@eduzz/miau-client 1.0.2 → 1.0.3

package/dist/middleware.d.ts

@@ -1,5 +1,5 @@
 import { type RequestHandler, type NextFunction, type Request, type Response } from 'express';
-import type { MiauApplication } from '@eduzz/miau-types';
+import { type MiauApplication } from '@eduzz/miau-types';
 import type { MiauClient } from './MiauClient';
 export type RequestAugmentation<T> = (data: {
     req: Request;

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "@eduzz/miau-client",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "Eduzz Miau Client",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "scripts": {
     "lint": "eslint && tsc --noEmit",
+    "test": "tsx --test src/**/*.test.ts",
     "build": "esbuild src/index.ts --bundle --sourcemap --platform=node --target=es2020 --outfile=dist/index.js",
     "build:types": "tsc --emitDeclarationOnly --outDir dist"
   },
@@ -13,4 +14,4 @@
     "@eduzz/miau-types": "workspace:*",
     "chokidar-cli": "^3.0.0"
   }
-}
+}

package/scripts/should-release.sh

@@ -3,6 +3,16 @@
 set -e
 
 PACKAGE_JSON=$1
+BRANCH_NAME=$2
+RUN_NUMBER=$3
+
+if [[ ! "$BRANCH_NAME" =~ "master" ]]; then
+  echo "Branch is not master, release candidate versioning will be applied."
+  VERSION=$(jq -r .version "$PACKAGE_JSON")
+  VERSION_RC="${VERSION}-rc.${RUN_NUMBER}"
+  jq --arg version "$VERSION_RC" '.version = $version' "$PACKAGE_JSON" > "$PACKAGE_JSON.tmp"
+  mv "$PACKAGE_JSON.tmp" "$PACKAGE_JSON"
+fi
 
 if [ -z "$PACKAGE_JSON" ]; then
   echo "Usage: $0 <package-json-path>"
@@ -19,7 +29,7 @@ REMOTE_VERSION=$(npm view "$NAME" version 2>/dev/null || echo "")
 
 echo "NPM Version: $REMOTE_VERSION"
 
-if [ "$VERSION" = "$REMOTE_VERSION" ] || [ "$(printf '%s\n%s' "$REMOTE_VERSION" "$VERSION" | sort -V | tail -n1)" != "$VERSION" ]; then
+if [ "$VERSION" = "$REMOTE_VERSION" ] || { [[ "$REMOTE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] && [ "$(printf '%s\n%s' "$REMOTE_VERSION" "$VERSION" | sort -V | tail -n1)" != "$VERSION" ]; }; then
   echo "Version already published, skipping..."
   exit 1
 fi

package/src/MiauClient.ts

@@ -4,7 +4,7 @@ import { type RequestHandler } from 'express';
 import jwt from 'jsonwebtoken';
 import { JwksClient } from 'jwks-rsa';
 
-import { type SecretEnv, type Permission, SecretEnvValues } from '@eduzz/miau-types';
+import { type SecretEnv, type Permission, SecretEnvValues, type Resource } from '@eduzz/miau-types';
 
 import { miauMiddleware, type RequestAugmentation } from './middleware';
 
@@ -12,6 +12,8 @@ type MiauClientConfig = { apiUrl: string; appSecret: string; environment: Secret
 type FetchInput = Parameters<typeof fetch>[0];
 type FetchInit = Parameters<typeof fetch>[1];
 
+const requestsCache: Map<string, Promise<{ data: any; headers: Headers }>> = new Map();
+
 const reusableFetch = async <T>(input: FetchInput, init?: FetchInit): Promise<{ data: T; headers: Headers }> => {
   return new Promise(async (resolve, reject) => {
     try {
@@ -25,13 +27,36 @@ const reusableFetch = async <T>(input: FetchInput, init?: FetchInit): Promise<{
   });
 };
 
+const cacheableFetch = async <T>(input: FetchInput, init?: FetchInit) => {
+  const cacheKeyData = JSON.stringify({ input, init });
+  const cacheKey = crypto.createHash('sha256').update(cacheKeyData).digest('hex');
+  const cachedResponse = requestsCache.get(cacheKey);
+
+  if (cachedResponse) {
+    const { data, headers } = await cachedResponse;
+    const expiresAt = expiresHeaderToUnixtime(headers.get('Expires'));
+
+    if (expiresAt > Date.now()) {
+      return data as T;
+    }
+
+    requestsCache.delete(cacheKey);
+  }
+
+  const newRequest = reusableFetch<T>(input, init);
+  requestsCache.set(cacheKey, newRequest);
+  return (await newRequest).data as T;
+};
+
+const expiresHeaderToUnixtime = (expires: string | null): number => {
+  return expires ? new Date(expires).getTime() : Date.now() + 60_000;
+};
+
 export class MiauClient {
   private config: MiauClientConfig;
   private jwtToken: string | undefined;
   private jwksClient: JwksClient | undefined;
   private basicAuthToken: string;
-  private permissionsCache: Map<string, { data: Permission; expiresAt: number }> = new Map();
-  private permissionsRequests: Map<string, Promise<{ data: Permission; headers: Headers }>> = new Map();
 
   constructor(config: MiauClientConfig) {
     if (!config.apiUrl || !config.appSecret || !config.environment) {
@@ -95,41 +120,16 @@ export class MiauClient {
     return miauMiddleware<T>(this, config?.requestAugmentation, config?.fallbackMiddleware);
   }
 
