npm - dms-middleware-auth - Versions diffs - 1.0.0 - Mend

dms-middleware-auth 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/auth.middleware.d.ts +21 -0
package/dist/auth.middleware.js +155 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +17 -0
package/dist/keycloak.service.d.ts +6 -0
package/dist/keycloak.service.js +97 -0
package/package.json +29 -0
package/src/auth.middleware.ts +135 -0
package/src/index.ts +1 -0
package/tsconfig.json +22 -0
package/types/lru-cache.d.ts +5 -0

package/dist/auth.middleware.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { NestMiddleware } from '@nestjs/common';
+import { Response, NextFunction } from 'express';
+import { Cache } from 'cache-manager';
+interface AuthMiddlewareOptions {
+    publicKey: string;
+    keycloakUrl: string;
+    realm: string;
+    clientId: string;
+    clientSecret: string;
+    clientUuid: string;
+}
+export declare class AuthMiddleware implements NestMiddleware {
+    private cacheManager;
+    private readonly options;
+    constructor(cacheManager: Cache, options: AuthMiddlewareOptions);
+    use(req: any, res: Response, next: NextFunction): Promise<void | Response<any, Record<string, any>>>;
+    private clientLogin;
+    private getUserDetails;
+    private getClientRoleAttributes;
+}
+export {};

package/dist/auth.middleware.js ADDED Viewed

@@ -0,0 +1,155 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthMiddleware = void 0;
+const common_1 = require("@nestjs/common");
+const jwt = __importStar(require("jsonwebtoken"));
+const axios_1 = __importDefault(require("axios"));
+const cache_manager_1 = require("@nestjs/cache-manager");
+let AuthMiddleware = class AuthMiddleware {
+    constructor(cacheManager, options) {
+        this.cacheManager = cacheManager;
+        this.options = options;
+    }
+    async use(req, res, next) {
+        const authHeader = req.headers['authorization'];
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            return res.status(401).json({ message: 'Bearer token required' });
+        }
+        const { publicKey, clientId } = this.options;
+        try {
+            const token = authHeader.split(' ')[1];
+            const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
+            const decoded = jwt.verify(token, publicKeys, { algorithms: ['RS256'] });
+            // Cache the client token
+            let clientToken = await this.cacheManager.get('client_access_token');
+            if (!clientToken) {
+                clientToken = await this.clientLogin();
+                const decodedToken = jwt.decode(clientToken);
+                const ttl = (decodedToken.exp - Math.floor(Date.now() / 1000)) * 1000;
+                await this.cacheManager.set('client_access_token', clientToken, ttl);
+            }
+            // Cache client role attributes
+            const role = decoded.resource_access[clientId]?.roles?.[0];
+            const clientRoleName = `${clientId + role}`;
+            let clientAttributes = await this.cacheManager.get(clientRoleName);
+            if (!clientAttributes) {
+                clientAttributes = await this.getClientRoleAttributes(role, clientToken);
+                clientAttributes = JSON.stringify(clientAttributes.attributes);
+                await this.cacheManager.set(clientRoleName, clientAttributes, 0);
+            }
+            // Check route access
+            clientAttributes = JSON.parse(clientAttributes);
+            if (!clientAttributes[req.originalUrl]) {
+                return res.status(403).json({ message: 'Access denied for this route' });
+            }
+            // Cache user details
+            const userName = decoded.preferred_username;
+            let userAttributes = await this.cacheManager.get(userName);
+            if (!userAttributes) {
+                userAttributes = await this.getUserDetails(userName, clientToken);
+                userAttributes = JSON.stringify(userAttributes.attributes);
+                await this.cacheManager.set(userName, userAttributes, 0);
+            }
+            // Attach attributes to request
+            userAttributes = JSON.parse(userAttributes);
+            req['attributes'] = {
+                client: clientAttributes[req.originalUrl],
+                user: userAttributes,
+            };
+            return next();
+        }
+        catch (error) {
+            //   console.error('AuthMiddleware error:', error);
+            return res.status(500).json({ message: error.message });
+        }
+    }
+    async clientLogin() {
+        const { keycloakUrl, realm, clientId, clientSecret } = this.options;
+        try {
+            const response = await axios_1.default.post(`${keycloakUrl}/realms/${realm}/protocol/openid-connect/token`, new URLSearchParams({
+                grant_type: 'client_credentials',
+                client_id: clientId,
+                client_secret: clientSecret,
+            }).toString(), { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } });
+            return response.data.access_token;
+        }
+        catch (error) {
+            throw new Error(`Failed to obtain client token: ${error.response?.data?.error_description || error.message}`);
+        }
+    }
+    async getUserDetails(username, token) {
+        const { keycloakUrl, realm } = this.options;
+        try {
+            const response = await axios_1.default.get(`${keycloakUrl}/admin/realms/${realm}/users?username=${username}`, { headers: { Authorization: `Bearer ${token}` } });
+            return response.data[0];
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch user details: ${error.response?.data?.error_description || error.message}`);
+        }
+    }
+    async getClientRoleAttributes(role, token) {
+        const { keycloakUrl, realm, clientUuid } = this.options;
+        try {
+            const response = await axios_1.default.get(`${keycloakUrl}/admin/realms/${realm}/clients/${clientUuid}/roles/${role}`, { headers: { Authorization: `Bearer ${token}` } });
+            return response.data;
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch client role attributes: ${error.response?.data?.error_description || error.message}`);
+        }
+    }
+};
+exports.AuthMiddleware = AuthMiddleware;
+exports.AuthMiddleware = AuthMiddleware = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(cache_manager_1.CACHE_MANAGER)),
+    __param(1, (0, common_1.Inject)('AUTH_MIDDLEWARE_OPTIONS')),
+    __metadata("design:paramtypes", [Object, Object])
+], AuthMiddleware);

