@ministerjs/auth 2.0.1 → 3.0.1

package/dist/nestjs.js

@@ -32,15 +32,174 @@ __export(nestjs_exports, {
   AUTH_DRIVER: () => AUTH_DRIVER,
   AuthController: () => AuthController,
   AuthModule: () => AuthModule,
-  JwtPrismaCookieAuthDriver: () => JwtPrismaCookieAuthDriver
+  InMemoryLockoutStore: () => InMemoryLockoutStore,
+  InMemoryRefreshTokenStore: () => InMemoryRefreshTokenStore,
+  JwtAuthGuard: () => JwtAuthGuard,
+  JwtPrismaCookieAuthDriver: () => JwtPrismaCookieAuthDriver,
+  ROLES_KEY: () => ROLES_KEY,
+  Roles: () => Roles,
+  RolesGuard: () => RolesGuard
 });
 module.exports = __toCommonJS(nestjs_exports);
 
 // src/nestjs/token.ts
 var AUTH_DRIVER = Symbol("AUTH_DRIVER");
 
-// src/nestjs/AuthController.ts
+// src/nestjs/stores.ts
+var InMemoryLockoutStore = class {
+  constructor(windowMs) {
+    this.windowMs = windowMs;
+  }
+  entries = /* @__PURE__ */ new Map();
+  async recordFailure(key) {
+    const now = Date.now();
+    const entry = this.entries.get(key);
+    if (!entry || now - entry.firstFailure > this.windowMs) {
+      this.entries.set(key, { count: 1, firstFailure: now });
+    } else {
+      entry.count++;
+    }
+  }
+  async getFailures(key) {
+    const entry = this.entries.get(key);
+    if (!entry) return 0;
+    if (Date.now() - entry.firstFailure > this.windowMs) {
+      this.entries.delete(key);
+      return 0;
+    }
+    return entry.count;
+  }
+  async reset(key) {
+    this.entries.delete(key);
+  }
+};
+var InMemoryRefreshTokenStore = class {
+  tokens = /* @__PURE__ */ new Map();
+  userJtis = /* @__PURE__ */ new Map();
+  async save(jti, userId, expiresAt) {
+    this.tokens.set(jti, { userId, expiresAt });
+    let jtis = this.userJtis.get(userId);
+    if (!jtis) {
+      jtis = /* @__PURE__ */ new Set();
+      this.userJtis.set(userId, jtis);
+    }
+    jtis.add(jti);
+  }
+  async find(jti) {
+    const entry = this.tokens.get(jti);
+    if (!entry) return null;
+    if (entry.expiresAt.getTime() < Date.now()) {
+      this.tokens.delete(jti);
+      return null;
+    }
+    return entry;
+  }
+  async revoke(jti) {
+    const entry = this.tokens.get(jti);
+    if (entry) {
+      this.userJtis.get(entry.userId)?.delete(jti);
+    }
+    this.tokens.delete(jti);
+  }
+  async revokeAll(userId) {
+    const jtis = this.userJtis.get(userId);
+    if (jtis) {
+      for (const jti of jtis) {
+        this.tokens.delete(jti);
+      }
+      this.userJtis.delete(userId);
+    }
+  }
+};
+
+// src/nestjs/rbac.ts
 var import_common = require("@nestjs/common");
+var ROLES_KEY = "ministerjs:roles";
+var Roles = (...roles) => (0, import_common.SetMetadata)(ROLES_KEY, roles);
+
+// src/nestjs/guards/JwtAuthGuard.ts
+var import_common2 = require("@nestjs/common");
+var import_jsonwebtoken = require("jsonwebtoken");
+var JwtAuthGuard = class {
+  jwtSecret;
+  cookieName;
+  csrfEnabled;
+  constructor(options) {
+    this.jwtSecret = options.jwtSecret;
+    this.cookieName = options.cookieName ?? "auth_token";
+    this.csrfEnabled = options.csrfEnabled ?? false;
+  }
+  canActivate(context) {
+    const request = context.switchToHttp().getRequest();
+    const token = this.extractToken(request);
+    if (!token) {
+      throw new import_common2.UnauthorizedException("No token provided");
+    }
+    let payload;
+    try {
+      payload = (0, import_jsonwebtoken.verify)(token, this.jwtSecret, {
+        algorithms: ["HS256"]
+      });
+    } catch {
+      throw new import_common2.UnauthorizedException("Invalid token");
+    }
+    if (this.csrfEnabled) {
+      this.validateCsrf(request);
+    }
+    request.user = {
+      id: payload.sub,
+      roles: payload.roles ?? []
+    };
+    return true;
+  }
+  extractToken(request) {
+    const fromCookie = request.cookies?.[this.cookieName];
+    if (fromCookie) return fromCookie;
+    const authHeader = request.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) return authHeader.slice(7);
