firstly 0.0.11 → 0.0.13

package/esm/auth/server/handleAuth.js

@@ -0,0 +1,140 @@
+import { redirect } from '@sveltejs/kit';
+import { repo } from 'remult';
+import { read } from '@kitql/internals';
+import { FFAuthProvider } from '../Entities';
+import { ff_createSession } from './helperFirstly';
+import { getSafeOptions } from './module';
+export const handleAuth = async ({ event, resolve }) => {
+    const oSafe = getSafeOptions();
+    if (event.url.pathname === oSafe.firstlyData.props.ui?.paths?.verify_email) {
+        const token = event.url.searchParams.get('token') ?? '';
+        if (!oSafe.password.enabled) {
+            throw Error('Password is not enabled!');
+        }
+        const account = await repo(oSafe.Account).findFirst({
+            token,
+            provider: FFAuthProvider.PASSWORD.id,
+        });
+        if (!account) {
+            throw new Error('Invalid token');
+        }
+        if (account.expiresAt && account.expiresAt < new Date()) {
+            throw new Error('token expired');
+        }
+        // update elements
+        account.token = undefined;
+        account.expiresAt = undefined;
+        account.lastVerifiedAt = new Date();
+        await repo(oSafe.Account).save(account);
+        await ff_createSession(account.userId);
+        redirect(302, oSafe.redirectUrl);
+    }
+    if (oSafe.firstlyData.props.ui?.paths?.base &&
+        event.url.pathname.startsWith(oSafe.firstlyData.props.ui.paths.base)) {
+        const content = read(`${oSafe.uiStaticPath}index.html`);
+        return new Response(content + `<script>const firstlyData = ${JSON.stringify(oSafe.firstlyData)}</script>`, {
+            headers: { 'content-type': 'text/html' },
+        });
+    }
+    if (event.url.pathname.startsWith('/api/static')) {
+        const content = read(`${oSafe.uiStaticPath}${event.url.pathname.replaceAll('/api/static/', '')}`);
+        if (content) {
+            const seg = event.url.pathname.split('.');
+            const map = {
+                js: 'text/javascript',
+                css: 'text/css',
+                svg: 'image/svg+xml',
+            };
+            return new Response(content, {
+                headers: { 'content-type': map[seg[seg.length - 1]] ?? 'text/plain' },
+            });
+        }
+    }
+    if (event.url.pathname === '/api/auth_callback') {
+        const code = event.url.searchParams.get('code');
+        const state = event.url.searchParams.get('state');
+        const keys = oSafe.providers?.oAuths?.map((c) => c.name) ?? [];
+        let storedState = null;
+        let keyState = null;
+        for (const key of keys) {
+            storedState = event.cookies.get(`${key}_oauth_state`) ?? null;
+            if (storedState) {
+                keyState = key;
+                break;
+            }
+        }
+        const redirectUrlCookie = event.cookies.get(`remult_redirect`);
+        if (redirectUrlCookie) {
+            event.cookies.delete(`remult_redirect`, { path: '/' });
+        }
+        const redirectUrl = redirectUrlCookie ?? oSafe.redirectUrl;
+        if (!code || !state || !storedState || state !== storedState || !keyState) {
+            redirect(302, redirectUrl);
+        }
+        const selectedOAuth = oSafe.providers?.oAuths?.find((c) => c.name === keyState);
+        if (selectedOAuth && code) {
+            const tokens = (await selectedOAuth
+                .getArcticProvider()
+                .validateAuthorizationCode(code));
+            let info;
+            try {
+                info = await selectedOAuth.getUserInfo(tokens);
+            }
+            catch (error) {
+                console.error(error);
+                redirect(302, redirectUrl);
+            }
+            if (!info.providerUserId) {
+                redirect(302, redirectUrl);
+            }
+            let account = await repo(oSafe.Account).findFirst({
+                provider: keyState,
+                providerUserId: info.providerUserId,
+            });
+            if (!account) {
+                if (!oSafe.signUp) {
+                    console.error("You can't signup by yourself! Contact the administrator.");
+                    // throw Error("You can't signup by yourself! Contact the administrator.")
+                    redirect(302, redirectUrl);
+                }
+                // for each info.name, we check if it exists take the first option
+                // and add the providerUserId to the name if no option available
+                let nameToUse = '';
+                for (let i = 0; i < info.nameOptions.length; i++) {
+                    const existingUser = await repo(oSafe.User).findOne({
+                        where: { identifier: info.nameOptions[i] },
+                    });
+                    if (existingUser) {
+                        // Don't do anything
+                    }
+                    else {
+                        nameToUse = info.nameOptions[i];
+                        break;
+                    }
+                }
+                if (nameToUse === '') {
+                    nameToUse = `${info.nameOptions[0]}-${info.providerUserId}`;
+                }
+                const user = repo(oSafe.User).create();
+                user.identifier = nameToUse;
+                account = repo(oSafe.Account).create();
+                account.provider = keyState;
+                account.providerUserId = info.providerUserId;
+                account.token = tokens.accessToken();
+                account.userId = user.id;
+                account.lastVerifiedAt = new Date();
+                await repo(oSafe.User).save(user);
+                await repo(oSafe.Account).save(account);
+            }
+            else {
+                account.token = tokens.accessToken();
+                await repo(oSafe.Account).save(account);
+            }
+            await ff_createSession(account.userId);
+            event.cookies.delete(`${keyState}_oauth_state`, { path: '/' });
+            event.cookies.delete(`code_verifier`, { path: '/' });
+        }
+        redirect(302, redirectUrl);
+    }
+    return resolve(event);
+};

