@twin.org/api-auth-entity-storage-service 0.0.3-next.22 → 0.0.3-next.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. package/dist/es/entities/authenticationAuditEntry.js +101 -0
  2. package/dist/es/entities/authenticationAuditEntry.js.map +1 -0
  3. package/dist/es/entities/authenticationRateEntry.js +37 -0
  4. package/dist/es/entities/authenticationRateEntry.js.map +1 -0
  5. package/dist/es/index.js +9 -0
  6. package/dist/es/index.js.map +1 -1
  7. package/dist/es/models/IAuthHeaderProcessorConstructorOptions.js.map +1 -1
  8. package/dist/es/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js.map +1 -1
  9. package/dist/es/models/IEntityStorageAuthenticationAuditServiceConfig.js +4 -0
  10. package/dist/es/models/IEntityStorageAuthenticationAuditServiceConfig.js.map +1 -0
  11. package/dist/es/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js +2 -0
  12. package/dist/es/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js.map +1 -0
  13. package/dist/es/models/IEntityStorageAuthenticationRateServiceConfig.js +2 -0
  14. package/dist/es/models/IEntityStorageAuthenticationRateServiceConfig.js.map +1 -0
  15. package/dist/es/models/IEntityStorageAuthenticationRateServiceConstructorOptions.js +2 -0
  16. package/dist/es/models/IEntityStorageAuthenticationRateServiceConstructorOptions.js.map +1 -0
  17. package/dist/es/models/IEntityStorageAuthenticationServiceConfig.js +0 -2
  18. package/dist/es/models/IEntityStorageAuthenticationServiceConfig.js.map +1 -1
  19. package/dist/es/models/IEntityStorageAuthenticationServiceConstructorOptions.js.map +1 -1
  20. package/dist/es/processors/authHeaderProcessor.js +18 -4
  21. package/dist/es/processors/authHeaderProcessor.js.map +1 -1
  22. package/dist/es/restEntryPoints.js +7 -0
  23. package/dist/es/restEntryPoints.js.map +1 -1
  24. package/dist/es/routes/entityStorageAuthenticationAuditRoutes.js +174 -0
  25. package/dist/es/routes/entityStorageAuthenticationAuditRoutes.js.map +1 -0
  26. package/dist/es/schema.js +4 -0
  27. package/dist/es/schema.js.map +1 -1
  28. package/dist/es/services/entityStorageAuthenticationAdminService.js +59 -4
  29. package/dist/es/services/entityStorageAuthenticationAdminService.js.map +1 -1
  30. package/dist/es/services/entityStorageAuthenticationAuditService.js +178 -0
  31. package/dist/es/services/entityStorageAuthenticationAuditService.js.map +1 -0
  32. package/dist/es/services/entityStorageAuthenticationRateService.js +202 -0
  33. package/dist/es/services/entityStorageAuthenticationRateService.js.map +1 -0
  34. package/dist/es/services/entityStorageAuthenticationService.js +152 -8
  35. package/dist/es/services/entityStorageAuthenticationService.js.map +1 -1
  36. package/dist/es/utils/tokenHelper.js +11 -1
  37. package/dist/es/utils/tokenHelper.js.map +1 -1
  38. package/dist/types/entities/authenticationAuditEntry.d.ts +49 -0
  39. package/dist/types/entities/authenticationRateEntry.d.ts +17 -0
  40. package/dist/types/index.d.ts +9 -0
  41. package/dist/types/models/IAuthHeaderProcessorConstructorOptions.d.ts +5 -0
  42. package/dist/types/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.d.ts +5 -0
  43. package/dist/types/models/IEntityStorageAuthenticationAuditServiceConfig.d.ts +9 -0
  44. package/dist/types/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.d.ts +15 -0
  45. package/dist/types/models/IEntityStorageAuthenticationRateServiceConfig.d.ts +10 -0
  46. package/dist/types/models/IEntityStorageAuthenticationRateServiceConstructorOptions.d.ts +20 -0
  47. package/dist/types/models/IEntityStorageAuthenticationServiceConfig.d.ts +17 -1
  48. package/dist/types/models/IEntityStorageAuthenticationServiceConstructorOptions.d.ts +10 -0
  49. package/dist/types/routes/entityStorageAuthenticationAuditRoutes.d.ts +29 -0
  50. package/dist/types/services/entityStorageAuthenticationAuditService.d.ts +59 -0
  51. package/dist/types/services/entityStorageAuthenticationRateService.d.ts +60 -0
  52. package/dist/types/services/entityStorageAuthenticationService.d.ts +6 -0
  53. package/dist/types/utils/tokenHelper.d.ts +2 -1
  54. package/docs/changelog.md +16 -0
  55. package/docs/reference/classes/AuthenticationAuditEntry.md +101 -0
  56. package/docs/reference/classes/AuthenticationRateEntry.md +37 -0
  57. package/docs/reference/classes/EntityStorageAuthenticationAdminService.md +4 -4
  58. package/docs/reference/classes/EntityStorageAuthenticationAuditService.md +157 -0
  59. package/docs/reference/classes/EntityStorageAuthenticationRateService.md +227 -0
  60. package/docs/reference/classes/EntityStorageAuthenticationService.md +26 -0
  61. package/docs/reference/classes/TokenHelper.md +7 -1
  62. package/docs/reference/functions/authenticationAuditCreate.md +31 -0
  63. package/docs/reference/functions/authenticationAuditQuery.md +31 -0
  64. package/docs/reference/functions/generateRestRoutesAuthenticationAudit.md +25 -0
  65. package/docs/reference/index.md +12 -0
  66. package/docs/reference/interfaces/IAuthHeaderProcessorConstructorOptions.md +14 -0
  67. package/docs/reference/interfaces/IEntityStorageAuthenticationAdminServiceConstructorOptions.md +14 -0
  68. package/docs/reference/interfaces/IEntityStorageAuthenticationAuditServiceConfig.md +11 -0
  69. package/docs/reference/interfaces/IEntityStorageAuthenticationAuditServiceConstructorOptions.md +25 -0
  70. package/docs/reference/interfaces/IEntityStorageAuthenticationRateServiceConfig.md +17 -0
  71. package/docs/reference/interfaces/IEntityStorageAuthenticationRateServiceConstructorOptions.md +39 -0
  72. package/docs/reference/interfaces/IEntityStorageAuthenticationServiceConfig.md +43 -1
  73. package/docs/reference/interfaces/IEntityStorageAuthenticationServiceConstructorOptions.md +28 -0
  74. package/docs/reference/variables/tagsAuthenticationAudit.md +5 -0
  75. package/locales/en.json +10 -1
  76. package/package.json +5 -4
package/dist/es/entities/authenticationAuditEntry.js ADDED
@@ -0,0 +1,101 @@
1
+ // Copyright 2026 IOTA Stiftung.
2
+ // SPDX-License-Identifier: Apache-2.0.
3
+ import { entity, property } from "@twin.org/entity";
4
+ /**
5
+ * Class defining the storage for authentication audit entries.
6
+ */
7
+ let AuthenticationAuditEntry = class AuthenticationAuditEntry {
8
+ /**
9
+ * The unique identifier for the audit entry.
10
+ */
11
+ id;
12
+ /**
13
+ * The timestamp of the audit entry in ISO 8601 format.
14
+ */
15
+ dateCreated;
16
+ /**
17
+ * The audit event that occurred.
18
+ */
19
+ event;
20
+ /**
21
+ * The actor identifier, could be e-mail, username, or other unique identifier.
22
+ */
23
+ actorId;
24
+ /**
25
+ * The node identifier associated with the audit entry, if applicable.
26
+ */
27
+ nodeId;
28
+ /**
29
+ * The organization identifier associated with the audit entry, if applicable.
30
+ */
31
+ organizationId;
32
+ /**
33
+ * The tenant identifier associated with the audit entry, if applicable.
34
+ */
35
+ tenantId;
36
+ /**
37
+ * The hashed IP addresses of the client.
38
+ */
39
+ ipAddressHashes;
40
+ /**
41
+ * The user agent string of the client.
42
+ */
43
+ userAgent;
44
+ /**
45
+ * The correlation ID for request tracing.
46
+ */
47
+ correlationId;
48
+ /**
49
+ * Additional data related to the audit entry, such as IP address, user agent, etc.
