@soapjs/soap-auth 0.3.3 → 0.4.4

package/.claude/settings.local.json

@@ -0,0 +1,20 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run *)",
+      "Bash(npx tsc *)",
+      "Bash(npm audit *)",
+      "Bash(npm uninstall *)",
+      "Bash(npm install *)",
+      "Bash(echo \"=== SOAP-EXPRESS src ===\" && find /Users/rad/git/soapjs/soap-express/src -type f -name \"*.ts\" | grep -v __tests__ | grep -v \".test.\" | sort && echo \"\" && echo \"=== SOAP-EXPRESS package.json ===\" && cat /Users/rad/git/soapjs/soap-express/package.json)",
+      "Bash(echo \"=== SOAP src \\(http + common\\) ===\" && find /Users/rad/git/soapjs/soap/src -type f -name \"*.ts\" | grep -v __tests__ | grep -v \".test.\" | grep -E \"\\(http|common|config\\)\" | sort)",
+      "Bash(cat /Users/rad/git/soapjs/soap/package.json | grep '\"version\"' | head -1)",
+      "Bash(grep -rln \"AuthStrategy\\\\|\\\\.configure\\(\\\\|\\\\.middleware\\(\\\\|serializeUser\\\\|AuthConfig\\\\b\" src --include=\"*.test.ts\")",
+      "Bash(grep -rln \"AuthStrategy\\\\|AuthConfig\" src/**/__tests__)",
+      "Bash(npm pack *)",
+      "Read(//Users/rad/git/soapjs/**)",
+      "Bash(npm view *)",
+      "Bash(grep -v \"^$\")"
+    ]
+  }
+}

package/build/errors.d.ts

@@ -20,7 +20,7 @@ export declare class UserNotFoundError extends Error {
     constructor();
 }
 export declare class InvalidCredentialsError extends Error {
-    constructor();
+    constructor(message?: string);
 }
 export declare class MissingTokenError extends Error {
     readonly tokenType: "Access" | "Refresh";

package/build/errors.js

@@ -50,8 +50,8 @@ class UserNotFoundError extends Error {
 }
 exports.UserNotFoundError = UserNotFoundError;
 class InvalidCredentialsError extends Error {
-    constructor() {
-        super("Invalid credentials: Authentication failed.");
+    constructor(message) {
+        super(`Invalid credentials: ${message || 'Authentication failed.'}`);
         this.name = "InvalidCredentialsError";
     }
 }

package/build/index.d.ts

@@ -5,3 +5,4 @@ export * from "./tools";
 export * from "./errors";
 export * from "./types";
 export * from "./soap-auth";
+export * from "./utils/validation";

package/build/index.js

@@ -21,3 +21,4 @@ __exportStar(require("./tools"), exports);
 __exportStar(require("./errors"), exports);
 __exportStar(require("./types"), exports);
 __exportStar(require("./soap-auth"), exports);
+__exportStar(require("./utils/validation"), exports);

package/build/services/auth-throttle.service.d.ts

@@ -2,8 +2,8 @@ import * as Soap from "@soapjs/soap";
 import { AuthThrottleConfig } from "../types";
 export declare class AuthThrottleService {
     private config;
-    private logger;
-    constructor(config: AuthThrottleConfig, logger: Soap.Logger);
+    private logger?;
+    constructor(config: AuthThrottleConfig, logger?: Soap.Logger);
     checkFailedAttempts(identifier: string): Promise<void>;
     incrementFailedAttempts(account: any): Promise<void>;
     resetFailedAttempts(account: any): Promise<void>;

package/build/services/auth-throttle.service.js

@@ -17,11 +17,11 @@ class AuthThrottleService {
                     (await this.config.getFailedAttempts?.(identifier)) || 0;
             }
             catch (e) {
-                this.logger.error("Check failed attempts:", e);
+                this.logger?.error("Check failed attempts:", e);
             }
             if (Number.isInteger(failedAttempts) &&
                 failedAttempts >= this.config.maxFailedAttempts) {
-                this.logger.warn(`User ${identifier} is temporarily locked out.`);
+                this.logger?.warn(`User ${identifier} is temporarily locked out.`);
                 throw new errors_1.AccountLockedError();
             }
         }

