@toa.io/extensions.exposition 1.0.0-alpha.14 → 1.0.0-alpha.143

package/source/directives/auth/Federation.ts

@@ -0,0 +1,84 @@
+import assert from 'node:assert'
+import type { Directive, Identity, Context } from './types'
+import type { Parameter } from '../../RTD'
+
+export class Federation implements Directive {
+  private readonly matchers: Array<[keyof Claims, Matcher]>
+
+  public constructor (options: Options) {
+    this.matchers = (Object.entries(options) as Array<[keyof Claims, string]>)
+      .map(([key, value]) => [key, toMatcher(value)])
+
+    assert.ok(this.matchers.length > 0, '`auth:claims` requires at least one property defined')
+  }
+
+  public authorize (identity: Identity | null, context: Context, parameters: Parameter[]): boolean {
+    if (identity === null || !('claims' in identity))
+      return false
+
+    const claims = (identity as FederatedIdentity).claims
+
+    for (const [key, match] of this.matchers)
+      if (!match(claims[key], context, parameters))
+        return false
+
+    return true
+  }
+}
+
+function toMatcher (expression: string): Matcher {
+  if (expression.startsWith(':')) {
+    const key = expression.slice(1) as 'authority'
+
+    if (key === 'authority')
+      return (value, context) => matches(value, context[key])
+
+    if (key === 'domain')
+      return (value, context) => {
+        return Array.isArray(value)
+          ? value.some((iss) => codomain(iss, context))
+          : codomain(value, context)
+      }
+
+    throw new Error('Unknown `auth:claims` syntax: ' + expression)
+  }
+
+  if (expression.startsWith('/:')) {
+    const name = expression.slice(2)
+
+    return (value, _, parameters) => parameters
+      .some((parameter) => parameter.name === name && matches(value, parameter.value))
+  }
+
+  return (value) => matches(value, expression)
+}
+
+function matches (value: string | string[], reference: string): boolean {
+  return Array.isArray(value)
+    ? value.includes(reference)
+    : value === reference
+}
+
+function codomain (iss: string, context: Context): boolean {
+  const hostname = new URL(iss).hostname
+  const dot = hostname.indexOf('.')
+  const basename = dot === -1 ? hostname : hostname.slice(dot)
+
+  return context.authority.slice(-basename.length) === basename
+}
+
+type Matcher = (value: string | string[], context: Context, parameters: Parameter[]) => boolean
+
+interface Claims {
+  iss: string
+  sub: string
+  aud: string | string[]
+}
+
+interface Options extends Partial<Claims> {
+  iss: string
+}
+
+interface FederatedIdentity extends Identity {
+  claims: Claims
+}

package/source/directives/auth/Id.ts

@@ -8,7 +8,7 @@ export class Id implements Directive {
     this.parameter = parameter
   }
 
-  public authorize (identity: Identity | null, _: any, parameters: Parameter[]): boolean {
+  public authorize (identity: Identity | null, _: unknown, parameters: Parameter[]): boolean {
     if (identity === null)
       return false
 

package/source/directives/auth/Incept.ts

@@ -1,47 +1,85 @@
-import { type Maybe } from '@toa.io/types'
+import assert from 'node:assert'
+import { console } from 'openspan'
 import * as http from '../../HTTP'
-import { type Directive, type Discovery, type Identity, type Input, type Schemes } from './types'
 import { split } from './split'
-import { PROVIDERS } from './schemes'
+import { create } from './create'
+import { PROVIDERS, INCEPTION } from './schemes'
+import type { Maybe } from '@toa.io/types'
+import type { Directive, Discovery, Identity, Context, Schemes } from './types'
 
 export class Incept implements Directive {
-  private readonly property: string
-  private readonly discovery: Discovery
-  private readonly schemes: Schemes = {} as unknown as Schemes
+  private static readonly schemes: Schemes = {} as unknown as Schemes
+  private static discovery: Discovery
+
+  private readonly property: string | null
 
   public constructor (property: string, discovery: Discovery) {
-    this.property = property
-    this.discovery = discovery
-  }
+    assert.ok(property === null || typeof property === 'string',
+      '`auth:incept` value must be a string or null')
 
-  public authorize (identity: Identity | null, input: Input): boolean {
-    return identity === null && 'authorization' in input.request.headers
+    this.property = property
+    Incept.discovery ??= discovery
   }
 
