@digilogiclabs/platform-core 1.5.1 → 1.7.0

package/dist/auth.js

@@ -20,6 +20,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/auth/index.ts
 var auth_exports = {};
 __export(auth_exports, {
+  ApiError: () => ApiError,
+  ApiErrorCode: () => ApiErrorCode,
+  CommonApiErrors: () => CommonApiErrors,
   CommonRateLimits: () => CommonRateLimits,
   DateRangeSchema: () => DateRangeSchema,
   EmailSchema: () => EmailSchema,
@@ -39,34 +42,57 @@ __export(auth_exports, {
   buildAuthCookies: () => buildAuthCookies,
   buildErrorBody: () => buildErrorBody,
   buildKeycloakCallbacks: () => buildKeycloakCallbacks,
+  buildPagination: () => buildPagination,
   buildRateLimitHeaders: () => buildRateLimitHeaders,
   buildRateLimitResponseHeaders: () => buildRateLimitResponseHeaders,
   buildRedirectCallback: () => buildRedirectCallback,
   buildTokenRefreshParams: () => buildTokenRefreshParams,
+  checkEnvVars: () => checkEnvVars,
   checkRateLimit: () => checkRateLimit,
+  classifyError: () => classifyError,
+  constantTimeEqual: () => constantTimeEqual,
+  containsHtml: () => containsHtml,
+  containsUrls: () => containsUrls,
   createAuditActor: () => createAuditActor,
   createAuditLogger: () => createAuditLogger,
   createFeatureFlags: () => createFeatureFlags,
   createMemoryRateLimitStore: () => createMemoryRateLimitStore,
+  createRedisRateLimitStore: () => createRedisRateLimitStore,
   createSafeTextSchema: () => createSafeTextSchema,
   detectStage: () => detectStage,
+  enforceRateLimit: () => enforceRateLimit,
+  errorResponse: () => errorResponse,
+  escapeHtml: () => escapeHtml,
   extractAuditIp: () => extractAuditIp,
   extractAuditRequestId: () => extractAuditRequestId,
   extractAuditUserAgent: () => extractAuditUserAgent,
+  extractBearerToken: () => extractBearerToken,
   extractClientIp: () => extractClientIp,
+  getBoolEnv: () => getBoolEnv,
+  getCorrelationId: () => getCorrelationId,
   getEndSessionEndpoint: () => getEndSessionEndpoint,
+  getEnvSummary: () => getEnvSummary,
+  getIntEnv: () => getIntEnv,
+  getOptionalEnv: () => getOptionalEnv,
   getRateLimitStatus: () => getRateLimitStatus,
+  getRequiredEnv: () => getRequiredEnv,
   getTokenEndpoint: () => getTokenEndpoint,
   hasAllRoles: () => hasAllRoles,
   hasAnyRole: () => hasAnyRole,
   hasRole: () => hasRole,
   isAllowlisted: () => isAllowlisted,
+  isApiError: () => isApiError,
   isTokenExpired: () => isTokenExpired,
+  isValidBearerToken: () => isValidBearerToken,
   parseKeycloakRoles: () => parseKeycloakRoles,
   refreshKeycloakToken: () => refreshKeycloakToken,
   resetRateLimitForKey: () => resetRateLimitForKey,
   resolveIdentifier: () => resolveIdentifier,
-  resolveRateLimitIdentifier: () => resolveRateLimitIdentifier
+  resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
+  sanitizeApiError: () => sanitizeApiError,
+  stripHtml: () => stripHtml,
+  validateEnvVars: () => validateEnvVars,
+  zodErrorResponse: () => zodErrorResponse
 });
 module.exports = __toCommonJS(auth_exports);
 
@@ -239,6 +265,7 @@ function buildKeycloakCallbacks(config) {
      *
      * Compatible with Auth.js v5 JWT callback signature.
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async jwt({
       token,
       user,
@@ -289,10 +316,8 @@ function buildKeycloakCallbacks(config) {
      *
      * Compatible with Auth.js v5 session callback signature.
