@tstdl/base 0.93.86 → 0.93.89

package/authentication/server/subject.service.js

@@ -5,73 +5,55 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
 import { BadRequestError } from '../../errors/bad-request.error.js';
-import { formatPersonName } from '../../formats/formats.js';
 import { Singleton } from '../../injector/index.js';
 import { injectRepository } from '../../orm/server/index.js';
 import { mailPattern } from '../../utils/patterns.js';
-import { assertNotNull, isDefined, isUndefined } from '../../utils/type-guards.js';
-import { ServiceAccount, Subject, SubjectType, SystemAccount, User, UserStatus } from '../models/index.js';
+import { isDefined, isUndefined } from '../../utils/type-guards.js';
+import { ServiceAccount, Subject, SubjectStatus, SubjectType, SystemAccount, User } from '../models/index.js';
 let SubjectService = class SubjectService {
     #subjectRepository = injectRepository(Subject);
     #systemAccountRepository = injectRepository(SystemAccount);
     #userRepository = injectRepository(User);
     #serviceAccountRepository = injectRepository(ServiceAccount);
-    async getSubject(id) {
-        return await this.#subjectRepository.load(id);
+    async getSubject(id, options) {
+        return await this.#subjectRepository.load(id, options);
     }
-    async tryGetSubject(id) {
-        return await this.#subjectRepository.tryLoad(id);
+    async tryGetSubject(id, options) {
+        return await this.#subjectRepository.tryLoad(id, options);
     }
-    async getSystemAccountSubject(tenantId, identifier) {
-        return await this.#subjectRepository.transaction(async (tx) => {
-            let systemAccount = await this.#systemAccountRepository.withTransaction(tx).tryLoadByQuery({
+    async getSystemAccount(tenantId, identifier) {
+        const systemAccount = await this.#systemAccountRepository.tryLoadByQuery({
+            tenantId,
+            identifier,
+        });
+        if (isUndefined(systemAccount)) {
+            return await this.#systemAccountRepository.insert({
+                type: SubjectType.System,
                 tenantId,
                 identifier,
+                status: SubjectStatus.Active,
+                displayName: `System: ${identifier}`,
+                lastActivityTimestamp: null,
             });
-            if (isUndefined(systemAccount)) {
-                systemAccount = await this.#systemAccountRepository.withTransaction(tx).insert({
-                    tenantId,
-                    identifier,
-                });
-                return await this.#subjectRepository.withTransaction(tx).insert({
-                    type: SubjectType.System,
-                    tenantId,
-                    systemAccountId: systemAccount.id,
-                    displayName: `System: ${identifier}`,
-                    userId: null,
-                    serviceAccountId: null,
-                });
-            }
-            return await this.#subjectRepository.withTransaction(tx).loadByQuery({
-                tenantId,
-                systemAccountId: systemAccount.id,
-            });
-        });
+        }
+        return systemAccount;
     }
     async createUser(data) {
         const { tenantId, email, firstName, lastName, status } = data;
-        return await this.#userRepository.transaction(async (tx) => {
-            const user = await this.#userRepository.withTransaction(tx).insert({
-                tenantId,
-                email,
-                firstName,
-                lastName,
-                status: status ?? UserStatus.Active,
-            });
-            await this.#subjectRepository.withTransaction(tx).insert({
-                tenantId,
-                type: SubjectType.User,
-                displayName: `${firstName} ${lastName}`,
-                systemAccountId: null,
-                userId: user.id,
-                serviceAccountId: null,
-            });
-            return user;
+        return await this.#userRepository.insert({
+            type: SubjectType.User,
+            tenantId,
+            email,
+            firstName,
+            lastName,
+            status: status ?? SubjectStatus.Active,
+            lastActivityTimestamp: null,
         });
     }
     async updateUser(tenantId, userId, data) {
         const { firstName, lastName, status } = data;
         await this.#userRepository.transaction(async (tx) => {
+            const userRepository = this.#userRepository.withTransaction(tx);
             const updateData = {};
             if (isDefined(firstName)) {
                 updateData.firstName = firstName;
@@ -83,10 +65,7 @@ let SubjectService = class SubjectService {
                 updateData.status = status;
             }
             if (Object.keys(updateData).length > 0) {
-                const updatedUser = await this.#userRepository.withTransaction(tx).updateByQuery({ tenantId, userId }, updateData);
-                if (isDefined(firstName) || isDefined(lastName)) {
-                    await this.#subjectRepository.withTransaction(tx).updateByQuery({ tenantId, userId }, { displayName: formatPersonName(updatedUser) });
-                }
+                await userRepository.updateByQuery({ tenantId, id: userId }, updateData);
             }
         });
     }
@@ -95,10 +74,10 @@ let SubjectService = class SubjectService {
