npm - dms-middleware-auth - Versions diffs - 1.1.8 → 1.2.0 - Mend

dms-middleware-auth 1.1.8 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/auth.middleware.js CHANGED Viewed

@@ -365,10 +365,11 @@ let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
     // -------------------------
     async cacheSetSeconds(key, value, _ttlSeconds) {
         try {
-            // Force a consistent one-day TTL in seconds to avoid store-specific unit surprises
-            const ttlSec = AuthMiddleware_1.ONE_DAY_SECONDS;
-            await this.cacheManager.set(key, value, ttlSec);
-            this.logger.debug(`Cache set: ${key} (TTL: ${ttlSec}s)`);
+            // Force a consistent one-day TTL in seconds; clamp to avoid 32-bit timer overflow even if a store multiplies by 1000
+            // Use a simple, safe 24-hour TTL; 86,400s (86,400,000ms if misread as ms) is far below the Node timer limit.
+            const ttlSeconds = AuthMiddleware_1.LIC_CACHE_TTL_SECONDS; // 24 * 60 * 60
+            await this.cacheManager.set(key, value, ttlSeconds);
+            this.logger.debug(`Cache set: ${key} (TTL: ${ttlSeconds}s)`);
         }
         catch (e) {
             this.logger.error(`Cache set failed for key=${key}: ${e?.message || e}`, e?.stack);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dms-middleware-auth",
-  "version": "1.1.8",
+  "version": "1.2.0",
   "description": "Reusable middleware for authentication and authorization in NestJS applications.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -25,7 +25,6 @@
     "@types/express": "^5.0.0",
     "@types/jest": "^29.5.14",
     "@types/jsonwebtoken": "^9.0.7",
-    "@types/node-forge": "^1.3.14",
     "jest": "^29.7.0",
     "ts-jest": "^29.3.4",
     "typescript": "^5.7.2"

