@toa.io/extensions.exposition 1.0.0-alpha.0 → 1.0.0-alpha.100

package/source/directives/auth/Incept.ts

@@ -15,28 +15,34 @@ export class Incept implements Directive {
   }
 
   public authorize (identity: Identity | null, input: Input): boolean {
-    return identity === null && 'authorization' in input.headers
+    return identity === null && 'authorization' in input.request.headers
   }
 
-  public async settle (request: Input, response: http.OutgoingMessage): Promise<void> {
+  public async settle (input: Input, response: http.OutgoingMessage): Promise<void> {
     const id = response.body?.[this.property]
 
     if (id === undefined)
       throw new http.Conflict('Identity inception has failed as the response body ' +
-        ` does not contain the '${this.property}' property.`)
+        `does not contain the '${this.property}' property`)
 
-    const [scheme, credentials] = split(request.headers.authorization as string)
+    const [scheme, credentials] = split(input.request.headers.authorization!)
     const provider = PROVIDERS[scheme]
 
     this.schemes[scheme] ??= await this.discovery[provider]
 
     const identity = await this.schemes[scheme]
-      .invoke<Maybe<Identity>>('create', { input: { id, credentials } })
+      .invoke<Maybe<Identity>>('incept', {
+      input: {
+        authority: input.authority,
+        id,
+        credentials
+      }
+    })
 
     if (identity instanceof Error)
-      throw new http.Conflict(identity)
+      throw new http.UnprocessableEntity(identity)
 
-    request.identity = identity
-    request.identity.scheme = scheme
+    input.identity = identity
+    input.identity.scheme = scheme
   }
 }

package/source/directives/auth/Role.test.ts

@@ -2,6 +2,7 @@ import { type Component } from '@toa.io/core'
 import { generate } from 'randomstring'
 import { Role } from './Role'
 import { type Identity } from './types'
+import type { Parameter } from '../../RTD'
 
 const remote = {
   invoke: jest.fn()
@@ -16,16 +17,26 @@ beforeEach(() => {
 it('should return false if not matched', async () => {
   const roles = ['admin', 'user']
   const directive = new Role(roles, discovery)
-  const identity: Identity = { id: generate(), scheme: '', refresh: false }
+
+  const identity: Identity = {
+    id: generate(),
+    scheme: '',
+    refresh: false
+  }
 
   remote.invoke.mockResolvedValueOnce(['guest'])
 
-  const result = await directive.authorize(identity)
+  const result = await directive.authorize(identity, undefined, [])
 
   expect(result).toBe(false)
 
   expect(remote.invoke)
-    .toBeCalledWith('list', { query: { criteria: `identity==${identity.id}`, limit: 1024 } })
+    .toBeCalledWith('list', {
+      query: {
+        criteria: `identity==${identity.id}`,
+        limit: 1024
+      }
+    })
 })
 
 it('should return true on exact match', async () => {
@@ -52,11 +63,47 @@ it('should return false on non-scope substring match', async () => {
   expect(result).toBe(false)
 })
 
-async function match (expected: string[], actual: string[]): Promise<boolean> {
+it('should return true on match with parameters', async () => {
+  const result = await match(['app:{org}:reviews'],
+    ['app:29e54ae1:reviews'], [{
+      name: 'org',
+      value: '29e54ae1'
+    }])
+
+  expect(result).toBe(true)
+})
+
+it('should return true on match with parameters', async () => {
+  const result = await match(['app:{org}:reviews'],
+    ['app:29e54ae1:reviews'], [{
+      name: 'org',
+      value: '29e54ae1'
+    }])
+
+  expect(result).toBe(true)
+})
+
+it('should return false on mismatch with parameters', async () => {
+  const result = await match(['app:{org}:reviews'],
+    ['app:29e54ae1:reviews'], [{
+      name: 'org',
+      value: '88584c9b'
+    }])
+
+  expect(result).toBe(false)
+})
+
+async function match
+(expected: string[], actual: string[], parameters: Parameter[] = []): Promise<boolean> {
   const directive = new Role(expected, discovery)
-  const identity: Identity = { id: generate(), scheme: '', refresh: false }
+
+  const identity: Identity = {
+    id: generate(),
+    scheme: '',
+    refresh: false
+  }
 
   remote.invoke.mockResolvedValueOnce(actual)
 
