create-fluxstack 1.4.1 → 1.5.0

package/plugins/crypto-auth/server/index.ts

@@ -3,7 +3,20 @@
  */
 
 export { CryptoAuthService } from './CryptoAuthService'
-export type { SessionData, AuthResult, CryptoAuthConfig } from './CryptoAuthService'
+export type { AuthResult, CryptoAuthConfig } from './CryptoAuthService'
 
 export { AuthMiddleware } from './AuthMiddleware'
-export type { AuthMiddlewareConfig, AuthMiddlewareResult } from './AuthMiddleware'
+export type { AuthMiddlewareConfig, AuthMiddlewareResult } from './AuthMiddleware'
+
+// Middlewares Elysia
+export {
+  cryptoAuthRequired,
+  cryptoAuthAdmin,
+  cryptoAuthPermissions,
+  cryptoAuthOptional,
+  getCryptoAuthUser,
+  isCryptoAuthAuthenticated,
+  isCryptoAuthAdmin,
+  hasCryptoAuthPermission
+} from './middlewares'
+export type { CryptoAuthUser, CryptoAuthMiddlewareOptions } from './middlewares'

package/plugins/crypto-auth/server/middlewares/cryptoAuthAdmin.ts

@@ -0,0 +1,65 @@
+/**
+ * Middleware que REQUER privilégios de administrador
+ * Bloqueia requisições não autenticadas (401) ou sem privilégios admin (403)
+ */
+
+import { Elysia } from 'elysia'
+import { createGuard } from '@/core/server/middleware/elysia-helpers'
+import type { Logger } from '@/core/utils/logger'
+import { validateAuthSync, type CryptoAuthUser } from './helpers'
+
+export interface CryptoAuthMiddlewareOptions {
+  logger?: Logger
+}
+
+export const cryptoAuthAdmin = (options: CryptoAuthMiddlewareOptions = {}) => {
+  return new Elysia({ name: 'crypto-auth-admin' })
+    .derive(async ({ request }) => {
+      const result = await validateAuthSync(request as Request, options.logger)
+
+      if (result.success && result.user) {
+        ;(request as any).user = result.user
+      }
+
+      return {}
+    })
+    .use(
+      createGuard({
+        name: 'crypto-auth-admin-check',
+        check: ({ request }) => {
+          const user = (request as any).user as CryptoAuthUser | undefined
+          return user && user.isAdmin
+        },
+        onFail: (set, { request }) => {
+          const user = (request as any).user as CryptoAuthUser | undefined
+
+          if (!user) {
+            set.status = 401
+            return {
+              error: {
+                message: 'Authentication required',
+                code: 'CRYPTO_AUTH_REQUIRED',
+                statusCode: 401
+              }
+            }
+          }
+
+          options.logger?.warn('Admin access denied', {
+            publicKey: user.publicKey.substring(0, 8) + '...',
+            permissions: user.permissions
+          })
+
+          set.status = 403
+          return {
+            error: {
+              message: 'Admin privileges required',
+              code: 'ADMIN_REQUIRED',
+              statusCode: 403,
+              yourPermissions: user.permissions
+            }
+          }
+        }
+      })
+    )
+    .as('plugin')
+}

package/plugins/crypto-auth/server/middlewares/cryptoAuthOptional.ts

@@ -0,0 +1,26 @@
+/**
+ * Middleware OPCIONAL - adiciona user se autenticado, mas não requer
+ * Não bloqueia requisições não autenticadas - permite acesso público
+ */
+
+import { Elysia } from 'elysia'
+import type { Logger } from '@/core/utils/logger'
+import { validateAuthSync } from './helpers'
+
+export interface CryptoAuthMiddlewareOptions {
+  logger?: Logger
+}
+
+export const cryptoAuthOptional = (options: CryptoAuthMiddlewareOptions = {}) => {
+  return new Elysia({ name: 'crypto-auth-optional' })
+    .derive(async ({ request }) => {
+      const result = await validateAuthSync(request as Request, options.logger)
+
+      if (result.success && result.user) {
+        ;(request as any).user = result.user
+      }
+
+      return {}
+    })
+    .as('plugin')
+}

