@nestjs-kitchen/authz 1.0.0

package/dist/jwt/jwt-authz.guard.d.ts

@@ -0,0 +1,60 @@
+import * as rxjs from 'rxjs';
+import * as _nestjs_common from '@nestjs/common';
+import { ExecutionContext } from '@nestjs/common';
+import { AsyncLocalStorage } from 'node:async_hooks';
+import { Reflector } from '@nestjs/core';
+import { AuthzProviderClass } from '../authz.provider.js';
+import { AuthzError } from '../errors.js';
+import { JwtAlsType } from './jwt-authz-als.middleware.js';
+import { JwtAuthzOptions } from './jwt-authz.interface.js';
+import 'express';
+import '../constants.js';
+import '../utils/types.js';
+import '@nestjs/common/interfaces';
+import 'crypto';
+import 'jsonwebtoken';
+import './extract-jwt.js';
+import 'cookie';
+
+declare const createJwtAuthzGuard: ([JWT_STRATEGY, AUTHZ_PROVIDER, JWT_AUTHZ_OPTIONS, ALS_PROVIDER, JWT_META_KEY, JWT_REFRESH_META_KEY]: [string, any, any, any, any, any]) => _nestjs_common.Type<Omit<{
+    readonly reflector: Reflector;
+    readonly authzProvider: AuthzProviderClass<unknown, unknown>;
+    readonly jwtAuthzOptions: JwtAuthzOptions;
+    readonly als: AsyncLocalStorage<JwtAlsType<unknown>>;
+    getAuthenticateOptions(): {
+        property: string;
+        session: boolean;
+    };
+    /**
+     *
+     * recives err, user, info from JwtStrategy.validate
+     *
+     * will return request.user=null if allowAnonymous=true
+     *
+     * @param _err will always be null
+     * @param user if user is null, then info will be AuthError. if user is defined, then info will be undefined.
+     * @param info AuthzError or undefined
+     * @returns
+     */
+    handleRequest<T>(_err: unknown, user: T, info?: AuthzError): T;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    logIn<TRequest extends {
+        logIn: Function;
+    } = any>(request: TRequest): Promise<void>;
+    getRequest(context: ExecutionContext): any;
+}, "als" | "jwtAuthzOptions" | "reflector" | "authzProvider">>;
+declare const createJwtRefreshAuthzGuard: ([JWT_REFRESH_STRATEGY, JWT_AUTHZ_OPTIONS]: [string, any]) => _nestjs_common.Type<Omit<{
+    readonly jwtAuthzOptions: JwtAuthzOptions;
+    getAuthenticateOptions(): {
+        property: string;
+        session: boolean;
+    };
+    handleRequest<T>(_err: unknown, user: T, info?: AuthzError): T;
+    canActivate(context: ExecutionContext): boolean | Promise<boolean> | rxjs.Observable<boolean>;
+    logIn<TRequest extends {
+        logIn: Function;
+    } = any>(request: TRequest): Promise<void>;
+    getRequest(context: ExecutionContext): any;
+}, "jwtAuthzOptions">>;
+
+export { createJwtAuthzGuard, createJwtRefreshAuthzGuard };

