@oxyhq/services 5.7.5 → 5.8.1

package/src/node/createAuth.ts

@@ -1,13 +1,463 @@
-import express from 'express';
-import type { Request, Response } from 'express';
+import express, { Request, Response } from 'express';
+import type { NextFunction } from 'express-serve-static-core';
 import { OxyServices } from '../core';
+import { jwtDecode } from 'jwt-decode';
+
+// Types for enhanced authentication
+export interface AuthRequest extends Request {
+  user?: any;
+  userId?: string;
+  accessToken?: string;
+  sessionId?: string;
+  deviceFingerprint?: string;
+}
+
+export interface AuthOptions {
+  baseURL: string;
+  jwtSecret?: string; // For local JWT validation
+  loadFullUser?: boolean;
+  enableSessionAuth?: boolean;
+  enableDeviceAuth?: boolean;
+  cacheUserData?: boolean;
+  userCacheTTL?: number; // in seconds
+}
+
+export interface AuthMiddlewareOptions {
+  required?: boolean;
+  loadFullUser?: boolean;
+  roles?: string[];
+  permissions?: string[];
+  onError?: (error: any, req: AuthRequest, res: Response) => void;
+}
+
+export interface TokenValidationResult {
+  valid: boolean;
+  userId?: string;
+  user?: any;
+  error?: string;
+  code?: string;
+  expiresAt?: number;
+  cached?: boolean;
+}
+
+// User cache for performance
+class UserCache {
+  private cache = new Map<string, { user: any; expiresAt: number }>();
+  private ttl: number;
+
+  constructor(ttl: number = 300) { // 5 minutes default
+    this.ttl = ttl * 1000;
+  }
+
+  set(userId: string, user: any): void {
+    this.cache.set(userId, {
+      user,
+      expiresAt: Date.now() + this.ttl
+    });
+  }
+
+  get(userId: string): any | null {
+    const item = this.cache.get(userId);
+    if (!item || Date.now() > item.expiresAt) {
+      this.cache.delete(userId);
+      return null;
+    }
+    return item.user;
+  }
+
+  clear(): void {
+    this.cache.clear();
+  }
+}
+
+/**
+ * Enhanced OxyAuth class for backend authentication
+ */
+export class OxyAuth {
+  private oxy: OxyServices;
+  private options: AuthOptions;
+  private userCache: UserCache | null = null;
+
+  constructor(options: AuthOptions) {
+    this.options = {
+      loadFullUser: true,
+      enableSessionAuth: true,
+      enableDeviceAuth: true,
+      cacheUserData: true,
+      userCacheTTL: 300,
+      ...options
+    };
+
+    this.oxy = new OxyServices({ baseURL: options.baseURL });
+    
+    if (this.options.cacheUserData) {
+      this.userCache = new UserCache(this.options.userCacheTTL);
+    }
+  }
+
+  /**
+   * Create authentication middleware
+   */
+  createAuthMiddleware(options: AuthMiddlewareOptions = {}): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
+    return async (req: AuthRequest, res: Response, next: NextFunction) => {
+      try {
+        const result = await this.authenticateRequest(req);
+        
+        if (!result.valid && options.required !== false) {
+          const error = { message: 'Authentication required', code: 'AUTH_REQUIRED' };
+          if (options.onError) {
+            options.onError(error, req, res);
+          } else {
+            res.status(401).json(error);
+          }
+          return;
+        }
+
+        // Check roles if specified
+        if (result.valid && options.roles && result.user) {
+          const hasRole = options.roles.some(role => 
+            result.user.roles?.includes(role) || result.user.role === role
+          );
+          if (!hasRole) {
+            const error = { message: 'Insufficient permissions', code: 'INSUFFICIENT_ROLES' };
+            if (options.onError) {
+              options.onError(error, req, res);
+            } else {
+              res.status(403).json(error);
+            }
+            return;
+          }
+        }
+
+        // Check permissions if specified
+        if (result.valid && options.permissions && result.userId) {
+          for (const permission of options.permissions) {
+            const hasPermission = await this.hasPermission(result.userId!, permission);
