@semapps/auth 1.1.0 → 1.1.2

package/index.js

@@ -3,7 +3,6 @@ module.exports = {
   AuthLocalService: require('./services/auth.local'),
   AuthOIDCService: require('./services/auth.oidc'),
   AuthAccountService: require('./services/account'),
-  AuthCapabilitiesService: require('./services/capabilities'),
   AuthJWTService: require('./services/jwt'),
   AuthMigrationService: require('./services/migration'),
   AuthMailService: require('./services/mail')

package/mixins/auth.js

@@ -1,12 +1,62 @@
 const passport = require('passport');
 const { Errors: E } = require('moleculer-web');
 const { TripleStoreAdapter } = require('@semapps/triplestore');
-const urlJoin = require('url-join');
 const AuthAccountService = require('../services/account');
 const AuthJWTService = require('../services/jwt');
-const CapabilitiesService = require('../services/capabilities');
 
-/** @type {import('moleculer').ServiceSchema} */
+/**
+ * Auth Mixin that handles authentication and authorization for routes
+ * that requested this.
+ *
+ * The authorization and authentication actions check for a valid `authorization` header.
+ * If the bearer token is a server-signed JWT identifying the user, `ctx.meta.tokenPayload` and
+ * `ctx.meta.webId` are set. Setting either `authorization` or `authentication` suffices.
+ *
+ * # Authentication
+ * In the `authenticate` action, the webId is set to `anon`, if no `authorization` header is present.
+ *
+ * # Authorization
+ * In contrast, the `authorize` action throws an unauthorized error,
+ * if no `authorization` header is present.
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
+ *
+ * ## Capability Authorization
+ * Additionally, the `authorize` action supports capability authorization based on
+ * Verifiable Credentials (VCs), if `opts.authorizeWithCapability` is set to `true`.
+ *
+ * **WARNING**: This does not make any assertions about the validity of the capabilities'
+ * content (`credentialSubject`). What *is* checked:
+ * - the delegation chain was correct
+ * - all signatures are valid
+ * - the `controller`s of the keys (`verificationMethod`) used in the proofs to sign
+ *   the VC capabilities and presentation are correct. I.e. the controller resolves to
+ *   the WebId/controller identifier document (CID) which lists the key.\
+ *   This means that *you know who signed the presentation and capabilities* on the way.
+ *
+ * NO BUSINESS LOGIC IS CHECKED.\
+ * It is still necessary to verify if the request itself is valid.
+ * There would be no error when the `credentialSubject` says: "A is allowed to read B"
+ * while the statement is actually made by "C" and not by "B".\
+ *
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
+ *
+ * @example Configuration for a new route
+ * ```js
+ * ctx.call('api.addRoute', {
+ *   path: path.join(basePath, '/your/route'),
+ *   name: 'your-route-name',
+ *   aliases: {
+ *     'GET /': 'your.action.here',
+ *   },
+ *   // Set to true, to run authorization action.
+ *   authorization: true,
+ *   // Set to true, to run authenticate action.
+ *   authentication: false,
+ * });
+ * ```
+ *
+ * @type {import('moleculer').ServiceSchema}
+ */
 const AuthMixin = {
   settings: {
     baseUrl: null,
@@ -14,6 +64,8 @@ const AuthMixin = {
     capabilitiesPath: undefined,
     registrationAllowed: true,
     reservedUsernames: [],
+    minPasswordLength: 1,
+    minUsernameLength: 1,
     webIdSelection: [],
     accountSelection: [],
     accountsDataset: 'settings',
@@ -21,7 +73,8 @@ const AuthMixin = {
   },
   dependencies: ['api'],
   async created() {
-    const { jwtPath, reservedUsernames, accountsDataset, podProvider } = this.settings;
+    const { jwtPath, reservedUsernames, minPasswordLength, minUsernameLength, accountsDataset, podProvider } =
+      this.settings;
 
     this.broker.createService({
       mixins: [AuthJWTService],
@@ -30,13 +83,9 @@ const AuthMixin = {
 
     this.broker.createService({
       mixins: [AuthAccountService],
-      settings: { reservedUsernames },
+      settings: { reservedUsernames, minPasswordLength, minUsernameLength },
       adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: accountsDataset })
     });
-
-    if (podProvider) {
-      this.broker.createService({ mixins: [CapabilitiesService], settings: { path: this.settings.capabilitiesPath } });
-    }
   },
   async started() {
     if (!this.passportId) throw new Error('this.passportId must be set in the service creation.');
@@ -73,33 +122,28 @@ const AuthMixin = {
       }
 
