@nu-art/user-account-backend 0.400.5

package/_entity/failed-login-attempt/ModuleBE_FailedLoginAttemptDB.d.ts

@@ -0,0 +1,50 @@
+import { DBApiConfigV3, ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { DB_FailedLoginAttempt, DBProto_FailedLoginAttempt } from '@nu-art/user-account-shared';
+import { UniqueId } from '@nu-art/ts-common';
+import { OnUserLogin } from '../account/index.js';
+import { SafeDB_Account } from '@nu-art/user-account-shared';
+type Config = DBApiConfigV3<DBProto_FailedLoginAttempt> & {
+    loginBlockedTTL: number;
+    maxLoginAttempts: number;
+    documentTTL: number;
+};
+/**
+ * Manage and handle login failed attempts,
+ * Default login blocked timer is 5 minutes
+ */
+export declare class ModuleBE_FailedLoginAttemptDB_Class extends ModuleBE_BaseDB<DBProto_FailedLoginAttempt, Config> implements OnUserLogin {
+    constructor();
+    __onUserLogin(account: SafeDB_Account): Promise<DB_FailedLoginAttempt | undefined>;
+    /**
+     * Failed login attempt handler, will take care of updating or managing
+     * failed login attempt event.
+     * @param accountId The account that failed login.
+     */
+    updateFailedLoginAttempt: (accountId: UniqueId) => Promise<[import("@nu-art/ts-common").DB_BaseObject & {
+        __metadata1?: any;
+        __hardDelete?: boolean;
+        __created: number;
+        __updated: number;
+        _v?: string;
+        _originDocId?: UniqueId;
+    } & {
+        accountId: UniqueId;
+        count: number;
+        loginSuccessfulAt?: number;
+    }, void[]] | undefined>;
+    /**
+     * After a successful login attempt use this function to validate if user isn't blocked
+     * or if block time elapsed
+     * @param accountId The account that successfully logged in
+     */
+    private onLoginSuccessful;
+    private getExistingLoginAttempt;
+    private isLoginBlocked;
+    private isTTLExpired;
+    private incrementLoginAttempt;
+    private assertLoginBlock;
+    private createNewLoginAttempt;
+    private handleBlockedLogin;
+}
+export declare const ModuleBE_FailedLoginAttemptDB: ModuleBE_FailedLoginAttemptDB_Class;
+export {};