         if (!mailPattern.test(email)) {
             throw new BadRequestError(`Invalid email format.`);
         }
-        await this.#userRepository.updateByQuery({ tenantId, userId }, { email });
+        await this.#userRepository.updateByQuery({ tenantId, id: userId }, { email });
     }
-    async getUserSubject(tenantId, userId) {
-        return await this.#subjectRepository.loadByQuery({ tenantId, userId });
+    async getUser(tenantId, userId) {
+        return await this.#userRepository.loadByQuery({ tenantId, id: userId });
     }
     async getUserByEmail(tenantId, email) {
         return await this.#userRepository.loadByQuery({ tenantId, email });
@@ -111,48 +90,71 @@ let SubjectService = class SubjectService {
         return isDefined(user);
     }
     async getUserBySubject(subject) {
-        assertNotNull(subject.userId, 'Subject is not a user subject');
-        return await this.#userRepository.load(subject.userId);
+        if (subject instanceof User) {
+            return subject;
+        }
+        if (subject.type != SubjectType.User) {
+            throw new BadRequestError('Subject is not a user subject');
+        }
+        return await this.#userRepository.loadByQuery({ tenantId: subject.tenantId, id: subject.id });
     }
     async loadManyUsersByEmails(tenantId, emails) {
         return await this.#userRepository.loadManyByQuery({ tenantId, email: { $in: emails } });
     }
     async createServiceAccount(data) {
-        const { tenantId, description, parent } = data;
-        return await this.#serviceAccountRepository.transaction(async (tx) => {
-            const serviceAccount = await this.#serviceAccountRepository.withTransaction(tx).insert({
-                tenantId,
-                description,
-                parent,
-            });
-            await this.#subjectRepository.withTransaction(tx).insert({
-                tenantId,
-                type: SubjectType.ServiceAccount,
-                displayName: description,
-                userId: null,
-                systemAccountId: null,
-                serviceAccountId: serviceAccount.id,
-            });
-            return serviceAccount;
+        const { tenantId, description, displayName, parent, status } = data;
+        return await this.#serviceAccountRepository.insert({
+            type: SubjectType.ServiceAccount,
+            tenantId,
+            description,
+            displayName,
+            parent,
+            status: status ?? SubjectStatus.Active,
+            lastActivityTimestamp: null,
         });
     }
     async updateServiceAccount(tenantId, serviceAccountId, data) {
-        const { displayName, description } = data;
-        await this.#subjectRepository.transaction(async (tx) => {
-            if (isDefined(displayName)) {
-                await this.#subjectRepository.withTransaction(tx).updateByQuery({ tenantId, serviceAccountId }, { displayName });
-            }
-            if (isDefined(description)) {
-                await this.#serviceAccountRepository.withTransaction(tx).updateByQuery({ tenantId, serviceAccountId }, { description });
-            }
-        });
+        const { displayName, description, status } = data;
+        const update = {};
+        if (isDefined(displayName)) {
+            update.displayName = displayName;
+        }
+        if (isDefined(description)) {
+            update.description = description;
+        }
+        if (isDefined(status)) {
+            update.status = status;
+        }
+        if (Object.keys(update).length > 0) {
+            await this.#serviceAccountRepository.updateByQuery({ tenantId, id: serviceAccountId }, update);
+        }
     }
-    async getServiceAccountSubject(tenantId, serviceAccountId) {
-        return await this.#subjectRepository.loadByQuery({ tenantId, serviceAccountId });
+    async getServiceAccount(tenantId, serviceAccountId) {
+        return await this.#serviceAccountRepository.loadByQuery({ tenantId, id: serviceAccountId });
     }
     async getServiceAccountBySubject(subject) {
-        assertNotNull(subject.serviceAccountId, 'Subject is not a service account subject');
-        return await this.#serviceAccountRepository.load(subject.serviceAccountId);
+        if (subject instanceof ServiceAccount) {
+            return subject;
+        }
+        if (subject.type != SubjectType.ServiceAccount) {
+            throw new BadRequestError('Subject is not a service account subject');
+        }
+        return await this.#serviceAccountRepository.loadByQuery({ tenantId: subject.tenantId, id: subject.id });
+    }
+    async exists(tenantId, id) {
+        return await this.#subjectRepository.hasByQuery({ tenantId, id });
+    }
+    async deleteUser(tenantId, userId) {
+        await this.#userRepository.deleteByQuery({ tenantId, id: userId });
+    }
+    async deleteServiceAccount(tenantId, serviceAccountId) {
+        await this.#serviceAccountRepository.deleteByQuery({ tenantId, id: serviceAccountId });
+    }
+    async listUsers(tenantId) {
+        return await this.#userRepository.loadManyByQuery({ tenantId });
+    }
+    async listServiceAccounts(tenantId) {
+        return await this.#serviceAccountRepository.loadManyByQuery({ tenantId });
     }
 };
 SubjectService = __decorate([

