@plyaz/auth 1.0.0 → 1.0.2

package/src/strategies/traditional-auth.strategy.ts

@@ -1,35 +1,35 @@
-import { randomBytes, pbkdf2Sync } from 'crypto';
-import type { UserRepository } from '../db/repositories/user.repository';
-import type { SessionManager } from '../core/session/session.manager';
-import type { AuthTokens, AuthUser, Session } from '@plyaz/types';
-import { AuthenticationError } from '@plyaz/errors';
-import { NUMERIX } from '@plyaz/config';
-import type { JwtManager } from '@/core/jwt/jwt.manager';
+import { randomBytes, pbkdf2Sync } from "crypto";
+import type { UserRepository } from "../db/repositories/user.repository";
+import type { SessionManager } from "../core/session/session.manager";
+import type { AuthTokens, AuthUser, Session } from "@plyaz/types";
+import { AuthenticationError } from "@plyaz/errors";
+import { NUMERIX } from "@plyaz/config";
+import type { JwtManager } from "@/core/jwt/jwt.manager";
 
 export class TraditionalAuthStrategy {
   constructor(
     private userRepo: UserRepository,
     private jwtManager: JwtManager,
-    private sessionManager: SessionManager
+    private sessionManager: SessionManager,
   ) {}
 
   async authenticate(email: string, password: string): Promise<AuthUser> {
     const user = await this.userRepo.findByEmail(email);
     if (!user?.passwordHash) {
-      throw new AuthenticationError('AUTH_INVALID_CREDENTIALS');
+      throw new AuthenticationError("AUTH_INVALID_CREDENTIALS");
     }
 
     const isValid = await this.verifyPassword(password, user.passwordHash);
     if (!isValid) {
-      throw new AuthenticationError('AUTH_INVALID_CREDENTIALS');
+      throw new AuthenticationError("AUTH_INVALID_CREDENTIALS");
     }
 
     if (!user.isActive) {
-      throw new AuthenticationError('AUTH_ACCOUNT_LOCKED');
+      throw new AuthenticationError("AUTH_ACCOUNT_LOCKED");
     }
 
     if (user.isSuspended) {
-      throw new AuthenticationError('AUTH_ACCOUNT_SUSPENDED');
+      throw new AuthenticationError("AUTH_ACCOUNT_SUSPENDED");
     }
 
     return user;
@@ -38,16 +38,28 @@ export class TraditionalAuthStrategy {
   async hashPassword(password: string): Promise<string> {
     const SALT_LENGTH = 32;
     const HASH_LENGTH = 64;
-    const salt = randomBytes(SALT_LENGTH).toString('hex');
-    const hash = pbkdf2Sync(password, salt, NUMERIX.THOUSAND, HASH_LENGTH, 'sha512').toString('hex');
+    const salt = randomBytes(SALT_LENGTH).toString("hex");
+    const hash = pbkdf2Sync(
+      password,
+      salt,
+      NUMERIX.THOUSAND,
+      HASH_LENGTH,
+      "sha512",
+    ).toString("hex");
     return `pbkdf2$${salt}$${hash}`;
   }
 
   async verifyPassword(password: string, hash: string): Promise<boolean> {
     const HASH_LENGTH = 64;
-    if (hash.startsWith('pbkdf2$')) {
-      const [, salt, storedHash] = hash.split('$');
-      const computedHash = pbkdf2Sync(password, salt, NUMERIX.THOUSAND, HASH_LENGTH, 'sha512').toString('hex');
+    if (hash.startsWith("pbkdf2$")) {
+      const [, salt, storedHash] = hash.split("$");
+      const computedHash = pbkdf2Sync(
+        password,
+        salt,
+        NUMERIX.THOUSAND,
+        HASH_LENGTH,
+        "sha512",
+      ).toString("hex");
       return computedHash === storedHash;
     }
     return false;
@@ -63,7 +75,7 @@ export class TraditionalAuthStrategy {
     // Check if user already exists
     const existingUser = await this.userRepo.findByEmail(data.email);
     if (existingUser) {
-      throw new AuthenticationError('AUTH_INVALID_CREDENTIALS');
+      throw new AuthenticationError("AUTH_INVALID_CREDENTIALS");
     }
 
