@vatts/auth 1.0.1 → 1.0.2-alpha.2

package/dist/client.js

@@ -26,7 +26,7 @@ async function getSession() {
         return data.session || null;
     }
     catch (error) {
-        console.error('[hweb-auth] Error fetching session:', error);
+        console.error('[vatts-auth] Error fetching session:', error);
         return null;
     }
 }
@@ -45,7 +45,7 @@ async function getCsrfToken() {
         return data.csrfToken || null;
     }
     catch (error) {
-        console.error('[hweb-auth] Error fetching CSRF token:', error);
+        console.error('[vatts-auth] Error fetching CSRF token:', error);
         return null;
     }
 }
@@ -64,7 +64,7 @@ async function getProviders() {
         return data.providers || [];
     }
     catch (error) {
-        console.error('[hweb-auth] Error searching for providers:', error);
+        console.error('[vatts-auth] Error searching for providers:', error);
         return null;
     }
 }
@@ -119,7 +119,7 @@ async function signIn(provider = 'credentials', options = {}) {
         }
     }
     catch (error) {
-        console.error('[hweb-auth] Error on signIn:', error);
+        console.error('[vatts-auth] Error on signIn:', error);
         return {
             error: 'Network error',
             status: 500,
@@ -141,6 +141,6 @@ async function signOut(options = {}) {
         }
     }
     catch (error) {
-        console.error('[hweb-auth] Error on signOut:', error);
+        console.error('[vatts-auth] Error on signOut:', error);
     }
 }

package/dist/core.d.ts

@@ -1,6 +1,6 @@
 import { VattsRequest, VattsResponse } from 'vatts';
 import type { AuthConfig, AuthProviderClass, Session } from './types';
-export declare class HWebAuth {
+export declare class VattsAuth {
     private config;
     private sessionManager;
     constructor(config: AuthConfig);

package/dist/core.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HWebAuth = void 0;
+exports.VattsAuth = void 0;
 /*
  * This file is part of the Vatts.js Project.
  * Copyright (c) 2026 itsmuzin
@@ -19,7 +19,7 @@ exports.HWebAuth = void 0;
  */
 const vatts_1 = require("vatts");
 const jwt_1 = require("./jwt");
-class HWebAuth {
+class VattsAuth {
     constructor(config) {
         this.config = {
             session: { strategy: 'jwt', maxAge: 86400, ...config.session },
@@ -48,7 +48,7 @@ class HWebAuth {
     async signIn(providerId, credentials) {
         const provider = this.config.providers.find(p => p.id === providerId);
         if (!provider) {
-            console.error(`[hweb-auth] Provider not found: ${providerId}`);
+            console.error(`[vatts-auth] Provider not found: ${providerId}`);
             return null;
         }
         try {
@@ -76,7 +76,7 @@ class HWebAuth {
             return sessionResult;
         }
         catch (error) {
-            console.error(`[hweb-auth] Error signing in with provider ${providerId}:`, error);
+            console.error(`[vatts-auth] Error signing in with provider ${providerId}:`, error);
             return null;
         }
     }
@@ -93,13 +93,13 @@ class HWebAuth {
                     await provider.handleSignOut();
                 }
                 catch (error) {
-                    console.error(`[hweb-auth] Signout error on provider ${provider.id}:`, error);
+                    console.error(`[vatts-auth] Signout error on provider ${provider.id}:`, error);
                 }
             }
         }
         return vatts_1.VattsResponse
             .json({ success: true })
-            .clearCookie('hweb-auth-token', {
+            .clearCookie('vatts-auth-token', {
             path: '/',
             httpOnly: true,
             secure: this.config.secureCookies || false,
@@ -157,7 +157,7 @@ class HWebAuth {
     createAuthResponse(token, data) {
         return vatts_1.VattsResponse
             .json(data)
-            .cookie('hweb-auth-token', token, {
+            .cookie('vatts-auth-token', token, {
             httpOnly: true,
             secure: this.config.secureCookies || false, // Always secure, even in development
             sameSite: 'strict', // Prevent CSRF attacks
@@ -165,17 +165,21 @@ class HWebAuth {
             path: '/',
             domain: undefined // Let browser set automatically for security
         })
+            // SECURITY: Comprehensive security headers
             .header('X-Content-Type-Options', 'nosniff')
             .header('X-Frame-Options', 'DENY')
             .header('X-XSS-Protection', '1; mode=block')
-            .header('Referrer-Policy', 'strict-origin-when-cross-origin');
+            .header('Referrer-Policy', 'strict-origin-when-cross-origin')
+            .header('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';")
+            .header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
+            .header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
     }
     /**
      * Extrai token da requisição (cookie ou header)
      */
     getTokenFromRequest(req) {
         // Primeiro tenta pegar do cookie
-        const cookieToken = req.cookie('hweb-auth-token');
+        const cookieToken = req.cookie('vatts-auth-token');
         if (cookieToken)
             return cookieToken;
         // Depois tenta do header Authorization
@@ -186,4 +190,4 @@ class HWebAuth {
         return null;
     }
 }
-exports.HWebAuth = HWebAuth;
+exports.VattsAuth = VattsAuth;

