@verisoft/security-core 18.6.0 → 18.7.0

package/.eslintrc.json

@@ -0,0 +1,48 @@
+{
+  "extends": ["../../../../.eslintrc.base.json"],
+  "ignorePatterns": ["!**/*"],
+  "overrides": [
+    {
+      "files": ["*.ts"],
+      "extends": [
+        "plugin:@nx/angular",
+        "plugin:@angular-eslint/template/process-inline-templates"
+      ],
+      "rules": {
+        "@angular-eslint/directive-selector": [
+          "error",
+          {
+            "type": "attribute",
+            "prefix": "",
+            "style": "camelCase"
+          }
+        ],
+        "@angular-eslint/component-selector": [
+          "error",
+          {
+            "type": "element",
+            "prefix": "v-sec",
+            "style": "kebab-case"
+          }
+        ]
+      }
+    },
+    {
+      "files": ["*.html"],
+      "extends": ["plugin:@nx/angular-template"],
+      "rules": {}
+    },
+    {
+      "files": ["*.json"],
+      "parser": "jsonc-eslint-parser",
+      "rules": {
+        "@nx/dependency-checks": [
+          "error",
+          {
+            "ignoredFiles": ["{projectRoot}/eslint.config.{js,cjs,mjs}"]
+          }
+        ]
+      }
+    }
+  ]
+}

package/README.md

@@ -1,7 +1,56 @@
 # security-core
 
-This library was generated with [Nx](https://nx.dev).
+The `security-core` library provides authentication, authorization, and security-related utilities for the Verisoft Frontend workspace.
 
-## Running unit tests
+## Features
 
-Run `nx test security-core` to execute the unit tests.
+- Authentication and authorization helpers
+- Security-related Angular services and guards
+- Shared security interfaces and types
+
+## Installation
+
+This package is intended for internal use within the monorepo. To use it in another library or app, add it as a dependency in your `project.json`:
+
+```json
+"dependencies": {
+  "security-core": "*"
+}
+```
+
+## Usage
+
+Import the required modules, services, or utilities from `security-core`:
+
+```typescript
+import { AuthService } from '@verisoft/security-core';
+```
+
+## Development
+
+### Building
+
+Run the following command to build the library:
+
+```sh
+nx build security-core
+```
+
+### Running Unit Tests
+
+To execute the unit tests for this library:
+
+```sh
+nx test security-core
+```
+
+## Contributing
+
+1. Fork the repository and create your branch from `master`.
+2. Make your changes and add tests if needed.
+3. Run `nx test security-core` to ensure all tests pass.
+4. Submit a pull request.
+
+## License
+
+This project is licensed under the MIT License.

package/jest.config.ts

@@ -0,0 +1,21 @@
+export default {
+  displayName: 'security-core',
+  preset: '../../../../jest.preset.js',
+  setupFilesAfterEnv: ['<rootDir>/src/test-setup.ts'],
+  coverageDirectory: '../../../../coverage/src/libs/security/core',
+  transform: {
+    '^.+\\.(ts|mjs|js|html)$': [
+      'jest-preset-angular',
+      {
+        tsconfig: '<rootDir>/tsconfig.spec.json',
+        stringifyContentPathRegex: '\\.(html|svg)$',
+      },
+    ],
+  },
+  transformIgnorePatterns: ['node_modules/(?!.*\\.mjs$)'],
+  snapshotSerializers: [
+    'jest-preset-angular/build/serializers/no-ng-attributes',
+    'jest-preset-angular/build/serializers/ng-snapshot',
+    'jest-preset-angular/build/serializers/html-comment',
+  ],
+};

package/ng-package.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "../../../../node_modules/ng-packagr/ng-package.schema.json",
+  "dest": "../../../../dist/src/libs/security/core",
+  "lib": {
+    "entryFile": "src/index.ts"
+  }
+}

package/package.json

@@ -1,27 +1,11 @@
-{
-  "name": "@verisoft/security-core",
-  "version": "18.6.0",
-  "peerDependencies": {
-    "@angular/core": "^18.2.0",
-    "rxjs": "~7.8.0",
-    "@angular/router": "18.2.8",
-    "@ngrx/store": "18.0.2"
-  },
-  "sideEffects": false,
-  "module": "fesm2022/verisoft-security-core.mjs",
-  "typings": "index.d.ts",
-  "exports": {
-    "./package.json": {
-      "default": "./package.json"
-    },
-    ".": {
-      "types": "./index.d.ts",
-      "esm2022": "./esm2022/verisoft-security-core.mjs",
-      "esm": "./esm2022/verisoft-security-core.mjs",
-      "default": "./fesm2022/verisoft-security-core.mjs"
-    }
-  },
-  "dependencies": {
-    "tslib": "^2.3.0"
-  }
-}
+{
+  "name": "@verisoft/security-core",
+  "version": "18.7.0",
+  "peerDependencies": {
+    "@angular/core": "^18.2.0",
+    "rxjs": "~7.8.0",
+    "@angular/router": "18.2.8",
+    "@ngrx/store": "18.0.2"
+  },
+  "sideEffects": false
+}