package/build/services/index.d.ts

@@ -6,3 +6,4 @@ export * from "./password.service";
 export * from "./pkce.service";
 export * from "./rate-limit.service";
 export * from "./role.service";
+export * from "./totp.service";

package/build/services/index.js

@@ -22,3 +22,4 @@ __exportStar(require("./password.service"), exports);
 __exportStar(require("./pkce.service"), exports);
 __exportStar(require("./rate-limit.service"), exports);
 __exportStar(require("./role.service"), exports);
+__exportStar(require("./totp.service"), exports);

package/build/services/password.service.d.ts

@@ -1,14 +1,16 @@
 import * as Soap from "@soapjs/soap";
-import { PasswordPolicyConfig } from "../types";
+import { NewPasswordOptions, PasswordInfo, PasswordPolicyConfig } from "../types";
 export declare class PasswordService {
     private config;
     private logger;
     constructor(config: PasswordPolicyConfig, logger: Soap.Logger);
-    validatePassword(password: string): Promise<boolean>;
-    getLastPasswordChange(identifier: string): Promise<Date>;
+    private validateConfig;
+    validatePassword(password: string, previousPassword?: string): Promise<void>;
+    getPasswordPasswordInfo(identifier: string): Promise<PasswordInfo>;
     generateResetToken(identifier: string): Promise<string>;
     sendResetEmail(identifier: string, token: string): Promise<void>;
-    validateResetToken(token: string): Promise<boolean>;
-    updatePassword(identifier: string, newPassword: string): Promise<void>;
+    validateResetToken(token: string): Promise<void>;
+    updatePassword(identifier: string, newPassword: string, passwordOptions?: NewPasswordOptions): Promise<void>;
     isPasswordChangeRequired(identifier: string): Promise<boolean>;
+    generatePassword(identifier: string, options: NewPasswordOptions): Promise<string>;
 }

