@mantiq/auth 0.1.3 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/auth",
-  "version": "0.1.3",
+  "version": "0.2.1",
   "description": "Session & token auth, guards, providers",
   "type": "module",
   "license": "MIT",
@@ -40,14 +40,16 @@
     "LICENSE"
   ],
   "scripts": {
-    "build": "bun build ./src/index.ts --outdir ./dist --target bun",
+    "build": "bun build ./src/index.ts --outdir ./dist --target bun --packages=external",
     "test": "bun test",
     "typecheck": "tsc --noEmit",
     "clean": "rm -rf dist"
   },
   "devDependencies": {
     "bun-types": "latest",
-    "typescript": "^5.7.0"
+    "typescript": "^5.7.0",
+    "@mantiq/core": "workspace:*",
+    "@mantiq/database": "workspace:*"
   },
   "peerDependencies": {
     "@mantiq/core": "^0.1.0",

package/src/AuthManager.ts

@@ -7,6 +7,7 @@ import type { Authenticatable } from './contracts/Authenticatable.ts'
 import type { AuthConfig } from './contracts/AuthConfig.ts'
 import { SessionGuard } from './guards/SessionGuard.ts'
 import { RequestGuard } from './guards/RequestGuard.ts'
+import { TokenGuard } from './guards/TokenGuard.ts'
 import { DatabaseUserProvider } from './providers/DatabaseUserProvider.ts'
 
 type RequestGuardCallback = (
@@ -208,6 +209,10 @@ export class AuthManager implements DriverManager<Guard> {
         }
         return new SessionGuard(name, provider, encrypter)
       }
+      case 'token': {
+        const provider = this.createUserProvider(guardConfig.provider)
+        return new TokenGuard(name, provider, guardConfig.trackLastUsed ?? false)
+      }
       default: {
         throw new Error(
           `Unsupported auth guard driver: "${guardConfig.driver}". ` +

package/src/HasApiTokens.ts

@@ -0,0 +1,58 @@
+import { PersonalAccessToken } from './models/PersonalAccessToken.ts'
+import { sha256 } from './helpers/hash.ts'
+import type { NewAccessToken } from './contracts/NewAccessToken.ts'
+
+export function applyHasApiTokens(ModelClass: any): void {
+  // Store current access token on instance
+  const proto = ModelClass.prototype
+
+  proto.createToken = async function(name: string, abilities: string[] = ['*'], expiresAt?: Date): Promise<NewAccessToken> {
+    // Generate 64 random hex characters
+    const randomBytes = new Uint8Array(32)
+    crypto.getRandomValues(randomBytes)
+    const plaintext = Array.from(randomBytes).map(b => b.toString(16).padStart(2, '0')).join('')
+
+    const hash = await sha256(plaintext)
+
+    const ctor = this.constructor as any
+    const token = await PersonalAccessToken.create({
+      tokenable_type: ctor.table ?? ctor.name?.toLowerCase() + 's',
+      tokenable_id: this.getKey(),
+      name,
+      token: hash,
+      abilities: JSON.stringify(abilities),
+      expires_at: expiresAt?.toISOString() ?? null,
+    })
+
+    const id = token.getKey()
+    return {
+      accessToken: token,
+      plainTextToken: `${id}|${plaintext}`,
+    }
+  }
+
+  proto.tokens = function() {
+    const ctor = this.constructor as any
+    return PersonalAccessToken.where('tokenable_type', ctor.table ?? ctor.name?.toLowerCase() + 's')
+      .where('tokenable_id', this.getKey())
+  }
+
+  proto.currentAccessToken = function(): PersonalAccessToken | null {
+    return this._currentAccessToken ?? null
+  }
+
+  proto.withAccessToken = function(token: PersonalAccessToken): any {
+    this._currentAccessToken = token
+    return this
+  }
+
+  proto.tokenCan = function(ability: string): boolean {
+    const token = this.currentAccessToken()
+    if (!token) return false
+    return token.can(ability)
+  }
+
+  proto.tokenCant = function(ability: string): boolean {
+    return !this.tokenCan(ability)
+  }
+}

package/src/contracts/NewAccessToken.ts

@@ -0,0 +1,6 @@
+import type { PersonalAccessToken } from '../models/PersonalAccessToken.ts'
+
+export interface NewAccessToken {
+  accessToken: PersonalAccessToken
+  plainTextToken: string
+}

