npm - @drax/identity-back - Versions diffs - 3.14.0 → 3.15.0 - Mend

@drax/identity-back 3.14.0 → 3.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/src/services/UserService.ts CHANGED Viewed

@@ -11,12 +11,20 @@ import {AbstractService} from "@drax/crud-back";
 import {randomUUID} from "crypto"
 import UserLoginFailServiceFactory from "../factory/UserLoginFailServiceFactory.js";
 import UserSessionServiceFactory from "../factory/UserSessionServiceFactory.js";
+import type PasswordPolicyService from "./PasswordPolicyService";
+import PasswordPolicyServiceFactory from "../factory/PasswordPolicyServiceFactory.js";
+import type UserPasswordHistoryService from "./UserPasswordHistoryService.js";
+import UserPasswordHistoryServiceFactory from "../factory/UserPasswordHistoryServiceFactory.js";
 class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
     _repository: IUserRepository
-    constructor(userRepository: IUserRepository) {
+    constructor(
+        userRepository: IUserRepository,
+        private readonly passwordPolicyService: PasswordPolicyService = PasswordPolicyServiceFactory(),
+        private readonly userPasswordHistoryService: UserPasswordHistoryService = UserPasswordHistoryServiceFactory()
+    ) {
         super(userRepository, UserBaseSchema);
         this._repository = userRepository;
     }
@@ -75,7 +83,7 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
         user = await this.findByEmail(email)
         if (!user && createIfNotFound) {
-            userData.password = userData.password ? userData.password : randomUUID()
+            userData.password = userData.password ? userData.password : await this.passwordPolicyService.generateCompatiblePassword()
             userData.active = userData.active === undefined ? true : userData.active
             user = await this.create(userData)
         }
@@ -105,8 +113,14 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
     async changeUserPassword(userId: string, newPassword: string):Promise<IUser> {
         const user = await this._repository.findByIdWithPassword(userId)
         if (user) {
-            newPassword = AuthUtils.hashPassword(newPassword)
-            await this._repository.changePassword(userId, newPassword)
+            await this.passwordPolicyService.validatePassword(newPassword,  {
+                field: 'newPassword',
+                userId,
+                currentPasswordHash: user.password
+            })
+            const newPasswordHash = AuthUtils.hashPassword(newPassword)
+            await this._repository.changePassword(userId, newPasswordHash)
+            await this.userPasswordHistoryService.create(userId, newPasswordHash)
             delete user.password
             return user
         } else {
@@ -124,8 +138,14 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
             }
             if (AuthUtils.checkPassword(currentPassword, user.password)) {
-                newPassword = AuthUtils.hashPassword(newPassword)
-                await this._repository.changePassword(userId, newPassword)
+                await this.passwordPolicyService.validatePassword(newPassword,  {
+                    field: 'newPassword',
+                    userId,
+                    currentPasswordHash: user.password
+                })
+                const newPasswordHash = AuthUtils.hashPassword(newPassword)
+                await this._repository.changePassword(userId, newPasswordHash)
+                await this.userPasswordHistoryService.create(userId, newPasswordHash)
                 delete user.password
                 return user
             } else {
@@ -167,8 +187,14 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
         try {
             const user = await this._repository.findByRecoveryCode(recoveryCode)
             if (user && user.active) {
-                newPassword = AuthUtils.hashPassword(newPassword)
-                await this._repository.changePassword(user._id, newPassword)
+                await this.passwordPolicyService.validatePassword(newPassword, {
+                    field: 'newPassword',
+                    userId: user._id.toString(),
+                    currentPasswordHash: user.password
+                })
+                const newPasswordHash = AuthUtils.hashPassword(newPassword)
+                await this._repository.changePassword(user._id, newPasswordHash)
+                await this.userPasswordHistoryService.create(user._id.toString(), newPasswordHash)
                 await this._repository.updatePartial(user._id, {recoveryCode: null})
                 return user
             } else {
@@ -237,10 +263,13 @@ class UserService extends AbstractService<IUser, IUserCreate, IUserUpdate> {
             userData.tenant = userData.tenant === "" ? null : userData.tenant
             await UserCreateSchema.parseAsync(userData)
+            await this.passwordPolicyService.validatePassword(userData.password)
-            userData.password = AuthUtils.hashPassword(userData.password.trim())
+            const passwordHash = AuthUtils.hashPassword(userData.password.trim())
+            userData.password = passwordHash
             const user: IUser = await this._repository.create(userData)
+            await this.userPasswordHistoryService.create(user._id.toString(), passwordHash)
             return user
         } catch (e) {
             console.error("Error creating user", e)