package/dist/jwt/jwt-authz.guard.js

@@ -0,0 +1,182 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+var jwt_authz_guard_exports = {};
+__export(jwt_authz_guard_exports, {
+  createJwtAuthzGuard: () => createJwtAuthzGuard,
+  createJwtRefreshAuthzGuard: () => createJwtRefreshAuthzGuard
+});
+module.exports = __toCommonJS(jwt_authz_guard_exports);
+var import_common = require("@nestjs/common");
+var import_core = require("@nestjs/core");
+var import_passport = require("@nestjs/passport");
+var import_authz = require("../authz.provider");
+var import_errors = require("../errors");
+var import_utils = require("../utils");
+function _ts_decorate(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate, "_ts_decorate");
+function _ts_metadata(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata, "_ts_metadata");
+function _ts_param(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param, "_ts_param");
+const createJwtAuthzGuard = /* @__PURE__ */ __name(([JWT_STRATEGY, AUTHZ_PROVIDER, JWT_AUTHZ_OPTIONS, ALS_PROVIDER, JWT_META_KEY, JWT_REFRESH_META_KEY]) => {
+  var _a;
+  let JwtAuthzGuard = (_a = class extends (0, import_passport.AuthGuard)(JWT_STRATEGY) {
+    constructor(reflector, authzProvider, jwtAuthzOptions, als) {
+      super();
+      __publicField(this, "reflector");
+      __publicField(this, "authzProvider");
+      __publicField(this, "jwtAuthzOptions");
+      __publicField(this, "als");
+      this.reflector = reflector, this.authzProvider = authzProvider, this.jwtAuthzOptions = jwtAuthzOptions, this.als = als;
+    }
+    getAuthenticateOptions() {
+      return {
+        property: this.jwtAuthzOptions.passportProperty,
+        session: false
+      };
+    }
+    /**
+    *
+    * recives err, user, info from JwtStrategy.validate
+    *
+    * will return request.user=null if allowAnonymous=true
+    *
+    * @param _err will always be null
+    * @param user if user is null, then info will be AuthError. if user is defined, then info will be undefined.
+    * @param info AuthzError or undefined
+    * @returns
+    */
+    handleRequest(_err, user, info) {
+      const store = (0, import_utils.getAlsStore)(this.als);
+      if (info) {
+        if (store.allowAnonymous && info.name === import_errors.AuthzAnonymousError.name) {
+          return user;
+        }
+        store.guardResult = false;
+        throw info;
+      }
+      return user;
+    }
+    async canActivate(context) {
+      const store = (0, import_utils.getAlsStore)(this.als);
+      if ((0, import_utils.isNotFalsy)(store.guardResult)) {
+        return store.guardResult;
+      }
+      const jwtRefreshMetaCollection = (0, import_utils.normalizedArray)(this.reflector.getAll(JWT_REFRESH_META_KEY, [
+        context.getClass(),
+        context.getHandler()
+      ]));
+      if (Boolean(this.jwtAuthzOptions.refresh) && jwtRefreshMetaCollection.length) {
+        store.guardResult = true;
+        return true;
+      }
+      const paramsList = (0, import_utils.normalizedArray)(this.reflector.getAll(JWT_META_KEY, [
+        context.getClass(),
+        context.getHandler()
+      ]));
+      const contextParamsList = (0, import_utils.getContextAuthzMetaParamsList)(paramsList, {
+        defaultOverride: this.jwtAuthzOptions.defaultOverride,
+        skipFalsyMetadata: this.jwtAuthzOptions.skipFalsyMetadata
+      });
+      if (!contextParamsList.length) {
+        return true;
+      }
+      const req = context.switchToHttp().getRequest();
+      store.allowAnonymous = (0, import_utils.getAllowAnonymous)(contextParamsList, {
+        defaultAllowAnonymous: this.jwtAuthzOptions.defaultAllowAnonymous
+      });
+      await super.canActivate(context);
+      if (typeof this.authzProvider.authorize !== "function") {
+        store.guardResult = true;
+        return true;
+      }
+      const user = (0, import_utils.getPassportProperty)(req);
+      if (!user && store.allowAnonymous) {
+        return true;
+      }
+      for (const ele of contextParamsList) {
+        if (!await this.authzProvider.authorize(user, ele.metaData)) {
+          return false;
+        }
+      }
+      return true;
+    }
+  }, __name(_a, "JwtAuthzGuard"), _a);
+  JwtAuthzGuard = _ts_decorate([
+    _ts_param(1, (0, import_common.Inject)(AUTHZ_PROVIDER)),
+    _ts_param(2, (0, import_common.Inject)(JWT_AUTHZ_OPTIONS)),
+    _ts_param(3, (0, import_common.Inject)(ALS_PROVIDER)),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+      typeof import_core.Reflector === "undefined" ? Object : import_core.Reflector,
+      typeof import_authz.AuthzProviderClass === "undefined" ? Object : import_authz.AuthzProviderClass,
+      typeof JwtAuthzOptions === "undefined" ? Object : JwtAuthzOptions,
+      typeof AsyncLocalStorage === "undefined" ? Object : AsyncLocalStorage
+    ])
+  ], JwtAuthzGuard);
+  return (0, import_common.mixin)(JwtAuthzGuard);
+}, "createJwtAuthzGuard");
+const createJwtRefreshAuthzGuard = /* @__PURE__ */ __name(([JWT_REFRESH_STRATEGY, JWT_AUTHZ_OPTIONS]) => {
+  var _a;
+  let JwtRefreshAuthzGuard = (_a = class extends (0, import_passport.AuthGuard)(JWT_REFRESH_STRATEGY) {
+    constructor(jwtAuthzOptions) {
+      super();
+      __publicField(this, "jwtAuthzOptions");
+      this.jwtAuthzOptions = jwtAuthzOptions;
+    }
+    getAuthenticateOptions() {
+      return {
+        property: this.jwtAuthzOptions.passportProperty,
+        session: false
+      };
+    }
+    handleRequest(_err, user, info) {
+      if (info) {
+        throw info;
+      }
+      return user;
+    }
+  }, __name(_a, "JwtRefreshAuthzGuard"), _a);
+  JwtRefreshAuthzGuard = _ts_decorate([
+    _ts_param(0, (0, import_common.Inject)(JWT_AUTHZ_OPTIONS)),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+      typeof JwtAuthzOptions === "undefined" ? Object : JwtAuthzOptions
+    ])
+  ], JwtRefreshAuthzGuard);
+  return (0, import_common.mixin)(JwtRefreshAuthzGuard);
+}, "createJwtRefreshAuthzGuard");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createJwtAuthzGuard,
+  createJwtRefreshAuthzGuard
+});

