firstly 0.0.10 → 0.0.12

package/esm/auth/server/handleAuth.js

@@ -0,0 +1,140 @@
+import { redirect } from '@sveltejs/kit';
+import { repo } from 'remult';
+import { read } from '@kitql/internals';
+import { FFAuthProvider } from '../Entities';
+import { ff_createSession } from './helperFirstly';
+import { getSafeOptions } from './module';
+export const handleAuth = async ({ event, resolve }) => {
+    const oSafe = getSafeOptions();
+    if (event.url.pathname === oSafe.firstlyData.props.ui?.paths?.verify_email) {
+        const token = event.url.searchParams.get('token') ?? '';
+        if (!oSafe.password.enabled) {
+            throw Error('Password is not enabled!');
+        }
+        const account = await repo(oSafe.Account).findFirst({
+            token,
+            provider: FFAuthProvider.PASSWORD.id,
+        });
+        if (!account) {
+            throw new Error('Invalid token');
+        }
+        if (account.expiresAt && account.expiresAt < new Date()) {
+            throw new Error('token expired');
+        }
+        // update elements
+        account.token = undefined;
+        account.expiresAt = undefined;
+        account.lastVerifiedAt = new Date();
+        await repo(oSafe.Account).save(account);
+        await ff_createSession(account.userId);
+        redirect(302, oSafe.redirectUrl);
+    }
+    if (oSafe.firstlyData.props.ui?.paths?.base &&
+        event.url.pathname.startsWith(oSafe.firstlyData.props.ui.paths.base)) {
+        const content = read(`${oSafe.uiStaticPath}index.html`);
+        return new Response(content + `<script>const firstlyData = ${JSON.stringify(oSafe.firstlyData)}</script>`, {
+            headers: { 'content-type': 'text/html' },
+        });
+    }
+    if (event.url.pathname.startsWith('/api/static')) {
+        const content = read(`${oSafe.uiStaticPath}${event.url.pathname.replaceAll('/api/static/', '')}`);
+        if (content) {
+            const seg = event.url.pathname.split('.');
+            const map = {
+                js: 'text/javascript',
+                css: 'text/css',
+                svg: 'image/svg+xml',
+            };
+            return new Response(content, {
+                headers: { 'content-type': map[seg[seg.length - 1]] ?? 'text/plain' },
+            });
+        }
+    }
+    if (event.url.pathname === '/api/auth_callback') {
+        const code = event.url.searchParams.get('code');
+        const state = event.url.searchParams.get('state');
+        const keys = oSafe.providers?.oAuths?.map((c) => c.name) ?? [];
+        let storedState = null;
+        let keyState = null;
+        for (const key of keys) {
+            storedState = event.cookies.get(`${key}_oauth_state`) ?? null;
+            if (storedState) {
+                keyState = key;
+                break;
+            }
+        }
+        const redirectUrlCookie = event.cookies.get(`remult_redirect`);
+        if (redirectUrlCookie) {
+            event.cookies.delete(`remult_redirect`, { path: '/' });
+        }
+        const redirectUrl = redirectUrlCookie ?? oSafe.redirectUrl;
+        if (!code || !state || !storedState || state !== storedState || !keyState) {
+            redirect(302, redirectUrl);
+        }
+        const selectedOAuth = oSafe.providers?.oAuths?.find((c) => c.name === keyState);
+        if (selectedOAuth && code) {
+            const tokens = (await selectedOAuth
+                .getArcticProvider()
+                .validateAuthorizationCode(code));
+            let info;
+            try {
+                info = await selectedOAuth.getUserInfo(tokens);
+            }
+            catch (error) {
+                console.error(error);
+                redirect(302, redirectUrl);
+            }
+            if (!info.providerUserId) {
+                redirect(302, redirectUrl);
+            }
+            let account = await repo(oSafe.Account).findFirst({
+                provider: keyState,
+                providerUserId: info.providerUserId,
+            });
+            if (!account) {
+                if (!oSafe.signUp) {
+                    console.error("You can't signup by yourself! Contact the administrator.");
+                    // throw Error("You can't signup by yourself! Contact the administrator.")
+                    redirect(302, redirectUrl);
+                }
+                // for each info.name, we check if it exists take the first option
+                // and add the providerUserId to the name if no option available
+                let nameToUse = '';
+                for (let i = 0; i < info.nameOptions.length; i++) {
+                    const existingUser = await repo(oSafe.User).findOne({
+                        where: { identifier: info.nameOptions[i] },
+                    });
+                    if (existingUser) {
+                        // Don't do anything
+                    }
+                    else {
+                        nameToUse = info.nameOptions[i];
+                        break;
+                    }
+                }
+                if (nameToUse === '') {
+                    nameToUse = `${info.nameOptions[0]}-${info.providerUserId}`;
+                }
+                const user = repo(oSafe.User).create();
+                user.identifier = nameToUse;
+                account = repo(oSafe.Account).create();
+                account.provider = keyState;
+                account.providerUserId = info.providerUserId;
+                account.token = tokens.accessToken();
+                account.userId = user.id;
+                account.lastVerifiedAt = new Date();
+                await repo(oSafe.User).save(user);
+                await repo(oSafe.Account).save(account);
+            }
+            else {
+                account.token = tokens.accessToken();
+                await repo(oSafe.Account).save(account);
+            }
+            await ff_createSession(account.userId);
+            event.cookies.delete(`${keyState}_oauth_state`, { path: '/' });
+            event.cookies.delete(`code_verifier`, { path: '/' });
+        }
+        redirect(302, redirectUrl);
+    }
+    return resolve(event);
+};