package/dist/index.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './auth.middleware';

package/dist/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth.middleware"), exports);

package/dist/keycloak.service.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export declare class KeycloakService {
+    decodeToken(token: string): any;
+    clientLogin(options: any): Promise<any>;
+    getUserDetails(username: string, token: string, options: any): Promise<any>;
+    getClientRoleAttributes(role: string, token: string, options: any): Promise<any>;
+}

package/dist/keycloak.service.js ADDED Viewed

@@ -0,0 +1,97 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakService = void 0;
+const common_1 = require("@nestjs/common");
+const jwt = __importStar(require("jsonwebtoken"));
+const axios_1 = __importDefault(require("axios"));
+let KeycloakService = class KeycloakService {
+    decodeToken(token) {
+        try {
+            return jwt.decode(token);
+        }
+        catch (error) {
+            throw new Error('Invalid token');
+        }
+    }
+    // Verify the token's validity
+    async clientLogin(options) {
+        const { keycloakUrl, realm, clientId, clientSecret } = options;
+        try {
+            const response = await axios_1.default.post(`${keycloakUrl}/realms/${realm}/protocol/openid-connect/token`, new URLSearchParams({
+                grant_type: 'client_credentials',
+                client_id: clientId,
+                client_secret: clientSecret,
+            }).toString(), { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } });
+            return response.data.access_token;
+        }
+        catch (error) {
+            throw new Error(`Failed to obtain client token: ${error.response?.data?.error_description || error.message}`);
+        }
+    }
+    async getUserDetails(username, token, options) {
+        const { keycloakUrl, realm } = options;
+        try {
+            const response = await axios_1.default.get(`${keycloakUrl}/admin/realms/${realm}/users?username=${username}`, { headers: { Authorization: `Bearer ${token}` } });
+            return response.data[0];
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch user details: ${error.response?.data?.error_description || error.message}`);
+        }
+    }
+    async getClientRoleAttributes(role, token, options) {
+        const { keycloakUrl, realm, clientUuid } = options;
+        try {
+            const response = await axios_1.default.get(`${keycloakUrl}/admin/realms/${realm}/clients/${clientUuid}/roles/${role}`, { headers: { Authorization: `Bearer ${token}` } });
+            return response.data;
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch client role attributes: ${error.response?.data?.error_description || error.message}`);
+        }
+    }
+};
+exports.KeycloakService = KeycloakService;
+exports.KeycloakService = KeycloakService = __decorate([
+    (0, common_1.Injectable)()
+], KeycloakService);

package/package.json ADDED Viewed

@@ -0,0 +1,29 @@
+{
+  "name": "dms-middleware-auth",
+  "version": "1.0.0",
+  "description": "Reusable middleware for authentication and authorization in NestJS applications.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "test": "jest"
+  },
+  "author": "dms-team",
+  "license": "MIT",
+  "dependencies": {
+    "@nestjs/cache-manager": "^2.3.0",
+    "@nestjs/common": "^10.4.13",
+    "@nestjs/core": "^10.4.13",
+    "axios": "^1.7.9",
+    "cache-manager": "^5.7.6",
+    "express": "^4.21.1",
+    "jsonwebtoken": "^9.0.2",
+    "lru-cache": "^11.0.2"
+  },
+  "devDependencies": {
+    "@types/axios": "^0.14.4",
+    "@types/express": "^5.0.0",
+    "@types/jsonwebtoken": "^9.0.7",
+    "typescript": "^5.7.2"
+  }
+}

package/src/auth.middleware.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import { Inject, Injectable, NestMiddleware, UnauthorizedException } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import * as jwt from 'jsonwebtoken';
+import axios from 'axios';
+import { CACHE_MANAGER } from '@nestjs/cache-manager';
+import { Cache } from 'cache-manager';
+interface AuthMiddlewareOptions {
+  publicKey: string;
+  keycloakUrl: string;
+  realm: string;
+  clientId: string;
+  clientSecret: string;
+  clientUuid: string;
+}
+@Injectable()
+export class AuthMiddleware implements NestMiddleware {
+  constructor(
+    @Inject(CACHE_MANAGER) private cacheManager: Cache,
+    @Inject('AUTH_MIDDLEWARE_OPTIONS') private readonly options: AuthMiddlewareOptions
+  ) {}
+  async use(req: any, res: Response, next: NextFunction) {
+    const authHeader = req.headers['authorization'];
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({ message: 'Bearer token required' });
+    }
+    const { publicKey, clientId } = this.options;
+    try {
+      const token = authHeader.split(' ')[1];
+      const publicKeys: string = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
+      const decoded: any = jwt.verify(token, publicKeys, { algorithms: ['RS256'] });
+      // Cache the client token
+      let clientToken: any = await this.cacheManager.get('client_access_token');
+      if (!clientToken) {
+        clientToken = await this.clientLogin();
+        const decodedToken: any = jwt.decode(clientToken);
+        const ttl = (decodedToken.exp - Math.floor(Date.now() / 1000)) * 1000;
+        await this.cacheManager.set('client_access_token', clientToken, ttl );
+      }
+      // Cache client role attributes
+      const role = decoded.resource_access[clientId]?.roles?.[0];
+      const clientRoleName = `${clientId+role}`;
+      let clientAttributes: any = await this.cacheManager.get(clientRoleName);
+      if (!clientAttributes) {
+        clientAttributes = await this.getClientRoleAttributes(role, clientToken);
+        clientAttributes = JSON.stringify(clientAttributes.attributes);
+        await this.cacheManager.set(clientRoleName, clientAttributes, 0);
+      }
+      // Check route access
+      clientAttributes = JSON.parse(clientAttributes);
+      if (!clientAttributes[req.originalUrl]) {
+        return res.status(403).json({ message: 'Access denied for this route' });
+      }
+      // Cache user details
+      const userName = decoded.preferred_username;
+      let userAttributes: any = await this.cacheManager.get(userName);
+      if (!userAttributes) {
+        userAttributes = await this.getUserDetails(userName, clientToken);
+        userAttributes = JSON.stringify(userAttributes.attributes);
+        await this.cacheManager.set(userName, userAttributes, 0);
+      }
+      // Attach attributes to request
+      userAttributes = JSON.parse(userAttributes);
+      req['attributes'] = {
+        client: clientAttributes[req.originalUrl],
+        user: userAttributes,
+      };
+      return next();
+    } catch (error:any) {
+    //   console.error('AuthMiddleware error:', error);
+      return res.status(500).json({ message: error.message });
+    }
+  }
+  private async clientLogin() {
+    const { keycloakUrl, realm, clientId, clientSecret } = this.options;
+    try {
+      const response = await axios.post(
+        `${keycloakUrl}/realms/${realm}/protocol/openid-connect/token`,
+        new URLSearchParams({
+          grant_type: 'client_credentials',
+          client_id: clientId,
+          client_secret: clientSecret,
+        }).toString(),
+        { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
+      );
+      return response.data.access_token;
+    } catch (error:any) {
+      throw new Error(`Failed to obtain client token: ${error.response?.data?.error_description || error.message}`);
+    }
+  }
+  private async getUserDetails(username: string, token: string) {
+    const { keycloakUrl, realm } = this.options;
+    try {
+      const response = await axios.get(
+        `${keycloakUrl}/admin/realms/${realm}/users?username=${username}`,
+        { headers: { Authorization: `Bearer ${token}` } }
+      );
+      return response.data[0];
+    } catch (error:any) {
+      throw new Error(`Failed to fetch user details: ${error.response?.data?.error_description || error.message}`);
+    }
+  }
+  private async getClientRoleAttributes(role: string, token: string) {
+    const { keycloakUrl, realm, clientUuid } = this.options;
+    try {
+      const response = await axios.get(
+        `${keycloakUrl}/admin/realms/${realm}/clients/${clientUuid}/roles/${role}`,
+        { headers: { Authorization: `Bearer ${token}` } }
+      );
+      return response.data;
+    } catch (error:any) {
+      throw new Error(`Failed to fetch client role attributes: ${error.response?.data?.error_description || error.message}`);
+    }
+  }
+}

package/src/index.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './auth.middleware';

package/tsconfig.json ADDED Viewed

@@ -0,0 +1,22 @@
+{
+    "compilerOptions": {
+      "module": "commonjs",
+      "target": "ES2021",
+      "declaration": true,
+      "outDir": "./dist",
+      "strict": true,                      // Keep strict mode for better type safety
+      "esModuleInterop": true,
+      "emitDecoratorMetadata": true,
+      "experimentalDecorators": true,
+      "skipLibCheck": true,                // Skip type checking for node_modules
+      "typeRoots": ["node_modules/@types", "./types"],
+      "types": ["node", "lru-cache"],
+      "baseUrl": ".",
+      "paths": {
+        "lru-cache": ["types/lru-cache.d.ts"]
+      }
+    },
+    "include": ["src/**/*"],
+    "exclude": ["node_modules", "dist", "**/*.spec.ts"]
+  }

package/types/lru-cache.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+declare module 'lru-cache' {
+    import { LRUCache } from 'lru-cache/dist/cjs/index.js';
+    export = LRUCache;
+  }