@travetto/auth-web 7.1.4 → 8.0.0-alpha.1

package/README.md

@@ -52,7 +52,7 @@ export interface Authenticator<T = unknown, C = unknown, P extends Principal = P
    *
    * @returns Valid principal if authenticated
    * @returns undefined if authentication is valid, but incomplete (multi-step)
-   * @throws AppError if authentication fails
+   * @throws Error if authentication fails
    */
   authenticate(payload: T, context?: C): Promise<P | undefined> | P | undefined;
 }
@@ -110,7 +110,7 @@ export class AppConfig {
 The symbol `FB_AUTH` is what will be used to reference providers at runtime.  This was chosen, over `class` references due to the fact that most providers will not be defined via a new class, but via an [@InjectableFactory](https://github.com/travetto/travetto/tree/main/module/di/src/decorator.ts#L48) method.
 
 ## Maintaining Auth Context
-The [AuthContextInterceptor](https://github.com/travetto/travetto/tree/main/module/auth-web/src/interceptors/context.ts#L20) acts as the bridge between the [Authentication](https://github.com/travetto/travetto/tree/main/module/auth#readme "Authentication scaffolding for the Travetto framework") and [Web API](https://github.com/travetto/travetto/tree/main/module/web#readme "Declarative support for creating Web Applications") modules.  It serves to take an authenticated principal (via the [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11)/[WebResponse](https://github.com/travetto/travetto/tree/main/module/web/src/types/response.ts#L3)) and integrate it into the [AuthContext](https://github.com/travetto/travetto/tree/main/module/auth/src/context.ts#L14). Leveraging [WebAuthConfig](https://github.com/travetto/travetto/tree/main/module/auth-web/src/config.ts#L8)'s configuration allows for basic control of how the principal is encoded and decoded, primarily with the choice between using a header or a cookie, and which header, or cookie value is specifically referenced.  Additionally, the encoding process allows for auto-renewing of the token (on by default). The information is encoded into the [JWT](https://jwt.io/) appropriately, and when encoding using cookies, is also  set as the expiry time for the cookie.  
+The [AuthContextInterceptor](https://github.com/travetto/travetto/tree/main/module/auth-web/src/interceptors/context.ts#L20) acts as the bridge between the [Authentication](https://github.com/travetto/travetto/tree/main/module/auth#readme "Authentication scaffolding for the Travetto framework") and [Web API](https://github.com/travetto/travetto/tree/main/module/web#readme "Declarative support for creating Web Applications") modules.  It serves to take an authenticated principal (via the [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11)/[WebResponse](https://github.com/travetto/travetto/tree/main/module/web/src/types/response.ts#L3)) and integrate it into the [AuthContext](https://github.com/travetto/travetto/tree/main/module/auth/src/context.ts#L14). Leveraging [WebAuthConfig](https://github.com/travetto/travetto/tree/main/module/auth-web/src/config.ts#L9)'s configuration allows for basic control of how the principal is encoded and decoded, primarily with the choice between using a header or a cookie, and which header, or cookie value is specifically referenced.  Additionally, the encoding process allows for auto-renewing of the token (on by default). The information is encoded into the [JWT](https://jwt.io/) appropriately, and when encoding using cookies, is also  set as the expiry time for the cookie.  
 
 **Note for Cookie Use:** The automatic renewal, update, seamless receipt and transmission of the [Principal](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L7) cookie act as a light-weight session.  Generally the goal is to keep the token as small as possible, but for small amounts of data, this pattern proves to be fairly sufficient at maintaining a decentralized state. 
 
@@ -121,9 +121,9 @@ The [PrincipalCodec](https://github.com/travetto/travetto/tree/main/module/auth-
 import type { Jwt, Verifier, SupportedAlgorithms } from 'njwt';
 
 import { type AuthContext, AuthenticationError, type AuthToken, type Principal } from '@travetto/auth';
-import { Injectable, Inject } from '@travetto/di';
+import { Injectable, Inject, PostConstruct } from '@travetto/di';
 import { type WebResponse, type WebRequest, type WebAsyncContext, CookieJar } from '@travetto/web';
-import { AppError, castTo, TimeUtil } from '@travetto/runtime';
+import { RuntimeError, castTo, TimeUtil } from '@travetto/runtime';
 
 import { CommonPrincipalCodecSymbol, type PrincipalCodec } from './types.ts';
 import type { WebAuthConfig } from './config.ts';
@@ -146,7 +146,8 @@ export class JWTPrincipalCodec implements PrincipalCodec {
   #verifier: Verifier;
   #algorithm: SupportedAlgorithms = 'HS256';
 
