@toa.io/extensions.exposition 1.0.0-alpha.0 → 1.0.0-alpha.10

package/source/directives/auth/{Family.ts → Authorization.ts}

@@ -1,3 +1,4 @@
+import assert from 'node:assert'
 import { match } from 'matchacho'
 import * as http from '../../HTTP'
 import { Anonymous } from './Anonymous'
@@ -6,13 +7,14 @@ import { Role } from './Role'
 import { Rule } from './Rule'
 import { Incept } from './Incept'
 import { Echo } from './Echo'
-import { split } from './split'
 import { Scheme } from './Scheme'
+import { Delegate } from './Delegate'
+import { split } from './split'
 import { PRIMARY, PROVIDERS } from './schemes'
+import type { Output } from '../../io'
 import type { Component } from '@toa.io/core'
 import type { Remotes } from '../../Remotes'
-import type { Family, Output } from '../../Directive'
-import type { Parameter } from '../../RTD'
+import type { Parameter, DirectiveFamily } from '../../RTD'
 import type {
   AuthenticationResult,
   Ban,
@@ -25,7 +27,8 @@ import type {
   Schemes
 } from './types'
 
-class Authorization implements Family<Directive, Extension> {
+export class Authorization implements DirectiveFamily<Directive, Extension> {
+  public readonly depends: string[] = ['Vary']
   public readonly name: string = 'auth'
   public readonly mandatory: boolean = true
 
@@ -35,24 +38,25 @@ class Authorization implements Family<Directive, Extension> {
   private bans: Component | null = null
 
   public create (name: string, value: any, remotes: Remotes): Directive {
-    const Class = CLASSES[name]
+    assert.ok(name in constructors,
+      `Directive '${name}' is not provided by the '${this.name}' family.`)
 
-    if (Class === undefined)
-      throw new Error(`Directive '${name}' is not provided by the '${this.name}' family.`)
+    const Class = constructors[name]
 
     for (const name of REMOTES)
       this.discovery[name] ??= remotes.discover('identity', name)
 
     return match(Class,
-      Role, () => new Role(value, this.discovery.roles),
-      Rule, () => new Rule(value, this.create.bind(this)),
-      Incept, () => new Incept(value, this.discovery),
+      Role, () => new Role(value as string | string[], this.discovery.roles),
+      Rule, () => new Rule(value as Record<string, string>, this.create.bind(this)),
+      Incept, () => new Incept(value as string, this.discovery),
       () => new Class(value))
   }
 
-  public async preflight
-  (directives: Directive[], input: Input, parameters: Parameter[]): Promise<Output> {
-    const identity = await this.resolve(input.headers.authorization)
+  public async preflight (directives: Directive[],
+    input: Input,
+    parameters: Parameter[]): Promise<Output> {
+    const identity = await this.resolve(input.request.headers.authorization)
 
     input.identity = identity
 
@@ -63,41 +67,38 @@ class Authorization implements Family<Directive, Extension> {
         return directive.reply?.(identity) ?? null
     }
 
-    if (identity === null) throw new http.Unauthorized()
-    else throw new http.Forbidden()
+    if (identity === null)
+      throw new http.Unauthorized()
+    else
+      throw new http.Forbidden()
   }
 
-  public async settle
-  (directives: Directive[], request: Input, response: http.OutgoingMessage): Promise<void> {
-    for (const directive of directives)
-      await directive.settle?.(request, response)
+  public async settle (directives: Directive[],
+    request: Input,
+    response: http.OutgoingMessage): Promise<void> {
+    for (const directive of directives) await directive.settle?.(request, response)
 
     const identity = request.identity
 
-    if (identity === null)
-      return
+    if (identity === null) return
 
-    if (identity.scheme === PRIMARY && !identity.refresh)
-      return
+    if (identity.scheme === PRIMARY && !identity.refresh) return
 
     // Role directive may have already set the value
-    if (identity.roles === undefined)
-      await Role.set(identity, this.discovery.roles)
+    if (identity.roles === undefined) await Role.set(identity, this.discovery.roles)
 
     this.tokens ??= await this.discovery.tokens
 
     const token = await this.tokens.invoke<string>('encrypt', { input: { identity } })
     const authorization = `Token ${token}`
 
