@nytejs/auth 1.0.1

package/src/core.ts

@@ -0,0 +1,215 @@
+/*
+ * This file is part of the Nyte.js Project.
+ * Copyright (c) 2026 itsmuzin
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { NyteRequest, NyteResponse } from 'nyte';
+import type { AuthConfig, AuthProviderClass, User, Session } from './types';
+import { SessionManager } from './jwt';
+
+export class HWebAuth {
+    private config: AuthConfig;
+    private sessionManager: SessionManager;
+
+    constructor(config: AuthConfig) {
+        this.config = {
+            session: { strategy: 'jwt', maxAge: 86400, ...config.session },
+            pages: { signIn: '/auth/signin', signOut: '/auth/signout', ...config.pages },
+            ...config
+        };
+
+        this.sessionManager = new SessionManager(
+            config.secret,
+            this.config.session?.maxAge || 86400
+        );
+    }
+
+    /**
+     * Middleware para adicionar autenticação às rotas
+     */
+    private async middleware(req: NyteRequest): Promise<{ session: Session | null; user: User | null }> {
+        const token = this.getTokenFromRequest(req);
+
+        if (!token) {
+            return { session: null, user: null };
+        }
+
+        const session = this.sessionManager.verifySession(token);
+        return {
+            session,
+            user: session?.user || null
+        };
+    }
+
+    /**
+     * Autentica um usuário usando um provider específico
+     */
+    async signIn(providerId: string, credentials: Record<string, string>): Promise<{ session: Session; token: string } | { redirectUrl: string } | null> {
+        const provider = this.config.providers.find(p => p.id === providerId);
+        if (!provider) {
+            console.error(`[hweb-auth] Provider not found: ${providerId}`);
+            return null;
+        }
+
+        try {
+            // Usa o método handleSignIn do provider
+            const result = await provider.handleSignIn(credentials);
+
+            if (!result) return null;
+
+            // Se resultado é string, é URL de redirecionamento OAuth
+            if (typeof result === 'string') {
+                return { redirectUrl: result };
+            }
+
+            // Se resultado é User, cria sessão
+            const user = result as User;
+
+            // Callback de signIn se definido
+            if (this.config.callbacks?.signIn) {
+                const allowed = await this.config.callbacks.signIn(user, { provider: providerId }, {});
+                if (!allowed) return null;
+            }
+
+            const sessionResult = this.sessionManager.createSession(user);
+
+            // Callback de sessão se definido
+            if (this.config.callbacks?.session) {
+                sessionResult.session = await this.config.callbacks.session({session: sessionResult.session, user, provider: providerId});
+            }
+
+            return sessionResult;
+        } catch (error) {
+            console.error(`[hweb-auth] Error signing in with provider ${providerId}:`, error);
+            return null;
+        }
+    }
+
+    /**
+     * Faz logout do usuário
+     */
+    async signOut(req: NyteRequest): Promise<NyteResponse> {
+        // Busca a sessão atual para saber qual provider usar
+        const { session } = await this.middleware(req);
+
+        if (session?.user?.provider) {
+            const provider = this.config.providers.find(p => p.id === session.user.provider);
+            if (provider && provider.handleSignOut) {
+                try {
