@nocobase/plugin-auth 1.6.0-beta.2 → 1.6.0-beta.4

package/dist/node_modules/ms/package.json

@@ -0,0 +1 @@
+{"name":"ms","version":"2.1.3","description":"Tiny millisecond conversion utility","repository":"vercel/ms","main":"./index","files":["index.js"],"scripts":{"precommit":"lint-staged","lint":"eslint lib/* bin/*","test":"mocha tests.js"},"eslintConfig":{"extends":"eslint:recommended","env":{"node":true,"es6":true}},"lint-staged":{"*.js":["npm run lint","prettier --single-quote --write","git add"]},"license":"MIT","devDependencies":{"eslint":"4.18.2","expect.js":"0.3.1","husky":"0.14.3","lint-staged":"5.0.0","mocha":"4.0.1","prettier":"2.0.5"},"_lastModified":"2025-02-11T04:45:10.179Z"}

package/dist/server/basic-auth.js

@@ -72,7 +72,10 @@ class BasicAuth extends import_auth.BaseAuth {
     const field = this.userCollection.getField("password");
     const valid = await field.verify(password, user.password);
     if (!valid) {
-      ctx.throw(401, ctx.t("The username/email or password is incorrect, please re-enter", { ns: import_preset.namespace }));
+      ctx.throw(401, ctx.t("The username/email or password is incorrect, please re-enter", { ns: import_preset.namespace }), {
+        code: "INCORRECT_PASSWORD",
+        user
+      });
     }
     return user;
   }

package/dist/server/collections/authenticators.js

@@ -34,6 +34,7 @@ var authenticators_default = (0, import_database.defineCollection)({
   dumpRules: {
     group: "third-party"
   },
+  migrationRules: ["overwrite", "schema-only"],
   shared: true,
   name: "authenticators",
   sortable: true,

package/dist/server/collections/issued-tokens.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+declare const _default: import("@nocobase/database").CollectionOptions;
+export default _default;

package/dist/server/collections/issued-tokens.js

@@ -0,0 +1,70 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var issued_tokens_exports = {};
+__export(issued_tokens_exports, {
+  default: () => issued_tokens_default
+});
+module.exports = __toCommonJS(issued_tokens_exports);
+var import_database = require("@nocobase/database");
+var import_constants = require("../../constants");
+var issued_tokens_default = (0, import_database.defineCollection)({
+  name: import_constants.issuedTokensCollectionName,
+  migrationRules: ["schema-only"],
+  autoGenId: false,
+  createdAt: true,
+  updatedAt: true,
+  fields: [
+    {
+      name: "id",
+      type: "uuid",
+      primaryKey: true,
+      allowNull: false,
+      interface: "input"
+    },
+    {
+      type: "bigInt",
+      name: "signInTime",
+      allowNull: false
+    },
+    {
+      name: "jti",
+      type: "uuid",
+      allowNull: false,
+      index: true
+    },
+    {
+      type: "bigInt",
+      name: "issuedTime",
+      allowNull: false
+    },
+    {
+      type: "bigInt",
+      name: "userId",
+      allowNull: false
+    }
+  ]
+});

package/dist/server/collections/token-blacklist.js

@@ -34,6 +34,7 @@ var token_blacklist_default = (0, import_database.defineCollection)({
   dumpRules: {
     group: "log"
   },
+  migrationRules: ["schema-only"],
   shared: true,
   name: "tokenBlacklist",
   model: "TokenBlacklistModel",

package/dist/server/collections/token-poilcy-config.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+declare const _default: import("@nocobase/database").CollectionOptions;
+export default _default;

package/dist/server/collections/token-poilcy-config.js

@@ -0,0 +1,57 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var token_poilcy_config_exports = {};
+__export(token_poilcy_config_exports, {
+  default: () => token_poilcy_config_default
+});
+module.exports = __toCommonJS(token_poilcy_config_exports);
+var import_database = require("@nocobase/database");
+var import_constants = require("../../constants");
+var token_poilcy_config_default = (0, import_database.defineCollection)({
+  name: import_constants.tokenPolicyCollectionName,
+  migrationRules: ["overwrite", "schema-only"],
+  autoGenId: false,
+  createdAt: true,
+  createdBy: true,
+  updatedAt: true,
+  updatedBy: true,
+  fields: [
+    {
+      name: "key",
+      type: "string",
+      primaryKey: true,
+      allowNull: false,
+      interface: "input"
+    },
+    {
+      type: "json",
+      name: "config",
+      allowNull: false,
+      defaultValue: {}
+    }
+  ]
+});