       if (method === 'Bearer') {
-        const payload = await ctx.call('auth.jwt.verifyToken', { token });
+        const payload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
         if (payload) {
           ctx.meta.tokenPayload = payload;
           ctx.meta.webId = payload.webId;
           return Promise.resolve(payload);
         }
+
+        // Check if token is a capability.
+        if (route.opts.authorizeWithCapability) {
+          return this.validateCapability(ctx, token);
+        }
+
         // Invalid token
         // TODO make sure token is deleted client-side
-        ctx.meta.webId = 'anon';
         return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
-      } else if ((method === 'Capability' || req.$params.capability) && this.settings.podProvider) {
-        const capabilityUri = token || req.$params.capability;
-        const capability = await this.actions.getValidateCapability({
-          capabilityUri,
-          username: req.parsedUrl.match(/[^/]+/)[0]
-        });
-
-        ctx.meta.webId = 'anon';
-        req.$ctx.meta.webId = 'anon';
-        req.$ctx.meta.authorization = { capability };
-        return Promise.resolve(null);
       }
 
       // No valid auth method given.
       ctx.meta.webId = 'anon';
       return Promise.resolve(null);
     },
+
     // See https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
     async authorize(ctx) {
       const { route, req, res } = ctx.params;
@@ -108,97 +152,31 @@ const AuthMixin = {
       const [method, token] = req.headers.authorization && req.headers.authorization.split(' ');
 
       if (!token) {
-        ctx.meta.webId = 'anon';
         return Promise.reject(new E.UnAuthorizedError(E.ERR_NO_TOKEN));
       }
+      if (method !== 'Bearer') {
+        return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+      }
 
-      if (method === 'Bearer') {
-        const payload = await ctx.call('auth.jwt.verifyToken', { token });
-        if (payload) {
-          ctx.meta.tokenPayload = payload;
-          ctx.meta.webId = payload.webId;
-          return Promise.resolve(payload);
-        }
-      } else if ((method === 'Capability' || req.$params.capability) && this.settings.podProvider) {
-        const capabilityUri = token || req.$params.capability;
-        const capability = await this.actions.getValidateCapability({
-          capabilityUri,
-          username: req.parsedUrl.match(/[^/]+/)[0]
-        });
-
-        ctx.meta.webId = 'anon';
+      // Validate if the token was signed by server (registered user).
+      const serverSignedPayload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
+      if (serverSignedPayload) {
+        ctx.meta.tokenPayload = serverSignedPayload;
+        ctx.meta.webId = serverSignedPayload.webId;
+        return Promise.resolve(serverSignedPayload);
+      }
 
-        req.$ctx.meta.webId = 'anon';
-        req.$ctx.meta.authorization = { capability };
-        if (capability) {
-          return Promise.resolve(null);
-        }
+      // Check if token is a capability.
+      if (route.opts.authorizeWithCapability) {
+        return this.validateCapability(ctx, token);
       }
 
       return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
     },
-    getValidateCapability: {
-      params: {
-        capabilityUri: {
-          type: 'string',
-          required: true
-        },
-        webId: {
-          type: 'string',
-          optional: true
-        },
-        username: {
-          type: 'string',
-          optional: true
-        }
-      },
-      /**
-       * Checks, if the provided capabilityUri is a valid URI and within the resource owner's cap container.
-       * @returns {Promise<object>} The stored capability object or undefined, if the capability is not valid.
-       */
-      async handler(ctx) {
-        let { capabilityUri, webId, username } = ctx.params;
-        /** @type {string} */
-        const baseUrlTrailing = urlJoin(this.settings.baseUrl, '/');
-        webId = webId || baseUrlTrailing + username;
-
-        const podUrl = await ctx.call('solid-storage.getUrl', { webId });
-
-        // Check if capabilityUri is within the resource owner's pod
-        if (!webId?.startsWith(baseUrlTrailing) || !capabilityUri?.startsWith(podUrl)) {
-          return undefined;
-        }
-
-        // Check, if capUri is a valid URI.
-        try {
-          // eslint-disable-next-line no-new
-          new URL(capabilityUri);
-        } catch {
-          return undefined;
-        }
-
-        // Check if capabilityUri is within the resource owner's cap container.
-        const resourceCapContainerUri = await ctx.call('capabilities.getContainerUri', {
-          webId
-        });
-
-        if (
-          !(await ctx.call('ldp.container.includes', {
-            containerUri: resourceCapContainerUri,
-            resourceUri: capabilityUri,
-            webId: 'system'
-          }))
-        ) {
-          return undefined;
-        }
-
-        return await ctx.call('capabilities.get', { resourceUri: capabilityUri });
-      }
-    },
 
