@hitchy/plugin-auth 0.4.6 → 0.5.1

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 cepharum GmbH
+Copyright (c) 2024 cepharum GmbH
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/api/controller/user.js

@@ -1,96 +1,90 @@
-"use strict";
-
-module.exports = function() {
-
+/**
+ * Implements request handlers for common requests related to authenticating as
+ * a user.
+ */
+export default class UserController {
 	/**
-	 * Implements request handlers for common requests related to authenticating as
-	 * a user.
+	 * Responds on request for changing authenticated user's password.
+	 *
+	 * This handler assumes to follow one or more policy handler(s) which
+	 * actually manage the process of changing the password.
+	 *
+	 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+	 * @param {Hitchy.Core.ServerResponse} res response manager
+	 * @returns {void}
 	 */
-	class UserController {
-		/**
-		 * Responds on request for changing authenticated user's password.
-		 *
-		 * This handler assumes to follow one or more policy handler(s) which
-		 * actually manage the process of changing the password.
-		 *
-		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
-		 * @param {Hitchy.Core.ServerResponse} res response manager
-		 * @returns {void}
-		 */
-		static changePassword( req, res ) {
-			res.format( {
-				default() {
-					res.json( {
-						success: true
-					} );
-				},
-			} );
-		}
-
-		/**
-		 * Responds on success after authenticating as a user.
-		 *
-		 * This request handler assumes to follow one or more policy handler(s)
-		 * which actually manage authentication.
-		 *
-		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
-		 * @param {Hitchy.Core.ServerResponse} res response manager
-		 * @returns {void}
-		 */
-		static authenticate( req, res ) {
-			res.format( {
-				default() {
-					res.json( {
-						success: true,
-						authenticated: Boolean( req.user ),
-					} );
-				},
-			} );
-		}
+	static changePassword( req, res ) {
+		res.format( {
+			default() {
+				res.json( {
+					success: true
+				} );
+			},
+		} );
+	}
 
-		/**
-		 * Provides status of current request's user being authenticated or not.
-		 *
-		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
-		 * @param {Hitchy.Core.ServerResponse} res response manager
-		 * @returns {void}
-		 */
-		static getCurrent( req, res ) {
-			res.format( {
-				default() {
-					res.json( {
-						success: true,
-						authenticated: req.user ? {
-							uuid: req.user.uuid,
-							name: req.user.name,
-							strategy: req.user.strategy || "local",
-							roles: req.user.roles.map( role => role.name ),
-						} : false,
-					} );
-				},
-			} );
-		}
+	/**
+	 * Responds on success after authenticating as a user.
+	 *
+	 * This request handler assumes to follow one or more policy handler(s)
+	 * which actually manage authentication.
+	 *
+	 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+	 * @param {Hitchy.Core.ServerResponse} res response manager
+	 * @returns {void}
+	 */
+	static authenticate( req, res ) {
+		res.format( {
+			default() {
+				res.json( {
+					success: true,
+					authenticated: Boolean( req.user ),
+				} );
+			},
+		} );
+	}
 
-		/**
-		 * Drops authentication of current request's user. This request handler
-		 * is assuming to be a follow-up handler to some policy actually dropping
-		 * the user's authentication.
-		 *
-		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
-		 * @param {Hitchy.Core.ServerResponse} res response manager
-		 * @returns {void}
-		 */
-		static unauthenticate( req, res ) {
-			res.format( {
-				default() {
-					res.json( {
-						success: true,
-					} );
-				},
-			} );
-		}
+	/**
+	 * Provides status of current request's user being authenticated or not.
+	 *
+	 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+	 * @param {Hitchy.Core.ServerResponse} res response manager
+	 * @returns {void}
+	 */
+	static getCurrent( req, res ) {
+		res.format( {
+			default() {
+				res.json( {
+					success: true,
+					authenticated: req.user ? {
+						uuid: req.user.uuid,
+						name: req.user.name,
+						strategy: req.user.strategy || "local",
+						roles: req.user.roles.map( role => role.name ),
+					} : false,
+				} );
+			},
+		} );
 	}
 
-	return UserController;
-};
+	/**
+	 * Drops authentication of current request's user. This request handler
+	 * is assuming to be a follow-up handler to some policy actually dropping
+	 * the user's authentication.
+	 *
+	 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+	 * @param {Hitchy.Core.ServerResponse} res response manager
+	 * @returns {void}
+	 */
+	static unauthenticate( req, res ) {
+		res.format( {
+			default() {
+				res.json( {
+					success: true,
+				} );
+			},
+		} );
+	}
 