package/_entity/failed-login-attempt/ModuleBE_FailedLoginAttemptDB.js

@@ -0,0 +1,105 @@
+import { ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { DBDef_FailedLoginAttempt, DefaultMaxLoginAttempts, ErrorType_LoginBlocked } from '@nu-art/user-account-shared';
+import { ApiException, currentTimeMillis, exists, Format_HHmmss_DDMMYYYY, formatTimestamp, Minute } from '@nu-art/ts-common';
+import { HttpCodes } from '@nu-art/ts-common/core/exceptions/http-codes';
+import { dispatch_OnLoginFailed } from '../login-attempts/dispatchers.js';
+/**
+ * Manage and handle login failed attempts,
+ * Default login blocked timer is 5 minutes
+ */
+export class ModuleBE_FailedLoginAttemptDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_FailedLoginAttempt);
+        this.setDefaultConfig({
+            loginBlockedTTL: 5 * Minute, // default login block is 5 minutes
+            maxLoginAttempts: DefaultMaxLoginAttempts,
+            documentTTL: 3 * Minute
+        });
+    }
+    __onUserLogin(account) {
+        return this.onLoginSuccessful(account._id);
+    }
+    //######################### Public Logic #########################
+    /**
+     * Failed login attempt handler, will take care of updating or managing
+     * failed login attempt event.
+     * @param accountId The account that failed login.
+     */
+    updateFailedLoginAttempt = async (accountId) => {
+        // Fetch the existing attempt
+        const existingLoginAttempt = await this.getExistingLoginAttempt(accountId);
+        if (!existingLoginAttempt) {
+            return this.createNewLoginAttempt(accountId);
+        }
+        // Check if the login is already blocked
+        if (this.isLoginBlocked(existingLoginAttempt)) {
+            return this.handleBlockedLogin(existingLoginAttempt);
+        }
+        // Check if TTL has expired
+        if (this.isTTLExpired(existingLoginAttempt) || exists(existingLoginAttempt.loginSuccessfulAt)) {
+            return this.createNewLoginAttempt(accountId);
+        }
+        // Update the failed login attempt
+        return this.incrementLoginAttempt(existingLoginAttempt);
+    };
+    //######################### Internal Logic #########################
+    /**
+     * After a successful login attempt use this function to validate if user isn't blocked
+     * or if block time elapsed
+     * @param accountId The account that successfully logged in
+     */
+    onLoginSuccessful = async (accountId) => {
+        const loginAttempt = await this.getExistingLoginAttempt(accountId);
+        // fail fast if there's no login attempts document
+        if (!loginAttempt)
+            return;
+        // update login timestamp if login is successful and not blocked
+        if (loginAttempt.count < this.config.maxLoginAttempts) {
+            loginAttempt.loginSuccessfulAt = currentTimeMillis();
+            return this.set.item(loginAttempt);
+        }
+        // if the login is still blocked throw blocked error
+        if (this.assertLoginBlock(loginAttempt))
+            return this.handleBlockedLogin(loginAttempt);
+    };
+    // Separate functions to improve logic separation
+    getExistingLoginAttempt = async (accountId) => {
+        return (await this.query.custom({
+            where: { accountId },
+            limit: 1,
+            orderBy: [{ key: '__created', order: 'desc' }]
+        }))[0];
+    };
+    isLoginBlocked = (loginAttempt) => {
+        return loginAttempt.count >= this.config.maxLoginAttempts && this.assertLoginBlock(loginAttempt);
+    };
+    isTTLExpired = (loginAttempt) => {
+        return loginAttempt.__created + this.config.documentTTL < currentTimeMillis();
+    };
+    incrementLoginAttempt = async (loginAttempt) => {
+        loginAttempt.count++;
+        const updatedDoc = await this.set.item(loginAttempt);
+        await dispatch_OnLoginFailed.dispatchModuleAsync(loginAttempt.accountId);
+        if (updatedDoc.count >= this.config.maxLoginAttempts) {
+            return this.handleBlockedLogin(updatedDoc);
+        }
+    };
+    assertLoginBlock = (loginAttempt) => {
+        const blockedUntil = loginAttempt.__updated + this.config.loginBlockedTTL;
+        return currentTimeMillis() < blockedUntil;
+    };
+    createNewLoginAttempt = async (accountId) => {
+        return Promise.all([this.set.item({
+                accountId: accountId,
+                count: 1
+            }), dispatch_OnLoginFailed.dispatchModuleAsync(accountId)]);
+    };
+    handleBlockedLogin = (blockedLogin) => {
+        const loginBlockedUntil = blockedLogin.__updated + this.config.loginBlockedTTL;
+        throw new ApiException(HttpCodes._4XX.FORBIDDEN.code, `Login is blocked until ${formatTimestamp(Format_HHmmss_DDMMYYYY, loginBlockedUntil)}`).setErrorBody({
+            type: ErrorType_LoginBlocked,
+            data: { blockedUntil: loginBlockedUntil }
+        });
+    };
+}
+export const ModuleBE_FailedLoginAttemptDB = new ModuleBE_FailedLoginAttemptDB_Class();

package/_entity/failed-login-attempt/index.d.ts

@@ -0,0 +1,2 @@
+export * from './ModuleBE_FailedLoginAttemptDB.js';
+export * from './module-pack.js';

package/_entity/failed-login-attempt/index.js

@@ -0,0 +1,2 @@
+export * from './ModuleBE_FailedLoginAttemptDB.js';
+export * from './module-pack.js';

