@node-c/domain-iam 1.0.0-alpha8 → 1.0.0-beta0

package/src/services/authenticationUserLocal/iam.authenticationUserLocal.service.ts

@@ -0,0 +1,171 @@
+import crypto from 'crypto';
+
+import {
+  AppConfigDomainIAM,
+  AppConfigDomainIAMAuthenticationStep,
+  ApplicationError,
+  ConfigProviderService
+} from '@node-c/core';
+
+import ld from 'lodash';
+
+import {
+  IAMAuthenticationUserLocalCompleteData,
+  IAMAuthenticationUserLocalCompleteOptions,
+  IAMAuthenticationUserLocalCompleteResult,
+  IAMAuthenticationUserLocalGetUserCreateAccessTokenConfigResult,
+  IAMAuthenticationUserLocalInitiateData,
+  IAMAuthenticationUserLocalInitiateOptions,
+  IAMAuthenticationUserLocalInitiateResult
+} from './iam.authenticationUserLocal.definitions';
+
+import { IAMAuthenticationService } from '../authentication';
+import { IAMMFAService, IAMMFAType } from '../mfa';
+
+// TODO: add a LocalSecret service to take care of the hashing logic and reuse it here
+export class IAMAuthenticationUserLocalService<
+  CompleteContext extends object,
+  InitiateContext extends object
+> extends IAMAuthenticationService<CompleteContext, InitiateContext> {
+  constructor(
+    protected configProvider: ConfigProviderService,
+    protected moduleName: string,
+    // eslint-disable-next-line no-unused-vars
+    protected serviceName: string,
+    // eslint-disable-next-line no-unused-vars
+    protected mfaServices?: Record<IAMMFAType, IAMMFAService<object, object>>
+  ) {
+    super(configProvider, moduleName);
+    this.isLocal = true;
+  }
+
+  async complete(
+    data: IAMAuthenticationUserLocalCompleteData,
+    options: IAMAuthenticationUserLocalCompleteOptions<CompleteContext>
+  ): Promise<IAMAuthenticationUserLocalCompleteResult> {
+    const { configProvider, moduleName, mfaServices, serviceName } = this;
+    const { defaultUserIdentifierField } = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
+    const { mfaData, mfaType } = data;
+    const { context, mfaOptions } = options;
+    const userIdentifierField = options.contextIdentifierField || defaultUserIdentifierField;
+    const userIdentifierValue = context[userIdentifierField as keyof CompleteContext];
+    let mfaUsed = false;
+    let mfaValid = false;
+    if (mfaType) {
+      const mfaService = mfaServices?.[mfaType];
+      if (!mfaService) {
+        console.error(
+          `[${moduleName}][${serviceName}]: Login attempt failed for user "${userIdentifierValue}" - MFA service ${mfaType} not configured.`
+        );
+        throw new ApplicationError('Authentication failed.');
+      }
+      if (!mfaData) {
+        console.error(
+          `[${moduleName}][${serviceName}]: Login attempt failed for user "${userIdentifierValue}" - no MFA data provided.`
+        );
+        throw new ApplicationError('Authentication failed.');
+      }
+      const mfaResult = await mfaService.complete(mfaData, { ...(mfaOptions || {}), context });
+      mfaUsed = true;
+      mfaValid = mfaResult.valid;
+    }
+    return { mfaUsed, mfaValid, valid: true };
+  }
+
+  getUserCreateAccessTokenConfig(): IAMAuthenticationUserLocalGetUserCreateAccessTokenConfigResult {
+    const { configProvider, moduleName, serviceName } = this;
+    const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
+    const { steps } = moduleConfig.authServiceSettings![serviceName];
+    const defaultConfig: IAMAuthenticationUserLocalGetUserCreateAccessTokenConfigResult = {
+      [AppConfigDomainIAMAuthenticationStep.Complete]: {
+        cache: {
+          settings: {
+            cacheFieldName: 'userId',
+            inputFieldName: 'options.context.id'
+          },
+          use: {
+            options: { overwrite: true, use: true }
+          }
+        },
+        findUser: true,
+        findUserBeforeAuth: true,
+        validWithoutUser: false
+      },
+      [AppConfigDomainIAMAuthenticationStep.Initiate]: {
+        cache: {
+          populate: {
+            options: [{ cacheFieldName: 'context', inputFieldName: 'options.context' }]
+          },
+          settings: {
+            cacheFieldName: 'userId',
+            inputFieldName: 'options.context.id'
+          }
+        },
+        findUser: true,
+        findUserBeforeAuth: true,
+        validWithoutUser: false
+      }
+    };
+    return ld.merge(defaultConfig, steps || {});
+  }
+
+  async initiate(
+    data: IAMAuthenticationUserLocalInitiateData,
+    options: IAMAuthenticationUserLocalInitiateOptions<InitiateContext>
+  ): Promise<IAMAuthenticationUserLocalInitiateResult> {
+    const { configProvider, moduleName, mfaServices, serviceName } = this;
+    const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
+    const { secretKeyHMACAlgorithm, hashingSecret } = moduleConfig.authServiceSettings![serviceName].secretKey!;
+    const { mfaData, mfaType, password: authPassword } = data;
+    const {
+      context,
+      context: { password: userPassword },
+      mfaOptions
+    } = options;
+    const userIdentifierField = options.contextIdentifierField || moduleConfig.defaultUserIdentifierField;
+    const userIdentifierValue = context[userIdentifierField as keyof InitiateContext];
+    let mfaUsed = false;
+    let mfaValid = false;
+    let wrongPassword = false;
+    if (!secretKeyHMACAlgorithm || !hashingSecret || !userPassword) {
+      wrongPassword = true;
+      console.error(
+        `[${moduleName}][${serviceName}]: secretKeyHMACAlgorithm, hashingSecret and/or userPassword not provided.`
+      );
+    } else {
+      const computedPassword = crypto
+        .createHmac(secretKeyHMACAlgorithm, hashingSecret)
+        .update(`${authPassword}`)
+        .digest('hex')
+        .toString();
+      if (computedPassword !== userPassword) {
+        wrongPassword = true;
+      }
+    }
+    if (wrongPassword) {
+      console.error(
+        `[${moduleName}][${serviceName}]: Login attempt failed for user "${userIdentifierValue}" - wrong password.`
+      );
+      throw new ApplicationError('Authentication failed.');
+    }
+    if (mfaType) {
+      const mfaService = mfaServices?.[mfaType];
+      if (!mfaService) {
+        console.error(
+          `[${moduleName}][${serviceName}]: Login attempt failed for user "${userIdentifierValue}" - MFA service ${mfaType} not configured.`
+        );
+        throw new ApplicationError('Authentication failed.');
+      }
+      if (!mfaData) {
+        console.error(
+          `[${moduleName}][${serviceName}]: Login attempt failed for user "${userIdentifierValue}" - no MFA data provided.`
+        );
+        throw new ApplicationError('Authentication failed.');
+      }
+      const mfaResult = await mfaService.initiate(mfaData, { ...(mfaOptions || {}), context });
+      mfaUsed = true;
+      mfaValid = mfaResult.valid;
+    }
+    return { mfaUsed, mfaValid, valid: true };
+  }
+}

