@hemia/core 0.0.10 → 0.0.13

package/dist/hemia-core.esm.js

@@ -1,12 +1,12 @@
 import 'reflect-metadata';
 import express, { Router } from 'express';
-import { METADATA_KEYS, ParamType, ApiResponse, isRedirectResponse, ControllerRegistry } from '@hemia/common';
+import { METADATA_KEYS, ParamType, ApiResponse, isRedirectResponse, ControllerRegistry, CustomHttpError } from '@hemia/common';
 import { TRACE_METADATA_KEY } from '@hemia/trace-manager';
 import { traceMiddleware } from '@hemia/app-context';
 import { plainToInstance } from 'class-transformer';
 import multer from 'multer';
 import { injectable, inject } from 'inversify';
-import { AUTH_SERVICE_ID, AuthService } from '@hemia/auth-sdk';
+import { AUTH_SERVICE_ID, AuthService, OAuthService } from '@hemia/auth-sdk';
 
 class GuardsConsumer {
     /**
@@ -338,9 +338,9 @@ class AppFactory {
             const defaultHeaders = {
                 'Access-Control-Allow-Origin': req.headers.origin || '*',
                 'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE,PATCH,OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session, x-client-id, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
                 'Access-Control-Allow-Credentials': 'true',
-                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session',
+                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
             };
             const headers = { ...defaultHeaders, ...(options.corsHeaders || {}) };
             Object.entries(headers).forEach(([key, value]) => {
@@ -392,6 +392,7 @@ class AppFactory {
 /**
  * Guardia de autorización que verifica roles y permisos definidos en los controladores y métodos.
  * Utiliza los metadatos definidos con los decoradores @Roles y @Permissions.
+ * Soporta wildcards en permisos jerárquicos (ej: account:*, account:email:*)
  */
 let AuthGuard = class AuthGuard {
     constructor(reflector) {
@@ -422,12 +423,36 @@ let AuthGuard = class AuthGuard {
         }
         if (requiredPermissions) {
             const userPermissions = Array.isArray(permissions) ? permissions : [];
-            const hasPermission = requiredPermissions.some((perm) => userPermissions.includes(perm));
+            const hasPermission = requiredPermissions.some((requiredPerm) => this.checkPermission(requiredPerm, userPermissions));
             if (!hasPermission)
                 return false;
         }
         return true;
     }
+    /**
+     * Verifica si el usuario tiene un permiso requerido, soportando wildcards
+     * @param requiredPermission Permiso requerido (ej: account:email:update)
+     * @param userPermissions Array de permisos del usuario
+     * @returns true si el usuario tiene el permiso
+     */
+    checkPermission(requiredPermission, userPermissions) {
+        const requiredParts = requiredPermission.split(':');
+        return userPermissions.some(userPerm => {
+            const userParts = userPerm.split(':');
+            for (let i = 0; i < requiredParts.length; i++) {
+                if (userParts[i] === '*') {
+                    return true;
+                }
+                if (i >= userParts.length) {
+                    return false;
+                }
+                if (userParts[i] !== requiredParts[i]) {
+                    return false;
+                }
+            }
+            return true;
+        });
+    }
 };
 AuthGuard = __decorate([
     injectable(),
@@ -500,4 +525,112 @@ JWTGuard = __decorate([
     __metadata("design:paramtypes", [AuthService])
 ], JWTGuard);
 