package/project.json

@@ -0,0 +1,36 @@
+{
+  "name": "security-core",
+  "$schema": "../../../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "src/libs/security/core/src",
+  "prefix": "lib",
+  "projectType": "library",
+  "tags": [],
+  "targets": {
+    "build": {
+      "executor": "@nx/angular:package",
+      "outputs": ["{workspaceRoot}/dist/{projectRoot}"],
+      "options": {
+        "project": "src/libs/security/core/ng-package.json"
+      },
+      "configurations": {
+        "production": {
+          "tsConfig": "src/libs/security/core/tsconfig.lib.prod.json"
+        },
+        "development": {
+          "tsConfig": "src/libs/security/core/tsconfig.lib.json"
+        }
+      },
+      "defaultConfiguration": "production"
+    },
+    "test": {
+      "executor": "@nx/jest:jest",
+      "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
+      "options": {
+        "jestConfig": "src/libs/security/core/jest.config.ts"
+      }
+    },
+    "lint": {
+      "executor": "@nx/eslint:lint"
+    }
+  }
+}

package/src/index.ts

@@ -0,0 +1 @@
+export * from './lib';

package/src/lib/directives/has-permission.directive.ts

@@ -0,0 +1,54 @@
+import {
+  Directive,
+  Input,
+  TemplateRef,
+  ViewContainerRef,
+  OnDestroy,
+} from '@angular/core';
+import { distinctUntilChanged, Subscription } from 'rxjs';
+import { AuthContextService } from '../services';
+
+@Directive({
+  standalone: true,
+  selector: '[hasPermission]',
+})
+export class HasPermissionDirective<T> implements OnDestroy {
+  private requiredPermissions: string | string[] = '';
+  private sub?: Subscription;
+
+  constructor(
+    private templateRef: TemplateRef<T>,
+    private viewContainer: ViewContainerRef,
+    private authContext: AuthContextService
+  ) {}
+
+  @Input()
+  set hasPermission(value: string | string[]) {
+    this.requiredPermissions = value;
+    this.updateView();
+  }
+
+  ngOnDestroy(): void {
+    this.unregister();
+  }
+
+  private unregister() {
+    this.sub?.unsubscribe();
+  }
+
+  private updateView(): void {
+    this.unregister();
+    if (this.requiredPermissions || this.requiredPermissions.length) {
+      this.sub = this.authContext
+        .hasRequiredPermission(this.requiredPermissions)
+        .pipe(distinctUntilChanged())
+        .subscribe((hasPerm) => {
+          if (hasPerm) {
+            this.viewContainer.createEmbeddedView(this.templateRef);
+          } else {
+            this.viewContainer.clear();
+          }
+        });
+    }
+  }
+}

package/src/lib/directives/has-role.directive.ts

@@ -0,0 +1,54 @@
+import {
+  Directive,
+  Input,
+  TemplateRef,
+  ViewContainerRef,
+  OnDestroy,
+} from '@angular/core';
+import { distinctUntilChanged, Subscription } from 'rxjs';
+import { AuthContextService } from '../services';
+
+@Directive({
+  standalone: true,
+  selector: '[hasRole]',
+})
+export class HasRoleDirective<T> implements OnDestroy {
+  private requiredRoles: string | string[] | undefined;
+  private sub?: Subscription;
+
+  constructor(
+    private templateRef: TemplateRef<T>,
+    private viewContainer: ViewContainerRef,
+    private authContext: AuthContextService
+  ) {}
+
+  @Input()
+  set hasRole(value: string | string[]) {
+    this.requiredRoles = value;
+    this.updateView();
+  }
+
+  ngOnDestroy(): void {
+    this.unregister();
+  }
+
+  private unregister() {
+    this.sub?.unsubscribe();
+  }
+
+  private updateView(): void {
+    this.unregister();
+    if (this.requiredRoles || this.requiredRoles?.length) {
+      this.sub = this.authContext
+        .hasRequiredRole(this.requiredRoles)
+        .pipe(distinctUntilChanged())
+        .subscribe((hasRole) => {
+          if (hasRole) {
+            this.viewContainer.createEmbeddedView(this.templateRef);
+          } else {
+            this.viewContainer.clear();
+          }
+        });
+    }
+  }
+}

package/{lib/directives/index.d.ts → src/lib/directives/index.ts}

@@ -1,2 +1,2 @@
-export * from './has-permission.directive';
-export * from './has-role.directive';
+export * from './has-permission.directive';
+export * from './has-role.directive';

