@sockethub/data-layer 1.0.0-alpha.3 → 1.0.0-alpha.5

package/src/credentials-store.ts

@@ -1,76 +1,124 @@
-import SecureStore from 'secure-store-redis';
-import debug, {Debugger} from 'debug';
-import {IActivityStream, CallbackInterface} from "@sockethub/schemas";
-import crypto from "@sockethub/crypto";
-import {RedisConfigProps, RedisConfigUrl} from "./types";
+import { crypto } from "@sockethub/crypto";
+import type { CredentialsObject } from "@sockethub/schemas";
+import debug, { type Debugger } from "debug";
+import SecureStore from "secure-store-redis";
+
+import type { RedisConfig } from "./types.js";
+
+export interface CredentialsStoreInterface {
+    get(
+        actor: string,
+        credentialsHash: string | undefined,
+    ): Promise<CredentialsObject | undefined>;
+    save(actor: string, creds: CredentialsObject): Promise<number>;
+}
+
+export async function verifySecureStore(config: RedisConfig): Promise<void> {
+    const log = debug("sockethub:data-layer:credentials-store");
+    const ss = new SecureStore({
+        redis: config,
+    });
+    await ss.init();
+    await ss.disconnect();
+    log("redis connection verified");
+}
 
 /**
- * Encapsulates the storing and fetching of credential objects.
+ * Secure, encrypted storage for user credentials with session-based isolation.
+ *
+ * Provides automatic encryption/decryption of credential objects stored in Redis,
+ * ensuring that sensitive authentication data is never stored in plaintext.
+ * Each session gets its own isolated credential store.
+ *
+ * @example
+ * ```typescript
+ * const store = new CredentialsStore('session123', secret, redisConfig);
+ *
+ * // Store credentials
+ * await store.save('user@example.com', {
+ *   username: 'user',
+ *   password: 'secret',
+ *   server: 'irc.freenode.net'
+ * });
+ *
+ * // Retrieve credentials
+ * const creds = await store.get('user@example.com', credentialsHash);
+ * ```
  */
-export default class CredentialsStore {
-  readonly uid: string;
-  private readonly store: SecureStore;
-  private readonly log: Debugger;
+export class CredentialsStore implements CredentialsStoreInterface {
+    readonly uid: string;
+    store: SecureStore;
+    objectHash: (o: unknown) => string;
+    private readonly log: Debugger;
 
-  /**
-   * @param parentId - The ID of the parent instance (eg. sockethub itself)
-   * @param sessionId - The ID of the session (socket.io connection)
-   * @param secret - The encryption secret (parent + session secrets)
-   * @param redisConfig - Connect info for redis
-   */
-  constructor(
-    parentId: string,
-    sessionId: string,
-    secret: string,
-    redisConfig: RedisConfigProps | RedisConfigUrl
-  ) {
-    this.uid = `sockethub:data-layer:credentials-store:${parentId}:${sessionId}`;
-    this.store = new SecureStore({
-      namespace: this.uid,
-      secret: secret,
-      redis: redisConfig
-    });
-    this.log = debug(this.uid);
-  }
+    /**
+     * Creates a new CredentialsStore instance.
+     *
+     * @param parentId - Unique identifier for the parent instance (e.g. server ID)
+     * @param sessionId - Client session identifier for credential isolation
+     * @param secret - 32-character encryption secret for credential security
+     * @param redisConfig - Redis connection configuration
+     * @throws Error if secret is not exactly 32 characters
+     */
+    constructor(
+        parentId: string,
+        sessionId: string,
+        secret: string,
+        redisConfig: RedisConfig,
+    ) {
+        if (secret.length !== 32) {
+            throw new Error(
+                "CredentialsStore secret must be 32 chars in length",
+            );
+        }
+        this.uid = `sockethub:data-layer:credentials-store:${parentId}:${sessionId}`;
+        this.log = debug(this.uid);
+        this.initCrypto();
+        this.initSecureStore(secret, redisConfig);
+        this.log("initialized");
+    }
 
-  /**
-   * Gets the credentials for a given actor ID
-   * @param actor
-   * @param credentialHash
-   */
-  async get(actor: string, credentialHash: string): Promise<IActivityStream> {
-    this.log(`get credentials for ${actor}`);
-    return new Promise((resolve, reject) => {
-      this.store.get(actor, (err, credentials) => {
-        if (err) { return reject(err.toString()); }
-        if (!credentials) { return resolve(undefined); }
+    initCrypto() {
+        this.objectHash = crypto.objectHash;
+    }
 