package/esm/auth/server/helperDb.d.ts

@@ -0,0 +1,10 @@
+import { type UserInfo } from 'remult';
+export declare function createSession(token: string, userId: string): Promise<import("..").FFAuthUserSession>;
+export declare function validateSessionToken(token: string): Promise<{
+    user: UserInfo | undefined;
+    freshSession: {
+        sessionToken: string;
+        expiresAt: Date;
+    } | undefined;
+}>;
+export declare function invalidateSession(sessionId: string): Promise<void>;

package/esm/auth/server/helperDb.js

@@ -0,0 +1,56 @@
+import { repo } from 'remult';
+import { encodeToken } from './helperOslo';
+import { getSafeOptions } from './module';
+export async function createSession(token, userId) {
+    const sessionId = encodeToken(token);
+    const oSafe = getSafeOptions();
+    const session = await repo(oSafe.Session).insert({
+        id: sessionId,
+        userId,
+        expiresAt: new Date(Date.now() + oSafe.session.expiresInMs),
+    });
+    return session;
+}
+export async function validateSessionToken(token) {
+    const sessionId = encodeToken(token);
+    const oSafe = getSafeOptions();
+    const sessionDb = await repo(oSafe.Session).findId(sessionId);
+    if (!sessionDb) {
+        return { user: undefined, freshSession: undefined };
+    }
+    // TODO TRANSFORM
+    const session = {
+        //
+        id: sessionDb.id,
+        userId: sessionDb.userId,
+        expiresAt: sessionDb.expiresAt,
+    };
+    // TODO: Why I can't do 1 query ?!
+    const userDb = await repo(oSafe.User).findId(sessionDb.userId);
+    if (!userDb) {
+        await invalidateSession(sessionId);
+        return { user: undefined, freshSession: undefined };
+    }
+    const user = oSafe.transformDbUserToClientUser(sessionDb, userDb);
+    const sessionExpired = Date.now() >= session.expiresAt.getTime();
+    if (sessionExpired) {
+        await repo(oSafe.Session).delete(sessionId);
+        return { user: undefined, freshSession: undefined };
+    }
+    // To not renew non stop... Let's wait 10% of the session expires
+    const renewSession = Date.now() >= session.expiresAt.getTime() - oSafe.session.expiresInMs * 0.9;
+    if (renewSession) {
+        session.expiresAt = new Date(Date.now() + oSafe.session.expiresInMs);
+        await repo(oSafe.Session).update(sessionId, { expiresAt: session.expiresAt });
+        return { user, freshSession: { sessionToken: token, expiresAt: session.expiresAt } };
+    }
+    return { user, freshSession: undefined };
+}
+export async function invalidateSession(sessionId) {
+    const oSafe = getSafeOptions();
+    try {
+        // silent error. If the session is already deleted, it will throw an error
+        await repo(oSafe.Session).delete(sessionId);
+    }
+    catch (error) { }
+}

package/esm/auth/server/helperFirstly.d.ts

@@ -0,0 +1 @@
+export declare const ff_createSession: (userId: string) => Promise<void>;

package/esm/auth/server/helperFirstly.js

@@ -0,0 +1,8 @@
+import { createSession } from './helperDb';
+import { generateToken } from './helperOslo';
+import { setSessionTokenCookie } from './helperRemultServer';
+export const ff_createSession = async (userId) => {
+    const token = generateToken();
+    const session = await createSession(token, userId);
+    setSessionTokenCookie(token, session.expiresAt);
+};