50
+ */
51
+ data;
52
+ };
53
+ __decorate([
54
+ property({ type: "string", isPrimary: true }),
55
+ __metadata("design:type", String)
56
+ ], AuthenticationAuditEntry.prototype, "id", void 0);
57
+ __decorate([
58
+ property({ type: "string", isSecondary: true }),
59
+ __metadata("design:type", String)
60
+ ], AuthenticationAuditEntry.prototype, "dateCreated", void 0);
61
+ __decorate([
62
+ property({ type: "string", isSecondary: true }),
63
+ __metadata("design:type", String)
64
+ ], AuthenticationAuditEntry.prototype, "event", void 0);
65
+ __decorate([
66
+ property({ type: "string", isSecondary: true, optional: true }),
67
+ __metadata("design:type", String)
68
+ ], AuthenticationAuditEntry.prototype, "actorId", void 0);
69
+ __decorate([
70
+ property({ type: "string", isSecondary: true, optional: true }),
71
+ __metadata("design:type", String)
72
+ ], AuthenticationAuditEntry.prototype, "nodeId", void 0);
73
+ __decorate([
74
+ property({ type: "string", isSecondary: true, optional: true }),
75
+ __metadata("design:type", String)
76
+ ], AuthenticationAuditEntry.prototype, "organizationId", void 0);
77
+ __decorate([
78
+ property({ type: "string", isSecondary: true, optional: true }),
79
+ __metadata("design:type", String)
80
+ ], AuthenticationAuditEntry.prototype, "tenantId", void 0);
81
+ __decorate([
82
+ property({ type: "array", optional: true }),
83
+ __metadata("design:type", Array)
84
+ ], AuthenticationAuditEntry.prototype, "ipAddressHashes", void 0);
85
+ __decorate([
86
+ property({ type: "string", optional: true }),
87
+ __metadata("design:type", String)
88
+ ], AuthenticationAuditEntry.prototype, "userAgent", void 0);
89
+ __decorate([
90
+ property({ type: "string", optional: true }),
91
+ __metadata("design:type", String)
92
+ ], AuthenticationAuditEntry.prototype, "correlationId", void 0);
93
+ __decorate([
94
+ property({ type: "object", optional: true }),
95
+ __metadata("design:type", Object)
96
+ ], AuthenticationAuditEntry.prototype, "data", void 0);
97
+ AuthenticationAuditEntry = __decorate([
98
+ entity()
99
+ ], AuthenticationAuditEntry);
100
+ export { AuthenticationAuditEntry };
101
+ //# sourceMappingURL=authenticationAuditEntry.js.map
package/dist/es/entities/authenticationAuditEntry.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authenticationAuditEntry.js","sourceRoot":"","sources":["../../../src/entities/authenticationAuditEntry.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEpD;;GAEG;AAEI,IAAM,wBAAwB,GAA9B,MAAM,wBAAwB;IACpC;;OAEG;IAEI,EAAE,CAAU;IAEnB;;OAEG;IAEI,WAAW,CAAU;IAE5B;;OAEG;IAEI,KAAK,CAAU;IAEtB;;OAEG;IAEI,OAAO,CAAU;IAExB;;OAEG;IAEI,MAAM,CAAU;IAEvB;;OAEG;IAEI,cAAc,CAAU;IAE/B;;OAEG;IAEI,QAAQ,CAAU;IAEzB;;OAEG;IAEI,eAAe,CAAY;IAElC;;OAEG;IAEI,SAAS,CAAU;IAE1B;;OAEG;IAEI,aAAa,CAAU;IAE9B;;OAEG;IAEI,IAAI,CAAW;CACtB,CAAA;AA7DO;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;;oDAC3B;AAMZ;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;;6DACpB;AAMrB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;;uDAC1B;AAMf;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;yDACxC;AAMjB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;wDACzC;AAMhB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;gEACjC;AAMxB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;0DACvC;AAMlB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;iEACV;AAM3B;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;2DACnB;AAMnB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;+DACf;AAMvB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;sDACvB;AAjEV,wBAAwB;IADpC,MAAM,EAAE;GACI,wBAAwB,CAkEpC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { entity, property } from \"@twin.org/entity\";\n\n/**\n * Class defining the storage for authentication audit entries.\n */\n@entity()\nexport class AuthenticationAuditEntry {\n\t/**\n\t * The unique identifier for the audit entry.\n\t */\n\t@property({ type: \"string\", isPrimary: true })\n\tpublic id!: string;\n\n\t/**\n\t * The timestamp of the audit entry in ISO 8601 format.\n\t */\n\t@property({ type: \"string\", isSecondary: true })\n\tpublic dateCreated!: string;\n\n\t/**\n\t * The audit event that occurred.\n\t */\n\t@property({ type: \"string\", isSecondary: true })\n\tpublic event!: string;\n\n\t/**\n\t * The actor identifier, could be e-mail, username, or other unique identifier.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic actorId?: string;\n\n\t/**\n\t * The node identifier associated with the audit entry, if applicable.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic nodeId?: string;\n\n\t/**\n\t * The organization identifier associated with the audit entry, if applicable.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic organizationId?: string;\n\n\t/**\n\t * The tenant identifier associated with the audit entry, if applicable.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic tenantId?: string;\n\n\t/**\n\t * The hashed IP addresses of the client.\n\t */\n\t@property({ type: \"array\", optional: true })\n\tpublic ipAddressHashes?: string[];\n\n\t/**\n\t * The user agent string of the client.\n\t */\n\t@property({ type: \"string\", optional: true })\n\tpublic userAgent?: string;\n\n\t/**\n\t * The correlation ID for request tracing.\n\t */\n\t@property({ type: \"string\", optional: true })\n\tpublic correlationId?: string;\n\n\t/**\n\t * Additional data related to the audit entry, such as IP address, user agent, etc.\n\t */\n\t@property({ type: \"object\", optional: true })\n\tpublic data?: unknown;\n}\n"]}
package/dist/es/entities/authenticationRateEntry.js ADDED
@@ -0,0 +1,37 @@
1
+ // Copyright 2026 IOTA Stiftung.
2
+ // SPDX-License-Identifier: Apache-2.0.
3
+ import { entity, property } from "@twin.org/entity";
4
+ /**
5
+ * Class defining the storage for authentication rate entries.
6
+ */
7
+ let AuthenticationRateEntry = class AuthenticationRateEntry {
8
+ /**
9
+ * The id for the rate entry.
10
+ */
11
+ id;
12
+ /**
13
+ * Array of ISO date strings representing timestamps of failed attempts.
14
+ */
15
+ timestamps;
16
+ /**
17
+ * Last modification time in ISO date format.
18
+ */
19
+ dateModified;
20
+ };
21
+ __decorate([
22
+ property({ type: "string", isPrimary: true }),
23
+ __metadata("design:type", String)
24
+ ], AuthenticationRateEntry.prototype, "id", void 0);
25
+ __decorate([
26
+ property({ type: "array", itemType: "string" }),
27
+ __metadata("design:type", Array)
28
+ ], AuthenticationRateEntry.prototype, "timestamps", void 0);
29
+ __decorate([
30
+ property({ type: "string" }),
31
+ __metadata("design:type", String)
32
+ ], AuthenticationRateEntry.prototype, "dateModified", void 0);
33
+ AuthenticationRateEntry = __decorate([
34
+ entity()
35
+ ], AuthenticationRateEntry);
36
+ export { AuthenticationRateEntry };
37
+ //# sourceMappingURL=authenticationRateEntry.js.map
package/dist/es/entities/authenticationRateEntry.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authenticationRateEntry.js","sourceRoot":"","sources":["../../../src/entities/authenticationRateEntry.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEpD;;GAEG;AAEI,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IACnC;;OAEG;IAEI,EAAE,CAAU;IAEnB;;OAEG;IAEI,UAAU,CAAY;IAE7B;;OAEG;IAEI,YAAY,CAAU;CAC7B,CAAA;AAbO;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;;mDAC3B;AAMZ;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;;2DACnB;AAMtB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;6DACA;AAjBjB,uBAAuB;IADnC,MAAM,EAAE;GACI,uBAAuB,CAkBnC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { entity, property } from \"@twin.org/entity\";\n\n/**\n * Class defining the storage for authentication rate entries.\n */\n@entity()\nexport class AuthenticationRateEntry {\n\t/**\n\t * The id for the rate entry.\n\t */\n\t@property({ type: \"string\", isPrimary: true })\n\tpublic id!: string;\n\n\t/**\n\t * Array of ISO date strings representing timestamps of failed attempts.\n\t */\n\t@property({ type: \"array\", itemType: \"string\" })\n\tpublic timestamps!: string[];\n\n\t/**\n\t * Last modification time in ISO date format.\n\t */\n\t@property({ type: \"string\" })\n\tpublic dateModified!: string;\n}\n"]}
package/dist/es/index.js CHANGED
@@ -1,18 +1,27 @@
1
1
  // Copyright 2024 IOTA Stiftung.
2
2
  // SPDX-License-Identifier: Apache-2.0.
3
+ export * from "./entities/authenticationAuditEntry.js";
4
+ export * from "./entities/authenticationRateEntry.js";
3
5
  export * from "./entities/authenticationUser.js";
4
6
  export * from "./models/IAuthHeaderProcessorConfig.js";
5
7
  export * from "./models/IAuthHeaderProcessorConstructorOptions.js";
6
8
  export * from "./models/IEntityStorageAuthenticationAdminServiceConfig.js";
7
9
  export * from "./models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js";
10
+ export * from "./models/IEntityStorageAuthenticationAuditServiceConfig.js";
11
+ export * from "./models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js";
12
+ export * from "./models/IEntityStorageAuthenticationRateServiceConfig.js";
13
+ export * from "./models/IEntityStorageAuthenticationRateServiceConstructorOptions.js";
8
14
  export * from "./models/IEntityStorageAuthenticationServiceConfig.js";
9
15
  export * from "./models/IEntityStorageAuthenticationServiceConstructorOptions.js";
10
16
  export * from "./processors/authHeaderProcessor.js";
11
17
  export * from "./restEntryPoints.js";
12
18
  export * from "./routes/entityStorageAuthenticationAdminRoutes.js";
19
+ export * from "./routes/entityStorageAuthenticationAuditRoutes.js";
13
20
  export * from "./routes/entityStorageAuthenticationRoutes.js";
14
21
  export * from "./schema.js";
15
22
  export * from "./services/entityStorageAuthenticationAdminService.js";
23
+ export * from "./services/entityStorageAuthenticationAuditService.js";
24
+ export * from "./services/entityStorageAuthenticationRateService.js";
16
25
  export * from "./services/entityStorageAuthenticationService.js";
17
26
  export * from "./utils/tokenHelper.js";
18
27
  //# sourceMappingURL=index.js.map
package/dist/es/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,kCAAkC,CAAC;AACjD,cAAc,wCAAwC,CAAC;AACvD,cAAc,oDAAoD,CAAC;AACnE,cAAc,4DAA4D,CAAC;AAC3E,cAAc,wEAAwE,CAAC;AACvF,cAAc,uDAAuD,CAAC;AACtE,cAAc,mEAAmE,CAAC;AAClF,cAAc,qCAAqC,CAAC;AACpD,cAAc,sBAAsB,CAAC;AACrC,cAAc,oDAAoD,CAAC;AACnE,cAAc,+CAA+C,CAAC;AAC9D,cAAc,aAAa,CAAC;AAC5B,cAAc,uDAAuD,CAAC;AACtE,cAAc,kDAAkD,CAAC;AACjE,cAAc,wBAAwB,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./entities/authenticationUser.js\";\nexport * from \"./models/IAuthHeaderProcessorConfig.js\";\nexport * from \"./models/IAuthHeaderProcessorConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConstructorOptions.js\";\nexport * from \"./processors/authHeaderProcessor.js\";\nexport * from \"./restEntryPoints.js\";\nexport * from \"./routes/entityStorageAuthenticationAdminRoutes.js\";\nexport * from \"./routes/entityStorageAuthenticationRoutes.js\";\nexport * from \"./schema.js\";\nexport * from \"./services/entityStorageAuthenticationAdminService.js\";\nexport * from \"./services/entityStorageAuthenticationService.js\";\nexport * from \"./utils/tokenHelper.js\";\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,wCAAwC,CAAC;AACvD,cAAc,uCAAuC,CAAC;AACtD,cAAc,kCAAkC,CAAC;AACjD,cAAc,wCAAwC,CAAC;AACvD,cAAc,oDAAoD,CAAC;AACnE,cAAc,4DAA4D,CAAC;AAC3E,cAAc,wEAAwE,CAAC;AACvF,cAAc,4DAA4D,CAAC;AAC3E,cAAc,wEAAwE,CAAC;AACvF,cAAc,2DAA2D,CAAC;AAC1E,cAAc,uEAAuE,CAAC;AACtF,cAAc,uDAAuD,CAAC;AACtE,cAAc,mEAAmE,CAAC;AAClF,cAAc,qCAAqC,CAAC;AACpD,cAAc,sBAAsB,CAAC;AACrC,cAAc,oDAAoD,CAAC;AACnE,cAAc,oDAAoD,CAAC;AACnE,cAAc,+CAA+C,CAAC;AAC9D,cAAc,aAAa,CAAC;AAC5B,cAAc,uDAAuD,CAAC;AACtE,cAAc,uDAAuD,CAAC;AACtE,cAAc,sDAAsD,CAAC;AACrE,cAAc,kDAAkD,CAAC;AACjE,cAAc,wBAAwB,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./entities/authenticationAuditEntry.js\";\nexport * from \"./entities/authenticationRateEntry.js\";\nexport * from \"./entities/authenticationUser.js\";\nexport * from \"./models/IAuthHeaderProcessorConfig.js\";\nexport * from \"./models/IAuthHeaderProcessorConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationAuditServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationRateServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationRateServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConstructorOptions.js\";\nexport * from \"./processors/authHeaderProcessor.js\";\nexport * from \"./restEntryPoints.js\";\nexport * from \"./routes/entityStorageAuthenticationAdminRoutes.js\";\nexport * from \"./routes/entityStorageAuthenticationAuditRoutes.js\";\nexport * from \"./routes/entityStorageAuthenticationRoutes.js\";\nexport * from \"./schema.js\";\nexport * from \"./services/entityStorageAuthenticationAdminService.js\";\nexport * from \"./services/entityStorageAuthenticationAuditService.js\";\nexport * from \"./services/entityStorageAuthenticationRateService.js\";\nexport * from \"./services/entityStorageAuthenticationService.js\";\nexport * from \"./utils/tokenHelper.js\";\n"]}
