@javagt/express-easy-auth 1.0.0

package/src/db/init.js

@@ -0,0 +1,203 @@
+import { DatabaseSync } from 'node:sqlite';
+import fs from 'fs';
+import path from 'path';
+
+let authDb;
+let userDb;
+
+export function initAuthDb(dataDir) {
+  if (!authDb) {
+    if (!fs.existsSync(dataDir)) {
+      fs.mkdirSync(dataDir, { recursive: true });
+    }
+    authDb = new DatabaseSync(path.join(dataDir, 'auth.db'));
+  }
+
+  authDb.exec(`
+    CREATE TABLE IF NOT EXISTS users (
+      id TEXT PRIMARY KEY,
+      username TEXT UNIQUE NOT NULL,
+      email TEXT UNIQUE NOT NULL,
+      password_hash TEXT NOT NULL,
+      totp_enabled INTEGER NOT NULL DEFAULT 0,
+      totp_secret TEXT,
+      mfa_required INTEGER NOT NULL DEFAULT 0,
+      failed_attempts INTEGER NOT NULL DEFAULT 0,
+      locked_until INTEGER NOT NULL DEFAULT 0,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS sessions (
+      id TEXT PRIMARY KEY,
+      user_id TEXT, -- Nullable for anonymous/pending sessions
+      data TEXT NOT NULL,
+      created_at INTEGER NOT NULL,
+      expires_at INTEGER NOT NULL,
+      last_activity INTEGER NOT NULL,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS totp_secrets (
+      user_id TEXT PRIMARY KEY,
+      secret TEXT NOT NULL,
+      verified INTEGER NOT NULL DEFAULT 0,
+      created_at INTEGER NOT NULL,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS passkeys (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL,
+      credential_id TEXT UNIQUE NOT NULL,
+      public_key TEXT NOT NULL,
+      counter INTEGER NOT NULL DEFAULT 0,
+      device_type TEXT,
+      backed_up INTEGER NOT NULL DEFAULT 0,
+      transports TEXT,
+      friendly_name TEXT,
+      created_at INTEGER NOT NULL,
+      last_used INTEGER,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS webauthn_challenges (
+      id TEXT PRIMARY KEY,
+      user_id TEXT,
+      challenge TEXT NOT NULL,
+      type TEXT NOT NULL,
+      created_at INTEGER NOT NULL,
+      expires_at INTEGER NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS fresh_auth_tokens (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL,
+      session_id TEXT NOT NULL,
+      verified_at INTEGER NOT NULL,
+      expires_at INTEGER NOT NULL,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+    
+    CREATE TABLE IF NOT EXISTS recovery_codes (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL,
+      code_hash TEXT NOT NULL,
+      used INTEGER NOT NULL DEFAULT 0,
+      created_at INTEGER NOT NULL,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS system_logs (
+      id TEXT PRIMARY KEY,
+      level TEXT NOT NULL,
+      source TEXT NOT NULL,
+      message TEXT NOT NULL,
+      stack TEXT,
+      context TEXT,
+      user_id TEXT,
+      timestamp INTEGER NOT NULL
+    );
+    
+    CREATE TABLE IF NOT EXISTS password_reset_tokens (
+      token_hash TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      used INTEGER NOT NULL DEFAULT 0,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS api_keys (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL,
+      key_hash TEXT UNIQUE NOT NULL,
+      name TEXT,
+      permissions TEXT, -- JSON string
+      created_at INTEGER NOT NULL,
+      last_used INTEGER,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS settings (
+      key TEXT PRIMARY KEY,
+      value TEXT
+    );
+
+    -- Seed settings with new grouped keys
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('auth_mfa_force_all', 'false');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('auth_mfa_force_new_users', 'false');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('auth_registration_enabled', 'true');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('lockout_duration_mins', '15');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('lockout_max_attempts', '5');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('password_min_length', '8');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('password_reset_expiry_mins', '30');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('session_duration_days', '7');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('session_fresh_auth_mins', '5');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('site_admin_emails', 'admin@example.com');
+    INSERT OR IGNORE INTO settings (key, value) VALUES ('site_name', 'Authentication Server');
+
+    CREATE INDEX IF NOT EXISTS idx_sessions_user ON sessions(user_id);
+    CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
+    CREATE INDEX IF NOT EXISTS idx_passkeys_user ON passkeys(user_id);
+    CREATE INDEX IF NOT EXISTS idx_challenges_expires ON webauthn_challenges(expires_at);
+    CREATE INDEX IF NOT EXISTS idx_fresh_auth_expires ON fresh_auth_tokens(expires_at);
+    CREATE INDEX IF NOT EXISTS idx_logs_timestamp ON system_logs(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_logs_level ON system_logs(level);
+  `);
+
+  // Migration: Rename old keys if they exist
+  const migrateMap = {
+    'force_2fa': 'auth_mfa_force_all',
+    'enforce_mfa_new_users': 'auth_mfa_force_new_users',
+    'registration_enabled': 'auth_registration_enabled',
+    'max_login_attempts': 'lockout_max_attempts',
+    'min_password_length': 'password_min_length',
+    'reset_token_expiry_mins': 'password_reset_expiry_mins',
+    'fresh_auth_duration': 'session_fresh_auth_mins',
+    'admin_email': 'site_admin_emails'
+  };
+
+    for (const [oldKey, newKey] of Object.entries(migrateMap)) {
+      try {
+        authDb.prepare(`
+          UPDATE settings SET key = ? 
+          WHERE key = ? AND NOT EXISTS (SELECT 1 FROM settings WHERE key = ?)
+        `).run(newKey, oldKey, newKey);
+      } catch (e) {
+        // Ignore migration errors (e.g. key already migrated)
+      }
+    }
+  
+    // Migration: Rename 'name' to 'friendly_name' in passkeys table if it exists
+    try {
+        const columns = authDb.prepare("PRAGMA table_info(passkeys)").all();
+        const hasName = columns.some(c => c.name === 'name');
+        const hasFriendlyName = columns.some(c => c.name === 'friendly_name');
+        
+        if (hasName && !hasFriendlyName) {
+            authDb.exec("ALTER TABLE passkeys RENAME COLUMN name TO friendly_name");
+        }
+    } catch (e) {
+        // Ignore table_info errors or if table doesn't exist yet
+    }
+  }
+
+export function initUserDb(dataDir) {
+  if (!userDb) {
+    if (!fs.existsSync(dataDir)) {
+      fs.mkdirSync(dataDir, { recursive: true });
+    }
+    userDb = new DatabaseSync(path.join(dataDir, 'users.db'));
+  }
+
+  // Profile table removed from core library. Implement in demo if needed.
+}
+
+export { authDb, userDb };
+export function getAppSettings() {
+  const rows = authDb.prepare('SELECT key, value FROM settings').all();
+  return rows.reduce((acc, row) => {
+    acc[row.key] = row.value;
+    return acc;
+  }, {});
+}

