ecrs-auth-core 1.0.63 → 1.0.64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/auth.module.js +152 -155
  2. package/dist/guards/api-key.guard.d.ts +15 -17
  3. package/dist/guards/api-key.guard.js +182 -195
  4. package/dist/index.d.ts +28 -29
  5. package/dist/index.js +51 -53
  6. package/package.json +1 -1
  7. package/dist/services/encryption.service.d.ts +0 -16
  8. package/dist/services/encryption.service.js +0 -70
package/dist/auth.module.js CHANGED
@@ -1,155 +1,152 @@
1
- "use strict";
2
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
- return c > 3 && r && Object.defineProperty(target, key, r), r;
7
- };
8
- var AuthCoreModule_1;
9
- Object.defineProperty(exports, "__esModule", { value: true });
10
- exports.AuthCoreModule = exports.AUTH_CORE_OPTIONS = void 0;
11
- const common_1 = require("@nestjs/common");
12
- const jwt_1 = require("@nestjs/jwt");
13
- const auth_service_1 = require("./auth.service");
14
- const auth_controller_1 = require("./auth.controller");
15
- const jwt_strategy_1 = require("./jwt/jwt.strategy");
16
- const jwt_guard_1 = require("./jwt/jwt.guard");
17
- const module_guard_1 = require("./guards/module.guard");
18
- const roles_guard_1 = require("./guards/roles.guard");
19
- const feature_guard_1 = require("./guards/feature.guard");
20
- const route_guard_1 = require("./guards/route.guard");
21
- const permission_guard_1 = require("./guards/permission.guard");
22
- const api_key_guard_1 = require("./guards/api-key.guard");
23
- const encryption_service_1 = require("./services/encryption.service");
24
- exports.AUTH_CORE_OPTIONS = 'AUTH_CORE_OPTIONS';
25
- // @Global()
26
- // @Module({})
27
- // export class AuthCoreModule {
28
- // static registerAsync(options: {
29
- // inject: any[];
30
- // useFactory: (...args: any[]) => Promise<AuthCoreOptions>;
31
- // }): DynamicModule {
32
- // const asyncProvider = {
33
- // provide: AUTH_CORE_OPTIONS,
34
- // inject: options.inject,
35
- // useFactory: options.useFactory,
36
- // };
37
- // return {
38
- // module: AuthCoreModule,
39
- // imports: [
40
- // JwtModule.registerAsync({
41
- // inject: options.inject,
42
- // useFactory: async (...args: any[]) => {
43
- // const config = await options.useFactory(...args);
44
- // console.log("🔐 JWT Secret from AUTH_CORE_OPTIONS:", config.jwtSecret);
45
- // console.log("⏳ JWT Expiry:", config.jwtExpiresIn);
46
- // return {
47
- // secret: config.jwtSecret,
48
- // signOptions: { expiresIn: config.jwtExpiresIn },
49
- // };
50
- // },
51
- // }),
52
- // ],
53
- // providers: [
54
- // asyncProvider,
55
- // {
56
- // provide: 'MODULE_CONFIG',
57
- // useFactory: (options: AuthCoreOptions) => options.moduleConfig || {},
58
- // inject: [AUTH_CORE_OPTIONS],
59
- // },
60
- // AuthService,
61
- // JwtStrategy,
62
- // JwtAuthGuard,
63
- // ModuleGuard,
64
- // RolesGuard,
65
- // FeatureGuard,
66
- // RouteGuard,
67
- // PermissionGuard,
68
- // ],
69
- // controllers: [AuthController],
70
- // exports: [
71
- // AuthService,
72
- // JwtStrategy,
73
- // JwtAuthGuard,
74
- // ModuleGuard,
75
- // RolesGuard,
76
- // FeatureGuard,
77
- // RouteGuard,
78
- // PermissionGuard,
79
- // JwtModule,
80
- // ],
81
- // };
82
- // }
83
- // }
84
- let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
85
- static registerAsync(options) {
86
- const asyncProvider = {
87
- provide: exports.AUTH_CORE_OPTIONS,
88
- inject: options.inject,
89
- useFactory: options.useFactory,
90
- };
91
- return {
92
- module: AuthCoreModule_1,
93
- imports: [
94
- jwt_1.JwtModule.registerAsync({
95
- inject: options.inject,
96
- useFactory: async (...args) => {
97
- const config = await options.useFactory(...args);
98
- console.log('🔐 JWT Secret from AUTH_CORE_OPTIONS:', config.jwtSecret);
99
- console.log('⏳ JWT Expiry:', config.jwtExpiresIn);
100
- return {
101
- secret: config.jwtSecret,
102
- signOptions: { expiresIn: config.jwtExpiresIn },
103
- };
104
- },
105
- }),
106
- ],
107
- providers: [
108
- asyncProvider,
109
- {
110
- provide: 'MODULE_CONFIG',
111
- useFactory: (opts) => opts.moduleConfig || {},
112
- inject: [exports.AUTH_CORE_OPTIONS],
113
- },
114
- {
115
- provide: 'API_KEY_REPOSITORY',
116
- useFactory: (opts) => opts.repositories?.apiKeyRepo || null,
117
- inject: [exports.AUTH_CORE_OPTIONS],
118
- },
119
- encryption_service_1.EncryptionService,
120
- auth_service_1.AuthService,
121
- jwt_strategy_1.JwtStrategy,
122
- jwt_guard_1.JwtAuthGuard,
123