+    return void 0;
+  }
+  validateCsrf(request) {
+    const headerToken = request.headers["x-csrf-token"];
+    const cookieToken = request.cookies?.["csrf_token"];
+    if (!headerToken || headerToken !== cookieToken) {
+      throw new import_common2.UnauthorizedException("CSRF token mismatch");
+    }
+  }
+};
+JwtAuthGuard = __decorateClass([
+  (0, import_common2.Injectable)()
+], JwtAuthGuard);
+
+// src/nestjs/guards/RolesGuard.ts
+var import_common3 = require("@nestjs/common");
+var RolesGuard = class {
+  constructor(reflector) {
+    this.reflector = reflector;
+  }
+  canActivate(context) {
+    const required = this.reflector.getAllAndOverride(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (!required?.length) return true;
+    const request = context.switchToHttp().getRequest();
+    if (!request.user) {
+      throw new import_common3.ForbiddenException("Not authenticated");
+    }
+    const hasRole = required.some((r) => request.user.roles.includes(r));
+    if (!hasRole) {
+      throw new import_common3.ForbiddenException("Insufficient permissions");
+    }
+    return true;
+  }
+};
+RolesGuard = __decorateClass([
+  (0, import_common3.Injectable)()
+], RolesGuard);
+
+// src/nestjs/AuthController.ts
+var import_common4 = require("@nestjs/common");
 var AuthController = class {
   constructor(driver) {
     this.driver = driver;
@@ -52,7 +211,17 @@ var AuthController = class {
   async checkIn(request, response) {
     const user = await this.driver.checkIn(request, response);
     if (!user) {
-      throw new import_common.UnauthorizedException("Not authenticated");
+      throw new import_common4.UnauthorizedException("Not authenticated");
+    }
+    return { message: "ok", data: user };
+  }
+  async refresh(request, response) {
+    if (!this.driver.refresh) {
+      throw new import_common4.UnauthorizedException("Refresh not supported");
+    }
+    const user = await this.driver.refresh(request, response);
+    if (!user) {
+      throw new import_common4.UnauthorizedException("Invalid refresh token");
     }
     return { message: "ok", data: user };
   }
@@ -62,31 +231,37 @@ var AuthController = class {
   }
 };
 __decorateClass([
-  (0, import_common.Post)("/login"),
-  (0, import_common.HttpCode)(200),
-  __decorateParam(0, (0, import_common.Body)()),
-  __decorateParam(1, (0, import_common.Req)()),
-  __decorateParam(2, (0, import_common.Res)({ passthrough: true }))
+  (0, import_common4.Post)("/login"),
+  (0, import_common4.HttpCode)(200),
+  __decorateParam(0, (0, import_common4.Body)()),
+  __decorateParam(1, (0, import_common4.Req)()),
+  __decorateParam(2, (0, import_common4.Res)({ passthrough: true }))
 ], AuthController.prototype, "login", 1);
 __decorateClass([
-  (0, import_common.Post)("/checkin"),
-  (0, import_common.HttpCode)(200),
-  __decorateParam(0, (0, import_common.Req)()),
-  __decorateParam(1, (0, import_common.Res)({ passthrough: true }))
+  (0, import_common4.Post)("/checkin"),
+  (0, import_common4.HttpCode)(200),
+  __decorateParam(0, (0, import_common4.Req)()),
+  __decorateParam(1, (0, import_common4.Res)({ passthrough: true }))
 ], AuthController.prototype, "checkIn", 1);
 __decorateClass([
-  (0, import_common.Post)("/logout"),
-  (0, import_common.HttpCode)(200),
-  __decorateParam(0, (0, import_common.Req)()),
-  __decorateParam(1, (0, import_common.Res)({ passthrough: true }))
+  (0, import_common4.Post)("/refresh"),
+  (0, import_common4.HttpCode)(200),
+  __decorateParam(0, (0, import_common4.Req)()),
+  __decorateParam(1, (0, import_common4.Res)({ passthrough: true }))
+], AuthController.prototype, "refresh", 1);
+__decorateClass([
+  (0, import_common4.Post)("/logout"),
+  (0, import_common4.HttpCode)(200),
+  __decorateParam(0, (0, import_common4.Req)()),
+  __decorateParam(1, (0, import_common4.Res)({ passthrough: true }))