+	static useCMP = false;
+}

package/api/model/authorization/rule.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { services } = api;
 
@@ -46,4 +44,4 @@ module.exports = function() {
 			},
 		},
 	};
-};
+}

package/api/model/role.js

@@ -1,11 +1,4 @@
-"use strict";
-
-/**
- * Defines role model.
- *
- * @returns {Hitchy.Plugin.Odem.ModelSchema} definition of role model
- */
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { models } = api;
 
@@ -15,7 +8,7 @@ module.exports = function() {
 	 * @property {string} name unique name of user
 	 *
 	 * @name Hitchy.Plugin.Auth.Role
-	 * @type Hitchy.Plugin.Odem.Model
+	 * @type {Hitchy.Plugin.Odem.Model}
 	 */
 	return {
 		props: {
@@ -37,4 +30,4 @@ module.exports = function() {
 			},
 		},
 	};
-};
+}

package/api/model/user-to-role.js

@@ -1,12 +1,4 @@
-"use strict";
-
 /**
- * Defines model associating users with roles.
- *
- * @returns {Hitchy.Plugin.Odem.ModelSchema} definition of model associating users with roles
- */
-module.exports = function() {
-	/**
 	 * Implements model of a user suitable for authenticating as.
 	 *
 	 * @property {Buffer} role UUID of associated role
@@ -14,16 +6,15 @@ module.exports = function() {
 	 *
 	 * @name Hitchy.Plugin.Auth.UserToRole
 	 */
-	return {
-		props: {
-			user: {
-				required: true,
-				type: "uuid",
-			},
-			role: {
-				required: true,
-				type: "uuid",
-			},
+export default {
+	props: {
+		user: {
+			required: true,
+			type: "uuid",
 		},
-	};
+		role: {
+			required: true,
+			type: "uuid",
+		},
+	},
 };

package/api/model/user.js

@@ -1,13 +1,6 @@
-"use strict";
+import Crypto from "node:crypto";
 
-const crypto = require( "crypto" );
-
-/**
- * Defines user model.
- *
- * @returns {Hitchy.Plugin.Odem.ModelSchema} definition of user model
- */
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { services, models } = api;
 
@@ -62,7 +55,7 @@ module.exports = function() {
 
 			async beforeSave( existsAlready, record ) {
 				if ( record.password ) {
-					record.password = await this.hashPassword( record.password ); // eslint-disable-line no-param-reassign
+					record.password = await this.hashPassword( record.password );
 				}
 
 				return record;
@@ -105,7 +98,7 @@ module.exports = function() {
 
 				switch ( algorithmName || "SCRYPT" ) {
 					case "SSHA512" : {
-						const hash = crypto.createHash( "SHA512" );
+						const hash = Crypto.createHash( "SHA512" );
 						hash.update( normalized );
 						hash.update( salt );
 
@@ -113,7 +106,7 @@ module.exports = function() {
 					}
 
 					case "SCRYPT" :
-						return await new Promise( ( resolve, reject ) => crypto.scrypt( normalized, salt, 64, {
+						return await new Promise( ( resolve, reject ) => Crypto.scrypt( normalized, salt, 64, {
 							cost: 16384,
 							blockSize: 8,
 							parallelization: 1,
@@ -173,7 +166,7 @@ module.exports = function() {
 				 * @returns {Promise<number>} promise for random integer in selected range
 				 */
 				function randomNumber( min, max ) {
-					return new Promise( ( resolve, reject ) => crypto.randomInt( min, max, ( error, number ) => {
+					return new Promise( ( resolve, reject ) => Crypto.randomInt( min, max, ( error, number ) => {
 						if ( error ) {
 							reject( error );
 						} else {
@@ -189,7 +182,7 @@ module.exports = function() {
 				 * @returns {Promise<Buffer>} promise for selected number of random octets
 				 */
 				function randomOctets( size ) {
-					return new Promise( ( resolve, reject ) => crypto.randomBytes( size, ( error, octets ) => {
+					return new Promise( ( resolve, reject ) => Crypto.randomBytes( size, ( error, octets ) => {
 						if ( error ) {
 							reject( error );
 						} else {
@@ -227,4 +220,4 @@ module.exports = function() {
 			},
 		},
 	};
-};
+}

package/api/policy/authentication.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { models, service } = api;
 
