dms-middleware-auth 1.0.7 → 1.0.9

package/__tests__/auth.middleware.spec.ts

@@ -0,0 +1,131 @@
+import { AuthMiddleware } from '../src/auth.middleware';
+import { HttpStatusCode } from 'axios';
+
+const baseOptions = {
+  publicKey: 'PUBLIC_KEY',
+  keycloakUrl: '',
+  realm: '',
+  clientId: 'client',
+  clientSecret: '',
+  clientUuid: '',
+};
+
+const createCacheMock = (initial: Record<string, any> = {}) => {
+  const store = { ...initial };
+  return {
+    get: jest.fn(async (key: string) => store[key]),
+    set: jest.fn(async (key: string, value: any) => {
+      store[key] = value;
+    }),
+  };
+};
+
+const createRes = () => {
+  const res: any = {
+    status: jest.fn().mockReturnThis(),
+    json: jest.fn(),
+  };
+  return res;
+};
+
+const createReq = (override: Record<string, any> = {}) =>
+  ({
+    headers: { authorization: 'Bearer access-token' },
+    originalUrl: '/route',
+    body: {},
+    ...override,
+  } as any);
+
+describe('AuthMiddleware licensing', () => {
+  beforeEach(() => {
+    jest.restoreAllMocks();
+    jest.clearAllMocks();
+    jest.useRealTimers();
+    // Reset static flags/timers between tests
+    const cls: any = AuthMiddleware;
+    if (cls.shutdownTimer) {
+      clearTimeout(cls.shutdownTimer);
+    }
+    cls.licenceExpired = false;
+    cls.shutdownTimer = null;
+  });
+
+  it('allows requests when licence is valid (supports seconds epoch)', async () => {
+    const cache = createCacheMock({ client_access_token: 'cached-client-token' });
+    const middleware = new AuthMiddleware(cache as any, baseOptions as any);
+
+    jest.spyOn(middleware as any, 'getLicencingDetails').mockResolvedValue({
+      code: HttpStatusCode.Ok,
+      data: 'licence-token',
+    });
+    jest.spyOn(middleware as any, 'verifyJwt').mockReturnValue({
+      lic_end: Math.floor(Date.now() / 1000) + 60, // seconds epoch
+    });
+    jest
+      .spyOn(middleware as any, 'decodeAccessToken')
+      .mockReturnValue({
+        resource_access: { client: { roles: ['admin'] } },
+        preferred_username: 'user',
+      });
+    jest.spyOn(middleware as any, 'getClientRoleAttributes').mockResolvedValue({
+      attributes: { '/route': '{"params":"false"}' },
+    });
+
+    const req = createReq();
+    const res = createRes();
+    const next = jest.fn();
+
+    await middleware.use(req, res as any, next);
+
+    expect(res.status).not.toHaveBeenCalled();
+    expect(next).toHaveBeenCalledTimes(1);
+    expect(cache.set).toHaveBeenCalledWith('client_Licence_token', 'licence-token');
+  });
+
+  it('rejects and schedules shutdown when licence is expired', async () => {
+    jest.useFakeTimers();
+    const cache = createCacheMock({ client_access_token: 'cached-client-token' });
+    const middleware = new AuthMiddleware(cache as any, baseOptions as any);
+
+    jest.spyOn(middleware as any, 'getLicencingDetails').mockResolvedValue({
+      code: HttpStatusCode.Ok,
+      data: 'licence-token',
+    });
+    jest.spyOn(middleware as any, 'verifyJwt').mockReturnValue({
+      lic_end: Date.now() - 1, // already expired (ms epoch)
+    });
+    const exitSpy = jest.spyOn(process, 'exit').mockImplementation((() => undefined) as any);
+
+    const req = createReq();
+    const res = createRes();
+    const next = jest.fn();
+
+    await middleware.use(req, res as any, next);
+
+    expect(res.status).toHaveBeenCalledWith(HttpStatusCode.Forbidden);
+    expect(res.json).toHaveBeenCalled();
+    expect(next).not.toHaveBeenCalled();
+    expect((AuthMiddleware as any).licenceExpired).toBe(true);
+
+    // advance time to trigger shutdown timer
+    jest.advanceTimersByTime(2 * 60 * 1000);
+    expect(exitSpy).toHaveBeenCalledWith(1);
+  });
+
+  it('immediately rejects when already marked expired', async () => {
+    const cache = createCacheMock();
+    (AuthMiddleware as any).licenceExpired = true;
+    const middleware = new AuthMiddleware(cache as any, baseOptions as any);
+    const checkSpy = jest.spyOn(middleware as any, 'checkLicenceAndValidate');
+
+    const req = createReq();
+    const res = createRes();
+    const next = jest.fn();
+
+    await middleware.use(req, res as any, next);
+
+    expect(checkSpy).not.toHaveBeenCalled();
+    expect(res.status).toHaveBeenCalledWith(HttpStatusCode.Forbidden);
+    expect(next).not.toHaveBeenCalled();
+  });
+});

