hightjs 0.1.1

package/src/auth/core.ts

@@ -0,0 +1,143 @@
+import { HightJSRequest, HightJSResponse } from '../api/http';
+import type { AuthConfig, AuthProvider, User, Session } from './types';
+import { SessionManager } from './jwt';
+
+export class HWebAuth {
+    private config: AuthConfig;
+    private sessionManager: SessionManager;
+
+    constructor(config: AuthConfig) {
+        this.config = {
+            session: { strategy: 'jwt', maxAge: 86400, ...config.session },
+            pages: { signIn: '/auth/signin', signOut: '/auth/signout', ...config.pages },
+            ...config
+        };
+
+        this.sessionManager = new SessionManager(
+            config.secret,
+            this.config.session?.maxAge || 86400
+        );
+    }
+
+    /**
+     * Middleware para adicionar autenticação às rotas
+     */
+    private async middleware(req: HightJSRequest): Promise<{ session: Session | null; user: User | null }> {
+        const token = this.getTokenFromRequest(req);
+
+        if (!token) {
+            return { session: null, user: null };
+        }
+
+        const session = this.sessionManager.verifySession(token);
+        return {
+            session,
+            user: session?.user || null
+        };
+    }
+
+    /**
+     * Autentica um usuário com credenciais
+     */
+    async signIn(provider: string, credentials: Record<string, string>): Promise<{ session: Session; token: string } | null> {
+        const authProvider = this.config.providers.find(p => p.id === provider);
+        if (!authProvider || authProvider.type !== 'credentials') {
+            return null;
+        }
+
+        if (!authProvider.authorize) {
+            return null;
+        }
+
+        try {
+            const user = await authProvider.authorize(credentials);
+            if (!user) return null;
+
+            // Callback de signIn se definido
+            if (this.config.callbacks?.signIn) {
+                const allowed = await this.config.callbacks.signIn(user, { provider }, {});
+                if (!allowed) return null;
+            }
+
+            const result = this.sessionManager.createSession(user);
+
+            // Callback de sessão se definido
+            if (this.config.callbacks?.session) {
+                result.session = await this.config.callbacks.session(result.session, user);
+            }
+
+            return result;
+        } catch (error) {
+            console.error('[hweb-auth] Erro no signIn:', error);
+            return null;
+        }
+    }
+
+    /**
+     * Faz logout do usuário
+     */
+    signOut(): HightJSResponse {
+        return HightJSResponse
+            .json({ success: true })
+            .clearCookie('hweb-auth-token', {
+                path: '/',
+                httpOnly: true,
+                secure: true, // Always use secure cookies
+                sameSite: 'strict' // Stronger CSRF protection
+            });
+    }
+
+    /**
+     * Obtém a sessão atual
+     */
+    async getSession(req: HightJSRequest): Promise<Session | null> {
+        const { session } = await this.middleware(req);
+        return session;
+    }
+
+    /**
+     * Verifica se o usuário está autenticado
+     */
+    async isAuthenticated(req: HightJSRequest): Promise<boolean> {
+        const session = await this.getSession(req);
+        return session !== null;
+    }
+
+
+    /**
+     * Cria resposta com cookie de autenticação - Secure implementation
+     */
+    createAuthResponse(token: string, data: any): HightJSResponse {
+        return HightJSResponse
+            .json(data)
+            .cookie('hweb-auth-token', token, {
+                httpOnly: true,
+                secure: true, // Always secure, even in development
+                sameSite: 'strict', // Prevent CSRF attacks
+                maxAge: (this.config.session?.maxAge || 86400) * 1000,
+                path: '/',
+                domain: undefined // Let browser set automatically for security
+            })
+            .header('X-Content-Type-Options', 'nosniff')
+            .header('X-Frame-Options', 'DENY')
+            .header('X-XSS-Protection', '1; mode=block')
+            .header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    }
+
+    /**
+     * Extrai token da requisição (cookie ou header)
+     */
+    private getTokenFromRequest(req: HightJSRequest): string | null {
+        // Primeiro tenta pegar do cookie
+        const cookieToken = req.cookie('hweb-auth-token');
+        if (cookieToken) return cookieToken;
+
+        // Depois tenta do header Authorization
+        const authHeader = req.header('authorization');
+        if (authHeader && typeof authHeader === 'string' && authHeader.startsWith('Bearer ')) {
+            return authHeader.substring(7);
+        }
+
+        return null;
+    }
+}

