@blazedpath/commons 0.3.1 → 0.4.0

package/blz-security/navigationMemoryRepository.js

@@ -0,0 +1,15 @@
+module.exports = class NavigationMemoryRepository {
+    constructor() {
+        this._navigation = [];
+    }
+
+    async push(navigation) {
+        this._navigation.push(navigation);
+    }
+    
+    async get () {
+        return structuredClone(this._navigation)
+    }
+
+}
+

package/blz-security/navigationMongoDbRepository.js

@@ -0,0 +1,73 @@
+const { MongoClient } = require("mongodb");
+const fs = require('fs');
+
+module.exports = class NavigationMongoDbRepository {
+    constructor(url, database, collectionName,certificate) {
+        if (certificate) {
+            const tempFile = '/tmp/mongo-cert.pem';
+            fs.writeFileSync(tempFile, certificate);
+            this.client = new MongoClient(url,{ tls: true,tlsCAFile: tempFile})
+        } else {
+            this.client = new MongoClient(url);
+        } 
+        this.database = database;
+        this.collectionName = collectionName;
+        this.connected = false;
+    }
+
+    async connect() {
+        if (!this.connected) {
+            try {
+                await this.client.connect();
+                this.db = this.client.db(this.database);
+                this.collection = this.db.collection(this.collectionName);
+                this.connected = true;
+                console.log("Navigation info Connected to MongoDB.");
+            } catch (error) {
+                console.error("Failed Navigation info to connect to MongoDB:", error);
+                throw error;
+            }
+        }
+    }
+
+    async close() {
+        if (this.connected) {
+            try {
+                await this.client.close();
+                this.connected = false;
+                console.log("Connection to MongoDB closed.");
+            } catch (error) {
+                console.error("Failed to close MongoDB connection:", error);
+                throw error;
+            }
+        }
+    }
+
+    async push(navigation) {
+        if (!this.connected) {
+            await this.connect();
+        }
+
+        try {
+            const result = await this.collection.insertOne(navigation);
+            return result.insertedId.toString();
+        } catch (error) {
+            console.error("Failed to insert navigation:", error);
+            throw error;
+        }
+    }
+
+    async get () {
+        if (!this.connected) {
+            await this.connect();
+        }
+
+        try {
+            const cursor = this.collection.find({});
+            return await cursor.toArray();
+        } catch (error) {
+            console.error("Failed to get navigation:", error);
+            throw error;
+        }
+    }
+};

package/blz-security/secureUrlService.js

@@ -0,0 +1,47 @@
+const { Exception, isBase64 } = require('./helpers/utils')
+const CryptoJS = require('crypto-js');
+
+module.exports = class SecureUrlService {
+    constructor(logger = console) {
+        this.logger = logger;
+    }
+
+    validate(url, token, _session_key, timeoutMs) {       
+        const path = decodeURIComponent(url.split('?')[0]); 
+        if (!token) {
+          this.logger.error(`Token parameter 'sut' is missing in the URL. path:${path}`)
+          throw new Exception("Token parameter 'sut' is missing in the URL.", 'SecureUrlError', 404);
+        }
+        const session_key = isBase64(_session_key)?atob(_session_key):_session_key    
+        const key = `${session_key}${btoa(path)}`;
+        const bytes = CryptoJS.AES.decrypt(decodeURIComponent(token), key);
+        const requestTimeStr = bytes.toString(CryptoJS.enc.Utf8);
+        if (!requestTimeStr) {
+          this.logger.error(`Token decryption failed or is invalid. token:${token} path:${path} session: ${session_key}`)
+          throw new Exception("Token decryption failed or is invalid.", 'SecureUrlError', 404);
+        }
+        let requestTime
+        try {
+          requestTime = parseInt(JSON.parse(requestTimeStr));          