 ], AuthController.prototype, "logout", 1);
 AuthController = __decorateClass([
-  (0, import_common.Controller)(),
-  __decorateParam(0, (0, import_common.Inject)(AUTH_DRIVER))
+  (0, import_common4.Controller)(),
+  __decorateParam(0, (0, import_common4.Inject)(AUTH_DRIVER))
 ], AuthController);
 
 // src/nestjs/AuthModule.ts
-var import_common2 = require("@nestjs/common");
+var import_common5 = require("@nestjs/common");
 var AuthModule = class {
   static register(options) {
     const driverProvider = this.normalizeDriverProvider(options.driver);
@@ -111,6 +286,9 @@ var AuthModule = class {
       exports: [driverProvider]
     };
   }
+  static createGuard(options) {
+    return new JwtAuthGuard(options);
+  }
   static normalizeDriverProvider(driver) {
     if (typeof driver === "function") {
       return { provide: AUTH_DRIVER, useClass: driver };
@@ -132,16 +310,30 @@ var AuthModule = class {
   }
 };
 AuthModule = __decorateClass([
-  (0, import_common2.Module)({})
+  (0, import_common5.Module)({})
 ], AuthModule);
 
 // src/nestjs/JwtPrismaCookieAuthDriver.ts
-var import_common3 = require("@nestjs/common");
-var import_jsonwebtoken = require("jsonwebtoken");
+var import_node_crypto = require("crypto");
+var import_common6 = require("@nestjs/common");
+var import_jsonwebtoken2 = require("jsonwebtoken");
+var DURATION_UNITS = {
+  s: 1e3,
+  m: 6e4,
+  h: 36e5,
+  d: 864e5
+};
+function parseDuration(value) {
+  const match = value.match(/^(\d+)\s*([smhd])$/);
+  if (!match) return 7 * 864e5;
+  return parseInt(match[1], 10) * DURATION_UNITS[match[2]];
+}
+var isProduction = process.env.NODE_ENV === "production";
 var defaultCookieOptions = {
   httpOnly: true,
   sameSite: "lax",
-  path: "/"
+  path: "/",
+  secure: isProduction
 };
 var JwtPrismaCookieAuthDriver = class {
   prismaModel;
@@ -154,13 +346,23 @@ var JwtPrismaCookieAuthDriver = class {
   cookieOptions;
   comparePassword;
   transformUser;
+  csrf;
+  onAudit;
+  onRateLimitCheck;
+  lockoutStore;
+  lockoutMaxAttempts;
+  refreshTokenEnabled;
+  refreshTokenCookieName;
+  refreshTokenExpiresIn;
+  refreshTokenStore;
   constructor(options) {
-    this.prismaModel = options.prisma[options.modelName];
-    if (!this.prismaModel) {
+    const model = options.prisma[options.modelName];
+    if (!model) {
       throw new Error(
         `Model "${options.modelName}" n\xE3o encontrado no PrismaClient.`
       );
     }
+    this.prismaModel = model;
     this.identifierField = options.identifierField ?? "email";
     this.passwordField = options.passwordField ?? "password";
     this.idField = options.idField ?? "id";
@@ -171,34 +373,107 @@ var JwtPrismaCookieAuthDriver = class {
       ...defaultCookieOptions,
       ...options.cookieOptions ?? {}
     };
-    this.comparePassword = options.comparePassword ?? ((provided, stored) => String(stored) === provided);
+    this.comparePassword = options.comparePassword;
     this.transformUser = options.transformUser ?? ((user) => {
       const clone = { ...user };
       delete clone[this.passwordField];
       return clone;
     });
+    this.csrf = options.csrf ?? false;
+    this.onAudit = options.onAudit;
+    this.onRateLimitCheck = options.onRateLimitCheck;
+    if (options.lockout) {
+      const windowMs = options.lockout.windowMs ?? 15 * 60 * 1e3;
+      this.lockoutMaxAttempts = options.lockout.maxAttempts ?? 5;
+      this.lockoutStore = options.lockout.store ?? new InMemoryLockoutStore(windowMs);
+    } else {
+      this.lockoutMaxAttempts = 0;
+    }
+    if (options.refreshToken?.enabled) {
+      this.refreshTokenEnabled = true;
+      this.refreshTokenCookieName = options.refreshToken.cookieName ?? "refresh_token";
+      this.refreshTokenExpiresIn = options.refreshToken.expiresIn ?? "30d";
+      this.refreshTokenStore = options.refreshToken.store ?? new InMemoryRefreshTokenStore();
+    } else {
