@furystack/rest-service 4.0.19

package/src/endpoint-generators/index.ts

@@ -0,0 +1,5 @@
+export * from './create-delete-endpoint'
+export * from './create-get-collection-endpoint'
+export * from './create-get-entity-endpoint'
+export * from './create-patch-endpoint'
+export * from './create-post-endpoint'

package/src/endpoint-generators/utils.ts

@@ -0,0 +1,34 @@
+import { Injector } from '@furystack/inject'
+import { InMemoryStore, User } from '@furystack/core'
+import { DefaultSession } from '../models/default-session'
+import '@furystack/repository'
+import '../injector-extensions'
+
+export class MockClass {
+  id!: string
+  value!: string
+}
+
+export const setupContext = (i: Injector) => {
+  i.setupStores((b) =>
+    b
+      .addStore(
+        new InMemoryStore({
+          model: MockClass,
+          primaryKey: 'id',
+        }),
+      )
+      .addStore(
+        new InMemoryStore({
+          model: User,
+          primaryKey: 'username',
+        }),
+      )
+      .addStore(
+        new InMemoryStore({
+          model: DefaultSession,
+          primaryKey: 'sessionId',
+        }),
+      ),
+  ).setupRepository((r) => r.createDataSet(MockClass, 'id'))
+}

package/src/http-authentication-settings.ts

@@ -0,0 +1,23 @@
+import { PhysicalStore, User, StoreManager } from '@furystack/core'
+import { Constructable, Injectable } from '@furystack/inject'
+import { sha256 } from 'hash.js'
+import { DefaultSession } from './models/default-session'
+
+/**
+ * Authentication settings object for FuryStack HTTP Api
+ */
+@Injectable({ lifetime: 'singleton' })
+export class HttpAuthenticationSettings<TUser extends User, TSession extends DefaultSession> {
+  public model: Constructable<TUser> = User as Constructable<TUser>
+
+  public getUserStore: (storeManager: StoreManager) => PhysicalStore<TUser & { password: string }, keyof TUser> = (
+    sm,
+  ) => sm.getStoreFor<TUser & { password: string }, keyof TUser>(User as any, 'username')
+
+  public getSessionStore: (storeManager: StoreManager) => PhysicalStore<TSession, keyof TSession> = (sm) =>
+    sm.getStoreFor(DefaultSession, 'sessionId') as unknown as PhysicalStore<TSession, keyof TSession>
+
+  public cookieName = 'fss'
+  public hashMethod: (plain: string) => string = (plain) => sha256().update(plain).digest('hex')
+  public enableBasicAuth = true
+}

