@oxyhq/services 5.7.5 → 5.8.1

package/lib/module/node/createAuth.js

@@ -2,10 +2,423 @@
 
 import express from 'express';
 import { OxyServices } from '../core';
+import { jwtDecode } from 'jwt-decode';
+
+// Types for enhanced authentication
+
+// User cache for performance
+class UserCache {
+  cache = new Map();
+  constructor(ttl = 300) {
+    // 5 minutes default
+    this.ttl = ttl * 1000;
+  }
+  set(userId, user) {
+    this.cache.set(userId, {
+      user,
+      expiresAt: Date.now() + this.ttl
+    });
+  }
+  get(userId) {
+    const item = this.cache.get(userId);
+    if (!item || Date.now() > item.expiresAt) {
+      this.cache.delete(userId);
+      return null;
+    }
+    return item.user;
+  }
+  clear() {
+    this.cache.clear();
+  }
+}
+
+/**
+ * Enhanced OxyAuth class for backend authentication
+ */
+export class OxyAuth {
+  userCache = null;
+  constructor(options) {
+    this.options = {
+      loadFullUser: true,
+      enableSessionAuth: true,
+      enableDeviceAuth: true,
+      cacheUserData: true,
+      userCacheTTL: 300,
+      ...options
+    };
+    this.oxy = new OxyServices({
+      baseURL: options.baseURL
+    });
+    if (this.options.cacheUserData) {
+      this.userCache = new UserCache(this.options.userCacheTTL);
+    }
+  }
+
+  /**
+   * Create authentication middleware
+   */
+  createAuthMiddleware(options = {}) {
+    return async (req, res, next) => {
+      try {
+        const result = await this.authenticateRequest(req);
+        if (!result.valid && options.required !== false) {
+          const error = {
+            message: 'Authentication required',
+            code: 'AUTH_REQUIRED'
+          };
+          if (options.onError) {
+            options.onError(error, req, res);
+          } else {
+            res.status(401).json(error);
+          }
+          return;
+        }
+
+        // Check roles if specified
+        if (result.valid && options.roles && result.user) {
+          const hasRole = options.roles.some(role => result.user.roles?.includes(role) || result.user.role === role);
+          if (!hasRole) {
+            const error = {
+              message: 'Insufficient permissions',
+              code: 'INSUFFICIENT_ROLES'
+            };
+            if (options.onError) {
+              options.onError(error, req, res);
+            } else {
+              res.status(403).json(error);
+            }
+            return;
+          }
+        }
+
+        // Check permissions if specified
+        if (result.valid && options.permissions && result.userId) {
+          for (const permission of options.permissions) {
+            const hasPermission = await this.hasPermission(result.userId, permission);
+            if (!hasPermission) {
+              const error = {
+                message: 'Insufficient permissions',
+                code: 'INSUFFICIENT_PERMISSIONS'
+              };
+              if (options.onError) {
+                options.onError(error, req, res);
+              } else {
+                res.status(403).json(error);
+              }
+              return;
+            }
+          }
+        }
+        next();
+      } catch (error) {
+        if (options.onError) {
+          options.onError(error, req, res);
+        } else {
+          res.status(500).json({
+            message: 'Authentication error'
+          });
+        }
+      }
+    };
+  }
+
+  /**
+   * Authenticate request and populate user data
+   */
+  async authenticateRequest(req) {
+    // Try JWT token first
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const token = authHeader.substring(7);
+      const result = await this.validateToken(token);
+      if (result.valid) {
+        req.user = result.user;
+        req.userId = result.userId;
+        req.accessToken = token;
+        return {
+          ...result,
+          accessToken: token
+        };
+      }
+    }
+
+    // Try session-based auth
+    if (this.options.enableSessionAuth) {
+      const sessionId = req.headers['x-session-id'];
+      if (sessionId) {
+        const result = await this.validateSession(sessionId);
+        if (result.valid) {
+          req.user = result.user;
+          req.userId = result.userId;
+          req.sessionId = sessionId;
+          return result;
+        }
+      }
+    }
+
+    // Try device-based auth
+    if (this.options.enableDeviceAuth) {
+      const deviceFingerprint = req.headers['x-device-fingerprint'];
+      const userId = req.headers['x-user-id'];
+      if (deviceFingerprint && userId) {
+        const result = await this.validateDevice(userId, deviceFingerprint);
