@soapjs/soap-auth 0.1.1 → 0.2.0

package/build/strategies/{credential-based-auth.strategy.js → credential-auth.strategy.js}

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CredentialBasedAuthStrategy = void 0;
+exports.CredentialAuthStrategy = void 0;
 const errors_1 = require("../errors");
 const base_auth_strategy_1 = require("./base-auth.strategy");
-class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy {
+class CredentialAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy {
     config;
     session;
     logger;
@@ -13,34 +13,73 @@ class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy
         this.session = session;
         this.logger = logger;
     }
+    async storeUserSession(user, context) {
+        if (!this.session || !this.config.session) {
+            this.logger?.info("Session management is not configured. Skipping session storage.");
+            return;
+        }
+        let sessionId = this.config.session.getSessionId?.(context);
+        if (!sessionId) {
+            sessionId = this.config.session.generateSessionId
+                ? this.config.session.generateSessionId(user, context)
+                : `sid-${Date.now()}-${Math.random().toString(36).substring(7)}`;
+        }
+        const sessionData = this.config.session.createSessionData
+            ? this.config.session.createSessionData(user, context)
+            : { user };
+        if (this.config.session.store) {
+            await this.config.session.store.setSession(sessionId, sessionData);
+        }
+        else {
+            await this.session.set(sessionId, sessionData);
+        }
+        this.config.session.embedSessionId?.(context, sessionId);
+        this.logger?.info(`Stored user session with ID: ${sessionId}`);
+    }
+    async handleAuthenticationError(error, context) {
+        this.logger?.error("Authentication failed:", error);
+        await this.onFailure("login", { context, error });
+        throw new errors_1.AuthError(error, "Authentication failed.");
+    }
+    async preAuthChecks(identifier) {
+        await this.isAccountLocked(identifier);
+        await this.checkFailedAttempts(identifier);
+        await this.checkRateLimit(identifier);
+        await this.checkPasswordExpiry(identifier);
+    }
+    async handleFailedLogin(identifier) {
+        await this.config.failedAttempts.incrementFailedAttempts?.(identifier);
+    }
+    async handleSuccessfulLogin(identifier) {
+        await this.config.failedAttempts.resetFailedAttempts?.(identifier);
+    }
+    async finalizeAuthentication(user, context) {
+        await this.checkMfa(user, context);
+        await this.isAuthorized(user);
+        await this.storeUserSession(user, context);
+    }
     async authenticate(context) {
         try {
             const credentials = await this.extractCredentials(context);
             if (!credentials)
                 throw new errors_1.MissingCredentialsError();
-            await this.isAccountLocked(credentials.identifier);
-            await this.checkFailedAttempts(credentials.identifier);
-            await this.checkRateLimit(credentials.identifier);
-            await this.checkPasswordExpiry(credentials.identifier);
-            const valid = await this.verifyCredentials(credentials);
+            await this.preAuthChecks(credentials.identifier);
+            const valid = await this.verifyCredentials(credentials.identifier, credentials.password);
             if (!valid) {
-                await this.config.login.incrementFailedAttempts?.(credentials.identifier);
+                await this.handleFailedLogin(credentials.identifier);
                 throw new errors_1.InvalidCredentialsError();
             }
-            await this.config.login.resetFailedAttempts?.(credentials.identifier);
-            const user = await this.retrieveUser(credentials);
+            await this.handleSuccessfulLogin(credentials.identifier);
+            const user = await this.retrieveUser(credentials.identifier);
             if (!user)
                 throw new errors_1.UserNotFoundError();
-            await this.checkMfa(user, context);
-            await this.isAuthorized(user);
-            await this.handleSession(user, context);