-  public async settle (input: Input, response: http.OutgoingMessage): Promise<void> {
-    const id = response.body?.[this.property]
+  public static async incept (context: Context, id: string): Promise<Identity> {
+    const [scheme, credentials] = split(context.request.headers.authorization!)
+    const provider = PROVIDERS[scheme]
 
-    if (id === undefined)
-      throw new http.Conflict('Identity inception has failed as the response body ' +
-        ` does not contain the '${this.property}' property.`)
+    if (provider === undefined)
+      throw new http.BadRequest('Authentication scheme is not supported')
 
-    const [scheme, credentials] = split(input.request.headers.authorization!)
-    const provider = PROVIDERS[scheme]
+    if (!INCEPTION.includes(provider))
+      throw new http.BadRequest('Authentication scheme does not support identity inception')
 
-    this.schemes[scheme] ??= await this.discovery[provider]
+    Incept.schemes[scheme] ??= await Incept.discovery[provider]
 
-    const identity = await this.schemes[scheme]
-      .invoke<Maybe<Identity>>('create', {
+    const identity = await Incept.schemes[scheme].invoke<Maybe<Identity>>('incept', {
       input: {
+        authority: context.authority,
         id,
         credentials
       }
     })
 
     if (identity instanceof Error)
-      throw new http.Conflict(identity)
+      throw new http.UnprocessableEntity(identity)
+
+    identity.scheme = scheme
+    identity.roles = []
+
+    return identity
+  }
+
+  public authorize (identity: Identity | null): boolean {
+    return identity === null
+  }
+
+  public reply (context: Context): http.OutgoingMessage | null {
+    if (this.property !== null)
+      return null
+
+    const body = create(context.request.headers.authorization)
+
+    return { body }
+  }
+
+  public async settle (context: Context, response: http.OutgoingMessage): Promise<void> {
+    const id = response.body?.[this.property ?? 'id']
+
+    if (id === undefined) {
+      console.debug('Inception skipped: response does not contain expected property', {
+        property: this.property,
+        response
+      })
+
+      return
+    }
+
+    assert(typeof id === 'string', `Response body property "${this.property}" expected to be a string`)
 
-    input.identity = identity
-    input.identity.scheme = scheme
+    if (context.request.headers.authorization !== undefined)
+      context.identity = await Incept.incept(context, id)
+    else
+      context.identity = { id, scheme: null, refresh: true, roles: [] }
   }
 }

package/source/directives/auth/Input.ts

@@ -0,0 +1,72 @@
+import { Forbidden } from '../../HTTP'
+import type { Parameter } from '../../RTD'
+import type { Context, Directive, Identity, Create } from './types'
+
+export class Input implements Directive {
+  public priority = 0
+  private readonly statements: Statement[] = []
+
+  public constructor (declarations: Declaration[], create: Create) {
+    this.statements = declarations.map((declaration) => new Statement(declaration, create))
+  }
+
+  public async authorize
+  (identity: Identity | null, context: Context, parameters: Parameter[]): Promise<boolean> {
+    context.pipelines.body.push(async (body) => this.check(identity, context, parameters, body))
+
+    return false
+  }
+
+  // eslint-disable-next-line max-params
+  private async check (identity: Identity | null, context: Context, parameters: Parameter[], body: unknown): Promise<unknown> {
+    if (body === undefined || body === null || body.constructor !== Object)
+      return body
+
+    const settled = await Promise.allSettled(this.statements.map(async (statement) =>
+      statement.check(identity, context, parameters, body as Body)))
+
+    for (const result of settled)
+      if (result.status === 'rejected')
+        throw result.reason
+
+    return body
+  }
+}
+
+class Statement {
+  private readonly properties: string[]
+  private readonly directives: Directive[] = []
+
+  public constructor ({ prop, ...directives }: Declaration, create: Create) {
+    this.properties = typeof prop === 'string' ? [prop] : prop
+
+    for (const [name, value] of Object.entries(directives)) {
+      const directive = create(name, value)
+
+      this.directives.push(directive)
+    }
+  }
+
+  // eslint-disable-next-line max-params
+  public async check (identity: Identity | null, context: Context, parameters: Parameter[], body: Body): Promise<void> {
+    const match = this.properties.some((property) => property in body)
+
+    if (!match)
+      return
+
+    for (const directive of this.directives) {
+      const authorized = await directive.authorize(identity, context, parameters)
+
+      if (!authorized)
+        throw new Forbidden('Input property is not authorized')
+    }
+  }
+}
+
+export interface Declaration {
+  [key: Exclude<string, 'prop'>]: unknown
+
+  prop: string | string[]
+}
+
+type Body = Record<string, unknown>

package/source/directives/auth/Role.ts

@@ -15,7 +15,7 @@ export class Role implements Directive {
     this.dynamic = this.roles.some((role) => role.includes('{'))
   }
 
