dauth-md-node 3.0.2 → 4.0.0

package/src/router.ts

@@ -0,0 +1,444 @@
+import { Router, Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import { getServerBasePath } from './api/utils/config';
+import {
+  deriveEncryptionKey,
+  encryptSession,
+  decryptSessionWithKeys,
+  SessionPayload,
+} from './session';
+import { generateCsrfToken, verifyCsrf } from './csrf';
+
+export interface DauthRouterOptions {
+  domainName: string;
+  tsk: string;
+  dauthUrl?: string;
+  cookieName?: string;
+  csrfCookieName?: string;
+  maxAge?: number;
+  secure?: boolean;
+  previousTsk?: string;
+  sessionSalt?: string;
+}
+
+interface ResolvedConfig {
+  domainName: string;
+  dauthBasePath: string;
+  cookieName: string;
+  csrfCookieName: string;
+  maxAgeMs: number;
+  secure: boolean;
+  encKeys: Buffer[];
+}
+
+// Refresh lock to prevent race conditions on concurrent token rotation
+const refreshLocks = new Map<string, Promise<SessionPayload | null>>();
+
+function lockKey(refreshToken: string): string {
+  return refreshToken.substring(0, 16);
+}
+
+function clearStaleLocks(): void {
+  if (refreshLocks.size > 100) refreshLocks.clear();
+}
+
+async function resolveConfig(
+  opts: DauthRouterOptions
+): Promise<ResolvedConfig> {
+  const secure =
+    opts.secure ?? process.env.NODE_ENV !== 'development';
+  const cookieName =
+    opts.cookieName ??
+    (secure ? '__Host-dauth-session' : 'dauth-session');
+  const csrfCookieName =
+    opts.csrfCookieName ?? (secure ? '__Host-csrf' : 'csrf-token');
+  const maxAgeMs = (opts.maxAge ?? 30 * 24 * 3600) * 1000;
+
+  const keys: Buffer[] = [];
+  keys.push(await deriveEncryptionKey(opts.tsk, opts.sessionSalt));
+  if (opts.previousTsk) {
+    keys.push(
+      await deriveEncryptionKey(opts.previousTsk, opts.sessionSalt)
+    );
+  }
+
+  let dauthBasePath: string;
+  if (opts.dauthUrl) {
+    dauthBasePath = `${opts.dauthUrl.replace(/\/+$/, '')}/api/v1`;
+  } else {
+    dauthBasePath = getServerBasePath();
+  }
+
+  return {
+    domainName: opts.domainName,
+    dauthBasePath,
+    cookieName,
+    csrfCookieName,
+    maxAgeMs,
+    secure,
+    encKeys: keys,
+  };
+}
+
+function setSessionCookie(
+  res: Response,
+  payload: SessionPayload,
+  config: ResolvedConfig
+): void {
+  const encrypted = encryptSession(payload, config.encKeys[0]);
+  const cookieOpts: Record<string, unknown> = {
+    httpOnly: true,
+    secure: config.secure,
+    sameSite: 'lax',
+    maxAge: config.maxAgeMs,
+    path: '/',
+  };
+  // __Host- prefix requires no domain attribute
+  if (!config.secure) {
+    // Dev mode: no __Host- prefix, no domain restriction needed
+  }
+  res.cookie(config.cookieName, encrypted, cookieOpts);
+}
+
+function setCsrfCookie(res: Response, config: ResolvedConfig): void {
+  const csrfToken = generateCsrfToken();
+  res.cookie(config.csrfCookieName, csrfToken, {
+    httpOnly: false,
+    secure: config.secure,
+    sameSite: 'lax',
+    maxAge: config.maxAgeMs,
+    path: '/',
+  });
+}
+
+function clearCookies(res: Response, config: ResolvedConfig): void {
+  const baseOpts = { path: '/', secure: config.secure };
+  res.clearCookie(config.cookieName, baseOpts);
+  res.clearCookie(config.csrfCookieName, baseOpts);
+}
+
+function readSession(
+  req: Request,
+  config: ResolvedConfig
+): SessionPayload | null {
+  const cookie = req.cookies?.[config.cookieName];
+  if (!cookie) return null;
+  return decryptSessionWithKeys(cookie, config.encKeys);
+}
+
+function isTokenExpiringSoon(token: string, thresholdMs = 300_000): boolean {
+  try {
+    const decoded = jwt.decode(token) as { exp?: number } | null;
+    if (!decoded?.exp) return true;
+    return decoded.exp * 1000 - Date.now() < thresholdMs;
+  } catch {
+    return true;
+  }
+}
+
+async function maybeRefreshTokens(
+  session: SessionPayload,
+  config: ResolvedConfig,
+  res: Response
+): Promise<SessionPayload> {
+  if (!isTokenExpiringSoon(session.accessToken)) return session;
+
+  const key = lockKey(session.refreshToken);
+  clearStaleLocks();
+
+  const existingLock = refreshLocks.get(key);
+  if (existingLock) {
+    const result = await existingLock;
+    return result ?? session;
+  }
+
+  const refreshPromise = (async (): Promise<SessionPayload | null> => {
+    try {
+      const response = await fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/refresh-token`,
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            refreshToken: session.refreshToken,
+          }),
+        }
+      );
+      if (!response.ok) return null;
+      const data = (await response.json()) as {
+        accessToken?: string;