- module_guard_1.ModuleGuard,
124
- roles_guard_1.RolesGuard,
125
- feature_guard_1.FeatureGuard,
126
- route_guard_1.RouteGuard,
127
- permission_guard_1.PermissionGuard,
128
- api_key_guard_1.ApiKeyGuard,
129
- ],
130
- controllers: [auth_controller_1.AuthController],
131
- exports: [
132
- // ⬇️ export these so Superadmin can resolve guard deps
133
- exports.AUTH_CORE_OPTIONS,
134
- 'MODULE_CONFIG',
135
- 'API_KEY_REPOSITORY',
136
- jwt_1.JwtModule,
137
- auth_service_1.AuthService,
138
- encryption_service_1.EncryptionService,
139
- jwt_strategy_1.JwtStrategy,
140
- jwt_guard_1.JwtAuthGuard,
141
- module_guard_1.ModuleGuard,
142
- roles_guard_1.RolesGuard,
143
- feature_guard_1.FeatureGuard,
144
- route_guard_1.RouteGuard,
145
- permission_guard_1.PermissionGuard,
146
- api_key_guard_1.ApiKeyGuard,
147
- ],
148
- };
149
- }
150
- };
151
- exports.AuthCoreModule = AuthCoreModule;
152
- exports.AuthCoreModule = AuthCoreModule = AuthCoreModule_1 = __decorate([
153
- (0, common_1.Global)(),
154
- (0, common_1.Module)({})
155
- ], AuthCoreModule);
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var AuthCoreModule_1;
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.AuthCoreModule = exports.AUTH_CORE_OPTIONS = void 0;
11
+ const common_1 = require("@nestjs/common");
12
+ const jwt_1 = require("@nestjs/jwt");
13
+ const auth_service_1 = require("./auth.service");
14
+ const auth_controller_1 = require("./auth.controller");
15
+ const jwt_strategy_1 = require("./jwt/jwt.strategy");
16
+ const jwt_guard_1 = require("./jwt/jwt.guard");
17
+ const module_guard_1 = require("./guards/module.guard");
18
+ const roles_guard_1 = require("./guards/roles.guard");
19
+ const feature_guard_1 = require("./guards/feature.guard");
20
+ const route_guard_1 = require("./guards/route.guard");
21
+ const permission_guard_1 = require("./guards/permission.guard");
22
+ const api_key_guard_1 = require("./guards/api-key.guard");
23
+ exports.AUTH_CORE_OPTIONS = 'AUTH_CORE_OPTIONS';
24
+ // @Global()
25
+ // @Module({})
26
+ // export class AuthCoreModule {
27
+ // static registerAsync(options: {
28
+ // inject: any[];
29
+ // useFactory: (...args: any[]) => Promise<AuthCoreOptions>;
30
+ // }): DynamicModule {
31
+ // const asyncProvider = {
32
+ // provide: AUTH_CORE_OPTIONS,
33
+ // inject: options.inject,
34
+ // useFactory: options.useFactory,
35
+ // };
36
+ // return {
37
+ // module: AuthCoreModule,
38
+ // imports: [
39
+ // JwtModule.registerAsync({
40
+ // inject: options.inject,
41
+ // useFactory: async (...args: any[]) => {
42
+ // const config = await options.useFactory(...args);
43
+ // console.log("🔐 JWT Secret from AUTH_CORE_OPTIONS:", config.jwtSecret);
44
+ // console.log(" JWT Expiry:", config.jwtExpiresIn);
45
+ // return {
46
+ // secret: config.jwtSecret,
47
+ // signOptions: { expiresIn: config.jwtExpiresIn },
48
+ // };
49
+ // },
50
+ // }),
51
+ // ],
52
+ // providers: [
53
+ // asyncProvider,
54
+ // {
55
+ // provide: 'MODULE_CONFIG',
56
+ // useFactory: (options: AuthCoreOptions) => options.moduleConfig || {},
57
+ // inject: [AUTH_CORE_OPTIONS],
58
+ // },
59
+ // AuthService,
60
+ // JwtStrategy,
61
+ // JwtAuthGuard,
62
+ // ModuleGuard,
63
+ // RolesGuard,
64
+ // FeatureGuard,
65
+ // RouteGuard,
66
+ // PermissionGuard,
67
+ // ],
68
+ // controllers: [AuthController],
69
+ // exports: [
70
+ // AuthService,
71
+ // JwtStrategy,
72
+ // JwtAuthGuard,
73
+ // ModuleGuard,
74
+ // RolesGuard,
75
+ // FeatureGuard,
76
+ // RouteGuard,
77
+ // PermissionGuard,
78
+ // JwtModule,
79
+ // ],
80
+ // };
81
+ // }
82
+ // }
83
+ let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
84
+ static registerAsync(options) {
85
+ const asyncProvider = {
86
+ provide: exports.AUTH_CORE_OPTIONS,
87
+ inject: options.inject,
88
+ useFactory: options.useFactory,
89
+ };
90
+ return {
91
+ module: AuthCoreModule_1,
92
+ imports: [
93
+ jwt_1.JwtModule.registerAsync({
94
+ inject: options.inject,
95
+ useFactory: async (...args) => {
96
+ const config = await options.useFactory(...args);
97
+ console.log('🔐 JWT Secret from AUTH_CORE_OPTIONS:', config.jwtSecret);
98
+ console.log(' JWT Expiry:', config.jwtExpiresIn);
99
+ return {
100
+ secret: config.jwtSecret,
101
+ signOptions: { expiresIn: config.jwtExpiresIn },
102
+ };
103
+ },
104
+ }),
105
+ ],
106
+ providers: [
107
+ asyncProvider,
108
+ {
109
+ provide: 'MODULE_CONFIG',
110
+ useFactory: (opts) => opts.moduleConfig || {},
111
