@digilogiclabs/platform-core 1.9.0 → 1.11.0

package/dist/auth.mjs

@@ -562,6 +562,12 @@ var CommonRateLimits = {
     limit: 10,
     windowSeconds: 3600,
     blockDurationSeconds: 3600
+  },
+  /** Beta code validation: 5/min with 5min block (prevents brute force guessing) */
+  betaValidation: {
+    limit: 5,
+    windowSeconds: 60,
+    blockDurationSeconds: 300
   }
 };
 function createMemoryRateLimitStore() {
@@ -1105,6 +1111,71 @@ function isValidBearerToken(request, secret) {
   if (!token) return false;
   return constantTimeEqual(token, secret);
 }
+function verifyCronAuth(request, secret) {
+  const authHeader = request.headers.get("authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return new Response(JSON.stringify({ error: "Missing authorization" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  const token = authHeader.slice(7);
+  const expectedSecret = secret ?? process.env.CRON_SECRET;
+  if (!expectedSecret) {
+    console.error("[verifyCronAuth] CRON_SECRET not configured");
+    return new Response(
+      JSON.stringify({ error: "Server configuration error" }),
+      { status: 500, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  if (!constantTimeEqual(token, expectedSecret)) {
+    return new Response(JSON.stringify({ error: "Invalid authorization" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return null;
+}
+function getClientIp(request) {
+  return request.headers.get("cf-connecting-ip") || request.headers.get("x-real-ip") || request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function rateLimitResponse(result) {
+  const retryAfter = Math.ceil(result.resetMs / 1e3);
+  const resetTimestamp = Math.ceil(Date.now() / 1e3 + result.resetMs / 1e3);
+  return new Response(
+    JSON.stringify({ error: "Too many requests", retryAfter }),
+    {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "X-RateLimit-Limit": String(result.limit),
+        "X-RateLimit-Remaining": "0",
+        "X-RateLimit-Reset": String(resetTimestamp),
+        "Retry-After": String(retryAfter)
+      }
+    }
+  );
+}
+function addRateLimitHeaders(response, result) {
+  const resetTimestamp = Math.ceil(Date.now() / 1e3 + result.resetMs / 1e3);
+  response.headers.set("X-RateLimit-Limit", String(result.limit));
+  response.headers.set("X-RateLimit-Remaining", String(result.remaining));
+  response.headers.set("X-RateLimit-Reset", String(resetTimestamp));
+  return response;
+}
+function safeValidate(schema, data) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  return {
+    success: false,
+    errors: (result.error?.issues || []).map((issue) => ({
+      field: issue.path.join("."),
+      message: issue.message
+    }))
+  };
+}
 
 // src/auth/beta-client.ts
 var DEFAULT_CONFIG = {
@@ -1213,6 +1284,172 @@ function clearStoredBetaCode(config = {}) {
   }
 }
 