      */
-    async session({
-      session,
-      token
-    }) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    async session({ session, token }) {
       const user = session.user;
       if (user) {
         user.id = token.id || token.sub;
@@ -416,9 +441,53 @@ var WrapperPresets = {
 var import_zod = require("zod");
 
 // src/security.ts
+var import_crypto = require("crypto");
 var URL_PROTOCOL_PATTERN = /(https?:\/\/|ftp:\/\/|www\.)\S+/i;
 var URL_DOMAIN_PATTERN = /\b[\w.-]+\.(com|net|org|io|co|dev|app|xyz|info|biz|me|us|uk|edu|gov)\b/i;
 var HTML_TAG_PATTERN = /<[^>]*>/;
+function escapeHtml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+function containsUrls(str) {
+  return URL_PROTOCOL_PATTERN.test(str) || URL_DOMAIN_PATTERN.test(str);
+}
+function containsHtml(str) {
+  return HTML_TAG_PATTERN.test(str);
+}
+function stripHtml(str) {
+  return str.replace(/<[^>]*>/g, "");
+}
+function constantTimeEqual(a, b) {
+  try {
+    const aBuf = Buffer.from(a, "utf-8");
+    const bBuf = Buffer.from(b, "utf-8");
+    if (aBuf.length !== bBuf.length) return false;
+    return (0, import_crypto.timingSafeEqual)(aBuf, bBuf);
+  } catch {
+    return false;
+  }
+}
+function sanitizeApiError(error, statusCode, isDevelopment = false) {
+  if (statusCode >= 400 && statusCode < 500) {
+    const message = error instanceof Error ? error.message : String(error || "Bad request");
+    return { message };
+  }
+  const result = {
+    message: "An internal error occurred. Please try again later.",
+    code: "INTERNAL_ERROR"
+  };
+  if (isDevelopment && error instanceof Error) {
+    result.stack = error.stack;
+  }
+  return result;
+}
+function getCorrelationId(headers) {
+  const get = typeof headers === "function" ? headers : (name) => {
+    const val = headers[name] ?? headers[name.toLowerCase()];
+    return Array.isArray(val) ? val[0] : val;
+  };
+  return get("x-request-id") || get("X-Request-ID") || get("x-correlation-id") || get("X-Correlation-ID") || crypto.randomUUID();
+}
 
 // src/auth/schemas.ts
 var EmailSchema = import_zod.z.string().trim().toLowerCase().email("Invalid email address");
@@ -762,6 +831,44 @@ function resolveIdentifier(session, clientIp) {
   return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
 }
 
+// src/auth/rate-limit-store-redis.ts
+function createRedisRateLimitStore(redis, options = {}) {
+  const prefix = options.keyPrefix ?? "";
+  return {
+    async increment(key, windowMs, now) {
+      const fullKey = `${prefix}${key}`;
+      const windowStart = now - windowMs;
+      const windowSeconds = Math.ceil(windowMs / 1e3) + 60;
+      await redis.zremrangebyscore(fullKey, 0, windowStart);
+      const current = await redis.zcard(fullKey);
+      const member = `${now}:${Math.random().toString(36).slice(2, 10)}`;
+      await redis.zadd(fullKey, now, member);
+      await redis.expire(fullKey, windowSeconds);
+      return { count: current + 1 };
+    },
+    async isBlocked(key) {
+      const fullKey = `${prefix}${key}`;
+      const value = await redis.get(fullKey);
+      if (!value) {
+        return { blocked: false, ttlMs: 0 };
+      }
+      const ttlSeconds = await redis.ttl(fullKey);
+      if (ttlSeconds <= 0) {
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: ttlSeconds * 1e3 };
+    },
+    async setBlock(key, durationSeconds) {
+      const fullKey = `${prefix}${key}`;
+      await redis.setex(fullKey, durationSeconds, "1");
+    },
+    async reset(key) {
+      const fullKey = `${prefix}${key}`;
+      await redis.del(fullKey);
+    }
+  };
+}
+
 // src/auth/audit.ts
 var StandardAuditActions = {
   // Authentication
@@ -920,8 +1027,278 @@ function createAuditLogger(options = {}) {
   }
   return { log, createTimedAudit };
 }
+
+// src/api.ts
+var ApiErrorCode = {
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  FORBIDDEN: "FORBIDDEN",
+  NOT_FOUND: "NOT_FOUND",
+  CONFLICT: "CONFLICT",
+  RATE_LIMIT_EXCEEDED: "RATE_LIMIT_EXCEEDED",
+  INTERNAL_ERROR: "INTERNAL_ERROR",
+  DATABASE_ERROR: "DATABASE_ERROR",
+  EXTERNAL_SERVICE_ERROR: "EXTERNAL_SERVICE_ERROR",
+  CONFIGURATION_ERROR: "CONFIGURATION_ERROR"
+};
+var ApiError = class extends Error {
+  statusCode;
+  code;
+  details;
+  constructor(statusCode, message, code = ApiErrorCode.INTERNAL_ERROR, details) {