package/build/services/password.service.js

@@ -22,57 +22,115 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PasswordService = void 0;
 const Soap = __importStar(require("@soapjs/soap"));
+const bcrypt_1 = __importDefault(require("bcrypt"));
+const crypto_1 = __importDefault(require("crypto"));
+const validation_1 = require("../utils/validation");
+const errors_1 = require("../errors");
 class PasswordService {
     config;
     logger;
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
+        this.validateConfig(config);
     }
-    async validatePassword(password) {
-        return this.config.validatePassword?.(password);
+    validateConfig(config) {
+        try {
+            validation_1.ValidationUtils.required(config, "config");
+            validation_1.ValidationUtils.object(config, "config");
+        }
+        catch (error) {
+            if (error instanceof validation_1.ValidationError) {
+                throw error;
+            }
+            throw new validation_1.ValidationError(`Invalid PasswordService configuration: ${error.message}`);
+        }
     }
-    async getLastPasswordChange(identifier) {
-        return this.config.getLastPasswordChange?.(identifier);
+    async validatePassword(password, previousPassword) {
+        validation_1.ValidationUtils.nonEmptyString(password, "password");
+        if (previousPassword !== undefined) {
+            validation_1.ValidationUtils.nonEmptyString(previousPassword, "previousPassword");
+        }
+        return this.config.validatePassword?.(password, previousPassword);
+    }
+    async getPasswordPasswordInfo(identifier) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        return this.config.getPasswordPasswordInfo?.(identifier);
     }
     async generateResetToken(identifier) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
         if (!this.config?.generateResetToken) {
             throw new Soap.NotImplementedError("generateResetToken");
         }
         return this.config.generateResetToken?.(identifier);
     }
     async sendResetEmail(identifier, token) {
-        if (!this.config?.sendResetEmail) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        validation_1.ValidationUtils.nonEmptyString(token, "token");
+        if (!this.config?.sendPasswordResetEmail) {
             throw new Soap.NotImplementedError("sendResetEmail");
         }
-        return this.config.sendResetEmail?.(identifier, token);
+        return this.config.sendPasswordResetEmail?.(identifier, token);
     }
     async validateResetToken(token) {
-        if (!this.config?.validateResetToken) {
+        validation_1.ValidationUtils.nonEmptyString(token, "token");
+        if (!this.config?.validatePasswordResetToken) {
             throw new Soap.NotImplementedError("validateResetToken");
         }
-        return this.config.validateResetToken?.(token);
+        const isValid = await this.config.validatePasswordResetToken(token);
+        if (isValid === false) {
+            throw new errors_1.ExpiredResetTokenError();
+        }
     }
-    async updatePassword(identifier, newPassword) {
+    async updatePassword(identifier, newPassword, passwordOptions) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        validation_1.ValidationUtils.nonEmptyString(newPassword, "newPassword");
+        if (passwordOptions) {
+            validation_1.ValidationUtils.object(passwordOptions, "passwordOptions");
+            if (passwordOptions.type) {
+                validation_1.ValidationUtils.oneOf(passwordOptions.type, "passwordOptions.type", ["default", "one-time", "temporary"]);
+            }
+        }
         if (!this.config?.updatePassword) {
             throw new Soap.NotImplementedError("updatePassword");
         }
-        return this.config.updatePassword?.(identifier, newPassword);
+        return this.config.updatePassword?.(identifier, newPassword, passwordOptions);
     }
     async isPasswordChangeRequired(identifier) {
-        if (this.config.passwordExpirationDays) {
-            if (!this.config.getLastPasswordChange) {
-                throw new Soap.NotImplementedError("getLastPasswordChange");
-            }
-            const lastChanged = await this.config.getLastPasswordChange(identifier);
-            return (lastChanged &&
-                Date.now() - Number(lastChanged) >
-                    this.config.passwordExpirationDays * 86400000);
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        const passwordInfo = await this.config.getPasswordPasswordInfo?.(identifier);
+        if (passwordInfo &&
+            (passwordInfo.type === "one-time" ||
+                (passwordInfo.type === "temporary" &&
+                    Number.isInteger(passwordInfo.expiresIn) &&
+                    Date.now() - passwordInfo.lastChangeDate.getTime() >
+                        passwordInfo.expiresIn))) {
+            return true;
         }
         return false;
     }
+    async generatePassword(identifier, options) {
+        validation_1.ValidationUtils.nonEmptyString(identifier, "identifier");
+        validation_1.ValidationUtils.required(options, "options");
+        validation_1.ValidationUtils.object(options, "options");
+        validation_1.ValidationUtils.oneOf(options.type, "options.type", ["default", "one-time", "temporary"]);
+        let plaintext;
+        if (this.config.generatePassword) {
+            plaintext = await this.config.generatePassword(identifier, options);
+        }
+        else {
+            plaintext = crypto_1.default.randomBytes(12).toString("base64url");
+        }
+        const salt = await bcrypt_1.default.genSalt(10);
+        const hashedPassword = await bcrypt_1.default.hash(plaintext, salt);
+        await this.updatePassword(identifier, hashedPassword, options);
+        return plaintext;
+    }
 }
 exports.PasswordService = PasswordService;

package/build/services/totp.service.d.ts

@@ -0,0 +1,16 @@
+export interface TotpOptions {
+    step?: number;
+    digits?: number;
+    window?: number;
+}
+export declare class TotpService {
+    private readonly step;
+    private readonly digits;
+    private readonly window;
+    constructor(options?: TotpOptions);
+    generateSecret(byteLength?: number): string;
+    generateOTP(secret: string, timestamp?: number): string;
+    verifyOTP(secret: string, code: string, timestamp?: number): boolean;
+    generateQRUri(secret: string, issuer: string, account: string): string;
+    generateBackupCodes(count?: number): string[];
+}