+            await this.finalizeAuthentication(user, context);
+            this.auditLoginAttempt(credentials.identifier, true, context);
             return { user };
         }
         catch (e) {
-            const error = new errors_1.AuthError(e, "Authentication failed.");
-            this.logger.error("Authentication failed:", error);
-            await this.config.logout.onFailure?.({ context, error: error });
-            throw error;
+            this.auditLoginAttempt(null, false, context);
+            return this.handleAuthenticationError(e, context);
         }
     }
     async handleSession(user, context) {
@@ -53,78 +92,87 @@ class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy
         try {
             if (this.session) {
                 const sessionId = this.session.getSessionId?.(context);
-                if (!sessionId) {
+                if (!sessionId)
                     throw new Error("Session ID is missing in the context.");
-                }
                 await this.session.destroy(sessionId);
-                this.logger.info(`Session destroyed successfully, sessionId: ${sessionId}`);
+                this.logger?.info(`Session destroyed: ${sessionId}`);
             }
-            await this.config.logout.onSuccess?.(context);
-            this.logger.info(`User logged out successfully.`);
+            await this.onSuccess("logout", context);
         }
         catch (e) {
             const error = new errors_1.AuthError(e, "Logout process failed.");
-            this.logger.error("Error during logout:", e);
-            await this.config.logout.onFailure?.({ context, error: e });
+            this.logger?.error("Error during logout:", error);
+            await this.onFailure("logout", { context, error });
             throw error;
         }
     }
     async requestPasswordReset(identifier, email) {
         try {
-            if (!this.config.passwordReset?.generateResetToken) {
+            if (!this.config?.passwordPolicy.generateResetToken) {
                 throw new Error("Password reset token generation is not configured.");
             }
-            const token = await this.config.passwordReset.generateResetToken(identifier);
+            const token = await this.config.passwordPolicy.generateResetToken(identifier);
             if (email) {
-                await this.config.passwordReset.sendResetEmail?.(email, token);
+                await this.config.passwordPolicy.sendResetEmail?.(email, token);
             }
-            await this.config.passwordReset.onSuccess?.({ identifier });
+            await this.onSuccess("request_password_reset", { identifier });
             this.logger.info(`Password reset requested for identifier: ${identifier}`);
         }
         catch (e) {
             const error = new errors_1.AuthError(e, "Password reset request error.");
             this.logger.error("Password reset request error:", e);
-            await this.config.passwordReset.onFailure?.({ identifier, error: e });
+            await this.onFailure("request_password_reset", {
+                identifier,
+                error: e,
+            });
             throw error;
         }
     }
     async resetPassword(identifier, token, newPassword) {
         try {
-            if (!this.config.passwordReset?.validateResetToken) {
+            if (!this.config.passwordPolicy?.validateResetToken) {
                 throw new Error("Password reset token validation is not configured.");
             }
-            const isValid = await this.config.passwordReset.validateResetToken(token);
+            const isValid = await this.config.passwordPolicy.validateResetToken(token);
             if (!isValid) {
                 throw new Error("Invalid or expired reset token.");
             }
-            await this.config.passwordReset.updatePassword(identifier, newPassword);
-            await this.config.passwordReset.onSuccess?.({ identifier });
+            await this.config.passwordPolicy.updatePassword(identifier, newPassword);
+            await this.onSuccess("password_reset", { identifier });
             this.logger.info(`Password successfully reset for identifier: ${identifier}`);
+            this.auditPasswordChange(identifier);
