@dismissible/nestjs-jwt-auth-hook 0.0.1 → 0.0.2-canary.585db17.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dismissible/nestjs-jwt-auth-hook",
-  "version": "0.0.1",
+  "version": "0.0.2-canary.585db17.0",
   "description": "JWT authentication hook for Dismissible applications using OIDC well-known discovery",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
@@ -12,30 +12,38 @@
     }
   },
   "dependencies": {
-    "jwks-rsa": "^3.1.0",
-    "jsonwebtoken": "^9.0.0"
+    "@nestjs/axios": "^4.0.1",
+    "@dismissible/nestjs-dismissible-hooks": "^0.0.2-canary.585db17.0",
+    "@dismissible/nestjs-dismissible-request": "^0.0.2-canary.585db17.0",
+    "@dismissible/nestjs-logger": "^0.0.2-canary.585db17.0",
+    "@dismissible/nestjs-validation": "^0.0.2-canary.585db17.0",
+    "jwks-rsa": "^3.2.0",
+    "jsonwebtoken": "^9.0.3"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.10"
   },
   "peerDependencies": {
-    "@nestjs/axios": "^4.0.0",
     "@nestjs/common": "^11.0.0",
     "@nestjs/core": "^11.0.0",
-    "@dismissible/nestjs-dismissible": "*",
-    "@dismissible/nestjs-logger": "*"
+    "class-validator": "^0.14.0",
+    "class-transformer": "^0.5.0",
+    "rxjs": "^7.8.2"
   },
   "peerDependenciesMeta": {
-    "@nestjs/axios": {
-      "optional": false
-    },
     "@nestjs/common": {
       "optional": false
     },
     "@nestjs/core": {
       "optional": false
     },
-    "@dismissible/nestjs-dismissible": {
+    "class-validator": {
+      "optional": false
+    },
+    "class-transformer": {
       "optional": false
     },
-    "@dismissible/nestjs-logger": {
+    "rxjs": {
       "optional": false
     }
   },

package/src/jwt-auth-hook.config.spec.ts

@@ -56,7 +56,6 @@ describe('JwtAuthHookConfig', () => {
         wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
       });
 
-      // The transform converts string values: 'true' -> true, anything else -> false
       expect(config.enabled).toBe(false);
     });
   });
@@ -78,7 +77,6 @@ describe('JwtAuthHookConfig', () => {
       });
 
       const errors = await validate(config);
-      // wellKnownUrl should not be required when enabled is false
       expect(errors.some((e) => e.property === 'wellKnownUrl')).toBe(false);
     });
 

package/src/jwt-auth.hook.spec.ts

@@ -4,7 +4,32 @@ import { JwtAuthHook } from './jwt-auth.hook';
 import { JwtAuthService, IJwtValidationResult } from './jwt-auth.service';
 import { JwtAuthHookConfig } from './jwt-auth-hook.config';
 import { IDismissibleLogger } from '@dismissible/nestjs-logger';
-import { IRequestContext } from '@dismissible/nestjs-dismissible';
+import { IRequestContext } from '@dismissible/nestjs-dismissible-request';
+
+function createMinimalContext(overrides: Partial<IRequestContext> = {}): IRequestContext {
+  return {
+    requestId: 'req-123',
+    headers: {},
+    query: {},
+    params: {},
+    body: {},
+    user: {},
+    ip: '127.0.0.1',
+    method: 'GET',
+    url: '/test',
+    protocol: 'http',
+    secure: false,
+    hostname: 'localhost',
+    port: 3000,
+    path: '/test',
+    search: '',
+    searchParams: {},
+    origin: 'http://localhost:3000',
+    referer: '',
+    userAgent: 'test-agent',
+    ...overrides,
+  };
+}
 
 describe('JwtAuthHook', () => {
   let hook: JwtAuthHook;
@@ -44,7 +69,7 @@ describe('JwtAuthHook', () => {
       const disabledConfig = { ...mockConfig, enabled: false };
       const disabledHook = new JwtAuthHook(mockJwtAuthService, disabledConfig, mockLogger);
 
-      const context: IRequestContext = { requestId: 'req-123' };
+      const context = createMinimalContext();
       const result = await disabledHook.onBeforeRequest(testItemId, testUserId, context);
 
       expect(result.proceed).toBe(true);
@@ -55,7 +80,7 @@ describe('JwtAuthHook', () => {
     it('should throw UnauthorizedException when no authorization header is present', async () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue(null);
 