+        } catch (e) {
+          this.logger.error(`Malformed token content. path:${path} error: ${e.message}`)
+          throw new Exception("Malformed token content.", 'SecureUrlError', 400);
+        }              
+        const now = Date.now();
+        const diff = Math.abs(now - requestTime);
+        const limit = parseInt(timeoutMs, 10);
+        const isValid = diff <= limit;        
+        if (!isValid) {
+          this.logger.error(`The token has expired. path:${path} requestTime:${requestTime} now: ${now} limit:${limit} diff:${diff}`)
+          throw new Exception("The token has expired.", 'SecureUrlError', 410);
+        }        
+    }
+
+    createToken(url, _session_key){
+      const path = url.split('?')[0];      
+      const session_key = isBase64(_session_key)?atob(_session_key):_session_key
+      const key = `${session_key}${btoa(decodeURIComponent(path))}`;
+      const token = CryptoJS.AES.encrypt((Date.now()).toString(), key).toString();
+      return encodeURIComponent(token);      
+    }
+}

package/blz-security/securityService.js

@@ -0,0 +1,413 @@
+const { Hapi } = require('./middleware/hapi')
+const { Oidc } = require('./implementations/oidc')
+const { HapiServerSimToken } = require('./middleware/HapiServerSimToken');
+const { HapiServerKeycloak } = require('./middleware/HapiServerKeycloak');
+const { HapiServerAzureAd } = require('./middleware/HapiServerAzureAd');
+const { RedisCache, LruCache } = require('./implementations/cache')
+const { Exception, getMappingValues } = require('./helpers/utils')
+const Jsonwebtoken = require('jsonwebtoken')
+const micromatch = require('micromatch');
+module.exports = class SecurityService {
+  constructor(authorizationService, sqlInjectionGuard, xssGuard, navigationRepository,secureUrlService, logger) {
+    this.authorizationService = authorizationService
+    this.sqlInjectionGuard = sqlInjectionGuard
+    this.xssGuard = xssGuard
+    this.navigationRepository = navigationRepository
+    this.secureUrlService = secureUrlService
+    this.logger = logger
+    this.cookiesName = null
+    this.blzConfig = null
+    this.oidc = null
+    this.hapi = null
+    this.config = null
+    this.middleware = null
+    this.protected = false
+    this.unProtected = []
+    this.useHapiServerFullStack = false;
+  }
+
+  async pushNavigation(navigation) {
+    if (this.navigationRepository) {
+      return this.navigationRepository.push(navigation)
+    } else {
+      return null;
+    }
+  }
+
+  async getNavigation() {
+    return this.navigationRepository ? this.navigationRepository.get() : {};
+  }
+
+  setBlzConfig(blzConfig) {
+    this.blzConfig = blzConfig
+  }
+
+  // Same signature as your current function
+  sanitizeSqlParams(params) {
+    return this.sqlInjectionGuard.validateParamList(params);
+  }
+
+  // New helper for full SQL validation
+  sanitizeSql(sql) {
+    return this.sqlInjectionGuard.validateRawSql(sql);
+  }
+
+  isExcludedFromSanitize(method, path) {
+    const raw = process.env.blz_securityExcludeSanitizePaths;
+  
+    if (!raw || !raw.trim()) {
+      // No rules defined — sanitize by default
+      return false;
+    }
+  
+    const rules = raw
+      .split(',')
+      .map(rule => rule.trim().toLowerCase())
+      .filter(Boolean);
+  
+    if (rules.length === 0) {
+      // All rules were empty or invalid
+      return false;
+    }
+  
+    return rules.some(rule => {
+      let [ruleMethod, rulePath] = rule.includes(':')
+        ? rule.split(':')
+        : [null, rule]; // if no method is specified, apply to all methods
+  
+      ruleMethod = ruleMethod?.toLowerCase();
+  
+      // Normalize rulePath to use compatible wildcards
+      const normalizedPattern = rulePath
+        .replace(/\*\*/g, '**')  // double wildcard
+        .replace(/\*/g, '*');    // single wildcard
+  
+      return (!ruleMethod || ruleMethod === method.toLowerCase()) &&
+             micromatch.isMatch(path.toLowerCase(), normalizedPattern);
+    });
+  }
+
+  validateObject(obj) {