package/dist/server/collections/users-authenticators.js

@@ -35,6 +35,7 @@ var users_authenticators_default = (0, import_database.defineCollection)({
     group: "user"
   },
   shared: true,
+  migrationRules: ["schema-only", "overwrite"],
   name: "usersAuthenticators",
   model: "UserAuthModel",
   createdBy: true,

package/dist/server/index.d.ts

@@ -8,4 +8,6 @@
  */
 export { BasicAuth } from './basic-auth';
 export { AuthModel } from './model/authenticator';
+export { presetAuthType } from '../preset';
 export { default } from './plugin';
+export * from '../constants';

package/dist/server/index.js

@@ -25,6 +25,7 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
 var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
   // If the importer is in node compatibility mode or this is not an ESM
   // file that has been converted to a CommonJS file using a Babel-
@@ -38,14 +39,19 @@ var server_exports = {};
 __export(server_exports, {
   AuthModel: () => import_authenticator.AuthModel,
   BasicAuth: () => import_basic_auth.BasicAuth,
-  default: () => import_plugin.default
+  default: () => import_plugin.default,
+  presetAuthType: () => import_preset.presetAuthType
 });
 module.exports = __toCommonJS(server_exports);
 var import_basic_auth = require("./basic-auth");
 var import_authenticator = require("./model/authenticator");
+var import_preset = require("../preset");
 var import_plugin = __toESM(require("./plugin"));
+__reExport(server_exports, require("../constants"), module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthModel,
-  BasicAuth
+  BasicAuth,
+  presetAuthType,
+  ...require("../constants")
 });

package/dist/server/migrations/20241229080941-create-token-policy-config.d.ts

@@ -0,0 +1,14 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Migration } from '@nocobase/server';
+export default class extends Migration {
+    on: string;
+    appVersion: string;
+    up(): Promise<void>;
+}

package/dist/server/migrations/20241229080941-create-token-policy-config.js

@@ -0,0 +1,58 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var create_token_policy_config_exports = {};
+__export(create_token_policy_config_exports, {
+  default: () => create_token_policy_config_default
+});
+module.exports = __toCommonJS(create_token_policy_config_exports);
+var import_server = require("@nocobase/server");
+var import_constants = require("../../constants");
+class create_token_policy_config_default extends import_server.Migration {
+  on = "afterLoad";
+  // 'beforeLoad' or 'afterLoad'
+  appVersion = "<1.6.1";
+  async up() {
+    const tokenPolicyRepo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+    const tokenPolicy = await tokenPolicyRepo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+    if (tokenPolicy) {
+      this.app.authManager.tokenController.setConfig(tokenPolicy.config);
+    } else {
+      const config = {
+        tokenExpirationTime: "1d",
+        sessionExpirationTime: "7d",
+        expiredTokenRenewLimit: "1d"
+      };
+      await tokenPolicyRepo.create({
+        values: {
+          key: import_constants.tokenPolicyRecordKey,
+          config
+        }
+      });
+      this.app.authManager.tokenController.setConfig(config);
+    }
+  }
+}

