@universis/janitor 1.9.0 → 1.11.0

package/README.md

@@ -82,6 +82,57 @@ Rate limit headers will be available only if the request is made from the same o
 }
 ```
 
+## AppRateLimitService
+
+`AppRateLimitService` is a configurable extension of [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) for limiting service requests based on application settings.
+`AppRateLimitService` is an alternative to `RateLimitService` that allows you to configure rate limits based on container paths instead of service paths. This allows you to configure rate limits for all services in a container.
+
+You can register `AppRateLimitService` under application services:
+
+```json
+{
+    "services": [
+        {
+            "serviceType": "@universis/janitor#RateLimitService",
+            "strategyType": "@universis/janitor#AppRateLimitService"
+        }
+    ]
+}
+```
+
+The configuration should use the same structure as `RateLimitService` but under `settings/universis/rateLimit`:
+
+```json
+    {
+        "settings": {
+            "universis": {
+                "appRateLimit": {
+                    "profiles": [
+                        [
+                            "appRateLimitProfile",
+                            {
+                                "windowMs": 300000,
+                                "limit": 50,
+                                "legacyHeaders": true
+                            }
+                        ]
+                    ],
+                    "paths": [
+                            [
+                                "/api/users/me",
+                                {
+                                    "profile": "appRateLimitProfile"
+                                }
+                            ]
+                        ]
+                }
+            }
+        }
+    }
+```
+
+where paths are the container paths instead of service paths. The `AppRateLimitService` will apply the rate limit to all services in the container that match the path.
+
 
 ## SpeedLimitService
 
@@ -230,6 +281,61 @@ Speed limit headers will be available only if the request is made from the same
 }
 ```
 
+## AppSpeedLimitService
+
+`AppSpeedLimitService` is a configurable extension of [express-slow-down](https://www.npmjs.com/package/express-slow-down) for slowing down service responses based on application settings.
+
+`AppSpeedLimitService` is an alternative to `SpeedLimitService` that allows you to configure speed limits based on container paths instead of service paths. This allows you to configure speed limits for all services in a container.
+
+You can register `AppSpeedLimitService` under application services:
+
+```json
+{
+    "services": [
+        {
+            "serviceType": "@universis/janitor#SpeedLimitService",
+            "strategyType": "@universis/janitor#AppSpeedLimitService"
+        }
+    ]
+}
+```
+
+The configuration should use the same structure as `SpeedLimitService` but under `settings/universis/speedLimit`:
+
+```json
+    {
+        "settings": {
+            "universis": {
+                "appSpeedLimit": {
+                    "profiles": [
+                        [
+                            "appSpeedLimitProfile",
+                            {
+                                "windowMs": 300000,
+                                "delayAfter": 5,
+                                "delayMs": 500,
+                                "maxDelayMs": 20000,
+                                "headers": true
+                            }
+                        ]
+                    ],
+                    "paths": [
+                            [
+                                "/api/users/me",
+                                {
+                                    "profile": "appSpeedLimitProfile"
+                                }
+                            ]
+                        ]
+                }
+            }
+        }
+    }
+```
+
+where paths are the container paths instead of service paths. The `AppSpeedLimitService` will apply the speed limit to all services in the container that match the path.
+
+
 ## ScopeAccessConfiguration
 
 `ScopeAccessConfiguration` is a configurable application configuration strategy for limiting access to service endpoints based on user scopes.

package/dist/index.d.ts

@@ -1,14 +1,49 @@
-import { ApplicationService, ConfigurationStrategy, ConfigurationBase, ApplicationBase } from '@themost/common';
+import * as _themost_common from '@themost/common';
+import { ApplicationService, ApplicationBase, ConfigurationStrategy, ConfigurationBase, HttpForbiddenError, HttpError } from '@themost/common';
+import { Router, Application, Handler, Request as Request$1 } from 'express';
+import { Store, Options } from 'express-rate-limit';
+import { BehaviorSubject } from 'rxjs';
+import { Store as Store$1, Options as Options$1 } from 'express-slow-down';
 import RedisStore from 'rate-limit-redis';
-import { Handler, Request as Request$1 } from 'express';
 import { DataContext } from '@themost/data';
+import BearerStrategy from 'passport-http-bearer';
+import { Authenticator } from 'passport';
+
+declare type RateLimitStoreConstructor = new (...arg: unknown[]) => Store;
+
+declare interface RateLimitServiceConfiguration {
+    extends?: string;
+    storeType?: string;
+    profiles?: [string, Options][];
+    paths?: [string, ({ profile: string } | Options)][];
+}
 
