@draftlab/auth 0.15.1 → 0.16.0

package/dist/esm/provider/password.js

@@ -0,0 +1,331 @@
+// src/provider/password.ts
+import { UnknownStateError } from "../error";
+import { generateUnbiasedDigits, timingSafeCompare } from "../random";
+import { Storage } from "../storage/storage";
+import { getRelativeUrl } from "../util";
+import { TextEncoder } from "node:util";
+import * as jose from "jose";
+import { randomBytes, scrypt, timingSafeEqual } from "node:crypto";
+var PasswordProvider = (config) => {
+  const hasher = config.hasher ?? ScryptHasher();
+  const generateCode = () => {
+    return generateUnbiasedDigits(config.length ?? 6);
+  };
+  return {
+    type: "password",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => ctx.forward(c, await config.login(c.req.raw)));
+      routes.post("/authorize", async (c) => {
+        const formData = await c.req.formData();
+        const error = async (err) => {
+          return ctx.forward(c, await config.login(c.req.raw, formData, err));
+        };
+        const email = formData.get("email")?.toString()?.toLowerCase();
+        if (!email) {
+          return error({ type: "invalid_email" });
+        }
+        const storedHash = await Storage.get(ctx.storage, [
+          "email",
+          email,
+          "password"
+        ]);
+        const password = formData.get("password")?.toString();
+        if (!(password && storedHash && await hasher.verify(password, storedHash))) {
+          return error({ type: "invalid_password" });
+        }
+        return ctx.success(c, { email }, {
+          invalidate: async (subject) => {
+            await Storage.set(ctx.storage, ["email", email, "subject"], subject);
+          }
+        });
+      });
+      routes.get("/register", async (c) => {
+        const state = { type: "start" };
+        await ctx.set(c, "provider", 60 * 60 * 24, state);
+        return ctx.forward(c, await config.register(c.req.raw, state));
+      });
+      routes.post("/register", async (c) => {
+        const formData = await c.req.formData();
+        const email = formData.get("email")?.toString()?.toLowerCase();
+        const action = formData.get("action")?.toString();
+        let provider = await ctx.get(c, "provider");
+        if (!provider) {
+          const state = { type: "start" };
+          await ctx.set(c, "provider", 60 * 60 * 24, state);
+          if (action === "register") {
+            provider = state;
+          } else {
+            return ctx.forward(c, await config.register(c.req.raw, state));
+          }
+        }
+        const transition = async (next, err) => {
+          await ctx.set(c, "provider", 60 * 60 * 24, next);
+          return ctx.forward(c, await config.register(c.req.raw, next, formData, err));
+        };
+        if (action === "register" && provider.type === "start") {
+          const password = formData.get("password")?.toString();
+          const repeat = formData.get("repeat")?.toString();
+          if (!email) {
+            return transition(provider, { type: "invalid_email" });
+          }
+          if (!password) {
+            return transition(provider, { type: "invalid_password" });
+          }
+          if (password !== repeat) {
+            return transition(provider, { type: "password_mismatch" });
+          }
+          if (config.validatePassword) {
+            let validationError;
+            try {
+              if (typeof config.validatePassword === "function") {
+                validationError = await config.validatePassword(password);
+              } else {
+                const result = await config.validatePassword["~standard"].validate(password);
+                if (result.issues?.length) {
+                  throw new Error(result.issues.map((issue) => issue.message).join(", "));
+                }
+              }
+            } catch (error) {
+              validationError = error instanceof Error ? error.message : undefined;
+            }
+            if (validationError) {
+              return transition(provider, {
+                type: "validation_error",
+                message: validationError
+              });
+            }
+          }
+          const existingUser = await Storage.get(ctx.storage, ["email", email, "password"]);
+          if (existingUser) {
+            return transition(provider, { type: "email_taken" });
+          }
+          const code = generateCode();
+          await config.sendCode(email, code, "register");
+          return transition({
+            type: "code",
+            code,
+            password: await hasher.hash(password),
+            email
+          });
+        }
+        if (action === "register" && provider.type === "code") {
+          const code = generateCode();
+          await config.sendCode(provider.email, code, "register:resend");
+          return transition({
+            type: "code",
+            code,
+            password: provider.password,
+            email: provider.email
+          });
+        }
+        if (action === "verify" && provider.type === "code") {
+          const code = formData.get("code")?.toString();
+          if (!(code && timingSafeCompare(code, provider.code))) {
+            return transition(provider, { type: "invalid_code" });
+          }
+          const existingUser = await Storage.get(ctx.storage, [
+            "email",
+            provider.email,
+            "password"
+          ]);
+          if (existingUser) {
+            return transition({ type: "start" }, { type: "email_taken" });
+          }
+          await Storage.set(ctx.storage, ["email", provider.email, "password"], provider.password);
+          return ctx.success(c, { email: provider.email });
+        }
+        return transition({ type: "start" });
+      });
+      routes.get("/change", async (c) => {
+        const redirect = c.req.query("redirect_uri") || getRelativeUrl(c, "./authorize");
+        const state = {
+          type: "start",
+          redirect
+        };
+        await ctx.set(c, "provider", 60 * 60 * 24, state);
+        return ctx.forward(c, await config.change(c.req.raw, state));
+      });
+      routes.post("/change", async (c) => {
+        const formData = await c.req.formData();
+        const action = formData.get("action")?.toString();
+        const provider = await ctx.get(c, "provider");
+        if (!provider) {
+          throw new UnknownStateError;
