@revealui/core 0.0.1-pre.3 → 0.2.0

package/dist/security/auth.js

@@ -0,0 +1,474 @@
+/**
+ * Authentication System
+ *
+ * JWT-based authentication with session management, token refresh, and OAuth support
+ */
+import { createHmac, randomBytes } from 'node:crypto';
+import { jwtVerify, SignJWT } from 'jose';
+const DEFAULT_CONFIG = {
+    jwtAlgorithm: 'HS256',
+    accessTokenExpiry: 3600, // 1 hour
+    refreshTokenExpiry: 604800, // 7 days
+    issuer: 'revealui',
+    audience: 'revealui-app',
+    sessionTimeout: 1800, // 30 minutes
+    refreshThreshold: 300, // 5 minutes before expiry
+};
+/**
+ * Authentication system
+ */
+export class AuthSystem {
+    static MAX_SESSIONS = 10_000;
+    config;
+    sessions = new Map();
+    refreshTokens = new Map(); // refreshToken -> userId
+    sessionCleanupInterval;
+    constructor(config) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+        this.startSessionCleanup();
+    }
+    /**
+     * Authenticate user with credentials
+     */
+    async authenticate(_email, _password, _deviceInfo) {
+        // This would integrate with your authentication backend
+        // For now, this is a placeholder implementation
+        throw new Error('Implement authenticate() with your auth backend');
+    }
+    /**
+     * Create JWT token
+     */
+    async createToken(user, expiresIn = this.config.accessTokenExpiry) {
+        const now = Math.floor(Date.now() / 1000);
+        const expiresAt = now + expiresIn;
+        const payload = {
+            sub: user.id,
+            email: user.email,
+            roles: user.roles,
+            permissions: user.permissions,
+            iat: now,
+            exp: expiresAt,
+            iss: this.config.issuer,
+            aud: this.config.audience,
+        };
+        const accessToken = await this.encodeJWT(payload);
+        // Create refresh token
+        const refreshToken = this.generateRefreshToken(user.id);
+        return {
+            accessToken,
+            refreshToken,
+            expiresAt: expiresAt * 1000, // Convert to ms
+            tokenType: 'Bearer',
+        };
+    }
+    /**
+     * Verify and decode JWT token
+     */
+    async verifyToken(token) {
+        try {
+            const payload = await this.decodeJWT(token);
+            // Check expiration
+            const now = Math.floor(Date.now() / 1000);
+            if (payload.exp && payload.exp < now) {
+                throw new Error('Token expired');
+            }
+            // Check issuer
+            if (payload.iss !== this.config.issuer) {
+                throw new Error('Invalid token issuer');
+            }
+            // Check audience
+            if (payload.aud !== this.config.audience) {
+                throw new Error('Invalid token audience');
+            }
+            return payload;
+        }
+        catch (error) {
+            throw new Error(`Token verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Refresh access token
+     */
+    async refreshAccessToken(refreshToken) {
+        const userId = this.refreshTokens.get(refreshToken);
+        if (!userId) {
+            throw new Error('Invalid refresh token');
+        }
+        // Get user session
+        const session = Array.from(this.sessions.values()).find((s) => s.user.id === userId);
+        if (!session) {
+            throw new Error('Session not found');
+        }
+        // Create new access token
+        return await this.createToken(session.user);
+    }
+    /**
+     * Create session
+     */
+    createSession(user, token, deviceInfo) {
+        const now = Date.now();
+        // Evict oldest session if at capacity
+        if (this.sessions.size >= AuthSystem.MAX_SESSIONS) {
+            let oldestKey;
+            let oldestTime = Number.POSITIVE_INFINITY;
+            for (const [key, session] of this.sessions.entries()) {
+                if (session.lastActivity < oldestTime) {
+                    oldestTime = session.lastActivity;
+                    oldestKey = key;
+                }
+            }
+            if (oldestKey) {
+                this.destroySession(oldestKey);