     async impersonate(ctx) {
       const { webId } = ctx.params;
-      return await ctx.call('auth.jwt.generateToken', {
+      return await ctx.call('auth.jwt.generateServerSignedToken', {
         payload: {
           webId
         }
@@ -206,6 +184,34 @@ const AuthMixin = {
     }
   },
   methods: {
+    async validateCapability(ctx, token) {
+      // We accept VC Presentations to invoke capabilities here. It must be encoded as JWT.
+      // We do not use the VC-JOSE spec to sign and envelop presentations. Instead we go
+      // with embedded signatures. This way, the signature persists within the resource.
+
+      // Decode JTW to JSON.
+      const decodedToken = await ctx.call('auth.jwt.decodeToken', { token });
+      if (!decodedToken) return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+
+      // Verify that decoded JSON token is a valid VC presentation.
+      const {
+        verified: isCapSignatureVerified,
+        presentation: verifiedPresentation,
+        presentationResult
+      } = await ctx.call('crypto.vc.verifier.verifyCapabilityPresentation', {
+        verifiablePresentation: decodedToken,
+        options: {
+          maxChainLength: ctx.params.route.opts.maxChainLength
+        }
+      });
+      if (!isCapSignatureVerified) return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+
+      // VC Capability is verified.
+      ctx.meta.webId = presentationResult?.results?.[0]?.purposeResult?.holder || 'anon';
+      ctx.meta.authorization = { capabilityPresentation: verifiedPresentation };
+
+      return Promise.resolve(verifiedPresentation);
+    },
     getStrategy() {
       throw new Error('getStrategy must be implemented by the service');
     },

package/mixins/auth.sso.js

@@ -60,7 +60,7 @@ const AuthSSOMixin = {
         );
       }
 
-      const token = await ctx.call('auth.jwt.generateToken', { payload: { webId } });
+      const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
 
       return { token, newUser };
     }

package/package.json

@@ -1,14 +1,14 @@
 {
   "name": "@semapps/auth",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Authentification module for SemApps",
   "license": "Apache-2.0",
   "author": "Virtual Assembly",
   "dependencies": {
-    "@semapps/ldp": "1.1.0",
-    "@semapps/middlewares": "1.1.0",
-    "@semapps/mime-types": "1.1.0",
-    "@semapps/triplestore": "1.1.0",
+    "@semapps/ldp": "1.1.2",
+    "@semapps/middlewares": "1.1.2",
+    "@semapps/mime-types": "1.1.2",
+    "@semapps/triplestore": "1.1.2",
     "bcrypt": "^5.0.1",
     "express-session": "^1.17.0",
     "jsonwebtoken": "^8.5.1",
@@ -21,6 +21,7 @@
     "passport-cas2": "0.0.12",
     "passport-local": "^1.0.0",
     "pug": "^3.0.2",
+    "speakingurl": "^14.0.1",
     "url-join": "^4.0.1"
   },
   "publishConfig": {
@@ -29,5 +30,5 @@
   "engines": {
     "node": ">=14"
   },
-  "gitHead": "950728b27cb5ef1c7a396482ec028c27b41db181"
+  "gitHead": "35ec922a369a84225e0b7761ef36dbeb8c327316"
 }

package/services/account.js

@@ -1,53 +1,88 @@
 const bcrypt = require('bcrypt');
+const createSlug = require('speakingurl');
 const DbService = require('moleculer-db');
 const { TripleStoreAdapter } = require('@semapps/triplestore');
 const crypto = require('crypto');
 
+// Taken from https://stackoverflow.com/a/9204568/7900695
+const emailRegexp = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
 module.exports = {
   name: 'auth.account',
   mixins: [DbService],
   adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: 'settings' }),
   settings: {
     idField: '@id',
-    reservedUsernames: ['relay']
+    reservedUsernames: ['relay'],
+    minPasswordLength: 1,
+    minUsernameLength: 1
   },
   dependencies: ['triplestore'],
   actions: {
     async create(ctx) {
       let { uuid, username, password, email, webId, ...rest } = ctx.params;
-      const hashedPassword = password ? await this.hashPassword(password) : undefined;
 
-      email = email && email.toLowerCase();
+      // FORMAT AND VERIFY PASSWORD
+
+      if (password) {
+        if (password.length < this.settings.minPasswordLength) {
+          throw new Error('password.too-short');
+        }
 