+        }
+        const transition = async (next, err) => {
+          await ctx.set(c, "provider", 60 * 60 * 24, next);
+          return ctx.forward(c, await config.change(c.req.raw, next, formData, err));
+        };
+        if (action === "code") {
+          const email = formData.get("email")?.toString()?.toLowerCase();
+          if (!email) {
+            return transition({ type: "start", redirect: provider.redirect }, { type: "invalid_email" });
+          }
+          const existingPassword = await Storage.get(ctx.storage, ["email", email, "password"]);
+          if (!existingPassword) {
+            return transition({ type: "start", redirect: provider.redirect }, { type: "invalid_email" });
+          }
+          const code = generateCode();
+          const context = provider.type === "code" && provider.email === email ? "reset:resend" : "reset";
+          await config.sendCode(email, code, context);
+          return transition({
+            type: "code",
+            code,
+            email,
+            redirect: provider.redirect
+          });
+        }
+        if (action === "verify" && provider.type === "code") {
+          const code = formData.get("code")?.toString();
+          if (!(code && timingSafeCompare(code, provider.code))) {
+            return transition(provider, { type: "invalid_code" });
+          }
+          return transition({
+            type: "update",
+            email: provider.email,
+            redirect: provider.redirect
+          });
+        }
+        if (action === "update" && provider.type === "update") {
+          const existingPassword = await Storage.get(ctx.storage, [
+            "email",
+            provider.email,
+            "password"
+          ]);
+          if (!existingPassword) {
+            return c.redirect(provider.redirect, 302);
+          }
+          const password = formData.get("password")?.toString();
+          const repeat = formData.get("repeat")?.toString();
+          if (!password) {
+            return transition(provider, { type: "invalid_password" });
+          }
+          if (!repeat) {
+            return transition(provider, { type: "invalid_password" });
+          }
+          if (password !== repeat) {
+            return transition(provider, { type: "password_mismatch" });
+          }
+          if (config.validatePassword) {
+            let validationError;
+            try {
+              if (typeof config.validatePassword === "function") {
+                validationError = await config.validatePassword(password);
+              } else {
+                const result = await config.validatePassword["~standard"].validate(password);
+                if (result.issues?.length) {
+                  throw new Error(result.issues.map((issue) => issue.message).join(", "));
+                }
+              }
+            } catch (error) {
+              validationError = error instanceof Error ? error.message : undefined;
+            }
+            if (validationError) {
+              return transition(provider, {
+                type: "validation_error",
+                message: validationError
+              });
+            }
+          }
+          await Storage.set(ctx.storage, ["email", provider.email, "password"], await hasher.hash(password));
+          const subject = await Storage.get(ctx.storage, [
+            "email",
+            provider.email,
+            "subject"
+          ]);
+          if (subject) {
+            await ctx.invalidate(subject);
+          }
+          return c.redirect(provider.redirect, 302);
+        }
+        return transition({ type: "start", redirect: provider.redirect });
+      });
+    }
+  };
+};
+var PBKDF2Hasher = (opts) => {
+  const iterations = opts?.iterations ?? 600000;
+  return {
+    async hash(password) {
+      const encoder = new TextEncoder;
+      const passwordBytes = encoder.encode(password);
+      const salt = crypto.getRandomValues(new Uint8Array(16));
+      const keyMaterial = await crypto.subtle.importKey("raw", passwordBytes, "PBKDF2", false, ["deriveBits"]);
+      const hashBuffer = await crypto.subtle.deriveBits({
+        name: "PBKDF2",
+        hash: "SHA-256",
+        salt,
+        iterations
+      }, keyMaterial, 256);
+      const hashBase64 = jose.base64url.encode(new Uint8Array(hashBuffer));
+      const saltBase64 = jose.base64url.encode(salt);
+      return {
+        hash: hashBase64,
+        salt: saltBase64,
+        iterations
+      };
+    },
+    async verify(password, compare) {
+      const encoder = new TextEncoder;
+      const passwordBytes = encoder.encode(password);
+      const salt = jose.base64url.decode(compare.salt);
+      const keyMaterial = await crypto.subtle.importKey("raw", passwordBytes, "PBKDF2", false, ["deriveBits"]);
+      const hashBuffer = await crypto.subtle.deriveBits({
+        name: "PBKDF2",
+        hash: "SHA-256",
+        salt,
+        iterations: compare.iterations
+      }, keyMaterial, 256);
+      const hashBase64 = jose.base64url.encode(new Uint8Array(hashBuffer));
+      return timingSafeCompare(hashBase64, compare.hash);
+    }
+  };
+};
+var ScryptHasher = (opts) => {
+  const N = opts?.N ?? 16384;
+  const r = opts?.r ?? 8;
+  const p = opts?.p ?? 1;
+  return {
+    async hash(password) {
+      const salt = randomBytes(16);
+      const keyLength = 32;
+      const derivedKey = await new Promise((resolve, reject) => {
+        scrypt(password, salt, keyLength, { N, r, p }, (err, derivedKey2) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(derivedKey2);
+          }
+        });
+      });
+      const hashBase64 = derivedKey.toString("base64");
+      const saltBase64 = salt.toString("base64");
+      return {
+        hash: hashBase64,
+        salt: saltBase64,
+        N,
+        r,
+        p
+      };
+    },
+    async verify(password, compare) {
+      const salt = Buffer.from(compare.salt, "base64");
+      const keyLength = 32;
+      const derivedKey = await new Promise((resolve, reject) => {
+        scrypt(password, salt, keyLength, { N: compare.N, r: compare.r, p: compare.p }, (err, derivedKey2) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(derivedKey2);
+          }
+        });
+      });
+      return timingSafeEqual(derivedKey, Buffer.from(compare.hash, "base64"));
+    }
+  };
+};
+export {
+  ScryptHasher,
+  PasswordProvider,
+  PBKDF2Hasher
+};