+ inject: [exports.AUTH_CORE_OPTIONS],
112
+ },
113
+ {
114
+ provide: 'API_KEY_REPOSITORY',
115
+ useFactory: (opts) => opts.repositories?.apiKeyRepo || null,
116
+ inject: [exports.AUTH_CORE_OPTIONS],
117
+ },
118
+ auth_service_1.AuthService,
119
+ jwt_strategy_1.JwtStrategy,
120
+ jwt_guard_1.JwtAuthGuard,
121
+ module_guard_1.ModuleGuard,
122
+ roles_guard_1.RolesGuard,
123
+ feature_guard_1.FeatureGuard,
124
+ route_guard_1.RouteGuard,
125
+ permission_guard_1.PermissionGuard,
126
+ api_key_guard_1.ApiKeyGuard,
127
+ ],
128
+ controllers: [auth_controller_1.AuthController],
129
+ exports: [
130
+ // ⬇️ export these so Superadmin can resolve guard deps
131
+ exports.AUTH_CORE_OPTIONS,
132
+ 'MODULE_CONFIG',
133
+ 'API_KEY_REPOSITORY',
134
+ jwt_1.JwtModule,
135
+ auth_service_1.AuthService,
136
+ jwt_strategy_1.JwtStrategy,
137
+ jwt_guard_1.JwtAuthGuard,
138
+ module_guard_1.ModuleGuard,
139
+ roles_guard_1.RolesGuard,
140
+ feature_guard_1.FeatureGuard,
141
+ route_guard_1.RouteGuard,
142
+ permission_guard_1.PermissionGuard,
143
+ api_key_guard_1.ApiKeyGuard,
144
+ ],
145
+ };
146
+ }
147
+ };
148
+ exports.AuthCoreModule = AuthCoreModule;
149
+ exports.AuthCoreModule = AuthCoreModule = AuthCoreModule_1 = __decorate([
150
+ (0, common_1.Global)(),
151
+ (0, common_1.Module)({})
152
+ ], AuthCoreModule);
package/dist/guards/api-key.guard.d.ts CHANGED
@@ -1,17 +1,15 @@
1
- import { CanActivate, ExecutionContext } from '@nestjs/common';
2
- import { Reflector } from '@nestjs/core';
3
- import { Repository } from 'typeorm';
4
- import { ApiKeyEntity } from '../entities/api-key.entity';
5
- import { EncryptionService } from '../services/encryption.service';
6
- export declare class ApiKeyGuard implements CanActivate {
7
- private readonly reflector;
8
- private readonly encryptionService;
9
- private apiKeyRepo;
10
- private rateLimitMap;
11
- constructor(reflector: Reflector, encryptionService: EncryptionService, apiKeyRepository?: Repository<ApiKeyEntity>);
12
- canActivate(context: ExecutionContext): Promise<boolean>;
13
- private extractApiKey;
14
- private validateApiKey;
15
- private getClientIp;
16
- private checkRateLimit;
17
- }
1
+ import { CanActivate, ExecutionContext } from '@nestjs/common';
2
+ import { Reflector } from '@nestjs/core';
3
+ import { Repository } from 'typeorm';
4
+ import { ApiKeyEntity } from '../entities/api-key.entity';
5
+ export declare class ApiKeyGuard implements CanActivate {
6
+ private readonly reflector;
7
+ private apiKeyRepo;
8
+ private rateLimitMap;
9
+ constructor(reflector: Reflector, apiKeyRepository?: Repository<ApiKeyEntity>);
10
+ canActivate(context: ExecutionContext): Promise<boolean>;
11
+ private extractApiKey;
12
+ private validateApiKey;
13
+ private getClientIp;
14
+ private checkRateLimit;
15
+ }
package/dist/guards/api-key.guard.js CHANGED
@@ -1,195 +1,182 @@
1
- "use strict";
2
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
- return c > 3 && r && Object.defineProperty(target, key, r), r;
7
- };
8
- var __metadata = (this && this.__metadata) || function (k, v) {
9
- if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
- };
11
- var __param = (this && this.__param) || function (paramIndex, decorator) {
12
- return function (target, key) { decorator(target, key, paramIndex); }
13
- };
14
- Object.defineProperty(exports, "__esModule", { value: true });
15
- exports.ApiKeyGuard = void 0;
16
- const common_1 = require("@nestjs/common");
17
- const core_1 = require("@nestjs/core");
18
- const typeorm_1 = require("typeorm");
19
- const encryption_service_1 = require("../services/encryption.service");
20
- let ApiKeyGuard = class ApiKeyGuard {
21
- constructor(reflector, encryptionService, apiKeyRepository) {
22
- this.reflector = reflector;
23
- this.encryptionService = encryptionService;
24
- this.rateLimitMap = new Map();
25
- if (apiKeyRepository) {
26
- this.apiKeyRepo = apiKeyRepository;
27
- }
28
- }
29
- async canActivate(context) {
30
- const options = this.reflector.get('api_key_options', context.getHandler());
31
- // If no @ApiKey decorator is present, skip this guard
32
- if (!options) {
33
- return true;
34
- }
35
- const request = context.switchToHttp().getRequest();
36
- const apiKey = this.extractApiKey(request);
37
- if (!apiKey) {
38
- throw new common_1.UnauthorizedException('API key is missing');
39
- }
40
- // Validate API key
41
- const validation = await this.validateApiKey(apiKey, request, options);
42
- if (!validation.valid) {
