@soapjs/soap-auth 0.3.1 → 0.3.2

package/build/strategies/base-auth.strategy.js

@@ -1,70 +1,44 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BaseAuthStrategy = void 0;
-const errors_1 = require("../errors");
+const session_errors_1 = require("../session/session.errors");
+const account_lock_service_1 = require("../services/account-lock.service");
+const mfa_service_1 = require("../services/mfa.service");
+const rate_limit_service_1 = require("../services/rate-limit.service");
+const role_service_1 = require("../services/role.service");
+const auth_throttle_service_1 = require("../services/auth-throttle.service");
 class BaseAuthStrategy {
     config;
     session;
     logger;
+    accountLock;
+    mfa;
+    rateLimit;
+    role;
+    throttle;
     constructor(config, session, logger) {
         this.config = config;
         this.session = session;
         this.logger = logger;
-    }
-    async init() {
-        return Promise.resolve();
-    }
-    async isAccountLocked(account) {
-        if (await this.config.lock.isAccountLocked?.(account)) {
-            throw new errors_1.AccountLockedError();
+        if (config.mfa) {
+            this.mfa = new mfa_service_1.MfaService(config.mfa, logger);
         }
-        return false;
-    }
-    async isAuthorized(user) {
-        if (this.config.role.authorizeByRoles && this.config.role.roles) {
-            const hasAccess = await this.config.role.authorizeByRoles(user, this.config.role.roles);
-            if (!hasAccess) {
-                throw new errors_1.UnauthorizedRoleError();
-            }
+        if (config.lock) {
+            this.accountLock = new account_lock_service_1.AccountLockService(config.lock, logger);
         }
-        return true;
-    }
-    async checkRateLimit(data) {
-        if (this.config.rateLimit.checkRateLimit &&
-            (await this.config.rateLimit.checkRateLimit(data))) {
-            throw new errors_1.RateLimitExceededError();
+        if (config.rateLimit) {
+            this.rateLimit = new rate_limit_service_1.RateLimitService(config.rateLimit, logger);
         }
-    }
-    async checkMfa(user, context) {
-        try {
-            if (this.config.mfa?.isMfaRequired?.(user)) {
-                const mfaCode = this.config.mfa?.extractMfaCode?.(context);
-                if (!mfaCode) {
-                    await this.config.mfa.sendMfaCode?.(user, context);
-                    throw new Error("2FA required. A verification code has been sent.");
-                }
-                const attempts = (await this.config.mfa.getMfaAttempts?.(user)) || 0;
-                if (this.config.mfa.maxMfaAttempts &&
-                    attempts >= this.config.mfa.maxMfaAttempts) {
-                    this.logger?.warn(`User ${user} exceeded maximum MFA attempts.`);
-                    await this.config.mfa.lockMfaOnFailure?.(user);
-                    throw new Error("Your account has been temporarily locked due to too many failed 2FA attempts.");
-                }
-                const isValidMfa = await this.config.mfa.validateMfaCode?.(user, mfaCode);
-                if (!isValidMfa) {
-                    this.logger?.warn(`Invalid MFA code attempt for user: ${user}`);
-                    await this.config.mfa.incrementMfaAttempts?.(user);
-                    throw new Error("Invalid 2FA code provided.");
-                }
-                await this.config.mfa.resetMfaAttempts?.(user);
-                this.logger?.info(`2FA successfully validated for user: ${user}`);
-            }
+        if (config.role) {
+            this.role = new role_service_1.RoleService(config.role, logger);
         }
-        catch (error) {
-            this.logger?.error(`2FA validation error for user: ${user}`, error);
-            throw error;
+        if (config.throttle) {
+            this.throttle = new auth_throttle_service_1.AuthThrottleService(config.throttle, logger);
         }
     }
+    async init() {
+        return Promise.resolve();
+    }
     async onSuccess(action, context) {
         try {
             await this.config.onSuccess?.(action, context);
@@ -74,11 +48,30 @@ class BaseAuthStrategy {
         }
     }
     async onFailure(action, context) {
+        this.logger?.error(`${action} failed:`, context.error);
         try {
             await this.config.onFailure?.(action, context);
         }
-        catch (error) {
-            this.logger?.error(error);
+        catch (e) {
+            this.logger?.error(e);
+        }
+    }
+    async authenticateWithSession(context) {
+        if (this.rateLimit) {
+            await this.rateLimit.checkRateLimit(context);
+        }
+        if (this.session) {
+            let sessionId = this.session.getSessionId(context);
+            if (!sessionId)
+                throw new session_errors_1.MissingSessionIdError();
+            const sessionData = await this.session.getSessionData(sessionId);
+            if (!sessionData)
+                throw new session_errors_1.InvalidSessionError();
+            const user = sessionData.user;
+            if (this.role) {
+                await this.role.isAuthorized(user);
+            }
+            return { user };
         }
     }
 }