package/esm/auth/server/helperOslo.d.ts

@@ -0,0 +1,7 @@
+export declare function generateId(): string;
+export declare function generateToken(): string;
+export declare function encodeToken(token: string): string;
+export declare function generateAndEncodeToken(): string;
+export declare function createDate(timeSpan_seconds: number, options?: {
+    from?: Date;
+}): Date;

package/esm/auth/server/helperOslo.js

@@ -0,0 +1,24 @@
+import { sha256 } from '@oslojs/crypto/sha2';
+import { encodeBase32LowerCase, encodeBase64url, encodeHexLowerCase } from '@oslojs/encoding';
+export function generateId() {
+    // ID with 120 bits of entropy, or about the same as UUID v4.
+    const bytes = crypto.getRandomValues(new Uint8Array(15));
+    const id = encodeBase32LowerCase(bytes);
+    return id;
+}
+export function generateToken() {
+    const bytes = crypto.getRandomValues(new Uint8Array(18));
+    const token = encodeBase64url(bytes);
+    return token;
+}
+export function encodeToken(token) {
+    const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+    return sessionId;
+}
+export function generateAndEncodeToken() {
+    return encodeToken(generateToken());
+}
+export function createDate(timeSpan_seconds, options) {
+    const from = options?.from ?? new Date();
+    return new Date(from.getTime() + timeSpan_seconds * 1000);
+}

package/esm/auth/server/helperRemultServer.d.ts

@@ -0,0 +1,5 @@
+export declare function setSessionTokenCookie(token: string, expiresAt: Date): void;
+export declare function deleteSessionTokenCookie(): void;
+export declare function setCodeVerifierCookie(codeVerifier: string): void;
+export declare function setOAuthStateCookie(provider: string, state: string): void;
+export declare function setRedirectCookie(redirect: string): void;

package/esm/auth/server/helperRemultServer.js

@@ -0,0 +1,44 @@
+import { DEV } from 'esm-env';
+import { remult } from 'remult';
+import { getSafeOptions } from './module';
+export function setSessionTokenCookie(token, expiresAt) {
+    const oSafe = getSafeOptions();
+    if (remult.context.setCookie) {
+        remult.context.setCookie(oSafe.session.cookieName, token, {
+            expires: expiresAt,
+            path: '/',
+        });
+    }
+}
+export function deleteSessionTokenCookie() {
+    const oSafe = getSafeOptions();
+    remult.context.deleteCookie(oSafe.session.cookieName, {
+        path: '/',
+    });
+}
+export function setCodeVerifierCookie(codeVerifier) {
+    remult.context.setCookie('code_verifier', codeVerifier, {
+        secure: !DEV,
+        path: '/',
+        httpOnly: true,
+        maxAge: 60 * 10, // 10 min
+    });
+}
+export function setOAuthStateCookie(provider, state) {
+    remult.context.setCookie(`${provider}_oauth_state`, state, {
+        path: '/',
+        secure: !DEV,
+        httpOnly: true,
+        maxAge: 60 * 10,
+        sameSite: 'lax',
+    });
+}
+export function setRedirectCookie(redirect) {
+    remult.context.setCookie(`remult_redirect`, redirect, {
+        path: '/',
+        secure: !DEV,
+        httpOnly: true,
+        maxAge: 60 * 10,
+        sameSite: 'lax',
+    });
+}

package/esm/auth/{RoleHelpers.d.ts → server/helperRole.d.ts}

@@ -1,6 +1,6 @@
 import type { ClassType } from 'remult';
 import { Log } from '@kitql/helpers';
-import { FFAuthUser } from './client/Entities';
+import { FFAuthUser } from '../Entities';
 /**
  * will merge the roles and remove duplicates
  * will return a new array & a status if the array was changed

package/esm/auth/{RoleHelpers.js → server/helperRole.js}

@@ -1,7 +1,7 @@
 import { repo } from 'remult';
 import { cyan, green, Log, yellow } from '@kitql/helpers';
 import { env } from '$env/dynamic/private';
-import { FFAuthUser } from './client/Entities';
+import { FFAuthUser } from '../Entities';
 /**
  * will merge the roles and remove duplicates
  * will return a new array & a status if the array was changed

