alepha 0.14.3 → 0.15.0
- package/README.md +2 -5
- package/dist/api/audits/index.d.ts +620 -811
- package/dist/api/audits/index.d.ts.map +1 -1
- package/dist/api/files/index.d.ts +185 -377
- package/dist/api/files/index.d.ts.map +1 -1
- package/dist/api/files/index.js +0 -1
- package/dist/api/files/index.js.map +1 -1
- package/dist/api/jobs/index.d.ts +245 -435
- package/dist/api/jobs/index.d.ts.map +1 -1
- package/dist/api/notifications/index.d.ts +238 -429
- package/dist/api/notifications/index.d.ts.map +1 -1
- package/dist/api/parameters/index.d.ts +236 -427
- package/dist/api/parameters/index.d.ts.map +1 -1
- package/dist/api/users/index.browser.js +1 -2
- package/dist/api/users/index.browser.js.map +1 -1
- package/dist/api/users/index.d.ts +1010 -1196
- package/dist/api/users/index.d.ts.map +1 -1
- package/dist/api/users/index.js +178 -151
- package/dist/api/users/index.js.map +1 -1
- package/dist/api/verifications/index.d.ts +17 -17
- package/dist/api/verifications/index.d.ts.map +1 -1
- package/dist/batch/index.d.ts +122 -122
- package/dist/batch/index.d.ts.map +1 -1
- package/dist/batch/index.js +1 -2
- package/dist/batch/index.js.map +1 -1
- package/dist/bucket/index.d.ts +163 -163
- package/dist/bucket/index.d.ts.map +1 -1
- package/dist/cache/core/index.d.ts +46 -46
- package/dist/cache/core/index.d.ts.map +1 -1
- package/dist/cache/redis/index.d.ts.map +1 -1
- package/dist/cli/index.d.ts +384 -285
- package/dist/cli/index.d.ts.map +1 -1
- package/dist/cli/index.js +1113 -623
- package/dist/cli/index.js.map +1 -1
- package/dist/command/index.d.ts +299 -300
- package/dist/command/index.d.ts.map +1 -1
- package/dist/command/index.js +13 -9
- package/dist/command/index.js.map +1 -1
- package/dist/core/index.browser.js +445 -103
- package/dist/core/index.browser.js.map +1 -1
- package/dist/core/index.d.ts +733 -625
- package/dist/core/index.d.ts.map +1 -1
- package/dist/core/index.js +446 -103
- package/dist/core/index.js.map +1 -1
- package/dist/core/index.native.js +445 -103
- package/dist/core/index.native.js.map +1 -1
- package/dist/datetime/index.d.ts +44 -44
- package/dist/datetime/index.d.ts.map +1 -1
- package/dist/datetime/index.js +4 -4
- package/dist/datetime/index.js.map +1 -1
- package/dist/email/index.d.ts +97 -50
- package/dist/email/index.d.ts.map +1 -1
- package/dist/email/index.js +129 -33
- package/dist/email/index.js.map +1 -1
- package/dist/fake/index.d.ts +7981 -14
- package/dist/fake/index.d.ts.map +1 -1
- package/dist/file/index.d.ts +523 -390
- package/dist/file/index.d.ts.map +1 -1
- package/dist/file/index.js +253 -1
- package/dist/file/index.js.map +1 -1
- package/dist/lock/core/index.d.ts +208 -208
- package/dist/lock/core/index.d.ts.map +1 -1
- package/dist/lock/redis/index.d.ts.map +1 -1
- package/dist/logger/index.d.ts +25 -26
- package/dist/logger/index.d.ts.map +1 -1
- package/dist/logger/index.js +12 -2
- package/dist/logger/index.js.map +1 -1
- package/dist/mcp/index.d.ts +197 -197
- package/dist/mcp/index.d.ts.map +1 -1
- package/dist/mcp/index.js +1 -1
- package/dist/mcp/index.js.map +1 -1
- package/dist/orm/chunk-DtkW-qnP.js +38 -0
- package/dist/orm/index.browser.js.map +1 -1
- package/dist/orm/index.bun.js +2814 -0
- package/dist/orm/index.bun.js.map +1 -0
- package/dist/orm/index.d.ts +1228 -1216
- package/dist/orm/index.d.ts.map +1 -1
- package/dist/orm/index.js +2041 -1967
- package/dist/orm/index.js.map +1 -1
- package/dist/queue/core/index.d.ts +248 -248
- package/dist/queue/core/index.d.ts.map +1 -1
- package/dist/queue/redis/index.d.ts.map +1 -1
- package/dist/redis/index.bun.js +285 -0
- package/dist/redis/index.bun.js.map +1 -0
- package/dist/redis/index.d.ts +118 -136
- package/dist/redis/index.d.ts.map +1 -1
- package/dist/redis/index.js +18 -38
- package/dist/redis/index.js.map +1 -1
- package/dist/retry/index.d.ts +69 -69
- package/dist/retry/index.d.ts.map +1 -1
- package/dist/router/index.d.ts +6 -6
- package/dist/router/index.d.ts.map +1 -1
- package/dist/scheduler/index.d.ts +25 -25
- package/dist/scheduler/index.d.ts.map +1 -1
- package/dist/security/index.browser.js +5 -1
- package/dist/security/index.browser.js.map +1 -1
- package/dist/security/index.d.ts +417 -254
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js +386 -86
- package/dist/security/index.js.map +1 -1
- package/dist/server/auth/index.d.ts +110 -110
- package/dist/server/auth/index.d.ts.map +1 -1
- package/dist/server/auth/index.js +20 -20
- package/dist/server/auth/index.js.map +1 -1
- package/dist/server/cache/index.d.ts +62 -47
- package/dist/server/cache/index.d.ts.map +1 -1
- package/dist/server/cache/index.js +56 -3
- package/dist/server/cache/index.js.map +1 -1
- package/dist/server/compress/index.d.ts +6 -0
- package/dist/server/compress/index.d.ts.map +1 -1
- package/dist/server/compress/index.js +36 -1
- package/dist/server/compress/index.js.map +1 -1
- package/dist/server/cookies/index.d.ts +6 -6
- package/dist/server/cookies/index.d.ts.map +1 -1
- package/dist/server/cookies/index.js +3 -3
- package/dist/server/cookies/index.js.map +1 -1
- package/dist/server/core/index.browser.js +2 -2
- package/dist/server/core/index.browser.js.map +1 -1
- package/dist/server/core/index.d.ts +242 -150
- package/dist/server/core/index.d.ts.map +1 -1
- package/dist/server/core/index.js +294 -125
- package/dist/server/core/index.js.map +1 -1
- package/dist/server/cors/index.d.ts +11 -12
- package/dist/server/cors/index.d.ts.map +1 -1
- package/dist/server/health/index.d.ts +0 -1
- package/dist/server/health/index.d.ts.map +1 -1
- package/dist/server/helmet/index.d.ts +2 -2
- package/dist/server/helmet/index.d.ts.map +1 -1
- package/dist/server/links/index.browser.js.map +1 -1
- package/dist/server/links/index.d.ts +123 -124
- package/dist/server/links/index.d.ts.map +1 -1
- package/dist/server/links/index.js +1 -2
- package/dist/server/links/index.js.map +1 -1
- package/dist/server/metrics/index.d.ts.map +1 -1
- package/dist/server/multipart/index.d.ts +6 -6
- package/dist/server/multipart/index.d.ts.map +1 -1
- package/dist/server/proxy/index.d.ts +102 -103
- package/dist/server/proxy/index.d.ts.map +1 -1
- package/dist/server/rate-limit/index.d.ts +16 -16
- package/dist/server/rate-limit/index.d.ts.map +1 -1
- package/dist/server/static/index.d.ts +44 -44
- package/dist/server/static/index.d.ts.map +1 -1
- package/dist/server/static/index.js +4 -0
- package/dist/server/static/index.js.map +1 -1
- package/dist/server/swagger/index.d.ts +48 -49
- package/dist/server/swagger/index.d.ts.map +1 -1
- package/dist/server/swagger/index.js +3 -5
- package/dist/server/swagger/index.js.map +1 -1
- package/dist/sms/index.d.ts +13 -11
- package/dist/sms/index.d.ts.map +1 -1
- package/dist/sms/index.js +7 -7
- package/dist/sms/index.js.map +1 -1
- package/dist/thread/index.d.ts +71 -72
- package/dist/thread/index.d.ts.map +1 -1
- package/dist/topic/core/index.d.ts +318 -318
- package/dist/topic/core/index.d.ts.map +1 -1
- package/dist/topic/redis/index.d.ts +6 -6
- package/dist/topic/redis/index.d.ts.map +1 -1
- package/dist/vite/index.d.ts +5805 -249
- package/dist/vite/index.d.ts.map +1 -1
- package/dist/vite/index.js +599 -513
- package/dist/vite/index.js.map +1 -1
- package/dist/websocket/index.browser.js +6 -6
- package/dist/websocket/index.browser.js.map +1 -1
- package/dist/websocket/index.d.ts +247 -247
- package/dist/websocket/index.d.ts.map +1 -1
- package/dist/websocket/index.js +6 -6
- package/dist/websocket/index.js.map +1 -1
- package/package.json +9 -14
- package/src/api/files/controllers/AdminFileStatsController.ts +0 -1
- package/src/api/users/atoms/realmAuthSettingsAtom.ts +5 -0
- package/src/api/users/controllers/{UserRealmController.ts → RealmController.ts} +11 -11
- package/src/api/users/entities/users.ts +1 -1
- package/src/api/users/index.ts +8 -8
- package/src/api/users/primitives/{$userRealm.ts → $realm.ts} +17 -19
- package/src/api/users/providers/{UserRealmProvider.ts → RealmProvider.ts} +26 -30
- package/src/api/users/schemas/{userRealmConfigSchema.ts → realmConfigSchema.ts} +2 -2
- package/src/api/users/services/CredentialService.ts +7 -7
- package/src/api/users/services/IdentityService.ts +4 -4
- package/src/api/users/services/RegistrationService.spec.ts +25 -27
- package/src/api/users/services/RegistrationService.ts +38 -27
- package/src/api/users/services/SessionCrudService.ts +3 -3
- package/src/api/users/services/SessionService.spec.ts +3 -3
- package/src/api/users/services/SessionService.ts +28 -9
- package/src/api/users/services/UserService.ts +7 -7
- package/src/batch/providers/BatchProvider.ts +1 -2
- package/src/cli/apps/AlephaCli.ts +0 -2
- package/src/cli/apps/AlephaPackageBuilderCli.ts +38 -19
- package/src/cli/assets/apiHelloControllerTs.ts +18 -0
- package/src/cli/assets/apiIndexTs.ts +16 -0
- package/src/cli/assets/claudeMd.ts +303 -0
- package/src/cli/assets/mainBrowserTs.ts +2 -2
- package/src/cli/assets/mainServerTs.ts +24 -0
- package/src/cli/assets/webAppRouterTs.ts +15 -0
- package/src/cli/assets/webHelloComponentTsx.ts +16 -0
- package/src/cli/assets/webIndexTs.ts +16 -0
- package/src/cli/atoms/buildOptions.ts +88 -0
- package/src/cli/commands/build.ts +70 -87
- package/src/cli/commands/db.ts +21 -22
- package/src/cli/commands/deploy.ts +17 -5
- package/src/cli/commands/dev.ts +22 -14
- package/src/cli/commands/format.ts +8 -2
- package/src/cli/commands/gen/env.ts +53 -0
- package/src/cli/commands/gen/openapi.ts +1 -1
- package/src/cli/commands/gen/resource.ts +15 -0
- package/src/cli/commands/gen.ts +7 -1
- package/src/cli/commands/init.ts +74 -30
- package/src/cli/commands/lint.ts +8 -2
- package/src/cli/commands/test.ts +8 -3
- package/src/cli/commands/typecheck.ts +5 -1
- package/src/cli/commands/verify.ts +5 -3
- package/src/cli/defineConfig.ts +49 -7
- package/src/cli/index.ts +0 -1
- package/src/cli/services/AlephaCliUtils.ts +39 -589
- package/src/cli/services/PackageManagerUtils.ts +301 -0
- package/src/cli/services/ProjectScaffolder.ts +306 -0
- package/src/command/helpers/Runner.spec.ts +2 -2
- package/src/command/helpers/Runner.ts +16 -4
- package/src/command/primitives/$command.ts +0 -6
- package/src/command/providers/CliProvider.ts +1 -3
- package/src/core/Alepha.ts +42 -0
- package/src/core/__tests__/Alepha-graph.spec.ts +4 -0
- package/src/core/index.shared.ts +1 -0
- package/src/core/index.ts +2 -0
- package/src/core/primitives/$hook.ts +6 -2
- package/src/core/primitives/$module.spec.ts +4 -0
- package/src/core/providers/AlsProvider.ts +1 -1
- package/src/core/providers/CodecManager.spec.ts +12 -6
- package/src/core/providers/CodecManager.ts +26 -6
- package/src/core/providers/EventManager.ts +169 -13
- package/src/core/providers/KeylessJsonSchemaCodec.spec.ts +621 -0
- package/src/core/providers/KeylessJsonSchemaCodec.ts +407 -0
- package/src/core/providers/StateManager.spec.ts +27 -16
- package/src/email/providers/LocalEmailProvider.spec.ts +111 -87
- package/src/email/providers/LocalEmailProvider.ts +52 -15
- package/src/email/providers/NodemailerEmailProvider.ts +167 -56
- package/src/file/errors/FileError.ts +7 -0
- package/src/file/index.ts +9 -1
- package/src/file/providers/MemoryFileSystemProvider.ts +393 -0
- package/src/logger/index.ts +15 -3
- package/src/mcp/transports/StdioMcpTransport.ts +1 -1
- package/src/orm/index.browser.ts +1 -19
- package/src/orm/index.bun.ts +77 -0
- package/src/orm/index.shared-server.ts +22 -0
- package/src/orm/index.shared.ts +15 -0
- package/src/orm/index.ts +13 -39
- package/src/orm/providers/drivers/BunPostgresProvider.ts +3 -5
- package/src/orm/providers/drivers/BunSqliteProvider.ts +1 -1
- package/src/orm/providers/drivers/CloudflareD1Provider.ts +4 -0
- package/src/orm/providers/drivers/DatabaseProvider.ts +4 -0
- package/src/orm/providers/drivers/PglitePostgresProvider.ts +4 -0
- package/src/orm/services/Repository.ts +8 -0
- package/src/queue/core/providers/WorkerProvider.spec.ts +48 -32
- package/src/redis/index.bun.ts +35 -0
- package/src/redis/providers/BunRedisProvider.ts +12 -43
- package/src/redis/providers/BunRedisSubscriberProvider.ts +2 -3
- package/src/redis/providers/NodeRedisProvider.ts +16 -34
- package/src/{server/security → security}/__tests__/BasicAuth.spec.ts +11 -11
- package/src/{server/security → security}/__tests__/ServerSecurityProvider-realm.spec.ts +21 -16
- package/src/{server/security/providers → security/__tests__}/ServerSecurityProvider.spec.ts +5 -5
- package/src/security/index.browser.ts +5 -0
- package/src/security/index.ts +90 -7
- package/src/security/primitives/{$realm.spec.ts → $issuer.spec.ts} +11 -11
- package/src/security/primitives/{$realm.ts → $issuer.ts} +20 -17
- package/src/security/primitives/$role.ts +5 -5
- package/src/security/primitives/$serviceAccount.spec.ts +5 -5
- package/src/security/primitives/$serviceAccount.ts +3 -3
- package/src/{server/security → security}/providers/ServerSecurityProvider.ts +5 -7
- package/src/server/auth/primitives/$auth.ts +10 -10
- package/src/server/auth/primitives/$authCredentials.ts +3 -3
- package/src/server/auth/primitives/$authGithub.ts +3 -3
- package/src/server/auth/primitives/$authGoogle.ts +3 -3
- package/src/server/auth/providers/ServerAuthProvider.ts +13 -13
- package/src/server/cache/providers/ServerCacheProvider.spec.ts +183 -0
- package/src/server/cache/providers/ServerCacheProvider.ts +95 -10
- package/src/server/compress/providers/ServerCompressProvider.ts +61 -2
- package/src/server/cookies/providers/ServerCookiesProvider.ts +3 -3
- package/src/server/core/helpers/ServerReply.ts +2 -2
- package/src/server/core/providers/NodeHttpServerProvider.ts +25 -6
- package/src/server/core/providers/ServerBodyParserProvider.ts +19 -23
- package/src/server/core/providers/ServerLoggerProvider.ts +23 -19
- package/src/server/core/providers/ServerProvider.ts +155 -22
- package/src/server/core/providers/ServerRouterProvider.ts +259 -115
- package/src/server/core/providers/ServerTimingProvider.ts +2 -2
- package/src/server/links/index.ts +1 -1
- package/src/server/links/providers/LinkProvider.ts +1 -1
- package/src/server/static/providers/ServerStaticProvider.ts +10 -0
- package/src/server/swagger/index.ts +1 -1
- package/src/server/swagger/providers/ServerSwaggerProvider.ts +5 -8
- package/src/sms/providers/LocalSmsProvider.spec.ts +153 -111
- package/src/sms/providers/LocalSmsProvider.ts +8 -7
- package/src/vite/helpers/boot.ts +28 -17
- package/src/vite/helpers/importViteReact.ts +13 -0
- package/src/vite/index.ts +1 -21
- package/src/vite/plugins/viteAlephaDev.ts +16 -1
- package/src/vite/plugins/viteAlephaSsrPreload.ts +222 -0
- package/src/vite/tasks/buildClient.ts +11 -0
- package/src/vite/tasks/buildServer.ts +59 -4
- package/src/vite/tasks/devServer.ts +71 -0
- package/src/vite/tasks/generateCloudflare.ts +7 -0
- package/src/vite/tasks/index.ts +2 -1
- package/dist/server/security/index.browser.js +0 -13
- package/dist/server/security/index.browser.js.map +0 -1
- package/dist/server/security/index.d.ts +0 -173
- package/dist/server/security/index.d.ts.map +0 -1
- package/dist/server/security/index.js +0 -311
- package/dist/server/security/index.js.map +0 -1
- package/src/cli/assets/appRouterTs.ts +0 -9
- package/src/cli/assets/mainTs.ts +0 -13
- package/src/cli/assets/viteConfigTs.ts +0 -14
- package/src/cli/commands/run.ts +0 -24
- package/src/server/security/index.browser.ts +0 -10
- package/src/server/security/index.ts +0 -94
- package/src/vite/plugins/viteAlepha.ts +0 -37
- package/src/vite/plugins/viteAlephaBuild.ts +0 -281
- /package/src/{server/security → security}/primitives/$basicAuth.ts +0 -0
- /package/src/{server/security → security}/providers/ServerBasicAuthProvider.ts +0 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/
|
|
1
|
+
{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/providers/ServerBasicAuthProvider.ts","../../src/security/primitives/$basicAuth.ts","../../src/security/providers/JwtProvider.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/index.ts"],"mappings":";;;;;;;;;cAGa,qBAAA,UAAqB,OAAA;EAAA,EAAA,EAiDhC,OAAA,CAAA,OAAA;EAAA,IAAA;;;;;;;;KAEU,WAAA,GAAc,MAAA,QAAc,qBAAA;;;;AChDxC;;;UAAiB,gBAAA,SAAyB,WAAA;EAAA;;;EAAA,KAAA;EAAA;;;EAAA,KAAA;EAAA;;;;EAAA,SAAA;AAAA;;;;ACE1C;;;;ACRA;cDQa,uBAAA,SAAgC,iBAAA;EAAA,SAAA,IAAA;EAAA,YAAA;AAAA;;;cCRhC,sBAAA,SAA+B,KAAA;EAAA,YAAA,IAAA;AAAA;;;cCA/B,aAAA,SAAsB,KAAA;EAAA,IAAA;EAAA,SAAA,MAAA;AAAA;;;UCWlB,gBAAA;EAAA,QAAA;EAAA,QAAA;AAAA;AAAA,UAKA,wBAAA,SAAiC,gBAAA;EAAA;EAAA,IAAA;EAAA;EAAA,KAAA;AAAA;AAAA,cASrC,uBAAA;EAAA,mBAAA,MAAA,EACc,MAAA;EAAA,mBAAA,GAAA,EAAA,cAAA,CACH,MAAA;EAAA,mBAAA,cAAA,EACW,oBAAA;EAAA,mBAAA,KAAA;EAAA;;;EAAA,SAAA,eAAA,EAMA,wBAAA;EAAA;;;EAAA,aAAA,MAAA,EAKL,wBAAA;EAAA,SAAA,OAAA,EAAwB,OAAA,CAI7B,aAAA;EAAA;;;EAAA,SAAA,SAAA,EAAA,OAAA,CA8BE,aAAA;EAAA;;;EAAA,SAAA,eAAA,EAAA,OAAA,CAiBM,aAAA;EAAA;;;EAAA,UAAA,OAAA,EAaL,aAAA,EAAA,OAAA,EAAwB,gBAAA;EAAA;;;;EAAA,UAAA,0BAAA,aAAA,UAAA,aAAA,UAAA,gBAAA,UAAA,gBAAA;EAAA;;;;EAAA,UAAA,YAAA,KAAA,EAyErB,MAAA,EAAA,QAAA,EAAkB,MAAA;EAAA;;;EAAA,UAAA,iBAAA,OAAA,EAeX,aAAA;AAAA;AAAA,cAKzB,WAAA,GAAA,KAAA,cAAA,KAAA;EAAA,KAAA,EAEQ,gBAAA;
AAAA;;;;AC1LrB;;;cAAa,UAAA;EAAA,CAAA,OAAA,EACF,wBAAA,GACR,0BAAA;EAAA;;UAMc,0BAAA;EAAA,SAAA,IAAA;EAAA,SAAA,OAAA,EAEG,wBAAA;EAAA,KAAA,CAAA,OAAA,EACH,aAAA,EAAA,OAAA,GAAyB,gBAAA;AAAA;AAAA,cAG7B,kBAAA,SACH,SAAA,CAAU,wBAAA,aACP,0BAAA;EAAA,mBAAA,uBAAA,EAE+B,uBAAA;EAAA,IAAA,KAAA;EAAA,UAAA,OAAA;EAAA;;;EAAA,MAAA,OAAA,EAcpB,aAAA,EAAA,OAAA,GAAyB,gBAAA;AAAA;;;;ACnBjD;;cAAa,WAAA;EAAA,mBAAA,GAAA,EAAW,cAAA,CACA,MAAA;EAAA,mBAAA,QAAA,EACO,eAAA;EAAA,mBAAA,gBAAA,EACM,gBAAA;EAAA,mBAAA,OAAA,EACT,WAAA;EAAA;;;;;;EAAA,aAAA,IAAA,UAAA,eAAA,WAQkC,aAAA;EAAA;;;;;;;EAAA,MAAA,KAAA,UAAA,OAAA,WAAA,OAAA,GAwChD,gBAAA,GACT,OAAA,CAAQ,cAAA;EAAA;;;;;;AA0Fb;;;EA1Fa,OAAA,OAAA,EAyDA,kBAAA,EAAA,OAAA,WAAA,WAAA,GAEK,cAAA,GACb,OAAA;EAAA;;AA8BL;;;;EA9BK,UAAA,YAAA,GAAA;AAAA;AAAA,KA8BO,SAAA,IAAA,eAAA,GACQ,mBAAA,EAAA,KAAA,GACV,iBAAA,KACL,OAAA,CAAQ,SAAA,GAAY,SAAA;AAAA,UAER,eAAA;EAAA,IAAA;EAAA,SAAA,EAEJ,SAAA;EAAA,SAAA;AAAA;AAAA,UAII,cAAA;EAAA,MAAA,GACN,OAAA,CAAQ,mBAAA;AAAA;AAAA,UAGF,kBAAA,SAA2B,UAAA;EAAA,GAAA;EAAA,IAAA;EAAA,KAAA;EAAA,KAAA;EAAA,aAAA;EAAA,YAAA;IAAA,KAAA;EAAA;AAAA;AAAA,UAW3B,cAAA;EAAA,OAAA;EAAA,MAAA,EAEP,eAAA,CAAgB,kBAAA;AAAA;;;cCjMb,gBAAA,UAAgB,OAAA;EAAA,IAAA,EA8B3B,OAAA,CAAA,OAAA;EAAA,KAAA;;;;;KAEU,UAAA,GAAa,MAAA,QAAc,gBAAA;;;cChC1B,UAAA,UAAU,OAAA;EAAA,IAAA,EAqCrB,OAAA,CAAA,OAAA;EAAA,WAAA;;;;;;;;KAEU,IAAA,GAAO,MAAA,QAAc,UAAA;;;cCnBpB,kBAAA;AAAA,cAEP,SAAA,EAIJ,OAAA,CAJa,OAAA;EAAA,UAAA,EAIb,OAAA,CAAA,OAAA;AAAA;AAAA;EAAA,UAAA,GAAA,SAGsB,OAAA,CAAQ,MAAA,QAAc,SAAA;AAAA;AAAA,cAGjC,gBAAA;EAAA,mBAAA,iBAAA;EAAA,mBAAA,iBAAA,EAEyB,MAAA;EAAA,mBAAA,0BAAA,EACS,MAAA;EAAA,mBAAA,GAAA,EAAA,cAAA,CAGvB,MAAA;EAAA,mBAAA,GAAA,EACA,WAAA;EAAA,mBAAA,GAAA;IAAA,UAAA;EAAA;EAAA,mBAAA,MAAA,EAEG,MAAA;EAAA,IAAA,UAAA;EAAA;;;EAAA,mBAAA,WAAA,EASO,UAAA;EAAA;;;EAAA,mBAAA,MAAA,EAKL,KAAA;EAAA,UAAA,KAAA,EAAK,OAAA,CAmBjB,aAAA;EAAA;;;;;;EAAA,WAAA,IAAA,EAyBS,IAAA,KAAA,MAAA,aAA4B,IAAA;EAAA;;;;;EAAA,iBAAA,GAAA,EAgEvB,UAAA,YAAsB,UAAA;EAAA,YAAA,KAAA,EA+DzB,KAAA;EAAA;;;;;;;;EAAA,YAAA,KAAA,UAAA,KAAA,EAiBqB,IAAA,KAAS,OAAA;EAAA;;;;;;;;EAAA,sBAAA,OAAA,EAw
B7C,UAAA,EAAA,SAAA,YAER,WAAA;EAAA;;;;;;;;EAAA,gBAAA,cAAA,WA4CwB,UAAA,KAAA,WAAA,aAExB,mBAAA;EAAA;;;EAAA,oBAAA,aAAA,WAAA,OAAA;IAAA,UAAA,GA2Fc,UAAA;IAAA,KAAA;IAAA,MAAA,GAEJ,gBAAA;EAAA,IAEV,OAAA,CAAQ,gBAAA;EAAA;;;;;;;EAAA,IAAA,QAAA,UAAA,UAAA,WA2DuC,UAAA;EAAA;;;EAAA,UAAA,QAAA,UAAA,UAAA,WAS3B,UAAA;EAAA;;;;;EAAA,mBAAA,UAAA,EAUe,UAAA;EAAA,UAAA,GAmBlB,KAAA;EAAA;;;;;EAAA,SAAA,KAAA,YASa,IAAA;EAAA;;;;;;;EAAA,eAAA,IAAA;IAAA,KAAA,GAgBvB,KAAA,CAAM,IAAA;IAAA,KAAA;EAAA,IAEZ,UAAA;EAAA;;;;;;EAAA,iBAAA,OAAA,EA+F6B,MAAA;EAAA,wBAAA,OAAA,EAiBtB,MAAA;EAAA;;;;;EAAA,oBAAA,OAAA,EAeyB,MAAA;EAAA,sBAAA,OAAA,EAKzB,MAAA;EAAA,uBAAA,OAAA,EAsBA,MAAA;EAAA,oBAAA,OAAA,EAiByB,MAAA;EAAA;;;;AA4DtC;;EA5DsC,mBAAA,OAAA,EAkBD,MAAA;EAAA,4BAAA,OAAA,EAoBxB,MAAA;AAAA;AAAA;;AAsBb;AAtBa,UAsBI,KAAA;EAAA,IAAA;EAAA,KAAA,EAGR,IAAA;EAAA;;;;;EAAA,MAAA,YAOW,aAAA;EAAA;;;;EAAA,OAAA,IAAA,GAAA,EAMF,MAAA,kBAAwB,WAAA;AAAA;AAAA,UAGzB,mBAAA;EAAA,YAAA;EAAA,SAAA;AAAA;;;;AC/vBjB;;;;;cAAa,OAAA;EAAA,CAAA,OAAA,EAAoB,sBAAA,GAAyB,eAAA;EAAA;;KAM9C,sBAAA;EAAA;;;;EAAA,IAAA;EAAA;;;EAAA,WAAA;EAAA;;;EAAA,KAAA,GAeF,KAAA,UAAe,IAAA;EAAA;;;EAAA,QAAA,GAKZ,cAAA;EAAA;;;EAAA,OAAA,IAAA,UAAA,EAKY,MAAA,kBAAwB,WAAA;AAAA,KAC5C,cAAA,GAAiB,cAAA;AAAA,UAEL,cAAA;EAAA,WAAA;IAAA;;;;IAAA,UAAA,GAMA,YAAA;EAAA;EAAA,YAAA;IAAA;;;;IAAA,UAAA,GAQA,YAAA;EAAA;EAAA,eAAA,IAAA,IAAA,EAMP,WAAA,EAAA,MAAA;IAAA,SAAA;EAAA,MAIH,OAAA;IAAA,YAAA;IAAA,SAAA;EAAA;EAAA,gBAAA,IAAA,YAAA,aAKwC,OAAA;IAAA,IAAA,EACrC,WAAA;IAAA,SAAA;IAAA,SAAA;EAAA;EAAA,eAAA,IAAA,YAAA,aAKoC,OAAA;AAAA;AAAA,KAGlC,cAAA;EAAA;AAOZ;AASA;EAhBY,MAAA;AAAA;AAAA,UAOK,cAAA;EAAA;AASjB;;EATiB,IAAA,mBAIQ,aAAA;AAAA;AAAA,cAKZ,eAAA,SAAwB,SAAA,CAAU,sBAAA;EAAA,mBAAA,gBAAA,EACV,gBAAA;EAAA,mBAAA,gBAAA,EACA,gBAAA;EAAA,mBAAA,GAAA,EACb,WAAA;EAAA,mBAAA,GAAA,EAAA,cAAA,CACA,MAAA;EAAA,IAAA,KAAA;EAAA,IAAA,sBAAA,GAMc,QAAA;EAAA,IAAA,uBAAA,GAMC,QAAA;EAAA,UAAA,OAAA;EAAA;;;EAAA,SAAA,GA+BlB,IAAA;EAAA;;;EAAA,SAAA,KAAA,EAOU,IAAA,KAAS,OAAA;EAAA;;;EAAA,cAAA,IAAA,WAOF,IAAA;EAAA,WAAA,KAAA,WAQI,OAAA,CAAQ,UAAA;EAAA;;;EAAA,YAAA,IAAA,EASxC,WAAA,EAAA,YAAA;IAAA,G
AAA;IAAA,aAAA;IAAA,wBAAA;EAAA,IAML,OAAA,CAAQ,mBAAA;EAAA,yBAAA,UAAA,WAAA,YAuFR,OAAA;IAAA,MAAA,EACO,mBAAA;IAAA,IAAA,EACF,WAAA;EAAA;AAAA;AAAA,UAgEO,kBAAA;EAAA,GAAA;EAAA,KAAA;EAAA,KAAA;AAAA;AAAA,UAMA,mBAAA;EAAA,YAAA;EAAA,UAAA;EAAA,UAAA;EAAA,SAAA;EAAA,aAAA;EAAA,wBAAA;EAAA,KAAA;AAAA;;;;ACxVjB;;cAAa,WAAA;EAAA,CAAA,OAAA,GACF,0BAAA,GACR,mBAAA;EAAA;;UAMc,0BAAA;EAAA;AAmBjB;;EAnBiB,IAAA;EAAA;AAmBjB;;EAnBiB,KAAA;EAAA;AAmBjB;;EAnBiB,WAAA;AAAA;AAAA,cAmBJ,mBAAA,SAA4B,SAAA,CAAU,0BAAA;EAAA,mBAAA,gBAAA,EACd,gBAAA;EAAA,IAAA,KAAA;EAAA,IAAA,MAAA;EAAA,SAAA;EAAA,UAAA,OAAA;EAAA;;;EAAA,IAAA,IAAA,GAyBjB,WAAA;AAAA;;;;ACpDpB;;cAAa,KAAA;EAAA,CAAA,OAAA,GAAkB,oBAAA,GAA4B,aAAA;EAAA;;UAM1C,oBAAA;EAAA;AAuBjB;;EAvBiB,IAAA;EAAA;AAuBjB;;EAvBiB,WAAA;EAAA,MAAA,YAWG,eAAA;EAAA,WAAA,GAEJ,KAAA;IAAA,IAAA;IAAA,SAAA;IAAA,OAAA;EAAA;AAAA;AAAA,cAUH,aAAA,SAAsB,SAAA,CAAU,oBAAA;EAAA,mBAAA,gBAAA,EACR,gBAAA;EAAA,IAAA,KAAA;EAAA,UAAA,OAAA;EAAA;;;EAAA,IAAA,OAAA,YA0BL,eAAA;EAAA,IAAA,UAAA,WAIE,mBAAA;EAAA,MAAA,UAAA,WAIE,mBAAA,GAAmB,mBAAA;AAAA;;;;ACvCvD;AAuHA;;;;;AAYA;AAiBA;AAIA;;;;ACpLA;;;;ACcA;;;;;;;;;;;cFca,eAAA,GAAA,OAAA,EACF,8BAAA,KACR,uBAAA;AAAA,KAqHS,8BAAA;EAAA,WAAA;AAAA;EAAA,MAAA,EAIE,oCAAA;AAAA;EAAA,MAAA,EAGA,eAAA;EAAA,IAAA,EACF,WAAA;AAAA;AAAA,UAIK,oCAAA;EAAA;AAiBjB;AAIA;EArBiB,GAAA;EAAA;AAiBjB;AAIA;EArBiB,QAAA;EAAA;AAiBjB;AAIA;EArBiB,YAAA;AAAA;AAAA,UAiBA,uBAAA;EAAA,KAAA,QACF,OAAA;AAAA;AAAA,UAGE,mBAAA;EAAA,QAAA,GACJ,mBAAA;AAAA;;;cCrLA,cAAA;EAAA,aAAA,QAAA,WACkC,OAAA;EAAA,eAAA,QAAA,UAAA,MAAA,WAS1C,OAAA;EAAA,WAAA;AAAA;;;cCIQ,sBAAA;EAAA,mBAAA,GAAA,EAAsB,cAAA,CACX,MAAA;EAAA,mBAAA,gBAAA,EACa,gBAAA;EAAA,mBAAA,WAAA,EACL,WAAA;EAAA,mBAAA,MAAA,EACL,MAAA;EAAA,mBAAA,WAAA,EAAA,OAAA,CAEK,aAAA;EAAA,mBAAA,eAAA,EAAA,OAAA,CA8BI,aAAA;EAAA,mBAAA,SAAA,EAAA,OAAA,CA8CN,aAAA;EAAA,UAAA,MAAA,IAAA,EAgEN,gBAAA,EAAA,MAAA,EAA0B,iBAAA;EAAA;;;;;;;AAgIlD;;;;EAhIkD,UAAA,mCAAA,OAAA;IAAA,IAAA,GAsB5B,gBAAA;EAAA,GAAA,UAAA,GACL,UAAA,GACZ,gBAAA;EAAA,UAAA,eAAA,GA6DyB,gBAAA;EAAA,mBAAA,eAAA,EAAgB,OAAA,CAQV,aAAA;AAAA;AAAA,KAmCxB,iBAAA;EAAA,KAAA;EAAA,KAAA,GAEF,gB
AAA;AAAA;;;;;;;YCjQE,WAAA;IAAA;EAAA;EAAA,UAAA,KAAA;IAAA;;;;;;IAAA,uCAW+B,gBAAA;IAAA;;;;;IAAA,+BAOR,WAAA;EAAA;AAAA;AAAA;EAAA,UAAA,aAAA;IAAA,IAAA,GAMxB,gBAAA;EAAA;EAAA,UAAA,mBAAA;IAAA,IAAA,EAID,gBAAA;EAAA;EAAA,UAAA,WAAA;IAAA;;;;IAAA,MAAA,aAQa,iBAAA;EAAA;EAAA,UAAA,oBAAA,SAGkB,YAAA;IAAA;;;;AA4BzC;AA2BA;;IAvDyC,IAAA,GAQ9B,gBAAA;EAAA;AAAA;AAAA;;;;;AAoBX;AA2BA;;;;;;;;;;AA/CW,cAoBE,cAAA,EAAc,OAAA,CAAA,OAAA,CAsBzB,OAAA,CAtByB,MAAA;AAAA;AA2B3B;;AA3B2B,cA2Bd,oBAAA,EAAoB,OAAA,CAAA,OAAA,CAAiB,OAAA,CAAjB,MAAA"}
|
package/dist/security/index.js
CHANGED
|
@@ -1,32 +1,149 @@
|
|
|
1
1
|
import { $context, $env, $hook, $inject, $module, Alepha, AlephaError, AppNotStartedError, ContainerLockedError, KIND, Primitive, createPrimitive, t } from "alepha";
|
|
2
|
-
import { $
|
|
2
|
+
import { $action, AlephaServer, ForbiddenError, HttpError, ServerRouterProvider, UnauthorizedError } from "alepha/server";
|
|
3
3
|
import { createSecretKey, randomBytes, randomUUID, scrypt, timingSafeEqual } from "node:crypto";
|
|
4
|
+
import { $logger } from "alepha/logger";
|
|
4
5
|
import { DateTimeProvider } from "alepha/datetime";
|
|
5
6
|
import { SignJWT, createLocalJWKSet, createRemoteJWKSet, jwtVerify } from "jose";
|
|
6
7
|
import { JWTClaimValidationFailed, JWTExpired } from "jose/errors";
|
|
7
8
|
import { promisify } from "node:util";
|
|
8
|
-
import { UnauthorizedError } from "alepha/server";
|
|
9
9
|
|
|
10
|
-
//#region ../../src/security/
|
|
11
|
-
var
|
|
12
|
-
|
|
13
|
-
|
|
10
|
+
//#region ../../src/security/providers/ServerBasicAuthProvider.ts
|
|
11
|
+
var ServerBasicAuthProvider = class {
|
|
12
|
+
alepha = $inject(Alepha);
|
|
13
|
+
log = $logger();
|
|
14
|
+
routerProvider = $inject(ServerRouterProvider);
|
|
15
|
+
realm = "Secure Area";
|
|
16
|
+
/**
|
|
17
|
+
* Registered basic auth primitives with their configurations
|
|
18
|
+
*/
|
|
19
|
+
registeredAuths = [];
|
|
20
|
+
/**
|
|
21
|
+
* Register a basic auth configuration (called by primitives)
|
|
22
|
+
*/
|
|
23
|
+
registerAuth(config) {
|
|
24
|
+
this.registeredAuths.push(config);
|
|
25
|
+
}
|
|
26
|
+
onStart = $hook({
|
|
27
|
+
on: "start",
|
|
28
|
+
handler: async () => {
|
|
29
|
+
for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
|
|
30
|
+
const matchedRoutes = this.routerProvider.getRoutes(pattern);
|
|
31
|
+
for (const route of matchedRoutes) route.secure = { basic: {
|
|
32
|
+
username: auth.username,
|
|
33
|
+
password: auth.password
|
|
34
|
+
} };
|
|
35
|
+
}
|
|
36
|
+
if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
|
|
37
|
+
}
|
|
38
|
+
});
|
|
39
|
+
/**
|
|
40
|
+
* Hook into server:onRequest to check basic auth
|
|
41
|
+
*/
|
|
42
|
+
onRequest = $hook({
|
|
43
|
+
on: "server:onRequest",
|
|
44
|
+
handler: async ({ route, request }) => {
|
|
45
|
+
const routeAuth = route.secure;
|
|
46
|
+
if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
|
|
47
|
+
}
|
|
48
|
+
});
|
|
49
|
+
/**
|
|
50
|
+
* Hook into action:onRequest to check basic auth for actions
|
|
51
|
+
*/
|
|
52
|
+
onActionRequest = $hook({
|
|
53
|
+
on: "action:onRequest",
|
|
54
|
+
handler: async ({ action, request }) => {
|
|
55
|
+
const routeAuth = action.route.secure;
|
|
56
|
+
if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
|
|
57
|
+
}
|
|
58
|
+
});
|
|
59
|
+
/**
|
|
60
|
+
* Check basic authentication
|
|
61
|
+
*/
|
|
62
|
+
checkAuth(request, options) {
|
|
63
|
+
const authHeader = request.headers?.authorization;
|
|
64
|
+
if (!authHeader || !authHeader.startsWith("Basic ")) {
|
|
65
|
+
this.sendAuthRequired(request);
|
|
66
|
+
throw new HttpError({
|
|
67
|
+
status: 401,
|
|
68
|
+
message: "Authentication required"
|
|
69
|
+
});
|
|
70
|
+
}
|
|
71
|
+
const base64Credentials = authHeader.slice(6);
|
|
72
|
+
const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
|
|
73
|
+
const colonIndex = credentials.indexOf(":");
|
|
74
|
+
const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
|
|
75
|
+
const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
|
|
76
|
+
if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
|
|
77
|
+
this.sendAuthRequired(request);
|
|
78
|
+
this.log.warn(`Failed basic auth attempt for user`, { username });
|
|
79
|
+
throw new HttpError({
|
|
80
|
+
status: 401,
|
|
81
|
+
message: "Invalid credentials"
|
|
82
|
+
});
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
/**
|
|
86
|
+
* Performs a timing-safe comparison of credentials to prevent timing attacks.
|
|
87
|
+
* Always compares both username and password to avoid leaking which one is wrong.
|
|
88
|
+
*/
|
|
89
|
+
timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
|
|
90
|
+
const inputUserBuf = Buffer.from(inputUsername, "utf-8");
|
|
91
|
+
const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
|
|
92
|
+
const inputPassBuf = Buffer.from(inputPassword, "utf-8");
|
|
93
|
+
const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
|
|
94
|
+
return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
|
|
95
|
+
}
|
|
96
|
+
/**
|
|
97
|
+
* Compares two buffers in constant time, handling different lengths safely.
|
|
98
|
+
* Returns 1 if equal, 0 if not equal.
|
|
99
|
+
*/
|
|
100
|
+
safeCompare(input, expected) {
|
|
101
|
+
if (input.length !== expected.length) {
|
|
102
|
+
timingSafeEqual(input, input);
|
|
103
|
+
return 0;
|
|
104
|
+
}
|
|
105
|
+
return timingSafeEqual(input, expected) ? 1 : 0;
|
|
106
|
+
}
|
|
107
|
+
/**
|
|
108
|
+
* Send WWW-Authenticate header
|
|
109
|
+
*/
|
|
110
|
+
sendAuthRequired(request) {
|
|
111
|
+
request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
|
|
14
112
|
}
|
|
15
113
|
};
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
//#region ../../src/security/errors/InvalidTokenError.ts
|
|
19
|
-
var InvalidTokenError = class extends Error {
|
|
20
|
-
status = 401;
|
|
114
|
+
const isBasicAuth = (value) => {
|
|
115
|
+
return typeof value === "object" && !!value && "basic" in value && !!value.basic;
|
|
21
116
|
};
|
|
22
117
|
|
|
23
118
|
//#endregion
|
|
24
|
-
//#region ../../src/security/
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
119
|
+
//#region ../../src/security/primitives/$basicAuth.ts
|
|
120
|
+
/**
|
|
121
|
+
* Declares HTTP Basic Authentication for server routes.
|
|
122
|
+
* This primitive provides methods to protect routes with username/password authentication.
|
|
123
|
+
*/
|
|
124
|
+
const $basicAuth = (options) => {
|
|
125
|
+
return createPrimitive(BasicAuthPrimitive, options);
|
|
126
|
+
};
|
|
127
|
+
var BasicAuthPrimitive = class extends Primitive {
|
|
128
|
+
serverBasicAuthProvider = $inject(ServerBasicAuthProvider);
|
|
129
|
+
get name() {
|
|
130
|
+
return this.options.name ?? `${this.config.propertyKey}`;
|
|
131
|
+
}
|
|
132
|
+
onInit() {
|
|
133
|
+
this.serverBasicAuthProvider.registerAuth(this.options);
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* Checks basic auth for the given request using this primitive's configuration.
|
|
137
|
+
*/
|
|
138
|
+
check(request, options) {
|
|
139
|
+
const mergedOptions = {
|
|
140
|
+
...this.options,
|
|
141
|
+
...options
|
|
142
|
+
};
|
|
143
|
+
this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
|
|
28
144
|
}
|
|
29
145
|
};
|
|
146
|
+
$basicAuth[KIND] = BasicAuthPrimitive;
|
|
30
147
|
|
|
31
148
|
//#endregion
|
|
32
149
|
//#region ../../src/security/errors/SecurityError.ts
|
|
@@ -137,6 +254,28 @@ var JwtProvider = class {
|
|
|
137
254
|
}
|
|
138
255
|
};
|
|
139
256
|
|
|
257
|
+
//#endregion
|
|
258
|
+
//#region ../../src/security/errors/InvalidPermissionError.ts
|
|
259
|
+
var InvalidPermissionError = class extends Error {
|
|
260
|
+
constructor(name) {
|
|
261
|
+
super(`Permission '${name}' is invalid`);
|
|
262
|
+
}
|
|
263
|
+
};
|
|
264
|
+
|
|
265
|
+
//#endregion
|
|
266
|
+
//#region ../../src/security/errors/InvalidTokenError.ts
|
|
267
|
+
var InvalidTokenError = class extends Error {
|
|
268
|
+
status = 401;
|
|
269
|
+
};
|
|
270
|
+
|
|
271
|
+
//#endregion
|
|
272
|
+
//#region ../../src/security/errors/RealmNotFoundError.ts
|
|
273
|
+
var RealmNotFoundError = class extends Error {
|
|
274
|
+
constructor(realm) {
|
|
275
|
+
super(`Realm '${realm}' not found`);
|
|
276
|
+
}
|
|
277
|
+
};
|
|
278
|
+
|
|
140
279
|
//#endregion
|
|
141
280
|
//#region ../../src/security/providers/SecurityProvider.ts
|
|
142
281
|
const DEFAULT_APP_SECRET = "05759934015388327323179852515731";
|
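Review bot: `InvalidPermissionError` and `RealmNotFoundError` carry neither a `status` nor a `name`, unlike `InvalidTokenError` between them, which sets `status = 401`. If the server layer derives the response code from `error.status` (not visible in this hunk), these two would fall through to whatever the default is. `error.name` also stays `"Error"` for all three, so handlers and logs cannot tell them apart by name. Consider adding `name = "RealmNotFoundError";` (and the equivalent on the others) and deciding explicitly whether these are client errors or configuration errors. The messages interpolate the realm and permission name, so they should reach a client only if those values are not caller-controlled.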
|
@@ -530,50 +669,17 @@ var SecurityProvider = class {
|
|
|
530
669
|
};
|
|
531
670
|
|
|
532
671
|
//#endregion
|
|
533
|
-
//#region ../../src/security/primitives/$
|
|
534
|
-
/**
|
|
535
|
-
* Create a new permission.
|
|
536
|
-
*/
|
|
537
|
-
const $permission = (options = {}) => {
|
|
538
|
-
return createPrimitive(PermissionPrimitive, options);
|
|
539
|
-
};
|
|
540
|
-
var PermissionPrimitive = class extends Primitive {
|
|
541
|
-
securityProvider = $inject(SecurityProvider);
|
|
542
|
-
get name() {
|
|
543
|
-
return this.options.name || this.config.propertyKey;
|
|
544
|
-
}
|
|
545
|
-
get group() {
|
|
546
|
-
return this.options.group || this.config.service.name;
|
|
547
|
-
}
|
|
548
|
-
toString() {
|
|
549
|
-
return `${this.group}:${this.name}`;
|
|
550
|
-
}
|
|
551
|
-
onInit() {
|
|
552
|
-
this.securityProvider.createPermission({
|
|
553
|
-
name: this.name,
|
|
554
|
-
group: this.group,
|
|
555
|
-
description: this.options.description
|
|
556
|
-
});
|
|
557
|
-
}
|
|
558
|
-
/**
|
|
559
|
-
* Check if the user has the permission.
|
|
560
|
-
*/
|
|
561
|
-
can(user) {
|
|
562
|
-
if (!user?.roles) return false;
|
|
563
|
-
return this.securityProvider.checkPermission(this, ...user.roles).isAuthorized;
|
|
564
|
-
}
|
|
565
|
-
};
|
|
566
|
-
$permission[KIND] = PermissionPrimitive;
|
|
567
|
-
|
|
568
|
-
//#endregion
|
|
569
|
-
//#region ../../src/security/primitives/$realm.ts
|
|
672
|
+
//#region ../../src/security/primitives/$issuer.ts
|
|
570
673
|
/**
|
|
571
|
-
* Create a new
|
|
674
|
+
* Create a new issuer.
|
|
675
|
+
*
|
|
676
|
+
* An issuer is responsible for creating and verifying JWT tokens.
|
|
677
|
+
* It can be internal (with a secret) or external (with a JWKS).
|
|
572
678
|
*/
|
|
573
|
-
const $
|
|
574
|
-
return createPrimitive(
|
|
679
|
+
const $issuer = (options) => {
|
|
680
|
+
return createPrimitive(IssuerPrimitive, options);
|
|
575
681
|
};
|
|
576
|
-
var
|
|
682
|
+
var IssuerPrimitive = class extends Primitive {
|
|
577
683
|
securityProvider = $inject(SecurityProvider);
|
|
578
684
|
dateTimeProvider = $inject(DateTimeProvider);
|
|
579
685
|
jwt = $inject(JwtProvider);
|
|
@@ -604,13 +710,13 @@ var RealmPrimitive = class extends Primitive {
|
|
|
604
710
|
});
|
|
605
711
|
}
|
|
606
712
|
/**
|
|
607
|
-
* Get all roles in the
|
|
713
|
+
* Get all roles in the issuer.
|
|
608
714
|
*/
|
|
609
715
|
getRoles() {
|
|
610
716
|
return this.securityProvider.getRoles(this.name);
|
|
611
717
|
}
|
|
612
718
|
/**
|
|
613
|
-
* Set all roles in the
|
|
719
|
+
* Set all roles in the issuer.
|
|
614
720
|
*/
|
|
615
721
|
async setRoles(roles) {
|
|
616
722
|
await this.securityProvider.updateRealm(this.name, roles);
|
|
@@ -718,7 +824,43 @@ var RealmPrimitive = class extends Primitive {
|
|
|
718
824
|
};
|
|
719
825
|
}
|
|
720
826
|
};
|
|
721
|
-
$
|
|
827
|
+
$issuer[KIND] = IssuerPrimitive;
|
|
828
|
+
|
|
829
|
+
//#endregion
|
|
830
|
+
//#region ../../src/security/primitives/$permission.ts
|
|
831
|
+
/**
|
|
832
|
+
* Create a new permission.
|
|
833
|
+
*/
|
|
834
|
+
const $permission = (options = {}) => {
|
|
835
|
+
return createPrimitive(PermissionPrimitive, options);
|
|
836
|
+
};
|
|
837
|
+
var PermissionPrimitive = class extends Primitive {
|
|
838
|
+
securityProvider = $inject(SecurityProvider);
|
|
839
|
+
get name() {
|
|
840
|
+
return this.options.name || this.config.propertyKey;
|
|
841
|
+
}
|
|
842
|
+
get group() {
|
|
843
|
+
return this.options.group || this.config.service.name;
|
|
844
|
+
}
|
|
845
|
+
toString() {
|
|
846
|
+
return `${this.group}:${this.name}`;
|
|
847
|
+
}
|
|
848
|
+
onInit() {
|
|
849
|
+
this.securityProvider.createPermission({
|
|
850
|
+
name: this.name,
|
|
851
|
+
group: this.group,
|
|
852
|
+
description: this.options.description
|
|
853
|
+
});
|
|
854
|
+
}
|
|
855
|
+
/**
|
|
856
|
+
* Check if the user has the permission.
|
|
857
|
+
*/
|
|
858
|
+
can(user) {
|
|
859
|
+
if (!user?.roles) return false;
|
|
860
|
+
return this.securityProvider.checkPermission(this, ...user.roles).isAuthorized;
|
|
861
|
+
}
|
|
862
|
+
};
|
|
863
|
+
$permission[KIND] = PermissionPrimitive;
|
|
722
864
|
|
|
723
865
|
//#endregion
|
|
724
866
|
//#region ../../src/security/primitives/$role.ts
|
|
@@ -744,10 +886,10 @@ var RolePrimitive = class extends Primitive {
|
|
|
744
886
|
});
|
|
745
887
|
}
|
|
746
888
|
/**
|
|
747
|
-
* Get the
|
|
889
|
+
* Get the issuer of the role.
|
|
748
890
|
*/
|
|
749
|
-
get
|
|
750
|
-
return this.options.
|
|
891
|
+
get issuer() {
|
|
892
|
+
return this.options.issuer;
|
|
751
893
|
}
|
|
752
894
|
can(permission) {
|
|
753
895
|
return this.securityProvider.can(this.name, permission);
|
|
@@ -787,6 +929,160 @@ var CryptoProvider = class {
|
|
|
787
929
|
}
|
|
788
930
|
};
|
|
789
931
|
|
|
932
|
+
//#endregion
|
|
933
|
+
//#region ../../src/security/schemas/userAccountInfoSchema.ts
|
|
934
|
+
const userAccountInfoSchema = t.object({
|
|
935
|
+
id: t.text({ description: "Unique identifier for the user." }),
|
|
936
|
+
name: t.optional(t.text({ description: "Full name of the user." })),
|
|
937
|
+
email: t.optional(t.text({
|
|
938
|
+
description: "Email address of the user.",
|
|
939
|
+
format: "email"
|
|
940
|
+
})),
|
|
941
|
+
username: t.optional(t.text({ description: "Preferred username of the user." })),
|
|
942
|
+
picture: t.optional(t.text({ description: "URL to the user's profile picture." })),
|
|
943
|
+
sessionId: t.optional(t.text({ description: "Session identifier for the user, if applicable." })),
|
|
944
|
+
organizations: t.optional(t.array(t.text(), { description: "List of organizations the user belongs to." })),
|
|
945
|
+
roles: t.optional(t.array(t.text(), { description: "List of roles assigned to the user." }))
|
|
946
|
+
});
|
|
947
|
+
|
|
948
|
+
//#endregion
|
|
949
|
+
//#region ../../src/security/providers/ServerSecurityProvider.ts
|
|
950
|
+
var ServerSecurityProvider = class {
|
|
951
|
+
log = $logger();
|
|
952
|
+
securityProvider = $inject(SecurityProvider);
|
|
953
|
+
jwtProvider = $inject(JwtProvider);
|
|
954
|
+
alepha = $inject(Alepha);
|
|
955
|
+
onConfigure = $hook({
|
|
956
|
+
on: "configure",
|
|
957
|
+
handler: async () => {
|
|
958
|
+
for (const action of this.alepha.primitives($action)) {
|
|
959
|
+
if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
|
|
960
|
+
if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
|
|
961
|
+
name: action.name,
|
|
962
|
+
group: action.group,
|
|
963
|
+
method: action.route.method,
|
|
964
|
+
path: action.route.path
|
|
965
|
+
});
|
|
966
|
+
}
|
|
967
|
+
}
|
|
968
|
+
});
|
|
969
|
+
onActionRequest = $hook({
|
|
970
|
+
on: "action:onRequest",
|
|
971
|
+
handler: async ({ action, request, options }) => {
|
|
972
|
+
if (action.options.secure === false && !options.user) {
|
|
973
|
+
this.log.trace("Skipping security check for route");
|
|
974
|
+
return;
|
|
975
|
+
}
|
|
976
|
+
if (isBasicAuth(action.route.secure)) return;
|
|
977
|
+
const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
|
|
978
|
+
try {
|
|
979
|
+
request.user = this.createUserFromLocalFunctionContext(options, permission);
|
|
980
|
+
const route = action.route;
|
|
981
|
+
if (typeof route.secure === "object") this.check(request.user, route.secure);
|
|
982
|
+
this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
|
|
983
|
+
} catch (error) {
|
|
984
|
+
if (action.options.secure || permission) throw error;
|
|
985
|
+
this.log.trace("Skipping security check for action");
|
|
986
|
+
}
|
|
987
|
+
}
|
|
988
|
+
});
|
|
989
|
+
onRequest = $hook({
|
|
990
|
+
on: "server:onRequest",
|
|
991
|
+
priority: "last",
|
|
992
|
+
handler: async ({ request, route }) => {
|
|
993
|
+
if (route.secure === false) {
|
|
994
|
+
this.log.trace("Skipping security check for route - explicitly disabled");
|
|
995
|
+
return;
|
|
996
|
+
}
|
|
997
|
+
if (isBasicAuth(route.secure)) return;
|
|
998
|
+
const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
|
|
999
|
+
if (!request.headers.authorization && !route.secure && !permission) {
|
|
1000
|
+
this.log.trace("Skipping security check for route - no authorization header and not secure");
|
|
1001
|
+
return;
|
|
1002
|
+
}
|
|
1003
|
+
try {
|
|
1004
|
+
request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
|
|
1005
|
+
if (typeof route.secure === "object") this.check(request.user, route.secure);
|
|
1006
|
+
this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
|
|
1007
|
+
this.log.trace("User set from request token", {
|
|
1008
|
+
user: request.user,
|
|
1009
|
+
permission
|
|
1010
|
+
});
|
|
1011
|
+
} catch (error) {
|
|
1012
|
+
if (route.secure || permission) throw error;
|
|
1013
|
+
this.log.trace("Skipping security check for route - error occurred", error);
|
|
1014
|
+
}
|
|
1015
|
+
}
|
|
1016
|
+
});
|
|
1017
|
+
check(user, secure) {
|
|
1018
|
+
if (secure.realm) {
|
|
1019
|
+
if (user.realm !== secure.realm) throw new ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
|
|
1020
|
+
}
|
|
1021
|
+
}
|
|
1022
|
+
/**
|
|
1023
|
+
* Get the user account token for a local action call.
|
|
1024
|
+
* There are three possible sources for the user:
|
|
1025
|
+
* - `options.user`: the user passed in the options
|
|
1026
|
+
* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
|
|
1027
|
+
* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
|
|
1028
|
+
*
|
|
1029
|
+
* Priority order: `options.user` > `"system"` > `"context"`.
|
|
1030
|
+
*
|
|
1031
|
+
* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
|
|
1032
|
+
*/
|
|
1033
|
+
createUserFromLocalFunctionContext(options, permission) {
|
|
1034
|
+
const fromOptions = typeof options.user === "object" ? options.user : void 0;
|
|
1035
|
+
const type = typeof options.user === "string" ? options.user : void 0;
|
|
1036
|
+
let user;
|
|
1037
|
+
const fromContext = this.alepha.context.get("request")?.user;
|
|
1038
|
+
const fromSystem = this.alepha.store.get("alepha.server.security.system.user");
|
|
1039
|
+
if (type === "system") user = fromSystem;
|
|
1040
|
+
else if (type === "context") user = fromContext;
|
|
1041
|
+
else user = fromOptions ?? fromContext ?? fromSystem;
|
|
1042
|
+
if (!user) {
|
|
1043
|
+
if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
|
|
1044
|
+
throw new UnauthorizedError("User is required for calling this action");
|
|
1045
|
+
}
|
|
1046
|
+
const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
|
|
1047
|
+
let ownership;
|
|
1048
|
+
if (permission) {
|
|
1049
|
+
const result = this.securityProvider.checkPermission(permission, ...roles);
|
|
1050
|
+
if (!result.isAuthorized) throw new ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
|
|
1051
|
+
ownership = result.ownership;
|
|
1052
|
+
}
|
|
1053
|
+
return {
|
|
1054
|
+
...user,
|
|
1055
|
+
ownership
|
|
1056
|
+
};
|
|
1057
|
+
}
|
|
1058
|
+
createTestUser() {
|
|
1059
|
+
return {
|
|
1060
|
+
id: randomUUID(),
|
|
1061
|
+
name: "Test",
|
|
1062
|
+
roles: this.securityProvider.getRoles().map((role) => role.name)
|
|
1063
|
+
};
|
|
1064
|
+
}
|
|
1065
|
+
onClientRequest = $hook({
|
|
1066
|
+
on: "client:onRequest",
|
|
1067
|
+
handler: async ({ request, options }) => {
|
|
1068
|
+
if (!this.alepha.isTest()) return;
|
|
1069
|
+
if ("user" in options && options.user === void 0) return;
|
|
1070
|
+
request.headers = new Headers(request.headers);
|
|
1071
|
+
if (!request.headers.has("authorization")) {
|
|
1072
|
+
const test = this.createTestUser();
|
|
1073
|
+
const user = typeof options?.user === "object" ? options.user : void 0;
|
|
1074
|
+
const sub = user?.id ?? test.id;
|
|
1075
|
+
const roles = user?.roles ?? test.roles;
|
|
1076
|
+
const token = await this.jwtProvider.create({
|
|
1077
|
+
sub,
|
|
1078
|
+
roles
|
|
1079
|
+
}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
|
|
1080
|
+
request.headers.set("authorization", `Bearer ${token}`);
|
|
1081
|
+
}
|
|
1082
|
+
}
|
|
1083
|
+
});
|
|
1084
|
+
};
|
|
1085
|
+
|
|
790
1086
|
//#endregion
|
|
791
1087
|
//#region ../../src/security/errors/InvalidCredentialsError.ts
|
|
792
1088
|
/**
|
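Review bot: The docblock on `createUserFromLocalFunctionContext` gives the priority as `options.user` > `"system"` > `"context"`, but the implicit fallback is `fromOptions ?? fromContext ?? fromSystem`, so the request-context user wins over the system user; it also names the state key `server.security.system.user` while the code reads `alepha.server.security.system.user`. Because this function decides which identity a local action call runs as, the comment should state the real order, e.g. `* Fallback order when no source is named: options.user > request context > system user.`, or the expression should be reordered if the documented order is the intended one. Also in this hunk, the `onRequest` trace log records the whole `request.user` object, which per `userAccountInfoSchema` can hold an email and a `sessionId`; logging `{ userId: request.user.id, permission }` would keep those out of log storage.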
|
@@ -893,7 +1189,7 @@ const $serviceAccount = (options) => {
|
|
|
893
1189
|
return { token: async () => {
|
|
894
1190
|
const tokenFromCache = getTokenFromCache();
|
|
895
1191
|
if (tokenFromCache) return tokenFromCache;
|
|
896
|
-
const token = await options.
|
|
1192
|
+
const token = await options.issuer.createToken(options.user);
|
|
897
1193
|
cacheToken({
|
|
898
1194
|
...token,
|
|
899
1195
|
issued_at: dateTimeProvider.now().unix()
|
|
@@ -925,50 +1221,54 @@ const roleSchema = t.object({
|
|
|
925
1221
|
}))
|
|
926
1222
|
});
|
|
927
1223
|
|
|
928
|
-
//#endregion
|
|
929
|
-
//#region ../../src/security/schemas/userAccountInfoSchema.ts
|
|
930
|
-
const userAccountInfoSchema = t.object({
|
|
931
|
-
id: t.text({ description: "Unique identifier for the user." }),
|
|
932
|
-
name: t.optional(t.text({ description: "Full name of the user." })),
|
|
933
|
-
email: t.optional(t.text({
|
|
934
|
-
description: "Email address of the user.",
|
|
935
|
-
format: "email"
|
|
936
|
-
})),
|
|
937
|
-
username: t.optional(t.text({ description: "Preferred username of the user." })),
|
|
938
|
-
picture: t.optional(t.text({ description: "URL to the user's profile picture." })),
|
|
939
|
-
sessionId: t.optional(t.text({ description: "Session identifier for the user, if applicable." })),
|
|
940
|
-
organizations: t.optional(t.array(t.text(), { description: "List of organizations the user belongs to." })),
|
|
941
|
-
roles: t.optional(t.array(t.text(), { description: "List of roles assigned to the user." }))
|
|
942
|
-
});
|
|
943
|
-
|
|
944
1224
|
//#endregion
|
|
945
1225
|
//#region ../../src/security/index.ts
|
|
946
1226
|
/**
|
|
947
1227
|
* Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
|
|
948
1228
|
*
|
|
949
|
-
* The security module enables building secure applications using primitives like `$
|
|
1229
|
+
* The security module enables building secure applications using primitives like `$issuer`, `$role`, and `$permission`
|
|
950
1230
|
* on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
|
|
951
1231
|
* integration with various authentication providers and user management systems.
|
|
952
1232
|
*
|
|
953
|
-
*
|
|
1233
|
+
* When used with `AlephaServer`, this module automatically registers `ServerSecurityProvider` and `ServerBasicAuthProvider`
|
|
1234
|
+
* to protect HTTP routes and actions with JWT and Basic Auth.
|
|
1235
|
+
*
|
|
1236
|
+
* @see {@link $issuer}
|
|
954
1237
|
* @see {@link $role}
|
|
955
1238
|
* @see {@link $permission}
|
|
1239
|
+
* @see {@link $basicAuth}
|
|
956
1240
|
* @module alepha.security
|
|
957
1241
|
*/
|
|
958
1242
|
const AlephaSecurity = $module({
|
|
959
1243
|
name: "alepha.security",
|
|
960
1244
|
primitives: [
|
|
961
|
-
$
|
|
1245
|
+
$issuer,
|
|
962
1246
|
$role,
|
|
963
|
-
$permission
|
|
1247
|
+
$permission,
|
|
1248
|
+
$basicAuth
|
|
964
1249
|
],
|
|
965
1250
|
services: [
|
|
966
1251
|
SecurityProvider,
|
|
967
1252
|
JwtProvider,
|
|
968
|
-
CryptoProvider
|
|
969
|
-
|
|
1253
|
+
CryptoProvider,
|
|
1254
|
+
ServerSecurityProvider,
|
|
1255
|
+
ServerBasicAuthProvider
|
|
1256
|
+
],
|
|
1257
|
+
register: (alepha) => {
|
|
1258
|
+
alepha.with(SecurityProvider);
|
|
1259
|
+
alepha.with(JwtProvider);
|
|
1260
|
+
alepha.with(CryptoProvider);
|
|
1261
|
+
if (alepha.has(AlephaServer)) {
|
|
1262
|
+
alepha.with(ServerSecurityProvider);
|
|
1263
|
+
alepha.with(ServerBasicAuthProvider);
|
|
1264
|
+
}
|
|
1265
|
+
}
|
|
970
1266
|
});
|
|
1267
|
+
/**
|
|
1268
|
+
* @deprecated Use `AlephaSecurity` instead. Server security providers are automatically registered when `AlephaServer` is available.
|
|
1269
|
+
*/
|
|
1270
|
+
const AlephaServerSecurity = AlephaSecurity;
|
|
971
1271
|
|
|
972
1272
|
//#endregion
|
|
973
|
-
export { $
|
|
1273
|
+
export { $basicAuth, $issuer, $permission, $role, $serviceAccount, AlephaSecurity, AlephaServerSecurity, BasicAuthPrimitive, CryptoProvider, DEFAULT_APP_SECRET, InvalidCredentialsError, InvalidPermissionError, IssuerPrimitive, JwtProvider, PermissionPrimitive, RolePrimitive, SecurityError, SecurityProvider, ServerBasicAuthProvider, ServerSecurityProvider, isBasicAuth, permissionSchema, roleSchema, userAccountInfoSchema };
|
|
974
1274
|
//# sourceMappingURL=index.js.map
|
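Review bot: In `register`, `ServerSecurityProvider` and `ServerBasicAuthProvider` are attached only when `alepha.has(AlephaServer)` is true at the moment this module is registered. If `has` reflects only what has been registered so far (its semantics are not visible here), loading `AlephaSecurity` before `AlephaServer` would leave HTTP routes without the JWT and Basic Auth hooks, with no error or log line. The module docblock should state the ordering requirement, for example `* Server providers are attached only if AlephaServer is already registered when this module loads.`, or the check should be deferred to a lifecycle hook that runs after all modules are known. The same two providers are also listed unconditionally under `services`, so it is worth confirming which of the two declarations actually governs instantiation.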