+        refreshToken?: string;
+      };
+      if (!data.accessToken || !data.refreshToken) return null;
+      const newSession: SessionPayload = {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken,
+      };
+      setSessionCookie(res, newSession, config);
+      return newSession;
+    } catch {
+      return null;
+    }
+  })();
+
+  refreshLocks.set(key, refreshPromise);
+
+  // Timeout safety net: clean lock after 10s
+  const timeout = setTimeout(() => refreshLocks.delete(key), 10_000);
+  refreshPromise.finally(() => {
+    clearTimeout(timeout);
+    refreshLocks.delete(key);
+  });
+
+  const result = await refreshPromise;
+  return result ?? session;
+}
+
+export function dauthRouter(opts: DauthRouterOptions): Router {
+  const router = Router();
+  let configPromise: Promise<ResolvedConfig> | null = null;
+
+  async function getConfig(): Promise<ResolvedConfig> {
+    if (!configPromise) configPromise = resolveConfig(opts);
+    return configPromise;
+  }
+
+  // POST /exchange-code — no CSRF (no prior session)
+  router.post('/exchange-code', async (req: Request, res: Response) => {
+    const config = await getConfig();
+    const { code } = req.body;
+    if (!code) {
+      return res
+        .status(400)
+        .send({ status: 'code-required', message: 'Code required' });
+    }
+
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/exchange-code`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ code }),
+      }
+    );
+    if (!response.ok) {
+      return res
+        .status(response.status)
+        .send({ status: 'code-invalid', message: 'Code invalid' });
+    }
+    const data = (await response.json()) as {
+      accessToken: string;
+      refreshToken: string;
+      isNewUser: boolean;
+    };
+
+    setSessionCookie(
+      res,
+      {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken,
+      },
+      config
+    );
+    setCsrfCookie(res, config);
+
+    // Fetch user data to return
+    const userResponse = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: 'GET',
+        headers: { Authorization: data.accessToken },
+      }
+    );
+    const userData = (await userResponse.json()) as {
+      user?: unknown;
+      domain?: unknown;
+    };
+
+    return res.status(200).send({
+      user: userData.user,
+      domain: userData.domain,
+      isNewUser: data.isNewUser,
+    });
+  });
+
+  // GET /session — no CSRF (read-only)
+  router.get('/session', async (req: Request, res: Response) => {
+    const config = await getConfig();
+    const session = readSession(req, config);
+    if (!session) {
+      return res
+        .status(401)
+        .send({ status: 'no-session', message: 'Not authenticated' });
+    }
+
+    const refreshed = await maybeRefreshTokens(session, config, res);
+
+    const userResponse = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: 'GET',
+        headers: { Authorization: refreshed.accessToken },
+      }
+    );
+    if (!userResponse.ok) {
+      clearCookies(res, config);
+      return res
+        .status(401)
+        .send({ status: 'session-invalid', message: 'Session expired' });
+    }
+    const userData = (await userResponse.json()) as {
+      user?: unknown;
+      domain?: unknown;
+    };
+    return res.status(200).send({
+      user: userData.user,
+      domain: userData.domain,
+    });
+  });
+
+  // POST /logout — CSRF required
+  router.post('/logout', async (req: Request, res: Response) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res
+        .status(403)
+        .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });
+    }
+    const session = readSession(req, config);
+    if (session) {
+      // Revoke refresh token server-to-server (fire-and-forget)
+      fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/logout`,
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            refreshToken: session.refreshToken,
+          }),
+        }
+      ).catch(() => {});
+    }
+    clearCookies(res, config);
+    return res
+      .status(200)
+      .send({ status: 'success', message: 'Logged out' });
+  });
+
+  // PATCH /user — CSRF required
+  router.patch('/user', async (req: Request, res: Response) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res
+        .status(403)
+        .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res
+        .status(401)
+        .send({ status: 'no-session', message: 'Not authenticated' });
+    }
+    const refreshed = await maybeRefreshTokens(session, config, res);
+
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: 'PATCH',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: refreshed.accessToken,