package/dist/jwt/jwt-authz.interface.d.ts

@@ -0,0 +1,58 @@
+import * as crypto from 'crypto';
+import { VerifyOptions, SignOptions, Secret, PrivateKey, PublicKey } from 'jsonwebtoken';
+import { AuthzModuleBaseOptions } from '../utils/types.js';
+import { JwtFromRequestFunction } from './extract-jwt.js';
+import '@nestjs/common';
+import '@nestjs/common/interfaces';
+import 'express';
+import '../authz.provider.js';
+import 'cookie';
+
+type JwtOptions = Omit<VerifyOptions, 'algorithms' | 'audience' | 'issuer'> & SignOptions & {
+    jwtFromRequest: JwtFromRequestFunction | JwtFromRequestFunction[];
+    secret?: Secret;
+    privateKey?: PrivateKey;
+    publicKey?: PublicKey;
+};
+type JwtAuthzModuleOptions = Partial<AuthzModuleBaseOptions> & {
+    jwt: JwtOptions;
+    refresh?: JwtOptions;
+};
+declare const normalizedJwtAuthzModuleOptions: (options: JwtAuthzModuleOptions) => {
+    defaultOverride: boolean;
+    passportProperty: string;
+    skipFalsyMetadata: boolean;
+    defaultAllowAnonymous: boolean;
+    jwt: {
+        secretOrPrivateKey: string | Buffer<ArrayBufferLike> | crypto.KeyObject | {
+            key: string | Buffer;
+            passphrase: string;
+        } | crypto.PrivateKeyInput | crypto.JsonWebKeyInput | null;
+        secretOrPublicKey: string | Buffer<ArrayBufferLike> | crypto.KeyObject | {
+            key: string | Buffer;
+            passphrase: string;
+        } | crypto.JsonWebKeyInput | crypto.PublicKeyInput | null;
+        jwtFromRequest: JwtFromRequestFunction<any>[];
+        sign: SignOptions;
+        verify: VerifyOptions;
+    };
+    refresh: {
+        secretOrPrivateKey: string | Buffer<ArrayBufferLike> | crypto.KeyObject | {
+            key: string | Buffer;
+            passphrase: string;
+        } | crypto.PrivateKeyInput | crypto.JsonWebKeyInput | null;
+        secretOrPublicKey: string | Buffer<ArrayBufferLike> | crypto.KeyObject | {
+            key: string | Buffer;
+            passphrase: string;
+        } | crypto.JsonWebKeyInput | crypto.PublicKeyInput | null;
+        jwtFromRequest: JwtFromRequestFunction<any>[];
+        sign: SignOptions;
+        verify: VerifyOptions;
+    } | undefined;
+};
+type JwtAuthzOptions = ReturnType<typeof normalizedJwtAuthzModuleOptions>;
+interface RefreshPayload {
+    data: string;
+}
+
+export { type JwtAuthzModuleOptions, type JwtAuthzOptions, type JwtOptions, type RefreshPayload, normalizedJwtAuthzModuleOptions };