package/esm/auth/server/handleGuard.d.ts

@@ -0,0 +1,16 @@
+import { type Handle } from '@sveltejs/kit';
+export type RouteGuardConfig = {
+    anonymous?: string[];
+    authenticated: string[];
+    redirectToLogin: string;
+    redirectAuthenticated: string;
+    /**
+     * We need this import
+     *
+     * `import { redirect } from '@sveltejs/kit'` */
+    redirect: (status: number, url: string) => void;
+};
+/**
+ * Creates a handle function with the provided route guard configuration
+ */
+export declare function handleGuard(config: RouteGuardConfig): Handle;

package/esm/auth/server/handleGuard.js

@@ -0,0 +1,67 @@
+import {} from '@sveltejs/kit';
+import { remult } from 'remult';
+/**
+ * Checks if a path matches a pattern that may include wildcards
+ * @param path The actual path to check
+ * @param pattern The pattern that may include wildcards (*)
+ */
+function pathMatchesPattern(path, pattern) {
+    // Convert the pattern to a regex
+    const regexPattern = pattern.replace(/\//g, '\\/').replace(/\*/g, '.*');
+    const regex = new RegExp(`^${regexPattern}$`);
+    return regex.test(path);
+}
+/**
+ * Checks if a path matches any of the patterns in the array
+ */
+function pathMatchesAnyPattern(path, patterns) {
+    return patterns.some((pattern) => pathMatchesPattern(path, pattern));
+}
+/**
+ * Creates a handle function with the provided route guard configuration
+ */
+export function handleGuard(config) {
+    return async ({ event, resolve }) => {
+        const path = event.url.pathname;
+        const fullUrl = event.url.pathname + event.url.search;
+        const isAuthenticated = !!remult.user;
+        // Check if the path is in the anonymous routes
+        const isAnonymousRoute = config.anonymous ? pathMatchesAnyPattern(path, config.anonymous) : false;
+        // Check if the path is in the authenticated routes
+        const isAuthenticatedRoute = pathMatchesAnyPattern(path, config.authenticated);
+        // Check if the current path is the login page
+        const isLoginPage = path === config.redirectToLogin || path === config.redirectToLogin.replace(/\/$/, '');
+        // Create login URL with redirect parameter
+        const createLoginUrl = (returnUrl) => {
+            const encodedReturnUrl = encodeURIComponent(returnUrl);
+            const separator = config.redirectToLogin.includes('?') ? '&' : '?';
+            return `${config.redirectToLogin}${separator}redirect=${encodedReturnUrl}`;
+        };
+        // Handle root path
+        if (path === config.redirectToLogin) {
+            if (isAuthenticated) {
+                config.redirect(302, config.redirectAuthenticated);
+            }
+            else {
+                // Only redirect if we're not already on the login page
+                if (!isLoginPage) {
+                    config.redirect(302, config.redirectToLogin);
+                }
+            }
+        }
+        // If user is not authenticated and tries to access an authenticated route
+        if (!isAuthenticated && isAuthenticatedRoute) {
+            // Redirect to login with the current URL as the redirect target
+            // Only redirect if we're not already on the login page
+            if (!isLoginPage) {
+                config.redirect(302, createLoginUrl(fullUrl));
+            }
+        }
+        // If user is authenticated and tries to access an anonymous-only route
+        // Only check if anonymous routes are defined
+        if (config.anonymous && isAuthenticated && isAnonymousRoute) {
+            config.redirect(302, config.redirectAuthenticated);
+        }
+        return resolve(event);
+    };
+}

