@nu-art/user-account-backend 0.400.5

package/_entity/session/ModuleBE_SessionDB.js

@@ -0,0 +1,233 @@
+import { ApiException, currentTimeMillis, Day, Dispatcher, filterKeys, isErrorOfType, JwtTools, md5, MUSTNeverHappenException } from '@nu-art/ts-common';
+import { ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { DBDef_Session } from '@nu-art/user-account-shared';
+import { Header_Authorization, MemKey_DB_Session, MemKey_Jwt, MemKey_SessionData, SessionKey_Account_BE } from './consts.js';
+import { MemKey_HttpResponse } from '@nu-art/thunderstorm-backend/modules/server/consts';
+import { ResponseHeaderKey_JWTToken } from '@nu-art/thunderstorm-shared';
+import { ModuleBE_JWT } from './ModuleBE_JWT.js';
+import { HttpCodes } from '@nu-art/ts-common/core/exceptions/http-codes';
+export const dispatch_CollectSessionData = new Dispatcher('__collectSessionData');
+export const Const_Default_SessionJWT_SecretKey = 'jwt-signer--account-session';
+export class ModuleBE_SessionDB_Class extends ModuleBE_BaseDB {
+    jwtHandler;
+    constructor() {
+        super(DBDef_Session);
+        this.setDefaultConfig({
+            sessionTTLms: Day,
+            rotationFactor: 0.5,
+            maxPrevSession: 10,
+            jwtSigner: {
+                secretKey: Const_Default_SessionJWT_SecretKey
+            }
+        });
+    }
+    init() {
+        super.init();
+        this.jwtHandler = ModuleBE_JWT.jwtHandler({
+            label: 'Session-JWT',
+            ttlInMs: Day,
+            rotationIntervalInMs: 2 * Day,
+            ...this.config.jwtSigner
+        });
+    }
+    collectSessionData = async (content, transaction) => {
+        const collectedData = (await dispatch_CollectSessionData.dispatchModuleAsync(content, transaction));
+        return collectedData.reduce((sessionData, moduleSessionData) => {
+            // We don't skip existing keys. This allows us to override session data provided by infra, with session data provided by app. If wanted, add flag to symbolize this is intentional to all relevant places.
+            sessionData[moduleSessionData.key] = moduleSessionData.value;
+            return sessionData;
+        }, { ...content });
+    };
+    token = {
+        create: async (initialClaims, ttlInMs, transaction) => {
+            const claims = await this.collectSessionData(initialClaims, transaction);
+            return await this.jwtHandler.create(claims, ttlInMs ?? this.config.sessionTTLms);
+        },
+        refresh: async (jwtOrigin) => {
+            const claims = await this.token.verify(jwtOrigin);
+            return await this.jwtHandler.create(claims, (claims.exp - claims.iat) * 1000);
+        },
+        verify: async (jwt) => {
+            const result = await this.jwtHandler.verifySignature(jwt);
+            if (!result.validated)
+                throw HttpCodes._4XX.UNAUTHORIZED('JWT received in request is invalid');
+            return result.claims;
+        }
+    };
+    __session = {
+        shouldRefresh: async (jwt) => {
+            // Decode the JWT to retrieve its claims (issued and expiry time).
+            const sessionData = await this.jwtHandler.assert(jwt);
+            if (SessionKey_Account_BE.get(sessionData).type === 'service') {
+                this.logWarning('Cannot refresh session for a service account. This is not allowed.');
+                return false;
+            }
+            // Extract timestamps from the session data.
+            const issuedAt = sessionData.iat; // Issued timestamp (in seconds since epoch).
+            const expiresAt = sessionData.exp; // Expiry timestamp.
+            // Compute total session TTL (in seconds).
+            const totalTTL = expiresAt - issuedAt;
+            // Compute the remaining time to expiry.
+            const remainingTTL = expiresAt - Math.floor(currentTimeMillis() / 1000); // Current time in seconds.
+            // Determine if the session should be rotated:
+            return remainingTTL / totalTTL < this.config.rotationFactor;
+        },
+        refresh: async (dbSession = MemKey_DB_Session.get(), transaction) => {
+            this.logInfo(`Refreshing JWT for Account: ${dbSession.accountId}`);
+            const jwt = await this.token.refresh(dbSession.sessionIdJwt);
+            const content = {
+                linkedSessionId: dbSession._id,
+                prevSessions: dbSession.validSessionJwtMd5s,
+                initialClaims: {
+                    accountId: dbSession.accountId,
+                    deviceId: dbSession.deviceId,
+                    label: `refreshed from ${dbSession._id}`,
+                }
+            };
+            return await this._session.save(content, jwt, transaction);
+        },
+        reissue: async (dbSession = MemKey_DB_Session.get(), transaction) => {
+            this.logInfo(`Reissuing JWT for Account: ${dbSession.accountId} from Session: ${dbSession._id}`);
+            const claims = await this.token.verify(dbSession.sessionIdJwt);
+            const initialClaims = {
+                accountId: claims.accountId,
+                deviceId: claims.deviceId,
+                label: `reissued from ${dbSession._id}`,
+            };
+            const jwt = await this.token.create(initialClaims, (claims.exp - claims.iat) * 1000, transaction);
+            const content = {
+                linkedSessionId: dbSession._id,
+                prevSessions: dbSession.validSessionJwtMd5s,
+                initialClaims: initialClaims
+            };
+            return await this._session.save(content, jwt, transaction);
+        }
+    };
+    _session = {
+        query: {
+            byJwt: async (jwt, transaction) => {
+                return await this.query.uniqueCustom({
+                    // We use an md5 to save and query for the session object. The original sessionId(JWT) is too big.
+                    where: { validSessionJwtMd5s: { $ac: md5(jwt) } },
+                    orderBy: [{ key: '__created', order: 'desc' }],
+                    limit: 1
+                }, transaction);
