
+ */
+class Iss {
+  /**
+   * @constructor
+   * @param {Object} metadata
+   */
+  constructor (metadata) {
+    if (!metadata.id_token_signing_alg_values_supported) {
+      metadata.id_token_signing_alg_values_supported = ['RS256']
+    }
+    if (!metadata.response_types_supported) {
+      metadata.response_types_supported = ['code', 'none', 'id_token', 'token', 'id_token token', 'code id_token', 'code token', 'code id_token token']
+    }
+    if (!metadata.subject_types_supported) {
+      metadata.subject_types_supported = ['public']
+    }
+    const claimsRequired = METADATA.filter(({ type }) => type === 'REQUIRED')
+    const attributes = Object.entries(metadata)
+    for (let i = 0; i < attributes.length; i++) {
+      claimsRequired.forEach((claim, index) => {
+        if (attributes[i][0] === claim.name && attributes[i][1]) {
+          claimsRequired.splice(index, 1)
+        }
+      })
+    }
+    if (claimsRequired.length > 0) {
+      throw new Exception(JSON.stringify(claimsRequired), 'ClaimError', 403)
+    }
+    jwks = JwksClient({
+      cache: true, // Signature key verification results are cached to prevent excessive HTTP requests.
+      rateLimit: true, // Limit requests that are made to the jwks per minute.
+      cacheMaxAge: 60e3, // 1 minute to cache because a key rotation could have taken place.
+      jwksRequestsPerMinute: 15, // Max requests per minute.
+      jwksUri: metadata.jwks_uri // https://issuer/.well-known/jwks.json or https://issuer/openid-connect/certs
+    })
+    const issuer = metadata.Client ? metadata : new Issuer(metadata)
+    // Client instance for the authorization server of that issuer.
+    const clientPayload = {
+      client_id: metadata.clientId,
+      response_type: 'code'
+    }
+    if (metadata.clientSecret) {
+      clientPayload.client_secret = metadata.clientSecret
+    }
+    clientOidc = new issuer.Client(clientPayload)
+  }
+}
+class Oidc {
+  constructor (cache, config) {
+    this.cache = cache
+    this.config = config
+    if (this.config.authServer) {
+      if (this.config.authServer.PrivateKey && this.config.authServer.PublicKey) {
+        this.config.authServer.PrivateKey = this.config.authServer.PrivateKey.replace(/\\n/g, '\n')
+        this.config.authServer.PublicKey = this.config.authServer.PublicKey.replace(/\\n/g, '\n')
+      } else if (process.env.PRIVATE_KEY && process.env.PUBLIC_KEY) {
+        this.config.authServer.PrivateKey = process.env.PRIVATE_KEY
+        this.config.authServer.PublicKey = process.env.PUBLIC_KEY
+      } else {
+        throw new Exception('Private and public keys are mandatory', 'AttributeError', 403)
+      }
+      if (!this.config.authServer.Signature) {
+        if (process.env.OIDC_SIGNATURE)
+          this.config.authServer.Signature = process.env.OIDC_SIGNATURE
+        else
+          this.config.authServer.Signature = '--'
+      }
+    }
+  }
+
+  oidcMetadataKey() {
+    return this.config.authServer.sessionCookiesDomain || 'oidcMetadata'
+  }
+
+  async oidcMetadata() {
+    return await this.cache.get(this.oidcMetadataKey())
+  }
+
+  /**
+   * @name configuration
+   * @api public
+   * @param {String} uri OP configuration information
+   */
+  async configuration (context) {
+    let metadata = await this.cache.get(this.oidcMetadataKey())
+    if (typeof context === 'string' && !context.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi)) {
+      throw new Exception('Wrong OpenId Provider configuration URI entered', 'AttributeError', 403)
+    }
+    if (!metadata || !metadata.issuer) {
+      if (context.issuer) {
+        metadata = { ...(metadata || {}), ...context }
+      } else {
+        metadata = metadata || {}
+        metadata.openid_configuration = context
+        metadata = { ...metadata, ...(await Issuer.discover(context)) } // Discover an issuer configuration.
+      }
+      await this.cache.set(this.oidcMetadataKey(), metadata, 864e5) // 1 day of cache
+    }
+    return new Iss(metadata)
+  }
+
+  expiresIn (tokensSet) {
+    return Math.round((tokensSet.expires_at * 1000 - Date.now()) / 1000)
+  }
+
+  expired (tokensSet) {
+    return this.expiresIn(tokensSet) < getTokenTolerance()
+  }
+
+  /**
+   * @name tokenSet
+   * @generator PKCE is mandatory in OAuth 2.1.
+   * @see https://tools.ietf.org/html/draft-ietf-oauth-v2-1-02
+   * @see https://tools.ietf.org/html/rfc7636
+   */
+  async tokenSet () {
+    return {
+      /**
+       * @name tokens
+       * @api public
+       * @param sessionState String that represents the End-User's login state at the OP.
+       * @returns Tokens set
+       */
+      tokens: async (sessionState) => {
+        if (!sessionState) {
+          throw new Exception('Session state is mandatory', 'AttributeError', 404)
