@oxyhq/services 5.8.1 → 5.8.3

package/src/node/createAuth.ts

@@ -1,463 +1,13 @@
-import express, { Request, Response } from 'express';
-import type { NextFunction } from 'express-serve-static-core';
+import express from 'express';
+import type { Request, Response } from 'express';
 import { OxyServices } from '../core';
-import { jwtDecode } from 'jwt-decode';
-
-// Types for enhanced authentication
-export interface AuthRequest extends Request {
-  user?: any;
-  userId?: string;
-  accessToken?: string;
-  sessionId?: string;
-  deviceFingerprint?: string;
-}
-
-export interface AuthOptions {
-  baseURL: string;
-  jwtSecret?: string; // For local JWT validation
-  loadFullUser?: boolean;
-  enableSessionAuth?: boolean;
-  enableDeviceAuth?: boolean;
-  cacheUserData?: boolean;
-  userCacheTTL?: number; // in seconds
-}
-
-export interface AuthMiddlewareOptions {
-  required?: boolean;
-  loadFullUser?: boolean;
-  roles?: string[];
-  permissions?: string[];
-  onError?: (error: any, req: AuthRequest, res: Response) => void;
-}
-
-export interface TokenValidationResult {
-  valid: boolean;
-  userId?: string;
-  user?: any;
-  error?: string;
-  code?: string;
-  expiresAt?: number;
-  cached?: boolean;
-}
-
-// User cache for performance
-class UserCache {
-  private cache = new Map<string, { user: any; expiresAt: number }>();
-  private ttl: number;
-
-  constructor(ttl: number = 300) { // 5 minutes default
-    this.ttl = ttl * 1000;
-  }
-
-  set(userId: string, user: any): void {
-    this.cache.set(userId, {
-      user,
-      expiresAt: Date.now() + this.ttl
-    });
-  }
-
-  get(userId: string): any | null {
-    const item = this.cache.get(userId);
-    if (!item || Date.now() > item.expiresAt) {
-      this.cache.delete(userId);
-      return null;
-    }
-    return item.user;
-  }
-
-  clear(): void {
-    this.cache.clear();
-  }
-}
-
-/**
- * Enhanced OxyAuth class for backend authentication
- */
-export class OxyAuth {
-  private oxy: OxyServices;
-  private options: AuthOptions;
-  private userCache: UserCache | null = null;
-
-  constructor(options: AuthOptions) {
-    this.options = {
-      loadFullUser: true,
-      enableSessionAuth: true,
-      enableDeviceAuth: true,
-      cacheUserData: true,
-      userCacheTTL: 300,
-      ...options
-    };
-
-    this.oxy = new OxyServices({ baseURL: options.baseURL });
-    
-    if (this.options.cacheUserData) {
-      this.userCache = new UserCache(this.options.userCacheTTL);
-    }
-  }
-
-  /**
-   * Create authentication middleware
-   */
-  createAuthMiddleware(options: AuthMiddlewareOptions = {}): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
-    return async (req: AuthRequest, res: Response, next: NextFunction) => {
-      try {
-        const result = await this.authenticateRequest(req);
-        
-        if (!result.valid && options.required !== false) {
-          const error = { message: 'Authentication required', code: 'AUTH_REQUIRED' };
-          if (options.onError) {
-            options.onError(error, req, res);
-          } else {
-            res.status(401).json(error);
-          }
-          return;
-        }
-
-        // Check roles if specified
-        if (result.valid && options.roles && result.user) {
-          const hasRole = options.roles.some(role => 
-            result.user.roles?.includes(role) || result.user.role === role
-          );
-          if (!hasRole) {
-            const error = { message: 'Insufficient permissions', code: 'INSUFFICIENT_ROLES' };
-            if (options.onError) {
-              options.onError(error, req, res);
-            } else {
-              res.status(403).json(error);
-            }
-            return;
-          }
-        }
-
-        // Check permissions if specified
-        if (result.valid && options.permissions && result.userId) {
-          for (const permission of options.permissions) {
-            const hasPermission = await this.hasPermission(result.userId!, permission);
-            if (!hasPermission) {
