alepha 0.18.2 → 0.18.3

package/src/server/auth/providers/ServerAuthProvider.ts

@@ -35,6 +35,12 @@ export class ServerAuthProvider {
   protected readonly dateTimeProvider = $inject(DateTimeProvider);
   protected readonly serverLinksProvider = $inject(ServerLinksProvider);
 
+  public get identities(): Array<AuthPrimitive> {
+    return this.alepha
+      .primitives($auth)
+      .filter((auth) => !auth.options.disabled);
+  }
+
   protected readonly authorizationCode = $cookie({
     name: "authorizationCode",
     ttl: [15, "minutes"],
@@ -58,47 +64,6 @@ export class ServerAuthProvider {
     schema: tokensSchema,
   });
 
-  public get identities(): Array<AuthPrimitive> {
-    return this.alepha
-      .primitives($auth)
-      .filter((auth) => !auth.options.disabled);
-  }
-
-  public getAuthenticationProviders(
-    filters: { realmName?: string } = {},
-  ): AuthenticationProvider[] {
-    const providers: AuthenticationProvider[] = [];
-
-    for (const identity of this.identities) {
-      if (filters.realmName) {
-        const issuer = identity.issuer;
-        if (!issuer || issuer.name !== filters.realmName) {
-          continue;
-        }
-      }
-
-      const type =
-        "oidc" in identity.options
-          ? "OIDC"
-          : "oauth" in identity.options
-            ? "OAUTH2"
-            : "credentials" in identity.options
-              ? "CREDENTIALS"
-              : undefined;
-
-      if (!type) {
-        continue;
-      }
-
-      providers.push({
-        name: identity.name,
-        type,
-      });
-    }
-
-    return providers;
-  }
-
   protected readonly configure = $hook({
     on: "configure",
     handler: async () => {
@@ -108,20 +73,6 @@ export class ServerAuthProvider {
     },
   });
 
-  protected getAccessTokens(tokens: Tokens) {
-    const idp = this.provider(tokens.provider);
-
-    if (
-      "oidc" in idp.options &&
-      !("realm" in idp.options) &&
-      idp.options.oidc?.useIdToken
-    ) {
-      return tokens.id_token;
-    }
-
-    return tokens.access_token;
-  }
-
   /**
    * Fill request headers with access token from cookies or fallback to provider's fallback function.
    */
@@ -135,7 +86,7 @@ export class ServerAuthProvider {
       if (cookies) {
         const tokens = await this.cookiesToTokens(cookies);
         if (tokens) {
-          request.headers.authorization = `Bearer ${this.getAccessTokens(tokens)}`;
+          request.headers.authorization = `Bearer ${this.extractAccessToken(tokens)}`;
           this.log.trace("Access token set in request headers", {
             provider: tokens.provider,
           });
@@ -157,86 +108,6 @@ export class ServerAuthProvider {
     },
   });
 
-  /**
-   * Convert cookies to tokens.
-   * If the tokens are expired, try to refresh them using the refresh token.
-   */
-  protected async cookiesToTokens(
-    cookies: Cookies,
-  ): Promise<Tokens | undefined> {
-    const tokens = this.getTokens(cookies);
-    if (!tokens) {
-      // no cookie, no tokens
-      this.log.trace("No tokens found in cookies");
-      return;
-    }
-
-    this.log.trace("Tokens found in cookies", {
-      expires_in: tokens.expires_in,
-      issued_at: tokens.issued_at,
-    });
-
-    // check if tokens are expired
-    const refreshedTokens = await this.refreshTokens(tokens);
-    if (!refreshedTokens) {
-      this.tokens.del({ cookies });
-      // 08/25: exception here will go to Server error handler, not the React one
-      // better to remove cookie & session and let the page handle 401 Unauthorized
-      //throw new SessionExpiredError("Session expired. Please login again.");
-      return;
-    }
-
-    if (refreshedTokens.access_token !== tokens.access_token) {
-      this.setTokens(refreshedTokens, cookies);
-    }
-
-    return refreshedTokens;
-  }
-
-  protected async refreshTokens(tokens: Tokens): Promise<Tokens | undefined> {
-    if (tokens.expires_in && tokens.issued_at) {
-      const gracePeriodSec = 10;
-      const expiresAt = tokens.issued_at + (tokens.expires_in - gracePeriodSec);
-
-      if (expiresAt < this.dateTimeProvider.now().unix()) {
-        this.log.trace("Tokens are expired");
-
-        // oh no, it is expired
-        if (tokens.refresh_token) {
-          this.log.trace("Trying to refresh tokens using refresh token");
-          // but has refresh token!
-          try {
-            const provider = this.provider(tokens);
-            const result = await provider.refresh(
-              tokens.refresh_token,
-              tokens.access_token,
-            );
-            const newTokens = {
-              ...result,
-              provider: tokens.provider,
-              issued_at: this.dateTimeProvider.now().unix(),
-            };
-
-            this.log.debug("Tokens refreshed successfully");
-
-            return newTokens;
-          } catch (e) {
-            this.log.warn("Failed to refresh token", e);
-          }
-        }
-
-        // session expired and no (valid) refresh token
-        return;
-      }
-    }
-
-    if (!tokens.issued_at && tokens.access_token) {
-      return;
-    }
-
-    return tokens;
-  }
-
   // -------------------------------------------------------------------------------------------------------------------
 
