create-fluxstack 1.5.0 → 1.5.2

package/plugins/crypto-auth/server/AuthMiddleware.ts

@@ -1,181 +0,0 @@
-/**
- * Middleware de Autenticação Simplificado
- * Apenas valida autenticação - routing é feito pelos middlewares Elysia
- */
-
-import type { RequestContext } from '../../../core/plugins/types'
-import type { CryptoAuthService } from './CryptoAuthService'
-
-export interface Logger {
-    debug(message: string, meta?: any): void
-    info(message: string, meta?: any): void
-    warn(message: string, meta?: any): void
-    error(message: string, meta?: any): void
-}
-
-export interface AuthMiddlewareConfig {
-    logger?: Logger
-}
-
-export interface AuthMiddlewareResult {
-    success: boolean
-    error?: string
-    user?: {
-        publicKey: string
-        isAdmin: boolean
-        permissions: string[]
-    }
-}
-
-export class AuthMiddleware {
-    private authService: CryptoAuthService
-    private logger?: Logger
-
-    constructor(authService: CryptoAuthService, config: AuthMiddlewareConfig = {}) {
-        this.authService = authService
-        this.logger = config.logger
-    }
-
-    /**
-     * Autenticar requisição (sem path matching - é responsabilidade dos middlewares Elysia)
-     */
-    async authenticate(context: RequestContext): Promise<AuthMiddlewareResult> {
-        const path = context.path
-        const method = context.method
-
-        // Extrair headers de autenticação
-        const authHeaders = this.extractAuthHeaders(context.headers)
-        if (!authHeaders) {
-            this.logger?.warn("Headers de autenticação ausentes", {
-                path,
-                method,
-                headers: Object.keys(context.headers)
-            })
-
-            return {
-                success: false,
-                error: "Headers de autenticação obrigatórios"
-            }
-        }
-
-        // Validar assinatura da requisição
-        try {
-            const validationResult = await this.authService.validateRequest({
-                publicKey: authHeaders.publicKey,
-                timestamp: authHeaders.timestamp,
-                nonce: authHeaders.nonce,
-                signature: authHeaders.signature,
-                message: this.buildMessage(context)
-            })
-
-            if (!validationResult.success) {
-                this.logger?.warn("Falha na validação da assinatura", {
-                    path,
-                    method,
-                    publicKey: authHeaders.publicKey.substring(0, 8) + "...",
-                    error: validationResult.error
-                })
-
-                return {
-                    success: false,
-                    error: validationResult.error
-                }
-            }
-
-            this.logger?.debug("Requisição autenticada com sucesso", {
-                path,
-                method,
-                publicKey: authHeaders.publicKey.substring(0, 8) + "...",
-                isAdmin: validationResult.user?.isAdmin
-            })
-
-            return {
-                success: true,
-                user: validationResult.user
-            }
-        } catch (error) {
-            this.logger?.error("Erro durante autenticação", {
-                path,
-                method,
-                error
-            })
-
-            return {
-                success: false,
-                error: "Erro interno de autenticação"
-            }
-        }
-    }
-
-    /**
-     * Extrair headers de autenticação
-     */
-    private extractAuthHeaders(headers: Record<string, string>): {
-        publicKey: string
-        timestamp: number
-        nonce: string
-        signature: string
-    } | null {
-        const publicKey = headers['x-public-key']
-        const timestampStr = headers['x-timestamp']
-        const nonce = headers['x-nonce']
-        const signature = headers['x-signature']
-
-        if (!publicKey || !timestampStr || !nonce || !signature) {
-            return null
-        }
-
-        const timestamp = parseInt(timestampStr, 10)
-        if (isNaN(timestamp)) {
-            return null
-        }
-
-        return {
-            publicKey,
-            timestamp,
-            nonce,
-            signature
-        }
-    }
-
-    /**
-     * Construir mensagem para assinatura
-     */
-    private buildMessage(context: RequestContext): string {
-        // Incluir método, path e body (se houver) na mensagem
-        let message = `${context.method}:${context.path}`
-
-        if (context.body && typeof context.body === 'string') {
-            message += `:${context.body}`
-        } else if (context.body && typeof context.body === 'object') {
-            message += `:${JSON.stringify(context.body)}`
-        }
-
-        return message
-    }
-
-    /**
-     * Verificar se usuário tem permissão
-     */
-    hasPermission(user: any, requiredPermission: string): boolean {
-        if (!user || !user.permissions) {
-            return false
-        }
-
-        return user.permissions.includes(requiredPermission) || user.permissions.includes('admin')
-    }
-
-    /**
-     * Verificar se usuário é admin
-     */
-    isAdmin(user: any): boolean {
-        return user && user.isAdmin === true
-    }
-
-    /**
-     * Obter estatísticas do serviço de autenticação
-     */
-    getStats() {
-        return this.authService.getStats()
-    }
-}