-  public static async set (identity: Identity, discovery: Promise<Component>): Promise<void> {
+  public static async get (identity: Identity, discovery: Promise<Component>): Promise<string[]> {
     this.remote ??= await discovery
 
     const query: Query = {
@@ -23,7 +23,7 @@ export class Role implements Directive {
       limit: 1024
     }
 
-    identity.roles = await this.remote.invoke('list', { query })
+    return await this.remote.invoke('list', { query })
   }
 
   public async authorize
@@ -31,10 +31,7 @@ export class Role implements Directive {
     if (identity === null)
       return false
 
-    await Role.set(identity, this.discovery)
-
-    if (identity.roles === undefined)
-      return false
+    identity.roles ??= await Role.get(identity, this.discovery)
 
     return this.match(identity.roles, parameters)
   }
@@ -43,7 +40,7 @@ export class Role implements Directive {
     const required = this.dynamic ? this.substitute(parameters) : this.roles
 
     for (const role of roles) {
-      const ok = required.some((expected) => compare(expected, role))
+      const ok = required.some((expected) => expected === role || expected.startsWith(role + ':'))
 
       if (ok)
         return true
@@ -57,20 +54,9 @@ export class Role implements Directive {
       const value = parameters.find((parameter) => parameter.name === key)?.value
 
       assert.ok(value !== undefined,
-        `Role '${role}' requires '${key}' route parameter.`)
+        `Role '${role}' requires '${key}' route parameter`)
 
       return value
     }))
   }
 }
-
-function compare (expected: string, actual: string): boolean {
-  const exp = expected.split(':')
-  const act = actual.split(':')
-
-  for (let i = 0; i < act.length; i++)
-    if (exp[i] !== act[i])
-      return false
-
-  return true
-}

package/source/directives/auth/Rule.ts

@@ -1,5 +1,5 @@
 import { type Parameter } from '../../RTD'
-import type { Input, Directive, Identity } from './types'
+import type { Context, Directive, Identity, Create } from './types'
 
 export class Rule implements Directive {
   private readonly directives: Directive[] = []
@@ -13,9 +13,9 @@ export class Rule implements Directive {
   }
 
   public async authorize
-  (identity: Identity | null, input: Input, parameters: Parameter[]): Promise<boolean> {
+  (identity: Identity | null, context: Context, parameters: Parameter[]): Promise<boolean> {
     for (const directive of this.directives) {
-      const authorized = await directive.authorize(identity, input, parameters)
+      const authorized = await directive.authorize(identity, context, parameters)
 
       if (!authorized)
         return false
@@ -24,5 +24,3 @@ export class Rule implements Directive {
     return true
   }
 }
-
-type Create = (name: string, value: any, ...args: any[]) => Directive

package/source/directives/auth/Scheme.ts

@@ -1,5 +1,5 @@
 import * as http from '../../HTTP'
-import { type Directive, type Identity, type Input } from './types'
+import { type Directive, type Identity, type Context } from './types'
 import { split } from './split'
 
 export class Scheme implements Directive {
@@ -11,15 +11,15 @@ export class Scheme implements Directive {
     this.Scheme = scheme[0].toUpperCase() + scheme.substring(1)
   }
 
-  public authorize (_: Identity | null, input: Input): boolean {
-    if (input.request.headers.authorization === undefined)
+  public authorize (_: Identity | null, context: Context): boolean {
+    if (context.request.headers.authorization === undefined)
       return false
 
-    const [scheme] = split(input.request.headers.authorization)
+    const [scheme] = split(context.request.headers.authorization)
 
     if (scheme !== this.scheme)
       throw new http.Forbidden(this.Scheme +
-        ' authentication scheme is required to access this resource.')
+        ' authentication scheme is required to access this resource')
 
     return false
   }

package/source/directives/auth/create.ts

@@ -0,0 +1,11 @@
+import { newid } from '@toa.io/generic'
+import type { Identity } from './types'
+
+export function create (credentials?: string): Identity {
+  return {
+    id: newid(),
+    scheme: credentials?.split(' ')[0] ?? null,
+    refresh: false,
+    roles: []
+  }
+}

package/source/directives/auth/schemes.ts

@@ -6,4 +6,6 @@ export const PROVIDERS: Record<Scheme, Remote> = {
   bearer: 'federation'
 }
 
