@travetto/auth 5.1.0 → 6.0.0-rc.0

package/README.md

@@ -29,7 +29,11 @@ export interface Principal<D = AnyMap> {
   /**
    * Primary identifier for a user
    */
-  id: string;
+  readonly id: string;
+  /**
+   * Unique identifier for the principal's lifecycle
+   */
+  readonly sessionId?: string;
   /**
    * Date of expiration
    */
@@ -38,22 +42,18 @@ export interface Principal<D = AnyMap> {
    * Date of issuance
    */
   issuedAt?: Date;
-  /**
-   * Max age in seconds a principal is valid
-   */
-  maxAge?: number;
   /**
    * The source of the issuance
    */
-  issuer?: string;
+  readonly issuer?: string;
   /**
    * Supplemental details
    */
-  details: D;
+  readonly details: D;
   /**
    * List of all provided permissions
    */
-  permissions?: string[];
+  readonly permissions?: string[];
 }
 ```
 
@@ -126,15 +126,23 @@ export class AuthService {
    * @param authenticators List of valid authentication sources
    */
   async authenticate<T, C>(payload: T, context: C, authenticators: symbol[]): Promise<Principal | undefined>;
+  /**
+   * Manage expiry state, renewing if allowed
+   */
+  manageExpiry(p?: Principal): void;
+  /**
+   * Enforce expiry, invalidating the principal if expired
+   */
+  enforceExpiry(p?: Principal): Principal | undefined;
 }
 ```
 
-The [AuthService](https://github.com/travetto/travetto/tree/main/module/auth/src/service.ts#L12) operates as the owner of the current auth state for a given "request".  "Request" here implies a set of operations over a period of time, with the http request/response model being an easy point of reference.  This could also tie to a CLI operation, or any other invocation that requires some concept of authentication and authorization. 
+The [AuthService](https://github.com/travetto/travetto/tree/main/module/auth/src/service.ts#L14) operates as the owner of the current auth state for a given "request".  "Request" here implies a set of operations over a period of time, with the http request/response model being an easy point of reference.  This could also tie to a CLI operation, or any other invocation that requires some concept of authentication and authorization. 
 
 The service allows for storing and retrieving the active [Principal Contract](https://github.com/travetto/travetto/tree/main/module/auth/src/types/principal.ts#L8), and/or the actively persisted auth token.  This is extremely useful for other parts of the framework that may request authenticated information (if available).  [Rest Auth](https://github.com/travetto/travetto/tree/main/module/auth-rest#readme "Rest authentication integration support for the Travetto framework") makes heavy use of this state for enforcing routes when authentication is required. 
 
 ### Login
-"Logging in" can be thought of going through the action of finding a single source that can authenticate the identity for the request credentials.  Some times there may be more than one valid source of authentication that you want to leverage, and the first one to authenticate wins. The [AuthService](https://github.com/travetto/travetto/tree/main/module/auth/src/service.ts#L12) operates in this fashion, in which a set of credentials and potential [Authenticator Contract](https://github.com/travetto/travetto/tree/main/module/auth/src/types/authenticator.ts#L14)s are submitted, and the service will attempt to authenticate.  
+"Logging in" can be thought of going through the action of finding a single source that can authenticate the identity for the request credentials.  Some times there may be more than one valid source of authentication that you want to leverage, and the first one to authenticate wins. The [AuthService](https://github.com/travetto/travetto/tree/main/module/auth/src/service.ts#L14) operates in this fashion, in which a set of credentials and potential [Authenticator Contract](https://github.com/travetto/travetto/tree/main/module/auth/src/types/authenticator.ts#L14)s are submitted, and the service will attempt to authenticate.  
 