package/plugins/crypto-auth/server/CryptoAuthService.ts

@@ -1,186 +0,0 @@
-/**
- * Serviço de Autenticação Criptográfica
- * Implementa autenticação baseada em Ed25519 - SEM SESSÕES
- * Cada requisição é validada pela assinatura da chave pública
- */
-
-import { ed25519 } from '@noble/curves/ed25519'
-import { sha256 } from '@noble/hashes/sha256'
-import { hexToBytes } from '@noble/hashes/utils'
-
-export interface Logger {
-  debug(message: string, meta?: any): void
-  info(message: string, meta?: any): void
-  warn(message: string, meta?: any): void
-  error(message: string, meta?: any): void
-}
-
-export interface AuthResult {
-  success: boolean
-  error?: string
-  user?: {
-    publicKey: string
-    isAdmin: boolean
-    permissions: string[]
-  }
-}
-
-export interface CryptoAuthConfig {
-  maxTimeDrift: number
-  adminKeys: string[]
-  logger?: Logger
-}
-
-export class CryptoAuthService {
-  private config: CryptoAuthConfig
-  private logger?: Logger
-  private usedNonces: Map<string, number> = new Map() // Para prevenir replay attacks
-
-  constructor(config: CryptoAuthConfig) {
-    this.config = config
-    this.logger = config.logger
-
-    // Limpar nonces antigos a cada 5 minutos
-    setInterval(() => {
-      this.cleanupOldNonces()
-    }, 5 * 60 * 1000)
-  }
-
-  /**
-   * Validar assinatura de requisição
-   * PRINCIPAL: Valida se assinatura é válida para a chave pública fornecida
-   */
-  async validateRequest(data: {
-    publicKey: string
-    timestamp: number
-    nonce: string
-    signature: string
-    message?: string
-  }): Promise<AuthResult> {
-    try {
-      const { publicKey, timestamp, nonce, signature, message = "" } = data
-
-      // Validar chave pública
-      if (!this.isValidPublicKey(publicKey)) {
-        return {
-          success: false,
-          error: "Chave pública inválida"
-        }
-      }
-
-      // Verificar drift de tempo (previne replay de requisições antigas)
-      const now = Date.now()
-      const timeDrift = Math.abs(now - timestamp)
-      if (timeDrift > this.config.maxTimeDrift) {
-        return {
-          success: false,
-          error: "Timestamp inválido ou expirado"
-        }
-      }
-
-      // Verificar nonce (previne replay attacks)
-      const nonceKey = `${publicKey}:${nonce}`
-      if (this.usedNonces.has(nonceKey)) {
-        return {
-          success: false,
-          error: "Nonce já utilizado (possível replay attack)"
-        }
-      }
-
-      // Construir mensagem para verificação
-      const messageToVerify = `${publicKey}:${timestamp}:${nonce}:${message}`
-      const messageHash = sha256(new TextEncoder().encode(messageToVerify))
-
-      // Verificar assinatura usando chave pública
-      const publicKeyBytes = hexToBytes(publicKey)
-      const signatureBytes = hexToBytes(signature)
-
-      const isValidSignature = ed25519.verify(signatureBytes, messageHash, publicKeyBytes)
-
-      if (!isValidSignature) {
-        this.logger?.warn("Assinatura inválida", {
-          publicKey: publicKey.substring(0, 8) + "..."
-        })
-        return {
-          success: false,
-          error: "Assinatura inválida"
-        }
-      }
-
-      // Marcar nonce como usado
-      this.usedNonces.set(nonceKey, timestamp)
-
-      // Verificar se é admin
-      const isAdmin = this.config.adminKeys.includes(publicKey)
-      const permissions = isAdmin ? ['admin', 'read', 'write', 'delete'] : ['read']
-
-      this.logger?.debug("Requisição autenticada", {
-        publicKey: publicKey.substring(0, 8) + "...",
-        isAdmin,
-        permissions
-      })
-
-      return {
-        success: true,
-        user: {
-          publicKey,
-          isAdmin,
-          permissions
-        }
-      }
-    } catch (error) {
-      this.logger?.error("Erro ao validar requisição", { error })
-      return {
-        success: false,
-        error: "Erro interno ao validar requisição"
-      }
-    }
-  }
-
-  /**
-   * Verificar se uma chave pública é válida
-   */
-  private isValidPublicKey(publicKey: string): boolean {
-    try {
-      if (publicKey.length !== 64) {
-        return false
-      }
-      
-      const bytes = hexToBytes(publicKey)
-      return bytes.length === 32
-    } catch {
-      return false
-    }
-  }
-
-  /**
-   * Limpar nonces antigos (previne crescimento infinito da memória)
-   */
-  private cleanupOldNonces(): void {
-    const now = Date.now()
-    const maxAge = this.config.maxTimeDrift * 2 // Dobro do tempo máximo permitido
-    let cleanedCount = 0
-
-    for (const [nonceKey, timestamp] of this.usedNonces.entries()) {
-      if (now - timestamp > maxAge) {
-        this.usedNonces.delete(nonceKey)
-        cleanedCount++
-      }
-    }
-
-    if (cleanedCount > 0) {
-      this.logger?.debug(`Limpeza de nonces: ${cleanedCount} nonces antigos removidos`)
-    }
-  }
-
-  /**
-   * Obter estatísticas do serviço
-   */
-  getStats() {
-    return {
-      usedNoncesCount: this.usedNonces.size,
-      adminKeys: this.config.adminKeys.length,
-      maxTimeDrift: this.config.maxTimeDrift
-    }
-  }
-}