+export const INCEPTION: Remote[] = ['basic', 'federation']
+
 export const PRIMARY: Scheme = 'token'

package/source/directives/auth/split.ts

@@ -5,7 +5,7 @@ export function split (authorization: string): [Scheme, string] {
   const space = authorization.indexOf(' ')
 
   if (space === -1)
-    throw new http.Unauthorized('Malformed authorization header.')
+    throw new http.Unauthorized('Malformed authorization header')
 
   const Scheme = authorization.slice(0, space)
   const scheme = Scheme.toLowerCase() as Scheme

package/source/directives/auth/types.ts

@@ -5,21 +5,24 @@ import type * as http from '../../HTTP'
 import type * as io from '../../io'
 
 export interface Directive {
+  priority?: number
+
   authorize: (
     identity: Identity | null,
-    input: Input,
+    context: Context,
     parameters: Parameter[]
   ) => boolean | Promise<boolean>
 
-  reply?: (identity: Identity | null) => http.OutgoingMessage
+  reply?: (context: Context) => http.OutgoingMessage | null
 
-  settle?: (request: Input, response: http.OutgoingMessage) => Promise<void>
+  settle?: (context: Context, response: http.OutgoingMessage) => Promise<void>
 }
 
 export interface Identity {
   readonly id: string
-  scheme: string
   roles?: string[]
+  permissions?: Record<string, string[]>
+  scheme: string | null // null for transient identities
   refresh: boolean
 }
 
@@ -31,10 +34,12 @@ export interface Ban {
   banned: boolean
 }
 
-export type Input = io.Input & Extension
+export type Context = io.Input & Extension
 export type AuthenticationResult = Maybe<{ identity: Identity, refresh: boolean }>
 
 export type Scheme = 'basic' | 'token' | 'bearer'
 export type Remote = 'basic' | 'federation' | 'tokens' | 'roles' | 'bans'
 export type Discovery = Record<Remote, Promise<Component>>
 export type Schemes = Record<Scheme, Component>
+
+export type Create = (name: string, value: any, ...args: any[]) => Directive

package/source/directives/cache/Cache.ts

@@ -1,19 +1,19 @@
 import { Control } from './Control'
 import { Exact } from './Exact'
-import type { Input, Output } from '../../io'
-import type { Directive } from './types'
+import type { Output } from '../../io'
+import type { AuthenticatedContext, Directive } from './types'
 import type { DirectiveFamily } from '../../RTD'
 import type * as http from '../../HTTP'
 
 export class Cache implements DirectiveFamily<Directive> {
   public readonly name: string = 'cache'
-  public readonly mandatory: boolean = false
+  public readonly mandatory: boolean = true
 
   public create (name: string, value: any): Directive {
     const Class = constructors[name]
 
     if (Class === undefined)
-      throw new Error(`Directive 'cache:${name}' is not implemented.`)
+      throw new Error(`Directive 'cache:${name}' is not implemented`)
 
     return new Class(value)
   }
@@ -23,9 +23,18 @@ export class Cache implements DirectiveFamily<Directive> {
   }
 
   public async settle
-  (directives: Directive[], input: Input, response: http.OutgoingMessage): Promise<void> {
+  (directives: Directive[], context: AuthenticatedContext, response: http.OutgoingMessage): Promise<void> {
+    const directive = directives[0]
+
     response.headers ??= new Headers()
-    directives[0]?.set(input, response.headers)
+
+    if (directive === undefined) {
+      if (context.identity !== null && !Control.disabled(response.headers)) {
+        response.headers.set('cache-control', 'private')
+        response.headers.append('vary', 'authorization')
+      }
+    } else
+      directive.set(context, response.headers)
   }
 }
 

package/source/directives/cache/Control.ts

@@ -3,57 +3,83 @@ import type { AuthenticatedContext, Directive } from './types'
 
 export class Control implements Directive {
   protected readonly value: string
-  private cache: string | null = null
+  private control: string | null = null
+  private vary: boolean = false
 
   public constructor (value: string) {
     this.value = value
   }
 
+  public static disabled (headers: Headers): boolean {
+    const value = headers.get('cache-control')
+
+    if (value === null)
+      return false
+
+    const directives = mask(value)
+
+    return (directives & NO_STORE) === NO_STORE
+  }
+
   public set (context: AuthenticatedContext, headers: Headers): void {
     if (!['GET', 'HEAD', 'OPTIONS'].includes(context.request.method))
       return
 