package/src/auth.middleware.ts CHANGED Viewed

@@ -47,11 +47,11 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
   // Cache TTLs (safe by design; prevents timer overflow)
   private static readonly LIC_CACHE_TTL_SECONDS = 24 * 60 * 60; // 24 hours TTL for licence
-  private static readonly CLIENT_TOKEN_TTL_MAX_SECONDS = 60 * 60; // 1 hour cap
-  private static readonly CLIENT_TOKEN_TTL_SAFETY_SKEW_SECONDS = 30; // Refresh a bit early
-  private static readonly ROLE_ATTRIBUTES_TTL_SECONDS = 24 * 60 * 60; // 24 hours TTL for role attributes
-  private static readonly ONE_DAY_SECONDS = 24 * 60 * 60;
+  private static readonly CLIENT_TOKEN_TTL_MAX_SECONDS = 60 * 60; // 1 hour cap
+  private static readonly CLIENT_TOKEN_TTL_SAFETY_SKEW_SECONDS = 30; // Refresh a bit early
+  private static readonly ROLE_ATTRIBUTES_TTL_SECONDS = 24 * 60 * 60; // 24 hours TTL for role attributes
+  private static readonly ONE_DAY_SECONDS = 24 * 60 * 60;
   constructor(
     @Inject(CACHE_MANAGER) private readonly cacheManager: Cache,
@@ -182,38 +182,38 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
   // -------------------------
   // Graceful shutdown for EKS
   // -------------------------
-  private stopServer() {
-    if (AuthMiddleware.shutdownInitiated) return;
-    AuthMiddleware.shutdownInitiated = true;
-    this.logger.warn('Initiating graceful shutdown due to licence expiry');
-    // Give the response a moment to flush, then SIGTERM, then force exit after 5s
-    setTimeout(() => {
-      try {
-        process.kill(process.pid, 'SIGTERM');
-      } catch {
-        process.exit(1);
-      }
+  private stopServer() {
+    if (AuthMiddleware.shutdownInitiated) return;
+    AuthMiddleware.shutdownInitiated = true;
+    this.logger.warn('Initiating graceful shutdown due to licence expiry');
+    // Give the response a moment to flush, then SIGTERM, then force exit after 5s
+    setTimeout(() => {
+      try {
+        process.kill(process.pid, 'SIGTERM');
+      } catch {
+        process.exit(1);
+      }
       if (!AuthMiddleware.shutdownTimer) {
         AuthMiddleware.shutdownTimer = setTimeout(() => {
           this.logger.error('Force exit after SIGTERM timeout');
           process.exit(1);
         }, 5000);
-      }
-    }, 500);
-  }
+      }
+    }, 500);
+  }
   // -------------------------
   // Licence validate flow (called at boot / can be called again if needed)
   // -------------------------
-  private async checkLicenceAndValidate(realm: string, publicKey: string): Promise<boolean> {
-    try {
-      if (AuthMiddleware.licenceExpired) return false;
-      // If we already have an expiry and it's still valid, no need to fetch again
-      if (
+  private async checkLicenceAndValidate(realm: string, publicKey: string): Promise<boolean> {
+    try {
+      if (AuthMiddleware.licenceExpired) return false;
+      // If we already have an expiry and it's still valid, no need to fetch again
+      if (
         AuthMiddleware.licenceValidatedUntilMs &&
         Date.now() < AuthMiddleware.licenceValidatedUntilMs + AuthMiddleware.CLOCK_TOLERANCE_MS
       ) {
@@ -229,21 +229,21 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
         // 1) Try cache first (short TTL)
         const cachedToken = (await this.cacheManager.get('client_Licence_token')) as string | undefined;
         if (cachedToken) {
-          const ok = await this.validateLicence(cachedToken, publicKey, realm, this.options.keycloakUrl, false);
-          if (ok) {
-            this.logger.log('Licence validated from cache');
-            return true;
-          }
-        }
+          const ok = await this.validateLicence(cachedToken, publicKey, realm, this.options.keycloakUrl, false);
+          if (ok) {
+            this.logger.log('Licence validated from cache');
+            return true;
+          }
+        }
         // 2) Fetch from licensing service
         this.logger.log('Fetching licence from service');
         const token = await this.getLicencingTokenFromService(realm);
-        const ok = await this.validateLicence(token, publicKey, realm, this.options.keycloakUrl, true);
-        if (ok) {
-          this.logger.log('Licence validated from service');
-        }
+        const ok = await this.validateLicence(token, publicKey, realm, this.options.keycloakUrl, true);
+        if (ok) {
+          this.logger.log('Licence validated from service');
+        }
         return ok;
       })();
@@ -259,19 +259,19 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
     }
   }
-  private async validateLicence(
-    tokenJwt: string,
-    publicKey: string,
-    realm: string,
-    keycloakUrl: string,
-    updateCache: boolean
-  ): Promise<boolean> {
-    try {
-      const payload: any = this.verifyLicenceJwt(tokenJwt, publicKey, realm, keycloakUrl);
-      // Your custom claim: lic_end
-      const licEndMs = this.normalizeEpochMs(payload?.lic_end);
-      const now = Date.now();
+  private async validateLicence(
+    tokenJwt: string,
+    publicKey: string,
+    realm: string,
+    keycloakUrl: string,
+    updateCache: boolean
+  ): Promise<boolean> {
+    try {
+      const payload: any = this.verifyLicenceJwt(tokenJwt, publicKey, realm, keycloakUrl);
+      // Your custom claim: lic_end
+      const licEndMs = this.normalizeEpochMs(payload?.lic_end);
+      const now = Date.now();
       if (!licEndMs) {
         this.logger.error('Licence token missing lic_end');
@@ -398,17 +398,17 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
   // -------------------------
   // JWT helpers
   // -------------------------
-  private verifyLicenceJwt(token: string, publicKey: string, realm: string, keycloakUrl: string) {
-    const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
-    const issuer = `${keycloakUrl}/realms/${realm}`;
-    return jwt.verify(token, publicKeys, {
-      algorithms: ['RS256'],
-      issuer,
-      clockTolerance: 60,
-    });
-  }
+  private verifyLicenceJwt(token: string, publicKey: string, realm: string, keycloakUrl: string) {
+    const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
+    const issuer = `${keycloakUrl}/realms/${realm}`;
+    return jwt.verify(token, publicKeys, {
+      algorithms: ['RS256'],
+      issuer,
+      clockTolerance: 60,
+    });
+  }
   private decodeAccessToken(authHeader: string, publicKey: string) {
     const token = this.extractBearerToken(authHeader);
@@ -438,14 +438,15 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
   }
   // -------------------------
-  // Cache helper with overflow protection
-  // -------------------------
-  private async cacheSetSeconds(key: string, value: any, _ttlSeconds: number) {
-    try {
-      // Force a consistent one-day TTL in seconds to avoid store-specific unit surprises
-      const ttlSec = AuthMiddleware.ONE_DAY_SECONDS;
-      await this.cacheManager.set(key, value, ttlSec);
-      this.logger.debug(`Cache set: ${key} (TTL: ${ttlSec}s)`);
+  // Cache helper with overflow protection
+  // -------------------------
+  private async cacheSetSeconds(key: string, value: any, _ttlSeconds: number) {
+    try {
+      // Force a consistent one-day TTL in seconds; clamp to avoid 32-bit timer overflow even if a store multiplies by 1000
+      // Use a simple, safe 24-hour TTL; 86,400s (86,400,000ms if misread as ms) is far below the Node timer limit.
+      const ttlSeconds = AuthMiddleware.LIC_CACHE_TTL_SECONDS; // 24 * 60 * 60
+      await this.cacheManager.set(key, value, ttlSeconds);
+      this.logger.debug(`Cache set: ${key} (TTL: ${ttlSeconds}s)`);
     } catch (e: any) {
       this.logger.error(`Cache set failed for key=${key}: ${e?.message || e}`, e?.stack);
     }

