npm - @flink-app/jwt-auth-plugin - Versions diffs - 0.12.1-alpha.40 → 0.12.1-alpha.43 - Mend

@flink-app/jwt-auth-plugin 0.12.1-alpha.40 → 0.12.1-alpha.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/FlinkJwtAuthPlugin.d.ts +68 -3
package/dist/FlinkJwtAuthPlugin.js +44 -9
package/package.json +2 -2
package/readme.md +698 -1
package/spec/FlinkJwtAuthPlugin.spec.ts +692 -5
package/src/FlinkJwtAuthPlugin.ts +118 -5

package/src/FlinkJwtAuthPlugin.ts CHANGED Viewed

@@ -9,15 +9,84 @@ import { hasValidPermissions } from "./PermissionValidator";
  */
 const defaultPasswordPolicy = /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/;
+/**
+ * Custom token extraction callback.
+ *
+ * Return values:
+ * - `string`: Token found, use this token
+ * - `null`: No token found, authentication should fail
+ * - `undefined`: Skip custom extraction, use default Bearer token extraction
+ */
+export type TokenExtractor = (req: FlinkRequest) => string | null | undefined;
+/**
+ * Custom permission validation callback.
+ *
+ * Called after getUser to validate if the user has required permissions.
+ * Useful for dynamic permissions stored in database.
+ *
+ * @param user - The authenticated user object returned from getUser
+ * @param routePermissions - Array of permissions required by the route
+ * @returns true if user has required permissions, false otherwise
+ */
+export type PermissionChecker = (
+    user: FlinkAuthUser,
+    routePermissions: string[]
+) => Promise<boolean> | boolean;
 export interface JwtAuthPluginOptions {
     secret: string;
     algo?: jwtSimple.TAlgorithm;
-    getUser: (tokenData: any) => Promise<FlinkAuthUser | null | undefined>;
+    getUser: (tokenData: any, req: FlinkRequest) => Promise<FlinkAuthUser | null | undefined>;
     passwordPolicy?: RegExp;
     tokenTTL?: number;
     rolePermissions: {
         [role: string]: string[];
     };
+    /**
+     * Optional custom token extraction callback.
+     *
+     * Allows conditional token extraction based on request properties (path, method, headers, etc.).
+     * Return `undefined` to fall back to default Bearer token extraction.
+     */
+    tokenExtractor?: TokenExtractor;
+    /**
+     * Optional custom permission checker for dynamic permissions.
+     *
+     * When provided, replaces static rolePermissions checking.
+     * Called after getUser with the full user object.
+     *
+     * Example:
+     * ```typescript
+     * checkPermissions: async (user, routePermissions) => {
+     *   return routePermissions.every(perm =>
+     *     user.permissions?.includes(perm)
+     *   );
+     * }
+     * ```
+     */
+    checkPermissions?: PermissionChecker;
+    /**
+     * When true, uses roles from the user object returned by getUser
+     * instead of roles from the decoded token for static permission checking.
+     *
+     * Useful for multi-tenant scenarios where user roles vary by organization context.
+     * The organization context can be determined from request headers, subdomain, path, etc.
+     *
+     * Example:
+     * ```typescript
+     * useDynamicRoles: true,
+     * getUser: async (tokenData, req) => {
+     *   const orgId = req.headers['x-organization-id'];
+     *   const membership = await getOrgMembership(tokenData.userId, orgId);
+     *   return {
+     *     id: tokenData.userId,
+     *     roles: [membership.role], // Org-specific role
+     *   };
+     * }
+     * ```
+     */
+    useDynamicRoles?: boolean;
 }
 export interface JwtAuthPlugin extends FlinkAuthPlugin {
@@ -55,6 +124,9 @@ export function jwtAuthPlugin({
     algo = "HS256",
     passwordPolicy = defaultPasswordPolicy,
     tokenTTL = 1000 * 60 * 60 * 24 * 365 * 100, //Defaults to hundred year
+    tokenExtractor,
+    checkPermissions,
+    useDynamicRoles = false,
 }: JwtAuthPluginOptions): JwtAuthPlugin {
     return {
         authenticateRequest: async (req, permissions) =>
@@ -62,6 +134,9 @@ export function jwtAuthPlugin({
                 algo,
                 secret,
                 getUser,
+                tokenExtractor,
+                checkPermissions,
+                useDynamicRoles,
             }),
         createToken: (payload, roles) => createToken({ ...payload, roles }, { algo, secret, tokenTTL }),
         createPasswordHashAndSalt: (password: string) => createPasswordHashAndSalt(password, passwordPolicy),
@@ -73,9 +148,26 @@ async function authenticateRequest(
     req: FlinkRequest,
     routePermissions: string | string[],
     rolePermissions: { [x: string]: string[] },
-    { secret, algo, getUser }: Pick<JwtAuthPluginOptions, "algo" | "secret" | "getUser">
+    { secret, algo, getUser, tokenExtractor, checkPermissions, useDynamicRoles }: Pick<
+        JwtAuthPluginOptions,
+        "algo" | "secret" | "getUser" | "tokenExtractor" | "checkPermissions" | "useDynamicRoles"
+    >
 ) {
-    const token = getTokenFromReq(req);
+    let token: string | null | undefined;
+    if (tokenExtractor) {
+        token = tokenExtractor(req);
+        // If tokenExtractor returns undefined, fall back to default
+        if (token === undefined) {
+            token = getTokenFromReq(req);
+        }
+        // If it returns null, token stays null (no default fallback)
+        // If it returns string, token is the string
+    } else {
+        // No custom extractor, use default
+        token = getTokenFromReq(req);
+    }
     if (token) {
         let decodedToken;
@@ -90,7 +182,8 @@ async function authenticateRequest(
         if (decodedToken) {
             const permissionsArr = Array.isArray(routePermissions) ? routePermissions : [routePermissions];
-            if (permissionsArr && permissionsArr.length > 0) {
+            // Static permission check - only if custom checker NOT provided AND not using dynamic roles
+            if (!checkPermissions && !useDynamicRoles && permissionsArr && permissionsArr.length > 0) {
                 const validPerms = hasValidPermissions(decodedToken.roles || [], rolePermissions, permissionsArr);
                 if (!validPerms) {
@@ -98,13 +191,33 @@ async function authenticateRequest(
                 }
             }
-            const user = await getUser(decodedToken);
+            const user = await getUser(decodedToken, req);
             if (!user) {
                 log.debug("[JWT AUTH PLUGIN] User not returned from getUser callback");
                 return false;
             }
+            // Dynamic roles: check permissions using roles from user object
+            if (!checkPermissions && useDynamicRoles && permissionsArr && permissionsArr.length > 0) {
+                const validPerms = hasValidPermissions(user.roles || [], rolePermissions, permissionsArr);
+                if (!validPerms) {
+                    log.debug("[JWT AUTH PLUGIN] Dynamic role permission check failed");
+                    return false;
+                }
+            }
+            // Custom permission check - only if provided
+            if (checkPermissions && permissionsArr && permissionsArr.length > 0) {
+                const hasPermission = await checkPermissions(user, permissionsArr);
+                if (!hasPermission) {
+                    log.debug("[JWT AUTH PLUGIN] Custom permission check failed");
+                    return false;
+                }
+            }
             req.user = user;
             return true;
         }