-              const error = { message: 'Insufficient permissions', code: 'INSUFFICIENT_PERMISSIONS' };
-              if (options.onError) {
-                options.onError(error, req, res);
-              } else {
-                res.status(403).json(error);
-              }
-              return;
-            }
-          }
-        }
-
-        next();
-      } catch (error) {
-        if (options.onError) {
-          options.onError(error, req, res);
-        } else {
-          res.status(500).json({ message: 'Authentication error' });
-        }
-      }
-    };
-  }
-
-  /**
-   * Authenticate request and populate user data
-   */
-  private async authenticateRequest(req: AuthRequest): Promise<TokenValidationResult & { accessToken?: string }> {
-    // Try JWT token first
-    const authHeader = req.headers.authorization;
-    if (authHeader && authHeader.startsWith('Bearer ')) {
-      const token = authHeader.substring(7);
-      const result = await this.validateToken(token);
-      if (result.valid) {
-        req.user = result.user;
-        req.userId = result.userId;
-        req.accessToken = token;
-        return { ...result, accessToken: token };
-      }
-    }
-
-    // Try session-based auth
-    if (this.options.enableSessionAuth) {
-      const sessionId = req.headers['x-session-id'] as string;
-      if (sessionId) {
-        const result = await this.validateSession(sessionId);
-        if (result.valid) {
-          req.user = result.user;
-          req.userId = result.userId;
-          req.sessionId = sessionId;
-          return result;
-        }
-      }
-    }
-
-    // Try device-based auth
-    if (this.options.enableDeviceAuth) {
-      const deviceFingerprint = req.headers['x-device-fingerprint'] as string;
-      const userId = req.headers['x-user-id'] as string;
-      if (deviceFingerprint && userId) {
-        const result = await this.validateDevice(userId, deviceFingerprint);
-        if (result.valid) {
-          req.user = result.user;
-          req.userId = result.userId;
-          req.deviceFingerprint = deviceFingerprint;
-          return result;
-        }
-      }
-    }
-
-    return { valid: false, error: 'No valid authentication found' };
-  }
-
-  /**
-   * Validate JWT token
-   */
-  async validateToken(token: string): Promise<TokenValidationResult> {
-    try {
-      // Local JWT validation if secret is provided
-      if (this.options.jwtSecret) {
-        const decoded = jwtDecode(token) as any;
-        const currentTime = Math.floor(Date.now() / 1000);
-        
-        if (decoded.exp && decoded.exp < currentTime) {
-          return {
-            valid: false,
-            error: 'Token expired',
-            code: 'TOKEN_EXPIRED',
-            expiresAt: decoded.exp
-          };
-        }
-
-        const userId = decoded.userId || decoded.id;
-        if (!userId) {
-          return {
-            valid: false,
-            error: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD'
-          };
-        }
-
-        // Get user data from cache or API
-        let user = this.userCache?.get(userId);
-        const cached = !!user;
-        
-        if (!user && this.options.loadFullUser) {
-          try {
-            user = await this.oxy.getUserById(userId);
-            this.userCache?.set(userId, user);
-          } catch (error) {
-            user = { id: userId };
-          }
-        } else if (!user) {
-          user = { id: userId };
-        }
-
-        return {
-          valid: true,
-          userId,
-          user,
-          expiresAt: decoded.exp,
-          cached
-        };
-      }
-
-      // Remote validation using OxyServices
-      const tempOxy = new OxyServices({ baseURL: this.oxy.getBaseURL() });
-      tempOxy.setTokens(token, '');
-      
-      const isValid = await tempOxy.validate();
-      if (!isValid) {
-        return {
-          valid: false,
-          error: 'Invalid token',
-          code: 'INVALID_TOKEN'
-        };
-      }
-
-      const userId = tempOxy.getCurrentUserId();
