@prsm/auth 1.0.0

package/src/__tests__/prsm.test.js

@@ -0,0 +1,215 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest"
+import request from "supertest"
+import { createTestApp, createTestDatabase } from "./test-setup.js"
+import { createAuthContext, createAuthTables, dropAuthTables, ActivityLogger, AuthStatus, AuthRole, AuthActivityAction, TwoFactorMechanism } from "../index.js"
+import { ensureListener, notifyInvalidation, wasInvalidatedSince, closeInvalidationListeners } from "../invalidation.js"
+
+/**
+ * @param {() => boolean} predicate
+ * @param {number} timeoutMs
+ */
+async function waitFor(predicate, timeoutMs = 4000) {
+  const start = Date.now()
+  while (Date.now() - start < timeoutMs) {
+    if (predicate()) return true
+    await new Promise((r) => setTimeout(r, 50))
+  }
+  return false
+}
+
+describe("optional limiter (duck-typed @prsm/limit)", () => {
+  let app
+  let cleanup
+  let allowed = true
+
+  beforeAll(async () => {
+    // duck-typed limiter using the tokenBucket verb (take); auth should not care
+    const limiter = { take: async () => ({ allowed, retryAfter: 1000 }) }
+    const ctx = await createTestApp({ tablePrefix: "prsm_lim_", limiter })
+    app = ctx.app
+    cleanup = ctx.cleanup
+
+    await request(app).post("/register").send({ email: "lim@example.com", password: "password123" })
+    // verify so login can proceed when allowed
+    const pool = ctx.pool
+    await pool.query(`UPDATE prsm_lim_accounts SET verified = true WHERE email = $1`, ["lim@example.com"])
+  })
+
+  afterAll(async () => {
+    await cleanup()
+  })
+
+  it("permits login when the limiter allows it", async () => {
+    allowed = true
+    const res = await request(app).post("/login").send({ email: "lim@example.com", password: "password123" })
+    expect(res.status).toBe(200)
+  })
+
+  it("rejects login with RateLimitedError when the limiter denies it", async () => {
+    allowed = false
+    const res = await request(app).post("/login").send({ email: "lim@example.com", password: "password123" })
+    expect(res.status).toBe(401)
+    expect(res.body.errorType).toBe("RateLimitedError")
+  })
+})
+
+describe("optional tracer (duck-typed @prsm/trace)", () => {
+  let app
+  let cleanup
+  const spans = []
+
+  beforeAll(async () => {
+    const tracer = {
+      span: (name, attributes, fn) => {
+        spans.push(name)
+        return fn()
+      },
+    }
+    const ctx = await createTestApp({ tablePrefix: "prsm_trc_", tracer })
+    app = ctx.app
+    cleanup = ctx.cleanup
+
+    await request(app).post("/register").send({ email: "trc@example.com", password: "password123" })
+    await ctx.pool.query(`UPDATE prsm_trc_accounts SET verified = true WHERE email = $1`, ["trc@example.com"])
+  })
+
+  afterAll(async () => {
+    await cleanup()
+  })
+
+  it("wraps login in a tracing span", async () => {
+    await request(app).post("/login").send({ email: "trc@example.com", password: "password123" })
+    expect(spans).toContain("auth.login")
+  })
+})
+
+describe("createAuthContext devtools surface", () => {
+  let pool
+  let config
+  let ctx
+
+  beforeAll(async () => {
+    pool = await createTestDatabase()
+    config = { db: pool, tablePrefix: "prsm_ctx_", minPasswordLength: 6 }
+    await dropAuthTables(config)
+    await createAuthTables(config)
+    ctx = createAuthContext(config)
+  })
+
+  afterAll(async () => {
+    await closeInvalidationListeners()
+    await pool.end()
+  })
+
+  it("lists accounts with a total count", async () => {
+    await ctx.createUser({ email: "a@example.com", password: "password123" }, "u-a")
+    await ctx.createUser({ email: "b@example.com", password: "password123" }, "u-b")
+    const { accounts, total } = await ctx.listAccounts({ limit: 10 })
+    expect(total).toBe(2)
+    expect(accounts.length).toBe(2)
+  })
+
+  it("searches accounts by email", async () => {
+    const { accounts, total } = await ctx.listAccounts({ search: "a@" })
+    expect(total).toBe(1)
+    expect(accounts[0].email).toBe("a@example.com")
+  })
+
+  it("gets a single account by identifier", async () => {
+    const account = await ctx.getAccount({ email: "b@example.com" })
+    expect(account.user_id).toBe("u-b")
+  })
+
+  it("throws UserNotFoundError for a missing account", async () => {
+    await expect(ctx.getAccount({ email: "nope@example.com" })).rejects.toThrow("User not found")