-  async postConstruct(): Promise<void> {
+  @PostConstruct()
+  async finalizeVerifier(): Promise<void> {
     // Weird issue with their ES module support
     const { default: { createVerifier } } = await import('njwt');
     this.#verifier = createVerifier()
@@ -186,13 +187,13 @@ export class JWTPrincipalCodec implements PrincipalCodec {
   async create(value: Principal, keyId: string = 'default'): Promise<string> {
     const entry = this.config.keyMap[keyId];
     if (!entry) {
-      throw new AppError('Requested unknown key for signing');
+      throw new RuntimeError('Requested unknown key for signing');
     }
     // Weird issue with their ES module support
     const { default: { create } } = await import('njwt');
     const jwt = create({}, '-')
       .setExpiration(value.expiresAt!)
-      .setIssuedAt(TimeUtil.asSeconds(value.issuedAt!))
+      .setIssuedAt(TimeUtil.duration((value.issuedAt ?? new Date()).getTime(), 's'))
       .setClaim('core', castTo({ ...value }))
       .setIssuer(value.issuer!)
       .setJti(value.sessionId!)
@@ -225,7 +226,7 @@ A trivial/sample custom [PrincipalCodec](https://github.com/travetto/travetto/tr
 import type { Principal } from '@travetto/auth';
 import type { PrincipalCodec } from '@travetto/auth-web';
 import { Injectable } from '@travetto/di';
-import { BinaryUtil } from '@travetto/runtime';
+import { BinaryMetadataUtil } from '@travetto/runtime';
 import type { WebResponse, WebRequest } from '@travetto/web';
 
 @Injectable()
@@ -234,7 +235,7 @@ export class CustomCodec implements PrincipalCodec {
 
   decode(request: WebRequest): Promise<Principal | undefined> | Principal | undefined {
     const [userId, sig] = request.headers.get('USER_ID')?.split(':') ?? [];
-    if (userId && sig === BinaryUtil.hash(userId + this.secret)) {
+    if (userId && sig === BinaryMetadataUtil.hash(userId + this.secret)) {
       let principal: Principal | undefined;
       // Lookup user from db, remote system, etc.,
       return principal;
@@ -243,7 +244,7 @@ export class CustomCodec implements PrincipalCodec {
   }
   encode(response: WebResponse, data: Principal | undefined): WebResponse {
     if (data) {
-      response.headers.set('USER_ID', `${data.id}:${BinaryUtil.hash(data.id + this.secret)}`);
+      response.headers.set('USER_ID', `${data.id}:${BinaryMetadataUtil.hash(data.id + this.secret)}`);
     }
     return response;
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@travetto/auth-web",
-  "version": "7.1.4",
+  "version": "8.0.0-alpha.1",
   "type": "module",
   "description": "Web authentication integration support for the Travetto framework",
   "keywords": [
@@ -27,13 +27,13 @@
     "directory": "module/auth-web"
   },
   "dependencies": {
-    "@travetto/auth": "^7.1.4",
-    "@travetto/config": "^7.1.4",
-    "@travetto/web": "^7.1.4",
+    "@travetto/auth": "^8.0.0-alpha.1",
+    "@travetto/config": "^8.0.0-alpha.1",
+    "@travetto/web": "^8.0.0-alpha.1",
     "njwt": "^2.0.1"
   },
   "peerDependencies": {
-    "@travetto/test": "^7.1.4"
+    "@travetto/test": "^8.0.0-alpha.1"
   },
   "peerDependenciesMeta": {
     "@travetto/test": {

package/src/codec.ts

@@ -1,9 +1,9 @@
 import type { Jwt, Verifier, SupportedAlgorithms } from 'njwt';
 
