create-fluxstack 1.12.0 → 1.13.0

package/app/server/auth/AuthManager.ts

@@ -0,0 +1,213 @@
+/**
+ * FluxStack Auth - Auth Manager
+ *
+ * Orquestrador central do sistema de autenticação.
+ * Factory pattern com lazy resolution e cache de guards.
+ *
+ * Inspirado no AuthManager do Laravel:
+ * - Resolve guards por nome (ou default)
+ * - Extensível com extend() para guards customizados
+ * - Resolve providers automaticamente da config
+ *
+ * ```ts
+ * // Usar guard padrão
+ * const user = await auth.guard().user()
+ *
+ * // Usar guard específico
+ * const apiUser = await auth.guard('api').user()
+ *
+ * // Registrar guard customizado
+ * auth.extend('jwt', (name, config, provider) => new JWTGuard(...))
+ * ```
+ */
+
+import type {
+  Guard,
+  UserProvider,
+  GuardConfig,
+  GuardFactory,
+  RequestContext,
+} from './contracts'
+import { SessionGuard } from './guards/SessionGuard'
+import { TokenGuard } from './guards/TokenGuard'
+import { SessionManager } from './sessions/SessionManager'
+import { cacheManager } from '@server/cache'
+
+export interface AuthManagerConfig {
+  defaults: {
+    guard: string
+    provider: string
+  }
+  guards: Record<string, GuardConfig>
+  providers: Record<string, ProviderConfig>
+}
+
+export interface ProviderConfig {
+  driver: string
+  [key: string]: unknown
+}
+
+export class AuthManager {
+  private config: AuthManagerConfig
+  private guards = new Map<string, Guard>()
+  private customGuardFactories = new Map<string, GuardFactory>()
+  private providerInstances = new Map<string, UserProvider>()
+  private customProviderFactories = new Map<string, (config: ProviderConfig) => UserProvider>()
+  private sessionManager: SessionManager
+
+  constructor(config: AuthManagerConfig, sessionManager: SessionManager) {
+    this.config = config
+    this.sessionManager = sessionManager
+  }
+
+  /**
+   * Retorna um guard por nome (ou o default).
+   * Guards são criados uma vez e reutilizados.
+   */
+  guard(name?: string): Guard {
+    const guardName = name ?? this.config.defaults.guard
+
+    if (this.guards.has(guardName)) {
+      return this.guards.get(guardName)!
+    }
+
+    const guard = this.resolve(guardName)
+    this.guards.set(guardName, guard)
+    return guard
+  }
+
+  /**
+   * Inicializa todos os guards com o contexto da request.
+   * Deve ser chamado no middleware, antes de qualquer uso.
+   */
+  setRequest(context: RequestContext): void {
+    for (const guard of this.guards.values()) {
+      guard.setRequest(context)
+    }
+    // Também resetar guards não-instanciados para forçar re-resolve com novo context
+  }
+
+  /**
+   * Cria um guard novo (sem cache) com o context da request.
+   * Útil quando precisa de um guard fresco para cada request.
+   */
+  freshGuard(name?: string, context?: RequestContext): Guard {
+    const guardName = name ?? this.config.defaults.guard
+    const guard = this.resolve(guardName)
+    if (context) {
+      guard.setRequest(context)
+    }
+    return guard
+  }
+
+  /**
+   * Registra um guard driver customizado.
+   *
+   * ```ts
+   * auth.extend('jwt', (name, config, provider) => {
+   *   return new JWTGuard(name, provider, config.secret)
+   * })
+   * ```
+   */
+  extend(driver: string, factory: GuardFactory): void {
+    this.customGuardFactories.set(driver, factory)
+  }
+
+  /**
+   * Registra um provider customizado.
+   *
+   * ```ts
+   * auth.extendProvider('drizzle', (config) => {
+   *   return new DrizzleUserProvider(db, config.table)
+   * })
+   * ```
+   */
+  extendProvider(driver: string, factory: (config: ProviderConfig) => UserProvider): void {
+    this.customProviderFactories.set(driver, factory)
+  }
+
+  /**
+   * Registra uma instância de provider diretamente.
+   */
+  registerProvider(name: string, provider: UserProvider): void {
+    this.providerInstances.set(name, provider)
+  }
+
+  /** Retorna o nome do guard padrão */
+  getDefaultGuardName(): string {
+    return this.config.defaults.guard
+  }
+
+  /** Retorna a config */
+  getConfig(): AuthManagerConfig {
+    return this.config
+  }
+
+  /** Resolve um guard por nome */
+  private resolve(name: string): Guard {
+    const guardConfig = this.config.guards[name]
+    if (!guardConfig) {
+      throw new Error(
+        `Auth guard '${name}' not configured. ` +
+        `Available: ${Object.keys(this.config.guards).join(', ')}`
+      )
+    }
+
+    // Resolver provider
+    const provider = this.resolveProvider(guardConfig.provider)
+
+    // Verificar custom factory primeiro
+    if (this.customGuardFactories.has(guardConfig.driver)) {
+      return this.customGuardFactories.get(guardConfig.driver)!(name, guardConfig, provider)
+    }
+
+    // Built-in drivers
+    switch (guardConfig.driver) {
+      case 'session':
+        return new SessionGuard(name, provider, this.sessionManager)
+
+      case 'token':
+        return new TokenGuard(
+          name,
+          provider,
+          cacheManager.driver(),
+          guardConfig.tokenTtl as number | undefined
+        )
+
+      default:
+        throw new Error(
+          `Auth guard driver '${guardConfig.driver}' not supported. ` +
+          `Use auth.extend('${guardConfig.driver}', factory) to register it.`
+        )
+    }
+  }
+
+  /** Resolve um provider por nome */
+  private resolveProvider(name: string): UserProvider {
+    // Cache de instâncias
+    if (this.providerInstances.has(name)) {
+      return this.providerInstances.get(name)!
+    }
+
+    const providerConfig = this.config.providers[name]
+    if (!providerConfig) {
+      throw new Error(
+        `Auth provider '${name}' not configured. ` +
+        `Available: ${Object.keys(this.config.providers).join(', ')}`
+      )
+    }
+
+    // Custom factory
+    if (this.customProviderFactories.has(providerConfig.driver)) {
+      const provider = this.customProviderFactories.get(providerConfig.driver)!(providerConfig)
+      this.providerInstances.set(name, provider)
+      return provider
+    }
+
+    throw new Error(
+      `Auth provider driver '${providerConfig.driver}' not supported. ` +
+      `Use auth.extendProvider('${providerConfig.driver}', factory) to register it, ` +
+      `or use auth.registerProvider('${name}', providerInstance) to register directly.`
+    )
+  }
+}