package/authentication/tests/authentication-ancillary.service.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/authentication-ancillary.service.test.js

@@ -0,0 +1,13 @@
+import { describe, expect, test } from 'vitest';
+import { runInInjectionContext } from '../../injector/index.js';
+import { setupIntegrationTest } from '../../unit-test/index.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationAncillaryService', () => {
+    test('default implementation should be abstract or have defaults', async () => {
+        const { injector } = await setupIntegrationTest({ modules: { authentication: true } });
+        await runInInjectionContext(injector, async () => {
+            const service = await injector.resolveAsync(DefaultAuthenticationAncillaryService);
+            expect(await service.canImpersonate({}, {}, {})).toBe(true);
+        });
+    });
+});

package/authentication/tests/authentication-secret-requirements.validator.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/authentication-secret-requirements.validator.test.js

@@ -0,0 +1,29 @@
+import { describe, expect, it } from 'vitest';
+import { SecretRequirementsError } from '../errors/secret-requirements.error.js';
+import { DefaultAuthenticationSecretRequirementsValidator } from '../server/authentication-secret-requirements.validator.js';
+describe('DefaultAuthenticationSecretRequirementsValidator', () => {
+    const validator = new DefaultAuthenticationSecretRequirementsValidator();
+    it('should return success when password is strong and not pwned', async () => {
+        // A very long random string is unlikely to be pwned and will be strong
+        const result = await validator.testSecretRequirements('Very-Strong-And-Long-Password-2026!@#$%^&*()');
+        expect(result.success).toBe(true);
+    });
+    it('should return failure when password is pwned', async () => {
+        // "password" is definitely pwned
+        const result = await validator.testSecretRequirements('password');
+        expect(result.success).toBe(false);
+        expect(result.reason).toContain('exposed in data breach');
+    });
+    it('should return failure when password is too weak', async () => {
+        // "abc" is too weak (and likely pwned)
+        const result = await validator.testSecretRequirements('abc');
+        expect(result.success).toBe(false);
+        expect(result.reason).toBeDefined();
+    });
+    it('should throw SecretRequirementsError on validation failure', async () => {
+        await expect(validator.validateSecretRequirements('abc')).rejects.toThrow(SecretRequirementsError);
+    });
+    it('should not throw on validation success', async () => {
+        await expect(validator.validateSecretRequirements('Very-Strong-And-Long-Password-2026!@#$%^&*()')).resolves.not.toThrow();
+    });
+});

package/authentication/tests/authentication.api-controller.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/authentication.api-controller.test.js