-      if (!userId) {
-        return {
-          valid: false,
-          error: 'Invalid token payload',
-          code: 'INVALID_PAYLOAD'
-        };
-      }
-
-      // Get user data
-      let user = this.userCache?.get(userId);
-      const cached = !!user;
-      
-      if (!user && this.options.loadFullUser) {
-        try {
-          user = await tempOxy.getUserById(userId);
-          this.userCache?.set(userId, user);
-        } catch (error) {
-          user = { id: userId };
-        }
-      } else if (!user) {
-        user = { id: userId };
-      }
-
-      return {
-        valid: true,
-        userId,
-        user,
-        cached
-      };
-    } catch (error) {
-      return {
-        valid: false,
-        error: 'Token validation failed',
-        code: 'VALIDATION_ERROR'
-      };
-    }
-  }
-
-  /**
-   * Validate session-based authentication
-   */
-  async validateSession(sessionId: string, deviceFingerprint?: string): Promise<TokenValidationResult> {
-    try {
-      // This would integrate with your session management system
-      // For now, it's a placeholder implementation
-      return {
-        valid: false,
-        error: 'Session validation not implemented',
-        code: 'NOT_IMPLEMENTED'
-      };
-    } catch (error) {
-      return {
-        valid: false,
-        error: 'Session validation failed',
-        code: 'VALIDATION_ERROR'
-      };
-    }
-  }
-
-  /**
-   * Validate device-based authentication
-   */
-  async validateDevice(userId: string, deviceFingerprint: string): Promise<TokenValidationResult> {
-    try {
-      // This would validate device fingerprint against stored data
-      // For now, it's a placeholder implementation
-      return {
-        valid: false,
-        error: 'Device validation not implemented',
-        code: 'NOT_IMPLEMENTED'
-      };
-    } catch (error) {
-      return {
-        valid: false,
-        error: 'Device validation failed',
-        code: 'VALIDATION_ERROR'
-      };
-    }
-  }
-
-  /**
-   * Create role-based middleware
-   */
-  requireRole(roles: string | string[]): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
-    const roleArray = Array.isArray(roles) ? roles : [roles];
-    return this.createAuthMiddleware({
-      required: true,
-      roles: roleArray
-    });
-  }
-
-  /**
-   * Create permission-based middleware
-   */
-  requirePermission(permissions: string | string[]): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
-    const permissionArray = Array.isArray(permissions) ? permissions : [permissions];
-    return this.createAuthMiddleware({
-      required: true,
-      permissions: permissionArray
-    });
-  }
-
-  /**
-   * Create optional authentication middleware
-   */
-  optionalAuth(): (req: AuthRequest, res: Response, next: NextFunction) => Promise<void> {
-    return this.createAuthMiddleware({
-      required: false,
-      onError: () => {} // No error thrown for optional auth
-    });
-  }
-
-  /**
-   * Clear user cache
-   */
-  clearCache(): void {
-    this.userCache?.clear();
-  }
-
-  /**
-   * Check if user data is cached for a given token
-   */
-  isUserCached(token: string): boolean {
-    try {
-      const decoded = jwtDecode(token) as any;
-      const userId = decoded.userId || decoded.id;
-      return userId ? this.userCache?.get(userId) !== null : false;
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Check if user has a specific permission
-   */
-  async hasPermission(userId: string, permission: string): Promise<boolean> {
-    try {
-      // This is a placeholder implementation
-      // In a real implementation, you would check against user roles/permissions
-      const user = this.userCache?.get(userId) || await this.oxy.getUserById(userId);
-      return user?.permissions?.includes(permission) || user?.role === 'admin' || false;
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Get OxyServices instance
-   */
-  getOxyServices(): OxyServices {
-    return this.oxy;
-  }
-}
 
