@onlineapps/service-validator-core 1.0.2

package/src/security/tokenManager.js

@@ -0,0 +1,194 @@
+const jwt = require('jsonwebtoken');
+const crypto = require('crypto');
+
+class TokenManager {
+  constructor(config = {}) {
+    this.secret = config.secret || process.env.VALIDATION_TOKEN_SECRET || this.generateSecret();
+    this.expiresIn = config.expiresIn || '24h';
+    this.algorithm = config.algorithm || 'HS256';
+    this.issuer = config.issuer || 'validation-core';
+    this.usedTokens = new Set(); // Track used tokens for single-use enforcement
+  }
+
+  /**
+   * Generate a secure secret if none provided
+   * @returns {string} Generated secret
+   */
+  generateSecret() {
+    return crypto.randomBytes(64).toString('hex');
+  }
+
+  /**
+   * Generate a pre-validation token with a new random secret
+   * @param {object} payload - Token payload
+   * @returns {Promise<object>} Generated token and secret
+   */
+  async generateToken(payload) {
+    const tokenId = crypto.randomBytes(16).toString('hex');
+
+    // Generate a random secret for this specific token
+    const tokenSecret = crypto.randomBytes(64).toString('hex');
+
+    const tokenPayload = {
+      ...payload,
+      jti: tokenId, // JWT ID for tracking single use
+      iat: Math.floor(Date.now() / 1000),
+      iss: this.issuer,
+      type: payload.type || 'pre-validation'
+    };
+
+    const options = {
+      expiresIn: this.expiresIn,
+      algorithm: this.algorithm
+    };
+
+    const token = jwt.sign(tokenPayload, tokenSecret, options);
+
+    // Return both token and secret
+    return {
+      token,
+      secret: tokenSecret,
+      tokenId
+    };
+  }
+
+  /**
+   * Verify and decode a token
+   * @param {string} token - Token to verify
+   * @param {string} secret - Secret to verify with (optional, uses provided secret)
+   * @returns {Promise<object>} Decoded payload
+   */
+  async verifyToken(token, secret = null) {
+    try {
+      // Use provided secret or fall back to instance secret
+      const verifySecret = secret || this.secret;
+
+      // Verify token signature and expiration
+      const decoded = jwt.verify(token, verifySecret, {
+        algorithms: [this.algorithm],
+        issuer: this.issuer
+      });
+
+      // Check if token has already been used (single-use enforcement)
+      if (decoded.jti && this.usedTokens.has(decoded.jti)) {
+        throw new Error('Token has already been used');
+      }
+
+      // Mark token as used
+      if (decoded.jti) {
+        this.usedTokens.add(decoded.jti);
+
+        // Clean up old tokens after expiry (prevent memory leak)
+        if (this.usedTokens.size > 10000) {
+          this.cleanupUsedTokens();
+        }
+      }
+
+      return decoded;
+    } catch (error) {
+      if (error.name === 'TokenExpiredError') {
+        throw new Error('Token has expired');
+      } else if (error.name === 'JsonWebTokenError') {
+        throw new Error('Invalid token');
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Generate a validation request token (for service-to-validator communication)
+   * @param {object} preValidationResult - Pre-validation results
+   * @param {string} serviceName - Service requesting validation
+   * @returns {Promise<string>} Request token
+   */
+  async generateRequestToken(preValidationResult, serviceName) {
+    if (!preValidationResult.success) {
+      throw new Error('Cannot generate request token for failed pre-validation');
+    }
+
+    return this.generateToken({
+      type: 'validation-request',
+      serviceName,
+      preValidation: {
+        timestamp: preValidationResult.timestamp,
+        checks: preValidationResult.checks
+      },
+      expiresIn: '1h' // Shorter expiry for request tokens
+    });
+  }
+
+  /**
+   * Verify a validation request token
+   * @param {string} token - Request token
+   * @returns {Promise<object>} Token payload
+   */
+  async verifyRequestToken(token) {
+    const decoded = await this.verifyToken(token);
+
+    if (decoded.type !== 'validation-request') {
+      throw new Error('Invalid token type for validation request');
+    }
+
+    if (!decoded.preValidation) {
+      throw new Error('Missing pre-validation data in request token');
+    }
+
+    return decoded;
+  }
+
+  /**
+   * Clean up expired tokens from used tokens set
+   */
+  cleanupUsedTokens() {
+    // In a production environment, this would check expiry times
+    // For now, we'll clear half of the oldest tokens
+    const tokensToKeep = Array.from(this.usedTokens).slice(-5000);
+    this.usedTokens = new Set(tokensToKeep);
+  }
+
+  /**
+   * Revoke a token (add to blacklist)