package/plugins/crypto-auth/server/middlewares/cryptoAuthPermissions.ts

@@ -0,0 +1,76 @@
+/**
+ * Middleware que REQUER permissões específicas
+ * Bloqueia requisições sem as permissões necessárias (403)
+ */
+
+import { Elysia } from 'elysia'
+import { createGuard } from '@/core/server/middleware/elysia-helpers'
+import type { Logger } from '@/core/utils/logger'
+import { validateAuthSync, type CryptoAuthUser } from './helpers'
+
+export interface CryptoAuthMiddlewareOptions {
+  logger?: Logger
+}
+
+export const cryptoAuthPermissions = (
+  requiredPermissions: string[],
+  options: CryptoAuthMiddlewareOptions = {}
+) => {
+  return new Elysia({ name: 'crypto-auth-permissions' })
+    .derive(async ({ request }) => {
+      const result = await validateAuthSync(request as Request, options.logger)
+
+      if (result.success && result.user) {
+        ;(request as any).user = result.user
+      }
+
+      return {}
+    })
+    .use(
+      createGuard({
+        name: 'crypto-auth-permissions-check',
+        check: ({ request }) => {
+          const user = (request as any).user as CryptoAuthUser | undefined
+
+          if (!user) return false
+
+          const userPermissions = user.permissions
+          return requiredPermissions.every(
+            perm => userPermissions.includes(perm) || userPermissions.includes('admin')
+          )
+        },
+        onFail: (set, { request }) => {
+          const user = (request as any).user as CryptoAuthUser | undefined
+
+          if (!user) {
+            set.status = 401
+            return {
+              error: {
+                message: 'Authentication required',
+                code: 'CRYPTO_AUTH_REQUIRED',
+                statusCode: 401
+              }
+            }
+          }
+
+          options.logger?.warn('Permission denied', {
+            publicKey: user.publicKey.substring(0, 8) + '...',
+            required: requiredPermissions,
+            has: user.permissions
+          })
+
+          set.status = 403
+          return {
+            error: {
+              message: 'Insufficient permissions',
+              code: 'PERMISSION_DENIED',
+              statusCode: 403,
+              required: requiredPermissions,
+              yours: user.permissions
+            }
+          }
+        }
+      })
+    )
+    .as('plugin')
+}

package/plugins/crypto-auth/server/middlewares/cryptoAuthRequired.ts

@@ -0,0 +1,45 @@
+/**
+ * Middleware que REQUER autenticação
+ * Bloqueia requisições não autenticadas com 401
+ */
+
+import { Elysia } from 'elysia'
+import { createGuard } from '@/core/server/middleware/elysia-helpers'
+import type { Logger } from '@/core/utils/logger'
+import { validateAuthSync } from './helpers'
+
+export interface CryptoAuthMiddlewareOptions {
+  logger?: Logger
+}
+
+export const cryptoAuthRequired = (options: CryptoAuthMiddlewareOptions = {}) => {
+  return new Elysia({ name: 'crypto-auth-required' })
+    .derive(async ({ request }) => {
+      const result = await validateAuthSync(request as Request, options.logger)
+
+      if (result.success && result.user) {
+        ;(request as any).user = result.user
+      }
+
+      return {}
+    })
+    .use(
+      createGuard({
+        name: 'crypto-auth-check',
+        check: ({ request }) => {
+          return !!(request as any).user
+        },
+        onFail: (set) => {
+          set.status = 401
+          return {
+            error: {
+              message: 'Authentication required',
+              code: 'CRYPTO_AUTH_REQUIRED',
+              statusCode: 401
+            }
+          }
+        }
+      })
+    )
+    .as('plugin')
+}