+            }
+        }
+        const session = {
+            user,
+            token,
+            createdAt: now,
+            lastActivity: now,
+            expiresAt: now + this.config.sessionTimeout * 1000,
+            deviceInfo,
+        };
+        this.sessions.set(user.id, session);
+        if (token.refreshToken) {
+            this.refreshTokens.set(token.refreshToken, user.id);
+        }
+        return session;
+    }
+    /**
+     * Get session
+     */
+    getSession(userId) {
+        const session = this.sessions.get(userId);
+        if (!session) {
+            return undefined;
+        }
+        // Check if session expired
+        if (Date.now() > session.expiresAt) {
+            this.destroySession(userId);
+            return undefined;
+        }
+        return session;
+    }
+    /**
+     * Update session activity
+     */
+    updateSessionActivity(userId) {
+        const session = this.sessions.get(userId);
+        if (session) {
+            session.lastActivity = Date.now();
+            session.expiresAt = Date.now() + this.config.sessionTimeout * 1000;
+        }
+    }
+    /**
+     * Destroy session
+     */
+    destroySession(userId) {
+        const session = this.sessions.get(userId);
+        if (session?.token.refreshToken) {
+            this.refreshTokens.delete(session.token.refreshToken);
+        }
+        this.sessions.delete(userId);
+    }
+    /**
+     * Destroy all sessions for user
+     */
+    destroyAllSessions(userId) {
+        this.destroySession(userId);
+    }
+    /**
+     * Check if token needs refresh
+     */
+    shouldRefreshToken(token) {
+        const timeUntilExpiry = token.expiresAt - Date.now();
+        return timeUntilExpiry < this.config.refreshThreshold * 1000;
+    }
+    /**
+     * Get user from token
+     */
+    async getUserFromToken(token) {
+        try {
+            const payload = await this.verifyToken(token);
+            return {
+                id: payload.sub,
+                email: payload.email,
+                roles: payload.roles,
+                permissions: payload.permissions,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Encode JWT using jose library (Web Crypto API)
+     */
+    async encodeJWT(payload) {
+        const secret = new TextEncoder().encode(this.config.jwtSecret);
+        const alg = this.config.jwtAlgorithm === 'RS256' ? 'RS256' : this.config.jwtAlgorithm;
+        const builder = new SignJWT({
+            email: payload.email,
+            roles: payload.roles,
+            permissions: payload.permissions,
+        })
+            .setProtectedHeader({ alg })
+            .setSubject(payload.sub)
+            .setIssuedAt(payload.iat)
+            .setExpirationTime(payload.exp);
+        if (payload.iss)
+            builder.setIssuer(payload.iss);
+        if (payload.aud)
+            builder.setAudience(payload.aud);
+        return builder.sign(secret);
+    }
+    /**
+     * Decode and verify JWT using jose library (Web Crypto API)
+     */
+    async decodeJWT(token) {
+        const secret = new TextEncoder().encode(this.config.jwtSecret);
+        const { payload } = await jwtVerify(token, secret);
+        return payload;
+    }
+    /**
+     * Generate cryptographically secure refresh token
+     */
+    generateRefreshToken(userId) {
+        const token = randomBytes(32).toString('hex');
+        return `${userId}.${token}`;
+    }
+    /**
+     * Start session cleanup interval
+     */
+    startSessionCleanup() {
+        this.sessionCleanupInterval = setInterval(() => {
+            const now = Date.now();
+            for (const [userId, session] of this.sessions.entries()) {
+                if (now > session.expiresAt) {
+                    this.destroySession(userId);
+                }
+            }
+        }, 60000); // Every minute
+    }
+    /**
+     * Stop session cleanup
+     */
+    destroy() {
+        if (this.sessionCleanupInterval) {
+            clearInterval(this.sessionCleanupInterval);
+        }
+    }
+}
+/**
+ * OAuth provider configurations
+ */
+export const OAuthProviders = {
