@toa.io/extensions.exposition 0.20.0-dev.8 → 0.20.0

package/components/context.toa.yaml

@@ -0,0 +1,15 @@
+# used for development only
+
+name: exposition
+packages: '*'
+registry: localhost
+
+amqp: amqp://localhost
+mongodb: mongodb://localhost
+
+configuration:
+  identity.tokens:
+    key0: k3.local.pIZT8-9Fa6U_QtfQHOSStfGtmyzPINyKQq2Xk-hd7vA
+
+exposition:
+  debug: true

package/components/identity.bans/manifest.toa.yaml

@@ -0,0 +1,18 @@
+namespace: identity
+name: bans
+
+entity:
+  schema:
+    banned: false
+  initialized: true
+
+operations:
+  assign:
+    input:
+      banned: true
+
+exposition:
+  isolated: true
+  /:id:
+    auth:role: system:identity:bans
+    PUT: assign

package/components/identity.basic/events/principal.js

@@ -0,0 +1,9 @@
+'use strict'
+
+exports.condition = function (event, context) {
+  return event.state.username === context.configuration.principal
+}
+
+exports.payload = function (event) {
+  return { id: event.state.id }
+}

package/components/identity.basic/manifest.toa.yaml

@@ -0,0 +1,50 @@
+namespace: identity
+name: basic
+
+entity:
+  schema:
+    username*: string
+    password*: string
+  initialized: true
+
+operations:
+  transit:
+    concurrency: retry
+    input:
+      username: string
+      password: string
+  incept:
+    forward: transit
+    query: false
+    input:
+      username*: string
+      password*: string
+  create:
+    input:
+      id*: string
+      credentials*: string
+    output:
+      id: string
+  authenticate:
+    input: string
+    output:
+      identity:
+        id: string
+
+configuration:
+  rounds: 10
+  pepper: ''
+  principal: string
+  username+: ^\S{1,16}$
+  password+: ^\S{8,32}$
+
+exposition:
+  isolated: true
+  /:
+    anonymous: true
+    POST: incept
+  /:id:
+    auth:role: system:identity:basic
+    auth:scheme: basic
+    auth:id: id
+    PATCH: transit

package/components/identity.basic/source/authenticate.ts

@@ -0,0 +1,29 @@
+import { atob } from 'buffer'
+import { compare } from 'bcryptjs'
+import { type Query } from '@toa.io/types'
+import { Nope, type Nopeable } from 'nopeable'
+import { type Context } from './types'
+
+export async function computation (input: string, context: Context): Promise<Nopeable<Output>> {
+  const [username, password] = atob(input).split(':')
+  const query: Query = { criteria: `username==${username}` }
+  const credentials = await context.local.observe({ query })
+
+  if (credentials instanceof Nope)
+    return credentials
+
+  if (credentials === null)
+    return new Nope('NOT_FOUND')
+
+  const spicy = password + context.configuration.pepper
+  const match = await compare(spicy, credentials.password)
+
+  if (match) return { identity: { id: credentials.id } }
+  else return new Nope('PASSWORD_MISMATCH')
+}
+
+interface Output {
+  identity: {
+    id: string
+  }
+}

package/components/identity.basic/source/create.ts

@@ -0,0 +1,19 @@
+import { type Nopeable } from 'nopeable'
+import { type Context } from './types'
+
+export async function effect
+(input: CreateInput, context: Context): Promise<Nopeable<CreateOutput>> {
+  const [username, password] = atob(input.credentials).split(':')
+  const request = { input: { username, password }, query: { id: input.id } }
+
+  return await context.local.transit(request)
+}
+
+interface CreateInput {
+  id: string
+  credentials: string
+}
+
+interface CreateOutput {
+  id: string
+}