+        }
+        const tokensSet = await this.cache.get(sessionState)
+        if (!tokensSet || !tokensSet.access_token) {
+          throw new Exception(`No token found fo session_state: ${sessionState}`, 'TokenError', 403)
+        }
+        // Get the payload by the public key and verify it.
+        // const publicKey = (hdr, cb) => jwks.getSigningKey(hdr.kid, async (err, key) => cb(err, key ? key.publicKey || key.rsaPublicKey : key))
+        // const [error] = await new Promise((resolve) => {
+        //   Jsonwebtoken.verify(tokensSet.access_token, publicKey, null, async (err, res) => {
+        //     resolve([err, res])
+        //   })
+        // })
+        // if (error) {
+        //   throw new Exception(error.message, 'TokenInvalid', 403)
+        // }
+        if (this.expired(tokensSet) && tokensSet.refresh_token) {
+          const [error, payload] = await clientOidc.refresh(tokensSet.refresh_token, {
+            exchangeBody: {
+              client_id: clientOidc.clientId
+            }
+          }).then((tokenSet) => [null, tokenSet]).catch((error) => [error, null])
+          if (error || !payload.access_token) {
+            await this.cache.del(sessionState)
+            throw new Exception(`Can not refresh token for session_state: ${sessionState}`, 'ExpirationError', 403)
+          }
+          trace('INFO', `Refresh token for session_state: ${sessionState}`)
+          await this.cache.set(sessionState, payload, (payload.refresh_expires_in || payload.expires_in) * 1e3)
+          return payload
+        }
+        if (tokensSet.refresh_expires_in < getTokenTolerance()) {
+          await this.cache.del(sessionState)
+          throw new Exception(`Token expired, remove session_state: ${sessionState}`, 'ExpirationError', 403)
+        }
+        trace('INFO', `Get token of session_state: ${sessionState}`)
+        return tokensSet
+      },
+      /**
+       * @name generate
+       * @api public
+       * @param {code, scope, redirect_uri}
+       * @description Generate token with authorization flow with PKCE.
+       */
+      generate: async ({ code, scope = 'openid', redirectUri = '', sid }) => {
+        if (!sid) {
+          throw new Exception('SID is mandatory', '')
+        }
+        const { codeVerifier } = await this.pkceCode(sid)
+        const tokensResponse = await clientOidc.callback(redirectUri,
+          {
+            grant_type: 'authorization_code',
+            code,
+            scope,
+            client_id: clientOidc.client_id,
+            client_secret: clientOidc.client_secret || ' ',
+            redirect_uri: redirectUri
+          },
+          {
+            code_verifier: codeVerifier
+          }).then((tokenSet) => tokenSet).catch((error) => error)
+
+        if (tokensResponse && tokensResponse.access_token) {
+          tokensResponse.session_state = tokensResponse.session_state || Uuid.v4()
+          if (tokensResponse.refresh_expires_in <= getTokenTolerance(0)) {
+            throw new Exception(`Invalid refresh token expiration ${tokensResponse.refresh_expires_in}`, 'ExpirationError', 403)
+          }
+          const expirationTime = (tokensResponse.refresh_expires_in || tokensResponse.expires_in) * 1e3
+          if (expirationTime > 0) {
+            await this.cache.set(tokensResponse.session_state, tokensResponse, expirationTime)
+            return tokensResponse
+          } else {
+            trace('ERROR', `Expiration time: ${expirationTime}`)
+            return null
+          }
+        }
+        if (tokensResponse.message && tokensResponse.exp <= tokensResponse.now) {
+          throw new Exception(tokensResponse.message, 'ExpirationError', 403)
+        }
+        throw new Exception(tokensResponse.error_description || tokensResponse.error || tokensResponse.message, 'TokenError', 403)
+      },
+      /**
+       * @name userInfo
+       * @api public
+       * @param {String} sessionState
+       * @returns userInfo Returns previously consented user profile information to the RP.
+       * @see https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+       */
+      userInfo: async (sessionState) => {
+        const tokensSet = await this.cache.get(sessionState)
+        let userInfo = {}
+        if (!tokensSet || !tokensSet.access_token) {
+          throw new Exception('Access token is mandatory', 'TokenError', 401)
+        }
+        if (clientOidc.issuer && clientOidc.issuer.userinfo_endpoint) {
+          userInfo = await clientOidc.userinfo(tokensSet.access_token).then((info) => info).catch((err) => err)
+        } else {
+          userInfo = Jsonwebtoken.decode(tokensSet.id_token)
+        }
+        if (!userInfo.user_name && userInfo.name) {
