@xtaskjs/security 1.0.0 → 1.0.2

package/src/strategies.ts

@@ -1,227 +0,0 @@
-import { createDecipheriv } from "crypto";
-import { Strategy as PassportStrategyBase } from "passport-strategy";
-import {
-  RegisteredJweSecurityStrategyOptions,
-  RegisteredSecurityStrategyOptions,
-  SecurityValidationContext,
-} from "./types";
-
-export const defaultBearerTokenExtractor = (request: any): string | null => {
-  const headerValue =
-    request?.headers?.authorization ||
-    request?.headers?.Authorization ||
-    request?.authorization;
-
-  if (typeof headerValue !== "string") {
-    return null;
-  }
-
-  const match = headerValue.match(/^Bearer\s+(.+)$/i);
-  return match?.[1] || null;
-};
-
-const decodeBase64Url = (value: string): Buffer => {
-  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = normalized.length % 4 === 0 ? "" : "=".repeat(4 - (normalized.length % 4));
-  return Buffer.from(`${normalized}${padding}`, "base64");
-};
-
-const decodeJsonSegment = (value: string): Record<string, any> => {
-  return ensureRecord(JSON.parse(decodeBase64Url(value).toString("utf-8")));
-};
-
-const normalizeDecryptionKey = (value: any): Buffer => {
-  if (Buffer.isBuffer(value)) {
-    return value;
-  }
-
-  if (value instanceof Uint8Array) {
-    return Buffer.from(value);
-  }
-
-  return Buffer.from(String(value), "utf-8");
-};
-
-const toUnixTime = (): number => Math.floor(Date.now() / 1000);
-
-const toClockToleranceSeconds = (value?: number | string): number => {
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return value;
-  }
-
-  if (typeof value === "string") {
-    const parsed = Number(value);
-    return Number.isFinite(parsed) ? parsed : 0;
-  }
-
-  return 0;
-};
-
-const normalizeAudience = (value: unknown): string[] => {
-  if (Array.isArray(value)) {
-    return value.map((item) => String(item));
-  }
-  if (typeof value === "string") {
-    return [value];
-  }
-  return [];
-};
-
-const validateJweClaims = (
-  payload: Record<string, any>,
-  definition: RegisteredJweSecurityStrategyOptions
-): void => {
-  const now = toUnixTime();
-  const clockTolerance = toClockToleranceSeconds(definition.clockTolerance);
-
-  if (typeof payload.exp === "number" && now - clockTolerance >= payload.exp) {
-    throw new Error("Token expired");
-  }
-
-  if (typeof payload.nbf === "number" && now + clockTolerance < payload.nbf) {
-    throw new Error("Token is not active yet");
-  }
-
-  if (definition.issuer) {
-    const expectedIssuers = Array.isArray(definition.issuer)
-      ? definition.issuer
-      : [definition.issuer];
-    if (!expectedIssuers.includes(String(payload.iss || ""))) {
-      throw new Error("Token issuer is not allowed");
-    }
-  }
-
-  if (definition.audience) {
-    const expectedAudiences = Array.isArray(definition.audience)
-      ? definition.audience
-      : [definition.audience];
-    const actualAudiences = normalizeAudience(payload.aud);
-    const hasAudience = expectedAudiences.some((audience) => actualAudiences.includes(audience));
-    if (!hasAudience) {
-      throw new Error("Token audience is not allowed");
-    }
-  }
-};
-
-const ensureRecord = (value: any): Record<string, any> => {
-  if (value && typeof value === "object" && !Array.isArray(value)) {
-    return value;
-  }
-  return {};
-};
-
-export const resolveValidatedUser = async (
-  definition: RegisteredSecurityStrategyOptions,
-  payload: Record<string, any>,
-  context: SecurityValidationContext
-): Promise<any | false> => {
-  if (!definition.validate) {
-    return payload;
-  }
-
-  return definition.validate(payload, context);
-};
-
-const toJweKey = async (definition: RegisteredJweSecurityStrategyOptions): Promise<any> => {
-  const key =
-    typeof definition.resolveDecryptionKey === "function"
-      ? await definition.resolveDecryptionKey()
-      : definition.decryptionKey;
-
-  if (typeof key === "string") {
-    return new TextEncoder().encode(key);
-  }
-
-  return key;
-};
-
-export class JweStrategy extends PassportStrategyBase {
-  declare public readonly name: string;
-  declare public success: (user: any, info?: any) => void;
-  declare public fail: (challenge?: any, status?: number) => void;
-  declare public error: (error: Error) => void;
-  declare public pass: () => void;
-  private readonly definition: RegisteredJweSecurityStrategyOptions;
-  private readonly resolveValidationContext?: () => Partial<SecurityValidationContext>;
-
-  constructor(
-    definition: RegisteredJweSecurityStrategyOptions,
-    resolveValidationContext?: () => Partial<SecurityValidationContext>
-  ) {
-    super();
-    this.definition = definition;
-    this.name = definition.name;
-    this.resolveValidationContext = resolveValidationContext;
-  }
-
-  authenticate(request: any): void {
-    void this.run(request);
-  }
-
-  private async run(request: any): Promise<void> {
-    const extractor = this.definition.jwtFromRequest || defaultBearerTokenExtractor;
-    const token = extractor(request);
-
-    if (!token) {
-      this.fail({ message: "Missing bearer token" }, 401);
-      return;
-    }
-
-    try {
-      const [protectedHeader, encryptedKey, iv, ciphertext, tag] = token.split(".");
-      if (!protectedHeader || encryptedKey === undefined || !iv || !ciphertext || !tag) {
-        throw new Error("Malformed JWE token");
-      }
-
-      const header = decodeJsonSegment(protectedHeader);
-      if (header.alg !== "dir") {
-        throw new Error(`Unsupported JWE alg '${String(header.alg || "")}'`);
-      }
-
-      if (header.enc !== "A256GCM") {
-        throw new Error(`Unsupported JWE enc '${String(header.enc || "")}'`);
-      }
-
-      if (encryptedKey.length > 0) {
-        throw new Error("Compact JWE with direct encryption must not include an encrypted key segment");
-      }
-
-      const key = normalizeDecryptionKey(await toJweKey(this.definition));
-      if (key.length !== 32) {
-        throw new Error("JWE decryption key must be 32 bytes for dir/A256GCM tokens");
-      }
-
-      const decipher = createDecipheriv("aes-256-gcm", key, decodeBase64Url(iv));
-      decipher.setAAD(Buffer.from(protectedHeader, "utf-8"));
-      decipher.setAuthTag(decodeBase64Url(tag));
-      const plaintext = Buffer.concat([
-        decipher.update(decodeBase64Url(ciphertext)),
-        decipher.final(),
-      ]);
-      const payload = ensureRecord(JSON.parse(plaintext.toString("utf-8")));
-      validateJweClaims(payload, this.definition);
-      const user = await resolveValidatedUser(this.definition, payload, {
-        ...this.resolveValidationContext?.(),
-        request,
-        token,
-        strategyName: this.definition.name,
-        kind: this.definition.kind,
-      });
-
-      if (!user) {
-        this.fail({ message: "Unauthorized", claims: payload }, 401);
-        return;
-      }
-
-      this.success(user, {
-        claims: payload,
-        protectedHeader: header,
-        strategy: this.definition.name,
-        kind: this.definition.kind,
-      });
-    } catch (error: any) {
-      const message = typeof error?.message === "string" ? error.message : "Unauthorized";
-      this.fail({ message }, 401);
-    }
-  }
-}

