@nocobase/plugin-auth 1.6.0-alpha.2 → 1.6.0-alpha.21

package/dist/server/token-blacklist.js

@@ -37,11 +37,22 @@ class TokenBlacklistService {
       try {
         this.bloomFilter = await plugin.app.cacheManager.createBloomFilter();
         await this.bloomFilter.reserve(this.cacheKey, 1e-3, 1e6);
-        const data = await this.repo.find({ fields: ["token"], raw: true });
+        const data = await this.repo.find({
+          fields: ["token"],
+          filter: {
+            expiration: {
+              $dateAfter: /* @__PURE__ */ new Date()
+            }
+          },
+          raw: true
+        });
         const tokens = data.map((item) => item.token);
+        if (!tokens.length) {
+          return;
+        }
         await this.bloomFilter.mAdd(this.cacheKey, tokens);
       } catch (error) {
-        plugin.app.logger.error("token-blacklist: create bloom filter failed", error);
+        plugin.app.logger.warn("token-blacklist: create bloom filter failed", error);
         this.bloomFilter = null;
       }
     });

package/dist/server/token-controller.d.ts

@@ -0,0 +1,40 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { ITokenControlService, TokenPolicyConfig, NumericTokenPolicyConfig, TokenInfo } from '@nocobase/auth';
+import type { SystemLogger } from '@nocobase/logger';
+import { Cache } from '@nocobase/cache';
+import Application from '@nocobase/server';
+import Database from '@nocobase/database';
+type TokenControlService = ITokenControlService;
+export declare class TokenController implements TokenControlService {
+    cache: Cache;
+    app: Application;
+    db: Database;
+    logger: SystemLogger;
+    constructor({ cache, app, logger }: {
+        cache: Cache;
+        app: Application;
+        logger: SystemLogger;
+    });
+    setTokenInfo(id: string, value: TokenInfo): Promise<void>;
+    getConfig(): Promise<NumericTokenPolicyConfig>;
+    setConfig(config: TokenPolicyConfig): Promise<void>;
+    removeSessionExpiredTokens(userId: number): Promise<any>;
+    add({ userId }: {
+        userId: number;
+    }): Promise<{
+        jti: `${string}-${string}-${string}-${string}-${string}`;
+        issuedTime: number;
+        signInTime: number;
+        renewed: boolean;
+        userId: number;
+    }>;
+    renew: TokenControlService['renew'];
+}
+export {};