-    this.cache ??= this.resolve(context)
+    this.control ??= this.resolve(context)
+
+    if (Control.disabled(headers))
+      return
+
+    headers.set('cache-control', this.control)
 
-    headers.set('cache-control', this.cache)
+    if (this.vary)
+      headers.append('vary', 'authorization')
   }
 
   protected resolve (request: AuthenticatedContext): string {
     if (request.identity === null)
       return this.value
 
-    const directives = this.mask()
+    const directives = mask(this.value)
+
+    if ((directives & PRIVATE) === PRIVATE)
+      this.vary = true
 
     if ((directives & (PUBLIC | NO_CACHE)) === PUBLIC)
       return 'no-cache, ' + this.value
 
-    if ((directives & (PUBLIC | PRIVATE)) === 0)
+    if ((directives & (PUBLIC | PRIVATE)) === 0) {
+      this.vary = true
+
       return 'private, ' + this.value
+    }
 
     return this.value
   }
+}
 
-  private mask (): number {
-    const directives = this.value.match(DIRECTIVES_RX)
+function mask (value: string): number {
+  const directives = value.match(DIRECTIVES_RX)
 
-    if (directives === null)
-      return 0
+  if (directives === null)
+    return 0
 
-    let mask = 0
+  let mask = 0
 
-    for (const directive of directives)
-      mask |= match<number>(directive,
-        'private', PRIVATE,
-        'public', PUBLIC,
-        'no-cache', NO_CACHE,
-        0)
+  for (const directive of directives)
+    mask |= match<number>(directive,
+      'private', PRIVATE,
+      'public', PUBLIC,
+      'no-cache', NO_CACHE,
+      'no-store', NO_STORE,
+      0)
 
-    return mask
-  }
+  return mask
 }
 
-const DIRECTIVES_RX = /\b(private|public|no-cache)\b/ig
+const DIRECTIVES_RX = /\b(private|public|no-cache|no-store)\b/ig
 
 const PUBLIC = 1
 const PRIVATE = 2
 const NO_CACHE = 4
+const NO_STORE = 8

package/source/directives/cors/CORS.ts

@@ -14,7 +14,7 @@ export class CORS implements Interceptor {
   ])
 
   private readonly headers = new Headers({
-    'access-control-allow-methods': 'GET, POST, PUT, PATCH, DELETE',
+    'access-control-allow-methods': 'GET, POST, PUT, PATCH, DELETE, LOCK, UNLOCK',
     'access-control-allow-credentials': 'true',
     'access-control-allow-headers': Array.from(this.requestHeaders).join(', '),
     'access-control-max-age': '3600',
@@ -34,8 +34,9 @@ export class CORS implements Interceptor {
     input.pipelines.response.push((output) => {
       output.headers ??= new Headers()
       output.headers.set('access-control-allow-origin', origin)
+      output.headers.set('access-control-allow-credentials', 'true')
       output.headers.set('access-control-expose-headers',
-        'authorization, content-type, content-length, etag')
+        'authorization, content-type, content-length, etag, last-modified')
 
       const method = input.request.method
 

package/source/directives/dev/Development.ts

@@ -1,5 +1,6 @@
 import { Stub } from './Stub'
 import { Throw } from './Throw'
+import { Sleep } from './Sleep'
 import { type Directive } from './types'
 import type { Input, Output } from '../../io'
 import type { DirectiveFamily } from '../../RTD'
@@ -12,24 +13,28 @@ export class Development implements DirectiveFamily<Directive> {
     const Class = constructors[name]
 
     if (Class === undefined)
-      throw new Error(`Directive 'dev:${name}' is not implemented.`)
+      throw new Error(`Directive 'dev:${name}' is not implemented`)
 
     return new Class(value)
   }
 
-  public preflight (directives: Directive[], input: Input): Output {
+  public async preflight (directives: Directive[], input: Input): Promise<Output> {
+    let output = null
+
     for (const directive of directives) {
-      const output = directive.apply(input)
+      const out = await directive.apply(input)
 
-      if (output !== null)
-        return output
+      if (out !== null)
+        if (output !== null) throw new Error('`dev` directives ambiguous output')
+        else output = out
     }
 
-    return null
+    return output
   }
 }
 
 const constructors: Record<string, new (value: any) => Directive> = {
   stub: Stub,
-  throw: Throw
+  throw: Throw,
+  sleep: Sleep
 }