@blazedpath/commons 0.2.2 → 0.3.1

package/blz-security/navigationMemoryRepository.js

@@ -1,15 +0,0 @@
-module.exports = class NavigationMemoryRepository {
-    constructor() {
-        this._navigation = [];
-    }
-
-    async push(navigation) {
-        this._navigation.push(navigation);
-    }
-    
-    async get () {
-        return structuredClone(this._navigation)
-    }
-
-}
-

package/blz-security/navigationMongoDbRepository.js

@@ -1,73 +0,0 @@
-const { MongoClient } = require("mongodb");
-const fs = require('fs');
-
-module.exports = class NavigationMongoDbRepository {
-    constructor(url, database, collectionName,certificate) {
-        if (certificate) {
-            const tempFile = '/tmp/mongo-cert.pem';
-            fs.writeFileSync(tempFile, certificate);
-            this.client = new MongoClient(url,{ tls: true,tlsCAFile: tempFile})
-        } else {
-            this.client = new MongoClient(url);
-        } 
-        this.database = database;
-        this.collectionName = collectionName;
-        this.connected = false;
-    }
-
-    async connect() {
-        if (!this.connected) {
-            try {
-                await this.client.connect();
-                this.db = this.client.db(this.database);
-                this.collection = this.db.collection(this.collectionName);
-                this.connected = true;
-                console.log("Navigation info Connected to MongoDB.");
-            } catch (error) {
-                console.error("Failed Navigation info to connect to MongoDB:", error);
-                throw error;
-            }
-        }
-    }
-
-    async close() {
-        if (this.connected) {
-            try {
-                await this.client.close();
-                this.connected = false;
-                console.log("Connection to MongoDB closed.");
-            } catch (error) {
-                console.error("Failed to close MongoDB connection:", error);
-                throw error;
-            }
-        }
-    }
-
-    async push(navigation) {
-        if (!this.connected) {
-            await this.connect();
-        }
-
-        try {
-            const result = await this.collection.insertOne(navigation);
-            return result.insertedId.toString();
-        } catch (error) {
-            console.error("Failed to insert navigation:", error);
-            throw error;
-        }
-    }
-
-    async get () {
-        if (!this.connected) {
-            await this.connect();
-        }
-
-        try {
-            const cursor = this.collection.find({});
-            return await cursor.toArray();
-        } catch (error) {
-            console.error("Failed to get navigation:", error);
-            throw error;
-        }
-    }
-};

package/blz-security/secureUrlService.js

@@ -1,47 +0,0 @@
-const { Exception, isBase64 } = require('./helpers/utils')
-const CryptoJS = require('crypto-js');
-
-module.exports = class SecureUrlService {
-    constructor(logger = console) {
-        this.logger = logger;
-    }
-
-    validate(url, token, _session_key, timeoutMs) {       
-        const path = decodeURIComponent(url.split('?')[0]); 
-        if (!token) {
-          this.logger.error(`Token parameter 'sut' is missing in the URL. path:${path}`)
-          throw new Exception("Token parameter 'sut' is missing in the URL.", 'SecureUrlError', 404);
-        }
-        const session_key = isBase64(_session_key)?atob(_session_key):_session_key    
-        const key = `${session_key}${btoa(path)}`;
-        const bytes = CryptoJS.AES.decrypt(decodeURIComponent(token), key);
-        const requestTimeStr = bytes.toString(CryptoJS.enc.Utf8);
-        if (!requestTimeStr) {
-          this.logger.error(`Token decryption failed or is invalid. token:${token} path:${path} session: ${session_key}`)
-          throw new Exception("Token decryption failed or is invalid.", 'SecureUrlError', 404);
-        }
-        let requestTime
-        try {
-          requestTime = parseInt(JSON.parse(requestTimeStr));          