 declare class RateLimitService extends ApplicationService {
+    constructor(app: _themost_common.ApplicationBase);
+    readonly loaded: BehaviorSubject<Router>;
+    getServiceContainer(): BehaviorSubject<Router | Application>;
+    getServiceName(): string;
+    getServiceConfiguration(): RateLimitServiceConfiguration;
+    set(path: string, options: { profile?: string } | Options): this;
+    unset(path: string): this;
+}
 
+declare type SpeedLimitStoreConstructor = new (...arg: unknown[]) => Store$1;
+
+declare interface SpeedLimitServiceConfiguration {
+    extends?: string;
+    storeType?: string;
+    profiles?: Map<string, Options$1>;
+    paths?: Map<string, ({ profile: string } | Options$1)>;
 }
 
 declare class SpeedLimitService extends ApplicationService {
-
+    constructor(app: ApplicationBase);
+    getServiceContainer(): BehaviorSubject<Router | Application>;
+    getServiceName(): string;
+    getServiceConfiguration(): SpeedLimitServiceConfiguration;
+    set(path: string, options: { profile?: string } | Options$1): this;
+    unset(path: string): this;
 }
 
 declare class RedisClientStore extends RedisStore {
@@ -209,5 +244,141 @@ declare class RemoteAddressValidator extends ApplicationService {
 