package/plugins/crypto-auth/server/index.ts

@@ -1,22 +0,0 @@
-/**
- * Exportações do servidor de autenticação
- */
-
-export { CryptoAuthService } from './CryptoAuthService'
-export type { AuthResult, CryptoAuthConfig } from './CryptoAuthService'
-
-export { AuthMiddleware } from './AuthMiddleware'
-export type { AuthMiddlewareConfig, AuthMiddlewareResult } from './AuthMiddleware'
-
-// Middlewares Elysia
-export {
-  cryptoAuthRequired,
-  cryptoAuthAdmin,
-  cryptoAuthPermissions,
-  cryptoAuthOptional,
-  getCryptoAuthUser,
-  isCryptoAuthAuthenticated,
-  isCryptoAuthAdmin,
-  hasCryptoAuthPermission
-} from './middlewares'
-export type { CryptoAuthUser, CryptoAuthMiddlewareOptions } from './middlewares'

package/plugins/crypto-auth/server/middlewares/cryptoAuthAdmin.ts

@@ -1,65 +0,0 @@
-/**
- * Middleware que REQUER privilégios de administrador
- * Bloqueia requisições não autenticadas (401) ou sem privilégios admin (403)
- */
-
-import { Elysia } from 'elysia'
-import { createGuard } from '@/core/server/middleware/elysia-helpers'
-import type { Logger } from '@/core/utils/logger'
-import { validateAuthSync, type CryptoAuthUser } from './helpers'
-
-export interface CryptoAuthMiddlewareOptions {
-  logger?: Logger
-}
-
-export const cryptoAuthAdmin = (options: CryptoAuthMiddlewareOptions = {}) => {
-  return new Elysia({ name: 'crypto-auth-admin' })
-    .derive(async ({ request }) => {
-      const result = await validateAuthSync(request as Request, options.logger)
-
-      if (result.success && result.user) {
-        ;(request as any).user = result.user
-      }
-
-      return {}
-    })
-    .use(
-      createGuard({
-        name: 'crypto-auth-admin-check',
-        check: ({ request }) => {
-          const user = (request as any).user as CryptoAuthUser | undefined
-          return user && user.isAdmin
-        },
-        onFail: (set, { request }) => {
-          const user = (request as any).user as CryptoAuthUser | undefined
-
-          if (!user) {
-            set.status = 401
-            return {
-              error: {
-                message: 'Authentication required',
-                code: 'CRYPTO_AUTH_REQUIRED',
-                statusCode: 401
-              }
-            }
-          }
-
-          options.logger?.warn('Admin access denied', {
-            publicKey: user.publicKey.substring(0, 8) + '...',
-            permissions: user.permissions
-          })
-
-          set.status = 403
-          return {
-            error: {
-              message: 'Admin privileges required',
-              code: 'ADMIN_REQUIRED',
-              statusCode: 403,
-              yourPermissions: user.permissions
-            }
-          }
-        }
-      })
-    )
-    .as('plugin')
-}