 export interface CreateAuthOptions {
   baseURL: string;
-  jwtSecret?: string;
-  loadFullUser?: boolean;
-  enableSessionAuth?: boolean;
-  enableDeviceAuth?: boolean;
-  cacheUserData?: boolean;
-  userCacheTTL?: number;
 }
 
-/**
- * Enhanced createAuth function that provides both router and middleware capabilities
- * 
- * This is a unified authentication system that:
- * 1. Maintains backward compatibility with the old router-based approach
- * 2. Adds powerful new middleware capabilities
- * 3. Includes caching, role-based access, and performance optimizations
- * 4. Supports multiple authentication strategies
- */
 export function createAuth(options: CreateAuthOptions) {
-  // Create the enhanced OxyAuth instance
-  const authOptions: AuthOptions = {
-    baseURL: options.baseURL,
-    jwtSecret: options.jwtSecret,
-    loadFullUser: options.loadFullUser ?? true,
-    enableSessionAuth: options.enableSessionAuth ?? true,
-    enableDeviceAuth: options.enableDeviceAuth ?? true,
-    cacheUserData: options.cacheUserData ?? true,
-    userCacheTTL: options.userCacheTTL ?? 300
-  };
-
-  const oxyAuth = new OxyAuth(authOptions);
-  const oxy = oxyAuth.getOxyServices();
+  const oxy = new OxyServices({ baseURL: options.baseURL });
   const router = express.Router();
 
   // Helper to handle async route functions
@@ -472,261 +22,95 @@ export function createAuth(options: CreateAuthOptions) {
     }
   };
 
-  // Enhanced signup with validation
   router.post(
     '/signup',
     wrap(async (req, res) => {
       const { username, email, password } = req.body;
-      
-      // Enhanced validation
-      if (!username || !email || !password) {
-        return res.status(400).json({ 
-          message: 'Username, email, and password are required' 
-        });
-      }
-
       const result = await oxy.signUp(username, email, password);
       res.json(result);
     })
   );
 
-  // Enhanced login with device fingerprinting
   router.post(
     '/login',
     wrap(async (req, res) => {
-      const { username, password, deviceFingerprint } = req.body;
-      
-      if (!username || !password) {
-        return res.status(400).json({ 
-          message: 'Username and password are required' 
-        });
-      }
-
+      const { username, password } = req.body;
       const result = await oxy.login(username, password);
-      
-      // Store device fingerprint if provided
-      if (deviceFingerprint && result.user?.id) {
-        // This could be stored in a database for device tracking
-        console.log(`Device login: ${deviceFingerprint} for user ${result.user.id}`);
-      }
-
       res.json(result);
     })
   );
 
-  // Enhanced logout with session management
   router.post(
     '/logout',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1];
       const refreshToken = req.body.refreshToken;
-      const sessionId = req.body.sessionId;
-      
       if (token) oxy.setTokens(token, refreshToken);
-      
-      // Enhanced logout with session tracking
-      if (sessionId) {
-        await oxy.logoutSession(sessionId);
-      } else {
-        await oxy.logout();
-      }
-      
+      await oxy.logout();
       res.json({ success: true });
     })
   );
 
-  // Enhanced token refresh
   router.post(
     '/refresh',
     wrap(async (req, res) => {
       const refreshToken = req.body.refreshToken;
       const accessToken = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!refreshToken) {
-        return res.status(400).json({ message: 'Refresh token is required' });
-      }
-      
       oxy.setTokens(accessToken, refreshToken);
       const tokens = await oxy.refreshTokens();
       res.json(tokens);
     })
   );
 
-  // Enhanced token validation with caching
   router.get(
     '/validate',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!token) {
-        return res.status(401).json({ valid: false, message: 'No token provided' });
-      }
-      
       oxy.setTokens(token, '');
       const valid = await oxy.validate();
-      
-      // Enhanced response with more details
-      res.json({ 
-        valid,
-        timestamp: new Date().toISOString(),
-        cached: oxyAuth.isUserCached(token) // Check if user data is cached
-      });
+      res.json({ valid });
     })
   );
 
