create-fluxstack 1.5.2 → 1.5.4

package/plugins/crypto-auth/server/middlewares/helpers.ts

@@ -0,0 +1,140 @@
+/**
+ * Crypto Auth Middleware Helpers
+ * Funções compartilhadas para validação de autenticação
+ */
+
+import type { Logger } from '@/core/utils/logger'
+
+export interface CryptoAuthUser {
+  publicKey: string
+  isAdmin: boolean
+  permissions: string[]
+}
+
+/**
+ * Get auth service from global
+ */
+export function getAuthService() {
+  const service = (global as any).cryptoAuthService
+  if (!service) {
+    throw new Error('CryptoAuthService not initialized. Make sure crypto-auth plugin is loaded.')
+  }
+  return service
+}
+
+/**
+ * Get auth middleware from global
+ */
+export function getAuthMiddleware() {
+  const middleware = (global as any).cryptoAuthMiddleware
+  if (!middleware) {
+    throw new Error('AuthMiddleware not initialized. Make sure crypto-auth plugin is loaded.')
+  }
+  return middleware
+}
+
+/**
+ * Extract and validate authentication from request
+ * Versão SÍNCRONA para evitar problemas com Elysia
+ */
+export function extractAuthHeaders(request: Request): {
+  publicKey: string
+  timestamp: number
+  nonce: string
+  signature: string
+} | null {
+  const headers = request.headers
+  const publicKey = headers.get('x-public-key')
+  const timestampStr = headers.get('x-timestamp')
+  const nonce = headers.get('x-nonce')
+  const signature = headers.get('x-signature')
+
+  if (!publicKey || !timestampStr || !nonce || !signature) {
+    return null
+  }
+
+  const timestamp = parseInt(timestampStr, 10)
+  if (isNaN(timestamp)) {
+    return null
+  }
+
+  return { publicKey, timestamp, nonce, signature }
+}
+
+/**
+ * Build message for signature verification
+ */
+export function buildMessage(request: Request): string {
+  const url = new URL(request.url)
+  return `${request.method}:${url.pathname}`
+}
+
+/**
+ * Validate authentication synchronously
+ */
+export async function validateAuthSync(request: Request, logger?: Logger): Promise<{
+  success: boolean
+  user?: CryptoAuthUser
+  error?: string
+}> {
+  try {
+    const authHeaders = extractAuthHeaders(request)
+
+    if (!authHeaders) {
+      return {
+        success: false,
+        error: 'Missing authentication headers'
+      }
+    }
+
+    const authService = getAuthService()
+    const message = buildMessage(request)
+
+    const result = await authService.validateRequest({
+      publicKey: authHeaders.publicKey,
+      timestamp: authHeaders.timestamp,
+      nonce: authHeaders.nonce,
+      signature: authHeaders.signature,
+      message
+    })
+
+    return result
+  } catch (error) {
+    logger?.error('Auth validation error', { error })
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : 'Unknown error'
+    }
+  }
+}
+
+/**
+ * Helper: Obter usuário autenticado do request
+ */
+export function getCryptoAuthUser(request: Request): CryptoAuthUser | null {
+  return (request as any).user || null
+}
+
+/**
+ * Helper: Verificar se request está autenticado
+ */
+export function isCryptoAuthAuthenticated(request: Request): boolean {
+  return !!(request as any).user
+}
+
+/**
+ * Helper: Verificar se usuário é admin
+ */
+export function isCryptoAuthAdmin(request: Request): boolean {
+  const user = getCryptoAuthUser(request)
+  return user?.isAdmin || false
+}
+
+/**
+ * Helper: Verificar se usuário tem permissão específica
+ */
+export function hasCryptoAuthPermission(request: Request, permission: string): boolean {
+  const user = getCryptoAuthUser(request)
+  if (!user) return false
+  return user.permissions.includes(permission) || user.permissions.includes('admin')
+}

package/plugins/crypto-auth/server/middlewares/index.ts

@@ -0,0 +1,22 @@
+/**
+ * Crypto Auth Middlewares
+ * Exports centralizados de todos os middlewares
+ */
+
+// Middlewares
+export { cryptoAuthRequired } from './cryptoAuthRequired'
+export { cryptoAuthAdmin } from './cryptoAuthAdmin'
+export { cryptoAuthOptional } from './cryptoAuthOptional'
+export { cryptoAuthPermissions } from './cryptoAuthPermissions'
+
+// Helpers
+export {
+  getCryptoAuthUser,
+  isCryptoAuthAuthenticated,
+  isCryptoAuthAdmin,
+  hasCryptoAuthPermission,
+  type CryptoAuthUser
+} from './helpers'
+
+// Types
+export type { CryptoAuthMiddlewareOptions } from './cryptoAuthRequired'