+            }
+        },
+        return: async (dbSession) => {
+            const jwt = dbSession.sessionIdJwt;
+            MemKey_HttpResponse.get().setHeader(ResponseHeaderKey_JWTToken, jwt);
+            MemKey_SessionData.set(await JwtTools.decode(jwt));
+            MemKey_Jwt.set(jwt);
+            return jwt;
+        },
+        save: async (content, jwt, transaction) => {
+            const _id = md5(jwt);
+            const validSessionJwtMd5s = content.prevSessions ? [_id, ...content.prevSessions] : [_id];
+            if (validSessionJwtMd5s.length > this.config.maxPrevSession)
+                validSessionJwtMd5s.length = this.config.maxPrevSession;
+            const dbSession = filterKeys({
+                _id,
+                linkedSessionId: content.linkedSessionId,
+                validSessionJwtMd5s: validSessionJwtMd5s,
+                accountId: content.initialClaims.accountId,
+                deviceId: content.initialClaims.deviceId,
+                label: content.initialClaims.label,
+                sessionIdJwt: jwt,
+            }, ['linkedSessionId', 'label']);
+            return await this.set.item(dbSession, transaction);
+        },
+        create: Object.assign(async (content, ttlInMs, transaction) => {
+            this.logInfo(`Creating JWT for Account: ${content.initialClaims.accountId}`);
+            const jwt = await this.token.create(content.initialClaims, ttlInMs, transaction);
+            return await this._session.save(content, jwt, transaction);
+        }, {
+            andReturn: async (content, ttlInMs, transaction) => {
+                const dbSession = await this._session.create(content, ttlInMs, transaction);
+                return await this._session.return(dbSession);
+            },
+        }),
+        rotate: {
+            refreshIfNeeded: {
+                byJwt: async (jwt, transaction) => {
+                    if (!(await this.__session.shouldRefresh(jwt)))
+                        return;
+                    const dbSession = await this._session.query.byJwt(jwt, transaction);
+                    this.logInfo(`Refreshing Session by JWT for account(${dbSession.accountId}) sessionId(${dbSession._id})`);
+                    return await this.__session.refresh(dbSession, transaction);
+                },
+                bySession: async (dbSession = MemKey_DB_Session.get(), transaction) => {
+                    if (!(await this.__session.shouldRefresh(dbSession.sessionIdJwt)))
+                        return dbSession;
+                    this.logInfo(`Refreshing Session by dbSession for account(${dbSession.accountId}) sessionId(${dbSession._id})`);
+                    return await this.__session.refresh(dbSession, transaction);
+                }
+            },
+            reissue: {
+                byJwt: async (jwt, transaction) => {
+                    await this.jwtHandler.assert(jwt);
+                    const dbSession = await this._session.query.byJwt(jwt, transaction);
+                    return await this.__session.reissue(dbSession, transaction);
+                },
+                bySession: async (dbSession = MemKey_DB_Session.get(), transaction) => {
+                    await this.jwtHandler.assert(dbSession.sessionIdJwt);
+                    return await this.__session.reissue(dbSession, transaction);
+                }
+            }
+        },
+        invalidate: {
+            byJwt: async (jwt, transaction) => {
+                const session = await this._session.query.byJwt(jwt, transaction);
+                return await this._session.invalidate.bySession(session, transaction);
+            },
+            bySession: async (dbSession = MemKey_DB_Session.get(), transaction) => {
+                if (!dbSession)
+                    throw HttpCodes._4XX.UNAUTHORIZED('No session in context to invalidate');
+                await this.set.item({ ...dbSession, validSessionJwtMd5s: [] }, transaction);
+                this.logInfo(`Session invalidated for account: ${dbSession.accountId}, sessionId: ${dbSession._id}`);
+            }
+        }
+    };
+    Middleware = async () => {
+        const jwt = Header_Authorization.get(); //jwt
+        const expired = await this.jwtHandler.isExpired(jwt);
+        if (expired)
+            throw HttpCodes._4XX.UNAUTHORIZED('JWT received in request is expired');
+        const validationResult = await this.jwtHandler.verifySignature(jwt);
+        if (!validationResult.validated)
+            throw HttpCodes._4XX.FORBIDDEN('JWT received in request is invalid');
+        await this.locateSession(jwt);
+    };
+    async locateSession(jwt) {
+        try {
+            const { dbSession, claims } = await this.runTransaction(async (t) => {
+                let dbSession = await this._session.query.byJwt(jwt);
+                const latestJwtValidationResult = await this.jwtHandler.verifySignature(dbSession.sessionIdJwt);
+                if (!latestJwtValidationResult.validated)
+                    throw new MUSTNeverHappenException(`JWT received from DB is invalid Session id = ${dbSession._id}`);
+                dbSession = await this._session.rotate.refreshIfNeeded.bySession(dbSession);
+                return { dbSession, claims: latestJwtValidationResult.claims };
+            });
+            MemKey_DB_Session.set(dbSession);
+            MemKey_SessionData.set(claims);
+            MemKey_Jwt.set(dbSession.sessionIdJwt);
+            MemKey_HttpResponse.get().setHeader(ResponseHeaderKey_JWTToken, dbSession.sessionIdJwt);
+        }
+        catch (err) {
+            if (isErrorOfType(err, ApiException))
+                throw err;
+            this.logErrorBold(jwt);
+            throw HttpCodes._4XX.UNAUTHORIZED('JWT received in request is invalid', err);
+        }
+    }
+    async __collectSessionData(data) {
+        return {
+            key: 'session',
+            value: {
+                deviceId: data.deviceId,
+            }
+        };
+    }
+}
+;
+export const ModuleBE_SessionDB = new ModuleBE_SessionDB_Class();