-export { ApiKeyGuard, AppFactory, AuthGuard, GuardsConsumer, HemiaExecutionContext, JWTGuard, Reflector, ResponseSerializer, registerRoutes };
+let PublicClientGuard = class PublicClientGuard {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const clientId = request.headers['x-client-id'] || request.body.client_id;
+        if (!clientId) {
+            return false;
+        }
+        const client = await this.oauthService.getByClientId(clientId);
+        if (!client || !client.isActive) {
+            return false;
+        }
+        request.oauthClient = client;
+        return true;
+    }
+};
+PublicClientGuard = __decorate([
+    injectable(),
+    __param(0, inject(OAuthService)),
+    __metadata("design:paramtypes", [OAuthService])
+], PublicClientGuard);
+
+var ThrottleGuard_1;
+let ThrottleGuard = ThrottleGuard_1 = class ThrottleGuard {
+    constructor() {
+        if (!ThrottleGuard_1.cleanupInterval) {
+            ThrottleGuard_1.cleanupInterval = setInterval(() => {
+                this.cleanup();
+            }, 60000);
+            ThrottleGuard_1.cleanupInterval.unref();
+        }
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const handler = context.getHandler();
+        const options = Reflect.getMetadata(METADATA_KEYS.THROTTLE, handler);
+        if (!options) {
+            return true;
+        }
+        if (options.skipIf && options.skipIf(context)) {
+            return true;
+        }
+        const ip = this.getClientIp(request);
+        const endpointKey = `${context.getClass().name}:${handler.name}`;
+        const key = `throttle:${endpointKey}:${ip}`;
+        const now = Date.now();
+        const ttlMs = options.ttl * 1000;
+        let record = ThrottleGuard_1.storage.get(key);
+        if (!record || record.expiresAt < now) {
+            record = {
+                hits: 0,
+                expiresAt: now + ttlMs
+            };
+        }
+        record.hits++;
+        ThrottleGuard_1.storage.set(key, record);
+        if (record.hits > options.limit) {
+            const response = context.switchToHttp().getResponse();
+            const retryAfter = Math.ceil((record.expiresAt - now) / 1000);
+            this.setHeaders(response, options.limit, 0, retryAfter);
+            throw new CustomHttpError('Too Many Requests', 429, 'rate_limit_exceeded');
+        }
+        const response = context.switchToHttp().getResponse();
+        const remaining = Math.max(0, options.limit - record.hits);
+        this.setHeaders(response, options.limit, remaining, options.ttl);
+        return true;
+    }
+    /**
+     * Limpia las entradas expiradas para evitar fugas de memoria
+     */
+    cleanup() {
+        const now = Date.now();
+        ThrottleGuard_1.storage.forEach((value, key) => {
+            if (value.expiresAt < now) {
+                ThrottleGuard_1.storage.delete(key);
+            }
+        });
+    }
+    getClientIp(request) {
+        const headers = request.headers;
+        if (headers['cf-connecting-ip'])
+            return headers['cf-connecting-ip'];
+        if (headers['x-forwarded-for']) {
+            return headers['x-forwarded-for'].split(',')[0].trim();
+        }
+        if (headers['x-real-ip'])
+            return headers['x-real-ip'];
+        return request.socket?.remoteAddress || request.ip || 'unknown';
+    }
+    setHeaders(res, limit, remaining, resetOrRetry) {
+        if (res && typeof res.setHeader === 'function') {
+            res.setHeader('X-RateLimit-Limit', limit);
+            res.setHeader('X-RateLimit-Remaining', remaining);
+            if (remaining === 0) {
+                res.setHeader('Retry-After', resetOrRetry);
+            }
+        }
+    }
+};
+ThrottleGuard.storage = new Map();
+ThrottleGuard.cleanupInterval = null;
+ThrottleGuard = ThrottleGuard_1 = __decorate([
+    injectable(),
+    __metadata("design:paramtypes", [])
+], ThrottleGuard);
+
+export { ApiKeyGuard, AppFactory, AuthGuard, GuardsConsumer, HemiaExecutionContext, JWTGuard, PublicClientGuard, Reflector, ResponseSerializer, ThrottleGuard, registerRoutes };