         }
         catch (e) {
             const error = new errors_1.AuthError(e, "Password reset error");
             this.logger.error("Password reset error:", e);
-            await this.config.passwordReset.onFailure?.({ identifier, error: e });
+            await this.onFailure("password_reset", {
+                identifier,
+                error: e,
+            });
             throw error;
         }
     }
     async changePassword(identifier, oldPassword, newPassword) {
         try {
-            if (!this.config.login.verifyUserCredentials) {
+            if (!this.config.credentials.verifyCredentials) {
                 throw new Error("Credential verification is not configured.");
             }
-            const isAuthenticated = await this.config.login.verifyUserCredentials(identifier, oldPassword);
+            const isAuthenticated = await this.config.credentials.verifyCredentials(identifier, oldPassword);
             if (!isAuthenticated) {
                 throw new errors_1.InvalidCredentialsError();
             }
-            await this.config.passwordReset?.updatePassword?.(identifier, newPassword);
-            await this.config.passwordReset?.onSuccess?.({ identifier });
+            await this.config.passwordPolicy?.updatePassword?.(identifier, newPassword);
+            await this.onSuccess("change_password", { identifier });
             this.logger.info(`Password changed successfully for identifier: ${identifier}`);
+            this.auditPasswordChange(identifier);
         }
         catch (e) {
             const error = new errors_1.AuthError(e, "Change password error");
             this.logger.error("Change password error:", e);
-            await this.config.passwordReset?.onFailure?.({ identifier, error: e });
+            await this.onFailure("change_password", {
+                identifier,
+                error: e,
+            });
             throw error;
         }
     }
@@ -140,7 +188,8 @@ class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy
     async checkFailedAttempts(identifier) {
         try {
             if (this.config.security?.maxFailedLoginAttempts) {
-                const failedAttempts = (await this.config.login.getFailedAttempts?.(identifier)) || 0;
+                const failedAttempts = (await this.config.failedAttempts.getFailedAttempts?.(identifier)) ||
+                    0;
                 if (failedAttempts >= this.config.security.maxFailedLoginAttempts) {
                     this.logger.warn(`User ${identifier} is temporarily locked out.`);
                     throw new errors_1.AccountLockedError();
@@ -151,8 +200,8 @@ class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy
             this.logger.error("Check failed attempts:", e);
         }
     }
-    async isAccountLocked(account, ...args) {
-        if (await this.config.lock.isAccountLocked?.(account, ...args)) {
+    async isAccountLocked(account) {
+        if (await this.config.lock.isAccountLocked?.(account)) {
             throw new errors_1.AccountLockedError();
         }
         if (typeof account === "string" && this.config.security?.lockoutDuration) {
@@ -172,9 +221,9 @@ class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy
         return false;
     }
     async incrementFailedAttempts(account) {
-        if (this.config.login.incrementFailedAttempts) {
-            await this.config.login.incrementFailedAttempts(account);
-            const failedAttempts = (await this.config.login.getFailedAttempts?.(account)) || 0;
+        if (this.config.failedAttempts.incrementFailedAttempts) {
+            await this.config.failedAttempts.incrementFailedAttempts(account);
+            const failedAttempts = (await this.config.failedAttempts.getFailedAttempts?.(account)) || 0;
             if (this.config.security?.maxFailedLoginAttempts &&
                 failedAttempts >= this.config.security.maxFailedLoginAttempts) {
                 const lockoutKey = `lockout:${account}`;
@@ -202,4 +251,4 @@ class CredentialBasedAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy
         }
     }
 }
-exports.CredentialBasedAuthStrategy = CredentialBasedAuthStrategy;
+exports.CredentialAuthStrategy = CredentialAuthStrategy;

