@soapjs/soap-auth 0.1.0

package/build/strategies/oauth2/oauth2.strategy.js

@@ -0,0 +1,259 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2Strategy = void 0;
+const axios_1 = __importDefault(require("axios"));
+const errors_1 = require("../../errors");
+const token_based_auth_strategy_1 = require("../token-based-auth.strategy");
+const oauth2_tools_1 = require("./oauth2.tools");
+class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy {
+    config;
+    accessTokenHandler;
+    refreshTokenHandler;
+    session;
+    logger;
+    constructor(config, accessTokenHandler, refreshTokenHandler, session, logger) {
+        super(config, accessTokenHandler, refreshTokenHandler, session, logger);
+        this.config = config;
+        this.accessTokenHandler = accessTokenHandler;
+        this.refreshTokenHandler = refreshTokenHandler;
+        this.session = session;
+        this.logger = logger;
+        this.config.scope = this.config.scope ?? "openid profile email";
+    }
+    async authenticate(context) {
+        try {
+            let user;
+            let refreshToken;
+            let accessToken = await this.accessTokenHandler.retrieve?.(context);
+            if (!accessToken) {
+                this.logger?.info("No access token found, checking for refresh token.");
+                refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+                if (refreshToken) {
+                    this.logger?.info("Found refresh token, attempting to refresh access token.");
+                    const newTokens = await this.refreshAccessToken(context);
+                    accessToken = newTokens.accessToken;
+                    this.accessTokenHandler.embed?.(context, accessToken);
+                    if (newTokens.refreshToken) {
+                        refreshToken = newTokens.refreshToken;
+                        this.refreshTokenHandler?.embed?.(context, newTokens.refreshToken);
+                    }
+                }
+                else {
+                    this.logger?.info("No refresh token found, attempting authentication using grant type.");
+                    switch (this.config.grantType) {
+                        case "authorization_code":
+                            const authorizationCode = this.extractAuthorizationCode(context);
+                            this.verifyAuthorizationCode(context, authorizationCode);
+                            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
+                            accessToken = tokenResult.accessToken;
+                            refreshToken = tokenResult.refreshToken;
+                            break;
+                        case "client_credentials":
+                            this.logger?.info("Using client credentials grant.");
+                            const clientCredResult = await this.exchangeClientCredentials();
+                            accessToken = clientCredResult.accessToken;
+                            break;
+                        case "password":
+                            this.logger?.info("Using password grant.");
+                            if (!this.config.credentials) {
+                                throw new Error("Missing credentials for password grant.");
+                            }
+                            const passwordResult = await this.exchangePasswordGrant();
+                            accessToken = passwordResult.accessToken;
+                            break;
+                        default:
+                            throw new Error(`Unsupported grant type: ${this.config.grantType}`);
+                    }
+                    this.accessTokenHandler.embed?.(context, accessToken);
+                    if (refreshToken) {
+                        this.refreshTokenHandler?.embed?.(context, refreshToken);
+                    }
+                }
+            }
+            else if (accessToken && (await this.isTokenExpired(accessToken))) {
+                this.logger?.info("Access token expired, attempting refresh.");
+                refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+                if (!refreshToken) {
+                    throw new errors_1.MissingTokenError("Refresh");
+                }
+                const newTokens = await this.refreshAccessToken(context);
+                accessToken = newTokens.accessToken;
+                this.accessTokenHandler.embed?.(context, accessToken);
+                if (newTokens.refreshToken && newTokens.refreshToken !== refreshToken) {
+                    refreshToken = newTokens.refreshToken;
+                    this.refreshTokenHandler?.embed?.(context, newTokens.refreshToken);
+                }
+            }
+            if (!accessToken) {
+                throw new errors_1.MissingTokenError("Access");
+            }
+            user = await this.retrieveUser(accessToken);
+            if (!user) {
+                throw new errors_1.UserNotFoundError();
+            }
+            await this.isAuthorized(user);
+            return { user, tokens: { accessToken, refreshToken } };
+        }
+        catch (error) {
+            this.logger?.error("OAuth2 authentication failed:", error);
+            throw new errors_1.AuthError(error, "OAuth2 authentication failed.");
+        }
+    }
+    verifyAuthorizationCode(context, code) {
+        if (!code) {
+            this.logger?.warn("Authorization code missing, redirecting user.");
+            const authUrl = this.buildAuthorizationUrl(context);
+            this.redirectUser(context, authUrl);
+            throw new errors_1.MissingAuthorizationCodeError();
+        }
+    }
+    extractAuthorizationCode(context) {
+        if (typeof context === "object" && "query" in context) {
