alepha 0.15.1 → 0.15.2

package/dist/security/index.js

@@ -1721,13 +1721,32 @@ var SecurityProvider = class {
 		on: "start",
 		handler: async () => {
 			if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) this.log.warn("Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.");
-			for (const realm of this.realms) if (realm.secret) {
-				const secret = typeof realm.secret === "function" ? realm.secret() : realm.secret;
-				this.jwt.setKeyLoader(realm.name, secret);
+			for (const realm of this.realms) {
+				if (realm.secret) {
+					const secret = typeof realm.secret === "function" ? realm.secret() : realm.secret;
+					this.jwt.setKeyLoader(realm.name, secret);
+				}
+				if (!realm.resolvers || realm.resolvers.length === 0) this.registerResolver(this.createDefaultJwtResolver(realm.name), realm.name);
 			}
 		}
 	});
 	/**
+	* Creates a default JWT resolver for a realm.
+	*/
+	createDefaultJwtResolver(realmName) {
+		return {
+			priority: 100,
+			onRequest: async (req) => {
+				const auth = req.headers.authorization;
+				if (!auth?.startsWith("Bearer ")) return null;
+				const token = auth.slice(7);
+				if (!token.includes(".")) return null;
+				const { result } = await this.jwt.parse(token, realmName);
+				return this.createUserFromPayload(result.payload, realmName);
+			}
+		};
+	}
+	/**
 	* Adds a role to one or more realms.
 	*
 	* @param role
@@ -1846,6 +1865,82 @@ var SecurityProvider = class {
 		};
 	}
 	/**
+	* Generic user creation from any source (JWT, API key, etc.).
+	* Handles permission checking, ownership, default roles.
+	*/
+	createUser(userInfo, options = {}) {
+		const realmRoles = this.getRoles(options.realm).filter((it) => it.default);
+		const roles = [...userInfo.roles ?? []];
+		for (const role of realmRoles) if (!roles.includes(role.name)) roles.push(role.name);
+		let ownership;
+		if (options.permission) {
+			const check = this.checkPermission(options.permission, ...roles);
+			if (!check.isAuthorized) throw new SecurityError(`User is not allowed to access '${this.permissionToString(options.permission)}'`);
+			ownership = check.ownership;
+		}
+		return {
+			...userInfo,
+			roles,
+			ownership,
+			realm: options.realm
+		};
+	}
+	/**
+	* Register a resolver to a realm.
+	* Resolvers are sorted by priority (lower = first).
+	*/
+	registerResolver(resolver, realmName) {
+		const realm = this.getRealm(realmName);
+		if (!realm.resolvers) realm.resolvers = [];
+		realm.resolvers.push(resolver);
+		realm.resolvers.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));
+	}
+	/**
+	* Get a realm by name.
+	* Throws if realm not found.
+	*/
+	getRealm(realmName) {
+		const realm = realmName ? this.realms.find((it) => it.name === realmName) : this.realms[0];
+		if (!realm) throw new RealmNotFoundError(realmName ?? "default");
+		return realm;
+	}
+	/**
+	* Resolve user from request using registered resolvers.
+	* Returns undefined if no resolver could authenticate (no auth provided).
+	* Throws UnauthorizedError if auth was provided but invalid.
+	*
+	* Note: This method tries resolvers from ALL realms to find a match,
+	* regardless of the `realm` option. The `realm` option is only used for
+	* permission checking after the user is resolved.
+	*/
+	async resolveUserFromServerRequest(req, options = {}) {
+		const allResolvers = [];
+		for (const realm of this.realms) for (const resolver of realm.resolvers ?? []) allResolvers.push({
+			resolver,
+			realmName: realm.name
+		});
+		allResolvers.sort((a, b) => (a.resolver.priority ?? 100) - (b.resolver.priority ?? 100));
+		for (const { resolver, realmName } of allResolvers) {
+			let userInfo;
+			try {
+				userInfo = await resolver.onRequest(req);
+			} catch {
+				continue;
+			}
+			if (userInfo) {
+				const user = this.createUser(userInfo, {
+					realm: realmName,
+					permission: options.permission
+				});
+				await this.alepha.events.emit("security:user:created", {
+					realm: realmName,
+					user
+				});
+				return user;
+			}
+		}
+	}
+	/**
 	* Checks if the user has the specified permission.
 	*
 	* Bonus: we check also if the user has "ownership" flag.