package/src/services/authenticationUserLocal/index.ts

@@ -0,0 +1,2 @@
+export * from './iam.authenticationUserLocal.definitions';
+export * from './iam.authenticationUserLocal.service';

package/src/services/authorization/iam.authorization.definitions.ts

@@ -0,0 +1,55 @@
+import { GenericObject } from '@node-c/core';
+
+export enum AuthorizationCheckErrorCode {
+  // eslint-disable-next-line no-unused-vars
+  FGANoAccessToModule = 'FGA_NO_ACCESS',
+  // eslint-disable-next-line no-unused-vars
+  RBACNoAccessToModule = 'RBAC_NO_ACCESS_TO_MODULE',
+  // eslint-disable-next-line no-unused-vars
+  RBACNoAccessToResource = 'RBAC_NO_ACCESS_TO_RESOURCE'
+}
+
+export interface AuthorizationPoint<Id> {
+  allowedInputData?: GenericObject;
+  allowedOutputData?: GenericObject;
+  forbiddenInputData?: GenericObject;
+  forbiddenOutputData?: GenericObject;
+  id: Id;
+  inputDataFieldName?: string;
+  moduleName: string;
+  name: string;
+  requiredStaticData?: GenericObject;
+  resources?: string[];
+  // required when resources is set
+  resourceContext?: string;
+  userFieldName?: string;
+  // userTypes: GenericObject[];
+}
+
+export interface AuthorizationStaticCheckAccessOptions {
+  moduleName: string;
+  resource?: string;
+  resourceContext?: string;
+}
+
+export interface AuthorizationStaticCheckAccessResult {
+  authorizationPoints: GenericObject<AuthorizationPoint<unknown>>;
+  errorCode?: AuthorizationCheckErrorCode;
+  hasAccess: boolean;
+  inputDataToBeMutated: GenericObject;
+  noMatchForResource: boolean;
+}
+
+export interface AuthorizationUser<AuthorizationPointId> {
+  currentAuthorizationPoints: GenericObject<AuthorizationPoint<AuthorizationPointId>>;
+}
+
+export interface AuthorizeApiKeyData {
+  apiKey: string;
+  signature?: string;
+  signatureContent?: string;
+}
+
+export interface AuthorizeApiKeyOptions {
+  config: { apiKey?: string; apiSecret?: string; apiSecretAlgorithm?: string };
+}

