@revealui/core 0.2.1 → 0.5.0

package/dist/security/auth.js

@@ -1,476 +0,0 @@
-/**
- * Authentication System
- *
- * JWT-based authentication with session management, token refresh, and OAuth support
- */
-import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
-import { jwtVerify, SignJWT } from 'jose';
-const DEFAULT_CONFIG = {
-    jwtAlgorithm: 'HS256',
-    accessTokenExpiry: 3600, // 1 hour
-    refreshTokenExpiry: 604800, // 7 days
-    issuer: 'revealui',
-    audience: 'revealui-app',
-    sessionTimeout: 1800, // 30 minutes
-    refreshThreshold: 300, // 5 minutes before expiry
-};
-/**
- * Authentication system
- */
-export class AuthSystem {
-    static MAX_SESSIONS = 10_000;
-    config;
-    sessions = new Map();
-    refreshTokens = new Map(); // refreshToken -> userId
-    sessionCleanupInterval;
-    constructor(config) {
-        this.config = { ...DEFAULT_CONFIG, ...config };
-        this.startSessionCleanup();
-    }
-    /**
-     * Authenticate user with credentials
-     */
-    async authenticate(_email, _password, _deviceInfo) {
-        // This would integrate with your authentication backend
-        // For now, this is a placeholder implementation
-        throw new Error('Implement authenticate() with your auth backend');
-    }
-    /**
-     * Create JWT token
-     */
-    async createToken(user, expiresIn = this.config.accessTokenExpiry) {
-        const now = Math.floor(Date.now() / 1000);
-        const expiresAt = now + expiresIn;
-        const payload = {
-            sub: user.id,
-            email: user.email,
-            roles: user.roles,
-            permissions: user.permissions,
-            iat: now,
-            exp: expiresAt,
-            iss: this.config.issuer,
-            aud: this.config.audience,
-        };
-        const accessToken = await this.encodeJWT(payload);
-        // Create refresh token
-        const refreshToken = this.generateRefreshToken(user.id);
-        return {
-            accessToken,
-            refreshToken,
-            expiresAt: expiresAt * 1000, // Convert to ms
-            tokenType: 'Bearer',
-        };
-    }
-    /**
-     * Verify and decode JWT token
-     */
-    async verifyToken(token) {
-        try {
-            const payload = await this.decodeJWT(token);
-            // Check expiration
-            const now = Math.floor(Date.now() / 1000);
-            if (payload.exp && payload.exp < now) {
-                throw new Error('Token expired');
-            }
-            // Check issuer
-            if (payload.iss !== this.config.issuer) {
-                throw new Error('Invalid token issuer');
-            }
-            // Check audience
-            if (payload.aud !== this.config.audience) {
-                throw new Error('Invalid token audience');
-            }
-            return payload;
-        }
-        catch (error) {
-            throw new Error(`Token verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
-        }
-    }
-    /**
-     * Refresh access token
-     */
-    async refreshAccessToken(refreshToken) {
-        const userId = this.refreshTokens.get(refreshToken);
-        if (!userId) {
-            throw new Error('Invalid refresh token');
-        }
-        // Get user session
-        const session = Array.from(this.sessions.values()).find((s) => s.user.id === userId);
-        if (!session) {
-            throw new Error('Session not found');
-        }
-        // Create new access token
-        return await this.createToken(session.user);
-    }
-    /**
-     * Create session
-     */
-    createSession(user, token, deviceInfo) {
-        const now = Date.now();
-        // Evict oldest session if at capacity
-        if (this.sessions.size >= AuthSystem.MAX_SESSIONS) {
-            let oldestKey;
-            let oldestTime = Number.POSITIVE_INFINITY;
-            for (const [key, session] of this.sessions.entries()) {
-                if (session.lastActivity < oldestTime) {
-                    oldestTime = session.lastActivity;
-                    oldestKey = key;
-                }
-            }
-            if (oldestKey) {
-                this.destroySession(oldestKey);
-            }
-        }
-        const session = {
-            user,
-            token,