+    google: {
+        authorizationUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
+        tokenUrl: 'https://oauth2.googleapis.com/token',
+        userInfoUrl: 'https://www.googleapis.com/oauth2/v2/userinfo',
+        scope: ['openid', 'email', 'profile'],
+    },
+    github: {
+        authorizationUrl: 'https://github.com/login/oauth/authorize',
+        tokenUrl: 'https://github.com/login/oauth/access_token',
+        userInfoUrl: 'https://api.github.com/user',
+        scope: ['user:email'],
+    },
+    microsoft: {
+        authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+        tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+        userInfoUrl: 'https://graph.microsoft.com/v1.0/me',
+        scope: ['openid', 'email', 'profile'],
+    },
+};
+/**
+ * OAuth client
+ */
+export class OAuthClient {
+    config;
+    constructor(config) {
+        this.config = {
+            ...config,
+            ...OAuthProviders[config.provider],
+        };
+    }
+    /**
+     * Get authorization URL
+     */
+    getAuthorizationUrl(state) {
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            response_type: 'code',
+            scope: (this.config.scope || []).join(' '),
+        });
+        if (state) {
+            params.append('state', state);
+        }
+        return `${this.config.authorizationUrl}?${params.toString()}`;
+    }
+    /**
+     * Exchange code for token
+     */
+    async exchangeCodeForToken(code) {
+        const response = await fetch(this.config.tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams({
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                code,
+                grant_type: 'authorization_code',
+                redirect_uri: this.config.redirectUri,
+            }),
+        });
+        if (!response.ok) {
+            throw new Error('Failed to exchange code for token');
+        }
+        return response.json();
+    }
+    /**
+     * Get user info
+     */
+    async getUserInfo(accessToken) {
+        const response = await fetch(this.config.userInfoUrl, {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+            },
+        });
+        if (!response.ok) {
+            throw new Error('Failed to fetch user info');
+        }
+        return response.json();
+    }
+}
+/**
+ * Password hashing utilities
+ *
+ * Uses PBKDF2 with a random salt for secure password hashing.
+ * For even stronger hashing, use bcryptjs (available in @revealui/auth).
+ */
+export class PasswordHasher {
+    static ITERATIONS = 100000;
+    static KEY_LENGTH = 64;
+    static DIGEST = 'sha512';
+    /**
+     * Hash password with PBKDF2 and random salt
+     */
+    static async hash(password) {
+        const { pbkdf2, randomBytes: rb } = await import('node:crypto');
+        const salt = rb(16).toString('hex');
+        return new Promise((resolve, reject) => {
+            pbkdf2(password, salt, PasswordHasher.ITERATIONS, PasswordHasher.KEY_LENGTH, PasswordHasher.DIGEST, (err, derivedKey) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve(`${salt}:${derivedKey.toString('hex')}`);
+            });
+        });
+    }
+    /**
+     * Verify password against stored hash
+     */
+    static async verify(password, storedHash) {
+        const { pbkdf2, timingSafeEqual } = await import('node:crypto');
+        const [salt, hash] = storedHash.split(':');
+        if (!(salt && hash)) {
+            return false;
+        }
+        return new Promise((resolve, reject) => {
+            pbkdf2(password, salt, PasswordHasher.ITERATIONS, PasswordHasher.KEY_LENGTH, PasswordHasher.DIGEST, (err, derivedKey) => {
+                if (err)
+                    reject(err);
+                else {
+                    const derived = Buffer.from(derivedKey.toString('hex'), 'utf-8');
+                    const expected = Buffer.from(hash, 'utf-8');
+                    if (derived.length !== expected.length) {
+                        resolve(false);
+                    }
+                    else {
+                        resolve(timingSafeEqual(derived, expected));