package/dist/es/models/IAuthHeaderProcessorConstructorOptions.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"IAuthHeaderProcessorConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IAuthHeaderProcessorConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthHeaderProcessorConfig } from \"./IAuthHeaderProcessorConfig.js\";\n\n/**\n * Options for the AuthHeaderProcessor constructor.\n */\nexport interface IAuthHeaderProcessorConstructorOptions {\n\t/**\n\t * The vault for the private keys.\n\t * @default vault\n\t */\n\tvaultConnectorType?: string;\n\n\t/**\n\t * The configuration for the processor.\n\t */\n\tconfig?: IAuthHeaderProcessorConfig;\n}\n"]}
1
+ {"version":3,"file":"IAuthHeaderProcessorConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IAuthHeaderProcessorConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthHeaderProcessorConfig } from \"./IAuthHeaderProcessorConfig.js\";\n\n/**\n * Options for the AuthHeaderProcessor constructor.\n */\nexport interface IAuthHeaderProcessorConstructorOptions {\n\t/**\n\t * The admin service.\n\t * @default authentication-admin\n\t */\n\tauthenticationAdminServiceType?: string;\n\n\t/**\n\t * The vault for the private keys.\n\t * @default vault\n\t */\n\tvaultConnectorType?: string;\n\n\t/**\n\t * The configuration for the processor.\n\t */\n\tconfig?: IAuthHeaderProcessorConfig;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"IEntityStorageAuthenticationAdminServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationAdminServiceConfig } from \"./IEntityStorageAuthenticationAdminServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationAdminService constructor.\n */\nexport interface IEntityStorageAuthenticationAdminServiceConstructorOptions {\n\t/**\n\t * The entity storage for the users.\n\t * @default authentication-user\n\t */\n\tuserEntityStorageType?: string;\n\n\t/**\n\t * The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationAdminServiceConfig;\n}\n"]}
1
+ {"version":3,"file":"IEntityStorageAuthenticationAdminServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationAdminServiceConfig } from \"./IEntityStorageAuthenticationAdminServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationAdminService constructor.\n */\nexport interface IEntityStorageAuthenticationAdminServiceConstructorOptions {\n\t/**\n\t * The entity storage for the users.\n\t * @default authentication-user\n\t */\n\tuserEntityStorageType?: string;\n\n\t/**\n\t * The audit service.\n\t * @default authentication-audit\n\t */\n\tauthenticationAuditServiceType?: string;\n\n\t/**\n\t * The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationAdminServiceConfig;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationAuditServiceConfig.js ADDED
@@ -0,0 +1,4 @@
1
+ // Copyright 2026 IOTA Stiftung.
2
+ // SPDX-License-Identifier: Apache-2.0.
3
+ export {};
4
+ //# sourceMappingURL=IEntityStorageAuthenticationAuditServiceConfig.js.map
package/dist/es/models/IEntityStorageAuthenticationAuditServiceConfig.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"IEntityStorageAuthenticationAuditServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAuditServiceConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Config for the EntityStorageAuthenticationAuditService constructor.\n */\nexport interface IEntityStorageAuthenticationAuditServiceConfig {\n\t/**\n\t * The server-side salt for hashing IP addresses in audit logs, if configured.\n\t */\n\tipHashSalt?: string;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=IEntityStorageAuthenticationAuditServiceConstructorOptions.js.map
package/dist/es/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"IEntityStorageAuthenticationAuditServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationAuditServiceConfig } from \"./IEntityStorageAuthenticationAuditServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationAuditService constructor.\n */\nexport interface IEntityStorageAuthenticationAuditServiceConstructorOptions {\n\t/**\n\t * The entity storage for the audit entries.\n\t * @default authentication-audit-entry\n\t */\n\tauthenticationAuditEntryStorageType?: string;\n\n\t/**\n\t * The configuration for the authentication audit service.\n\t */\n\tconfig?: IEntityStorageAuthenticationAuditServiceConfig;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationRateServiceConfig.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=IEntityStorageAuthenticationRateServiceConfig.js.map
package/dist/es/models/IEntityStorageAuthenticationRateServiceConfig.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"IEntityStorageAuthenticationRateServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationRateServiceConfig.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n/**\n * Configuration for the entity storage authentication rate service.\n */\nexport interface IEntityStorageAuthenticationRateServiceConfig {\n\t/**\n\t * Interval between cleanup runs in minutes.\n\t * @default 5\n\t */\n\tcleanupIntervalMinutes?: number;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationRateServiceConstructorOptions.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=IEntityStorageAuthenticationRateServiceConstructorOptions.js.map
package/dist/es/models/IEntityStorageAuthenticationRateServiceConstructorOptions.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"IEntityStorageAuthenticationRateServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationRateServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationRateServiceConfig } from \"./IEntityStorageAuthenticationRateServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationRateService constructor.\n */\nexport interface IEntityStorageAuthenticationRateServiceConstructorOptions {\n\t/**\n\t * The entity storage for authentication rate entries.\n\t * @default authentication-rate-entry\n\t */\n\tauthenticationRateEntryStorageType?: string;\n\n\t/**\n\t * The task scheduler component type.\n\t * @default task-scheduler\n\t */\n\ttaskSchedulerComponentType?: string;\n\n\t/**\n\t * The configuration for the authentication rate service.\n\t */\n\tconfig?: IEntityStorageAuthenticationRateServiceConfig;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationServiceConfig.js CHANGED
@@ -1,4 +1,2 @@
1
- // Copyright 2024 IOTA Stiftung.
2
- // SPDX-License-Identifier: Apache-2.0.
3
1
  export {};
4
2
  //# sourceMappingURL=IEntityStorageAuthenticationServiceConfig.js.map
package/dist/es/models/IEntityStorageAuthenticationServiceConfig.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"IEntityStorageAuthenticationServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Configuration for the entity storage authentication service.\n */\nexport interface IEntityStorageAuthenticationServiceConfig {\n\t/**\n\t * The name of the key to retrieve from the vault for signing JWT.\n\t * @default auth-signing\n\t */\n\tsigningKeyName?: string;\n\n\t/**\n\t * The default time to live for the JWT.\n\t * @default 1440\n\t */\n\tdefaultTtlMinutes?: number;\n}\n"]}
1
+ {"version":3,"file":"IEntityStorageAuthenticationServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConfig.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthenticationRateActionConfig } from \"@twin.org/api-auth-entity-storage-models\";\n\n/**\n * Configuration for the entity storage authentication service.\n */\nexport interface IEntityStorageAuthenticationServiceConfig {\n\t/**\n\t * The name of the key to retrieve from the vault for signing JWT.\n\t * @default auth-signing\n\t */\n\tsigningKeyName?: string;\n\n\t/**\n\t * The default time to live for the JWT.\n\t * @default 60\n\t */\n\tdefaultTtlMinutes?: number;\n\n\t/**\n\t * Optional override for login failure rate limit.\n\t * @default { maxAttempts: 5, windowMinutes: 15 }\n\t */\n\tloginRateLimit?: IAuthenticationRateActionConfig;\n\n\t/**\n\t * Optional override for password change rate limit.\n\t * @default { maxAttempts: 5, windowMinutes: 15 }\n\t */\n\tpasswordChangeRateLimit?: IAuthenticationRateActionConfig;\n\n\t/**\n\t * Optional override for token refresh rate limit.\n\t * @default { maxAttempts: 30, windowMinutes: 60 }\n\t */\n\ttokenRefreshRateLimit?: IAuthenticationRateActionConfig;\n}\n"]}
package/dist/es/models/IEntityStorageAuthenticationServiceConstructorOptions.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"IEntityStorageAuthenticationServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationServiceConfig } from \"./IEntityStorageAuthenticationServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationService constructor.\n */\nexport interface IEntityStorageAuthenticationServiceConstructorOptions {\n\t/**\n\t * The entity storage for the users.\n\t * @default authentication-user\n\t */\n\tuserEntityStorageType?: string;\n\n\t/**\n\t * The vault for the private keys.\n\t * @default vault\n\t */\n\tvaultConnectorType?: string;\n\n\t/**\n\t * The admin service.\n\t * @default authentication-admin\n\t */\n\tauthenticationAdminServiceType?: string;\n\n\t/**\n\t * The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationServiceConfig;\n}\n"]}
1
+ {"version":3,"file":"IEntityStorageAuthenticationServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationServiceConfig } from \"./IEntityStorageAuthenticationServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationService constructor.\n */\nexport interface IEntityStorageAuthenticationServiceConstructorOptions {\n\t/**\n\t * The entity storage for the users.\n\t * @default authentication-user\n\t */\n\tuserEntityStorageType?: string;\n\n\t/**\n\t * The vault for the private keys.\n\t * @default vault\n\t */\n\tvaultConnectorType?: string;\n\n\t/**\n\t * The admin service.\n\t * @default authentication-admin\n\t */\n\tauthenticationAdminServiceType?: string;\n\n\t/**\n\t * The audit service.\n\t * @default authentication-audit\n\t */\n\tauthenticationAuditServiceType?: string;\n\n\t/**\n\t * The rate service.\n\t * @default authentication-rate\n\t */\n\tauthenticationRateServiceType?: string;\n\n\t/**\n\t * The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationServiceConfig;\n}\n"]}
package/dist/es/processors/authHeaderProcessor.js CHANGED
@@ -1,8 +1,6 @@
1
- // Copyright 2024 IOTA Stiftung.