-            createdAt: now,
-            lastActivity: now,
-            expiresAt: now + this.config.sessionTimeout * 1000,
-            deviceInfo,
-        };
-        this.sessions.set(user.id, session);
-        if (token.refreshToken) {
-            this.refreshTokens.set(token.refreshToken, user.id);
-        }
-        return session;
-    }
-    /**
-     * Get session
-     */
-    getSession(userId) {
-        const session = this.sessions.get(userId);
-        if (!session) {
-            return undefined;
-        }
-        // Check if session expired
-        if (Date.now() > session.expiresAt) {
-            this.destroySession(userId);
-            return undefined;
-        }
-        return session;
-    }
-    /**
-     * Update session activity
-     */
-    updateSessionActivity(userId) {
-        const session = this.sessions.get(userId);
-        if (session) {
-            session.lastActivity = Date.now();
-            session.expiresAt = Date.now() + this.config.sessionTimeout * 1000;
-        }
-    }
-    /**
-     * Destroy session
-     */
-    destroySession(userId) {
-        const session = this.sessions.get(userId);
-        if (session?.token.refreshToken) {
-            this.refreshTokens.delete(session.token.refreshToken);
-        }
-        this.sessions.delete(userId);
-    }
-    /**
-     * Destroy all sessions for user
-     */
-    destroyAllSessions(userId) {
-        this.destroySession(userId);
-    }
-    /**
-     * Check if token needs refresh
-     */
-    shouldRefreshToken(token) {
-        const timeUntilExpiry = token.expiresAt - Date.now();
-        return timeUntilExpiry < this.config.refreshThreshold * 1000;
-    }
-    /**
-     * Get user from token
-     */
-    async getUserFromToken(token) {
-        try {
-            const payload = await this.verifyToken(token);
-            return {
-                id: payload.sub,
-                email: payload.email,
-                roles: payload.roles,
-                permissions: payload.permissions,
-            };
-        }
-        catch {
-            return null;
-        }
-    }
-    /**
-     * Encode JWT using jose library (Web Crypto API)
-     */
-    async encodeJWT(payload) {
-        const secret = new TextEncoder().encode(this.config.jwtSecret);
-        const alg = this.config.jwtAlgorithm === 'RS256' ? 'RS256' : this.config.jwtAlgorithm;
-        const builder = new SignJWT({
-            email: payload.email,
-            roles: payload.roles,
-            permissions: payload.permissions,
-        })
-            .setProtectedHeader({ alg })
-            .setSubject(payload.sub)
-            .setIssuedAt(payload.iat)
-            .setExpirationTime(payload.exp);
-        if (payload.iss)
-            builder.setIssuer(payload.iss);
-        if (payload.aud)
-            builder.setAudience(payload.aud);
-        return builder.sign(secret);
-    }
-    /**
-     * Decode and verify JWT using jose library (Web Crypto API)
-     */
-    async decodeJWT(token) {
-        const secret = new TextEncoder().encode(this.config.jwtSecret);
-        const { payload } = await jwtVerify(token, secret);
-        return payload;
-    }
-    /**
-     * Generate cryptographically secure refresh token
-     */
-    generateRefreshToken(_userId) {
-        // Opaque token — userId is stored in the refreshTokens map, not leaked in the token itself
-        return randomBytes(32).toString('hex');
-    }
-    /**
-     * Start session cleanup interval
-     */
-    startSessionCleanup() {
-        this.sessionCleanupInterval = setInterval(() => {
-            const now = Date.now();
-            for (const [userId, session] of this.sessions.entries()) {
-                if (now > session.expiresAt) {
-                    this.destroySession(userId);
-                }
-            }
-        }, 60000); // Every minute
-    }
-    /**
-     * Stop session cleanup
-     */
-    destroy() {
-        if (this.sessionCleanupInterval) {
-            clearInterval(this.sessionCleanupInterval);
-        }
-    }
-}
-/**
- * OAuth provider configurations
- */
-export const OAuthProviders = {
-    google: {
-        authorizationUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
-        tokenUrl: 'https://oauth2.googleapis.com/token',