@@ -0,0 +1,88 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { AuthenticationClientService } from '../../authentication/client/index.js';
+import { AuthenticationAncillaryService, AuthenticationService as AuthenticationServerService } from '../../authentication/server/index.js';
+import { HttpClientOptions } from '../../http/client/index.js';
+import { HttpServer } from '../../http/server/index.js';
+import { runInInjectionContext } from '../../injector/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../unit-test/index.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationApiController Integration', () => {
+    let injector;
+    let database;
+    let service;
+    let serverService;
+    let subjectService;
+    let server;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true, audit: true, keyValueStore: true, test: true, api: true, webServer: true },
+            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+        }));
+        await runInInjectionContext(injector, async () => {
+            server = injector.resolve(HttpServer);
+            const httpClientOptions = injector.resolve(HttpClientOptions);
+            httpClientOptions.baseUrl = `http://localhost:${server.port}`;
+            serverService = await injector.resolveAsync(AuthenticationServerService);
+            subjectService = await injector.resolveAsync(SubjectService);
+            service = await injector.resolveAsync(AuthenticationClientService);
+            service.initialize();
+        });
+    });
+    afterAll(async () => {
+        await server?.close(1000);
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('login should work via API client', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'api-login@example.com', firstName: 'A', lastName: 'L' });
+            await serverService.setCredentials(user, 'Strong-Password-2026!');
+            await service.login({ tenantId, subject: user.id }, 'Strong-Password-2026!');
+            expect(service.isLoggedIn()).toBe(true);
+            expect(service.subjectId()).toBe(user.id);
+        });
+    });
+    test('checkSecret should work via API client', async () => {
+        const result = await service.checkSecret('abc');
+        expect(result.strength).toBeLessThan(2);
+    });
+    test('refresh should work via API client', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'api-refresh@example.com', firstName: 'A', lastName: 'L' });
+            await serverService.setCredentials(user, 'Strong-Password-2026!');
+            await service.login({ tenantId, subject: user.id }, 'Strong-Password-2026!');
+            const initialToken = service.token()?.jti;
+            await service.refresh();
+            expect(service.token()?.jti).not.toBe(initialToken);
+        });
+    });
+    test('impersonation should work via API client', async () => {
+        await runInInjectionContext(injector, async () => {
+            const admin = await subjectService.createUser({ tenantId, email: 'api-admin@example.com', firstName: 'A', lastName: 'D' });
+            const user = await subjectService.createUser({ tenantId, email: 'api-user@example.com', firstName: 'U', lastName: 'S' });
+            await serverService.setCredentials(admin, 'Admin-Pass-123!');
+            await service.login({ tenantId, subject: admin.id }, 'Admin-Pass-123!');
+            await service.impersonate(user.id);
+            expect(service.subjectId()).toBe(user.id);
+            expect(service.token()?.impersonator).toBe(admin.id);
+            await service.unimpersonate();
+            expect(service.subjectId()).toBe(admin.id);
+        });
+    });
+    test('secret reset should work via API client', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'api-reset@example.com', firstName: 'A', lastName: 'L' });
+            const ancillaryService = injector.resolve(AuthenticationAncillaryService);
+            await service.initResetSecret({ tenantId, subject: user.id }, undefined);
+            expect(ancillaryService.lastResetData).toBeDefined();
+            await service.resetSecret(ancillaryService.lastResetData.token, 'New-API-Pass-123!');
+            await service.login({ tenantId, subject: user.id }, 'New-API-Pass-123!');
+            expect(service.isLoggedIn()).toBe(true);
+        });
+    });
+});

package/authentication/tests/authentication.api-request-token.provider.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/authentication.api-request-token.provider.test.js

@@ -0,0 +1,48 @@
+import { afterAll, beforeAll, describe, expect, test } from 'vitest';
+import { AuthenticationApiRequestTokenProvider } from '../../authentication/server/authentication-api-request-token.provider.js';
+import { AuthenticationService } from '../../authentication/server/index.js';
+import { runInInjectionContext } from '../../injector/index.js';
+import { setupIntegrationTest } from '../../unit-test/index.js';
+import { SubjectService } from '../server/subject.service.js';
+describe('AuthenticationApiRequestTokenProvider', () => {
+    let injector;
+    let authenticationService;
+    let subjectService;
+    let tokenProvider;
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector } = await setupIntegrationTest({ modules: { authentication: true, test: true } }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        tokenProvider = injector.resolve(AuthenticationApiRequestTokenProvider);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    test('should extract and validate token', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'provider-test@example.com', firstName: 'P', lastName: 'T' });
+            const tokenResult = await authenticationService.getToken(user, undefined);
+            const request = {
+                headers: {
+                    tryGet: (name) => name == 'Authorization' ? `Bearer ${tokenResult.token}` : undefined,
+                },
+                cookies: {
+                    tryGet: () => undefined,
+                },
+            };
+            const data = { request };
+            const token = await tokenProvider.tryGetToken(data);
+            expect(token.payload.subject).toBe(user.id);
+        });
+    });
+    test('should return null if no token', async () => {
+        const request = {
+            headers: { tryGet: () => undefined },
+            cookies: { tryGet: () => undefined },
+        };
+        const data = { request };
+        const token = await tokenProvider.tryGetToken(data);
+        expect(token).toBeNull();
+    });
+});

package/authentication/tests/authentication.client-middleware.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/authentication.client-middleware.test.js