-  return await directive.authorize(identity)
+  return await directive.authorize(identity, undefined, parameters)
 }

package/source/directives/auth/Role.ts

@@ -1,56 +1,66 @@
+import assert from 'node:assert'
 import { type Component, type Query } from '@toa.io/core'
 import { type Directive, type Identity } from './types'
+import type { Parameter } from '../../RTD'
 
 export class Role implements Directive {
   public static remote: Component | null = null
   private readonly roles: string[]
   private readonly discovery: Promise<Component>
+  private readonly dynamic: boolean
 
   public constructor (roles: string | string[], discovery: Promise<Component>) {
     this.roles = typeof roles === 'string' ? [roles] : roles
     this.discovery = discovery
+    this.dynamic = this.roles.some((role) => role.includes('{'))
   }
 
   public static async set (identity: Identity, discovery: Promise<Component>): Promise<void> {
     this.remote ??= await discovery
 
-    const query: Query = { criteria: `identity==${identity.id}`, limit: 1024 }
-    const roles: string[] = await this.remote.invoke('list', { query })
+    const query: Query = {
+      criteria: `identity==${identity.id}`,
+      limit: 1024
+    }
 
-    identity.roles = roles
+    identity.roles = await this.remote.invoke('list', { query })
   }
 
-  public async authorize (identity: Identity | null): Promise<boolean> {
+  public async authorize
+  (identity: Identity | null, _: unknown, parameters: Parameter[]): Promise<boolean> {
     if (identity === null)
       return false
 
     await Role.set(identity, this.discovery)
 
-    if (identity.roles === undefined)
+    if (identity.roles!.length === 0) // Role.set()
+
       return false
 
-    return this.match(identity.roles)
+    return this.match(identity.roles!, parameters)
   }
 
-  private match (roles: string[]): boolean {
+  private match (roles: string[], parameters: Parameter[]): boolean {
+    const required = this.dynamic ? this.substitute(parameters) : this.roles
+
     for (const role of roles) {
-      const index = this.roles.findIndex((expected) => compare(expected, role))
+      const ok = required.some((expected) => expected === role || expected.startsWith(role + ':'))
 
-      if (index !== -1)
+      if (ok)
         return true
     }
 
     return false
   }
-}
 
-function compare (expected: string, actual: string): boolean {
-  const exp = expected.split(':')
-  const act = actual.split(':')
+  private substitute (parameters: Parameter[]): string[] {
+    return this.roles.map((role) => role.replaceAll(/{(\w+)}/g, (_, key) => {
+      const value = parameters.find((parameter) => parameter.name === key)?.value
 
-  for (let i = 0; i < act.length; i++)
-    if (exp[i] !== act[i])
-      return false
+      assert.ok(value !== undefined,
+        `Role '${role}' requires '${key}' route parameter`)
 
-  return true
+      return value
+    }))
+  }
 }

package/source/directives/auth/Rule.ts

@@ -1,5 +1,5 @@
 import { type Parameter } from '../../RTD'
-import { type Directive, type Identity } from './types'
+import type { Input, Directive, Identity } from './types'
 
 export class Rule implements Directive {
   private readonly directives: Directive[] = []
@@ -13,7 +13,7 @@ export class Rule implements Directive {
   }
 
   public async authorize
-  (identity: Identity | null, input: any, parameters: Parameter[]): Promise<boolean> {
+  (identity: Identity | null, input: Input, parameters: Parameter[]): Promise<boolean> {
     for (const directive of this.directives) {
       const authorized = await directive.authorize(identity, input, parameters)
 

package/source/directives/auth/Scheme.ts

@@ -12,14 +12,14 @@ export class Scheme implements Directive {
   }
 
   public authorize (_: Identity | null, input: Input): boolean {
-    if (input.headers.authorization === undefined)
+    if (input.request.headers.authorization === undefined)
       return false
 