package/esm/auth/server/helperDb.d.ts

@@ -0,0 +1,10 @@
+import { type UserInfo } from 'remult';
+export declare function createSession(token: string, userId: string): Promise<import("..").FFAuthUserSession>;
+export declare function validateSessionToken(token: string): Promise<{
+    user: UserInfo | undefined;
+    freshSession: {
+        sessionToken: string;
+        expiresAt: Date;
+    } | undefined;
+}>;
+export declare function invalidateSession(sessionId: string): Promise<void>;

package/esm/auth/server/helperDb.js

@@ -0,0 +1,56 @@
+import { repo } from 'remult';
+import { encodeToken } from './helperOslo';
+import { getSafeOptions } from './module';
+export async function createSession(token, userId) {
+    const sessionId = encodeToken(token);
+    const oSafe = getSafeOptions();
+    const session = await repo(oSafe.Session).insert({
+        id: sessionId,
+        userId,
+        expiresAt: new Date(Date.now() + oSafe.session.expiresInMs),
+    });
+    return session;
+}
+export async function validateSessionToken(token) {
+    const sessionId = encodeToken(token);
+    const oSafe = getSafeOptions();
+    const sessionDb = await repo(oSafe.Session).findId(sessionId);
+    if (!sessionDb) {
+        return { user: undefined, freshSession: undefined };
+    }
+    // TODO TRANSFORM
+    const session = {
+        //
+        id: sessionDb.id,
+        userId: sessionDb.userId,
+        expiresAt: sessionDb.expiresAt,
+    };
+    // TODO: Why I can't do 1 query ?!
+    const userDb = await repo(oSafe.User).findId(sessionDb.userId);
+    if (!userDb) {
+        await invalidateSession(sessionId);
+        return { user: undefined, freshSession: undefined };
+    }
+    const user = oSafe.transformDbUserToClientUser(sessionDb, userDb);
+    const sessionExpired = Date.now() >= session.expiresAt.getTime();
+    if (sessionExpired) {
+        await repo(oSafe.Session).delete(sessionId);
+        return { user: undefined, freshSession: undefined };
+    }
+    // To not renew non stop... Let's wait 10% of the session expires
+    const renewSession = Date.now() >= session.expiresAt.getTime() - oSafe.session.expiresInMs * 0.9;
+    if (renewSession) {
+        session.expiresAt = new Date(Date.now() + oSafe.session.expiresInMs);
+        await repo(oSafe.Session).update(sessionId, { expiresAt: session.expiresAt });
+        return { user, freshSession: { sessionToken: token, expiresAt: session.expiresAt } };
+    }
+    return { user, freshSession: undefined };
+}
+export async function invalidateSession(sessionId) {
+    const oSafe = getSafeOptions();
+    try {
+        // silent error. If the session is already deleted, it will throw an error
+        await repo(oSafe.Session).delete(sessionId);
+    }
+    catch (error) { }
+}

package/esm/auth/server/helperFirstly.d.ts

@@ -0,0 +1 @@
+export declare const ff_createSession: (userId: string) => Promise<void>;

package/esm/auth/server/helperFirstly.js

@@ -0,0 +1,8 @@
+import { createSession } from './helperDb';
+import { generateToken } from './helperOslo';
+import { setSessionTokenCookie } from './helperRemultServer';
+export const ff_createSession = async (userId) => {
+    const token = generateToken();
+    const session = await createSession(token, userId);
+    setSessionTokenCookie(token, session.expiresAt);
+};

package/esm/auth/server/helperOslo.d.ts

@@ -0,0 +1,7 @@
+export declare function generateId(): string;
+export declare function generateToken(): string;
+export declare function encodeToken(token: string): string;
+export declare function generateAndEncodeToken(): string;
+export declare function createDate(timeSpan_seconds: number, options?: {
+    from?: Date;
+}): Date;