+            return context.query.code || null;
+        }
+        return null;
+    }
+    redirectUser(context, authUrl) {
+        if (typeof context === "object" && "response" in context) {
+            context.response.redirect(authUrl);
+        }
+        else {
+            this.logger?.warn("Redirect attempted in unsupported context.");
+        }
+    }
+    buildAuthorizationUrl(context) {
+        let authorizationUrl = `${this.config.endpoints.authorizationUrl}?client_id=${this.config.clientId}&redirect_uri=${encodeURIComponent(this.config.redirectUri)}&response_type=code&scope=${this.config.scope ?? ""}`;
+        if (this.config.pkce?.enabled) {
+            const codeVerifier = this.config.pkce.generateCodeVerifier
+                ? this.config.pkce.generateCodeVerifier()
+                : oauth2_tools_1.OAuth2Tools.generateCodeVerifier();
+            const codeChallenge = oauth2_tools_1.OAuth2Tools.generateCodeChallenge(codeVerifier);
+            this.config.pkce.storeCodeVerifier?.(context, codeVerifier);
+            authorizationUrl += `&code_challenge=${codeChallenge}&code_challenge_method=S256`;
+        }
+        return authorizationUrl;
+    }
+    async exchangeCodeForToken(context, code) {
+        const data = {
+            grant_type: "authorization_code",
+            client_id: this.config.clientId,
+            code,
+            redirect_uri: this.config.redirectUri,
+        };
+        if (this.config.pkce?.enabled) {
+            const codeVerifier = this.config.pkce.retrieveCodeVerifier?.(context);
+            if (!codeVerifier) {
+                throw new Error("Missing PKCE code verifier in context.");
+            }
+            data.code_verifier = codeVerifier;
+        }
+        else if (this.config.clientSecret) {
+            data.client_secret = this.config.clientSecret;
+        }
+        const response = await fetch(this.config.endpoints.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams(data).toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`Token exchange failed with status: ${response.status}`);
+        }
+        const tokenData = await response.json();
+        return {
+            accessToken: tokenData.access_token,
+            refreshToken: tokenData.refresh_token,
+        };
+    }
+    handleAuthorizationRedirect(context) {
+        try {
+            const authUrl = this.buildAuthorizationUrl(context);
+            this.redirectUser(context, authUrl);
+        }
+        catch (error) {
+            this.logger?.error("Authorization redirect failed:", error);
+            throw new errors_1.AuthError(error, "Authorization redirect failed.");
+        }
+    }
+    async retrieveUser(accessToken) {
+        try {
+            if (!this.config.endpoints.userInfoUrl) {
+                throw new Error("User info endpoint not configured.");
+            }
+            const response = await axios_1.default.get(this.config.endpoints.userInfoUrl, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            return (await this.config.validateUser?.(response.data)) || null;
+        }
+        catch (error) {
+            this.logger?.error("Failed to fetch user information:", error);
+            return null;
+        }
+    }
+    async exchangeClientCredentials() {
+        const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
+            grant_type: "client_credentials",
+            client_id: this.config.clientId,
+            client_secret: this.config.clientSecret,
+        });
+        return { accessToken: response.data.access_token };
+    }
+    async exchangePasswordGrant() {
+        if (!this.config.credentials) {
+            throw new Error("Missing credentials for password grant.");
+        }
+        const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
+            grant_type: "password",
+            client_id: this.config.clientId,
+            client_secret: this.config.clientSecret,
+            username: this.config.credentials.username,
+            password: this.config.credentials.password,
+        });
+        return { accessToken: response.data.access_token };
+    }
+    async refreshAccessToken(context) {
+        try {
+            const refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+            if (!refreshToken) {
+                throw new errors_1.MissingTokenError("Refresh");
+            }
+            const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
+                grant_type: "refresh_token",
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                refresh_token: refreshToken,
+            });
+            const refreshedTokens = {
+                accessToken: response.data.access_token,
+                refreshToken: response.data.refresh_token,
+            };
+            await this.accessTokenHandler.embed?.(context, refreshedTokens.accessToken);
+            if (refreshedTokens.refreshToken) {
+                await this.refreshTokenHandler?.embed?.(context, refreshedTokens.refreshToken);
+            }
+            return refreshedTokens;
+        }
+        catch (error) {
+            this.logger?.error("Token refresh failed:", error);
+            throw new errors_1.AuthError(error, "Token refresh failed.");
+        }
+    }
+    async revokeToken(token) {
+        if (!this.config.endpoints.revocationUrl)
+            return;
+        try {
+            await axios_1.default.post(this.config.endpoints.revocationUrl, {
+                token,
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+            });
+            this.logger?.info("Token revoked successfully.");
+        }
+        catch (error) {
+            this.logger?.error("Failed to revoke token:", error);
+        }
+    }
+}
+exports.OAuth2Strategy = OAuth2Strategy;