@@ -2117,8 +2212,34 @@ var IssuerPrimitive = class extends Primitive {
 			name: this.name,
 			profile: this.options.profile,
 			secret: "jwks" in this.options ? this.options.jwks : this.options.secret,
-			roles
+			roles,
+			resolvers: []
 		});
+		for (const resolver of this.options.resolvers ?? []) this.registerResolver(resolver);
+		this.registerResolver(this.createJwtResolver());
+	}
+	/**
+	* Creates the default JWT resolver.
+	*/
+	createJwtResolver() {
+		return {
+			priority: 100,
+			onRequest: async (req) => {
+				const auth = req.headers.authorization;
+				if (!auth?.startsWith("Bearer ")) return null;
+				const token = auth.slice(7);
+				if (!token.includes(".")) return null;
+				const { result } = await this.jwt.parse(token, this.name);
+				return this.securityProvider.createUserFromPayload(result.payload, this.name);
+			}
+		};
+	}
+	/**
+	* Register a resolver to this issuer.
+	* Resolvers are sorted by priority (lower = first).
+	*/
+	registerResolver(resolver) {
+		this.securityProvider.registerResolver(resolver, this.name);
 	}
 	/**
 	* Get all roles in the issuer.
@@ -2363,6 +2484,7 @@ var ServerSecurityProvider = class {
 	securityProvider = $inject(SecurityProvider);
 	jwtProvider = $inject(JwtProvider);
 	alepha = $inject(Alepha);
+	resolvers = [];
 	onConfigure = $hook({
 		on: "configure",
 		handler: async () => {
@@ -2407,15 +2529,23 @@ var ServerSecurityProvider = class {
 			}
 			if (isBasicAuth(route.secure)) return;
 			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
+			const realm = typeof route.secure === "object" ? route.secure.realm : void 0;
 			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
+				request.user = await this.securityProvider.resolveUserFromServerRequest(request, {
+					permission,
+					realm
+				});
+				if (!request.user) {
+					if (route.secure || permission) {
+						if (!request.headers.authorization) throw new InvalidTokenError("Invalid authorization header, maybe token is missing ?");
+						throw new UnauthorizedError("Authentication required");
+					}
+					this.log.trace("Skipping security check for route - no auth provided and not required");
+					return;
+				}
 				if (typeof route.secure === "object") this.check(request.user, route.secure);
 				this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
+				this.log.trace("User set from request", {
 					user: request.user,
 					permission
 				});
@@ -2450,11 +2580,8 @@ var ServerSecurityProvider = class {
 		if (type === "system") user = fromSystem;
 		else if (type === "context") user = fromContext;
 		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
+		if (!user) throw new UnauthorizedError("User is required for calling this action");
+		const roles = user.roles ?? [];
 		let ownership;
 		if (permission) {
 			const result = this.securityProvider.checkPermission(permission, ...roles);
@@ -2477,7 +2604,7 @@ var ServerSecurityProvider = class {
 		on: "client:onRequest",
 		handler: async ({ request, options }) => {
 			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
+			if (!options.user) return;
 			request.headers = new Headers(request.headers);
 			if (!request.headers.has("authorization")) {
 				const test = this.createTestUser();
@@ -2635,19 +2762,23 @@ const roleSchema = t.object({
 //#endregion
 //#region ../../src/security/index.ts
 /**
-* Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
+* | type | quality | stability |
+* |------|---------|-----------|
+* | backend | epic | stable |
 *
-* The security module enables building secure applications using primitives like `$issuer`, `$role`, and `$permission`
-* on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
-* integration with various authentication providers and user management systems.
+* Complete authentication and authorization system with JWT, RBAC, and multi-issuer support.
 *
-* When used with `AlephaServer`, this module automatically registers `ServerSecurityProvider` and `ServerBasicAuthProvider`
-* to protect HTTP routes and actions with JWT and Basic Auth.
+* **Features:**
+* - JWT token issuer with role definitions
+* - Role-based access control (RBAC)
+* - Fine-grained permissions
+* - HTTP Basic Authentication
+* - Service-to-service authentication
+* - Multi-issuer support for federated auth
+* - JWKS (JSON Web Key Set) for external issuers
+* - Token refresh logic
+* - User profile extraction from JWT
 *
-* @see {@link $issuer}
-* @see {@link $role}
-* @see {@link $permission}
-* @see {@link $basicAuth}
 * @module alepha.security
 */
 const AlephaSecurity = $module({