frontend-hamroun 1.1.90 → 1.2.0

package/src/backend/auth.ts

@@ -0,0 +1,543 @@
+import { Request, Response, NextFunction } from 'express';
+import jwt from 'jsonwebtoken';
+import bcrypt from 'bcrypt';
+import crypto from 'crypto';
+
+/**
+ * Authentication configuration options
+ */
+export interface AuthOptions {
+  /**
+   * Secret key for JWT signing
+   */
+  jwtSecret: string;
+  
+  /**
+   * Secret key for refresh token signing (defaults to jwtSecret if not provided)
+   */
+  refreshSecret?: string;
+  
+  /**
+   * JWT token expiration time (default: '15m')
+   */
+  tokenExpiration?: string;
+  
+  /**
+   * Refresh token expiration time (default: '7d')
+   */
+  refreshExpiration?: string;
+  
+  /**
+   * Number of bcrypt salt rounds (default: 10)
+   */
+  saltRounds?: number;
+  
+  /**
+   * Custom user finder function
+   */
+  findUser?: (username: string) => Promise<any>;
+  
+  /**
+   * Custom password verification (defaults to bcrypt compare)
+   */
+  verifyPassword?: (password: string, hashedPassword: string) => Promise<boolean>;
+  
+  /**
+   * Custom function to save refresh token
+   */
+  saveRefreshToken?: (userId: string, token: string, expires: Date) => Promise<void>;
+  
+  /**
+   * Custom function to verify refresh token
+   */
+  verifyRefreshToken?: (userId: string, token: string) => Promise<boolean>;
+  
+  /**
+   * Use secure cookies for tokens (default: process.env.NODE_ENV === 'production')
+   */
+  secureCookies?: boolean;
+  
+  /**
+   * Cookie domain
+   */
+  cookieDomain?: string;
+  
+  /**
+   * Use HTTP-only cookies (default: true)
+   */
+  httpOnlyCookies?: boolean;
+  
+  /**
+   * Implement rate limiting for login attempts (default: true)
+   */
+  rateLimit?: boolean;
+}
+
+/**
+ * Token pair containing access and refresh tokens
+ */
+export interface TokenPair {
+  accessToken: string;
+  refreshToken: string;
+  expiresIn: number;
+}
+
+/**
+ * Authentication service
+ */
+export class Auth {
+  private options: AuthOptions;
+  private loginAttempts: Map<string, { count: number, resetTime: number }> = new Map();
+  
+  constructor(options: AuthOptions) {
+    this.options = {
+      tokenExpiration: '15m',
+      refreshExpiration: '7d',
+      saltRounds: 10,
+      secureCookies: process.env.NODE_ENV === 'production',
+      httpOnlyCookies: true,
+      rateLimit: true,
+      ...options,
+      refreshSecret: options.refreshSecret || options.jwtSecret
+    };
+    
+    if (!options.jwtSecret) {
+      throw new Error('JWT secret is required for authentication');
+    }
+    
+    // Set default password verification if not provided
+    if (!this.options.verifyPassword) {
+      this.options.verifyPassword = this.verifyPasswordWithBcrypt;
+    }
+  }
+  
+  /**
+   * Hash a password using bcrypt
+   */
+  async hashPassword(password: string): Promise<string> {
+    return await bcrypt.hash(password, this.options.saltRounds || 10);
+  }
+  
+  /**
+   * Verify a password against a hash using bcrypt
+   */
+  private async verifyPasswordWithBcrypt(password: string, hashedPassword: string): Promise<boolean> {
+    return await bcrypt.compare(password, hashedPassword);
+  }
+  
+  /**
+   * Generate a cryptographically secure random token
+   */
+  generateSecureToken(length = 32): string {
+    return crypto.randomBytes(length).toString('hex');
+  }
+  
+  /**
+   * Generate token pair (access token + refresh token)
+   */
+  generateTokenPair(payload: any): TokenPair {
+    // Calculate expiration times
+    const expiresIn = this.getExpirationSeconds(this.options.tokenExpiration || '15m');
+    
+    // Generate the access token
+    const accessToken = jwt.sign(
+      { ...payload, type: 'access' }, 
+      this.options.jwtSecret, 