43
- throw new common_1.UnauthorizedException(validation.message || 'Invalid API key');
44
- }
45
- // Attach API key info to request for downstream use
46
- request.apiKey = validation.apiKey;
47
- request.apiKeyClient = {
48
- id: validation.apiKey?.id,
49
- clientName: validation.apiKey?.clientName,
50
- scope: validation.apiKey?.scope,
51
- };
52
- return true;
53
- }
54
- extractApiKey(request) {
55
- // Check 'X-API-Key' header
56
- const headerKey = request.headers['x-api-key'];
57
- if (headerKey) {
58
- return headerKey;
59
- }
60
- // Check 'api_key' query parameter
61
- if (request.query?.api_key) {
62
- return request.query.api_key;
63
- }
64
- // Check Authorization header (format: 'ApiKey <key>')
65
- const authHeader = request.headers.authorization;
66
- if (authHeader && authHeader.startsWith('ApiKey ')) {
67
- return authHeader.substring(7);
68
- }
69
- return null;
70
- }
71
- async validateApiKey(apiKey, request, options) {
72
- if (!this.apiKeyRepo) {
73
- return { valid: false, message: 'API key validation not configured' };
74
- }
75
- // Find all active API keys and compare hashes
76
- const records = await this.apiKeyRepo.find({
77
- where: { isActive: true },
78
- });
79
- let record = null;
80
- // Compare incoming key with hashed keys in database
81
- for (const dbRecord of records) {
82
- const isMatch = await this.encryptionService.compareKey(apiKey, dbRecord.key);
83
- if (isMatch) {
84
- record = dbRecord;
85
- break;
86
- }
87
- }
88
- if (!record) {
89
- return { valid: false, message: 'API key not found or inactive' };
90
- }
91
- // Check scope
92
- const requiredScope = options.scope || 'common';
93
- if (record.scope !== 'common' && record.scope !== requiredScope) {
94
- return {
95
- valid: false,
96
- message: `API key scope '${record.scope}' does not match required scope '${requiredScope}'`,
97
- };
98
- }
99
- // Check IP whitelist
100
- if (record.allowedIps) {
101
- const clientIp = this.getClientIp(request);
102
- const allowedIps = record.allowedIps.split(',').map((ip) => ip.trim());
103
- if (!allowedIps.includes(clientIp)) {
104
- return {
105
- valid: false,
106
- message: `Client IP '${clientIp}' is not whitelisted`,
107
- };
108
- }
109
- }
110
- // Check endpoint restriction
111
- if (record.allowedEndpoints) {
112
- const requestEndpoint = `${request.method} ${request.path}`;
113
- const allowedEndpoints = record.allowedEndpoints
114
- .split(',')
115
- .map((ep) => ep.trim());
116
- const isAllowed = allowedEndpoints.some((ep) => {
117
- // Support wildcard matching (e.g., 'GET /spot/*')
118
- if (ep.includes('*')) {
119
- const pattern = ep.replace(/\*/g, '.*');
120
- return new RegExp(`^${pattern}$`).test(requestEndpoint);
121
- }
122
- return ep === requestEndpoint;
123
- });
124
- if (!isAllowed) {
125
- return {
126
- valid: false,
127
- message: `Endpoint '${requestEndpoint}' is not allowed for this API key`,
128
- };
129
- }
130
- }
131
- // Check rate limit
132
- if (record.rateLimit) {
133
- const isRateLimited = this.checkRateLimit(apiKey, record.rateLimit);
134
- if (isRateLimited) {
135
- return {
136
- valid: false,
137
- message: `Rate limit exceeded (${record.rateLimit} requests per minute)`,
138
- };
139
- }
140
- }
141
- // Update last used timestamp
142
- if (this.apiKeyRepo) {
143
- await this.apiKeyRepo.update(record.id, {
144
- lastUsedAt: Date.now(),
145
- });
146
- }
147
- return { valid: true, apiKey: record };
148
- }
149
- getClientIp(request) {
150
- // Support common proxy headers
151
- const xForwardedFor = request.headers['x-forwarded-for'];
152
- if (xForwardedFor) {
153
- return xForwardedFor.split(',')[0].trim();
154
- }
155
- const xRealIp = request.headers['x-real-ip'];
156
- if (xRealIp) {
157
- return xRealIp;
158
- }
159
- return request.ip || request.connection.remoteAddress || 'unknown';
160
- }
161
- checkRateLimit(apiKey, rateLimit) {
162
- const now = Date.now();
163
- const limitData = this.rateLimitMap.get(apiKey);
164
- if (!limitData) {
165
- // First request, initialize
166
- this.rateLimitMap.set(apiKey, {
167
- count: 1,
168
- resetTime: now + 60000, // 1 minute
169
- });
170
- return false;
171
- }
172
- if (now > limitData.resetTime) {
173
- // Reset window expired
174
- this.rateLimitMap.set(apiKey, {
175
- count: 1,
176
- resetTime: now + 60000,
177
- });
178
- return false;
179
- }
180
- // Still within window
181
- if (limitData.count >= rateLimit) {
182
- return true;
183