-        } catch (e) {
-          this.logger.error(`Malformed token content. path:${path} error: ${e.message}`)
-          throw new Exception("Malformed token content.", 'SecureUrlError', 400);
-        }              
-        const now = Date.now();
-        const diff = Math.abs(now - requestTime);
-        const limit = parseInt(timeoutMs, 10);
-        const isValid = diff <= limit;        
-        if (!isValid) {
-          this.logger.error(`The token has expired. path:${path} requestTime:${requestTime} now: ${now} limit:${limit} diff:${diff}`)
-          throw new Exception("The token has expired.", 'SecureUrlError', 410);
-        }        
-    }
-
-    createToken(url, _session_key){
-      const path = url.split('?')[0];      
-      const session_key = isBase64(_session_key)?atob(_session_key):_session_key
-      const key = `${session_key}${btoa(decodeURIComponent(path))}`;
-      const token = CryptoJS.AES.encrypt((Date.now()).toString(), key).toString();
-      return encodeURIComponent(token);      
-    }
-}

package/blz-security/securityService.js

@@ -1,413 +0,0 @@
-const { Hapi } = require('./middleware/hapi')
-const { Oidc } = require('./implementations/oidc')
-const { HapiServerSimToken } = require('./middleware/HapiServerSimToken');
-const { HapiServerKeycloak } = require('./middleware/HapiServerKeycloak');
-const { HapiServerAzureAd } = require('./middleware/HapiServerAzureAd');
-const { RedisCache, LruCache } = require('./implementations/cache')
-const { Exception, getMappingValues } = require('./helpers/utils')
-const Jsonwebtoken = require('jsonwebtoken')
-const micromatch = require('micromatch');
-module.exports = class SecurityService {
-  constructor(authorizationService, sqlInjectionGuard, xssGuard, navigationRepository,secureUrlService, logger) {
-    this.authorizationService = authorizationService
-    this.sqlInjectionGuard = sqlInjectionGuard
-    this.xssGuard = xssGuard
-    this.navigationRepository = navigationRepository
-    this.secureUrlService = secureUrlService
-    this.logger = logger
-    this.cookiesName = null
-    this.blzConfig = null
-    this.oidc = null
-    this.hapi = null
-    this.config = null
-    this.middleware = null
-    this.protected = false
-    this.unProtected = []
-    this.useHapiServerFullStack = false;
-  }
-
-  async pushNavigation(navigation) {
-    if (this.navigationRepository) {
-      return this.navigationRepository.push(navigation)
-    } else {
-      return null;
-    }
-  }
-
-  async getNavigation() {
-    return this.navigationRepository ? this.navigationRepository.get() : {};
-  }
-
-  setBlzConfig(blzConfig) {
-    this.blzConfig = blzConfig
-  }
-
-  // Same signature as your current function
-  sanitizeSqlParams(params) {
-    return this.sqlInjectionGuard.validateParamList(params);
-  }
-
-  // New helper for full SQL validation
-  sanitizeSql(sql) {
-    return this.sqlInjectionGuard.validateRawSql(sql);
-  }
-
-  isExcludedFromSanitize(method, path) {
-    const raw = process.env.blz_securityExcludeSanitizePaths;
-  
-    if (!raw || !raw.trim()) {
-      // No rules defined — sanitize by default
-      return false;
-    }
-  
-    const rules = raw
-      .split(',')
-      .map(rule => rule.trim().toLowerCase())
-      .filter(Boolean);
-  
-    if (rules.length === 0) {
-      // All rules were empty or invalid
-      return false;
-    }
-  
-    return rules.some(rule => {
-      let [ruleMethod, rulePath] = rule.includes(':')
-        ? rule.split(':')
-        : [null, rule]; // if no method is specified, apply to all methods
-  
-      ruleMethod = ruleMethod?.toLowerCase();
-  
-      // Normalize rulePath to use compatible wildcards
-      const normalizedPattern = rulePath
-        .replace(/\*\*/g, '**')  // double wildcard
-        .replace(/\*/g, '*');    // single wildcard
-  
-      return (!ruleMethod || ruleMethod === method.toLowerCase()) &&
-             micromatch.isMatch(path.toLowerCase(), normalizedPattern);
-    });
-  }
-
-  validateObject(obj) {