@@ -78,7 +76,7 @@ module.exports = function() {
 
 			service.AuthManager.checkAuthentication( parts[1], parts[2] )
 				.then( user => {
-					req.user = user; // eslint-disable-line no-param-reassign
+					req.user = user;
 
 					this.qualifyAuthenticated( req, res, next );
 				} )
@@ -101,7 +99,7 @@ module.exports = function() {
 
 			req.fetchBody()
 				.then( body => {
-					req.body = body; // eslint-disable-line no-param-reassign
+					req.body = body;
 
 					return new Promise( ( resolve, reject ) => {
 						AuthenticationPassport.authenticate( strategy || defaultStrategy )( req, res, err => {
@@ -148,7 +146,7 @@ module.exports = function() {
 
 				service.AuthManager.listRolesOfUser( new models.User( uuid ) )
 					.then( roles => {
-						req.user.roles = roles; // eslint-disable-line no-param-reassign
+						req.user.roles = roles;
 
 						logDebug( "authenticated as", req.user.name );
 
@@ -197,11 +195,11 @@ module.exports = function() {
 							} );
 						} else {
 							// re-generating session on change of user authentication mitigates session-related attacks
-							// -> passport's logout does not seem to exist, so we can't rely on passport regenerating the session
+							// -> passport's logout does not seem to exist, so we can not rely on passport regenerating the session
 							await new Promise( ( resolve, reject ) => req.session.regenerate( error => ( error ? reject( error ) : resolve() ) ) );
 						}
 
-						req.user = undefined; // eslint-disable-line no-param-reassign
+						req.user = undefined;
 
 						res.set( "X-Authenticated-As", undefined );
 						res.set( "X-Authorized-As", undefined );
@@ -260,5 +258,4 @@ module.exports = function() {
 	}
 
 	return AuthenticationPolicy;
-};
-
+}

package/api/policy/authorization.js

@@ -1,34 +1,30 @@
-"use strict";
-
-module.exports = function() {
+/**
+ * Implements commonly useful policy handlers for testing a request's
+ * authorizations.
+ */
+export default class AuthorizationPolicy {
 	/**
-	 * Implements commonly useful policy handlers for testing a request's
-	 * authorizations.
+	 * Ensures current request's user has administrative privileges.
+	 *
+	 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+	 * @param {Hitchy.Core.ServerResponse} res response manager
+	 * @param {Hitchy.Core.ContinuationHandler} next invoke to continue request handling
+	 * @returns {void}
 	 */
-	class AuthorizationPolicy {
-		/**
-		 * Ensures current request's user has administrative privileges.
-		 *
-		 * @param {Hitchy.Core.IncomingMessage} req request descriptor
-		 * @param {Hitchy.Core.ServerResponse} res response manager
-		 * @param {Hitchy.Core.ContinuationHandler} next invoke to continue request handling
-		 * @returns {void}
-		 */
-		static mustBeAdmin( req, res, next ) {
-			const { adminRole } = this.services.AuthManager;
-
-			if ( req.user && Array.isArray( req.user.roles ) && req.user.roles.some( role => role.name === adminRole ) ) {
-				next();
-				return;
-			}
+	static mustBeAdmin( req, res, next ) {
+		const { adminRole } = this.services.AuthManager;
 
-			res
-				.status( 403 )
-				.json( {
-					error: "access forbidden: must be admin",
-				} );
+		if ( req.user && Array.isArray( req.user.roles ) && req.user.roles.some( role => role.name === adminRole ) ) {
+			next();
+			return;
 		}
+
+		res
+			.status( 403 )
+			.json( {
+				error: "access forbidden: must be admin",
+			} );
 	}
 
-	return AuthorizationPolicy;
-};
+	static useCMP = false;
+}

package/api/policy/user.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { models } = api;
 
@@ -22,7 +20,7 @@ module.exports = function() {
 			}
 
 			res.status( 403 ).json( {
-				error: "access forbidden: this isn't you"
+				error: "access forbidden: this is not you"
 			} );
 		},
 
@@ -130,4 +128,4 @@ module.exports = function() {
 			next();
 		}
 	};
-};
+}

package/api/service/auth/manager.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { models, services } = api;
 