+    return this.sqlInjectionGuard.validateObject(this.xssGuard.sanitizeObject(obj));
+  }
+
+  validateSqlObject(obj) {
+    return this.sqlInjectionGuard.validateObject(obj);
+  }
+
+  initializeCookiesNames() {
+    this.cookiesName = {
+      ACCESS_TOKEN: this.getCookieName('access_token'),
+      SID: this.getCookieName('sid'),
+      SESSION_STATE: this.getCookieName('session_state'),
+      SESSION: this.getCookieName('session')
+    }
+  }
+
+  getRoleProperty() {
+    const config = this.blzConfig.getConfig() || {}
+    if (config && config.authServer && config.authServer.roleProperty && config.authServer.roleProperty.trim() !== '') {
+      return config.authServer.roleProperty
+    }
+    return 'authorities'
+  }
+
+  getUseTonkenName() {
+    return this.config.authServer.useTokenType || 'access_token'
+  }
+
+  async getRoles(request) {
+    if (this.useHapiServerFullStack) {
+      const token = request.headers.authorization?.replace('Bearer ', ''); // From Authorization header
+      // Decode and verify the token
+      const decoded = Jsonwebtoken.decode(token);
+      const rolePropertyName = this.getRoleProperty()
+      return decoded[rolePropertyName] || []
+    } else {
+      const sessionState = this.getSessionState(request)
+      const tokenSet = await this.tokenSet()
+      const tokens = await tokenSet.tokens(sessionState)
+      const tokenName = this.getUseTonkenName()
+      const token = tokens[tokenName]
+      const decodeToken = Jsonwebtoken.decode(token)
+      const rolePropertyName = this.getRoleProperty()
+      return decodeToken[rolePropertyName] || []
+    }
+  }
+
+  getCookieName(cookieName = '') {
+    const config = this.blzConfig.getConfig() || {}
+    const prefix = (config.authServer && config.authServer.sessionCookiesPrefix) || ''
+    return prefix + cookieName
+  }
+
+  getCache(config) {
+    if (process.env.SECURITY_REDIS_CACHE) {
+      return new RedisCache(process.env.SECURITY_REDIS_CACHE)
+    } else if (config && config.securityCache) {
+      const cnx = config.connections[config.securityCache]
+      if (cnx && cnx.type === 'Redis') {
+        const connection = `redis://${cnx.user || ''}:${cnx.password}@${cnx.host
+          }:${cnx.port || '6379'}/${cnx.db || '0'}`
+        return new RedisCache(connection)
+      } else {
+        return new LruCache()
+      }
+    } else {
+      return new LruCache()
+    }
+  }
+
+  // This receives:
+  // middlehare: receives the hapiServer instance from the proxy
+  // config: the config options
+  async protect(middleware, config) {
+    if (!middleware) {
+      this.logger.error('The middleware context could not be analyzed')
+      throw new Exception(
+        'The middleware context could not be analyzed',
+        'MiddlewareError',
+        403
+      )
+    }
+    if (!config || (!config.callee && !config.authServer && !config.accessTokenSimulation)) {
+      this.logger.error('Authorization server configuration is mandatory')
+      throw new Exception(
+        'Authorization server configuration is mandatory',
+        'ConfigurationError',
+        403
+      )
+    }
+    this.config = config
+    this.middleware = middleware
+    const cache = this.getCache(this.config)
+
+    // Choose the hapi server version
+    if (this.config.accessTokenSimulation) {
+      this.oidc = new Oidc(cache, this.config);
+      this.openIdConnect = new Oidc(this.getCache(this.config), this.config);
+      this.hapiServer = new HapiServerSimToken(this.openIdConnect, this.cookiesName, cache);
+      await this.hapiServer.connect(this, this.middleware, this.config)
+    } else if (config.authServer.useHapiServerFullStack) {
+      // Use oauth0 with signing and authentication with an external oauth server
+      this.useHapiServerFullStack = true;
+      this.oidc = new Oidc(cache, this.config);
+      await this.protectExperimental(cache);
+      this.protected = true
+      return;
+    } else {
+      // legacy oauth0 authentication with local key signing
+      this.oidc = new Oidc(cache, this.config);