package/dist/auth.middleware.d.ts

@@ -8,14 +8,26 @@ interface AuthMiddlewareOptions {
     clientId: string;
     clientSecret: string;
     clientUuid: string;
+    bypassURL: string;
 }
 export declare class AuthMiddleware implements NestMiddleware {
     private cacheManager;
     private readonly options;
+    private static licenceExpired;
+    private static shutdownTimer;
+    private static readonly licenceExpiredMessage;
     constructor(cacheManager: Cache, options: AuthMiddlewareOptions);
     use(req: any, res: Response, next: NextFunction): Promise<void | Response<any, Record<string, any>>>;
     private clientLogin;
     private getUserDetails;
     private getClientRoleAttributes;
+    private checkLicenceAndValidate;
+    private getLicencingDetails;
+    private validateLicence;
+    private markLicenceExpired;
+    private normalizeEpochMs;
+    private verifyJwt;
+    private decodeAccessToken;
+    private extractBearerToken;
 }
 export {};

package/dist/auth.middleware.js

@@ -44,30 +44,38 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 var __param = (this && this.__param) || function (paramIndex, decorator) {
     return function (target, key) { decorator(target, key, paramIndex); }
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
+var AuthMiddleware_1;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthMiddleware = void 0;
 const common_1 = require("@nestjs/common");
 const jwt = __importStar(require("jsonwebtoken"));
-const axios_1 = __importDefault(require("axios"));
+const axios_1 = __importStar(require("axios"));
 const cache_manager_1 = require("@nestjs/cache-manager");
-let AuthMiddleware = class AuthMiddleware {
+const process = __importStar(require("node:process"));
+let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
     constructor(cacheManager, options) {
         this.cacheManager = cacheManager;
         this.options = options;
     }
     async use(req, res, next) {
-        const authHeader = req.headers['authorization'];
-        if (!authHeader || !authHeader.startsWith('Bearer ')) {
-            return res.status(401).json({ message: 'Bearer token required' });
-        }
-        const { publicKey, clientId } = this.options;
+        const { publicKey, clientId, realm, bypassURL } = this.options;
         try {
-            const token = authHeader.split(' ')[1];
-            const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
-            const decoded = jwt.verify(token, publicKeys, { algorithms: ['RS256'] });
+            if (AuthMiddleware_1.licenceExpired) {
+                return res.status(axios_1.HttpStatusCode.Forbidden).json({ message: AuthMiddleware_1.licenceExpiredMessage });
+            }
+            // fetching the licence and validating. 
+            const validate_lic = await this.checkLicenceAndValidate(realm, publicKey);
+            if (!validate_lic) {
+                return res.status(axios_1.HttpStatusCode.Forbidden).json({ message: AuthMiddleware_1.licenceExpiredMessage });
+            }
+            else if (req.originalUrl == bypassURL && validate_lic) {
+                return next();
+            }
+            const authHeader = req.headers['authorization'];
+            if (!authHeader || !authHeader.startsWith('Bearer ')) {
+                return res.status(401).json({ message: 'Bearer token required' });
+            }
+            const decoded = this.decodeAccessToken(authHeader, publicKey);
             // Cache the client token
             let clientToken = await this.cacheManager.get('client_access_token');
             if (!clientToken) {
@@ -94,7 +102,7 @@ let AuthMiddleware = class AuthMiddleware {
                 const apiPermission = JSON.parse(clientAttributes[req.originalUrl]);
                 if (apiPermission?.params === "true") {
                     const event = req?.body?.event;
-                    const url = req?.originalUrl + `?params=${event}`;
+                    const url = req?.originalUrl + `?action=${event}`;
                     if (!clientAttributes[url]) {
                         return res.status(403).json({ message: 'Access denied for event' });
                     }
@@ -160,9 +168,124 @@ let AuthMiddleware = class AuthMiddleware {
             throw new Error(`Failed to fetch client role attributes: ${error.response?.data?.error_description || error.message}`);
         }
     }
+    async checkLicenceAndValidate(realm, publicKey) {
+        try {
+            // Reuse cached licence when possible; short-circuit if already marked expired.
