@soapjs/soap-auth 0.3.1 → 0.3.2

package/build/services/auth-throttle.service.d.ts

@@ -0,0 +1,10 @@
+import * as Soap from "@soapjs/soap";
+import { AuthThrottleConfig } from "../types";
+export declare class AuthThrottleService {
+    private config;
+    private logger;
+    constructor(config: AuthThrottleConfig, logger: Soap.Logger);
+    checkFailedAttempts(identifier: string): Promise<void>;
+    incrementFailedAttempts(account: any): Promise<void>;
+    resetFailedAttempts(account: any): Promise<void>;
+}

package/build/services/auth-throttle.service.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthThrottleService = void 0;
+const errors_1 = require("../errors");
+class AuthThrottleService {
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+    async checkFailedAttempts(identifier) {
+        let failedAttempts;
+        if (this.config?.maxFailedAttempts) {
+            try {
+                failedAttempts =
+                    (await this.config.getFailedAttempts?.(identifier)) || 0;
+            }
+            catch (e) {
+                this.logger.error("Check failed attempts:", e);
+            }
+            if (Number.isInteger(failedAttempts) &&
+                failedAttempts >= this.config.maxFailedAttempts) {
+                this.logger.warn(`User ${identifier} is temporarily locked out.`);
+                throw new errors_1.AccountLockedError();
+            }
+        }
+    }
+    async incrementFailedAttempts(account) {
+        if (this.config?.incrementFailedAttempts) {
+            await this.config.incrementFailedAttempts(account);
+            const failedAttempts = (await this.config.getFailedAttempts?.(account)) || 0;
+            if (this.config?.maxFailedAttempts &&
+                failedAttempts >= this.config.maxFailedAttempts) {
+                throw new errors_1.AccountLockedError();
+            }
+        }
+    }
+    async resetFailedAttempts(account) {
+        await this.config?.resetFailedAttempts?.(account);
+    }
+}
+exports.AuthThrottleService = AuthThrottleService;

package/build/services/index.d.ts

@@ -0,0 +1,8 @@
+export * from "./account-lock.service";
+export * from "./auth-throttle.service";
+export * from "./jwks.service";
+export * from "./mfa.service";
+export * from "./password.service";
+export * from "./pkce.service";
+export * from "./rate-limit.service";
+export * from "./role.service";

package/build/{factories → services}/index.js

@@ -14,6 +14,11 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./auth-strategy.factory"), exports);
-__exportStar(require("./http-auth-strategy.factory"), exports);
-__exportStar(require("./socket-auth-strategy.factory"), exports);
+__exportStar(require("./account-lock.service"), exports);
+__exportStar(require("./auth-throttle.service"), exports);
+__exportStar(require("./jwks.service"), exports);
+__exportStar(require("./mfa.service"), exports);
+__exportStar(require("./password.service"), exports);
+__exportStar(require("./pkce.service"), exports);
+__exportStar(require("./rate-limit.service"), exports);
+__exportStar(require("./role.service"), exports);

package/build/services/jwks.service.d.ts

@@ -0,0 +1,7 @@
+import { JwksConfig } from "../strategies/oauth2/oauth2.types";
+export declare class JwtService {
+    private config;
+    private client;
+    constructor(config: JwksConfig);
+    verify(idToken: string): Promise<Record<string, any> | null>;
+}

package/build/services/jwks.service.js

@@ -0,0 +1,41 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtService = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const oauth2_errors_1 = require("../strategies/oauth2/oauth2.errors");
+class JwtService {
+    config;
+    client;
+    constructor(config) {
+        this.config = config;
+        this.client = (0, jwks_rsa_1.default)({ jwksUri: this.config.jwksUri });
+    }
+    async verify(idToken) {
+        try {
+            const decodedHeader = jsonwebtoken_1.default.decode(idToken, { complete: true });
+            if (!decodedHeader?.header?.kid) {
+                throw new oauth2_errors_1.InvalidIdTokenError("Invalid ID Token structure.");
+            }
+            const key = await this.client.getSigningKey(decodedHeader.header.kid);
+            const publicKey = key.getPublicKey();
+            const payload = jsonwebtoken_1.default.verify(idToken, publicKey, {
+                algorithms: this.config.algorithms || ["RS256"],
+                issuer: this.config.issuer,
+                audience: this.config.audience,
+            });
+            if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+                throw new oauth2_errors_1.InvalidIdTokenError("ID Token has expired");
+            }
+            return payload;
+        }
+        catch (error) {
+            console.error("JWT verification failed:", error);
+            throw error;
+        }
+    }
+}
+exports.JwtService = JwtService;