 }
 
-export { DefaultScopeAccessConfiguration, EnableScopeAccessConfiguration, ExtendScopeAccessConfiguration, OAuth2ClientService, RateLimitService, RedisClientStore, RemoteAddressValidator, ScopeAccessConfiguration, ScopeString, SpeedLimitService, validateScope };
-export type { GenericUser, OAuth2AuthorizeUser, OAuth2MethodOptions, OAuth2ServiceSettings, OAuth2User, OAuth2UserProfile, ScopeAccessConfigurationElement, ScopeAccessConfigurationSection, UniversisConfigurationSection };
+declare class AppRateLimitService extends RateLimitService {
+    constructor(app: _themost_common.ApplicationBase);
+}
+
+declare class AppSpeedLimitService extends SpeedLimitService {
+    constructor(app: _themost_common.ApplicationBase);
+}
+
+declare class HttpBearerTokenRequired extends HttpError {
+    constructor() {
+        super(499, 'A token is required to fulfill the request.');
+        this.code = 'E_TOKEN_REQUIRED';
+        this.title = 'Token Required';
+    }
+}
+
+declare class HttpBearerTokenNotFound extends HttpError {
+    constructor() {
+        super(498, 'Token was not found.');
+        this.code = 'E_TOKEN_NOT_FOUND';
+        this.title = 'Invalid token';
+    }
+}
+
+declare class HttpBearerTokenExpired extends HttpError {
+    constructor() {
+        super(498, 'Token was expired or is in invalid state.');
+        this.code = 'E_TOKEN_EXPIRED';
+        this.title = 'Invalid token';
+    }
+}
+
+declare class HttpAccountDisabled extends HttpForbiddenError {
+    constructor() {
+        super('Access is denied. User account is disabled.');
+        this.code = 'E_ACCOUNT_DISABLED';
+        this.statusCode = 403.2;
+        this.title = 'Disabled account';
+    }
+}
+
+declare class HttpBearerStrategy extends BearerStrategy {
+    constructor() {
+        super({
+        passReqToCallback: true
+        },
+        /**
+         * @param {Request} req
+         * @param {string} token
+         * @param {Function} done
+         */
+        function(req, token, done) {
+            /**
+             * Gets OAuth2 client services
+             * @type {import('./OAuth2ClientService').OAuth2ClientService}
+             */
+            let client = req.context.getApplication().getStrategy(function OAuth2ClientService() {});
+            // if client cannot be found
+            if (client == null) {
+                // throw configuration error
+                return done(new Error('Invalid application configuration. OAuth2 client service cannot be found.'))
+            }
+            if (token == null) {
+                // throw 499 Token Required error
+                return done(new HttpBearerTokenRequired());
+            }
+            // get token info
+            client.getTokenInfo(req.context, token).then(info => {
+                if (info == null) {
+                    // the specified token cannot be found - 498 invalid token with specific code
+                    return done(new HttpBearerTokenNotFound());
+                }
+                // if the given token is not active throw token expired - 498 invalid token with specific code
+                if (!info.active) {
+                    return done(new HttpBearerTokenExpired());
+                }
+                // find user from token info
+                return (function () {
+                    /**
+                     * @type {import('./services/user-provisioning-mapper-service').UserProvisioningMapperService}
+                     */
+                    const mapper = req.context.getApplication().getService(function UserProvisioningMapperService() {});
+                    if (mapper == null) {
+                        return req.context.model('User').where('name').equal(info.username).silent().getItem();
+                    }
+                    return mapper.getUser(req.context, info);
+                })().then((user) => {
+                   // check if userProvisioning service is installed and try to find related user only if user not found
+                    if (user == null) {
+                        /**
+                         * @type {import('./services/user-provisioning-service').UserProvisioningService}
+                         */
+                        const service = req.context.getApplication().getService(function UserProvisioningService() {});
+                        if (service == null) {
+                            return user;
+                        }
+                        return service.validateUser(req.context, info);
+                    }
+                    return user;
+                }).then( user => {
+                    // user cannot be found and of course cannot be authenticated (throw forbidden error)
+                    if (user == null) {
+                        // write access log for forbidden
+                        return done(new HttpForbiddenError());
+                    }
+                    // check if user has enabled attribute
+                    if (Object.prototype.hasOwnProperty.call(user, 'enabled') && !user.enabled) {
+                        //if user.enabled is off throw forbidden error
+                        return done(new HttpAccountDisabled('Access is denied. User account is disabled.'));
+                    }
+                    // otherwise return user data
+                    return done(null, {
+                        'name': user.name,
+                        'authenticationProviderKey': user.id,
+                        'authenticationType':'Bearer',
+                        'authenticationToken': token,
+                        'authenticationScope': info.scope
+                    });
+                });
+            }).catch(err => {
+                // end log token info request with error
+                if (err && err.statusCode === 404) {
+                    // revert 404 not found returned by auth server to 498 invalid token
+                    return done(new HttpBearerTokenNotFound());
+                }
+                // otherwise continue with error
+                return done(err);
+            });
+        });
+    }
+}
+
+declare class PassportService extends ApplicationService {
+    getInstance(): Authenticator
+}
+
+export { AppRateLimitService, AppSpeedLimitService, DefaultScopeAccessConfiguration, EnableScopeAccessConfiguration, ExtendScopeAccessConfiguration, HttpAccountDisabled, HttpBearerStrategy, HttpBearerTokenExpired, HttpBearerTokenNotFound, HttpBearerTokenRequired, OAuth2ClientService, PassportService, RateLimitService, RedisClientStore, RemoteAddressValidator, ScopeAccessConfiguration, ScopeString, SpeedLimitService, validateScope };
+export type { GenericUser, OAuth2AuthorizeUser, OAuth2MethodOptions, OAuth2ServiceSettings, OAuth2User, OAuth2UserProfile, RateLimitServiceConfiguration, RateLimitStoreConstructor, ScopeAccessConfigurationElement, ScopeAccessConfigurationSection, SpeedLimitServiceConfiguration, SpeedLimitStoreConstructor, UniversisConfigurationSection };