package/_entity/session/consts.d.ts

@@ -0,0 +1,22 @@
+import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
+import { RecursiveObjectOfPrimitives, TypedKeyValue } from '@nu-art/ts-common';
+import { DB_Session } from '@nu-art/user-account-shared';
+import { HeaderKey } from '@nu-art/thunderstorm-backend';
+import { _SessionKey_Account } from '@nu-art/user-account-shared';
+export declare const MemKey_AccountEmail: MemKey<string>;
+export declare const MemKey_AccountId: MemKey<string>;
+export declare const MemKey_AccountType: MemKey<string>;
+export declare const MemKey_DB_Session: MemKey<DB_Session>;
+export declare const MemKey_SessionData: MemKey<RecursiveObjectOfPrimitives>;
+export declare const MemKey_Jwt: MemKey<string>;
+export declare const Header_Authorization: HeaderKey;
+export declare const Header_Origin: HeaderKey;
+export declare const Header_TabId: HeaderKey;
+export declare const Header_DeviceId: HeaderKey;
+export declare class SessionKey_BE<Binder extends TypedKeyValue<string | number, any>> {
+    private readonly key;
+    constructor(key: Binder['key']);
+    get(sessionData?: RecursiveObjectOfPrimitives): Binder['value'];
+}
+export declare const SessionKey_Account_BE: SessionKey_BE<_SessionKey_Account>;
+export declare function getAuditorId(): Promise<string>;

