@dismissible/nestjs-jwt-auth-hook 0.0.1 → 0.0.2-canary.43c6bbd.0

package/project.json

@@ -1,42 +0,0 @@
-{
-  "name": "jwt-auth-hook",
-  "$schema": "../../node_modules/nx/schemas/project-schema.json",
-  "sourceRoot": "libs/jwt-auth-hook/src",
-  "projectType": "library",
-  "tags": [],
-  "targets": {
-    "build": {
-      "executor": "@nx/js:tsc",
-      "outputs": ["{options.outputPath}"],
-      "options": {
-        "outputPath": "dist/libs/jwt-auth-hook",
-        "main": "libs/jwt-auth-hook/src/index.ts",
-        "tsConfig": "libs/jwt-auth-hook/tsconfig.lib.json",
-        "assets": ["libs/jwt-auth-hook/package.json", "libs/jwt-auth-hook/README.md"],
-        "generatePackageJson": true
-      }
-    },
-    "lint": {
-      "executor": "@nx/eslint:lint",
-      "outputs": ["{options.outputFile}"],
-      "options": {
-        "lintFilePatterns": ["libs/jwt-auth-hook/**/*.ts"]
-      }
-    },
-    "test": {
-      "executor": "@nx/jest:jest",
-      "outputs": ["{workspaceRoot}/coverage/libs/jwt-auth-hook"],
-      "options": {
-        "jestConfig": "libs/jwt-auth-hook/jest.config.ts",
-        "passWithNoTests": true
-      }
-    },
-    "npm-publish": {
-      "executor": "nx:run-commands",
-      "options": {
-        "command": "npm publish --access public",
-        "cwd": "dist/libs/jwt-auth-hook"
-      }
-    }
-  }
-}

package/src/jwt-auth-hook.config.spec.ts

@@ -1,158 +0,0 @@
-import 'reflect-metadata';
-import { plainToInstance } from 'class-transformer';
-import { validate } from 'class-validator';
-import { JwtAuthHookConfig } from './jwt-auth-hook.config';
-
-describe('JwtAuthHookConfig', () => {
-  describe('enabled property', () => {
-    it('should transform boolean true to true', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      });
-
-      expect(config.enabled).toBe(true);
-    });
-
-    it('should transform boolean false to false', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: false,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      });
-
-      expect(config.enabled).toBe(false);
-    });
-
-    it('should transform string "true" to boolean true', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: 'true',
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      });
-
-      expect(config.enabled).toBe(true);
-    });
-
-    it('should transform string "false" to boolean false', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: 'false',
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      });
-
-      expect(config.enabled).toBe(false);
-    });
-
-    it('should transform string "True" (case insensitive) to boolean true', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: 'True',
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      });
-
-      expect(config.enabled).toBe(true);
-    });
-
-    it('should convert non-true string values to false', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: 'other',
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      });
-
-      // The transform converts string values: 'true' -> true, anything else -> false
-      expect(config.enabled).toBe(false);
-    });
-  });
-
-  describe('wellKnownUrl validation', () => {
-    it('should require wellKnownUrl when enabled is true', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-      });
-
-      const errors = await validate(config);
-      expect(errors.length).toBeGreaterThan(0);
-      expect(errors.some((e) => e.property === 'wellKnownUrl')).toBe(true);
-    });
-
-    it('should not require wellKnownUrl when enabled is false', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: false,
-      });
-
-      const errors = await validate(config);
-      // wellKnownUrl should not be required when enabled is false
-      expect(errors.some((e) => e.property === 'wellKnownUrl')).toBe(false);
-    });
-
-    it('should validate wellKnownUrl is a valid URL', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'not-a-valid-url',
-      });
-
-      const errors = await validate(config);
-      expect(errors.length).toBeGreaterThan(0);
-      expect(errors.some((e) => e.property === 'wellKnownUrl')).toBe(true);
-    });
-  });
-
-  describe('optional properties', () => {
-    it('should accept optional issuer', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-        issuer: 'https://auth.example.com',
-      });
-
-      expect(config.issuer).toBe('https://auth.example.com');
-    });
-
-    it('should accept optional audience', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-        audience: 'my-api',
-      });
-
-      expect(config.audience).toBe('my-api');
-    });
-
-    it('should accept optional algorithms array', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-        algorithms: ['RS256', 'RS384'],
-      });
-
-      expect(config.algorithms).toEqual(['RS256', 'RS384']);
-    });
-
-    it('should transform jwksCacheDuration to number', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-        jwksCacheDuration: '600000',
-      });
-
-      expect(config.jwksCacheDuration).toBe(600000);
-    });
-
-    it('should transform requestTimeout to number', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-        requestTimeout: '30000',
-      });
-
-      expect(config.requestTimeout).toBe(30000);
-    });
-
-    it('should transform priority to number', async () => {
-      const config = plainToInstance(JwtAuthHookConfig, {
-        enabled: true,
-        wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-        priority: '-100',
-      });
-
-      expect(config.priority).toBe(-100);
-    });
-  });
-});