package/repro_bug.ts DELETED Viewed

@@ -1,37 +0,0 @@
-const licEndString = "1774981740000";
-const CLOCK_TOLERANCE_MS = 60000;
-function normalizeEpochMs(epoch: any): number | null {
-    if (!epoch || (typeof epoch === 'number' && Number.isNaN(epoch))) {
-        return null;
-    }
-    // Buggy logic: relying on implicit conversion but returning original type
-    if (epoch < 1_000_000_000_000) {
-        return epoch * 1000;
-    }
-    return epoch;
-}
-const now = Date.now();
-const licEndMs = normalizeEpochMs(licEndString);
-console.log(`licEndMs Type: ${typeof licEndMs}, Value: ${licEndMs}`);
-// Simulate the logic in auth.middleware.ts
-const delay = ((licEndMs as any) + CLOCK_TOLERANCE_MS) - now;
-console.log(`Delay: ${delay}`);
-if (delay > 2147483647) {
-    console.log("Delay exceeds 32-bit signed integer limit! This often causes setTimeout to fire immediately (overflow to 1).");
-}
-console.log("Setting timeout...");
-const timer = setTimeout(() => {
-    console.log("BUG REPRODUCED: Timeout fired immediately despite huge delay!");
-}, delay);
-// Keep alive for a bit to see if it fires immediately
-setTimeout(() => {
-    console.log("Finished waiting 2s");
-    clearTimeout(timer);
-}, 2000);

package/test_specific_date.ts DELETED Viewed

@@ -1,76 +0,0 @@
-import { AuthMiddleware } from './src/auth.middleware';
-import * as jwt from 'jsonwebtoken';
-import * as crypto from 'crypto';
-async function runTest() {
-    console.log("--- Starting Thorough Test for Date 1774981740000 ---");
-    // 1. Setup Mocks
-    const mockCache = {
-        get: async (key: string) => undefined,
-        set: async (key: string, val: any, ttl: any) => {
-            console.log(`[MockCache] set key=${key}, ttl=${ttl}`);
-        },
-    } as any;
-    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
-        modulusLength: 2048,
-    });
-    let publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }) as string;
-    // Strip headers as AuthMiddleware adds them
-    const publicKeyBody = publicKeyPem
-        .replace('-----BEGIN PUBLIC KEY-----\n', '')
-        .replace('\n-----END PUBLIC KEY-----\n', '');
-    const mockOptions = {
-        publicKey: publicKeyBody,
-        keycloakUrl: 'http://localhost:8080',
-        realm: 'test-realm',
-        clientId: 'test-client',
-        clientSecret: 'secret',
-        clientUuid: 'uuid',
-        bypassURL: '/health',
-    };
-    const authMiddleware = new AuthMiddleware(mockCache, mockOptions);
-    // 2. Create Token with specific date
-    const licEnd = 1774981740000;
-    const payload = {
-        lic_end: licEnd
-    };
-    const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string;
-    const token = jwt.sign(payload, privateKeyPem, { algorithm: 'RS256', noTimestamp: true });
-    console.log(`Test Token: ${token}`);
-    console.log(`Current Time (Date.now()): ${Date.now()}`);
-    console.log(`User's Date to test: ${licEnd}`);
-    // 3. Run Validation
-    console.log("\n--- Calling validateLicence ---");
-    // We can access private methods using any cast for testing
-    const result = await (authMiddleware as any).validateLicence(token, publicKeyBody, true);
-    console.log(`\nResult Status: ${result.status}`);
-    if (result.status) {
-        console.log("SUCCESS: Middleware accepted the future date.");
-    } else {
-        console.error("FAILURE: Middleware rejected the future date.");
-    }
-    // 4. Check if expired flag was set
-    const isExpired = (AuthMiddleware as any).licenceExpired;
-    console.log(`AuthMiddleware.licenceExpired: ${isExpired}`);
-    // 5. Cleanup Timer
-    if ((AuthMiddleware as any).licenceExpiryTimer) {
-        console.log("Clearing expiry timer...");
-        clearTimeout((AuthMiddleware as any).licenceExpiryTimer);
-    }
-}
-runTest().catch(console.error);