@@ -0,0 +1,23 @@
+import { of } from 'rxjs';
+import { describe, expect, test, vi } from 'vitest';
+import { HttpClientRequest } from '../../http/client/index.js';
+import { waitForAuthenticationCredentialsMiddleware } from '../client/http-client.middleware.js';
+describe('waitForAuthenticationCredentialsMiddleware', () => {
+    test('should wait for token and call next', async () => {
+        const authenticationServiceMock = {
+            token: vi.fn().mockReturnValue({ jti: 'test-token' }),
+            validToken$: of({ jti: 'test-token' }),
+            hasValidToken: true,
+        };
+        const middleware = waitForAuthenticationCredentialsMiddleware(authenticationServiceMock);
+        const request = new HttpClientRequest('http://localhost');
+        request.context = {
+            endpoint: {
+                credentials: true,
+            },
+        };
+        const next = vi.fn().mockResolvedValue(undefined);
+        await middleware({ request }, next);
+        expect(next).toHaveBeenCalled();
+    });
+});

package/authentication/tests/authentication.client-service.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/authentication.client-service.test.js

@@ -0,0 +1,70 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { AuthenticationClientService } from '../../authentication/client/index.js';
+import { AuthenticationService as AuthenticationServerService } from '../../authentication/server/index.js';
+import { HttpClientOptions } from '../../http/client/index.js';
+import { HttpServer } from '../../http/server/index.js';
+import { runInInjectionContext } from '../../injector/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../unit-test/index.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationClientService Integration', () => {
+    let injector;
+    let database;
+    let service;
+    let serverService;
+    let subjectService;
+    let server;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true, audit: true, keyValueStore: true, test: true, api: true, webServer: true },
+            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+        }));
+        await runInInjectionContext(injector, async () => {
+            server = injector.resolve(HttpServer);
+            const httpClientOptions = injector.resolve(HttpClientOptions);
+            httpClientOptions.baseUrl = `http://localhost:${server.port}`;
+            serverService = await injector.resolveAsync(AuthenticationServerService);
+            subjectService = await injector.resolveAsync(SubjectService);
+            service = await injector.resolveAsync(AuthenticationClientService);
+            service.initialize();
+        });
+    });
+    afterAll(async () => {
+        await server?.close(1000);
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('login and logout should work', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'client-test@example.com', firstName: 'C', lastName: 'T' });
+            await serverService.setCredentials(user, 'Strong-Pass-2026!');
+            expect(service.isLoggedIn()).toBe(false);
+            await service.login({ tenantId, subject: user.id }, 'Strong-Pass-2026!');
+            expect(service.isLoggedIn()).toBe(true);
+            expect(service.subjectId()).toBe(user.id);
+            await service.logout();
+            expect(service.isLoggedIn()).toBe(false);
+        });
+    });
+    test('refresh should work', async () => {
+        await runInInjectionContext(injector, async () => {
+            const user = await subjectService.createUser({ tenantId, email: 'refresh-test@example.com', firstName: 'R', lastName: 'T' });
+            await serverService.setCredentials(user, 'Strong-Pass-2026!');
+            await service.login({ tenantId, subject: user.id }, 'Strong-Pass-2026!');
+            const initialToken = service.token()?.jti;
+            await service.refresh();
+            expect(service.token()?.jti).not.toBe(initialToken);
+            expect(service.isLoggedIn()).toBe(true);
+        });
+    });
+    test('checkSecret should work', async () => {
+        const result = await service.checkSecret('123');
+        expect(result.strength).toBeLessThan(2);
+        const strongResult = await service.checkSecret('Very-Strong-Password-2026-!@#$');
+        expect(strongResult.strength).toBeGreaterThanOrEqual(2);
+    });
+});

package/authentication/tests/authentication.service.test.d.ts

@@ -0,0 +1 @@
+export {};