 import { type AuthContext, AuthenticationError, type AuthToken, type Principal } from '@travetto/auth';
-import { Injectable, Inject } from '@travetto/di';
+import { Injectable, Inject, PostConstruct } from '@travetto/di';
 import { type WebResponse, type WebRequest, type WebAsyncContext, CookieJar } from '@travetto/web';
-import { AppError, castTo, TimeUtil } from '@travetto/runtime';
+import { RuntimeError, castTo, TimeUtil } from '@travetto/runtime';
 
 import { CommonPrincipalCodecSymbol, type PrincipalCodec } from './types.ts';
 import type { WebAuthConfig } from './config.ts';
@@ -26,7 +26,8 @@ export class JWTPrincipalCodec implements PrincipalCodec {
   #verifier: Verifier;
   #algorithm: SupportedAlgorithms = 'HS256';
 
-  async postConstruct(): Promise<void> {
+  @PostConstruct()
+  async finalizeVerifier(): Promise<void> {
     // Weird issue with their ES module support
     const { default: { createVerifier } } = await import('njwt');
     this.#verifier = createVerifier()
@@ -66,13 +67,13 @@ export class JWTPrincipalCodec implements PrincipalCodec {
   async create(value: Principal, keyId: string = 'default'): Promise<string> {
     const entry = this.config.keyMap[keyId];
     if (!entry) {
-      throw new AppError('Requested unknown key for signing');
+      throw new RuntimeError('Requested unknown key for signing');
     }
     // Weird issue with their ES module support
     const { default: { create } } = await import('njwt');
     const jwt = create({}, '-')
       .setExpiration(value.expiresAt!)
-      .setIssuedAt(TimeUtil.asSeconds(value.issuedAt!))
+      .setIssuedAt(TimeUtil.duration((value.issuedAt ?? new Date()).getTime(), 's'))
       .setClaim('core', castTo({ ...value }))
       .setIssuer(value.issuer!)
       .setJti(value.sessionId!)

package/src/config.ts

@@ -1,5 +1,6 @@
 import { Config } from '@travetto/config';
-import { Runtime, AppError, BinaryUtil } from '@travetto/runtime';
+import { PostConstruct } from '@travetto/di';
+import { Runtime, RuntimeError, BinaryMetadataUtil } from '@travetto/runtime';
 import { Ignore, Secret } from '@travetto/schema';
 
 type KeyEntry = { key: string, id: string };
@@ -17,13 +18,14 @@ export class WebAuthConfig {
   @Ignore()
   keyMap: Record<string, KeyEntry> & { default?: KeyEntry } = {};
 
-  postConstruct(): void {
+  @PostConstruct()
+  finalize(): void {
     if (!this.signingKey && Runtime.production) {
-      throw new AppError('The default signing key is only valid for development use, please specify a config value at web.auth.signingKey');
+      throw new RuntimeError('The default signing key is only valid for development use, please specify a config value at web.auth.signingKey');
     }
     this.signingKey ??= 'dummy';
 
-    const all = [this.signingKey].flat().map(key => ({ key, id: BinaryUtil.hash(key, 8) }));
+    const all = [this.signingKey].flat().map(key => ({ key, id: BinaryMetadataUtil.hash(key, { length: 8 }) }));
     this.keyMap = Object.fromEntries(all.map(entry => [entry.id, entry]));
     this.keyMap.default = all[0];
   }

package/src/interceptors/context.ts

@@ -1,6 +1,6 @@
 import { toConcrete } from '@travetto/runtime';
 import type { WebInterceptor, WebAsyncContext, WebInterceptorCategory, WebChainedContext, WebResponse } from '@travetto/web';
-import { Injectable, Inject, DependencyRegistryIndex } from '@travetto/di';
+import { Injectable, Inject, DependencyRegistryIndex, PostConstruct } from '@travetto/di';
 import type { AuthContext, AuthService, AuthToken, Principal } from '@travetto/auth';
 import { Required } from '@travetto/schema';
 
@@ -37,7 +37,8 @@ export class AuthContextInterceptor implements WebInterceptor {
   @Inject()
   webAsyncContext: WebAsyncContext;
 