package/build/strategies/oauth2/oauth2.tools.d.ts

@@ -0,0 +1,4 @@
+export declare class OAuth2Tools {
+    static generateCodeVerifier(): string;
+    static generateCodeChallenge(codeVerifier: string): string;
+}

package/build/strategies/oauth2/oauth2.tools.js

@@ -0,0 +1,22 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2Tools = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+class OAuth2Tools {
+    static generateCodeVerifier() {
+        return crypto_1.default.randomBytes(32).toString("hex");
+    }
+    static generateCodeChallenge(codeVerifier) {
+        return crypto_1.default
+            .createHash("sha256")
+            .update(codeVerifier)
+            .digest("base64")
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=+$/, "");
+    }
+}
+exports.OAuth2Tools = OAuth2Tools;

package/build/strategies/oauth2/oauth2.types.d.ts

@@ -0,0 +1,29 @@
+import { TokenBasedAuthStrategyConfig } from "../../types";
+export interface OAuth2Endpoints {
+    authorizationUrl: string;
+    tokenUrl: string;
+    userInfoUrl?: string;
+    introspectionUrl?: string;
+    revocationUrl?: string;
+}
+export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategyConfig<TContext, TUser>, PKCEConfig<TContext> {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scope?: string;
+    grantType: "authorization_code" | "client_credentials" | "password" | "refresh_token";
+    endpoints: OAuth2Endpoints;
+    validateUser?: (tokenPayload: any) => Promise<TUser | null>;
+    credentials?: {
+        username: string;
+        password: string;
+    };
+}
+export interface PKCEConfig<TContext> {
+    pkce?: {
+        enabled?: boolean;
+        generateCodeVerifier?: () => string;
+        storeCodeVerifier?: (context: TContext, codeVerifier: string) => void;
+        retrieveCodeVerifier?: (context: TContext) => string | null;
+    };
+}

package/build/strategies/oauth2/oauth2.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/build/strategies/token-based-auth.strategy.d.ts

@@ -0,0 +1,25 @@
+import * as Soap from "@soapjs/soap";
+import { AuthResult, TokenBasedAuthStrategyConfig } from "../types";
+import { BaseAuthStrategy } from "./base-auth.strategy";
+import { TokenHandlerConfig } from "../types";
+import { SessionHandler } from "../session/session-handler";
+export declare abstract class TokenBasedAuthStrategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
+    protected config: TokenBasedAuthStrategyConfig<TContext, TUser>;
+    protected accessTokenHandler: TokenHandlerConfig;
+    protected refreshTokenHandler?: TokenHandlerConfig;
+    protected session?: SessionHandler;
+    protected logger?: Soap.Logger;
+    constructor(config: TokenBasedAuthStrategyConfig<TContext, TUser>, accessTokenHandler: TokenHandlerConfig, refreshTokenHandler?: TokenHandlerConfig, session?: SessionHandler, logger?: Soap.Logger);
+    protected retrieveUser(decodedToken: any): Promise<TUser | null>;
+    authenticate(context: TContext): Promise<AuthResult<TUser>>;
+    logout(context: TContext): Promise<void>;
+    generateTokens(user: TUser, context: TContext): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+    }>;
+    rotateToken(context: TContext): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+    }>;
+    isTokenExpired(token: string): Promise<boolean>;
+}