package/dist/jwt/jwt-authz.interface.js

@@ -0,0 +1,94 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var jwt_authz_interface_exports = {};
+__export(jwt_authz_interface_exports, {
+  normalizedJwtAuthzModuleOptions: () => normalizedJwtAuthzModuleOptions
+});
+module.exports = __toCommonJS(jwt_authz_interface_exports);
+var import_constants = require("../constants");
+var import_utils = require("../utils");
+const normalizedJwtOptions = /* @__PURE__ */ __name((jwtOptions) => {
+  if (!jwtOptions) {
+    return void 0;
+  }
+  const { jwtFromRequest, algorithm, audience, clockTimestamp, clockTolerance, complete, ignoreExpiration, ignoreNotBefore, issuer, jwtid, maxAge, nonce, privateKey, publicKey, secret, subject, allowInsecureKeySizes, encoding, expiresIn, header, keyid, mutatePayload, noTimestamp, notBefore, allowInvalidAsymmetricKeyTypes } = jwtOptions;
+  const formattedJwtFromRequest = (0, import_utils.normalizedArray)(jwtFromRequest);
+  const algorithms = (0, import_utils.normalizedArray)(algorithm);
+  const sign = {
+    algorithm: algorithms?.[0],
+    audience,
+    issuer,
+    jwtid,
+    subject,
+    allowInsecureKeySizes,
+    encoding,
+    expiresIn,
+    header,
+    keyid,
+    mutatePayload,
+    notBefore,
+    noTimestamp,
+    allowInvalidAsymmetricKeyTypes
+  };
+  const verify = {
+    algorithms,
+    audience,
+    clockTimestamp,
+    clockTolerance,
+    complete,
+    ignoreExpiration,
+    ignoreNotBefore,
+    issuer,
+    jwtid,
+    maxAge,
+    nonce,
+    subject,
+    allowInvalidAsymmetricKeyTypes
+  };
+  let secretOrPrivateKey = secret;
+  let secretOrPublicKey = secret;
+  if (privateKey || publicKey) {
+    secretOrPrivateKey = privateKey;
+    secretOrPublicKey = publicKey;
+    if (secret) {
+      console.warn(`Both secret and privateKey/publicKey have been set, only privateKey/publicKey will take effect.`);
+    }
+  }
+  return {
+    secretOrPrivateKey: secretOrPrivateKey ?? null,
+    secretOrPublicKey: secretOrPublicKey ?? null,
+    jwtFromRequest: formattedJwtFromRequest ?? [],
+    sign: (0, import_utils.normalizedObject)(sign) ?? {},
+    verify: (0, import_utils.normalizedObject)(verify) ?? {}
+  };
+}, "normalizedJwtOptions");
+const normalizedJwtAuthzModuleOptions = /* @__PURE__ */ __name((options) => {
+  return {
+    defaultOverride: options?.defaultOverride || false,
+    passportProperty: options?.passportProperty || import_constants.DEFAULT_PASSPORT_PROPERTY_VALUE,
+    skipFalsyMetadata: options?.skipFalsyMetadata || false,
+    defaultAllowAnonymous: options.defaultAllowAnonymous || false,
+    jwt: normalizedJwtOptions(options?.jwt),
+    refresh: normalizedJwtOptions(options?.refresh)
+  };
+}, "normalizedJwtAuthzModuleOptions");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  normalizedJwtAuthzModuleOptions
+});