- }
184
- limitData.count++;
185
- return false;
186
- }
187
- };
188
- exports.ApiKeyGuard = ApiKeyGuard;
189
- exports.ApiKeyGuard = ApiKeyGuard = __decorate([
190
- (0, common_1.Injectable)(),
191
- __param(2, (0, common_1.Inject)('API_KEY_REPOSITORY')),
192
- __metadata("design:paramtypes", [core_1.Reflector,
193
- encryption_service_1.EncryptionService,
194
- typeorm_1.Repository])
195
- ], ApiKeyGuard);
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ var __param = (this && this.__param) || function (paramIndex, decorator) {
12
+ return function (target, key) { decorator(target, key, paramIndex); }
13
+ };
14
+ Object.defineProperty(exports, "__esModule", { value: true });
15
+ exports.ApiKeyGuard = void 0;
16
+ const common_1 = require("@nestjs/common");
17
+ const core_1 = require("@nestjs/core");
18
+ const typeorm_1 = require("typeorm");
19
+ let ApiKeyGuard = class ApiKeyGuard {
20
+ constructor(reflector, apiKeyRepository) {
21
+ this.reflector = reflector;
22
+ this.rateLimitMap = new Map();
23
+ if (apiKeyRepository) {
24
+ this.apiKeyRepo = apiKeyRepository;
25
+ }
26
+ }
27
+ async canActivate(context) {
28
+ const options = this.reflector.get('api_key_options', context.getHandler());
29
+ // If no @ApiKey decorator is present, skip this guard
30
+ if (!options) {
31
+ return true;
32
+ }
33
+ const request = context.switchToHttp().getRequest();
34
+ const apiKey = this.extractApiKey(request);
35
+ if (!apiKey) {
36
+ throw new common_1.UnauthorizedException('API key is missing');
37
+ }
38
+ // Validate API key
39
+ const validation = await this.validateApiKey(apiKey, request, options);
40
+ if (!validation.valid) {
41
+ throw new common_1.UnauthorizedException(validation.message || 'Invalid API key');
42
+ }
43
+ // Attach API key info to request for downstream use
44
+ request.apiKey = validation.apiKey;
45
+ request.apiKeyClient = {
46
+ id: validation.apiKey?.id,
47
+ clientName: validation.apiKey?.clientName,
48
+ scope: validation.apiKey?.scope,
49
+ };
50
+ return true;
51
+ }
52
+ extractApiKey(request) {
53
+ // Check 'X-API-Key' header
54
+ const headerKey = request.headers['x-api-key'];
55
+ if (headerKey) {
56
+ return headerKey;
57
+ }
58
+ // Check 'api_key' query parameter
59
+ if (request.query?.api_key) {
60
+ return request.query.api_key;
61
+ }
62
+ // Check Authorization header (format: 'ApiKey <key>')
63
+ const authHeader = request.headers.authorization;
64
+ if (authHeader && authHeader.startsWith('ApiKey ')) {
65
+ return authHeader.substring(7);
66
+ }
67
+ return null;
68
+ }
69
+ async validateApiKey(apiKey, request, options) {
70
+ if (!this.apiKeyRepo) {
71
+ return { valid: false, message: 'API key validation not configured' };
72
+ }
73
+ const record = await this.apiKeyRepo.findOne({
74
+ where: { key: apiKey, isActive: true },
75
+ });
76
+ if (!record) {
77
+ return { valid: false, message: 'API key not found or inactive' };
78
+ }
79
+ // Check scope
80
+ const requiredScope = options.scope || 'common';
81
+ if (record.scope !== 'common' && record.scope !== requiredScope) {
82
+ return {
83
+ valid: false,
84
+ message: `API key scope '${record.scope}' does not match required scope '${requiredScope}'`,
85
+ };
86
+ }
87
+ // Check IP whitelist
88
+ if (record.allowedIps) {
89
+ const clientIp = this.getClientIp(request);
90
+ const allowedIps = record.allowedIps.split(',').map((ip) => ip.trim());
91
+ if (!allowedIps.includes(clientIp)) {
92
+ return {
93
+ valid: false,
94
+ message: `Client IP '${clientIp}' is not whitelisted`,
95
+ };
96
+ }
97
+ }
98
+ // Check endpoint restriction
99
+ if (record.allowedEndpoints) {
100
+ const requestEndpoint = `${request.method} ${request.path}`;
101
+ const allowedEndpoints = record.allowedEndpoints
102
+ .split(',')
103
+ .map((ep) => ep.trim());
104
+ const isAllowed = allowedEndpoints.some((ep) => {
105
+ // Support wildcard matching (e.g., 'GET /spot/*')
106
+ if (ep.includes('*')) {
107
+ const pattern = ep.replace(/\*/g, '.*');
108
+ return new RegExp(`^${pattern}$`).test(requestEndpoint);
109
+ }
110
+ return ep === requestEndpoint;
111
+ });
112
+ if (!isAllowed) {
113
+ return {
114
+ valid: false,
115
+ message: `Endpoint '${requestEndpoint}' is not allowed for this API key`,
116
+ };
117
+ }
118
+ }
119
+ // Check rate limit
120
+ if (record.rateLimit) {
121
+ const isRateLimited = this.checkRateLimit(apiKey, record.rateLimit);
122
+ if (isRateLimited) {
123
+ return {
124
+ valid: false,