package/src/jwt-auth-hook.config.ts

@@ -1,94 +0,0 @@
-import {
-  IsString,
-  IsUrl,
-  IsOptional,
-  IsArray,
-  IsNumber,
-  IsBoolean,
-  ValidateIf,
-} from 'class-validator';
-import { Type } from 'class-transformer';
-import { TransformBoolean } from '@dismissible/nestjs-validation';
-
-/**
- * Injection token for JWT auth hook configuration.
- */
-export const JWT_AUTH_HOOK_CONFIG = Symbol('JWT_AUTH_HOOK_CONFIG');
-
-/**
- * Configuration options for JWT authentication hook.
- */
-export class JwtAuthHookConfig {
-  @IsBoolean()
-  @TransformBoolean()
-  public readonly enabled!: boolean;
-
-  /**
-   * The OpenID Connect well-known URL (e.g., https://auth.example.com/.well-known/openid-configuration).
-   * The JWKS URI will be fetched from this endpoint.
-   */
-  @ValidateIf((o) => o.enabled === true)
-  @IsUrl()
-  public readonly wellKnownUrl!: string;
-
-  /**
-   * Optional: Expected issuer claim (iss) to validate.
-   * If not provided, issuer validation is skipped.
-   */
-  @IsOptional()
-  @IsString()
-  public readonly issuer?: string;
-
-  /**
-   * Optional: Expected audience claim (aud) to validate.
-   * If not provided, audience validation is skipped.
-   */
-  @IsOptional()
-  @IsString()
-  public readonly audience?: string;
-
-  /**
-   * Optional: Allowed algorithms for JWT verification.
-   * Defaults to ['RS256'].
-   */
-  @IsOptional()
-  @IsArray()
-  @IsString({ each: true })
-  public readonly algorithms?: string[];
-
-  /**
-   * Optional: Cache duration in milliseconds for JWKS.
-   * Defaults to 600000 (10 minutes).
-   */
-  @IsOptional()
-  @IsNumber()
-  @Type(() => Number)
-  public readonly jwksCacheDuration?: number;
-
-  /**
-   * Optional: Request timeout in milliseconds.
-   * Defaults to 30000 (30 seconds).
-   */
-  @IsOptional()
-  @IsNumber()
-  @Type(() => Number)
-  public readonly requestTimeout?: number;
-
-  /**
-   * Optional: Hook priority (lower numbers run first).
-   * Defaults to -100 (runs early for authentication).
-   */
-  @IsOptional()
-  @IsNumber()
-  @Type(() => Number)
-  public readonly priority?: number;
-
-  /**
-   * Optional: Verify that the userId parameter matches the JWT subject (sub) claim.
-   * Defaults to true for security. Set to false for service-to-service scenarios.
-   */
-  @IsOptional()
-  @IsBoolean()
-  @TransformBoolean(true) // Default to true if not provided
-  public readonly verifyUserIdMatch?: boolean;
-}