-        userInfoUrl: 'https://www.googleapis.com/oauth2/v2/userinfo',
-        scope: ['openid', 'email', 'profile'],
-    },
-    github: {
-        authorizationUrl: 'https://github.com/login/oauth/authorize',
-        tokenUrl: 'https://github.com/login/oauth/access_token',
-        userInfoUrl: 'https://api.github.com/user',
-        scope: ['user:email'],
-    },
-    microsoft: {
-        authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
-        tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
-        userInfoUrl: 'https://graph.microsoft.com/v1.0/me',
-        scope: ['openid', 'email', 'profile'],
-    },
-};
-/**
- * OAuth client
- */
-export class OAuthClient {
-    config;
-    constructor(config) {
-        // Provider defaults fill in missing fields; user-provided config takes precedence
-        this.config = {
-            ...OAuthProviders[config.provider],
-            ...config,
-        };
-    }
-    /**
-     * Get authorization URL
-     */
-    getAuthorizationUrl(state) {
-        const params = new URLSearchParams({
-            client_id: this.config.clientId,
-            redirect_uri: this.config.redirectUri,
-            response_type: 'code',
-            scope: (this.config.scope || []).join(' '),
-        });
-        if (state) {
-            params.append('state', state);
-        }
-        return `${this.config.authorizationUrl}?${params.toString()}`;
-    }
-    /**
-     * Exchange code for token
-     */
-    async exchangeCodeForToken(code) {
-        const response = await fetch(this.config.tokenUrl, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-            },
-            body: new URLSearchParams({
-                client_id: this.config.clientId,
-                client_secret: this.config.clientSecret,
-                code,
-                grant_type: 'authorization_code',
-                redirect_uri: this.config.redirectUri,
-            }),
-        });
-        if (!response.ok) {
-            throw new Error('Failed to exchange code for token');
-        }
-        return response.json();
-    }
-    /**
-     * Get user info
-     */
-    async getUserInfo(accessToken) {
-        const response = await fetch(this.config.userInfoUrl, {
-            headers: {
-                Authorization: `Bearer ${accessToken}`,
-            },
-        });
-        if (!response.ok) {
-            throw new Error('Failed to fetch user info');
-        }
-        return response.json();
-    }
-}
-/**
- * Password hashing utilities
- *
- * Uses PBKDF2 with a random salt for secure password hashing.
- * For even stronger hashing, use bcryptjs (available in @revealui/auth).
- */
-export class PasswordHasher {
-    static ITERATIONS = 100000;
-    static KEY_LENGTH = 64;
-    static DIGEST = 'sha512';
-    /**
-     * Hash password with PBKDF2 and random salt
-     */
-    static async hash(password) {
-        const { pbkdf2, randomBytes: rb } = await import('node:crypto');
-        const salt = rb(16).toString('hex');
-        return new Promise((resolve, reject) => {
-            pbkdf2(password, salt, PasswordHasher.ITERATIONS, PasswordHasher.KEY_LENGTH, PasswordHasher.DIGEST, (err, derivedKey) => {
-                if (err)
-                    reject(err);
-                else
-                    resolve(`${salt}:${derivedKey.toString('hex')}`);
-            });
-        });
-    }
-    /**
-     * Verify password against stored hash
-     */
-    static async verify(password, storedHash) {
-        const { pbkdf2, timingSafeEqual } = await import('node:crypto');
-        const [salt, hash] = storedHash.split(':');
-        if (!(salt && hash)) {
-            return false;
-        }
-        return new Promise((resolve, reject) => {
-            pbkdf2(password, salt, PasswordHasher.ITERATIONS, PasswordHasher.KEY_LENGTH, PasswordHasher.DIGEST, (err, derivedKey) => {
-                if (err)
-                    reject(err);
-                else {
-                    const derived = Buffer.from(derivedKey.toString('hex'), 'utf-8');
-                    const expected = Buffer.from(hash, 'utf-8');
-                    if (derived.length !== expected.length) {
-                        resolve(false);
-                    }
