npm - @furystack/rest-service - Versions diffs - 12.0.0 → 12.1.0 - Mend

@furystack/rest-service 12.0.0 → 12.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/CHANGELOG.md +52 -0
package/esm/actions/index.d.ts +1 -0
package/esm/actions/index.d.ts.map +1 -1
package/esm/actions/index.js +1 -0
package/esm/actions/index.js.map +1 -1
package/esm/actions/login.d.ts +7 -3
package/esm/actions/login.d.ts.map +1 -1
package/esm/actions/login.js +11 -5
package/esm/actions/login.js.map +1 -1
package/esm/actions/password-login-action.d.ts +24 -0
package/esm/actions/password-login-action.d.ts.map +1 -0
package/esm/actions/password-login-action.js +31 -0
package/esm/actions/password-login-action.js.map +1 -0
package/esm/actions/password-login-action.spec.d.ts +2 -0
package/esm/actions/password-login-action.spec.d.ts.map +1 -0
package/esm/actions/password-login-action.spec.js +105 -0
package/esm/actions/password-login-action.spec.js.map +1 -0
package/esm/index.d.ts +1 -0
package/esm/index.d.ts.map +1 -1
package/esm/index.js +1 -0
package/esm/index.js.map +1 -1
package/esm/login-response-strategy.d.ts +28 -0
package/esm/login-response-strategy.d.ts.map +1 -0
package/esm/login-response-strategy.js +28 -0
package/esm/login-response-strategy.js.map +1 -0
package/esm/login-response-strategy.spec.d.ts +2 -0
package/esm/login-response-strategy.spec.d.ts.map +1 -0
package/esm/login-response-strategy.spec.js +78 -0
package/esm/login-response-strategy.spec.js.map +1 -0
package/package.json +7 -7
package/src/actions/index.ts +1 -0
package/src/actions/login.ts +12 -6
package/src/actions/password-login-action.spec.ts +122 -0
package/src/actions/password-login-action.ts +35 -0
package/src/http-authentication-settings.ts +30 -30
package/src/http-user-context.spec.ts +462 -462
package/src/http-user-context.ts +164 -164
package/src/index.ts +1 -0
package/src/login-response-strategy.spec.ts +90 -0
package/src/login-response-strategy.ts +48 -0

package/src/actions/password-login-action.spec.ts ADDED Viewed

@@ -0,0 +1,122 @@
+import { InMemoryStore, StoreManager, User, addStore } from '@furystack/core'
+import { Injector } from '@furystack/inject'
+import { getRepository } from '@furystack/repository'
+import { PasswordAuthenticator, PasswordCredential, PasswordResetToken, usePasswordPolicy } from '@furystack/security'
+import { usingAsync } from '@furystack/utils'
+import type { IncomingMessage, ServerResponse } from 'http'
+import { describe, expect, it, vi } from 'vitest'
+import { useHttpAuthentication } from '../helpers.js'
+import type { LoginResponseStrategy } from '../login-response-strategy.js'
+import { DefaultSession } from '../models/default-session.js'
+import { JsonResult } from '../request-action-implementation.js'
+import { createPasswordLoginAction } from './password-login-action.js'
+const setupInjector = async (i: Injector, username: string, password: string) => {
+  addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' }))
+    .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+    .addStore(new InMemoryStore({ model: PasswordCredential, primaryKey: 'userName' }))
+    .addStore(new InMemoryStore({ model: PasswordResetToken, primaryKey: 'token' }))
+  const repo = getRepository(i)
+  repo.createDataSet(User, 'username')
+  repo.createDataSet(DefaultSession, 'sessionId')
+  repo.createDataSet(PasswordCredential, 'userName')
+  repo.createDataSet(PasswordResetToken, 'token')
+  usePasswordPolicy(i)
+  useHttpAuthentication(i)
+  const sm = i.getInstance(StoreManager)
+  const pw = i.getInstance(PasswordAuthenticator)
+  const cred = await pw.hasher.createCredential(username, password)
+  await sm.getStoreFor(PasswordCredential, 'userName').add(cred)
+  await sm.getStoreFor(User, 'username').add({ username, roles: ['admin'] })
+}
+const mockStrategy: LoginResponseStrategy<User> = {
+  createLoginResponse: vi.fn(async (user: User) => JsonResult(user, 200)),
+}
+describe('createPasswordLoginAction', () => {
+  const request = {} as IncomingMessage
+  const response = {} as ServerResponse
+  it('Should delegate to the strategy on successful authentication', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      await setupInjector(i, 'testuser', 'testpass')
+      const action = createPasswordLoginAction(mockStrategy)
+      const result = await action({
+        injector: i,
+        request,
+        response,
+        getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+      })
+      expect(mockStrategy.createLoginResponse).toHaveBeenCalled()
+      expect(result.chunk.username).toBe('testuser')
+    })
+  })
+  it('Should pass the correct user to the strategy', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      await setupInjector(i, 'testuser', 'testpass')
+      const strategyFn = vi.fn(async (user: User) => JsonResult(user, 200))
+      const strategy: LoginResponseStrategy<User> = { createLoginResponse: strategyFn }
+      const action = createPasswordLoginAction(strategy)
+      await action({
+        injector: i,
+        request,
+        response,
+        getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+      })
+      expect(strategyFn).toHaveBeenCalledWith(expect.objectContaining({ username: 'testuser', roles: ['admin'] }), i)
+    })
+  })
+  it('Should throw RequestError on invalid credentials', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      await setupInjector(i, 'testuser', 'testpass')
+      const action = createPasswordLoginAction(mockStrategy)
+      await expect(
+        action({
+          injector: i,
+          request,
+          response,
+          getBody: () => Promise.resolve({ username: 'testuser', password: 'wrongpass' }),
+        }),
+      ).rejects.toThrow('Login Failed')
+    })
+  })
+  it('Should throw RequestError for nonexistent user', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      await setupInjector(i, 'testuser', 'testpass')
+      const action = createPasswordLoginAction(mockStrategy)
+      await expect(
+        action({
+          injector: i,
+          request,
+          response,
+          getBody: () => Promise.resolve({ username: 'nobody', password: 'nopass' }),
+        }),
+      ).rejects.toThrow('Login Failed')
+    })
+  })
+  it('Should work with a custom result type from strategy', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      await setupInjector(i, 'testuser', 'testpass')
+      const tokenStrategy: LoginResponseStrategy<{ accessToken: string }> = {
+        createLoginResponse: async () => JsonResult({ accessToken: 'tok123' }, 200),
+      }
+      const action = createPasswordLoginAction(tokenStrategy)
+      const result = await action({
+        injector: i,
+        request,
+        response,
+        getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+      })
+      expect(result.chunk.accessToken).toBe('tok123')
+    })
+  })
+})