-    const [scheme] = split(input.headers.authorization)
+    const [scheme] = split(input.request.headers.authorization)
 
     if (scheme !== this.scheme)
       throw new http.Forbidden(this.Scheme +
-        ' authentication scheme is required to access this resource.')
+        ' authentication scheme is required to access this resource')
 
     return false
   }

package/source/directives/auth/index.ts

@@ -1,3 +1,3 @@
-import Family from './Family'
+import { Authorization } from './Authorization'
 
-export = Family
+export const authorization = new Authorization()

package/source/directives/auth/schemes.ts

@@ -2,7 +2,8 @@ import { type Remote, type Scheme } from './types'
 
 export const PROVIDERS: Record<Scheme, Remote> = {
   basic: 'basic',
-  token: 'tokens'
+  token: 'tokens',
+  bearer: 'federation'
 }
 
 export const PRIMARY: Scheme = 'token'

package/source/directives/auth/split.ts

@@ -5,7 +5,7 @@ export function split (authorization: string): [Scheme, string] {
   const space = authorization.indexOf(' ')
 
   if (space === -1)
-    throw new http.Unauthorized('Malformed authorization header.')
+    throw new http.Unauthorized('Malformed authorization header')
 
   const Scheme = authorization.slice(0, space)
   const scheme = Scheme.toLowerCase() as Scheme

package/source/directives/auth/types.ts

@@ -2,11 +2,14 @@ import { type Component } from '@toa.io/core'
 import { type Maybe } from '@toa.io/types'
 import { type Parameter } from '../../RTD'
 import type * as http from '../../HTTP'
-import type * as directive from '../../Directive'
+import type * as io from '../../io'
 
 export interface Directive {
-  authorize: (identity: Identity | null, input: Input, parameters: Parameter[]) =>
-  boolean | Promise<boolean>
+  authorize: (
+    identity: Identity | null,
+    input: Input,
+    parameters: Parameter[]
+  ) => boolean | Promise<boolean>
 
   reply?: (identity: Identity | null) => http.OutgoingMessage
 
@@ -15,7 +18,7 @@ export interface Directive {
 
 export interface Identity {
   readonly id: string
-  scheme: string
+  scheme: string | null // null for transient identities
   roles?: string[]
   refresh: boolean
 }
@@ -28,10 +31,10 @@ export interface Ban {
   banned: boolean
 }
 
-export type Input = directive.Input & Extension
+export type Input = io.Input & Extension
 export type AuthenticationResult = Maybe<{ identity: Identity, refresh: boolean }>
 
-export type Scheme = 'basic' | 'token'
-export type Remote = 'basic' | 'tokens' | 'roles' | 'bans'
+export type Scheme = 'basic' | 'token' | 'bearer'
+export type Remote = 'basic' | 'federation' | 'tokens' | 'roles' | 'bans'
 export type Discovery = Record<Remote, Promise<Component>>
 export type Schemes = Record<Scheme, Component>

package/source/directives/cache/Cache.ts

@@ -0,0 +1,42 @@
+import { Control } from './Control'
+import { Exact } from './Exact'
+import type { Output } from '../../io'
+import type { AuthenticatedContext, Directive } from './types'
+import type { DirectiveFamily } from '../../RTD'
+import type * as http from '../../HTTP'
+
+export class Cache implements DirectiveFamily<Directive> {
+  public readonly name: string = 'cache'
+  public readonly mandatory: boolean = true
+
+  public create (name: string, value: any): Directive {
+    const Class = constructors[name]
+
+    if (Class === undefined)
+      throw new Error(`Directive 'cache:${name}' is not implemented`)
+
+    return new Class(value)
+  }
+
+  public preflight (): Output {
+    return null
+  }
+
+  public async settle
+  (directives: Directive[], context: AuthenticatedContext, response: http.OutgoingMessage): Promise<void> {
+    const directive = directives[0]
+
+    response.headers ??= new Headers()
+
+    if (directive === undefined) {
+      if (context.identity !== null && !Control.disabled(response.headers))
+        response.headers.set('cache-control', 'private')
+    } else
+      directive.set(context, response.headers)
+  }
+}
+
+const constructors: Record<string, new (value: any) => Directive> = {
+  control: Control,
+  exact: Exact
+}