+   * @param {string} tokenOrJti - Token or JWT ID to revoke
+   */
+  revokeToken(tokenOrJti) {
+    try {
+      // Try to decode if it's a full token
+      const decoded = jwt.decode(tokenOrJti);
+      if (decoded && decoded.jti) {
+        this.usedTokens.add(decoded.jti);
+      } else {
+        // Assume it's a JTI directly
+        this.usedTokens.add(tokenOrJti);
+      }
+    } catch {
+      // If decode fails, assume it's a JTI
+      this.usedTokens.add(tokenOrJti);
+    }
+  }
+
+  /**
+   * Check if a token is revoked/used
+   * @param {string} token - Token to check
+   * @returns {boolean} True if revoked/used
+   */
+  isTokenRevoked(token) {
+    try {
+      const decoded = jwt.decode(token);
+      return decoded && decoded.jti && this.usedTokens.has(decoded.jti);
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Generate a fingerprint for validation data
+   * @param {object} validationData - Data to fingerprint
+   * @returns {string} Fingerprint hash
+   */
+  generateFingerprint(validationData) {
+    const sortedData = JSON.stringify(validationData, Object.keys(validationData).sort());
+    return crypto.createHash('sha256').update(sortedData).digest('hex');
+  }
+}
+
+module.exports = TokenManager;

package/src/validators/connectorValidator.js

@@ -0,0 +1,235 @@
+class ConnectorValidator {
+  constructor(requiredConnectors = []) {
+    this.requiredConnectors = requiredConnectors.length > 0 ? requiredConnectors : [
+      'connector-logger',
+      'connector-storage',
+      'connector-registry-client',
+      'connector-mq-client',
+      'connector-cookbook'
+    ];
+  }
+
+  /**
+   * Validates connector usage in service
+   * @param {object} metadata - Service metadata containing connector info
+   * @returns {Promise<object>} Validation result
+   */
+  async validate(metadata) {
+    const result = {
+      valid: true,
+      errors: [],
+      warnings: [],
+      info: {
+        connectors: {},
+        missingRequired: [],
+        additionalConnectors: []
+      }
+    };
+
+    try {
+      const connectors = metadata.connectors || {};
+
+      // Check for required connectors
+      for (const connectorName of this.requiredConnectors) {
+        const hasConnector = connectors[connectorName] !== undefined;
+        result.info.connectors[connectorName] = hasConnector;
+
+        if (!hasConnector) {
+          result.warnings.push(`Missing required connector: ${connectorName}`);
+          result.info.missingRequired.push(connectorName);
+        } else {
+          // Validate connector configuration
+          const connectorConfig = connectors[connectorName];
+          
+          if (typeof connectorConfig === 'object') {
+            // Check for version
+            if (!connectorConfig.version) {
+              result.warnings.push(`Connector ${connectorName} missing version information`);
+            } else {
+              // Validate version format
+              if (!this.isValidVersion(connectorConfig.version)) {
+                result.warnings.push(`Connector ${connectorName} has invalid version format: ${connectorConfig.version}`);
+              }
+            }
+
+            // Check if enabled
+            if (connectorConfig.enabled === false) {
+              result.warnings.push(`Connector ${connectorName} is disabled`);
+            }
+
+            // Check for configuration
+            if (!connectorConfig.config && connectorConfig.enabled !== false) {
+              result.info.connectors[connectorName] = {
+                present: true,
+                configured: false
+              };
+            } else {
+              result.info.connectors[connectorName] = {
+                present: true,
+                configured: true,
+                version: connectorConfig.version
+              };
+            }
+          }
+        }
+      }
+
+      // Check for additional connectors (not in required list)
+      Object.keys(connectors).forEach(connectorName => {
+        if (!this.requiredConnectors.includes(connectorName)) {
+          result.info.additionalConnectors.push(connectorName);
+        }
+      });
+
+      // Special checks for specific connectors
+      this.validateSpecialConnectors(connectors, result);
+
+      // Check health endpoint
+      if (!metadata.health && !metadata.healthEndpoint) {
+        result.warnings.push('Service should define a health check endpoint');
+      }
+
+      // Check for workflow support
+      if (!connectors['connector-cookbook']?.enabled) {
+        result.warnings.push('Service should support workflow processing via connector-cookbook');
