@hitchy/plugin-auth 0.2.0 → 0.3.2

package/.gitlab-ci.yml

@@ -7,40 +7,61 @@ cache:
   paths:
     - .npm
 
-.common-install: &common-install
-  before_script:
-    - npm ci --cache .npm --prefer-offline
 
-alpine-lts:
-  <<: *common-install
+.common-test: &common-test
   stage: test
-  image: "node:lts-alpine"
   script:
+    - npm i -g npm
+    - node -v
+    - npm -v
+    - npm ci --cache .npm --prefer-offline
     - npm run lint
     - npm run test
 
+
+alpine-current:
+  image: "node:current-alpine"
+  <<: *common-test
+
+alpine-lts:
+  image: "node:lts-alpine"
+  <<: *common-test
+
+alpine-old:
+  image: "node:erbium-alpine"
+  <<: *common-test
+  allow_failure: true
+
+alpine-legacy:
+  image: "node:fermium-alpine"
+  <<: *common-test
+  allow_failure: true
+
+debian-current:
+  image: "node:current"
+  <<: *common-test
+
 debian-lts:
-  <<: *common-install
-  stage: test
-  image: "node:lts-buster"
-  script:
-    - npm run lint
-    - npm run test
+  image: "node:lts"
+  <<: *common-test
+
+debian-old:
+  image: "node:erbium"
+  <<: *common-test
+  allow_failure: true
+
+debian-legacy:
+  image: "node:fermium"
+  <<: *common-test
+  allow_failure: true
 
-alpine-12:
-  <<: *common-install
-  stage: test
-  image: "node:12-alpine"
-  script:
-    - npm run lint
-    - npm run test
 
 pages:
-  <<: *common-install
   stage: deploy
   image: node:lts-alpine
   script:
-    - npm run doc:build
+    - npm ci --cache .npm --prefer-offline
+    - npm run docs:build
   artifacts:
     paths:
       - public

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 cepharum GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/api/controller/user.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {
@@ -91,7 +63,8 @@ module.exports = function() {
 						authenticated: req.user ? {
 							uuid: req.user.uuid,
 							name: req.user.name,
-							roles: req.user.roles,
+							strategy: req.user.strategy || "local",
+							roles: req.user.roles.map( role => role.name ),
 						} : false,
 					} );
 				},

package/api/model/authorization/rule.js

@@ -1,30 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
 "use strict";
 
 module.exports = function() {

package/api/model/role.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 /**

package/api/model/user-to-role.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 /**

package/api/model/user.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 const crypto = require( "crypto" );
@@ -46,7 +18,7 @@ module.exports = function() {
 	 * @property {string} role name of user's role (user-role relationship is 1:n)
 	 * @property {string} password hash of user's password required for authenticating as
 	 * @property {string} strategy name of passport strategy used for authentication
-	 * @property {string} provider additional information specific to strategy used
+	 * @property {string} strategyData additional information specific to strategy used
 	 *
 	 * @name Hitchy.Plugin.Auth.User
 	 */
@@ -58,7 +30,7 @@ module.exports = function() {
 			},
 			password: {},
 			strategy: {},
-			provider: {},
+			strategyData: {},
 		},
 		hooks: {
 			afterValidate( errors ) {

package/api/policy/authentication.js

@@ -1,39 +1,11 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {
 	const api = this;
-	const { services } = api.runtime;
+	const { models, services } = api.runtime;
 
-	const AlertLog = api.log( "hitchy:plugin:auth:alert" );
-	const DebugLog = api.log( "hitchy:plugin:auth:debug" );
+	const logAlert = api.log( "hitchy:plugin:auth:alert" );
+	const logDebug = api.log( "hitchy:plugin:auth:debug" );
 
 	/**
 	 * Implements policy handlers transparently managing authentication process
@@ -76,6 +48,43 @@ module.exports = function() {
 			} );
 		}
 
+		/**
+		 * Discovers HTTP basic authentication header and processes it
+		 * accordingly based local user database.
+		 *
+		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+		 * @param {Hitchy.Core.ServerResponse} res response manager
+		 * @param {Hitchy.Core.ContinuationHandler} next invoke to continue request handling
+		 * @returns {void}
+		 */
+		static handleBasicAuth( req, res, next ) {
+			if ( req.user ) {
+				next();
+				return;
+			}
+
+			const match = /^basic\s+([a-z0-9+/]+={1,2})$/i.exec( req.headers.authorization );
+			if ( !match ) {
+				next();
+				return;
+			}
+
+			const decoded = Buffer.from( match[1], "base64" ).toString( "utf8" );
+			const parts = /^([^:]+):(.+)$/.exec( decoded );
+			if ( !parts ) {
+				next();
+				return;
+			}
+
+			services.AuthManager.checkAuthentication( parts[1], parts[2] )
+				.then( user => {
+					req.user = user; // eslint-disable-line no-param-reassign
+
+					this.qualifyAuthenticated( req, res, next );
+				} )
+				.catch( next );
+		}
+
 		/**
 		 * Authenticates a request, updates server-side session accordingly and
 		 * injects information on authentication result in response header.
@@ -87,41 +96,71 @@ module.exports = function() {
 		 */
 		static login( req, res, next ) {
 			const { strategy } = req.params;
-			const { model, service } = this;
-			const { AuthenticationStrategies, AuthenticationPassport, AuthManager } = service;
+			const { AuthenticationStrategies, AuthenticationPassport } = services;
 			const defaultStrategy = AuthenticationStrategies.defaultStrategy();
 