-    if (response.headers === undefined)
-      response.headers = new Headers()
+    if (response.headers === undefined) response.headers = new Headers()
 
     response.headers.set('authorization', authorization)
   }
 
   private async resolve (authorization: string | undefined): Promise<Identity | null> {
-    if (authorization === undefined)
-      return null
+    if (authorization === undefined) return null
 
     const [scheme, credentials] = split(authorization)
     const provider = PROVIDERS[scheme]
@@ -107,16 +108,15 @@ class Authorization implements Family<Directive, Extension> {
 
     this.schemes[scheme] ??= await this.discovery[provider]
 
-    const result = await this.schemes[scheme]
-      .invoke<AuthenticationResult>('authenticate', { input: credentials })
+    const result = await this.schemes[scheme].invoke<AuthenticationResult>('authenticate', {
+      input: credentials
+    })
 
-    if (result instanceof Error)
-      return null
+    if (result instanceof Error) return null
 
     const identity = result.identity
 
-    if (scheme !== PRIMARY && await this.banned(identity))
-      throw new http.Unauthorized()
+    if (scheme !== PRIMARY && (await this.banned(identity))) throw new http.Unauthorized()
 
     identity.scheme = scheme
     identity.refresh = result.refresh
@@ -133,16 +133,15 @@ class Authorization implements Family<Directive, Extension> {
   }
 }
 
-const CLASSES: Record<string, new (value: any, argument?: any) => Directive> = {
+const constructors: Record<string, new (value: any, argument?: any) => Directive> = {
   anonymous: Anonymous,
   id: Id,
   role: Role,
   rule: Rule,
   incept: Incept,
   scheme: Scheme,
-  echo: Echo
+  echo: Echo,
+  delegate: Delegate
 }
 
-const REMOTES: Remote[] = ['basic', 'tokens', 'roles', 'bans']
-
-export = new Authorization()
+const REMOTES: Remote[] = ['basic', 'federation', 'tokens', 'roles', 'bans']

package/source/directives/auth/Delegate.ts

@@ -0,0 +1,32 @@
+import { BadRequest } from '../../HTTP'
+import { type Directive, type Identity } from './types'
+import type { Input } from '../../io'
+
+export class Delegate implements Directive {
+  private readonly property: string
+
+  public constructor (property: string) {
+    this.property = property
+  }
+
+  public authorize (identity: Identity | null, context: Input): boolean {
+    if (identity === null)
+      return false
+
+    context.pipelines.body.push((body) => this.embed(body, identity))
+
+    return true
+  }
+
+  private embed (body: unknown, identity: Identity): Record<string, unknown> {
+    check(body)
+    body[this.property] = identity
+
+    return body
+  }
+}
+
+function check (body: unknown): asserts body is Record<string, unknown> {
+  if (typeof body !== 'object' || body === null)
+    throw new BadRequest('Invalid request body.')
+}

package/source/directives/auth/Incept.ts

@@ -15,28 +15,33 @@ export class Incept implements Directive {
   }
 
   public authorize (identity: Identity | null, input: Input): boolean {
-    return identity === null && 'authorization' in input.headers
+    return identity === null && 'authorization' in input.request.headers
   }
 
-  public async settle (request: Input, response: http.OutgoingMessage): Promise<void> {
+  public async settle (input: Input, response: http.OutgoingMessage): Promise<void> {
     const id = response.body?.[this.property]
 
     if (id === undefined)
       throw new http.Conflict('Identity inception has failed as the response body ' +
         ` does not contain the '${this.property}' property.`)
 
-    const [scheme, credentials] = split(request.headers.authorization as string)
+    const [scheme, credentials] = split(input.request.headers.authorization!)
     const provider = PROVIDERS[scheme]
 
     this.schemes[scheme] ??= await this.discovery[provider]
 
     const identity = await this.schemes[scheme]
-      .invoke<Maybe<Identity>>('create', { input: { id, credentials } })
+      .invoke<Maybe<Identity>>('create', {
+      input: {
+        id,
+        credentials
+      }
+    })
 
     if (identity instanceof Error)
       throw new http.Conflict(identity)
 
-    request.identity = identity
-    request.identity.scheme = scheme
+    input.identity = identity
+    input.identity.scheme = scheme
   }
 }

package/source/directives/auth/Role.ts

@@ -14,10 +14,12 @@ export class Role implements Directive {
   public static async set (identity: Identity, discovery: Promise<Component>): Promise<void> {
     this.remote ??= await discovery
 
