@semapps/auth 1.1.3 → 1.2.0

package/services/auth.local.ts

@@ -0,0 +1,276 @@
+import path from 'path';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'pass... Remove this comment to see the full error message
+import { Strategy } from 'passport-local';
+import { ServiceSchema } from 'moleculer';
+import AuthMixin from '../mixins/auth.ts';
+import sendToken from '../middlewares/sendToken.ts';
+import AuthMailService from './mail.ts';
+
+import { Errors } from 'moleculer';
+
+const { MoleculerError } = Errors;
+
+/** @type {import('moleculer').ServiceSchema} */
+const AuthLocalService = {
+  name: 'auth' as const,
+  mixins: [AuthMixin],
+  settings: {
+    baseUrl: null,
+    jwtPath: null,
+    registrationAllowed: true,
+    reservedUsernames: [],
+    minPasswordLength: 1,
+    minUsernameLength: 1,
+    webIdSelection: [],
+    accountSelection: [],
+    formUrl: null,
+    mail: {
+      from: null,
+      transport: {
+        host: null,
+        port: null
+      },
+      defaults: {
+        locale: null,
+        frontUrl: null
+      }
+    }
+  },
+  dependencies: ['webid'],
+  async created() {
+    const { mail } = this.settings;
+
+    this.passportId = 'local';
+
+    if (mail !== false) {
+      // @ts-expect-error TS(2345): Argument of type '{ mixins: { name: "auth.mail"; m... Remove this comment to see the full error message
+      this.broker.createService({
+        mixins: [AuthMailService],
+        settings: {
+          ...mail
+        }
+      });
+    }
+  },
+  actions: {
+    signup: {
+      async handler(ctx) {
+        const { username, email, password, ...rest } = ctx.params;
+
+        // This is going to get in our way otherwise when waiting for completions.
+        // @ts-expect-error TS(2339): Property 'skipObjectsWatcher' does not exist on ty... Remove this comment to see the full error message
+        ctx.meta.skipObjectsWatcher = true;
+
+        let accountData = await ctx.call('auth.account.create', {
+          username,
+          email,
+          password,
+          ...this.pickAccountData(rest)
+        });
+
+        try {
+          const profileData = { nick: accountData.username, email: accountData.email, ...rest };
+          const webId = await ctx.call('webid.createWebId', this.pickWebIdData(profileData), {
+            meta: {
+              isSignup: true // Allow services to handle directly the webId creation if it is generated by the AuthService
+            }
+          });
+
+          // Link the webId with the account
+          accountData = await ctx.call('auth.account.attachWebId', { accountUri: accountData['@id'], webId });
+
+          ctx.emit('auth.registered', { webId, profileData, accountData });
+
+          const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
+
+          return { token, webId, newUser: true };
+        } catch (e) {
+          // Delete account if resource creation failed, or it may cause problems when retrying
+          await ctx.call('auth.account.remove', { id: accountData['@id'] });
+          throw e;
+        }
+      }
+    },
+
+    login: {
+      async handler(ctx) {
+        const { username, password } = ctx.params;
+
+        const accountData = await ctx.call('auth.account.verify', { username, password });
+
+        ctx.emit('auth.connected', { webId: accountData.webId, accountData }, { meta: { webId: null, dataset: null } });
+
+        const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId: accountData.webId } });
+
+        return { token, webId: accountData.webId, newUser: false };
+      }
+    },
+
+    logout: {
+      async handler(ctx) {
+        // @ts-expect-error TS(2339): Property '$statusCode' does not exist on type '{}'... Remove this comment to see the full error message
+        ctx.meta.$statusCode = 302;
+        // @ts-expect-error TS(2339): Property '$location' does not exist on type '{}'.
+        ctx.meta.$location = ctx.params.redirectUrl || this.settings.formUrl;
+        // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+        ctx.emit('auth.disconnected', { webId: ctx.meta.webId });
+      }
+    },
+
+    redirectToForm: {
+      async handler(ctx) {
+        if (this.settings.formUrl) {
+          const formUrl = new URL(this.settings.formUrl);
+          if (ctx.params) {
+            for (const [key, value] of Object.entries(ctx.params)) {
