firstly 0.0.10 → 0.0.12

package/esm/auth/{AuthController.server.js → server/AuthController.server.js}

@@ -1,49 +1,25 @@
-import { generateCodeVerifier, generateState } from 'arctic';
-import { DEV } from 'esm-env';
-import { generateId } from 'lucia';
-import { createDate, TimeSpan } from 'oslo';
-import { remult } from 'remult';
+import { decodeHex, encodeHexLowerCase } from '@oslojs/encoding';
+import { createTOTPKeyURI, generateTOTP, verifyTOTPWithGracePeriod } from '@oslojs/otp';
+import { generateState } from 'arctic';
+import { EntityError, remult, repo } from 'remult';
 import { green, magenta, yellow } from '@kitql/helpers';
-import { AUTH_OPTIONS, getSafeOptions, lucia } from '.';
-import { sendMail } from '../mail';
-import { logAuth } from './client';
-import { FFAuthProvider } from './client/Entities.js';
-import { createOrExtendSession } from './helper';
-import { mergeRoles } from './RoleHelpers';
-async function getArgon() {
-    const { Argon2id } = await import('oslo/password');
-    return new Argon2id({
-        ...AUTH_OPTIONS.providers?.password?.argon2Settings,
-    });
-}
-async function passwordVerify(hash, password) {
-    const argon = await getArgon();
-    return await argon.verify(hash, password);
-}
-async function passwordHash(password) {
-    const argon = await getArgon();
-    return await argon.hash(password);
-}
-function checkPassword(password) {
-    if (typeof password !== 'string' || password.length < 6 || password.length > 255) {
-        throw Error('Invalid password');
-    }
-}
+import { sendMail } from '../../mail/server/index.js';
+import { FFAuthProvider } from '../Entities.js';
+import { invalidateSession } from './helperDb.js';
+import { ff_createSession } from './helperFirstly.js';
+import { createDate, generateAndEncodeToken } from './helperOslo.js';
+import { deleteSessionTokenCookie, setOAuthStateCookie, setRedirectCookie, } from './helperRemultServer.js';
+import { mergeRoles } from './helperRole.js';
+import { AUTH_OPTIONS, authModuleRaw, getSafeOptions } from './module.js';
 export class AuthControllerServer {
     /**
      * Sign out the current user
      */
     static async signOut() {
         if (remult.user?.session.id) {
-            await lucia.invalidateSession(remult.user?.session.id);
+            await invalidateSession(remult.user?.session.id);
         }
-        // Lucia is advertising for createBlankSessionCookie (and not delete Cookie)
-        // remult.context.deleteCookie(lucia.sessionCookieName, { path: '/' })
-        const sessionCookie = lucia.createBlankSessionCookie();
-        remult.context.setCookie(sessionCookie.name, sessionCookie.value, {
-            path: '/',
-            ...sessionCookie.attributes,
-        });
+        deleteSessionTokenCookie();
     }
     /**
      * Sign in with a demo account
@@ -52,58 +28,60 @@ export class AuthControllerServer {
     static async signInDemo(name) {
         const accounts = AUTH_OPTIONS.providers?.demo ?? [];
         if (accounts.length === 0) {
-            throw new Error(`Demo accounts are not enabled!`);
+            throw new EntityError({ message: `Demo accounts are not enabled!` });
         }
         const account = accounts.find((a) => a.name === name);
         if (!account) {
-            throw new Error(`${name} not found as demo account!`);
+            throw new EntityError({ message: `${name} not found as demo account!` });
         }
         const oSafe = getSafeOptions();
-        let user = await remult.repo(oSafe.User).findFirst({ identifier: name });
+        let user = await repo(oSafe.User).findFirst({ identifier: name });
         if (!user) {
-            user = remult.repo(oSafe.User).create();
+            user = repo(oSafe.User).create();
         }
         user.identifier = name;
         const r = mergeRoles(user.roles, account.roles);
         user.roles = r.roles;
-        await remult.repo(oSafe.User).save(user);
-        await createOrExtendSession(user.id);
+        await repo(oSafe.User).save(user);
+        await ff_createSession(user.id);
         return "You're in with demo account!";
     }
     /**
      * This is for login / password authentication invite
      */
-    static async invite(email) {
+    static async invite(emailParam) {
+        const email = emailParam.toLowerCase();
         const oSafe = getSafeOptions();
-        const existingAccount = await remult.repo(oSafe.Account).findOne({
+        const existingAccount = await repo(oSafe.Account).findOne({
             where: {
                 providerUserId: email,
                 provider: FFAuthProvider.PASSWORD.id,
             },
         });
         if (existingAccount) {
-            // throw Error("Already invited !")