package/src/http-user-context.spec.ts

@@ -0,0 +1,299 @@
+import { IncomingMessage, ServerResponse } from 'http'
+import { usingAsync } from '@furystack/utils'
+import { Injector } from '@furystack/inject'
+import { User, StoreManager, InMemoryStore } from '@furystack/core'
+import { DefaultSession } from './models/default-session'
+import { HttpUserContext } from './http-user-context'
+import './injector-extensions'
+
+export const prepareInjector = async (i: Injector) => {
+  i.setupStores((sm) =>
+    sm
+      .addStore(new InMemoryStore({ model: User, primaryKey: 'username' }))
+      .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' })),
+  )
+
+  i.useHttpAuthentication()
+  // await i.getInstance(ServerManager).getOrCreate({ port: 19999 })
+}
+
+describe('HttpUserContext', () => {
+  const request = { headers: {} } as IncomingMessage
+  const response = {} as any as ServerResponse
+
+  const testUser: User = { username: 'testUser', roles: ['grantedRole1', 'grantedRole2'] }
+
+  it('Should be constructed with the extension method', async () => {
+    await usingAsync(new Injector(), async (i) => {
+      await prepareInjector(i)
+      const ctx = i.getInstance(HttpUserContext)
+      expect(ctx).toBeInstanceOf(HttpUserContext)
+    })
+  })
+
+  describe('isAuthenticated', () => {
+    it('Should return true for authenticated users', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.getCurrentUser = jest.fn(async () => testUser)
+        const value = await ctx.isAuthenticated(request)
+        expect(value).toBe(true)
+        expect(ctx.getCurrentUser).toBeCalled()
+      })
+    })
+
+    it('Should return false for unauthenticated users', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.getCurrentUser = jest.fn(async () => {
+          throw Error(':(')
+        })
+        await expect(ctx.isAuthenticated(request)).resolves.toEqual(false)
+        expect(ctx.getCurrentUser).toBeCalled()
+      })
+    })
+  })
+
+  describe('isAuthorized', () => {
+    it('Should return true if all roles are authorized', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.getCurrentUser = jest.fn(async () => testUser)
+        const value = await ctx.isAuthorized(request, 'grantedRole1', 'grantedRole2')
+        expect(value).toBe(true)
+        expect(ctx.getCurrentUser).toBeCalled()
+      })
+    })
+
+    it('Should return false if not all roles are authorized', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.getCurrentUser = jest.fn(async () => testUser)
+        const value = await ctx.isAuthorized(request, 'grantedRole1', 'nonGrantedRole2')
+        expect(value).toBe(false)
+        expect(ctx.getCurrentUser).toBeCalled()
+      })
+    })
+  })
+
+  describe('authenticateUser', () => {
+    it('Should fail when the store is empty', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        await expect(ctx.authenticateUser('user', 'password')).rejects.toThrow('')
+      })
+    })
+
+    it('Should fail when the password not equals', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication
+          .getUserStore(i.getInstance(StoreManager))
+          .add({ username: 'user', password: ctx.authentication.hashMethod('pass123'), roles: [] })
+        await expect(ctx.authenticateUser('user', 'pass321')).rejects.toThrow('')
+      })
+    })
+
+    it('Should fail when the username not equals', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication
+          .getUserStore(i.getInstance(StoreManager))
+          .add({ username: 'otherUser', password: ctx.authentication.hashMethod('pass123'), roles: [] })
+        expect(ctx.authenticateUser('user', 'pass123')).rejects.toThrow('')
+      })
+    })
+
+    it('Should fail when password not provided', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication
+          .getUserStore(i.getInstance(StoreManager))
+          .add({ username: 'otherUser', password: ctx.authentication.hashMethod('pass123'), roles: [] })
+        await expect(ctx.authenticateUser('user', '')).rejects.toThrow('')
+      })
+    })
+
+    it('Should return the user without the password hash when the username and password matches', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const store = ctx.authentication.getUserStore(i.getInstance(StoreManager))
+        const loginUser = { username: 'user', roles: [] }
+        store.add({ ...loginUser, password: ctx.authentication.hashMethod('pass123') })
+        const value = await ctx.authenticateUser('user', 'pass123')
+        expect(value).toEqual(loginUser)
+      })
+    })
+  })
+
+  describe('getSessionIdFromRequest', () => {
+    it('Should return null if no headers present', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const sid = ctx.getSessionIdFromRequest(request)
+        expect(sid).toBeNull()
+      })
+    })
+
+    it('Should return null if no session ID cookie present', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const requestWithCookie = { ...request, cookie: 'a=2;b=3;c=4;' } as unknown as IncomingMessage