-    return this.sqlInjectionGuard.validateObject(this.xssGuard.sanitizeObject(obj));
-  }
-
-  validateSqlObject(obj) {
-    return this.sqlInjectionGuard.validateObject(obj);
-  }
-
-  initializeCookiesNames() {
-    this.cookiesName = {
-      ACCESS_TOKEN: this.getCookieName('access_token'),
-      SID: this.getCookieName('sid'),
-      SESSION_STATE: this.getCookieName('session_state'),
-      SESSION: this.getCookieName('session')
-    }
-  }
-
-  getRoleProperty() {
-    const config = this.blzConfig.getConfig() || {}
-    if (config && config.authServer && config.authServer.roleProperty && config.authServer.roleProperty.trim() !== '') {
-      return config.authServer.roleProperty
-    }
-    return 'authorities'
-  }
-
-  getUseTonkenName() {
-    return this.config.authServer.useTokenType || 'access_token'
-  }
-
-  async getRoles(request) {
-    if (this.useHapiServerFullStack) {
-      const token = request.headers.authorization?.replace('Bearer ', ''); // From Authorization header
-      // Decode and verify the token
-      const decoded = Jsonwebtoken.decode(token);
-      const rolePropertyName = this.getRoleProperty()
-      return decoded[rolePropertyName] || []
-    } else {
-      const sessionState = this.getSessionState(request)
-      const tokenSet = await this.tokenSet()
-      const tokens = await tokenSet.tokens(sessionState)
-      const tokenName = this.getUseTonkenName()
-      const token = tokens[tokenName]
-      const decodeToken = Jsonwebtoken.decode(token)
-      const rolePropertyName = this.getRoleProperty()
-      return decodeToken[rolePropertyName] || []
-    }
-  }
-
-  getCookieName(cookieName = '') {
-    const config = this.blzConfig.getConfig() || {}
-    const prefix = (config.authServer && config.authServer.sessionCookiesPrefix) || ''
-    return prefix + cookieName
-  }
-
-  getCache(config) {
-    if (process.env.SECURITY_REDIS_CACHE) {
-      return new RedisCache(process.env.SECURITY_REDIS_CACHE)
-    } else if (config && config.securityCache) {
-      const cnx = config.connections[config.securityCache]
-      if (cnx && cnx.type === 'Redis') {
-        const connection = `redis://${cnx.user || ''}:${cnx.password}@${cnx.host
-          }:${cnx.port || '6379'}/${cnx.db || '0'}`
-        return new RedisCache(connection)
-      } else {
-        return new LruCache()
-      }
-    } else {
-      return new LruCache()
-    }
-  }
-
-  // This receives:
-  // middlehare: receives the hapiServer instance from the proxy
-  // config: the config options
-  async protect(middleware, config) {
-    if (!middleware) {
-      this.logger.error('The middleware context could not be analyzed')
-      throw new Exception(
-        'The middleware context could not be analyzed',
-        'MiddlewareError',
-        403
-      )
-    }
-    if (!config || (!config.callee && !config.authServer && !config.accessTokenSimulation)) {
-      this.logger.error('Authorization server configuration is mandatory')
-      throw new Exception(
-        'Authorization server configuration is mandatory',
-        'ConfigurationError',
-        403
-      )
-    }
-    this.config = config
-    this.middleware = middleware
-    const cache = this.getCache(this.config)
-
-    // Choose the hapi server version
-    if (this.config.accessTokenSimulation) {
-      this.oidc = new Oidc(cache, this.config);
-      this.openIdConnect = new Oidc(this.getCache(this.config), this.config);
-      this.hapiServer = new HapiServerSimToken(this.openIdConnect, this.cookiesName, cache);
-      await this.hapiServer.connect(this, this.middleware, this.config)
-    } else if (config.authServer.useHapiServerFullStack) {
-      // Use oauth0 with signing and authentication with an external oauth server
-      this.useHapiServerFullStack = true;
-      this.oidc = new Oidc(cache, this.config);
-      await this.protectExperimental(cache);
-      this.protected = true
-      return;
-    } else {
-      // legacy oauth0 authentication with local key signing
-      this.oidc = new Oidc(cache, this.config);
