@verisoft/security-core 20.0.0 → 20.1.0

package/.eslintrc.json

@@ -0,0 +1,48 @@
+{
+  "extends": ["../../../../.eslintrc.base.json"],
+  "ignorePatterns": ["!**/*"],
+  "overrides": [
+    {
+      "files": ["*.ts"],
+      "extends": [
+        "plugin:@nx/angular",
+        "plugin:@angular-eslint/template/process-inline-templates"
+      ],
+      "rules": {
+        "@angular-eslint/directive-selector": [
+          "error",
+          {
+            "type": "attribute",
+            "prefix": "",
+            "style": "camelCase"
+          }
+        ],
+        "@angular-eslint/component-selector": [
+          "error",
+          {
+            "type": "element",
+            "prefix": "v-sec",
+            "style": "kebab-case"
+          }
+        ]
+      }
+    },
+    {
+      "files": ["*.html"],
+      "extends": ["plugin:@nx/angular-template"],
+      "rules": {}
+    },
+    {
+      "files": ["*.json"],
+      "parser": "jsonc-eslint-parser",
+      "rules": {
+        "@nx/dependency-checks": [
+          "error",
+          {
+            "ignoredFiles": ["{projectRoot}/eslint.config.{js,cjs,mjs}"]
+          }
+        ]
+      }
+    }
+  ]
+}

package/jest.config.ts

@@ -0,0 +1,21 @@
+export default {
+  displayName: 'security-core',
+  preset: '../../../../jest.preset.js',
+  setupFilesAfterEnv: ['<rootDir>/src/test-setup.ts'],
+  coverageDirectory: '../../../../coverage/src/libs/security/core',
+  transform: {
+    '^.+\\.(ts|mjs|js|html)$': [
+      'jest-preset-angular',
+      {
+        tsconfig: '<rootDir>/tsconfig.spec.json',
+        stringifyContentPathRegex: '\\.(html|svg)$',
+      },
+    ],
+  },
+  transformIgnorePatterns: ['node_modules/(?!.*\\.mjs$)'],
+  snapshotSerializers: [
+    'jest-preset-angular/build/serializers/no-ng-attributes',
+    'jest-preset-angular/build/serializers/ng-snapshot',
+    'jest-preset-angular/build/serializers/html-comment',
+  ],
+};

package/ng-package.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "../../../../node_modules/ng-packagr/ng-package.schema.json",
+  "dest": "../../../../dist/src/libs/security/core",
+  "lib": {
+    "entryFile": "src/index.ts"
+  }
+}

package/package.json

@@ -1,25 +1,11 @@
 {
   "name": "@verisoft/security-core",
-  "version": "20.0.0",
+  "version": "20.1.0",
   "peerDependencies": {
     "@angular/core": "~20.2.0",
     "@angular/router": "~20.2.0",
     "@ngrx/store": "~20.0.0",
     "rxjs": "~7.8.0"
   },
-  "sideEffects": false,
-  "module": "fesm2022/verisoft-security-core.mjs",
-  "typings": "index.d.ts",
-  "exports": {
-    "./package.json": {
-      "default": "./package.json"
-    },
-    ".": {
-      "types": "./index.d.ts",
-      "default": "./fesm2022/verisoft-security-core.mjs"
-    }
-  },
-  "dependencies": {
-    "tslib": "^2.3.0"
-  }
-}
+  "sideEffects": false
+}

package/project.json

@@ -0,0 +1,36 @@
+{
+  "name": "security-core",
+  "$schema": "../../../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "src/libs/security/core/src",
+  "prefix": "lib",
+  "projectType": "library",
+  "tags": [],
+  "targets": {
+    "build": {
+      "executor": "@nx/angular:package",
+      "outputs": ["{workspaceRoot}/dist/src/libs/security/core"],
+      "options": {
+        "project": "src/libs/security/core/ng-package.json"
+      },
+      "configurations": {
+        "production": {
+          "tsConfig": "src/libs/security/core/tsconfig.lib.prod.json"
+        },
+        "development": {
+          "tsConfig": "src/libs/security/core/tsconfig.lib.json"
+        }
+      },
+      "defaultConfiguration": "production"
+    },
+    "test": {
+      "executor": "@nx/jest:jest",
+      "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
+      "options": {
+        "jestConfig": "src/libs/security/core/jest.config.ts"
+      }
+    },
+    "lint": {
+      "executor": "@nx/eslint:lint"
+    }
+  }
+}

