@travetto/auth-web 6.0.0-rc.5 → 6.0.0-rc.7

package/README.md

@@ -59,7 +59,7 @@ export interface Authenticator<T = unknown, C = unknown, P extends Principal = P
 ```
 
 The only required method to be defined is the `authenticate` method.  This takes in a pre-principal payload and a filter context with a [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11), and is responsible for:
-   *  Returning an [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L7) if authentication was successful
+   *  Returning an [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L8) if authentication was successful
    *  Throwing an error if it failed
    *  Returning undefined if the authentication is multi-staged and has not completed yet
 
@@ -112,9 +112,9 @@ The symbol `FB_AUTH` is what will be used to reference providers at runtime.  Th
 ## Maintaining Auth Context
 The [AuthContextInterceptor](https://github.com/travetto/travetto/tree/main/module/auth-web/src/interceptors/context.ts#L19) acts as the bridge between the [Authentication](https://github.com/travetto/travetto/tree/main/module/auth#readme "Authentication scaffolding for the Travetto framework") and [Web API](https://github.com/travetto/travetto/tree/main/module/web#readme "Declarative api for Web Applications with support for the dependency injection.") modules.  It serves to take an authenticated principal (via the [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11)/[WebResponse](https://github.com/travetto/travetto/tree/main/module/web/src/types/response.ts#L3)) and integrate it into the [AuthContext](https://github.com/travetto/travetto/tree/main/module/auth/src/context.ts#L14). Leveraging [WebAuthConfig](https://github.com/travetto/travetto/tree/main/module/auth-web/src/config.ts#L8)'s configuration allows for basic control of how the principal is encoded and decoded, primarily with the choice between using a header or a cookie, and which header, or cookie value is specifically referenced.  Additionally, the encoding process allows for auto-renewing of the token (on by default). The information is encoded into the [JWT](https://jwt.io/) appropriately, and when encoding using cookies, is also  set as the expiry time for the cookie.  
 
-**Note for Cookie Use:** The automatic renewal, update, seamless receipt and transmission of the [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L7) cookie act as a light-weight session.  Generally the goal is to keep the token as small as possible, but for small amounts of data, this pattern proves to be fairly sufficient at maintaining a decentralized state. 
+**Note for Cookie Use:** The automatic renewal, update, seamless receipt and transmission of the [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L8) cookie act as a light-weight session.  Generally the goal is to keep the token as small as possible, but for small amounts of data, this pattern proves to be fairly sufficient at maintaining a decentralized state. 
 
-The [PrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-web/src/types.ts#L10) contract is the primary interface for reading and writing [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L7) data out of the [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11). This contract is flexible by design, allowing for all sorts of usage. [JWTPrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-web/src/codec.ts#L15) is the default [PrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-web/src/types.ts#L10), leveraging [JWT](https://jwt.io/)s for encoding/decoding the principal information.
+The [PrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-web/src/types.ts#L10) contract is the primary interface for reading and writing [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L8) data out of the [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11). This contract is flexible by design, allowing for all sorts of usage. [JWTPrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-web/src/codec.ts#L15) is the default [PrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-web/src/types.ts#L10), leveraging [JWT](https://jwt.io/)s for encoding/decoding the principal information.
 
 **Code: JWTPrincipalCodec**
 ```typescript
@@ -287,7 +287,7 @@ export class SampleAuth {
 }
 ```
 
-[@Authenticated](https://github.com/travetto/travetto/tree/main/module/auth-web/src/decorator.ts#L25) and [@Unauthenticated](https://github.com/travetto/travetto/tree/main/module/auth-web/src/decorator.ts#L37) will simply enforce whether or not a user is logged in and throw the appropriate error messages as needed. Additionally, the [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L7) is accessible as a resource that can be exposed as a [@ContextParam](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/param.ts#L61) on an [@Injectable](https://github.com/travetto/travetto/tree/main/module/di/src/decorator.ts#L29) class.
