@furystack/rest-service 11.0.7 → 12.0.0

package/src/http-user-context.spec.ts

@@ -1,7 +1,14 @@
 /* eslint-disable @typescript-eslint/ban-ts-comment */
-import { InMemoryStore, StoreManager, User, addStore } from '@furystack/core'
+import { InMemoryStore, StoreManager, User, addStore, useSystemIdentityContext } from '@furystack/core'
 import { Injector } from '@furystack/inject'
-import { PasswordAuthenticator, PasswordCredential, UnauthenticatedError } from '@furystack/security'
+import { getDataSetFor, getRepository } from '@furystack/repository'
+import {
+  PasswordAuthenticator,
+  PasswordCredential,
+  PasswordResetToken,
+  UnauthenticatedError,
+  usePasswordPolicy,
+} from '@furystack/security'
 import { usingAsync } from '@furystack/utils'
 import type { IncomingMessage, ServerResponse } from 'http'
 import { describe, expect, it, vi } from 'vitest'
@@ -9,12 +16,20 @@ import { useHttpAuthentication } from './helpers.js'
 import { HttpUserContext } from './http-user-context.js'
 import { DefaultSession } from './models/default-session.js'
 
-export const prepareInjector = async (i: Injector) => {
+export const prepareInjector = async (i: Injector, options?: { enableBasicAuth?: boolean }) => {
   addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' }))
     .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
     .addStore(new InMemoryStore({ model: PasswordCredential, primaryKey: 'userName' }))
+    .addStore(new InMemoryStore({ model: PasswordResetToken, primaryKey: 'token' }))
 
-  useHttpAuthentication(i)
+  const repo = getRepository(i)
+  repo.createDataSet(User, 'username')
+  repo.createDataSet(DefaultSession, 'sessionId')
+  repo.createDataSet(PasswordCredential, 'userName')
+  repo.createDataSet(PasswordResetToken, 'token')
+
+  usePasswordPolicy(i)
+  useHttpAuthentication(i, { enableBasicAuth: options?.enableBasicAuth ?? true })
 }
 
 const setupUser = async (i: Injector, userName: string, password: string) => {
@@ -184,31 +199,28 @@ describe('HttpUserContext', () => {
   })
 
   describe('authenticateRequest', () => {
-    it('Should try to authenticate with Basic, if enabled', async () => {
+    it('Should authenticate with Basic Auth when enabled and valid credentials provided', async () => {
       await usingAsync(new Injector(), async (i) => {
         await prepareInjector(i)
+        await setupUser(i, 'testuser', 'password')
         const ctx = i.getInstance(HttpUserContext)
-        ctx.authenticateUser = vi.fn(async () => testUser)
         const result = await ctx.authenticateRequest({
           headers: { authorization: `Basic dGVzdHVzZXI6cGFzc3dvcmQ=` },
         } as IncomingMessage)
-        expect(ctx.authenticateUser).toBeCalledWith('testuser', 'password')
-        expect(result).toBe(testUser)
+        expect(result.username).toBe('testuser')
       })
     })
 
-    it('Should NOT try to authenticate with Basic, if disabled', async () => {
+    it('Should NOT try to authenticate with Basic when disabled', async () => {
       await usingAsync(new Injector(), async (i) => {
-        await prepareInjector(i)
+        await prepareInjector(i, { enableBasicAuth: false })
+        await setupUser(i, 'testuser', 'password')
         const ctx = i.getInstance(HttpUserContext)
-        ctx.authentication.enableBasicAuth = false
-        ctx.authenticateUser = vi.fn(async () => testUser)
         await expect(
           ctx.authenticateRequest({
             headers: { authorization: `Basic dGVzdHVzZXI6cGFzc3dvcmQ=` },
           } as IncomingMessage),
         ).rejects.toThrowError(UnauthenticatedError)
-        expect(ctx.authenticateUser).not.toBeCalled()
       })
     })
 
@@ -228,9 +240,10 @@ describe('HttpUserContext', () => {
       await usingAsync(new Injector(), async (i) => {
         await prepareInjector(i)
         const ctx = i.getInstance(HttpUserContext)
-        await ctx.authentication
-          .getSessionStore(i.getInstance(StoreManager))
-          .add({ sessionId: '666', username: testUser.username })
+        await i.getInstance(StoreManager).getStoreFor(DefaultSession, 'sessionId').add({
+          sessionId: '666',
+          username: testUser.username,
+        })
         await expect(
           ctx.authenticateRequest({
             headers: { cookie: `${ctx.authentication.cookieName}=666;a=3` },
@@ -244,11 +257,15 @@ describe('HttpUserContext', () => {
         await prepareInjector(i)
 
         const ctx = i.getInstance(HttpUserContext)
-        await ctx.authentication
-          .getSessionStore(i.getInstance(StoreManager))
-          .add({ sessionId: '666', username: testUser.username })
+        await i.getInstance(StoreManager).getStoreFor(DefaultSession, 'sessionId').add({
+          sessionId: '666',
+          username: testUser.username,
+        })
 