-  public async getPermissions(targetAppId: string) {
-    if (this.permissionsCache.has(targetAppId)) {
-      const { data, expiresAt } = this.permissionsCache.get(targetAppId)!;
-
-      if (expiresAt > Date.now()) {
-        this.permissionsRequests.delete(targetAppId);
-        return data;
-      }
-    }
-
-    const request = await this.requestPermissions(targetAppId);
-
-    if (request !== undefined) {
-      const { data, headers } = request;
-      this.permissionsCache.set(targetAppId, {
-        data,
-        expiresAt: headers.has('Expires') ? new Date(headers.get('Expires')!).getTime() : Date.now() + 60_000 // Default to 1 minute if no Expires header
-      });
-      return data;
-    }
-
-    throw new Error(`Failed to fetch permissions for app Id: ${targetAppId}`);
+  public async getResources() {
+    return cacheableFetch<Resource[]>(this.getResourcesUrl(), {
+      headers: { Authorization: `Basic ${this.basicAuthToken}` }
+    });
   }
 
-  private async requestPermissions(sourceAppId: string) {
-    if (this.permissionsRequests.has(sourceAppId)) {
-      return this.permissionsRequests.get(sourceAppId);
-    }
-
-    const request = reusableFetch<Permission>(`${this.getPermissionsUrl()}/${sourceAppId}`, {
+  public async getPermissions(targetAppId: string) {
+    return cacheableFetch<Permission>(`${this.getPermissionsUrl()}/${targetAppId}`, {
       headers: { Authorization: `Basic ${this.basicAuthToken}` }
     });
-
-    this.permissionsRequests.set(sourceAppId, request);
-    return request;
   }
 
   private getApiJwtUrl = () => {
@@ -140,6 +140,10 @@ export class MiauClient {
     return `${this.config.apiUrl}/v1/permissions`;
   };
 
+  private getResourcesUrl = () => {
+    return `${this.config.apiUrl}/v1/resources`;
+  };
+
   private getJwksUrl = () => {
     return `${this.config.apiUrl}/v1/jwks.json`;
   };

package/src/functions.test.ts

@@ -0,0 +1,76 @@
+import { equal } from 'node:assert';
+import test from 'node:test';
+
+import { type Resource } from '@eduzz/miau-types';
+
+import { isResourceAllowed, wildcardToRegex } from './functions';
+
+test('wildcardToRegex should convert wildcard to regex', () => {
+  const pattern = '/v1/resources/*/details';
+  const pattern2 = '/v1/resources/*';
+  const regex = wildcardToRegex(pattern);
+  const regex2 = wildcardToRegex(pattern2);
+  equal(regex.test('/v1/resources/123/details'), true);
+  equal(regex.test('/v1/resources/abc/details'), true);
+  equal(regex.test('/v1/resources/details'), false);
+  equal(regex.test('/v1/resources/123/other'), false);
+  equal(regex2.test('/v1/resources/123'), true);
+  equal(regex2.test('/v1/resources/abc'), true);
+  equal(regex2.test('/v1/resources/123/other'), false);
+});
+
+const resources1: Resource[] = [
+  { protocol: 'http', method: 'GET', path: '/v1/resources' },
+  { protocol: 'http', method: 'GET', path: '/v1/another' },
+  { protocol: 'http', method: 'GET', path: '/v1/resources/*' },
+  { protocol: 'http', method: 'GET', path: '/v1/resources/fixed' },
+  { protocol: 'http', method: 'GET', path: '/v1/chumbated/chumbated' },
+  { protocol: 'http', method: 'GET', path: '/v1/*/*' },
+  { protocol: 'http', method: 'POST', path: '/v1/resources' },
+  { protocol: 'http', method: 'PUT', path: '/v1/resources/*' },
+  { protocol: 'http', method: 'DELETE', path: '/v1/resources/*' }
+];
+
+const permissions1: Resource[] = [
+  { protocol: 'http', method: 'GET', path: '/v1/resources' },
+  { protocol: 'http', method: 'GET', path: '/v1/resources/*' },
+  { protocol: 'http', method: 'POST', path: '/v1/resources' },
+  { protocol: 'http', method: 'PUT', path: '/v1/resources/*' },
+  { protocol: 'http', method: 'DELETE', path: '/v1/resources/*' }
+];
+
+test('should access route', () => {
+  const resource: Resource = { protocol: 'http', method: 'GET', path: '/v1/resources' };
+  equal(isResourceAllowed(resource, resources1, permissions1), true);
+});
+
+test('should NOT access route with wrong method', () => {
+  const resource: Resource = { protocol: 'http', method: 'POST', path: '/v1/resources/123' };
+  equal(isResourceAllowed(resource, resources1, permissions1), false);
+});
+
+test('should NOT access route with no permission', () => {
+  const resource: Resource = { protocol: 'http', method: 'GET', path: '/v1/another' };
+  equal(isResourceAllowed(resource, resources1, permissions1), false);
+});
+
+test('should access wildcard route', () => {
+  const resource: Resource = { protocol: 'http', method: 'GET', path: '/v1/resources/12345' };
+  equal(isResourceAllowed(resource, resources1, permissions1), true);
+});
+
+test('should NOT access fixed route despite wildcard', () => {
+  const resource: Resource = { protocol: 'http', method: 'GET', path: '/v1/resources/fixed' };
+  equal(isResourceAllowed(resource, resources1, permissions1), false);
+});
+
+test('should NOT access chumbated route with exact match', () => {
+  const resource: Resource = { protocol: 'http', method: 'GET', path: '/v1/chumbated/chumbated' };
+  equal(isResourceAllowed(resource, resources1, permissions1), false);
+});
+
+test('should access double wildcard route', () => {
+  const permissions: Resource[] = [{ protocol: 'http', method: 'GET', path: '/v1/*/*' }];
+  const resource: Resource = { protocol: 'http', method: 'GET', path: '/v1/another/route' };
+  equal(isResourceAllowed(resource, resources1, permissions), true);
+});