+        const ctx = i.getInstance(HttpUserContext)
+        const sid = ctx.getSessionIdFromRequest(requestWithCookie)
+        expect(sid).toBeNull()
+      })
+    })
+    it('Should return the Session ID value if session ID cookie present', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const requestWithAuthCookie = {
+          ...request,
+          headers: { cookie: `a=2;b=3;${ctx.authentication.cookieName}=666;c=4;` },
+        } as unknown as IncomingMessage
+
+        const sid = ctx.getSessionIdFromRequest(requestWithAuthCookie)
+        expect(sid).toBe('666')
+      })
+    })
+  })
+
+  describe('authenticateRequest', () => {
+    it('Should try to authenticate with Basic, if enabled', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authenticateUser = jest.fn(async () => testUser)
+        const result = await ctx.authenticateRequest({
+          headers: { authorization: `Basic dGVzdHVzZXI6cGFzc3dvcmQ=` },
+        } as IncomingMessage)
+        expect(ctx.authenticateUser).toBeCalledWith('testuser', 'password')
+        expect(result).toBe(testUser)
+      })
+    })
+
+    it('Should NOT try to authenticate with Basic, if disabled', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication.enableBasicAuth = false
+        ctx.authenticateUser = jest.fn(async () => testUser)
+        await expect(
+          ctx.authenticateRequest({
+            headers: { authorization: `Basic dGVzdHVzZXI6cGFzc3dvcmQ=` },
+          } as IncomingMessage),
+        ).rejects.toThrow('')
+        expect(ctx.authenticateUser).not.toBeCalled()
+      })
+    })
+
+    it('Should fail with no session in the store', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        await expect(
+          ctx.authenticateRequest({
+            headers: { cookie: `${ctx.authentication.cookieName}=666;a=3` },
+          } as IncomingMessage),
+        ).rejects.toThrow('')
+      })
+    })
+
+    it('Should fail with valid session Id but no user', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication
+          .getSessionStore(i.getInstance(StoreManager))
+          .add({ sessionId: '666', username: testUser.username })
+        await expect(
+          ctx.authenticateRequest({
+            headers: { cookie: `${ctx.authentication.cookieName}=666;a=3` },
+          } as IncomingMessage),
+        ).rejects.toThrow('')
+      })
+    })
+
+    it('Should authenticate with cookie, if the session IDs matches', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authentication
+          .getSessionStore(i.getInstance(StoreManager))
+          .add({ sessionId: '666', username: testUser.username })
+
+        ctx.authentication.getUserStore(i.getInstance(StoreManager)).add({ ...testUser, password: '' })
+
+        const result = await ctx.authenticateRequest({
+          headers: { cookie: `${ctx.authentication.cookieName}=666;a=3` },
+        } as IncomingMessage)
+
+        expect(result).toEqual(testUser)
+      })
+    })
+  })
+
+  describe('getCurrentUser', () => {
+    it('Should return the current user from authenticateRequest() once per request', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        ctx.authenticateRequest = jest.fn(async () => testUser)
+        const result = await ctx.getCurrentUser(request)
+        const result2 = await ctx.getCurrentUser(request)
+        expect(ctx.authenticateRequest).toBeCalledTimes(1)
+        expect(result).toBe(testUser)
+        expect(result2).toBe(testUser)
+      })
+    })
+  })
+
+  describe('cookieLogin', () => {
+    it('Should return the current user from authenticateRequest() once per request', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const setHeader = jest.fn()
+        ctx.getSessionStore().add = jest.fn(async () => {
+          return {} as any
+        })
+        const authResult = await ctx.cookieLogin(testUser, { setHeader } as any)
+        expect(authResult).toBe(testUser)
+        expect(setHeader).toBeCalled()
+        expect(ctx.getSessionStore().add).toBeCalled()
+      })
+    })
+  })
+
+  describe('cookieLogout', () => {
+    it('Should invalidate the current session id cookie', async () => {
+      await usingAsync(new Injector(), async (i) => {
+        await prepareInjector(i)
+        const ctx = i.getInstance(HttpUserContext)
+        const setHeader = jest.fn()
+        ctx.getSessionStore().add = jest.fn(async () => {
+          return {} as any
+        })
+        ctx.authenticateRequest = jest.fn(async () => testUser)
+        ctx.getSessionStore().remove = jest.fn(async () => undefined)
+        ctx.getSessionIdFromRequest = () => 'example-session-id'
+        response.setHeader = jest.fn(() => response)
+        await ctx.cookieLogin(testUser, { setHeader } as any)
+        await ctx.cookieLogout(request, response)
+        expect(response.setHeader).toBeCalledWith('Set-Cookie', 'fss=; Path=/; HttpOnly')
+        expect(ctx.getSessionStore().remove).toBeCalled()
+      })
+    })
+  })
+})