+                    }
+                }
+            });
+        });
+    }
+}
+/**
+ * Two-factor authentication
+ */
+export class TwoFactorAuth {
+    /**
+     * Generate TOTP secret
+     */
+    static generateSecret() {
+        const crypto = globalThis.crypto;
+        if (!crypto) {
+            throw new Error('Crypto API not available');
+        }
+        const buffer = new Uint8Array(20);
+        crypto.getRandomValues(buffer);
+        return TwoFactorAuth.base32Encode(buffer);
+    }
+    /**
+     * Generate TOTP code
+     */
+    static generateCode(secret, timestamp) {
+        const time = Math.floor((timestamp || Date.now()) / 30000);
+        const hmacDigest = TwoFactorAuth.hmac(secret, time.toString());
+        const offset = hmacDigest[hmacDigest.length - 1] & 0x0f;
+        const code = (((hmacDigest[offset] & 0x7f) << 24) |
+            ((hmacDigest[offset + 1] & 0xff) << 16) |
+            ((hmacDigest[offset + 2] & 0xff) << 8) |
+            (hmacDigest[offset + 3] & 0xff)) %
+            1000000;
+        return code.toString().padStart(6, '0');
+    }
+    /**
+     * Verify TOTP code
+     */
+    static verifyCode(secret, code, window = 1) {
+        const timestamp = Date.now();
+        // Check current and adjacent time windows
+        for (let i = -window; i <= window; i++) {
+            const testTime = timestamp + i * 30000;
+            const testCode = TwoFactorAuth.generateCode(secret, testTime);
+            if (testCode === code) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Base32 encode
+     */
+    static base32Encode(buffer) {
+        const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+        let result = '';
+        let bits = 0;
+        let value = 0;
+        for (const byte of buffer) {
+            if (byte === undefined)
+                continue;
+            value = (value << 8) | byte;
+            bits += 8;
+            while (bits >= 5) {
+                result += alphabet[(value >>> (bits - 5)) & 31];
+                bits -= 5;
+            }
+        }
+        if (bits > 0) {
+            result += alphabet[(value << (5 - bits)) & 31];
+        }
+        return result;
+    }
+    /**
+     * HMAC-SHA1 implementation for TOTP
+     */
+    static hmac(key, message) {
+        const hmacDigest = createHmac('sha1', key).update(message).digest();
+        return new Uint8Array(hmacDigest);
+    }
+}

package/dist/security/authorization.d.ts

@@ -0,0 +1,235 @@
+/**
+ * Authorization System
+ *
+ * Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
+ */
+export interface Permission {
+    resource: string;
+    action: string;
+    conditions?: Record<string, unknown>;
+}
+export interface Role {
+    id: string;
+    name: string;
+    description?: string;
+    permissions: Permission[];
+    inherits?: string[];
+}
+export interface Policy {
+    id: string;
+    name: string;
+    effect: 'allow' | 'deny';
+    resources: string[];
+    actions: string[];
+    conditions?: PolicyCondition[];
+    priority?: number;
+}
+export interface PolicyCondition {
+    field: string;
+    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains';
+    value: unknown;
+}
+export interface AuthorizationContext {
+    user: {
+        id: string;
+        roles: string[];
+        attributes?: Record<string, unknown>;
+    };
+    resource?: {
+        type: string;
+        id?: string;
+        owner?: string;
+        attributes?: Record<string, unknown>;
+    };
+    environment?: {
+        time?: Date;
+        ip?: string;
+        userAgent?: string;
+    };
+}
+/**
+ * Authorization system
+ */
+export declare class AuthorizationSystem {
+    private roles;
+    private policies;
+    /**
+     * Register role
+     */
+    registerRole(role: Role): void;
+    /**
+     * Get role
+     */
+    getRole(roleId: string): Role | undefined;
+    /**
+     * Register policy
+     */
+    registerPolicy(policy: Policy): void;
+    /**
+     * Check if user has permission (RBAC)
+     */
+    hasPermission(userRoles: string[], resource: string, action: string): boolean;
+    /**
+     * Check access with policies (ABAC)