package/dist/jwt.js

@@ -23,13 +23,39 @@ exports.SessionManager = exports.JWTManager = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 class JWTManager {
     constructor(secret) {
-        if (!secret && !process.env.HWEB_AUTH_SECRET) {
-            throw new Error('JWT secret is required. Set HWEB_AUTH_SECRET environment variable or provide secret parameter.');
+        if (!secret && !process.env.VATTS_AUTH_SECRET) {
+            throw new Error('JWT secret is required. Set VATTS_AUTH_SECRET environment variable or provide secret parameter.');
         }
-        this.secret = secret || process.env.HWEB_AUTH_SECRET;
+        this.secret = secret || process.env.VATTS_AUTH_SECRET;
+        // SECURITY: Enforce minimum secret length
         if (this.secret.length < 32) {
             throw new Error('JWT secret must be at least 32 characters long for security.');
         }
+        // SECURITY: Warn about weak/common secrets in development
+        const weakSecrets = [
+            'your-secret-key',
+            'vatts-test-secret-key-change-in-production',
+            'secret',
+            'changeme',
+            'password',
+            '12345678',
+            'test-secret',
+            'development-secret'
+        ];
+        if (weakSecrets.some(weak => this.secret.toLowerCase().includes(weak))) {
+            console.warn('\x1b[33m%s\x1b[0m', '⚠️  SECURITY WARNING: You are using a weak/common JWT secret!');
+            console.warn('\x1b[33m%s\x1b[0m', '   This is a CRITICAL security risk in production.');
+            console.warn('\x1b[33m%s\x1b[0m', '   Generate a strong secret: node -e "console.log(require(\'crypto\').randomBytes(64).toString(\'base64\'))"');
+            // SECURITY: Refuse to start in production with weak secret
+            if (process.env.NODE_ENV === 'production') {
+                throw new Error('PRODUCTION: Weak JWT secret detected. Application refused to start for security reasons.');
+            }
+        }
+        // SECURITY: Check for sufficient entropy (basic check)
+        const uniqueChars = new Set(this.secret).size;
+        if (uniqueChars < 16) {
+            console.warn('\x1b[33m%s\x1b[0m', '⚠️  WARNING: JWT secret has low entropy (few unique characters). Consider using a more random secret.');
+        }
     }
     /**
      * Cria um JWT token com validação de algoritmo
@@ -75,13 +101,14 @@ class JWTManager {
             // Validate algorithm in payload matches header
             if (decodedPayload.alg !== 'HS256')
                 return null;
-            // Verifica expiração com margem de erro de 30 segundos
+            // SECURITY: Verifica expiração com margem de erro de 5 segundos (clock skew)
+            // Reduzido de 30s para minimizar janela de replay attacks
             const now = Math.floor(Date.now() / 1000);
-            if (decodedPayload.exp && decodedPayload.exp < (now - 30)) {
+            if (decodedPayload.exp && decodedPayload.exp < (now - 5)) {
                 return null;
             }
-            // Validate issued at time (not too far in future)
-            if (decodedPayload.iat && decodedPayload.iat > (now + 300)) {
+            // SECURITY: Validate issued at time (not too far in future - 60s tolerance)
+            if (decodedPayload.iat && decodedPayload.iat > (now + 60)) {
                 return null;
             }
             return decodedPayload;
@@ -96,11 +123,21 @@ class JWTManager {
         }
         const sanitized = {};
         for (const [key, value] of Object.entries(payload)) {
-            // Skip dangerous properties
+            // SECURITY: Skip dangerous properties that could lead to prototype pollution
             if (key.startsWith('__') || key === 'constructor' || key === 'prototype') {
                 continue;
             }
-            sanitized[key] = value;
+            // SECURITY: Recursively sanitize nested objects to prevent deep prototype pollution
+            if (value && typeof value === 'object' && !Array.isArray(value)) {
+                sanitized[key] = this.sanitizePayload(value);
+            }
+            else if (Array.isArray(value)) {
+                // Sanitize arrays recursively
+                sanitized[key] = value.map(item => (item && typeof item === 'object') ? this.sanitizePayload(item) : item);
+            }
+            else {
+                sanitized[key] = value;
+            }
         }
         return sanitized;
     }
@@ -121,6 +158,11 @@ class JWTManager {
             .replace(/=/g, '');
     }
     base64UrlDecode(str) {
+        // SECURITY: Prevent DoS attacks with extremely large strings
+        // JWT tokens are typically < 4KB, we allow up to 16KB to be safe
+        if (str.length > 16384) {
+            throw new Error('Token too large');
+        }
         str += '='.repeat(4 - str.length % 4);
         return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();
     }