+    super(message);
+    this.name = "ApiError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+  }
+};
+function isApiError(error) {
+  return error instanceof ApiError;
+}
+var CommonApiErrors = {
+  unauthorized: (msg = "Unauthorized") => new ApiError(401, msg, ApiErrorCode.UNAUTHORIZED),
+  forbidden: (msg = "Forbidden") => new ApiError(403, msg, ApiErrorCode.FORBIDDEN),
+  notFound: (resource = "Resource") => new ApiError(404, `${resource} not found`, ApiErrorCode.NOT_FOUND),
+  conflict: (msg = "Resource already exists") => new ApiError(409, msg, ApiErrorCode.CONFLICT),
+  rateLimitExceeded: (msg = "Rate limit exceeded") => new ApiError(429, msg, ApiErrorCode.RATE_LIMIT_EXCEEDED),
+  validationError: (details) => new ApiError(
+    400,
+    "Validation failed",
+    ApiErrorCode.VALIDATION_ERROR,
+    details
+  ),
+  internalError: (msg = "Internal server error") => new ApiError(500, msg, ApiErrorCode.INTERNAL_ERROR)
+};
+var PG_ERROR_MAP = {
+  "23505": {
+    status: 409,
+    code: ApiErrorCode.CONFLICT,
+    message: "Resource already exists"
+  },
+  "23503": {
+    status: 404,
+    code: ApiErrorCode.NOT_FOUND,
+    message: "Referenced resource not found"
+  },
+  PGRST116: {
+    status: 404,
+    code: ApiErrorCode.NOT_FOUND,
+    message: "Resource not found"
+  }
+};
+function classifyError(error, isDev = false) {
+  if (isApiError(error)) {
+    return {
+      status: error.statusCode,
+      body: { error: error.message, code: error.code, details: error.details }
+    };
+  }
+  if (error && typeof error === "object" && "issues" in error && Array.isArray(error.issues)) {
+    return {
+      status: 400,
+      body: {
+        error: "Validation failed",
+        code: ApiErrorCode.VALIDATION_ERROR,
+        details: error.issues.map((i) => ({
+          field: i.path?.join("."),
+          message: i.message
+        }))
+      }
+    };
+  }
+  if (error && typeof error === "object" && "code" in error && typeof error.code === "string") {
+    const pgCode = error.code;
+    const mapped = PG_ERROR_MAP[pgCode];
+    if (mapped) {
+      return {
+        status: mapped.status,
+        body: { error: mapped.message, code: mapped.code }
+      };
+    }
+    return {
+      status: 500,
+      body: {
+        error: "Database error",
+        code: ApiErrorCode.DATABASE_ERROR,
+        details: isDev ? error.message : void 0
+      }
+    };
+  }
+  if (error instanceof Error) {
+    return {
+      status: 500,
+      body: {
+        error: isDev ? error.message : "Internal server error",
+        code: ApiErrorCode.INTERNAL_ERROR,
+        details: isDev ? error.stack : void 0
+      }
+    };
+  }
+  return {
+    status: 500,
+    body: {
+      error: "An unexpected error occurred",
+      code: ApiErrorCode.INTERNAL_ERROR
+    }
+  };
+}
+function buildPagination(page, limit, total) {
+  return {
+    page,
+    limit,
+    total,
+    totalPages: Math.ceil(total / limit),
+    hasMore: page * limit < total
+  };
+}
+
+// src/auth/nextjs-api.ts
+async function enforceRateLimit(request, operation, rule, options) {
+  const identifier = options?.identifier ?? (options?.userId ? `user:${options.userId}` : void 0) ?? `ip:${extractClientIp((name) => request.headers.get(name))}`;
+  const isAuthenticated = !!options?.userId;
+  const result = await checkRateLimit(operation, identifier, rule, {
+    ...options?.rateLimitOptions,
+    isAuthenticated
+  });
+  if (!result.allowed) {
+    const headers = buildRateLimitResponseHeaders(result);
+    return new Response(
+      JSON.stringify({
+        error: "Rate limit exceeded. Please try again later.",
+        retryAfter: result.retryAfterSeconds
+      }),
+      {
+        status: 429,
+        headers: { "Content-Type": "application/json", ...headers }
+      }
+    );
+  }
+  return null;
+}
+function errorResponse(error, options) {
+  const isDev = options?.isDevelopment ?? process.env.NODE_ENV === "development";
+  const { status, body } = classifyError(error, isDev);
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function zodErrorResponse(error) {
+  const firstIssue = error.issues[0];
+  const message = firstIssue ? `${firstIssue.path.join(".") || "input"}: ${firstIssue.message}` : "Validation error";