+          userInfo.user_name = userInfo.name
+        }
+        if (userInfo.error) {
+          throw new Exception(userInfo.error, 'UserInfoError', 403)
+        }
+        return userInfo
+      }
+    }
+  }
+
+  getUseTokenType() {
+    return this.config.authServer.useTokenType || 'access_token'
+  }
+
+  async getUseToken (sessionState) {
+    const tokenSet = await this.tokenSet();
+    if (tokenSet && sessionState) {
+      const tokens = await tokenSet.tokens(sessionState);
+      if (tokens) {
+        return tokens[this.getUseTokenType()];
+      }
+    }
+    return null;
+  }
+
+  /**
+   * @name pkceCode
+   * @api public
+   * @description The properties "code_challenge" and "code_verifier" are adopted from the OAuth 2.0 extension
+   * known as "Proof-Key for Code Exchange", or PKCE [RFC7636].
+   * @see https://datatracker.ietf.org/doc/html/rfc7636
+   * @param {String} code
+   * @returns
+   */
+  async pkceCode (code) {
+    if (!code) {
+      const codeVerifier = generators.codeVerifier()
+      const data = {
+        jti: Uuid.v4(),
+        iat: Math.floor(Date.now() / 1e3),
+        typ: 'Serialized-ID',
+        state_checker: CryptoJS.AES.encrypt(
+          JSON.stringify({
+            codeVerifier, // Is a random string.
+            codeChallenge: generators.codeChallenge(codeVerifier) // BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
+          }),
+          this.config.authServer.Signature
+        ).toString()
+      }
+      const token = Jsonwebtoken.sign(data, this.config.authServer.PrivateKey, { expiresIn: '1m', algorithm: 'RS256' })
+      return token
+    }
+    try {
+      const decoded = await Jsonwebtoken.verify(code, this.config.authServer.PublicKey, { algorithms: ['RS256'] })
+      const { state_checker: stateChecker } = decoded
+      const codeVerifier = JSON.parse(CryptoJS.AES.decrypt(stateChecker, this.config.authServer.Signature).toString(CryptoJS.enc.Utf8))
+      return codeVerifier
+    } catch (error) {
+      throw new Exception(error, 'pkceCode', 403)
+    }
+  }
+
+  /**
+   * @name authorizationUrl
+   * @api public
+   * @param {scope, redirect_uri}
+   * @returns authorization endpoint with PKCE
+   */
+  async authorizationUrl ({ scope = 'openid', redirectUri = '', pkceCode }) {
+    const { codeChallenge } = await this.pkceCode(pkceCode)
+    const oidcMetadata = await this.cache.get(this.oidcMetadataKey())
+    if (!clientOidc && !oidcMetadata) {
+      throw new Exception('Unable to fetch configuration from identity provider', 'ConfigurationError', 404)
+    }
+    await this.configuration(oidcMetadata.openid_configuration)
+    // Authorization url with code_challenge and code_challenge_method.
+    return clientOidc.authorizationUrl({
+      scope,
+      code_challenge: codeChallenge,
+      code_challenge_method: 'S256',
+      redirect_uri: redirectUri.replace(/\/(logout|invalid-session).*/gm, '/')
+    })
+  }
+
+  /**
+   * @name endSessionUrl
+   * @api public
+   * @param {session_state, redirect_uri}
+   * @returns end session url
+   */
+  async endSessionUrl ({ sessionState, redirectUri }) {
+    redirectUri = redirectUri.replace(/logout|invalid-session/gmi, '')
+    // Log off specific session.
+    trace('INFO', `Logout session_state: ${sessionState}`)
+    if (sessionState) {
+      const tokensSet = await this.cache.get(sessionState)
+      await this.cache.del(sessionState)
+      if (tokensSet) {
+        return clientOidc.endSessionUrl({
+          id_token_hint: tokensSet.id_token,
+          post_logout_redirect_uri: redirectUri,
+          state: sessionState
+        })
+      }
+    }
+    if (!clientOidc) {
+      throw new Exception('Unable to fetch configuration from identity provider', 'ConfigurationError', 404)
+    }
+    return clientOidc.endSessionUrl({
+      post_logout_redirect_uri: redirectUri
+    })
+  }
+
+  /**
+   * @name client
+   * @api public
+   * @description set client ID and secret in metadata object
+   * @param {clientId, clientSecret}
+   */
+  async client ({ clientId, clientSecret }) {
+    if (!clientId) {
+      throw new Exception('Client ID is wrong', 'AttributeError', 404)
+    }
+    const metadata = await this.cache.get(this.oidcMetadataKey())
+    if (clientSecret) {
+      await this.cache.set(this.oidcMetadataKey(), { ...(metadata || {}), ...{ clientId, clientSecret } }, 864e5)
+    } else {
+      await this.cache.set(this.oidcMetadataKey(), { ...(metadata || {}), ...{ clientId } }, 864e5)
+    }
+  }
+
+  jwt () {
+    return {
+      sign: ({ payload, secret, algorithm = 'RS256' }) => {
+        return Jsonwebtoken.sign(payload, secret, { algorithm: algorithm })
+      }
+    }
+  }
+}
+
+module.exports = { Oidc }