package/build/strategies/basic/__tests__/basic.strategy.test.d.ts

@@ -0,0 +1 @@
+export {};

package/build/strategies/basic/__tests__/basic.strategy.test.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const basic_strategy_1 = require("../basic.strategy");
+const errors_1 = require("../../../errors");
+describe("BasicStrategy", () => {
+    let strategy;
+    let mockConfig;
+    let mockSession;
+    let mockJwt;
+    beforeEach(() => {
+        mockConfig = {
+            credentials: {
+                extractCredentials: jest.fn(),
+                verifyCredentials: jest.fn(),
+            },
+            user: {
+                fetchUser: jest.fn(),
+            },
+            routes: {
+                login: {},
+                logout: {},
+            },
+        };
+        mockSession = {
+            issueSession: jest.fn(),
+        };
+        mockJwt = {
+            issueTokens: jest.fn(),
+        };
+        strategy = new basic_strategy_1.BasicStrategy(mockConfig, mockSession, mockJwt);
+    });
+    describe("extractCredentials", () => {
+        it("should extract credentials from Authorization header", () => {
+            mockConfig.credentials.extractCredentials = null;
+            const username = "testuser";
+            const password = "securepassword";
+            const encoded = Buffer.from(`${username}:${password}`).toString("base64");
+            const context = { headers: { authorization: `Basic ${encoded}` } };
+            const credentials = strategy.extractCredentials(context);
+            expect(credentials).toEqual({ identifier: username, password });
+        });
+        it("should throw MissingCredentialsError if Authorization header is missing", () => {
+            const context = { headers: {} };
+            expect(() => strategy.extractCredentials(context)).toThrow(errors_1.MissingCredentialsError);
+        });
+        it("should throw InvalidCredentialsError if Authorization header is malformed", () => {
+            const context = { headers: { authorization: "Bearer token" } };
+            mockConfig.credentials.extractCredentials = null;
+            expect(() => strategy.extractCredentials(context)).toThrow(errors_1.InvalidCredentialsError);
+        });
+        it("should throw InvalidCredentialsError if Authorization header is not base64-encoded properly", () => {
+            const context = { headers: { authorization: "Basic not_base64_data" } };
+            mockConfig.credentials.extractCredentials = null;
+            expect(() => strategy.extractCredentials(context)).toThrow(errors_1.InvalidCredentialsError);
+        });
+        it("should throw InvalidCredentialsError if decoded credentials are invalid", () => {
+            const encoded = Buffer.from(`username`).toString("base64");
+            const context = { headers: { authorization: `Basic ${encoded}` } };
+            mockConfig.credentials.extractCredentials = null;
+            expect(() => strategy.extractCredentials(context)).toThrow(errors_1.InvalidCredentialsError);
+        });
+    });
+    describe("verifyCredentials", () => {
+        it("should verify valid credentials", async () => {
+            mockConfig.credentials.verifyCredentials.mockResolvedValue(true);
+            const result = await strategy.verifyCredentials("testuser", "password");
+            expect(result).toBe(true);
+            expect(mockConfig.credentials.verifyCredentials).toHaveBeenCalledWith("testuser", "password");
+        });
+        it("should return false if credentials are invalid", async () => {
+            mockConfig.credentials.verifyCredentials.mockResolvedValue(false);
+            const result = await strategy.verifyCredentials("testuser", "wrongpass");
+            expect(result).toBe(false);
+            expect(mockConfig.credentials.verifyCredentials).toHaveBeenCalledWith("testuser", "wrongpass");
+        });
+    });
+    describe("fetchUser", () => {
+        it("should retrieve user data when credentials are valid", async () => {
+            const mockUser = { id: 1, username: "testuser" };
+            mockConfig.user.fetchUser.mockResolvedValue(mockUser);
+            const user = await strategy.fetchUser({
+                identifier: "testuser",
+                password: "securepassword",
+            });
+            expect(user).toEqual(mockUser);
+            expect(mockConfig.user.fetchUser).toHaveBeenCalledWith({
+                identifier: "testuser",
+                password: "securepassword",
+            });
+        });
+        it("should return null if user is not found", async () => {
+            mockConfig.user.fetchUser.mockResolvedValue(null);
+            const user = await strategy.fetchUser({
+                identifier: "unknownuser",
+                password: "securepassword",
+            });
+            expect(user).toBeNull();
+            expect(mockConfig.user.fetchUser).toHaveBeenCalledWith({
+                identifier: "unknownuser",
+                password: "securepassword",
+            });
+        });
+    });
+});