2
- // SPDX-License-Identifier: Apache-2.0.
3
1
  import { HttpErrorHelper } from "@twin.org/api-models";
4
2
  import { ContextIdHelper, ContextIdKeys, ContextIdStore } from "@twin.org/context";
5
- import { BaseError, Coerce, GeneralError, Is } from "@twin.org/core";
3
+ import { BaseError, Coerce, ComponentFactory, GeneralError, Is } from "@twin.org/core";
6
4
  import { VaultConnectorFactory } from "@twin.org/vault-models";
7
5
  import { CookieHelper, HeaderTypes, HttpStatusCode } from "@twin.org/web";
8
6
  import { TokenHelper } from "../utils/tokenHelper.js";
@@ -24,6 +22,11 @@ export class AuthHeaderProcessor {
24
22
  * @internal
25
23
  */
26
24
  _vaultConnector;
25
+ /**
26
+ * The user admin service.
27
+ * @internal
28
+ */
29
+ _authenticationAdminService;
27
30
  /**
28
31
  * The name of the key to retrieve from the vault for signing JWT.
29
32
  * @internal
@@ -45,6 +48,7 @@ export class AuthHeaderProcessor {
45
48
  */
46
49
  constructor(options) {
47
50
  this._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
51
+ this._authenticationAdminService = ComponentFactory.get(options?.authenticationAdminServiceType ?? "authentication-admin");
48
52
  this._signingKeyName = options?.config?.signingKeyName ?? "auth-signing";
49
53
  this._cookieName = options?.config?.cookieName ?? AuthHeaderProcessor.DEFAULT_COOKIE_NAME;
50
54
  }
@@ -77,7 +81,17 @@ export class AuthHeaderProcessor {
77
81
  if (!Is.empty(route) && !(route.skipAuth ?? false)) {
78
82
  try {
79
83
  const tokenAndLocation = TokenHelper.extractTokenFromHeaders(request.headers, this._cookieName);
80
- const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeId}/${this._signingKeyName}`, tokenAndLocation?.token, route.requiredScope);
84
+ const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeId}/${this._signingKeyName}`, tokenAndLocation?.token, route.requiredScope, async (userIdentity, organizationIdentity) => {
85
+ const validParts = [];
86
+ const user = await this._authenticationAdminService.getByIdentity(userIdentity);
87
+ if (user?.userIdentity === userIdentity) {
88
+ validParts.push("user");
89
+ }
90
+ if (user?.organizationIdentity === organizationIdentity) {
91
+ validParts.push("organization");
92
+ }
93
+ return validParts;
94
+ });
81
95
  // If tenant id is defined in the context, then it must match the one in the token
82
96
  // but both can be undefined in a single tenant context
83
97
  if (contextIds?.[ContextIdKeys.Tenant] !== headerAndPayload?.payload?.tid) {
package/dist/es/processors/authHeaderProcessor.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authHeaderProcessor.js","sourceRoot":"","sources":["../../../src/processors/authHeaderProcessor.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EACN,eAAe,EAKf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACN,eAAe,EACf,aAAa,EACb,cAAc,EAEd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AAErE,OAAO,EAAE,qBAAqB,EAAwB,MAAM,wBAAwB,CAAC;AACrF,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE1E,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD;;GAEG;AACH,MAAM,OAAO,mBAAmB;IAC/B;;;OAGG;IACI,MAAM,CAAU,mBAAmB,GAAW,cAAc,CAAC;IAEpE;;OAEG;IACI,MAAM,CAAU,UAAU,yBAAyC;IAE1E;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,eAAe,CAAS;IAEzC;;;OAGG;IACc,WAAW,CAAS;IAErC;;;OAGG;IACK,OAAO,CAAU;IAEzB;;;OAGG;IACH,YAAY,OAAgD;QAC3D,IAAI,CAAC,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,OAAO,EAAE,kBAAkB,IAAI,OAAO,CAAC,CAAC;QACzF,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,MAAM,EAAE,cAAc,IAAI,cAAc,CAAC;QACzE,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC,mBAAmB,CAAC;IAC3F,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,mBAAmB,CAAC,UAAU,CAAC;IACvC,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,KAAK,CAAC,wBAAiC;QACnD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,CAAC;QACxD,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,GAAG,CACf,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC;gBACJ,MAAM,gBAAgB,GAAG,WAAW,CAAC,uBAAuB,CAC3D,OAAO,CAAC,OAAO,EACf,IAAI,CAAC,WAAW,CAChB,CAAC;gBAEF,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,MAAM,CAChD,IAAI,CAAC,eAAe,EACpB,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,EACzC,gBAAgB,EAAE,KAAK,EACvB,KAAK,CAAC,aAAa,CACnB,CAAC;gBAEF,kFAAkF;gBAClF,uDAAuD;gBACvD,IAAI,UAAU,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,gBAAgB,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;oBAC3E,MAAM,IAAI,YAAY,CAAC,mBAAmB,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;gBAC5E,CAAC;gBAED,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC;gBAC/D,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBAEtF,cAAc,CAAC,SAAS,GAAG,gBAAgB,EAAE,KAAK,CAAC;gBACnD,cAAc,CAAC,iBAAiB,GAAG,gBAAgB,EAAE,QAAQ,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACvC,eAAe,CAAC,aAAa,CAAC,QAAQ,EAAE,KAAK,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;YAC7E,CAAC;QACF,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,IAAI,CAChB,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,MAAM,qBAAqB,GAAG,cAAc,EAAE,aAAa,CAAC;QAC5D,MAAM,iBAAiB,GAAG,cAAc,EAAE,SAAS,CAAC;QAEpD,yFAAyF;QACzF,IACC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;YAChB,EAAE,CAAC,WAAW,CAAC,qBAAqB,CAAC;YACrC,cAAc,CAAC,iBAAiB,KAAK,eAAe,EACnD,CAAC;YACF,IACC,CAAC,qBAAqB,KAAK,OAAO,IAAI,qBAAqB,KAAK,SAAS,CAAC;gBAC1E,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,EAChC,CAAC;gBACF,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC,YAAY,CAClE,IAAI,CAAC,WAAW,EAChB,iBAAiB,EACjB;oBACC,MAAM,EAAE,IAAI;oBACZ,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG;iBACT,CACD,CAAC;YACH,CAAC;iBAAM,IAAI,qBAAqB,KAAK,QAAQ,EAAE,CAAC;gBAC/C,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE;oBACrF,MAAM,EAAE,IAAI;oBACZ,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG;iBACT,CAAC,CAAC;YACJ,CAAC;QACF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport {\n\tHttpErrorHelper,\n\ttype IBaseRoute,\n\ttype IBaseRouteProcessor,\n\ttype IHttpResponse,\n\ttype IHttpServerRequest\n} from \"@twin.org/api-models\";\nimport {\n\tContextIdHelper,\n\tContextIdKeys,\n\tContextIdStore,\n\ttype IContextIds\n} from \"@twin.org/context\";\nimport { BaseError, Coerce, GeneralError, Is } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { VaultConnectorFactory, type IVaultConnector } from \"@twin.org/vault-models\";\nimport { CookieHelper, HeaderTypes, HttpStatusCode } from \"@twin.org/web\";\nimport type { IAuthHeaderProcessorConstructorOptions } from \"../models/IAuthHeaderProcessorConstructorOptions.js\";\nimport { TokenHelper } from \"../utils/tokenHelper.js\";\n\n/**\n * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.\n */\nexport class AuthHeaderProcessor implements IBaseRouteProcessor {\n\t/**\n\t * The default name for the access token as a cookie.\n\t * @internal\n\t */\n\tpublic static readonly DEFAULT_COOKIE_NAME: string = \"access_token\";\n\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<AuthHeaderProcessor>();\n\n\t/**\n\t * The vault for the keys.\n\t * @internal\n\t */\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/**\n\t * The name of the key to retrieve from the vault for signing JWT.\n\t * @internal\n\t */\n\tprivate readonly _signingKeyName: string;\n\n\t/**\n\t * The name of the cookie to use for the token.\n\t * @internal\n\t */\n\tprivate readonly _cookieName: string;\n\n\t/**\n\t * The node identity.\n\t * @internal\n\t */\n\tprivate _nodeId?: string;\n\n\t/**\n\t * Create a new instance of AuthCookiePreProcessor.\n\t * @param options Options for the processor.\n\t */\n\tconstructor(options?: IAuthHeaderProcessorConstructorOptions) {\n\t\tthis._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? \"vault\");\n\t\tthis._signingKeyName = options?.config?.signingKeyName ?? \"auth-signing\";\n\t\tthis._cookieName = options?.config?.cookieName ?? AuthHeaderProcessor.DEFAULT_COOKIE_NAME;\n\t}\n\n\t/**\n\t * Returns the class name of the component.\n\t * @returns The class name of the component.\n\t */\n\tpublic className(): string {\n\t\treturn AuthHeaderProcessor.CLASS_NAME;\n\t}\n\n\t/**\n\t * The service needs to be started when the application is initialized.\n\t * @param nodeLoggingComponentType The node logging component type.\n\t * @returns Nothing.\n\t */\n\tpublic async start(nodeLoggingComponentType?: string): Promise<void> {\n\t\tconst contextIds = await ContextIdStore.getContextIds();\n\t\tContextIdHelper.guard(contextIds, ContextIdKeys.Node);\n\t\tthis._nodeId = contextIds[ContextIdKeys.Node];\n\t}\n\n\t/**\n\t * Pre process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t */\n\tpublic async pre(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute | undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tif (!Is.empty(route) && !