package/src/index.ts

@@ -0,0 +1 @@
+export * from './lib';

package/src/lib/directives/has-permission.directive.ts

@@ -0,0 +1,54 @@
+import {
+  Directive,
+  Input,
+  TemplateRef,
+  ViewContainerRef,
+  OnDestroy,
+} from '@angular/core';
+import { distinctUntilChanged, Subscription } from 'rxjs';
+import { AuthContextService } from '../services';
+
+@Directive({
+  standalone: true,
+  selector: '[hasPermission]',
+})
+export class HasPermissionDirective<T> implements OnDestroy {
+  private requiredPermissions: string | string[] = '';
+  private sub?: Subscription;
+
+  constructor(
+    private templateRef: TemplateRef<T>,
+    private viewContainer: ViewContainerRef,
+    private authContext: AuthContextService
+  ) {}
+
+  @Input()
+  set hasPermission(value: string | string[]) {
+    this.requiredPermissions = value;
+    this.updateView();
+  }
+
+  ngOnDestroy(): void {
+    this.unregister();
+  }
+
+  private unregister() {
+    this.sub?.unsubscribe();
+  }
+
+  private updateView(): void {
+    this.unregister();
+    if (this.requiredPermissions || this.requiredPermissions.length) {
+      this.sub = this.authContext
+        .hasRequiredPermission(this.requiredPermissions)
+        .pipe(distinctUntilChanged())
+        .subscribe((hasPerm) => {
+          if (hasPerm) {
+            this.viewContainer.createEmbeddedView(this.templateRef);
+          } else {
+            this.viewContainer.clear();
+          }
+        });
+    }
+  }
+}

package/src/lib/directives/has-role.directive.ts

@@ -0,0 +1,54 @@
+import {
+  Directive,
+  Input,
+  TemplateRef,
+  ViewContainerRef,
+  OnDestroy,
+} from '@angular/core';
+import { distinctUntilChanged, Subscription } from 'rxjs';
+import { AuthContextService } from '../services';
+
+@Directive({
+  standalone: true,
+  selector: '[hasRole]',
+})
+export class HasRoleDirective<T> implements OnDestroy {
+  private requiredRoles: string | string[] | undefined;
+  private sub?: Subscription;
+
+  constructor(
+    private templateRef: TemplateRef<T>,
+    private viewContainer: ViewContainerRef,
+    private authContext: AuthContextService
+  ) {}
+
+  @Input()
+  set hasRole(value: string | string[]) {
+    this.requiredRoles = value;
+    this.updateView();
+  }
+
+  ngOnDestroy(): void {
+    this.unregister();
+  }
+
+  private unregister() {
+    this.sub?.unsubscribe();
+  }
+
+  private updateView(): void {
+    this.unregister();
+    if (this.requiredRoles || this.requiredRoles?.length) {
+      this.sub = this.authContext
+        .hasRequiredRole(this.requiredRoles)
+        .pipe(distinctUntilChanged())
+        .subscribe((hasRole) => {
+          if (hasRole) {
+            this.viewContainer.createEmbeddedView(this.templateRef);
+          } else {
+            this.viewContainer.clear();
+          }
+        });
+    }
+  }
+}

package/src/lib/directives/index.ts

@@ -0,0 +1,2 @@
+export * from './has-permission.directive';
+export * from './has-role.directive';