package/test_ttl_overflow.ts DELETED Viewed

@@ -1,31 +0,0 @@
-import { caching } from 'cache-manager';
-async function testTTL() {
-    console.log("--- Testing Cache TTL Overflow ---");
-    const cache = await caching('memory');
-    const largeTTL = 4351255821; // ~50 days in ms
-    console.log(`Setting key with TTL: ${largeTTL}ms`);
-    await cache.set('test_key', 'test_value', largeTTL);
-    const val = await cache.get('test_key');
-    console.log(`Immediate get: ${val}`);
-    if (!val) {
-        console.error("FAIL: Value expired immediately!");
-    } else {
-        console.log("Value still present. Waiting 2s to check again...");
-        await new Promise(resolve => setTimeout(resolve, 2000));
-        const val2 = await cache.get('test_key');
-        console.log(`After 2s get: ${val2}`);
-        if (!val2) {
-            console.error("FAIL: Value expired after 2s (likely overflow)!");
-        } else {
-            console.log("SUCCESS: Cache handles large TTL.");
-        }
-    }
-}
-testTTL().catch(console.error);

package/verify_fix_logic.ts DELETED Viewed

@@ -1,84 +0,0 @@
-const CLOCK_TOLERANCE_MS = 60000;
-const MAX_TIMEOUT_VAL = 2147483647;
-let licenceExpiryTimer: NodeJS.Timeout | null = null;
-let licenceExpired = false;
-function getUtcNowMs() {
-    return Date.now();
-}
-function normalizeEpochMs(epoch: number | string): number | null {
-    const epochNum = Number(epoch);
-    if (!epochNum || Number.isNaN(epochNum)) {
-        return null;
-    }
-    if (epochNum < 1_000_000_000_000) {
-        return epochNum * 1000;
-    }
-    return epochNum;
-}
-function markLicenceExpired() {
-    licenceExpired = true;
-    console.log("Licence marked as expired!");
-}
-function scheduleLicenceShutdown(licEndMs: number) {
-    if (!licEndMs) {
-        return;
-    }
-    const now = getUtcNowMs();
-    const delay = (licEndMs + CLOCK_TOLERANCE_MS) - now;
-    console.log(`Scheduling shutdown. LicEnd: ${licEndMs}, Now: ${now}, Full Delay: ${delay}`);
-    if (delay <= 0) {
-        console.log('Licence expired immediately (including tolerance).');
-        markLicenceExpired();
-        return;
-    }
-    if (licenceExpiryTimer) {
-        clearTimeout(licenceExpiryTimer);
-    }
-    // Check if delay fits in 32-bit int
-    const safeDelay = Math.min(delay, MAX_TIMEOUT_VAL);
-    console.log(`Setting timeout for ${safeDelay}ms`);
-    // In a real test we can't wait 24 days, so we'll just assert the logic is sound.
-    // If safeDelay < delay, it means we need to reschedule.
-    if (safeDelay < delay) {
-        console.log("Delay exceeds max timeout, scheduling recursive check...");
-    }
-    licenceExpiryTimer = setTimeout(() => {
-        const remaining = (licEndMs + CLOCK_TOLERANCE_MS) - getUtcNowMs();
-        console.log(`Timeout fired. Remaining: ${remaining}`);
-        if (remaining <= 0) {
-            markLicenceExpired();
-        } else {
-            scheduleLicenceShutdown(licEndMs);
-        }
-    }, Math.min(safeDelay, 1000)); // Override delay to 1s for test execution
-}
-// Test Case
-const licEndString = "1774981740000"; // Future date (approx 50 days from 2026-02-09)
-const licEndMs = normalizeEpochMs(licEndString);
-if (licEndMs) {
-    console.log(`Normalized LicEnd: ${licEndMs}`);
-    scheduleLicenceShutdown(licEndMs);
-} else {
-    console.error("Failed to normalize epoch");
-}
-// Wait for the test simulation
-setTimeout(() => {
-    console.log("Test finished.");
-}, 2000);