package/src/auth/index.ts

@@ -0,0 +1,9 @@
+// Exportações principais do sistema de autenticação
+export * from './types';
+export * from './providers';
+export * from './core';
+export * from './routes';
+export * from './jwt';
+
+export { CredentialsProvider } from './providers';
+export { createAuthRoutes } from './routes';

package/src/auth/jwt.ts

@@ -0,0 +1,194 @@
+import crypto from 'crypto';
+import type { User, Session } from './types';
+
+export class JWTManager {
+    private secret: string;
+
+    constructor(secret?: string) {
+        if (!secret && !process.env.HWEB_AUTH_SECRET) {
+            throw new Error('JWT secret is required. Set HWEB_AUTH_SECRET environment variable or provide secret parameter.');
+        }
+
+        this.secret = secret || process.env.HWEB_AUTH_SECRET!;
+
+        if (this.secret.length < 32) {
+            throw new Error('JWT secret must be at least 32 characters long for security.');
+        }
+    }
+
+    /**
+     * Cria um JWT token com validação de algoritmo
+     */
+    sign(payload: any, expiresIn: number = 86400): string {
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const now = Math.floor(Date.now() / 1000);
+
+        // Sanitize payload to prevent injection
+        const sanitizedPayload = this.sanitizePayload(payload);
+
+        const tokenPayload = {
+            ...sanitizedPayload,
+            iat: now,
+            exp: now + expiresIn,
+            alg: 'HS256' // Prevent algorithm confusion attacks
+        };
+
+        const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
+        const encodedPayload = this.base64UrlEncode(JSON.stringify(tokenPayload));
+
+        const signature = this.createSignature(encodedHeader + '.' + encodedPayload);
+
+        return `${encodedHeader}.${encodedPayload}.${signature}`;
+    }
+
+    /**
+     * Verifica e decodifica um JWT token com validação rigorosa
+     */
+    verify(token: string): any | null {
+        try {
+            if (!token || typeof token !== 'string') return null;
+
+            const parts = token.split('.');
+            if (parts.length !== 3) return null;
+
+            const [headerEncoded, payloadEncoded, signature] = parts;
+
+            // Decode and validate header
+            const header = JSON.parse(this.base64UrlDecode(headerEncoded));
+            if (header.alg !== 'HS256' || header.typ !== 'JWT') {
+                return null; // Prevent algorithm confusion attacks
+            }
+
+            // Verifica a assinatura usando constant-time comparison
+            const expectedSignature = this.createSignature(headerEncoded + '.' + payloadEncoded);
+            if (!this.constantTimeEqual(signature, expectedSignature)) return null;
+
+            // Decodifica o payload
+            const decodedPayload = JSON.parse(this.base64UrlDecode(payloadEncoded));
+
+            // Validate algorithm in payload matches header
+            if (decodedPayload.alg !== 'HS256') return null;
+
+            // Verifica expiração com margem de erro de 30 segundos
+            const now = Math.floor(Date.now() / 1000);
+            if (decodedPayload.exp && decodedPayload.exp < (now - 30)) {
+                return null;
+            }
+
+            // Validate issued at time (not too far in future)
+            if (decodedPayload.iat && decodedPayload.iat > (now + 300)) {
+                return null;
+            }
+
+            return decodedPayload;
+        } catch (error) {
+            return null;
+        }
+    }
+
+    private sanitizePayload(payload: any): any {
+        if (typeof payload !== 'object' || payload === null) {
+            return {};
+        }
+
+        const sanitized: any = {};
+        for (const [key, value] of Object.entries(payload)) {
+            // Skip dangerous properties
+            if (key.startsWith('__') || key === 'constructor' || key === 'prototype') {
+                continue;
+            }
+            sanitized[key] = value;
+        }
+        return sanitized;
+    }
+
+    private constantTimeEqual(a: string, b: string): boolean {
+        if (a.length !== b.length) return false;
+
+        let result = 0;
+        for (let i = 0; i < a.length; i++) {
+            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+        }
+        return result === 0;
+    }
+
+    private base64UrlEncode(str: string): string {
+        return Buffer.from(str)
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+
+    private base64UrlDecode(str: string): string {
+        str += '='.repeat(4 - str.length % 4);
+        return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();
+    }
+
+    private createSignature(data: string): string {
+        return crypto
+            .createHmac('sha256', this.secret)
+            .update(data)
+            .digest('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+}
+
+export class SessionManager {
+    private jwtManager: JWTManager;
+    private maxAge: number;
+
+    constructor(secret?: string, maxAge: number = 86400) {
+        this.jwtManager = new JWTManager(secret);
+        this.maxAge = maxAge;
+    }
+
+    /**
+     * Cria uma nova sessão
+     */
+    createSession(user: User): { session: Session; token: string } {
+        const expires = new Date(Date.now() + this.maxAge * 1000).toISOString();
+
+        const session: Session = {
+            user,
+            expires
+        };
+
+        const token = this.jwtManager.sign({
+            ...user
+        }, this.maxAge);
+
+        return { session, token };
+    }
+
+    /**
+     * Verifica uma sessão a partir do token
+     */
+    verifySession(token: string): Session | null {
+        try {
+            const payload = this.jwtManager.verify(token);
+            if (!payload) return null;
+
+            const session: Session = {
+                user: payload,
+                expires: new Date(payload.exp * 1000).toISOString()
+            };
+
+            return session;
+        } catch (error) {
+            return null;
+        }
+    }
+
+    /**
+     * Atualiza uma sessão existente
+     */
+    updateSession(token: string): { session: Session; token: string } | null {
+        const currentSession = this.verifySession(token);
+        if (!currentSession) return null;
+
+        return this.createSession(currentSession.user);
+    }
+}