+  })
+
+  it("exposes the role map", () => {
+    expect(ctx.getRoles()).toBe(AuthRole)
+  })
+
+  it("returns table stats", async () => {
+    const stats = await ctx.getStats()
+    expect(stats.accounts).toBe(2)
+  })
+
+  it("returns recent activity entries", async () => {
+    const activity = await ctx.getRecentActivity(10)
+    expect(Array.isArray(activity)).toBe(true)
+  })
+
+  // regression: metadata is a JSONB column, so node-pg returns it already
+  // parsed. getRecentActivity used to call JSON.parse on it unconditionally,
+  // which threw and made the method silently return [] for any row with
+  // metadata. it must round-trip metadata as a parsed object and surface the
+  // parsed user-agent fields
+  it("round-trips activity metadata and parses the user agent", async () => {
+    const account = await ctx.getAccount({ email: "a@example.com" })
+    const logger = new ActivityLogger(config)
+    const req = {
+      headers: { "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36" },
+      socket: { remoteAddress: "10.0.0.9" },
+    }
+    await logger.logActivity(account.id, AuthActivityAction.Login, req, true, { email: "a@example.com", remember: true })
+
+    const activity = await ctx.getRecentActivity(10, account.id)
+    expect(activity.length).toBeGreaterThan(0)
+    const entry = activity[0]
+    expect(entry.action).toBe(AuthActivityAction.Login)
+    expect(entry.metadata).toEqual({ email: "a@example.com", remember: true })
+    expect(entry.browser).toBe("Chrome")
+  })
+
+  it("exposes the status map", () => {
+    expect(ctx.getStatuses()).toBe(AuthStatus)
+  })
+
+  it("exposes the two-factor mechanism map", () => {
+    expect(ctx.getMechanisms()).toBe(TwoFactorMechanism)
+  })
+
+  it("reflects role changes through getAccount", async () => {
+    await ctx.addRoleForUserBy({ email: "a@example.com" }, AuthRole.Admin)
+    const account = await ctx.getAccount({ email: "a@example.com" })
+    expect((account.rolemask & AuthRole.Admin) === AuthRole.Admin).toBe(true)
+  })
+})
+
+describe("cross-instance invalidation (postgres LISTEN/NOTIFY)", () => {
+  let pool
+  let config
+
+  beforeAll(async () => {
+    pool = await createTestDatabase()
+    config = { db: pool, tablePrefix: "prsm_inv_", minPasswordLength: 6, invalidation: { listen: true } }
+    await dropAuthTables(config)
+    await createAuthTables(config)
+    ensureListener(config)
+  })
+
+  afterAll(async () => {
+    await closeInvalidationListeners()
+    await pool.end()
+  })
+
+  it("delivers an explicit notify to the listener", async () => {
+    // give the LISTEN connection a moment to attach, then notify
+    await waitFor(() => false, 300)
+    await notifyInvalidation(config, 4242)
+    const got = await waitFor(() => wasInvalidatedSince(config, 4242, 0))
+    expect(got).toBe(true)
+  })
+
+  it("notifies when a security-relevant account field changes", async () => {
+    const ctx = createAuthContext(config)
+    const account = await ctx.createUser({ email: "inv@example.com", password: "password123" }, "u-inv")
+    const since = Date.now() - 1
+    await ctx.setStatusForUserBy({ accountId: account.id }, AuthStatus.Banned)
+    const got = await waitFor(() => wasInvalidatedSince(config, account.id, since))
+    expect(got).toBe(true)
+  })
+
+  it("does not report invalidation for an untouched account", () => {
+    expect(wasInvalidatedSince(config, 999999, 0)).toBe(false)
+  })
+})

package/src/__tests__/test-setup.js

@@ -0,0 +1,385 @@
+import express from "express"
+import session from "express-session"
+import cookieParser from "cookie-parser"
+import pg from "pg"
+import { createAuthMiddleware, createAuthTables, dropAuthTables, AuthRole, closeInvalidationListeners } from "../index.js"
+
+const { Pool } = pg
+
+export async function createTestDatabase() {
+  const url = process.env.AUTH_TEST_POSTGRES_URL
+  // keep test pools small so the whole suite can't exhaust postgres connections
+  const poolOptions = { max: 15, idleTimeoutMillis: 1000 }
+  const pool = url
+    ? new Pool({ connectionString: url, ...poolOptions })
+    : new Pool({
+        host: process.env.PGHOST || "localhost",
+        port: parseInt(process.env.PGPORT || "5432"),
+        database: process.env.PGDATABASE || "auth_test",
+        user: process.env.PGUSER || "auth",