     // Hash password
@@ -76,21 +88,21 @@ export class TraditionalAuthStrategy {
       firstName: data.firstName,
       lastName: data.lastName,
       passwordHash,
-      authProvider: 'EMAIL',
+      authProvider: "EMAIL",
       isActive: true,
-      isVerified: false
-    } );
+      isVerified: false,
+    });
 
     // Create session
     const session = await this.sessionManager.createSession(user.id, {
-      provider: 'EMAIL',
-      userAgent: 'test',
-      ipAddress: '127.0.0.1'
+      provider: "EMAIL",
+      userAgent: "test",
+      ipAddress: "127.0.0.1",
     });
 
     // Generate tokens
     const tokens = this.jwtManager.generateTokens(user);
-     
+
     return { user, session, tokens };
   }
 
@@ -103,9 +115,9 @@ export class TraditionalAuthStrategy {
 
     // Create session
     const session = await this.sessionManager.createSession(user.id, {
-      provider: 'EMAIL',
-      userAgent: 'test',
-      ipAddress: '127.0.0.1'
+      provider: "EMAIL",
+      userAgent: "test",
+      ipAddress: "127.0.0.1",
     });
 
     // Generate tokens
@@ -113,4 +125,4 @@ export class TraditionalAuthStrategy {
 
     return { user, session, tokens };
   }
-}
+}

package/src/tokens/index.ts

@@ -1,4 +1,4 @@
-export * from './token-validator';
-export * from './refresh-token-manager';
-export * from '../core/jwt/jwt.manager';
-export * from '../core/blacklist/token.blacklist';
+export * from "./token-validator";
+export * from "./refresh-token-manager";
+export * from "../core/jwt/jwt.manager";
+export * from "../core/blacklist/token.blacklist";

package/src/tokens/refresh-token-manager.ts

@@ -3,31 +3,30 @@
 /**
  * @fileoverview Refresh token manager for @plyaz/auth
  * @module @plyaz/auth/tokens/refresh-token-manager
- * 
+ *
  * @description
  * Manages refresh token lifecycle including generation, validation, rotation,
  * and revocation. Implements security best practices like token rotation
  * and family tracking to prevent token theft and replay attacks.
- * 
+ *
  * @example
  * ```typescript
  * import { RefreshTokenManager } from '@plyaz/auth';
- * 
+ *
  * const manager = new RefreshTokenManager({
  *   secretKey: 'your-secret-key',
  *   tokenTTL: 604800, // 7 days
  *   enableRotation: true
  * });
- * 
+ *
  * const tokens = await manager.generateTokenPair(userId, sessionId);
  * ```
  */
 
-import { sign, verify } from 'jsonwebtoken';
-import { randomBytes } from 'crypto';
-import { TokenBlacklist } from '../core/blacklist/token.blacklist';
-import { AuthenticationError } from '@plyaz/errors';
-
+import { sign, verify } from "jsonwebtoken";
+import { randomBytes } from "crypto";
+import { TokenBlacklist } from "../core/blacklist/token.blacklist";
+import { AuthenticationError } from "@plyaz/errors";
 
 /**
  * Refresh token manager configuration
@@ -78,7 +77,7 @@ export interface RefreshTokenPayload {
   /** Token generation number */
   generation?: number;
   /** Token type */
-  type: 'refresh';
+  type: "refresh";
   /** Issued at */
   iat: number;
   /** Expires at */
@@ -102,7 +101,7 @@ export interface AccessTokenPayload {
   /** User permissions */
   permissions?: string[];
   /** Token type */
-  type: 'access';
+  type: "access";
   /** Issued at */
   iat: number;
   /** Expires at */
@@ -142,7 +141,10 @@ export class RefreshTokenManager {
 
   constructor(config: RefreshTokenManagerConfig) {
     this.config = config;
-    this.blacklist = new TokenBlacklist({ keyPrefix: 'token:', defaultTTL: 3600 });
+    this.blacklist = new TokenBlacklist({
+      keyPrefix: "token:",
+      defaultTTL: 3600,
+    });
   }
 