package/components/identity.basic/source/transit.ts

@@ -0,0 +1,64 @@
+import { genSalt, hash } from 'bcryptjs'
+import { type Operation } from '@toa.io/types'
+import { Nope, type Nopeable } from 'nopeable'
+import { type Context, type Entity, type TransitInput, type TransitOutput } from './types'
+
+export class Transition implements Operation {
+  private rounds: number = 10
+  private pepper: string = ''
+  private principal?: string
+  private tokens: Tokens = undefined as unknown as Tokens
+  private usernameRx: RegExp[] = []
+  private passwrodRx: RegExp[] = []
+
+  public mount (context: Context): void {
+    this.rounds = context.configuration.rounds
+    this.pepper = context.configuration.pepper
+    this.principal = context.configuration.principal
+    this.tokens = context.remote.identity.tokens
+
+    this.usernameRx = toRx(context.configuration.username)
+    this.passwrodRx = toRx(context.configuration.password)
+  }
+
+  public async execute (input: TransitInput, object: Entity): Promise<Nopeable<TransitOutput>> {
+    const existent = object._version !== 0
+
+    if (existent)
+      await this.tokens.revoke({ query: { id: object.id } })
+
+    if (input.username !== undefined) {
+      if (existent && object.username === this.principal)
+        return new Nope('PRINCIPAL_LOCKED', 'Principal username cannot be changed.')
+
+      if (invalid(input.username, this.usernameRx))
+        return new Nope('INVALID_USERNAME', 'Username is not meeting the requirements.')
+
+      object.username = input.username
+    }
+
+    if (input.password !== undefined) {
+      if (invalid(input.password, this.passwrodRx))
+        return new Nope('INVALID_PASSWORD', 'Password is not meeting the requirements.')
+
+      const salt = await genSalt(this.rounds)
+      const spicy = input.password + this.pepper
+
+      object.password = await hash(spicy, salt)
+    }
+
+    return { id: object.id }
+  }
+}
+
+function toRx (input: string | string[]): RegExp[] {
+  const expressions = typeof input === 'string' ? [input] : input
+
+  return expressions.map((expression) => new RegExp(expression))
+}
+
+function invalid (value: string, expressions: RegExp[]): boolean {
+  return expressions.some((expression) => !expression.test(value))
+}
+
+type Tokens = Context['remote']['identity']['tokens']

package/components/identity.basic/source/types.ts

@@ -0,0 +1,42 @@
+import { type Call, type Observation, type Query } from '@toa.io/types'
+
+export interface Context {
+  local: {
+    observe: Observation<Entity>
+    transit: Call<TransitOutput, TransitInput>
+  }
+  remote: {
+    identity: {
+      tokens: {
+        revoke: Call<void, IdentityTokensRevokeInput>
+      }
+    }
+  }
+  configuration: {
+    readonly rounds: number
+    readonly pepper: string
+    readonly principal?: string
+    readonly username: string | string[]
+    readonly password: string | string[]
+  }
+}
+
+export interface Entity {
+  readonly id: string
+  readonly _version: number
+  username: string
+  password: string
+}
+
+export interface TransitInput {
+  username?: string
+  password?: string
+}
+
+export interface TransitOutput {
+  id: string
+}
+
+interface IdentityTokensRevokeInput {
+  query: Query
+}

package/components/identity.basic/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./operations",
+  },
+  "include": [
+    "source"
+  ]
+}

package/components/identity.roles/manifest.toa.yaml

@@ -0,0 +1,31 @@
+namespace: identity
+name: roles
+
+entity:
+  schema:
+    identity*: string
+    role*: string
+
+operations:
+  transit:
+    query: false
+    input:
+      identity*: string
+      role*: string
+  list:
+    output: [string]
+  principal:
+    input:
+      id: string
+
+receivers:
+  identity.basic.principal: principal
+
+exposition:
+  isolated: true
+  /:identity:
+    auth:role: system:identity:roles
+    POST: transit
+    GET:
+      auth:id: identity
+      endpoint: list

package/components/identity.roles/source/list.ts

@@ -0,0 +1,7 @@
+export function observation (_: unknown, objects: Entity[]): string[] {
+  return objects.map(({ role }) => role)
+}
+
+interface Entity {
+  role: string
+}

package/components/identity.roles/source/principal.ts

@@ -0,0 +1,20 @@
+import { type Call } from '@toa.io/types'
+
+export async function effect (input: Identity, context: Context): Promise<void> {
+  await context.local.transit({ input: { identity: input.id, role: 'system' } })
+}
+
+interface Identity {
+  id: string
+}
+
+export interface Context {
+  local: {
+    transit: Call<void, TransitInput>
+  }
+}
+
+interface TransitInput {
+  identity: string
+  role: string
+}

package/components/identity.roles/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./operations",
+  },
+  "include": [
+    "source"
+  ]
+}

package/components/identity.tokens/manifest.toa.yaml

@@ -0,0 +1,39 @@
+namespace: identity
+name: tokens
+
+entity:
+  schema:
+    revokedAt: number   # timestamp
+  initialized: true
+
+operations:
+  encrypt:
+    input:
+      identity*: &identity
+        id: string
+        ...: true
+      lifetime: number # seconds
+    output: string
+  decrypt:
+    input: string
+    output:
+      identity: *identity
+      iat: string
+      exp: string
+      refresh: boolean
+  authenticate:
+    input: string
+    output:
+      identity: *identity
+      refresh: boolean
+  revoke:
+    concurrency: retry
+
+receivers:
+  identity.bans.updated: revoke
+
+configuration:
+  key0*: string
+  key1: string
+  lifetime: 2592000 # seconds, 30 days
+  refresh: 600      # seconds, 10 minutes

package/components/identity.tokens/receivers/identity.bans.updated.js

@@ -0,0 +1,3 @@
+'use strict'
+
+exports.request = (payload) => ({ query: { id: payload.id } })