+              formUrl.searchParams.set(key, value);
+            }
+          }
+          // @ts-expect-error TS(2339): Property '$statusCode' does not exist on type '{}'... Remove this comment to see the full error message
+          ctx.meta.$statusCode = 302;
+          // @ts-expect-error TS(2339): Property '$location' does not exist on type '{}'.
+          ctx.meta.$location = formUrl.toString();
+        } else {
+          throw new Error('No formUrl defined in auth.local settings');
+        }
+      }
+    },
+
+    resetPassword: {
+      async handler(ctx) {
+        const { email } = ctx.params;
+
+        const account = await ctx.call('auth.account.findByEmail', { email });
+
+        if (!account) {
+          throw new MoleculerError('email.not.exists', 400, 'BAD_REQUEST');
+        }
+
+        const token = await ctx.call('auth.account.generateResetPasswordToken', { webId: account.webId });
+
+        await ctx.call('auth.mail.sendResetPasswordEmail', {
+          account,
+          token
+        });
+      }
+    },
+
+    setNewPassword: {
+      async handler(ctx) {
+        const { email, token, password } = ctx.params;
+
+        const account = await ctx.call('auth.account.findByEmail', { email });
+
+        if (!account) {
+          throw new MoleculerError('email.not.exists', 400, 'BAD_REQUEST');
+        }
+
+        await ctx.call('auth.account.setNewPassword', { webId: account.webId, token, password });
+      }
+    }
+  },
+  methods: {
+    getStrategy() {
+      return new Strategy(
+        {
+          passReqToCallback: true // We want to have access to req below
+        },
+        (req: any, username: any, password: any, done: any) => {
+          req.$ctx
+            .call('auth.login', req.$params)
+            .then((returnedData: any) => {
+              done(null, returnedData);
+            })
+            .catch((e: any) => {
+              done(new MoleculerError(e.message, 401), false);
+            });
+        }
+      );
+    },
+    getApiRoutes(basePath) {
+      const loginRoute = {
+        path: path.join(basePath, '/auth/login'),
+        name: 'auth-login',
+        use: [this.passport.initialize()],
+        aliases: {
+          'POST /': [this.passport.authenticate(this.passportId, { session: false }), sendToken]
+        }
+      };
+
+      const logoutRoute = {
+        path: path.join(basePath, '/auth/logout'),
+        name: 'auth-logout',
+        aliases: {
+          'GET /': 'auth.logout'
+        }
+      };
+
+      const signupRoute = {
+        path: path.join(basePath, '/auth/signup'),
+        name: 'auth-signup',
+        aliases: {
+          'POST /': 'auth.signup'
+        }
+      };
+
+      const formRoute = {
+        path: path.join(basePath, '/auth'),
+        name: 'auth',
+        aliases: {
+          'GET /': 'auth.redirectToForm'
+        }
+      };
+
+      const resetPasswordRoute = {
+        path: path.join(basePath, '/auth/reset_password'),
+        name: 'auth-reset-password',
+        aliases: {
+          'POST /': 'auth.resetPassword'
+        }
+      };
+      const setNewPasswordRoute = {
+        path: path.join(basePath, '/auth/new_password'),
+        name: 'auth-new-password',
+        aliases: {
+          'POST /': 'auth.setNewPassword'
+        }
+      };
+
+      const accountSettingsRoute = {
+        path: path.join(basePath, '/auth/account'),
+        name: 'auth-account',
+        aliases: {
+          'GET /': 'auth.account.findSettingsByWebId',
+          'POST /': 'auth.account.updateAccountSettings'
+        },
+        authorization: true
+      };
+
+      const routes = [
+        loginRoute,
+        logoutRoute,
+        formRoute,
+        resetPasswordRoute,
+        setNewPasswordRoute,
+        accountSettingsRoute
+      ];
+
+      if (this.settings.registrationAllowed) {
+        return [...routes, signupRoute];
+      }
+
+      return routes;
+    }
+  }
+} satisfies ServiceSchema;
+
+export default AuthLocalService;
+
+declare global {
+  export namespace Moleculer {
+    export interface AllServices {
+      // @ts-expect-error TS(2717): Subsequent property declarations must have the sam... Remove this comment to see the full error message
+      [AuthLocalService.name]: typeof AuthLocalService;
+    }
+  }
+}