+            if (AuthMiddleware_1.licenceExpired) {
+                return false;
+            }
+            const lic_token = await this.cacheManager.get('client_Licence_token');
+            if (!lic_token) {
+                const response = await this.getLicencingDetails(realm);
+                if (response.code === axios_1.HttpStatusCode.InternalServerError) {
+                    return false;
+                }
+                else {
+                    const validate = await this.validateLicence(response.data, publicKey);
+                    if (validate.status && validate.ttl) {
+                        await this.cacheManager.set('client_Licence_token', response.data, validate.ttl);
+                    }
+                    return validate.status;
+                }
+            }
+            else {
+                return await this.validateLicence(lic_token, publicKey);
+            }
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    async getLicencingDetails(realm) {
+        try {
+            const url = 'https://iiuuckued274sisadalbpf7ivu0eiblk.lambda-url.ap-south-1.on.aws/';
+            const body = { "client_name": realm };
+            const response = await axios_1.default.post(url, body);
+            if (response.status === axios_1.HttpStatusCode.Ok) {
+                return {
+                    code: axios_1.HttpStatusCode.Ok,
+                    data: response.data.token
+                };
+            }
+            else {
+                return {
+                    code: axios_1.HttpStatusCode.InternalServerError,
+                    message: "InternalServer error"
+                };
+            }
+        }
+        catch (error) {
+            return {
+                code: axios_1.HttpStatusCode.InternalServerError,
+                data: error?.response?.data || error?.message || 'Licencing service error'
+            };
+        }
+    }
+    async validateLicence(lic_data, publicKey) {
+        try {
+            const token = await this.verifyJwt(lic_data, publicKey);
+            const licEndMs = this.normalizeEpochMs(token?.lic_end);
+            // Reject when licence end (epoch) is missing or already in the past.
+            if (!licEndMs) {
+                return {
+                    status: false
+                };
+            }
+            if (licEndMs <= Date.now()) {
+                this.markLicenceExpired();
+                return {
+                    status: false
+                };
+            }
+            else {
+                return {
+                    status: true,
+                    ttl: (licEndMs - Date.now()) > 0 ? (licEndMs - Date.now()) : null
+                };
+            }
+        }
+        catch (error) {
+            this.markLicenceExpired();
+            return false;
+        }
+    }
+    markLicenceExpired() {
+        if (!AuthMiddleware_1.licenceExpired) {
+            AuthMiddleware_1.licenceExpired = true;
+        }
+        if (!AuthMiddleware_1.shutdownTimer) {
+            AuthMiddleware_1.shutdownTimer = setTimeout(() => {
+                process.exit(1);
+            }, 2 * 60 * 1000); // waiting two minutes after shutdowning server.
+        }
+    }
+    normalizeEpochMs(epoch) {
+        if (!epoch || Number.isNaN(epoch)) {
+            return null;
+        }
+        // Accept seconds or milliseconds since Unix epoch and normalize to ms for Date.now() comparison.
+        if (epoch < 1_000_000_000_000) {
+            return epoch * 1000;
+        }
+        return epoch;
+    }
+    verifyJwt(token, publicKey) {
+        const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
+        return jwt.verify(token, publicKeys, { algorithms: ['RS256'] });
+    }
+    decodeAccessToken(authHeader, publicKey) {
+        const token = this.extractBearerToken(authHeader);
+        return this.verifyJwt(token, publicKey);
+    }
+    extractBearerToken(authHeader) {
+        return authHeader.split(' ')[1];
+    }
 };
 exports.AuthMiddleware = AuthMiddleware;
-exports.AuthMiddleware = AuthMiddleware = __decorate([
+AuthMiddleware.licenceExpired = false;
+AuthMiddleware.shutdownTimer = null;
+AuthMiddleware.licenceExpiredMessage = "server Licence is expired!. please renew";
+exports.AuthMiddleware = AuthMiddleware = AuthMiddleware_1 = __decorate([
     (0, common_1.Injectable)(),
     __param(0, (0, common_1.Inject)(cache_manager_1.CACHE_MANAGER)),
     __param(1, (0, common_1.Inject)('AUTH_MIDDLEWARE_OPTIONS')),