+        password: process.env.PGPASSWORD || "auth_password",
+        ...poolOptions,
+      })
+
+  try {
+    await pool.query("SELECT NOW()")
+  } catch (error) {
+    throw new Error("Failed to connect to test database. Make sure to run: make up")
+  }
+
+  return pool
+}
+
+/**
+ * @param {Partial<import("../index.js").AuthConfig>} [configOverrides]
+ */
+export async function createTestApp(configOverrides) {
+  const pool = await createTestDatabase()
+
+  const app = express()
+
+  app.use(express.json())
+  app.use(cookieParser())
+  app.use(
+    session({
+      secret: "test-secret-key-for-testing-only",
+      resave: false,
+      saveUninitialized: false,
+      cookie: { secure: false, httpOnly: true },
+    }),
+  )
+
+  const authConfig = {
+    db: pool,
+    tablePrefix: "test_",
+    minPasswordLength: 6,
+    maxPasswordLength: 50,
+    rememberDuration: "7d",
+    rememberCookieName: "test_remember_token",
+    resyncInterval: "30s",
+    ...configOverrides,
+  }
+
+  await dropAuthTables(authConfig)
+  await createAuthTables(authConfig)
+
+  app.use(createAuthMiddleware(authConfig))
+
+  app.post("/register", async (req, res) => {
+    try {
+      const { email, password, userId, requireConfirmation } = req.body
+      let confirmationToken
+
+      const account = await req.auth.register(
+        email,
+        password,
+        userId || undefined,
+        requireConfirmation
+          ? (token) => {
+              confirmationToken = token
+            }
+          : undefined,
+      )
+
+      res.json({
+        success: true,
+        account: {
+          id: account.id,
+          email: account.email,
+          verified: account.verified,
+          status: account.status,
+          user_id: account.user_id,
+        },
+        confirmationToken,
+      })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/login", async (req, res) => {
+    try {
+      const { email, password, remember } = req.body
+      await req.auth.login(email, password, remember)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(401).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/logout", async (req, res) => {
+    try {
+      await req.auth.logout()
+      res.json({ success: true })
+    } catch (error) {
+      res.status(500).json({ error: error.message })
+    }
+  })
+
+  app.get("/profile", async (req, res) => {
+    if (!req.auth.isLoggedIn()) {
+      return res.status(401).json({ error: "Not logged in" })
+    }
+
+    res.json({
+      id: req.auth.getId(),
+      email: req.auth.getEmail(),
+      status: req.auth.getStatus(),
+      statusName: req.auth.getStatusName(),
+      verified: req.auth.getVerified(),
+      hasPassword: req.auth.hasPassword(),
+      roles: req.auth.getRoleNames(),
+      remembered: req.auth.isRemembered(),
+      isAdmin: await req.auth.isAdmin(),
+      hasRole: req.query.role ? await req.auth.hasRole(parseInt(req.query.role)) : undefined,
+    })
+  })
+
+  app.post("/confirm-email", async (req, res) => {
+    try {
+      const { token, autoLogin } = req.body
+      if (autoLogin) {
+        await req.auth.confirmEmailAndLogin(token)
+      } else {
+        const email = await req.auth.confirmEmail(token)
+        res.json({ success: true, email })
+        return
+      }
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/reset-password", async (req, res) => {
+    try {
+      const { email, expiresAfter, maxRequests } = req.body
+      let resetToken
+
+      await req.auth.resetPassword(email, expiresAfter || "1h", maxRequests || 3, (token) => {
+        resetToken = token
+      })
+
+      res.json({ success: true, resetToken })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/confirm-reset", async (req, res) => {
+    try {
+      const { token, password, logout } = req.body
+      await req.auth.confirmResetPassword(token, password, logout)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/change-email", async (req, res) => {
+    try {
+      const { newEmail } = req.body
+      let confirmationToken
+
+      await req.auth.changeEmail(newEmail, (token) => {
+        confirmationToken = token
+      })
+
+      res.json({ success: true, confirmationToken })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/verify-password", async (req, res) => {
+    try {
+      const { password } = req.body
