@stonecrop/casl-middleware 0.7.0

package/src/middleware/introspection.ts

@@ -0,0 +1,258 @@
+import { GraphQLError } from 'graphql'
+import type { Context, MiddlewareOptions } from '../types'
+
+export interface IntrospectionConfig {
+	/**
+	 * Whether to allow introspection queries at all
+	 * @default true in development, false in production
+	 */
+	enabled?: boolean
+
+	/**
+	 * Roles that are allowed to introspect the schema
+	 * If undefined, all authenticated users can introspect
+	 */
+	allowedRoles?: string[]
+
+	/**
+	 * Allow unauthenticated introspection
+	 * @default false
+	 */
+	allowAnonymous?: boolean
+
+	/**
+	 * Custom function to determine if introspection is allowed
+	 */
+	customCheck?: (context: Context) => boolean | Promise<boolean>
+
+	/**
+	 * Types to hide from introspection based on user permissions
+	 * Maps type names to required permissions
+	 */
+	typePermissions?: Record<string, { action: string; subject: string }>
+
+	/**
+	 * Fields to hide from introspection based on user permissions
+	 * Maps "Type.field" to required permissions
+	 */
+	fieldPermissions?: Record<string, { action: string; subject: string }>
+}
+
+/**
+ * Middleware to restrict GraphQL introspection based on user permissions
+ */
+export const createIntrospectionMiddleware = (config: IntrospectionConfig = {}) => {
+	const {
+		enabled = process.env.NODE_ENV !== 'production',
+		allowedRoles,
+		allowAnonymous = false,
+		customCheck,
+		typePermissions = {},
+		fieldPermissions = {},
+	} = config
+
+	return async (resolve: any, root: any, args: any, context: Context, info: any) => {
+		// Check if this is an introspection query
+		const isIntrospection =
+			info.fieldName === '__schema' ||
+			info.fieldName === '__type' ||
+			info.parentType?.name === '__Schema' ||
+			info.parentType?.name === '__Type'
+
+		if (!isIntrospection) {
+			// Not an introspection query, continue normally
+			return resolve(root, args, context, info)
+		}
+
+		// Check if introspection is enabled
+		if (!enabled) {
+			throw new GraphQLError('Introspection is disabled')
+		}
+
+		// Custom check function
+		if (customCheck) {
+			const allowed = await customCheck(context)
+			if (!allowed) {
+				throw new GraphQLError('Introspection not allowed')
+			}
+		}
+
+		// Check authentication
+		if (!context.user && !allowAnonymous) {
+			throw new GraphQLError('Authentication required for introspection')
+		}
+
+		// Check role-based access
+		if (allowedRoles && allowedRoles.length > 0) {
+			const userRoles = context.user?.roles || []
+			const hasAllowedRole = allowedRoles.some(role => userRoles.includes(role))
+
+			if (!hasAllowedRole) {
+				throw new GraphQLError('Insufficient permissions for introspection')
+			}
+		}
+
+		// Check CASL-based permissions
+		if (context.ability) {
+			// Check if user can read schema
+			if (!context.ability.can('read', '__Schema')) {
+				throw new GraphQLError('Permission denied for schema introspection')
+			}
+		}
+
+		// Get the result
+		let result = await resolve(root, args, context, info)
+
+		// Filter the result based on permissions
+		if (result && (typePermissions || fieldPermissions)) {
+			result = filterIntrospectionResult(result, context, {
+				typePermissions,
+				fieldPermissions,
+			})
+		}
+
+		return result
+	}
+}
+
+/**
+ * Filter introspection results based on user permissions
+ */
+function filterIntrospectionResult(
+	result: any,
+	context: Context,
+	config: {
+		typePermissions?: Record<string, { action: string; subject: string }>
+		fieldPermissions?: Record<string, { action: string; subject: string }>
+	}
+): any {
+	if (!context.ability) return result
+
+	// Filter __schema result
+	if (result && result.types) {
+		result.types = result.types.filter((type: any) => {
+			// Check if user has permission to see this type
+			const permission = config.typePermissions?.[type.name]
+			if (permission) {
+				return context.ability!.can(permission.action, permission.subject)
+			}
+			return true // Show types without specific permissions
+		})
+
+		// Filter fields within types
+		result.types.forEach((type: any) => {
+			if (type.fields) {
+				type.fields = type.fields.filter((field: any) => {
+					const fieldKey = `${type.name}.${field.name}`
+					const permission = config.fieldPermissions?.[fieldKey]