+            if (!hasPermission) {
+              const error = { message: 'Insufficient permissions', code: 'INSUFFICIENT_PERMISSIONS' };
+              if (options.onError) {
+                options.onError(error, req, res);
+              } else {
+                res.status(403).json(error);
+              }
+              return;
+            }
+          }
+        }
+
+        next();
+      } catch (error) {
+        if (options.onError) {
+          options.onError(error, req, res);
+        } else {
+          res.status(500).json({ message: 'Authentication error' });
+        }
+      }
+    };
+  }
+
+  /**
+   * Authenticate request and populate user data
+   */
+  private async authenticateRequest(req: AuthRequest): Promise<TokenValidationResult & { accessToken?: string }> {
+    // Try JWT token first
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const token = authHeader.substring(7);
+      const result = await this.validateToken(token);
+      if (result.valid) {
+        req.user = result.user;
+        req.userId = result.userId;
+        req.accessToken = token;
+        return { ...result, accessToken: token };
+      }
+    }
+
+    // Try session-based auth
+    if (this.options.enableSessionAuth) {
+      const sessionId = req.headers['x-session-id'] as string;
+      if (sessionId) {
+        const result = await this.validateSession(sessionId);
+        if (result.valid) {
+          req.user = result.user;
+          req.userId = result.userId;
+          req.sessionId = sessionId;
+          return result;
+        }
+      }
+    }
+
+    // Try device-based auth
+    if (this.options.enableDeviceAuth) {
+      const deviceFingerprint = req.headers['x-device-fingerprint'] as string;
+      const userId = req.headers['x-user-id'] as string;
+      if (deviceFingerprint && userId) {
+        const result = await this.validateDevice(userId, deviceFingerprint);
+        if (result.valid) {
+          req.user = result.user;
+          req.userId = result.userId;
+          req.deviceFingerprint = deviceFingerprint;
+          return result;
+        }
+      }
+    }
+
+    return { valid: false, error: 'No valid authentication found' };
+  }
+
+  /**
+   * Validate JWT token
+   */
+  async validateToken(token: string): Promise<TokenValidationResult> {
+    try {
+      // Local JWT validation if secret is provided
+      if (this.options.jwtSecret) {
+        const decoded = jwtDecode(token) as any;
+        const currentTime = Math.floor(Date.now() / 1000);
+        
+        if (decoded.exp && decoded.exp < currentTime) {
+          return {
+            valid: false,
+            error: 'Token expired',
+            code: 'TOKEN_EXPIRED',
+            expiresAt: decoded.exp
+          };
+        }
+
+        const userId = decoded.userId || decoded.id;
+        if (!userId) {
+          return {
+            valid: false,
+            error: 'Invalid token payload',
+            code: 'INVALID_PAYLOAD'
+          };
+        }
+
+        // Get user data from cache or API
+        let user = this.userCache?.get(userId);
+        const cached = !!user;
+        
+        if (!user && this.options.loadFullUser) {
+          try {
+            user = await this.oxy.getUserById(userId);
+            this.userCache?.set(userId, user);
+          } catch (error) {
+            user = { id: userId };
+          }
+        } else if (!user) {
+          user = { id: userId };
+        }
+
+        return {
+          valid: true,
+          userId,
+          user,
+          expiresAt: decoded.exp,
+          cached
+        };
+      }
+
+      // Remote validation using OxyServices
+      const tempOxy = new OxyServices({ baseURL: this.oxy.getBaseURL() });
+      tempOxy.setTokens(token, '');
+      
+      const isValid = await tempOxy.validate();
+      if (!isValid) {
+        return {
+          valid: false,
+          error: 'Invalid token',
+          code: 'INVALID_TOKEN'