+      { expiresIn: this.options.tokenExpiration }
+    );
+    
+    // Generate the refresh token
+    const refreshToken = jwt.sign(
+      { id: payload.id, type: 'refresh' },
+      this.options.refreshSecret!,
+      { expiresIn: this.options.refreshExpiration }
+    );
+    
+    return {
+      accessToken,
+      refreshToken,
+      expiresIn
+    };
+  }
+  
+  /**
+   * Convert JWT expiration time to seconds
+   */
+  private getExpirationSeconds(expiration: string): number {
+    const unit = expiration.charAt(expiration.length - 1);
+    const value = parseInt(expiration.slice(0, -1));
+    
+    switch (unit) {
+      case 's': return value;
+      case 'm': return value * 60;
+      case 'h': return value * 60 * 60;
+      case 'd': return value * 60 * 60 * 24;
+      default: return 3600; // Default 1 hour
+    }
+  }
+  
+  /**
+   * Verify a JWT token
+   */
+  verifyToken(token: string, type: 'access' | 'refresh' = 'access'): any {
+    try {
+      const secret = type === 'access' ? this.options.jwtSecret : this.options.refreshSecret;
+      const decoded = jwt.verify(token, secret!);
+      
+      // Verify token type matches expected type
+      if (typeof decoded === 'object' && decoded.type !== type) {
+        throw new Error('Invalid token type');
+      }
+      
+      return decoded;
+    } catch (error) {
+      throw new Error('Invalid or expired token');
+    }
+  }
+  
+  /**
+   * Set authentication cookies
+   */
+  setAuthCookies(res: Response, tokens: TokenPair): void {
+    // Set access token cookie
+    res.cookie('accessToken', tokens.accessToken, {
+      httpOnly: this.options.httpOnlyCookies,
+      secure: this.options.secureCookies,
+      domain: this.options.cookieDomain,
+      sameSite: 'strict',
+      maxAge: tokens.expiresIn * 1000
+    });
+    
+    // Set refresh token cookie with longer expiration
+    const refreshExpiresIn = this.getExpirationSeconds(this.options.refreshExpiration || '7d');
+    res.cookie('refreshToken', tokens.refreshToken, {
+      httpOnly: true, // Always HTTP only for refresh tokens
+      secure: this.options.secureCookies,
+      domain: this.options.cookieDomain,
+      sameSite: 'strict',
+      maxAge: refreshExpiresIn * 1000,
+      path: '/api/auth/refresh' // Restrict to refresh endpoint
+    });
+  }
+  
+  /**
+   * Clear authentication cookies
+   */
+  clearAuthCookies(res: Response): void {
+    res.clearCookie('accessToken');
+    res.clearCookie('refreshToken', { path: '/api/auth/refresh' });
+  }
+  
+  /**
+   * Check and handle rate limiting
+   */
+  private checkRateLimit(ip: string): boolean {
+    if (!this.options.rateLimit) {
+      return true;
+    }
+    
+    const now = Date.now();
+    const attempt = this.loginAttempts.get(ip);
+    
+    if (!attempt) {
+      this.loginAttempts.set(ip, { count: 1, resetTime: now + 3600000 });
+      return true;
+    }
+    
+    // Reset if time expired
+    if (now > attempt.resetTime) {
+      this.loginAttempts.set(ip, { count: 1, resetTime: now + 3600000 });
+      return true;
+    }
+    
+    // Check attempts
+    if (attempt.count >= 5) {
+      return false;
+    }
+    
+    // Increment counter
+    attempt.count++;
+    this.loginAttempts.set(ip, attempt);
+    return true;
+  }
+  
+  /**
+   * Login middleware to authenticate users
+   */
+  login = async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { username, password } = req.body;
+      const ip = req.ip || req.connection.remoteAddress || '';
+      
+      // Check rate limiting
+      if (!this.checkRateLimit(ip)) {
+        res.status(429).json({ 
+          success: false, 
+          message: 'Too many login attempts. Please try again later.' 