-      this.hapi = new Hapi(this.oidc, this.cookiesName);
-      this.protected = true
-      if (this.config.queryStringLimit) {
-        this.hapi.queryStringLimit = this.config.queryStringLimit
-      }
-      if (this.config.securityLoginTokenExpToleranceSeconds) {
-        this.hapi.securityLoginTokenExpToleranceSeconds = this.config.securityLoginTokenExpToleranceSeconds
-      }
-      await this.hapi.connect(this, this.middleware, this.config)
-      this.protected = true
-    }
-  }
-
-  async protectExperimental(cache) {
-    //this.openIdConnect = new OpenIdConnect(this.getCache(this.config), this.config);
-    if (this.config.authServer.provider !== "ad-azure") {
-      this.hapiServer = new HapiServerKeycloak(this.openIdConnect, this.cookiesName, cache);
-    } else {
-      this.hapiServer = new HapiServerAzureAd(this.openIdConnect, this.cookiesName, cache);
-    }
-    this.openIdConnect = null
-    // heck for options in the config
-    if (this.config.queryStringLimit) {
-      this.hapiServer.queryStringLimit = this.config.queryStringLimit
-    }
-    if (this.config.securityLoginTokenExpToleranceSeconds) {
-      this.hapiServer.securityLoginTokenExpToleranceSeconds = this.config.securityLoginTokenExpToleranceSeconds
-    }
-    await this.hapiServer.connect(this, this.middleware, this.config)
-  }
-
-  async tokenSet() {
-    if (!this.oidc) {
-      this.logger.error('authServer and accessTokenSimulation undefined')
-      throw new Error('authServer and accessTokenSimulation undefined')
-    }
-    return await this.oidc.tokenSet()
-  }
-
-  async getUseToken(sessionState, request) {
-    if (this.useHapiServerFullStack) {
-      return this.extractTokenhNoDecode(request, this.config.authServer.PublicKey)
-    } else if (this.config.accessTokenSimulation) { } else {
-      return this.oidc.getUseToken(sessionState);
-    }
-  }
-
-  getSessionState(request) {
-    const sessionState = request.state[this.cookiesName.SESSION_STATE]
-    const session = request.state[this.cookiesName.SESSION]
-    if (sessionState) {
-      return sessionState;
-    } else if (session) {
-      return session.id;
-    } else {
-      this.logger.error("getSessionState: Session cookie doesn't exist.")
-      throw new Exception("getSessionState: Session cookie doesn't exist.", 'CookiesError', 404)
-    }
-  }
-
-  getSecureUrlSessionKey(request) {
-    const session = request.state[this.blzConfig.getConfig()?.parameters?.SecureUrlCookieKey]
-    if (session) {
-      return session;
-    } else {
-      this.logger.error("getSecureUrlSessionKey: Session cookie doesn't exist.")
-      throw new Exception("getSecureUrlSessionKey: Session cookie doesn't exist.", 'CookiesError', 404)
-    }
-  }
-
-  enableSecureUrl() {
-    const key = this.blzConfig.getConfig()?.parameters?.SecureUrlCookieKey;
-    return !!key && key !== 'none';
-  }
-
-  getSecureUrlCookieKey() {
-    if (this.enableSecureUrl()) {
-      return this.blzConfig.getConfig()?.parameters?.SecureUrlCookieKey;
-    }
-    return undefined;
-  }
-
-  validateSecureRequest(request) {
-    if (!request) return;
-    if (!this.enableSecureUrl()) {
-      return
-    }
-    let _session_key = this.getSecureUrlSessionKey(request);
-    const params = new URLSearchParams(request.query);
-    const token = params.get('sut');
-    const timeoutMs = this.blzConfig.getConfig()?.parameters?.SecureUrlTimeoutMs || 15000;
-    this.secureUrlService.validate(request.path,token,_session_key,timeoutMs)
-  }
-
-  async getUserInfo(request) {
-    let sourceData = null
-    let userInfo = {}
-    if (this.useHapiServerFullStack) {
-      sourceData = await this.extractAndDecodeToken(request, this.config.authServer.PublicKey)
-      return sourceData;
-    } else {
-      const sessionState = this.getSessionState(request)
-      const tokenSet = await this.tokenSet()
-      if (this.config.parameters && this.config.parameters.UserInfoSource) {
-        const strToken = await tokenSet.tokens(sessionState)
-        sourceData = Jsonwebtoken.decode(strToken[this.config.parameters.UserInfoSource])
-      } else {
-        userInfo = await tokenSet.userInfo(sessionState)
-        sourceData = userInfo
-      }
-    }
-
-    // Solve mapping form UserInfoMapping parameter
-    if (this.config.parameters && this.config.parameters.UserInfoMapping) {
-      const mappings = JSON.parse(this.config.parameters.UserInfoMapping)
-      const values = getMappingValues(sourceData, mappings)
-      return { ...userInfo, ...values }
-    }
-    return userInfo
-  }
-  async extractAndDecodeToken(request, secretOrPublicKey) {
-    const authorization = request.headers.authorization;
-
-    if (!authorization) {
-      this.logger.error('Authorization header is missing')
-      throw new Error('Authorization header is missing');
-    }
-    const [scheme, token] = authorization.split(' ');
-
-    if ((scheme !== 'Bearer' && scheme !== 'bearer') || !token) {
-      this.logger.error('Authorization header must be in the format: Bearer <token>')
-      throw new Error('Authorization header must be in the format: Bearer <token>');
-    }
-    if (this.hapiServer.authServerConfig.authServer.provider !== "ad-azure") {
-      const { artifacts } = request.auth;
-      secretOrPublicKey = await this.hapiServer.publicKeyFetch(artifacts);
-    }
-
-    try {
-      // Decode and verify the JWT token
-      //const decoded = Jsonwebtoken.decode(token, secretOrPublicKey);
-      const decoded = Jsonwebtoken.decode(token);
-      return decoded;
-    } catch (err) {
-      this.logger.error(`Failed to decode token: ${err.message}`)
-      throw new Error(`Failed to decode token: ${err.message}`);
-    }
-  }
-  async extractTokenhNoDecode(request) {
-    const authorization = request.headers.authorization;
-
-    if (!authorization) {
-      this.logger.error('Authorization header is missing')
-      throw new Error('Authorization header is missing');
-    }
-    const [scheme, rawToken] = authorization.split(' ');
-
-    if ((scheme !== 'Bearer' && scheme !== 'bearer') || !rawToken) {
-      this.logger.error('Authorization header must be in the format: Bearer <token>')
-      throw new Error('Authorization header must be in the format: Bearer <token>');
-    }
-    return rawToken
-  }
-
-  importSecurityConfig(config) {
-    this.authorizationService.importSecurityConfig(config)
-  }
-
-  async getFrontendSecurityRules(request) {
-    if (!this.protected) {
-      this.logger.error('Cannot get the security rules if the application is not using JWt.')
-      throw new Exception('Cannot get the security rules if the application is not using JWt.', 'SecurityRulesError', 500)
-    }
-    const domains = request.headers.domains ? request.headers.domains.split(',') : []
-    const roles = await this.getRoles(request)
-    const securityRules = this.authorizationService.getFrontendSecurityRules(roles, domains)
-    return securityRules
-  }
-
-  async getPermissions() {
-    return this.authorizationService.getPermissions()
-  }
-
-  async authorized(request) {
-    if (!this.protected) {
-      return true
-    }
-    let roles = null;
-    if (this.useHapiServerFullStack) {
-      // Token decoded
-      const userInfo = await this.getUserInfo(request);
-      roles = userInfo[this.getRoleProperty()]
-    } else {
-      roles = await this.getRoles(request)
-    }
-    const result = this.authorizationService.authorized(request.path, request.method, roles)
-    if (result !== null && result !== undefined) {
-      return result
-    }
-    if (this.config.activateTraceApiMethod && !this.unProtected.some((item) => item.path === request.path && item.method === request.method)) {
-      this.unProtected.push({ path: request.path, method: request.method })
-    }
-    return true
-  }
-
-  logUnProtected() {
-    this.logger.info('unprotected: ' + JSON.stringify(this.unProtected))
-  }
-
-  async checkAuthorize (path, action, roles, domains) {
-    return this.authorizationService.checkAuthorize(path, action, roles, domains)
-  }
-}