@fraym/auth 0.3.1 → 0.5.0

package/README.md

@@ -21,6 +21,11 @@ Use the `auth` cli command to automatically apply your permissions to the auth s
 
 You can specify the address (and port) of the auth service instance you use in the `AUTH_SERVER_ADDRESS` env variable (default: `127.0.0.1:9000`).
 
+In case of scopes api you need to configure the HTTP api:
+
+-   `AUTH_HTTP_SERVER_ADDRESS`: Http api url of the auth service (default: `http://127.0.0.1`)
+-   `AUTH_HTTP_API_TOKEN`: The value of that token has to match the token configured in the auth service
+
 The needed schema for auth is a simple enum containing all your permissions. Example:
 
 ```graphql
@@ -36,9 +41,55 @@ Use a `.env` file or env variables to configure cte clients and the command:
 
 ```env
 AUTH_SERVER_ADDRESS=127.0.0.1:9000
+AUTH_HTTP_SERVER_ADDRESS=http://127.0.0.1
+AUTH_HTTP_API_TOKEN=
+```
+
+## JWT functions
+
+### Create a new JWT for usage with fraym
+
+```typescript
+const jwt = await generateJwt(appSecret, tenantId, scopes, data, expirationTime);
+```
+
+Parameters:
+
+-   `appSecret`: the secret used to sign the jwt
+-   `tenantId`: the id of the tenant to use
+-   `scopes`: (optional) list of scopes available in this token
+-   `data`: (optional) data added to the `data` field of the token
+-   `expirationTime`: (optional) string is resolved to a time span and added to the current timestamp to calculate the expiration time
+
+### Add data to an existing JWT
+
+Note: this will validate the existing token first.
+
+```typescript
+const jwt = await addDataToJwt(appSecret, token, data);
 ```
 
-## Usage
+Parameters:
+
+-   `appSecret`: the secret used to sign the jwt
+-   `token`: the existing jwt
+-   `data`: (optional) data added to the `data` field of the token, existing fields in the data object will be overwritten
+
+### Validate the token and get associated data
+
+Get scopes:
+
+```typescript
+const { scopes, userId, exp } = await getTokenData(appSecret, token, requireUserId);
+```
+
+Parameters:
+
+-   `appSecret`: the secret used to sign the jwt
+-   `token`: the existing jwt
+-   `requireUserId`: (optional, default: `true`) If set to true the function will throw an error if it cannot determine the id of the user that owns the jwt
+
+## Client Usage
 
 ### Create the client
 
@@ -56,6 +107,8 @@ The `clientId` paramenter is optional. If none is given the default client will
 const scopes = await managementClient.getScopes();
 ```
 
+Note: you need to configure `AUTH_HTTP_SERVER_ADDRESS` and `AUTH_HTTP_API_TOKEN` to use this function.
+
 ## Create a scope (permission)
 
 The `clientId` paramenter is optional. If none is given the default client will be used.
@@ -64,6 +117,8 @@ The `clientId` paramenter is optional. If none is given the default client will
 await managementClient.createScope("PERMISSION_NAME");
 ```
 
+Note: you need to configure `AUTH_HTTP_SERVER_ADDRESS` and `AUTH_HTTP_API_TOKEN` to use this function.
+
 ## Delete a scope (permission)
 
 The `clientId` paramenter is optional. If none is given the default client will be used.
@@ -72,6 +127,8 @@ The `clientId` paramenter is optional. If none is given the default client will
 await managementClient.deleteScope("PERMISSION_NAME");
 ```
 