package/plugins/crypto-auth/server/middlewares.ts

@@ -0,0 +1,19 @@
+/**
+ * Crypto Auth Middlewares
+ * Middlewares Elysia para autenticação criptográfica
+ *
+ * Uso:
+ * ```typescript
+ * import { cryptoAuthRequired, cryptoAuthAdmin } from '@/plugins/crypto-auth/server'
+ *
+ * export const myRoutes = new Elysia()
+ *   .use(cryptoAuthRequired())
+ *   .get('/protected', ({ request }) => {
+ *     const user = getCryptoAuthUser(request)
+ *     return { user }
+ *   })
+ * ```
+ */
+
+// Re-export tudo do módulo middlewares
+export * from './middlewares/index'

package/test-crypto-auth.ts

@@ -0,0 +1,101 @@
+/**
+ * Script de teste para validar autenticação criptográfica
+ */
+
+import { ed25519 } from '@noble/curves/ed25519'
+import { sha256 } from '@noble/hashes/sha256'
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils'
+
+async function testCryptoAuth() {
+  console.log('🔐 Testando Autenticação Criptográfica Ed25519\n')
+
+  // 1. Gerar par de chaves
+  console.log('1️⃣ Gerando par de chaves Ed25519...')
+  const privateKey = ed25519.utils.randomPrivateKey()
+  const publicKeyBytes = ed25519.getPublicKey(privateKey)
+  const publicKey = bytesToHex(publicKeyBytes)
+  const privateKeyHex = bytesToHex(privateKey)
+
+  console.log(`   ✅ Chave pública: ${publicKey.substring(0, 16)}...`)
+  console.log(`   ✅ Chave privada: ${privateKeyHex.substring(0, 16)}... (NUNCA enviar ao servidor!)\n`)
+
+  // 2. Preparar requisição
+  console.log('2️⃣ Preparando requisição assinada...')
+  const url = '/api/crypto-auth/protected'
+  const method = 'GET'
+  const timestamp = Date.now()
+  const nonce = generateNonce()
+
+  // 3. Construir mensagem para assinar
+  const message = `${method}:${url}`
+  const fullMessage = `${publicKey}:${timestamp}:${nonce}:${message}`
+
+  console.log(`   📝 Mensagem: ${fullMessage.substring(0, 50)}...\n`)
+
+  // 4. Assinar mensagem
+  console.log('3️⃣ Assinando mensagem com chave privada...')
+  const messageHash = sha256(new TextEncoder().encode(fullMessage))
+  const signatureBytes = ed25519.sign(messageHash, privateKey)
+  const signature = bytesToHex(signatureBytes)
+
+  console.log(`   ✅ Assinatura: ${signature.substring(0, 32)}...\n`)
+
+  // 5. Fazer requisição ao servidor
+  console.log('4️⃣ Enviando requisição ao servidor...')
+  const response = await fetch('http://localhost:3000/api/crypto-auth/protected', {
+    method: 'GET',
+    headers: {
+      'x-public-key': publicKey,
+      'x-timestamp': timestamp.toString(),
+      'x-nonce': nonce,
+      'x-signature': signature
+    }
+  })
+
+  const data = await response.json()
+
+  console.log(`   📡 Status: ${response.status}`)
+  console.log(`   📦 Resposta:`, JSON.stringify(data, null, 2))
+
+  if (data.success) {
+    console.log('\n✅ SUCESSO! Assinatura validada corretamente pelo servidor!')
+    console.log(`   👤 Dados protegidos recebidos: ${data.data?.secretInfo}`)
+  } else {
+    console.log('\n❌ ERRO! Assinatura rejeitada pelo servidor')
+    console.log(`   ⚠️  Erro: ${data.error}`)
+  }
+
+  // 6. Testar replay attack (reutilizar mesma assinatura)
+  console.log('\n5️⃣ Testando proteção contra replay attack...')
+  const replayResponse = await fetch('http://localhost:3000/api/crypto-auth/protected', {
+    method: 'GET',
+    headers: {
+      'x-public-key': publicKey,
+      'x-timestamp': timestamp.toString(),
+      'x-nonce': nonce, // Mesmo nonce
+      'x-signature': signature // Mesma assinatura
+    }
+  })
+
+  const replayData = await replayResponse.json()
+
+  console.log(`   📡 Replay Status: ${replayResponse.status}`)
+  console.log(`   📦 Replay Response:`, JSON.stringify(replayData, null, 2))
+
+  if (!replayData.success && replayData.error?.includes('nonce')) {
+    console.log('   ✅ Proteção funcionando! Replay attack bloqueado.')
+  } else if (replayResponse.status === 401) {
+    console.log('   ✅ Proteção funcionando! Replay attack bloqueado (status 401).')
+  } else {
+    console.log('   ⚠️  ATENÇÃO: Replay attack NÃO foi bloqueado!')
+  }
+}
+
+function generateNonce(): string {
+  const bytes = new Uint8Array(16)
+  crypto.getRandomValues(bytes)
+  return bytesToHex(bytes)
+}
+
+// Executar teste
+testCryptoAuth().catch(console.error)