package/src/setup/LoadIdentityConfigFromEnv.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import {DraxConfig} from "@drax/common-back";
 import IdentityConfig from "../config/IdentityConfig.js";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
 function LoadIdentityConfigFromEnv() {
@@ -10,6 +11,16 @@ function LoadIdentityConfigFromEnv() {
     DraxConfig.set(IdentityConfig.RbacCacheTTL, process.env[IdentityConfig.RbacCacheTTL])
     DraxConfig.set(IdentityConfig.AvatarDir, process.env[IdentityConfig.AvatarDir])
+    DraxConfig.set(PasswordPolicyConfig.MinLength, process.env[PasswordPolicyConfig.MinLength])
+    DraxConfig.set(PasswordPolicyConfig.MaxLength, process.env[PasswordPolicyConfig.MaxLength])
+    DraxConfig.set(PasswordPolicyConfig.RequireUppercase, process.env[PasswordPolicyConfig.RequireUppercase])
+    DraxConfig.set(PasswordPolicyConfig.RequireLowercase, process.env[PasswordPolicyConfig.RequireLowercase])
+    DraxConfig.set(PasswordPolicyConfig.RequireNumber, process.env[PasswordPolicyConfig.RequireNumber])
+    DraxConfig.set(PasswordPolicyConfig.RequireSpecialChar, process.env[PasswordPolicyConfig.RequireSpecialChar])
+    DraxConfig.set(PasswordPolicyConfig.DisallowSpaces, process.env[PasswordPolicyConfig.DisallowSpaces])
+    DraxConfig.set(PasswordPolicyConfig.PreventReuse, process.env[PasswordPolicyConfig.PreventReuse])
+    DraxConfig.set(PasswordPolicyConfig.ExpirationDays, process.env[PasswordPolicyConfig.ExpirationDays])
 }
 export default LoadIdentityConfigFromEnv

package/src/setup/SetProjectPasswordPolicy.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type {IPasswordPolicyProject} from "@drax/identity-share";
+import PasswordPolicyResolverFactory from "../factory/PasswordPolicyResolverFactory.js";
+function SetProjectPasswordPolicy(projectPasswordPolicy: IPasswordPolicyProject){
+    const passwordPolicyResolver = PasswordPolicyResolverFactory()
+    passwordPolicyResolver.setProjectPolicy(projectPasswordPolicy)
+}
+export default SetProjectPasswordPolicy
+export {SetProjectPasswordPolicy}

package/src/utils/PasswordPolicySchemaFactory.ts ADDED Viewed

@@ -0,0 +1,47 @@
+import z from "zod";
+import type {IPasswordPolicy} from "@drax/identity-share";
+class PasswordPolicySchemaFactory {
+    private static cache = new Map<string, z.ZodType<string>>()
+    static create(policy: IPasswordPolicy): z.ZodType<string> {
+        const cacheKey = JSON.stringify(policy)
+        const cached = this.cache.get(cacheKey)
+        if (cached) {
+            return cached
+        }
+        let schema = z.string({error: "validation.required"})
+            .min(1, "validation.required")
+            .min(policy.minLength, "validation.password.minLength")
+            .max(policy.maxLength, "validation.password.maxLength")
+        if (policy.requireUppercase) {
+            schema = schema.regex(/[A-Z]/, "validation.password.requireUppercase")
+        }
+        if (policy.requireLowercase) {
+            schema = schema.regex(/[a-z]/, "validation.password.requireLowercase")
+        }
+        if (policy.requireNumber) {
+            schema = schema.regex(/[0-9]/, "validation.password.requireNumber")
+        }
+        if (policy.requireSpecialChar) {
+            schema = schema.regex(/[^A-Za-z0-9]/, "validation.password.requireSpecialChar")
+        }
+        if (policy.disallowSpaces) {
+            schema = schema.refine((value) => !/\s/.test(value), {
+                message: "validation.password.disallowSpaces"
+            })
+        }
+        this.cache.set(cacheKey, schema)
+        return schema
+    }
+}
+export default PasswordPolicySchemaFactory
+export {PasswordPolicySchemaFactory}

package/src/utils/getPasswordEnvPolicy.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type {IPasswordPolicy} from "@drax/identity-share";
+import {DraxConfig} from "@drax/common-back";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
+import {PartialPasswordPolicySchema} from "../schemas/PasswordPolicySchema.js";
+function getPasswordEnvPolicy(): Partial<IPasswordPolicy> {
+    const envPolicy = {
+        minLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MinLength, "number"),
+        maxLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MaxLength, "number"),
+        requireUppercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireUppercase, "boolean"),
+        requireLowercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireLowercase, "boolean"),
+        requireNumber: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireNumber, "boolean"),
+        requireSpecialChar: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireSpecialChar, "boolean"),
+        disallowSpaces: DraxConfig.getOrLoad(PasswordPolicyConfig.DisallowSpaces, "boolean"),
+        preventReuse: DraxConfig.getOrLoad(PasswordPolicyConfig.PreventReuse, "number"),
+        expirationDays: DraxConfig.getOrLoad(PasswordPolicyConfig.ExpirationDays, "number")
+    }
+    return PartialPasswordPolicySchema.parse(
+        Object.fromEntries(Object.entries(envPolicy).filter(([, value]) => value !== undefined))
+    )
+}
+export default getPasswordEnvPolicy
+export {getPasswordEnvPolicy}