package/plugins/crypto-auth/server/middlewares/helpers.ts

@@ -0,0 +1,140 @@
+/**
+ * Crypto Auth Middleware Helpers
+ * Funções compartilhadas para validação de autenticação
+ */
+
+import type { Logger } from '@/core/utils/logger'
+
+export interface CryptoAuthUser {
+  publicKey: string
+  isAdmin: boolean
+  permissions: string[]
+}
+
+/**
+ * Get auth service from global
+ */
+export function getAuthService() {
+  const service = (global as any).cryptoAuthService
+  if (!service) {
+    throw new Error('CryptoAuthService not initialized. Make sure crypto-auth plugin is loaded.')
+  }
+  return service
+}
+
+/**
+ * Get auth middleware from global
+ */
+export function getAuthMiddleware() {
+  const middleware = (global as any).cryptoAuthMiddleware
+  if (!middleware) {
+    throw new Error('AuthMiddleware not initialized. Make sure crypto-auth plugin is loaded.')
+  }
+  return middleware
+}
+
+/**
+ * Extract and validate authentication from request
+ * Versão SÍNCRONA para evitar problemas com Elysia
+ */
+export function extractAuthHeaders(request: Request): {
+  publicKey: string
+  timestamp: number
+  nonce: string
+  signature: string
+} | null {
+  const headers = request.headers
+  const publicKey = headers.get('x-public-key')
+  const timestampStr = headers.get('x-timestamp')
+  const nonce = headers.get('x-nonce')
+  const signature = headers.get('x-signature')
+
+  if (!publicKey || !timestampStr || !nonce || !signature) {
+    return null
+  }
+
+  const timestamp = parseInt(timestampStr, 10)
+  if (isNaN(timestamp)) {
+    return null
+  }
+
+  return { publicKey, timestamp, nonce, signature }
+}
+
+/**
+ * Build message for signature verification
+ */
+export function buildMessage(request: Request): string {
+  const url = new URL(request.url)
+  return `${request.method}:${url.pathname}`
+}
+
+/**
+ * Validate authentication synchronously
+ */
+export async function validateAuthSync(request: Request, logger?: Logger): Promise<{
+  success: boolean
+  user?: CryptoAuthUser
+  error?: string
+}> {
+  try {
+    const authHeaders = extractAuthHeaders(request)
+
+    if (!authHeaders) {
+      return {
+        success: false,
+        error: 'Missing authentication headers'
+      }
+    }
+
+    const authService = getAuthService()
+    const message = buildMessage(request)
+
+    const result = await authService.validateRequest({
+      publicKey: authHeaders.publicKey,
+      timestamp: authHeaders.timestamp,
+      nonce: authHeaders.nonce,
+      signature: authHeaders.signature,
+      message
+    })
+
+    return result
+  } catch (error) {
+    logger?.error('Auth validation error', { error })
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : 'Unknown error'
+    }
+  }
+}
+
+/**
+ * Helper: Obter usuário autenticado do request
+ */
+export function getCryptoAuthUser(request: Request): CryptoAuthUser | null {
+  return (request as any).user || null
+}
+
+/**
+ * Helper: Verificar se request está autenticado
+ */
+export function isCryptoAuthAuthenticated(request: Request): boolean {
+  return !!(request as any).user
+}
+
+/**
+ * Helper: Verificar se usuário é admin
+ */
+export function isCryptoAuthAdmin(request: Request): boolean {
+  const user = getCryptoAuthUser(request)
+  return user?.isAdmin || false
+}
+
+/**
+ * Helper: Verificar se usuário tem permissão específica
+ */
+export function hasCryptoAuthPermission(request: Request, permission: string): boolean {
+  const user = getCryptoAuthUser(request)
+  if (!user) return false
+  return user.permissions.includes(permission) || user.permissions.includes('admin')
+}

package/plugins/crypto-auth/server/middlewares/index.ts

@@ -0,0 +1,22 @@
+/**
+ * Crypto Auth Middlewares
+ * Exports centralizados de todos os middlewares
+ */
+
+// Middlewares
+export { cryptoAuthRequired } from './cryptoAuthRequired'
+export { cryptoAuthAdmin } from './cryptoAuthAdmin'
+export { cryptoAuthOptional } from './cryptoAuthOptional'
+export { cryptoAuthPermissions } from './cryptoAuthPermissions'
+
+// Helpers
+export {
+  getCryptoAuthUser,
+  isCryptoAuthAuthenticated,
+  isCryptoAuthAdmin,
+  hasCryptoAuthPermission,
+  type CryptoAuthUser
+} from './helpers'
+
+// Types
+export type { CryptoAuthMiddlewareOptions } from './cryptoAuthRequired'

package/plugins/crypto-auth/server/middlewares.ts

@@ -0,0 +1,19 @@
+/**
+ * Crypto Auth Middlewares
+ * Middlewares Elysia para autenticação criptográfica
+ *
+ * Uso:
+ * ```typescript
+ * import { cryptoAuthRequired, cryptoAuthAdmin } from '@/plugins/crypto-auth/server'
+ *
+ * export const myRoutes = new Elysia()
+ *   .use(cryptoAuthRequired())
+ *   .get('/protected', ({ request }) => {
+ *     const user = getCryptoAuthUser(request)
+ *     return { user }
+ *   })
+ * ```
+ */
+
+// Re-export tudo do módulo middlewares
+export * from './middlewares/index'