package/blz-security/implementations/pkceCacheStore.js

@@ -0,0 +1,23 @@
+// Simple in-memory store (can be in a separate module/file)
+const pkceStore = new Map();
+
+// Store verifier with a TTL (5 minutes)
+function saveVerifier(stateId, codeVerifier) {
+  pkceStore.set(stateId, codeVerifier);
+
+  // Remove after 5 minutes to avoid memory leaks
+  setTimeout(() => {
+    pkceStore.delete(stateId);
+  }, 5 * 60 * 1000);
+}
+
+// Retrieve and remove verifier (one-time use)
+function getVerifier(stateId) {
+  const verifier = pkceStore.get(stateId);
+  if (verifier) {
+    pkceStore.delete(stateId);
+  }
+  return verifier;
+}
+
+module.exports = { saveVerifier, getVerifier };

package/blz-security/implementations/saml.js

@@ -0,0 +1,10 @@
+/**
+ * @author Blazedpath Team
+ * @implements Security Assertion Markup Language 2.0 specifications
+ * @description It is a standardized way of telling external applications
+ * and services that a user is whom they say they are, making it possible
+ * to authenticate a user across multiple applications.
+ * @see http://saml.xml.org/saml-specifications
+ */
+
+/** Work-in-progress [WIP] * */

package/blz-security/implementations/uma.js

@@ -0,0 +1,63 @@
+/**
+ * @author Blazedpath Team
+ * @implements User-Managed Access (UMA) 2.0 specifications
+ * @description Defines how a client (RP - requesting party) uses a
+ * permission ticket to request an access token to get a protected resource
+ * asynchronously from the short time the resource owner authorizes access.
+ * @see https://tools.ietf.org/html/draft-maler-oauth-umagrant-00
+ */
+
+const Got = require('got') // HTTP request library
+
+/**
+ * @param RPT Requesting Party Token
+ * @param PAT Protection API Token
+ * @param AS Authorization Server
+ * @param RS Resource Server
+ */
+
+/**
+ * @name Uma
+ * @api public
+ * @description Managing access to protected resources.
+ */
+class Uma {
+  /**
+   * @name permission
+   * @api public
+   * @description
+   * @returns
+   */
+  static async permission () {
+    return {
+      /**
+       * @name ticket
+       * @api public
+       * @description Through grant type xx:uma-ticket, clients can send authorization
+       * requests and get an RPT with all permissions granted by auth server.
+       * @param {token_url, token, audience}
+       * @returns token
+       */
+      ticket: async ({ tokenUrl, token, audience }) => {
+        const searchParams = new URLSearchParams([
+          ['grant_type', 'urn:ietf:params:oauth:grant-type:uma-ticket'],
+          ['audience', audience]
+        ])
+        // Get token with permissions.
+        let { body: response } = await Got.post(tokenUrl, {
+          headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/x-www-form-urlencoded'
+          },
+          body: searchParams.toString()
+        })
+        if (typeof response === 'string') {
+          response = JSON.parse(response)
+        }
+        return response
+      }
+    }
+  }
+}
+
+module.exports = Uma

