authenik8-core 0.1.0

package/src/createAuthenik8.ts

@@ -0,0 +1,66 @@
+import {SecurityModule} from "./security/ipService";
+import  {RefreshService } from "./auth/refreshService"
+import {Authenik8Config} from "./types/config";
+import  {Incognito} from "./auth/guestModeService"
+import {requireAdmin} from "./middleware/adminService";
+import {JWTService} from "./auth/jwtAuth"
+import { initializeRedisClient } from "./redis/redisService"
+import {Authenik8Instance} from "./types/public"
+import {RedisTokenStore} from "./storage/RedisTokenStore"
+
+export const createAuthenik8 = async (config:Authenik8Config): Promise<Authenik8Instance> =>{
+
+const redisClient = config.redis ?? await initializeRedisClient()
+const tokenStore = new RedisTokenStore(redisClient);
+
+	const jwtService =new JWTService({
+	jwtSecret:config.jwtSecret,
+	expiry:config.jwtExpiry,
+	redisClient:redisClient
+	});
+
+	const refreshService = new RefreshService({
+	tokenStore,
+	accessTokenSecret:config.jwtSecret,
+	refreshTokenSecret:config.refreshSecret,
+	accessTokenExpiry:config.jwtExpiry,
+	rotateRefreshTokens:true
+	});
+
+	const security = new SecurityModule({
+	redisClient:config.redis,
+	rateLimiterEnabled: true,
+	helmetEnabled:true,
+	whiteListEnabled:true
+	});
+return{
+	//auth
+	redis:redisClient,
+	signToken:jwtService.signToken.bind(jwtService),
+	verifyToken:jwtService.verifyToken.bind(jwtService),
+	guestToken:jwtService.guestToken.bind(jwtService),
+	
+	//refresh
+	refreshToken:
+		refreshService.refresh.bind(refreshService),
+	generateRefreshToken: refreshService.generateRefreshToken.bind(refreshService),
+//security
+   rateLimit: security.rateLimiterMiddleware(),
+    ipWhitelist: security.whiteListMiddleware(),
+    helmet: security.helmetMiddleware(),
+
+    //Whitelist management
+    addIP: security.addIP.bind(security),
+    removeIP: security.removeIP.bind(security),
+    listIPs: security.listIPs.bind(security),
+
+
+	//middleware
+requireAdmin :requireAdmin({ jwtSecret:
+	config.jwtSecret,
+			   redis:redisClient
+}),
+incognito:Incognito
+
+}
+}

package/src/index.ts

@@ -0,0 +1 @@
+export {createAuthenik8} from "./createAuthenik8";

package/src/middleware/adminService.ts

@@ -0,0 +1,50 @@
+
+import {Request, Response, NextFunction} from "express";
+import jwt from "jsonwebtoken";
+import {Authenik8Config} from "../types/config";
+import { RequireAdminOptions } from "../types/admin";
+
+
+interface JwtPayload {
+id:string;
+role: string;
+}
+
+
+
+export const requireAdmin=(options:RequireAdminOptions)=>{
+	const {jwtSecret,redis}= options;
+return(req:Request, res:Response,next:NextFunction)=>{
+
+const authHeader = req.headers.authorization
+const cookieToken =req.cookies?.token
+
+let token:string | undefined;
+
+
+if(authHeader && authHeader.startsWith("Bearer")){
+	token=authHeader.split(" ")[1];
+
+}
+if (!token && cookieToken){
+token = cookieToken
+}
+
+if(!token){
+return res.status(401).json({error:"Unauthorized:No token provided"});}
+try{
+        const decoded = jwt.verify(token,options.jwtSecret) as JwtPayload;
+
+        if(typeof decoded.role !== "string"){
+        res.status(403).json({error:"Forbidden: Admin only"})
+        }
+	const payload = decoded as JwtPayload
+
+(req as any).user =decoded;
+next();
+}catch(error){
+	return
+res.status(401).json({error:"Invalid or expired token"})
+}
+}
+}