+      }
+
+      // Check for logging
+      if (!connectors['connector-logger']) {
+        result.errors.push('connector-logger is critical for service observability');
+      }
+
+      // Determine overall validity
+      if (result.info.missingRequired.length > 0) {
+        result.valid = false;
+      }
+
+      if (result.errors.length > 0) {
+        result.valid = false;
+      }
+
+    } catch (error) {
+      result.valid = false;
+      result.errors.push(`Connector validation error: ${error.message}`);
+    }
+
+    return result;
+  }
+
+  /**
+   * Validate special connector requirements
+   * @param {object} connectors - Connectors configuration
+   * @param {object} result - Validation result object to update
+   */
+  validateSpecialConnectors(connectors, result) {
+    // MQ Client specific checks
+    if (connectors['connector-mq-client']) {
+      const mqConfig = connectors['connector-mq-client'];
+      if (mqConfig.config) {
+        if (!mqConfig.config.url && !mqConfig.config.host) {
+          result.warnings.push('connector-mq-client should have URL or host configured');
+        }
+      }
+    }
+
+    // Storage connector checks
+    if (connectors['connector-storage']) {
+      const storageConfig = connectors['connector-storage'];
+      if (storageConfig.config) {
+        if (!storageConfig.config.bucket && !storageConfig.config.defaultBucket) {
+          result.warnings.push('connector-storage should have bucket configured');
+        }
+      }
+    }
+
+    // Registry client checks
+    if (connectors['connector-registry-client']) {
+      const registryConfig = connectors['connector-registry-client'];
+      if (registryConfig.config) {
+        if (!registryConfig.config.serviceName) {
+          result.errors.push('connector-registry-client must have serviceName configured');
+        }
+      }
+    }
+
+    // Logger checks
+    if (connectors['connector-logger']) {
+      const loggerConfig = connectors['connector-logger'];
+      if (loggerConfig.config) {
+        if (!loggerConfig.config.level) {
+          result.warnings.push('connector-logger should have log level configured');
+        }
+      }
+    }
+  }
+
+  /**
+   * Check if version string is valid semver
+   * @param {string} version - Version string to validate
+   * @returns {boolean} Validation result
+   */
+  isValidVersion(version) {
+    // Simple semver check
+    const semverRegex = /^\d+\.\d+\.\d+(-[\w\.]+)?(\+[\w\.]+)?$/;
+    return semverRegex.test(version);
+  }
+
+  /**
+   * Generate connector report
+   * @param {object} metadata - Service metadata
+   * @returns {object} Connector report
+   */
+  generateReport(metadata) {
+    const connectors = metadata.connectors || {};
+    const report = {
+      summary: {
+        total: Object.keys(connectors).length,
+        required: this.requiredConnectors.length,
+        missing: 0,
+        disabled: 0
+      },
+      details: []
+    };
+
+    // Check each required connector
+    this.requiredConnectors.forEach(name => {
+      const connector = connectors[name];
+      const detail = {
+        name,
+        required: true,
+        present: !!connector,
+        enabled: connector ? connector.enabled !== false : false,
+        version: connector?.version || null,
+        configured: connector?.config ? true : false
+      };
+
+      if (!detail.present) {
+        report.summary.missing++;
+      }
+      if (detail.present && !detail.enabled) {
+        report.summary.disabled++;
+      }
+
+      report.details.push(detail);
+    });
+
+    // Add additional connectors
+    Object.keys(connectors).forEach(name => {
+      if (!this.requiredConnectors.includes(name)) {
+        const connector = connectors[name];
+        report.details.push({
+          name,
+          required: false,
+          present: true,
+          enabled: connector.enabled !== false,
+          version: connector.version || null,
+          configured: connector.config ? true : false
+        });
+      }
+    });
+
+    return report;
+  }
+}
+
+module.exports = ConnectorValidator;

package/src/validators/endpointValidator.js

@@ -0,0 +1,165 @@
+class EndpointValidator {
+  /**
+   * Validates service endpoints
+   * @param {Array} endpoints - Array of endpoint definitions
+   * @returns {Promise<object>} Validation result
+   */
+  async validate(endpoints) {
+    const result = {
+      valid: true,
+      errors: [],
+      warnings: [],
+      info: {}
+    };
+
+    try {
+      // Check if endpoints is an array
+      if (!Array.isArray(endpoints)) {
+        result.valid = false;