+                    await provider.handleSignOut();
+                } catch (error) {
+                    console.error(`[hweb-auth] Signout error on provider ${provider.id}:`, error);
+                }
+            }
+        }
+
+        return NyteResponse
+            .json({ success: true })
+            .clearCookie('hweb-auth-token', {
+                path: '/',
+                httpOnly: true,
+                secure: this.config.secureCookies || false,
+                sameSite: 'strict'
+            });
+    }
+
+    /**
+     * Obtém a sessão atual
+     */
+    async getSession(req: NyteRequest): Promise<Session | null> {
+        const { session } = await this.middleware(req);
+        return session;
+    }
+
+    /**
+     * Verifica se o usuário está autenticado
+     */
+    async isAuthenticated(req: NyteRequest): Promise<boolean> {
+        const session = await this.getSession(req);
+        return session !== null;
+    }
+
+    /**
+     * Retorna todos os providers disponíveis (dados públicos)
+     */
+    getProviders(): any[] {
+        return this.config.providers.map(provider => ({
+            id: provider.id,
+            name: provider.name,
+            type: provider.type,
+            config: provider.getConfig ? provider.getConfig() : {}
+        }));
+    }
+
+    /**
+     * Busca um provider específico
+     */
+    getProvider(id: string): AuthProviderClass | null {
+        return this.config.providers.find(p => p.id === id) || null;
+    }
+
+    /**
+     * Retorna todas as rotas adicionais dos providers
+     */
+    getAllAdditionalRoutes(): Array<{ provider: string; route: any }> {
+        const routes: Array<{ provider: string; route: any }> = [];
+
+        for (const provider of this.config.providers) {
+            if (provider.additionalRoutes) {
+                for (const route of provider.additionalRoutes) {
+                    routes.push({ provider: provider.id, route });
+                }
+            }
+        }
+
+        return routes;
+    }
+
+    /**
+     * Cria resposta com cookie de autenticação - Secure implementation
+     */
+    createAuthResponse(token: string, data: any): NyteResponse {
+        return NyteResponse
+            .json(data)
+            .cookie('hweb-auth-token', token, {
+                httpOnly: true,
+                secure: this.config.secureCookies || false, // Always secure, even in development
+                sameSite: 'strict', // Prevent CSRF attacks
+                maxAge: (this.config.session?.maxAge || 86400) * 1000,
+                path: '/',
+                domain: undefined // Let browser set automatically for security
+            })
+            .header('X-Content-Type-Options', 'nosniff')
+            .header('X-Frame-Options', 'DENY')
+            .header('X-XSS-Protection', '1; mode=block')
+            .header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    }
+
+    /**
+     * Extrai token da requisição (cookie ou header)
+     */
+    private getTokenFromRequest(req: NyteRequest): string | null {
+        // Primeiro tenta pegar do cookie
+        const cookieToken = req.cookie('hweb-auth-token');
+        if (cookieToken) return cookieToken;
+
+        // Depois tenta do header Authorization
+        const authHeader = req.header('authorization');
+        if (authHeader && typeof authHeader === 'string' && authHeader.startsWith('Bearer ')) {
+            return authHeader.substring(7);
+        }
+
+        return null;
+    }
+}