package/src/lib/guards/auth.guard.ts

@@ -0,0 +1,55 @@
+import { inject, Injectable } from '@angular/core';
+import {
+  ActivatedRouteSnapshot,
+  CanActivate,
+  CanActivateChild,
+  Router,
+  UrlTree,
+} from '@angular/router';
+import { map, Observable, of, switchMap } from 'rxjs';
+import { SecurityConfig } from '../models';
+import { hasRequiredPermission } from '../models/functions';
+import { SECURITY_CONFIG } from '../provider';
+import { AuthContextService } from '../services';
+
+@Injectable({
+  providedIn: 'root',
+})
+export class AuthGuard implements CanActivate, CanActivateChild {
+  private config = inject<SecurityConfig>(SECURITY_CONFIG);
+  private router = inject(Router);
+  private authContext = inject(AuthContextService);
+
+  canActivate(route: ActivatedRouteSnapshot): Observable<boolean | UrlTree> {
+    return this.checkPermissionsAndRolesAndNavigate(route, this.config.notAuthorizedPage);
+  }
+
+  canActivateChild(
+    childRoute: ActivatedRouteSnapshot
+  ): Observable<boolean | UrlTree> {
+    return this.checkPermissionsAndRolesAndNavigate(childRoute, this.config.notAuthorizedPage);
+  }
+
+  private checkPermissionsAndRolesAndNavigate(
+    route: ActivatedRouteSnapshot,
+    notAuthorizedUrl: string | undefined
+  ): Observable<boolean | UrlTree> {
+    const requiredPermissions = route.data['permissions'] as | string | string[] | undefined;
+    const requiredRoles = route.data['roles'] as string | string[] | undefined;
+
+    return this.authContext.user$.pipe(
+      map(
+        (user) => user &&
+          (!requiredPermissions ||
+            hasRequiredPermission(user, requiredPermissions)) &&
+          (!requiredRoles || hasRequiredPermission(user, requiredRoles))
+      ),
+      switchMap((hasPermission) => {
+        if (!hasPermission && notAuthorizedUrl) {
+          return of(this.router.parseUrl(notAuthorizedUrl));
+        }
+        return of(!!hasPermission);
+      })
+    );
+  }
+}

package/src/lib/guards/index.ts

@@ -0,0 +1 @@
+export * from './auth.guard';

package/src/lib/index.ts

@@ -0,0 +1,6 @@
+export * from './directives';
+export * from './guards';
+export * from './models';
+export * from './services';
+export * from './state';
+export * from './provider';

package/src/lib/models/authenticated-user.model.ts

@@ -0,0 +1,8 @@
+export interface AuthenticatedUser {
+    userId?: string;
+    userName: string;
+    email: string;
+    displayName?: string;
+    roles: string[] | undefined;
+    permissions: string[] | undefined;
+}

package/src/lib/models/config.model.ts

@@ -0,0 +1,9 @@
+
+export interface SecurityConfig {
+    tokenStorageKey: string;
+    contextTokenStorageKey?: string;
+    loginPage?: string;
+    logoutPage?: string;
+    notAuthorizedPage?: string;
+    sendTokenHeader?: boolean;
+}