-        await ctx.authentication.getUserStore(i.getInstance(StoreManager)).add({ ...testUser })
+        await i
+          .getInstance(StoreManager)
+          .getStoreFor(User, 'username')
+          .add({ ...testUser })
 
         const result = await ctx.authenticateRequest({
           headers: { cookie: `${ctx.authentication.cookieName}=666;a=3` },
@@ -257,6 +274,49 @@ describe('HttpUserContext', () => {
         expect(result).toEqual(testUser)
       })
     })
+
+    it('Should iterate providers and return null results pass to next', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const provider1 = vi.fn(async () => null)
+        const provider2 = vi.fn(async () => testUser)
+        ctx.authentication.authenticationProviders = [
+          { name: 'test-1', authenticate: provider1 },
+          { name: 'test-2', authenticate: provider2 },
+        ]
+        const result = await ctx.authenticateRequest(request)
+        expect(provider1).toHaveBeenCalledOnce()
+        expect(provider2).toHaveBeenCalledOnce()
+        expect(result).toBe(testUser)
+      })
+    })
+
+    it('Should throw if provider throws (skipping remaining providers)', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const provider1 = vi.fn(async () => {
+          throw new UnauthenticatedError()
+        })
+        const provider2 = vi.fn(async () => testUser)
+        ctx.authentication.authenticationProviders = [
+          { name: 'test-1', authenticate: provider1 },
+          { name: 'test-2', authenticate: provider2 },
+        ]
+        await expect(ctx.authenticateRequest(request)).rejects.toThrowError(UnauthenticatedError)
+        expect(provider2).not.toHaveBeenCalled()
+      })
+    })
+
+    it('Should throw UnauthenticatedError if no provider returns a user', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication.authenticationProviders = [{ name: 'test-1', authenticate: async () => null }]
+        await expect(ctx.authenticateRequest(request)).rejects.toThrowError(UnauthenticatedError)
+      })
+    })
   })
 
   describe('getCurrentUser', () => {
@@ -280,14 +340,13 @@ describe('HttpUserContext', () => {
         await prepareInjector(i)
         const ctx = i.getInstance(HttpUserContext)
         const setHeader = vi.fn()
+        const addMock = vi.fn(async () => ({}))
         // @ts-expect-error
-        ctx.getSessionStore().add = vi.fn(async () => {
-          return {}
-        })
+        ctx.getSessionDataSet = vi.fn(() => ({ add: addMock }))
         const authResult = await ctx.cookieLogin(testUser, { setHeader })
         expect(authResult).toBe(testUser)
         expect(setHeader).toBeCalled()
-        expect(ctx.getSessionStore().add).toBeCalled()
+        expect(addMock).toBeCalled()
       })
     })
   })
@@ -298,18 +357,22 @@ describe('HttpUserContext', () => {
         await prepareInjector(i)
         const ctx = i.getInstance(HttpUserContext)
         const setHeader = vi.fn()
+        const removeMock = vi.fn(async () => undefined)
+        const sessionDataSetMock = {
+          add: vi.fn(async () => ({})),
+          find: vi.fn(async () => [{ sessionId: 'example-session-id' }]),
+          remove: removeMock,
+          primaryKey: 'sessionId' as const,
+        }
         // @ts-expect-error
-        ctx.getSessionStore().add = vi.fn(async () => {
-          return {}
-        })
+        ctx.getSessionDataSet = vi.fn(() => sessionDataSetMock)
         ctx.authenticateRequest = vi.fn(async () => testUser)
-        ctx.getSessionStore().remove = vi.fn(async () => undefined)
         ctx.getSessionIdFromRequest = () => 'example-session-id'
         response.setHeader = vi.fn(() => response)
         await ctx.cookieLogin(testUser, { setHeader })
         await ctx.cookieLogout(request, response)
         expect(response.setHeader).toBeCalledWith('Set-Cookie', 'fss=; Path=/; HttpOnly')
-        expect(ctx.getSessionStore().remove).toBeCalled()
+        expect(removeMock).toBeCalled()
       })
     })
   })
@@ -319,23 +382,25 @@ describe('HttpUserContext', () => {
       return usingAsync(new Injector(), async (i) => {
         await prepareInjector(i)
         const ctx = i.getInstance(HttpUserContext)
-        const userStore = i.getInstance(StoreManager).getStoreFor(User, 'username')
-        await userStore.add(testUser)
+        const sm = i.getInstance(StoreManager)
+        await sm.getStoreFor(User, 'username').add(testUser)
 