package/src/index.ts

@@ -0,0 +1,25 @@
+/*
+ * This file is part of the Nyte.js Project.
+ * Copyright (c) 2026 itsmuzin
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Exportações principais do sistema de autenticação
+export * from './types';
+export * from './providers';
+export * from './core';
+export * from './routes';
+export * from './jwt';
+
+export { CredentialsProvider, DiscordProvider, GoogleProvider } from './providers';
+export { createAuthRoutes } from './routes';

package/src/jwt.ts

@@ -0,0 +1,210 @@
+/*
+ * This file is part of the Nyte.js Project.
+ * Copyright (c) 2026 itsmuzin
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import crypto from 'crypto';
+import type { User, Session } from './types';
+
+export class JWTManager {
+    private secret: string;
+
+    constructor(secret?: string) {
+        if (!secret && !process.env.HWEB_AUTH_SECRET) {
+            throw new Error('JWT secret is required. Set HWEB_AUTH_SECRET environment variable or provide secret parameter.');
+        }
+
+        this.secret = secret || process.env.HWEB_AUTH_SECRET!;
+
+        if (this.secret.length < 32) {
+            throw new Error('JWT secret must be at least 32 characters long for security.');
+        }
+    }
+
+    /**
+     * Cria um JWT token com validação de algoritmo
+     */
+    sign(payload: any, expiresIn: number = 86400): string {
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const now = Math.floor(Date.now() / 1000);
+
+        // Sanitize payload to prevent injection
+        const sanitizedPayload = this.sanitizePayload(payload);
+
+        const tokenPayload = {
+            ...sanitizedPayload,
+            iat: now,
+            exp: now + expiresIn,
+            alg: 'HS256' // Prevent algorithm confusion attacks
+        };
+
+        const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
+        const encodedPayload = this.base64UrlEncode(JSON.stringify(tokenPayload));
+
+        const signature = this.createSignature(encodedHeader + '.' + encodedPayload);
+
+        return `${encodedHeader}.${encodedPayload}.${signature}`;
+    }
+
+    /**
+     * Verifica e decodifica um JWT token com validação rigorosa
+     */
+    verify(token: string): any | null {
+        try {
+            if (!token || typeof token !== 'string') return null;
+
+            const parts = token.split('.');
+            if (parts.length !== 3) return null;
+
+            const [headerEncoded, payloadEncoded, signature] = parts;
+
+            // Decode and validate header
+            const header = JSON.parse(this.base64UrlDecode(headerEncoded));
+            if (header.alg !== 'HS256' || header.typ !== 'JWT') {
+                return null; // Prevent algorithm confusion attacks
+            }
+
+            // Verifica a assinatura usando constant-time comparison
+            const expectedSignature = this.createSignature(headerEncoded + '.' + payloadEncoded);
+            if (!this.constantTimeEqual(signature, expectedSignature)) return null;
+
+            // Decodifica o payload
+            const decodedPayload = JSON.parse(this.base64UrlDecode(payloadEncoded));
+
+            // Validate algorithm in payload matches header
+            if (decodedPayload.alg !== 'HS256') return null;
+
+            // Verifica expiração com margem de erro de 30 segundos
+            const now = Math.floor(Date.now() / 1000);
+            if (decodedPayload.exp && decodedPayload.exp < (now - 30)) {
+                return null;
+            }
+
+            // Validate issued at time (not too far in future)
+            if (decodedPayload.iat && decodedPayload.iat > (now + 300)) {
+                return null;
+            }
+
+            return decodedPayload;
+        } catch (error) {
+            return null;
+        }
+    }
+
+    private sanitizePayload(payload: any): any {
+        if (typeof payload !== 'object' || payload === null) {
+            return {};
+        }
+
+        const sanitized: any = {};
+        for (const [key, value] of Object.entries(payload)) {
+            // Skip dangerous properties
+            if (key.startsWith('__') || key === 'constructor' || key === 'prototype') {
+                continue;
+            }
+            sanitized[key] = value;
+        }
+        return sanitized;
+    }
+
+    private constantTimeEqual(a: string, b: string): boolean {
+        if (a.length !== b.length) return false;
+
+        let result = 0;
+        for (let i = 0; i < a.length; i++) {
+            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+        }
+        return result === 0;
+    }
+
+    private base64UrlEncode(str: string): string {
+        return Buffer.from(str)
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+
+    private base64UrlDecode(str: string): string {
+        str += '='.repeat(4 - str.length % 4);
+        return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();
+    }
+
+    private createSignature(data: string): string {
+        return crypto
+            .createHmac('sha256', this.secret)
+            .update(data)
+            .digest('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+}
+
+export class SessionManager {
+    private jwtManager: JWTManager;
+    private maxAge: number;
+
+    constructor(secret?: string, maxAge: number = 86400) {
+        this.jwtManager = new JWTManager(secret);
+        this.maxAge = maxAge;
+    }
+
+    /**
+     * Cria uma nova sessão
+     */
+    createSession(user: User): { session: Session; token: string } {
+        const expires = new Date(Date.now() + this.maxAge * 1000).toISOString();
+
+        const session: Session = {
+            user,
+            expires
+        };
+
+        const token = this.jwtManager.sign({
+            ...user
+        }, this.maxAge);
+
+        return { session, token };
+    }
+
+    /**
+     * Verifica uma sessão a partir do token
+     */
+    verifySession(token: string): Session | null {
+        try {
+            const payload = this.jwtManager.verify(token);
+            if (!payload) return null;
+
+            const session: Session = {
+                user: payload,
+                expires: new Date(payload.exp * 1000).toISOString()
+            };
+
+            return session;
+        } catch (error) {
+            return null;
+        }
+    }
+
+    /**
+     * Atualiza uma sessão existente
+     */
+    updateSession(token: string): { session: Session; token: string } | null {
+        const currentSession = this.verifySession(token);
+        if (!currentSession) return null;
+
+        return this.createSession(currentSession.user);
+    }
+}