package/src/lib/models/functions.spec.ts

@@ -0,0 +1,159 @@
+import { AuthenticatedUser } from './authenticated-user.model';
+import {
+  convertJWTToUser,
+  hasRequiredPermission,
+  hasRequiredRole,
+} from './functions';
+
+describe('Permissions Utils', () => {
+  let user: AuthenticatedUser;
+
+  beforeEach(() => {
+    user = {
+      userName: 'testUser',
+      email: 'test@email.cz',
+      displayName: 'Test User',
+      permissions: ['READ', 'WRITE', 'DELETE_USER'],
+      roles: ['ADMIN', 'USER'],
+    };
+  });
+
+  describe('hasRequiredPermission', () => {
+    it('should return false if user is undefined', () => {
+      expect(hasRequiredPermission(undefined, 'READ')).toBe(false);
+    });
+
+    it('should return false if user.permissions is undefined', () => {
+      const noPermissionsUser: AuthenticatedUser = {
+        ...user,
+        permissions: undefined,
+      };
+      expect(hasRequiredPermission(noPermissionsUser, 'READ')).toBe(false);
+    });
+
+    it('should return true for a single permission the user has', () => {
+      expect(hasRequiredPermission(user, 'READ')).toBe(true);
+    });
+
+    it('should return false for a single permission the user does not have', () => {
+      expect(hasRequiredPermission(user, 'UNKNOWN')).toBe(false);
+    });
+
+    it('should return true for comma-delimited permissions if user has ALL', () => {
+      expect(hasRequiredPermission(user, 'READ,WRITE')).toBe(true);
+    });
+
+    it('should return false for comma-delimited permissions if missing one', () => {
+      expect(hasRequiredPermission(user, 'READ,UPDATE_USER')).toBe(false);
+    });
+
+    it('should return true if user has ANY of the permissions in the array', () => {
+      expect(hasRequiredPermission(user, ['READ', 'UPDATE_USER'])).toBe(true);
+    });
+
+    it('should return false if user does not have ANY of the permissions in the array', () => {
+      expect(hasRequiredPermission(user, ['UPDATE_USER', 'CREATE_POST'])).toBe(
+        false
+      );
+    });
+  });
+
+  describe('hasRequiredRole', () => {
+    it('should return false if user is undefined', () => {
+      expect(hasRequiredRole(undefined, 'ADMIN')).toBe(false);
+    });
+
+    it('should return false if user.roles is undefined', () => {
+      const noRolesUser: AuthenticatedUser = { ...user, roles: undefined };
+      expect(hasRequiredRole(noRolesUser, 'ADMIN')).toBe(false);
+    });
+
+    it('should return true for a single role the user has', () => {
+      expect(hasRequiredRole(user, 'ADMIN')).toBe(true);
+    });
+
+    it('should return false for a single role the user does not have', () => {
+      expect(hasRequiredRole(user, 'MANAGER')).toBe(false);
+    });
+
+    it('should return true for comma-delimited roles if user has ALL', () => {
+      // user has 'ADMIN' and 'USER'
+      expect(hasRequiredRole(user, 'ADMIN,USER')).toBe(true);
+    });
+
+    it('should return false for comma-delimited roles if missing one', () => {
+      // user has 'ADMIN' and 'USER' but not 'MANAGER'
+      expect(hasRequiredRole(user, 'ADMIN,MANAGER')).toBe(false);
+    });
+
+    it('should return true if user has ANY of the roles in the array', () => {
+      expect(hasRequiredRole(user, ['USER', 'MANAGER'])).toBe(true);
+    });
+
+    it('should return false if user does not have ANY of the roles in the array', () => {
+      expect(hasRequiredRole(user, ['GUEST', 'MANAGER'])).toBe(false);
+    });
+  });
+
+  describe('convertJWTToUser', () => {
+    it('should return undefined if base64Token is undefined', () => {
+      expect(convertJWTToUser(undefined)).toBeUndefined();
+    });
+
+    it('should return undefined if base64Token is invalid', () => {
+      expect(convertJWTToUser('invalid.token')).toBeUndefined();
+    });
+
+    it('should return undefined if payload does not contain userName', () => {
+      const token =
+        btoa('header') + '.' + btoa(JSON.stringify({})) + '.signature';
+      expect(convertJWTToUser(token)).toBeUndefined();
+    });
+
+    it('should return a user object if payload contains userName', () => {
+      const payload = {
+        sub: 'testUser',
+        email: 'test@example.com',
+        name: 'Test User',
+        role: 'ADMIN',
+        permission: 'READ',
+      };
+      const token =
+        btoa('header') + '.' + btoa(JSON.stringify(payload)) + '.signature';
+      const user = convertJWTToUser(token);
+      expect(user).toEqual({
+        userName: 'testUser',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['ADMIN'],
+        permissions: ['READ'],
+      });
+    });
+
+    it('should return a user object if payload contains nameid', () => {
+      const payload = {
+        nameid: 'testUser',
+        email: 'test@example.com',
+        name: 'Test User',
+        role: 'ADMIN',
+        permission: 'READ',
+      };
+      const token =
+        btoa('header') + '.' + btoa(JSON.stringify(payload)) + '.signature';
+      const user = convertJWTToUser(token);
+      expect(user).toEqual({
+        userName: 'testUser',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['ADMIN'],
+        permissions: ['READ'],
+      });
+    });
+
+    it('should return undefined if an error occurs during parsing', () => {
+      const token =
+        btoa('header') + '.' + btoa('invalidPayload') + '.signature';
+      expect(convertJWTToUser(token)).toBeUndefined();
+    });
+  });
+});