package/dist/providers/credentials.d.ts

@@ -54,7 +54,7 @@ export declare class CredentialsProvider implements AuthProviderClass {
      */
     validateCredentials(credentials: Record<string, string>): boolean;
     /**
-     * Validação simples de email
+     * Validação robusta de email (RFC 5322 simplificado)
      */
     private isValidEmail;
 }

package/dist/providers/credentials.js

@@ -87,11 +87,32 @@ class CredentialsProvider {
         return true;
     }
     /**
-     * Validação simples de email
+     * Validação robusta de email (RFC 5322 simplificado)
      */
     isValidEmail(email) {
-        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-        return emailRegex.test(email);
+        // SECURITY: Validate email length to prevent DoS
+        if (!email || email.length > 320) { // RFC 5321: max 320 chars
+            return false;
+        }
+        // SECURITY: More robust email validation regex
+        // Prevents common bypasses like multiple @, script tags, etc.
+        const emailRegex = /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+        if (!emailRegex.test(email)) {
+            return false;
+        }
+        // SECURITY: Validate parts separately
+        const parts = email.split('@');
+        if (parts.length !== 2)
+            return false;
+        const [local, domain] = parts;
+        if (local.length > 64 || domain.length > 255) { // RFC 5321 limits
+            return false;
+        }
+        // SECURITY: Prevent consecutive dots
+        if (email.includes('..')) {
+            return false;
+        }
+        return true;
     }
 }
 exports.CredentialsProvider = CredentialsProvider;

package/dist/react.js

@@ -50,7 +50,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
             }
         }
         catch (error) {
-            console.error('[hweb-auth] Error fetching session:', error);
+            console.error('[vatts-auth] Error fetching session:', error);
             setSession(null);
             setStatus('unauthenticated');
             return null;
@@ -106,7 +106,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
             }
         }
         catch (error) {
-            console.error('[hweb-auth] Error on signIn:', error);
+            console.error('[vatts-auth] Error on signIn:', error);
             return {
                 error: 'Network error',
                 status: 500,
@@ -133,7 +133,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
             }
         }
         catch (error) {
-            console.error('[hweb-auth] Error on signOut:', error);
+            console.error('[vatts-auth] Error on signOut:', error);
         }
     }, [basePath]);
     // Update session

package/dist/routes.d.ts

@@ -1,6 +1,6 @@
 import { VattsRequest } from 'vatts';
 import type { AuthConfig } from './types';
-import { HWebAuth } from './core';
+import { VattsAuth } from './core';
 /**
  * Cria o handler catch-all para /api/auth/[...value]
  */
@@ -12,5 +12,5 @@ export declare function createAuthRoutes(config: AuthConfig): {
     POST(req: VattsRequest, params: {
         [key: string]: string;
     }): Promise<any>;
-    auth: HWebAuth;
+    auth: VattsAuth;
 };

package/dist/routes.js

@@ -23,7 +23,7 @@ const core_1 = require("./core");
  * Cria o handler catch-all para /api/auth/[...value]
  */
 function createAuthRoutes(config) {
-    const auth = new core_1.HWebAuth(config);
+    const auth = new core_1.VattsAuth(config);
     /**
      * Handler principal que gerencia todas as rotas de auth
      * Uso: /api/auth/[...value].ts
@@ -102,9 +102,10 @@ async function handleSession(req, auth) {
  * Handler para GET /api/auth/csrf
  */
 async function handleCsrf(req) {
-    // Token CSRF simples para proteção
-    const csrfToken = Math.random().toString(36).substring(2, 15) +
-        Math.random().toString(36).substring(2, 15);
+    // SECURITY: Usa crypto.randomBytes para token criptograficamente seguro
+    // 32 bytes = 256 bits de entropia, codificado em base64url (URL-safe)
+    const crypto = await import('crypto');
+    const csrfToken = crypto.randomBytes(32).toString('base64url');
     return vatts_1.VattsResponse.json({ csrfToken });
 }
 /**
@@ -140,7 +141,7 @@ async function handleSignIn(req, auth) {
         });
     }
     catch (error) {
-        console.error('[hweb-auth] Error on handleSignIn:', error);
+        console.error('[vatts-auth] Error on handleSignIn:', error);
         return vatts_1.VattsResponse.json({ error: 'Authentication failed' }, { status: 500 });
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vatts/auth",
-  "version": "1.0.1",
+  "version": "1.0.2-alpha.2",
   "description": "Authentication package for Vatts.js framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -42,7 +42,7 @@
   "peerDependencies": {
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
-    "vatts": "^1.0.1"
+    "vatts": "^1.0.2-alpha.2"
   },
   "peerDependenciesMeta": {
     "react-dom": {