-                    else {
-                        resolve(timingSafeEqual(derived, expected));
-                    }
-                }
-            });
-        });
-    }
-}
-/**
- * Two-factor authentication
- */
-export class TwoFactorAuth {
-    /**
-     * Generate TOTP secret
-     */
-    static generateSecret() {
-        const crypto = globalThis.crypto;
-        if (!crypto) {
-            throw new Error('Crypto API not available');
-        }
-        const buffer = new Uint8Array(20);
-        crypto.getRandomValues(buffer);
-        return TwoFactorAuth.base32Encode(buffer);
-    }
-    /**
-     * Generate TOTP code
-     */
-    static generateCode(secret, timestamp) {
-        const time = Math.floor((timestamp || Date.now()) / 30000);
-        const hmacDigest = TwoFactorAuth.hmac(secret, time.toString());
-        const offset = hmacDigest[hmacDigest.length - 1] & 0x0f;
-        const code = (((hmacDigest[offset] & 0x7f) << 24) |
-            ((hmacDigest[offset + 1] & 0xff) << 16) |
-            ((hmacDigest[offset + 2] & 0xff) << 8) |
-            (hmacDigest[offset + 3] & 0xff)) %
-            1000000;
-        return code.toString().padStart(6, '0');
-    }
-    /**
-     * Verify TOTP code
-     */
-    static verifyCode(secret, code, window = 1) {
-        const timestamp = Date.now();
-        // Check current and adjacent time windows
-        for (let i = -window; i <= window; i++) {
-            const testTime = timestamp + i * 30000;
-            const testCode = TwoFactorAuth.generateCode(secret, testTime);
-            if (testCode.length === code.length &&
-                timingSafeEqual(Buffer.from(testCode), Buffer.from(code))) {
-                return true;
-            }
-        }
-        return false;
-    }
-    /**
-     * Base32 encode
-     */
-    static base32Encode(buffer) {
-        const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
-        let result = '';
-        let bits = 0;
-        let value = 0;
-        for (const byte of buffer) {
-            if (byte === undefined)
-                continue;
-            value = (value << 8) | byte;
-            bits += 8;
-            while (bits >= 5) {
-                result += alphabet[(value >>> (bits - 5)) & 31];
-                bits -= 5;
-            }
-        }
-        if (bits > 0) {
-            result += alphabet[(value << (5 - bits)) & 31];
-        }
-        return result;
-    }
-    /**
-     * HMAC-SHA1 implementation for TOTP
-     */
-    static hmac(key, message) {
-        const hmacDigest = createHmac('sha1', key).update(message).digest();
-        return new Uint8Array(hmacDigest);
-    }
-}

package/dist/security/authorization.d.ts

@@ -1,235 +0,0 @@
-/**
- * Authorization System
- *
- * Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
- */
-export interface Permission {
-    resource: string;
-    action: string;
-    conditions?: Record<string, unknown>;
-}
-export interface Role {
-    id: string;
-    name: string;
-    description?: string;
-    permissions: Permission[];
-    inherits?: string[];
-}
-export interface Policy {
-    id: string;
-    name: string;
-    effect: 'allow' | 'deny';
-    resources: string[];
-    actions: string[];
-    conditions?: PolicyCondition[];
-    priority?: number;
-}
-export interface PolicyCondition {
-    field: string;
-    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains';
-    value: unknown;
-}
-export interface AuthorizationContext {
-    user: {
-        id: string;
-        roles: string[];
-        attributes?: Record<string, unknown>;
-    };
-    resource?: {
-        type: string;
-        id?: string;
-        owner?: string;
-        attributes?: Record<string, unknown>;
-    };
-    environment?: {
-        time?: Date;
-        ip?: string;
-        userAgent?: string;
-    };
-}
-/**
- * Authorization system
- */
-export declare class AuthorizationSystem {
-    private roles;
-    private policies;
-    /**
-     * Register role
-     */
-    registerRole(role: Role): void;
-    /**
-     * Get role
-     */
-    getRole(roleId: string): Role | undefined;
-    /**
-     * Register policy
-     */
-    registerPolicy(policy: Policy): void;
-    /**
-     * Check if user has permission (RBAC)
-     */