package/build/services/mfa.service.d.ts

@@ -0,0 +1,12 @@
+import * as Soap from "@soapjs/soap";
+import { MfaConfig } from "../types";
+export declare class MfaService<TContext = unknown, TUser = unknown> {
+    private config;
+    private logger;
+    constructor(config: MfaConfig, logger: Soap.Logger);
+    checkMfa(user: TUser, context: TContext): Promise<void>;
+    protected lockMfaOnFailure(user: TUser): void;
+    protected getMfaAttempts(user: TUser): Promise<number>;
+    protected incrementMfaAttempts(user: TUser): void;
+    protected resetMfaAttempts(user: TUser): void;
+}

package/build/services/mfa.service.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MfaService = void 0;
+class MfaService {
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+    async checkMfa(user, context) {
+        try {
+            if (this.config.isMfaRequired?.(user)) {
+                const mfaCode = this.config.extractMfaCode?.(context);
+                if (!mfaCode) {
+                    await this.config.sendMfaCode?.(user, context);
+                    throw new Error("2FA required. A verification code has been sent.");
+                }
+                const attempts = (await this.getMfaAttempts(user)) || 0;
+                if (this.config.maxMfaAttempts &&
+                    attempts >= this.config.maxMfaAttempts) {
+                    this.logger?.warn(`User ${user} exceeded maximum MFA attempts.`);
+                    await this.lockMfaOnFailure(user);
+                    throw new Error("Your account has been temporarily locked due to too many failed 2FA attempts.");
+                }
+                const isValidMfa = await this.config.validateMfaCode?.(user, mfaCode);
+                if (!isValidMfa) {
+                    this.logger?.warn(`Invalid MFA code attempt for user: ${user}`);
+                    await this.incrementMfaAttempts(user);
+                    throw new Error("Invalid 2FA code provided.");
+                }
+                await this.resetMfaAttempts(user);
+                this.logger?.info(`2FA successfully validated for user: ${user}`);
+            }
+        }
+        catch (error) {
+            this.logger?.error(`2FA validation error for user: ${user}`, error);
+            throw error;
+        }
+    }
+    lockMfaOnFailure(user) {
+        try {
+            this.config.lockMfaOnFailure?.(user);
+        }
+        catch (error) {
+            this.logger?.error(error);
+        }
+    }
+    async getMfaAttempts(user) {
+        try {
+            return this.config.getMfaAttempts?.(user);
+        }
+        catch (error) {
+            this.logger?.error(error);
+        }
+    }
+    incrementMfaAttempts(user) {
+        try {
+            this.config.incrementMfaAttempts?.(user);
+        }
+        catch (error) {
+            this.logger?.error(error);
+        }
+    }
+    resetMfaAttempts(user) {
+        try {
+            this.config.resetMfaAttempts?.(user);
+        }
+        catch (error) {
+            this.logger?.error(error);
+        }
+    }
+}
+exports.MfaService = MfaService;

package/build/services/password.service.d.ts

@@ -0,0 +1,14 @@
+import * as Soap from "@soapjs/soap";
+import { PasswordPolicyConfig } from "../types";
+export declare class PasswordService {
+    private config;
+    private logger;
+    constructor(config: PasswordPolicyConfig, logger: Soap.Logger);
+    validatePassword(password: string): Promise<boolean>;
+    getLastPasswordChange(identifier: string): Promise<Date>;
+    generateResetToken(identifier: string): Promise<string>;
+    sendResetEmail(identifier: string, token: string): Promise<void>;
+    validateResetToken(token: string): Promise<boolean>;
+    updatePassword(identifier: string, newPassword: string): Promise<void>;
+    isPasswordChangeRequired(identifier: string): Promise<boolean>;
+}