package/_entity/failed-login-attempt/module-pack.d.ts

@@ -0,0 +1 @@
+export declare const ModulePackBE_FailedLoginAttemptDB: (import("./ModuleBE_FailedLoginAttemptDB.js").ModuleBE_FailedLoginAttemptDB_Class | import("@nu-art/thunderstorm-backend").ModuleBE_BaseApi_Class<import("@nu-art/user-account-shared").DBProto_FailedLoginAttempt>)[];

package/_entity/failed-login-attempt/module-pack.js

@@ -0,0 +1,3 @@
+import { createApisForDBModuleV3 } from '@nu-art/thunderstorm-backend';
+import { ModuleBE_FailedLoginAttemptDB } from './ModuleBE_FailedLoginAttemptDB.js';
+export const ModulePackBE_FailedLoginAttemptDB = [ModuleBE_FailedLoginAttemptDB, createApisForDBModuleV3(ModuleBE_FailedLoginAttemptDB)];

package/_entity/login-attempts/ModuleBE_LoginAttemptDB.d.ts

@@ -0,0 +1,36 @@
+import { DBApiConfigV3, ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { DBProto_LoginAttempt } from '@nu-art/user-account-shared';
+import { OnLoginFailed } from './dispatchers.js';
+import { OnUserLogin } from '../account/index.js';
+import { SafeDB_Account } from '@nu-art/user-account-shared';
+type Config = DBApiConfigV3<DBProto_LoginAttempt> & {};
+/**
+ * DB entity that collects login metadata and handles blocking of users that failed
+ * login credentials over a number of defined times
+ */
+export declare class ModuleBE_LoginAttemptDB_Class extends ModuleBE_BaseDB<DBProto_LoginAttempt, Config> implements OnLoginFailed, OnUserLogin {
+    /**
+     * Dispatcher that handles failed login events
+     * @param accountId The account id that failed login
+     */
+    __onLoginFailed(accountId: string): Promise<import("@nu-art/user-account-shared").DB_LoginAttempt>;
+    /**
+     * On successful event write successful event
+     * @param account The logged in account id
+     */
+    __onUserLogin(account: SafeDB_Account): Promise<import("@nu-art/user-account-shared").DB_LoginAttempt>;
+    constructor();
+    /**
+     * Default creator function that creates the db document of a login attempt,
+     * will be called from the dispatcher listeners that will define the attempt status
+     * @param accountId The account that attempted to log-in
+     * @param status The login attempts status
+     */
+    private createLoginAttempt;
+    /**
+     * Metadata object generator, for now resolving only device id and tries to resolve id (not always possible)
+     */
+    private collectLoginMetadata;
+}
+export declare const ModuleBE_LoginAttemptDB: ModuleBE_LoginAttemptDB_Class;
+export {};

package/_entity/login-attempts/ModuleBE_LoginAttemptDB.js

@@ -0,0 +1,51 @@
+import { ModuleBE_BaseDB, } from '@nu-art/thunderstorm-backend';
+import { DBDef_LoginAttempt, LoginStatus_Failed, LoginStatus_Success } from '@nu-art/user-account-shared';
+import { filterKeys } from '@nu-art/ts-common';
+import { MemKey_HttpRequest } from '@nu-art/thunderstorm-backend/modules/server/consts';
+/**
+ * DB entity that collects login metadata and handles blocking of users that failed
+ * login credentials over a number of defined times
+ */
+export class ModuleBE_LoginAttemptDB_Class extends ModuleBE_BaseDB {
+    /**
+     * Dispatcher that handles failed login events
+     * @param accountId The account id that failed login
+     */
+    __onLoginFailed(accountId) {
+        return this.createLoginAttempt(accountId, LoginStatus_Failed);
+    }
+    /**
+     * On successful event write successful event
+     * @param account The logged in account id
+     */
+    __onUserLogin(account) {
+        return this.createLoginAttempt(account._id, LoginStatus_Success);
+    }
+    constructor() {
+        super(DBDef_LoginAttempt);
+    }
+    /**
+     * Default creator function that creates the db document of a login attempt,
+     * will be called from the dispatcher listeners that will define the attempt status
+     * @param accountId The account that attempted to log-in
+     * @param status The login attempts status
+     */
+    createLoginAttempt = async (accountId, status) => {
+        return this.set.item({
+            accountId,
+            status,
+            metadata: this.collectLoginMetadata()
+        });
+    };
+    /**
+     * Metadata object generator, for now resolving only device id and tries to resolve id (not always possible)
+     */
+    collectLoginMetadata = () => {
+        const request = MemKey_HttpRequest.get();
+        return filterKeys({
+            ipAddress: request.headers['x-forwarded-for'] || request.socket.remoteAddress,
+            deviceId: request.body.deviceId
+        });
+    };
+}
+export const ModuleBE_LoginAttemptDB = new ModuleBE_LoginAttemptDB_Class();

