@furystack/rest-service 11.0.7 → 12.1.0

package/src/http-user-context.ts

@@ -1,194 +1,164 @@
-import type { User } from '@furystack/core'
-import { StoreManager } from '@furystack/core'
-import { Injectable, Injected } from '@furystack/inject'
-import { PasswordAuthenticator, UnauthenticatedError } from '@furystack/security'
-import { randomBytes } from 'crypto'
-import type { IncomingMessage } from 'http'
-import { HttpAuthenticationSettings } from './http-authentication-settings.js'
-import type { DefaultSession } from './models/default-session.js'
-
-/**
- * Injectable UserContext for FuryStack HTTP Api
- */
-@Injectable({ lifetime: 'scoped' })
-export class HttpUserContext {
-  public getUserStore = () => this.authentication.getUserStore(this.storeManager)
-
-  public getSessionStore = () => this.authentication.getSessionStore(this.storeManager)
-
-  private getUserByName = async (userName: string) => {
-    const userStore = this.getUserStore()
-    const users = await userStore.find({ filter: { username: { $eq: userName } }, top: 2 })
-    if (users.length !== 1) {
-      throw new UnauthenticatedError()
-    }
-    return users[0]
-  }
-
-  private getSessionById = async (sessionId: string) => {
-    const sessionStore = this.getSessionStore()
-    const sessions = await sessionStore.find({ filter: { sessionId: { $eq: sessionId } }, top: 2 })
-    if (sessions.length !== 1) {
-      throw new UnauthenticatedError()
-    }
-    return sessions[0]
-  }
-
-  private user?: User
-
-  /**
-   * @param request The request to be authenticated
-   * @returns whether the current user is authenticated
-   */
-  public async isAuthenticated(request: IncomingMessage) {
-    try {
-      const currentUser = await this.getCurrentUser(request)
-      return currentUser !== null
-    } catch (error) {
-      return false
-    }
-  }
-
-  /**
-   * Returns whether the current user can be authorized with ALL of the specified roles
-   * @param request The request to be authenticated
-   * @param roles The list of roles to authorize
-   * @returns a boolean value that indicates whether the user is authorized
-   */
-  public async isAuthorized(request: IncomingMessage, ...roles: string[]): Promise<boolean> {
-    const currentUser = await this.getCurrentUser(request)
-    for (const role of roles) {
-      if (!currentUser || !currentUser.roles.some((c) => c === role)) {
-        return false
-      }
-    }
-    return true
-  }
-
-  /**
-   * Checks if the system contains a user with the provided name and password, throws an error otherwise
-   * @param userName The username
-   * @param password The password
-   * @returns the authenticated User
-   */
-  public async authenticateUser(userName: string, password: string) {
-    const result = await this.authenticator.checkPasswordForUser(userName, password)
-
-    if (!result.isValid) {
-      throw new UnauthenticatedError()
-    }
-    const user = await this.getUserByName(userName)
-    if (!user) {
-      throw new UnauthenticatedError()
-    }
-    return user
-  }
-
-  public async getCurrentUser(request: Pick<IncomingMessage, 'headers'>) {
-    if (!this.user) {
-      this.user = await this.authenticateRequest(request)
-      return this.user
-    }
-    return this.user
-  }
-
-  public getSessionIdFromRequest(request: Pick<IncomingMessage, 'headers'>): string | null {
-    if (request.headers.cookie) {
-      const cookies = request.headers.cookie
-        .toString()
-        .split(';')
-        .filter((val) => val.length > 0)
-        .map((val) => {
-          const [name, value] = val.split('=')
-          return { name: name?.trim(), value: value?.trim() }
-        })
-      const sessionCookie = cookies.find((c) => c.name === this.authentication.cookieName)
-      if (sessionCookie) {
-        return sessionCookie.value
-      }
-    }
-    return null
-  }
-
-  public async authenticateRequest(request: Pick<IncomingMessage, 'headers'>): Promise<User> {
-    // Basic auth
-    if (this.authentication.enableBasicAuth && request.headers.authorization) {
-      const authData = Buffer.from(request.headers.authorization.toString().split(' ')[1], 'base64')
-      const [userName, password] = authData.toString().split(':')
-      return await this.authenticateUser(userName, password)