package/build/services/password.service.js

@@ -0,0 +1,78 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasswordService = void 0;
+const Soap = __importStar(require("@soapjs/soap"));
+class PasswordService {
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+    async validatePassword(password) {
+        return this.config.validatePassword?.(password);
+    }
+    async getLastPasswordChange(identifier) {
+        return this.config.getLastPasswordChange?.(identifier);
+    }
+    async generateResetToken(identifier) {
+        if (!this.config?.generateResetToken) {
+            throw new Soap.NotImplementedError("generateResetToken");
+        }
+        return this.config.generateResetToken?.(identifier);
+    }
+    async sendResetEmail(identifier, token) {
+        if (!this.config?.sendResetEmail) {
+            throw new Soap.NotImplementedError("sendResetEmail");
+        }
+        return this.config.sendResetEmail?.(identifier, token);
+    }
+    async validateResetToken(token) {
+        if (!this.config?.validateResetToken) {
+            throw new Soap.NotImplementedError("validateResetToken");
+        }
+        return this.config.validateResetToken?.(token);
+    }
+    async updatePassword(identifier, newPassword) {
+        if (!this.config?.updatePassword) {
+            throw new Soap.NotImplementedError("updatePassword");
+        }
+        return this.config.updatePassword?.(identifier, newPassword);
+    }
+    async isPasswordChangeRequired(identifier) {
+        if (this.config.passwordExpirationDays) {
+            if (!this.config.getLastPasswordChange) {
+                throw new Soap.NotImplementedError("getLastPasswordChange");
+            }
+            const lastChanged = await this.config.getLastPasswordChange(identifier);
+            return (lastChanged &&
+                Date.now() - Number(lastChanged) >
+                    this.config.passwordExpirationDays * 86400000);
+        }
+        return false;
+    }
+}
+exports.PasswordService = PasswordService;

package/build/services/pkce.service.d.ts

@@ -0,0 +1,14 @@
+import { PKCEConfig } from "../types";
+export declare class PKCEService<TContext> {
+    private config;
+    constructor(config: PKCEConfig<TContext>);
+    private defaultGenerateCodeChallenge;
+    generateCodeVerifier(context: TContext): Promise<string>;
+    extractCodeVerifier(context: TContext): string | undefined;
+    generateCodeChallenge(codeVerifier: string, context: TContext): Promise<string>;
+    extractCodeChallenge(context: TContext): string | undefined;
+    isCodeVerifierExpired(context: TContext): Promise<boolean>;
+    isCodeChallengeExpired(context: TContext): Promise<boolean>;
+    clearCodeVerifier(context: TContext): Promise<void>;
+    clearCodeChallenge(context: TContext): Promise<void>;
+}

package/build/services/pkce.service.js

@@ -0,0 +1,81 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PKCEService = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const tools_1 = require("../tools");
+class PKCEService {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    defaultGenerateCodeChallenge(verifier) {
+        return crypto_1.default
+            .createHash("sha256")
+            .update(verifier)
+            .digest("base64")
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=+$/, "");
+    }
+    async generateCodeVerifier(context) {
+        const cv = this.config.verifier.generate?.() || (0, tools_1.generateRandomString)();
+        this.config.verifier.embed(context, cv);
+        const expirationTime = Date.now() + (this.config.verifier.expiresIn ?? 300) * 1000;
+        await this.config.verifier.persistence?.store(cv, {
+            expiration: expirationTime,
+        });
+        return cv;
+    }
+    extractCodeVerifier(context) {
+        return this.config.verifier.extract(context);
+    }
+    async generateCodeChallenge(codeVerifier, context) {
+        const challenge = this.config.challenge.generate?.(codeVerifier) ||
+            this.defaultGenerateCodeChallenge(codeVerifier);
+        this.config.challenge.embed(context, challenge);
+        const expirationTime = Date.now() + (this.config.challenge.expiresIn ?? 300) * 1000;
+        await this.config.challenge.persistence?.store?.(challenge, {
+            expiration: expirationTime,
+        });
+        return challenge;
+    }
+    extractCodeChallenge(context) {
+        return this.config.challenge.extract(context);
+    }
+    async isCodeVerifierExpired(context) {
+        const codeVerifier = this.extractCodeVerifier(context);
+        if (!codeVerifier)
+            return true;
+        const stored = await this.config.verifier?.persistence?.read?.(codeVerifier);
+        if (!stored || !stored.expiration)
+            return true;
+        return Date.now() > stored.expiration;
+    }
+    async isCodeChallengeExpired(context) {
+        const challenge = this.extractCodeChallenge(context);
+        if (!challenge)
+            return true;
+        const stored = await this.config.challenge?.persistence?.read?.(challenge);
+        if (!stored || !stored.expiration)
+            return true;
+        return Date.now() > stored.expiration;
+    }
+    async clearCodeVerifier(context) {
+        const cv = this.config.verifier.extract(context);
+        if (cv) {
+            await this.config.verifier.persistence?.remove?.(cv);
+            this.config.verifier.embed(context, "");
+        }
+    }
+    async clearCodeChallenge(context) {
+        const challenge = this.config.challenge.extract(context);
+        if (challenge) {
+            await this.config.challenge.persistence?.remove?.(challenge);
+            this.config.challenge.embed(context, "");
+        }
+    }
+}
+exports.PKCEService = PKCEService;