package/src/redis/redisService.ts

@@ -0,0 +1,137 @@
+import dotenv from "dotenv";
+import {RedisStore}  from "connect-redis";
+import Redis ,{ Redis as RedisCon }from "ioredis";
+dotenv.config();
+
+
+
+
+interface RedisConfig{
+url?: string;
+host?: string 
+port?: number;
+password?: string;
+maxRetriesPerRequest?:number;
+connectTimeout: number;
+}
+
+interface RedisStoreOptions{
+prefix?: string;
+ttl?: number;
+}
+
+interface SetupRedisOptions{
+redisConfig?: Partial<RedisConfig>;
+storeOptions?:Partial<RedisStoreOptions>;
+}
+
+let redisClientInstance:RedisCon | null = null
+let redisStoreInstance:RedisStore |null = null
+
+const DEFAULT_REDIS_CONFIG: RedisConfig = {
+host:process.env.REDIS_HOST ?? "redis",
+port: Number(process.env.REDIS_PORT ?? "6379"),
+maxRetriesPerRequest: 10,
+connectTimeout: 5000
+}
+
+const DEFAULT_STORE_OPTIONS : RedisStoreOptions = {
+prefix: "session",
+ttl: 86400
+}
+
+const validateRedisConfig = (config:RedisConfig) => {
+  if (!config.url && !config.host) {
+    throw new Error("Redis configuration requires either URL or host/port");
+  }
+  
+  if (config.url && !config.url.startsWith("redis://")  &&  !config.url.startsWith("rediss://")
+     ) {
+    throw new Error("Redis URL must use 'redis://' protocol");
+  }
+
+};
+
+const getRedisConfig = (options?:Partial<RedisConfig>):  RedisConfig => {
+ const port = options?.port ?
+	 Number(options.port) :
+	 process.env.REDIS_PORT ? Number(process.env.REDIS_PORT) : 
+	 Number(DEFAULT_REDIS_CONFIG.port);
+
+const config: RedisConfig = {
+...DEFAULT_REDIS_CONFIG,	  
+    host: options?.host || process.env.REDIS_HOST|| DEFAULT_REDIS_CONFIG.host,
+    port: port,
+    password: options?.password || process.env.REDIS_PASSWORD|| undefined,
+    ...options
+  };
+
+  validateRedisConfig(config);
+  return config;
+};
+
+const setupRedis = async (options?: SetupRedisOptions) => {
+
+  try {
+    const config = getRedisConfig(options?.redisConfig);
+	  const storeOptions = {...DEFAULT_STORE_OPTIONS, ...options?.storeOptions}
+    
+    const redisClient = new Redis({
+    host: config.host as string,
+    port:Number(config.port) ,
+    connectTimeout:config.connectTimeout,
+    password :config.password,
+    retryStrategy:(times:number)=> Math.min(times * 50,2000),
+    maxRetriesPerRequest:config.maxRetriesPerRequest
+    });
+
+      await new Promise<void>((resolve, reject)=>{
+      redisClient.once("ready", async () =>{
+      try{
+      const pong = await redisClient.ping();
+      console.log("Redis ping response:",pong);
+      resolve();
+      }catch(err){
+      reject(err);
+       }
+      })
+      redisClient.once("error",(err)=>{
+      reject(err);
+       })
+      });
+      
+      const redisStore = new RedisStore({
+      client: redisClient,
+      prefix:storeOptions.prefix,
+      ttl:storeOptions.ttl
+      });
+
+    
+    redisClient.on("error", (err:Error) => {
+      console.error("Redis client error:", err);
+    });
+
+    redisClient.on("ready", () => {
+      console.log("Redis client is ready");
+    });
+
+    redisClient.on("reconnecting", () => {
+      console.log("Redis client reconnecting...");
+    });
+
+    return{ redisClient, redisStore };
+  } catch (error) {
+    console.error("Redis setup failed:", error);
+    throw error; 
+  }
+};
+const initializeRedisClient =async () => {
+if(!redisClientInstance){
+const {redisClient} = await setupRedis();
+redisClientInstance= redisClient;
+}
+return redisClientInstance
+};
+
+export {setupRedis, initializeRedisClient};
+export type {RedisConfig, RedisStoreOptions, SetupRedisOptions}