package/src/services/authorization/iam.authorization.service.ts

@@ -0,0 +1,384 @@
+import crypto from 'crypto';
+
+import {
+  ApplicationError,
+  DataEntityService,
+  DomainEntityService,
+  DomainEntityServiceDefaultData,
+  DomainMethod,
+  GenericObject,
+  getNested,
+  setNested
+} from '@node-c/core';
+
+import ld from 'lodash';
+
+import {
+  AuthorizationCheckErrorCode,
+  AuthorizationStaticCheckAccessOptions,
+  AuthorizationStaticCheckAccessResult,
+  AuthorizationUser,
+  AuthorizeApiKeyData,
+  AuthorizeApiKeyOptions,
+  AuthorizationPoint as BaseAuthorizationPoint
+} from './iam.authorization.definitions';
+
+import { DecodedTokenContent, IAMTokenManagerService } from '../tokenManager';
+
+export class IAMAuthorizationService<
+  AuthorizationPoint extends BaseAuthorizationPoint<unknown> = BaseAuthorizationPoint<unknown>,
+  Data extends DomainEntityServiceDefaultData<Partial<AuthorizationPoint>> = DomainEntityServiceDefaultData<
+    Partial<AuthorizationPoint>
+  >,
+  TokenManager extends IAMTokenManagerService<object> = IAMTokenManagerService<object>
+> extends DomainEntityService<
+  AuthorizationPoint,
+  DataEntityService<AuthorizationPoint>,
+  Data,
+  Record<string, DataEntityService<Partial<AuthorizationPoint>>> | undefined
+> {
+  constructor(
+    protected dataAuthorizationPointsService: DataEntityService<AuthorizationPoint>,
+    protected defaultMethods: string[] = [DomainMethod.Find],
+    protected additionalDataEntityServices?: GenericObject<DataEntityService<Partial<AuthorizationPoint>>>,
+    // eslint-disable-next-line no-unused-vars
+    protected tokenManager?: TokenManager
+  ) {
+    super(dataAuthorizationPointsService, defaultMethods, additionalDataEntityServices);
+  }
+
+  async authorizeApiKey(data: AuthorizeApiKeyData, options: AuthorizeApiKeyOptions): Promise<{ valid: boolean }> {
+    const { apiKey, signature, signatureContent } = data;
+    const {
+      config: { apiKey: expectedApiKey, apiSecret, apiSecretAlgorithm }
+    } = options;
+    if (!apiKey) {
+      console.error('Missing api key.');
+      return { valid: false };
+    }
+    if (apiKey !== expectedApiKey) {
+      console.error('Invalid api key.');
+      return { valid: false };
+    }
+    if (apiSecret && apiSecretAlgorithm) {
+      if (!signature) {
+        console.error('Missing authorization signature.');
+        return { valid: false };
+      }
+      if (!signatureContent) {
+        console.error('Missing authorization signature content.');
+        return { valid: false };
+      }
+      const calcualtedSignature = crypto
+        .createHmac(apiSecretAlgorithm, apiSecret)
+        .update(signatureContent)
+        .digest('hex');
+      if (calcualtedSignature !== signature) {
+        console.error(`Invalid signature provided. Expected: ${calcualtedSignature}. Provided: ${signature}`);
+        return { valid: false };
+      }
+    }
+    return { valid: true };
+  }
+
+  // TODO: decouple from users
+  async authorizeBearer<UserTokenEnityFields = unknown>(
+    data: { authToken?: string; refreshToken?: string },
+    options?: { identifierDataField?: string }
+  ): Promise<{ newAuthToken?: string; tokenContent?: DecodedTokenContent<UserTokenEnityFields>; valid: boolean }> {
+    const { tokenManager } = this;
+    const { authToken, refreshToken } = data;
+    const { identifierDataField } = options || {};
+    if (!tokenManager) {
+      console.error('Token manager not configured.');
+      return { valid: false };
+    }
+    if (!authToken) {
+      console.error('Missing auth token.');
+      return { valid: false };
+    }
+    let newAuthToken: string | undefined;
+    let tokenContent: DecodedTokenContent<UserTokenEnityFields> | undefined;
+    try {
+      const tokenRes = await tokenManager.verifyAccessToken(authToken, {
+        deleteFromStoreIfExpired: true,
