npm - @flink-app/jwt-auth-plugin - Versions diffs - 0.12.1-alpha.4 → 0.12.1-alpha.41 - Mend

@flink-app/jwt-auth-plugin 0.12.1-alpha.4 → 0.12.1-alpha.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/FlinkJwtAuthPlugin.d.ts +47 -3
package/dist/FlinkJwtAuthPlugin.js +42 -18
package/package.json +4 -4
package/readme.md +968 -18
package/spec/FlinkJwtAuthPlugin.spec.ts +443 -0
package/src/FlinkJwtAuthPlugin.ts +180 -130

package/spec/FlinkJwtAuthPlugin.spec.ts CHANGED Viewed

@@ -126,4 +126,447 @@ describe("FlinkJwtAuthPlugin", () => {
     expect(decoded.id).toBe("123");
   });
+  describe("tokenExtractor", () => {
+    it("should use custom token extractor when it returns a string", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const customToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          expect(id).toBe(userId);
+          return {
+            id,
+            username: "username",
+          };
+        },
+        rolePermissions: {
+          user: ["*"],
+        },
+        tokenExtractor: (req) => {
+          // Extract from query param
+          return req.query?.token as string;
+        },
+      });
+      const mockRequest = {
+        headers: {},
+        query: {
+          token: customToken,
+        },
+      } as unknown as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(mockRequest, "foo");
+      expect(authenticated).toBeTruthy();
+    });
+    it("should fail auth when tokenExtractor returns null", async () => {
+      const plugin = jwtAuthPlugin({
+        secret: "secret",
+        getUser: async (id: string) => {
+          fail(); // Should not be called
+          return {
+            id,
+            username: "username",
+          };
+        },
+        rolePermissions: {
+          user: ["*"],
+        },
+        tokenExtractor: (req) => {
+          // Explicitly no token for this route
+          return null;
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer some-valid-token",
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(mockRequest, "foo");
+      expect(authenticated).toBeFalse();
+    });
+    it("should fall back to Bearer token when tokenExtractor returns undefined", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          expect(id).toBe(userId);
+          return {
+            id,
+            username: "username",
+          };
+        },
+        rolePermissions: {
+          user: ["*"],
+        },
+        tokenExtractor: (req) => {
+          // Return undefined to fall back to default
+          return undefined;
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(mockRequest, "foo");
+      expect(authenticated).toBeTruthy();
+    });
+    it("should support conditional extraction based on path", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const queryToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const bearerToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return {
+            id,
+            username: "username",
+          };
+        },
+        rolePermissions: {
+          user: ["*"],
+        },
+        tokenExtractor: (req) => {
+          // Use query param for public API routes only
+          if (req.path?.startsWith("/api/public/")) {
+            return req.query?.token as string || null;
+          }
+          // Fall back to Bearer for other routes
+          return undefined;
+        },
+      });
+      // Test public route with query param
+      const publicRequest = {
+        path: "/api/public/data",
+        headers: {},
+        query: {
+          token: queryToken,
+        },
+      } as unknown as FlinkRequest;
+      const publicAuth = await plugin.authenticateRequest(publicRequest, "foo");
+      expect(publicAuth).toBeTruthy();
+      // Test non-public route with Bearer token
+      const privateRequest = {
+        path: "/api/private/data",
+        headers: {
+          authorization: "Bearer " + bearerToken,
+        },
+      } as unknown as FlinkRequest;
+      const privateAuth = await plugin.authenticateRequest(privateRequest, "foo");
+      expect(privateAuth).toBeTruthy();
+    });
+    it("should use default Bearer extraction when no tokenExtractor provided", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return {
+            id,
+            username: "username",
+          };
+        },
+        rolePermissions: {
+          user: ["*"],
+        },
+        // No tokenExtractor provided
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(mockRequest, "foo");
+      expect(authenticated).toBeTruthy();
+    });
+  });
+  describe("checkPermissions callback", () => {
+    it("should use custom permission checker when provided", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return {
+            id,
+            username: "testuser",
+            permissions: ["read", "write", "delete"],
+          };
+        },
+        rolePermissions: {
+          user: [], // Empty - custom checker will handle this
+        },
+        checkPermissions: async (user, routePermissions) => {
+          // Check if user has all required permissions
+          return routePermissions.every((perm) =>
+            user.permissions?.includes(perm)
+          );
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(mockRequest, [
+        "read",
+        "write",
+      ]);
+      expect(authenticated).toBeTruthy();
+      expect(mockRequest.user?.permissions).toEqual([
+        "read",
+        "write",
+        "delete",
+      ]);
+    });
+    it("should fail auth when custom checker returns false", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return {
+            id,
+            username: "testuser",
+            permissions: ["read"], // Only has read
+          };
+        },
+        rolePermissions: {},
+        checkPermissions: async (user, routePermissions) => {
+          return routePermissions.every((perm) =>
+            user.permissions?.includes(perm)
+          );
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      // Route requires write, but user only has read
+      const authenticated = await plugin.authenticateRequest(mockRequest, [
+        "read",
+        "write",
+      ]);
+      expect(authenticated).toBeFalse();
+    });
+    it("should use static rolePermissions when checkPermissions not provided (backward compat)", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["admin"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return {
+            id,
+            username: "admin",
+          };
+        },
+        rolePermissions: {
+          admin: ["read", "write", "delete"],
+        },
+        // No checkPermissions provided - uses static
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(
+        mockRequest,
+        "write"
+      );
+      expect(authenticated).toBeTruthy();
+    });
+    it("should support synchronous permission checker", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return {
+            id,
+            username: "testuser",
+            permissions: ["read"],
+          };
+        },
+        rolePermissions: {},
+        // Synchronous checker (not async)
+        checkPermissions: (user, routePermissions) => {
+          return routePermissions.every((perm) =>
+            user.permissions?.includes(perm)
+          );
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(
+        mockRequest,
+        "read"
+      );
+      expect(authenticated).toBeTruthy();
+    });
+    it("should pass when route has no permissions and custom checker provided", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      let checkerCalled = false;
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          return { id, username: "testuser" };
+        },
+        rolePermissions: {},
+        checkPermissions: async (user, routePermissions) => {
+          checkerCalled = true;
+          return true;
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      // Empty permissions (public route)
+      const authenticated = await plugin.authenticateRequest(mockRequest, []);
+      expect(authenticated).toBeTruthy();
+      expect(checkerCalled).toBeFalse(); // Checker should not be called for public routes
+    });
+    it("should handle database-fetched permissions in getUser", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["user"] },
+        secret
+      );
+      // Simulate DB permissions
+      const dbPermissions: { [key: string]: string[] } = {
+        "123": ["read", "write", "custom_permission"],
+      };
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async ({ id }: { id: string }) => {
+          // Simulate fetching permissions from DB
+          const permissions = dbPermissions[id] || [];
+          return {
+            id,
+            username: "testuser",
+            permissions,
+          };
+        },
+        rolePermissions: {},
+        checkPermissions: async (user, routePermissions) => {
+          return routePermissions.every((perm) =>
+            user.permissions?.includes(perm)
+          );
+        },
+      });
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+      const authenticated = await plugin.authenticateRequest(mockRequest, [
+        "custom_permission",
+      ]);
+      expect(authenticated).toBeTruthy();
+      expect(mockRequest.user?.permissions).toContain("custom_permission");
+    });
+  });
 });