package/_entity/login-attempts/dispatchers.d.ts

@@ -0,0 +1,5 @@
+import { Dispatcher, UniqueId } from '@nu-art/ts-common';
+export interface OnLoginFailed {
+    __onLoginFailed: (accountId: UniqueId) => void;
+}
+export declare const dispatch_OnLoginFailed: Dispatcher<OnLoginFailed, "__onLoginFailed", [accountId: string], void>;

package/_entity/login-attempts/dispatchers.js

@@ -0,0 +1,2 @@
+import { Dispatcher } from '@nu-art/ts-common';
+export const dispatch_OnLoginFailed = new Dispatcher('__onLoginFailed');

package/_entity/login-attempts/index.d.ts

@@ -0,0 +1,2 @@
+export * from './ModuleBE_LoginAttemptDB.js';
+export * from './module-pack.js';

package/_entity/login-attempts/index.js

@@ -0,0 +1,2 @@
+export * from './ModuleBE_LoginAttemptDB.js';
+export * from './module-pack.js';

package/_entity/login-attempts/module-pack.d.ts

@@ -0,0 +1 @@
+export declare const ModulePackBE_LoginAttemptDB: (import("./ModuleBE_LoginAttemptDB.js").ModuleBE_LoginAttemptDB_Class | import("@nu-art/thunderstorm-backend").ModuleBE_BaseApi_Class<import("@nu-art/user-account-shared").DBProto_LoginAttempt>)[];

package/_entity/login-attempts/module-pack.js

@@ -0,0 +1,3 @@
+import { createApisForDBModuleV3 } from '@nu-art/thunderstorm-backend';
+import { ModuleBE_LoginAttemptDB } from './ModuleBE_LoginAttemptDB.js';
+export const ModulePackBE_LoginAttemptDB = [ModuleBE_LoginAttemptDB, createApisForDBModuleV3(ModuleBE_LoginAttemptDB)];

package/_entity/session/ModuleBE_JWT.d.ts

@@ -0,0 +1,46 @@
+import { SecretKey } from '@nu-art/google-services-backend/modules/ModuleBE_SecretManager';
+import { JWT_BaseClaims, Logger, Module, RecursiveObjectOfPrimitives } from '@nu-art/ts-common';
+type HandlerConfig = {
+    ttlInMs: number;
+    rotationIntervalInMs: number;
+    maxSecrets: number;
+};
+type Config = {
+    rotationCheckInterval: number;
+    default: HandlerConfig;
+};
+export declare class JWT_Handler<T extends RecursiveObjectOfPrimitives> extends Logger {
+    private config;
+    readonly secret: SecretKey<string[]>;
+    private cache?;
+    constructor(config: HandlerConfig & {
+        label: string;
+        secretKey: string;
+        projectId?: string;
+    });
+    create(claims: T, ttlInMs?: number): Promise<string>;
+    private getSecret;
+    rotateSecret(): Promise<string[]>;
+    isActive(jwt: string): Promise<boolean>;
+    isExpired(jwt: string): Promise<boolean>;
+    verifySignature(jwt: string): Promise<{
+        validated: true;
+        claims: T & JWT_BaseClaims;
+    } | {
+        validated: false;
+    }>;
+    assert(jwt: string): Promise<T & JWT_BaseClaims>;
+}
+export declare class ModuleBE_JWT_Class extends Module<Config> {
+    private readonly handlers;
+    constructor();
+    init(): void;
+    jwtHandler<T extends RecursiveObjectOfPrimitives>(jwtConfig: Partial<HandlerConfig> & {
+        label: string;
+        secretKey: string;
+        projectId?: string;
+    }): JWT_Handler<T>;
+    rotateSecrets(): Promise<void>;
+}
+export declare const ModuleBE_JWT: ModuleBE_JWT_Class;
+export {};