 Upon successful authentication, an optional [Authorizer Contract](https://github.com/travetto/travetto/tree/main/module/auth/src/types/authorizer.ts#L8) may be invoked to authorize the authenticated user.  The [Authenticator Contract](https://github.com/travetto/travetto/tree/main/module/auth/src/types/authenticator.ts#L14) is assumed to be only one within the system, and should be tied to the specific product you are building for.  The [Authorizer Contract](https://github.com/travetto/travetto/tree/main/module/auth/src/types/authorizer.ts#L8) should be assumed to have multiple sources, and are generally specific to external third parties.  All of these values are collected via the [Dependency Injection](https://github.com/travetto/travetto/tree/main/module/di#readme "Dependency registration/management and injection support.") module and will be auto-registered on startup. 
 

package/__index__.ts

@@ -1,6 +1,8 @@
 export * from './src/service';
 export * from './src/context';
+export * from './src/config';
 export * from './src/types/authenticator';
 export * from './src/types/authorizer';
 export * from './src/types/principal';
-export * from './src/types/error';
+export * from './src/types/error';
+export * from './src/types/token';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@travetto/auth",
-  "version": "5.1.0",
+  "version": "6.0.0-rc.0",
   "description": "Authentication scaffolding for the Travetto framework",
   "keywords": [
     "authentication",
@@ -23,7 +23,7 @@
     "directory": "module/auth"
   },
   "dependencies": {
-    "@travetto/context": "^5.1.0"
+    "@travetto/context": "^6.0.0-rc.0"
   },
   "travetto": {
     "displayName": "Authentication"

package/src/config.ts

@@ -0,0 +1,17 @@
+import { Config } from '@travetto/config';
+import { TimeSpan, TimeUtil } from '@travetto/runtime';
+import { Ignore } from '@travetto/schema';
+
+@Config('auth')
+export class AuthConfig {
+
+  maxAge: TimeSpan | number = '1h';
+  rollingRenew: boolean = true;
+
+  @Ignore()
+  maxAgeMs: number;
+
+  postConstruct(): void {
+    this.maxAgeMs = TimeUtil.asMillis(this.maxAge);
+  }
+}

package/src/context.ts

@@ -2,7 +2,7 @@
 import { Inject, Injectable } from '@travetto/di';
 import { AsyncContext, AsyncContextValue } from '@travetto/context';
 
-import { AuthToken } from './internal/types';
+import { AuthToken } from './types/token';
 import { Principal } from './types/principal';
 import { AuthenticatorState } from './types/authenticator';
 
@@ -15,7 +15,7 @@ type AuthContextShape = {
 @Injectable()
 export class AuthContext {
 
-  #auth = new AsyncContextValue<AuthContextShape>(this);
+  #value = new AsyncContextValue<AuthContextShape>(this);
 
   @Inject()
   context: AsyncContext;
@@ -25,49 +25,49 @@ export class AuthContext {
    * @private
    */
   init(): void {
-    this.#auth.set({});
+    this.#value.set({});
   }
 
   /**
    * Get the principal, if set
    */
   get principal(): Principal | undefined {
-    return this.#auth.get()?.principal;
+    return this.#value.get()?.principal;
   }
 
   /**
    * Set principal
    */
   set principal(p: Principal | undefined) {
-    this.#auth.get()!.principal = p;
+    this.#value.get()!.principal = p;
   }
 
   /**
    * Get the authentication token, if it exists
    */
   get authToken(): AuthToken | undefined {
-    return this.#auth.get()?.authToken;
+    return this.#value.get()?.authToken;
   }
 
   /**
    * Set/overwrite the user's authentication token
    */
   set authToken(token: AuthToken | undefined) {
-    this.#auth.get()!.authToken = token;
+    this.#value.get()!.authToken = token;
   }
 
   /**
    * Get the authenticator state, if it exists
    */
   get authenticatorState(): AuthenticatorState | undefined {
-    return this.#auth.get()?.authenticatorState;
+    return this.#value.get()?.authenticatorState;
   }
 
   /**
    * Set/overwrite the authenticator state
    */
   set authenticatorState(state: AuthenticatorState | undefined) {
-    this.#auth.get()!.authenticatorState = state;
+    this.#value.get()!.authenticatorState = state;
   }
 