package/jest.config.js

@@ -0,0 +1,14 @@
+/** @type {import('jest').Config} */
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  testMatch: ['**/__tests__/**/*.spec.ts'],
+  clearMocks: true,
+  roots: ['<rootDir>'],
+  moduleFileExtensions: ['ts', 'js', 'json'],
+  globals: {
+    'ts-jest': {
+      tsconfig: '<rootDir>/tsconfig.jest.json',
+    },
+  },
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dms-middleware-auth",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "Reusable middleware for authentication and authorization in NestJS applications.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -23,7 +23,10 @@
   "devDependencies": {
     "@types/axios": "^0.14.4",
     "@types/express": "^5.0.0",
+    "@types/jest": "^29.5.14",
     "@types/jsonwebtoken": "^9.0.7",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.3.4",
     "typescript": "^5.7.2"
   }
 }

package/src/auth.middleware.ts

@@ -1,10 +1,10 @@
-import { Inject, Injectable, NestMiddleware, UnauthorizedException } from '@nestjs/common';
-import { Request, Response, NextFunction } from 'express';
+import { Inject, Injectable, NestMiddleware } from '@nestjs/common';
+import { Response, NextFunction } from 'express';
 import * as jwt from 'jsonwebtoken';
-import axios from 'axios';
+import axios, { HttpStatusCode } from 'axios';
 import { CACHE_MANAGER } from '@nestjs/cache-manager';
 import { Cache } from 'cache-manager';
-
+import * as process from "node:process";
 interface AuthMiddlewareOptions {
   publicKey: string;
   keycloakUrl: string;
@@ -12,38 +12,50 @@ interface AuthMiddlewareOptions {
   clientId: string;
   clientSecret: string;
   clientUuid: string;
+  bypassURL: string;
 }
 
 @Injectable()
 export class AuthMiddleware implements NestMiddleware {
+  private static licenceExpired = false;
+  private static shutdownTimer: NodeJS.Timeout | null = null;
+  private static readonly licenceExpiredMessage = "server Licence is expired!. please renew";
+
   constructor(
     @Inject(CACHE_MANAGER) private cacheManager: Cache,
     @Inject('AUTH_MIDDLEWARE_OPTIONS') private readonly options: AuthMiddlewareOptions
   ) {}
 
   async use(req: any, res: Response, next: NextFunction) {
-    const authHeader = req.headers['authorization'];
 
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      return res.status(401).json({ message: 'Bearer token required' });
-    }
 
-    const { publicKey, clientId } = this.options;
+    const { publicKey, clientId, realm, bypassURL } = this.options;
 
     try {
-      const token = authHeader.split(' ')[1];
-      const publicKeys: string = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
+        if (AuthMiddleware.licenceExpired) {
+        return res.status(HttpStatusCode.Forbidden).json({ message: AuthMiddleware.licenceExpiredMessage });
+      }
 
-      const decoded: any = jwt.verify(token, publicKeys, { algorithms: ['RS256'] });
+      // fetching the licence and validating. 
+      const validate_lic = await this.checkLicenceAndValidate(realm, publicKey);
+      if (!validate_lic) {
+        return res.status(HttpStatusCode.Forbidden).json({message: AuthMiddleware.licenceExpiredMessage});
+      }
+      else if (req.originalUrl == bypassURL && validate_lic ) {
+       return  next();
+      }
+      const authHeader = req.headers['authorization'];
 
+      if (!authHeader || !authHeader.startsWith('Bearer ')) {
+        return res.status(401).json({ message: 'Bearer token required' });
+      }
+      const decoded: any = this.decodeAccessToken(authHeader, publicKey)
       // Cache the client token
       let clientToken: any = await this.cacheManager.get('client_access_token');
       if (!clientToken) {
         clientToken = await this.clientLogin();
         const decodedToken: any = jwt.decode(clientToken);
         const ttl = (decodedToken.exp - Math.floor(Date.now() / 1000)) * 1000;
-        
-
         await this.cacheManager.set('client_access_token', clientToken, ttl );
       }
 
@@ -69,14 +81,13 @@ export class AuthMiddleware implements NestMiddleware {
         if (apiPermission?.params === "true")
         {
           const event = req?.body?.event;
-          const url = req?.originalUrl + `?params=${event}`;
+          const url = req?.originalUrl + `?action=${event}`;
           if (!clientAttributes[url]){
             return res.status(403).json({ message: 'Access denied for event' });
           }
         }
       }
 