-			req.fetchBody().then( body => {
-				req.body = body; // eslint-disable-line no-param-reassign
+			req.fetchBody()
+				.then( body => {
+					req.body = body; // eslint-disable-line no-param-reassign
+
+					return new Promise( ( resolve, reject ) => {
+						AuthenticationPassport.authenticate( strategy || defaultStrategy )( req, res, err => {
+							if ( err ) {
+								reject( err );
+							} else {
+								this.qualifyAuthenticated( req, res, error => {
+									if ( error ) {
+										reject( error );
+									} else {
+										resolve();
+									}
+								} );
+							}
+						} );
+					} );
+				} )
+				.then( next )
+				.catch( err => {
+					logAlert( err );
+
+					AuthenticationPolicy.logout( req, res, cause => {
+						if ( cause ) {
+							logAlert( `applying logout policy after failed login has caused another issue: ${cause.stack}` );
+						}
 
-				AuthenticationPassport.authenticate( strategy || defaultStrategy )( req, res, err => {
-					if ( err ) {
-						AlertLog( err );
-						AuthenticationPolicy.logout( req, res, () => { next( err ); } );
-					} else if ( req.user ) {
-						const { uuid, name } = req.user;
+						next( err );
+					} );
+				} );
+		}
 
-						return AuthManager.listRolesOfUser( new model.User( uuid ) )
-							.then( roles => {
-								req.user.roles = roles; // eslint-disable-line no-param-reassign
+		/**
+		 * Extends request descriptor in case some authenticated user has been
+		 * found recently.
+		 *
+		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+		 * @param {Hitchy.Core.ServerResponse} res response manager
+		 * @param {Hitchy.Core.ContinuationHandler} next invoke to continue request handling
+		 * @returns {void}
+		 */
+		static qualifyAuthenticated( req, res, next ) {
+			if ( req.user ) {
+				const { uuid, name } = req.user;
 
-								DebugLog( "authenticated as", req.user.name );
+				services.AuthManager.listRolesOfUser( new models.User( uuid ) )
+					.then( roles => {
+						req.user.roles = roles; // eslint-disable-line no-param-reassign
 
-								res.set( "X-Authenticated-As", name );
-								res.set( "X-Authorized-As", roles.join( "," ) );
+						logDebug( "authenticated as", req.user.name );
 
-								next();
-							} );
-					} else {
-						AuthenticationPolicy.logout( req, res, next );
-					}
+						res.set( "X-Authenticated-As", name );
+						res.set( "X-Authorized-As", roles.join( "," ) );
 
-					return undefined;
-				} );
-			} ).catch( err => {
-				AlertLog( err );
-				AuthenticationPolicy.logout( req, res, () => next( err ) );
-			} );
+						next();
+					} )
+					.catch( next );
+			} else {
+				AuthenticationPolicy.logout( req, res, next );
+			}
 		}
 
 		/**
@@ -133,21 +172,39 @@ module.exports = function() {
 		 * @returns {void}
 		 */
 		static logout( req, res, next ) {
-			try {
-				if ( typeof req.logout === "function" ) {
-					req.logout();
-				}
+			Promise.resolve()
+				.then( () => {
+					// (optional) log out remotely using current user's authentication strategy
+					if ( req.user ) {
+						const strategyName = req.user.strategy;
+
+						if ( strategyName ) {
+							const strategy = api.config.auth.strategies[strategyName];
+
+							if ( strategy && typeof strategy.logOutRemotely === "function" ) {
+								return strategy.logOutRemotely( req );
+							}
+						}
+					}
 
-				req.session.drop();
-				req.user = undefined; // eslint-disable-line no-param-reassign
+					return undefined;
+				} )
+				.then( async willLogoutInFuture => {
+					if ( !willLogoutInFuture ) {
+						if ( typeof req.logout === "function" ) {
+							await req.logout();
+						}
 
-				res.set( "X-Authenticated-As", undefined );
-				res.set( "X-Authorized-As", undefined );
+						req.session.drop();
+						req.user = undefined; // eslint-disable-line no-param-reassign
 
-				next();
-			} catch ( e ) {
-				next( e );
-			}
+						res.set( "X-Authenticated-As", undefined );
+						res.set( "X-Authorized-As", undefined );
+
+						next();
+					}
+				} )
+				.catch( next );
 		}
 
 		/**

package/api/policy/authorization.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {

package/api/policy/user.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {