@xtaskjs/security 1.0.0 → 1.0.2

package/dist/types.d.ts

@@ -0,0 +1,76 @@
+import type { Container } from "@xtaskjs/core";
+export type SecurityStrategyKind = "jwt" | "jwe";
+export type SecurityRoleMatchingMode = "any" | "all";
+export type SecurityTokenExtractor = (request: any) => string | null | undefined;
+export type SecurityRoleExtractor = (payload: Record<string, any>, user: any) => string[] | undefined;
+export interface SecurityValidationContext {
+    request: any;
+    response?: any;
+    token: string;
+    strategyName: string;
+    kind: SecurityStrategyKind;
+    container?: Container;
+}
+export type SecurityValidateFn = (payload: Record<string, any>, context: SecurityValidationContext) => any | false | Promise<any | false>;
+interface BaseSecurityStrategyOptions {
+    name?: string;
+    default?: boolean;
+    jwtFromRequest?: SecurityTokenExtractor;
+    extractRoles?: SecurityRoleExtractor;
+    validate?: SecurityValidateFn;
+}
+export interface JwtSecurityStrategyOptions extends BaseSecurityStrategyOptions {
+    kind?: "jwt";
+    secretOrKey?: any;
+    secretOrKeyProvider?: any;
+    issuer?: string | string[];
+    audience?: string | string[];
+    algorithms?: string[];
+    ignoreExpiration?: boolean;
+    jsonWebTokenOptions?: Record<string, any>;
+    passReqToCallback?: boolean;
+}
+export interface JweSecurityStrategyOptions extends BaseSecurityStrategyOptions {
+    kind?: "jwe";
+    decryptionKey?: any;
+    resolveDecryptionKey?: () => any | Promise<any>;
+    issuer?: string | string[];
+    audience?: string | string[];
+    clockTolerance?: number | string;
+}
+export type SecurityStrategyOptions = JwtSecurityStrategyOptions | JweSecurityStrategyOptions;
+export interface RegisteredJwtSecurityStrategyOptions extends JwtSecurityStrategyOptions {
+    kind: "jwt";
+    name: string;
+}
+export interface RegisteredJweSecurityStrategyOptions extends JweSecurityStrategyOptions {
+    kind: "jwe";
+    name: string;
+}
+export type RegisteredSecurityStrategyOptions = RegisteredJwtSecurityStrategyOptions | RegisteredJweSecurityStrategyOptions;
+export interface ResolvedSecurityMetadata {
+    allowAnonymous: boolean;
+    strategies: string[];
+    roles: string[];
+    roleMode: SecurityRoleMatchingMode;
+}
+export interface AuthenticatedOptions {
+    strategies?: string | string[];
+}
+export interface RolesOptions {
+    roles: string[];
+    mode?: SecurityRoleMatchingMode;
+    strategies?: string | string[];
+}
+export interface SecurityAuthenticationResult {
+    success: boolean;
+    statusCode?: number;
+    challenge?: any;
+    strategy?: string;
+    token?: string;
+    user?: any;
+    claims?: Record<string, any>;
+    roles: string[];
+    info?: any;
+}
+export {};

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xtaskjs/security",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "xtaskjs security integration package",
   "author": "Javier Rodriguez Soler",
   "homepage": "https://xtaskjs.com",
@@ -13,8 +13,14 @@
       "default": "./dist/index.js"
     }
   },
+  "files": [
+    "dist",
+    "README.md",
+    "CHANGELOG.md"
+  ],
   "scripts": {
-    "build": "rm -rf dist && tsc",
+    "build": "npm run build --prefix ../core && rm -rf dist && tsc",
+    "prepack": "npm run build",
     "test": "jest --passWithNoTests",
     "test:coverage": "jest --coverage --runInBand",
     "coverage:open": "xdg-open coverage/lcov-report/index.html"
@@ -33,8 +39,8 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@xtaskjs/common": "^1.0.13",
-    "@xtaskjs/core": "^1.0.13",
+    "@xtaskjs/common": "^1.0.16",
+    "@xtaskjs/core": "^1.0.16",
     "passport": "^0.7.0",
     "passport-jwt": "^4.0.1",
     "passport-strategy": "^1.0.0"
@@ -52,4 +58,4 @@
     "tsconfig-paths": "^4.2.0",
     "typescript": "^5.9.2"
   }
-}
+}