-      const emailExists = !email ? false : await ctx.call('auth.account.emailExists', { email });
-      if (emailExists) {
-        throw new Error('email.already.exists');
+        password = await this.hashPassword(password);
       }
 
+      // FORMAT AND VERIFY EMAIL
+
+      if (email) {
+        email = email.toLowerCase();
+
+        const emailExists = await ctx.call('auth.account.emailExists', { email });
+        if (emailExists) {
+          throw new Error('email.already.exists');
+        }
+
+        if (!emailRegexp.test(email)) {
+          throw new Error('email.invalid');
+        }
+      }
+
+      // FORMAT AND VERIFY USERNAME
+
       if (username) {
-        if (!ctx.meta.isSystemCall) await this.isValidUsername(ctx, username);
+        if (!ctx.meta.isSystemCall) {
+          const { isValid, error } = await this.isValidUsername(ctx, username);
+          if (!isValid) throw new Error(error);
+        }
       } else if (email) {
-        // If username is not provided, find an username based on the email
-        const usernameFromEmail = email.split('@')[0].toLowerCase();
-        let usernameValid = false;
-        let i = 0;
-        do {
-          username = i === 0 ? usernameFromEmail : usernameFromEmail + i;
-          try {
-            usernameValid = await this.isValidUsername(ctx, username);
-          } catch (e) {
-            // Do nothing, the loop will continue
+        // If username is not provided, find one automatically from the email (without errors)
+        username = createSlug(email.split('@')[0].toLowerCase());
+
+        let { isValid, error } = await this.isValidUsername(ctx, username);
+
+        if (!isValid) {
+          if (error === 'username.invalid' || error === 'username.too-short') {
+            // If username generated from email is invalid, use a generic name
+            username = 'user';
           }
-          i++;
-        } while (!usernameValid);
-      } else throw new Error('you must provide at least a username or an email address');
+
+          // If necessary, add a number after the username
+          let i = 0;
+          do {
+            username = i === 0 ? username : username + i;
+            ({ isValid } = await this.isValidUsername(ctx, username));
+          } while (!isValid);
+        }
+      } else {
+        throw new Error('You must provide at least a username or an email address');
+      }
 
       return await this._create(ctx, {
         ...rest,
         uuid,
         username,
         email,
-        hashedPassword,
+        hashedPassword: password,
         webId
       });
     },
@@ -151,7 +186,8 @@ module.exports = {
       return account?.username;
     },
     async findSettingsByWebId(ctx) {
-      const webId = ctx.params.webId || ctx.meta.webId;
+      const webId = ctx.meta.webId;
+
       const account = await ctx.call('auth.account.findByWebId', { webId });
 
       return {
@@ -219,23 +255,29 @@ module.exports = {
   },
   methods: {
     async isValidUsername(ctx, username) {
+      let error;
+
       // Ensure the username has no space or special characters
       if (!/^[a-z0-9\-+_.]+$/.exec(username)) {
-        throw new Error('username.invalid');
+        error = 'username.invalid';
+      }
+
+      if (username.length < this.settings.minUsernameLength) {
+        error = 'username.too-short';
       }
 
       // Ensure we don't use reservedUsernames
       if (this.settings.reservedUsernames.includes(username)) {
-        throw new Error('username.already.exists');
+        error = 'username.reserved';
       }
 
       // Ensure username doesn't already exist
       const usernameExists = await ctx.call('auth.account.usernameExists', { username });
       if (usernameExists) {
-        throw new Error('username.already.exists');
+        error = 'username.already.exists';
       }
 
-      return true;
+      return { isValid: !error, error };
     },
     async hashPassword(password) {
       return new Promise((resolve, reject) => {

package/services/auth.local.js

@@ -14,6 +14,8 @@ const AuthLocalService = {
     jwtPath: null,
     registrationAllowed: true,
     reservedUsernames: [],
+    minPasswordLength: 1,
+    minUsernameLength: 1,
     webIdSelection: [],
     accountSelection: [],
     formUrl: null,
@@ -47,13 +49,10 @@ const AuthLocalService = {
   actions: {
     async signup(ctx) {
       const { username, email, password, ...rest } = ctx.params;
+
       // This is going to get in our way otherwise when waiting for completions.
       ctx.meta.skipObjectsWatcher = true;
 