-        if (credentialHash) {
-          if (credentialHash !== crypto.objectHash(credentials.object)) {
-            return reject(
-              `provided credentials do not match existing platform instance for actor ${actor}`);
-          }
+    initSecureStore(secret: string, redisConfig: RedisConfig) {
+        this.store = new SecureStore({
+            uid: this.uid,
+            secret: secret,
+            redis: redisConfig,
+        });
+    }
+
+    /**
+     * Gets the credentials for a given actor ID
+     * @param actor
+     * @param credentialsHash - Optional hash to validate credentials. If undefined, validation is skipped.
+     */
+    async get(
+        actor: string,
+        credentialsHash: string | undefined,
+    ): Promise<CredentialsObject> {
+        this.log(`get credentials for ${actor}`);
+        const credentials: CredentialsObject = await this.store.get(actor);
+        if (!credentials) {
+            throw new Error(`credentials not found for ${actor}`);
         }
-        return resolve(credentials);
-      });
-    });
-  }
 
-  /**
-   * Saves the credentials for a given actor ID
-   * @param actor
-   * @param creds
-   * @param done
-   */
-  save(actor: string, creds: IActivityStream, done: CallbackInterface): void {
-    this.store.save(actor, creds, (err) => {
-      if (err) {
-        this.log('error saving credentials to store ' + err);
-        return done(err);
-      } else {
-        this.log(`credentials encrypted and saved`);
-        return done();
-      }
-    });
-  }
-}
+        if (credentialsHash) {
+            if (credentialsHash !== this.objectHash(credentials.object)) {
+                throw new Error(`invalid credentials for ${actor}`);
+            }
+        }
+        return credentials;
+    }
+
+    /**
+     * Saves the credentials for a given actor ID
+     * @param actor
+     * @param creds
+     */
+    async save(actor: string, creds: CredentialsObject): Promise<number> {
+        return this.store.save(actor, creds);
+    }
+}

package/src/index.ts

@@ -1,3 +1,27 @@
-export {default as CredentialsStore} from "./credentials-store";
-export {default as JobQueue} from "./job-queue";
-export * from "./types";
+import debug from "debug";
+
+import {
+    CredentialsStore,
+    type CredentialsStoreInterface,
+    verifySecureStore,
+} from "./credentials-store.js";
+import { JobQueue, verifyJobQueue } from "./job-queue.js";
+import { JobWorker } from "./job-worker.js";
+export * from "./types.js";
+import type { RedisConfig } from "./types.js";
+
+const log = debug("sockethub:data-layer");
+
+async function redisCheck(config: RedisConfig): Promise<void> {
+    log(`checking redis connection ${config.url}`);
+    await verifySecureStore(config);
+    await verifyJobQueue(config);
+}
+
+export {
+    redisCheck,
+    JobQueue,
+    JobWorker,
+    CredentialsStore,
+    type CredentialsStoreInterface,
+};

package/src/job-base.ts

@@ -0,0 +1,58 @@
+import EventEmitter from "node:events";
+import IORedis, { type Redis } from "ioredis";
+
+import { crypto, type Crypto } from "@sockethub/crypto";
+import type { ActivityStream } from "@sockethub/schemas";
+
+import type { JobDataDecrypted, JobEncrypted, RedisConfig } from "./types.js";
+
+export function createIORedisConnection(config: RedisConfig): Redis {
+    return new IORedis(config.url, {
+        enableOfflineQueue: false,
+        maxRetriesPerRequest: null,
+    });
+}
+
+export class JobBase extends EventEmitter {
+    protected crypto: Crypto;
+    private readonly secret: string;
+
+    constructor(secret: string) {
+        super();
+        if (secret.length !== 32) {
+            throw new Error(
+                `secret must be a 32 char string, length: ${secret.length}`,
+            );
+        }
+        this.secret = secret;
+        this.initCrypto();
+    }
+
+    initCrypto() {
+        this.crypto = crypto;
+    }
+
+    disconnectBase() {
+        this.removeAllListeners();
+    }
+
+    /**
+     * @param job
+     * @private
+     */
+    protected decryptJobData(job: JobEncrypted): JobDataDecrypted {
+        return {
+            title: job.data.title,
+            msg: this.decryptActivityStream(job.data.msg) as ActivityStream,
+            sessionId: job.data.sessionId,
+        };
+    }
+
+    protected decryptActivityStream(msg: string): ActivityStream {
+        return this.crypto.decrypt(msg, this.secret);
+    }
+
+    protected encryptActivityStream(msg: ActivityStream): string {
+        return this.crypto.encrypt(msg, this.secret);
+    }
+}