package/src/db/sessionStore.js

@@ -0,0 +1,67 @@
+import session from 'express-session';
+import { authDb } from './init.js';
+
+const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+export default class SQLiteSessionStore extends session.Store {
+  constructor() {
+    super();
+    setInterval(() => this._cleanup(), 15 * 60 * 1000).unref();
+  }
+
+  get db() { return authDb; }
+
+  get(sid, callback) {
+    try {
+      const row = this.db
+        .prepare('SELECT data FROM sessions WHERE id=? AND expires_at > unixepoch()')
+        .get(sid);
+      if (!row) {
+        console.log(`[session] GET ${sid} -> NOT FOUND`);
+        return callback(null, null);
+      }
+      console.log(`[session] GET ${sid} -> FOUND`);
+      callback(null, JSON.parse(row.data));
+    } catch (e) {
+      console.error(`[session] GET ${sid} -> ERROR`, e);
+      callback(e);
+    }
+  }
+
+  set(sid, session, callback) {
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      const expires = Math.floor((Date.now() + SESSION_TTL_MS) / 1000);
+      const data = JSON.stringify(session);
+      const userId = session.userId || null;
+
+      this.db.prepare(`
+        INSERT INTO sessions (id, user_id, data, created_at, expires_at, last_activity)
+        VALUES (?, ?, ?, ?, ?, ?)
+        ON CONFLICT(id) DO UPDATE SET
+          data=excluded.data, 
+          user_id=excluded.user_id,
+          expires_at=excluded.expires_at, 
+          last_activity=excluded.last_activity
+      `).run(sid, userId, data, now, expires, now);
+      console.log(`[session] SET ${sid} (user: ${userId})`);
+      callback(null);
+    } catch (e) {
+      console.error(`[session] SET ${sid} -> ERROR`, e);
+      callback(e);
+    }
+  }
+
+  destroy(sid, callback) {
+    try {
+      this.db.prepare('DELETE FROM sessions WHERE id=?').run(sid);
+      callback(null);
+    } catch (e) { callback(e); }
+  }
+
+  touch(sid, session, callback) { this.set(sid, session, callback); }
+
+  _cleanup() {
+    try { this.db.prepare('DELETE FROM sessions WHERE expires_at <= unixepoch()').run(); } catch (_) { }
+  }
+}