+        };
+      }
+
+      const userId = tempOxy.getCurrentUserId();
+      if (!userId) {
+        return {
+          valid: false,
+          error: 'Invalid token payload',
+          code: 'INVALID_PAYLOAD'
+        };
+      }
+
+      // Get user data
+      let user = this.userCache?.get(userId);
+      const cached = !!user;
+      
+      if (!user && this.options.loadFullUser) {
+        try {
+          user = await tempOxy.getUserById(userId);
+          this.userCache?.set(userId, user);
+        } catch (error) {
+          user = { id: userId };
+        }
+      } else if (!user) {
+        user = { id: userId };
+      }
+
+      return {
+        valid: true,
+        userId,
+        user,
+        cached
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: 'Token validation failed',
+        code: 'VALIDATION_ERROR'
+      };
+    }
+  }
+
+  /**
+   * Validate session-based authentication
+   */
+  async validateSession(sessionId: string, deviceFingerprint?: string): Promise<TokenValidationResult> {
+    try {
+      // This would integrate with your session management system
+      // For now, it's a placeholder implementation
+      return {
+        valid: false,
+        error: 'Session validation not implemented',
+        code: 'NOT_IMPLEMENTED'
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: 'Session validation failed',
+        code: 'VALIDATION_ERROR'
+      };
+    }
+  }
+
+  /**
+   * Validate device-based authentication
+   */
+  async validateDevice(userId: string, deviceFingerprint: string): Promise<TokenValidationResult> {
+    try {
+      // This would validate device fingerprint against stored data
+      // For now, it's a placeholder implementation
+      return {
+        valid: false,
+        error: 'Device validation not implemented',
+        code: 'NOT_IMPLEMENTED'
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: 'Device validation failed',
+        code: 'VALIDATION_ERROR'
+      };
+    }
+  }
+
+  /**
+   * Create role-based middleware
+   */
+  requireRole(roles: string | string[]): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
+    const roleArray = Array.isArray(roles) ? roles : [roles];
+    return this.createAuthMiddleware({
+      required: true,
+      roles: roleArray
+    });
+  }
+
+  /**
+   * Create permission-based middleware
+   */
+  requirePermission(permissions: string | string[]): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
+    const permissionArray = Array.isArray(permissions) ? permissions : [permissions];
+    return this.createAuthMiddleware({
+      required: true,
+      permissions: permissionArray
+    });
+  }
+
+  /**
+   * Create optional authentication middleware
+   */
+  optionalAuth(): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
+    return this.createAuthMiddleware({
+      required: false,
+      onError: () => {} // No error thrown for optional auth
+    });
+  }
+
+  /**
+   * Clear user cache
+   */
+  clearCache(): void {
+    this.userCache?.clear();
+  }
+
+  /**
+   * Check if user data is cached for a given token
+   */
+  isUserCached(token: string): boolean {
+    try {
+      const decoded = jwtDecode(token) as any;
+      const userId = decoded.userId || decoded.id;
+      return userId ? this.userCache?.get(userId) !== null : false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if user has a specific permission
+   */
+  async hasPermission(userId: string, permission: string): Promise<boolean> {
+    try {
+      // This is a placeholder implementation
+      // In a real implementation, you would check against user roles/permissions
+      const user = this.userCache?.get(userId) || await this.oxy.getUserById(userId);
+      return user?.permissions?.includes(permission) || user?.role === 'admin' || false;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Get OxyServices instance
+   */
+  getOxyServices(): OxyServices {
+    return this.oxy;
+  }
+}
 