+        });
+        return;
+      }
+      
+      if (!username || !password) {
+        res.status(400).json({ 
+          success: false, 
+          message: 'Username and password are required' 
+        });
+        return;
+      }
+      
+      // Use custom find user function if provided
+      if (!this.options.findUser) {
+        res.status(500).json({ 
+          success: false, 
+          message: 'User finder function not configured' 
+        });
+        return;
+      }
+      
+      const user = await this.options.findUser(username);
+      
+      if (!user) {
+        res.status(401).json({ 
+          success: false, 
+          message: 'Invalid credentials' 
+        });
+        return;
+      }
+      
+      // Verify password
+      const isPasswordValid = await this.options.verifyPassword!(
+        password, 
+        user.password
+      );
+      
+      if (!isPasswordValid) {
+        res.status(401).json({ 
+          success: false, 
+          message: 'Invalid credentials' 
+        });
+        return;
+      }
+      
+      // Create a sanitized user object (without password)
+      const userWithoutPassword = { ...user };
+      delete userWithoutPassword.password;
+      
+      // Generate tokens
+      const tokenPair = this.generateTokenPair({
+        id: user.id || user._id,
+        username: user.username,
+        role: user.role || 'user'
+      });
+      
+      // Save refresh token if the function is provided
+      if (this.options.saveRefreshToken) {
+        const refreshExpiry = new Date();
+        refreshExpiry.setSeconds(refreshExpiry.getSeconds() + 
+          this.getExpirationSeconds(this.options.refreshExpiration || '7d'));
+          
+        await this.options.saveRefreshToken(
+          user.id || user._id,
+          tokenPair.refreshToken,
+          refreshExpiry
+        );
+      }
+      
+      // Set authentication cookies if using cookie-based auth
+      if (req.body.useCookies) {
+        this.setAuthCookies(res, tokenPair);
+      }
+      
+      res.json({
+        success: true,
+        message: 'Authentication successful',
+        tokens: tokenPair,
+        user: userWithoutPassword
+      });
+    } catch (error) {
+      console.error('Authentication error:', error);
+      res.status(500).json({ 
+        success: false, 
+        message: 'Authentication failed',
+        error: process.env.NODE_ENV !== 'production' ? (error as Error).message : undefined
+      });
+    }
+  };
+  
+  /**
+   * Refresh token handler
+   */
+  refreshToken = async (req: Request, res: Response): Promise<void> => {
+    try {
+      // Get refresh token from cookies or request body
+      const refreshToken = req.cookies?.refreshToken || req.body.refreshToken;
+      
+      if (!refreshToken) {
+        res.status(401).json({ 
+          success: false, 
+          message: 'Refresh token required' 
+        });
+        return;
+      }
+      
+      // Verify the refresh token
+      const decoded = this.verifyToken(refreshToken, 'refresh');
+      
+      // Check if token is still valid in database if verification function provided
+      if (this.options.verifyRefreshToken) {
+        const isValid = await this.options.verifyRefreshToken(decoded.id, refreshToken);
+        if (!isValid) {
+          this.clearAuthCookies(res);
+          res.status(401).json({ 
+            success: false, 
+            message: 'Invalid refresh token' 
+          });
+          return;
+        }
+      }
+      
+      // Generate new token pair
+      const tokenPair = this.generateTokenPair({
+        id: decoded.id,
+        // We need to fetch the user data again for complete payload
+        ...(this.options.findUser ? await this.options.findUser(decoded.id) : {})
+      });
+      
+      // Update refresh token in database if save function provided
+      if (this.options.saveRefreshToken) {
+        const refreshExpiry = new Date();
+        refreshExpiry.setSeconds(refreshExpiry.getSeconds() + 
+          this.getExpirationSeconds(this.options.refreshExpiration || '7d'));
+          
+        await this.options.saveRefreshToken(
+          decoded.id,
+          tokenPair.refreshToken,
+          refreshExpiry
+        );
+      }
+      
+      // Set cookies if cookie-based auth is used
+      const useCookies = req.cookies?.accessToken || req.body.useCookies;
+      if (useCookies) {
+        this.setAuthCookies(res, tokenPair);
+      }
+      
+      res.json({
+        success: true,
+        message: 'Token refreshed successfully',
+        tokens: tokenPair
+      });
+    } catch (error) {
+      this.clearAuthCookies(res);
+      res.status(401).json({ 
+        success: false, 
+        message: 'Invalid or expired refresh token',
+        error: process.env.NODE_ENV !== 'production' ? (error as Error).message : undefined
+      });
+    }
+  };
+  
+  /**
+   * Logout handler
+   */
+  logout = async (req: Request, res: Response): Promise<void> => {
+    try {
+      // Clear cookies
+      this.clearAuthCookies(res);
+      
+      // Invalidate refresh token if verification function provided
+      const refreshToken = req.cookies?.refreshToken || req.body.refreshToken;
+      if (refreshToken && this.options.saveRefreshToken) {
+        try {
+          const decoded = this.verifyToken(refreshToken, 'refresh');
+          