         const pw = await i.getInstance(PasswordAuthenticator).hasher.createCredential(testUser.username, 'test')
-        await i.getInstance(StoreManager).getStoreFor(PasswordCredential, 'userName').add(pw)
+        await sm.getStoreFor(PasswordCredential, 'userName').add(pw)
 
         await ctx.cookieLogin(testUser, { setHeader: vi.fn() })
 
         const originalUser = await ctx.getCurrentUser(request)
         expect(originalUser).toEqual(testUser)
 
+        const systemInjector = useSystemIdentityContext({ injector: i, username: 'test' })
+        const userDataSet = getDataSetFor(systemInjector, User, 'username')
         const updatedUser = { ...testUser, roles: ['newFancyRole'] }
-        await userStore.update(testUser.username, updatedUser)
+        await userDataSet.update(systemInjector, testUser.username, updatedUser)
         const updatedUserFromContext = await ctx.getCurrentUser(request)
         expect(updatedUserFromContext.roles).toEqual(['newFancyRole'])
 
-        await userStore.update(testUser.username, { ...updatedUser, roles: [] })
+        await userDataSet.update(systemInjector, testUser.username, { ...updatedUser, roles: [] })
         const reloadedUserFromContext = await ctx.getCurrentUser(request)
         expect(reloadedUserFromContext.roles).toEqual([])
       })
@@ -345,18 +410,20 @@ describe('HttpUserContext', () => {
       return usingAsync(new Injector(), async (i) => {
         await prepareInjector(i)
         const ctx = i.getInstance(HttpUserContext)
-        const userStore = i.getInstance(StoreManager).getStoreFor(User, 'username')
-        await userStore.add(testUser)
+        const sm = i.getInstance(StoreManager)
+        await sm.getStoreFor(User, 'username').add(testUser)
 
         const pw = await i.getInstance(PasswordAuthenticator).hasher.createCredential(testUser.username, 'test')
-        await i.getInstance(StoreManager).getStoreFor(PasswordCredential, 'userName').add(pw)
+        await sm.getStoreFor(PasswordCredential, 'userName').add(pw)
 
         await ctx.cookieLogin(testUser, { setHeader: vi.fn() })
 
         const originalUser = await ctx.getCurrentUser(request)
         expect(originalUser).toEqual(testUser)
 
-        await userStore.remove(testUser.username)
+        const systemInjector = useSystemIdentityContext({ injector: i, username: 'test' })
+        const userDataSet = getDataSetFor(systemInjector, User, 'username')
+        await userDataSet.remove(systemInjector, testUser.username)
 
         await expect(() => ctx.getCurrentUser(request)).rejects.toThrowError(UnauthenticatedError)
       })
@@ -366,17 +433,17 @@ describe('HttpUserContext', () => {
       return usingAsync(new Injector(), async (i) => {
         await prepareInjector(i)
         const ctx = i.getInstance(HttpUserContext)
-        const userStore = i.getInstance(StoreManager).getStoreFor(User, 'username')
-        await userStore.add(testUser)
+        const sm = i.getInstance(StoreManager)
+        await sm.getStoreFor(User, 'username').add(testUser)
 
         let sessionId = ''
 
         const pw = await i.getInstance(PasswordAuthenticator).hasher.createCredential(testUser.username, 'test')
-        await i.getInstance(StoreManager).getStoreFor(PasswordCredential, 'userName').add(pw)
+        await sm.getStoreFor(PasswordCredential, 'userName').add(pw)
 
         await ctx.cookieLogin(testUser, {
           setHeader: (_headerName, headerValue) => {
-            sessionId = headerValue
+            sessionId = headerValue.split('=')[1].split(';')[0]
             return {} as ServerResponse
           },
         })
@@ -384,8 +451,9 @@ describe('HttpUserContext', () => {
         const originalUser = await ctx.getCurrentUser(request)
         expect(originalUser).toEqual(testUser)
 