package/components/identity.tokens/source/authenticate.test.ts

@@ -0,0 +1,56 @@
+import { generate } from 'randomstring'
+import { type Configuration, type Context, type DecryptOutput, type Identity } from './types'
+import { Computation as Authenticate } from './authenticate'
+
+let configuration: Configuration
+let context: Context
+let output: DecryptOutput
+let authenticate: Authenticate
+
+const identity: Identity = { id: generate() }
+
+beforeEach(() => {
+  configuration = {
+    key0: 'k3.local.m28p8SrbS467t-2IUjQuSOqmjvi24TbXhyjAW_dOrog',
+    lifetime: 2592000,
+    refresh: 600
+  }
+
+  context = {
+    configuration,
+    local: {
+      decrypt: jest.fn(async () => (output)),
+      observe: jest.fn(async () => null)
+    }
+  }
+
+  authenticate = new Authenticate()
+  authenticate.mount(context)
+})
+
+it.each([
+  [true, -50],
+  [false, +50]
+])('should mark as stale: %s', async (expected: boolean, shift: number) => {
+  const now = Date.now()
+  const iat = new Date(now - configuration.refresh * 1000 + shift).toISOString()
+  const exp = new Date(now + 1000).toISOString()
+
+  output = { identity, exp, iat, refresh: false }
+
+  const result = await authenticate.execute('')
+
+  expect(result).toEqual({ identity, refresh: expected })
+})
+
+it.each([true, false])('should return stale: %s',
+  async (refresh) => {
+    const iat = new Date().toISOString()
+    const exp = new Date(Date.now() + 1000).toISOString()
+
+    output = { identity, exp, iat, refresh }
+
+    const result = await authenticate.execute('')
+
+    expect(result).toEqual({ identity, refresh })
+  })

package/components/identity.tokens/source/authenticate.ts

@@ -0,0 +1,38 @@
+import { Nope, type Nopeable } from 'nopeable'
+import { type Operation } from '@toa.io/types'
+import { type AuthenticateOutput, type Context } from './types'
+
+export class Computation implements Operation {
+  private refresh: number = 0
+  private decrypt: Context['local']['decrypt'] = undefined as unknown as Context['local']['decrypt']
+  private observe: Context['local']['observe'] = undefined as unknown as Context['local']['observe']
+
+  public mount (context: Context): void {
+    this.refresh = context.configuration.refresh * 1000
+    this.decrypt = context.local.decrypt
+    this.observe = context.local.observe
+  }
+
+  public async execute (token: string): Promise<Nopeable<AuthenticateOutput>> {
+    const claim = await this.decrypt({ input: token })
+
+    if (claim instanceof Nope)
+      return claim
+
+    const identity = claim.identity
+    const iat = new Date(claim.iat).getTime()
+    const transient = claim.exp !== undefined
+    const stale = transient && (iat + this.refresh < Date.now())
+
+    if (stale) {
+      const revocation = await this.observe({ query: { id: identity.id } })
+
+      if (revocation !== null && iat < revocation.revokedAt)
+        return new Nope('REVOKED')
+    }
+
+    const refresh = stale || claim.refresh
+
+    return { identity, refresh }
+  }
+}

package/components/identity.tokens/source/decrypt.test.ts

@@ -0,0 +1,59 @@
+import { generate } from 'randomstring'
+import { Effect as Encrypt } from './encrypt'
+import { computation as decrypt } from './decrypt'
+import { type Configuration, type Context, type Identity } from './types'
+
+let configuration: Configuration
+let context: Context
+let encrypt: Encrypt
+
+beforeEach(() => {
+  configuration = {
+    key0: 'k3.local.m28p8SrbS467t-2IUjQuSOqmjvi24TbXhyjAW_dOrog',
+    key1: 'k3.local.-498jfWenrZH-Dqw3-zQJih_hKzDgBgUMfe37OCqSOA',
+    lifetime: 1000,
+    refresh: 500
+  }
+
+  context = { configuration } as unknown as Context
+
+  encrypt = new Encrypt()
+  encrypt.mount(context)
+})
+
+it('should decrypt', async () => {
+  const identity: Identity = { id: generate() }
+  const lifetime = 100
+
+  const reply = await encrypt.execute({ identity, lifetime })
+
+  if (reply === undefined)
+    throw new Error('?')
+
+  const decrypted = await decrypt(reply, context)
+
+  expect(decrypted).toMatchObject({ identity, refresh: false })
+})
+
+it('should decrypt with key1', async () => {
+  const k1context = {
+    configuration: {
+      key0: configuration.key1
+    }
+  } as unknown as Context
+
+  encrypt = new Encrypt()
+  encrypt.mount(k1context)
+
+  const identity: Identity = { id: generate() }
+  const lifetime = 100
+
+  const encrypted = await encrypt.execute({ identity, lifetime })
+
+  if (encrypted === undefined)
+    throw new Error('?')
+
+  const decrypted = await decrypt(encrypted, context)
+
+  expect(decrypted).toMatchObject({ identity, refresh: true })
+})