package/babel.config.js

@@ -1,3 +0,0 @@
-module.exports = {
-  presets: ["next/babel"],
-};

package/index.ts

@@ -1 +0,0 @@
-export * from "./src";

package/jest.config.js

@@ -1,18 +0,0 @@
-/** @type {import("jest").Config} **/
-module.exports = {
-  testEnvironment: "node",
-  transform: {
-    "^.+\\.tsx?$": [
-      "ts-jest",
-      {
-        tsconfig: "<rootDir>/tsconfig.test.json",
-      },
-    ],
-  },
-  moduleNameMapper: {
-    "^@xtaskjs/common$": "<rootDir>/../common/src/index.ts",
-    "^@xtaskjs/common/(.*)$": "<rootDir>/../common/src/$1",
-    "^@xtaskjs/core$": "<rootDir>/../core/src/index.ts",
-    "^@xtaskjs/core/(.*)$": "<rootDir>/../core/src/$1"
-  },
-};

package/src/authentication.ts

@@ -1,27 +0,0 @@
-import { RouteExecutionContext } from "@xtaskjs/common";
-import { UnauthorizedError } from "@xtaskjs/core";
-import { getSecurityLifecycleManager } from "./lifecycle";
-import { SecurityAuthenticationResult } from "./types";
-
-export class SecurityAuthenticationService {
-  async authenticate(
-    context: RouteExecutionContext,
-    strategyNames?: string | string[]
-  ): Promise<SecurityAuthenticationResult> {
-    const result = await getSecurityLifecycleManager().authenticateContext(context, strategyNames);
-    if (!result.success) {
-      throw new UnauthorizedError(result.challenge?.message || "Unauthorized", {
-        message: result.challenge?.message || "Unauthorized",
-      });
-    }
-    return result;
-  }
-
-  async authenticateRequest(
-    request: any,
-    response?: any,
-    strategyNames?: string | string[]
-  ): Promise<SecurityAuthenticationResult> {
-    return getSecurityLifecycleManager().authenticateRequest(request, response, strategyNames);
-  }
-}

package/src/authorization.ts

@@ -1,66 +0,0 @@
-import { RouteAuthenticationContext, RouteExecutionContext } from "@xtaskjs/common";
-import { SecurityRoleMatchingMode } from "./types";
-
-const normalizeRoles = (input: unknown): string[] => {
-  if (Array.isArray(input)) {
-    return input
-      .map((value) => String(value || "").trim())
-      .filter((value) => value.length > 0);
-  }
-
-  if (typeof input === "string") {
-    return input
-      .split(/[\s,]+/)
-      .map((value) => value.trim())
-      .filter((value) => value.length > 0);
-  }
-
-  return [];
-};
-
-export class SecurityAuthorizationService {
-  getRoles(source: RouteExecutionContext | RouteAuthenticationContext | any): string[] {
-    if (!source) {
-      return [];
-    }
-
-    if (Array.isArray(source.roles)) {
-      return normalizeRoles(source.roles);
-    }
-
-    if (source.auth && Array.isArray(source.auth.roles)) {
-      return normalizeRoles(source.auth.roles);
-    }
-
-    if (Array.isArray(source.user?.roles) || typeof source.user?.roles === "string") {
-      return normalizeRoles(source.user.roles);
-    }
-
-    if (Array.isArray(source.claims?.roles) || typeof source.claims?.roles === "string") {
-      return normalizeRoles(source.claims.roles);
-    }
-
-    if (typeof source.claims?.scope === "string") {
-      return normalizeRoles(source.claims.scope);
-    }
-
-    return [];
-  }
-
-  isAuthorized(
-    source: RouteExecutionContext | RouteAuthenticationContext | any,
-    requiredRoles: string[],
-    mode: SecurityRoleMatchingMode = "any"
-  ): boolean {
-    if (requiredRoles.length === 0) {
-      return true;
-    }
-
-    const grantedRoles = new Set(this.getRoles(source));
-    if (mode === "all") {
-      return requiredRoles.every((role) => grantedRoles.has(role));
-    }
-
-    return requiredRoles.some((role) => grantedRoles.has(role));
-  }
-}