+[@Authenticated](https://github.com/travetto/travetto/tree/main/module/auth-web/src/decorator.ts#L25) and [@Unauthenticated](https://github.com/travetto/travetto/tree/main/module/auth-web/src/decorator.ts#L37) will simply enforce whether or not a user is logged in and throw the appropriate error messages as needed. Additionally, the [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L8) is accessible as a resource that can be exposed as a [@ContextParam](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/param.ts#L61) on an [@Injectable](https://github.com/travetto/travetto/tree/main/module/di/src/decorator.ts#L29) class.
 
 ## Multi-Step Login
 When authenticating, with a multi-step process, it is useful to share information between steps.  The `authenticatorState` of [AuthContext](https://github.com/travetto/travetto/tree/main/module/auth/src/context.ts#L14) field is intended to be a location in which that information is persisted. Currently only [passport](http://passportjs.org) support is included, when dealing with multi-step logins. This information can also be injected into a web endpoint method, using the [AuthenticatorState](https://github.com/travetto/travetto/tree/main/module/auth/src/types/authenticator.ts#L9) type;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@travetto/auth-web",
-  "version": "6.0.0-rc.5",
+  "version": "6.0.0-rc.7",
   "description": "Web authentication integration support for the Travetto framework",
   "keywords": [
     "authentication",
@@ -26,13 +26,13 @@
     "directory": "module/auth-web"
   },
   "dependencies": {
-    "@travetto/auth": "^6.0.0-rc.2",
+    "@travetto/auth": "^6.0.0-rc.3",
     "@travetto/config": "^6.0.0-rc.2",
-    "@travetto/web": "^6.0.0-rc.3",
+    "@travetto/web": "^6.0.0-rc.5",
     "njwt": "^2.0.1"
   },
   "peerDependencies": {
-    "@travetto/test": "^6.0.0-rc.2"
+    "@travetto/test": "^6.0.0-rc.3"
   },
   "peerDependenciesMeta": {
     "@travetto/test": {

package/support/test/server.ts

@@ -1,7 +1,7 @@
 import timers from 'node:timers/promises';
 import assert from 'node:assert';
 
-import { Controller, Get, WebHeaders, WebResponse, Post } from '@travetto/web';
+import { Controller, Get, WebHeaders, WebResponse, Post, Cookie, CookieJar } from '@travetto/web';
 import { Suite, Test } from '@travetto/test';
 import { DependencyRegistry, Inject, InjectableFactory } from '@travetto/di';
 import { AuthenticationError, Authenticator, AuthContext, AuthConfig } from '@travetto/auth';
@@ -90,16 +90,16 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
   @Inject()
   config: WebAuthConfig;
 
-  getCookie(headers: WebHeaders): string | undefined {
-    return headers.getSetCookie()[0];
+  getCookie(headers: WebHeaders): Cookie | undefined {
+    return new CookieJar().importSetCookieHeader(headers.getSetCookie()).getAll()[0];
   }
 
-  getCookieValue(headers: WebHeaders): string | undefined {
-    return this.getCookie(headers)?.split(';')[0];
+  getCookieHeader(headers: WebHeaders): string | undefined {
+    return new CookieJar().importSetCookieHeader(headers.getSetCookie()).exportCookieHeader();
   }
 
   getCookieExpires(headers: WebHeaders): Date | undefined {
-    const v = this.getCookie(headers)?.match('expires=([^;]+)(;|$)')?.[1];
+    const v = this.getCookie(headers)?.expires;
     return v ? new Date(v) : undefined;
   }
 
@@ -152,7 +152,7 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
       }
     }, false);
     assert(statusCode === 201);
-    const cookie = this.getCookieValue(headers);
+    const cookie = this.getCookieHeader(headers);
     assert(cookie);
 
     const { context: { httpStatusCode: lastStatus } } = await this.request({
@@ -225,7 +225,7 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
       }
     }, false);
     assert(statusCode === 201);
-    const cookie = this.getCookieValue(headers);
+    const cookie = this.getCookieHeader(headers);
     assert(cookie);
 
     const { body, context: { httpStatusCode: lastStatus } } = await this.request({
@@ -253,7 +253,7 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
     assert(statusCode === 201);
 
     const start = Date.now();
-    const cookie = this.getCookieValue(headers);
+    const cookie = this.getCookieHeader(headers);
     assert(cookie);
 
     const expires = this.getCookieExpires(headers);