package/dist/esm/provider/provider.js

@@ -0,0 +1,18 @@
+// src/provider/provider.ts
+class ProviderError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ProviderError";
+  }
+}
+
+class ProviderUnknownError extends ProviderError {
+  constructor(message) {
+    super(message || "An unknown provider error occurred");
+    this.name = "ProviderUnknownError";
+  }
+}
+export {
+  ProviderUnknownError,
+  ProviderError
+};

package/dist/esm/provider/reddit.js

@@ -0,0 +1,15 @@
+// src/provider/reddit.ts
+import { Oauth2Provider } from "./oauth2";
+var RedditProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "reddit",
+    endpoint: {
+      authorization: "https://www.reddit.com/api/v1/authorize",
+      token: "https://www.reddit.com/api/v1/access_token"
+    }
+  });
+};
+export {
+  RedditProvider
+};

package/dist/esm/provider/slack.js

@@ -0,0 +1,15 @@
+// src/provider/slack.ts
+import { Oauth2Provider } from "./oauth2";
+var SlackProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "slack",
+    endpoint: {
+      authorization: "https://slack.com/oauth/v2/authorize",
+      token: "https://slack.com/api/oauth.v2.access"
+    }
+  });
+};
+export {
+  SlackProvider
+};

package/dist/esm/provider/spotify.js

@@ -0,0 +1,15 @@
+// src/provider/spotify.ts
+import { Oauth2Provider } from "./oauth2";
+var SpotifyProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "spotify",
+    endpoint: {
+      authorization: "https://accounts.spotify.com/authorize",
+      token: "https://accounts.spotify.com/api/token"
+    }
+  });
+};
+export {
+  SpotifyProvider
+};