package/src/tokens.ts

@@ -1,16 +0,0 @@
-export const SECURITY_PASSPORT_TOKEN = "xtask:security:passport";
-export const SECURITY_LIFECYCLE_TOKEN = "xtask:security:lifecycle";
-export const SECURITY_AUTHENTICATION_SERVICE_TOKEN = "xtask:security:authentication-service";
-export const SECURITY_AUTHORIZATION_SERVICE_TOKEN = "xtask:security:authorization-service";
-
-export const getPassportToken = (): string => SECURITY_PASSPORT_TOKEN;
-
-export const getSecurityLifecycleToken = (): string => SECURITY_LIFECYCLE_TOKEN;
-
-export const getAuthenticationServiceToken = (): string => {
-  return SECURITY_AUTHENTICATION_SERVICE_TOKEN;
-};
-
-export const getAuthorizationServiceToken = (): string => {
-  return SECURITY_AUTHORIZATION_SERVICE_TOKEN;
-};

package/src/types.ts

@@ -1,94 +0,0 @@
-import type { Container } from "@xtaskjs/core";
-
-export type SecurityStrategyKind = "jwt" | "jwe";
-export type SecurityRoleMatchingMode = "any" | "all";
-export type SecurityTokenExtractor = (request: any) => string | null | undefined;
-export type SecurityRoleExtractor = (payload: Record<string, any>, user: any) => string[] | undefined;
-
-export interface SecurityValidationContext {
-  request: any;
-  response?: any;
-  token: string;
-  strategyName: string;
-  kind: SecurityStrategyKind;
-  container?: Container;
-}
-
-export type SecurityValidateFn = (
-  payload: Record<string, any>,
-  context: SecurityValidationContext
-) => any | false | Promise<any | false>;
-
-interface BaseSecurityStrategyOptions {
-  name?: string;
-  default?: boolean;
-  jwtFromRequest?: SecurityTokenExtractor;
-  extractRoles?: SecurityRoleExtractor;
-  validate?: SecurityValidateFn;
-}
-
-export interface JwtSecurityStrategyOptions extends BaseSecurityStrategyOptions {
-  kind?: "jwt";
-  secretOrKey?: any;
-  secretOrKeyProvider?: any;
-  issuer?: string | string[];
-  audience?: string | string[];
-  algorithms?: string[];
-  ignoreExpiration?: boolean;
-  jsonWebTokenOptions?: Record<string, any>;
-  passReqToCallback?: boolean;
-}
-
-export interface JweSecurityStrategyOptions extends BaseSecurityStrategyOptions {
-  kind?: "jwe";
-  decryptionKey?: any;
-  resolveDecryptionKey?: () => any | Promise<any>;
-  issuer?: string | string[];
-  audience?: string | string[];
-  clockTolerance?: number | string;
-}
-
-export type SecurityStrategyOptions = JwtSecurityStrategyOptions | JweSecurityStrategyOptions;
-
-export interface RegisteredJwtSecurityStrategyOptions extends JwtSecurityStrategyOptions {
-  kind: "jwt";
-  name: string;
-}
-
-export interface RegisteredJweSecurityStrategyOptions extends JweSecurityStrategyOptions {
-  kind: "jwe";
-  name: string;
-}
-
-export type RegisteredSecurityStrategyOptions =
-  | RegisteredJwtSecurityStrategyOptions
-  | RegisteredJweSecurityStrategyOptions;
-
-export interface ResolvedSecurityMetadata {
-  allowAnonymous: boolean;
-  strategies: string[];
-  roles: string[];
-  roleMode: SecurityRoleMatchingMode;
-}
-
-export interface AuthenticatedOptions {
-  strategies?: string | string[];
-}
-
-export interface RolesOptions {
-  roles: string[];
-  mode?: SecurityRoleMatchingMode;
-  strategies?: string | string[];
-}
-
-export interface SecurityAuthenticationResult {
-  success: boolean;
-  statusCode?: number;
-  challenge?: any;
-  strategy?: string;
-  token?: string;
-  user?: any;
-  claims?: Record<string, any>;
-  roles: string[];
-  info?: any;
-}