+        if (result.valid) {
+          req.user = result.user;
+          req.userId = result.userId;
+          req.deviceFingerprint = deviceFingerprint;
+          return result;
+        }
+      }
+    }
+    return {
+      valid: false,
+      error: 'No valid authentication found'
+    };
+  }
+
+  /**
+   * Validate JWT token
+   */
+  async validateToken(token) {
+    try {
+      // Local JWT validation if secret is provided
+      if (this.options.jwtSecret) {
+        const decoded = jwtDecode(token);
+        const currentTime = Math.floor(Date.now() / 1000);
+        if (decoded.exp && decoded.exp < currentTime) {
+          return {
+            valid: false,
+            error: 'Token expired',
+            code: 'TOKEN_EXPIRED',
+            expiresAt: decoded.exp
+          };
+        }
+        const userId = decoded.userId || decoded.id;
+        if (!userId) {
+          return {
+            valid: false,
+            error: 'Invalid token payload',
+            code: 'INVALID_PAYLOAD'
+          };
+        }
+
+        // Get user data from cache or API
+        let user = this.userCache?.get(userId);
+        const cached = !!user;
+        if (!user && this.options.loadFullUser) {
+          try {
+            user = await this.oxy.getUserById(userId);
+            this.userCache?.set(userId, user);
+          } catch (error) {
+            user = {
+              id: userId
+            };
+          }
+        } else if (!user) {
+          user = {
+            id: userId
+          };
+        }
+        return {
+          valid: true,
+          userId,
+          user,
+          expiresAt: decoded.exp,
+          cached
+        };
+      }
+
+      // Remote validation using OxyServices
+      const tempOxy = new OxyServices({
+        baseURL: this.oxy.getBaseURL()
+      });
+      tempOxy.setTokens(token, '');
+      const isValid = await tempOxy.validate();
+      if (!isValid) {
+        return {
+          valid: false,
+          error: 'Invalid token',
+          code: 'INVALID_TOKEN'
+        };
+      }
+      const userId = tempOxy.getCurrentUserId();
+      if (!userId) {
+        return {
+          valid: false,
+          error: 'Invalid token payload',
+          code: 'INVALID_PAYLOAD'
+        };
+      }
+
+      // Get user data
+      let user = this.userCache?.get(userId);
+      const cached = !!user;
+      if (!user && this.options.loadFullUser) {
+        try {
+          user = await tempOxy.getUserById(userId);
+          this.userCache?.set(userId, user);
+        } catch (error) {
+          user = {
+            id: userId
+          };
+        }
+      } else if (!user) {
+        user = {
+          id: userId
+        };
+      }
+      return {
+        valid: true,
+        userId,
+        user,
+        cached
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: 'Token validation failed',
+        code: 'VALIDATION_ERROR'
+      };
+    }
+  }
+
+  /**
+   * Validate session-based authentication
+   */
+  async validateSession(sessionId, deviceFingerprint) {
+    try {
+      // This would integrate with your session management system
+      // For now, it's a placeholder implementation
+      return {
+        valid: false,
+        error: 'Session validation not implemented',
+        code: 'NOT_IMPLEMENTED'
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: 'Session validation failed',
+        code: 'VALIDATION_ERROR'
+      };
+    }
+  }
+
+  /**
+   * Validate device-based authentication
+   */
+  async validateDevice(userId, deviceFingerprint) {
+    try {
+      // This would validate device fingerprint against stored data
+      // For now, it's a placeholder implementation
+      return {
+        valid: false,
+        error: 'Device validation not implemented',
+        code: 'NOT_IMPLEMENTED'
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: 'Device validation failed',
+        code: 'VALIDATION_ERROR'
+      };
+    }
+  }
+
+  /**
+   * Create role-based middleware
+   */
+  requireRole(roles) {
+    const roleArray = Array.isArray(roles) ? roles : [roles];
+    return this.createAuthMiddleware({
+      required: true,
+      roles: roleArray
+    });
+  }
+
+  /**
+   * Create permission-based middleware
+   */
+  requirePermission(permissions) {
+    const permissionArray = Array.isArray(permissions) ? permissions : [permissions];
+    return this.createAuthMiddleware({
+      required: true,
+      permissions: permissionArray
+    });
+  }
+
+  /**
+   * Create optional authentication middleware
+   */
+  optionalAuth() {
+    return this.createAuthMiddleware({