-    hasPermission(userRoles: string[], resource: string, action: string): boolean;
-    /**
-     * Check access with policies (ABAC)
-     */
-    checkAccess(context: AuthorizationContext, resource: string, action: string): {
-        allowed: boolean;
-        reason?: string;
-    };
-    /**
-     * Get all permissions for roles
-     */
-    private getUserPermissions;
-    /**
-     * Get applicable policies
-     */
-    private getApplicablePolicies;
-    /**
-     * Match resource pattern
-     */
-    private matchesResource;
-    /**
-     * Match action pattern
-     */
-    private matchesAction;
-    /**
-     * Evaluate policy conditions
-     */
-    private evaluateConditions;
-    /**
-     * Get value from context
-     */
-    private getContextValue;
-    /**
-     * Evaluate single condition
-     */
-    private evaluateCondition;
-    /**
-     * Check if user owns resource
-     */
-    ownsResource(userId: string, resource: {
-        owner?: string;
-    }): boolean;
-    /**
-     * Clear all roles and policies
-     */
-    clear(): void;
-}
-/**
- * Global authorization instance
- */
-export declare const authorization: AuthorizationSystem;
-/**
- * Common roles
- */
-export declare const CommonRoles: {
-    admin: {
-        id: string;
-        name: string;
-        description: string;
-        permissions: {
-            resource: string;
-            action: string;
-        }[];
-    };
-    user: {
-        id: string;
-        name: string;
-        description: string;
-        permissions: {
-            resource: string;
-            action: string;
-        }[];
-    };
-    guest: {
-        id: string;
-        name: string;
-        description: string;
-        permissions: {
-            resource: string;
-            action: string;
-        }[];
-    };
-};
-/**
- * Permission builder
- */
-export declare class PermissionBuilder {
-    private permission;
-    resource(resource: string): this;
-    action(action: string): this;
-    conditions(conditions: Record<string, unknown>): this;
-    build(): Permission;
-}
-/**
- * Policy builder
- */
-export declare class PolicyBuilder {
-    private policy;
-    id(id: string): this;
-    name(name: string): this;
-    allow(): this;
-    deny(): this;
-    resources(...resources: string[]): this;
-    actions(...actions: string[]): this;
-    condition(field: string, operator: PolicyCondition['operator'], value: unknown): this;
-    priority(priority: number): this;
-    build(): Policy;
-}
-/**
- * Authorization decorators
- */
-export declare function RequirePermission(resource: string, action: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
-export declare function RequireRole(requiredRole: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
-/**
- * Authorization middleware
- */
-export declare function createAuthorizationMiddleware<TRequest = unknown>(getUser: (request: TRequest) => {
-    id: string;
-    roles: string[];
-}, resource: string, action: string): (request: TRequest, next: () => Promise<unknown>) => Promise<unknown>;
-/**
- * Resource ownership check
- */
-export declare function canAccessResource(userId: string, userRoles: string[], resource: {
-    type: string;
-    id?: string;
-    owner?: string;
-}, action: string): boolean;
-/**
- * Attribute-based access control helper
- */
-export declare function checkAttributeAccess(context: AuthorizationContext, resource: string, action: string, requiredAttributes?: Record<string, unknown>): boolean;
-/**
- * Permission cache for performance
- */
-export declare class PermissionCache {
-    private cache;
-    private ttl;
-    constructor(ttl?: number);
-    /**
-     * Get cached permission
-     */
-    get(userId: string, resource: string, action: string): boolean | undefined;
-    /**
-     * Set cached permission
-     */
-    set(userId: string, resource: string, action: string, allowed: boolean): void;
-    /**
-     * Clear cache for user
-     */
-    clearUser(userId: string): void;
-    /**
-     * Clear all cache
-     */
-    clear(): void;
-    /**
-     * Get cache key
-     */
-    private getCacheKey;
-}
-/**
- * Global permission cache
- */
-export declare const permissionCache: PermissionCache;
-//# sourceMappingURL=authorization.d.ts.map