+      this.refreshTokenEnabled = false;
+      this.refreshTokenCookieName = "refresh_token";
+      this.refreshTokenExpiresIn = "30d";
+    }
   }
-  async login(payload, _req, res) {
+  async login(payload, req, res) {
     const identifier = payload[this.identifierField];
+    const ip = req.ip ?? req.socket?.remoteAddress ?? "unknown";
+    if (this.onRateLimitCheck) {
+      const allowed = await this.onRateLimitCheck(ip, identifier);
+      if (!allowed) {
+        await this.emitAudit({
+          action: "login",
+          ip,
+          success: false,
+          metadata: { reason: "rate_limited" }
+        });
+        throw new import_common6.UnauthorizedException("Too many requests");
+      }
+    }
+    if (this.lockoutStore) {
+      const failures = await this.lockoutStore.getFailures(identifier);
+      if (failures >= this.lockoutMaxAttempts) {
+        await this.emitAudit({
+          action: "lockout",
+          ip,
+          success: false,
+          metadata: { identifier }
+        });
+        throw new import_common6.UnauthorizedException("Invalid credentials");
+      }
+    }
     const user = await this.prismaModel.findUnique({
       where: { [this.identifierField]: identifier }
     });
     if (!user) {
-      throw new import_common3.UnauthorizedException("Invalid credentials");
+      await this.lockoutStore?.recordFailure(identifier);
+      await this.emitAudit({ action: "login", ip, success: false });
+      throw new import_common6.UnauthorizedException("Invalid credentials");
     }
     const ok = await this.comparePassword(
       payload[this.passwordField],
       user[this.passwordField]
     );
     if (!ok) {
-      throw new import_common3.UnauthorizedException("Invalid credentials");
+      await this.lockoutStore?.recordFailure(identifier);
+      await this.emitAudit({
+        action: "login",
+        userId: String(user[this.idField]),
+        ip,
+        success: false
+      });
+      throw new import_common6.UnauthorizedException("Invalid credentials");
     }
-    const token = (0, import_jsonwebtoken.sign)(
+    await this.lockoutStore?.reset(identifier);
+    const token = (0, import_jsonwebtoken2.sign)(
       { sub: user[this.idField] },
       this.jwtSecret,
-      { expiresIn: this.jwtExpiresIn }
+      { expiresIn: this.jwtExpiresIn, algorithm: "HS256" }
     );
     res.cookie(this.cookieName, token, this.cookieOptions);
+    if (this.refreshTokenEnabled && this.refreshTokenStore) {
+      await this.issueRefreshToken(String(user[this.idField]), res);
+    }
+    if (this.csrf) {
+      const csrfToken = (0, import_node_crypto.randomBytes)(32).toString("hex");
+      res.cookie("csrf_token", csrfToken, {
+        httpOnly: false,
+        sameSite: this.cookieOptions.sameSite,
+        path: "/",
+        secure: this.cookieOptions.secure
+      });
+    }
+    await this.emitAudit({
+      action: "login",
+      userId: String(user[this.idField]),
+      ip,
+      success: true
+    });
     return this.transformUser(user);
   }
   async checkIn(req, res) {
@@ -208,7 +483,9 @@ var JwtPrismaCookieAuthDriver = class {
     }
     let payload;
     try {
-      payload = (0, import_jsonwebtoken.verify)(token, this.jwtSecret);
+      payload = (0, import_jsonwebtoken2.verify)(token, this.jwtSecret, {
+        algorithms: ["HS256"]
+      });
     } catch {
       return null;
     }
@@ -218,14 +495,125 @@ var JwtPrismaCookieAuthDriver = class {
     if (!user) {
       return null;
     }
-    res.cookie(this.cookieName, token, this.cookieOptions);
+    const newToken = (0, import_jsonwebtoken2.sign)(
+      { sub: payload.sub },
+      this.jwtSecret,
+      { expiresIn: this.jwtExpiresIn, algorithm: "HS256" }
+    );
+    res.cookie(this.cookieName, newToken, this.cookieOptions);
+    await this.emitAudit({
+      action: "checkin",
+      userId: String(payload.sub),