package/source/directives/cache/Control.ts

@@ -1,59 +1,85 @@
 import { match } from 'matchacho'
-import type { AuthenticatedRequest, Directive } from './types'
+import type { AuthenticatedContext, Directive } from './types'
 
 export class Control implements Directive {
   protected readonly value: string
   private cache: string | null = null
+  private vary: boolean = false
 
   public constructor (value: string) {
     this.value = value
   }
 
-  public set (request: AuthenticatedRequest, headers: Headers): void {
-    if (!['GET', 'HEAD', 'OPTIONS'].includes(request.method))
+  public static disabled (headers: Headers): boolean {
+    const value = headers.get('cache-control')
+
+    if (value === null)
+      return false
+
+    const directives = mask(value)
+
+    return (directives & NO_STORE) === NO_STORE
+  }
+
+  public set (context: AuthenticatedContext, headers: Headers): void {
+    if (!['GET', 'HEAD', 'OPTIONS'].includes(context.request.method))
       return
 
-    this.cache ??= this.resolve(request)
+    this.cache ??= this.resolve(context)
+
+    if (Control.disabled(headers))
+      return
 
     headers.set('cache-control', this.cache)
+
+    if (this.vary !== null)
+      headers.append('vary', 'authorization')
   }
 
-  protected resolve (request: AuthenticatedRequest): string {
+  protected resolve (request: AuthenticatedContext): string {
     if (request.identity === null)
       return this.value
 
-    const directives = this.mask()
+    const directives = mask(this.value)
+
+    if ((directives & PRIVATE) === PRIVATE)
+      this.vary = true
 
     if ((directives & (PUBLIC | NO_CACHE)) === PUBLIC)
       return 'no-cache, ' + this.value
 
-    if ((directives & (PUBLIC | PRIVATE)) === 0)
+    if ((directives & (PUBLIC | PRIVATE)) === 0) {
+      this.vary = true
+
       return 'private, ' + this.value
+    }
 
     return this.value
   }
+}
 
-  private mask (): number {
-    const directives = this.value.match(DIRECTIVES_RX)
+function mask (value: string): number {
+  const directives = value.match(DIRECTIVES_RX)
 
-    if (directives === null)
-      return 0
+  if (directives === null)
+    return 0
 
-    let mask = 0
+  let mask = 0
 
-    for (const directive of directives)
-      mask |= match<number>(directive,
-        'private', PRIVATE,
-        'public', PUBLIC,
-        'no-cache', NO_CACHE,
-        0)
+  for (const directive of directives)
+    mask |= match<number>(directive,
+      'private', PRIVATE,
+      'public', PUBLIC,
+      'no-cache', NO_CACHE,
+      'no-store', NO_STORE,
+      0)
 
-    return mask
-  }
+  return mask
 }
 
-const DIRECTIVES_RX = /\b(private|public|no-cache)\b/ig
+const DIRECTIVES_RX = /\b(private|public|no-cache|no-store)\b/ig
 
 const PUBLIC = 1
 const PRIVATE = 2
 const NO_CACHE = 4
+const NO_STORE = 8

package/source/directives/cache/index.ts

@@ -1,3 +1,3 @@
-import Family from './Family'
+import { Cache } from './Cache'
 
-export = Family
+export const cache = new Cache()

package/source/directives/cache/types.ts

@@ -1,9 +1,9 @@
-import { type Input } from '../../Directive'
+import type { Input } from '../../io'
 
 export interface Directive {
   set: (input: Input, headers: Headers) => void
 }
 
-export interface AuthenticatedRequest extends Input {
+export interface AuthenticatedContext extends Input {
   identity?: unknown | null
 }