   /**
@@ -75,6 +75,6 @@ export class AuthContext {
    * @private
    */
   async clear(): Promise<void> {
-    this.#auth.set(undefined);
+    this.#value.set(undefined);
   }
 }

package/src/internal/types.ts

@@ -9,4 +9,3 @@ export class PrincipalTarget {
 }
 export class AuthorizerTarget { }
 export class AuthenticatorTarget { }
-export type AuthToken = { value: string, type: string };

package/src/service.ts

@@ -1,5 +1,6 @@
 
 import { DependencyRegistry, Inject, Injectable } from '@travetto/di';
+import { TimeUtil } from '@travetto/runtime';
 
 import { AuthenticatorTarget } from './internal/types';
 import { Principal } from './types/principal';
@@ -7,6 +8,7 @@ import { Authenticator } from './types/authenticator';
 import { Authorizer } from './types/authorizer';
 import { AuthenticationError } from './types/error';
 import { AuthContext } from './context';
+import { AuthConfig } from './config';
 
 @Injectable()
 export class AuthService {
@@ -14,6 +16,9 @@ export class AuthService {
   @Inject()
   authContext: AuthContext;
 
+  @Inject()
+  config: AuthConfig;
+
   #authenticators = new Map<symbol, Promise<Authenticator>>();
 
   @Inject()
@@ -72,4 +77,38 @@ export class AuthService {
     // Take the last error and return
     throw new AuthenticationError('Unable to authenticate', { cause: lastError });
   }
+
+  /**
+   * Manage expiry state, renewing if allowed
+   */
+  manageExpiry(p?: Principal): void {
+    if (!p) {
+      return;
+    }
+
+    if (this.config.maxAgeMs) {
+      p.expiresAt ??= TimeUtil.fromNow(this.config.maxAgeMs);
+    }
+
+    p.issuedAt ??= new Date();
+
+    if (p.expiresAt && this.config.maxAgeMs && this.config.rollingRenew) { // Session behavior
+      const end = p.expiresAt.getTime();
+      const midPoint = end - this.config.maxAgeMs / 2;
+      if (Date.now() > midPoint) { // If we are past the half way mark, renew the token
+        p.issuedAt = new Date();
+        p.expiresAt = TimeUtil.fromNow(this.config.maxAgeMs); // This will trigger a re-send
+      }
+    }
+  }
+
+  /**
+   * Enforce expiry, invalidating the principal if expired
+   */
+  enforceExpiry(p?: Principal): Principal | undefined {
+    if (p && p.expiresAt && p.expiresAt.getTime() < Date.now()) {
+      return undefined;
+    }
+    return p;
+  }
 }

package/src/types/principal.ts

@@ -2,14 +2,18 @@ import { AnyMap } from '@travetto/runtime';
 
 /**
  * A user principal, including permissions and details
- * @concrete ../internal/types#PrincipalTarget
  * @augments `@travetto/rest:Context`
+ * @concrete ../internal/types#PrincipalTarget
  */
 export interface Principal<D = AnyMap> {
   /**
    * Primary identifier for a user
    */
-  id: string;
+  readonly id: string;
+  /**
+   * Unique identifier for the principal's lifecycle
+   */
+  readonly sessionId?: string;
   /**
    * Date of expiration
    */
@@ -18,20 +22,16 @@ export interface Principal<D = AnyMap> {
    * Date of issuance
    */
   issuedAt?: Date;
-  /**
-   * Max age in seconds a principal is valid
-   */
-  maxAge?: number;
   /**
    * The source of the issuance
    */
-  issuer?: string;
+  readonly issuer?: string;
   /**
    * Supplemental details
    */
-  details: D;
+  readonly details: D;
   /**
    * List of all provided permissions
    */
-  permissions?: string[];
+  readonly permissions?: string[];
 }

package/src/types/token.ts

@@ -0,0 +1 @@
+export type AuthToken = { value: string, type: string };