+        identifierDataField,
+        persistNewToken: true,
+        purgeStoreOnRenew: true,
+        refreshToken,
+        refreshTokenAccessTokenIdentifierDataField: 'accessToken'
+      });
+      tokenContent = tokenRes.content as unknown as DecodedTokenContent<UserTokenEnityFields>;
+      if (tokenRes.newToken) {
+        newAuthToken = tokenRes.newToken;
+      }
+    } catch (e) {
+      console.error('Failed to parse the access or refresh token:', e);
+      return { valid: false };
+    }
+    return { newAuthToken, tokenContent, valid: true };
+  }
+
+  async checkAccessWithStorage(): Promise<void> {
+    throw new ApplicationError('[IAMAuthorizationService.checkAccessWithStorage]: Method not implemented.');
+  }
+
+  static checkAccess<InputData = GenericObject>(
+    inputData: InputData,
+    user: AuthorizationUser<unknown>,
+    options: AuthorizationStaticCheckAccessOptions
+  ): AuthorizationStaticCheckAccessResult {
+    const { moduleName, resourceContext, resource } = options;
+    let hasResource = false;
+    if (resource) {
+      if (!resourceContext) {
+        throw new ApplicationError(
+          '[IAMAuthorizationService.checkAccess]: A resourceContext is required when providing a resource value.'
+        );
+      }
+      hasResource = true;
+    }
+    // check the access to the found authorization points
+    const mutatedInputData = ld.cloneDeep(inputData);
+    const usedAuthorizationPoints: GenericObject<BaseAuthorizationPoint<unknown>> = {};
+    const { currentAuthorizationPoints } = user;
+    let authorizationPointsCount = 0;
+    let authorizationPointsForDifferentModules = 0;
+    let authorizationPointsForDifferentContexts = 0;
+    let hasAccess = false;
+    let inputDataToBeMutated: GenericObject = {};
+    let noMatchForResource = false;
+    for (const apId in currentAuthorizationPoints) {
+      const apData = currentAuthorizationPoints[apId];
+      authorizationPointsCount++;
+      // RBAC - check whether the user has general access to the module.
+      if (moduleName !== apData.moduleName) {
+        authorizationPointsForDifferentModules++;
+        continue;
+      }
+      // RBAC - check whether the user has general access to the resource.
+      if (
+        hasResource &&
+        (!apData.resourceContext ||
+          apData.resourceContext !== resourceContext ||
+          !apData.resources?.includes(resource!))
+      ) {
+        authorizationPointsForDifferentContexts++;
+        continue;
+      }
+      // FGA - check whether the user has access based on specific input and user fields.
+      const { allowedInputData, forbiddenInputData, inputDataFieldName, requiredStaticData, userFieldName } = apData;
+      const hasStaticData = requiredStaticData && Object.keys(requiredStaticData).length;
+      const innerMutatedInputData = ld.cloneDeep(mutatedInputData) as GenericObject;
+      const innerInputDataToBeMutated: GenericObject = {};
+      hasAccess = true;
+      if (!noMatchForResource) {
+        noMatchForResource = true;
+      }
+      // 1. Required static data
+      if (hasStaticData) {
+        for (const fieldName in requiredStaticData) {
+          if (
+            !IAMAuthorizationService.testValue(
+              getNested({ inputData: innerMutatedInputData, user }, fieldName, { removeNestedFieldEscapeSign: true })
+                .unifiedValue,
+              requiredStaticData[fieldName]
+            )
+          ) {
+            hasAccess = false;
+            break;
+          }
+        }
+        if (!hasAccess) {
+          continue;
+        }
+      }
+      // 2. User field data vs input field data.
+      if (userFieldName && inputDataFieldName) {
+        const { paths: inputFieldPaths, unifiedValue: inputFieldValue } = getNested(
+          innerMutatedInputData,
+          inputDataFieldName,