@@ -63,7 +61,7 @@ module.exports = function() {
 			const { Role } = models;
 
 			if ( !( role instanceof Role ) ) {
-				role = String( role ); // eslint-disable-line no-param-reassign
+				role = String( role );
 
 				if ( !/^[a-z_]/i.test( role ) || /\s/.test( role ) ) {
 					throw new TypeError( "missing role information" );
@@ -290,4 +288,4 @@ module.exports = function() {
 	}
 
 	return AuthManager;
-};
+}

package/api/service/authentication/passport.js

@@ -1,8 +1,6 @@
-"use strict";
+import PassportLib from "passport";
 
-const PassportLib = require( "passport" );
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 
 	const logAlert = api.log( "hitchy:auth:alert" );
@@ -28,7 +26,7 @@ module.exports = function() {
 		} );
 
 		passport.deserializeUser( ( uuid, done ) => {
-			/** @type Hitchy.Plugin.Auth.User */
+			/** @type {Hitchy.Plugin.Auth.User} */
 			const user = new User( uuid );
 
 			user.$exists
@@ -68,4 +66,4 @@ module.exports = function() {
 	};
 
 	return passport;
-};
+}

package/api/service/authentication/strategies.js

@@ -1,6 +1,4 @@
-"use strict";
-
-const LocalStrategy = require( "passport-local" ).Strategy;
+import { Strategy as LocalStrategy } from "passport-local";
 
 /**
  * Temporarily tracks additional session data per remotely authenticated user.
@@ -15,7 +13,7 @@ const LocalStrategy = require( "passport-local" ).Strategy;
  */
 const RemoteAuthCustomData = new Map();
 
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { models, services } = api;
 
@@ -62,7 +60,7 @@ module.exports = function() {
 		 *
 		 * @param {string} username name of user to authenticate
 		 * @param {string} password named user's password for authentication
-		 * @param {function(Error?, object, object)} done invoked with optional error, authenticated user or some message as feedback
+		 * @param {function(Error?, object, object):void} done invoked with optional error, authenticated user or some message as feedback
 		 * @returns {void}
 		 */
 		static checkAuthentication( username, password, done ) {
@@ -136,7 +134,7 @@ module.exports = function() {
 		 * @param {Hitchy.Plugin.Auth.SamlConfig} config SAML protocol configuration
 		 * @returns {Strategy} generated strategy for use with passport.js
 		 */
-		static generateSaml( strategyName, config ) {
+		static async generateSaml( strategyName, config ) {
 			const verifyLocalProfileOnLogin = ( req, userInfo, done ) => {
 				RemoteAuthCustomData.set( `${strategyName}:${userInfo.nameID}`, { ...userInfo } );
 
@@ -147,7 +145,7 @@ module.exports = function() {
 				getLocalProfile( strategyName, userInfo.nameID, false, done );
 			};
 
-			const { Strategy } = require( "passport-saml" );
+			const { Strategy } = await import( "passport-saml" );
 			const strategy = new Strategy( {
 				...config,
 				passReqToCallback: true,
@@ -224,15 +222,15 @@ module.exports = function() {
 		 * supporting OpenID Connect with Authorization Code Flow.
 		 *
 		 * @param {string} strategyName name of resulting strategy in context of your application
-		 * @param {ClientMetaData} config OpenID Connect client configuration
+		 * @param {object} config OpenID Connect client configuration
 		 * @returns {Promise<Strategy>} promises generated strategy for use with passport.js
 		 */
-		static async generateOpenIdConnect( strategyName, config ) { // eslint-disable-line consistent-this
+		static async generateOpenIdConnect( strategyName, config ) {
 			const verifyLocalProfileOnLogin = ( req, tokens, userInfo, done ) => {
 				getLocalProfile( strategyName, userInfo.preferred_username, true, done );
 			};
 
-			const { Issuer, Strategy, generators } = require( "openid-client" );
+			const { Issuer, Strategy, generators } = await import( "openid-client" );
 			const issuer = await Issuer.discover( config.discovery_url );
 			const client = new issuer.Client( config );
 
@@ -248,7 +246,7 @@ module.exports = function() {
 					return Promise.resolve( false );
 				}
 
-				const state = req.session[key] = generators.state( 32 ); // eslint-disable-line no-param-reassign
+				const state = req.session[key] = generators.state( 32 );
 