package/build/strategies/basic/basic.strategy.d.ts

@@ -1,19 +1,17 @@
 import * as Soap from "@soapjs/soap";
 import { CredentialAuthStrategy } from "../credential-auth.strategy";
-import { BasicContext, BasicStrategyConfig } from "./basic.types";
+import { BasicStrategyConfig } from "./basic.types";
 import { SessionHandler } from "../../session/session-handler";
-export declare class BasicStrategy<TContext extends BasicContext = BasicContext, TUser = unknown> extends CredentialAuthStrategy<TContext, TUser> {
+import { JwtStrategy } from "../jwt/jwt.strategy";
+export declare class BasicStrategy<TContext = unknown, TUser = unknown> extends CredentialAuthStrategy<TContext, TUser> {
     protected config: BasicStrategyConfig<TContext, TUser>;
     protected session?: SessionHandler;
+    protected jwt?: JwtStrategy<TContext, TUser>;
     protected logger?: Soap.Logger;
-    constructor(config: BasicStrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
+    constructor(config: BasicStrategyConfig<TContext, TUser>, session?: SessionHandler, jwt?: JwtStrategy<TContext, TUser>, logger?: Soap.Logger);
     protected extractCredentials(context?: TContext): {
         identifier: string;
         password: string;
     };
     protected verifyCredentials(identifier: string, password: string): Promise<boolean>;
-    protected retrieveUser(credentials: {
-        identifier: string;
-        password: string;
-    }): Promise<TUser | null>;
 }

package/build/strategies/basic/basic.strategy.js

@@ -3,18 +3,21 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.BasicStrategy = void 0;
 const credential_auth_strategy_1 = require("../credential-auth.strategy");
 const errors_1 = require("../../errors");
+const basic_tools_1 = require("./basic.tools");
 class BasicStrategy extends credential_auth_strategy_1.CredentialAuthStrategy {
     config;
     session;
+    jwt;
     logger;
-    constructor(config, session, logger) {
-        super(config, session, logger);
+    constructor(config, session, jwt, logger) {
+        super((0, basic_tools_1.prepareBasicConfig)(config), session, jwt, logger);
         this.config = config;
         this.session = session;
+        this.jwt = jwt;
         this.logger = logger;
     }
     extractCredentials(context) {
-        const authHeader = this.config.credentials.extractCredentials
+        const authHeader = this.config.credentials?.extractCredentials
             ? this.config.credentials.extractCredentials(context)
             : context?.headers?.authorization ||
                 context?.headers?.["x-custom-auth"] ||
@@ -41,8 +44,5 @@ class BasicStrategy extends credential_auth_strategy_1.CredentialAuthStrategy {
     async verifyCredentials(identifier, password) {
         return this.config.credentials.verifyCredentials(identifier, password);
     }
-    async retrieveUser(credentials) {
-        return this.config.user.getUserData(credentials.identifier);
-    }
 }
 exports.BasicStrategy = BasicStrategy;