125
+ message: `Rate limit exceeded (${record.rateLimit} requests per minute)`,
126
+ };
127
+ }
128
+ }
129
+ // Update last used timestamp
130
+ if (this.apiKeyRepo) {
131
+ await this.apiKeyRepo.update(record.id, {
132
+ lastUsedAt: Date.now(),
133
+ });
134
+ }
135
+ return { valid: true, apiKey: record };
136
+ }
137
+ getClientIp(request) {
138
+ // Support common proxy headers
139
+ const xForwardedFor = request.headers['x-forwarded-for'];
140
+ if (xForwardedFor) {
141
+ return xForwardedFor.split(',')[0].trim();
142
+ }
143
+ const xRealIp = request.headers['x-real-ip'];
144
+ if (xRealIp) {
145
+ return xRealIp;
146
+ }
147
+ return request.ip || request.connection.remoteAddress || 'unknown';
148
+ }
149
+ checkRateLimit(apiKey, rateLimit) {
150
+ const now = Date.now();
151
+ const limitData = this.rateLimitMap.get(apiKey);
152
+ if (!limitData) {
153
+ // First request, initialize
154
+ this.rateLimitMap.set(apiKey, {
155
+ count: 1,
156
+ resetTime: now + 60000, // 1 minute
157
+ });
158
+ return false;
159
+ }
160
+ if (now > limitData.resetTime) {
161
+ // Reset window expired
162
+ this.rateLimitMap.set(apiKey, {
163
+ count: 1,
164
+ resetTime: now + 60000,
165
+ });
166
+ return false;
167
+ }
168
+ // Still within window
169
+ if (limitData.count >= rateLimit) {
170
+ return true;
171
+ }
172
+ limitData.count++;
173
+ return false;
174
+ }
175
+ };
176
+ exports.ApiKeyGuard = ApiKeyGuard;
177
+ exports.ApiKeyGuard = ApiKeyGuard = __decorate([
178
+ (0, common_1.Injectable)(),
179
+ __param(1, (0, common_1.Inject)('API_KEY_REPOSITORY')),
180
+ __metadata("design:paramtypes", [core_1.Reflector,
181
+ typeorm_1.Repository])
182
+ ], ApiKeyGuard);
package/dist/index.d.ts CHANGED
@@ -1,29 +1,28 @@
1
- export * from './auth.module';
2
- export * from './auth.service';
3
- export * from './dtos/login.dto';
4
- export * from './dtos/login-response.dto';
5
- export * from './decorators/current-user.decorator';
6
- export * from './decorators/feature.decorator';
7
- export * from './decorators/has-permission.decorator';
8
- export * from './decorators/roles.decorator';
9
- export * from './decorators/route-permission.decorator';
10
- export * from './decorators/api-key.decorator';
11
- export * from './guards/module.guard';
12
- export * from './guards/roles.guard';
13
- export * from './guards/feature.guard';
14
- export * from './guards/route.guard';
15
- export * from './guards/permission.guard';
16
- export * from './guards/api-key.guard';
17
- export * from './jwt/jwt.guard';
18
- export * from './jwt/jwt.strategy';
19
- export * from './services/encryption.service';
20
- export * from './interfaces/auth-core-options.interface';
21
- export * from './entities/user.entity';
22
- export * from './entities/role.entity';
23
- export * from './entities/module.entity';
24
- export * from './entities/feature.entity';
25
- export * from './entities/module-route.entity';
26
- export * from './entities/user-feature-access.entity';
27
- export * from './entities/user-module-access.entity';
28
- export * from './entities/module-screen-permission.entity';
29
- export * from './entities/api-key.entity';
1
+ export * from './auth.module';
2
+ export * from './auth.service';
3
+ export * from './dtos/login.dto';
4
+ export * from './dtos/login-response.dto';
5
+ export * from './decorators/current-user.decorator';
6
+ export * from './decorators/feature.decorator';
7
+ export * from './decorators/has-permission.decorator';
8
+ export * from './decorators/roles.decorator';
9
+ export * from './decorators/route-permission.decorator';
10
+ export * from './decorators/api-key.decorator';
11
+ export * from './guards/module.guard';
12
+ export * from './guards/roles.guard';
13
+ export * from './guards/feature.guard';
14
+ export * from './guards/route.guard';
15
+ export * from './guards/permission.guard';
16
+ export * from './guards/api-key.guard';
17
+ export * from './jwt/jwt.guard';
18
+ export * from './jwt/jwt.strategy';
19
+ export * from './interfaces/auth-core-options.interface';
20
+ export * from './entities/user.entity';
21
+ export * from './entities/role.entity';
22
+ export * from './entities/module.entity';
23
+ export * from './entities/feature.entity';
24
+ export * from './entities/module-route.entity';
25
+ export * from './entities/user-feature-access.entity';
26
+ export * from './entities/user-module-access.entity';
27
+ export * from './entities/module-screen-permission.entity';