+          {
+            removeNestedFieldEscapeSign: true
+          }
+        );
+        const { unifiedValue: userFieldValue } = getNested(user, userFieldName, { removeNestedFieldEscapeSign: true });
+        if (typeof userFieldValue === 'undefined') {
+          hasAccess = false;
+          continue;
+        }
+        if (typeof inputFieldValue === 'undefined') {
+          innerInputDataToBeMutated[inputDataFieldName] = userFieldValue;
+          setNested(innerMutatedInputData, inputDataFieldName, userFieldValue, {
+            removeNestedFieldEscapeSign: true,
+            setNestedArraysPerIndex: inputFieldPaths.length > 1
+          });
+        } else {
+          const allowedValues = IAMAuthorizationService.matchInputValues(innerMutatedInputData, {
+            [inputDataFieldName]: userFieldValue
+          })[inputDataFieldName] as unknown[];
+          const inputValueIsArray = inputFieldValue instanceof Array;
+          if (!allowedValues?.length) {
+            hasAccess = false;
+            continue;
+          }
+          if (inputValueIsArray) {
+            innerInputDataToBeMutated[inputDataFieldName] = allowedValues;
+            setNested(innerMutatedInputData, inputDataFieldName, allowedValues, { removeNestedFieldEscapeSign: true });
+          }
+        }
+      }
+      // 3. Input data whitelist
+      // WARNING: In an expressjs v5+ environment, this will only work properly if the query is mutable
+      if (allowedInputData && Object.keys(allowedInputData).length) {
+        const values = IAMAuthorizationService.matchInputValues(innerMutatedInputData, allowedInputData);
+        for (const key in values) {
+          innerInputDataToBeMutated[key] = values[key];
+          setNested(innerMutatedInputData, key, values[key], { removeNestedFieldEscapeSign: true });
+        }
+      }
+      // 4. Input data blacklist
+      if (forbiddenInputData && Object.keys(forbiddenInputData).length) {
+        const values = IAMAuthorizationService.matchInputValues(innerMutatedInputData, forbiddenInputData);
+        for (const key in values) {
+          innerInputDataToBeMutated[key] = undefined;
+          setNested(innerMutatedInputData, key, undefined, { removeNestedFieldEscapeSign: true });
+        }
+      }
+      inputDataToBeMutated = ld.merge(inputDataToBeMutated, innerInputDataToBeMutated);
+      usedAuthorizationPoints[apId] = apData;
+      break;
+    }
+    const returnData: AuthorizationStaticCheckAccessResult = {
+      authorizationPoints: usedAuthorizationPoints,
+      hasAccess,
+      inputDataToBeMutated,
+      noMatchForResource
+    };
+    if (!hasAccess) {
+      if (authorizationPointsForDifferentModules === authorizationPointsCount) {
+        returnData.errorCode = AuthorizationCheckErrorCode.RBACNoAccessToModule;
+      } else if (authorizationPointsForDifferentContexts === authorizationPointsCount) {
+        returnData.errorCode = AuthorizationCheckErrorCode.RBACNoAccessToResource;
+      } else {
+        returnData.errorCode = AuthorizationCheckErrorCode.FGANoAccessToModule;
+      }
+    }
+    return returnData;
+  }
+
+  static getValuesForTesting(valueToTest: unknown): unknown[] {
+    const values = [
+      valueToTest, // the value as-is
+      parseInt(valueToTest as string, 10), // the int equivalent of the value
+      parseFloat(valueToTest as string) // the float equivalent of the value
+    ];
+    // the boolean equivalent of the values
+    if (valueToTest === 'true') {
+      values.push(true);
+    } else if (valueToTest === 'false') {
+      values.push(false);
+    }
+    return values;
+  }
+
+  static matchInputValues(input: GenericObject, values: GenericObject): GenericObject {
+    const matchedValues: GenericObject = {};
+    for (const fieldName in values) {
+      const { paths: valuePaths, values: foundValues } = getNested(input, fieldName, {