+  return new Response(JSON.stringify({ error: message }), {
+    status: 400,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function extractBearerToken(request) {
+  const auth = request.headers.get("authorization");
+  if (!auth?.startsWith("Bearer ")) return null;
+  return auth.slice(7).trim() || null;
+}
+function isValidBearerToken(request, secret) {
+  if (!secret) return false;
+  const token = extractBearerToken(request);
+  if (!token) return false;
+  return constantTimeEqual(token, secret);
+}
+
+// src/env.ts
+function getRequiredEnv(key) {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+function getOptionalEnv(key, defaultValue) {
+  return process.env[key] || defaultValue;
+}
+function getBoolEnv(key, defaultValue = false) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  return value === "true" || value === "1";
+}
+function getIntEnv(key, defaultValue) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  const parsed = parseInt(value, 10);
+  return isNaN(parsed) ? defaultValue : parsed;
+}
+function validateEnvVars(config) {
+  const result = checkEnvVars(config);
+  if (!result.valid) {
+    const lines = [];
+    if (result.missing.length > 0) {
+      lines.push(
+        "Missing required environment variables:",
+        ...result.missing.map((v) => `  - ${v}`)
+      );
+    }
+    if (result.missingOneOf.length > 0) {
+      for (const group of result.missingOneOf) {
+        lines.push(`Missing one of: ${group.join(" | ")}`);
+      }
+    }
+    if (result.invalid.length > 0) {
+      lines.push(
+        "Invalid environment variables:",
+        ...result.invalid.map((v) => `  - ${v.key}: ${v.reason}`)
+      );
+    }
+    throw new Error(lines.join("\n"));
+  }
+}
+function checkEnvVars(config) {
+  const missing = [];
+  const invalid = [];
+  const missingOneOf = [];
+  if (config.required) {
+    for (const key of config.required) {
+      if (!process.env[key]) {
+        missing.push(key);
+      }
+    }
+  }
+  if (config.requireOneOf) {
+    for (const group of config.requireOneOf) {
+      const hasAny = group.some((key) => !!process.env[key]);
+      if (!hasAny) {
+        missingOneOf.push(group);
+      }
+    }
+  }
+  if (config.validators) {
+    for (const [key, validator] of Object.entries(config.validators)) {
+      const value = process.env[key];
+      if (value) {
+        const result = validator(value);
+        if (result !== true) {
+          invalid.push({ key, reason: result });
+        }
+      }
+    }
+  }
+  return {
+    valid: missing.length === 0 && invalid.length === 0 && missingOneOf.length === 0,
+    missing,
+    invalid,
+    missingOneOf
+  };
+}
+function getEnvSummary(keys) {
+  const summary = {};
+  for (const key of keys) {
+    summary[key] = !!process.env[key];
+  }
+  return summary;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ApiError,
+  ApiErrorCode,
+  CommonApiErrors,
   CommonRateLimits,
   DateRangeSchema,
   EmailSchema,
@@ -941,33 +1318,56 @@ function createAuditLogger(options = {}) {
   buildAuthCookies,
   buildErrorBody,
   buildKeycloakCallbacks,
+  buildPagination,
   buildRateLimitHeaders,
   buildRateLimitResponseHeaders,
   buildRedirectCallback,
   buildTokenRefreshParams,
+  checkEnvVars,
   checkRateLimit,
+  classifyError,
+  constantTimeEqual,
+  containsHtml,
+  containsUrls,
   createAuditActor,
   createAuditLogger,
   createFeatureFlags,
   createMemoryRateLimitStore,
+  createRedisRateLimitStore,
   createSafeTextSchema,
   detectStage,
+  enforceRateLimit,
+  errorResponse,
+  escapeHtml,
   extractAuditIp,
   extractAuditRequestId,
   extractAuditUserAgent,
+  extractBearerToken,
   extractClientIp,
+  getBoolEnv,
+  getCorrelationId,
   getEndSessionEndpoint,
+  getEnvSummary,
+  getIntEnv,
+  getOptionalEnv,
   getRateLimitStatus,
+  getRequiredEnv,
   getTokenEndpoint,
   hasAllRoles,
   hasAnyRole,
   hasRole,
   isAllowlisted,
+  isApiError,
   isTokenExpired,
+  isValidBearerToken,
   parseKeycloakRoles,
   refreshKeycloakToken,
   resetRateLimitForKey,
   resolveIdentifier,
-  resolveRateLimitIdentifier
+  resolveRateLimitIdentifier,
+  sanitizeApiError,
+  stripHtml,
+  validateEnvVars,
+  zodErrorResponse
 });
 //# sourceMappingURL=auth.js.map