-        const sessionStore = ctx.getSessionStore()
-        await sessionStore.remove(sessionId)
+        const systemInjector = useSystemIdentityContext({ injector: i, username: 'test' })
+        const sessionDataSet = getDataSetFor(systemInjector, DefaultSession, 'sessionId')
+        await sessionDataSet.remove(systemInjector, sessionId)
 
         await expect(() => ctx.getCurrentUser(request)).rejects.toThrowError(UnauthenticatedError)
       })

package/src/http-user-context.ts

@@ -1,9 +1,11 @@
 import type { User } from '@furystack/core'
-import { StoreManager } from '@furystack/core'
+import { useSystemIdentityContext } from '@furystack/core'
+import type { Injector } from '@furystack/inject'
 import { Injectable, Injected } from '@furystack/inject'
 import { PasswordAuthenticator, UnauthenticatedError } from '@furystack/security'
 import { randomBytes } from 'crypto'
 import type { IncomingMessage } from 'http'
+import { extractSessionIdFromCookies } from './authentication-providers/helpers.js'
 import { HttpAuthenticationSettings } from './http-authentication-settings.js'
 import type { DefaultSession } from './models/default-session.js'
 
@@ -12,28 +14,19 @@ import type { DefaultSession } from './models/default-session.js'
  */
 @Injectable({ lifetime: 'scoped' })
 export class HttpUserContext {
-  public getUserStore = () => this.authentication.getUserStore(this.storeManager)
+  public getUserDataSet = () => this.authentication.getUserDataSet(this.systemInjector)
 
-  public getSessionStore = () => this.authentication.getSessionStore(this.storeManager)
+  public getSessionDataSet = () => this.authentication.getSessionDataSet(this.systemInjector)
 
   private getUserByName = async (userName: string) => {
-    const userStore = this.getUserStore()
-    const users = await userStore.find({ filter: { username: { $eq: userName } }, top: 2 })
+    const userDataSet = this.getUserDataSet()
+    const users = await userDataSet.find(this.systemInjector, { filter: { username: { $eq: userName } }, top: 2 })
     if (users.length !== 1) {
       throw new UnauthenticatedError()
     }
     return users[0]
   }
 
-  private getSessionById = async (sessionId: string) => {
-    const sessionStore = this.getSessionStore()
-    const sessions = await sessionStore.find({ filter: { sessionId: { $eq: sessionId } }, top: 2 })
-    if (sessions.length !== 1) {
-      throw new UnauthenticatedError()
-    }
-    return sessions[0]
-  }
-
   private user?: User
 
   /**
@@ -93,43 +86,20 @@ export class HttpUserContext {
   }
 
   public getSessionIdFromRequest(request: Pick<IncomingMessage, 'headers'>): string | null {
-    if (request.headers.cookie) {
-      const cookies = request.headers.cookie
-        .toString()
-        .split(';')
-        .filter((val) => val.length > 0)
-        .map((val) => {
-          const [name, value] = val.split('=')
-          return { name: name?.trim(), value: value?.trim() }
-        })
-      const sessionCookie = cookies.find((c) => c.name === this.authentication.cookieName)
-      if (sessionCookie) {
-        return sessionCookie.value
-      }
-    }
-    return null
+    return extractSessionIdFromCookies(request, this.authentication.cookieName)
   }
 
+  /**
+   * Iterates registered authentication providers in order.
+   * - A provider returning `User` means authentication succeeded.
+   * - A provider returning `null` means it does not apply; try the next one.
+   * - A provider throwing means it owns the request but auth failed; propagate the error.
+   */
   public async authenticateRequest(request: Pick<IncomingMessage, 'headers'>): Promise<User> {
-    // Basic auth
-    if (this.authentication.enableBasicAuth && request.headers.authorization) {
-      const authData = Buffer.from(request.headers.authorization.toString().split(' ')[1], 'base64')
-      const [userName, password] = authData.toString().split(':')
-      return await this.authenticateUser(userName, password)
+    for (const provider of this.authentication.authenticationProviders) {
+      const user = await provider.authenticate(request)
+      if (user) return user
     }
-
-    // Cookie auth
-    const sessionId = this.getSessionIdFromRequest(request)
-    if (sessionId) {
-      const session = await this.getSessionById(sessionId)
-      if (session) {
-        const user = await this.getUserByName(session.username)
-        if (user) {
-          return user
-        }
-      }
-    }
-
     throw new UnauthenticatedError()
   }
 