package/plugins/crypto-auth/server/middlewares/cryptoAuthOptional.ts

@@ -1,26 +0,0 @@
-/**
- * Middleware OPCIONAL - adiciona user se autenticado, mas não requer
- * Não bloqueia requisições não autenticadas - permite acesso público
- */
-
-import { Elysia } from 'elysia'
-import type { Logger } from '@/core/utils/logger'
-import { validateAuthSync } from './helpers'
-
-export interface CryptoAuthMiddlewareOptions {
-  logger?: Logger
-}
-
-export const cryptoAuthOptional = (options: CryptoAuthMiddlewareOptions = {}) => {
-  return new Elysia({ name: 'crypto-auth-optional' })
-    .derive(async ({ request }) => {
-      const result = await validateAuthSync(request as Request, options.logger)
-
-      if (result.success && result.user) {
-        ;(request as any).user = result.user
-      }
-
-      return {}
-    })
-    .as('plugin')
-}

package/plugins/crypto-auth/server/middlewares/cryptoAuthPermissions.ts

@@ -1,76 +0,0 @@
-/**
- * Middleware que REQUER permissões específicas
- * Bloqueia requisições sem as permissões necessárias (403)
- */
-
-import { Elysia } from 'elysia'
-import { createGuard } from '@/core/server/middleware/elysia-helpers'
-import type { Logger } from '@/core/utils/logger'
-import { validateAuthSync, type CryptoAuthUser } from './helpers'
-
-export interface CryptoAuthMiddlewareOptions {
-  logger?: Logger
-}
-
-export const cryptoAuthPermissions = (
-  requiredPermissions: string[],
-  options: CryptoAuthMiddlewareOptions = {}
-) => {
-  return new Elysia({ name: 'crypto-auth-permissions' })
-    .derive(async ({ request }) => {
-      const result = await validateAuthSync(request as Request, options.logger)
-
-      if (result.success && result.user) {
-        ;(request as any).user = result.user
-      }
-
-      return {}
-    })
-    .use(
-      createGuard({
-        name: 'crypto-auth-permissions-check',
-        check: ({ request }) => {
-          const user = (request as any).user as CryptoAuthUser | undefined
-
-          if (!user) return false
-
-          const userPermissions = user.permissions
-          return requiredPermissions.every(
-            perm => userPermissions.includes(perm) || userPermissions.includes('admin')
-          )
-        },
-        onFail: (set, { request }) => {
-          const user = (request as any).user as CryptoAuthUser | undefined
-
-          if (!user) {
-            set.status = 401
-            return {
-              error: {
-                message: 'Authentication required',
-                code: 'CRYPTO_AUTH_REQUIRED',
-                statusCode: 401
-              }
-            }
-          }
-
-          options.logger?.warn('Permission denied', {
-            publicKey: user.publicKey.substring(0, 8) + '...',
-            required: requiredPermissions,
-            has: user.permissions
-          })
-
-          set.status = 403
-          return {
-            error: {
-              message: 'Insufficient permissions',
-              code: 'PERMISSION_DENIED',
-              statusCode: 403,
-              required: requiredPermissions,
-              yours: user.permissions
-            }
-          }
-        }
-      })
-    )
-    .as('plugin')
-}

package/plugins/crypto-auth/server/middlewares/cryptoAuthRequired.ts

@@ -1,45 +0,0 @@
-/**
- * Middleware que REQUER autenticação
- * Bloqueia requisições não autenticadas com 401
- */
-
-import { Elysia } from 'elysia'
-import { createGuard } from '@/core/server/middleware/elysia-helpers'
-import type { Logger } from '@/core/utils/logger'
-import { validateAuthSync } from './helpers'
-
-export interface CryptoAuthMiddlewareOptions {
-  logger?: Logger
-}
-
-export const cryptoAuthRequired = (options: CryptoAuthMiddlewareOptions = {}) => {
-  return new Elysia({ name: 'crypto-auth-required' })
-    .derive(async ({ request }) => {
-      const result = await validateAuthSync(request as Request, options.logger)
-
-      if (result.success && result.user) {
-        ;(request as any).user = result.user
-      }
-
-      return {}
-    })
-    .use(
-      createGuard({
-        name: 'crypto-auth-check',
-        check: ({ request }) => {
-          return !!(request as any).user
-        },
-        onFail: (set) => {
-          set.status = 401
-          return {
-            error: {
-              message: 'Authentication required',
-              code: 'CRYPTO_AUTH_REQUIRED',
-              statusCode: 401
-            }
-          }
-        }
-      })
-    )
-    .as('plugin')
-}