-      const context: IRequestContext = { requestId: 'req-123' };
+      const context = createMinimalContext();
 
       await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
         UnauthorizedException,
@@ -69,10 +94,9 @@ describe('JwtAuthHook', () => {
     it('should throw UnauthorizedException when authorization header is malformed', async () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue(null);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Basic abc123',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Basic abc123' },
+      });
 
       await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
         UnauthorizedException,
@@ -90,10 +114,9 @@ describe('JwtAuthHook', () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
 
       await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
         UnauthorizedException,
@@ -116,10 +139,9 @@ describe('JwtAuthHook', () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
       const result = await hook.onBeforeRequest(testItemId, matchingUserId, context);
 
       expect(result.proceed).toBe(true);
@@ -144,10 +166,9 @@ describe('JwtAuthHook', () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
       await hook.onBeforeRequest(testItemId, matchingUserId, context);
 
       expect(mockLogger.debug).toHaveBeenCalledWith(
@@ -172,10 +193,9 @@ describe('JwtAuthHook', () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
 
       await expect(hook.onBeforeRequest(testItemId, testUserId, context)).rejects.toThrow(
         ForbiddenException,
@@ -206,10 +226,9 @@ describe('JwtAuthHook', () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
       const result = await hook.onBeforeRequest(testItemId, testUserId, context);
 
       expect(result.proceed).toBe(true);
@@ -234,10 +253,9 @@ describe('JwtAuthHook', () => {
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
       const result = await disabledVerifyHook.onBeforeRequest(testItemId, testUserId, context);
 
       expect(result.proceed).toBe(true);
@@ -248,16 +266,14 @@ describe('JwtAuthHook', () => {
         valid: true,
         payload: {
           iss: 'https://auth.example.com',
-          // No sub claim
         },
       };
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
       const result = await hook.onBeforeRequest(testItemId, testUserId, context);
 
       expect(result.proceed).toBe(true);
@@ -266,15 +282,13 @@ describe('JwtAuthHook', () => {
     it('should proceed when JWT payload is undefined and verifyUserIdMatch is enabled', async () => {
       const validationResult: IJwtValidationResult = {
         valid: true,
-        // No payload
       };
       mockJwtAuthService.extractBearerToken.mockReturnValue('valid-token');
       mockJwtAuthService.validateToken.mockResolvedValue(validationResult);
 
-      const context: IRequestContext = {
-        requestId: 'req-123',
-        authorizationHeader: 'Bearer valid-token',
-      };
+      const context = createMinimalContext({
+        headers: { authorization: 'Bearer valid-token' },
+      });
       const result = await hook.onBeforeRequest(testItemId, testUserId, context);
 
       expect(result.proceed).toBe(true);

package/src/jwt-auth.hook.ts

@@ -1,9 +1,6 @@
 import { Injectable, Inject, UnauthorizedException, ForbiddenException } from '@nestjs/common';
-import {
-  IDismissibleLifecycleHook,
-  IHookResult,
-  IRequestContext,
-} from '@dismissible/nestjs-dismissible';
+import { IDismissibleLifecycleHook, IHookResult } from '@dismissible/nestjs-dismissible-hooks';
+import { IRequestContext } from '@dismissible/nestjs-dismissible-request';
 import { DISMISSIBLE_LOGGER, IDismissibleLogger } from '@dismissible/nestjs-logger';
 import { JwtAuthService } from './jwt-auth.service';
 import { JWT_AUTH_HOOK_CONFIG, JwtAuthHookConfig } from './jwt-auth-hook.config';
@@ -23,7 +20,6 @@ export class JwtAuthHook implements IDismissibleLifecycleHook {
     @Inject(DISMISSIBLE_LOGGER)
     private readonly logger: IDismissibleLogger,
   ) {
-    // Default to -100 for authentication (runs early)
     this.priority = config.priority ?? -100;
   }
 
@@ -40,9 +36,8 @@ export class JwtAuthHook implements IDismissibleLifecycleHook {
       return { proceed: true };
     }
 
-    const authorizationHeader = context?.authorizationHeader;
+    const authorizationHeader = context?.headers['authorization'];
 
-    // Extract the bearer token
     const token = this.jwtAuthService.extractBearerToken(authorizationHeader);
 
     if (!token) {
@@ -55,7 +50,6 @@ export class JwtAuthHook implements IDismissibleLifecycleHook {
       throw new UnauthorizedException('Missing or invalid bearer token');
     }
 
