@insureco/cli 0.1.10 → 0.1.11

package/dist/templates/nextjs-oauth/src/lib/auth.ts

@@ -0,0 +1,274 @@
+import { cookies } from 'next/headers'
+import { jwtVerify } from 'jose'
+import crypto from 'crypto'
+
+// Configuration — set these in .env
+const BIO_ID_URL = process.env.BIO_ID_URL || 'http://localhost:6100'
+const APP_URL = process.env.APP_URL || 'http://localhost:3000'
+const CLIENT_ID = process.env.OAUTH_CLIENT_ID || ''
+const CLIENT_SECRET = process.env.OAUTH_CLIENT_SECRET || ''
+
+function getJwtSecret(): Uint8Array {
+  const secret = process.env.JWT_SECRET
+  if (!secret && process.env.NODE_ENV === 'production') {
+    throw new Error('JWT_SECRET environment variable is required in production')
+  }
+  return new TextEncoder().encode(secret || 'dev-only-secret-do-not-use-in-production')
+}
+
+const JWT_SECRET = getJwtSecret()
+
+if (process.env.NODE_ENV === 'production' && (!CLIENT_ID || !CLIENT_SECRET)) {
+  throw new Error('OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET are required in production')
+}
+
+const COOKIE_PREFIX = '{{name}}'
+const REFRESH_TOKEN_MAX_AGE = 60 * 60 * 24 * 30 // 30 days
+const OAUTH_FLOW_MAX_AGE = 60 * 10               // 10 minutes
+
+export interface User {
+  id: string // Maps to bio_id from Bio-id userinfo endpoint
+  email: string
+  name: string
+  roles: string[]
+}
+
+/**
+ * Validate that a returnTo path is safe (relative, no open redirect)
+ */
+export function sanitizeReturnTo(returnTo: string | undefined, fallback = '/dashboard'): string {
+  if (!returnTo || !returnTo.startsWith('/') || returnTo.startsWith('//')) {
+    return fallback
+  }
+  return returnTo
+}
+
+/**
+ * Generate PKCE code verifier and S256 challenge
+ */
+export function generatePKCE(): { codeVerifier: string; codeChallenge: string } {
+  const codeVerifier = crypto.randomBytes(32).toString('base64url')
+  const codeChallenge = crypto
+    .createHash('sha256')
+    .update(codeVerifier)
+    .digest('base64url')
+
+  return { codeVerifier, codeChallenge }
+}
+
+/**
+ * Build Bio-id authorization URL
+ */
+export function getAuthorizationUrl(state: string, codeChallenge: string): string {
+  const params = new URLSearchParams({
+    client_id: CLIENT_ID,
+    redirect_uri: `${APP_URL}/api/auth/callback`,
+    response_type: 'code',
+    scope: 'openid profile email',
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  })
+
+  return `${BIO_ID_URL}/oauth/authorize?${params.toString()}`
+}
+
+async function parseErrorResponse(response: Response, fallbackMessage: string): Promise<string> {
+  try {
+    const error = await response.json()
+    return error.error_description || error.error || fallbackMessage
+  } catch {
+    return fallbackMessage
+  }
+}
+
+/**
+ * Exchange authorization code for tokens
+ */
+export async function exchangeCodeForTokens(
+  code: string,
+  codeVerifier: string
+): Promise<{
+  access_token: string
+  token_type: string
+  expires_in: number
+  refresh_token: string
+  scope: string
+  id_token?: string
+}> {
+  const response = await fetch(`${BIO_ID_URL}/api/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      code,
+      redirect_uri: `${APP_URL}/api/auth/callback`,
+      client_id: CLIENT_ID,
+      client_secret: CLIENT_SECRET,
+      code_verifier: codeVerifier,
+    }).toString(),
+  })
+
+  if (!response.ok) {
+    throw new Error(await parseErrorResponse(response, 'Token exchange failed'))
+  }
+
+  return response.json()
+}
+
+/**
+ * Refresh an expired access token
+ */
+export async function refreshAccessToken(refreshToken: string): Promise<{
+  access_token: string
+  token_type: string
+  expires_in: number
+  refresh_token: string
+  scope: string
+}> {
+  const response = await fetch(`${BIO_ID_URL}/api/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: refreshToken,
+      client_id: CLIENT_ID,
+      client_secret: CLIENT_SECRET,
+    }).toString(),
+  })
+
+  if (!response.ok) {
+    throw new Error(await parseErrorResponse(response, 'Token refresh failed'))
+  }
+
+  return response.json()
+}
+
+/**
+ * Fetch user info from Bio-id userinfo endpoint
+ */
+export async function fetchUserInfo(accessToken: string): Promise<User> {
+  const response = await fetch(`${BIO_ID_URL}/api/oauth/userinfo`, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  })
+
+  if (!response.ok) {
+    throw new Error('Failed to fetch user info')
+  }
+
+  const data = await response.json()
+
+  return {
+    id: data.bio_id || data.sub,
+    email: data.email,
+    name: data.name,
+    roles: data.roles || [],
+  }
+}
+
+/**
+ * Set httpOnly auth cookies
+ */
+export async function setAuthCookies(
+  accessToken: string,
+  refreshToken: string,
+  expiresIn: number
+): Promise<void> {
+  const cookieStore = await cookies()
+  const secure = process.env.NODE_ENV === 'production'
+
+  cookieStore.set(`${COOKIE_PREFIX}_access_token`, accessToken, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: expiresIn,
+    path: '/',
+  })
+
+  cookieStore.set(`${COOKIE_PREFIX}_refresh_token`, refreshToken, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: REFRESH_TOKEN_MAX_AGE,
+    path: '/',
+  })
+}
+
+/**
+ * Clear all auth cookies
+ */
+export async function clearAuthCookies(): Promise<void> {
+  const cookieStore = await cookies()
+  cookieStore.delete(`${COOKIE_PREFIX}_access_token`)
+  cookieStore.delete(`${COOKIE_PREFIX}_refresh_token`)
+  cookieStore.delete('oauth_state')
+  cookieStore.delete('oauth_code_verifier')
+  cookieStore.delete('oauth_return_to')
+}
+
+/**
+ * Get the current authenticated user from JWT payload (no network call)
+ */
+export async function getCurrentUser(): Promise<User | null> {
+  const cookieStore = await cookies()
+  const accessToken = cookieStore.get(`${COOKIE_PREFIX}_access_token`)?.value
+
+  if (!accessToken) {
+    return null
+  }
+
+  try {
+    const { payload } = await jwtVerify(accessToken, JWT_SECRET, {
+      issuer: BIO_ID_URL,
+    })
+
+    return {
+      id: (payload.bio_id as string) || payload.sub || '',
+      email: payload.email as string,
+      name: payload.name as string,
+      roles: (payload.roles as string[]) || [],
+    }
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Generate a login URL with PKCE and state stored in cookies
+ */
+export async function getLoginUrl(returnTo?: string): Promise<string> {
+  const cookieStore = await cookies()
+  const secure = process.env.NODE_ENV === 'production'
+
+  const state = crypto.randomBytes(16).toString('hex')
+  const { codeVerifier, codeChallenge } = generatePKCE()
+
+  cookieStore.set('oauth_state', state, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: OAUTH_FLOW_MAX_AGE,
+    path: '/',
+  })
+
+  cookieStore.set('oauth_code_verifier', codeVerifier, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: OAUTH_FLOW_MAX_AGE,
+    path: '/',
+  })
+
+  const safeReturnTo = sanitizeReturnTo(returnTo)
+  cookieStore.set('oauth_return_to', safeReturnTo, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: OAUTH_FLOW_MAX_AGE,
+    path: '/',
+  })
+
+  return getAuthorizationUrl(state, codeChallenge)
+}
+
+export { COOKIE_PREFIX, JWT_SECRET, BIO_ID_URL }