-      if (username && username.length < 2) {
-        throw new MoleculerError('The username must be at least 2 characters long', 400, 'BAD_REQUEST');
-      }
-
       let accountData = await ctx.call('auth.account.create', {
         username,
         email,
@@ -62,7 +61,7 @@ const AuthLocalService = {
       });
 
       try {
-        const profileData = { nick: username, email, ...rest };
+        const profileData = { nick: accountData.username, email: accountData.email, ...rest };
         const webId = await ctx.call('webid.createWebId', this.pickWebIdData(profileData), {
           meta: {
             isSignup: true // Allow services to handle directly the webId creation if it is generated by the AuthService
@@ -74,7 +73,7 @@ const AuthLocalService = {
 
         ctx.emit('auth.registered', { webId, profileData, accountData });
 
-        const token = await ctx.call('auth.jwt.generateToken', { payload: { webId } });
+        const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
 
         return { token, webId, newUser: true };
       } catch (e) {
@@ -90,7 +89,7 @@ const AuthLocalService = {
 
       ctx.emit('auth.connected', { webId: accountData.webId, accountData }, { meta: { webId: null, dataset: null } });
 
-      const token = await ctx.call('auth.jwt.generateToken', { payload: { webId: accountData.webId } });
+      const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId: accountData.webId } });
 
       return { token, webId: accountData.webId, newUser: false };
     },

package/services/jwt.js

@@ -3,6 +3,13 @@ const path = require('path');
 const jwt = require('jsonwebtoken');
 const crypto = require('crypto');
 
+/**
+ * Service that creates and validates JSON web tokens(JWT).
+ * Tokens are signed against this server's keys.
+ * This is useful for generating/validating authentication tokens.
+ *
+ * TODO: Tokens do not expire.
+ */
 module.exports = {
   name: 'auth.jwt',
   settings: {
@@ -63,11 +70,12 @@ module.exports = {
         );
       });
     },
-    async generateToken(ctx) {
+    async generateServerSignedToken(ctx) {
       const { payload } = ctx.params;
       return jwt.sign(payload, this.privateKey, { algorithm: 'RS256' });
     },
-    async verifyToken(ctx) {
+    /** Verifies that the token was signed by this server. */
+    async verifyServerSignedToken(ctx) {
       const { token } = ctx.params;
       try {
         return jwt.verify(token, this.publicKey, { algorithms: ['RS256'] });
@@ -75,6 +83,11 @@ module.exports = {
         return false;
       }
     },
+    async generateUnsignedToken(ctx) {
+      const { payload } = ctx.params;
+      const token = jwt.sign(payload, null, { algorithm: 'none' });
+      return token;
+    },
     // Warning, this does NOT verify if signature is valid
     async decodeToken(ctx) {
       const { token } = ctx.params;

package/services/capabilities.js

@@ -1,69 +0,0 @@
-const { ControlledContainerMixin } = require('@semapps/ldp');
-const { MIME_TYPES } = require('@semapps/mime-types');
-
-const CAPABILITIES_ROUTE = '/capabilities';
-
-/**
- * Service to host the capabilities container.
- * @type {import('moleculer').ServiceSchema}
- */
-const CapabilitiesService = {
-  name: 'capabilities',
-  mixins: [ControlledContainerMixin],
-  settings: {
-    path: CAPABILITIES_ROUTE,
-    acceptedTypes: ['acl:Authorization'],
-    excludeFromMirror: true,
-    activateTombstones: false,
-    permissions: {},
-    newResourcesPermissions: {},
-    typeIndex: 'private'
-  },
-  hooks: {
-    before: {
-      /**
-       * Bypass authorization when getting the resource.
-       *
-       * The URI itself is considered the secret. So no more
-       * authorization is necessary at this point.
-       * If we decide to support capabilities with multiple
-       * authorization factors, this will have to change in
-       * the future.
-       */
-      get: ctx => {
-        ctx.params.webId = 'system';
-      }
-    }
-  },
-  actions: {
-    createCapability: {
-      params: {
-        webId: { type: 'string', optional: false },
-        accessTo: { type: 'string', optional: false },
-        mode: { type: 'string', optional: false }
-      },
-      async handler(ctx) {
-        const { accessTo, mode, webId } = ctx.params;
-
-        const capContainerUri = await this.actions.getContainerUri({ webId }, { parentCtx: ctx });
-
-        const capUri = await this.actions.post(
-          {
-            containerUri: capContainerUri,
-            resource: {
-              '@type': 'acl:Authorization',
-              'acl:accessTo': accessTo,
-              'acl:mode': mode
-            },
-            contentType: MIME_TYPES.JSON,
-            webId
-          },
-          { parentCtx: ctx }
-        );
-        return capUri;
-      }
-    }
-  }
-};
-
-module.exports = CapabilitiesService;