+Note: you need to configure `AUTH_HTTP_SERVER_ADDRESS` and `AUTH_HTTP_API_TOKEN` to use this function.
+
 ## Get all roles
 
 ```typescript

package/dist/cmd/auth.js

@@ -17,21 +17,31 @@ const run = async () => {
         .config({
         schemaGlob: "./src/**/*.graphql",
         serverAddress: "127.0.0.1:9000",
+        httpServerAddress: "http://127.0.0.1",
+        httpApiToken: "",
     })
         .pkgConf("auth").argv;
     let schemaGlob = argv.schemaGlob;
     let serverAddress = argv.serverAddress;
+    let httpServerAddress = argv.httpServerAddress;
+    let httpApiToken = argv.httpApiToken;
     if (process.env.AUTH_SCHEMA_GLOB) {
         schemaGlob = process.env.AUTH_SCHEMA_GLOB;
     }
     if (process.env.AUTH_SERVER_ADDRESS) {
         serverAddress = process.env.AUTH_SERVER_ADDRESS;
     }
+    if (process.env.AUTH_HTTP_SERVER_ADDRESS) {
+        httpServerAddress = process.env.AUTH_HTTP_SERVER_ADDRESS;
+    }
+    if (process.env.AUTH_HTTP_API_TOKEN) {
+        httpApiToken = process.env.AUTH_HTTP_API_TOKEN;
+    }
     const schema = await (0, load_1.loadSchema)(`${schemaGlob}`, {
         loaders: [new graphql_file_loader_1.GraphQLFileLoader()],
     });
     const permissions = getSchemaPermissions(schema);
-    await migratePermissions(permissions, serverAddress);
+    await migratePermissions(permissions, serverAddress, httpServerAddress, httpApiToken);
 };
 const getSchemaPermissions = (schema) => {
     const permissions = [];
@@ -50,8 +60,12 @@ const getSchemaPermissions = (schema) => {
     });
     return permissions;
 };
-const migratePermissions = async (permissions, serverAddress) => {
-    const managementClient = await (0, client_1.newManagementClient)({ serverAddress });
+const migratePermissions = async (permissions, serverAddress, httpServerAddress, httpApiToken) => {
+    const managementClient = await (0, client_1.newManagementClient)({
+        serverAddress,
+        httpServerAddress,
+        httpApiToken,
+    });
     const existingPermissions = (await managementClient.getScopes()).filter(permission => !permission.startsWith("FRAYM_"));
     console.log("existingPermissions", existingPermissions);
     const permissionsToCreate = permissions.filter(permission => !existingPermissions.includes(permission));

package/dist/config/config.d.ts

@@ -1,5 +1,7 @@
 export interface ClientConfig {
     serverAddress: string;
+    httpServerAddress: string;
+    httpApiToken: string;
     keepaliveInterval?: number;
     keepaliveTimeout?: number;
 }

package/dist/config/config.js

@@ -3,9 +3,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.useConfigDefaults = exports.getEnvConfig = void 0;
 const dotenv_1 = require("dotenv");
 const getEnvConfig = () => {
-    var _a;
+    var _a, _b, _c;
     (0, dotenv_1.config)();
     const serverAddress = (_a = process.env.AUTH_SERVER_ADDRESS) !== null && _a !== void 0 ? _a : "";
+    const httpServerAddress = (_b = process.env.AUTH_HTTP_SERVER_ADDRESS) !== null && _b !== void 0 ? _b : "";
+    const httpApiToken = (_c = process.env.AUTH_HTTP_API_TOKEN) !== null && _c !== void 0 ? _c : "";
     let keepaliveInterval;
     let keepaliveTimeout;
     const keepaliveIntervalString = process.env.AUTH_CONNECTION_KEEPALIVE_INTERVAL;
@@ -18,6 +20,8 @@ const getEnvConfig = () => {
     }
     return {
         serverAddress,
+        httpServerAddress,
+        httpApiToken,
         keepaliveInterval,
         keepaliveTimeout,
     };
@@ -30,6 +34,8 @@ const useConfigDefaults = (config) => {
     }
     return {
         serverAddress: config.serverAddress,
+        httpServerAddress: config.httpServerAddress,
+        httpApiToken: config.httpApiToken,
         keepaliveTimeout: (_a = config.keepaliveTimeout) !== null && _a !== void 0 ? _a : 3 * 1000,
         keepaliveInterval: (_b = config.keepaliveInterval) !== null && _b !== void 0 ? _b : 40 * 1000,
     };

package/dist/management/client.js

@@ -15,20 +15,20 @@ const getUsers_1 = require("./getUsers");
 const updateUser_1 = require("./updateUser");
 const upsertRole_1 = require("./upsertRole");
 const newManagementClient = async (config) => {
-    config = (0, config_1.useConfigDefaults)(config);