+            // Already invited, it's all good.
         }
         else {
-            const token = generateId(40);
+            const token = generateAndEncodeToken();
             // TODO: Do we create the user or just the account ?!
             // TODO 2: Invite is by mail... But the invitee can log with another provider... So what do we do?! maybe not checking the provider... and updating?
-            // const user = await remult.repo(oSafe.User).insert({
+            // const user = await repo(oSafe.User).insert({
             //   identifier: email,
             // })
-            await remult.repo(oSafe.Account).insert({
+            oSafe.providers?.password?.verifyMailExpiresIn;
+            await repo(oSafe.Account).insert({
                 provider: FFAuthProvider.PASSWORD.id,
                 providerUserId: email,
                 // userId: user.id,
                 // hashPassword: await passwordHash(password),
                 token: token,
-                expiresAt: createDate(new TimeSpan(AUTH_OPTIONS.providers?.password?.verifyMailExpiresIn ?? 5 * 60, 's')),
+                expiresAt: createDate(AUTH_OPTIONS.providers?.password?.verifyMailExpiresIn ?? 5 * 60),
                 lastVerifiedAt: undefined,
             });
-            const url = `${remult.context.url.origin}${oSafe.firstlyData.props.ui?.paths.reset_password}?token=${token}`;
+            const url = `${remult.context.request.url.origin}${oSafe.firstlyData.props.ui?.paths.reset_password}?token=${token}`;
             if (AUTH_OPTIONS?.invitationSend) {
                 await AUTH_OPTIONS?.invitationSend({ email, url });
-                logAuth.success(`${green('[custom]')}${magenta('[invitationSend]')} (${yellow(url)})`);
+                authModuleRaw.log.success(`${green('[custom]')}${magenta('[invitationSend]')} (${yellow(url)})`);
                 return 'Mail sent !';
             }
             else {
@@ -128,7 +106,7 @@ export class AuthControllerServer {
                         ],
                     },
                 });
-                logAuth.success(`${magenta('[invitationSend]')} (${yellow(url)})`);
+                authModuleRaw.log.success(`${magenta('[invitationSend]')} (${yellow(url)})`);
                 return 'Demo Mail sent !';
             }
         }
@@ -138,54 +116,55 @@ export class AuthControllerServer {
      * This is for login / password authentication SignUp
      * _(The first param `email` can be "anything")_
      */
-    static async signUpPassword(email, password) {
+    static async signUpPassword(emailParam, password) {
+        const email = emailParam.toLowerCase();
         const oSafe = getSafeOptions();
         if (!oSafe.signUp) {
-            throw Error("You can't signup by yourself! Contact the administrator.");
+            throw new EntityError({ message: "You can't signup by yourself! Contact the administrator." });
         }
-        if (!oSafe.password_enabled) {
-            throw Error('Password is not enabled!');
+        if (!oSafe.password.enabled) {
+            throw new EntityError({ message: 'Password is not enabled!' });
         }
-        const existingAccount = await remult.repo(oSafe.Account).findOne({
+        const existingAccount = await repo(oSafe.Account).findOne({
             where: {
                 providerUserId: email,
                 provider: FFAuthProvider.PASSWORD.id,
             },
         });
         if (existingAccount) {
-            throw Error("You can't signup twice !");
+            throw new EntityError({ message: "You can't signup twice !" });
         }
-        checkPassword(password);
-        const token = generateId(40);
+        oSafe.password.validatePassword(password);
+        const token = generateAndEncodeToken();
         await remult.dataProvider.transaction(async () => {
-            const user = await remult.repo(oSafe.User).insert({
+            const user = await repo(oSafe.User).insert({
                 identifier: email,
             });
-            await remult.repo(oSafe.Account).insert({
+            await repo(oSafe.Account).insert({