package/build/strategies/token-based-auth.strategy.js

@@ -0,0 +1,124 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenBasedAuthStrategy = void 0;
+const base_auth_strategy_1 = require("./base-auth.strategy");
+const errors_1 = require("../errors");
+class TokenBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy {
+    config;
+    accessTokenHandler;
+    refreshTokenHandler;
+    session;
+    logger;
+    constructor(config, accessTokenHandler, refreshTokenHandler, session, logger) {
+        super(config, session, logger);
+        this.config = config;
+        this.accessTokenHandler = accessTokenHandler;
+        this.refreshTokenHandler = refreshTokenHandler;
+        this.session = session;
+        this.logger = logger;
+    }
+    retrieveUser(decodedToken) {
+        return this.config.login.retrieveUserData(decodedToken);
+    }
+    async authenticate(context) {
+        try {
+            let accessToken = await this.accessTokenHandler.retrieve?.(context);
+            await this.checkRateLimit(context);
+            if (accessToken) {
+                try {
+                    const decoded = await this.accessTokenHandler.verify?.(accessToken);
+                    const user = await this.retrieveUser(decoded);
+                    if (!user) {
+                        throw new errors_1.UserNotFoundError();
+                    }
+                    await this.isAuthorized(user);
+                    return { user, tokens: { accessToken } };
+                }
+                catch (error) {
+                    this.logger?.warn("Access token is invalid or expired, trying refresh token...");
+                }
+            }
+            const refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+            if (!refreshToken) {
+                throw new errors_1.MissingTokenError();
+            }
+            accessToken = await this.refreshTokenHandler?.rotate?.(refreshToken);
+            this.accessTokenHandler.embed?.(context, accessToken);
+            const decoded = await this.accessTokenHandler.verify?.(accessToken);
+            const user = await this.retrieveUser(decoded);
+            if (!user) {
+                throw new errors_1.UserNotFoundError();
+            }
+            await this.isAuthorized(user);
+            return { user, tokens: { accessToken, refreshToken } };
+        }
+        catch (error) {
+            this.logger?.error("Authentication failed:", error);
+            throw new errors_1.AuthError(error, "Authentication failed.");
+        }
+    }
+    async logout(context) {
+        try {
+            await this.accessTokenHandler.remove?.(context);
+            if (this.refreshTokenHandler) {
+                await this.refreshTokenHandler.remove?.(context);
+            }
+            await this.config.logout.onSuccess?.(context);
+            this.logger?.info("User logged out successfully.");
+        }
+        catch (error) {
+            this.logger?.error("Error during logout:", error);
+            await this.config.logout.onFailure?.({ context, error });
+            throw new errors_1.AuthError(error, "Logout process failed.");
+        }
+    }
+    async generateTokens(user, context) {
+        const payload = { userId: user.id, roles: user.roles };
+        const accessToken = this.accessTokenHandler.generate?.(payload);
+        if (!accessToken)
+            throw new Error("Failed to generate access token.");
+        await this.accessTokenHandler.store?.(accessToken, user, +this.accessTokenHandler.expiresIn);
+        this.accessTokenHandler.embed?.(context, accessToken);
+        let refreshToken;
+        if (this.refreshTokenHandler) {
+            refreshToken = this.refreshTokenHandler.generate?.(payload);
+            if (refreshToken) {
+                await this.refreshTokenHandler.store?.(refreshToken, user, +this.refreshTokenHandler.expiresIn);
+                this.refreshTokenHandler.embed?.(context, refreshToken);
+            }
+        }
+        return { accessToken, refreshToken };
+    }
+    async rotateToken(context) {
+        try {
+            if (!this.refreshTokenHandler) {
+                throw new Error("Refresh token handler is not configured.");
+            }
+            const refreshToken = await this.refreshTokenHandler.retrieve?.(context);
+            if (!refreshToken) {
+                throw new errors_1.MissingTokenError("Refresh");
+            }
+            const newAccessToken = await this.refreshTokenHandler.rotate?.(refreshToken);
+            this.accessTokenHandler.embed?.(context, newAccessToken);
+            return { accessToken: newAccessToken, refreshToken };
+        }
+        catch (error) {
+            this.logger?.error("Token rotation failed:", error);
+            throw new errors_1.InvalidTokenError("Refresh");
+        }
+    }
+    async isTokenExpired(token) {
+        try {
+            const decoded = JSON.parse(Buffer.from(token.split(".")[1], "base64").toString());
+            if (!decoded.exp)
+                return false;
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch (error) {
+            this.logger?.warn("Failed to decode token:", error);
+            return false;
+        }
+    }
+}
+exports.TokenBasedAuthStrategy = TokenBasedAuthStrategy;

