@engjts/nexus 0.1.7 → 0.1.9

package/src/security/adapter.ts

@@ -1,318 +0,0 @@
-/**
- * Security Adapter Interfaces
- * 
- * Extensible adapter system for security components
- */
-
-import type { Context } from '../core/types';
-import type {
-    User,
-    SecurityHeadersConfig,
-    SanitizationConfig,
-    RateLimitInfo,
-    PermissionCheckResult
-} from './types';
-
-/**
- * Security headers adapter interface
- * Allows custom security headers implementation
- */
-export interface SecurityHeadersAdapter {
-    /**
-     * Generate security headers for response
-     */
-    generateHeaders(ctx: Context, config: SecurityHeadersConfig): Record<string, string>;
-
-    /**
-     * Generate CSP nonce if needed
-     */
-    generateNonce?(): string;
-}
-
-/**
- * Input sanitization adapter interface
- * Allows custom sanitization logic
- */
-export interface SanitizationAdapter {
-    /**
-     * Sanitize input value
-     * @returns Sanitized value or throws if in strict mode
-     */
-    sanitize(value: any, config: SanitizationConfig): any;
-
-    /**
-     * Check if value contains malicious patterns
-     */
-    isMalicious(value: any, config: SanitizationConfig): boolean;
-}
-
-/**
- * Base authentication adapter interface
- */
-export interface AuthAdapter<TConfig = any> {
-    /**
-     * Verify credentials and return user
-     * @returns User object if valid, null otherwise
-     */
-    verify(ctx: Context, config: TConfig): Promise<User | null>;
-
-    /**
-     * Generate authentication token/session
-     */
-    generateToken?(user: User, config: TConfig): Promise<string>;
-
-    /**
-     * Refresh authentication token
-     */
-    refreshToken?(token: string, config: TConfig): Promise<string | null>;
-}
-
-/**
- * Rate limiting storage adapter interface
- */
-export interface RateLimitAdapter {
-    /**
-     * Increment request count for key
-     * @returns Current count and reset time
-     */
-    increment(key: string, windowMs: number): Promise<{
-        count: number;
-        resetTime: number;
-    }>;
-
-    /**
-     * Get current rate limit info for key
-     */
-    get(key: string): Promise<RateLimitInfo | null>;
-
-    /**
-     * Reset rate limit for key
-     */
-    reset(key: string): Promise<void>;
-
-    /**
-     * Clean up expired entries
-     */
-    cleanup?(): Promise<void>;
-}
-
-/**
- * CSRF token adapter interface
- */
-export interface CSRFAdapter {
-    /**
-     * Generate CSRF token
-     */
-    generateToken(ctx: Context): string;
-
-    /**
-     * Validate CSRF token
-     */
-    validateToken(ctx: Context, token: string): boolean;
-
-    /**
-     * Extract token from request
-     */
-    extractToken(ctx: Context): string | null;
-}
-
-/**
- * Permission checker adapter interface
- * Allows custom RBAC logic
- */
-export interface PermissionAdapter {
-    /**
-     * Check if user has required permissions
-     */
-    checkPermissions(user: User, required: string[]): PermissionCheckResult;
-
-    /**
-     * Check if user has required roles
-     */
-    checkRoles(user: User, required: string[]): boolean;
-
-    /**
-     * Expand role to permissions
-     */
-    expandRole?(role: string): string[] | undefined;
-}
-
-/**
- * Default security headers adapter
- */
-export class DefaultSecurityHeadersAdapter implements SecurityHeadersAdapter {
-    generateHeaders(_ctx: Context, config: SecurityHeadersConfig): Record<string, string> {
-        const mode = config.mode || 'moderate';
-        const headers: Record<string, string> = {};
-
-        // Base headers
-        headers['X-Content-Type-Options'] = 'nosniff';
-        headers['X-Frame-Options'] = mode === 'strict' ? 'DENY' : 'SAMEORIGIN';
-        headers['X-XSS-Protection'] = '1; mode=block';
-
-        if (mode === 'strict' || mode === 'moderate') {
-            headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
-            headers['Referrer-Policy'] = 'no-referrer';