package/test/data-obj/users/root-mongo-user.ts CHANGED Viewed

@@ -6,7 +6,7 @@ const user = {
   groups: [],
   username:  "root",
   email: "root@example.com",
-  password: "12345678",
+  password: "Root1234",
   name: "root",
   phone: "123456789",
   role: "646a661e44c93567c23d8d62",

package/test/data-obj/users/root-sqlite-user.ts CHANGED Viewed

@@ -6,7 +6,7 @@ const user = {
   groups: [],
   username:  "root",
   email: "root@example.com",
-  password: "123",
+  password: "Root1234",
   name: "root",
   phone: "123456789",
   avatar: "asd",

package/test/endpoints/data/users-data.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import {IUserCreate} from "@drax/identity-share";
 const USER1: IUserCreate = {
     active: true,
-    password: "12345678",
+    password: "User1234",
     phone: "",
     role: "",
     name: "John Wick",
@@ -11,7 +11,7 @@ const USER1: IUserCreate = {
 }
 const USER2: IUserCreate = {
     active: true,
-    password: "12345678",
+    password: "User1234",
     phone: "",
     role: "",
     name: "John Rambo",
@@ -20,7 +20,7 @@ const USER2: IUserCreate = {
 }
 const USER3: IUserCreate = {
     active: true,
-    password: "12345678",
+    password: "User1234",
     phone: "",
     role: "",
     name: "John Depp",

package/test/endpoints/password-policy-route.test.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import {afterAll, beforeAll, describe, expect, it} from "vitest";
+import {LoadIdentityConfigFromEnv} from "../../src/setup/LoadIdentityConfigFromEnv.js";
+import {TestSetup} from "../setup/TestSetup";
+describe("Password Policy Route Test", () => {
+    const testSetup = new TestSetup("sqlite")
+    beforeAll(async () => {
+        await testSetup.setup()
+        process.env.PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR = "true"
+        process.env.PASSWORD_POLICY_MIN_LENGTH = "18"
+        LoadIdentityConfigFromEnv()
+    })
+    afterAll(async () => {
+        delete process.env.PASSWORD_POLICY_MIN_LENGTH
+        delete process.env.PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR
+        await testSetup.dropAndClose()
+    })
+    it("returns the final effective policy", async () => {
+        const response = await testSetup.fastifyInstance.inject({
+            method: "GET",
+            url: "/api/auth/password-policy"
+        })
+        expect(response.statusCode).toBe(200)
+        const body = response.json()
+        expect(body.minLength).toBe(18)
+        expect(body.requireSpecialChar).toBe(true)
+        expect(body.requireUppercase).toBe(true)
+    })
+})

package/test/endpoints/user-route.test.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import {USER1} from "./data/users-data"
 describe("User Route Test", async function () {
-    let testSetup = new TestSetup()
+    let testSetup = new TestSetup("sqlite")
     beforeAll(async () => {
         await testSetup.setup()
@@ -91,7 +91,7 @@ describe("User Route Test", async function () {
         const items = await getResp.json();
         expect(getResp.statusCode).toBe(200);
-        expect(items[0].name).toBe(USER1.name);
+        expect(items.some((item) => item._id === result._id && item.name === USER1.name)).toBe(true);
     })
@@ -123,7 +123,7 @@ describe("User Route Test", async function () {
         const respPassword = await testSetup.fastifyInstance.inject({
             method: 'POST',
             url: '/api/users/password/change',
-            payload: {currentPassword: "basic.123", newPassword: "newpass"},
+            payload: {currentPassword: "Basic1234", newPassword: "Newpass123"},
             headers: {Authorization: `Bearer ${accessToken}`}
         });
@@ -141,7 +141,7 @@ describe("User Route Test", async function () {
         const respPassword = await testSetup.fastifyInstance.inject({
             method: 'POST',
             url: '/api/users/password/change/'+testSetup.rootUser._id,
-            payload: {currentPassword: "root.123", newPassword: "newpass"},
+            payload: {currentPassword: "Root1234", newPassword: "Newpass123"},
             headers: {Authorization: `Bearer ${accessToken}`}
         });
@@ -152,5 +152,18 @@ describe("User Route Test", async function () {
     })
+    it("should return effective password policy", async () => {
+        const resp = await testSetup.fastifyInstance.inject({
+            method: 'GET',
+            url: '/api/auth/password-policy',
+        });
+        const result = await resp.json();
+        expect(resp.statusCode).toBe(200);
+        expect(result.minLength).toBe(8);
+        expect(result.requireUppercase).toBe(true);
+        expect(result.preventReuse).toBe(3);
+    })
 })

package/test/security/password-policy-resolver.test.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import {afterEach, describe, expect, it} from "vitest";
+import {DraxConfig} from "@drax/common-back";
+import PasswordPolicyResolver from "../../src/resolver/PasswordPolicyResolver.js";
+import PasswordPolicyConfig from "../../src/config/PasswordPolicyConfig.js";
+describe("PasswordPolicyResolver", () => {
+    afterEach(() => {
+        delete process.env.PASSWORD_POLICY_MIN_LENGTH
+        delete process.env.PASSWORD_POLICY_MAX_LENGTH
+        delete process.env.PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR
+        DraxConfig.set(PasswordPolicyConfig.MinLength, undefined)
+        DraxConfig.set(PasswordPolicyConfig.MaxLength, undefined)
+        DraxConfig.set(PasswordPolicyConfig.RequireSpecialChar, undefined)
+    })
+    it("uses default policy when there are no overrides", async () => {
+        const resolver = new PasswordPolicyResolver()
+        const policy = await resolver.resolve()
+        expect(policy.minLength).toBe(8)
+        expect(policy.maxLength).toBe(64)
+        expect(policy.requireUppercase).toBe(true)
+    })
+    it("project policy overrides default policy", async () => {
+        const resolver = new PasswordPolicyResolver()
+        resolver.setProjectPolicy({minLength: 12, requireUppercase: false, requireSpecialChar: true})
+        const policy = await resolver.resolve()
+        expect(policy.minLength).toBe(12)
+        expect(policy.requireSpecialChar).toBe(true)
+        expect(policy.requireUppercase).toBe(false)
+    })
+    it("env policy overrides project policy", async () => {
+        process.env.PASSWORD_POLICY_MIN_LENGTH = "16"
+        process.env.PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR = "false"
+        const resolver = new PasswordPolicyResolver()
+        const policy = await resolver.resolve()
+        expect(policy.minLength).toBe(16)
+        expect(policy.requireSpecialChar).toBe(false)
+    })
+    it("ignores undefined env overrides", async () => {
+        process.env.PASSWORD_POLICY_MIN_LENGTH = ""
+        const resolver = new PasswordPolicyResolver()
+        resolver.setProjectPolicy({minLength: 14})
+        const policy = await resolver.resolve()
+        expect(policy.minLength).toBe(14)
+    })
+})

package/test/security/password-policy-schema-factory.test.ts ADDED Viewed

@@ -0,0 +1,40 @@
+import {describe, expect, it} from "vitest";
+import PasswordPolicySchemaFactory from "../../src/utils/PasswordPolicySchemaFactory.js";
+import {defaultPasswordPolicy} from "../../src/policies/defaultPasswordPolicy.js";
+describe("PasswordPolicySchemaFactory", () => {
+    it("validates minLength", async () => {
+        const schema = PasswordPolicySchemaFactory.create(defaultPasswordPolicy)
+        await expect(schema.parseAsync("Abc1234")).rejects.toThrow()
+    })
+    it("validates maxLength", async () => {
+        const schema = PasswordPolicySchemaFactory.create({...defaultPasswordPolicy, maxLength: 8})
+        await expect(schema.parseAsync("Abcd12345")).rejects.toThrow()
+    })
+    it("validates uppercase", async () => {
+        const schema = PasswordPolicySchemaFactory.create(defaultPasswordPolicy)
+        await expect(schema.parseAsync("lowercase1")).rejects.toThrow()
+    })
+    it("validates lowercase", async () => {
+        const schema = PasswordPolicySchemaFactory.create(defaultPasswordPolicy)
+        await expect(schema.parseAsync("UPPERCASE1")).rejects.toThrow()
+    })
+    it("validates number", async () => {
+        const schema = PasswordPolicySchemaFactory.create(defaultPasswordPolicy)
+        await expect(schema.parseAsync("NoNumbers")).rejects.toThrow()
+    })
+    it("validates specialChar", async () => {
+        const schema = PasswordPolicySchemaFactory.create({...defaultPasswordPolicy, requireSpecialChar: true})
+        await expect(schema.parseAsync("NoSpecial1")).rejects.toThrow()
+    })
+    it("validates disallowSpaces", async () => {
+        const schema = PasswordPolicySchemaFactory.create(defaultPasswordPolicy)
+        await expect(schema.parseAsync("Space 123A")).rejects.toThrow()
+    })
+})