package/app/server/auth/DevAuthProvider.ts

@@ -0,0 +1,66 @@
+// 🧪 DevAuthProvider - Provider de desenvolvimento para testes de auth
+//
+// Aceita tokens simples para facilitar testes da demo de autenticação.
+// NÃO USAR EM PRODUÇÃO!
+//
+// Tokens válidos:
+//   - "admin-token" → role: admin, permissions: all
+//   - "user-token"  → role: user, permissions: básicas
+//   - "mod-token"   → role: moderator, permissions: moderação
+
+import type {
+  LiveAuthProvider,
+  LiveAuthCredentials,
+  LiveAuthContext,
+} from '@core/server/live/auth/types'
+import { AuthenticatedContext } from '@core/server/live/auth/LiveAuthContext'
+
+interface DevUser {
+  id: string
+  name: string
+  roles: string[]
+  permissions: string[]
+}
+
+const DEV_USERS: Record<string, DevUser> = {
+  'admin-token': {
+    id: 'admin-1',
+    name: 'Admin User',
+    roles: ['admin', 'user'],
+    permissions: ['users.read', 'users.write', 'users.delete', 'chat.read', 'chat.write', 'chat.admin'],
+  },
+  'user-token': {
+    id: 'user-1',
+    name: 'Regular User',
+    roles: ['user'],
+    permissions: ['chat.read', 'chat.write'],
+  },
+  'mod-token': {
+    id: 'mod-1',
+    name: 'Moderator',
+    roles: ['moderator', 'user'],
+    permissions: ['chat.read', 'chat.write', 'chat.moderate'],
+  },
+}
+
+export class DevAuthProvider implements LiveAuthProvider {
+  readonly name = 'dev'
+
+  async authenticate(credentials: LiveAuthCredentials): Promise<LiveAuthContext | null> {
+    const token = credentials.token as string
+    if (!token) return null
+
+    const user = DEV_USERS[token]
+    if (!user) return null
+
+    return new AuthenticatedContext(
+      {
+        id: user.id,
+        name: user.name,
+        roles: user.roles,
+        permissions: user.permissions,
+      },
+      token
+    )
+  }
+}