-        }
-
-        // CSP
-        if (config.csp) {
-            let cspValue = '';
-            const directives = config.csp.directives || {
-                'default-src': ["'self'"]
-            };
-
-            for (const [directive, values] of Object.entries(directives)) {
-                cspValue += `${directive} ${values.join(' ')}; `;
-            }
-
-            if (config.csp.reportUri) {
-                cspValue += `report-uri ${config.csp.reportUri}; `;
-            }
-
-            const headerName = config.csp.reportOnly
-                ? 'Content-Security-Policy-Report-Only'
-                : 'Content-Security-Policy';
-            headers[headerName] = cspValue.trim();
-        }
-
-        // Custom headers override
-        if (config.customHeaders) {
-            Object.assign(headers, config.customHeaders);
-        }
-
-        return headers;
-    }
-
-    generateNonce?(): string {
-        return crypto.randomUUID().replace(/-/g, '');
-    }
-}
-
-/**
- * Default input sanitization adapter
- */
-export class DefaultSanitizationAdapter implements SanitizationAdapter {
-    private readonly defaultPatterns = {
-        sql: /((\bUNION\b)|(\bSELECT\b)|(\bINSERT\b)|(\bUPDATE\b)|(\bDELETE\b)|(\bDROP\b)|(\bCREATE\b)|(\bALTER\b))/gi,
-        xss: /(<script|javascript:|onerror=|onload=|<iframe|<object|<embed)/gi,
-        pathTraversal: /(\.\.[\/\\])/g,
-        noSqlInjection: /(\$where|\$ne|\$gt|\$lt|\$regex)/gi
-    };
-
-    sanitize(value: any, config: SanitizationConfig): any {
-        if (value === null || value === undefined) {
-            return value;
-        }
-
-        if (typeof value === 'string') {
-            return this.sanitizeString(value, config);
-        }
-
-        if (Array.isArray(value)) {
-            return value.map(item => this.sanitize(item, config));
-        }
-
-        if (typeof value === 'object') {
-            const sanitized: any = {};
-            for (const [key, val] of Object.entries(value)) {
-                sanitized[key] = this.sanitize(val, config);
-            }
-            return sanitized;
-        }
-
-        return value;
-    }
-
-    private sanitizeString(value: string, config: SanitizationConfig): string {
-        const patterns = config.patterns || [];
-        const allPatterns = [...Object.values(this.defaultPatterns), ...patterns.map(p => p.pattern)];
-
-        for (const pattern of allPatterns) {
-            if (pattern.test(value)) {
-                if (config.strict) {
-                    throw new Error('Malicious input detected');
-                }
-                // Remove malicious content
-                value = value.replace(pattern, '');
-            }
-        }
-
-        return value;
-    }
-
-    isMalicious(value: any, config: SanitizationConfig): boolean {
-        if (typeof value !== 'string') {
-            return false;
-        }
-
-        const patterns = config.patterns || [];
-        const allPatterns = [...Object.values(this.defaultPatterns), ...patterns.map(p => p.pattern)];
-
-        return allPatterns.some(pattern => pattern.test(value));
-    }
-}
-
-/**
- * Default permission checker adapter
- */
-export class DefaultPermissionAdapter implements PermissionAdapter {
-    private roleHierarchy: Map<string, string[]> = new Map();
-
-    checkPermissions(user: User, required: string[]): PermissionCheckResult {
-        const userPermissions = new Set(user.permissions || []);
-
-        // Check for wildcard permission
-        if (userPermissions.has('*')) {
-            return { allowed: true };
-        }
-
-        // Expand roles to permissions
-        if (user.roles) {
-            for (const role of user.roles) {
-                const rolePerms = this.expandRole?.(role);
-                if (rolePerms) {
-                    rolePerms.forEach(p => userPermissions.add(p));
-                }
-            }
-        }
-