28
+ export * from './entities/api-key.entity';
package/dist/index.js CHANGED
@@ -1,53 +1,51 @@
1
- "use strict";
2
- // src/index.ts
3
- var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
4
- if (k2 === undefined) k2 = k;
5
- var desc = Object.getOwnPropertyDescriptor(m, k);
6
- if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
7
- desc = { enumerable: true, get: function() { return m[k]; } };
8
- }
9
- Object.defineProperty(o, k2, desc);
10
- }) : (function(o, m, k, k2) {
11
- if (k2 === undefined) k2 = k;
12
- o[k2] = m[k];
13
- }));
14
- var __exportStar = (this && this.__exportStar) || function(m, exports) {
15
- for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
16
- };
17
- Object.defineProperty(exports, "__esModule", { value: true });
18
- __exportStar(require("./auth.module"), exports);
19
- __exportStar(require("./auth.service"), exports);
20
- // DTOs
21
- __exportStar(require("./dtos/login.dto"), exports);
22
- __exportStar(require("./dtos/login-response.dto"), exports);
23
- // Decorators
24
- __exportStar(require("./decorators/current-user.decorator"), exports);
25
- __exportStar(require("./decorators/feature.decorator"), exports);
26
- __exportStar(require("./decorators/has-permission.decorator"), exports);
27
- __exportStar(require("./decorators/roles.decorator"), exports);
28
- __exportStar(require("./decorators/route-permission.decorator"), exports);
29
- __exportStar(require("./decorators/api-key.decorator"), exports);
30
- // Guards
31
- __exportStar(require("./guards/module.guard"), exports);
32
- __exportStar(require("./guards/roles.guard"), exports);
33
- __exportStar(require("./guards/feature.guard"), exports);
34
- __exportStar(require("./guards/route.guard"), exports);
35
- __exportStar(require("./guards/permission.guard"), exports);
36
- __exportStar(require("./guards/api-key.guard"), exports);
37
- // JWT
38
- __exportStar(require("./jwt/jwt.guard"), exports);
39
- __exportStar(require("./jwt/jwt.strategy"), exports);
40
- // Services
41
- __exportStar(require("./services/encryption.service"), exports);
42
- // Interfaces
43
- __exportStar(require("./interfaces/auth-core-options.interface"), exports);
44
- // ✅ Entities
45
- __exportStar(require("./entities/user.entity"), exports);
46
- __exportStar(require("./entities/role.entity"), exports);
47
- __exportStar(require("./entities/module.entity"), exports);
48
- __exportStar(require("./entities/feature.entity"), exports);
49
- __exportStar(require("./entities/module-route.entity"), exports);
50
- __exportStar(require("./entities/user-feature-access.entity"), exports);
51
- __exportStar(require("./entities/user-module-access.entity"), exports);
52
- __exportStar(require("./entities/module-screen-permission.entity"), exports);
53
- __exportStar(require("./entities/api-key.entity"), exports);
1
+ "use strict";
2
+ // src/index.ts
3
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
4
+ if (k2 === undefined) k2 = k;
5
+ var desc = Object.getOwnPropertyDescriptor(m, k);
6
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
7
+ desc = { enumerable: true, get: function() { return m[k]; } };
8
+ }
9
+ Object.defineProperty(o, k2, desc);
10
+ }) : (function(o, m, k, k2) {
11
+ if (k2 === undefined) k2 = k;
12
+ o[k2] = m[k];
13
+ }));
14
+ var __exportStar = (this && this.__exportStar) || function(m, exports) {
15
+ for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
16
+ };
17
+ Object.defineProperty(exports, "__esModule", { value: true });
18
+ __exportStar(require("./auth.module"), exports);
19
+ __exportStar(require("./auth.service"), exports);
20
+ // DTOs
21
+ __exportStar(require("./dtos/login.dto"), exports);
22
+ __exportStar(require("./dtos/login-response.dto"), exports);
23
+ // Decorators
24
+ __exportStar(require("./decorators/current-user.decorator"), exports);
25
+ __exportStar(require("./decorators/feature.decorator"), exports);
26
+ __exportStar(require("./decorators/has-permission.decorator"), exports);
27
+ __exportStar(require("./decorators/roles.decorator"), exports);
28
+ __exportStar(require("./decorators/route-permission.decorator"), exports);
29
+ __exportStar(require("./decorators/api-key.decorator"), exports);
30
+ // Guards
31
+ __exportStar(require("./guards/module.guard"), exports);
32
+ __exportStar(require("./guards/roles.guard"), exports);
33
+ __exportStar(require("./guards/feature.guard"), exports);
34
+ __exportStar(require("./guards/route.guard"), exports);