package/dist/server/plugin.js

@@ -41,6 +41,7 @@ __export(plugin_exports, {
 });
 module.exports = __toCommonJS(plugin_exports);
 var import_server = require("@nocobase/server");
+var import_utils = require("@nocobase/utils");
 var import_preset = require("../preset");
 var import_auth = __toESM(require("./actions/auth"));
 var import_authenticators = __toESM(require("./actions/authenticators"));
@@ -48,10 +49,31 @@ var import_basic_auth = require("./basic-auth");
 var import_authenticator = require("./model/authenticator");
 var import_storer = require("./storer");
 var import_token_blacklist = require("./token-blacklist");
-var import_utils = require("@nocobase/utils");
+var import_token_controller = require("./token-controller");
+var import_constants = require("../constants");
 class PluginAuthServer extends import_server.Plugin {
   cache;
   afterAdd() {
+    this.app.on("afterLoad", async () => {
+      if (this.app.authManager.tokenController) {
+        return;
+      }
+      const cache = await this.app.cacheManager.createCache({
+        name: "auth-token-controller",
+        prefix: "auth-token-controller"
+      });
+      const tokenController = new import_token_controller.TokenController({ cache, app: this.app, logger: this.app.log });
+      this.app.authManager.setTokenControlService(tokenController);
+      const tokenPolicyRepo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+      try {
+        const res = await tokenPolicyRepo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+        if (res) {
+          this.app.authManager.tokenController.setConfig(res.config);
+        }
+      } catch (error) {
+        this.app.logger.warn("access control config not exist, use default value");
+      }
+    });
   }
   async beforeLoad() {
     this.app.db.registerModels({ AuthModel: import_authenticator.AuthModel });
@@ -63,8 +85,10 @@ class PluginAuthServer extends import_server.Plugin {
       store: "memory"
     });
     const storer = new import_storer.Storer({
+      app: this.app,
       db: this.db,
-      cache: this.cache
+      cache: this.cache,
+      authManager: this.app.authManager
     });
     this.app.authManager.setStorer(storer);
     if (!this.app.authManager.jwt.blacklist) {
@@ -109,8 +133,8 @@ class PluginAuthServer extends import_server.Plugin {
     Object.entries(import_authenticators.default).forEach(
       ([action, handler]) => this.app.resourceManager.registerActionHandler(`authenticators:${action}`, handler)
     );
-    ["check", "signIn", "signUp"].forEach((action) => this.app.acl.allow("auth", action));
-    ["signOut", "changePassword"].forEach((action) => this.app.acl.allow("auth", action, "loggedIn"));
+    ["signIn", "signUp"].forEach((action) => this.app.acl.allow("auth", action));
+    ["check", "signOut", "changePassword"].forEach((action) => this.app.acl.allow("auth", action, "loggedIn"));
     this.app.acl.allow("authenticators", "publicList");
     this.app.acl.registerSnippet({
       name: `pm.${this.name}.authenticators`,
@@ -142,14 +166,18 @@ class PluginAuthServer extends import_server.Plugin {
         cache: this.app.cache,
         logger: this.app.logger
       });
-      const user = await auth.check();
-      if (!user) {
-        this.app.logger.error(`Invalid token: ${payload.token}`);
-        this.app.emit(`ws:removeTag`, {
-          clientId,
-          tagKey: "userId"
-        });
-        return;
+      let user;
+      try {
+        user = await auth.check();
+      } catch (error) {
+        if (!user) {
+          this.app.logger.error(error);
+          this.app.emit(`ws:removeTag`, {
+            clientId,
+            tagKey: "userId"
+          });
+          return;
+        }
       }
       this.app.emit(`ws:setTag`, {
         clientId,
@@ -250,24 +278,47 @@ class PluginAuthServer extends import_server.Plugin {
       },
       "auth:signOut"
     ]);
+    this.app.acl.registerSnippet({
+      name: `pm.security.token-policy`,
+      actions: [`${import_constants.tokenPolicyCollectionName}:*`]
+    });
+    this.app.db.on(`${import_constants.tokenPolicyCollectionName}.afterSave`, async (model) => {
+      var _a;
+      (_a = this.app.authManager.tokenController) == null ? void 0 : _a.setConfig(model.config);
+    });
   }
   async install(options) {
-    const repository = this.db.getRepository("authenticators");
-    const exist = await repository.findOne({ filter: { name: import_preset.presetAuthenticator } });
-    if (exist) {
+    const authRepository = this.db.getRepository("authenticators");
+    const exist = await authRepository.findOne({ filter: { name: import_preset.presetAuthenticator } });
+    if (!exist) {
+      await authRepository.create({
+        values: {
+          name: import_preset.presetAuthenticator,
+          authType: import_preset.presetAuthType,
+          description: "Sign in with username/email.",
+          enabled: true,
+          options: {
+            public: {
+              allowSignUp: true
+            }
+          }
+        }
+      });
+    }
+    const tokenPolicyRepo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+    const res = await tokenPolicyRepo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+    if (res) {
       return;
     }
-    await repository.create({
+    const config = {
+      tokenExpirationTime: "1d",
+      sessionExpirationTime: "7d",
+      expiredTokenRenewLimit: "1d"
+    };
+    await tokenPolicyRepo.create({
       values: {
-        name: import_preset.presetAuthenticator,
-        authType: import_preset.presetAuthType,
-        description: "Sign in with username/email.",
-        enabled: true,
-        options: {
-          public: {
-            allowSignUp: true
-          }
-        }
+        key: import_constants.tokenPolicyRecordKey,
+        config
       }
     });
   }

package/dist/server/storer.d.ts

@@ -6,18 +6,24 @@
  * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
-import { Storer as IStorer } from '@nocobase/auth';
+import { AuthManager, Storer as IStorer } from '@nocobase/auth';
 import { Cache } from '@nocobase/cache';
 import { Database } from '@nocobase/database';
+import { Application } from '@nocobase/server';
 import { AuthModel } from './model/authenticator';
 export declare class Storer implements IStorer {
     db: Database;
     cache: Cache;
+    app: Application;
+    authManager: AuthManager;
     key: string;
-    constructor({ db, cache }: {
+    constructor({ app, db, cache, authManager, }: {
+        app?: Application;
         db: Database;
         cache: Cache;
+        authManager: AuthManager;
     });
+    renderJsonTemplate(authenticator: any): any;
     getCache(): Promise<AuthModel[]>;
     setCache(authenticators: AuthModel[]): Promise<void>;
     get(name: string): Promise<AuthModel>;