package/dist/templates/nextjs-oauth/src/middleware.ts

@@ -0,0 +1,70 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { jwtVerify } from 'jose'
+
+const COOKIE_PREFIX = '{{name}}'
+
+// Routes that require authentication
+const PROTECTED_PATHS = ['/dashboard']
+
+// Routes that should never be blocked
+const PUBLIC_PATHS = [
+  '/',
+  '/api/auth',
+  '/api/health',
+]
+
+function isPublicPath(pathname: string): boolean {
+  return PUBLIC_PATHS.some(
+    (path) => pathname === path || pathname.startsWith(`${path}/`)
+  )
+}
+
+function isProtectedPath(pathname: string): boolean {
+  return PROTECTED_PATHS.some(
+    (path) => pathname === path || pathname.startsWith(`${path}/`)
+  )
+}
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl
+
+  if (isPublicPath(pathname)) {
+    return NextResponse.next()
+  }
+
+  if (!isProtectedPath(pathname)) {
+    return NextResponse.next()
+  }
+
+  const accessToken = request.cookies.get(`${COOKIE_PREFIX}_access_token`)?.value
+
+  if (!accessToken) {
+    const loginUrl = new URL('/api/auth/login', request.url)
+    loginUrl.searchParams.set('returnTo', pathname)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  // Verify JWT is valid and not expired
+  try {
+    const secret = new TextEncoder().encode(
+      process.env.JWT_SECRET || 'dev-only-secret-do-not-use-in-production'
+    )
+    await jwtVerify(accessToken, secret, {
+      issuer: process.env.BIO_ID_URL || 'http://localhost:6100',
+    })
+  } catch {
+    // Token invalid or expired — redirect to login
+    const loginUrl = new URL('/api/auth/login', request.url)
+    loginUrl.searchParams.set('returnTo', pathname)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: [
+    // Match all paths except static files and Next.js internals
+    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
+  ],
+}

package/dist/templates/nextjs-oauth/tsconfig.json

@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ],
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@insureco/cli",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Developer CLI for InsurEco Tawa platform",
   "type": "module",
   "bin": {