(route.skipAuth ?? false)) {\n\t\t\ttry {\n\t\t\t\tconst tokenAndLocation = TokenHelper.extractTokenFromHeaders(\n\t\t\t\t\trequest.headers,\n\t\t\t\t\tthis._cookieName\n\t\t\t\t);\n\n\t\t\t\tconst headerAndPayload = await TokenHelper.verify(\n\t\t\t\t\tthis._vaultConnector,\n\t\t\t\t\t`${this._nodeId}/${this._signingKeyName}`,\n\t\t\t\t\ttokenAndLocation?.token,\n\t\t\t\t\troute.requiredScope\n\t\t\t\t);\n\n\t\t\t\t// If tenant id is defined in the context, then it must match the one in the token\n\t\t\t\t// but both can be undefined in a single tenant context\n\t\t\t\tif (contextIds?.[ContextIdKeys.Tenant] !== headerAndPayload?.payload?.tid) {\n\t\t\t\t\tthrow new GeneralError(AuthHeaderProcessor.CLASS_NAME, \"tenantIdMismatch\");\n\t\t\t\t}\n\n\t\t\t\tcontextIds[ContextIdKeys.User] = headerAndPayload.payload?.sub;\n\t\t\t\tcontextIds[ContextIdKeys.Organization] = Coerce.string(headerAndPayload.payload?.org);\n\n\t\t\t\tprocessorState.authToken = tokenAndLocation?.token;\n\t\t\t\tprocessorState.authTokenLocation = tokenAndLocation?.location;\n\t\t\t} catch (err) {\n\t\t\t\tconst error = BaseError.fromError(err);\n\t\t\t\tHttpErrorHelper.buildResponse(response, error, HttpStatusCode.unauthorized);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Post process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t */\n\tpublic async post(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute | undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tconst responseAuthOperation = processorState?.authOperation;\n\t\tconst responseAuthToken = processorState?.authToken;\n\n\t\t// We don't populate the cookie if the incoming request was from an authorization header.\n\t\tif (\n\t\t\t!Is.empty(route) &&\n\t\t\tIs.stringValue(responseAuthOperation) &&\n\t\t\tprocessorState.authTokenLocation !== \"authorization\"\n\t\t) {\n\t\t\tif (\n\t\t\t\t(responseAuthOperation === \"login\" || responseAuthOperation === \"refresh\") &&\n\t\t\t\tIs.stringValue(responseAuthToken)\n\t\t\t) {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] = CookieHelper.createCookie(\n\t\t\t\t\tthis._cookieName,\n\t\t\t\t\tresponseAuthToken,\n\t\t\t\t\t{\n\t\t\t\t\t\tsecure: true,\n\t\t\t\t\t\thttpOnly: true,\n\t\t\t\t\t\tsameSite: \"None\",\n\t\t\t\t\t\tpath: \"/\"\n\t\t\t\t\t}\n\t\t\t\t);\n\t\t\t} else if (responseAuthOperation === \"logout\") {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] = CookieHelper.deleteCookie(this._cookieName, {\n\t\t\t\t\tsecure: true,\n\t\t\t\t\thttpOnly: true,\n\t\t\t\t\tsameSite: \"None\",\n\t\t\t\t\tpath: \"/\"\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n}\n"]}
1
+ {"version":3,"file":"authHeaderProcessor.js","sourceRoot":"","sources":["../../../src/processors/authHeaderProcessor.ts"],"names":[],"mappings":"AAGA,OAAO,EACN,eAAe,EAKf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACN,eAAe,EACf,aAAa,EACb,cAAc,EAEd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AAEvF,OAAO,EAAE,qBAAqB,EAAwB,MAAM,wBAAwB,CAAC;AACrF,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE1E,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD;;GAEG;AACH,MAAM,OAAO,mBAAmB;IAC/B;;;OAGG;IACI,MAAM,CAAU,mBAAmB,GAAW,cAAc,CAAC;IAEpE;;OAEG;IACI,MAAM,CAAU,UAAU,yBAAyC;IAE1E;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,2BAA2B,CAAgC;IAE5E;;;OAGG;IACc,eAAe,CAAS;IAEzC;;;OAGG;IACc,WAAW,CAAS;IAErC;;;OAGG;IACK,OAAO,CAAU;IAEzB;;;OAGG;IACH,YAAY,OAAgD;QAC3D,IAAI,CAAC,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,OAAO,EAAE,kBAAkB,IAAI,OAAO,CAAC,CAAC;QAEzF,IAAI,CAAC,2BAA2B,GAAG,gBAAgB,CAAC,GAAG,CACtD,OAAO,EAAE,8BAA8B,IAAI,sBAAsB,CACjE,CAAC;QAEF,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,MAAM,EAAE,cAAc,IAAI,cAAc,CAAC;QACzE,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC,mBAAmB,CAAC;IAC3F,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,mBAAmB,CAAC,UAAU,CAAC;IACvC,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,KAAK,CAAC,wBAAiC;QACnD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,CAAC;QACxD,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,GAAG,CACf,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC;gBACJ,MAAM,gBAAgB,GAAG,WAAW,CAAC,uBAAuB,CAC3D,OAAO,CAAC,OAAO,EACf,IAAI,CAAC,WAAW,CAChB,CAAC;gBAEF,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,MAAM,CAChD,IAAI,CAAC,eAAe,EACpB,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,EACzC,gBAAgB,EAAE,KAAK,EACvB,KAAK,CAAC,aAAa,EACnB,KAAK,EAAE,YAAoB,EAAE,oBAA4B,EAAE,EAAE;oBAC5D,MAAM,UAAU,GAAG,EAAE,CAAC;oBACtB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;oBAEhF,IAAI,IAAI,EAAE,YAAY,KAAK,YAAY,EAAE,CAAC;wBACzC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBACzB,CAAC;oBACD,IAAI,IAAI,EAAE,oBAAoB,KAAK,oBAAoB,EAAE,CAAC;wBACzD,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;oBACjC,CAAC;oBACD,OAAO,UAAU,CAAC;gBACnB,CAAC,CACD,CAAC;gBAEF,kFAAkF;gBAClF,uDAAuD;gBACvD,IAAI,UAAU,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,gBAAgB,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;oBAC3E,MAAM,IAAI,YAAY,CAAC,mBAAmB,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;gBAC5E,CAAC;gBAED,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC;gBAC/D,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBAEtF,cAAc,CAAC,SAAS,GAAG,gBAAgB,EAAE,KAAK,CAAC;gBACnD,cAAc,CAAC,iBAAiB,GAAG,gBAAgB,EAAE,QAAQ,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACvC,eAAe,CAAC,aAAa,CAAC,QAAQ,EAAE,KAAK,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;YAC7E,CAAC;QACF,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,IAAI,CAChB,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,MAAM,qBAAqB,GAAG,cAAc,EAAE,aAAa,CAAC;QAC5D,MAAM,iBAAiB,GAAG,cAAc,EAAE,SAAS,CAAC;QAEpD,yFAAyF;QACzF,IACC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;YAChB,EAAE,CAAC,WAAW,CAAC,qBAAqB,CAAC;YACrC,cAAc,CAAC,iBAAiB,KAAK,eAAe,EACnD,CAAC;YACF,IACC,CAAC,qBAAqB,KAAK,OAAO,IAAI,qBAAqB,KAAK,SAAS,CAAC;gBAC1E,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,EAChC,CAAC;gBACF,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC,YAAY,CAClE,IAAI,CAAC,WAAW,EAChB,iBAAiB,EACjB;oBACC,MAAM,EAAE,IAAI;oBACZ,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG;iBACT,CACD,CAAC;YACH,CAAC;iBAAM,IAAI,qBAAqB,KAAK,QAAQ,EAAE,CAAC;gBAC/C,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE;oBACrF,MAAM,EAAE,IAAI;oBACZ,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG;iBACT,CAAC,CAAC;YACJ,CAAC;QACF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthenticationAdminComponent } from \"@twin.org/api-auth-entity-storage-models\";\nimport {\n\tHttpErrorHelper,\n\ttype IBaseRoute,\n\ttype IBaseRouteProcessor,\n\ttype IHttpResponse,\n\ttype IHttpServerRequest\n} from \"@twin.org/api-models\";\nimport {\n\tContextIdHelper,\n\tContextIdKeys,\n\tContextIdStore,\n\ttype IContextIds\n} from \"@twin.org/context\";\nimport { BaseError, Coerce, ComponentFactory, GeneralError, Is } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { VaultConnectorFactory, type IVaultConnector } from \"@twin.org/vault-models\";\nimport { CookieHelper, HeaderTypes, HttpStatusCode } from \"@twin.org/web\";\nimport type { IAuthHeaderProcessorConstructorOptions } from \"../models/IAuthHeaderProcessorConstructorOptions.js\";\nimport { TokenHelper } from \"../utils/tokenHelper.js\";\n\n/**\n * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.\n */\nexport class AuthHeaderProcessor implements IBaseRouteProcessor {\n\t/**\n\t * The default name for the access token as a cookie.\n\t * @internal\n\t */\n\tpublic static readonly DEFAULT_COOKIE_NAME: string = \"access_token\";\n\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<AuthHeaderProcessor>();\n\n\t/**\n\t * The vault for the keys.\n\t * @internal\n\t */\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/**\n\t * The user admin service.\n\t * @internal\n\t */\n\tprivate readonly _authenticationAdminService: IAuthenticationAdminComponent;\n\n\t/**\n\t * The name of the key to retrieve from the vault for signing JWT.\n\t * @internal\n\t */\n\tprivate readonly _signingKeyName: string;\n\n\t/**\n\t * The name of the cookie to use for the token.\n\t * @internal\n\t */\n\tprivate readonly _cookieName: string;\n\n\t/**\n\t * The node identity.\n\t * @internal\n\t */\n\tprivate _nodeId?: string;\n\n\t/**\n\t * Create a new instance of AuthCookiePreProcessor.\n\t * @param options Options for the processor.\n\t */\n\tconstructor(options?: IAuthHeaderProcessorConstructorOptions) {\n\t\tthis._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? \"vault\");\n\n\t\tthis._authenticationAdminService = ComponentFactory.get<IAuthenticationAdminComponent>(\n\t\t\toptions?.authenticationAdminServiceType ?? \"authentication-admin\"\n\t\t);\n\n\t\tthis._signingKeyName = options?.config?.signingKeyName ?? \"auth-signing\";\n\t\tthis._cookieName = options?.config?.cookieName ?? AuthHeaderProcessor.DEFAULT_COOKIE_NAME;\n\t}\n\n\t/**\n\t * Returns the class name of the component.