+      const isValid = await req.auth.verifyPassword(password)
+      res.json({ success: true, isValid })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/logout-everywhere", async (req, res) => {
+    try {
+      await req.auth.logoutEverywhere()
+      res.json({ success: true })
+    } catch (error) {
+      res.status(500).json({ error: error.message })
+    }
+  })
+
+  app.post("/logout-everywhere-else", async (req, res) => {
+    try {
+      await req.auth.logoutEverywhereElse()
+      res.json({ success: true })
+    } catch (error) {
+      res.status(500).json({ error: error.message })
+    }
+  })
+
+  // admin routes
+  app.post("/admin/create-user", async (req, res) => {
+    try {
+      const { email, password, userId, requireConfirmation } = req.body
+      let confirmationToken
+
+      const account = await req.auth.createUser(
+        { email, password },
+        userId || "test-admin-user-456",
+        requireConfirmation
+          ? (token) => {
+              confirmationToken = token
+            }
+          : undefined,
+      )
+
+      res.json({
+        success: true,
+        account: {
+          id: account.id,
+          email: account.email,
+          verified: account.verified,
+        },
+        confirmationToken,
+      })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/login-as", async (req, res) => {
+    try {
+      const identifier = req.body
+      await req.auth.loginAsUserBy(identifier)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/add-role", async (req, res) => {
+    try {
+      const { identifier, role } = req.body
+      await req.auth.addRoleForUserBy(identifier, role)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/remove-role", async (req, res) => {
+    try {
+      const { identifier, role } = req.body
+      await req.auth.removeRoleForUserBy(identifier, role)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/has-role", async (req, res) => {
+    try {
+      const { identifier, role } = req.body
+      const hasRole = await req.auth.hasRoleForUserBy(identifier, role)
+      res.json({ success: true, hasRole })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/change-password", async (req, res) => {
+    try {
+      const { identifier, password } = req.body
+      await req.auth.changePasswordForUserBy(identifier, password)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/set-status", async (req, res) => {
+    try {
+      const { identifier, status } = req.body
+      await req.auth.setStatusForUserBy(identifier, status)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/initiate-reset", async (req, res) => {
+    try {
+      const { identifier, expiresAfter } = req.body
+      let resetToken
+      await req.auth.initiatePasswordResetForUserBy(identifier, expiresAfter, (token) => {
+        resetToken = token
+      })
+      res.json({ success: true, resetToken })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/user-exists", async (req, res) => {
+    try {
+      const { email } = req.body
+      const exists = await req.auth.userExistsByEmail(email)
+      res.json({ success: true, exists })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/delete-user", async (req, res) => {
+    try {
+      const identifier = req.body
+      await req.auth.deleteUserBy(identifier)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  app.post("/admin/force-logout-user", async (req, res) => {
+    try {
+      const identifier = req.body
+      await req.auth.forceLogoutForUserBy(identifier)
+      res.json({ success: true })
+    } catch (error) {
+      res.status(400).json({ error: error.message, errorType: error.constructor.name })
+    }
+  })
+
+  // utility routes
+  app.post("/set-user-session", (req, res) => {
+    req.session.userId = req.body.userId || "test-user-123"
+    req.session.save((err) => {
+      if (err) {
+        return res.status(500).json({ error: "Failed to save session" })
+      }
+      res.json({ success: true })
+    })
+  })
+
+  app.get("/session-info", (req, res) => {
+    res.json({
+      sessionId: req.sessionID,
+      userId: req.session.userId,
+      auth: req.session.auth || null,
+    })
+  })
+
+  return {
+    app,
+    pool,
+    authConfig,
+    cleanup: async () => {
+      await closeInvalidationListeners()
+      await pool.end()
+    },
+  }
+}
+
+export { AuthRole }