package/dist/esm/provider/twitch.js

@@ -0,0 +1,15 @@
+// src/provider/twitch.ts
+import { Oauth2Provider } from "./oauth2";
+var TwitchProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "twitch",
+    endpoint: {
+      authorization: "https://id.twitch.tv/oauth2/authorize",
+      token: "https://id.twitch.tv/oauth2/token"
+    }
+  });
+};
+export {
+  TwitchProvider
+};

package/dist/esm/provider/vercel.js

@@ -0,0 +1,17 @@
+// src/provider/vercel.ts
+import { Oauth2Provider } from "./oauth2";
+var VercelProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "vercel",
+    endpoint: {
+      authorization: "https://vercel.com/oauth/authorize",
+      token: "https://api.vercel.com/login/oauth/token",
+      jwks: "https://vercel.com/.well-known/jwks.json"
+    },
+    pkce: true
+  });
+};
+export {
+  VercelProvider
+};

package/dist/esm/random.js

@@ -0,0 +1,40 @@
+// src/random.ts
+import { timingSafeEqual } from "node:crypto";
+var generateSecureToken = (length = 32) => {
+  if (length <= 0 || !Number.isInteger(length)) {
+    throw new RangeError("Token length must be a positive integer");
+  }
+  const randomBytes = new Uint8Array(length);
+  crypto.getRandomValues(randomBytes);
+  const base64 = btoa(String.fromCharCode.apply(null, Array.from(randomBytes)));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+};
+var generateUnbiasedDigits = (length) => {
+  if (length <= 0 || !Number.isInteger(length)) {
+    throw new RangeError("Length must be a positive integer");
+  }
+  const result = [];
+  while (result.length < length) {
+    const buffer = crypto.getRandomValues(new Uint8Array(length * 2));
+    for (const byte of buffer) {
+      if (byte < 250 && result.length < length) {
+        result.push(byte % 10);
+      }
+    }
+  }
+  return result.join("");
+};
+var timingSafeCompare = (a, b) => {
+  if (typeof a !== "string" || typeof b !== "string") {
+    return false;
+  }
+  if (a.length !== b.length) {
+    return false;
+  }
+  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+};
+export {
+  timingSafeCompare,
+  generateUnbiasedDigits,
+  generateSecureToken
+};

package/dist/esm/revocation.js

@@ -0,0 +1,27 @@
+// src/revocation.ts
+import { createHash } from "node:crypto";
+import { Storage } from "./storage/storage";
+var hashToken = (token) => {
+  return createHash("sha256").update(token).digest("hex");
+};
+var Revocation = {
+  revoke: async (storage, token, expiresAt) => {
+    const hash = hashToken(token);
+    const key = ["revocation:token", hash];
+    const record = {
+      revokedAt: Date.now(),
+      expiresAt
+    };
+    const ttlSeconds = Math.ceil((expiresAt - Date.now()) / 1000);
+    await Storage.set(storage, key, record, Math.max(1, ttlSeconds));
+  },
+  isRevoked: async (storage, token) => {
+    const hash = hashToken(token);
+    const key = ["revocation:token", hash];
+    const record = await Storage.get(storage, key);
+    return !!record;
+  }
+};
+export {
+  Revocation
+};