package/src/configuration.ts

@@ -1,90 +0,0 @@
-import {
-  JweSecurityStrategyOptions,
-  JwtSecurityStrategyOptions,
-  RegisteredJweSecurityStrategyOptions,
-  RegisteredJwtSecurityStrategyOptions,
-  RegisteredSecurityStrategyOptions,
-} from "./types";
-
-const DEFAULT_STRATEGY_NAME = "default";
-const registeredStrategies = new Map<string, RegisteredSecurityStrategyOptions>();
-
-const resolveStrategyName = (
-  kind: RegisteredSecurityStrategyOptions["kind"],
-  requestedName?: string
-): string => {
-  if (typeof requestedName === "string" && requestedName.trim().length > 0) {
-    return requestedName.trim();
-  }
-
-  if (!registeredStrategies.has(DEFAULT_STRATEGY_NAME)) {
-    return DEFAULT_STRATEGY_NAME;
-  }
-
-  return `${kind}-${registeredStrategies.size + 1}`;
-};
-
-export const registerJwtStrategy = (
-  options: JwtSecurityStrategyOptions
-): RegisteredJwtSecurityStrategyOptions => {
-  const name = resolveStrategyName("jwt", options.name);
-  const definition: RegisteredJwtSecurityStrategyOptions = {
-    ...options,
-    kind: "jwt",
-    name,
-  };
-  registeredStrategies.set(name, definition);
-  return definition;
-};
-
-export const registerJweStrategy = (
-  options: JweSecurityStrategyOptions
-): RegisteredJweSecurityStrategyOptions => {
-  const name = resolveStrategyName("jwe", options.name);
-  const definition: RegisteredJweSecurityStrategyOptions = {
-    ...options,
-    kind: "jwe",
-    name,
-  };
-  registeredStrategies.set(name, definition);
-  return definition;
-};
-
-export const getRegisteredSecurityStrategies = (): RegisteredSecurityStrategyOptions[] => {
-  return Array.from(registeredStrategies.values());
-};
-
-export const clearRegisteredSecurityStrategies = (): void => {
-  registeredStrategies.clear();
-};
-
-export const getDefaultSecurityStrategyName = (): string | undefined => {
-  const explicitDefault = Array.from(registeredStrategies.values()).find(
-    (definition) => definition.default === true
-  );
-  if (explicitDefault) {
-    return explicitDefault.name;
-  }
-
-  if (registeredStrategies.size === 1) {
-    return Array.from(registeredStrategies.keys())[0];
-  }
-
-  if (registeredStrategies.has(DEFAULT_STRATEGY_NAME)) {
-    return DEFAULT_STRATEGY_NAME;
-  }
-
-  return undefined;
-};
-
-export const JwtSecurityStrategy = (options: JwtSecurityStrategyOptions): ClassDecorator => {
-  return () => {
-    registerJwtStrategy(options);
-  };
-};
-
-export const JweSecurityStrategy = (options: JweSecurityStrategyOptions): ClassDecorator => {
-  return () => {
-    registerJweStrategy(options);
-  };
-};