@@ -144,7 +114,7 @@ export class HttpUserContext {
     serverResponse: { setHeader: (header: string, value: string) => void },
   ): Promise<User> {
     const sessionId = randomBytes(32).toString('hex')
-    await this.getSessionStore().add({ sessionId, username: user.username })
+    await this.getSessionDataSet().add(this.systemInjector, { sessionId, username: user.username })
     serverResponse.setHeader('Set-Cookie', `${this.authentication.cookieName}=${sessionId}; Path=/; HttpOnly`)
     this.user = user
     return user
@@ -159,36 +129,36 @@ export class HttpUserContext {
     response.setHeader('Set-Cookie', `${this.authentication.cookieName}=; Path=/; HttpOnly`)
 
     if (sessionId) {
-      const sessionStore = this.getSessionStore()
-      const sessions = await sessionStore.find({ filter: { sessionId: { $eq: sessionId } } })
-      await this.getSessionStore().remove(...sessions.map((s) => s[sessionStore.primaryKey]))
+      const sessionDataSet = this.getSessionDataSet()
+      const sessions = await sessionDataSet.find(this.systemInjector, { filter: { sessionId: { $eq: sessionId } } })
+      await sessionDataSet.remove(this.systemInjector, ...sessions.map((s) => s[sessionDataSet.primaryKey]))
     }
   }
 
   @Injected(HttpAuthenticationSettings)
   declare public readonly authentication: HttpAuthenticationSettings<User, DefaultSession>
 
-  @Injected(StoreManager)
-  declare private readonly storeManager: StoreManager
+  @Injected((injector: Injector) => useSystemIdentityContext({ injector, username: 'HttpUserContext' }))
+  declare private readonly systemInjector: Injector
 
   @Injected(PasswordAuthenticator)
   declare private readonly authenticator: PasswordAuthenticator
 
   public init() {
-    this.getUserStore().addListener('onEntityUpdated', ({ id, change }) => {
+    this.getUserDataSet().addListener('onEntityUpdated', ({ id, change }) => {
       if (this.user?.username === id) {
         this.user = { ...this.user, ...change }
       }
     })
 
-    this.getUserStore().addListener('onEntityRemoved', ({ key }) => {
+    this.getUserDataSet().addListener('onEntityRemoved', ({ key }) => {
       if (this.user?.username === key) {
         this.user = undefined
       }
     })
 
-    this.getSessionStore().addListener('onEntityRemoved', () => {
-      this.user = undefined // as user cannot be determined by the session id anymore
+    this.getSessionDataSet().addListener('onEntityRemoved', () => {
+      this.user = undefined
     })
   }
 }

package/src/index.ts

@@ -2,6 +2,7 @@ export * from './actions/index.js'
 export * from './add-cors-header.js'
 export * from './api-manager.js'
 export * from './authenticate.js'
+export * from './authentication-providers/index.js'
 export * from './authorize.js'
 export * from './endpoint-generators/index.js'
 export * from './get-schema-from-api.js'

package/src/rest-service.integration.spec.ts

@@ -1,6 +1,7 @@
 import { InMemoryStore, User, addStore } from '@furystack/core'
 import { getPort } from '@furystack/core/port-generator'
 import { Injector } from '@furystack/inject'
+import { getRepository } from '@furystack/repository'
 import type { RestApi } from '@furystack/rest'
 import { serializeValue } from '@furystack/rest'
 import { PathHelper, usingAsync } from '@furystack/utils'
@@ -33,10 +34,10 @@ const createIntegrationApi = async () => {
   addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' })).addStore(
     new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }),
   )
-  useHttpAuthentication(i, {
-    getUserStore: (sm) => sm.getStoreFor(User, 'username'),
-    getSessionStore: (sm) => sm.getStoreFor(DefaultSession, 'sessionId'),
-  })
+  const repo = getRepository(i)
+  repo.createDataSet(User, 'username')
+  repo.createDataSet(DefaultSession, 'sessionId')
+  useHttpAuthentication(i)
   await useRestService<IntegrationTestApi>({
     injector: i,
     root,

package/src/validate.integration.spec.ts

@@ -2,6 +2,7 @@
 import { getStoreManager, InMemoryStore, User } from '@furystack/core'
 import { getPort } from '@furystack/core/port-generator'
 import { Injector } from '@furystack/inject'
+import { getRepository } from '@furystack/repository'
 import type { SwaggerDocument, WithSchemaAction } from '@furystack/rest'
 import { createClient, ResponseError } from '@furystack/rest-client-fetch'
 import { usingAsync } from '@furystack/utils'
@@ -32,6 +33,10 @@ const createValidateApi = async (options = { enableGetSchema: false }) => {
 
   getStoreManager(injector).addStore(new InMemoryStore({ model: User, primaryKey: 'username' }))
   getStoreManager(injector).addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+  getStoreManager(injector).addStore(new InMemoryStore({ model: MockClass, primaryKey: 'id' }))
+  getRepository(injector).createDataSet(MockClass, 'id')
+  getRepository(injector).createDataSet(User, 'username')
+  getRepository(injector).createDataSet(DefaultSession, 'sessionId')
 
   const api = await useRestService<ValidationApi>({
     injector,