+        removeNestedFieldEscapeSign: true
+      });
+      const allowedValue = values[fieldName];
+      const allowedValues = allowedValue instanceof Array ? allowedValue : [allowedValue];
+      const valuesToSet: unknown[] = [];
+      valuePaths.forEach((valuePath, valuePathIndex) => {
+        const valueAtIndex = foundValues[valuePathIndex];
+        let valueIsArray = false;
+        let valuesToCheck: unknown[] = [];
+        if (valueAtIndex instanceof Array) {
+          valuesToCheck = valueAtIndex;
+          valueIsArray = true;
+        } else {
+          valuesToCheck.push(valueAtIndex);
+        }
+        valuesToCheck.forEach(valueToCheck => {
+          for (const j in allowedValues) {
+            if (IAMAuthorizationService.testValue(valueToCheck, allowedValues[j])) {
+              valuesToSet.push(valueToCheck);
+              break;
+            }
+          }
+        });
+        if (!valuesToSet.length) {
+          matchedValues[valuePath] = undefined;
+          return;
+        }
+        matchedValues[valuePath] = valueIsArray ? valuesToSet : valuesToSet[0];
+      });
+    }
+    return matchedValues;
+  }
+
+  static processOutputData(
+    authorizationPoints: { [id: number]: BaseAuthorizationPoint<unknown> },
+    outputData: GenericObject
+  ): {
+    outputDataToBeMutated: GenericObject;
+  } {
+    const mutatedOutputData = ld.cloneDeep(outputData);
+    let outputDataToBeMutated: GenericObject = {};
+    for (const apId in authorizationPoints) {
+      const apData = authorizationPoints[apId];
+      const { allowedOutputData, forbiddenOutputData } = apData;
+      const innerMutatedOutputData = ld.cloneDeep(mutatedOutputData);
+      const innerOutputDataToBeMutated: GenericObject = {};
+      if (allowedOutputData && Object.keys(allowedOutputData).length) {
+        const values = IAMAuthorizationService.matchInputValues(innerMutatedOutputData, allowedOutputData);
+        for (const key in values) {
+          innerOutputDataToBeMutated[key] = values[key];
+          setNested(innerMutatedOutputData, key, values[key], { removeNestedFieldEscapeSign: true });
+        }
+      }
+      if (forbiddenOutputData && Object.keys(forbiddenOutputData).length) {
+        const values = IAMAuthorizationService.matchInputValues(innerMutatedOutputData, forbiddenOutputData);
+        for (const key in values) {
+          innerOutputDataToBeMutated[key] = undefined;
+          setNested(innerMutatedOutputData, key, undefined, { removeNestedFieldEscapeSign: true });
+        }
+      }
+      outputDataToBeMutated = ld.merge(outputDataToBeMutated, innerOutputDataToBeMutated);
+    }
+    return { outputDataToBeMutated };
+  }
+
+  static testValue(valueToTest: unknown, valueToTestAgainst: unknown): boolean {
+    if (
+      typeof valueToTestAgainst === 'string' &&
+      valueToTestAgainst.charAt(0) === '/' &&
+      valueToTestAgainst.charAt(valueToTestAgainst.length - 1) === '/'
+    ) {
+      const regex = new RegExp(valueToTestAgainst.substring(1, valueToTestAgainst.length - 1));
+      if (typeof valueToTest === 'undefined') {
+        return false;
+      }
+      return regex.test(typeof valueToTest === 'string' ? valueToTest : JSON.stringify(valueToTest));
+    }
+    if (
+      typeof valueToTest === 'object' &&
+      valueToTest !== null &&
+      typeof valueToTestAgainst === 'object' &&
+      valueToTestAgainst !== null
+    ) {
+      return JSON.stringify(valueToTest) === JSON.stringify(valueToTestAgainst);
+    }
+    const possibleValidValues = IAMAuthorizationService.getValuesForTesting(valueToTest);
+    let hasMatch = false;
+    for (const i in possibleValidValues) {
+      if (possibleValidValues[i] === valueToTestAgainst) {
+        hasMatch = true;
+        break;
+      }
+    }
+    return hasMatch;
+  }
+}