-    const query: Query = { criteria: `identity==${identity.id}`, limit: 1024 }
-    const roles: string[] = await this.remote.invoke('list', { query })
+    const query: Query = {
+      criteria: `identity==${identity.id}`,
+      limit: 1024
+    }
 
-    identity.roles = roles
+    identity.roles = await this.remote.invoke('list', { query })
   }
 
   public async authorize (identity: Identity | null): Promise<boolean> {

package/source/directives/auth/Rule.ts

@@ -1,5 +1,5 @@
 import { type Parameter } from '../../RTD'
-import { type Directive, type Identity } from './types'
+import type { Input, Directive, Identity } from './types'
 
 export class Rule implements Directive {
   private readonly directives: Directive[] = []
@@ -13,7 +13,7 @@ export class Rule implements Directive {
   }
 
   public async authorize
-  (identity: Identity | null, input: any, parameters: Parameter[]): Promise<boolean> {
+  (identity: Identity | null, input: Input, parameters: Parameter[]): Promise<boolean> {
     for (const directive of this.directives) {
       const authorized = await directive.authorize(identity, input, parameters)
 

package/source/directives/auth/Scheme.ts

@@ -12,10 +12,10 @@ export class Scheme implements Directive {
   }
 
   public authorize (_: Identity | null, input: Input): boolean {
-    if (input.headers.authorization === undefined)
+    if (input.request.headers.authorization === undefined)
       return false
 
-    const [scheme] = split(input.headers.authorization)
+    const [scheme] = split(input.request.headers.authorization)
 
     if (scheme !== this.scheme)
       throw new http.Forbidden(this.Scheme +

package/source/directives/auth/index.ts

@@ -1,3 +1,3 @@
-import Family from './Family'
+import { Authorization } from './Authorization'
 
-export = Family
+export const authorization = new Authorization()

package/source/directives/auth/schemes.ts

@@ -2,7 +2,8 @@ import { type Remote, type Scheme } from './types'
 
 export const PROVIDERS: Record<Scheme, Remote> = {
   basic: 'basic',
-  token: 'tokens'
+  token: 'tokens',
+  bearer: 'federation'
 }
 
 export const PRIMARY: Scheme = 'token'

package/source/directives/auth/types.ts

@@ -2,11 +2,14 @@ import { type Component } from '@toa.io/core'
 import { type Maybe } from '@toa.io/types'
 import { type Parameter } from '../../RTD'
 import type * as http from '../../HTTP'
-import type * as directive from '../../Directive'
+import type * as io from '../../io'
 
 export interface Directive {
-  authorize: (identity: Identity | null, input: Input, parameters: Parameter[]) =>
-  boolean | Promise<boolean>
+  authorize: (
+    identity: Identity | null,
+    input: Input,
+    parameters: Parameter[],
+  ) => boolean | Promise<boolean>
 
   reply?: (identity: Identity | null) => http.OutgoingMessage
 
@@ -28,10 +31,10 @@ export interface Ban {
   banned: boolean
 }
 
-export type Input = directive.Input & Extension
+export type Input = io.Input & Extension
 export type AuthenticationResult = Maybe<{ identity: Identity, refresh: boolean }>
 
-export type Scheme = 'basic' | 'token'
-export type Remote = 'basic' | 'tokens' | 'roles' | 'bans'
+export type Scheme = 'basic' | 'token' | 'bearer'
+export type Remote = 'basic' | 'federation' | 'tokens' | 'roles' | 'bans'
 export type Discovery = Record<Remote, Promise<Component>>
 export type Schemes = Record<Scheme, Component>

package/source/directives/cache/{Family.ts → Cache.ts}

@@ -1,10 +1,11 @@
-import { type Input, type Output, type Family } from '../../Directive'
 import { Control } from './Control'
-import { type Directive } from './types'
 import { Exact } from './Exact'
+import type { Input, Output } from '../../io'
+import type { Directive } from './types'
+import type { DirectiveFamily } from '../../RTD'
 import type * as http from '../../HTTP'
 
-class Cache implements Family<Directive> {
+export class Cache implements DirectiveFamily<Directive> {
   public readonly name: string = 'cache'
   public readonly mandatory: boolean = false
 