package/dist/hemia-core.js

@@ -340,9 +340,9 @@ class AppFactory {
             const defaultHeaders = {
                 'Access-Control-Allow-Origin': req.headers.origin || '*',
                 'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE,PATCH,OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session, x-client-id, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
                 'Access-Control-Allow-Credentials': 'true',
-                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session',
+                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
             };
             const headers = { ...defaultHeaders, ...(options.corsHeaders || {}) };
             Object.entries(headers).forEach(([key, value]) => {
@@ -394,6 +394,7 @@ class AppFactory {
 /**
  * Guardia de autorización que verifica roles y permisos definidos en los controladores y métodos.
  * Utiliza los metadatos definidos con los decoradores @Roles y @Permissions.
+ * Soporta wildcards en permisos jerárquicos (ej: account:*, account:email:*)
  */
 exports.AuthGuard = class AuthGuard {
     constructor(reflector) {
@@ -424,12 +425,36 @@ exports.AuthGuard = class AuthGuard {
         }
         if (requiredPermissions) {
             const userPermissions = Array.isArray(permissions) ? permissions : [];
-            const hasPermission = requiredPermissions.some((perm) => userPermissions.includes(perm));
+            const hasPermission = requiredPermissions.some((requiredPerm) => this.checkPermission(requiredPerm, userPermissions));
             if (!hasPermission)
                 return false;
         }
         return true;
     }
+    /**
+     * Verifica si el usuario tiene un permiso requerido, soportando wildcards
+     * @param requiredPermission Permiso requerido (ej: account:email:update)
+     * @param userPermissions Array de permisos del usuario
+     * @returns true si el usuario tiene el permiso
+     */
+    checkPermission(requiredPermission, userPermissions) {
+        const requiredParts = requiredPermission.split(':');
+        return userPermissions.some(userPerm => {
+            const userParts = userPerm.split(':');
+            for (let i = 0; i < requiredParts.length; i++) {
+                if (userParts[i] === '*') {
+                    return true;
+                }
+                if (i >= userParts.length) {
+                    return false;
+                }
+                if (userParts[i] !== requiredParts[i]) {
+                    return false;
+                }
+            }
+            return true;
+        });
+    }
 };
 exports.AuthGuard = __decorate([
     inversify.injectable(),
@@ -502,6 +527,114 @@ exports.JWTGuard = __decorate([
     __metadata("design:paramtypes", [authSdk.AuthService])
 ], exports.JWTGuard);
 
+exports.PublicClientGuard = class PublicClientGuard {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const clientId = request.headers['x-client-id'] || request.body.client_id;
+        if (!clientId) {
+            return false;
+        }
+        const client = await this.oauthService.getByClientId(clientId);
+        if (!client || !client.isActive) {
+            return false;
+        }
+        request.oauthClient = client;
+        return true;
+    }
+};
+exports.PublicClientGuard = __decorate([
+    inversify.injectable(),
+    __param(0, inversify.inject(authSdk.OAuthService)),
+    __metadata("design:paramtypes", [authSdk.OAuthService])
+], exports.PublicClientGuard);
+
+var ThrottleGuard_1;
+exports.ThrottleGuard = ThrottleGuard_1 = class ThrottleGuard {
+    constructor() {
+        if (!ThrottleGuard_1.cleanupInterval) {
+            ThrottleGuard_1.cleanupInterval = setInterval(() => {
+                this.cleanup();
+            }, 60000);
+            ThrottleGuard_1.cleanupInterval.unref();
+        }
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const handler = context.getHandler();
+        const options = Reflect.getMetadata(common.METADATA_KEYS.THROTTLE, handler);
+        if (!options) {
+            return true;
+        }
+        if (options.skipIf && options.skipIf(context)) {
+            return true;
+        }
+        const ip = this.getClientIp(request);
+        const endpointKey = `${context.getClass().name}:${handler.name}`;
+        const key = `throttle:${endpointKey}:${ip}`;
+        const now = Date.now();
+        const ttlMs = options.ttl * 1000;
+        let record = ThrottleGuard_1.storage.get(key);
+        if (!record || record.expiresAt < now) {
+            record = {
+                hits: 0,
+                expiresAt: now + ttlMs
+            };
+        }
+        record.hits++;
+        ThrottleGuard_1.storage.set(key, record);
+        if (record.hits > options.limit) {
+            const response = context.switchToHttp().getResponse();
+            const retryAfter = Math.ceil((record.expiresAt - now) / 1000);
+            this.setHeaders(response, options.limit, 0, retryAfter);
+            throw new common.CustomHttpError('Too Many Requests', 429, 'rate_limit_exceeded');
+        }
+        const response = context.switchToHttp().getResponse();
+        const remaining = Math.max(0, options.limit - record.hits);
+        this.setHeaders(response, options.limit, remaining, options.ttl);
+        return true;
+    }
+    /**
+     * Limpia las entradas expiradas para evitar fugas de memoria
+     */
+    cleanup() {
+        const now = Date.now();
+        ThrottleGuard_1.storage.forEach((value, key) => {
+            if (value.expiresAt < now) {
+                ThrottleGuard_1.storage.delete(key);
+            }
+        });
+    }
+    getClientIp(request) {
+        const headers = request.headers;
+        if (headers['cf-connecting-ip'])
+            return headers['cf-connecting-ip'];
+        if (headers['x-forwarded-for']) {
+            return headers['x-forwarded-for'].split(',')[0].trim();
+        }
+        if (headers['x-real-ip'])
+            return headers['x-real-ip'];
+        return request.socket?.remoteAddress || request.ip || 'unknown';
+    }
+    setHeaders(res, limit, remaining, resetOrRetry) {
+        if (res && typeof res.setHeader === 'function') {
+            res.setHeader('X-RateLimit-Limit', limit);
+            res.setHeader('X-RateLimit-Remaining', remaining);
+            if (remaining === 0) {
+                res.setHeader('Retry-After', resetOrRetry);
+            }
+        }
+    }
+};
+exports.ThrottleGuard.storage = new Map();
+exports.ThrottleGuard.cleanupInterval = null;
+exports.ThrottleGuard = ThrottleGuard_1 = __decorate([
+    inversify.injectable(),
+    __metadata("design:paramtypes", [])
+], exports.ThrottleGuard);
+
 exports.AppFactory = AppFactory;
 exports.GuardsConsumer = GuardsConsumer;
 exports.HemiaExecutionContext = HemiaExecutionContext;