+          // Check if invalidateToken function exists, otherwise we just remove it from storage
+          if (typeof this.options.saveRefreshToken === 'function') {
+            // We pass null as the token to indicate deletion/invalidation
+            await this.options.saveRefreshToken(decoded.id, '', new Date());
+          }
+        } catch (e) {
+          // Token already invalid, nothing to do
+        }
+      }
+      
+      res.json({ success: true, message: 'Logged out successfully' });
+    } catch (error) {
+      console.error('Logout error:', error);
+      res.status(500).json({ success: false, message: 'Logout failed', error: (error as Error).message });
+    }
+  };
+  
+  /**
+   * Middleware to verify user is authenticated
+   */
+  authenticate = (req: Request, res: Response, next: NextFunction): void => {
+    try {
+      // Get token from Authorization header or cookies
+      let token = req.cookies?.accessToken;
+      
+      if (!token) {
+        const authHeader = req.headers.authorization;
+        if (authHeader && authHeader.startsWith('Bearer ')) {
+          token = authHeader.split(' ')[1];
+        }
+      }
+      
+      if (!token) {
+        res.status(401).json({ 
+          success: false, 
+          message: 'Authentication required' 
+        });
+        return;
+      }
+      
+      const decoded = this.verifyToken(token, 'access');
+      
+      // Add user info to request
+      (req as any).user = decoded;
+      
+      next();
+    } catch (error) {
+      res.status(401).json({ 
+        success: false, 
+        message: 'Invalid or expired token',
+        error: process.env.NODE_ENV !== 'production' ? (error as Error).message : undefined
+      });
+    }
+  };
+  
+  /**
+   * Middleware to check if user has required role
+   */
+  hasRole = (role: string | string[]) => {
+    return (req: Request, res: Response, next: NextFunction): void => {
+      const user = (req as any).user;
+      
+      if (!user) {
+        res.status(401).json({ 
+          success: false, 
+          message: 'Authentication required' 
+        });
+        return;
+      }
+      
+      const roles = Array.isArray(role) ? role : [role];
+      
+      if (roles.includes(user.role)) {
+        next();
+      } else {
+        res.status(403).json({ 
+          success: false, 
+          message: 'Insufficient permissions' 
+        });
+      }
+    };
+  };
+}
+
+/**
+ * Create an authentication service
+ */
+export function createAuth(options: AuthOptions): Auth {
+  return new Auth(options);
+}

package/src/backend/database.ts

@@ -0,0 +1,104 @@
+import mongoose from 'mongoose';
+import { DatabaseOptions } from './types';
+
+/**
+ * Database connector for MongoDB using Mongoose
+ */
+export  class DatabaseConnector {
+  private options: DatabaseOptions;
+  private connection: mongoose.Connection | null = null;
+  private _connected = false;  // Renamed from isConnected to _connected
+
+  constructor(options: DatabaseOptions) {
+    this.options = {
+      retryAttempts: 3,
+      retryDelay: 1000,
+      connectionTimeout: 10000,
+      autoIndex: true,
+      ...options
+    };
+  }
+
+  /**
+   * Connect to the database
+   */
+  async connect(): Promise<mongoose.Connection> {
+    try {
+      if (this._connected && this.connection) {
+        return this.connection;
+      }
+
+      // Set Mongoose options
+      mongoose.set('strictQuery', true);
+      
+      // Connect with retry logic
+      let attempts = 0;
+      while (attempts < (this.options.retryAttempts || 3)) {
+        try {
+          await mongoose.connect(this.options.uri, {
+            dbName: this.options.name,
+            connectTimeoutMS: this.options.connectionTimeout,
+            autoIndex: this.options.autoIndex,
+            ...this.options.options
+          });
+          break;
+        } catch (error) {
+          attempts++;
+          if (attempts >= (this.options.retryAttempts || 3)) {
+            throw error;
+          }
+          console.log(`Connection attempt ${attempts} failed. Retrying in ${this.options.retryDelay}ms...`);
+          await new Promise(resolve => setTimeout(resolve, this.options.retryDelay));
+        }
+      }
+
+      this.connection = mongoose.connection;
+      this._connected = true;
+
+      // Log successful connection
+      console.log(`Connected to MongoDB at ${this.options.uri}/${this.options.name}`);
+      
+      // Handle connection events
+      this.connection.on('error', (err) => {
+        console.error('MongoDB connection error:', err);
+        this._connected = false;
+      });
+
+      this.connection.on('disconnected', () => {
+        console.log('MongoDB disconnected');
+        this._connected = false;
+      });
+
+      return this.connection;
+    } catch (error) {
+      console.error('Failed to connect to MongoDB:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Disconnect from the database
+   */
+  async disconnect(): Promise<void> {
+    if (this.connection) {
+      await mongoose.disconnect();
+      this._connected = false;
+      this.connection = null;
+      console.log('Disconnected from MongoDB');
+    }
+  }
+
+  /**
+   * Check if connected to the database
+   */
+  isConnected(): boolean {
+    return this._connected;
+  }
+
+  /**
+   * Get the mongoose connection
+   */
+  getConnection(): mongoose.Connection | null {
+    return this.connection;
+  }
+}