package/dist/server/storer.js

@@ -32,21 +32,45 @@ module.exports = __toCommonJS(storer_exports);
 class Storer {
   db;
   cache;
+  app;
+  authManager;
   key = "authenticators";
-  constructor({ db, cache }) {
+  constructor({
+    app,
+    db,
+    cache,
+    authManager
+  }) {
+    this.app = app;
     this.db = db;
     this.cache = cache;
+    this.authManager = authManager;
     this.db.on("authenticators.afterSave", async (model) => {
       if (!model.enabled) {
         await this.cache.delValueInObject(this.key, model.name);
         return;
       }
-      await this.cache.setValueInObject(this.key, model.name, model);
+      await this.cache.setValueInObject(this.key, model.name, this.renderJsonTemplate(model));
     });
     this.db.on("authenticators.afterDestroy", async (model) => {
       await this.cache.delValueInObject(this.key, model.name);
     });
   }
+  renderJsonTemplate(authenticator) {
+    var _a, _b;
+    if (!authenticator) {
+      return authenticator;
+    }
+    const $env = (_a = this.app) == null ? void 0 : _a.environment;
+    if (!$env) {
+      return authenticator;
+    }
+    const config = this.authManager.getAuthConfig(authenticator.authType);
+    authenticator.dataValues.options = $env.renderJsonTemplate(authenticator.dataValues.options, {
+      omit: (_b = config == null ? void 0 : config.auth) == null ? void 0 : _b["optionsKeysNotAllowedInEnv"]
+    });
+    return authenticator;
+  }
   async getCache() {
     const authenticators = await this.cache.get(this.key);
     if (!authenticators) {
@@ -56,7 +80,7 @@ class Storer {
   }
   async setCache(authenticators) {
     const obj = authenticators.reduce((obj2, authenticator) => {
-      obj2[authenticator.name] = authenticator;
+      obj2[authenticator.name] = this.renderJsonTemplate(authenticator);
       return obj2;
     }, {});
     await this.cache.set(this.key, obj);
@@ -67,6 +91,7 @@ class Storer {
       const repo = this.db.getRepository("authenticators");
       authenticators = await repo.find({ filter: { enabled: true } });
       await this.setCache(authenticators);
+      authenticators = await this.getCache();
     }
     const authenticator = authenticators.find((authenticator2) => authenticator2.name === name);
     return authenticator || authenticators[0];

package/dist/server/token-blacklist.js

@@ -37,11 +37,22 @@ class TokenBlacklistService {
       try {
         this.bloomFilter = await plugin.app.cacheManager.createBloomFilter();
         await this.bloomFilter.reserve(this.cacheKey, 1e-3, 1e6);
-        const data = await this.repo.find({ fields: ["token"], raw: true });
+        const data = await this.repo.find({
+          fields: ["token"],
+          filter: {
+            expiration: {
+              $dateAfter: /* @__PURE__ */ new Date()
+            }
+          },
+          raw: true
+        });
         const tokens = data.map((item) => item.token);
+        if (!tokens.length) {
+          return;
+        }
         await this.bloomFilter.mAdd(this.cacheKey, tokens);
       } catch (error) {
-        plugin.app.logger.error("token-blacklist: create bloom filter failed", error);
+        plugin.app.logger.warn("token-blacklist: create bloom filter failed", error);
         this.bloomFilter = null;
       }
     });

package/dist/server/token-controller.d.ts

@@ -0,0 +1,40 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { ITokenControlService, TokenPolicyConfig, NumericTokenPolicyConfig, TokenInfo } from '@nocobase/auth';
+import type { SystemLogger } from '@nocobase/logger';
+import { Cache } from '@nocobase/cache';
+import Application from '@nocobase/server';
+import Database from '@nocobase/database';
+type TokenControlService = ITokenControlService;
+export declare class TokenController implements TokenControlService {
+    cache: Cache;
+    app: Application;
+    db: Database;
+    logger: SystemLogger;
+    constructor({ cache, app, logger }: {
+        cache: Cache;
+        app: Application;
+        logger: SystemLogger;
+    });
+    setTokenInfo(id: string, value: TokenInfo): Promise<void>;
+    getConfig(): Promise<NumericTokenPolicyConfig>;
+    setConfig(config: TokenPolicyConfig): Promise<void>;
+    removeSessionExpiredTokens(userId: number): Promise<any>;
+    add({ userId }: {
+        userId: number;
+    }): Promise<{
+        jti: `${string}-${string}-${string}-${string}-${string}`;
+        issuedTime: number;
+        signInTime: number;
+        renewed: boolean;
+        userId: number;
+    }>;
+    renew: TokenControlService['renew'];
+}
+export {};