package/esm/auth/server/helperOslo.js

@@ -0,0 +1,24 @@
+import { sha256 } from '@oslojs/crypto/sha2';
+import { encodeBase32LowerCase, encodeBase64url, encodeHexLowerCase } from '@oslojs/encoding';
+export function generateId() {
+    // ID with 120 bits of entropy, or about the same as UUID v4.
+    const bytes = crypto.getRandomValues(new Uint8Array(15));
+    const id = encodeBase32LowerCase(bytes);
+    return id;
+}
+export function generateToken() {
+    const bytes = crypto.getRandomValues(new Uint8Array(18));
+    const token = encodeBase64url(bytes);
+    return token;
+}
+export function encodeToken(token) {
+    const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+    return sessionId;
+}
+export function generateAndEncodeToken() {
+    return encodeToken(generateToken());
+}
+export function createDate(timeSpan_seconds, options) {
+    const from = options?.from ?? new Date();
+    return new Date(from.getTime() + timeSpan_seconds * 1000);
+}

package/esm/auth/server/helperRemultServer.d.ts

@@ -0,0 +1,5 @@
+export declare function setSessionTokenCookie(token: string, expiresAt: Date): void;
+export declare function deleteSessionTokenCookie(): void;
+export declare function setCodeVerifierCookie(codeVerifier: string): void;
+export declare function setOAuthStateCookie(provider: string, state: string): void;
+export declare function setRedirectCookie(redirect: string): void;

package/esm/auth/server/helperRemultServer.js

@@ -0,0 +1,44 @@
+import { DEV } from 'esm-env';
+import { remult } from 'remult';
+import { getSafeOptions } from './module';
+export function setSessionTokenCookie(token, expiresAt) {
+    const oSafe = getSafeOptions();
+    if (remult.context.setCookie) {
+        remult.context.setCookie(oSafe.session.cookieName, token, {
+            expires: expiresAt,
+            path: '/',
+        });
+    }
+}
+export function deleteSessionTokenCookie() {
+    const oSafe = getSafeOptions();
+    remult.context.deleteCookie(oSafe.session.cookieName, {
+        path: '/',
+    });
+}
+export function setCodeVerifierCookie(codeVerifier) {
+    remult.context.setCookie('code_verifier', codeVerifier, {
+        secure: !DEV,
+        path: '/',
+        httpOnly: true,
+        maxAge: 60 * 10, // 10 min
+    });
+}
+export function setOAuthStateCookie(provider, state) {
+    remult.context.setCookie(`${provider}_oauth_state`, state, {
+        path: '/',
+        secure: !DEV,
+        httpOnly: true,
+        maxAge: 60 * 10,
+        sameSite: 'lax',
+    });
+}
+export function setRedirectCookie(redirect) {
+    remult.context.setCookie(`remult_redirect`, redirect, {
+        path: '/',
+        secure: !DEV,
+        httpOnly: true,
+        maxAge: 60 * 10,
+        sameSite: 'lax',
+    });
+}

package/esm/auth/{RoleHelpers.d.ts → server/helperRole.d.ts}

@@ -1,6 +1,6 @@
 import type { ClassType } from 'remult';
 import { Log } from '@kitql/helpers';
-import { FFAuthUser } from './client/Entities';
+import { FFAuthUser } from '../Entities';
 /**
  * will merge the roles and remove duplicates
  * will return a new array & a status if the array was changed

package/esm/auth/{RoleHelpers.js → server/helperRole.js}

@@ -1,7 +1,7 @@
 import { repo } from 'remult';
 import { cyan, green, Log, yellow } from '@kitql/helpers';
 import { env } from '$env/dynamic/private';
-import { FFAuthUser } from './client/Entities';
+import { FFAuthUser } from '../Entities';
 /**
  * will merge the roles and remove duplicates
  * will return a new array & a status if the array was changed

package/esm/auth/server/index.d.ts

@@ -0,0 +1,7 @@
+import * as arctic from 'arctic';
+import { handleAuth } from './handleAuth.js';
+import { handleGuard } from './handleGuard.js';
+export { auth, authModuleRaw } from './module';
+export { checkOAuthConfig } from './providers/helperProvider';
+export { github } from './providers/github';
+export { arctic, handleAuth, handleGuard };

package/esm/auth/server/index.js

@@ -0,0 +1,7 @@
+import * as arctic from 'arctic';
+import { handleAuth } from './handleAuth.js';
+import { handleGuard } from './handleGuard.js';
+export { auth, authModuleRaw } from './module';
+export { checkOAuthConfig } from './providers/helperProvider';
+export { github } from './providers/github';
+export { arctic, handleAuth, handleGuard };