package/app/server/auth/HashManager.ts

@@ -0,0 +1,123 @@
+/**
+ * FluxStack Auth - Hash Manager
+ *
+ * Abstração de password hashing usando APIs nativas do Bun.
+ * Suporta bcrypt e argon2id. Inclui needsRehash() para
+ * migração transparente de algoritmos.
+ *
+ * ```ts
+ * const hash = await Hash.make('my-password')
+ * const valid = await Hash.check('my-password', hash)
+ * ```
+ */
+
+export type HashAlgorithm = 'bcrypt' | 'argon2id'
+
+export interface HashOptions {
+  algorithm?: HashAlgorithm
+  /** Cost/rounds para bcrypt (default: 10) */
+  bcryptRounds?: number
+  /** Memory cost para argon2 em KiB (default: 65536) */
+  argon2MemoryCost?: number
+  /** Time cost para argon2 (default: 2) */
+  argon2TimeCost?: number
+}
+
+export class HashManager {
+  private algorithm: HashAlgorithm
+  private bcryptRounds: number
+  private argon2MemoryCost: number
+  private argon2TimeCost: number
+
+  constructor(options: HashOptions = {}) {
+    this.algorithm = options.algorithm ?? 'bcrypt'
+    this.bcryptRounds = options.bcryptRounds ?? 10
+    this.argon2MemoryCost = options.argon2MemoryCost ?? 65536
+    this.argon2TimeCost = options.argon2TimeCost ?? 2
+  }
+
+  /**
+   * Cria hash de uma password.
+   */
+  async make(plaintext: string): Promise<string> {
+    if (this.algorithm === 'argon2id') {
+      return Bun.password.hash(plaintext, {
+        algorithm: 'argon2id',
+        memoryCost: this.argon2MemoryCost,
+        timeCost: this.argon2TimeCost,
+      })
+    }
+
+    return Bun.password.hash(plaintext, {
+      algorithm: 'bcrypt',
+      cost: this.bcryptRounds,
+    })
+  }
+
+  /**
+   * Verifica se plaintext corresponde ao hash.
+   */
+  async check(plaintext: string, hash: string): Promise<boolean> {
+    return Bun.password.verify(plaintext, hash)
+  }
+
+  /**
+   * Verifica se o hash precisa ser re-gerado.
+   * Útil para migrar de bcrypt → argon2 ou mudar rounds.
+   *
+   * Uso típico: após login bem-sucedido, verificar e re-hash se necessário.
+   */
+  needsRehash(hash: string): boolean {
+    if (this.algorithm === 'bcrypt') {
+      // bcrypt hashes começam com $2b$ ou $2a$
+      if (!hash.startsWith('$2b$') && !hash.startsWith('$2a$')) {
+        return true // Hash não é bcrypt, precisa migrar
+      }
+      // Verificar rounds: $2b$10$ → rounds = 10
+      const roundsMatch = hash.match(/^\$2[ab]\$(\d+)\$/)
+      if (roundsMatch) {
+        const currentRounds = parseInt(roundsMatch[1], 10)
+        return currentRounds !== this.bcryptRounds
+      }
+      return false
+    }
+
+    if (this.algorithm === 'argon2id') {
+      return !hash.startsWith('$argon2id$')
+    }
+
+    return false
+  }
+
+  /** Retorna o algoritmo atual */
+  getAlgorithm(): HashAlgorithm {
+    return this.algorithm
+  }
+}
+
+/** Instância global do hash manager (configurada no boot) */
+let hashInstance: HashManager | null = null
+
+export function getHashManager(): HashManager {
+  if (!hashInstance) {
+    hashInstance = new HashManager()
+  }
+  return hashInstance
+}
+
+export function setHashManager(manager: HashManager): void {
+  hashInstance = manager
+}
+
+/** Atalho para uso direto */
+export const Hash = {
+  async make(plaintext: string): Promise<string> {
+    return getHashManager().make(plaintext)
+  },
+  async check(plaintext: string, hash: string): Promise<boolean> {
+    return getHashManager().check(plaintext, hash)
+  },
+  needsRehash(hash: string): boolean {
+    return getHashManager().needsRehash(hash)
+  },
+}