 export interface CreateAuthOptions {
   baseURL: string;
+  jwtSecret?: string;
+  loadFullUser?: boolean;
+  enableSessionAuth?: boolean;
+  enableDeviceAuth?: boolean;
+  cacheUserData?: boolean;
+  userCacheTTL?: number;
 }
 
+/**
+ * Enhanced createAuth function that provides both router and middleware capabilities
+ * 
+ * This is a unified authentication system that:
+ * 1. Maintains backward compatibility with the old router-based approach
+ * 2. Adds powerful new middleware capabilities
+ * 3. Includes caching, role-based access, and performance optimizations
+ * 4. Supports multiple authentication strategies
+ */
 export function createAuth(options: CreateAuthOptions) {
-  const oxy = new OxyServices({ baseURL: options.baseURL });
+  // Create the enhanced OxyAuth instance
+  const authOptions: AuthOptions = {
+    baseURL: options.baseURL,
+    jwtSecret: options.jwtSecret,
+    loadFullUser: options.loadFullUser ?? true,
+    enableSessionAuth: options.enableSessionAuth ?? true,
+    enableDeviceAuth: options.enableDeviceAuth ?? true,
+    cacheUserData: options.cacheUserData ?? true,
+    userCacheTTL: options.userCacheTTL ?? 300
+  };
+
+  const oxyAuth = new OxyAuth(authOptions);
+  const oxy = oxyAuth.getOxyServices();
   const router = express.Router();
 
   // Helper to handle async route functions
@@ -22,95 +472,261 @@ export function createAuth(options: CreateAuthOptions) {
     }
   };
 
+  // Enhanced signup with validation
   router.post(
     '/signup',
     wrap(async (req, res) => {
       const { username, email, password } = req.body;
+      
+      // Enhanced validation
+      if (!username || !email || !password) {
+        return res.status(400).json({ 
+          message: 'Username, email, and password are required' 
+        });
+      }
+
       const result = await oxy.signUp(username, email, password);
       res.json(result);
     })
   );
 
+  // Enhanced login with device fingerprinting
   router.post(
     '/login',
     wrap(async (req, res) => {
-      const { username, password } = req.body;
+      const { username, password, deviceFingerprint } = req.body;
+      
+      if (!username || !password) {
+        return res.status(400).json({ 
+          message: 'Username and password are required' 
+        });
+      }
+
       const result = await oxy.login(username, password);
+      
+      // Store device fingerprint if provided
+      if (deviceFingerprint && result.user?.id) {
+        // This could be stored in a database for device tracking
+        console.log(`Device login: ${deviceFingerprint} for user ${result.user.id}`);
+      }
+
       res.json(result);
     })
   );
 
+  // Enhanced logout with session management
   router.post(
     '/logout',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1];
       const refreshToken = req.body.refreshToken;
+      const sessionId = req.body.sessionId;
+      
       if (token) oxy.setTokens(token, refreshToken);
-      await oxy.logout();
+      
+      // Enhanced logout with session tracking
+      if (sessionId) {
+        await oxy.logoutSession(sessionId);
+      } else {
+        await oxy.logout();
+      }
+      
       res.json({ success: true });
     })
   );
 
+  // Enhanced token refresh
   router.post(
     '/refresh',
     wrap(async (req, res) => {
       const refreshToken = req.body.refreshToken;
       const accessToken = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!refreshToken) {
+        return res.status(400).json({ message: 'Refresh token is required' });
+      }
+      
       oxy.setTokens(accessToken, refreshToken);
       const tokens = await oxy.refreshTokens();
       res.json(tokens);
     })
   );
 
+  // Enhanced token validation with caching
   router.get(
     '/validate',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!token) {
+        return res.status(401).json({ valid: false, message: 'No token provided' });
+      }
+      
       oxy.setTokens(token, '');
       const valid = await oxy.validate();
-      res.json({ valid });
+      
+      // Enhanced response with more details
+      res.json({ 
+        valid,
+        timestamp: new Date().toISOString(),
+        cached: oxyAuth.isUserCached(token) // Check if user data is cached
+      });
     })
   );
 