-    const serviceClient = new auth_proto_1.ManagementServiceClient(config.serverAddress, grpc_js_1.credentials.createInsecure(), {
-        "grpc.keepalive_time_ms": config.keepaliveInterval,
-        "grpc.keepalive_timeout_ms": config.keepaliveTimeout,
+    const currentConfig = (0, config_1.useConfigDefaults)(config);
+    const serviceClient = new auth_proto_1.ManagementServiceClient(currentConfig.serverAddress, grpc_js_1.credentials.createInsecure(), {
+        "grpc.keepalive_time_ms": currentConfig.keepaliveInterval,
+        "grpc.keepalive_timeout_ms": currentConfig.keepaliveTimeout,
         "grpc.keepalive_permit_without_calls": 1,
     });
     const createScope = async (name, clientId = "") => {
-        await (0, createScope_1.createNewScope)(name, clientId, serviceClient);
+        await (0, createScope_1.createNewScope)(name, clientId, currentConfig);
     };
     const deleteScope = async (name, clientId = "") => {
-        await (0, deleteScope_1.deleteExistingScope)(name, clientId, serviceClient);
+        await (0, deleteScope_1.deleteExistingScope)(name, clientId, currentConfig);
     };
     const getScopes = async (clientId = "") => {
-        return await (0, getScopes_1.getAllScopes)(clientId, serviceClient);
+        return await (0, getScopes_1.getAllScopes)(clientId, currentConfig);
     };
     const upsertRole = async (tenantId, allowedScopes, id = "") => {
         return await (0, upsertRole_1.createOrUpdateRole)(tenantId, id, allowedScopes, serviceClient);

package/dist/management/createScope.d.ts

@@ -1,2 +1,2 @@
-import { ManagementServiceClient } from "@fraym/auth-proto";
-export declare const createNewScope: (name: string, clientId: string, serviceClient: ManagementServiceClient) => Promise<void>;
+import { ClientConfig } from "config/config";
+export declare const createNewScope: (name: string, clientId: string, config: ClientConfig) => Promise<void>;

package/dist/management/createScope.js

@@ -1,18 +1,17 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createNewScope = void 0;
-const createNewScope = async (name, clientId, serviceClient) => {
-    return new Promise((resolve, reject) => {
-        serviceClient.createScope({
-            name,
+const createNewScope = async (name, clientId, config) => {
+    await fetch(`${config.httpServerAddress}/management/scopes`, {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${config.httpApiToken}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
             clientId,
-        }, error => {
-            if (error) {
-                reject(error.message);
-                return;
-            }
-            resolve();
-        });
+            name,
+        }),
     });
 };
 exports.createNewScope = createNewScope;

package/dist/management/deleteScope.d.ts

@@ -1,2 +1,2 @@
-import { ManagementServiceClient } from "@fraym/auth-proto";
-export declare const deleteExistingScope: (name: string, clientId: string, serviceClient: ManagementServiceClient) => Promise<void>;
+import { ClientConfig } from "config/config";
+export declare const deleteExistingScope: (name: string, clientId: string, config: ClientConfig) => Promise<void>;

package/dist/management/deleteScope.js

@@ -1,18 +1,17 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.deleteExistingScope = void 0;
-const deleteExistingScope = async (name, clientId, serviceClient) => {
-    return new Promise((resolve, reject) => {
-        serviceClient.deleteScope({
-            name,
+const deleteExistingScope = async (name, clientId, config) => {
+    await fetch(`${config.httpServerAddress}/management/scopes`, {
+        method: "DELETE",
+        headers: {
+            Authorization: `Bearer ${config.httpApiToken}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
             clientId,
-        }, error => {
-            if (error) {
-                reject(error.message);
-                return;
-            }
-            resolve();
-        });
+            name,
+        }),
     });
 };
 exports.deleteExistingScope = deleteExistingScope;

package/dist/management/getScopes.d.ts

@@ -1,2 +1,2 @@
-import { ManagementServiceClient } from "@fraym/auth-proto";