\n\t * @returns The class name of the component.\n\t */\n\tpublic className(): string {\n\t\treturn AuthHeaderProcessor.CLASS_NAME;\n\t}\n\n\t/**\n\t * The service needs to be started when the application is initialized.\n\t * @param nodeLoggingComponentType The node logging component type.\n\t * @returns Nothing.\n\t */\n\tpublic async start(nodeLoggingComponentType?: string): Promise<void> {\n\t\tconst contextIds = await ContextIdStore.getContextIds();\n\t\tContextIdHelper.guard(contextIds, ContextIdKeys.Node);\n\t\tthis._nodeId = contextIds[ContextIdKeys.Node];\n\t}\n\n\t/**\n\t * Pre process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t */\n\tpublic async pre(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute | undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tif (!Is.empty(route) && !(route.skipAuth ?? false)) {\n\t\t\ttry {\n\t\t\t\tconst tokenAndLocation = TokenHelper.extractTokenFromHeaders(\n\t\t\t\t\trequest.headers,\n\t\t\t\t\tthis._cookieName\n\t\t\t\t);\n\n\t\t\t\tconst headerAndPayload = await TokenHelper.verify(\n\t\t\t\t\tthis._vaultConnector,\n\t\t\t\t\t`${this._nodeId}/${this._signingKeyName}`,\n\t\t\t\t\ttokenAndLocation?.token,\n\t\t\t\t\troute.requiredScope,\n\t\t\t\t\tasync (userIdentity: string, organizationIdentity: string) => {\n\t\t\t\t\t\tconst validParts = [];\n\t\t\t\t\t\tconst user = await this._authenticationAdminService.getByIdentity(userIdentity);\n\n\t\t\t\t\t\tif (user?.userIdentity === userIdentity) {\n\t\t\t\t\t\t\tvalidParts.push(\"user\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (user?.organizationIdentity === organizationIdentity) {\n\t\t\t\t\t\t\tvalidParts.push(\"organization\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn validParts;\n\t\t\t\t\t}\n\t\t\t\t);\n\n\t\t\t\t// If tenant id is defined in the context, then it must match the one in the token\n\t\t\t\t// but both can be undefined in a single tenant context\n\t\t\t\tif (contextIds?.[ContextIdKeys.Tenant] !== headerAndPayload?.payload?.tid) {\n\t\t\t\t\tthrow new GeneralError(AuthHeaderProcessor.CLASS_NAME, \"tenantIdMismatch\");\n\t\t\t\t}\n\n\t\t\t\tcontextIds[ContextIdKeys.User] = headerAndPayload.payload?.sub;\n\t\t\t\tcontextIds[ContextIdKeys.Organization] = Coerce.string(headerAndPayload.payload?.org);\n\n\t\t\t\tprocessorState.authToken = tokenAndLocation?.token;\n\t\t\t\tprocessorState.authTokenLocation = tokenAndLocation?.location;\n\t\t\t} catch (err) {\n\t\t\t\tconst error = BaseError.fromError(err);\n\t\t\t\tHttpErrorHelper.buildResponse(response, error, HttpStatusCode.unauthorized);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Post process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t */\n\tpublic async post(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute | undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tconst responseAuthOperation = processorState?.authOperation;\n\t\tconst responseAuthToken = processorState?.authToken;\n\n\t\t// We don't populate the cookie if the incoming request was from an authorization header.\n\t\tif (\n\t\t\t!Is.empty(route) &&\n\t\t\tIs.stringValue(responseAuthOperation) &&\n\t\t\tprocessorState.authTokenLocation !== \"authorization\"\n\t\t) {\n\t\t\tif (\n\t\t\t\t(responseAuthOperation === \"login\" || responseAuthOperation === \"refresh\") &&\n\t\t\t\tIs.stringValue(responseAuthToken)\n\t\t\t) {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] = CookieHelper.createCookie(\n\t\t\t\t\tthis._cookieName,\n\t\t\t\t\tresponseAuthToken,\n\t\t\t\t\t{\n\t\t\t\t\t\tsecure: true,\n\t\t\t\t\t\thttpOnly: true,\n\t\t\t\t\t\tsameSite: \"None\",\n\t\t\t\t\t\tpath: \"/\"\n\t\t\t\t\t}\n\t\t\t\t);\n\t\t\t} else if (responseAuthOperation === \"logout\") {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] = CookieHelper.deleteCookie(this._cookieName, {\n\t\t\t\t\tsecure: true,\n\t\t\t\t\thttpOnly: true,\n\t\t\t\t\tsameSite: \"None\",\n\t\t\t\t\tpath: \"/\"\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n}\n"]}
package/dist/es/restEntryPoints.js CHANGED
@@ -1,4 +1,5 @@
1
1
  import { generateRestRoutesAuthenticationAdmin, tagsAuthenticationAdmin } from "./routes/entityStorageAuthenticationAdminRoutes.js";
2
+ import { generateRestRoutesAuthenticationAudit, tagsAuthenticationAudit } from "./routes/entityStorageAuthenticationAuditRoutes.js";
2
3
  import { generateRestRoutesAuthentication, tagsAuthentication } from "./routes/entityStorageAuthenticationRoutes.js";
3
4
  export const restEntryPoints = [
4
5
  {
@@ -12,6 +13,12 @@ export const restEntryPoints = [
12
13
  defaultBaseRoute: "authentication/admin",
13
14
  tags: tagsAuthenticationAdmin,
14
15
  generateRoutes: generateRestRoutesAuthenticationAdmin
16
+ },
17
+ {
18
+ name: "authenticationAudit",
19
+ defaultBaseRoute: "authentication/audit",
20
+ tags: tagsAuthenticationAudit,
21
+ generateRoutes: generateRestRoutesAuthenticationAudit
15
22
  }
16
23
  ];
17
24
  //# sourceMappingURL=restEntryPoints.js.map
package/dist/es/restEntryPoints.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"restEntryPoints.js","sourceRoot":"","sources":["../../src/restEntryPoints.ts"],"names":[],"mappings":"AAGA,OAAO,EACN,qCAAqC,EACrC,uBAAuB,EACvB,MAAM,oDAAoD,CAAC;AAC5D,OAAO,EACN,gCAAgC,EAChC,kBAAkB,EAClB,MAAM,+CAA+C,CAAC;AAEvD,MAAM,CAAC,MAAM,eAAe,GAA2B;IACtD;QACC,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,gBAAgB;QAClC,IAAI,EAAE,kBAAkB;QACxB,cAAc,EAAE,gCAAgC;KAChD;IACD;QACC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,sBAAsB;QACxC,IAAI,EAAE,uBAAuB;QAC7B,cAAc,EAAE,qCAAqC;KACrD;CACD,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IRestRouteEntryPoint } from \"@twin.org/api-models\";\nimport {\n\tgenerateRestRoutesAuthenticationAdmin,\n\ttagsAuthenticationAdmin\n} from \"./routes/entityStorageAuthenticationAdminRoutes.js\";\nimport {\n\tgenerateRestRoutesAuthentication,\n\ttagsAuthentication\n} from \"./routes/entityStorageAuthenticationRoutes.js\";\n\nexport const restEntryPoints: IRestRouteEntryPoint[] = [\n\t{\n\t\tname: \"authentication\",\n\t\tdefaultBaseRoute: \"authentication\",\n\t\ttags: tagsAuthentication,\n\t\tgenerateRoutes: generateRestRoutesAuthentication\n\t},\n\t{\n\t\tname: \"authenticationAdmin\",\n\t\tdefaultBaseRoute: \"authentication/admin\",\n\t\ttags: tagsAuthenticationAdmin,\n\t\tgenerateRoutes: generateRestRoutesAuthenticationAdmin\n\t}\n];\n"]}
1
+ {"version":3,"file":"restEntryPoints.js","sourceRoot":"","sources":["../../src/restEntryPoints.ts"],"names":[],"mappings":"AAGA,OAAO,EACN,qCAAqC,EACrC,uBAAuB,EACvB,MAAM,oDAAoD,CAAC;AAC5D,OAAO,EACN,qCAAqC,EACrC,uBAAuB,EACvB,MAAM,oDAAoD,CAAC;AAC5D,OAAO,EACN,gCAAgC,EAChC,kBAAkB,EAClB,MAAM,+CAA+C,CAAC;AAEvD,MAAM,CAAC,MAAM,eAAe,GAA2B;IACtD;QACC,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,gBAAgB;QAClC,IAAI,EAAE,kBAAkB;QACxB,cAAc,EAAE,gCAAgC;KAChD;IACD;QACC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,sBAAsB;QACxC,IAAI,EAAE,uBAAuB;QAC7B,cAAc,EAAE,qCAAqC;KACrD;IACD;QACC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,sBAAsB;QACxC,IAAI,EAAE,uBAAuB;QAC7B,cAAc,EAAE,qCAAqC;KACrD;CACD,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IRestRouteEntryPoint } from \"@twin.org/api-models\";\nimport {\n\tgenerateRestRoutesAuthenticationAdmin,\n\ttagsAuthenticationAdmin\n} from \"./routes/entityStorageAuthenticationAdminRoutes.js\";\nimport {\n\tgenerateRestRoutesAuthenticationAudit,\n\ttagsAuthenticationAudit\n} from \"./routes/entityStorageAuthenticationAuditRoutes.js\";\nimport {\n\tgenerateRestRoutesAuthentication,\n\ttagsAuthentication\n} from \"./routes/entityStorageAuthenticationRoutes.js\";\n\nexport const restEntryPoints: IRestRouteEntryPoint[] = [\n\t{\n\t\tname: \"authentication\",\n\t\tdefaultBaseRoute: \"authentication\",\n\t\ttags: tagsAuthentication,\n\t\tgenerateRoutes: generateRestRoutesAuthentication\n\t},\n\t{\n\t\tname: \"authenticationAdmin\",\n\t\tdefaultBaseRoute: \"authentication/admin\",\n\t\ttags: tagsAuthenticationAdmin,\n\t\tgenerateRoutes: generateRestRoutesAuthenticationAdmin\n\t},\n\t{\n\t\tname: \"authenticationAudit\",\n\t\tdefaultBaseRoute: \"authentication/audit\",\n\t\ttags: tagsAuthenticationAudit,\n\t\tgenerateRoutes: generateRestRoutesAuthenticationAudit\n\t}\n];\n"]}
package/dist/es/routes/entityStorageAuthenticationAuditRoutes.js ADDED
@@ -0,0 +1,174 @@
1
+ import { Coerce, ComponentFactory, Guards } from "@twin.org/core";
2
+ import { HeaderTypes, HttpStatusCode } from "@twin.org/web";
3
+ /**
4
+ * The source used when communicating about these routes.
5
+ */
6
+ const ROUTES_SOURCE = "authenticationAuditRoutes";
7
+ /**
8
+ * The tag to associate with the routes.
9
+ */
10
+ export const tagsAuthenticationAudit = [
11
+ {
12
+ name: "Authentication Audit",
13
+ description: "Authentication audit endpoints for the REST server."