+        },
+        body: JSON.stringify(req.body),
+      }
+    );
+    const data = await response.json();
+    return res.status(response.status).send(data);
+  });
+
+  // DELETE /user — CSRF required
+  router.delete('/user', async (req: Request, res: Response) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res
+        .status(403)
+        .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res
+        .status(401)
+        .send({ status: 'no-session', message: 'Not authenticated' });
+    }
+
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: 'DELETE',
+        headers: { Authorization: session.accessToken },
+      }
+    );
+    const data = await response.json();
+    clearCookies(res, config);
+    return res.status(response.status).send(data);
+  });
+
+  // GET /profile-redirect — CSRF required (generates profile code)
+  router.get(
+    '/profile-redirect',
+    async (req: Request, res: Response) => {
+      const config = await getConfig();
+      if (!verifyCsrf(req, config.csrfCookieName)) {
+        return res.status(403).send({
+          status: 'csrf-invalid',
+          message: 'CSRF token invalid',
+        });
+      }
+      const session = readSession(req, config);
+      if (!session) {
+        return res.status(401).send({
+          status: 'no-session',
+          message: 'Not authenticated',
+        });
+      }
+      const refreshed = await maybeRefreshTokens(
+        session,
+        config,
+        res
+      );
+
+      const response = await fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/profile-code`,
+        {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            Authorization: refreshed.accessToken,
+          },
+        }
+      );
+      if (!response.ok) {
+        return res.status(response.status).send({
+          status: 'profile-code-error',
+          message: 'Could not generate profile code',
+        });
+      }
+      const data = (await response.json()) as { code: string };
+
+      // Build redirect URL to dauth frontend
+      const dauthFrontendUrl = opts.dauthUrl
+        ? opts.dauthUrl.replace(/\/+$/, '')
+        : process.env.DAUTH_URL
+          ? process.env.DAUTH_URL.replace(/\/+$/, '')
+          : process.env.NODE_ENV === 'development'
+            ? 'http://localhost:5185'
+            : 'https://dauth.ovh';
+
+      return res.status(200).send({
+        redirectUrl: `${dauthFrontendUrl}/${config.domainName}/update-user?code=${data.code}`,
+      });
+    }
+  );
+
+  return router;
+}

package/src/session.ts

@@ -0,0 +1,81 @@
+import crypto from 'crypto';
+
+export interface SessionPayload {
+  accessToken: string;
+  refreshToken: string;
+}
+
+const INFO = 'dauth-cookie-enc-v1';
+const DEFAULT_SALT = Buffer.from(
+  'a3f8c1d7e9b24f6081c5d3a7e2f49b0653d81f7a2e94c0b6d8f3a5e1c7b09d42',
+  'hex'
+);
+
+export async function deriveEncryptionKey(
+  tsk: string,
+  salt?: string
+): Promise<Buffer> {
+  const saltBuf = salt ? Buffer.from(salt, 'hex') : DEFAULT_SALT;
+  return new Promise((resolve, reject) => {
+    crypto.hkdf(
+      'sha256',
+      Buffer.from(tsk),
+      saltBuf,
+      INFO,
+      32,
+      (err, derivedKey) => {
+        if (err) return reject(err);
+        resolve(Buffer.from(derivedKey));
+      }
+    );
+  });
+}
+
+export function encryptSession(
+  payload: SessionPayload,
+  key: Buffer
+): string {
+  const nonce = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
+  const plaintext = JSON.stringify(payload);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, 'utf8'),
+    cipher.final(),
+  ]);
+  const authTag = cipher.getAuthTag();
+  // Format: base64(nonce + ciphertext + authTag)
+  return Buffer.concat([nonce, encrypted, authTag]).toString('base64');
+}
+
+export function decryptSession(
+  ciphertext: string,
+  key: Buffer
+): SessionPayload | null {
+  try {
+    const buf = Buffer.from(ciphertext, 'base64');
+    if (buf.length < 12 + 16) return null; // nonce(12) + authTag(16) minimum
+    const nonce = buf.subarray(0, 12);
+    const authTag = buf.subarray(buf.length - 16);
+    const encrypted = buf.subarray(12, buf.length - 16);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final(),
+    ]);
+    return JSON.parse(decrypted.toString('utf8')) as SessionPayload;
+  } catch {
+    return null;
+  }
+}
+
+export function decryptSessionWithKeys(
+  ciphertext: string,
+  keys: Buffer[]
+): SessionPayload | null {
+  for (const key of keys) {
+    const result = decryptSession(ciphertext, key);
+    if (result) return result;
+  }
+  return null;
+}