                 provider: FFAuthProvider.PASSWORD.id,
                 providerUserId: email,
                 userId: user.id,
-                hashPassword: await passwordHash(password),
+                hashPassword: oSafe.password.passwordHash(password),
                 token: oSafe.verifiedMethod === 'auto' ? undefined : token,
                 expiresAt: oSafe.verifiedMethod === 'auto'
                     ? undefined
-                    : createDate(new TimeSpan(AUTH_OPTIONS.providers?.password?.verifyMailExpiresIn ?? 5 * 60, 's')),
+                    : createDate(AUTH_OPTIONS.providers?.password?.verifyMailExpiresIn ?? 5 * 60),
                 lastVerifiedAt: oSafe.verifiedMethod === 'auto' ? new Date() : undefined,
             });
         });
         if (oSafe.verifiedMethod === 'auto') {
-            const user = await remult.repo(oSafe.User).findFirst({
+            const user = await repo(oSafe.User).findFirst({
                 identifier: email,
             });
             if (user) {
-                await createOrExtendSession(user.id);
+                await ff_createSession(user.id);
             }
         }
         else {
-            const url = `${remult.context.url.origin}${oSafe.firstlyData.props.ui?.paths.verify_email}?token=${token}`;
+            const url = `${remult.context.request.url.origin}${oSafe.firstlyData.props.ui?.paths.verify_email}?token=${token}`;
             if (AUTH_OPTIONS.providers?.password?.verifyMailSend) {
                 await AUTH_OPTIONS.providers?.password.verifyMailSend({ email, url });
-                logAuth.success(`${green('[custom]')}${magenta('[verifyMailSend]')} (${yellow(url)})`);
+                authModuleRaw.log.success(`${green('[custom]')}${magenta('[verifyMailSend]')} (${yellow(url)})`);
             }
             else {
                 await sendMail('verifyMailSend', {
@@ -205,7 +184,7 @@ export class AuthControllerServer {
                         ],
                     },
                 });
-                logAuth.success(`${magenta('[verifyMailSend]')} (${yellow(url)})`);
+                authModuleRaw.log.success(`${magenta('[verifyMailSend]')} (${yellow(url)})`);
             }
         }
         return 'ok';
@@ -214,50 +193,54 @@ export class AuthControllerServer {
      * This is for login / password authentication SignIn
      * _(The first param `email` can be "anything")_
      */
-    static async signInPassword(email, password) {
+    static async signInPassword(emailParam, password) {
+        const email = emailParam.toLowerCase();
         const oSafe = getSafeOptions();
-        if (!oSafe.password_enabled) {
-            throw Error('Password is not enabled!');
+        if (!oSafe.password.enabled) {
+            throw new EntityError({ message: 'Password is not enabled!' });
         }
-        const existingAccount = await remult.repo(oSafe.Account).findOne({
+        const existingAccount = await repo(oSafe.Account).findOne({
             where: {
                 providerUserId: email,
                 provider: FFAuthProvider.PASSWORD.id,
             },
         });
         if (existingAccount) {
-            const validPassword = await passwordVerify(existingAccount?.hashPassword ?? '', password ?? '');
+            const validPassword = oSafe.password.passwordVerify(password ?? '', existingAccount?.hashPassword ?? '');
             if (validPassword) {
-                await createOrExtendSession(existingAccount.userId);
+                await ff_createSession(existingAccount.userId);
                 return 'ok';
             }
-            throw Error('Incorrect username or password');
+            authModuleRaw.log.error({ email, passwordLength: password.length });
+            throw new EntityError({ message: 'Incorrect username or password' });
         }
-        throw Error('Incorrect username or password.');
+        authModuleRaw.log.error({ email, passwordLength: password.length });
+        throw new EntityError({ message: 'Incorrect username or password.' });
     }
     /**
      * Forgot your password ? Send a mail to reset it.