package/src/guards/TokenGuard.ts

@@ -0,0 +1,108 @@
+import type { Guard } from '../contracts/Guard.ts'
+import type { Authenticatable } from '../contracts/Authenticatable.ts'
+import type { UserProvider } from '../contracts/UserProvider.ts'
+import type { MantiqRequest } from '@mantiq/core'
+import { PersonalAccessToken } from '../models/PersonalAccessToken.ts'
+import { sha256 } from '../helpers/hash.ts'
+
+export class TokenGuard implements Guard {
+  private _user: Authenticatable | null = null
+  private _request: MantiqRequest | null = null
+  private _resolved = false
+
+  constructor(
+    private readonly name: string,
+    private readonly provider: UserProvider,
+    private readonly trackLastUsed = false,
+  ) {}
+
+  async check(): Promise<boolean> {
+    return (await this.user()) !== null
+  }
+
+  async guest(): Promise<boolean> {
+    return !(await this.check())
+  }
+
+  async user(): Promise<Authenticatable | null> {
+    if (this._resolved) return this._user
+    this._resolved = true
+
+    if (!this._request) return null
+
+    const bearerToken = this._request.bearerToken()
+    if (!bearerToken) return null
+
+    const token = await this.resolveToken(bearerToken)
+    if (!token) return null
+
+    // Check expiration
+    if (token.isExpired()) return null
+
+    // Optionally track last usage (disabled by default to avoid write-per-request)
+    if (this.trackLastUsed) {
+      token.setAttribute('last_used_at', new Date().toISOString())
+      token.save().catch(() => {})
+    }
+
+    // Resolve user
+    const userId = token.getAttribute('tokenable_id')
+    const user = await this.provider.retrieveById(userId)
+    if (!user) return null
+
+    // Attach token to user if it supports it
+    if (typeof (user as any).withAccessToken === 'function') {
+      (user as any).withAccessToken(token)
+    }
+
+    this._user = user
+    return user
+  }
+
+  async id(): Promise<string | number | null> {
+    const user = await this.user()
+    return user?.getAuthIdentifier() ?? null
+  }
+
+  async validate(credentials: Record<string, any>): Promise<boolean> {
+    const user = await this.provider.retrieveByCredentials(credentials)
+    if (!user) return false
+    return this.provider.validateCredentials(user, credentials)
+  }
+
+  setUser(user: Authenticatable): void {
+    this._user = user
+    this._resolved = true
+  }
+
+  hasUser(): boolean {
+    return this._user !== null
+  }
+
+  setRequest(request: MantiqRequest): void {
+    this._request = request
+    this._user = null
+    this._resolved = false
+  }
+
+  private async resolveToken(bearerToken: string): Promise<PersonalAccessToken | null> {
+    const parts = bearerToken.split('|')
+
+    if (parts.length === 2) {
+      // Format: {id}|{plaintext}
+      const [id, plaintext] = parts
+      const token = await PersonalAccessToken.find(Number(id))
+      if (!token) return null
+
+      const hash = await sha256(plaintext!)
+      const storedHash = token.getAttribute('token') as string
+      if (hash !== storedHash) return null
+
+      return token
+    }
+
+    // Fallback: hash the entire string and search by token hash
+    const hash = await sha256(bearerToken)
+    return await PersonalAccessToken.where('token', hash).first() as PersonalAccessToken | null
+  }
+}

package/src/helpers/hash.ts

@@ -0,0 +1,5 @@
+export async function sha256(input: string): Promise<string> {
+  const data = new TextEncoder().encode(input)
+  const hashBuffer = await crypto.subtle.digest('SHA-256', data)
+  return Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('')
+}

package/src/index.ts

@@ -4,6 +4,7 @@ export type { Guard } from './contracts/Guard.ts'
 export type { StatefulGuard } from './contracts/StatefulGuard.ts'
 export type { UserProvider } from './contracts/UserProvider.ts'
 export type { AuthConfig, GuardConfig, ProviderConfig } from './contracts/AuthConfig.ts'
+export type { NewAccessToken } from './contracts/NewAccessToken.ts'
 
 // ── Core ──────────────────────────────────────────────────────────────────────
 export { AuthManager } from './AuthManager.ts'
@@ -12,6 +13,7 @@ export { AuthServiceProvider } from './AuthServiceProvider.ts'
 // ── Guards ────────────────────────────────────────────────────────────────────
 export { SessionGuard } from './guards/SessionGuard.ts'
 export { RequestGuard } from './guards/RequestGuard.ts'
+export { TokenGuard } from './guards/TokenGuard.ts'
 
 // ── Providers ─────────────────────────────────────────────────────────────────
 export { DatabaseUserProvider } from './providers/DatabaseUserProvider.ts'
@@ -21,6 +23,8 @@ export { Authenticate } from './middleware/Authenticate.ts'
 export { RedirectIfAuthenticated } from './middleware/RedirectIfAuthenticated.ts'
 export { EnsureEmailIsVerified } from './middleware/EnsureEmailIsVerified.ts'
 export { ConfirmPassword } from './middleware/ConfirmPassword.ts'
+export { CheckAbilities } from './middleware/CheckAbilities.ts'
+export { CheckForAnyAbility } from './middleware/CheckForAnyAbility.ts'
 