@@ -22,9 +23,9 @@ class Cache implements Family<Directive> {
   }
 
   public async settle
-  (directives: Directive[], request: Input, response: http.OutgoingMessage): Promise<void> {
+  (directives: Directive[], input: Input, response: http.OutgoingMessage): Promise<void> {
     response.headers ??= new Headers()
-    directives[0]?.set(request, response.headers)
+    directives[0]?.set(input, response.headers)
   }
 }
 
@@ -32,5 +33,3 @@ const constructors: Record<string, new (value: any) => Directive> = {
   control: Control,
   exact: Exact
 }
-
-export = new Cache()

package/source/directives/cache/Control.ts

@@ -1,5 +1,5 @@
 import { match } from 'matchacho'
-import type { AuthenticatedRequest, Directive } from './types'
+import type { AuthenticatedContext, Directive } from './types'
 
 export class Control implements Directive {
   protected readonly value: string
@@ -9,16 +9,16 @@ export class Control implements Directive {
     this.value = value
   }
 
-  public set (request: AuthenticatedRequest, headers: Headers): void {
-    if (!['GET', 'HEAD', 'OPTIONS'].includes(request.method))
+  public set (context: AuthenticatedContext, headers: Headers): void {
+    if (!['GET', 'HEAD', 'OPTIONS'].includes(context.request.method))
       return
 
-    this.cache ??= this.resolve(request)
+    this.cache ??= this.resolve(context)
 
     headers.set('cache-control', this.cache)
   }
 
-  protected resolve (request: AuthenticatedRequest): string {
+  protected resolve (request: AuthenticatedContext): string {
     if (request.identity === null)
       return this.value
 

package/source/directives/cache/index.ts

@@ -1,3 +1,3 @@
-import Family from './Family'
+import { Cache } from './Cache'
 
-export = Family
+export const cache = new Cache()

package/source/directives/cache/types.ts

@@ -1,9 +1,9 @@
-import { type Input } from '../../Directive'
+import type { Input } from '../../io'
 
 export interface Directive {
   set: (input: Input, headers: Headers) => void
 }
 
-export interface AuthenticatedRequest extends Input {
+export interface AuthenticatedContext extends Input {
   identity?: unknown | null
 }

package/source/directives/cors/CORS.ts

@@ -0,0 +1,62 @@
+import type { Input, Output } from '../../io'
+import type { Interceptor } from '../../Interception'
+
+export class CORS implements Interceptor {
+  public readonly name = 'cors'
+
+  private readonly requestHeaders = new Set<string>([
+    'accept',
+    'authorization',
+    'content-type',
+    'etag',
+    'if-match',
+    'if-none-match'
+  ])
+
+  private readonly headers = new Headers({
+    'access-control-allow-methods': 'GET, POST, PUT, PATCH, DELETE',
+    'access-control-allow-credentials': 'true',
+    'access-control-allow-headers': Array.from(this.requestHeaders).join(', '),
+    'access-control-max-age': '3600',
+    'cache-control': 'max-age=3600',
+    vary: 'origin'
+  })
+
+  public intercept (input: Input): Output {
+    const origin = input.request.headers.origin
+
+    if (origin === undefined)
+      return null
+
+    if (input.request.method === 'OPTIONS')
+      return this.preflightResponse(origin)
+
+    input.pipelines.response.push((output) => {
+      output.headers ??= new Headers()
+      output.headers.set('access-control-allow-origin', origin)
+      output.headers.set('access-control-expose-headers',
+        'authorization, content-type, content-length, etag')
+
+      const method = input.request.method
+
+      if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS')
+        output.headers.append('vary', 'origin')
+    })
+
+    return null
+  }
+
+  public allow (header: string): void {
+    this.requestHeaders.add(header.toLowerCase())
+    this.headers.set('access-control-allow-headers', Array.from(this.requestHeaders).join(', '))
+  }
+
+  private preflightResponse (origin: string): Output {
+    this.headers.set('access-control-allow-origin', origin)
+
+    return {
+      status: 204,
+      headers: this.headers
+    }
+  }
+}

package/source/directives/cors/index.ts

@@ -0,0 +1,3 @@
+import { CORS } from './CORS'
+
+export const cors = new CORS()

package/source/directives/dev/{Family.ts → Development.ts}

@@ -1,13 +1,14 @@
-import { type Input, type Output, type Family } from '../../Directive'
 import { Stub } from './Stub'
 import { Throw } from './Throw'
 import { type Directive } from './types'
+import type { Input, Output } from '../../io'
+import type { DirectiveFamily } from '../../RTD'
 