package/src/jwt-auth-hook.module.ts

@@ -1,79 +0,0 @@
-import { Module, DynamicModule, InjectionToken } from '@nestjs/common';
-import { HttpModule } from '@nestjs/axios';
-import { JwtAuthHook } from './jwt-auth.hook';
-import { JwtAuthService } from './jwt-auth.service';
-import { JWT_AUTH_HOOK_CONFIG, JwtAuthHookConfig } from './jwt-auth-hook.config';
-
-/**
- * Async module options for JWT auth hook.
- */
-export interface IJwtAuthHookModuleAsyncOptions {
-  useFactory: (...args: unknown[]) => JwtAuthHookConfig | Promise<JwtAuthHookConfig>;
-  inject?: InjectionToken[];
-}
-
-/**
- * Module that provides JWT authentication hook for Dismissible.
- *
- * @example
- * ```typescript
- * import { DismissibleModule } from '@dismissible/nestjs-dismissible';
- * import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
- *
- * @Module({
- *   imports: [
- *     JwtAuthHookModule.forRoot({
- *       wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
- *       issuer: 'https://auth.example.com',
- *       audience: 'my-api',
- *     }),
- *     DismissibleModule.forRoot({
- *       hooks: [JwtAuthHook],
- *       // ... other options
- *     }),
- *   ],
- * })
- * export class AppModule {}
- * ```
- */
-@Module({})
-export class JwtAuthHookModule {
-  static forRoot(config: JwtAuthHookConfig): DynamicModule {
-    return {
-      module: JwtAuthHookModule,
-      imports: [HttpModule],
-      providers: [
-        {
-          provide: JWT_AUTH_HOOK_CONFIG,
-          useValue: config,
-        },
-        JwtAuthService,
-        JwtAuthHook,
-      ],
-      exports: [JwtAuthHook, JwtAuthService, JWT_AUTH_HOOK_CONFIG],
-      global: true,
-    };
-  }
-
-  /**
-   * Create module with async configuration.
-   * Useful when config values come from environment or other async sources.
-   */
-  static forRootAsync(options: IJwtAuthHookModuleAsyncOptions): DynamicModule {
-    return {
-      module: JwtAuthHookModule,
-      imports: [HttpModule],
-      providers: [
-        {
-          provide: JWT_AUTH_HOOK_CONFIG,
-          useFactory: options.useFactory,
-          inject: options.inject ?? [],
-        },
-        JwtAuthService,
-        JwtAuthHook,
-      ],
-      exports: [JwtAuthHook, JwtAuthService, JWT_AUTH_HOOK_CONFIG],
-      global: true,
-    };
-  }
-}