-export declare const getAllScopes: (clientId: string, serviceClient: ManagementServiceClient) => Promise<string[]>;
+import { ClientConfig } from "config/config";
+export declare const getAllScopes: (clientId: string, config: ClientConfig) => Promise<string[]>;

package/dist/management/getScopes.js

@@ -1,17 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAllScopes = void 0;
-const getAllScopes = async (clientId, serviceClient) => {
-    return new Promise((resolve, reject) => {
-        serviceClient.getScopes({
+const getAllScopes = async (clientId, config) => {
+    const response = await fetch(`${config.httpServerAddress}/management/scopes/list`, {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${config.httpApiToken}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
             clientId,
-        }, (error, response) => {
-            if (error) {
-                reject(error.message);
-                return;
-            }
-            resolve(response.scopes);
-        });
+        }),
     });
+    const data = await response.json();
+    return data.scopes;
 };
 exports.getAllScopes = getAllScopes;

package/dist/util/token.d.ts

@@ -0,0 +1,8 @@
+export declare const generateJwt: (appSecret: string, tenantId: string, scopes?: string[], data?: Record<string, any>, expirationTime?: string) => Promise<string>;
+export declare const addDataToJwt: (appSecret: string, token: string, data: Record<string, any>) => Promise<string>;
+export interface TokenData {
+    userId: string;
+    scopes: string[];
+    exp: number;
+}
+export declare const getTokenData: (appSecret: string, token: string, requireUserId?: boolean) => Promise<TokenData>;

package/dist/util/token.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTokenData = exports.addDataToJwt = exports.generateJwt = void 0;
+const jose_1 = require("jose");
+const alg = "HS256";
+const generateJwt = async (appSecret, tenantId, scopes = [], data = {}, expirationTime = "5m") => {
+    const secret = new TextEncoder().encode(appSecret);
+    return await new jose_1.SignJWT({
+        type: "access_token",
+        tenantId,
+        scopes,
+        data,
+    })
+        .setProtectedHeader({
+        alg,
+        typ: "JWT",
+    })
+        .setIssuedAt()
+        .setNotBefore("0s")
+        .setIssuer("auth")
+        .setAudience(["fraym"])
+        .setExpirationTime(expirationTime)
+        .sign(secret);
+};
+exports.generateJwt = generateJwt;
+const addDataToJwt = async (appSecret, token, data) => {
+    var _a;
+    const secret = new TextEncoder().encode(appSecret);
+    const { payload, protectedHeader } = await (0, jose_1.jwtVerify)(token, secret);
+    if (!payload.exp) {
+        throw Error("expiration time is missing in JWT");
+    }
+    const newData = (_a = payload.data) !== null && _a !== void 0 ? _a : {};
+    for (let key in data) {
+        newData[key] = data[key];
+    }
+    return new jose_1.SignJWT(Object.assign(Object.assign({}, payload), { data: newData }))
+        .setProtectedHeader(protectedHeader)
+        .sign(secret);
+};
+exports.addDataToJwt = addDataToJwt;
+const getTokenData = async (appSecret, token, requireUserId = true) => {
+    var _a, _b;
+    const secret = new TextEncoder().encode(appSecret);
+    const { payload } = await (0, jose_1.jwtVerify)(token, secret);
+    if (!payload.exp) {
+        throw Error("expiration time is missing in JWT");
+    }
+    if (requireUserId && !payload.jti) {
+        throw Error("expiration time is missing in JWT");
+    }
+    return {
+        scopes: (_a = payload.scopes) !== null && _a !== void 0 ? _a : [],
+        userId: (_b = payload.jti) !== null && _b !== void 0 ? _b : "",
+        exp: payload.exp,
+    };
+};
+exports.getTokenData = getTokenData;

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@fraym/auth",
-    "version": "0.3.1",
+    "version": "0.5.0",
     "license": "UNLICENSED",
     "homepage": "https://github.com/fraym/auth-nodejs",
     "repository": {
@@ -33,6 +33,7 @@
         "@grpc/grpc-js": "^1.8.7",
         "dotenv": "^16.0.3",
         "graphql": "^16.6.0",
+        "jose": "^4.13.1",
         "yargs": "^17.6.2"
     },
     "devDependencies": {