package/test-crypto-auth.ts

@@ -0,0 +1,101 @@
+/**
+ * Script de teste para validar autenticação criptográfica
+ */
+
+import { ed25519 } from '@noble/curves/ed25519'
+import { sha256 } from '@noble/hashes/sha256'
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils'
+
+async function testCryptoAuth() {
+  console.log('🔐 Testando Autenticação Criptográfica Ed25519\n')
+
+  // 1. Gerar par de chaves
+  console.log('1️⃣ Gerando par de chaves Ed25519...')
+  const privateKey = ed25519.utils.randomPrivateKey()
+  const publicKeyBytes = ed25519.getPublicKey(privateKey)
+  const publicKey = bytesToHex(publicKeyBytes)
+  const privateKeyHex = bytesToHex(privateKey)
+
+  console.log(`   ✅ Chave pública: ${publicKey.substring(0, 16)}...`)
+  console.log(`   ✅ Chave privada: ${privateKeyHex.substring(0, 16)}... (NUNCA enviar ao servidor!)\n`)
+
+  // 2. Preparar requisição
+  console.log('2️⃣ Preparando requisição assinada...')
+  const url = '/api/crypto-auth/protected'
+  const method = 'GET'
+  const timestamp = Date.now()
+  const nonce = generateNonce()
+
+  // 3. Construir mensagem para assinar
+  const message = `${method}:${url}`
+  const fullMessage = `${publicKey}:${timestamp}:${nonce}:${message}`
+
+  console.log(`   📝 Mensagem: ${fullMessage.substring(0, 50)}...\n`)
+
+  // 4. Assinar mensagem
+  console.log('3️⃣ Assinando mensagem com chave privada...')
+  const messageHash = sha256(new TextEncoder().encode(fullMessage))
+  const signatureBytes = ed25519.sign(messageHash, privateKey)
+  const signature = bytesToHex(signatureBytes)
+
+  console.log(`   ✅ Assinatura: ${signature.substring(0, 32)}...\n`)
+
+  // 5. Fazer requisição ao servidor
+  console.log('4️⃣ Enviando requisição ao servidor...')
+  const response = await fetch('http://localhost:3000/api/crypto-auth/protected', {
+    method: 'GET',
+    headers: {
+      'x-public-key': publicKey,
+      'x-timestamp': timestamp.toString(),
+      'x-nonce': nonce,
+      'x-signature': signature
+    }
+  })
+
+  const data = await response.json()
+
+  console.log(`   📡 Status: ${response.status}`)
+  console.log(`   📦 Resposta:`, JSON.stringify(data, null, 2))
+
+  if (data.success) {
+    console.log('\n✅ SUCESSO! Assinatura validada corretamente pelo servidor!')
+    console.log(`   👤 Dados protegidos recebidos: ${data.data?.secretInfo}`)
+  } else {
+    console.log('\n❌ ERRO! Assinatura rejeitada pelo servidor')
+    console.log(`   ⚠️  Erro: ${data.error}`)
+  }
+
+  // 6. Testar replay attack (reutilizar mesma assinatura)
+  console.log('\n5️⃣ Testando proteção contra replay attack...')
+  const replayResponse = await fetch('http://localhost:3000/api/crypto-auth/protected', {
+    method: 'GET',
+    headers: {
+      'x-public-key': publicKey,
+      'x-timestamp': timestamp.toString(),
+      'x-nonce': nonce, // Mesmo nonce
+      'x-signature': signature // Mesma assinatura
+    }
+  })
+
+  const replayData = await replayResponse.json()
+
+  console.log(`   📡 Replay Status: ${replayResponse.status}`)
+  console.log(`   📦 Replay Response:`, JSON.stringify(replayData, null, 2))
+
+  if (!replayData.success && replayData.error?.includes('nonce')) {
+    console.log('   ✅ Proteção funcionando! Replay attack bloqueado.')
+  } else if (replayResponse.status === 401) {
+    console.log('   ✅ Proteção funcionando! Replay attack bloqueado (status 401).')
+  } else {
+    console.log('   ⚠️  ATENÇÃO: Replay attack NÃO foi bloqueado!')
+  }
+}
+
+function generateNonce(): string {
+  const bytes = new Uint8Array(16)
+  crypto.getRandomValues(bytes)
+  return bytesToHex(bytes)
+}
+
+// Executar teste
+testCryptoAuth().catch(console.error)