package/src/jwt-auth.hook.spec.ts

@@ -1,283 +0,0 @@
-import { UnauthorizedException, ForbiddenException } from '@nestjs/common';
-import { mock } from 'ts-jest-mocker';
-import { JwtAuthHook } from './jwt-auth.hook';
-import { JwtAuthService, IJwtValidationResult } from './jwt-auth.service';
-import { JwtAuthHookConfig } from './jwt-auth-hook.config';
-import { IDismissibleLogger } from '@dismissible/nestjs-logger';
-import { IRequestContext } from '@dismissible/nestjs-dismissible';
-
-describe('JwtAuthHook', () => {
-  let hook: JwtAuthHook;
-  let mockJwtAuthService: jest.Mocked<JwtAuthService>;
-  let mockLogger: jest.Mocked<IDismissibleLogger>;
-  let mockConfig: JwtAuthHookConfig;
-
-  const testItemId = 'test-item-id';
-  const testUserId = 'test-user-id';
-
-  beforeEach(() => {
-    mockJwtAuthService = mock(JwtAuthService, { failIfMockNotProvided: false });
-    mockLogger = mock<IDismissibleLogger>({ failIfMockNotProvided: false });
-    mockConfig = {
-      enabled: true,
-      wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
-      issuer: 'https://auth.example.com',
-    };
-
-    hook = new JwtAuthHook(mockJwtAuthService, mockConfig, mockLogger);
-  });
-
-  describe('priority', () => {
-    it('should default to -100 priority', () => {
-      expect(hook.priority).toBe(-100);
-    });
-
-    it('should use custom priority when provided', () => {
-      const customConfig = { ...mockConfig, priority: -50 };
-      const customHook = new JwtAuthHook(mockJwtAuthService, customConfig, mockLogger);
-      expect(customHook.priority).toBe(-50);
-    });
-  });
-
-  describe('onBeforeRequest', () => {
-    it('should skip validation and proceed when disabled', async () => {
-      const disabledConfig = { ...mockConfig, enabled: false };
-      const disabledHook = new JwtAuthHook(mockJwtAuthService, disabledConfig, mockLogger);
-
-      const context: IRequestContext = { requestId: 'req-123' };
-      const result = await disabledHook.onBeforeRequest(testItemId, testUserId, context);
-
-      expect(result.proceed).toBe(true);
-      expect(mockJwtAuthService.extractBearerToken).not.toHaveBeenCalled();
-      expect(mockJwtAuthService.validateToken).not.toHaveBeenCalled();
-    });
-
-    it('should throw UnauthorizedException when no authorization header is present', async () => {
-      mockJwtAuthService.extractBearerToken.mockReturnValue(null);
-
-      const context: IRequestContext = { requestId: 'req-123' };
-
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        UnauthorizedException,
-      );
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        'Missing or invalid bearer token',
-      );
-      expect(mockJwtAuthService.extractBearerToken).toHaveBeenCalledWith(undefined);
-    });
-
-    it('should throw UnauthorizedException when authorization header is malformed', async () => {
-      mockJwtAuthService.extractBearerToken.mockReturnValue(null);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Basic abc123',
-      };
-
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        UnauthorizedException,
-      );
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        'Missing or invalid bearer token',
-      );
-    });
-
-    it('should throw UnauthorizedException when token validation fails', async () => {
-      const validationResult: IJwtValidationResult = {
-        valid: false,
-        error: 'Token expired',
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        UnauthorizedException,
-      );
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        'Token expired',
-      );
-      expect(mockJwtAuthService.validateToken).toHaveBeenCalledWith('valid-token');
-    });
-
-    it('should proceed when token is valid', async () => {
-      const matchingUserId = 'user-123';
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        payload: {
-          sub: matchingUserId,
-          iss: 'https://auth.example.com',
-        },
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-      const result = await hook.onBeforeRequest(testItemId, matchingUserId, context);
-
-      expect(result.proceed).toBe(true);
-      expect(result.reason).toBeUndefined();
-    });
-
-    it('should throw UnauthorizedException when context is missing', async () => {
-      mockJwtAuthService.extractBearerToken.mockReturnValue(null);
-
-      await expect(hook.onBeforeRequest(testItemId, testUserId, undefined)).rejects.toThrow(
-        UnauthorizedException,
-      );
-      expect(mockJwtAuthService.extractBearerToken).toHaveBeenCalledWith(undefined);
-    });
-
-    it('should log debug message on successful validation', async () => {
-      const matchingUserId = 'user-123';
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        payload: { sub: matchingUserId },
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-      await hook.onBeforeRequest(testItemId, matchingUserId, context);
-
-      expect(mockLogger.debug).toHaveBeenCalledWith(
-        'JWT auth hook: Token validated successfully',
-        expect.objectContaining({
-          itemId: testItemId,
-          userId: matchingUserId,
-          requestId: 'req-123',
-          subject: matchingUserId,
-        }),
-      );
-    });
-
-    it('should throw ForbiddenException when userId does not match JWT sub claim', async () => {
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        payload: {
-          sub: 'different-user-id',
-          iss: 'https://auth.example.com',
-        },
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        ForbiddenException,
-      );
-      await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
-        'User ID in request does not match authenticated user',
-      );
-
-      expect(mockLogger.debug).toHaveBeenCalledWith(
-        'JWT auth hook: User ID mismatch',
-        expect.objectContaining({
-          itemId: testItemId,
-          userId: testUserId,
-          requestId: 'req-123',
-          tokenSubject: 'different-user-id',
-        }),
-      );
-    });
-
-    it('should proceed when userId matches JWT sub claim', async () => {
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        payload: {
-          sub: testUserId,
-          iss: 'https://auth.example.com',
-        },
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-      const result = await hook.onBeforeRequest(testItemId, testUserId, context);
-
-      expect(result.proceed).toBe(true);
-      expect(result.reason).toBeUndefined();
-    });
-
-    it('should proceed when verifyUserIdMatch is disabled even if userId does not match', async () => {
-      const disabledVerifyConfig = { ...mockConfig, verifyUserIdMatch: false };
-      const disabledVerifyHook = new JwtAuthHook(
-        mockJwtAuthService,
-        disabledVerifyConfig,
-        mockLogger,
-      );
-
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        payload: {
-          sub: 'different-user-id',
-          iss: 'https://auth.example.com',
-        },
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-      const result = await disabledVerifyHook.onBeforeRequest(testItemId, testUserId, context);
-
-      expect(result.proceed).toBe(true);
-    });
-
-    it('should proceed when JWT payload does not have sub claim and verifyUserIdMatch is enabled', async () => {
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        payload: {
-          iss: 'https://auth.example.com',
-          // No sub claim
-        },
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-      const result = await hook.onBeforeRequest(testItemId, testUserId, context);
-
-      expect(result.proceed).toBe(true);
-    });
-
-    it('should proceed when JWT payload is undefined and verifyUserIdMatch is enabled', async () => {
-      const validationResult: IJwtValidationResult = {
-        valid: true,
-        // No payload
-      };
-      mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
-      mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
-
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
-      const result = await hook.onBeforeRequest(testItemId, testUserId, context);
-
-      expect(result.proceed).toBe(true);
-    });
-  });
-});