package/src/lib/models/functions.ts

@@ -0,0 +1,103 @@
+import { AuthenticatedUser } from './authenticated-user.model';
+
+export function hasRequiredPermission(
+  user: AuthenticatedUser | undefined,
+  permission: string | string[]
+): boolean {
+  return hasItems(user?.permissions, permission);
+}
+
+export function hasRequiredRole(
+  user: AuthenticatedUser | undefined,
+  role: string | string[]
+): boolean {
+  return hasItems(user?.roles, role);
+}
+
+function hasItems(
+  userItems: string[] | undefined,
+  neededItems: string | string[]
+): boolean {
+  if (!neededItems || !neededItems.length) {
+    return true;
+  }
+
+  if (!userItems || !userItems.length) {
+    return false;
+  }
+
+  const userItemsSet = new Set(userItems);
+  if (Array.isArray(neededItems)) {
+    return neededItems.some((item) => hasItems(userItems, item));
+  }
+
+  if (neededItems.includes(',')) {
+    const splitItems = neededItems.split(',').map((i) => i.trim());
+    return splitItems.every((i) => userItemsSet.has(i));
+  }
+
+  return userItemsSet.has(neededItems);
+}
+
+export function convertJWTToUser(
+  base64Token?: string
+): AuthenticatedUser | undefined {
+  if (!base64Token) {
+    return undefined;
+  }
+
+  try {
+    const parts = base64Token.split('.');
+    if (parts.length < 2) {
+      return undefined;
+    }
+    const payload = decodeJwtPayload(parts[1]);
+
+    const userName = payload['unique_name'] ?? payload['nameid'];
+    if (!userName) {
+      return undefined;
+    }
+
+    const user: AuthenticatedUser = {
+      userName,
+      userId: payload['nameid'],
+      email: payload['email'],
+      displayName: payload['name'],
+      roles: convertToArray(payload, 'role'),
+      permissions: convertToArray(payload, 'permission'),
+    };
+
+    return user;
+  } catch (error) {
+    return undefined;
+  }
+}
+
+export function decodeJwtPayload(jwt: string): any {
+  const base64 = jwt.replace(/-/g, '+').replace(/_/g, '/');
+
+  const jsonPayload = decodeURIComponent(
+    atob(base64)
+      .split('')
+      .map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'))
+      .join('')
+  );
+
+  return JSON.parse(jsonPayload);
+}
+
+function convertToArray(
+  item: { [key: string]: string | string[] },
+  propertyName: string
+): string[] | undefined {
+  const rawValue = item[propertyName];
+  if (!rawValue) {
+    return undefined;
+  }
+
+  if (Array.isArray(rawValue)) {
+    return rawValue;
+  }
+
+  return [rawValue];
+}

package/src/lib/models/index.ts

@@ -0,0 +1,3 @@
+export * from './authenticated-user.model';
+export * from './functions';
+export * from './config.model';

package/src/lib/provider.ts

@@ -0,0 +1,52 @@
+import { EnvironmentProviders, InjectionToken, ModuleWithProviders, NgModule, Provider, inject, provideAppInitializer } from '@angular/core';
+import { Router } from '@angular/router';
+import { StoreModule } from '@ngrx/store';
+import { AuthGuard } from './guards';
+import { SecurityConfig } from './models';
+import {
+  AuthContextService,
+  LocalStorageTokenProvider,
+  securityInitializerFactory,
+  TokenProvider,
+} from './services';
+import { SecurityFeature } from './state/feature';
+
+export function provideSecurity(
+  config: Partial<SecurityConfig> | undefined = undefined
+): (Provider | EnvironmentProviders)[] {
+  const securityConfig: SecurityConfig = {
+    tokenStorageKey: 'APP_TOKEN',
+    notAuthorizedPage: '/not-authorized',
+    ...(config ?? {}),
+  };
+  return [
+    AuthGuard,
+    SECURITY_INITIALIZER_PROVIDER,
+    { provide: SECURITY_CONTEXT_TOKEN_PROVIDER, useClass: LocalStorageTokenProvider },
+    { provide: SECURITY_CONFIG, useValue: securityConfig },
+  ];
+}
+
+@NgModule({
+  imports: [StoreModule.forFeature(SecurityFeature)],
+})
+export class SecurityModule {
+  static forRoot(
+    config?: Partial<SecurityConfig>
+  ): ModuleWithProviders<SecurityModule> {
+    return {
+      ngModule: SecurityModule,
+      providers: [...provideSecurity(config)],
+    };
+  }
+}
+
+export const SECURITY_CONTEXT_TOKEN_PROVIDER = new InjectionToken('SECURITY_CONTEXT_TOKEN_PROVIDER');
+
+export const SECURITY_CONFIG = new InjectionToken('SECURITY_CONFIG');
+
+
+export const SECURITY_INITIALIZER_PROVIDER: EnvironmentProviders = provideAppInitializer(() => {
+  const initializerFn = (securityInitializerFactory)(inject<TokenProvider>(SECURITY_CONTEXT_TOKEN_PROVIDER), inject(AuthContextService), inject<SecurityConfig>(SECURITY_CONFIG), inject(Router));
+  return initializerFn();
+});