package/src/index.js

@@ -0,0 +1,61 @@
+import { initAuthDb, initUserDb, authDb, userDb } from './db/init.js';
+import SQLiteSessionStore from './db/sessionStore.js';
+import authRouter from './routes/auth.js';
+import { requireAuth, requireFreshAuth, requireApiKey, authErrorLogger } from './middleware/auth.js';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+
+import { DefaultLogger } from './utils/logger.js';
+import { AuthClient } from './client.js';
+
+/**
+ * Initializes the authentication databases and configuration.
+ * @param {import('express').Application} app - The Express application.
+ * @param {Object} options - Configuration options.
+ * @param {string} [options.dataDir] - Directory to store SQLite databases. Defaults to './data'.
+ * @param {Object} [options.config] - Authentication configuration (domain, rpID, etc.).
+ * @param {string|boolean} [options.sdkRoute='/auth-sdk.js'] - Route to serve the frontend SDK. Set to false to disable.
+ * @param {boolean} [options.exposeErrors=false] - If true, detailed error messages are sent to the client.
+ * @param {Object} [options.logger] - Custom logger object. Should implement error, warn, info, debug.
+ */
+export function setupAuth(app, options = {}) {
+  const dataDir = options.dataDir || path.join(process.cwd(), 'data');
+  const config = options.config || {};
+  const sdkRoute = options.sdkRoute !== undefined ? options.sdkRoute : '/auth-sdk.js';
+  const exposeErrors = options.exposeErrors !== undefined ? options.exposeErrors : false;
+  const logger = options.logger || new DefaultLogger();
+
+  initAuthDb(dataDir);
+  initUserDb(dataDir);
+
+  // Store for middleware access
+  app.set('config', { ...config, exposeErrors });
+  app.set('logger', logger);
+
+  // Serve the frontend SDK if enabled
+  if (sdkRoute) {
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = dirname(__filename);
+    const sdkPath = path.join(__dirname, 'client.js');
+
+    app.get(sdkRoute, (req, res) => {
+      res.setHeader('Content-Type', 'application/javascript');
+      res.sendFile(sdkPath);
+    });
+  }
+}
+
+export {
+  authDb,
+  userDb,
+  SQLiteSessionStore,
+  authRouter,
+  authRouter as auth,
+  requireAuth,
+  requireFreshAuth,
+  requireApiKey,
+  authErrorLogger,
+  DefaultLogger,
+  AuthClient
+};

package/src/middleware/auth.js

@@ -0,0 +1,111 @@
+import { randomUUID, randomBytes } from 'crypto';
+import { authDb } from '../db/init.js';
+import bcrypt from 'bcrypt';
+
+const FRESH_AUTH_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
+
+export function requireAuth(req, res, next) {
+    if (!req.session?.userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    req.userId = req.session.userId; // Convenience attachment
+    next();
+}
+
+export function requireFreshAuth(req, res, next) {
+    if (!req.session?.userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    req.userId = req.session.userId; // Ensure it's there too
+    const lastAuthed = req.session.lastAuthedAt;
+
+    // Pull dynamic duration from settings
+    const rows = authDb.prepare("SELECT value FROM settings WHERE key='session_fresh_auth_mins'").get();
+    const durationMins = parseInt(rows?.value || '5', 10);
+    const windowMs = durationMins * 60 * 1000;
+
+    if (!lastAuthed || Date.now() - lastAuthed > windowMs) {
+        return res.status(403).json({
+            error: 'Fresh authentication required',
+            code: 'FRESH_AUTH_REQUIRED',
+            freshAuthWindowMs: windowMs
+        });
+    }
+    next();
+}
+
+/**
+ * Middleware to authenticate requests via API Key.
+ * Supports X-API-Key header or Authorization: Bearer <key>.
+ */
+export async function requireApiKey(req, res, next) {
+    let key = req.get('X-API-Key');
+    if (!key) {
+        const authHeader = req.get('Authorization');
+        if (authHeader && authHeader.startsWith('Bearer ')) {
+            key = authHeader.substring(7);
+        }
+    }
+
+    if (!key) {
+        return res.status(401).json({ error: 'API Key required' });
+    }
+
+    const parts = key.split('_');
+    if (parts.length < 4) {
+        return res.status(401).json({ error: 'Invalid API Key format' });
+    }
+
+    const keyId = parts[2];
+    const secret = parts[3];
+
+    const apiKey = authDb.prepare('SELECT * FROM api_keys WHERE id = ?').get(keyId);
+    if (!apiKey) {
+        return res.status(401).json({ error: 'Invalid API Key' });
+    }
+
+    const valid = await bcrypt.compare(secret, apiKey.key_hash);
+    if (!valid) {
+        return res.status(401).json({ error: 'Invalid API Key' });
+    }
+
+    // Update last used
+    authDb.prepare('UPDATE api_keys SET last_used = ? WHERE id = ?').run(Date.now(), keyId);
+
+    req.userId = apiKey.user_id;
+    req.permissions = JSON.parse(apiKey.permissions || '[]');
+    next();
+}
+
+/**
+ * Global error handler that logs via the configured logger
+ */
+export function authErrorLogger(err, req, res, next) {
+    const logger = req.app.get('logger');
+    const config = req.app.get('config') || {};
+    const exposeErrors = config.exposeErrors;
+
+    if (logger) {
+        logger.error(err.message || String(err), {
+            err,
+            source: 'server',
+            userId: req.session?.userId || null,
+            context: {
+                url: req.url,
+                method: req.method,
+                ip: req.ip,
+                userAgent: req.get('user-agent'),
+                requestId: req.get('x-request-id') // If available
+            }
+        });
+    } else {
+        console.error('[auth-server] Logger not found, falling back to console:', err);
+    }
+
+    if (res.headersSent) return next(err);
+    
+    res.status(500).json({ 
+        error: exposeErrors ? (err.message || 'Internal server error') : 'Internal server error',
+        ...(exposeErrors && { stack: err.stack })
+    });
+}