+     */
+    checkAccess(context: AuthorizationContext, resource: string, action: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Get all permissions for roles
+     */
+    private getUserPermissions;
+    /**
+     * Get applicable policies
+     */
+    private getApplicablePolicies;
+    /**
+     * Match resource pattern
+     */
+    private matchesResource;
+    /**
+     * Match action pattern
+     */
+    private matchesAction;
+    /**
+     * Evaluate policy conditions
+     */
+    private evaluateConditions;
+    /**
+     * Get value from context
+     */
+    private getContextValue;
+    /**
+     * Evaluate single condition
+     */
+    private evaluateCondition;
+    /**
+     * Check if user owns resource
+     */
+    ownsResource(userId: string, resource: {
+        owner?: string;
+    }): boolean;
+    /**
+     * Clear all roles and policies
+     */
+    clear(): void;
+}
+/**
+ * Global authorization instance
+ */
+export declare const authorization: AuthorizationSystem;
+/**
+ * Common roles
+ */
+export declare const CommonRoles: {
+    admin: {
+        id: string;
+        name: string;
+        description: string;
+        permissions: {
+            resource: string;
+            action: string;
+        }[];
+    };
+    user: {
+        id: string;
+        name: string;
+        description: string;
+        permissions: {
+            resource: string;
+            action: string;
+        }[];
+    };
+    guest: {
+        id: string;
+        name: string;
+        description: string;
+        permissions: {
+            resource: string;
+            action: string;
+        }[];
+    };
+};
+/**
+ * Permission builder
+ */
+export declare class PermissionBuilder {
+    private permission;
+    resource(resource: string): this;
+    action(action: string): this;
+    conditions(conditions: Record<string, unknown>): this;
+    build(): Permission;
+}
+/**
+ * Policy builder
+ */
+export declare class PolicyBuilder {
+    private policy;
+    id(id: string): this;
+    name(name: string): this;
+    allow(): this;
+    deny(): this;
+    resources(...resources: string[]): this;
+    actions(...actions: string[]): this;
+    condition(field: string, operator: PolicyCondition['operator'], value: unknown): this;
+    priority(priority: number): this;
+    build(): Policy;
+}
+/**
+ * Authorization decorators
+ */
+export declare function RequirePermission(resource: string, action: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+export declare function RequireRole(requiredRole: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+/**
+ * Authorization middleware
+ */
+export declare function createAuthorizationMiddleware<TRequest = unknown>(getUser: (request: TRequest) => {
+    id: string;
+    roles: string[];
+}, resource: string, action: string): (request: TRequest, next: () => Promise<unknown>) => Promise<unknown>;
+/**
+ * Resource ownership check
+ */
+export declare function canAccessResource(userId: string, userRoles: string[], resource: {
+    type: string;
+    id?: string;
+    owner?: string;
+}, action: string): boolean;
+/**
+ * Attribute-based access control helper
+ */
+export declare function checkAttributeAccess(context: AuthorizationContext, resource: string, action: string, requiredAttributes?: Record<string, unknown>): boolean;
+/**
+ * Permission cache for performance
+ */
+export declare class PermissionCache {
+    private cache;
+    private ttl;
+    constructor(ttl?: number);
+    /**
+     * Get cached permission
+     */
+    get(userId: string, resource: string, action: string): boolean | undefined;
+    /**
+     * Set cached permission
+     */
+    set(userId: string, resource: string, action: string, allowed: boolean): void;
+    /**
+     * Clear cache for user
+     */
+    clearUser(userId: string): void;
+    /**
+     * Clear all cache
+     */
+    clear(): void;
+    /**
+     * Get cache key
+     */
+    private getCacheKey;
+}
+/**
+ * Global permission cache
+ */
+export declare const permissionCache: PermissionCache;
+//# sourceMappingURL=authorization.d.ts.map