+  // Enhanced sessions management
   router.get(
     '/sessions',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!token) {
+        return res.status(401).json({ message: 'Authentication required' });
+      }
+      
       oxy.setTokens(token, '');
       const sessions = await oxy.getUserSessions();
       res.json(sessions);
     })
   );
 
+  // Enhanced session deletion
   router.delete(
     '/sessions/:id',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!token) {
+        return res.status(401).json({ message: 'Authentication required' });
+      }
+      
       oxy.setTokens(token, '');
       const result = await oxy.logoutSession(req.params.id);
+      
+      // Clear cache for this user if logout was successful
+      if (result.success) {
+        oxyAuth.clearCache();
+      }
+      
       res.json(result);
     })
   );
 
+  // Enhanced logout other sessions
   router.post(
     '/sessions/logout-others',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!token) {
+        return res.status(401).json({ message: 'Authentication required' });
+      }
+      
       oxy.setTokens(token, '');
       const result = await oxy.logoutOtherSessions();
+      
+      // Clear cache for this user
+      if (result.success) {
+        oxyAuth.clearCache();
+      }
+      
       res.json(result);
     })
   );
 
+  // Enhanced logout all sessions
   router.post(
     '/sessions/logout-all',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!token) {
+        return res.status(401).json({ message: 'Authentication required' });
+      }
+      
       oxy.setTokens(token, '');
       const result = await oxy.logoutAllSessions();
+      
+      // Clear all cache
+      if (result.success) {
+        oxyAuth.clearCache();
+      }
+      
       res.json(result);
     })
   );
 
-  return { middleware: router };
+  // NEW: Get current user profile with caching
+  router.get(
+    '/profile',
+    wrap(async (req, res) => {
+      const token = req.headers.authorization?.split(' ')[1] || '';
+      
+      if (!token) {
+        return res.status(401).json({ message: 'Authentication required' });
+      }
+      
+      // Use the enhanced auth system for better performance
+      const validation = await oxyAuth.validateToken(token);
+      
+      if (!validation.valid) {
+        return res.status(401).json({ message: 'Invalid token' });
+      }
+      
+      res.json({
+        user: validation.user,
+        cached: validation.cached,
+        expiresAt: validation.expiresAt
+      });
+    })
+  );
+
+  // NEW: Check user permissions
+  router.post(
+    '/check-permissions',
+    wrap(async (req, res) => {
+      const token = req.headers.authorization?.split(' ')[1] || '';
+      const { permissions } = req.body;
+      
+      if (!token) {
+        return res.status(401).json({ message: 'Authentication required' });
+      }
+      
+      if (!permissions || !Array.isArray(permissions)) {
+        return res.status(400).json({ message: 'Permissions array is required' });
+      }
+      
+      const validation = await oxyAuth.validateToken(token);
+      
+      if (!validation.valid) {
+        return res.status(401).json({ message: 'Invalid token' });
+      }
+      
+      // Check each permission
+      const results = await Promise.all(
+        permissions.map(async (permission) => {
+          const hasPermission = await oxyAuth.hasPermission(validation.userId!, permission);
+          return { permission, granted: hasPermission };
+        })
+      );
+      
+      res.json({ permissions: results });
+    })
+  );
+
+  return { 
+    middleware: router,
+    // NEW: Expose the enhanced auth system
+    auth: oxyAuth,
+    // NEW: Convenience methods for middleware
+    requireAuth: (roles?: string | string[], permissions?: string | string[]) => 
+      oxyAuth.createAuthMiddleware({ 
+        required: true, 
+        roles: Array.isArray(roles) ? roles : roles ? [roles] : undefined,
+        permissions: Array.isArray(permissions) ? permissions : permissions ? [permissions] : undefined
+      }),
+    optionalAuth: () => oxyAuth.optionalAuth(),
+    requireRole: (roles: string | string[]) => oxyAuth.requireRole(roles),
+    requirePermission: (permissions: string | string[]) => oxyAuth.requirePermission(permissions)
+  };
 }