+					if (permission) {
+						return context.ability!.can(permission.action, permission.subject)
+					}
+					return true
+				})
+			}
+		})
+	}
+
+	// Filter __type result
+	if (result && result.fields) {
+		const typeName = result.name
+		result.fields = result.fields.filter((field: any) => {
+			const fieldKey = `${typeName}.${field.name}`
+			const permission = config.fieldPermissions?.[fieldKey]
+			if (permission) {
+				return context.ability!.can(permission.action, permission.subject)
+			}
+			return true
+		})
+	}
+
+	return result
+}
+
+/**
+ * Postgraphile plugin for introspection control
+ */
+export const createPostgraphileIntrospectionPlugin = (config: IntrospectionConfig) => {
+	return {
+		name: 'IntrospectionControlPlugin',
+		version: '1.0.0',
+
+		// Disable introspection in GraphiQL based on config
+		grafast: {
+			hooks: {
+				GraphQLSchema(schema: any) {
+					if (!config.enabled) {
+						// Remove introspection from schema
+						// This is a simplified approach - real implementation would be more complex
+						console.warn('Introspection control in Postgraphile requires custom implementation')
+					}
+					return schema
+				},
+			},
+		},
+	}
+}
+
+/**
+ * Utility to create ability rules for introspection
+ */
+export const createIntrospectionAbilityRules = (user?: {
+	roles?: string[]
+}): Array<{ action: string; subject: string }> => {
+	const rules: Array<{ action: string; subject: string }> = []
+
+	if (!user) {
+		// Anonymous users cannot introspect
+		return rules
+	}
+
+	const roles = user.roles || []
+
+	// Admins can introspect everything
+	if (roles.includes('admin')) {
+		rules.push({ action: 'read', subject: '__Schema' })
+		rules.push({ action: 'read', subject: '__Type' })
+		return rules
+	}
+
+	// Developers can introspect
+	if (roles.includes('developer')) {
+		rules.push({ action: 'read', subject: '__Schema' })
+		rules.push({ action: 'read', subject: '__Type' })
+		return rules
+	}
+
+	// Regular users get limited introspection
+	if (roles.includes('user')) {
+		// They can see the schema but not all types
+		rules.push({ action: 'read', subject: '__Schema' })
+		// Specific types they can see would be added here
+	}
+
+	return rules
+}
+
+/**
+ * Example: Combine introspection with CASL middleware
+ */
+export const createSecureGraphQLMiddleware = (options: {
+	casl?: MiddlewareOptions
+	introspection?: IntrospectionConfig
+}) => {
+	const middlewares: any[] = []
+
+	// Add introspection control
+	if (options.introspection) {
+		middlewares.push(createIntrospectionMiddleware(options.introspection))
+	}
+
+	// Combine all middlewares
+	return (resolve: any, root: any, args: any, context: any, info: any) => {
+		const chain = middlewares.reduceRight(
+			(next, middleware) => () => middleware(next, root, args, context, info),
+			() => resolve(root, args, context, info)
+		)
+		return chain()
+	}
+}

package/src/middleware/jwt.ts

@@ -0,0 +1,394 @@
+import jwt from 'jsonwebtoken'
+import { AbilityBuilder, PureAbility } from '@casl/ability'
+import type { Context, User } from '../types'
+import { defaultAbilityBuilder } from './ability'
+
+export interface JWTConfig {
+	enabled?: boolean
+	secret?: string
+	publicKey?: string
+	algorithms?: jwt.Algorithm[]
+	issuer?: string
+	audience?: string
+	extractUser?: (payload: any) => User | undefined
+	headerName?: string // Default: 'authorization'
+	tokenPrefix?: string // Default: 'Bearer '
+	optional?: boolean // If true, continues without error if no token
+	maxAge?: string // Maximum age of token (e.g., '1h', '7d')
+}
+
+export interface JWTPayload extends jwt.JwtPayload {
+	sub?: string // Subject (user id)
+	roles?: string[]
+	permissions?: Array<{
+		action: string
+		subject: string
+		conditions?: any
+	}>
+	[key: string]: any
+}
+
+/**
+ * Default user extractor from JWT payload
+ */
+const defaultUserExtractor = (payload: JWTPayload): User | undefined => {
+	if (!payload.sub) return undefined
+
+	return {
+		id: payload.sub,
+		roles: payload.roles || [],
+		...payload, // Include any additional claims
+	}
+}
+
+/**
+ * JWT middleware factory for GraphQL servers
+ *
+ * @example
+ * ```typescript
+ * // In Nuxt Yoga
+ * export default defineNuxtConfig({
+ *   yoga: {
+ *     middleware: [