      */
-    static async forgotPassword(email) {
+    static async forgotPassword(emailParam) {
+        const email = emailParam.toLowerCase();
         const oSafe = getSafeOptions();
-        if (!oSafe.password_enabled) {
-            throw Error('Password is not enabled!');
+        if (!oSafe.password.enabled) {
+            throw new EntityError({ message: 'Password is not enabled!' });
         }
-        const existingAccount = await remult.repo(oSafe.Account).findOne({
+        const existingAccount = await repo(oSafe.Account).findOne({
             where: {
                 providerUserId: email,
                 provider: FFAuthProvider.PASSWORD.id,
             },
         });
         if (existingAccount) {
-            const token = generateId(40);
+            const token = generateAndEncodeToken();
             existingAccount.token = token;
-            existingAccount.expiresAt = createDate(new TimeSpan(AUTH_OPTIONS.providers?.password?.resetPasswordExpiresIn ?? 5 * 60, 's'));
-            await remult.repo(oSafe.Account).save(existingAccount);
-            const url = `${remult.context.url.origin}${oSafe.firstlyData.props.ui?.paths.reset_password}?token=${token}`;
+            existingAccount.expiresAt = createDate(AUTH_OPTIONS.providers?.password?.resetPasswordExpiresIn ?? 5 * 60);
+            await repo(oSafe.Account).save(existingAccount);
+            const url = `${remult.context.request.url.origin}${oSafe.firstlyData.props.ui?.paths.reset_password}?token=${token}`;
             if (AUTH_OPTIONS.providers?.password?.resetPasswordSend) {
                 await AUTH_OPTIONS.providers?.password.resetPasswordSend({ email, url });
-                logAuth.success(`${green('[custom]')}${magenta('[resetPasswordSend]')} (${yellow(url)})`);
+                authModuleRaw.log.success(`${green('[custom]')}${magenta('[resetPasswordSend]')} (${yellow(url)})`);
                 return 'Mail sent !';
             }
             else {
@@ -282,119 +265,120 @@ export class AuthControllerServer {
                         ],
                     },
                 });
-                logAuth.success(`${magenta('[resetPasswordSend]')} (${yellow(url)})`);
+                authModuleRaw.log.success(`${magenta('[resetPasswordSend]')} (${yellow(url)})`);
                 return 'Demo Mail sent !';
             }
         }
-        throw new Error("Une erreur est survenue, contacte l'administrateur!");
+        throw new EntityError({ message: "Une erreur est survenue, contacte l'administrateur!" });
     }
     /**
      * Reset your password with a token
      */
     static async resetPassword(token, password) {
         const oSafe = getSafeOptions();
-        if (!oSafe.password_enabled) {
-            throw Error('Password is not enabled!');
+        if (!oSafe.password.enabled) {
+            throw new EntityError({ message: 'Password is not enabled!' });
         }
         const account = await remult
             .repo(oSafe.Account)
             .findFirst({ token, provider: FFAuthProvider.PASSWORD.id });
         if (!account) {
-            throw new Error('Invalid token');
+            throw new EntityError({ message: 'Invalid token' });
         }
         if (account.expiresAt && account.expiresAt < new Date()) {
-            throw new Error('token expired');
+            throw new EntityError({ message: 'token expired' });
         }
-        checkPassword(password);
+        oSafe.password.validatePassword(password);
         if (account.userId === undefined) {
-            const user = await remult.repo(oSafe.User).insert({ identifier: account.providerUserId });
+            const user = await repo(oSafe.User).insert({ identifier: account.providerUserId });
             account.userId = user.id;
         }
-        await lucia.invalidateUserSessions(account.userId);
+        await invalidateSession(account.userId);
         // update elements
-        account.hashPassword = await passwordHash(password);
+        account.hashPassword = oSafe.password.passwordHash(password);
         account.token = undefined;
         account.expiresAt = undefined;
         account.lastVerifiedAt = new Date();
-        await remult.repo(oSafe.Account).save(account);
-        await createOrExtendSession(account.userId);
+        await repo(oSafe.Account).save(account);