package/dist/server/token-controller.js

@@ -0,0 +1,161 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var token_controller_exports = {};
+__export(token_controller_exports, {
+  TokenController: () => TokenController
+});
+module.exports = __toCommonJS(token_controller_exports);
+var import_auth = require("@nocobase/auth");
+var import_crypto = require("crypto");
+var import_ms = __toESM(require("ms"));
+var import_constants = require("../constants");
+const JTICACHEKEY = "token-jti";
+class TokenController {
+  cache;
+  app;
+  db;
+  logger;
+  constructor({ cache, app, logger }) {
+    this.cache = cache;
+    this.app = app;
+    this.logger = logger;
+  }
+  async setTokenInfo(id, value) {
+    const repo = this.app.db.getRepository(import_constants.issuedTokensCollectionName);
+    await repo.updateOrCreate({ filterKeys: ["id"], values: value });
+    await this.cache.set(`${JTICACHEKEY}:${id}`, value);
+    return;
+  }
+  getConfig() {
+    return this.cache.wrap("config", async () => {
+      const repo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+      const configRecord = await repo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+      if (!configRecord) return null;
+      const config = configRecord.config;
+      return {
+        tokenExpirationTime: (0, import_ms.default)(config.tokenExpirationTime),
+        sessionExpirationTime: (0, import_ms.default)(config.sessionExpirationTime),
+        expiredTokenRenewLimit: (0, import_ms.default)(config.expiredTokenRenewLimit)
+      };
+    });
+  }
+  setConfig(config) {
+    return this.cache.set("config", {
+      tokenExpirationTime: (0, import_ms.default)(config.tokenExpirationTime),
+      sessionExpirationTime: (0, import_ms.default)(config.sessionExpirationTime),
+      expiredTokenRenewLimit: (0, import_ms.default)(config.expiredTokenRenewLimit)
+    });
+  }
+  async removeSessionExpiredTokens(userId) {
+    const config = await this.getConfig();
+    const issuedTokenRepo = this.app.db.getRepository(import_constants.issuedTokensCollectionName);
+    const currTS = Date.now();
+    return issuedTokenRepo.destroy({
+      filter: {
+        userId,
+        signInTime: {
+          $lt: currTS - config.sessionExpirationTime
+        }
+      }
+    });
+  }
+  async add({ userId }) {
+    const jti = (0, import_crypto.randomUUID)();
+    const currTS = Date.now();
+    const data = {
+      jti,
+      issuedTime: currTS,
+      signInTime: currTS,
+      renewed: false,
+      userId
+    };
+    await this.setTokenInfo(jti, data);
+    try {
+      if (process.env.DB_DIALECT === "sqlite") {
+        await this.removeSessionExpiredTokens(userId);
+      } else {
+        this.removeSessionExpiredTokens(userId);
+      }
+    } catch (err) {
+      this.logger.error(err, { module: "auth", submodule: "token-controller", method: "removeSessionExpiredTokens" });
+    }
+    return data;
+  }
+  renew = async (jti) => {
+    const repo = this.app.db.getRepository(import_constants.issuedTokensCollectionName);
+    const model = this.app.db.getModel(import_constants.issuedTokensCollectionName);
+    const exists = await repo.findOne({ filter: { jti } });
+    if (!exists) {
+      this.logger.error("jti not found", {
+        module: "auth",
+        submodule: "token-controller",
+        method: "renew",
+        jti,
+        code: import_auth.AuthErrorCode.TOKEN_RENEW_FAILED
+      });
+      throw new import_auth.AuthError({
+        message: "Your session has expired. Please sign in again.",
+        code: import_auth.AuthErrorCode.TOKEN_RENEW_FAILED
+      });
+    }
+    const newId = (0, import_crypto.randomUUID)();
+    const issuedTime = Date.now();
+    const [count] = await model.update(
+      { jti: newId, issuedTime },
+      { where: { jti } }
+    );
+    if (count === 1) {
+      return { jti: newId, issuedTime };
+    } else {
+      this.logger.error("jti renew failed", {
+        module: "auth",
+        submodule: "token-controller",
+        method: "renew",
+        jti,
+        code: import_auth.AuthErrorCode.TOKEN_RENEW_FAILED
+      });
+      throw new import_auth.AuthError({
+        message: "Your session has expired. Please sign in again.",
+        code: import_auth.AuthErrorCode.TOKEN_RENEW_FAILED
+      });
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TokenController
+});

package/dist/types.d.ts

@@ -0,0 +1,9 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export type { TokenPolicyConfig as TokenPolicyConfig } from '@nocobase/auth';

package/dist/types.js

@@ -0,0 +1,24 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var types_exports = {};
+module.exports = __toCommonJS(types_exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-auth",
-  "version": "1.6.0-alpha.2",
+  "version": "1.6.0-alpha.21",
   "main": "./dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/auth",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/auth",
@@ -11,6 +11,7 @@
     "@types/cron": "^2.0.1",
     "antd": "5.x",
     "cron": "^2.3.1",
+    "ms": "^2.1.3",
     "react": "^18.2.0",
     "react-i18next": "^11.15.1"
   },
@@ -26,8 +27,9 @@
   "displayName.zh-CN": "用户认证",
   "description": "User authentication management, including password, SMS, and support for Single Sign-On (SSO) protocols, with extensibility.",
   "description.zh-CN": "用户认证管理，包括基础的密码认证、短信认证、SSO 协议的认证等，可扩展。",
-  "gitHead": "08bbc34c21727fc0ad0880f397a42bf7741091ee",
+  "gitHead": "873cbaec9554e684781b8dc6cfd4386bb5cfa5b0",
   "keywords": [
-    "Authentication"
+    "Authentication",
+    "Security"
   ]
 }