+ *       createJWTMiddleware({
+ *         enabled: true,
+ *         secret: process.env.JWT_SECRET,
+ *         optional: true // Don't fail if no token
+ *       })
+ *     ]
+ *   }
+ * })
+ *
+ * // In Postgraphile
+ * const jwtPlugin = createPostgraphileJWTPlugin({
+ *   secret: process.env.JWT_SECRET,
+ *   extractUser: (payload) => ({
+ *     id: payload.user_id,
+ *     roles: payload.user_roles
+ *   })
+ * })
+ * ```
+ */
+export const createJWTMiddleware = (config: JWTConfig = {}) => {
+	const {
+		enabled = true,
+		secret,
+		publicKey,
+		algorithms = ['HS256'] as jwt.Algorithm[],
+		issuer,
+		audience,
+		headerName = 'authorization',
+		tokenPrefix = 'Bearer ',
+		optional = false,
+		extractUser = defaultUserExtractor,
+		maxAge,
+	} = config
+
+	// Validate configuration
+	if (enabled && !secret && !publicKey) {
+		throw new Error('JWT middleware requires either secret or publicKey')
+	}
+
+	return async (context: Context, next: () => Promise<any>) => {
+		// Skip if JWT is disabled
+		if (!enabled) {
+			return next()
+		}
+
+		try {
+			// Extract token from request headers
+			const authHeader =
+				context.req?.headers?.get?.(headerName) ||
+				context.request?.headers?.get?.(headerName) ||
+				context.headers?.[headerName]
+
+			if (!authHeader) {
+				if (optional) {
+					return next()
+				}
+				throw new Error('No authorization header found')
+			}
+
+			// Remove token prefix
+			const token = authHeader.startsWith(tokenPrefix) ? authHeader.slice(tokenPrefix.length) : authHeader
+
+			// Prepare verification options
+			const verifyOptions: jwt.VerifyOptions = {
+				algorithms,
+				...(issuer && { issuer }),
+				...(audience && { audience }),
+				...(maxAge && { maxAge }),
+			}
+
+			// Verify and decode token
+			const secretOrPublicKey = publicKey || secret!
+			const payload = jwt.verify(token, secretOrPublicKey, verifyOptions) as JWTPayload
+
+			// Extract user from payload
+			const user = extractUser(payload)
+
+			if (user) {
+				context.user = user
+				// Store the raw payload for potential use
+				context.jwtPayload = payload
+			}
+
+			// Continue to next middleware
+			return next()
+		} catch (error: any) {
+			if (optional) {
+				// Log error in development
+				if (process.env.NODE_ENV === 'development') {
+					console.warn('JWT verification failed (optional):', error.message)
+				}
+				// Continue without user if optional
+				return next()
+			}
+
+			// Re-throw with more specific error messages
+			if (error.name === 'TokenExpiredError') {
+				throw new Error('Token has expired')
+			} else if (error.name === 'JsonWebTokenError') {
+				throw new Error('Invalid token')
+			} else if (error.name === 'NotBeforeError') {
+				throw new Error('Token not active yet')
+			}
+
+			throw error
+		}
+	}
+}
+
+/**
+ * Create a JWT token with user data
+ */
+export const createJWT = (
+	user: User,
+	config: {
+		secret: string
+		expiresIn?: string | number
+		issuer?: string
+		audience?: string
+		additionalClaims?: Record<string, any>
+	}
+): string => {
+	const { secret, expiresIn = '1h', issuer, audience, additionalClaims = {} } = config
+
+	const payload: JWTPayload = {
+		sub: user.id,
+		roles: user.roles || [],
+		...additionalClaims,
+	}
+
+	const signOptions: jwt.SignOptions = {}
+
+	// Add optional fields only if they exist
+	if (issuer !== undefined) signOptions.issuer = issuer
+	if (audience !== undefined) signOptions.audience = audience
+	if (expiresIn !== undefined) signOptions.expiresIn = expiresIn as any // Type cast to avoid TS issues
+
+	return jwt.sign(payload, secret, signOptions)
+}
+
+/**
+ * Integration with CASL ability builder
+ */
+export const createJWTAbilityBuilder = (config: JWTConfig = {}) => {
+	return async (user?: User) => {
+		// If user has direct permissions in JWT, use those
+		const jwtPermissions = (user as any)?.permissions
+
+		if (jwtPermissions && Array.isArray(jwtPermissions)) {
+			// Build ability from JWT permissions
+			const { can, cannot, build } = new AbilityBuilder<PureAbility>(PureAbility as any)
+
+			jwtPermissions.forEach((permission: any) => {
+				if (permission.inverted) {
+					cannot(permission.action, permission.subject, permission.conditions)
+				} else {
+					can(permission.action, permission.subject, permission.conditions)