package/src/decorators.ts

@@ -1,79 +0,0 @@
-import { UseGuards } from "@xtaskjs/common";
-import { authenticationGuard, authorizationGuard } from "./guards";
-import {
-  normalizeStrategies,
-  setAllowAnonymousMetadata,
-  setAuthenticatedMetadata,
-  setRolesMetadata,
-} from "./metadata";
-import { AuthenticatedOptions, RolesOptions } from "./types";
-
-const applyDecorator = (
-  decorator: MethodDecorator & ClassDecorator,
-  target: any,
-  propertyKey?: string | symbol,
-  descriptor?: PropertyDescriptor
-): void => {
-  if (propertyKey === undefined) {
-    decorator(target);
-    return;
-  }
-
-  decorator(target, propertyKey, descriptor!);
-};
-
-const normalizeAuthenticatedOptions = (
-  value?: string | string[] | AuthenticatedOptions
-): AuthenticatedOptions => {
-  if (!value) {
-    return {};
-  }
-
-  if (typeof value === "string" || Array.isArray(value)) {
-    return { strategies: value };
-  }
-
-  return value;
-};
-
-export const Authenticated = (
-  value?: string | string[] | AuthenticatedOptions
-): MethodDecorator & ClassDecorator => {
-  const options = normalizeAuthenticatedOptions(value);
-  const strategies = normalizeStrategies(options.strategies);
-  const guardDecorator = UseGuards(authenticationGuard);
-
-  return (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => {
-    setAuthenticatedMetadata(target, propertyKey, strategies);
-    applyDecorator(guardDecorator, target, propertyKey, descriptor);
-  };
-};
-
-export const Auth = Authenticated;
-
-const normalizeRolesOptions = (value: RolesOptions | string, roles: string[]): RolesOptions => {
-  if (typeof value === "string") {
-    return { roles: [value, ...roles] };
-  }
-
-  return value;
-};
-
-export const Roles = (
-  value: RolesOptions | string,
-  ...roles: string[]
-): MethodDecorator & ClassDecorator => {
-  const options = normalizeRolesOptions(value, roles);
-  const guardDecorator = UseGuards(authorizationGuard);
-
-  return (target: any, propertyKey?: string | symbol, descriptor?: PropertyDescriptor) => {
-    setRolesMetadata(target, propertyKey, options);
-    applyDecorator(guardDecorator, target, propertyKey, descriptor);
-  };
-};
-
-export const AllowAnonymous = (): MethodDecorator & ClassDecorator => {
-  return (target: any, propertyKey?: string | symbol) => {
-    setAllowAnonymousMetadata(target, propertyKey);
-  };
-};

package/src/guards.ts

@@ -1,58 +0,0 @@
-import { GuardLike, RouteExecutionContext } from "@xtaskjs/common";
-import { ForbiddenError } from "@xtaskjs/core";
-import { SecurityAuthenticationService } from "./authentication";
-import { SecurityAuthorizationService } from "./authorization";
-import { resolveSecurityMetadata } from "./metadata";
-
-const AUTHENTICATION_GUARD_STATE_KEY = "xtask:security:authentication-checked";
-const AUTHORIZATION_GUARD_STATE_KEY = "xtask:security:authorization-checked";
-
-const authenticationService = new SecurityAuthenticationService();
-const authorizationService = new SecurityAuthorizationService();
-
-export const authenticationGuard: GuardLike = {
-  async canActivate(context: RouteExecutionContext): Promise<boolean> {
-    if (context.state[AUTHENTICATION_GUARD_STATE_KEY]) {
-      return true;
-    }
-
-    const metadata = resolveSecurityMetadata(context.controller?.constructor, context.handler);
-    if (metadata.allowAnonymous) {
-      context.state[AUTHENTICATION_GUARD_STATE_KEY] = true;
-      return true;
-    }
-
-    await authenticationService.authenticate(context, metadata.strategies);
-    context.state[AUTHENTICATION_GUARD_STATE_KEY] = true;
-    return true;
-  },
-};
-
-export const authorizationGuard: GuardLike = {
-  async canActivate(context: RouteExecutionContext): Promise<boolean> {
-    if (context.state[AUTHORIZATION_GUARD_STATE_KEY]) {
-      return true;
-    }
-
-    const metadata = resolveSecurityMetadata(context.controller?.constructor, context.handler);
-    if (metadata.allowAnonymous || metadata.roles.length === 0) {
-      context.state[AUTHORIZATION_GUARD_STATE_KEY] = true;
-      return true;
-    }
-
-    if (!context.auth.isAuthenticated) {
-      await authenticationGuard.canActivate(context);
-    }
-
-    if (!authorizationService.isAuthorized(context.auth, metadata.roles, metadata.roleMode)) {
-      throw new ForbiddenError("Forbidden", {
-        message: "Forbidden",
-        requiredRoles: metadata.roles,
-        actualRoles: context.auth.roles,
-      });
-    }
-
-    context.state[AUTHORIZATION_GUARD_STATE_KEY] = true;
-    return true;
-  },
-};