-class Development implements Family<Directive> {
+export class Development implements DirectiveFamily<Directive> {
   public readonly name: string = 'dev'
   public readonly mandatory: boolean = false
 
-  public create (name: string, value: any): Directive {
+  public create (name: string, value: unknown): Directive {
     const Class = constructors[name]
 
     if (Class === undefined)
@@ -32,5 +33,3 @@ const constructors: Record<string, new (value: any) => Directive> = {
   stub: Stub,
   throw: Throw
 }
-
-export = new Development()

package/source/directives/dev/Stub.ts

@@ -1,10 +1,10 @@
-import { type Output } from '../../Directive'
-import { type Directive } from './types'
+import type { Output } from '../../io'
+import type { Directive } from './types'
 
 export class Stub implements Directive {
-  private readonly value: any
+  private readonly value: unknown
 
-  public constructor (value: any) {
+  public constructor (value: unknown) {
     this.value = value
   }
 

package/source/directives/dev/Throw.ts

@@ -1,10 +1,10 @@
-import { type Output } from '../../Directive'
-import { type Directive } from './types'
+import type { Output } from '../../io'
+import type { Directive } from './types'
 
 export class Throw implements Directive {
-  private readonly message: any
+  private readonly message: string
 
-  public constructor (message: any) {
+  public constructor (message: string) {
     this.message = message
   }
 

package/source/directives/dev/index.ts

@@ -1,3 +1,3 @@
-import Family from './Family'
+import { Development } from './Development'
 
-export = Family
+export const dev = new Development()

package/source/directives/dev/types.ts

@@ -1,4 +1,4 @@
-import { type Input, type Output } from '../../Directive'
+import type { Input, Output } from '../../io'
 
 export interface Directive {
   apply: (input: Input) => Output

package/source/directives/index.ts

@@ -1,7 +1,12 @@
-import { type Family } from '../Directive'
-import Dev from './dev'
-import Auth from './auth'
-import Cache from './cache'
-import Octets from './octets'
+import { authorization } from './auth'
+import { cache } from './cache'
+import { cors } from './cors'
+import { dev } from './dev'
+import { octets } from './octets'
+import { io } from './io'
+import { vary } from './vary'
+import type { DirectiveFamily } from '../RTD'
+import type { Interceptor } from '../Interception'
 
-export const families: Family[] = [Auth, Octets, Dev, Cache]
+export const families: DirectiveFamily[] = [authorization, io, cache, vary, octets, dev]
+export const interceptors: Interceptor[] = [cors]

package/source/directives/io/Directive.ts

@@ -0,0 +1,11 @@
+import type { Input } from '../../io'
+
+export interface Directive {
+  attach: (context: Input) => void
+}
+
+export interface Constructor {
+  validate: (value: unknown) => void
+
+  new (value: any): Directive
+}

package/source/directives/io/IO.ts

@@ -0,0 +1,43 @@
+import { Output } from './Output'
+import { Input } from './Input'
+import type { Constructor, Directive } from './Directive'
+import type { Input as Context } from '../../io'
+import type { DirectiveFamily } from '../../RTD'
+
+export class IO implements DirectiveFamily<Directive> {
+  public readonly name = 'io'
+  public readonly mandatory = true
+
+  public create (name: string, value: unknown): Directive {
+    if (!(name in constructors))
+      throw new Error(`Directive 'io:${name}' is not implemented.`)
+
+    const Directive = constructors[name]
+
+    Directive.validate(value)
+
+    return new Directive(value)
+  }
+
+  public preflight (directives: Directive[], context: Context): null {
+    let restricted = false
+
+    for (const directive of directives) {
+      restricted ||= directive instanceof Output
+
+      directive.attach(context)
+    }
+
+    if (!restricted)
+      DENIAL.attach(context)
+
+    return null
+  }
+}
+
+const constructors: Record<string, Constructor> = {
+  output: Output,
+  input: Input
+}
+
+const DENIAL: Output = new Output([])