14
+ }
15
+ ];
16
+ /**
17
+ * The REST routes for authentication audit.
18
+ * @param baseRouteName Prefix to prepend to the paths.
19
+ * @param componentName The name of the component to use in the routes stored in the ComponentFactory.
20
+ * @returns The generated routes.
21
+ */
22
+ export function generateRestRoutesAuthenticationAudit(baseRouteName, componentName) {
23
+ const createRoute = {
24
+ operationId: "authenticationAuditCreate",
25
+ summary: "Create an authentication audit entry",
26
+ tag: tagsAuthenticationAudit[0].name,
27
+ method: "POST",
28
+ path: `${baseRouteName}`,
29
+ handler: async (httpRequestContext, request) => authenticationAuditCreate(httpRequestContext, componentName, request),
30
+ requestType: {
31
+ type: "IAuditCreateRequest",
32
+ examples: [
33
+ {
34
+ id: "authenticationAuditCreateRequestExample",
35
+ description: "The request to create an authentication audit entry.",
36
+ request: {
37
+ body: {
38
+ actorId: "user@example.com",
39
+ event: "login-success",
40
+ data: {
41
+ organizationIdentity: "did:example:org1"
42
+ }
43
+ }
44
+ }
45
+ }
46
+ ]
47
+ },
48
+ responseType: [
49
+ {
50
+ type: "ICreatedResponse",
51
+ examples: [
52
+ {
53
+ id: "authenticationAuditCreateResponseExample",
54
+ description: "The response for creating an authentication audit entry.",
55
+ response: {
56
+ statusCode: 201,
57
+ headers: {
58
+ [HeaderTypes.Location]: "018f0b53d5d5704fa3a06d6ed2478575"
59
+ }
60
+ }
61
+ }
62
+ ]
63
+ },
64
+ {
65
+ type: "IUnauthorizedResponse"
66
+ }
67
+ ],
68
+ requiredScope: ["user-admin"]
69
+ };
70
+ const queryRoute = {
71
+ operationId: "authenticationAuditQuery",
72
+ summary: "Query authentication audit entries",
73
+ tag: tagsAuthenticationAudit[0].name,
74
+ method: "GET",
75
+ path: `${baseRouteName}`,
76
+ handler: async (httpRequestContext, request) => authenticationAuditQuery(httpRequestContext, componentName, request),
77
+ requestType: {
78
+ type: "IAuditQueryRequest",
79
+ examples: [
80
+ {
81
+ id: "authenticationAuditQueryRequestExample",
82
+ description: "The request to query authentication audit entries.",
83
+ request: {
84
+ query: {
85
+ actorId: "user@example.com",
86
+ event: "login-success",
87
+ startDate: "2026-01-01T00:00:00.000Z",
88
+ endDate: "2026-01-31T23:59:59.999Z",
89
+ limit: "50"
90
+ }
91
+ }
92
+ }
93
+ ]
94
+ },
95
+ responseType: [
96
+ {
97
+ type: "IAuditQueryResponse",
98
+ examples: [
99
+ {
100
+ id: "authenticationAuditQueryResponseExample",
101
+ description: "The response for querying authentication audit entries.",
102
+ response: {
103
+ body: {
104
+ entries: [
105
+ {
106
+ id: "018f0b53d5d5704fa3a06d6ed2478575",
107
+ actorId: "user@example.com",
108
+ dateCreated: "2026-01-12T09:05:23.123Z",
109
+ event: "login-success",
110
+ data: {
111
+ organizationIdentity: "did:example:org1"
112
+ }
113
+ }
114
+ ],
115
+ cursor: "next-cursor"
116
+ }
117
+ }
118
+ }
119
+ ]
120
+ },
121
+ {
122
+ type: "IUnauthorizedResponse"
123
+ }
124
+ ],
125
+ requiredScope: ["user-admin"]
126
+ };
127
+ return [createRoute, queryRoute];
128
+ }
129
+ /**
130
+ * Create an authentication audit entry.
131
+ * @param httpRequestContext The request context for the API.
132
+ * @param componentName The name of the component to use in the routes.
133
+ * @param request The request.
134
+ * @returns The response object with additional http response properties.
135
+ */
136
+ export async function authenticationAuditCreate(httpRequestContext, componentName, request) {
137
+ Guards.object(ROUTES_SOURCE, "request", request);
138
+ Guards.object(ROUTES_SOURCE, "request.body", request.body);
139
+ const component = ComponentFactory.get(componentName);
140
+ const id = await component.create(request.body);
141
+ return {
142
+ statusCode: HttpStatusCode.created,
143
+ headers: {
144
+ [HeaderTypes.Location]: id
145
+ }
146
+ };
147
+ }
148
+ /**
149
+ * Query authentication audit entries.
150
+ * @param httpRequestContext The request context for the API.
151
+ * @param componentName The name of the component to use in the routes.
152
+ * @param request The request.
153
+ * @returns The response object with additional http response properties.
154
+ */
155
+ export async function authenticationAuditQuery(httpRequestContext, componentName, request) {
156
+ Guards.object(ROUTES_SOURCE, "request", request);
157
+ const component = ComponentFactory.get(componentName);
158
+ const result = await component.query({
159
+ actorId: request.query?.actorId,
160
+ organizationId: request.query?.organizationId,
161
+ tenantId: request.query?.tenantId,
162
+ nodeId: request.query?.nodeId,
163
+ event: request.query?.event,
164
+ startDate: request.query?.startDate,
165
+ endDate: request.query?.endDate
166
+ }, request.query?.cursor, Coerce.integer(request.query?.limit));
167
+ return {
168
+ body: {
169
+ entries: result.entries,
170
+ cursor: result.cursor
171
+ }
172
+ };
173
+ }
174
+ //# sourceMappingURL=entityStorageAuthenticationAuditRoutes.js.map
package/dist/es/routes/entityStorageAuthenticationAuditRoutes.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"entityStorageAuthenticationAuditRoutes.js","sourceRoot":"","sources":["../../../src/routes/entityStorageAuthenticationAuditRoutes.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE5D;;GAEG;AACH,MAAM,aAAa,GAAG,2BAA2B,CAAC;AAElD;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAW;IAC9C;QACC,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,qDAAqD;KAClE;CACD,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,qCAAqC,CACpD,aAAqB,EACrB,aAAqB;IAErB,MAAM,WAAW,GAAsD;QACtE,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,sCAAsC;QAC/C,GAAG,EAAE,uBAAuB,CAAC,CAAC,CAAC,CAAC,IAAI;QACpC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,GAAG,aAAa,EAAE;QACxB,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,EAAE,CAC9C,yBAAyB,CAAC,kBAAkB,EAAE,aAAa,EAAE,OAAO,CAAC;QACtE,WAAW,EAAE;YACZ,IAAI,uBAA+B;YACnC,QAAQ,EAAE;gBACT;oBACC,EAAE,EAAE,yCAAyC;oBAC7C,WAAW,EAAE,sDAAsD;oBACnE,OAAO,EAAE;wBACR,IAAI,EAAE;4BACL,OAAO,EAAE,kBAAkB;4BAC3B,KAAK,EAAE,eAAe;4BACtB,IAAI,EAAE;gCACL,oBAAoB,EAAE,kBAAkB;6BACxC;yBACD;qBACD;iBACD;aACD;SACD;QACD,YAAY,EAAE;YACb;gBACC,IAAI,oBAA4B;gBAChC,QAAQ,EAAE;oBACT;wBACC,EAAE,EAAE,0CAA0C;wBAC9C,WAAW,EAAE,0DAA0D;wBACvE,QAAQ,EAAE;4BACT,UAAU,EAAE,GAAG;4BACf,OAAO,EAAE;gCACR,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,kCAAkC;6BAC1D;yBACD;qBACD;iBACD;aACD;YACD;gBACC,IAAI,yBAAiC;aACrC;SACD;QACD,aAAa,EAAE,CAAC,YAAY,CAAC;KAC7B,CAAC;IAEF,MAAM,UAAU,GAAwD;QACvE,WAAW,EAAE,0BAA0B;QACvC,OAAO,EAAE,oCAAoC;QAC7C,GAAG,EAAE,uBAAuB,CAAC,CAAC,CAAC,CAAC,IAAI;QACpC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,GAAG,aAAa,EAAE;QACxB,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,EAAE,CAC9C,wBAAwB,CAAC,kBAAkB,EAAE,aAAa,EAAE,OAAO,CAAC;QACrE,WAAW,EAAE;YACZ,IAAI,sBAA8B;YAClC,QAAQ,EAAE;gBACT;oBACC,EAAE,EAAE,wCAAwC;oBAC5C,WAAW,EAAE,oDAAoD;oBACjE,OAAO,EAAE;wBACR,KAAK,EAAE;4BACN,OAAO,EAAE,kBAAkB;4BAC3B,KAAK,EAAE,eAAe;4BACtB,SAAS,EAAE,0BAA0B;4BACrC,OAAO,EAAE,0BAA0B;4BACnC,KAAK,EAAE,IAAI;yBACX;qBACD;iBACD;aACD;SACD;QACD,YAAY,EAAE;YACb;gBACC,IAAI,uBAA+B;gBACnC,QAAQ,EAAE;oBACT;wBACC,EAAE,EAAE,yCAAyC;wBAC7C,WAAW,EAAE,yDAAyD;wBACtE,QAAQ,EAAE;4BACT,IAAI,EAAE;gCACL,OAAO,EAAE;oCACR;wCACC,EAAE,EAAE,kCAAkC;wCACtC,OAAO,EAAE,kBAAkB;wCAC3B,WAAW,EAAE,0BAA0B;wCACvC,KAAK,EAAE,eAAe;wCACtB,IAAI,EAAE;4CACL,oBAAoB,EAAE,kBAAkB;yCACxC;qCACD;iCACD;gCACD,MAAM,EAAE,aAAa;6BACrB;yBACD;qBACD;iBACD;aACD;YACD;gBACC,IAAI,yBAAiC;aACrC;SACD;QACD,aAAa,EAAE,CAAC,YAAY,CAAC;KAC7B,CAAC;IAEF,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC9C,kBAAuC,EACvC,aAAqB,EACrB,OAA4B;IAE5B,MAAM,CAAC,MAAM,CAAsB,aAAa,aAAmB,OAAO,CAAC,CAAC;IAC5E,MAAM,CAAC,MAAM,CAA8B,aAAa,kBAAwB,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9F,MAAM,SAAS,GAAG,gBAAgB,CAAC,GAAG,CAAgC,aAAa,CAAC,CAAC;IACrF,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhD,OAAO;QACN,UAAU,EAAE,cAAc,CAAC,OAAO;QAClC,OAAO,EAAE;YACR,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,EAAE;SAC1B;KACD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC7C,kBAAuC,EACvC,aAAqB,EACrB,OAA2B;IAE3B,MAAM,CAAC,MAAM,CAAqB,aAAa,aAAmB,OAAO,CAAC,CAAC;IAE3E,MAAM,SAAS,GAAG,gBAAgB,CAAC,GAAG,CAAgC,aAAa,CAAC,CAAC;IACrF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CACnC;QACC,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO;QAC/B,cAAc,EAAE,OAAO,CAAC,KAAK,EAAE,cAAc;QAC7C,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,QAAQ;QACjC,MAAM,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM;QAC7B,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,KAAK;QAC3B,SAAS,EAAE,OAAO,CAAC,KAAK,EAAE,SAAS;QACnC,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO;KAC/B,EACD,OAAO,CAAC,KAAK,EAAE,MAAM,EACrB,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CACpC,CAAC;IAEF,OAAO;QACN,IAAI,EAAE;YACL,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM;SACrB;KACD,CAAC;AACH,CAAC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type {\n\tIAuditCreateRequest,\n\tIAuditQueryRequest,\n\tIAuditQueryResponse,\n\tIAuthenticationAuditComponent\n} from \"@twin.org/api-auth-entity-storage-models\";\nimport type {\n\tICreatedResponse,\n\tIHttpRequestContext,\n\tIRestRoute,\n\tITag,\n\tIUnauthorizedResponse\n} from \"@twin.org/api-models\";\nimport { Coerce, ComponentFactory, Guards } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { HeaderTypes, HttpStatusCode } from \"@twin.org/web\";\n\n/**\n * The source used when communicating about these routes.