package/blz-security/implementations/webAuthn.js

@@ -0,0 +1,9 @@
+/**
+ * @author Blazedpath Team
+ * @implements Web Authentication (WebAuthn).
+ * @description It is a new W3C global standard for secure authentication
+ * on the Web supported by all leading browsers and platforms.
+ * @see https://www.w3.org/TR/webauthn-2/
+ */
+
+/** Work-in-progress [WIP] * */

package/blz-security/implementations/wstg.js

@@ -0,0 +1,72 @@
+/**
+ * @author Blazedpath Team
+ * @implements OWASP Web Security Testing
+ * @description The WSTG is a comprehensive guide to testing the security
+ * of web applications and services that provides a framework of best practices
+ * used by penetration testers and organizations all over the world.
+ * @see https://owasp.org/www-project-web-security-testing-guide/stable/
+ */
+const Fs = require('fs')
+const { filePathList } = require('../helpers/utils')
+const { log } = require('../helpers/utils')
+
+/**
+ * @name informationGathering
+ * @api private
+ * @param {string} path
+ * @description 4-Web Application Security Testing > 01-Information Gathering
+ * @see https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/
+ * @returns testing methods
+ */
+const informationGathering = (path) => {
+  /**
+  * @name reviewLeakage
+  * @description Review Webpage Content for Information Leakage (WSTG-INFO-05)
+  */
+  const reviewLeakage = () => {
+    const files = filePathList(path, 'public')
+    for (let i = 0; i < files.length; i += 1) {
+      const file = files[i]
+      if ([/^(.*\.((html?|(tp|ft)l|s?[c|a]ss|less|m?js(on)?)))$/gmi].some((reg) => reg.test(file))) {
+        let regex = /( )*<!--((.*)|[^<]*|[^!]*|[^-]*|[^>]*)-->\n*/gm
+        let fileContent = Fs.readFileSync(file, 'utf8')
+        if ([/^(.*\.((s?[c|a]ss|less)?))$/gmi].some((reg) => reg.test(file))) {
+          regex = /\/\*[^*]*\*+([^/*][^*]*\*+)*\//gm
+        } else if ([/^(.*\.((m?js(on)?)))$/gmi].some((reg) => reg.test(file))) {
+          if (!fileContent.split(/\r?\n/).some(line => line.length > 250 && line.match(/class|Blz|function/gm))) {
+            fileContent = fileContent.replace(/(?<=(("([^"\\]|\\.|\\\n)*"|'([^'\\]|\\.|\\\n)*'|`([^`\\]|\\.|\\\n)*`)|\/.*\/(g|m|i|y|u|s)+|\{|\}|\*\/|\)|;|\]|^|\r*))\/{2}[^'"].*/gm, '')
+          }
+          regex = /(?<=[^'|"|`])\/\*[^*"^]*\*+(?:[^/*][^*]*\*+)*\//gm
+        }
+        fileContent = fileContent.replace(regex, '')
+        Fs.writeFileSync(file, fileContent, 'utf8')
+        log({ message: `Applying rules to the file ${file}`, withDateTime: true })
+      }
+    }
+    return files
+  }
+  return {
+    reviewLeakage
+  }
+}
+
+/**
+ * @name testing
+ * @api public
+ * @param {object} context
+ * @description Security testing
+ * @returns functions
+ */
+const testing = (context) => {
+  const fix = () => {
+    const path = typeof context === 'string' ? context : context[Object.keys(context).find((key) => typeof context[key] === 'string')]
+    if (path && [/^.*[/ | \\].*$/gm].some((reg) => reg.test(path))) {
+      informationGathering(path).reviewLeakage()
+    }
+  }
+  return { fix }
+}
+
+module.exports = {
+  testing
+}