package/source/directives/cors/CORS.ts

@@ -0,0 +1,63 @@
+import type { Input, Output } from '../../io'
+import type { Interceptor } from '../../Interception'
+
+export class CORS implements Interceptor {
+  public readonly name = 'cors'
+
+  private readonly requestHeaders = new Set<string>([
+    'accept',
+    'authorization',
+    'content-type',
+    'etag',
+    'if-match',
+    'if-none-match'
+  ])
+
+  private readonly headers = new Headers({
+    'access-control-allow-methods': 'GET, POST, PUT, PATCH, DELETE, LOCK, UNLOCK',
+    'access-control-allow-credentials': 'true',
+    'access-control-allow-headers': Array.from(this.requestHeaders).join(', '),
+    'access-control-max-age': '3600',
+    'cache-control': 'max-age=3600',
+    vary: 'origin'
+  })
+
+  public intercept (input: Input): Output {
+    const origin = input.request.headers.origin
+
+    if (origin === undefined)
+      return null
+
+    if (input.request.method === 'OPTIONS')
+      return this.preflightResponse(origin)
+
+    input.pipelines.response.push((output) => {
+      output.headers ??= new Headers()
+      output.headers.set('access-control-allow-origin', origin)
+      output.headers.set('access-control-allow-credentials', 'true')
+      output.headers.set('access-control-expose-headers',
+        'authorization, content-type, content-length, etag')
+
+      const method = input.request.method
+
+      if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS')
+        output.headers.append('vary', 'origin')
+    })
+
+    return null
+  }
+
+  public allow (header: string): void {
+    this.requestHeaders.add(header.toLowerCase())
+    this.headers.set('access-control-allow-headers', Array.from(this.requestHeaders).join(', '))
+  }
+
+  private preflightResponse (origin: string): Output {
+    this.headers.set('access-control-allow-origin', origin)
+
+    return {
+      status: 204,
+      headers: this.headers
+    }
+  }
+}

package/source/directives/cors/index.ts

@@ -0,0 +1,3 @@
+import { CORS } from './CORS'
+
+export const cors = new CORS()

package/source/directives/dev/{Family.ts → Development.ts}

@@ -1,17 +1,18 @@
-import { type Input, type Output, type Family } from '../../Directive'
 import { Stub } from './Stub'
 import { Throw } from './Throw'
 import { type Directive } from './types'
+import type { Input, Output } from '../../io'
+import type { DirectiveFamily } from '../../RTD'
 
-class Development implements Family<Directive> {
+export class Development implements DirectiveFamily<Directive> {
   public readonly name: string = 'dev'
   public readonly mandatory: boolean = false
 
-  public create (name: string, value: any): Directive {
+  public create (name: string, value: unknown): Directive {
     const Class = constructors[name]
 
     if (Class === undefined)
-      throw new Error(`Directive '${name}' is not provided by the '${this.name}' family.`)
+      throw new Error(`Directive 'dev:${name}' is not implemented`)
 
     return new Class(value)
   }
@@ -32,5 +33,3 @@ const constructors: Record<string, new (value: any) => Directive> = {
   stub: Stub,
   throw: Throw
 }
-
-export = new Development()

package/source/directives/dev/Stub.ts

@@ -1,10 +1,10 @@
-import { type Output } from '../../Directive'
-import { type Directive } from './types'
+import type { Output } from '../../io'
+import type { Directive } from './types'
 
 export class Stub implements Directive {
-  private readonly value: any
+  private readonly value: unknown
 
-  public constructor (value: any) {
+  public constructor (value: unknown) {
     this.value = value
   }
 

package/source/directives/dev/Throw.ts

@@ -1,10 +1,10 @@
-import { type Output } from '../../Directive'
-import { type Directive } from './types'
+import type { Output } from '../../io'
+import type { Directive } from './types'
 
 export class Throw implements Directive {
-  private readonly message: any
+  private readonly message: string
 
-  public constructor (message: any) {
+  public constructor (message: string) {
     this.message = message
   }
 

package/source/directives/dev/index.ts

@@ -1,3 +1,3 @@
-import Family from './Family'
+import { Development } from './Development'
 
-export = Family
+export const dev = new Development()

package/source/directives/dev/types.ts

@@ -1,4 +1,4 @@
-import { type Input, type Output } from '../../Directive'
+import type { Input, Output } from '../../io'
 
 export interface Directive {
   apply: (input: Input) => Output