package/esm/auth/server/index.d.ts

@@ -0,0 +1,5 @@
+import * as arctic from 'arctic';
+export { auth, authModuleRaw } from './module';
+export { checkOAuthConfig } from './providers/helperProvider';
+export { github } from './providers/github';
+export { arctic };

package/esm/auth/server/index.js

@@ -0,0 +1,5 @@
+import * as arctic from 'arctic';
+export { auth, authModuleRaw } from './module';
+export { checkOAuthConfig } from './providers/helperProvider';
+export { github } from './providers/github';
+export { arctic };

package/esm/auth/server/module.d.ts

@@ -0,0 +1,238 @@
+import type { OAuth2Tokens } from 'arctic';
+import type { ClassType, UserInfo } from 'remult';
+import { Module } from '../../api';
+import type { RecursivePartial } from '../../utils/types';
+import { FFAuthAccount, FFAuthUser, FFAuthUserSession } from '../Entities';
+import type { firstlyData, firstlyDataAuth } from '../types';
+import { initRoleFromEnv } from './helperRole';
+export type { firstlyData };
+export type ProviderConfigured = Record<string, ProviderAuthorizationURLOptions>;
+export type ProviderAuthorizationURLOptions = string[];
+export type OAuth2UserInfo = {
+    raw?: any;
+    providerUserId: string;
+    /** Will take the first option available */
+    nameOptions: string[];
+};
+export type FFOAuth2Provider<T = any, LitName extends string = string> = {
+    name: LitName;
+    getArcticProvider: () => T;
+    authorizationURLOptions: () => ProviderAuthorizationURLOptions;
+    getUserInfo(tokens: OAuth2Tokens): Promise<OAuth2UserInfo>;
+};
+type AuthOptions<TUserEntity extends FFAuthUser = FFAuthUser, TSessionEntity extends FFAuthUserSession = FFAuthUserSession, TAccountEntity extends FFAuthAccount = FFAuthAccount> = {
+    customEntities?: {
+        User?: ClassType<TUserEntity>;
+        Session?: ClassType<TSessionEntity>;
+        Account?: ClassType<TAccountEntity>;
+    };
+    debug?: boolean;
+    ui?: false | RecursivePartial<firstlyDataAuth['ui']>;
+    /** Usefull to overwrite where the static files are */
+    uiStaticPath?: string;
+    session?: {
+        /** in milliseconds @default 30 days (1000 * 60 * 60 * 24 * 30) */
+        expiresIn?: number;
+        COOKIE_NAME?: string;
+    };
+    defaultRedirect?: string;
+    /**
+     * Can a user sign up by itself? Or we can join only by invitation ?
+     * If false, no one can sign up alone.
+     * @default true
+     **/
+    signUp?: boolean;
+    /**
+     * To be able to sign in user needs to be verified or not?
+     * ```
+     *  `Auto` =>  noting will be checked
+     *  `Email` => users needs to click a link in an email
+     *  `Manual` => an admin needs to verify the user and set verifiedAt in the database
+     * ```
+     * @default auto
+     **/
+    verifiedMethod?: 'auto' | 'email' | 'manual';
+    invitationSend?: (args: {
+        email: string;
+        url: string;
+    }) => Promise<void>;
+    transformDbUserToClientUser?: (session: TSessionEntity, user: TUserEntity) => UserInfo;
+    providers?: {
+        demo?: {
+            name: string;
+            roles?: string[];
+        }[];
+        password?: {
+            /**
+             * Reseting the password
+             */
+            resetPasswordSend?: (args: {
+                email: string;
+                url: string;
+            }) => Promise<void>;
+            /** in secondes @default 5 minutes */
+            resetPasswordExpiresIn?: number;
+            /**
+             * Verify the Mail
+             */
+            verifyMailSend?: (args: {
+                email: string;
+                url: string;
+            }) => Promise<void>;
+            /** in secondes @default 5 minutes */
+            verifyMailExpiresIn?: number;
+            settings?: {
+                bcrypt?: {
+                    /**
+                     * Validate the password or throw an error.
+                     *
+                     * Here is an example (and it's the default implementation):
+                     * ```
+                     * function validatePassword(password: string) {
+                     *   if (typeof password !== 'string' || password.length < 6 || password.length > 255) {
+                     *     throw new EntityError({ message: 'Invalid password' })
+                     *   }
+                     * }
+                     * ```
+                     */
+                    validatePassword?: (password: string) => void;
+                    /**
+                     * If you want to NOT use the default bcrypt, you can pass your own thing!
+                     */
+                    passwordHash?: (password: string) => string;
+                    /**
+                     * The number of rounds to use for the bcrypt hash.
+                     * @default 10
+                     */