package/build/services/rate-limit.service.d.ts

@@ -0,0 +1,9 @@
+import * as Soap from "@soapjs/soap";
+import { RateLimitConfig } from "../types";
+export declare class RateLimitService {
+    private config;
+    private logger;
+    constructor(config: RateLimitConfig, logger: Soap.Logger);
+    incrementRequestCount(...args: unknown[]): Promise<void>;
+    checkRateLimit(data: unknown): Promise<void>;
+}

package/build/services/rate-limit.service.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimitService = void 0;
+const errors_1 = require("../errors");
+class RateLimitService {
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+    async incrementRequestCount(...args) {
+        try {
+            await this.config.incrementRequestCount(...args);
+        }
+        catch (error) {
+            this.logger?.error(error);
+        }
+    }
+    async checkRateLimit(data) {
+        if (await this.config.checkRateLimit?.(data)) {
+            throw new errors_1.RateLimitExceededError();
+        }
+    }
+}
+exports.RateLimitService = RateLimitService;

package/build/services/role.service.d.ts

@@ -0,0 +1,9 @@
+import * as Soap from "@soapjs/soap";
+import { RoleAuthorizationConfig } from "../types";
+export declare class RoleService<TUser> {
+    private config;
+    private logger;
+    private roles;
+    constructor(config: RoleAuthorizationConfig, logger: Soap.Logger);
+    isAuthorized(user: TUser): Promise<boolean>;
+}

package/build/services/role.service.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleService = void 0;
+const errors_1 = require("../errors");
+class RoleService {
+    config;
+    logger;
+    roles;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.roles = config.roles || [];
+    }
+    async isAuthorized(user) {
+        if (typeof this.config.authorizeByRoles === "function" &&
+            Array.isArray(this.roles) &&
+            this.roles.length > 0) {
+            const hasAccess = await this.config.authorizeByRoles(user, this.roles);
+            if (!hasAccess) {
+                throw new errors_1.UnauthorizedRoleError();
+            }
+        }
+        return true;
+    }
+}
+exports.RoleService = RoleService;

package/build/session/__tests__/file.session-store.test.d.ts

@@ -0,0 +1 @@
+export {};