35
+ __exportStar(require("./guards/permission.guard"), exports);
36
+ __exportStar(require("./guards/api-key.guard"), exports);
37
+ // JWT
38
+ __exportStar(require("./jwt/jwt.guard"), exports);
39
+ __exportStar(require("./jwt/jwt.strategy"), exports);
40
+ // Interfaces
41
+ __exportStar(require("./interfaces/auth-core-options.interface"), exports);
42
+ // ✅ Entities
43
+ __exportStar(require("./entities/user.entity"), exports);
44
+ __exportStar(require("./entities/role.entity"), exports);
45
+ __exportStar(require("./entities/module.entity"), exports);
46
+ __exportStar(require("./entities/feature.entity"), exports);
47
+ __exportStar(require("./entities/module-route.entity"), exports);
48
+ __exportStar(require("./entities/user-feature-access.entity"), exports);
49
+ __exportStar(require("./entities/user-module-access.entity"), exports);
50
+ __exportStar(require("./entities/module-screen-permission.entity"), exports);
51
+ __exportStar(require("./entities/api-key.entity"), exports);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "ecrs-auth-core",
3
- "version": "1.0.63",
3
+ "version": "1.0.64",
4
4
  "description": "Centralized authentication and authorization module for ECRS apps",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
package/dist/services/encryption.service.d.ts DELETED
@@ -1,16 +0,0 @@
1
- export declare class EncryptionService {
2
- private readonly saltRounds;
3
- /**
4
- * Hash an API key using bcrypt
5
- * @param plainKey - The plain text API key
6
- * @returns Hashed key
7
- */
8
- hashKey(plainKey: string): Promise<string>;
9
- /**
10
- * Compare plain key with hashed key
11
- * @param plainKey - The plain text API key
12
- * @param hashedKey - The hashed key from database
13
- * @returns True if keys match, false otherwise
14
- */
15
- compareKey(plainKey: string, hashedKey: string): Promise<boolean>;
16
- }
package/dist/services/encryption.service.js DELETED
@@ -1,70 +0,0 @@
1
- "use strict";
2
- var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
3
- if (k2 === undefined) k2 = k;
4
- var desc = Object.getOwnPropertyDescriptor(m, k);
5
- if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
6
- desc = { enumerable: true, get: function() { return m[k]; } };
7
- }
8
- Object.defineProperty(o, k2, desc);
9
- }) : (function(o, m, k, k2) {
10
- if (k2 === undefined) k2 = k;
11
- o[k2] = m[k];
12
- }));
13
- var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
14
- Object.defineProperty(o, "default", { enumerable: true, value: v });
15
- }) : function(o, v) {
16
- o["default"] = v;
17
- });
18
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
19
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
20
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
21
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
22
- return c > 3 && r && Object.defineProperty(target, key, r), r;
23
- };
24
- var __importStar = (this && this.__importStar) || (function () {
25
- var ownKeys = function(o) {
26
- ownKeys = Object.getOwnPropertyNames || function (o) {
27
- var ar = [];
28
- for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
29
- return ar;
30
- };
31
- return ownKeys(o);
32
- };
33
- return function (mod) {
34
- if (mod && mod.__esModule) return mod;
35
- var result = {};
36
- if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
37
- __setModuleDefault(result, mod);
38
- return result;
39
- };
40
- })();
41
- Object.defineProperty(exports, "__esModule", { value: true });
42
- exports.EncryptionService = void 0;
43
- const common_1 = require("@nestjs/common");
44
- const bcrypt = __importStar(require("bcrypt"));
45
- let EncryptionService = class EncryptionService {
46
- constructor() {
47
- this.saltRounds = 10;
48
- }
49
- /**
50
- * Hash an API key using bcrypt
51
- * @param plainKey - The plain text API key
52
- * @returns Hashed key
53
- */
54
- async hashKey(plainKey) {
55
- return bcrypt.hash(plainKey, this.saltRounds);
56
- }
57
- /**
58
- * Compare plain key with hashed key
59
- * @param plainKey - The plain text API key
60
- * @param hashedKey - The hashed key from database
61
- * @returns True if keys match, false otherwise
62
- */
63
- async compareKey(plainKey, hashedKey) {
64
- return bcrypt.compare(plainKey, hashedKey);
65
- }
66
- };
67
- exports.EncryptionService = EncryptionService;
68
- exports.EncryptionService = EncryptionService = __decorate([
69
- (0, common_1.Injectable)()
70
- ], EncryptionService);