package/src/security/ipService.ts

@@ -0,0 +1,180 @@
+
+import helmet from  "helmet";
+import Redis from "ioredis";
+import type {StringValue} from "ms"
+import { RequestHandler } from "express";
+import {RateLimiterRedis} from "rate-limiter-flexible";
+import { Request, Response, NextFunction } from "express";
+import { HelmetOptions } from "helmet";
+
+
+const WHITELIST_KEY ="whitelist:ips";
+const IP_EXPIRATION_SECONDS = 7 * 24 * 60 * 60;
+const DEFAULT_JWT_EXPIRY = "1h"
+
+ interface CSPDirectives{
+ [key: string]: Array<string | boolean>;
+ }
+
+interface DynamicWhiteList{
+isAllowed : (ip:string)=> Promise<boolean>;
+addIp: (ip: string)=> Promise<void>;
+removeIp: (ip: string)=> Promise<void>;
+getAll:() => Promise<string[]>;
+middleware: () => (req:Request, res: Response, next:any)=> Promise<void>;
+listIP:(ip:string)=> Promise<void>;
+}
+
+const JWT_SECRET =process.env.JWT_SECRET || "Boo";
+const EXPIRY = "1h";
+
+export interface SecurityOptions{
+ redisClient?: Redis;
+jwtSecret?:string;
+jwtExpiry?:StringValue;
+rateLimitPoints?:number;
+rateLimitDuration?:number;
+rateLimitBlock?:number;
+rateLimiterEnabled?:boolean;
+enableWhitelist?:boolean;
+enableRateLimiter?:boolean;
+enableHelmet?:boolean;
+whiteListEnabled?:boolean;
+helmetEnabled?:boolean;
+}
+
+export class SecurityModule{
+private redisClient:Redis;
+private jwtSecret:string;
+private jwtExpiry:StringValue;
+private rateLimiter?: RateLimiterRedis;
+private whiteListEnabled:boolean;
+private helmetEnabled:boolean;
+private rateLimiterEnabled:boolean;
+
+
+constructor(options: SecurityOptions = {})
+{
+this.jwtSecret=options.jwtSecret || process.env.JWT_SECRET ||  "Boo" ;
+this.jwtExpiry = options.jwtExpiry ||  DEFAULT_JWT_EXPIRY;
+this.whiteListEnabled = options.whiteListEnabled ?? true;
+this.helmetEnabled = options.helmetEnabled ?? true;
+this.rateLimiterEnabled = options.rateLimiterEnabled ?? true;
+
+this.redisClient = options.redisClient || new Redis({
+host:process.env.REDIS_HOST || "127.0.0.1",
+port:Number(process.env.REDIS_PORT || 6379),
+enableOfflineQueue: false,
+retryStrategy:(times)=> Math.min(times * 50 , 2000),
+maxRetriesPerRequest:10,
+})
+
+if(this.rateLimiterEnabled){
+this.rateLimiter = new RateLimiterRedis({
+storeClient: this.redisClient,
+keyPrefix:"rate_limit",
+points:options.rateLimitPoints || 100,
+duration:options.rateLimitDuration || 60,
+blockDuration: options.rateLimitBlock || 300,
+
+})
+}
+this.redisClient.on("error",(err)=>
+ console.error("Security Redis error:",err)
+ );
+this.redisClient.on("connect",() =>{
+console.log("SecurityRedis  Connected to:",this.redisClient.options.host);
+		   
+})
+}
+
+
+async isAllowed(ip:string):Promise<boolean>{
+if(!this.whiteListEnabled)
+return true;
+
+try{
+const exists = await this.redisClient.sismember(WHITELIST_KEY,ip);
+ if (exists ===1) return true;
+
+
+if( ip === "::1" || ip === "127.0.0.1")
+return true;
+const entries = await this.redisClient.smembers(WHITELIST_KEY)
+
+for (const entry of entries){
+if(entry.includes("/"))
+	{
+	const CIDR = (await import("ip-cidr")).default;
+	if(new CIDR(entry).contains(ip)) return true;
+	}
+}
+return false;
+
+}catch(err){
+console.error("whitelist check error:",err);
+return false;
+}
+}
+
+async addIP(ipOrCIDR:string,ttl:number =IP_EXPIRATION_SECONDS){
+await this.redisClient.sadd(WHITELIST_KEY,ipOrCIDR);
+await this.redisClient.expire(WHITELIST_KEY,ttl)
+}
+async removeIP(ipOrCIDR:string){
+await this.redisClient.srem(WHITELIST_KEY,ipOrCIDR);
+}
+
+async listIPs(): Promise<string[]>{
+return await this.redisClient.smembers(WHITELIST_KEY);
+}
+
+whiteListMiddleware(){
+return async(req: Request,res:Response, next:NextFunction)=>{
+ if(!this.whiteListEnabled) return next();
+
+const clientIP = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.ip!;
+
+if(await this.isAllowed(clientIP!))return next();
+  res.status(403).json({error:"Access denied"});
+  }
+}
+rateLimiterMiddleware(){
+return (req:Request, res:Response, next:NextFunction)=>{
+if (!this.rateLimiter || !this.rateLimiterEnabled)return next();
+const ip = req.ip || req.socket.remoteAddress || "unknown";
+this.rateLimiter.consume(ip).then(()=> next()).catch(()=> res.status(429).send("Too many Requests"));
+};
+}
+
+helmetMiddleware():RequestHandler{
+if(!this.helmetEnabled){
+return(req: Request,  res:Response, next:NextFunction)=> next();}
+ 
+const helmetDirectives={
+defaultSrc:["'self'"],
+scriptSrc:["'self'","'unsafe-inline'","trusted-cdn.com"],
+styleSrc:["'self'"],
+imgSrc:["'self'","data:","trusted-cdn.com"],
+fontSrc:["'self'","trusted-cdn.com"],
+connectSrc:["'self'","api.trusted-domain.com"],
+frameSrc:["'none'"],
+objectSrc:["'none'"],
+upgradeInsecureRequests: [],
+reportUri: "/csp-violation-report",
+};
+
+return helmet({
+contentSecurityPolicy:{
+directives:helmetDirectives, reportOnly:process.env.NODE_ENV !== "production"},
+hsts:{maxAge:315366000,
+includeSubDomains:true,preload:true},
+xxsFilter:true,
+noSniff:true,
+frameguard:{action:"deny"},
+referrerPolicy:{policy:"same-origin"},
+}as HelmetOptions);
+}
+}
+
+