-    }
-
-    // Cookie auth
-    const sessionId = this.getSessionIdFromRequest(request)
-    if (sessionId) {
-      const session = await this.getSessionById(sessionId)
-      if (session) {
-        const user = await this.getUserByName(session.username)
-        if (user) {
-          return user
-        }
-      }
-    }
-
-    throw new UnauthenticatedError()
-  }
-
-  /**
-   * Creates and sets up a cookie-based session for the provided user
-   * @param user The user to create a session for
-   * @param serverResponse A serverResponse to set the cookie
-   * @returns the current User
-   */
-  public async cookieLogin(
-    user: User,
-    serverResponse: { setHeader: (header: string, value: string) => void },
-  ): Promise<User> {
-    const sessionId = randomBytes(32).toString('hex')
-    await this.getSessionStore().add({ sessionId, username: user.username })
-    serverResponse.setHeader('Set-Cookie', `${this.authentication.cookieName}=${sessionId}; Path=/; HttpOnly`)
-    this.user = user
-    return user
-  }
-
-  public async cookieLogout(
-    request: Pick<IncomingMessage, 'headers'>,
-    response: { setHeader: (header: string, value: string) => void },
-  ) {
-    this.user = undefined
-    const sessionId = this.getSessionIdFromRequest(request)
-    response.setHeader('Set-Cookie', `${this.authentication.cookieName}=; Path=/; HttpOnly`)
-
-    if (sessionId) {
-      const sessionStore = this.getSessionStore()
-      const sessions = await sessionStore.find({ filter: { sessionId: { $eq: sessionId } } })
-      await this.getSessionStore().remove(...sessions.map((s) => s[sessionStore.primaryKey]))
-    }
-  }
-
-  @Injected(HttpAuthenticationSettings)
-  declare public readonly authentication: HttpAuthenticationSettings<User, DefaultSession>
-
-  @Injected(StoreManager)
-  declare private readonly storeManager: StoreManager
-
-  @Injected(PasswordAuthenticator)
-  declare private readonly authenticator: PasswordAuthenticator
-
-  public init() {
-    this.getUserStore().addListener('onEntityUpdated', ({ id, change }) => {
-      if (this.user?.username === id) {
-        this.user = { ...this.user, ...change }
-      }
-    })
-
-    this.getUserStore().addListener('onEntityRemoved', ({ key }) => {
-      if (this.user?.username === key) {
-        this.user = undefined
-      }
-    })
-
-    this.getSessionStore().addListener('onEntityRemoved', () => {
-      this.user = undefined // as user cannot be determined by the session id anymore
-    })
-  }
-}
+import type { User } from '@furystack/core'
+import { useSystemIdentityContext } from '@furystack/core'
+import type { Injector } from '@furystack/inject'
+import { Injectable, Injected } from '@furystack/inject'
+import { PasswordAuthenticator, UnauthenticatedError } from '@furystack/security'
+import { randomBytes } from 'crypto'
+import type { IncomingMessage } from 'http'
+import { extractSessionIdFromCookies } from './authentication-providers/helpers.js'
+import { HttpAuthenticationSettings } from './http-authentication-settings.js'
+import type { DefaultSession } from './models/default-session.js'
+
+/**
+ * Injectable UserContext for FuryStack HTTP Api
+ */
+@Injectable({ lifetime: 'scoped' })
+export class HttpUserContext {
+  public getUserDataSet = () => this.authentication.getUserDataSet(this.systemInjector)
+
+  public getSessionDataSet = () => this.authentication.getSessionDataSet(this.systemInjector)
+
+  private getUserByName = async (userName: string) => {
+    const userDataSet = this.getUserDataSet()
+    const users = await userDataSet.find(this.systemInjector, { filter: { username: { $eq: userName } }, top: 2 })
+    if (users.length !== 1) {
+      throw new UnauthenticatedError()
+    }
+    return users[0]
+  }
+
+  private user?: User
+
+  /**
+   * @param request The request to be authenticated
+   * @returns whether the current user is authenticated
+   */
+  public async isAuthenticated(request: IncomingMessage) {
+    try {
+      const currentUser = await this.getCurrentUser(request)
+      return currentUser !== null
+    } catch (error) {
+      return false
+    }
+  }
+
+  /**
+   * Returns whether the current user can be authorized with ALL of the specified roles
+   * @param request The request to be authenticated