\n */\nconst ROUTES_SOURCE = \"authenticationAuditRoutes\";\n\n/**\n * The tag to associate with the routes.\n */\nexport const tagsAuthenticationAudit: ITag[] = [\n\t{\n\t\tname: \"Authentication Audit\",\n\t\tdescription: \"Authentication audit endpoints for the REST server.\"\n\t}\n];\n\n/**\n * The REST routes for authentication audit.\n * @param baseRouteName Prefix to prepend to the paths.\n * @param componentName The name of the component to use in the routes stored in the ComponentFactory.\n * @returns The generated routes.\n */\nexport function generateRestRoutesAuthenticationAudit(\n\tbaseRouteName: string,\n\tcomponentName: string\n): IRestRoute[] {\n\tconst createRoute: IRestRoute<IAuditCreateRequest, ICreatedResponse> = {\n\t\toperationId: \"authenticationAuditCreate\",\n\t\tsummary: \"Create an authentication audit entry\",\n\t\ttag: tagsAuthenticationAudit[0].name,\n\t\tmethod: \"POST\",\n\t\tpath: `${baseRouteName}`,\n\t\thandler: async (httpRequestContext, request) =>\n\t\t\tauthenticationAuditCreate(httpRequestContext, componentName, request),\n\t\trequestType: {\n\t\t\ttype: nameof<IAuditCreateRequest>(),\n\t\t\texamples: [\n\t\t\t\t{\n\t\t\t\t\tid: \"authenticationAuditCreateRequestExample\",\n\t\t\t\t\tdescription: \"The request to create an authentication audit entry.\",\n\t\t\t\t\trequest: {\n\t\t\t\t\t\tbody: {\n\t\t\t\t\t\t\tactorId: \"user@example.com\",\n\t\t\t\t\t\t\tevent: \"login-success\",\n\t\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\t\torganizationIdentity: \"did:example:org1\"\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\tresponseType: [\n\t\t\t{\n\t\t\t\ttype: nameof<ICreatedResponse>(),\n\t\t\t\texamples: [\n\t\t\t\t\t{\n\t\t\t\t\t\tid: \"authenticationAuditCreateResponseExample\",\n\t\t\t\t\t\tdescription: \"The response for creating an authentication audit entry.\",\n\t\t\t\t\t\tresponse: {\n\t\t\t\t\t\t\tstatusCode: 201,\n\t\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t\t[HeaderTypes.Location]: \"018f0b53d5d5704fa3a06d6ed2478575\"\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t},\n\t\t\t{\n\t\t\t\ttype: nameof<IUnauthorizedResponse>()\n\t\t\t}\n\t\t],\n\t\trequiredScope: [\"user-admin\"]\n\t};\n\n\tconst queryRoute: IRestRoute<IAuditQueryRequest, IAuditQueryResponse> = {\n\t\toperationId: \"authenticationAuditQuery\",\n\t\tsummary: \"Query authentication audit entries\",\n\t\ttag: tagsAuthenticationAudit[0].name,\n\t\tmethod: \"GET\",\n\t\tpath: `${baseRouteName}`,\n\t\thandler: async (httpRequestContext, request) =>\n\t\t\tauthenticationAuditQuery(httpRequestContext, componentName, request),\n\t\trequestType: {\n\t\t\ttype: nameof<IAuditQueryRequest>(),\n\t\t\texamples: [\n\t\t\t\t{\n\t\t\t\t\tid: \"authenticationAuditQueryRequestExample\",\n\t\t\t\t\tdescription: \"The request to query authentication audit entries.\",\n\t\t\t\t\trequest: {\n\t\t\t\t\t\tquery: {\n\t\t\t\t\t\t\tactorId: \"user@example.com\",\n\t\t\t\t\t\t\tevent: \"login-success\",\n\t\t\t\t\t\t\tstartDate: \"2026-01-01T00:00:00.000Z\",\n\t\t\t\t\t\t\tendDate: \"2026-01-31T23:59:59.999Z\",\n\t\t\t\t\t\t\tlimit: \"50\"\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\tresponseType: [\n\t\t\t{\n\t\t\t\ttype: nameof<IAuditQueryResponse>(),\n\t\t\t\texamples: [\n\t\t\t\t\t{\n\t\t\t\t\t\tid: \"authenticationAuditQueryResponseExample\",\n\t\t\t\t\t\tdescription: \"The response for querying authentication audit entries.\",\n\t\t\t\t\t\tresponse: {\n\t\t\t\t\t\t\tbody: {\n\t\t\t\t\t\t\t\tentries: [\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tid: \"018f0b53d5d5704fa3a06d6ed2478575\",\n\t\t\t\t\t\t\t\t\t\tactorId: \"user@example.com\",\n\t\t\t\t\t\t\t\t\t\tdateCreated: \"2026-01-12T09:05:23.123Z\",\n\t\t\t\t\t\t\t\t\t\tevent: \"login-success\",\n\t\t\t\t\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\t\t\t\t\torganizationIdentity: \"did:example:org1\"\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\tcursor: \"next-cursor\"\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t},\n\t\t\t{\n\t\t\t\ttype: nameof<IUnauthorizedResponse>()\n\t\t\t}\n\t\t],\n\t\trequiredScope: [\"user-admin\"]\n\t};\n\n\treturn [createRoute, queryRoute];\n}\n\n/**\n * Create an authentication audit entry.\n * @param httpRequestContext The request context for the API.\n * @param componentName The name of the component to use in the routes.\n * @param request The request.\n * @returns The response object with additional http response properties.\n */\nexport async function authenticationAuditCreate(\n\thttpRequestContext: IHttpRequestContext,\n\tcomponentName: string,\n\trequest: IAuditCreateRequest\n): Promise<ICreatedResponse> {\n\tGuards.object<IAuditCreateRequest>(ROUTES_SOURCE, nameof(request), request);\n\tGuards.object<IAuditCreateRequest[\"body\"]>(ROUTES_SOURCE, nameof(request.body), request.body);\n\n\tconst component = ComponentFactory.get<IAuthenticationAuditComponent>(componentName);\n\tconst id = await component.create(request.body);\n\n\treturn {\n\t\tstatusCode: HttpStatusCode.created,\n\t\theaders: {\n\t\t\t[HeaderTypes.Location]: id\n\t\t}\n\t};\n}\n\n/**\n * Query authentication audit entries.\n * @param httpRequestContext The request context for the API.\n * @param componentName The name of the component to use in the routes.\n * @param request The request.\n * @returns The response object with additional http response properties.\n */\nexport async function authenticationAuditQuery(\n\thttpRequestContext: IHttpRequestContext,\n\tcomponentName: string,\n\trequest: IAuditQueryRequest\n): Promise<IAuditQueryResponse> {\n\tGuards.object<IAuditQueryRequest>(ROUTES_SOURCE, nameof(request), request);\n\n\tconst component = ComponentFactory.get<IAuthenticationAuditComponent>(componentName);\n\tconst result = await component.query(\n\t\t{\n\t\t\tactorId: request.query?.actorId,\n\t\t\torganizationId: request.query?.organizationId,\n\t\t\ttenantId: request.query?.tenantId,\n\t\t\tnodeId: request.query?.nodeId,\n\t\t\tevent: request.query?.event,\n\t\t\tstartDate: request.query?.startDate,\n\t\t\tendDate: request.query?.endDate\n\t\t},\n\t\trequest.query?.cursor,\n\t\tCoerce.integer(request.query?.limit)\n\t);\n\n\treturn {\n\t\tbody: {\n\t\t\tentries: result.entries,\n\t\t\tcursor: result.cursor\n\t\t}\n\t};\n}\n"]}
package/dist/es/schema.js CHANGED
@@ -1,11 +1,15 @@
1
1
  // Copyright 2024 IOTA Stiftung.
2
2
  // SPDX-License-Identifier: Apache-2.0.
3
3
  import { EntitySchemaFactory, EntitySchemaHelper } from "@twin.org/entity";
4
+ import { AuthenticationAuditEntry } from "./entities/authenticationAuditEntry.js";
5
+ import { AuthenticationRateEntry } from "./entities/authenticationRateEntry.js";
4
6
  import { AuthenticationUser } from "./entities/authenticationUser.js";
5
7
  /**
6
8
  * Initialize the schema for the authentication service.
7
9
  */
8
10
  export function initSchema() {
9
11
  EntitySchemaFactory.register("AuthenticationUser", () => EntitySchemaHelper.getSchema(AuthenticationUser));
12
+ EntitySchemaFactory.register("AuthenticationAuditEntry", () => EntitySchemaHelper.getSchema(AuthenticationAuditEntry));
13
+ EntitySchemaFactory.register("AuthenticationRateEntry", () => EntitySchemaHelper.getSchema(AuthenticationRateEntry));
10
14
  }
11
15
  //# sourceMappingURL=schema.js.map