+      required: false,
+      onError: () => {} // No error thrown for optional auth
+    });
+  }
+
+  /**
+   * Clear user cache
+   */
+  clearCache() {
+    this.userCache?.clear();
+  }
+
+  /**
+   * Check if user data is cached for a given token
+   */
+  isUserCached(token) {
+    try {
+      const decoded = jwtDecode(token);
+      const userId = decoded.userId || decoded.id;
+      return userId ? this.userCache?.get(userId) !== null : false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if user has a specific permission
+   */
+  async hasPermission(userId, permission) {
+    try {
+      // This is a placeholder implementation
+      // In a real implementation, you would check against user roles/permissions
+      const user = this.userCache?.get(userId) || (await this.oxy.getUserById(userId));
+      return user?.permissions?.includes(permission) || user?.role === 'admin' || false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Get OxyServices instance
+   */
+  getOxyServices() {
+    return this.oxy;
+  }
+}
+/**
+ * Enhanced createAuth function that provides both router and middleware capabilities
+ * 
+ * This is a unified authentication system that:
+ * 1. Maintains backward compatibility with the old router-based approach
+ * 2. Adds powerful new middleware capabilities
+ * 3. Includes caching, role-based access, and performance optimizations
+ * 4. Supports multiple authentication strategies
+ */
 export function createAuth(options) {
-  const oxy = new OxyServices({
-    baseURL: options.baseURL
-  });
+  // Create the enhanced OxyAuth instance
+  const authOptions = {
+    baseURL: options.baseURL,
+    jwtSecret: options.jwtSecret,
+    loadFullUser: options.loadFullUser ?? true,
+    enableSessionAuth: options.enableSessionAuth ?? true,
+    enableDeviceAuth: options.enableDeviceAuth ?? true,
+    cacheUserData: options.cacheUserData ?? true,
+    userCacheTTL: options.userCacheTTL ?? 300
+  };
+  const oxyAuth = new OxyAuth(authOptions);
+  const oxy = oxyAuth.getOxyServices();
   const router = express.Router();
 
   // Helper to handle async route functions
@@ -18,73 +431,237 @@ export function createAuth(options) {
       });
     }
   };
+
+  // Enhanced signup with validation
   router.post('/signup', wrap(async (req, res) => {
     const {
       username,
       email,
       password
     } = req.body;
+
+    // Enhanced validation
+    if (!username || !email || !password) {
+      return res.status(400).json({
+        message: 'Username, email, and password are required'
+      });
+    }
     const result = await oxy.signUp(username, email, password);
     res.json(result);
   }));
+
+  // Enhanced login with device fingerprinting
   router.post('/login', wrap(async (req, res) => {
     const {
       username,
-      password
+      password,
+      deviceFingerprint
     } = req.body;
+    if (!username || !password) {
+      return res.status(400).json({
+        message: 'Username and password are required'
+      });
+    }
     const result = await oxy.login(username, password);
+
+    // Store device fingerprint if provided
+    if (deviceFingerprint && result.user?.id) {
+      // This could be stored in a database for device tracking
+      console.log(`Device login: ${deviceFingerprint} for user ${result.user.id}`);
+    }
     res.json(result);
   }));
+
+  // Enhanced logout with session management
   router.post('/logout', wrap(async (req, res) => {
     const token = req.headers.authorization?.split(' ')[1];
     const refreshToken = req.body.refreshToken;
+    const sessionId = req.body.sessionId;
     if (token) oxy.setTokens(token, refreshToken);
-    await oxy.logout();
+
+    // Enhanced logout with session tracking
+    if (sessionId) {
+      await oxy.logoutSession(sessionId);
+    } else {
+      await oxy.logout();
+    }
     res.json({
       success: true
     });
   }));
+
+  // Enhanced token refresh
   router.post('/refresh', wrap(async (req, res) => {
     const refreshToken = req.body.refreshToken;
     const accessToken = req.headers.authorization?.split(' ')[1] || '';
+    if (!refreshToken) {
+      return res.status(400).json({
+        message: 'Refresh token is required'
+      });
+    }
     oxy.setTokens(accessToken, refreshToken);
     const tokens = await oxy.refreshTokens();
     res.json(tokens);
   }));
+
+  // Enhanced token validation with caching
   router.get('/validate', wrap(async (req, res) => {
     const token = req.headers.authorization?.split(' ')[1] || '';
+    if (!token) {
+      return res.status(401).json({
+        valid: false,