package/services/{auth.oidc.js → auth.oidc.ts}

@@ -1,13 +1,16 @@
-const urlJoin = require('url-join');
-const { Issuer, Strategy, custom } = require('openid-client');
+import urlJoin from 'url-join';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'open... Remove this comment to see the full error message
+import { Issuer, Strategy, custom } from 'openid-client';
+
+import { ServiceSchema } from 'moleculer';
+import AuthSSOMixin from '../mixins/auth.sso.ts';
 
 custom.setHttpOptionsDefaults({
   timeout: 10000
 });
-const AuthSSOMixin = require('../mixins/auth.sso');
 
 const AuthOIDCService = {
-  name: 'auth',
+  name: 'auth' as const,
   mixins: [AuthSSOMixin],
   settings: {
     baseUrl: null,
@@ -51,13 +54,13 @@ const AuthOIDCService = {
           params,
           passReqToCallback: true
         },
-        (req, tokenset, userinfo, done) => {
+        (req: any, tokenset: any, userinfo: any, done: any) => {
           req.$ctx
             .call('auth.loginOrSignup', { ssoData: userinfo })
-            .then(loginData => {
+            .then((loginData: any) => {
               done(null, loginData);
             })
-            .catch(e => {
+            .catch((e: any) => {
               console.error(e);
               done(null, false);
             });
@@ -65,6 +68,15 @@ const AuthOIDCService = {
       );
     }
   }
-};
+} satisfies ServiceSchema;
+
+export default AuthOIDCService;
 
-module.exports = AuthOIDCService;
+declare global {
+  export namespace Moleculer {
+    export interface AllServices {
+      // @ts-expect-error TS(2717): Subsequent property declarations must have the sam... Remove this comment to see the full error message
+      [AuthOIDCService.name]: typeof AuthOIDCService;
+    }
+  }
+}

package/services/jwt.ts

@@ -0,0 +1,127 @@
+import fs from 'fs';
+import path from 'path';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'json... Remove this comment to see the full error message
+import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
+import { ServiceSchema } from 'moleculer';
+
+/**
+ * Service that creates and validates JSON web tokens(JWT).
+ * Tokens are signed against this server's keys.
+ * This is useful for generating/validating authentication tokens.
+ *
+ * TODO: Tokens do not expire.
+ */
+const AuthJwtSchema = {
+  name: 'auth.jwt' as const,
+  settings: {
+    jwtPath: null
+  },
+  async created() {
+    const privateKeyPath = path.resolve(this.settings.jwtPath, 'jwtRS256.key');
+    const publicKeyPath = path.resolve(this.settings.jwtPath, 'jwtRS256.key.pub');
+
+    if (!fs.existsSync(privateKeyPath) && !fs.existsSync(publicKeyPath)) {
+      this.logger.info('JWT keypair not found, generating...');
+      if (!fs.existsSync(this.settings.jwtPath)) {
+        fs.mkdirSync(this.settings.jwtPath);
+      }
+      await this.actions.generateKeyPair({ privateKeyPath, publicKeyPath });
+    }
+
+    this.privateKey = fs.readFileSync(privateKeyPath);
+    this.publicKey = fs.readFileSync(publicKeyPath);
+  },
+  actions: {
+    generateKeyPair: {
+      handler(ctx) {
+        const { privateKeyPath, publicKeyPath } = ctx.params;
+
+        return new Promise((resolve, reject) => {
+          crypto.generateKeyPair(
+            'rsa',
+            {
+              modulusLength: 4096,
+              publicKeyEncoding: {
+                type: 'spki',
+                format: 'pem'
+              },
+              privateKeyEncoding: {
+                type: 'pkcs8',
+                format: 'pem'
+              }
+            },
+            (err, publicKey, privateKey) => {
+              if (err) {
+                reject(err);
+              } else {
+                fs.writeFile(privateKeyPath, privateKey, err => {
+                  if (err) {
+                    reject(err);
+                  } else {
+                    fs.writeFile(publicKeyPath, publicKey, err => {
+                      if (err) {
+                        reject(err);
+                      } else {
+                        resolve({ privateKey, publicKey });
+                      }
+                    });
+                  }
+                });
+              }
+            }
+          );
+        });
+      }
+    },
+
+    generateServerSignedToken: {
+      async handler(ctx) {
+        const { payload } = ctx.params;
+        return jwt.sign(payload, this.privateKey, { algorithm: 'RS256' });
+      }
+    },
+
+    verifyServerSignedToken: {
+      /** Verifies that the token was signed by this server. */
+      async handler(ctx) {
+        const { token } = ctx.params;
+        try {
+          return jwt.verify(token, this.publicKey, { algorithms: ['RS256'] });
+        } catch (err) {
+          return false;
+        }
+      }
+    },
+
+    generateUnsignedToken: {
+      async handler(ctx) {
+        const { payload } = ctx.params;
+        const token = jwt.sign(payload, null, { algorithm: 'none' });
+        return token;
+      }
+    },
+
+    decodeToken: {
+      // Warning, this does NOT verify if signature is valid
+      async handler(ctx) {
+        const { token } = ctx.params;
+        try {
+          return jwt.decode(token);
+        } catch (err) {
+          return false;
+        }
+      }
+    }
+  }
+} satisfies ServiceSchema;
+
+export default AuthJwtSchema;
+
+declare global {
+  export namespace Moleculer {
+    export interface AllServices {
+      [AuthJwtSchema.name]: typeof AuthJwtSchema;
+    }
+  }
+}