+   * @param roles The list of roles to authorize
+   * @returns a boolean value that indicates whether the user is authorized
+   */
+  public async isAuthorized(request: IncomingMessage, ...roles: string[]): Promise<boolean> {
+    const currentUser = await this.getCurrentUser(request)
+    for (const role of roles) {
+      if (!currentUser || !currentUser.roles.some((c) => c === role)) {
+        return false
+      }
+    }
+    return true
+  }
+
+  /**
+   * Checks if the system contains a user with the provided name and password, throws an error otherwise
+   * @param userName The username
+   * @param password The password
+   * @returns the authenticated User
+   */
+  public async authenticateUser(userName: string, password: string) {
+    const result = await this.authenticator.checkPasswordForUser(userName, password)
+
+    if (!result.isValid) {
+      throw new UnauthenticatedError()
+    }
+    const user = await this.getUserByName(userName)
+    if (!user) {
+      throw new UnauthenticatedError()
+    }
+    return user
+  }
+
+  public async getCurrentUser(request: Pick<IncomingMessage, 'headers'>) {
+    if (!this.user) {
+      this.user = await this.authenticateRequest(request)
+      return this.user
+    }
+    return this.user
+  }
+
+  public getSessionIdFromRequest(request: Pick<IncomingMessage, 'headers'>): string | null {
+    return extractSessionIdFromCookies(request, this.authentication.cookieName)
+  }
+
+  /**
+   * Iterates registered authentication providers in order.
+   * - A provider returning `User` means authentication succeeded.
+   * - A provider returning `null` means it does not apply; try the next one.
+   * - A provider throwing means it owns the request but auth failed; propagate the error.
+   */
+  public async authenticateRequest(request: Pick<IncomingMessage, 'headers'>): Promise<User> {
+    for (const provider of this.authentication.authenticationProviders) {
+      const user = await provider.authenticate(request)
+      if (user) return user
+    }
+    throw new UnauthenticatedError()
+  }
+
+  /**
+   * Creates and sets up a cookie-based session for the provided user
+   * @param user The user to create a session for
+   * @param serverResponse A serverResponse to set the cookie
+   * @returns the current User
+   */
+  public async cookieLogin(
+    user: User,
+    serverResponse: { setHeader: (header: string, value: string) => void },
+  ): Promise<User> {
+    const sessionId = randomBytes(32).toString('hex')
+    await this.getSessionDataSet().add(this.systemInjector, { sessionId, username: user.username })
+    serverResponse.setHeader('Set-Cookie', `${this.authentication.cookieName}=${sessionId}; Path=/; HttpOnly`)
+    this.user = user
+    return user
+  }
+
+  public async cookieLogout(
+    request: Pick<IncomingMessage, 'headers'>,
+    response: { setHeader: (header: string, value: string) => void },
+  ) {
+    this.user = undefined
+    const sessionId = this.getSessionIdFromRequest(request)
+    response.setHeader('Set-Cookie', `${this.authentication.cookieName}=; Path=/; HttpOnly`)
+
+    if (sessionId) {
+      const sessionDataSet = this.getSessionDataSet()
+      const sessions = await sessionDataSet.find(this.systemInjector, { filter: { sessionId: { $eq: sessionId } } })
+      await sessionDataSet.remove(this.systemInjector, ...sessions.map((s) => s[sessionDataSet.primaryKey]))
+    }
+  }
+
+  @Injected(HttpAuthenticationSettings)
+  declare public readonly authentication: HttpAuthenticationSettings<User, DefaultSession>
+
+  @Injected((injector: Injector) => useSystemIdentityContext({ injector, username: 'HttpUserContext' }))
+  declare private readonly systemInjector: Injector
+
+  @Injected(PasswordAuthenticator)
+  declare private readonly authenticator: PasswordAuthenticator
+
+  public init() {
+    this.getUserDataSet().addListener('onEntityUpdated', ({ id, change }) => {
+      if (this.user?.username === id) {
+        this.user = { ...this.user, ...change }
+      }
+    })
+
+    this.getUserDataSet().addListener('onEntityRemoved', ({ key }) => {
+      if (this.user?.username === key) {
+        this.user = undefined
+      }
+    })
+
+    this.getSessionDataSet().addListener('onEntityRemoved', () => {
+      this.user = undefined
+    })
+  }
+}