+// src/auth/federated-logout.ts
+function expireCookie(name, options) {
+  const parts = [
+    `${name}=`,
+    "Path=/",
+    "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
+    "Max-Age=0",
+    "SameSite=Lax"
+  ];
+  if (options?.hostPrefix) {
+    parts.push("Secure");
+  } else {
+    parts.push("HttpOnly");
+    if (options?.domain) parts.push(`Domain=${options.domain}`);
+    if (options?.secure) parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+function isAllowedCallbackUrl(url, baseUrl) {
+  if (url.startsWith("/") && !url.startsWith("//")) return true;
+  try {
+    const parsed = new URL(url);
+    const base = new URL(baseUrl);
+    const allowedHosts = [base.hostname, `www.${base.hostname}`];
+    if (base.hostname.startsWith("www.")) {
+      allowedHosts.push(base.hostname.slice(4));
+    }
+    return allowedHosts.includes(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+var AUTH_COOKIE_NAMES = [
+  "authjs.session-token",
+  "__Secure-authjs.session-token",
+  "authjs.callback-url",
+  "__Secure-authjs.callback-url",
+  "authjs.csrf-token",
+  "__Secure-authjs.csrf-token",
+  "authjs.pkce.code_verifier",
+  "__Secure-authjs.pkce.code_verifier",
+  "authjs.state",
+  "__Secure-authjs.state",
+  // Legacy next-auth names
+  "next-auth.session-token",
+  "__Secure-next-auth.session-token",
+  "next-auth.callback-url",
+  "__Secure-next-auth.callback-url",
+  "next-auth.csrf-token",
+  "__Secure-next-auth.csrf-token"
+];
+var HOST_COOKIES = [
+  "__Host-authjs.csrf-token",
+  "__Host-next-auth.csrf-token"
+];
+function buildFederatedLogoutHandler(config) {
+  const { auth, domain, baseUrlFallback, extraCookies = [], onError } = config;
+  return async function GET(request) {
+    const session = await auth();
+    const url = new URL(request.url);
+    const rawCallbackUrl = url.searchParams.get("callbackUrl") || "/";
+    const queryIdToken = url.searchParams.get("id_token_hint");
+    const baseUrl = process.env.NEXTAUTH_URL || process.env.AUTH_URL || baseUrlFallback;
+    const callbackUrl = isAllowedCallbackUrl(rawCallbackUrl, baseUrl) ? rawCallbackUrl : "/";
+    const postLogoutRedirectUri = callbackUrl.startsWith("http") ? callbackUrl : `${baseUrl}${callbackUrl}`;
+    const keycloakIssuer = process.env.AUTH_KEYCLOAK_ISSUER;
+    if (!keycloakIssuer) {
+      onError?.("Missing AUTH_KEYCLOAK_ISSUER");
+      return Response.redirect(
+        new URL(
+          "/api/auth/signout?callbackUrl=" + encodeURIComponent(callbackUrl),
+          request.url
+        ).toString()
+      );
+    }
+    const refreshToken = session?.refreshToken;
+    if (refreshToken) {
+      try {
+        const revokeUrl = `${keycloakIssuer}/protocol/openid-connect/revoke`;
+        const clientId2 = process.env.AUTH_KEYCLOAK_ID;
+        const clientSecret = process.env.AUTH_KEYCLOAK_SECRET;
+        await fetch(revokeUrl, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            token: refreshToken,
+            token_type_hint: "refresh_token",
+            ...clientId2 && { client_id: clientId2 },
+            ...clientSecret && { client_secret: clientSecret }
+          })
+        });
+      } catch (err) {
+        onError?.("Token revocation failed", err);
+      }
+    }
+    const keycloakLogoutUrl = new URL(
+      `${keycloakIssuer}/protocol/openid-connect/logout`
+    );
+    keycloakLogoutUrl.searchParams.set(
+      "post_logout_redirect_uri",
+      postLogoutRedirectUri
+    );
+    const clientId = process.env.AUTH_KEYCLOAK_ID;
+    if (clientId) keycloakLogoutUrl.searchParams.set("client_id", clientId);
+    const idToken = session?.idToken || queryIdToken;
+    if (idToken) keycloakLogoutUrl.searchParams.set("id_token_hint", idToken);
+    const escapedUrl = keycloakLogoutUrl.toString().replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    const html = `<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<meta http-equiv="refresh" content="0;url=${escapedUrl}">
+<title>Signing out...</title>
+<style>body{display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;font-family:system-ui,sans-serif;background:#0a0a0a;color:#fff}p{font-size:1.1rem;opacity:0.7}</style>
+</head><body>
+<p>Signing out&hellip;</p>
+<script>window.location.replace(${JSON.stringify(keycloakLogoutUrl.toString()).replace(/</g, "\\u003c")});</script>
+</body></html>`;
+    const response = new Response(html, {
+      status: 200,
+      headers: {
+        "Content-Type": "text/html; charset=utf-8",
+        "Cache-Control": "no-store, no-cache, must-revalidate",
+        Pragma: "no-cache"
+      }
+    });
+    const isProduction = process.env.NODE_ENV === "production";
+    const isSecure = isProduction;
+    const allCookieNames = [...AUTH_COOKIE_NAMES, ...extraCookies];
+    for (const name of allCookieNames) {
+      const needsSecure = isSecure || name.startsWith("__Secure-");
+      response.headers.append(
+        "Set-Cookie",
+        expireCookie(name, { secure: needsSecure })
+      );
+      if (isProduction) {
+        response.headers.append(
+          "Set-Cookie",
+          expireCookie(name, { domain, secure: needsSecure })
+        );
+      }
+    }
+    for (const name of HOST_COOKIES) {
+      response.headers.append(
+        "Set-Cookie",
+        expireCookie(name, { hostPrefix: true })
+      );
+    }
+    return response;
+  };
+}
+
+// src/auth/lazy-rate-limit-store.ts
+function createLazyRateLimitStore(getRedis, options = {}) {
+  const { keyPrefix = "rl:" } = options;
+  let store;
+  let initialized = false;
+  return function getRateLimitStore() {
+    if (initialized) return store;
+    initialized = true;
+    const redis = getRedis();
+    if (!redis) return void 0;
+    store = createRedisRateLimitStore(redis, { keyPrefix });
+    return store;
+  };
+}
+
 // src/env.ts
 function getRequiredEnv(key) {
   const value = process.env[key];
@@ -1322,9 +1559,11 @@ export {
   StandardAuditActions,
   StandardRateLimitPresets,
   WrapperPresets,
+  addRateLimitHeaders,
   buildAllowlist,
   buildAuthCookies,
   buildErrorBody,
+  buildFederatedLogoutHandler,
   buildKeycloakCallbacks,
   buildPagination,
   buildRateLimitHeaders,
@@ -1342,6 +1581,7 @@ export {
   createAuditLogger,
   createBetaClient,
   createFeatureFlags,
+  createLazyRateLimitStore,
   createMemoryRateLimitStore,
   createRedisRateLimitStore,
   createSafeTextSchema,
@@ -1356,6 +1596,7 @@ export {
   extractClientIp,
   fetchBetaSettings,
   getBoolEnv,
+  getClientIp,
   getCorrelationId,
   getEndSessionEndpoint,
   getEnvSummary,
@@ -1373,15 +1614,18 @@ export {
   isTokenExpired,
   isValidBearerToken,
   parseKeycloakRoles,
+  rateLimitResponse,
   refreshKeycloakToken,
   resetRateLimitForKey,
   resolveIdentifier,
   resolveRateLimitIdentifier,
+  safeValidate,
   sanitizeApiError,
   storeBetaCode,
   stripHtml,
   validateBetaCode,
   validateEnvVars,
+  verifyCronAuth,
   zodErrorResponse
 };
 //# sourceMappingURL=auth.mjs.map