package/src/security/limiter.ts

@@ -0,0 +1,116 @@
+import dotenv from "dotenv";
+import Redis,{Redis as RedisClient}  from "ioredis"
+import {setupRedis} from "../redis/redisService" 
+import {Request, Response, NextFunction} from "express"
+dotenv.config()
+
+
+class TokenBucket{
+private redis: RedisClient
+
+
+constructor(redisClient:RedisClient){
+this.redis = redisClient;
+}
+
+async consume(key:string, capacity:number, refillRate:number): Promise<{
+allowed:boolean;
+remaining:number;
+retryAfter?:number;
+}>{
+const now = Date.now();
+const results = await this.redis
+.pipeline()
+.hgetall(`rate_limit:${key}`)
+.exec();
+const data= results?.[0]?.[1] ?? {} 
+const bucket = data as {tokens?: string;lastRefill?: string}
+|| {} ;
+const currentToken = parseFloat(bucket.tokens || capacity.toString ());
+const lastRefill = parseFloat(bucket.lastRefill || now.toString())
+const timeElapsed= (now - lastRefill) / 1000;
+const newToken =  Math.min(capacity,  currentToken + (timeElapsed * refillRate))
+
+if (newToken < 1){
+return{
+allowed:false,
+remaining:Math.floor(newToken),
+retryAfter:Math.ceil((1 - newToken) / refillRate)
+}
+}
+await this.redis.hset(`rate_limit:${key}`,{
+tokens:(newToken - 1).toString(),
+lastRefill: now.toString()
+})
+this.redis.expire(`rate_limit:${key}`, 3600)
+
+
+
+return {allowed:true ,remaining:Math.floor(newToken - 1)};
+ }
+}
+
+let tokenBucket: TokenBucket;
+
+
+export const initializeRateLimiter = async () => {
+const redisClient = (await setupRedis()).redisClient;
+tokenBucket = new TokenBucket(redisClient);
+};
+const createRatelimiter = (config:{
+capacity:number;
+refillRate: number;
+keyGenerator: (req:Request)=> string;
+})=>{
+return async(req:Request, res:Response, next:NextFunction): Promise<void> =>{
+const key = config.keyGenerator(req);
+const {allowed, remaining, retryAfter}= await tokenBucket.consume(
+key,
+config.capacity,
+config.refillRate
+)
+res.set({
+"X-RateLimit-Limit": config.capacity.toString(),
+"X-RateLimit-Remaining":remaining.toString(),
+...(!allowed && {"Retry-After": retryAfter?.toString() || "1"})
+})
+if(allowed){
+
+return next();
+}else{
+res.status(429).json({
+error:`Too many requests`
+ })
+}
+ }
+}
+
+
+const RATE_LIMIT_CONFIGS= {
+	OTP:{
+	keyPrefix:"otp_limiter",
+	refillRate: 0.1,
+	capacity:3,
+	keyGenerator: (req:Request)=>{
+		const email =req.body?.email;
+	 return email || req.ip  || "unknown"
+}
+	},
+
+
+	LOGIN:{
+	keyPrefix:"login_limiter",
+        capacity:10,
+        refillRate:2,
+	keyGenerator:(req: Request): string => req.ip || "unknown"
+	}
+};
+
+initializeRateLimiter().catch((err) => {
+  console.error("Failed to initialize rate limiters:", err);
+  process.exit(1);
+})
+
+
+export const OTPLimiterMiddleware =createRatelimiter(RATE_LIMIT_CONFIGS.OTP);
+export const LoginLimiterMiddleware = () => createRatelimiter(RATE_LIMIT_CONFIGS.LOGIN);