package/src/lib/guards/auth.guard.ts

@@ -0,0 +1,55 @@
+import { inject, Injectable } from '@angular/core';
+import {
+  ActivatedRouteSnapshot,
+  CanActivate,
+  CanActivateChild,
+  Router,
+  UrlTree,
+} from '@angular/router';
+import { map, Observable, of, switchMap } from 'rxjs';
+import { SecurityConfig } from '../models';
+import { hasRequiredPermission } from '../models/functions';
+import { SECURITY_CONFIG } from '../provider';
+import { AuthContextService } from '../services';
+
+@Injectable({
+  providedIn: 'root',
+})
+export class AuthGuard implements CanActivate, CanActivateChild {
+  private config = inject<SecurityConfig>(SECURITY_CONFIG);
+  private router = inject(Router);
+  private authContext = inject(AuthContextService);
+
+  canActivate(route: ActivatedRouteSnapshot): Observable<boolean | UrlTree> {
+    return this.checkPermissionsAndRolesAndNavigate(route, this.config.notAuthorizedPage);
+  }
+
+  canActivateChild(
+    childRoute: ActivatedRouteSnapshot
+  ): Observable<boolean | UrlTree> {
+    return this.checkPermissionsAndRolesAndNavigate(childRoute, this.config.notAuthorizedPage);
+  }
+
+  private checkPermissionsAndRolesAndNavigate(
+    route: ActivatedRouteSnapshot,
+    notAuthorizedUrl: string | undefined
+  ): Observable<boolean | UrlTree> {
+    const requiredPermissions = route.data['permissions'] as | string | string[] | undefined;
+    const requiredRoles = route.data['roles'] as string | string[] | undefined;
+
+    return this.authContext.user$.pipe(
+      map(
+        (user) => user &&
+          (!requiredPermissions ||
+            hasRequiredPermission(user, requiredPermissions)) &&
+          (!requiredRoles || hasRequiredPermission(user, requiredRoles))
+      ),
+      switchMap((hasPermission) => {
+        if (!hasPermission && notAuthorizedUrl) {
+          return of(this.router.parseUrl(notAuthorizedUrl));
+        }
+        return of(!!hasPermission);
+      })
+    );
+  }
+}

package/{lib/guards/index.d.ts → src/lib/guards/index.ts}

@@ -1 +1 @@
-export * from './auth.guard';
+export * from './auth.guard';

package/{lib/index.d.ts → src/lib/index.ts}

@@ -1,6 +1,6 @@
-export * from './directives';
-export * from './guards';
-export * from './models';
-export * from './services';
-export * from './state';
-export * from './provider';
+export * from './directives';
+export * from './guards';
+export * from './models';
+export * from './services';
+export * from './state';
+export * from './provider';

package/{lib/models/authenticated-user.model.d.ts → src/lib/models/authenticated-user.model.ts}

@@ -1,8 +1,8 @@
-export interface AuthenticatedUser {
-    userId?: string;
-    userName: string;
-    email: string;
-    displayName?: string;
-    roles: string[] | undefined;
-    permissions: string[] | undefined;
-}
+export interface AuthenticatedUser {
+    userId?: string;
+    userName: string;
+    email: string;
+    displayName?: string;
+    roles: string[] | undefined;
+    permissions: string[] | undefined;
+}

package/{lib/models/config.model.d.ts → src/lib/models/config.model.ts}

@@ -1,8 +1,9 @@
-export interface SecurityConfig {
-    tokenStorageKey: string;
-    contextTokenStorageKey?: string;
-    loginPage?: string;
-    logoutPage?: string;
-    notAuthorizedPage?: string;
-    sendTokenHeader?: boolean;
-}
+
+export interface SecurityConfig {
+    tokenStorageKey: string;
+    contextTokenStorageKey?: string;
+    loginPage?: string;
+    logoutPage?: string;
+    notAuthorizedPage?: string;
+    sendTokenHeader?: boolean;
+}