+        message: 'No token provided'
+      });
+    }
     oxy.setTokens(token, '');
     const valid = await oxy.validate();
+
+    // Enhanced response with more details
     res.json({
-      valid
+      valid,
+      timestamp: new Date().toISOString(),
+      cached: oxyAuth.isUserCached(token) // Check if user data is cached
     });
   }));
+
+  // Enhanced sessions management
   router.get('/sessions', wrap(async (req, res) => {
     const token = req.headers.authorization?.split(' ')[1] || '';
+    if (!token) {
+      return res.status(401).json({
+        message: 'Authentication required'
+      });
+    }
     oxy.setTokens(token, '');
     const sessions = await oxy.getUserSessions();
     res.json(sessions);
   }));
+
+  // Enhanced session deletion
   router.delete('/sessions/:id', wrap(async (req, res) => {
     const token = req.headers.authorization?.split(' ')[1] || '';
+    if (!token) {
+      return res.status(401).json({
+        message: 'Authentication required'
+      });
+    }
     oxy.setTokens(token, '');
     const result = await oxy.logoutSession(req.params.id);
+
+    // Clear cache for this user if logout was successful
+    if (result.success) {
+      oxyAuth.clearCache();
+    }
     res.json(result);
   }));
+
+  // Enhanced logout other sessions
   router.post('/sessions/logout-others', wrap(async (req, res) => {
     const token = req.headers.authorization?.split(' ')[1] || '';
+    if (!token) {
+      return res.status(401).json({
+        message: 'Authentication required'
+      });
+    }
     oxy.setTokens(token, '');
     const result = await oxy.logoutOtherSessions();
+
+    // Clear cache for this user
+    if (result.success) {
+      oxyAuth.clearCache();
+    }
     res.json(result);
   }));
+
+  // Enhanced logout all sessions
   router.post('/sessions/logout-all', wrap(async (req, res) => {
     const token = req.headers.authorization?.split(' ')[1] || '';
+    if (!token) {
+      return res.status(401).json({
+        message: 'Authentication required'
+      });
+    }
     oxy.setTokens(token, '');
     const result = await oxy.logoutAllSessions();
+
+    // Clear all cache
+    if (result.success) {
+      oxyAuth.clearCache();
+    }
     res.json(result);
   }));
+
+  // NEW: Get current user profile with caching
+  router.get('/profile', wrap(async (req, res) => {
+    const token = req.headers.authorization?.split(' ')[1] || '';
+    if (!token) {
+      return res.status(401).json({
+        message: 'Authentication required'
+      });
+    }
+
+    // Use the enhanced auth system for better performance
+    const validation = await oxyAuth.validateToken(token);
+    if (!validation.valid) {
+      return res.status(401).json({
+        message: 'Invalid token'
+      });
+    }
+    res.json({
+      user: validation.user,
+      cached: validation.cached,
+      expiresAt: validation.expiresAt
+    });
+  }));
+
+  // NEW: Check user permissions
+  router.post('/check-permissions', wrap(async (req, res) => {
+    const token = req.headers.authorization?.split(' ')[1] || '';
+    const {
+      permissions
+    } = req.body;
+    if (!token) {
+      return res.status(401).json({
+        message: 'Authentication required'
+      });
+    }
+    if (!permissions || !Array.isArray(permissions)) {
+      return res.status(400).json({
+        message: 'Permissions array is required'
+      });
+    }
+    const validation = await oxyAuth.validateToken(token);
+    if (!validation.valid) {
+      return res.status(401).json({
+        message: 'Invalid token'
+      });
+    }
+
+    // Check each permission
+    const results = await Promise.all(permissions.map(async permission => {
+      const hasPermission = await oxyAuth.hasPermission(validation.userId, permission);
+      return {
+        permission,
+        granted: hasPermission
+      };
+    }));
+    res.json({
+      permissions: results
+    });
+  }));
   return {
-    middleware: router
+    middleware: router,
+    // NEW: Expose the enhanced auth system
+    auth: oxyAuth,
+    // NEW: Convenience methods for middleware
+    requireAuth: (roles, permissions) => oxyAuth.createAuthMiddleware({
+      required: true,
+      roles: Array.isArray(roles) ? roles : roles ? [roles] : undefined,
+      permissions: Array.isArray(permissions) ? permissions : permissions ? [permissions] : undefined
+    }),
+    optionalAuth: () => oxyAuth.optionalAuth(),
+    requireRole: roles => oxyAuth.requireRole(roles),
+    requirePermission: permissions => oxyAuth.requirePermission(permissions)
   };
 }
 //# sourceMappingURL=createAuth.js.map