+                    saltRounds?: number;
+                    /**
+                     * If you want to NOT use the default bcrypt, you can pass your own thing!
+                     */
+                    passwordVerify?: (password: string, hash: string) => boolean;
+                };
+            };
+        };
+        otp?: {
+            issuer?: string;
+            /** in secondes @default 30 seconds */
+            expiresIn?: number;
+            /** Number of digits @default 6 */
+            digits?: number;
+            send?: (data: {
+                name: string;
+                otp: string;
+                uri: string;
+            }) => Promise<void>;
+        };
+        oAuths?: FFOAuth2Provider[];
+    };
+};
+export declare let AUTH_OPTIONS: AuthOptions;
+export declare const getSafeOptions: <TUserEntity extends FFAuthUser = FFAuthUser, TSessionEntity extends FFAuthUserSession = FFAuthUserSession, TAccountEntity extends FFAuthAccount = FFAuthAccount>() => {
+    User: ClassType<TUserEntity>;
+    Session: ClassType<TSessionEntity>;
+    Account: ClassType<TAccountEntity>;
+    signUp: boolean;
+    password: {
+        enabled: boolean;
+        validatePassword: (password: string) => void;
+        passwordHash: (password: string) => string;
+        passwordVerify: (password: string, hash: string) => boolean;
+    };
+    otp: {
+        enabled: boolean;
+    };
+    verifiedMethod: "email" | "auto" | "manual";
+    redirectUrl: string;
+    firstlyData: firstlyData;
+    transformDbUserToClientUser: (session: TSessionEntity, user: TUserEntity) => UserInfo;
+    uiStaticPath: string;
+    session: {
+        expiresInMs: number;
+        cookieName: string;
+    };
+    providers: {
+        demo?: {
+            name: string;
+            roles?: string[];
+        }[];
+        password?: {
+            /**
+             * Reseting the password
+             */
+            resetPasswordSend?: (args: {
+                email: string;
+                url: string;
+            }) => Promise<void>;
+            /** in secondes @default 5 minutes */
+            resetPasswordExpiresIn?: number;
+            /**
+             * Verify the Mail
+             */
+            verifyMailSend?: (args: {
+                email: string;
+                url: string;
+            }) => Promise<void>;
+            /** in secondes @default 5 minutes */
+            verifyMailExpiresIn?: number;
+            settings?: {
+                bcrypt?: {
+                    /**
+                     * Validate the password or throw an error.
+                     *
+                     * Here is an example (and it's the default implementation):
+                     * ```
+                     * function validatePassword(password: string) {
+                     *   if (typeof password !== 'string' || password.length < 6 || password.length > 255) {
+                     *     throw new EntityError({ message: 'Invalid password' })
+                     *   }
+                     * }
+                     * ```
+                     */
+                    validatePassword?: (password: string) => void;
+                    /**
+                     * If you want to NOT use the default bcrypt, you can pass your own thing!
+                     */
+                    passwordHash?: (password: string) => string;
+                    /**
+                     * The number of rounds to use for the bcrypt hash.
+                     * @default 10
+                     */
+                    saltRounds?: number;
+                    /**
+                     * If you want to NOT use the default bcrypt, you can pass your own thing!
+                     */
+                    passwordVerify?: (password: string, hash: string) => boolean;
+                };
+            };
+        };
+        otp?: {
+            issuer?: string;
+            /** in secondes @default 30 seconds */
+            expiresIn?: number;
+            /** Number of digits @default 6 */
+            digits?: number;
+            send?: (data: {
+                name: string;
+                otp: string;
+                uri: string;
+            }) => Promise<void>;
+        };
+        oAuths?: FFOAuth2Provider[];
+    } | undefined;
+};
+export declare const authModuleRaw: Module;
+/**
+ * To enable authentication in your app in a few lines of code.
+ * _Info: index: -777_
+ */
+export declare const auth: <TUserEntity extends FFAuthUser = FFAuthUser, TSessionEntity extends FFAuthUserSession = FFAuthUserSession, TAccountEntity extends FFAuthAccount = FFAuthAccount>(o: AuthOptions<TUserEntity, TSessionEntity, TAccountEntity>) => Module;
+export { initRoleFromEnv };
+declare module 'remult' {
+    interface UserInfo {
+        session: {
+            id: string;
+            expiresAt: Date;
+        };
+    }
+}