package/_entity/session/consts.js

@@ -0,0 +1,33 @@
+import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
+import { BadImplementationException, ImplementationMissingException } from '@nu-art/ts-common';
+import { HeaderKey } from '@nu-art/thunderstorm-backend';
+import { HeaderKey_Authorization, HeaderKey_DeviceId, HeaderKey_Origin, HeaderKey_TabId } from '@nu-art/thunderstorm-shared/headers';
+export const MemKey_AccountEmail = new MemKey('accounts--email', true);
+export const MemKey_AccountId = new MemKey('accounts--id', true);
+export const MemKey_AccountType = new MemKey('accounts--type', true);
+export const MemKey_DB_Session = new MemKey('db-session-object', false);
+export const MemKey_SessionData = new MemKey('jwt-claims', false);
+export const MemKey_Jwt = new MemKey('jwt-token', false);
+export const Header_Authorization = new HeaderKey(HeaderKey_Authorization, 403)
+    .setProcessor((v) => (v ?? '').trim().replace(/^bearer\s+/i, ''));
+export const Header_Origin = new HeaderKey(HeaderKey_Origin, 403);
+export const Header_TabId = new HeaderKey(HeaderKey_TabId);
+export const Header_DeviceId = new HeaderKey(HeaderKey_DeviceId);
+export class SessionKey_BE {
+    key;
+    constructor(key) {
+        this.key = key;
+    }
+    get(sessionData = MemKey_SessionData.get()) {
+        if (!(this.key in sessionData))
+            throw new BadImplementationException(`Couldn't find key "${this.key}" in session data`);
+        return sessionData[this.key];
+    }
+}
+export const SessionKey_Account_BE = new SessionKey_BE('account');
+export async function getAuditorId() {
+    const sessionData = SessionKey_Account_BE.get();
+    if (!sessionData)
+        throw new ImplementationMissingException('Trying to add auditorId without session data!');
+    return sessionData._id;
+}

package/_entity/session/index.d.ts

@@ -0,0 +1,3 @@
+export * from './module-pack.js';
+export * from './consts.js';
+export * from './ModuleBE_SessionDB.js';

package/_entity/session/index.js

@@ -0,0 +1,3 @@
+export * from './module-pack.js';
+export * from './consts.js';
+export * from './ModuleBE_SessionDB.js';

package/_entity/session/module-pack.d.ts

@@ -0,0 +1,2 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_SessionDB: Module[];

package/_entity/session/module-pack.js

@@ -0,0 +1,2 @@
+import { ModuleBE_SessionDB } from './ModuleBE_SessionDB.js';
+export const ModulePackBE_SessionDB = [ModuleBE_SessionDB];

package/_entity.d.ts

@@ -0,0 +1,8 @@
+export * from './_entity/account/index.js';
+export * from './_entity/account/index.js';
+export * from './_entity/session/index.js';
+export * from './_entity/session/index.js';
+export * from './_entity/login-attempts/index.js';
+export * from './_entity/login-attempts/index.js';
+export * from './_entity/failed-login-attempt/index.js';
+export * from './_entity/failed-login-attempt/index.js';

package/_entity.js

@@ -0,0 +1,8 @@
+export * from './_entity/account/index.js';
+export * from './_entity/account/index.js';
+export * from './_entity/session/index.js';
+export * from './_entity/session/index.js';
+export * from './_entity/login-attempts/index.js';
+export * from './_entity/login-attempts/index.js';
+export * from './_entity/failed-login-attempt/index.js';
+export * from './_entity/failed-login-attempt/index.js';

package/index.d.ts

@@ -0,0 +1,3 @@
+export * from './module-pack.js';
+export * from './_entity.js';
+export * from './SlackReporter.js';