-    // Validate the token
     const result = await this.jwtAuthService.validateToken(token);
 
     if (!result.valid) {
@@ -69,8 +63,6 @@ export class JwtAuthHook implements IDismissibleLifecycleHook {
       throw new UnauthorizedException(result.error);
     }
 
-    // Verify that the userId parameter matches the JWT subject (sub) claim
-    // This prevents users from accessing other users' data by changing the userId in the URL
     const verifyUserIdMatch = this.config.verifyUserIdMatch ?? true;
     if (verifyUserIdMatch && result.payload?.sub) {
       if (result.payload.sub !== userId) {

package/src/jwt-auth.service.spec.ts

@@ -90,7 +90,6 @@ describe('JwtAuthService', () => {
     });
 
     it('should return invalid for malformed token', async () => {
-      // Mock HTTP response for well-known config
       const mockResponse: AxiosResponse = {
         data: {
           jwks_uri: 'https://auth.example.com/.well-known/jwks.json',
@@ -124,7 +123,6 @@ describe('JwtAuthService', () => {
 
       await service.initializeJwksClient();
 
-      // Mock jwt.decode to return a string
       const jwt = require('jsonwebtoken');
       jest.spyOn(jwt, 'decode').mockReturnValue('string-token');
 
@@ -148,7 +146,6 @@ describe('JwtAuthService', () => {
 
       await service.initializeJwksClient();
 
-      // Mock jwt.decode to return object without kid
       const jwt = require('jsonwebtoken');
       jest.spyOn(jwt, 'decode').mockReturnValue({
         header: {},
@@ -175,14 +172,12 @@ describe('JwtAuthService', () => {
 
       await service.initializeJwksClient();
 
-      // Mock jwt.decode
       const jwt = require('jsonwebtoken');
       jest.spyOn(jwt, 'decode').mockReturnValue({
         header: { kid: 'key-id-123' },
         payload: {},
       });
 
-      // Mock jwksClient.getSigningKey to throw
       const mockJwksClient = (service as any).jwksClient;
       jest.spyOn(mockJwksClient, 'getSigningKey').mockRejectedValue(new Error('Key not found'));
 
@@ -206,7 +201,6 @@ describe('JwtAuthService', () => {
 
       await service.initializeJwksClient();
 
-      // Mock jwt operations
       const jwt = require('jsonwebtoken');
       const mockPayload = {
         sub: 'user-123',
@@ -283,7 +277,6 @@ describe('JwtAuthService', () => {
       const result = await serviceWithoutIssuerAudience.validateToken('valid-token');
 
       expect(result.valid).toBe(true);
-      // Check the last call (this test's call) doesn't have issuer/audience
       const lastCall = verifySpy.mock.calls[verifySpy.mock.calls.length - 1];
       expect(lastCall[2]).not.toHaveProperty('issuer');
       expect(lastCall[2]).not.toHaveProperty('audience');
@@ -458,7 +451,6 @@ describe('JwtAuthService', () => {
       const mockResponse: AxiosResponse = {
         data: {
           issuer: 'https://auth.example.com',
-          // no jwks_uri
         },
         status: 200,
         statusText: 'OK',
@@ -524,7 +516,6 @@ describe('JwtAuthService', () => {
 
       await serviceWithCacheDuration.initializeJwksClient();
 
-      // Verify service initialized successfully with custom cache duration
       expect((serviceWithCacheDuration as any).jwksClient).toBeDefined();
       expect(mockLogger.info).toHaveBeenCalledWith(
         'JWKS client initialized successfully',
@@ -545,7 +536,6 @@ describe('JwtAuthService', () => {
         mockLogger,
       );
 
-      // Service should be created without error
       expect(serviceWithDefaults).toBeDefined();
     });
 

package/src/jwt-auth.service.ts

@@ -120,7 +120,6 @@ export class JwtAuthService implements OnModuleInit {
     }
 
     try {
-      // Decode the token header to get the key ID (kid)
       const decoded = jwt.decode(token, { complete: true });
 
       if (!decoded || typeof decoded === 'string') {
@@ -138,7 +137,6 @@ export class JwtAuthService implements OnModuleInit {
         };
       }
 
-      // Get the signing key from JWKS
       let signingKey: SigningKey;
       try {
         signingKey = await this.jwksClient.getSigningKey(kid);
@@ -151,7 +149,6 @@ export class JwtAuthService implements OnModuleInit {
 
       const publicKey = signingKey.getPublicKey();
 
-      // Verify the token
       const verifyOptions: jwt.VerifyOptions = {
         algorithms: (this.config.algorithms as jwt.Algorithm[]) ?? ['RS256'],
       };