+        await ff_createSession(account.userId);
         return 'reseted';
     }
     /** OTP */
-    static async signInOTP(email) {
+    static async signInOTP(emailParam) {
+        const email = emailParam.toLowerCase();
         const oSafe = getSafeOptions();
-        if (!oSafe.otp_enabled) {
-            throw new Error(`OPT is not enabled!`);
+        if (!oSafe.otp.enabled) {
+            throw new EntityError({ message: `OPT is not enabled!` });
         }
         if (AUTH_OPTIONS.providers?.otp?.send) {
-            const { createTOTPKeyURI } = await import('oslo/otp');
-            const { encodeHex } = await import('oslo/encoding');
-            const { TOTPController } = await import('oslo/otp');
-            const secret = crypto.getRandomValues(new Uint8Array(20));
-            const otp = await new TOTPController({
-                period: new TimeSpan(AUTH_OPTIONS.providers?.otp.expiresIn ?? 30, 's'),
-                digits: AUTH_OPTIONS.providers?.otp.digits ?? 6,
-            }).generate(secret);
-            const secretEncoded = encodeHex(secret);
+            const key = crypto.getRandomValues(new Uint8Array(20));
+            const intervalInSeconds = AUTH_OPTIONS.providers?.otp?.expiresIn ?? 30;
+            const digits = AUTH_OPTIONS.providers?.otp.digits ?? 6;
+            const otp = generateTOTP(key, intervalInSeconds, digits);
+            const keyEncoded = encodeHexLowerCase(key);
             const issuer = AUTH_OPTIONS.providers.otp.issuer ?? 'firstly';
-            const uri = createTOTPKeyURI(issuer, email, secret);
+            const uri = createTOTPKeyURI(issuer, email, key, intervalInSeconds, digits);
             const oSafe = getSafeOptions();
-            let user = await remult.repo(oSafe.User).findFirst({ identifier: email });
+            let user = await repo(oSafe.User).findFirst({ identifier: email });
             if (!user) {
-                user = remult.repo(oSafe.User).create();
+                user = repo(oSafe.User).create();
             }
             user.identifier = email;
-            user = await remult.repo(oSafe.User).save(user);
+            user = await repo(oSafe.User).save(user);
             let account = await remult
                 .repo(oSafe.Account)
                 .findFirst({ userId: user.id, provider: FFAuthProvider.OTP.id });
             if (!account) {
-                account = remult.repo(oSafe.Account).create();
+                account = repo(oSafe.Account).create();
             }
             account.userId = user.id;
             account.provider = FFAuthProvider.OTP.id;
             account.token = otp;
-            account.hashPassword = secretEncoded;
-            await remult.repo(oSafe.Account).save(account);
+            account.hashPassword = keyEncoded;
+            await repo(oSafe.Account).save(account);
             await AUTH_OPTIONS.providers.otp?.send({ name: email, otp, uri });
-            logAuth.success(`name: ${yellow(email)}, otp: ${yellow(otp)}, uri: ${yellow(uri)}`);
+            authModuleRaw.log.success(`name: ${yellow(email)}, otp: ${yellow(otp)}, uri: ${yellow(uri)}`);
             return 'Mail sent !';
         }
         else {
-            logAuth.error(`You need to provide a otp.send hook in the auth options!`);
+            authModuleRaw.log.error(`You need to provide a otp.send hook in the auth options!`);
         }
         return 'Hum, something went wrong !';
     }
     /**
      * Verify the OTP code
      */
-    static async verifyOtp(email, otp) {
+    static async verifyOtp(emailParam, otp) {
+        const email = emailParam.toLowerCase();
         const oSafe = getSafeOptions();
-        const accounts = await remult.repo(oSafe.Account).find({
+        if (!oSafe.otp.enabled) {
+            throw new EntityError({ message: `OPT is not enabled!` });
+        }
+        const accounts = await repo(oSafe.Account).find({
             where: { token: String(otp), provider: FFAuthProvider.OTP.id },
         });
         if (accounts.length === 0) {
-            throw new Error('Invalid otp');
+            throw new EntityError({ message: 'Invalid otp' });
         }
         const account = accounts[0];
-        const user = await remult.repo(oSafe.User).findId(account.userId);
+        const user = await repo(oSafe.User).findId(account.userId);