package/test/security.integration.test.ts

@@ -1,325 +0,0 @@
-import "reflect-metadata";
-import { createCipheriv, randomBytes } from "crypto";
-import { describe, beforeEach, afterEach, expect, test } from "@jest/globals";
-import { Controller, Get } from "@xtaskjs/common";
-import { ApplicationLifeCycle, Container, registerControllerRoutes } from "@xtaskjs/core";
-import {
-  AllowAnonymous,
-  Authenticated,
-  Auth,
-  InjectAuthenticationService,
-  Roles,
-  SecurityAuthenticationService,
-  clearRegisteredSecurityStrategies,
-  getAuthenticationServiceToken,
-  initializeSecurityIntegration,
-  registerJweStrategy,
-  registerJwtStrategy,
-  shutdownSecurityIntegration,
-} from "../src";
-
-const jwtSecret = new TextEncoder().encode("jwt-secret-for-tests-1234567890");
-const jweSecret = new TextEncoder().encode("0123456789abcdef0123456789abcdef");
-
-const encodeBase64Url = (value: Buffer | string): string => {
-  return Buffer.from(value)
-    .toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/g, "");
-};
-
-const createDirA256GcmJwe = (payload: Record<string, any>, key: Uint8Array): string => {
-  const protectedHeader = { alg: "dir", enc: "A256GCM" };
-  const protectedHeaderSegment = encodeBase64Url(JSON.stringify(protectedHeader));
-  const iv = randomBytes(12);
-  const cipher = createCipheriv("aes-256-gcm", Buffer.from(key), iv);
-  cipher.setAAD(Buffer.from(protectedHeaderSegment, "utf-8"));
-  const ciphertext = Buffer.concat([
-    cipher.update(Buffer.from(JSON.stringify(payload), "utf-8")),
-    cipher.final(),
-  ]);
-  const tag = cipher.getAuthTag();
-
-  return [
-    protectedHeaderSegment,
-    "",
-    encodeBase64Url(iv),
-    encodeBase64Url(ciphertext),
-    encodeBase64Url(tag),
-  ].join(".");
-};
-
-describe("@xtaskjs/security integration", () => {
-  beforeEach(async () => {
-    clearRegisteredSecurityStrategies();
-    await shutdownSecurityIntegration();
-  });
-
-  afterEach(async () => {
-    clearRegisteredSecurityStrategies();
-    await shutdownSecurityIntegration();
-  });
-
-  test("authenticates JWT requests and registers services in the container", async () => {
-    const jsonwebtoken = require("jsonwebtoken");
-
-    class UserDirectory {
-      private readonly users = new Map<string, { id: string; roles: string[]; active: boolean }>([
-        ["alice", { id: "alice", roles: ["admin"], active: true }],
-        ["blocked", { id: "blocked", roles: ["admin"], active: false }],
-      ]);
-
-      findActiveUser(id: string) {
-        const user = this.users.get(id);
-        if (!user || !user.active) {
-          return undefined;
-        }
-        return user;
-      }
-    }
-
-    registerJwtStrategy({
-      name: "default",
-      default: true,
-      secretOrKey: jwtSecret,
-      validate: async (payload, context) => {
-        if (payload.tenant !== "xtaskjs") {
-          return false;
-        }
-
-        const directory = context.container?.get(UserDirectory);
-        const user = directory?.findActiveUser(String(payload.sub || ""));
-        if (!user) {
-          return false;
-        }
-
-        return {
-          id: user.id,
-          sub: user.id,
-          roles: user.roles,
-          claims: payload,
-        };
-      },
-    });
-
-    const container = new Container();
-    container.register(UserDirectory, { scope: "singleton" });
-    await initializeSecurityIntegration(container);
-
-    class SecurityConsumer {
-      constructor(
-        @InjectAuthenticationService()
-        public readonly authentication: SecurityAuthenticationService
-      ) {}
-    }
-
-    container.register(SecurityConsumer, { scope: "singleton" });
-
-    const injected = container.get(SecurityConsumer);
-    const byName = container.getByName<SecurityAuthenticationService>(getAuthenticationServiceToken());
-
-    expect(injected.authentication).toBeInstanceOf(SecurityAuthenticationService);
-    expect(byName).toBeInstanceOf(SecurityAuthenticationService);
-
-    @Controller("secure")
-    class SecureController {
-      @Get("/profile")
-      @Authenticated()
-      @Roles("admin")
-      profile(req: any) {
-        return {
-          sub: req.user.sub,
-          roles: req.auth.roles,
-        };
-      }
-
-      @Get("/health")
-      @AllowAnonymous()
-      health() {
-        return { ok: true };
-      }
-    }
-
-    const token = jsonwebtoken.sign(
-      { sub: "alice", tenant: "xtaskjs", roles: ["admin"] },
-      Buffer.from(jwtSecret),
-      { algorithm: "HS256", expiresIn: "2h" }
-    );
-
-    const lifecycle = new ApplicationLifeCycle();
-    registerControllerRoutes(new SecureController(), lifecycle);
-
-    const request: any = { headers: { authorization: `Bearer ${token}` } };