package/src/actions/password-login-action.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { RequestError } from '@furystack/rest'
+import { sleepAsync } from '@furystack/utils'
+import { HttpUserContext } from '../http-user-context.js'
+import type { LoginResponseStrategy } from '../login-response-strategy.js'
+import type { RequestAction } from '../request-action-implementation.js'
+/**
+ * Creates a login {@link RequestAction} that authenticates a user by
+ * username + password, then delegates session/token creation to the
+ * provided {@link LoginResponseStrategy}.
+ *
+ * The return type is inferred from the strategy:
+ * - Cookie strategy -> `ActionResult<User>`
+ * - JWT strategy   -> `ActionResult<{ accessToken: string; refreshToken: string }>`
+ *
+ * A random delay (0-1 s) is added on failure to mitigate timing attacks.
+ *
+ * @param strategy The login response strategy that produces the session/token result
+ * @returns A `RequestAction` that can be wired into a REST API route
+ */
+export const createPasswordLoginAction = <TResult>(
+  strategy: LoginResponseStrategy<TResult>,
+): RequestAction<{ result: TResult; body: { username: string; password: string } }> => {
+  return async ({ injector, getBody }) => {
+    const body = await getBody()
+    try {
+      const user = await injector.getInstance(HttpUserContext).authenticateUser(body.username, body.password)
+      return strategy.createLoginResponse(user, injector)
+    } catch {
+      await sleepAsync(Math.random() * 1000)
+      throw new RequestError('Login Failed', 400)
+    }
+  }
+}

package/src/http-authentication-settings.ts CHANGED Viewed

@@ -1,30 +1,30 @@
-import { User } from '@furystack/core'
-import type { Constructable, Injector } from '@furystack/inject'
-import { Injectable } from '@furystack/inject'
-import type { DataSet } from '@furystack/repository'
-import { getDataSetFor } from '@furystack/repository'
-import type { AuthenticationProvider } from './authentication-providers/authentication-provider.js'
-import { DefaultSession } from './models/default-session.js'
-/**
- * Authentication settings object for FuryStack HTTP Api
- */
-@Injectable({ lifetime: 'singleton' })
-export class HttpAuthenticationSettings<TUser extends User, TSession extends DefaultSession> {
-  public model: Constructable<TUser> = User as Constructable<TUser>
-  public getUserDataSet = (injector: Injector) => getDataSetFor(injector, User, 'username')
-  public getSessionDataSet: (injector: Injector) => DataSet<TSession, keyof TSession> = (injector) =>
-    getDataSetFor(injector, DefaultSession, 'sessionId') as unknown as DataSet<TSession, keyof TSession>
-  public cookieName = 'fss'
-  public enableBasicAuth = true
-  /**
-   * Ordered list of authentication providers. Populated by {@link useHttpAuthentication}
-   * and extended by `useJwtAuthentication()` or other auth plugins.
-   * Safe to mutate only during setup, before the first request is served.
-   */
-  public authenticationProviders: AuthenticationProvider[] = []
-}
+import { User } from '@furystack/core'
+import type { Constructable, Injector } from '@furystack/inject'
+import { Injectable } from '@furystack/inject'
+import type { DataSet } from '@furystack/repository'
+import { getDataSetFor } from '@furystack/repository'
+import type { AuthenticationProvider } from './authentication-providers/authentication-provider.js'
+import { DefaultSession } from './models/default-session.js'
+/**
+ * Authentication settings object for FuryStack HTTP Api
+ */
+@Injectable({ lifetime: 'singleton' })
+export class HttpAuthenticationSettings<TUser extends User, TSession extends DefaultSession> {
+  public model: Constructable<TUser> = User as Constructable<TUser>
+  public getUserDataSet = (injector: Injector) => getDataSetFor(injector, User, 'username')
+  public getSessionDataSet: (injector: Injector) => DataSet<TSession, keyof TSession> = (injector) =>
+    getDataSetFor(injector, DefaultSession, 'sessionId') as unknown as DataSet<TSession, keyof TSession>
+  public cookieName = 'fss'
+  public enableBasicAuth = true
+  /**
+   * Ordered list of authentication providers. Populated by {@link useHttpAuthentication}
+   * and extended by `useJwtAuthentication()` or other auth plugins.
+   * Safe to mutate only during setup, before the first request is served.
+   */
+  public authenticationProviders: AuthenticationProvider[] = []
+}