   /**
@@ -412,7 +283,7 @@ export class ServerAuthProvider {
         provider: query.provider,
         realm: query.realm,
       });
-      const oauth = provider.oauth;
+      const oauth = await provider.getOAuth();
       if (!oauth) {
         throw new SecurityError(
           `Auth provider '${query.provider}' does not support OAuth2`,
@@ -495,7 +366,7 @@ export class ServerAuthProvider {
       }
 
       const provider = this.provider(authorizationCode);
-      const oauth = provider.oauth;
+      const oauth = await provider.getOAuth();
       if (!oauth) {
         throw new SecurityError(
           `Auth provider '${provider.name}' does not support OAuth2`,
@@ -586,7 +457,7 @@ export class ServerAuthProvider {
         }
       }
 
-      const oauth = provider.oauth;
+      const oauth = await provider.getOAuth();
       if (!oauth) {
         reply.redirect(redirect, 302);
         return;
@@ -623,6 +494,45 @@ export class ServerAuthProvider {
     },
   });
 
+  // -------------------------------------------------------------------------------------------------------------------
+
+  public getAuthenticationProviders(
+    filters: { realmName?: string } = {},
+  ): AuthenticationProvider[] {
+    const providers: AuthenticationProvider[] = [];
+
+    for (const identity of this.identities) {
+      if (filters.realmName) {
+        const issuer = identity.issuer;
+        if (!issuer || issuer.name !== filters.realmName) {
+          continue;
+        }
+      }
+
+      const type =
+        "oidc" in identity.options
+          ? "OIDC"
+          : "oauth" in identity.options
+            ? "OAUTH2"
+            : "credentials" in identity.options
+              ? "CREDENTIALS"
+              : undefined;
+
+      if (!type) {
+        continue;
+      }
+
+      providers.push({
+        name: identity.name,
+        type,
+      });
+    }
+
+    return providers;
+  }
+
+  // -------------------------------------------------------------------------------------------------------------------
+
   /**
    * Find an auth provider by name and optionally by realm.
    * When realm is specified, it filters providers by both name and realm.
@@ -655,6 +565,42 @@ export class ServerAuthProvider {
     return identity;
   }
 
+  /**
+   * Convert cookies to tokens.
+   * If the tokens are expired, try to refresh them using the refresh token.
+   */
+  protected async cookiesToTokens(
+    cookies: Cookies,
+  ): Promise<Tokens | undefined> {
+    const tokens = this.getTokens(cookies);
+    if (!tokens) {
+      // no cookie, no tokens
+      this.log.trace("No tokens found in cookies");
+      return;
+    }
+
+    this.log.trace("Tokens found in cookies", {
+      expires_in: tokens.expires_in,
+      issued_at: tokens.issued_at,
+    });
+
+    // check if tokens are expired
+    const refreshedTokens = await this.refreshTokens(tokens);
+    if (!refreshedTokens) {
+      this.tokens.del({ cookies });
+      // 08/25: exception here will go to Server error handler, not the React one
+      // better to remove cookie & session and let the page handle 401 Unauthorized
+      //throw new SessionExpiredError("Session expired. Please login again.");
+      return;
+    }
+
+    if (refreshedTokens.access_token !== tokens.access_token) {
+      this.setTokens(refreshedTokens, cookies);
+    }
+
+    return refreshedTokens;
+  }
+
   protected getTokens(cookies?: Cookies): Tokens | undefined {
     return this.tokens.get({ cookies });
   }
@@ -674,8 +620,68 @@ export class ServerAuthProvider {
       ttl,
     });
   }
+
+  protected extractAccessToken(tokens: Tokens) {
+    const idp = this.provider(tokens.provider);
+
+    if (
+      "oidc" in idp.options &&
+      !("realm" in idp.options) &&
+      idp.options.oidc?.useIdToken
+    ) {
+      return tokens.id_token;
+    }
+
+    return tokens.access_token;
+  }
+
+  protected async refreshTokens(tokens: Tokens): Promise<Tokens | undefined> {
+    if (tokens.expires_in && tokens.issued_at) {
+      const gracePeriodSec = 10;
+      const expiresAt = tokens.issued_at + (tokens.expires_in - gracePeriodSec);
+
+      if (expiresAt < this.dateTimeProvider.now().unix()) {
+        this.log.trace("Tokens are expired");
+
+        // oh no, it is expired
+        if (tokens.refresh_token) {
+          this.log.trace("Trying to refresh tokens using refresh token");
+          // but has refresh token!
+          try {
+            const provider = this.provider(tokens);
+            const result = await provider.refresh(
+              tokens.refresh_token,
+              tokens.access_token,
+            );
+            const newTokens = {
+              ...result,
+              provider: tokens.provider,
+              issued_at: this.dateTimeProvider.now().unix(),
+            };
+
+            this.log.debug("Tokens refreshed successfully");
+
+            return newTokens;
+          } catch (e) {
+            this.log.warn("Failed to refresh token", e);
+          }
+        }
+
+        // session expired and no (valid) refresh token
+        return;
+      }
+    }
+
+    if (!tokens.issued_at && tokens.access_token) {
+      return;
+    }
+
+    return tokens;
+  }
 }
 