 // ── Errors ────────────────────────────────────────────────────────────────────
 export { AuthenticationError } from './errors/AuthenticationError.ts'
@@ -28,5 +32,15 @@ export { AuthenticationError } from './errors/AuthenticationError.ts'
 // ── Events ────────────────────────────────────────────────────────────────────
 export { Attempting, Authenticated, Login, Failed, Logout, Registered, Lockout } from './events/AuthEvents.ts'
 
+// ── Models ────────────────────────────────────────────────────────────────────
+export { PersonalAccessToken } from './models/PersonalAccessToken.ts'
+
+// ── Mixins ────────────────────────────────────────────────────────────────────
+export { applyHasApiTokens } from './HasApiTokens.ts'
+
+// ── Migrations ────────────────────────────────────────────────────────────────
+export { CreatePersonalAccessTokensTable } from './migrations/CreatePersonalAccessTokensTable.ts'
+
 // ── Helpers ───────────────────────────────────────────────────────────────────
+export { sha256 } from './helpers/hash.ts'
 export { auth, AUTH_MANAGER } from './helpers/auth.ts'

package/src/middleware/CheckAbilities.ts

@@ -0,0 +1,24 @@
+import type { MantiqRequest } from '@mantiq/core'
+
+export class CheckAbilities {
+  private abilities: string[] = []
+
+  setParameters(...abilities: string[]): void {
+    this.abilities = abilities
+  }
+
+  async handle(request: MantiqRequest, next: () => Promise<Response>): Promise<Response> {
+    const user = request.user<any>()
+    if (!user || typeof user.tokenCan !== 'function') {
+      return new Response(JSON.stringify({ message: 'Unauthorized.' }), { status: 403, headers: { 'Content-Type': 'application/json' } })
+    }
+
+    for (const ability of this.abilities) {
+      if (!user.tokenCan(ability)) {
+        return new Response(JSON.stringify({ message: `Missing ability: ${ability}` }), { status: 403, headers: { 'Content-Type': 'application/json' } })
+      }
+    }
+
+    return next()
+  }
+}

package/src/middleware/CheckForAnyAbility.ts

@@ -0,0 +1,23 @@
+import type { MantiqRequest } from '@mantiq/core'
+
+export class CheckForAnyAbility {
+  private abilities: string[] = []
+
+  setParameters(...abilities: string[]): void {
+    this.abilities = abilities
+  }
+
+  async handle(request: MantiqRequest, next: () => Promise<Response>): Promise<Response> {
+    const user = request.user<any>()
+    if (!user || typeof user.tokenCan !== 'function') {
+      return new Response(JSON.stringify({ message: 'Unauthorized.' }), { status: 403, headers: { 'Content-Type': 'application/json' } })
+    }
+
+    const hasAny = this.abilities.some(ability => user.tokenCan(ability))
+    if (!hasAny) {
+      return new Response(JSON.stringify({ message: 'Insufficient abilities.' }), { status: 403, headers: { 'Content-Type': 'application/json' } })
+    }
+
+    return next()
+  }
+}

package/src/migrations/CreatePersonalAccessTokensTable.ts

@@ -0,0 +1,22 @@
+import { Migration } from '@mantiq/database'
+import type { SchemaBuilder } from '@mantiq/database'
+
+export class CreatePersonalAccessTokensTable extends Migration {
+  override async up(schema: SchemaBuilder): Promise<void> {
+    await schema.create('personal_access_tokens', (table) => {
+      table.id()
+      table.string('tokenable_type')
+      table.unsignedBigInteger('tokenable_id')
+      table.string('name')
+      table.string('token', 64).unique()
+      table.json('abilities').nullable()
+      table.timestamp('last_used_at').nullable()
+      table.timestamp('expires_at').nullable()
+      table.timestamps()
+    })
+  }
+
+  override async down(schema: SchemaBuilder): Promise<void> {
+    await schema.dropIfExists('personal_access_tokens')
+  }
+}

package/src/models/PersonalAccessToken.ts

@@ -0,0 +1,28 @@
+import { Model } from '@mantiq/database'
+
+export class PersonalAccessToken extends Model {
+  static override table = 'personal_access_tokens'
+  static override fillable = ['name', 'token', 'abilities', 'expires_at', 'last_used_at', 'tokenable_type', 'tokenable_id']
+  static override hidden = ['token']
+  static override casts = {
+    abilities: 'json' as const,
+    last_used_at: 'datetime' as const,
+    expires_at: 'datetime' as const,
+  }
+
+  can(ability: string): boolean {
+    const abilities = this.getAttribute('abilities') as string[] | null
+    if (!abilities) return false
+    return abilities.includes('*') || abilities.includes(ability)
+  }
+
+  cant(ability: string): boolean {
+    return !this.can(ability)
+  }
+
+  isExpired(): boolean {
+    const expiresAt = this.getAttribute('expires_at')
+    if (!expiresAt) return false
+    return new Date(expiresAt) < new Date()
+  }
+}