package/components/identity.tokens/source/decrypt.ts

@@ -0,0 +1,25 @@
+import { V3 } from 'paseto'
+import { Nope, type Nopeable } from 'nopeable'
+import { type Context, type Claim, type DecryptOutput } from './types'
+
+export async function computation (token: string, context: Context):
+Promise<Nopeable<DecryptOutput>> {
+  let refresh = false
+  let claim = await decrypt(token, context.configuration.key0)
+
+  if (claim === null && context.configuration.key1 !== undefined) {
+    refresh = true
+    claim = await decrypt(token, context.configuration.key1)
+  }
+
+  if (claim === null) return new Nope('INVALID_TOKEN', 'Invalid token')
+  else return { identity: claim.identity, iat: claim.iat, exp: claim.exp, refresh }
+}
+
+async function decrypt (token: string, key: string): Promise<Claim | null> {
+  try {
+    return await V3.decrypt<Claim>(token, key)
+  } catch {
+    return null
+  }
+}

package/components/identity.tokens/source/encrypt.test.ts

@@ -0,0 +1,35 @@
+import { generate } from 'randomstring'
+import { timeout } from '@toa.io/generic'
+import { Effect as Encrypt } from './encrypt'
+import { computation as decrypt } from './decrypt'
+import { type Context, type Identity } from './types'
+
+let encrypt: Encrypt
+
+const context: Context = {} as unknown as Context
+
+beforeEach(() => {
+  context.configuration = {
+    key0: 'k3.local.m28p8SrbS467t-2IUjQuSOqmjvi24TbXhyjAW_dOrog',
+    lifetime: 1000,
+    refresh: 2
+  }
+
+  encrypt = new Encrypt()
+  encrypt.mount(context)
+})
+
+it('should encrypt with given lifetime', async () => {
+  const identity: Identity = { id: generate() }
+  const lifetime = 0.1
+  const encrypted = await encrypt.execute({ identity, lifetime })
+
+  if (encrypted === undefined)
+    throw new Error('?')
+
+  await expect(decrypt(encrypted, context)).resolves.toMatchObject({ identity })
+
+  await timeout(lifetime * 1000)
+
+  await expect(decrypt(encrypted, context)).resolves.toMatchObject({ code: 'INVALID_TOKEN' })
+})

package/components/identity.tokens/source/encrypt.ts

@@ -0,0 +1,25 @@
+import { V3 } from 'paseto'
+import { type Operation } from '@toa.io/types'
+import { type Claim, type Context, type EncryptInput } from './types'
+
+export class Effect implements Operation {
+  private key: string = ''
+  private lifetime: number = 0
+
+  public mount (context: Context): void {
+    this.key = context.configuration.key0
+    this.lifetime = context.configuration.lifetime * 1000
+  }
+
+  public async execute (input: EncryptInput): Promise<string> {
+    const lifetime = input.lifetime === undefined ? this.lifetime : input.lifetime * 1000
+
+    const exp = lifetime === 0
+      ? undefined
+      : new Date(Date.now() + lifetime).toISOString()
+
+    const payload: Partial<Claim> = { identity: input.identity, exp }
+
+    return await V3.encrypt(payload, this.key)
+  }
+}

package/components/identity.tokens/source/revoke.ts

@@ -0,0 +1,5 @@
+import { type Entity } from './types'
+
+export function transition (_: never, object: Entity): void {
+  object.revokedAt = Date.now()
+}

package/components/identity.tokens/source/types.ts

@@ -0,0 +1,48 @@
+import { type Call, type Observation } from '@toa.io/types'
+
+export interface Context {
+  local: {
+    observe: Observation<Entity>
+    decrypt: Call<DecryptOutput, string>
+  }
+  configuration: Configuration
+}
+
+export interface Configuration {
+  readonly key0: string
+  readonly key1?: string
+  readonly lifetime: number
+  readonly refresh: number
+}
+
+export interface Entity {
+  identity: string
+  revokedAt: number
+}
+
+export interface Identity extends Record<string, any> {
+  id: string
+}
+
+export interface AuthenticateOutput {
+  identity: Identity
+  refresh: boolean
+}
+
+export interface EncryptInput {
+  identity: Identity
+  lifetime?: number
+}
+
+export interface DecryptOutput {
+  identity: Identity
+  iat: string
+  exp?: string
+  refresh: boolean
+}
+
+export interface Claim {
+  identity: Identity
+  iat: string
+  exp?: string
+}

package/components/identity.tokens/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./operations",
+  },
+  "include": [
+    "source"
+  ]
+}