   /**
@@ -157,7 +159,7 @@ export class RefreshTokenManager {
     userId: string,
     sessionId: string,
     userRoles?: string[],
-    userPermissions?: string[]
+    userPermissions?: string[],
   ): Promise<TokenPair> {
     const now = Math.floor(Date.now() / 1000);
     const accessTokenExp = now + this.config.accessTokenTTL;
@@ -175,7 +177,7 @@ export class RefreshTokenManager {
         sessionId,
         generation,
         createdAt: new Date(),
-        lastUsedAt: new Date()
+        lastUsedAt: new Date(),
       });
     }
 
@@ -185,11 +187,11 @@ export class RefreshTokenManager {
       sessionId,
       roles: userRoles,
       permissions: userPermissions,
-      type: 'access',
+      type: "access",
       iat: now,
       exp: accessTokenExp,
       iss: this.config.issuer,
-      aud: this.config.audience
+      aud: this.config.audience,
     };
 
     // Create refresh token payload
@@ -198,22 +200,26 @@ export class RefreshTokenManager {
       sessionId,
       family,
       generation,
-      type: 'refresh',
+      type: "refresh",
       iat: now,
       exp: refreshTokenExp,
       iss: this.config.issuer,
-      aud: this.config.audience
+      aud: this.config.audience,
     };
 
     // Sign tokens
-    const accessToken = sign(accessPayload, this.config.secretKey, { algorithm: 'HS256' });
-    const refreshToken = sign(refreshPayload, this.config.secretKey, { algorithm: 'HS256' });
+    const accessToken = sign(accessPayload, this.config.secretKey, {
+      algorithm: "HS256",
+    });
+    const refreshToken = sign(refreshPayload, this.config.secretKey, {
+      algorithm: "HS256",
+    });
 
     return {
       accessToken,
       refreshToken,
       accessTokenExpiresAt: new Date(accessTokenExp * 1000),
-      refreshTokenExpiresAt: new Date(refreshTokenExp * 1000)
+      refreshTokenExpiresAt: new Date(refreshTokenExp * 1000),
     };
   }
 
@@ -227,7 +233,7 @@ export class RefreshTokenManager {
   async refreshTokenPair(
     refreshToken: string,
     userRoles?: string[],
-    userPermissions?: string[]
+    userPermissions?: string[],
   ): Promise<TokenPair> {
     // Validate refresh token
     const payload = await this.validateRefreshToken(refreshToken);
@@ -247,7 +253,7 @@ export class RefreshTokenManager {
       payload.sub,
       payload.sessionId,
       userRoles,
-      userPermissions
+      userPermissions,
     );
 
     // Update token family
@@ -256,11 +262,11 @@ export class RefreshTokenManager {
       if (family) {
         family.generation++;
         family.lastUsedAt = new Date();
-        
+
         // Enforce family size limit
         if (family.generation > this.config.maxFamilySize) {
           await this.revokeTokenFamily(payload.family);
-          throw new AuthenticationError('AUTH_TOKEN_INVALID');
+          throw new AuthenticationError("AUTH_TOKEN_INVALID");
         }
       }
     }
@@ -273,41 +279,41 @@ export class RefreshTokenManager {
    * @param refreshToken - Refresh token to validate
    * @returns Decoded payload
    */
-  async validateRefreshToken(refreshToken: string): Promise<RefreshTokenPayload> {
+  async validateRefreshToken(
+    refreshToken: string,
+  ): Promise<RefreshTokenPayload> {
     try {
       // Check if token is blacklisted
       if (await this.blacklist.isBlacklisted(refreshToken)) {
-        throw new AuthenticationError('AUTH_TOKEN_REVOKED');
+        throw new AuthenticationError("AUTH_TOKEN_REVOKED");
       }
 
       // Verify token
       const payload = verify(refreshToken, this.config.secretKey, {
         issuer: this.config.issuer,
         audience: this.config.audience,
-        algorithms: ['HS256']
+        algorithms: ["HS256"],
       }) as RefreshTokenPayload;
 