package/src/services/authorization/index.ts

@@ -0,0 +1,2 @@
+export * from './iam.authorization.definitions';
+export * from './iam.authorization.service';

package/src/services/index.ts

@@ -0,0 +1,7 @@
+export * from './authentication';
+export * from './authenticationOAuth2';
+export * from './authenticationUserLocal';
+export * from './authorization';
+export * from './mfa';
+export * from './tokenManager';
+export * from './userManager';

package/src/services/mfa/iam.mfa.definitions.ts

@@ -0,0 +1,28 @@
+export interface IAMMFACompleteData {
+  type?: IAMMFAType;
+}
+
+export interface IAMMFACompleteOptions<Context> {
+  context: Context;
+}
+
+export enum IAMMFAType {
+  // eslint-disable-next-line no-unused-vars
+  Local = 'local'
+}
+
+export interface IAMMFACompleteResult {
+  valid: boolean;
+}
+
+export interface IAMMFAInitiateData {
+  type?: IAMMFAType;
+}
+
+export interface IAMMFAInitiateOptions<Context> {
+  context: Context;
+}
+
+export interface IAMMFAInitiateResult {
+  valid: boolean;
+}

package/src/services/mfa/iam.mfa.service.ts

@@ -0,0 +1,38 @@
+import { ApplicationError, ConfigProviderService } from '@node-c/core';
+
+import {
+  IAMMFACompleteData,
+  IAMMFACompleteOptions,
+  IAMMFACompleteResult,
+  IAMMFAInitiateData,
+  IAMMFAInitiateOptions,
+  IAMMFAInitiateResult
+} from './iam.mfa.definitions';
+
+// TODO: local MFA implementation
+export class IAMMFAService<CompleteContext extends object, InitiateContext extends object = object> {
+  constructor(
+    // eslint-disable-next-line no-unused-vars
+    protected configProvider: ConfigProviderService,
+    // eslint-disable-next-line no-unused-vars
+    protected moduleName: string
+  ) {}
+
+  async complete(
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _data: IAMMFACompleteData,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _options: IAMMFACompleteOptions<CompleteContext>
+  ): Promise<IAMMFACompleteResult> {
+    throw new ApplicationError(`[${this.moduleName}][IAMMFAService]: Method "complete" not implemented.`);
+  }
+
+  async initiate(
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _data: IAMMFAInitiateData,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _options: IAMMFAInitiateOptions<InitiateContext>
+  ): Promise<IAMMFAInitiateResult> {
+    throw new ApplicationError(`[${this.moduleName}][IAMMFAService]: Method "initiate" not implemented.`);
+  }
+}