-        // Check required permissions
-        const missing = required.filter(perm => {
-            // Check for wildcard match (e.g., 'read:*' matches 'read:users')
-            const hasWildcard = Array.from(userPermissions).some(userPerm => {
-                if (userPerm.endsWith('*')) {
-                    const prefix = userPerm.slice(0, -1);
-                    return perm.startsWith(prefix);
-                }
-                return userPerm === perm;
-            });
-
-            return !hasWildcard && !userPermissions.has(perm);
-        });
-
-        return {
-            allowed: missing.length === 0,
-            missing: missing.length > 0 ? missing : undefined
-        };
-    }
-
-    checkRoles(user: User, required: string[]): boolean {
-        if (!user.roles || user.roles.length === 0) {
-            return false;
-        }
-
-        return required.some(role => user.roles!.includes(role));
-    }
-
-    expandRole?(role: string): string[] | undefined {
-        return this.roleHierarchy.get(role);
-    }
-
-    /**
-     * Define role permissions
-     */
-    defineRole(role: string, permissions: string[]): void {
-        this.roleHierarchy.set(role, permissions);
-    }
-}

package/src/security/auth/JWTPlugin.ts

@@ -1,234 +0,0 @@
-/**
- * JWT Authentication Plugin
- * 
- * Plugin untuk JWT authentication yang otomatis:
- * - Menambahkan jwt provider ke dependencies
- * - Menambahkan auth middleware (opsional)
- * - Mendekorasi context dengan user property
- * - Export API untuk plugin lain
- */
-
-import { definePlugin } from '../../core/plugin';
-import { JWTProvider, JWTProviderConfig, VerifyResult } from './JWTProvider';
-import type { User } from '../types';
-import type { Context } from '../../core';
-
-export interface JWTPluginConfig extends JWTProviderConfig {
-  /**
-   * Auto-protect semua route (default: false)
-   * Jika true, semua route akan butuh auth kecuali yang ada di `publicPaths`
-   */
-  autoProtect?: boolean;
-  
-  /**
-   * Path yang tidak perlu auth (hanya berlaku jika autoProtect: true)
-   */
-  publicPaths?: string[];
-  
-  /**
-   * Nama cookie untuk menyimpan token (opsional)
-   */
-  cookieName?: string;
-  
-  /**
-   * Custom handler ketika unauthorized
-   */
-  onUnauthorized?: (ctx: Context, error: string) => any;
-}
-
-export interface JWTPluginExports {
-  /**
-   * JWT Provider instance
-   */
-  provider: JWTProvider;
-  
-  /**
-   * Sign token dari payload
-   */
-  sign: (payload: { id: string | number; [key: string]: any }) => Promise<string>;
-  
-  /**
-   * Verify token dari context
-   */
-  verify: (ctx: Context) => Promise<VerifyResult>;
-  
-  /**
-   * Verify token string
-   */
-  verifyToken: (token: string) => Promise<VerifyResult>;
-  
-  /**
-   * Decode token tanpa verify
-   */
-  decode: (token: string) => any;
-  
-  /**
-   * Refresh token
-   */
-  refresh: (token: string) => Promise<string | null>;
-  
-  /**
-   * Check role
-   */
-  hasRole: (user: User, role: string | string[]) => boolean;
-  
-  /**
-   * Check permission
-   */
-  hasPermission: (user: User, permission: string | string[]) => boolean;
-  
-  /**
-   * Get middleware for protecting routes
-   */
-  middleware: () => (ctx: Context, next: any) => Promise<any>;
-}
-
-/**
- * Create JWT Plugin
- * 
- * @example
- * ```typescript
- * import { createApp } from 'nexus';
- * import { jwtPlugin } from 'nexus/security';
- * 
- * const app = createApp()
- *   .plugin(jwtPlugin, {
- *     secret: process.env.JWT_SECRET!,
- *     expiresIn: '7d',
- *     autoProtect: false
- *   });
- * 
- * // Akses JWT via plugin exports
- * app.post('/login', async (ctx) => {
- *   const jwt = app.getPluginExports<JWTPluginExports>('jwt');
- *   const token = await jwt.sign({ id: user.id, email: user.email });
- *   return { token };
- * });
- * 
- * // Atau via context decorator
- * app.get('/profile', async (ctx) => {
- *   const result = await ctx.jwt.verify(ctx);