package/dist/esm/storage/memory.js

@@ -0,0 +1,110 @@
+// src/storage/memory.ts
+import { existsSync, readFileSync } from "node:fs";
+import { writeFile } from "node:fs/promises";
+import { joinKey, splitKey } from "./storage";
+var MemoryStorage = (options) => {
+  const store = [];
+  const isValidStoreData = (data) => {
+    return Array.isArray(data) && data.every((item) => Array.isArray(item) && item.length === 2 && typeof item[0] === "string" && typeof item[1] === "object" && item[1] !== null && ("value" in item[1]));
+  };
+  if (options?.persist && existsSync(options.persist)) {
+    try {
+      const fileContent = readFileSync(options.persist, "utf8");
+      const parsed = JSON.parse(fileContent);
+      if (isValidStoreData(parsed)) {
+        store.push(...parsed);
+      }
+    } catch {}
+  }
+  const save = async () => {
+    if (!options?.persist) {
+      return;
+    }
+    try {
+      const serialized = JSON.stringify(store, null, 2);
+      await writeFile(options.persist, serialized, "utf8");
+    } catch {}
+  };
+  const search = (key) => {
+    let left = 0;
+    let right = store.length - 1;
+    while (left <= right) {
+      const mid = Math.floor((left + right) / 2);
+      const midEntry = store[mid];
+      if (!midEntry) {
+        return { found: false, index: left };
+      }
+      const comparison = key.localeCompare(midEntry[0]);
+      if (comparison === 0) {
+        return { found: true, index: mid };
+      }
+      if (comparison < 0) {
+        right = mid - 1;
+      } else {
+        left = mid + 1;
+      }
+    }
+    return { found: false, index: left };
+  };
+  return {
+    async get(key) {
+      const searchKey = joinKey(key);
+      const match = search(searchKey);
+      if (!match.found) {
+        return;
+      }
+      const storeEntry = store[match.index];
+      if (!storeEntry) {
+        return;
+      }
+      const entry = storeEntry[1];
+      if (entry.expiry && Date.now() >= entry.expiry) {
+        store.splice(match.index, 1);
+        await save();
+        return;
+      }
+      return entry.value;
+    },
+    async set(key, value, expiry) {
+      const searchKey = joinKey(key);
+      const match = search(searchKey);
+      const entry = [
+        searchKey,
+        {
+          value,
+          expiry: expiry?.getTime()
+        }
+      ];
+      if (match.found) {
+        store[match.index] = entry;
+      } else {
+        store.splice(match.index, 0, entry);
+      }
+      await save();
+    },
+    async remove(key) {
+      const searchKey = joinKey(key);
+      const match = search(searchKey);
+      if (match.found) {
+        store.splice(match.index, 1);
+        await save();
+      }
+    },
+    async* scan(prefix) {
+      const now = Date.now();
+      const prefixStr = joinKey(prefix);
+      for (const [key, entry] of store) {
+        if (!key.startsWith(prefixStr)) {
+          continue;
+        }
+        if (entry.expiry && now >= entry.expiry) {
+          continue;
+        }
+        yield [splitKey(key), entry.value];
+      }
+    }
+  };
+};
+export {
+  MemoryStorage
+};

package/dist/esm/storage/storage.js

@@ -0,0 +1,56 @@
+// src/storage/storage.ts
+var SEPARATOR = String.fromCharCode(31);
+var ESCAPE = "\\";
+var joinKey = (key) => {
+  return key.join(SEPARATOR);
+};
+var splitKey = (key) => {
+  return key.split(SEPARATOR);
+};
+var encodeSegment = (segment) => {
+  if (!segment || !segment.trim()) {
+    throw new Error(`Storage key segment cannot be empty or whitespace-only: "${segment}"`);
+  }
+  return segment.replaceAll(ESCAPE, ESCAPE + ESCAPE).replaceAll(SEPARATOR, ESCAPE + SEPARATOR);
+};
+var decodeSegment = (segment) => {
+  return segment.replaceAll(ESCAPE + SEPARATOR, SEPARATOR).replaceAll(ESCAPE + ESCAPE, ESCAPE);
+};
+var Storage = {
+  encode: (key) => {
+    return key.map(encodeSegment);
+  },
+  decode: (key) => {
+    return key.map(decodeSegment);
+  },
+  get: (adapter, key) => {
+    return adapter.get(Storage.encode(key));
+  },
+  set: (adapter, key, value, ttlSeconds) => {
+    if (ttlSeconds !== undefined && ttlSeconds !== null) {
+      if (!Number.isInteger(ttlSeconds)) {
+        throw new RangeError(`Storage TTL must be an integer in seconds, received ${typeof ttlSeconds}`);
+      }
+      if (ttlSeconds <= 0) {
+        throw new RangeError(`Storage TTL must be positive, received ${ttlSeconds}`);
+      }
+      const maxTtlSeconds = 60 * 60 * 24 * 365 * 10;
+      if (ttlSeconds > maxTtlSeconds) {
+        throw new RangeError(`Storage TTL exceeds maximum (${maxTtlSeconds}s = 10 years), received ${ttlSeconds}s`);
+      }
+    }
+    const expiry = ttlSeconds ? new Date(Date.now() + ttlSeconds * 1000) : undefined;
+    return adapter.set(Storage.encode(key), value, expiry);
+  },
+  remove: (adapter, key) => {
+    return adapter.remove(Storage.encode(key));
+  },
+  scan: (adapter, prefix) => {
+    return adapter.scan(Storage.encode(prefix));
+  }
+};
+export {
+  splitKey,
+  joinKey,
+  Storage
+};