+// ---------------------------------------------------------------------------------------------------------------------
+
 export interface OAuth2Profile {
   sub: string; // Subject - unique ID per user (required by OpenID)
   email?: string;

package/src/server/cookies/providers/ServerCookiesProvider.ts

@@ -1,13 +1,13 @@
 import {
   createCipheriv,
   createDecipheriv,
+  createHash,
   createHmac,
   randomBytes,
   timingSafeEqual,
 } from "node:crypto";
 import { deflateRawSync, inflateRawSync } from "node:zlib";
 import {
-  $env,
   $hook,
   $inject,
   Alepha,
@@ -15,9 +15,9 @@ import {
   type Static,
   type TSchema,
 } from "alepha";
+import { SecretProvider } from "alepha/crypto";
 import { DateTimeProvider } from "alepha/datetime";
 import { $logger } from "alepha/logger";
-import { alephaSecurityEnvSchema } from "alepha/security";
 import type {
   Cookie,
   CookiePrimitiveOptions,
@@ -30,7 +30,7 @@ export class ServerCookiesProvider {
   protected readonly log = $logger();
   protected readonly cookieParser = $inject(CookieParser);
   protected readonly dateTimeProvider = $inject(DateTimeProvider);
-  protected readonly env = $env(alephaSecurityEnvSchema);
+  protected readonly secretProvider = $inject(SecretProvider);
 
   // crypto constants
   protected readonly ALGORITHM = "aes-256-gcm";
@@ -186,11 +186,7 @@ export class ServerCookiesProvider {
 
   protected encrypt(text: string): string {
     const iv = randomBytes(this.IV_LENGTH);
-    const cipher = createCipheriv(
-      this.ALGORITHM,
-      Buffer.from(this.secretKey()),
-      iv,
-    );
+    const cipher = createCipheriv(this.ALGORITHM, this.deriveKey(), iv);
     const encrypted = Buffer.concat([
       cipher.update(text, "utf8"),
       cipher.final(),
@@ -208,11 +204,7 @@ export class ServerCookiesProvider {
     );
 
     const encrypted = data.subarray(this.IV_LENGTH + this.AUTH_TAG_LENGTH);
-    const decipher = createDecipheriv(
-      this.ALGORITHM,
-      Buffer.from(this.secretKey()),
-      iv,
-    );
+    const decipher = createDecipheriv(this.ALGORITHM, this.deriveKey(), iv);
 
     decipher.setAuthTag(authTag);
 
@@ -224,19 +216,15 @@ export class ServerCookiesProvider {
     return decrypted.toString("utf8");
   }
 
-  public secretKey(): string {
-    let secret = this.env.APP_SECRET;
-    if (secret.length < 32) {
-      // pad secret to 32 bytes
-      secret = secret.padEnd(32, "0");
-    } else if (secret.length > 32) {
-      // truncate secret to 32 bytes
-      secret = secret.substring(0, 32);
-    }
-    return secret;
+  /**
+   * Derives a 32-byte key from APP_SECRET via SHA-256.
+   * Accepts any string length — no padding or truncation needed.
+   */
+  protected deriveKey(): Buffer {
+    return createHash("sha256").update(this.secretProvider.secretKey).digest();
   }
 
   protected sign(data: string): string {
-    return createHmac("sha256", this.secretKey()).update(data).digest("hex");
+    return createHmac("sha256", this.deriveKey()).update(data).digest("hex");
   }
 }

package/src/server/core/index.ts

@@ -17,6 +17,7 @@ import {
 } from "./primitives/$action.ts";
 import { $middleware } from "./primitives/$middleware.ts";
 import { $route } from "./primitives/$route.ts";
+import { $sse } from "./primitives/$sse.ts";
 import { BunHttpServerProvider } from "./providers/BunHttpServerProvider.ts";
 import { NodeHttpServerProvider } from "./providers/NodeHttpServerProvider.ts";
 import { ServerBodyParserProvider } from "./providers/ServerBodyParserProvider.ts";
@@ -111,6 +112,7 @@ export * from "./primitives/$action.ts";
 export * from "./primitives/$circuit.ts";
 export * from "./primitives/$middleware.ts";
 export * from "./primitives/$route.ts";
+export * from "./primitives/$sse.ts";
 export * from "./providers/BunHttpServerProvider.ts";
 export * from "./providers/NodeHttpServerProvider.ts";
 export * from "./providers/ServerCompressProvider.ts";
@@ -146,7 +148,7 @@ export * from "./services/UserAgentParser.ts";
  */
 export const AlephaServer = $module({
   name: "alepha.server",
-  primitives: [$route, $action, $middleware],
+  primitives: [$route, $action, $middleware, $sse],
   services: [
     ServerProvider,
     BunHttpServerProvider,