-    const response: any = {};
-
-    const result = await lifecycle.dispatchControllerRoute(
-      "GET",
-      "/secure/profile",
-      request,
-      response
-    );
-
-    expect(result).toEqual({ sub: "alice", roles: ["admin"] });
-    expect(request.auth.isAuthenticated).toBe(true);
-    expect(request.auth.strategy).toBe("default");
-    expect(request.user.claims.tenant).toBe("xtaskjs");
-
-    const publicResult = await lifecycle.dispatchControllerRoute("GET", "/secure/health", {}, {});
-    expect(publicResult).toEqual({ ok: true });
-  });
-
-  test("uses validate callbacks for DI-backed user lookup and claim validation", async () => {
-    const jsonwebtoken = require("jsonwebtoken");
-
-    class AccountService {
-      private readonly accounts = new Map<string, { id: string; roles: string[]; active: boolean }>([
-        ["sarah", { id: "sarah", roles: ["editor"], active: true }],
-      ]);
-
-      findById(id: string) {
-        return this.accounts.get(id);
-      }
-    }
-
-    registerJwtStrategy({
-      name: "lookup",
-      default: true,
-      secretOrKey: jwtSecret,
-      validate: async (payload, context) => {
-        if (payload.tenant !== "docs") {
-          return false;
-        }
-
-        const service = context.container?.get(AccountService);
-        const account = service?.findById(String(payload.sub || ""));
-        if (!account || !account.active) {
-          return false;
-        }
-
-        return {
-          sub: account.id,
-          roles: account.roles,
-          claims: payload,
-        };
-      },
-    });
-
-    const container = new Container();
-    container.register(AccountService, { scope: "singleton" });
-    await initializeSecurityIntegration(container);
-
-    @Controller("docs")
-    class DocsController {
-      @Get("/me")
-      @Authenticated("lookup")
-      @Roles("editor")
-      me(req: any) {
-        return {
-          user: req.user.sub,
-          tenant: req.user.claims.tenant,
-        };
-      }
-    }
-
-    const validToken = jsonwebtoken.sign(
-      { sub: "sarah", tenant: "docs" },
-      Buffer.from(jwtSecret),
-      { algorithm: "HS256", expiresIn: "2h" }
-    );
-    const invalidTenantToken = jsonwebtoken.sign(
-      { sub: "sarah", tenant: "other" },
-      Buffer.from(jwtSecret),
-      { algorithm: "HS256", expiresIn: "2h" }
-    );
-
-    const lifecycle = new ApplicationLifeCycle();
-    registerControllerRoutes(new DocsController(), lifecycle);
-
-    await expect(
-      lifecycle.dispatchControllerRoute(
-        "GET",
-        "/docs/me",
-        { headers: { authorization: `Bearer ${invalidTenantToken}` } },
-        {}
-      )
-    ).rejects.toMatchObject({ statusCode: 401 });
-
-    const result = await lifecycle.dispatchControllerRoute(
-      "GET",
-      "/docs/me",
-      { headers: { authorization: `Bearer ${validToken}` } },
-      {}
-    );
-
-    expect(result).toEqual({ user: "sarah", tenant: "docs" });
-  });
-
-  test("authenticates JWE requests and rejects missing roles", async () => {
-    registerJweStrategy({
-      name: "encrypted",
-      default: true,
-      decryptionKey: jweSecret,
-    });
-
-    await initializeSecurityIntegration();
-
-    @Controller("reports")
-    class ReportsController {
-      @Get("/admin")
-      @Auth("encrypted")
-      @Roles({ roles: ["admin"], mode: "all" })
-      admin(req: any) {
-        return { user: req.user.sub };
-      }
-    }
-
-    const token = createDirA256GcmJwe(
-      {
-        sub: "bob",
-        roles: ["viewer"],
-        iat: Math.floor(Date.now() / 1000),
-        exp: Math.floor(Date.now() / 1000) + 60 * 60,
-      },
-      jweSecret
-    );
-
-    const lifecycle = new ApplicationLifeCycle();
-    registerControllerRoutes(new ReportsController(), lifecycle);
-
-    await expect(
-      lifecycle.dispatchControllerRoute(
-        "GET",
-        "/reports/admin",
-        { headers: { authorization: `Bearer ${token}` } },
-        {}
-      )
-    ).rejects.toMatchObject({ statusCode: 403 });
-  });
-
-  test("rejects requests without credentials", async () => {
-    registerJwtStrategy({
-      name: "default",
-      default: true,
-      secretOrKey: jwtSecret,
-    });
-
-    await initializeSecurityIntegration();
-
-    @Controller("users")
-    class UsersController {
-      @Get("/me")
-      @Authenticated()
-      me() {
-        return { ok: true };
-      }
-    }
-
-    const lifecycle = new ApplicationLifeCycle();
-    registerControllerRoutes(new UsersController(), lifecycle);
-
-    await expect(lifecycle.dispatchControllerRoute("GET", "/users/me", {}, {})).rejects.toMatchObject({
-      statusCode: 401,
-    });
-  });
-});