package/services/mail.ts

@@ -0,0 +1,67 @@
+import path from 'path';
+import urlJoin from 'url-join';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'mole... Remove this comment to see the full error message
+import MailService from 'moleculer-mail';
+import { ServiceSchema } from 'moleculer';
+import { fileURLToPath } from 'url';
+
+// @ts-expect-error TS(1470): The 'import.meta' meta-property is not allowed in ... Remove this comment to see the full error message
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+const AuthMailSchema = {
+  name: 'auth.mail' as const,
+  mixins: [MailService],
+  settings: {
+    defaults: {
+      locale: 'en',
+      frontUrl: null
+    },
+    templateFolder: path.join(__dirname, '../templates'),
+    from: null,
+    transport: null
+  },
+  actions: {
+    sendResetPasswordEmail: {
+      async handler(ctx) {
+        const { account, token } = ctx.params;
+
+        await this.actions.send(
+          {
+            to: account.email,
+            template: 'reset-password',
+            locale: this.getTemplateLocale(account.preferredLocale || this.settings.defaults.locale),
+            data: {
+              account,
+              resetUrl: `${urlJoin(this.settings.defaults.frontUrl, 'login')}?new_password=true&token=${token}`
+            }
+          },
+          {
+            parentCtx: ctx
+          }
+        );
+      }
+    }
+  },
+  methods: {
+    getTemplateLocale(userLocale) {
+      switch (userLocale) {
+        case 'fr':
+          return 'fr-FR';
+        case 'en':
+          return 'en-EN';
+        default:
+          return 'en-EN';
+      }
+    }
+  }
+} satisfies ServiceSchema;
+
+export default AuthMailSchema;
+
+declare global {
+  export namespace Moleculer {
+    export interface AllServices {
+      [AuthMailSchema.name]: typeof AuthMailSchema;
+    }
+  }
+}

package/services/migration.ts

@@ -0,0 +1,43 @@
+import { MIME_TYPES } from '@semapps/mime-types';
+import { getSlugFromUri } from '@semapps/ldp';
+import { ServiceSchema } from 'moleculer';
+
+const AuthMigrationSchema = {
+  name: 'auth.migration' as const,
+  actions: {
+    migrateUsersToAccounts: {
+      async handler(ctx) {
+        const { usersContainer, emailPredicate, usernamePredicate } = ctx.params;
+
+        const results = await ctx.call('ldp.container.get', { containerUri: usersContainer, accept: MIME_TYPES.JSON });
+
+        for (const user of results['ldp:contains']) {
+          if (user[emailPredicate]) {
+            try {
+              await ctx.call('auth.account.create', {
+                email: user[emailPredicate],
+                username: usernamePredicate ? user[usernamePredicate] : getSlugFromUri(user.id),
+                webId: user.id
+              });
+            } catch (e) {
+              // @ts-expect-error TS(18046): 'e' is of type 'unknown'.
+              console.log(`Unable to create account for user ${user.id}. Error message: ${e.message}`);
+            }
+          } else {
+            console.log(`No email found for user ${user.id}`);
+          }
+        }
+      }
+    }
+  }
+} satisfies ServiceSchema;
+
+export default AuthMigrationSchema;
+
+declare global {
+  export namespace Moleculer {
+    export interface AllServices {
+      [AuthMigrationSchema.name]: typeof AuthMigrationSchema;
+    }
+  }
+}