package/build/strategies/index.d.ts

@@ -0,0 +1,16 @@
+export * from "./api-key/api-key.errors";
+export * from "./api-key/api-key.strategy";
+export * from "./api-key/api-key.types";
+export * from "./base-auth.strategy";
+export * from "./basic/basic.strategy";
+export * from "./basic/basic.types";
+export * from "./credential-auth.strategy";
+export * from "./jwt/jwt.strategy";
+export * from "./jwt/jwt.tools";
+export * from "./jwt/jwt.types";
+export * from "./local/local.strategy";
+export * from "./local/local.types";
+export * from "./oauth2/oauth2.strategy";
+export * from "./oauth2/oauth2.tools";
+export * from "./oauth2/oauth2.types";
+export * from "./token-auth.strategy";

package/build/strategies/index.js

@@ -0,0 +1,32 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./api-key/api-key.errors"), exports);
+__exportStar(require("./api-key/api-key.strategy"), exports);
+__exportStar(require("./api-key/api-key.types"), exports);
+__exportStar(require("./base-auth.strategy"), exports);
+__exportStar(require("./basic/basic.strategy"), exports);
+__exportStar(require("./basic/basic.types"), exports);
+__exportStar(require("./credential-auth.strategy"), exports);
+__exportStar(require("./jwt/jwt.strategy"), exports);
+__exportStar(require("./jwt/jwt.tools"), exports);
+__exportStar(require("./jwt/jwt.types"), exports);
+__exportStar(require("./local/local.strategy"), exports);
+__exportStar(require("./local/local.types"), exports);
+__exportStar(require("./oauth2/oauth2.strategy"), exports);
+__exportStar(require("./oauth2/oauth2.tools"), exports);
+__exportStar(require("./oauth2/oauth2.types"), exports);
+__exportStar(require("./token-auth.strategy"), exports);

package/build/strategies/jwt/jwt.strategy.d.ts

@@ -1,10 +1,25 @@
 import * as Soap from "@soapjs/soap";
-import { TokenBasedAuthStrategy } from "../token-based-auth.strategy";
+import { TokenAuthStrategy } from "../token-auth.strategy";
 import { JwtConfig } from "./jwt.types";
 import { SessionHandler } from "../../session/session-handler";
-export declare class JwtStrategy<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategy<TContext, TUser> {
+import { TokenConfig } from "../../types";
+export declare class JwtStrategy<TContext = unknown, TUser = unknown> extends TokenAuthStrategy<TContext, TUser> {
     protected config: JwtConfig<TContext, TUser>;
     protected session?: SessionHandler;
     protected logger?: Soap.Logger;
+    protected accessTokenConfig: TokenConfig<TContext>;
+    protected refreshTokenConfig: TokenConfig<TContext>;
     constructor(config: JwtConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
+    protected invalidateRefreshToken(token: string): Promise<void>;
+    protected verifyAccessToken(token: string): Promise<any>;
+    protected verifyRefreshToken(token: string): Promise<any>;
+    protected generateAccessToken(payload: any): Promise<string>;
+    protected generateRefreshToken(payload: any): Promise<string>;
+    protected storeAccessToken(token: string, context: TContext): Promise<void>;
+    protected storeRefreshToken(token: string, context: TContext): Promise<void>;
+    protected embedAccessToken(token: string, context: TContext): void;
+    protected embedRefreshToken(token: string, context: TContext): void;
+    protected retrieveAccessToken(context: TContext): Promise<string | undefined>;
+    protected retrieveRefreshToken(context: TContext): Promise<string | undefined>;
+    logout(context: TContext): Promise<void>;
 }