package/build/services/totp.service.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TotpService = void 0;
+const crypto_1 = require("crypto");
+const BASE32_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function base32Encode(buf) {
+    let bits = 0;
+    let value = 0;
+    let output = "";
+    for (const byte of buf) {
+        value = (value << 8) | byte;
+        bits += 8;
+        while (bits >= 5) {
+            output += BASE32_CHARS[(value >>> (bits - 5)) & 31];
+            bits -= 5;
+        }
+    }
+    if (bits > 0) {
+        output += BASE32_CHARS[(value << (5 - bits)) & 31];
+    }
+    return output;
+}
+function base32Decode(str) {
+    const s = str.replace(/=+$/, "").toUpperCase();
+    const bytes = [];
+    let bits = 0;
+    let value = 0;
+    for (const ch of s) {
+        const idx = BASE32_CHARS.indexOf(ch);
+        if (idx === -1)
+            throw new Error(`Invalid base32 character: ${ch}`);
+        value = (value << 5) | idx;
+        bits += 5;
+        if (bits >= 8) {
+            bytes.push((value >>> (bits - 8)) & 255);
+            bits -= 8;
+        }
+    }
+    return Buffer.from(bytes);
+}
+function hotp(key, counter, digits) {
+    const buf = Buffer.alloc(8);
+    buf.writeBigUInt64BE(counter);
+    const hmac = (0, crypto_1.createHmac)("sha1", key).update(buf).digest();
+    const offset = hmac[hmac.length - 1] & 0x0f;
+    const code = ((hmac[offset] & 0x7f) << 24) |
+        ((hmac[offset + 1] & 0xff) << 16) |
+        ((hmac[offset + 2] & 0xff) << 8) |
+        (hmac[offset + 3] & 0xff);
+    return String(code % 10 ** digits).padStart(digits, "0");
+}
+class TotpService {
+    step;
+    digits;
+    window;
+    constructor(options = {}) {
+        this.step = options.step ?? 30;
+        this.digits = options.digits ?? 6;
+        this.window = options.window ?? 1;
+    }
+    generateSecret(byteLength = 20) {
+        return base32Encode((0, crypto_1.randomBytes)(byteLength));
+    }
+    generateOTP(secret, timestamp = Date.now()) {
+        const key = base32Decode(secret);
+        const counter = BigInt(Math.floor(timestamp / 1000 / this.step));
+        return hotp(key, counter, this.digits);
+    }
+    verifyOTP(secret, code, timestamp = Date.now()) {
+        if (!/^\d+$/.test(code) || code.length !== this.digits)
+            return false;
+        const key = base32Decode(secret);
+        const counter = BigInt(Math.floor(timestamp / 1000 / this.step));
+        for (let delta = -this.window; delta <= this.window; delta++) {
+            const expected = hotp(key, counter + BigInt(delta), this.digits);
+            if (expected === code)
+                return true;
+        }
+        return false;
+    }
+    generateQRUri(secret, issuer, account) {
+        const params = new URLSearchParams({
+            secret,
+            issuer,
+            algorithm: "SHA1",
+            digits: String(this.digits),
+            period: String(this.step),
+        });
+        const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
+        return `otpauth://totp/${label}?${params.toString()}`;
+    }
+    generateBackupCodes(count = 8) {
+        return Array.from({ length: count }, () => (0, crypto_1.randomBytes)(6).toString("hex").toUpperCase());
+    }
+}
+exports.TotpService = TotpService;

package/build/session/session-handler.d.ts

@@ -7,6 +7,7 @@ export declare class SessionHandler<TContext = unknown, TUser = unknown, TData =
     private sessionKey;
     private headerKey;
     constructor(config: SessionConfig, logger?: Soap.Logger);
+    private validateConfig;
     setSessionId(context: TContext, sessionId: string): void;
     getSessionId(context: TContext): string | null;
     generateSessionId(): string;