+      ip: req.ip ?? req.socket?.remoteAddress,
+      success: true
+    });
     return this.transformUser(user);
   }
-  async logout(_req, res) {
+  async logout(req, res) {
     res.clearCookie(this.cookieName, {
       ...this.cookieOptions,
       maxAge: 0
     });
+    if (this.refreshTokenEnabled) {
+      const refreshCookie = req.cookies?.[this.refreshTokenCookieName];
+      if (refreshCookie && this.refreshTokenStore) {
+        try {
+          const payload = (0, import_jsonwebtoken2.verify)(refreshCookie, this.jwtSecret, {
+            algorithms: ["HS256"]
+          });
+          if (payload.jti) {
+            await this.refreshTokenStore.revokeAll(String(payload.sub));
+          }
+        } catch {
+        }
+      }
+      res.clearCookie(this.refreshTokenCookieName, {
+        ...this.cookieOptions,
+        maxAge: 0
+      });
+    }
+    if (this.csrf) {
+      res.clearCookie("csrf_token", { path: "/", maxAge: 0 });
+    }
+    await this.emitAudit({
+      action: "logout",
+      ip: req.ip ?? req.socket?.remoteAddress,
+      success: true
+    });
+  }
+  async refresh(req, res) {
+    if (!this.refreshTokenEnabled || !this.refreshTokenStore) {
+      return null;
+    }
+    const refreshCookie = req.cookies?.[this.refreshTokenCookieName];
+    if (!refreshCookie) {
+      return null;
+    }
+    let payload;
+    try {
+      payload = (0, import_jsonwebtoken2.verify)(refreshCookie, this.jwtSecret, {
+        algorithms: ["HS256"]
+      });
+    } catch {
+      return null;
+    }
+    if (!payload.jti) {
+      return null;
+    }
+    const stored = await this.refreshTokenStore.find(payload.jti);
+    if (!stored) {
+      return null;
+    }
+    await this.refreshTokenStore.revoke(payload.jti);
+    const userId = String(payload.sub);
+    const user = await this.prismaModel.findUnique({
+      where: { [this.idField]: userId }
+    });
+    if (!user) {
+      return null;
+    }
+    const accessToken = (0, import_jsonwebtoken2.sign)(
+      { sub: userId },
+      this.jwtSecret,
+      { expiresIn: this.jwtExpiresIn, algorithm: "HS256" }
+    );
+    res.cookie(this.cookieName, accessToken, this.cookieOptions);
+    await this.issueRefreshToken(userId, res);
+    if (this.csrf) {
+      const csrfToken = (0, import_node_crypto.randomBytes)(32).toString("hex");
+      res.cookie("csrf_token", csrfToken, {
+        httpOnly: false,
+        sameSite: this.cookieOptions.sameSite,
+        path: "/",
+        secure: this.cookieOptions.secure
+      });
+    }
+    await this.emitAudit({
+      action: "refresh",
+      userId,
+      ip: req.ip ?? req.socket?.remoteAddress,
+      success: true
+    });
+    return this.transformUser(user);
+  }
+  async issueRefreshToken(userId, res) {
+    const jti = (0, import_node_crypto.randomUUID)();
+    const expiresInMs = typeof this.refreshTokenExpiresIn === "number" ? this.refreshTokenExpiresIn * 1e3 : parseDuration(this.refreshTokenExpiresIn);
+    const expiresAt = new Date(Date.now() + expiresInMs);
+    const refreshToken = (0, import_jsonwebtoken2.sign)(
+      { sub: userId, jti },
+      this.jwtSecret,
+      { expiresIn: this.refreshTokenExpiresIn, algorithm: "HS256" }
+    );
+    await this.refreshTokenStore.save(jti, userId, expiresAt);
+    res.cookie(this.refreshTokenCookieName, refreshToken, {
+      ...this.cookieOptions,
+      path: "/"
+    });
+  }
+  async emitAudit(partial) {
+    if (!this.onAudit) return;
+    await this.onAudit({ ...partial, timestamp: /* @__PURE__ */ new Date() });
   }
 };
 // Annotate the CommonJS export names for ESM import in node:
@@ -233,5 +621,11 @@ var JwtPrismaCookieAuthDriver = class {
   AUTH_DRIVER,
   AuthController,
   AuthModule,
-  JwtPrismaCookieAuthDriver
+  InMemoryLockoutStore,
+  InMemoryRefreshTokenStore,
+  JwtAuthGuard,
+  JwtPrismaCookieAuthDriver,
+  ROLES_KEY,
+  Roles,
+  RolesGuard
 });