- *   if (!result.valid) return ctx.response.status(401).json({ error: 'Unauthorized' });
- *   return { user: result.user };
- * });
- * ```
- */
-export const jwtPlugin = definePlugin('jwt')
-  .version('1.0.0')
-  .description('JWT Authentication Plugin')
-  .author('Nexus Team')
-  .tags('security', 'authentication', 'jwt')
-  .priority('high')
-  
-  // Type-safe configuration
-  .config<JWTPluginConfig>()
-  .defaults({
-    expiresIn: '1h',
-    autoProtect: false,
-    publicPaths: ['/health', '/api/auth/login', '/api/auth/register']
-  })
-  .validate((config) => {
-    if (!config.secret) {
-      return 'JWT secret is required. Set it via config or JWT_SECRET environment variable.';
-    }
-    if (config.secret.length < 32) {
-      return 'JWT secret should be at least 32 characters for security.';
-    }
-    return true;
-  })
-  
-  // Configure phase - create provider early
-  .configure((ctx) => {
-    const provider = new JWTProvider({
-      secret: ctx.config.secret,
-      expiresIn: ctx.config.expiresIn,
-      issuer: ctx.config.issuer,
-      audience: ctx.config.audience
-    });
-    
-    ctx.storage.set('provider', provider);
-    ctx.log.debug('JWT Provider initialized');
-  })
-  
-  // Register phase - add middleware if autoProtect
-  .register((ctx) => {
-    const provider = ctx.storage.get('provider') as JWTProvider;
-    
-    if (ctx.config.autoProtect) {
-      ctx.app.use(async (reqCtx: Context, next: any) => {
-        // Check if path is public
-        const publicPaths = ctx.config.publicPaths || [];
-        const isPublic = publicPaths.some(p => {
-          if (p.endsWith('*')) {
-            return reqCtx.path.startsWith(p.slice(0, -1));
-          }
-          return reqCtx.path === p;
-        });
-        
-        if (isPublic) {
-          return next(reqCtx);
-        }
-        
-        // Verify token
-        const result = await provider.verify(reqCtx, {
-          cookieName: ctx.config.cookieName
-        });
-        
-        if (!result.valid) {
-          if (ctx.config.onUnauthorized) {
-            return ctx.config.onUnauthorized(reqCtx, result.error || 'Unauthorized');
-          }
-          return reqCtx.response.status(401).json({
-            error: 'Unauthorized',
-            message: result.error
-          });
-        }
-        
-        // Attach user to context
-        (reqCtx as any).user = result.user;
-        
-        return next(reqCtx);
-      });
-      
-      ctx.log.info('JWT auto-protection enabled');
-    }
-  })
-  
-  // Decorate context dengan jwt helper
-  .decorate((ctx) => {
-    const provider = ctx.storage.get('provider') as JWTProvider;
-    
-    (ctx as any).jwt = {
-      sign: (payload: any) => provider.sign(payload),
-      verify: (reqCtx: Context) => provider.verify(reqCtx),
-      decode: (token: string) => provider.decode(token),
-      hasRole: (user: User, role: string | string[]) => provider.hasRole(user, role),
-      hasPermission: (user: User, perm: string | string[]) => provider.hasPermission(user, perm)
-    };
-  })
-  
-  // Export API untuk plugin lain
-  .export<JWTPluginExports>((ctx) => {
-    const provider = ctx.storage.get('provider') as JWTProvider;
-    
-    return {
-      provider,
-      sign: (payload) => provider.sign(payload),
-      verify: (reqCtx) => provider.verify(reqCtx),
-      verifyToken: (token) => provider.verifyToken(token),
-      decode: (token) => provider.decode(token),
-      refresh: (token) => provider.refresh(token),
-      hasRole: (user, role) => provider.hasRole(user, role),
-      hasPermission: (user, perm) => provider.hasPermission(user, perm),
-      middleware: () => provider.middleware({ cookieName: ctx.config.cookieName })
-    };
-  })
-  
-  // Ready phase
-  .ready((ctx) => {
-    ctx.log.info(`JWT Plugin ready (autoProtect: ${ctx.config.autoProtect})`);
-  })
-  
-  .build();
-
-export default jwtPlugin;