package/src/storage/RedisTokenStore.ts

@@ -0,0 +1,99 @@
+
+import { Redis } from "ioredis";
+
+export class RedisTokenStore {
+	private prefix = "auth:v1";
+
+  constructor(private redis: Redis,private debug = false) {}
+
+
+  private key(...parts:string[]){
+  return `${this.prefix}:${parts.join(":")}`;
+  }
+
+private log(action:string,key:string, value?:any){
+if (this.debug){
+console.log(`[Redis ${action}]`,{key, value})
+ }
+}
+ async storeRefreshToken(token:string,userId:string,ttl:number){
+ const key = this.key("refresh", token);
+ await this.redis.set(key,userId, "EX",ttl);
+ this.log("SET", key, userId)
+
+}
+
+async getRefreshToken(token:string){
+const key = this.key("refresh",token);
+const value = await this.redis.get(key);
+this.log("GET",key , value);
+return value;
+}
+
+async deleteRefreshToken(token:string){
+const key = this.key("refresh",token);
+await this.redis.del(key);
+this.log("DEL",key);
+
+}
+
+async blacklistToken(token: string, ttl: number) {
+    const key = this.key("blacklist", token);
+    await this.redis.set(key, "1", "EX", ttl);
+    this.log("SET", key, "blacklisted");
+  }
+
+  async isBlacklisted(token: string) {
+    const key = this.key("blacklist", token);
+    const exists = await this.redis.exists(key);
+    this.log("CHECK", key, exists);
+    return exists === 1;
+  }
+
+  // Rate Limiting
+  async incrementRateLimit(ip: string, ttl: number) {
+    const key = this.key("rate", ip);
+
+    const count = await this.redis.incr(key);
+    if (count === 1) {
+      await this.redis.expire(key, ttl);
+    }
+
+    this.log("INCR", key, count);
+    return count;
+  }
+
+  // IP Whitelist
+  async addToWhitelist(ip: string) {
+    const key = this.key("whitelist", ip);
+    await this.redis.set(key, "1");
+    this.log("SET", key, "whitelisted");
+  }
+
+  async removeFromWhitelist(ip: string) {
+    const key = this.key("whitelist", ip);
+    await this.redis.del(key);
+    this.log("DEL", key);
+  }
+
+  async isWhitelisted(ip: string) {
+    const key = this.key("whitelist", ip);
+    const exists = await this.redis.exists(key);
+    this.log("CHECK", key, exists);
+    return exists === 1;
+  }
+async set(key: string, value: string, expiry?: number): Promise<void> {
+  console.log("REDIS SET:", key, value);
+
+  if (expiry) {
+    await this.redis.set(key, value, "EX", expiry);
+  } else {
+    await this.redis.set(key, value);
+  }
+}
+
+
+  async get(key: string): Promise<string | null> {
+  return this.redis.get(key);
+  }
+}

package/src/storage/userStorage.ts

@@ -0,0 +1,16 @@
+import {UserStore} from "../types/storage"
+
+export class Store{
+constructor(private userStore:UserStore){}
+
+async register(email:string, password:string){
+const exists = await this.userStore.findByEmail(email)
+
+if (exists){
+throw new Error("If a record of user exists an email will be sent");
+}
+return
+this.userStore.create({email,password});
+}
+
+}