package/tsconfig.json

@@ -1,21 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2021",
-    "module": "commonjs",
-    "rootDir": "./src",
-    "outDir": "dist",
-    "esModuleInterop": true,
-    "experimentalDecorators": true,
-    "emitDecoratorMetadata": true,
-    "baseUrl": ".",
-    "paths": {
-      "@xtaskjs/common": ["../../dist/packages/common"],
-      "@xtaskjs/common/*": ["../../dist/packages/common/*"],
-      "@xtaskjs/core": ["../../dist/packages/core"],
-      "@xtaskjs/core/*": ["../../dist/packages/core/*"]
-    },
-    "declaration": true
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules", "dist"]
-}

package/tsconfig.test.json

@@ -1,17 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2021",
-    "module": "commonjs",
-    "esModuleInterop": true,
-    "experimentalDecorators": true,
-    "emitDecoratorMetadata": true,
-    "baseUrl": ".",
-    "paths": {
-      "@xtaskjs/common": ["../common/src"],
-      "@xtaskjs/common/*": ["../common/src/*"],
-      "@xtaskjs/core": ["../core/src"],
-      "@xtaskjs/core/*": ["../core/src/*"]
-    }
-  },
-  "include": ["src/**/*", "test/**/*", "../common/src/**/*", "../core/src/**/*"]
-}