         if (user?.identifier !== email) {
-            throw new Error('Invalid otp.');
+            throw new EntityError({ message: 'Invalid otp.' });
         }
-        const { decodeHex } = await import('oslo/encoding');
-        const { TOTPController } = await import('oslo/otp');
-        const secretDecoded = decodeHex(account.hashPassword ?? '');
-        const validOTP = await new TOTPController().verify(String(otp), secretDecoded);
+        const intervalInSeconds = oSafe.providers?.otp?.expiresIn ?? 30;
+        const digits = oSafe.providers?.otp?.digits ?? 6;
+        const keyDecoded = decodeHex(account.hashPassword ?? '');
+        const validOTP = verifyTOTPWithGracePeriod(keyDecoded, intervalInSeconds, digits, otp, 30);
         if (!validOTP) {
-            throw new Error('Invalid otp!');
+            throw new EntityError({ message: 'Invalid otp!' });
         }
-        await lucia.invalidateUserSessions(account.userId);
+        await invalidateSession(account.userId);
         // update elements
         account.hashPassword = undefined;
         account.token = undefined;
         account.expiresAt = undefined;
-        await remult.repo(oSafe.Account).save(account);
-        await createOrExtendSession(account.userId);
+        await repo(oSafe.Account).save(account);
+        await ff_createSession(account.userId);
         return 'verified';
     }
     /** OAUTH */
@@ -417,17 +401,6 @@ export class AuthControllerServer {
             try {
                 const arcticProvider = selectedOAuth.getArcticProvider();
                 const args = [state];
-                if (selectedOAuth.isPKCE) {
-                    const codeVerifier = generateCodeVerifier();
-                    args.push(codeVerifier);
-                    // store code verifier as cookie
-                    remult.context.setCookie('code_verifier', codeVerifier, {
-                        secure: true, // set to false in localhost
-                        path: '/',
-                        httpOnly: true,
-                        maxAge: 60 * 10, // 10 min
-                    });
-                }
                 if (o.options) {
                     args.push(o.options);
                 }
@@ -436,35 +409,24 @@ export class AuthControllerServer {
                         args.push(selectedOAuth.authorizationURLOptions());
                     }
                 }
-                // @ts-ignore
                 const url = await arcticProvider.createAuthorizationURL(...args);
                 if (!url) {
-                    throw new Error('No url returned');
+                    throw new EntityError({ message: 'No url returned' });
                 }
-                remult.context.setCookie(`${o.provider}_oauth_state`, state, {
-                    path: '/',
-                    secure: !DEV,
-                    httpOnly: true,
-                    maxAge: 60 * 10,
-                    sameSite: 'lax',
-                });
+                setOAuthStateCookie(selectedOAuth.name, state);
                 if (o.redirect) {
-                    remult.context.setCookie(`remult_redirect`, o.redirect, {
-                        path: '/',
-                        secure: !DEV,
-                        httpOnly: true,
-                        maxAge: 60 * 10,
-                        sameSite: 'lax',
-                    });
+                    setRedirectCookie(o.redirect);
                 }
                 return url.toString();
             }
             catch (error) {
                 // display error for the server only
-                logAuth.error(error);
-                throw new Error(`${o.provider} not well configured!`);
+                authModuleRaw.log.error(error);
+                throw new EntityError({ message: `${selectedOAuth.name} not well configured!` });
             }
         }
-        throw new Error(`${o.provider} is not configured! (Module: auth, section: providers.oAuths: [${o.provider}] missing)`);
+        throw new EntityError({
+            message: `${o.provider} is not configured! (Module: auth, section: providers.oAuths: [${o.provider}] missing)`,
+        });
     }
 }

package/esm/auth/server/handleAuth.d.ts

@@ -0,0 +1,2 @@
+import { type Handle } from '@sveltejs/kit';
+export declare const handleAuth: Handle;