 				// redirect user to discovered end_session_url of IdP
 				req.context.response.redirect( 302, client.endSessionUrl( { state } ) );
@@ -280,4 +278,4 @@ module.exports = function() {
 	}
 
 	return AuthenticationStrategies;
-};
+}

package/api/service/authorization/node.js

@@ -1,15 +1,13 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	/**
 	 * Implements behavior of a single node in a hierarchy of authorization
 	 * rules.
 	 *
 	 * @property {?AuthorizationNode} parent refers to superordinated node
 	 * @property {?string} name name of segment addressing this node in context of its parent
-	 * @property {{accept: object<string, number>, reject: object<string, number>}} roles maps names of roles into number of rules requesting to accept/reject
-	 * @property {{accept: object<string, number>, reject: object<string, number>}} users lists UUIDs of users to accept/reject in context of node
-	 * @property {object<string,AuthorizationNode>} children maps relative names into subordinated nodes
+	 * @property {{accept: Object<string, number>, reject: Object<string, number>}} roles maps names of roles into number of rules requesting to accept/reject
+	 * @property {{accept: Object<string, number>, reject: Object<string, number>}} users lists UUIDs of users to accept/reject in context of node
+	 * @property {Object<string,AuthorizationNode>} children maps relative names into subordinated nodes
 	 */
 	class AuthorizationNode {
 		/**
@@ -193,7 +191,7 @@ module.exports = function() {
 		/**
 		 * Indicates if current node lacks any viable information.
 		 *
-		 * @returns {boolean} true if node hasn't any viable information affecting authorization checks
+		 * @returns {boolean} true if node has not any viable information affecting authorization checks
 		 */
 		isSpare() {
 			for ( const list of [ this.users.accept, this.users.reject, this.roles.accept, this.roles.reject ] ) {
@@ -242,7 +240,7 @@ module.exports = function() {
 		 * Transfer every valuable information to a clone of current node and
 		 * return it.
 		 *
-		 * @returns {AuthorizationNode} clone of current node limited to currently valuable data, undefined if node isn't required anymore
+		 * @returns {AuthorizationNode} clone of current node limited to currently valuable data, undefined if node is not required anymore
 		 */
 		gc() {
 			const children = this.children;
@@ -293,4 +291,4 @@ module.exports = function() {
 	}
 
 	return AuthorizationNode;
-};
+}

package/api/service/authorization/policy-generator.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 
 	const logError = api.log( "hitchy:plugin:auth:error" );
@@ -12,11 +10,11 @@ module.exports = function() {
 	class AuthorizationPolicyGenerator {
 		/**
 		 * Generates policy handler testing a request's user for having any of
-		 * the listed roles and instantly rejecting requests of users who don't.
+		 * the listed roles and instantly rejecting requests of users who do not.
 		 * Request is also rejected of request's user is unknown.
 		 *
 		 * @param {string|string[]} roles lists roles to accept
-		 * @returns {Hitchy.Core.RequestPolicyHandler} policy handler rejecting requests of users who doesn't have any of the listed roles
+		 * @returns {Hitchy.Core.RequestPolicyHandler} policy handler rejecting requests of users who does not have any of the listed roles
 		 */
 		static hasRole( roles ) {
 			if ( !roles ) {
@@ -35,7 +33,7 @@ module.exports = function() {
 
 			return ( req, res, next ) => {
 				if ( req.user && Array.isArray( req.user.roles ) ) {
-					const { adminRole } = req.hitchy.runtime.services.AuthManager;
+					const { adminRole } = req.hitchy.services.AuthManager;
 					const userRoles = req.user.roles;
 					const numUserRoles = userRoles.length;
 
@@ -60,10 +58,10 @@ module.exports = function() {
 		/**
 		 * Generates policy handler testing a request's user for being
 		 * authorized to access at least one of the listed resources and
-		 * instantly rejecting requests of users who don't.
+		 * instantly rejecting requests of users who do not.
 		 *
 		 * @param {string|string[]} resource name(s) of resource(s)
-		 * @returns {Hitchy.Core.RequestPolicyHandler} policy handler rejecting requests of users who mustn't access any of the named resources
+		 * @returns {Hitchy.Core.RequestPolicyHandler} policy handler rejecting requests of users who must not access any of the named resources
 		 */
 		static mayAccess( resource ) {
 			if ( !resource ) {
@@ -92,4 +90,4 @@ module.exports = function() {
 	}
 
 	return AuthorizationPolicyGenerator;
-};
+}

package/api/service/authorization/tree.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { services, models } = api;
 