+      this.hapi = new Hapi(this.oidc, this.cookiesName);
+      this.protected = true
+      if (this.config.queryStringLimit) {
+        this.hapi.queryStringLimit = this.config.queryStringLimit
+      }
+      if (this.config.securityLoginTokenExpToleranceSeconds) {
+        this.hapi.securityLoginTokenExpToleranceSeconds = this.config.securityLoginTokenExpToleranceSeconds
+      }
+      await this.hapi.connect(this, this.middleware, this.config)
+      this.protected = true
+    }
+  }
+
+  async protectExperimental(cache) {
+    //this.openIdConnect = new OpenIdConnect(this.getCache(this.config), this.config);
+    if (this.config.authServer.provider !== "ad-azure") {
+      this.hapiServer = new HapiServerKeycloak(this.openIdConnect, this.cookiesName, cache);
+    } else {
+      this.hapiServer = new HapiServerAzureAd(this.openIdConnect, this.cookiesName, cache);
+    }
+    this.openIdConnect = null
+    // heck for options in the config
+    if (this.config.queryStringLimit) {
+      this.hapiServer.queryStringLimit = this.config.queryStringLimit
+    }
+    if (this.config.securityLoginTokenExpToleranceSeconds) {
+      this.hapiServer.securityLoginTokenExpToleranceSeconds = this.config.securityLoginTokenExpToleranceSeconds
+    }
+    await this.hapiServer.connect(this, this.middleware, this.config)
+  }
+
+  async tokenSet() {
+    if (!this.oidc) {
+      this.logger.error('authServer and accessTokenSimulation undefined')
+      throw new Error('authServer and accessTokenSimulation undefined')
+    }
+    return await this.oidc.tokenSet()
+  }
+
+  async getUseToken(sessionState, request) {
+    if (this.useHapiServerFullStack) {
+      return this.extractTokenhNoDecode(request, this.config.authServer.PublicKey)
+    } else if (this.config.accessTokenSimulation) { } else {
+      return this.oidc.getUseToken(sessionState);
+    }
+  }
+
+  getSessionState(request) {
+    const sessionState = request.state[this.cookiesName.SESSION_STATE]
+    const session = request.state[this.cookiesName.SESSION]
+    if (sessionState) {
+      return sessionState;
+    } else if (session) {
+      return session.id;
+    } else {
+      this.logger.error("getSessionState: Session cookie doesn't exist.")
+      throw new Exception("getSessionState: Session cookie doesn't exist.", 'CookiesError', 404)
+    }
+  }
+
+  getSecureUrlSessionKey(request) {
+    const session = request.state[this.blzConfig.getConfig()?.parameters?.SecureUrlCookieKey]
+    if (session) {
+      return session;
+    } else {
+      this.logger.error("getSecureUrlSessionKey: Session cookie doesn't exist.")
+      throw new Exception("getSecureUrlSessionKey: Session cookie doesn't exist.", 'CookiesError', 404)
+    }
+  }
+
+  enableSecureUrl() {
+    const key = this.blzConfig.getConfig()?.parameters?.SecureUrlCookieKey;
+    return !!key && key !== 'none';
+  }
+
+  getSecureUrlCookieKey() {
+    if (this.enableSecureUrl()) {
+      return this.blzConfig.getConfig()?.parameters?.SecureUrlCookieKey;
+    }
+    return undefined;
+  }
+
+  validateSecureRequest(request) {
+    if (!request) return;
+    if (!this.enableSecureUrl()) {
+      return
+    }
+    let _session_key = this.getSecureUrlSessionKey(request);
+    const params = new URLSearchParams(request.query);
+    const token = params.get('sut');
+    const timeoutMs = this.blzConfig.getConfig()?.parameters?.SecureUrlTimeoutMs || 15000;
+    this.secureUrlService.validate(request.path,token,_session_key,timeoutMs)
+  }
+
+  async getUserInfo(request) {
+    let sourceData = null
+    let userInfo = {}
+    if (this.useHapiServerFullStack) {
+      sourceData = await this.extractAndDecodeToken(request, this.config.authServer.PublicKey)
+      return sourceData;
+    } else {
+      const sessionState = this.getSessionState(request)
+      const tokenSet = await this.tokenSet()
+      if (this.config.parameters && this.config.parameters.UserInfoSource) {
+        const strToken = await tokenSet.tokens(sessionState)