package/build/strategies/jwt/jwt.strategy.js

@@ -5,77 +5,138 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JwtStrategy = void 0;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const token_based_auth_strategy_1 = require("../token-based-auth.strategy");
+const token_auth_strategy_1 = require("../token-auth.strategy");
 const errors_1 = require("../../errors");
 const jwt_tools_1 = require("./jwt.tools");
-class JwtStrategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy {
+class JwtStrategy extends token_auth_strategy_1.TokenAuthStrategy {
     config;
     session;
     logger;
+    accessTokenConfig;
+    refreshTokenConfig;
     constructor(config, session, logger) {
-        if (!config.accessToken.secretKey) {
+        if (!config.accessToken.issuer.secretKey) {
             throw new errors_1.UndefinedTokenSecretError("Access");
         }
-        if (config.refreshToken && !config.refreshToken.secretKey) {
+        if (config.refreshToken && !config.refreshToken.issuer.secretKey) {
             throw new errors_1.UndefinedTokenSecretError("Refresh");
         }
-        const accessTokenConfig = (0, jwt_tools_1.prepareAccessTokenConfig)(config);
-        const refreshTokenConfig = (0, jwt_tools_1.prepareRefreshTokenConfig)(config);
-        super(config, {
-            ...accessTokenConfig,
-            generate(payload) {
-                return jsonwebtoken_1.default.sign(payload, accessTokenConfig.secretKey, accessTokenConfig.signOptions);
-            },
-            verify(token) {
-                try {
-                    if (!token)
-                        throw new errors_1.UndefinedTokenError("Access");
-                    if (!accessTokenConfig.secretKey)
-                        throw new errors_1.UndefinedTokenSecretError("Access");
-                    return new Promise((resolve, reject) => {
-                        jsonwebtoken_1.default.verify(token, accessTokenConfig.secretKey, accessTokenConfig.verifyOptions, (err, payload) => {
-                            if (err)
-                                reject(err);
-                            else
-                                resolve(payload);
-                        });
-                    });
-                }
-                catch (error) {
-                    this.logger?.error("JWT verification failed:", error);
-                    throw new errors_1.InvalidTokenError("Access");
-                }
-            },
-        }, {
-            ...refreshTokenConfig,
-            generate(payload) {
-                return jsonwebtoken_1.default.sign(payload, refreshTokenConfig.secretKey, refreshTokenConfig.signOptions);
-            },
-            verify(token) {
-                try {
-                    if (!token)
-                        throw new errors_1.UndefinedTokenError("Refresh");
-                    if (!refreshTokenConfig.secretKey)
-                        throw new errors_1.UndefinedTokenSecretError("Refresh");
-                    return new Promise((resolve, reject) => {
-                        jsonwebtoken_1.default.verify(token, refreshTokenConfig.secretKey, refreshTokenConfig.verifyOptions, (err, payload) => {
-                            if (err)
-                                reject(err);
-                            else
-                                resolve(payload);
-                        });
-                    });
-                }
-                catch (error) {
-                    this.logger?.error("JWT verification failed:", error);
-                    throw new errors_1.InvalidTokenError("Refresh");
-                }
-            },
-        });
+        super(config, session, logger);
         this.config = config;
         this.session = session;
         this.logger = logger;
+        this.accessTokenConfig = (0, jwt_tools_1.prepareAccessTokenConfig)(config.accessToken);
+        this.refreshTokenConfig = (0, jwt_tools_1.prepareRefreshTokenConfig)(config.refreshToken);
         this.logger?.info("JWTStrategy initialized with provided configurations.");
     }
+    async invalidateRefreshToken(token) {
+        await this.refreshTokenConfig.persistence.remove?.(token);
+    }
+    verifyAccessToken(token) {
+        try {
+            if (!token)
+                throw new errors_1.UndefinedTokenError("Access");
+            if (!this.accessTokenConfig.issuer.secretKey)
+                throw new errors_1.UndefinedTokenSecretError("Access");
+            return new Promise((resolve, reject) => {
+                jsonwebtoken_1.default.verify(token, this.accessTokenConfig.issuer.secretKey, this.accessTokenConfig.verifier.options, (err, payload) => {
+                    if (err)
+                        reject(err);