-  async postConstruct(): Promise<void> {
+  @PostConstruct()
+  async registerContextHandlers(): Promise<void> {
     this.codec ??= await DependencyRegistryIndex.getInstance(toConcrete<PrincipalCodec>(), CommonPrincipalCodecSymbol);
     this.webAsyncContext.registerSource(toConcrete<Principal>(), () => this.authContext.principal);
     this.webAsyncContext.registerSource(toConcrete<AuthToken>(), () => this.authContext.authToken);

package/src/interceptors/verify.ts

@@ -1,4 +1,4 @@
-import { AppError, Util } from '@travetto/runtime';
+import { RuntimeError, Util } from '@travetto/runtime';
 import type { WebInterceptor, WebInterceptorCategory, WebChainedContext, WebResponse, WebInterceptorContext } from '@travetto/web';
 import { Injectable, Inject } from '@travetto/di';
 import { Config } from '@travetto/config';
@@ -72,7 +72,7 @@ export class AuthVerifyInterceptor implements WebInterceptor<WebAuthVerifyConfig
         if (!principal) {
           throw new AuthenticationError('User is unauthenticated');
         } else if (!config.matcher(new Set(principal.permissions))) {
-          throw new AppError('Access denied', { category: 'permissions' });
+          throw new RuntimeError('Access denied', { category: 'permissions' });
         }
         break;
       }

package/support/test/server.ts

@@ -89,16 +89,20 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
   @Inject()
   config: WebAuthConfig;
 
-  getCookie(headers: WebHeaders): Cookie | undefined {
-    return new CookieJar().importSetCookieHeader(headers.getSetCookie()).getAll()[0];
+  async getCookie(headers: WebHeaders): Promise<Cookie | undefined> {
+    const jar = new CookieJar();
+    await jar.importSetCookieHeader(headers.getSetCookie());
+    return jar.getAll()[0];
   }
 
-  getCookieHeader(headers: WebHeaders): string | undefined {
-    return new CookieJar().importSetCookieHeader(headers.getSetCookie()).exportCookieHeader();
+  async getCookieHeader(headers: WebHeaders): Promise<string | undefined> {
+    const jar = new CookieJar();
+    await jar.importSetCookieHeader(headers.getSetCookie());
+    return jar.exportCookieHeader();
   }
 
-  getCookieExpires(headers: WebHeaders): Date | undefined {
-    const v = this.getCookie(headers)?.expires;
+  async getCookieExpires(headers: WebHeaders): Promise<Date | undefined> {
+    const v = (await this.getCookie(headers))?.expires;
     return v ? new Date(v) : undefined;
   }
 
@@ -151,7 +155,7 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
       }
     }, false);
     assert(statusCode === 201);
-    const cookie = this.getCookieHeader(headers);
+    const cookie = await this.getCookieHeader(headers);
     assert(cookie);
 
     const { context: { httpStatusCode: lastStatus } } = await this.request({
@@ -222,7 +226,7 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
       }
     }, false);
     assert(statusCode === 201);
-    const cookie = this.getCookieHeader(headers);
+    const cookie = await this.getCookieHeader(headers);
     assert(cookie);
 
     const { body, context: { httpStatusCode: lastStatus } } = await this.request({
@@ -250,17 +254,17 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
     assert(statusCode === 201);
 
     const start = Date.now();
-    const cookie = this.getCookieHeader(headers);
+    const cookie = await this.getCookieHeader(headers);
     assert(cookie);
 
-    const expires = this.getCookieExpires(headers);
+    const expires = await this.getCookieExpires(headers);
     assert(expires);
 
     const { headers: selfHeaders, context: { httpStatusCode: lastStatus } } = await this.request({
       context: { httpMethod: 'GET', path: '/test/auth/self' },
       headers: { cookie }
     }, false);
-    assert(this.getCookie(selfHeaders) === undefined);
+    assert(await this.getCookie(selfHeaders) === undefined);
     assert(lastStatus === 200);
 
     const used = (Date.now() - start);
@@ -272,9 +276,9 @@ export abstract class AuthWebServerSuite extends BaseWebSuite {
       headers: { cookie }
     }, false);
     assert(lastStatus2 === 200);
-    assert(this.getCookie(selfHeadersRenew));
+    assert(await this.getCookie(selfHeadersRenew));
 
-    const expiresRenew = this.getCookieExpires(selfHeadersRenew);
+    const expiresRenew = await this.getCookieExpires(selfHeadersRenew);
     assert(expiresRenew);
 
     const delta = expiresRenew.getTime() - expires.getTime();