package/src/providers/credentials.ts

@@ -0,0 +1,138 @@
+/*
+ * This file is part of the Nyte.js Project.
+ * Copyright (c) 2026 itsmuzin
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import type { AuthProviderClass, User, AuthRoute } from '../types';
+
+export interface CredentialsConfig {
+    id?: string;
+    name?: string;
+    credentials: Record<string, {
+        label: string;
+        type: string;
+        placeholder?: string;
+    }>;
+    authorize: (credentials: Record<string, string>) => Promise<User | null> | User | null;
+}
+
+/**
+ * Provider para autenticação com credenciais (email/senha)
+ *
+ * Este provider permite autenticação usando email/senha ou qualquer outro
+ * sistema de credenciais customizado. Você define a função authorize
+ * que será chamada para validar as credenciais.
+ *
+ * Exemplo de uso:
+ * ```typescript
+ * new CredentialsProvider({
+ *   name: "Credentials",
+ *   credentials: {
+ *     email: { label: "Email", type: "email" },
+ *     password: { label: "Password", type: "password" }
+ *   },
+ *   async authorize(credentials) {
+ *     // Aqui você faz a validação com seu banco de dados
+ *     const user = await validateUser(credentials.email, credentials.password);
+ *     if (user) {
+ *       return { id: user.id, name: user.name, email: user.email };
+ *     }
+ *     return null;
+ *   }
+ * })
+ * ```
+ */
+export class CredentialsProvider implements AuthProviderClass {
+    public readonly id: string;
+    public readonly name: string;
+    public readonly type: string = 'credentials';
+
+    private config: CredentialsConfig;
+
+    constructor(config: CredentialsConfig) {
+        this.config = config;
+        this.id = config.id || 'credentials';
+        this.name = config.name || 'Credentials';
+    }
+
+    /**
+     * Método principal para autenticar usuário com credenciais
+     */
+    async handleSignIn(credentials: Record<string, string>): Promise<User | null> {
+        try {
+            if (!this.config.authorize) {
+                throw new Error('Authorize function not provided');
+            }
+
+            const user = await this.config.authorize(credentials);
+
+            if (!user) {
+                return null;
+            }
+
+            // Adiciona informações do provider ao usuário
+            return {
+                ...user,
+                provider: this.id,
+                providerId: user.id || user.email || 'unknown'
+            };
+
+        } catch (error) {
+            console.error(`[${this.id} Provider] Error during sign in:`, error);
+            return null;
+        }
+    }
+
+
+
+    /**
+     * Retorna configuração pública do provider
+     */
+    getConfig(): any {
+        return {
+            id: this.id,
+            name: this.name,
+            type: this.type,
+            credentials: this.config.credentials
+        };
+    }
+
+    /**
+     * Valida se as credenciais fornecidas são válidas
+     */
+    validateCredentials(credentials: Record<string, string>): boolean {
+        for (const [key, field] of Object.entries(this.config.credentials)) {
+            if (!credentials[key]) {
+                console.warn(`[${this.id} Provider] Missing required credential: ${key}`);
+                return false;
+            }
+
+            // Validações básicas por tipo
+            if (field.type === 'email' && !this.isValidEmail(credentials[key])) {
+                console.warn(`[${this.id} Provider] Invalid email format: ${credentials[key]}`);
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Validação simples de email
+     */
+    private isValidEmail(email: string): boolean {
+        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+        return emailRegex.test(email);
+    }
+}