+        sourceData = Jsonwebtoken.decode(strToken[this.config.parameters.UserInfoSource])
+      } else {
+        userInfo = await tokenSet.userInfo(sessionState)
+        sourceData = userInfo
+      }
+    }
+
+    // Solve mapping form UserInfoMapping parameter
+    if (this.config.parameters && this.config.parameters.UserInfoMapping) {
+      const mappings = JSON.parse(this.config.parameters.UserInfoMapping)
+      const values = getMappingValues(sourceData, mappings)
+      return { ...userInfo, ...values }
+    }
+    return userInfo
+  }
+  async extractAndDecodeToken(request, secretOrPublicKey) {
+    const authorization = request.headers.authorization;
+
+    if (!authorization) {
+      this.logger.error('Authorization header is missing')
+      throw new Error('Authorization header is missing');
+    }
+    const [scheme, token] = authorization.split(' ');
+
+    if ((scheme !== 'Bearer' && scheme !== 'bearer') || !token) {
+      this.logger.error('Authorization header must be in the format: Bearer <token>')
+      throw new Error('Authorization header must be in the format: Bearer <token>');
+    }
+    if (this.hapiServer.authServerConfig.authServer.provider !== "ad-azure") {
+      const { artifacts } = request.auth;
+      secretOrPublicKey = await this.hapiServer.publicKeyFetch(artifacts);
+    }
+
+    try {
+      // Decode and verify the JWT token
+      //const decoded = Jsonwebtoken.decode(token, secretOrPublicKey);
+      const decoded = Jsonwebtoken.decode(token);
+      return decoded;
+    } catch (err) {
+      this.logger.error(`Failed to decode token: ${err.message}`)
+      throw new Error(`Failed to decode token: ${err.message}`);
+    }
+  }
+  async extractTokenhNoDecode(request) {
+    const authorization = request.headers.authorization;
+
+    if (!authorization) {
+      this.logger.error('Authorization header is missing')
+      throw new Error('Authorization header is missing');
+    }
+    const [scheme, rawToken] = authorization.split(' ');
+
+    if ((scheme !== 'Bearer' && scheme !== 'bearer') || !rawToken) {
+      this.logger.error('Authorization header must be in the format: Bearer <token>')
+      throw new Error('Authorization header must be in the format: Bearer <token>');
+    }
+    return rawToken
+  }
+
+  importSecurityConfig(config) {
+    this.authorizationService.importSecurityConfig(config)
+  }
+
+  async getFrontendSecurityRules(request) {
+    if (!this.protected) {
+      this.logger.error('Cannot get the security rules if the application is not using JWt.')
+      throw new Exception('Cannot get the security rules if the application is not using JWt.', 'SecurityRulesError', 500)
+    }
+    const domains = request.headers.domains ? request.headers.domains.split(',') : []
+    const roles = await this.getRoles(request)
+    const securityRules = this.authorizationService.getFrontendSecurityRules(roles, domains)
+    return securityRules
+  }
+
+  async getPermissions() {
+    return this.authorizationService.getPermissions()
+  }
+
+  async authorized(request) {
+    if (!this.protected) {
+      return true
+    }
+    let roles = null;
+    if (this.useHapiServerFullStack) {
+      // Token decoded
+      const userInfo = await this.getUserInfo(request);
+      roles = userInfo[this.getRoleProperty()]
+    } else {
+      roles = await this.getRoles(request)
+    }
+    const result = this.authorizationService.authorized(request.path, request.method, roles)
+    if (result !== null && result !== undefined) {
+      return result
+    }
+    if (this.config.activateTraceApiMethod && !this.unProtected.some((item) => item.path === request.path && item.method === request.method)) {
+      this.unProtected.push({ path: request.path, method: request.method })
+    }
+    return true
+  }
+
+  logUnProtected() {
+    this.logger.info('unprotected: ' + JSON.stringify(this.unProtected))
+  }
+
+  async checkAuthorize (path, action, roles, domains) {
+    return this.authorizationService.checkAuthorize(path, action, roles, domains)
+  }
+}