package/build/tools/session.tools.d.ts

@@ -0,0 +1,6 @@
+import { SessionData } from "../types";
+export declare class SessionTools {
+    static defaultGenerateSessionId(): string;
+    static defaultCreateSessionData(user?: unknown, context?: unknown): SessionData;
+    static defaultDeliverSessionId(context: any, value: string): void;
+}

package/build/tools/session.tools.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionTools = void 0;
+const uuid_1 = require("uuid");
+class SessionTools {
+    static defaultGenerateSessionId() {
+        return (0, uuid_1.v4)();
+    }
+    static defaultCreateSessionData(user, context) {
+        return {};
+    }
+    static defaultDeliverSessionId(context, value) {
+    }
+}
+exports.SessionTools = SessionTools;

package/build/tools/token.tools.d.ts

@@ -0,0 +1,7 @@
+import { BodyStorageOptions, CookieStorageOptions, HeaderStorageOptions, SessionStorageOptions } from "../types";
+export declare class TokenTools {
+    static storeInHeader<TContext = unknown>(context: TContext, token: string, options?: HeaderStorageOptions): void;
+    static storeInCookie<TContext = unknown>(context: TContext, token: string, options?: CookieStorageOptions, isAccessToken?: boolean): void;
+    static storeInBody<TContext = unknown>(context: TContext, token: string, options?: BodyStorageOptions, isAccessToken?: boolean): void;
+    static storeInSession<TContext = unknown>(context: TContext, token: string, options?: SessionStorageOptions, isAccessToken?: boolean): void;
+}

package/build/tools/token.tools.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenTools = void 0;
+class TokenTools {
+    static storeInHeader(context, token, options) {
+        const headerName = options?.headerName ?? "Authorization";
+        context.setHeader(headerName, token);
+    }
+    static storeInCookie(context, token, options, isAccessToken = true) {
+        const cookieName = options?.cookieName ?? (isAccessToken ? "AccessToken" : "RefreshToken");
+        const ctx = context;
+        ctx.res.cookie(cookieName, token, {
+            httpOnly: options?.httpOnly ?? true,
+            secure: options?.secure ?? true,
+            sameSite: options?.sameSite ?? "Lax",
+            maxAge: options?.maxAge ?? 3600000,
+        });
+    }
+    static storeInBody(context, token, options, isAccessToken = true) {
+        const ctx = context;
+        ctx.body = ctx.body || {};
+        const fieldName = options?.name ?? (isAccessToken ? "accessToken" : "refreshToken");
+        ctx.body[fieldName] = token;
+    }
+    static storeInSession(context, token, options, isAccessToken = true) {
+        const ctx = context;
+        ctx.session = ctx.session || {};
+        const sessionKey = options?.name ?? (isAccessToken ? "accessToken" : "refreshToken");
+        ctx.session[sessionKey] = token;
+    }
+}
+exports.TokenTools = TokenTools;

package/build/tools/tools.d.ts

@@ -0,0 +1,3 @@
+export declare const generateUUID: () => Promise<string>;
+export declare const generateSecureToken: (tokenLength?: number, encoding?: string) => Promise<string>;
+export declare function resolveConfig<T>(strategyConfig: T | undefined, globalConfig: T | undefined): T | undefined;

package/build/tools/tools.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveConfig = exports.generateSecureToken = exports.generateUUID = void 0;
+const crypto_1 = require("crypto");
+const uuid_1 = require("uuid");
+const generateUUID = async () => {
+    return Promise.resolve((0, uuid_1.v4)());
+};
+exports.generateUUID = generateUUID;
+const generateSecureToken = async (tokenLength = 32, encoding = "hex") => {
+    return new Promise((resolve, reject) => {
+        (0, crypto_1.randomBytes)(tokenLength, (err, buffer) => {
+            if (err)
+                return reject(err);
+            resolve(buffer.toString(encoding));
+        });
+    });
+};
+exports.generateSecureToken = generateSecureToken;
+function resolveConfig(strategyConfig, globalConfig) {
+    return strategyConfig || globalConfig;
+}
+exports.resolveConfig = resolveConfig;