package/index.js

@@ -0,0 +1,20 @@
+/*
+ * User secured registration and login management system..
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export * from './module-pack.js';
+export * from './_entity.js';
+export * from './SlackReporter.js';

package/module-pack.d.ts

@@ -0,0 +1,3 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_Accounts: Module[];
+export declare const ModulePackBE_Accounts_WOSAML: Module[];

package/module-pack.js

@@ -0,0 +1,35 @@
+/*
+ * User secured registration and login management system..
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { ModulePackBE_AccountDB, ModulePackBE_FailedLoginAttemptDB, ModulePackBE_SAML, ModulePackBE_SessionDB } from './_entity.js';
+import { ModuleBE_SecretManager } from '@nu-art/google-services-backend/modules/ModuleBE_SecretManager';
+import { ModulePackBE_LoginAttemptDB } from './_entity/login-attempts/index.js';
+export const ModulePackBE_Accounts = [
+    ...ModulePackBE_AccountDB,
+    ...ModulePackBE_SAML,
+    ...ModulePackBE_SessionDB,
+    ...ModulePackBE_LoginAttemptDB,
+    ...ModulePackBE_FailedLoginAttemptDB,
+    ModuleBE_SecretManager
+];
+export const ModulePackBE_Accounts_WOSAML = [
+    ...ModulePackBE_AccountDB,
+    ...ModulePackBE_SessionDB,
+    ...ModulePackBE_LoginAttemptDB,
+    ...ModulePackBE_FailedLoginAttemptDB,
+    ModuleBE_SecretManager
+];

package/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "@nu-art/user-account-backend",
+  "version": "0.400.5",
+  "description": "User Account Backend",
+  "keywords": [
+    "TacB0sS",
+    "create account",
+    "express",
+    "infra",
+    "login",
+    "nu-art",
+    "saml",
+    "thunderstorm",
+    "typescript",
+    "user-account"
+  ],
+  "homepage": "https://github.com/nu-art-js/user-account",
+  "bugs": {
+    "url": "https://github.com/nu-art-js/user-account/issues"
+  },
+  "publishConfig": {
+    "directory": "dist",
+    "linkDirectory": true
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://git@github.com:nu-art-js/user-account.git"
+  },
+  "license": "Apache-2.0",
+  "author": "TacB0sS",
+  "scripts": {
+    "build": "tsc",
+    "run-tests": "firebase emulators:exec \"npm run test\"",
+    "test": "ts-mocha -w -p src/test/tsconfig.json --timeout 0 --inspect=8107 --watch-files 'src/test/**/*.test.ts' src/test/**/*.test.ts"
+  },
+  "dependencies": {
+    "@nu-art/user-account-shared": "0.400.5",
+    "@nu-art/firebase-backend": "0.400.5",
+    "@nu-art/firebase-shared": "0.400.5",
+    "@nu-art/slack-backend": "0.400.5",
+    "@nu-art/slack-shared": "0.400.5",
+    "@nu-art/thunderstorm-backend": "0.400.5",
+    "@nu-art/thunderstorm-shared": "0.400.5",
+    "@nu-art/ts-common": "0.400.5",
+    "@nu-art/ts-styles": "0.400.5",
+    "express": "^4.18.2",
+    "firebase": "^11.9.0",
+    "firebase-admin": "13.4.0",
+    "firebase-functions": "6.3.2",
+    "moment": "^2.29.4",
+    "pako": "^2.1.0",
+    "react": "^18.0.0",
+    "request": "^2.88.0",
+    "saml2-js": "^4.0.1",
+    "xmlbuilder": "^15.1.1"
+  },
+  "devDependencies": {
+    "@nu-art/google-services-backend": "0.400.5",
+    "@types/react": "^18.0.0",
+    "@types/express": "^4.17.17",
+    "@types/history": "^4.7.2",
+    "@types/request": "^2.48.1",
+    "@types/saml2-js": "^1.6.8",
+    "@types/pako": "^2.0.0",
+    "@types/jsonwebtoken": "^9.0.6"
+  },
+  "unitConfig": {
+    "type": "typescript-lib"
+  },
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./index.d.ts",
+      "import": "./index.js"
+    },
+    "./*": {
+      "types": "./*.d.ts",
+      "import": "./*.js"
+    }
+  }
+}