package/build/session/__tests__/file.session-store.test.js

@@ -0,0 +1,117 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const file_session_store_1 = require("../file.session-store");
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+jest.mock("fs/promises", () => ({
+    mkdir: jest.fn(),
+    readFile: jest.fn(),
+    writeFile: jest.fn(),
+    unlink: jest.fn(),
+    readdir: jest.fn(),
+}));
+describe("FileSessionStore", () => {
+    let store;
+    const mockSessionsDir = "/mock/sessions";
+    beforeEach(() => {
+        store = new file_session_store_1.FileSessionStore(mockSessionsDir);
+        jest.clearAllMocks();
+    });
+    describe("init", () => {
+        it("should create the sessions directory recursively", async () => {
+            await store.init();
+            expect(promises_1.default.mkdir).toHaveBeenCalledWith(mockSessionsDir, {
+                recursive: true,
+            });
+        });
+        it("should catch and log errors if mkdir fails", async () => {
+            const consoleSpy = jest
+                .spyOn(console, "error")
+                .mockImplementation(() => { });
+            promises_1.default.mkdir.mockRejectedValueOnce(new Error("mkdir error"));
+            await store.init();
+            expect(consoleSpy).toHaveBeenCalledWith("Error initializing session directory:", expect.any(Error));
+            consoleSpy.mockRestore();
+        });
+    });
+    describe("getSession", () => {
+        it("should return parsed JSON if file read is successful", async () => {
+            const mockData = { user: { id: "123" } };
+            promises_1.default.readFile.mockResolvedValueOnce(JSON.stringify(mockData));
+            const session = await store.getSession("session123");
+            expect(session).toEqual(mockData);
+            expect(promises_1.default.readFile).toHaveBeenCalledWith(path_1.default.join(mockSessionsDir, "session123"), "utf8");
+        });
+        it("should return null and log error if readFile fails", async () => {
+            const consoleSpy = jest
+                .spyOn(console, "error")
+                .mockImplementation(() => { });
+            promises_1.default.readFile.mockRejectedValueOnce(new Error("read error"));
+            const session = await store.getSession("badSession");
+            expect(session).toBeNull();
+            expect(consoleSpy).toHaveBeenCalledWith("Error getting session:", expect.any(Error));
+            consoleSpy.mockRestore();
+        });
+        it("should return null if JSON parse fails", async () => {
+            const consoleSpy = jest
+                .spyOn(console, "error")
+                .mockImplementation(() => { });
+            promises_1.default.readFile.mockResolvedValueOnce("invalid-json");
+            const session = await store.getSession("corruptSession");
+            expect(session).toBeNull();
+            expect(consoleSpy).toHaveBeenCalledWith("Error getting session:", expect.any(Error));
+            consoleSpy.mockRestore();
+        });
+    });
+    describe("setSession", () => {
+        it("should write stringified session data to a file", async () => {
+            const mockData = { user: { id: "xyz" } };
+            await store.setSession("sessionABC", mockData);
+            expect(promises_1.default.writeFile).toHaveBeenCalledWith(path_1.default.join(mockSessionsDir, "sessionABC"), JSON.stringify(mockData), "utf8");
+        });
+        it("should throw error if writeFile fails", async () => {
+            promises_1.default.writeFile.mockRejectedValueOnce(new Error("write error"));
+            await expect(store.setSession("sessionError", { user: { id: "1" } })).rejects.toThrow("write error");
+        });
+    });
+    describe("destroySession", () => {
+        it("should unlink the file associated with the session ID", async () => {
+            await store.destroySession("destroyMe");
+            expect(promises_1.default.unlink).toHaveBeenCalledWith(path_1.default.join(mockSessionsDir, "destroyMe"));
+        });
+        it("should ignore ENOENT errors (file not found)", async () => {
+            promises_1.default.unlink.mockRejectedValueOnce({ code: "ENOENT" });
+            await expect(store.destroySession("notExists")).resolves.toBeUndefined();
+        });
+        it("should rethrow other errors", async () => {
+            promises_1.default.unlink.mockRejectedValueOnce(new Error("unlink error"));
+            await expect(store.destroySession("sessionX")).rejects.toThrow("unlink error");
+        });
+    });
+    describe("touchSession", () => {
+        it("should call setSession with updated data", async () => {
+            const setSessionSpy = jest.spyOn(store, "setSession").mockResolvedValue();
+            const newData = { user: { id: "touchMe" } };
+            await store.touchSession("touchId", newData);
+            expect(setSessionSpy).toHaveBeenCalledWith("touchId", newData);
+        });
+    });
+    describe("getSessionIds", () => {
+        it("should return the base names of files in the sessions directory", async () => {
+            promises_1.default.readdir.mockResolvedValueOnce([
+                { name: "abc", isFile: () => true },
+                { name: "def.json", isFile: () => true },
+                { name: "subdir", isFile: () => false },
+            ]);
+            const result = await store.getSessionIds();
+            expect(result).toEqual(["abc", "def"]);
+        });
+        it("should throw if readdir fails", async () => {
+            promises_1.default.readdir.mockRejectedValueOnce(new Error("readdir error"));
+            await expect(store.getSessionIds()).rejects.toThrow("readdir error");
+        });
+    });
+});

package/build/session/__tests__/memory.session-store.test.d.ts

@@ -0,0 +1 @@
+export {};