+                    else
+                        resolve(payload);
+                });
+            });
+        }
+        catch (error) {
+            this.logger?.error("JWT verification failed:", error);
+            throw new errors_1.InvalidTokenError("Access");
+        }
+    }
+    verifyRefreshToken(token) {
+        try {
+            if (!token)
+                throw new errors_1.UndefinedTokenError("Refresh");
+            if (!this.refreshTokenConfig.issuer.secretKey)
+                throw new errors_1.UndefinedTokenSecretError("Refresh");
+            return new Promise((resolve, reject) => {
+                jsonwebtoken_1.default.verify(token, this.refreshTokenConfig.issuer.secretKey, this.refreshTokenConfig.verifier.options, (err, payload) => {
+                    if (err)
+                        reject(err);
+                    else
+                        resolve(payload);
+                });
+            });
+        }
+        catch (error) {
+            this.logger?.error("JWT verification failed:", error);
+            throw new errors_1.InvalidTokenError("Refresh");
+        }
+    }
+    generateAccessToken(payload) {
+        const options = this.accessTokenConfig.issuer.options || {};
+        return jsonwebtoken_1.default.sign(payload, this.accessTokenConfig.issuer.secretKey, {
+            ...options,
+            jti: payload.jti || crypto.randomUUID(),
+        });
+    }
+    generateRefreshToken(payload) {
+        const options = this.refreshTokenConfig.issuer.options || {};
+        return jsonwebtoken_1.default.sign(payload, this.refreshTokenConfig.issuer.secretKey, {
+            ...options,
+            jti: payload.jti || crypto.randomUUID(),
+        });
+    }
+    async storeAccessToken(token, context) {
+        if (this.accessTokenConfig.persistence.store) {
+            await this.accessTokenConfig.persistence.store(token, null, this.accessTokenConfig.issuer.options.expiresIn);
+        }
+    }
+    async storeRefreshToken(token, context) {
+        if (this.refreshTokenConfig.persistence.store) {
+            await this.refreshTokenConfig.persistence.store(token, null, this.refreshTokenConfig.issuer.options.expiresIn);
+        }
+    }
+    embedAccessToken(token, context) {
+        if (this.accessTokenConfig.embed) {
+            this.accessTokenConfig.embed(context, token);
+        }
+        else {
+            (0, jwt_tools_1.setDefaultJwtHeader)(token, context);
+        }
+    }
+    embedRefreshToken(token, context) {
+        if (this.refreshTokenConfig.embed) {
+            this.refreshTokenConfig.embed(context, token);
+        }
+        else {
+            (0, jwt_tools_1.setDefaultJwtCookie)(token, context);
+        }
+    }
+    retrieveAccessToken(context) {
+        if (this.accessTokenConfig.retrieve) {
+            return this.accessTokenConfig.retrieve(context);
+        }
+        else {
+            return (context.req.headers.authorization?.split(" ")[1] ||
+                context.request.headers.authorization?.split(" ")[1] ||
+                context.headers.authorization?.split(" ")[1]);
+        }
+    }
+    retrieveRefreshToken(context) {
+        if (this.refreshTokenConfig.retrieve) {
+            return this.refreshTokenConfig.retrieve(context);
+        }
+        return (context.req.cookies?.refreshToken ||
+            context.request.cookies?.refreshToken ||
+            context.cookies.refreshToken);
+    }
+    async logout(context) {
+        const refreshToken = await this.retrieveRefreshToken(context);
+        if (refreshToken) {
+            await this.invalidateRefreshToken(refreshToken);
+            (0, jwt_tools_1.clearDefaultJwtCookie)(context);
+            (0, jwt_tools_1.clearDefaultJwtHeader)(context);
+        }
+    }
 }
 exports.JwtStrategy = JwtStrategy;

package/build/strategies/jwt/jwt.tools.d.ts

@@ -1,3 +1,7 @@
-import { JwtAccessTokenConfig, JwtConfig, JwtRefreshTokenConfig } from "./jwt.types";
-export declare const prepareAccessTokenConfig: (config: JwtConfig) => JwtAccessTokenConfig;
-export declare const prepareRefreshTokenConfig: (config: JwtConfig) => JwtRefreshTokenConfig;
+import { TokenConfig } from "../../types";
+export declare const prepareAccessTokenConfig: <TContext = any>(config: TokenConfig<TContext>) => TokenConfig<TContext>;
+export declare const prepareRefreshTokenConfig: <TContext = any>(config: TokenConfig<TContext>) => TokenConfig<TContext>;
+export declare const setDefaultJwtCookie: (token: string, context: any) => void;
+export declare const setDefaultJwtHeader: (token: string, context: any) => void;
+export declare const clearDefaultJwtHeader: (context: any) => void;
+export declare const clearDefaultJwtCookie: (context: any) => void;