@@ -300,4 +298,4 @@ module.exports = function() {
 	}
 
 	return AuthorizationTree;
-};
+}

package/api/service/authorization.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function() {
+export default function() { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 	const { service } = api;
 
@@ -22,8 +20,8 @@ module.exports = function() {
 			const adminRole = service.AuthManager.adminRole;
 
 			if ( adminRole && Array.isArray( userInfo?.roles ) ) {
-				for ( const role of userInfo.roles ) {
-					if ( role?.name === adminRole ) {
+				for ( let i = 0; i < userInfo.roles.length; i++ ) {
+					if ( userInfo.roles[i]?.name === adminRole ) {
 						return true;
 					}
 				}
@@ -70,4 +68,4 @@ module.exports = function() {
 	}
 
 	return AuthorizationService;
-};
+}

package/api/service/session.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function( options, HitchyPluginSession ) {
+export default function( options, HitchyPluginSession ) { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 
 	const logDebug = api.log( "hitchy:auth:debug" );
@@ -93,7 +91,7 @@ module.exports = function( options, HitchyPluginSession ) {
 		 *
 		 * This method is used by passport.
 		 *
-		 * @param {function(error: (Error|undefined)): void} doneFn callback invoked when session has been re-generated or some error occurred
+		 * @param {function((Error|undefined)): void} doneFn callback invoked when session has been re-generated or some error occurred
 		 * @returns {void}
 		 */
 		regenerate( doneFn ) {
@@ -134,7 +132,7 @@ module.exports = function( options, HitchyPluginSession ) {
 		 *
 		 * This method is used by passport.
 		 *
-		 * @param {function(error: (Error|undefined)): void} doneFn callback invoked when session has been saved or some error occurred
+		 * @param {function((Error|undefined)):void} doneFn callback invoked when session has been saved or some error occurred
 		 * @returns {void}
 		 */
 		save( doneFn ) {
@@ -147,4 +145,4 @@ module.exports = function( options, HitchyPluginSession ) {
 	}
 
 	return PassportCompatibleSession;
-};
+}

package/config/auth.js

@@ -1,20 +1,14 @@
-"use strict";
-
-module.exports = function() {
-	return {
-		auth: {
-			prefix: "/api/auth",
-			strategies: {
-				// local: this.runtime.services.AuthStrategies.generateLocal()
-			},
-			authorizations: {
-				// "feature.export.pdf": "@customers"
-				// "feature.export.text": "@customers,@testers"
-			},
-			roles: [
-				// "customers",
-				// "testers",
-			],
-		}
-	};
+export const auth = {
+	prefix: "/api/auth",
+	strategies: {
+		// local: this.services.AuthStrategies.generateLocal()
+	},
+	authorizations: {
+		// "feature.export.pdf": "@customers"
+		// "feature.export.text": "@customers,@testers"
+	},
+	roles: [
+		// "customers",
+		// "testers",
+	],
 };

package/hash-password.js

@@ -1,41 +1,16 @@
-/**
- * (c) 2020 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2020 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
+#!/usr/bin/env node
+import UserModel from "./api/model/user.js";
 
-"use strict";
-
-const { hashPassword } = require( "./api/model/user" )().methods;
 const chunks = [];
 
 process.stdin.on( "data", chunk => chunks.push( chunk ) );
-process.stdin.on( "end", () => {
-	hashPassword( Buffer.concat( chunks ) )
+process.stdin.once( "end", () => {
+	const input = Buffer.concat( chunks );
+
+	UserModel.call( { services: {}, models: {} } )
+		.methods.hashPassword( input )
 		.then( password => {
-			console.log( password );
+			console.log( password ); // eslint-disable-line no-console
 		} )
 		.catch( console.error );
 } );

package/index.js

@@ -1,6 +1,4 @@
-"use strict";
-
-module.exports = function( options, plugins ) {
+export default function( options, plugins ) { // eslint-disable-line jsdoc/require-jsdoc
 	const api = this;
 
 	const logWarning = api.log( "hitchy:session:warning" );
@@ -32,7 +30,9 @@ module.exports = function( options, plugins ) {
 			const roles = api.config.auth.roles;
 