package/src/functions.ts

@@ -0,0 +1,38 @@
+import { type Resource } from '@eduzz/miau-types';
+
+export const wildcardToRegex = (pattern: string) => {
+  const escaped = pattern.replace(/[-/\\^$+?.()|[\]{}]/g, '\\$&');
+  const withWildcards = escaped.replace(/\*/g, '[^/]+');
+  const regexStr = `^${withWildcards}$`;
+  return new RegExp(regexStr);
+};
+
+export const isResourceAllowed = (
+  resource: Resource,
+  resources: Resource[],
+  permittedResources: Resource[]
+): boolean => {
+  const hasExactMatch = resources.some((res: Resource) => {
+    return (
+      res.method.toLowerCase() === resource.method.toLowerCase() &&
+      res.path.toLowerCase() === resource.path.toLowerCase()
+    );
+  });
+
+  if (hasExactMatch) {
+    return permittedResources.some((perm: Resource) => {
+      return (
+        perm.method.toLowerCase() === resource.method.toLowerCase() &&
+        perm.path.toLowerCase() === resource.path.toLowerCase()
+      );
+    });
+  }
+
+  return permittedResources.some((permission: Resource) => {
+    const permissionRegex = wildcardToRegex(permission.path);
+    return (
+      permission.method.toLowerCase() === resource.method.toLowerCase() &&
+      permissionRegex.test(resource.path.toLowerCase())
+    );
+  });
+};

package/src/middleware.ts

@@ -1,8 +1,9 @@
 import { type RequestHandler, type NextFunction, type Request, type Response } from 'express';
 import jwt from 'jsonwebtoken';
 
-import type { MiauApplication, MiauClientToken, Resource } from '@eduzz/miau-types';
+import { type Resource, type MiauApplication, type MiauClientToken } from '@eduzz/miau-types';
 
+import { isResourceAllowed } from './functions';
 import type { MiauClient } from './MiauClient';
 
 class HttpError extends Error {
@@ -19,13 +20,6 @@ class HttpError extends Error {
 
 export type RequestAugmentation<T> = (data: { req: Request; app: MiauApplication; meta: T }) => void;
 
-const wildcardToRegex = (pattern: string) => {
-  const escaped = pattern.replace(/[-/\\^$+?.()|[\]{}]/g, '\\$&');
-  const withWildcards = escaped.replace(/\*/g, '[^/]+');
-  const regexStr = `^${withWildcards}$`;
-  return new RegExp(regexStr);
-};
-
 export const miauMiddleware = <T>(
   miauClient: MiauClient,
   requestAugmentation?: RequestAugmentation<T>,
@@ -69,20 +63,26 @@ export const miauMiddleware = <T>(
         );
       }
 
+      const resources = await miauClient.getResources();
+
+      if (!resources) {
+        throw new HttpError(401, 'Unauthorized', 'No resources found for this application');
+      }
+
       const permission = await miauClient.getPermissions(application.id);
 
       if (!permission) {
         throw new HttpError(401, 'Unauthorized', 'No permissions found for this application');
       }
 
-      const resources = permission?.resources || [];
+      const permittedResources = permission?.resources || [];
 
-      const isAllowed = resources.some((resource: Resource) => {
-        return (
-          resource.method.toLowerCase() === req.method.toLowerCase() &&
-          wildcardToRegex(resource.path.toLowerCase()).test(req.path.toLowerCase())
-        );
-      });
+      if (!permittedResources.length) {
+        throw new HttpError(403, 'Forbidden', 'No resources are permitted for this application');
+      }
+
+      const resource = { protocol: 'http', method: req.method, path: req.path } as Resource;
+      const isAllowed = isResourceAllowed(resource, resources, permittedResources);
 
       if (!isAllowed) {
         throw new HttpError(403, 'Forbidden', `You do not have permission to access ${req.method} ${req.path}`);