-
       // Cache interface details
       /*const userName = decoded.preferred_username;
       let userAttributes: any = await this.cacheManager.get(userName);
@@ -151,4 +162,128 @@ export class AuthMiddleware implements NestMiddleware {
       throw new Error(`Failed to fetch client role attributes: ${error.response?.data?.error_description || error.message}`);
     }
   }
+
+  private async checkLicenceAndValidate(realm: string, publicKey:string) {
+    try {
+      // Reuse cached licence when possible; short-circuit if already marked expired.
+      if (AuthMiddleware.licenceExpired) {
+        return false;
+      }
+      const lic_token = await this.cacheManager.get( 'client_Licence_token' );
+      if (!lic_token) {
+        const response:any = await  this.getLicencingDetails(realm);
+        if (response.code === HttpStatusCode.InternalServerError) {
+          return false
+        }
+        else{
+          const validate:any = await this.validateLicence(response.data, publicKey);
+          if (validate.status && validate.ttl) {
+            await this.cacheManager.set('client_Licence_token', response.data, validate.ttl);
+          }
+        
+          return validate.status;
+        }
+      }
+      else {
+        return await this.validateLicence(lic_token, publicKey);
+      }
+    }
+    catch(error:any){
+      return false;
+
+    }
+  }
+  private async getLicencingDetails(realm: string) {
+    try{
+
+
+
+        const url = 'https://iiuuckued274sisadalbpf7ivu0eiblk.lambda-url.ap-south-1.on.aws/'
+        const body = {  "client_name": realm };
+
+        const response = await axios.post( url , body );
+        if (response.status === HttpStatusCode.Ok) {
+          return {
+            code: HttpStatusCode.Ok,
+            data: response.data.token
+          };
+        }
+        else {
+          return {
+            code: HttpStatusCode.InternalServerError,
+            message: "InternalServer error"
+          };
+        }
+
+    }catch(error:any){
+      return {
+        code: HttpStatusCode.InternalServerError,
+        data: error?.response?.data || error?.message || 'Licencing service error'
+      };
+    }
+  }
+  private async validateLicence(lic_data:any, publicKey:any){
+    try{
+      const token:any  = await this.verifyJwt(lic_data, publicKey);
+      const licEndMs = this.normalizeEpochMs(token?.lic_end);
+      // Reject when licence end (epoch) is missing or already in the past.
+      if (!licEndMs) {
+        return{
+          status: false
+        } 
+      }
+      if (licEndMs <= Date.now()) {
+        this.markLicenceExpired();
+        return {
+          status: false
+        } 
+      } else {
+
+        return {
+          status: true,
+          ttl: (licEndMs - Date.now()) > 0 ?  (licEndMs - Date.now()) : null
+        } 
+      }
+    }
+    catch(error:any){
+      this.markLicenceExpired();
+      return false;
+    }
+  }
+
+  private markLicenceExpired() {
+    if (!AuthMiddleware.licenceExpired) {
+      AuthMiddleware.licenceExpired = true;
+    }
+    if (!AuthMiddleware.shutdownTimer) {
+      AuthMiddleware.shutdownTimer = setTimeout(() => {
+        process.exit(1);
+      }, 2 * 60 * 1000); // waiting two minutes after shutdowning server.
+    }
+  }
+
+  private normalizeEpochMs(epoch: number): number | null {
+    if (!epoch || Number.isNaN(epoch)) {
+      return null;
+    }
+    // Accept seconds or milliseconds since Unix epoch and normalize to ms for Date.now() comparison.
+    if (epoch < 1_000_000_000_000) {
+      return epoch * 1000;
+    }
+    return epoch;
+  }
+
+  private verifyJwt(token: string, publicKey: string) {
+    const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
+    return jwt.verify(token, publicKeys, { algorithms: ['RS256'] });
+  }
+
+  private decodeAccessToken(authHeader: string, publicKey: string) {
+    const token = this.extractBearerToken(authHeader);
+    return this.verifyJwt(token, publicKey);
+  }
+
+  private extractBearerToken(authHeader: string) {
+    return authHeader.split(' ')[1];
+  }
 }

package/tsconfig.jest.json

@@ -0,0 +1,7 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "types": ["jest", "node", "lru-cache"]
+  },
+  "include": ["src/**/*", "**/*.spec.ts"]
+}