package/app/server/auth/JWTAuthProvider.example.ts

@@ -0,0 +1,101 @@
+// 🔒 Exemplo: Como criar um LiveAuthProvider customizado (JWT)
+//
+// Este arquivo mostra como criar um provider de autenticação para Live Components.
+// Copie e adapte para o seu caso de uso.
+//
+// Registro:
+//   import { liveAuthManager } from '@core/server/live/auth'
+//   import { JWTAuthProvider } from './auth/JWTAuthProvider'
+//
+//   liveAuthManager.register(new JWTAuthProvider('your-secret-key'))
+
+import type {
+  LiveAuthProvider,
+  LiveAuthCredentials,
+  LiveAuthContext,
+} from '@core/server/live/auth/types'
+import { AuthenticatedContext } from '@core/server/live/auth/LiveAuthContext'
+
+/**
+ * Exemplo de provider JWT para Live Components.
+ *
+ * Em produção, use uma lib real como 'jose' ou 'jsonwebtoken'.
+ * Este exemplo usa decode simples para fins didáticos.
+ */
+export class JWTAuthProvider implements LiveAuthProvider {
+  readonly name = 'jwt'
+  private secret: string
+
+  constructor(secret: string) {
+    this.secret = secret
+  }
+
+  async authenticate(credentials: LiveAuthCredentials): Promise<LiveAuthContext | null> {
+    const token = credentials.token as string
+    if (!token) return null
+
+    try {
+      // Em produção: const payload = jwt.verify(token, this.secret)
+      const payload = this.decodeToken(token)
+      if (!payload) return null
+
+      return new AuthenticatedContext(
+        {
+          id: payload.sub,
+          roles: payload.roles || [],
+          permissions: payload.permissions || [],
+          name: payload.name,
+          email: payload.email,
+        },
+        token
+      )
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * (Opcional) Autorização customizada por action.
+   * Se implementado, é chamado ALÉM da verificação de roles/permissions.
+   * Útil para lógica de negócio complexa (ex: limites por plano, rate limiting).
+   */
+  async authorizeAction(
+    context: LiveAuthContext,
+    componentName: string,
+    action: string
+  ): Promise<boolean> {
+    // Exemplo: bloquear ações destrutivas fora do horário comercial
+    // const hour = new Date().getHours()
+    // if (action === 'deleteAll' && (hour < 9 || hour > 18)) return false
+
+    return true // Allow by default
+  }
+
+  /**
+   * (Opcional) Autorização customizada por sala.
+   * Útil para salas privadas, premium, etc.
+   */
+  async authorizeRoom(
+    context: LiveAuthContext,
+    roomId: string
+  ): Promise<boolean> {
+    // Exemplo: salas "vip-*" requerem role premium
+    // if (roomId.startsWith('vip-') && !context.hasRole('premium')) return false
+
+    return true // Allow by default
+  }
+
+  // Decode simplificado (NÃO USAR EM PRODUÇÃO - não valida assinatura)
+  private decodeToken(token: string): any {
+    try {
+      const parts = token.split('.')
+      if (parts.length !== 3) return null
+      const payload = JSON.parse(atob(parts[1]))
+      // Em produção: verificar expiração, assinatura, etc.
+      if (payload.exp && payload.exp * 1000 < Date.now()) return null
+      return payload
+    } catch {
+      return null
+    }
+  }
+}