package/build/session/session-handler.js

@@ -1,8 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SessionHandler = void 0;
-const uuid_1 = require("uuid");
+const crypto_1 = require("crypto");
 const session_errors_1 = require("./session.errors");
+const validation_1 = require("../utils/validation");
 class SessionHandler {
     config;
     logger;
@@ -12,6 +13,7 @@ class SessionHandler {
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
+        this.validateConfig(config);
         if (!config.store) {
             throw new Error("Session store is required.");
         }
@@ -19,8 +21,37 @@ class SessionHandler {
         this.sessionKey = config.sessionKey || "SESSIONID";
         this.headerKey = config.sessionHeader || "x-session-id";
     }
+    validateConfig(config) {
+        try {
+            validation_1.ValidationUtils.required(config, "config");
+            validation_1.ValidationUtils.required(config.secret, "config.secret");
+            validation_1.ValidationUtils.nonEmptyString(config.secret, "config.secret");
+            validation_1.ValidationUtils.required(config.store, "config.store");
+            validation_1.ValidationUtils.object(config.store, "config.store");
+            if (config.sessionKey) {
+                validation_1.ValidationUtils.nonEmptyString(config.sessionKey, "config.sessionKey");
+            }
+            if (config.sessionHeader) {
+                validation_1.ValidationUtils.nonEmptyString(config.sessionHeader, "config.sessionHeader");
+            }
+            const requiredMethods = ['getSession', 'setSession', 'destroySession', 'touchSession', 'getSessionIds'];
+            for (const method of requiredMethods) {
+                if (typeof config.store[method] !== 'function') {
+                    throw new validation_1.ValidationError(`Session store must implement ${method} method`);
+                }
+            }
+        }
+        catch (error) {
+            if (error instanceof validation_1.ValidationError) {
+                throw error;
+            }
+            throw new validation_1.ValidationError(`Invalid SessionHandler configuration: ${error.message}`);
+        }
+    }
     setSessionId(context, sessionId) {
         try {
+            validation_1.ValidationUtils.required(context, "context");
+            validation_1.ValidationUtils.nonEmptyString(sessionId, "sessionId");
             if (this.config.embedSessionId) {
                 this.config.embedSessionId(context, sessionId);
                 return;
@@ -48,10 +79,12 @@ class SessionHandler {
         }
         catch (error) {
             this.config.logger?.error("Error setting session ID:", error);
+            throw error;
         }
     }
     getSessionId(context) {
         try {
+            validation_1.ValidationUtils.required(context, "context");
             if (this.config.getSessionId) {
                 return this.config.getSessionId(context);
             }
@@ -74,7 +107,7 @@ class SessionHandler {
         }
     }
     generateSessionId() {
-        return this.config.generateSessionId?.() || (0, uuid_1.v4)();
+        return this.config.generateSessionId?.() || (0, crypto_1.randomUUID)();
     }
     buildSessionData(data, context) {
         return this.config.createSessionData
@@ -83,6 +116,7 @@ class SessionHandler {
     }
     async getSessionData(sessionId) {
         try {
+            validation_1.ValidationUtils.nonEmptyString(sessionId, "sessionId");
             const data = await this.store.getSession(sessionId);
             return data;
         }
@@ -93,15 +127,14 @@ class SessionHandler {
     }
     async setSessionData(sessionId, data) {
         try {
-            if (!sessionId) {
-                this.config.logger?.warn("No session ID found, unable to set session.");
-                return;
-            }
+            validation_1.ValidationUtils.nonEmptyString(sessionId, "sessionId");
+            validation_1.ValidationUtils.required(data, "data");
             await this.store.setSession(sessionId, data);
             this.config.logger?.info(`Session set for ID: ${sessionId}`);
         }
         catch (error) {
             this.config.logger?.error("Error storing session data:", error);
+            throw error;
         }
     }
     async touch(sessionId, data) {

package/build/soap-auth.d.ts

@@ -1,17 +1,24 @@
-import { AuthCategories, AuthStrategy, SoapAuthConfig } from "./types";
+import * as Soap from "@soapjs/soap";
+import { AuthCategories, SoapAuthConfig } from "./types";
 export declare class SoapAuth {
     private requiredStrategyMethods;
     private strategies;
     private logger?;
     constructor(config: SoapAuthConfig);
+    private validateConfig;
+    private validateSessionConfig;
+    private validateJwtConfig;
+    private validateHttpStrategies;
+    private validateSocketStrategies;
     private isAuthStrategy;
-    addStrategy(strategyInstance: AuthStrategy | undefined, name: string, type: AuthCategories): void;
+    addStrategy(strategyInstance: Soap.AuthStrategy | undefined, name: string, type: AuthCategories): void;
     removeStrategy(name: string | string[], type: AuthCategories): void;
     hasStrategy(name: string, type: AuthCategories): boolean;
-    getStrategy<T extends AuthStrategy>(name: string, type: AuthCategories): T;
-    getHttpStrategy<T extends AuthStrategy>(name: string): T;
-    getSocketStrategy<T extends AuthStrategy>(name: string): T;
-    getEventStrategy<T extends AuthStrategy>(name: string): T;
+    getStrategy<T extends Soap.AuthStrategy>(name: string, type: AuthCategories): T;
+    getHttpStrategy<T extends Soap.AuthStrategy>(name: string): T;
+    getSocketStrategy<T extends Soap.AuthStrategy>(name: string): T;
+    getEventStrategy<T extends Soap.AuthStrategy>(name: string): T;
     listStrategies(type: AuthCategories): string[];
     init(sequential?: boolean): Promise<void>;
+    static create(config: SoapAuthConfig): Promise<SoapAuth>;
 }