package/_entity/session/ModuleBE_JWT.js

@@ -0,0 +1,86 @@
+import { SecretKey } from '@nu-art/google-services-backend/modules/ModuleBE_SecretManager';
+import { currentTimeMillis, Day, filterDuplicates, generateHex, Hour, intervalHandler, JwtTools, Logger, merge, Module, MUSTNeverHappenException } from '@nu-art/ts-common';
+export class JWT_Handler extends Logger {
+    config;
+    secret;
+    cache;
+    constructor(config) {
+        super(config.label);
+        this.config = config;
+        this.secret = new SecretKey(config.secretKey, config.projectId);
+    }
+    async create(claims, ttlInMs = this.config.ttlInMs) {
+        const secret = await this.getSecret();
+        return await JwtTools.encode(claims, secret[0], { expiresIn: Math.floor((currentTimeMillis() + ttlInMs) / 1000) });
+    }
+    async getSecret() {
+        if (this.cache)
+            return this.cache;
+        return this.cache = await this.secret.get([generateHex(32)]);
+    }
+    async rotateSecret() {
+        delete this.cache;
+        let secret = await this.getSecret();
+        if (currentTimeMillis() < (await this.secret.modifiedTimestamp()) + this.config.rotationIntervalInMs)
+            return secret;
+        secret = [generateHex(32), ...secret];
+        if (secret.length > this.config.maxSecrets)
+            secret.length = this.config.maxSecrets;
+        await this.secret.set(secret);
+        return secret;
+    }
+    async isActive(jwt) {
+        return await JwtTools.isJwtActive(jwt);
+    }
+    async isExpired(jwt) {
+        return await JwtTools.isJwtExpired(jwt);
+    }
+    async verifySignature(jwt) {
+        jwt = jwt.replace(/^Bearer\s/, '');
+        const secrets = await this.getSecret();
+        this.logVerbose(`Verifying JWT signature with secrets:`, secrets, jwt);
+        for (const secret of secrets) {
+            try {
+                return { validated: true, claims: await JwtTools.verifySignature(jwt, secret) };
+            }
+            catch (ignore) {
+                this.logError('Error verifying JWT signature', ignore);
+            }
+        }
+        return { validated: false };
+    }
+    async assert(jwt) {
+        if (await this.isExpired(jwt))
+            throw new MUSTNeverHappenException(`JWT is expired: ${jwt}`);
+        const result = await this.verifySignature(jwt);
+        if (!result.validated)
+            throw new MUSTNeverHappenException(`JWT signature is invalid: ${jwt}`);
+        return result.claims;
+    }
+}
+export class ModuleBE_JWT_Class extends Module {
+    handlers = [];
+    constructor() {
+        super();
+        this.setDefaultConfig({
+            rotationCheckInterval: Hour,
+            default: {
+                ttlInMs: Hour,
+                rotationIntervalInMs: Day,
+                maxSecrets: 2,
+            }
+        });
+    }
+    init() {
+        intervalHandler(this.rotateSecrets, this.config.rotationCheckInterval);
+    }
+    jwtHandler(jwtConfig) {
+        const jwtHandler = new JWT_Handler(merge(this.config.default, jwtConfig));
+        this.handlers.push(jwtHandler);
+        return jwtHandler;
+    }
+    async rotateSecrets() {
+        await Promise.all(filterDuplicates(this.handlers, handler => `${handler.secret.secret.projectId}/${handler.secret.secret.key}`).map(handler => handler.rotateSecret()));
+    }
+}
+export const ModuleBE_JWT = new ModuleBE_JWT_Class();