-  // Enhanced sessions management
   router.get(
     '/sessions',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!token) {
-        return res.status(401).json({ message: 'Authentication required' });
-      }
-      
       oxy.setTokens(token, '');
       const sessions = await oxy.getUserSessions();
       res.json(sessions);
     })
   );
 
-  // Enhanced session deletion
   router.delete(
     '/sessions/:id',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!token) {
-        return res.status(401).json({ message: 'Authentication required' });
-      }
-      
       oxy.setTokens(token, '');
       const result = await oxy.logoutSession(req.params.id);
-      
-      // Clear cache for this user if logout was successful
-      if (result.success) {
-        oxyAuth.clearCache();
-      }
-      
       res.json(result);
     })
   );
 
-  // Enhanced logout other sessions
   router.post(
     '/sessions/logout-others',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!token) {
-        return res.status(401).json({ message: 'Authentication required' });
-      }
-      
       oxy.setTokens(token, '');
       const result = await oxy.logoutOtherSessions();
-      
-      // Clear cache for this user
-      if (result.success) {
-        oxyAuth.clearCache();
-      }
-      
       res.json(result);
     })
   );
 
-  // Enhanced logout all sessions
   router.post(
     '/sessions/logout-all',
     wrap(async (req, res) => {
       const token = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!token) {
-        return res.status(401).json({ message: 'Authentication required' });
-      }
-      
       oxy.setTokens(token, '');
       const result = await oxy.logoutAllSessions();
-      
-      // Clear all cache
-      if (result.success) {
-        oxyAuth.clearCache();
-      }
-      
       res.json(result);
     })
   );
 
-  // NEW: Get current user profile with caching
-  router.get(
-    '/profile',
-    wrap(async (req, res) => {
-      const token = req.headers.authorization?.split(' ')[1] || '';
-      
-      if (!token) {
-        return res.status(401).json({ message: 'Authentication required' });
-      }
-      
-      // Use the enhanced auth system for better performance
-      const validation = await oxyAuth.validateToken(token);
-      
-      if (!validation.valid) {
-        return res.status(401).json({ message: 'Invalid token' });
-      }
-      
-      res.json({
-        user: validation.user,
-        cached: validation.cached,
-        expiresAt: validation.expiresAt
-      });
-    })
-  );
-
-  // NEW: Check user permissions
-  router.post(
-    '/check-permissions',
-    wrap(async (req, res) => {
-      const token = req.headers.authorization?.split(' ')[1] || '';
-      const { permissions } = req.body;
-      
-      if (!token) {
-        return res.status(401).json({ message: 'Authentication required' });
-      }
-      
-      if (!permissions || !Array.isArray(permissions)) {
-        return res.status(400).json({ message: 'Permissions array is required' });
-      }
-      
-      const validation = await oxyAuth.validateToken(token);
-      
-      if (!validation.valid) {
-        return res.status(401).json({ message: 'Invalid token' });
-      }
-      
-      // Check each permission
-      const results = await Promise.all(
-        permissions.map(async (permission) => {
-          const hasPermission = await oxyAuth.hasPermission(validation.userId!, permission);
-          return { permission, granted: hasPermission };
-        })
-      );
-      
-      res.json({ permissions: results });
-    })
-  );
-
-  return { 
-    middleware: router,
-    // NEW: Expose the enhanced auth system
-    auth: oxyAuth,
-    // NEW: Convenience methods for middleware
-    requireAuth: (roles?: string | string[], permissions?: string | string[]) => 
-      oxyAuth.createAuthMiddleware({ 
-        required: true, 
-        roles: Array.isArray(roles) ? roles : roles ? [roles] : undefined,
-        permissions: Array.isArray(permissions) ? permissions : permissions ? [permissions] : undefined
-      }),
-    optionalAuth: () => oxyAuth.optionalAuth(),
-    requireRole: (roles: string | string[]) => oxyAuth.requireRole(roles),
-    requirePermission: (permissions: string | string[]) => oxyAuth.requirePermission(permissions)
-  };
+  return { middleware: router };
 }