package/build/strategies/basic/basic.tools.d.ts

@@ -0,0 +1,2 @@
+import { BasicStrategyConfig } from "./basic.types";
+export declare const prepareBasicConfig: <TContext = any, TUser = any>(config: BasicStrategyConfig<TContext, TUser>) => BasicStrategyConfig<TContext, TUser>;

package/build/strategies/basic/basic.tools.js

@@ -0,0 +1,44 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prepareBasicConfig = void 0;
+const Soap = __importStar(require("@soapjs/soap"));
+const prepareBasicConfig = (config) => {
+    return Soap.removeUndefinedProperties({
+        ...config,
+        routes: {
+            ...config.routes,
+            login: {
+                path: config.routes.login.path || "/auth/basic/login",
+                method: config.routes.login.method || "POST",
+            },
+            logout: {
+                path: config.routes.logout.path || "/auth/basic/logout",
+                method: config.routes.logout.method || "POST",
+            },
+        },
+    });
+};
+exports.prepareBasicConfig = prepareBasicConfig;

package/build/strategies/credential-auth.strategy.d.ts

@@ -2,32 +2,22 @@ import * as Soap from "@soapjs/soap";
 import { AuthResult, CredentialAuthStrategyConfig } from "../types";
 import { BaseAuthStrategy } from "./base-auth.strategy";
 import { SessionHandler } from "../session/session-handler";
+import { JwtStrategy } from "./jwt/jwt.strategy";
+import { PasswordService } from "../services/password.service";
 export declare abstract class CredentialAuthStrategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
     protected config: CredentialAuthStrategyConfig<TContext, TUser>;
     protected session?: SessionHandler;
+    protected jwt?: JwtStrategy<TContext, TUser>;
     protected logger?: Soap.Logger;
+    protected password: PasswordService;
     protected abstract verifyCredentials(identifier: string, password: string): Promise<boolean>;
     protected abstract extractCredentials(context: TContext): any;
-    protected abstract retrieveUser(credentials: any): Promise<TUser | null>;
-    constructor(config: CredentialAuthStrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
-    protected storeUserSession(user: TUser, context: TContext): Promise<void>;
-    protected handleAuthenticationError(error: Error, context: TContext): Promise<never>;
-    protected preAuthChecks(identifier: string): Promise<void>;
-    protected handleFailedLogin(identifier: string): Promise<void>;
-    protected handleSuccessfulLogin(identifier: string): Promise<void>;
-    protected finalizeAuthentication(user: TUser, context: TContext): Promise<void>;
+    constructor(config: CredentialAuthStrategyConfig<TContext, TUser>, session?: SessionHandler, jwt?: JwtStrategy<TContext, TUser>, logger?: Soap.Logger);
+    protected fetchUser(payload: unknown): Promise<TUser | null>;
     authenticate(context: TContext): Promise<AuthResult<TUser>>;
-    protected handleSession(user: TUser, context?: TContext): Promise<void>;
+    login(context: TContext): Promise<AuthResult<TUser>>;
     logout(context: TContext): Promise<void>;
     requestPasswordReset(identifier: string, email?: string): Promise<void>;
     resetPassword(identifier: string, token: string, newPassword: string): Promise<void>;
     changePassword(identifier: string, oldPassword: string, newPassword: string): Promise<void>;
-    protected auditLoginAttempt(identifier: string, success: boolean, context?: TContext): Promise<void>;
-    protected auditPasswordChange(identifier: string, context?: TContext): Promise<void>;
-    protected validatePasswordPolicy(password: string): boolean;
-    protected checkFailedAttempts(identifier: string): Promise<void>;
-    protected isAccountLocked(account: any): Promise<boolean>;
-    protected incrementFailedAttempts(account: any): Promise<void>;
-    protected notifyAccountLocked(identifier: string): Promise<void>;
-    protected checkPasswordExpiry(identifier: string): Promise<void>;
 }