+				}
+			})
+
+			return build()
+		}
+
+		// Fall back to role-based abilities
+		return defaultAbilityBuilder(user)
+	}
+}
+
+/**
+ * Postgraphile-specific JWT plugin
+ */
+export const createPostgraphileJWTPlugin = (config: JWTConfig) => {
+	return {
+		name: 'JWTAuthPlugin',
+		version: '1.0.0',
+
+		// Hook into Postgraphile's context building
+		grafast: {
+			hooks: {
+				async context(ctx: any, build: any) {
+					const middleware = createJWTMiddleware(config)
+
+					// Create a simple context object that the middleware can work with
+					const context = {
+						req: ctx.req,
+						headers: ctx.req?.headers,
+						user: undefined,
+						jwtPayload: undefined,
+					}
+
+					// Run the JWT middleware
+					await middleware(context, async () => {})
+
+					// Add user to Postgraphile context
+					if (context.user) {
+						return { ...ctx, user: context.user, jwtPayload: context.jwtPayload }
+					}
+
+					return ctx
+				},
+			},
+		},
+	}
+}
+
+/**
+ * Express/Koa middleware for REST endpoints
+ */
+export const createHTTPJWTMiddleware = (config: JWTConfig) => {
+	const jwtMiddleware = createJWTMiddleware(config)
+
+	// Express middleware
+	return async (req: any, res: any, next: any) => {
+		const context = {
+			req: {
+				headers: {
+					get: (name: string) => req.headers[name],
+				},
+			},
+			headers: req.headers,
+			user: undefined,
+			jwtPayload: undefined,
+		}
+
+		try {
+			await jwtMiddleware(context, async () => {})
+			req.user = context.user
+			req.jwtPayload = context.jwtPayload
+			next()
+		} catch (error: any) {
+			if (config.optional) {
+				next()
+			} else {
+				res.status(401).json({
+					error: error.message,
+					code: 'UNAUTHORIZED',
+				})
+			}
+		}
+	}
+}
+
+/**
+ * Refresh token utilities
+ */
+export const refreshTokenUtils = {
+	/**
+	 * Create access and refresh tokens
+	 */
+	createTokenPair: (
+		user: User,
+		config: {
+			accessSecret: string
+			refreshSecret: string
+			accessExpiresIn?: string
+			refreshExpiresIn?: string
+		}
+	) => {
+		const { accessSecret, refreshSecret, accessExpiresIn = '15m', refreshExpiresIn = '7d' } = config
+
+		const accessPayload: any = {
+			sub: user.id,
+			roles: user.roles,
+			type: 'access',
+		}
+
+		const refreshPayload: any = {
+			sub: user.id,
+			type: 'refresh',
+		}
+
+		// Create access token with proper options
+		const accessOptions: jwt.SignOptions = {}
+		if (accessExpiresIn) {
+			accessOptions.expiresIn = accessExpiresIn as any // Type cast to avoid TS issues
+		}
+
+		const accessToken = jwt.sign(accessPayload, accessSecret, accessOptions)
+
+		// Create refresh token with proper options
+		const refreshOptions: jwt.SignOptions = {}
+		if (refreshExpiresIn) {
+			refreshOptions.expiresIn = refreshExpiresIn as any // Type cast to avoid TS issues
+		}
+
+		const refreshToken = jwt.sign(refreshPayload, refreshSecret, refreshOptions)
+
+		return { accessToken, refreshToken }
+	},
+
+	/**
+	 * Verify refresh token and create new access token
+	 */
+	refreshAccessToken: async (
+		refreshToken: string,
+		config: {
+			accessSecret: string
+			refreshSecret: string
+			getUserById: (id: string) => Promise<User | null>
+			accessExpiresIn?: string
+		}
+	) => {
+		const { accessSecret, refreshSecret, getUserById, accessExpiresIn = '15m' } = config
+
+		try {
+			// Verify refresh token
+			const payload = jwt.verify(refreshToken, refreshSecret) as any
+
+			if (payload.type !== 'refresh') {
+				throw new Error('Invalid token type')
+			}
+
+			// Get fresh user data
+			const user = await getUserById(payload.sub)
+			if (!user) {
+				throw new Error('User not found')
+			}
+
+			// Create new access token
+			const accessPayload: any = {
+				sub: user.id,
+				roles: user.roles,
+				type: 'access',
+			}
+
+			// Create access token with proper options
+			const accessOptions: jwt.SignOptions = {}
+			if (accessExpiresIn) {
+				accessOptions.expiresIn = accessExpiresIn as any // Type cast to avoid TS issues
+			}
+
+			const accessToken = jwt.sign(accessPayload, accessSecret, accessOptions)
+
+			return { accessToken, user }
+		} catch (error: any) {
+			if (error.name === 'TokenExpiredError') {
+				throw new Error('Refresh token expired')
+			}
+			throw error
+		}
+	},
+}