+        result.errors.push('Endpoints must be an array');
+        return result;
+      }
+
+      // Check for at least one endpoint
+      if (endpoints.length === 0) {
+        result.valid = false;
+        result.errors.push('Service must define at least one endpoint');
+        return result;
+      }
+
+      result.info.count = endpoints.length;
+      const paths = new Set();
+      const validMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'];
+
+      // Validate each endpoint
+      for (let i = 0; i < endpoints.length; i++) {
+        const endpoint = endpoints[i];
+        const endpointPrefix = `Endpoint[${i}]`;
+
+        // Validate required fields
+        if (!endpoint.path) {
+          result.errors.push(`${endpointPrefix}: Missing required "path" field`);
+          continue;
+        }
+
+        if (!endpoint.method) {
+          result.errors.push(`${endpointPrefix} ${endpoint.path}: Missing required "method" field`);
+          continue;
+        }
+
+        // Validate path format
+        if (!endpoint.path.startsWith('/')) {
+          result.errors.push(`${endpointPrefix}: Path "${endpoint.path}" must start with /`);
+        }
+
+        // Validate method
+        const method = endpoint.method.toUpperCase();
+        if (!validMethods.includes(method)) {
+          result.errors.push(`${endpointPrefix} ${endpoint.path}: Invalid method "${endpoint.method}"`);
+        }
+
+        // Check for duplicates
+        const key = `${method} ${endpoint.path}`;
+        if (paths.has(key)) {
+          result.errors.push(`${endpointPrefix}: Duplicate endpoint definition: ${key}`);
+        }
+        paths.add(key);
+
+        // Validate handler
+        if (endpoint.handler) {
+          if (typeof endpoint.handler !== 'string' && typeof endpoint.handler !== 'function') {
+            result.errors.push(`${endpointPrefix} ${endpoint.path}: Handler must be a string or function`);
+          }
+        }
+
+        // Validate middleware (if present)
+        if (endpoint.middleware) {
+          if (!Array.isArray(endpoint.middleware)) {
+            result.warnings.push(`${endpointPrefix} ${endpoint.path}: Middleware should be an array`);
+          }
+        }
+
+        // Check for authentication
+        if (endpoint.auth === undefined) {
+          result.warnings.push(`${endpointPrefix} ${endpoint.path}: Consider explicitly setting auth requirement`);
+        }
+
+        // Validate rate limiting
+        if (endpoint.rateLimit && typeof endpoint.rateLimit !== 'object') {
+          result.warnings.push(`${endpointPrefix} ${endpoint.path}: Rate limit should be an object`);
+        }
+      }
+
+      // Additional checks
+      const hasMethods = {
+        GET: false,
+        POST: false,
+        PUT: false,
+        PATCH: false,
+        DELETE: false
+      };
+
+      endpoints.forEach(ep => {
+        if (ep.method) {
+          hasMethods[ep.method.toUpperCase()] = true;
+        }
+      });
+
+      // Check for REST compliance
+      if (hasMethods.POST && !hasMethods.GET) {
+        result.warnings.push('REST API should provide GET endpoints for resources that can be created');
+      }
+
+      if (hasMethods.DELETE && !hasMethods.GET) {
+        result.warnings.push('REST API should provide GET endpoints for resources that can be deleted');
+      }
+
+      result.info.methods = Object.keys(hasMethods).filter(m => hasMethods[m]);
+
+      if (result.errors.length > 0) {
+        result.valid = false;
+      }
+
+    } catch (error) {
+      result.valid = false;
+      result.errors.push(`Endpoint validation error: ${error.message}`);
+    }
+
+    return result;
+  }
+
+  /**
+   * Generate endpoint documentation
+   * @param {Array} endpoints - Array of endpoint definitions
+   * @returns {object} Generated documentation
+   */
+  generateDocumentation(endpoints) {
+    const docs = {
+      endpoints: [],
+      summary: {
+        total: endpoints.length,
+        byMethod: {}
+      }
+    };
+
+    const methodCounts = {};
+
+    endpoints.forEach(endpoint => {
+      const method = endpoint.method?.toUpperCase() || 'UNKNOWN';
+      methodCounts[method] = (methodCounts[method] || 0) + 1;
+
+      docs.endpoints.push({
+        method: method,
+        path: endpoint.path,
+        description: endpoint.description || 'No description provided',
+        auth: endpoint.auth !== undefined ? endpoint.auth : 'Not specified',
+        handler: endpoint.handler || 'Not specified'
+      });
+    });
+
+    docs.summary.byMethod = methodCounts;
+    return docs;
+  }
+}
+
+module.exports = EndpointValidator;