package/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "noEmit": false,
+    "rewriteRelativeImportExtensions": true,
+    "outDir": "dist",
+    "rootDir": "./"
+  },
+  "include": ["*"]
+}

package/index.js

@@ -1,9 +0,0 @@
-module.exports = {
-  AuthCASService: require('./services/auth.cas'),
-  AuthLocalService: require('./services/auth.local'),
-  AuthOIDCService: require('./services/auth.oidc'),
-  AuthAccountService: require('./services/account'),
-  AuthJWTService: require('./services/jwt'),
-  AuthMigrationService: require('./services/migration'),
-  AuthMailService: require('./services/mail')
-};

package/middlewares/localLogout.js

@@ -1,6 +0,0 @@
-const localLogout = (req, res, next) => {
-  req.logout(); // Passport logout
-  next();
-};
-
-module.exports = localLogout;

package/mixins/auth.sso.js

@@ -1,93 +0,0 @@
-const path = require('path');
-const session = require('express-session');
-const AuthMixin = require('./auth');
-const saveRedirectUrl = require('../middlewares/saveRedirectUrl');
-const redirectToFront = require('../middlewares/redirectToFront');
-const localLogout = require('../middlewares/localLogout');
-
-const AuthSSOMixin = {
-  mixins: [AuthMixin],
-  settings: {
-    baseUrl: null,
-    jwtPath: null,
-    registrationAllowed: true,
-    reservedUsernames: [],
-    webIdSelection: [],
-    // SSO-specific settings
-    sessionSecret: 's€m@pps',
-    selectSsoData: null
-  },
-  actions: {
-    async loginOrSignup(ctx) {
-      const { ssoData } = ctx.params;
-
-      const profileData = this.settings.selectSsoData ? await this.settings.selectSsoData(ssoData) : ssoData;
-
-      // TODO use UUID to identify unique accounts with SSO
-      const existingAccounts = await ctx.call('auth.account.find', { query: { email: profileData.email } });
-
-      let accountData;
-      let webId;
-      let newUser;
-      if (existingAccounts.length > 0) {
-        accountData = existingAccounts[0];
-        webId = accountData.webId;
-        newUser = false;
-
-        // TODO update account with recent profileData information
-
-        ctx.emit('auth.connected', { webId, accountData, ssoData }, { meta: { webId: null, dataset: null } });
-      } else {
-        if (!this.settings.registrationAllowed) {
-          throw new Error('registration.not-allowed');
-        }
-
-        accountData = await ctx.call('auth.account.create', {
-          uuid: profileData.uuid,
-          email: profileData.email,
-          username: profileData.username
-        });
-        webId = await ctx.call('webid.createWebId', this.pickWebIdData({ nick: accountData.username, ...profileData }));
-        newUser = true;
-
-        // Link the webId with the account
-        await ctx.call('auth.account.attachWebId', { accountUri: accountData['@id'], webId });
-
-        ctx.emit(
-          'auth.registered',
-          { webId, profileData, accountData, ssoData },
-          { meta: { webId: null, dataset: null } }
-        );
-      }
-
-      const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
-
-      return { token, newUser };
-    }
-  },
-  methods: {
-    getApiRoutes(basePath) {
-      const sessionMiddleware = session({ secret: this.settings.sessionSecret, maxAge: null });
-      return [
-        {
-          path: path.join(basePath, '/auth'),
-          name: 'auth',
-          use: [sessionMiddleware, this.passport.initialize(), this.passport.session()],
-          aliases: {
-            'GET /': [saveRedirectUrl, this.passport.authenticate(this.passportId, { session: false }), redirectToFront]
-          }
-        },
-        {
-          path: path.join(basePath, '/auth/logout'),
-          name: 'auth-logout',
-          use: [sessionMiddleware, this.passport.initialize(), this.passport.session()],
-          aliases: {
-            'GET /': [saveRedirectUrl, localLogout, redirectToFront]
-          }
-        }
-      ];
-    }
-  }
-};
-
-module.exports = AuthSSOMixin;