package/_entity/session/ModuleBE_SessionDB.d.ts

@@ -0,0 +1,77 @@
+import { AnyPrimitive, Dispatcher, RecursiveObjectOfPrimitives, TypedKeyValue, UniqueId } from '@nu-art/ts-common';
+import { firestore } from 'firebase-admin';
+import { DBApiConfigV3, ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { DB_Session, DBProto_Session } from '@nu-art/user-account-shared';
+import Transaction = firestore.Transaction;
+export type BaseSessionClaims = {
+    accountId: string;
+    deviceId: string;
+    label: string;
+};
+export type Props_CreateSession = {
+    linkedSessionId?: string;
+    prevSessions?: UniqueId[];
+    initialClaims: BaseSessionClaims;
+};
+export interface CollectSessionData<R extends TypedKeyValue<any, AnyPrimitive>> {
+    __collectSessionData(data: BaseSessionClaims, transaction?: Transaction): Promise<R>;
+}
+export declare const dispatch_CollectSessionData: Dispatcher<CollectSessionData<TypedKeyValue<any, RecursiveObjectOfPrimitives>>, "__collectSessionData", [data: BaseSessionClaims, transaction?: firestore.Transaction | undefined], TypedKeyValue<any, RecursiveObjectOfPrimitives>>;
+export declare const Const_Default_SessionJWT_SecretKey = "jwt-signer--account-session";
+type Config = DBApiConfigV3<DBProto_Session> & {
+    sessionTTLms: number;
+    rotationFactor: number;
+    maxPrevSession: number;
+    jwtSigner: {
+        secretKey: string;
+        projectId?: string;
+    };
+};
+export declare class ModuleBE_SessionDB_Class extends ModuleBE_BaseDB<DBProto_Session, Config> implements CollectSessionData<TypedKeyValue<'session', {
+    deviceId: string;
+}>> {
+    private jwtHandler;
+    constructor();
+    init(): void;
+    private collectSessionData;
+    token: {
+        create: (initialClaims: BaseSessionClaims, ttlInMs?: number, transaction?: Transaction) => Promise<string>;
+        refresh: (jwtOrigin: string) => Promise<string>;
+        verify: (jwt: string) => Promise<BaseSessionClaims & RecursiveObjectOfPrimitives & import("@nu-art/ts-common").JWT_BaseClaims>;
+    };
+    private __session;
+    _session: {
+        query: {
+            byJwt: (jwt: string, transaction?: Transaction) => Promise<DB_Session>;
+        };
+        return: (dbSession: DB_Session) => Promise<string>;
+        save: (content: Props_CreateSession, jwt: string, transaction?: Transaction) => Promise<DB_Session>;
+        create: ((content: Props_CreateSession, ttlInMs?: number, transaction?: Transaction) => Promise<DB_Session>) & {
+            andReturn: (content: Props_CreateSession, ttlInMs?: number, transaction?: Transaction) => Promise<string>;
+        };
+        rotate: {
+            refreshIfNeeded: {
+                byJwt: (jwt: string, transaction?: Transaction) => Promise<DB_Session | undefined>;
+                bySession: (dbSession?: DB_Session, transaction?: Transaction) => Promise<DB_Session>;
+            };
+            reissue: {
+                byJwt: (jwt: string, transaction?: Transaction) => Promise<DB_Session>;
+                bySession: (dbSession?: DB_Session, transaction?: Transaction) => Promise<DB_Session>;
+            };
+        };
+        invalidate: {
+            byJwt: (jwt: string, transaction?: Transaction) => Promise<void>;
+            bySession: (dbSession?: DB_Session, transaction?: Transaction) => Promise<void>;
+        };
+    };
+    readonly Middleware: () => Promise<void>;
+    private locateSession;
+    __collectSessionData(data: BaseSessionClaims): Promise<{
+        key: "session";
+        value: {
+            deviceId: string;
+        };
+    }>;
+}
+export declare const ModuleBE_SessionDB: ModuleBE_SessionDB_Class;
+export {};