 			if ( Array.isArray( roles ) && roles.length > 0 ) {
-				for ( const roleName of roles ) {
+				for ( let i = 0; i < roles.length; i++ ) {
+					const roleName = roles[i];
+
 					if ( typeof roleName === "string" && roleName && !/\s/.test( roleName.trim() ) ) {
 						await AuthManager.asRole( roleName.trim(), true ); // eslint-disable-line no-await-in-loop
 					} else {
@@ -53,7 +53,7 @@ module.exports = function( options, plugins ) {
 			const policies = {};
 
 			if ( session.disable ) {
-				logWarning( "server-side sessions are disabled, thus passport isn't integrated for commonly handling all requests automatically" );
+				logWarning( "server-side sessions are disabled, thus passport is not integrated for commonly handling all requests automatically" );
 
 				policies["/"] = [
 					"authentication.handleBasicAuth",
@@ -67,7 +67,7 @@ module.exports = function( options, plugins ) {
 
 			return prefix === false ? policies : {
 				...policies,
-				[`POST ${prefix}/login/:strategy?`]: ["authentication.login"],
+				[`POST ${prefix}/login{/:strategy}`]: ["authentication.login"],
 				[`GET ${prefix}/login/:strategy`]: ["authentication.login"],
 				[`GET ${prefix}/logout`]: ["authentication.logout"],
 				[`POST ${prefix}/password`]: ["user.changePassword"],
@@ -80,7 +80,7 @@ module.exports = function( options, plugins ) {
 
 			return prefix === false ? {} : {
 				after: {
-					[`POST ${prefix}/login/:strategy?`]: "user.authenticate",
+					[`POST ${prefix}/login{/:strategy}`]: "user.authenticate",
 					[`GET ${prefix}/login/:strategy`]: "user.authenticate",
 					[`GET ${prefix}/current`]: "user.getCurrent",
 					[`GET ${prefix}/logout`]: "user.unauthenticate",
@@ -98,4 +98,4 @@ module.exports = function( options, plugins ) {
 	}
 
 	return pluginApi;
-};
+}

package/package.json

@@ -1,7 +1,8 @@
 {
 	"name": "@hitchy/plugin-auth",
-	"version": "0.4.6",
+	"version": "0.5.1",
 	"description": "user authentication and authorization for Hitchy",
+	"type": "module",
 	"main": "index.js",
 	"types": "index.d.ts",
 	"scripts": {
@@ -11,6 +12,9 @@
 		"docs:dev": "vitepress dev docs",
 		"docs:build": "vitepress build docs"
 	},
+	"bin": {
+		"hash-password": "./hash-password.js"
+	},
 	"repository": {
 		"type": "git",
 		"url": "https://gitlab.com/hitchy/plugin-auth.git"
@@ -22,24 +26,26 @@
 	},
 	"homepage": "https://auth.hitchy.org",
 	"peerDependencies": {
-		"@hitchy/core": "0.8.x",
-		"@hitchy/plugin-odem": "0.9.x",
+		"@hitchy/core": "1.x",
 		"@hitchy/plugin-cookies": "0.1.x",
+		"@hitchy/plugin-odem": "0.9.x",
 		"@hitchy/plugin-session": "0.4.x"
 	},
 	"devDependencies": {
-		"@hitchy/server-dev-tools": "^0.4.9",
+		"@hitchy/core": "^1.0.1",
+		"@hitchy/server-dev-tools": "^0.8.5",
 		"@hitchy/types": "^0.1.3",
 		"c8": "^10.1.2",
-		"eslint": "^8.57.0",
-		"eslint-config-cepharum": "^1.0.14",
-		"eslint-plugin-promise": "^6.6.0",
-		"mocha": "^10.7.3",
-		"openid-client": "^5.6.5",
+		"eslint": "^9.15.0",
+		"eslint-config-cepharum": "^2.0.2",
+		"mermaid": "^11.4.0",
+		"mocha": "^10.8.2",
+		"openid-client": "^5.7.0",
 		"passport-saml": "^3.2.4",
 		"should": "^13.2.3",
 		"should-http": "^0.1.1",
-		"vitepress": "^1.3.4"
+		"vitepress": "^1.5.0",
+		"vitepress-plugin-mermaid": "^2.0.17"
 	},
 	"dependencies": {
 		"passport": "^0.7.0",
@@ -51,6 +57,6 @@
 		"hash-password.js",
 		"hitchy.json",
 		"index.d.ts",
-		"index.js"
+		"index.cjs"
 	]
 }