package/dist/jwt/jwt-authz.module.d.ts

@@ -0,0 +1,80 @@
+import './extract-jwt.js';
+import * as _nestjs_core from '@nestjs/core';
+import { JwtAuthzOptions, JwtAuthzModuleOptions, JwtOptions } from './jwt-authz.interface.js';
+import { AuthzProviderClass } from '../authz.provider.js';
+import { AbstractConstructor, RoutesOptions, AuthzDecoParams, MethodParameters, ApplyDecorators, CookieOptionsWithSecret, AuthzModuleRoutesOptions, AuthzModuleBaseOptions } from '../utils/types.js';
+import { AsyncLocalStorage } from 'node:async_hooks';
+import * as _nestjs_common from '@nestjs/common';
+import { MiddlewareConsumer, DynamicModule, Type } from '@nestjs/common';
+import { AuthzError } from '../errors.js';
+import { JwtAlsType } from './jwt-authz-als.middleware.js';
+import 'cookie';
+import 'crypto';
+import 'jsonwebtoken';
+import '@nestjs/common/interfaces';
+import 'express';
+import '../constants.js';
+
+declare const ASYNC_OPTIONS_TYPE: _nestjs_common.ConfigurableModuleAsyncOptions<JwtAuthzModuleOptions, "createJwtAuthzModuleOptions"> & Partial<{
+    authzProvider?: Type<AuthzProviderClass<unknown, unknown>>;
+} & AuthzModuleRoutesOptions>;
+declare const OPTIONS_TYPE: Partial<AuthzModuleBaseOptions> & {
+    jwt: JwtOptions;
+    refresh?: JwtOptions;
+} & Partial<{
+    authzProvider?: Type<AuthzProviderClass<unknown, unknown>>;
+} & AuthzModuleRoutesOptions>;
+declare const createJwtAuthzModule: <P, U, T extends AuthzProviderClass<P, U>>(authzProvider: AbstractConstructor<T, P, U>) => {
+    AuthzModule: {
+        new (routesOpt: RoutesOptions): {
+            [x: string]: any;
+            readonly routesOpt: RoutesOptions;
+            configure(consumer: MiddlewareConsumer): void;
+        };
+        register(options: Omit<typeof OPTIONS_TYPE, "authzProvider">): DynamicModule;
+        registerAsync(options: Omit<typeof ASYNC_OPTIONS_TYPE, "authzProvider">): DynamicModule;
+    };
+    AuthzGuard: Type<Omit<{
+        readonly reflector: _nestjs_core.Reflector;
+        readonly authzProvider: AuthzProviderClass<unknown, unknown>;
+        readonly jwtAuthzOptions: JwtAuthzOptions;
+        readonly als: AsyncLocalStorage<JwtAlsType<unknown>>;
+        getAuthenticateOptions(): {
+            property: string;
+            session: boolean;
+        };
+        handleRequest<T_1>(_err: unknown, user: T_1, info?: AuthzError): T_1;
+        canActivate(context: _nestjs_common.ExecutionContext): Promise<boolean>;
+        logIn<TRequest extends {
+            logIn: Function;
+        } = any>(request: TRequest): Promise<void>;
+        getRequest(context: _nestjs_common.ExecutionContext): any;
+    }, "als" | "jwtAuthzOptions" | "reflector" | "authzProvider">> & {
+        Verify: (...args: AuthzDecoParams<MethodParameters<T, "authorize">[1]>) => ApplyDecorators;
+        NoVerify: () => MethodDecorator & ClassDecorator;
+        /**
+         * take highest priority
+         */
+        Refresh: () => MethodDecorator & ClassDecorator;
+        Apply: (...rest: Parameters<(...args: AuthzDecoParams<MethodParameters<T, "authorize">[1]>) => ApplyDecorators>) => <TFunction extends Function, Y>(target: TFunction | object, propertyKey?: string | symbol, descriptor?: TypedPropertyDescriptor<Y>) => void;
+    };
+    AuthzService: Type<Omit<{
+        readonly authzProvider: AuthzProviderClass<P, U>;
+        readonly jwtAuthzOptions: JwtAuthzOptions;
+        readonly als: AsyncLocalStorage<JwtAlsType<U>>;
+        logIn(user: U): Promise<{
+            token: string;
+            refresh: string;
+        } | {
+            token: string;
+            refresh?: undefined;
+        }>;
+        refresh(user?: U | undefined): Promise<{
+            token: string;
+        } | undefined>;
+        setCookie(name: string, value: string, options?: CookieOptionsWithSecret | undefined): void;
+        getUser(): U | undefined;
+    }, "als" | "jwtAuthzOptions" | "authzProvider">>;
+};
+
+export { createJwtAuthzModule };