package/src/index.ts

@@ -2,12 +2,14 @@ export * from './actions/index.js'
 export * from './add-cors-header.js'
 export * from './api-manager.js'
 export * from './authenticate.js'
+export * from './authentication-providers/index.js'
 export * from './authorize.js'
 export * from './endpoint-generators/index.js'
 export * from './get-schema-from-api.js'
 export * from './helpers.js'
 export * from './http-authentication-settings.js'
 export * from './http-user-context.js'
+export * from './login-response-strategy.js'
 export * from './mime-types.js'
 export * from './models/index.js'
 export * from './proxy-manager.js'

package/src/login-response-strategy.spec.ts

@@ -0,0 +1,90 @@
+import { InMemoryStore, User, addStore } from '@furystack/core'
+import { Injector } from '@furystack/inject'
+import { getRepository } from '@furystack/repository'
+import { PasswordCredential, PasswordResetToken, usePasswordPolicy } from '@furystack/security'
+import { usingAsync } from '@furystack/utils'
+import { describe, expect, it } from 'vitest'
+
+import { useHttpAuthentication } from './helpers.js'
+import { createCookieLoginStrategy } from './login-response-strategy.js'
+import { DefaultSession } from './models/default-session.js'
+
+const setupInjector = (i: Injector) => {
+  addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' }))
+    .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+    .addStore(new InMemoryStore({ model: PasswordCredential, primaryKey: 'userName' }))
+    .addStore(new InMemoryStore({ model: PasswordResetToken, primaryKey: 'token' }))
+
+  const repo = getRepository(i)
+  repo.createDataSet(User, 'username')
+  repo.createDataSet(DefaultSession, 'sessionId')
+  repo.createDataSet(PasswordCredential, 'userName')
+  repo.createDataSet(PasswordResetToken, 'token')
+
+  usePasswordPolicy(i)
+  useHttpAuthentication(i)
+}
+
+describe('createCookieLoginStrategy', () => {
+  const testUser: User = { username: 'testuser', roles: ['admin'] }
+
+  it('Should return the user as the response body', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      setupInjector(i)
+      const strategy = createCookieLoginStrategy(i)
+      const result = await strategy.createLoginResponse(testUser, i)
+      expect(result.chunk).toEqual(testUser)
+    })
+  })
+
+  it('Should return status code 200', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      setupInjector(i)
+      const strategy = createCookieLoginStrategy(i)
+      const result = await strategy.createLoginResponse(testUser, i)
+      expect(result.statusCode).toBe(200)
+    })
+  })
+
+  it('Should include a Set-Cookie header with the session ID', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      setupInjector(i)
+      const strategy = createCookieLoginStrategy(i)
+      const result = await strategy.createLoginResponse(testUser, i)
+      const setCookie = result.headers['Set-Cookie']
+      expect(setCookie).toBeDefined()
+      expect(setCookie).toContain('fss=')
+      expect(setCookie).toContain('Path=/')
+      expect(setCookie).toContain('HttpOnly')
+    })
+  })
+
+  it('Should persist the session in the DataSet', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      setupInjector(i)
+      const strategy = createCookieLoginStrategy(i)
+      await strategy.createLoginResponse(testUser, i)
+
+      const repo = getRepository(i)
+      const sessionDataSet = repo.getDataSetFor(DefaultSession, 'sessionId')
+      const sessions = await sessionDataSet.find(i, { filter: { username: { $eq: 'testuser' } } })
+      expect(sessions).toHaveLength(1)
+      expect(sessions[0].username).toBe('testuser')
+      expect(sessions[0].sessionId).toBeTruthy()
+    })
+  })
+
+  it('Should create unique session IDs for each call', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      setupInjector(i)
+      const strategy = createCookieLoginStrategy(i)
+
+      const result1 = await strategy.createLoginResponse(testUser, i)
+      const result2 = await strategy.createLoginResponse(testUser, i)
+
+      const sessionId1 = result1.headers['Set-Cookie']?.split('=')[1]?.split(';')[0]
+      const sessionId2 = result2.headers['Set-Cookie']?.split('=')[1]?.split(';')[0]
+      expect(sessionId1).not.toBe(sessionId2)
+    })
+  })
+})