package/app/server/auth/RateLimiter.ts

@@ -0,0 +1,106 @@
+/**
+ * FluxStack Auth - Rate Limiter
+ *
+ * Proteção contra brute-force. Usa o cache system modular.
+ * Inspirado no RateLimiter do Laravel (por chave: email+ip).
+ *
+ * ```ts
+ * const key = `login:${email}|${ip}`
+ * if (await rateLimiter.tooManyAttempts(key, 5)) {
+ *   const seconds = await rateLimiter.availableIn(key)
+ *   return { error: `Too many attempts. Try again in ${seconds}s` }
+ * }
+ * ```
+ */
+
+import type { CacheDriver } from '@server/cache/contracts'
+
+interface RateLimitEntry {
+  count: number
+  expiresAt: number
+}
+
+export class RateLimiter {
+  private cache: CacheDriver
+
+  constructor(cache: CacheDriver) {
+    this.cache = cache
+  }
+
+  /**
+   * Registra uma tentativa para a chave.
+   * @param key Chave identificadora (ex: 'login:user@email.com|127.0.0.1')
+   * @param decaySeconds Tempo em segundos até o contador resetar
+   */
+  async hit(key: string, decaySeconds: number = 60): Promise<number> {
+    const cacheKey = `rate_limit:${key}`
+    const entry = await this.cache.get<RateLimitEntry>(cacheKey)
+    const now = Date.now()
+
+    if (entry && entry.expiresAt > now) {
+      // Incrementar contador existente
+      const updated: RateLimitEntry = {
+        count: entry.count + 1,
+        expiresAt: entry.expiresAt,
+      }
+      const remainingTtl = Math.ceil((entry.expiresAt - now) / 1000)
+      await this.cache.set(cacheKey, updated, remainingTtl)
+      return updated.count
+    }
+
+    // Nova entrada
+    const newEntry: RateLimitEntry = {
+      count: 1,
+      expiresAt: now + (decaySeconds * 1000),
+    }
+    await this.cache.set(cacheKey, newEntry, decaySeconds)
+    return 1
+  }
+
+  /**
+   * Verifica se a chave excedeu o limite de tentativas.
+   */
+  async tooManyAttempts(key: string, maxAttempts: number): Promise<boolean> {
+    const attempts = await this.attempts(key)
+    return attempts >= maxAttempts
+  }
+
+  /**
+   * Retorna o número atual de tentativas para a chave.
+   */
+  async attempts(key: string): Promise<number> {
+    const cacheKey = `rate_limit:${key}`
+    const entry = await this.cache.get<RateLimitEntry>(cacheKey)
+
+    if (!entry) return 0
+    if (entry.expiresAt < Date.now()) return 0
+
+    return entry.count
+  }
+
+  /**
+   * Retorna quantos segundos até o rate limit expirar.
+   */
+  async availableIn(key: string): Promise<number> {
+    const cacheKey = `rate_limit:${key}`
+    const entry = await this.cache.get<RateLimitEntry>(cacheKey)
+
+    if (!entry) return 0
+    return Math.max(0, Math.ceil((entry.expiresAt - Date.now()) / 1000))
+  }
+
+  /**
+   * Retorna quantas tentativas restam.
+   */
+  async remainingAttempts(key: string, maxAttempts: number): Promise<number> {
+    const attempts = await this.attempts(key)
+    return Math.max(0, maxAttempts - attempts)
+  }
+
+  /**
+   * Limpa o rate limit para a chave (após login bem-sucedido).
+   */
+  async clear(key: string): Promise<void> {
+    await this.cache.delete(`rate_limit:${key}`)
+  }
+}