package/src/lib/models/functions.spec.ts

@@ -0,0 +1,159 @@
+import { AuthenticatedUser } from './authenticated-user.model';
+import {
+  convertJWTToUser,
+  hasRequiredPermission,
+  hasRequiredRole,
+} from './functions';
+
+describe('Permissions Utils', () => {
+  let user: AuthenticatedUser;
+
+  beforeEach(() => {
+    user = {
+      userName: 'testUser',
+      email: 'test@email.cz',
+      displayName: 'Test User',
+      permissions: ['READ', 'WRITE', 'DELETE_USER'],
+      roles: ['ADMIN', 'USER'],
+    };
+  });
+
+  describe('hasRequiredPermission', () => {
+    it('should return false if user is undefined', () => {
+      expect(hasRequiredPermission(undefined, 'READ')).toBe(false);
+    });
+
+    it('should return false if user.permissions is undefined', () => {
+      const noPermissionsUser: AuthenticatedUser = {
+        ...user,
+        permissions: undefined,
+      };
+      expect(hasRequiredPermission(noPermissionsUser, 'READ')).toBe(false);
+    });
+
+    it('should return true for a single permission the user has', () => {
+      expect(hasRequiredPermission(user, 'READ')).toBe(true);
+    });
+
+    it('should return false for a single permission the user does not have', () => {
+      expect(hasRequiredPermission(user, 'UNKNOWN')).toBe(false);
+    });
+
+    it('should return true for comma-delimited permissions if user has ALL', () => {
+      expect(hasRequiredPermission(user, 'READ,WRITE')).toBe(true);
+    });
+
+    it('should return false for comma-delimited permissions if missing one', () => {
+      expect(hasRequiredPermission(user, 'READ,UPDATE_USER')).toBe(false);
+    });
+
+    it('should return true if user has ANY of the permissions in the array', () => {
+      expect(hasRequiredPermission(user, ['READ', 'UPDATE_USER'])).toBe(true);
+    });
+
+    it('should return false if user does not have ANY of the permissions in the array', () => {
+      expect(hasRequiredPermission(user, ['UPDATE_USER', 'CREATE_POST'])).toBe(
+        false
+      );
+    });
+  });
+
+  describe('hasRequiredRole', () => {
+    it('should return false if user is undefined', () => {
+      expect(hasRequiredRole(undefined, 'ADMIN')).toBe(false);
+    });
+
+    it('should return false if user.roles is undefined', () => {
+      const noRolesUser: AuthenticatedUser = { ...user, roles: undefined };
+      expect(hasRequiredRole(noRolesUser, 'ADMIN')).toBe(false);
+    });
+
+    it('should return true for a single role the user has', () => {
+      expect(hasRequiredRole(user, 'ADMIN')).toBe(true);
+    });
+
+    it('should return false for a single role the user does not have', () => {
+      expect(hasRequiredRole(user, 'MANAGER')).toBe(false);
+    });
+
+    it('should return true for comma-delimited roles if user has ALL', () => {
+      // user has 'ADMIN' and 'USER'
+      expect(hasRequiredRole(user, 'ADMIN,USER')).toBe(true);
+    });
+
+    it('should return false for comma-delimited roles if missing one', () => {
+      // user has 'ADMIN' and 'USER' but not 'MANAGER'
+      expect(hasRequiredRole(user, 'ADMIN,MANAGER')).toBe(false);
+    });
+
+    it('should return true if user has ANY of the roles in the array', () => {
+      expect(hasRequiredRole(user, ['USER', 'MANAGER'])).toBe(true);
+    });
+
+    it('should return false if user does not have ANY of the roles in the array', () => {
+      expect(hasRequiredRole(user, ['GUEST', 'MANAGER'])).toBe(false);
+    });
+  });
+
+  describe('convertJWTToUser', () => {
+    it('should return undefined if base64Token is undefined', () => {
+      expect(convertJWTToUser(undefined)).toBeUndefined();
+    });
+
+    it('should return undefined if base64Token is invalid', () => {
+      expect(convertJWTToUser('invalid.token')).toBeUndefined();
+    });
+
+    it('should return undefined if payload does not contain userName', () => {
+      const token =
+        btoa('header') + '.' + btoa(JSON.stringify({})) + '.signature';
+      expect(convertJWTToUser(token)).toBeUndefined();
+    });
+
+    it('should return a user object if payload contains userName', () => {
+      const payload = {
+        sub: 'testUser',
+        email: 'test@example.com',
+        name: 'Test User',
+        role: 'ADMIN',
+        permission: 'READ',
+      };
+      const token =
+        btoa('header') + '.' + btoa(JSON.stringify(payload)) + '.signature';
+      const user = convertJWTToUser(token);
+      expect(user).toEqual({
+        userName: 'testUser',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['ADMIN'],
+        permissions: ['READ'],
+      });
+    });
+
+    it('should return a user object if payload contains nameid', () => {
+      const payload = {
+        nameid: 'testUser',
+        email: 'test@example.com',
+        name: 'Test User',
+        role: 'ADMIN',
+        permission: 'READ',
+      };
+      const token =
+        btoa('header') + '.' + btoa(JSON.stringify(payload)) + '.signature';
+      const user = convertJWTToUser(token);
+      expect(user).toEqual({
+        userName: 'testUser',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['ADMIN'],
+        permissions: ['READ'],
+      });
+    });
+
+    it('should return undefined if an error occurs during parsing', () => {
+      const token =
+        btoa('header') + '.' + btoa('invalidPayload') + '.signature';
+      expect(convertJWTToUser(token)).toBeUndefined();
+    });
+  });
+});