package/src/login-response-strategy.ts

@@ -0,0 +1,48 @@
+import type { User } from '@furystack/core'
+import { useSystemIdentityContext } from '@furystack/core'
+import type { Injector } from '@furystack/inject'
+import { randomBytes } from 'crypto'
+
+import { HttpAuthenticationSettings } from './http-authentication-settings.js'
+import type { ActionResult } from './request-action-implementation.js'
+import { JsonResult } from './request-action-implementation.js'
+
+/**
+ * A pluggable strategy that turns an authenticated {@link User} into an
+ * {@link ActionResult} containing the session/token data for the client.
+ *
+ * Pass a concrete strategy to action factories like
+ * {@link createPasswordLoginAction} or `createGoogleLoginAction` to
+ * decouple the authentication mechanism from the session/token mechanism.
+ *
+ * @typeParam TResult The shape of the response body (e.g. `User` for cookies,
+ *   `{ accessToken: string; refreshToken: string }` for JWT)
+ */
+export type LoginResponseStrategy<TResult> = {
+  createLoginResponse: (user: User, injector: Injector) => Promise<ActionResult<TResult>>
+}
+
+/**
+ * Creates a cookie-based {@link LoginResponseStrategy}.
+ *
+ * On each login it generates a random session ID, persists it in the session
+ * DataSet, and returns the user with a `Set-Cookie` header.
+ *
+ * @param injector The root injector (must have {@link HttpAuthenticationSettings} configured)
+ * @returns A strategy that returns `ActionResult<User>`
+ */
+export const createCookieLoginStrategy = (injector: Injector): LoginResponseStrategy<User> => {
+  const settings = injector.getInstance(HttpAuthenticationSettings)
+  const systemInjector = useSystemIdentityContext({ injector, username: 'CookieLoginStrategy' })
+
+  return {
+    createLoginResponse: async (user) => {
+      const sessionDataSet = settings.getSessionDataSet(systemInjector)
+      const sessionId = randomBytes(32).toString('hex')
+      await sessionDataSet.add(systemInjector, { sessionId, username: user.username })
+      return JsonResult(user, 200, {
+        'Set-Cookie': `${settings.cookieName}=${sessionId}; Path=/; HttpOnly`,
+      })
+    },
+  }
+}

package/src/rest-service.integration.spec.ts

@@ -1,6 +1,7 @@
 import { InMemoryStore, User, addStore } from '@furystack/core'
 import { getPort } from '@furystack/core/port-generator'
 import { Injector } from '@furystack/inject'
+import { getRepository } from '@furystack/repository'
 import type { RestApi } from '@furystack/rest'
 import { serializeValue } from '@furystack/rest'
 import { PathHelper, usingAsync } from '@furystack/utils'
@@ -33,10 +34,10 @@ const createIntegrationApi = async () => {
   addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' })).addStore(
     new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }),
   )
-  useHttpAuthentication(i, {
-    getUserStore: (sm) => sm.getStoreFor(User, 'username'),
-    getSessionStore: (sm) => sm.getStoreFor(DefaultSession, 'sessionId'),
-  })
+  const repo = getRepository(i)
+  repo.createDataSet(User, 'username')
+  repo.createDataSet(DefaultSession, 'sessionId')
+  useHttpAuthentication(i)
   await useRestService<IntegrationTestApi>({
     injector: i,
     root,

package/src/validate.integration.spec.ts

@@ -2,6 +2,7 @@
 import { getStoreManager, InMemoryStore, User } from '@furystack/core'
 import { getPort } from '@furystack/core/port-generator'
 import { Injector } from '@furystack/inject'
+import { getRepository } from '@furystack/repository'
 import type { SwaggerDocument, WithSchemaAction } from '@furystack/rest'
 import { createClient, ResponseError } from '@furystack/rest-client-fetch'
 import { usingAsync } from '@furystack/utils'
@@ -32,6 +33,10 @@ const createValidateApi = async (options = { enableGetSchema: false }) => {
 
   getStoreManager(injector).addStore(new InMemoryStore({ model: User, primaryKey: 'username' }))
   getStoreManager(injector).addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+  getStoreManager(injector).addStore(new InMemoryStore({ model: MockClass, primaryKey: 'id' }))
+  getRepository(injector).createDataSet(MockClass, 'id')
+  getRepository(injector).createDataSet(User, 'username')
+  getRepository(injector).createDataSet(DefaultSession, 'sessionId')
 
   const api = await useRestService<ValidationApi>({
     injector,