package/src/http-user-context.ts

@@ -0,0 +1,160 @@
+import { IncomingMessage, ServerResponse } from 'http'
+import { User, StoreManager } from '@furystack/core'
+import { Injectable } from '@furystack/inject'
+import { v1 } from 'uuid'
+import { HttpAuthenticationSettings } from './http-authentication-settings'
+import { DefaultSession } from 'models/default-session'
+
+/**
+ * Injectable UserContext for FuryStack HTTP Api
+ */
+@Injectable({ lifetime: 'scoped' })
+export class HttpUserContext {
+  public getUserStore = () => this.authentication.getUserStore(this.storeManager)
+
+  public getSessionStore = () => this.authentication.getSessionStore(this.storeManager)
+
+  private user?: User
+
+  /**
+   * @param request The request to be authenticated
+   * @returns if the current user is authenticated
+   */
+  public async isAuthenticated(request: IncomingMessage) {
+    try {
+      const currentUser = await this.getCurrentUser(request)
+      return currentUser !== null
+    } catch (error) {
+      return false
+    }
+  }
+
+  /**
+   * Returns if the current user can be authorized with ALL of the specified roles
+   *
+   * @param request The request to be authenticated
+   * @param roles The list of roles to authorize
+   * @returns a boolean value that indicates if the user is authenticated
+   */
+  public async isAuthorized(request: IncomingMessage, ...roles: string[]): Promise<boolean> {
+    const currentUser = await this.getCurrentUser(request)
+    for (const role of roles) {
+      if (!currentUser || !currentUser.roles.some((c) => c === role)) {
+        return false
+      }
+    }
+    return true
+  }
+
+  /**
+   * Checks if the system contains a user with the provided name and password, throws an error otherwise
+   *
+   * @param userName The username
+   * @param password The password
+   * @returns the authenticated User
+   */
+  public async authenticateUser(userName: string, password: string) {
+    const match =
+      (password &&
+        password.length &&
+        (await this.getUserStore().find({
+          filter: {
+            username: { $eq: userName },
+            password: { $eq: this.authentication.hashMethod(password) },
+          },
+        }))) ||
+      []
+    if (match.length === 1) {
+      const { password: pw, ...user } = match[0]
+      return user
+    }
+    throw Error('Failed to authenticate.')
+  }
+
+  public async getCurrentUser(request: IncomingMessage) {
+    if (!this.user) {
+      this.user = await this.authenticateRequest(request)
+      return this.user
+    }
+    return this.user
+  }
+
+  public getSessionIdFromRequest(request: IncomingMessage): string | null {
+    if (request.headers.cookie) {
+      const cookies = request.headers.cookie
+        .toString()
+        .split(';')
+        .filter((val) => val.length > 0)
+        .map((val) => {
+          const [name, value] = val.split('=')
+          return { name: name.trim(), value: value.trim() }
+        })
+      const sessionCookie = cookies.find((c) => c.name === this.authentication.cookieName)
+      if (sessionCookie) {
+        return sessionCookie.value
+      }
+    }
+    return null
+  }
+
+  public async authenticateRequest(request: IncomingMessage): Promise<User> {
+    // Basic auth
+    if (this.authentication.enableBasicAuth && request.headers.authorization) {
+      const authData = Buffer.from(request.headers.authorization.toString().split(' ')[1], 'base64')
+      const [userName, password] = authData.toString().split(':')
+      return await this.authenticateUser(userName, password)
+    }
+
+    // Cookie auth
+    const sessionId = this.getSessionIdFromRequest(request)
+    if (sessionId) {
+      const [session] = await this.getSessionStore().find({ filter: { sessionId: { $eq: sessionId } }, top: 2 })
+      if (session) {
+        const userResult = await this.getUserStore().find({
+          filter: {
+            username: { $eq: session.username },
+          },
+          top: 2,
+        })
+        if (userResult.length === 1) {
+          const { password, ...user } = userResult[0]
+          return user
+        }
+        throw Error('Inconsistent session result')
+      }
+    }
+
+    throw Error('Failed to authenticate request')
+  }
+
+  /**
+   * Creates and sets up a cookie-based session for the provided user
+   *
+   * @param user The user to create a session for
+   * @param serverResponse A serverResponse to set the cookie
+   * @returns the current User
+   */
+  public async cookieLogin(user: User, serverResponse: ServerResponse): Promise<User> {
+    const sessionId = v1()
+    await this.getSessionStore().add({ sessionId, username: user.username })
+    serverResponse.setHeader('Set-Cookie', `${this.authentication.cookieName}=${sessionId}; Path=/; HttpOnly`)
+    this.user = user
+    return user
+  }
+
+  public async cookieLogout(request: IncomingMessage, response: ServerResponse) {
+    const sessionId = this.getSessionIdFromRequest(request)
+    response.setHeader('Set-Cookie', `${this.authentication.cookieName}=; Path=/; HttpOnly`)
+    this.user = undefined
+    if (sessionId) {
+      const sessionStore = this.getSessionStore()
+      const sessions = await sessionStore.find({ filter: { sessionId: { $eq: sessionId } } })
+      await this.getSessionStore().remove(...sessions.map((s) => s[sessionStore.primaryKey]))
+    }
+  }
+
+  constructor(
+    public readonly authentication: HttpAuthenticationSettings<User, DefaultSession>,
+    private readonly storeManager: StoreManager,
+  ) {}
+}