package/dist/types/guards/auth.guard.d.ts

@@ -3,9 +3,17 @@ import { Reflector } from '../services';
 /**
  * Guardia de autorización que verifica roles y permisos definidos en los controladores y métodos.
  * Utiliza los metadatos definidos con los decoradores @Roles y @Permissions.
+ * Soporta wildcards en permisos jerárquicos (ej: account:*, account:email:*)
  */
 export declare class AuthGuard implements CanActivate {
     private reflector;
     constructor(reflector: Reflector);
     canActivate(context: ExecutionContext): boolean;
+    /**
+     * Verifica si el usuario tiene un permiso requerido, soportando wildcards
+     * @param requiredPermission Permiso requerido (ej: account:email:update)
+     * @param userPermissions Array de permisos del usuario
+     * @returns true si el usuario tiene el permiso
+     */
+    private checkPermission;
 }

package/dist/types/guards/index.d.ts

@@ -2,3 +2,5 @@ export * from "./auth.guard";
 export * from "./guards-consumer";
 export * from "./api-key.guard";
 export * from "./jwt.guard";
+export * from "./public-client.guard";
+export * from "./throttle.guard";

package/dist/types/guards/public-client.guard.d.ts

@@ -0,0 +1,7 @@
+import { CanActivate, ExecutionContext } from "@hemia/common";
+import { OAuthService } from "@hemia/auth-sdk";
+export declare class PublicClientGuard implements CanActivate {
+    private readonly oauthService;
+    constructor(oauthService: OAuthService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}

package/dist/types/guards/throttle.guard.d.ts

@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext } from "@hemia/common";
+export declare class ThrottleGuard implements CanActivate {
+    private static storage;
+    private static cleanupInterval;
+    constructor();
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    /**
+     * Limpia las entradas expiradas para evitar fugas de memoria
+     */
+    private cleanup;
+    private getClientIp;
+    private setHeaders;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hemia/core",
-  "version": "0.0.10",
+  "version": "0.0.13",
   "description": "Core utilities for Hemia projects",
   "main": "dist/hemia-core.js",
   "module": "dist/hemia-core.esm.js",
@@ -18,10 +18,10 @@
     "@rollup/plugin-commonjs": "^26.0.1",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^15.2.3",
-    "@hemia/common": "^0.0.14",
+    "@hemia/common": "^0.0.15",
     "@hemia/app-context": "^0.0.6",
     "@hemia/trace-manager": "^0.0.9",
-    "@hemia/auth-sdk": "^0.0.13",
+    "@hemia/auth-sdk": "^0.0.16",
     "@types/express": "^5.0.5",
     "express": "^5.1.0",
     "inversify": "^7.10.4",