       // Validate token type
-      if (payload.type !== 'refresh') {
-        throw new AuthenticationError('AUTH_TOKEN_INVALID');
+      if (payload.type !== "refresh") {
+        throw new AuthenticationError("AUTH_TOKEN_INVALID");
       }
 
       return payload;
-
     } catch (error) {
-  if (error instanceof Error) {
-    if (error.name === 'TokenExpiredError') {
-      throw new AuthenticationError('AUTH_TOKEN_EXPIRED');
-    }
-
-    if (error.name === 'JsonWebTokenError') {
-      throw new AuthenticationError('AUTH_TOKEN_INVALID');
-    }
-  }
+      if (error instanceof Error) {
+        if (error.name === "TokenExpiredError") {
+          throw new AuthenticationError("AUTH_TOKEN_EXPIRED");
+        }
 
-  throw error;
-}
+        if (error.name === "JsonWebTokenError") {
+          throw new AuthenticationError("AUTH_TOKEN_INVALID");
+        }
+      }
 
+      throw error;
+    }
   }
 
   /**
@@ -317,7 +323,7 @@ export class RefreshTokenManager {
   async revokeRefreshToken(refreshToken: string): Promise<void> {
     try {
       const payload = await this.validateRefreshToken(refreshToken);
-      
+
       // Add to blacklist
       await this.blacklist.add(refreshToken, payload.exp);
 
@@ -325,10 +331,12 @@ export class RefreshTokenManager {
       if (this.config.enableFamilyTracking && payload.family) {
         await this.revokeTokenFamily(payload.family);
       }
-
     } catch (error) {
       // Token might already be invalid, but still try to blacklist
-      await this.blacklist.add(refreshToken, Math.floor(Date.now() / 1000) + 3600);
+      await this.blacklist.add(
+        refreshToken,
+        Math.floor(Date.now() / 1000) + 3600,
+      );
     }
   }
 
@@ -378,7 +386,9 @@ export class RefreshTokenManager {
 
     for (const [familyId, family] of this.tokenFamilies.entries()) {
       // Consider family expired if not used for longer than token TTL
-      const expiredTime = new Date(family.lastUsedAt.getTime() + this.config.tokenTTL * 1000);
+      const expiredTime = new Date(
+        family.lastUsedAt.getTime() + this.config.tokenTTL * 1000,
+      );
       if (expiredTime < now) {
         expiredFamilies.push(familyId);
       }
@@ -397,28 +407,33 @@ export class RefreshTokenManager {
    * @param payload - Refresh token payload
    * @private
    */
-  private async validateTokenFamily(payload: RefreshTokenPayload): Promise<void> {
+  private async validateTokenFamily(
+    payload: RefreshTokenPayload,
+  ): Promise<void> {
     if (!payload.family) {
       return;
     }
 
     const family = this.tokenFamilies.get(payload.family);
-    
+
     if (!family) {
-      throw new AuthenticationError('AUTH_TOKEN_INVALID');
+      throw new AuthenticationError("AUTH_TOKEN_INVALID");
     }
 
     // Check if token generation is valid
     if (payload.generation !== family.generation) {
       // Potential token theft - revoke entire family
       await this.revokeTokenFamily(payload.family);
-      throw new AuthenticationError('AUTH_TOKEN_REVOKED');
+      throw new AuthenticationError("AUTH_TOKEN_REVOKED");
     }
 
     // Check if user and session match
-    if (family.userId !== payload.sub || family.sessionId !== payload.sessionId) {
+    if (
+      family.userId !== payload.sub ||
+      family.sessionId !== payload.sessionId
+    ) {
       await this.revokeTokenFamily(payload.family);
-      throw new AuthenticationError('AUTH_TOKEN_REVOKED');
+      throw new AuthenticationError("AUTH_TOKEN_REVOKED");
     }
   }
 
@@ -429,7 +444,7 @@ export class RefreshTokenManager {
    */
   private async revokeTokenFamily(familyId: string): Promise<void> {
     const family = this.tokenFamilies.get(familyId);
-    
+
     if (family) {
       // In a real implementation, this would blacklist all tokens in the family
       // For now, we just remove the family tracking
@@ -443,6 +458,6 @@ export class RefreshTokenManager {
    * @private
    */
   private generateFamilyId(): string {
-    return randomBytes(16).toString('hex');
+    return randomBytes(16).toString("hex");
   }
-}
+}