package/blz-security/index.js

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+
+/**
+ * @author 
+ * Blazedpath Team
+ * 
+ * @implements Security client specifications
+ * @description Security protocols for authentication (AuthN) and authorization (AuthZ)
+ * such as Open authorization 2.0, OpenID connect, UMA 2.0, SAML 2.0, WebAuth, etc.
+ * @see https://resilient-networks.com/concept-week-saml-oauth2-openid-connect/
+ *
+ * Environment variables needed:
+ * NAVIGATION_INFO_MONGODB_URL=<MongoDB connection string>
+ * NAVIGATION_INFO_MONGODB_DB=<Database name>
+ * NAVIGATION_INFO_MONGODB_COLLECTION=<Collection name>
+ * JWT_SECRET_KEY=<secret for signing JWTs>
+ */
+
+const AuthorizationService = require('./authorizationService');
+const SecurityService = require('./securityService');
+const SqlInjectionGuard = require('./sqlInjectionGuard');
+const XssGuard = require('./xssGuard');
+const SecureUrlService = require('./secureUrlService');
+
+const _ = require('underscore');
+const logger = require('pino')();
+let navigationRepository = null;
+
+const createNavigationRepository = function () {
+    const isMongoDbConfigured =
+        process.env.NAVIGATION_INFO_MONGODB_URL &&
+        process.env.NAVIGATION_INFO_MONGODB_DB &&
+        process.env.NAVIGATION_INFO_MONGODB_COLLECTION;
+
+    if (isMongoDbConfigured) {
+        const NavigationMongoDbRepository = require('./navigationMongoDbRepository');
+        return new NavigationMongoDbRepository(
+            process.env.NAVIGATION_INFO_MONGODB_URL,
+            process.env.NAVIGATION_INFO_MONGODB_DB,
+            process.env.NAVIGATION_INFO_MONGODB_COLLECTION,
+            process.env.NAVIGATION_INFO_MONGODB_CERTIFICATE
+        );
+    } else {
+        logger.warn("MongoDB configuration is missing. Using in-memory repository.");
+        const NavigationMemoryRepository = require('./navigationMemoryRepository');
+        return new NavigationMemoryRepository();
+    }
+};
+
+try {
+    navigationRepository = createNavigationRepository();
+    async function gracefulShutdown() {
+        try {
+            if (navigationRepository && navigationRepository.close) {
+                await navigationRepository.close();
+                logger.info("Navigation repository connection closed.");
+            }
+        } catch (error) {
+            logger.error("Error during shutdown:", error);
+        } finally {
+            process.exit(0);
+        }
+    }
+    process.on('SIGINT', gracefulShutdown);
+} catch (error) {
+    logger.error("Error during startup:", error);
+    process.exit(1);
+}
+
+module.exports = new SecurityService(
+    new AuthorizationService(_, logger),
+    new SqlInjectionGuard(logger),
+    new XssGuard(logger), 
+    navigationRepository,
+    new SecureUrlService(logger),
+    logger
+);

package/blz-security/lab/index.js

@@ -0,0 +1,27 @@
+const { h3lp } = require('h3lp')
+const Yaml = require('js-yaml')
+const path = require('path')
+const AuthorizationService = require('../authorizationService')
+const _ = require('underscore')
+const logger = require('pino')()
+
+async function getAuthorizationService(configPath) {  
+  const authorizationService = new AuthorizationService(_,logger)
+  const content = await h3lp.fs.read(path.join(__dirname, configPath))
+  const list = await Yaml.loadAll(content)
+  const config = list[0]
+  authorizationService.importSecurityConfig(config)
+  return authorizationService
+}
+
+
+;(async () => {
+  
+  const authorizationService = await getAuthorizationService('../__test__/AuthorizationKpn.yaml')
+  console.log(authorizationService.defaultAuthorized('/payment-responsibles', null, ['Collections.ViewOnly']))
+  console.log(authorizationService.defaultAuthorized('/taskManagement/mainInboxes/', null, ['Collections.ViewOnly']))
+  console.log(authorizationService.defaultAuthorized('/colm/autopay', null, ['Collections.ViewOnly']))
+  console.log(authorizationService.defaultAuthorized('/colm/refundorders', null, ['Collections.ViewOnly']))
+  console.log(authorizationService.defaultAuthorized('/debtors', null, ['Collections.ViewOnly']))
+
+})()