package/src/auth/providers.ts

@@ -0,0 +1,13 @@
+import type { AuthProvider, CredentialsConfig } from './types';
+
+/**
+ * Provider para autenticação com credenciais (email/senha)
+ */
+export function CredentialsProvider(config: CredentialsConfig): AuthProvider {
+    return {
+        id: config.id || 'credentials',
+        name: config.name || 'Credentials',
+        type: 'credentials',
+        authorize: config.authorize
+    };
+}

package/src/auth/react/index.ts

@@ -0,0 +1,9 @@
+// Exportações do frontend
+export * from '../react';
+export * from '../client';
+export * from '../components';
+
+// Re-exports das funções mais usadas para conveniência
+export { getSession } from '../client';
+export { useSession, useAuth, SessionProvider } from '../react';
+export { ProtectedRoute, AuthGuard, GuestOnly } from '../components';

package/src/auth/react.tsx

@@ -0,0 +1,209 @@
+import React, { createContext, useContext, useEffect, useState, useCallback, ReactNode } from 'react';
+import type { Session, SessionContextType, SignInOptions, SignInResult, User } from './types';
+import {router} from "../client";
+
+const SessionContext = createContext<SessionContextType | undefined>(undefined);
+
+interface SessionProviderProps {
+    children: ReactNode;
+    basePath?: string;
+    refetchInterval?: number;
+    refetchOnWindowFocus?: boolean;
+}
+
+export function SessionProvider({
+    children,
+    basePath = '/api/auth',
+    refetchInterval = 0,
+    refetchOnWindowFocus = true
+}: SessionProviderProps) {
+    const [session, setSession] = useState<Session | null>(null);
+    const [status, setStatus] = useState<'loading' | 'authenticated' | 'unauthenticated'>('loading');
+
+    // Fetch da sessão atual
+    const fetchSession = useCallback(async (): Promise<Session | null> => {
+        try {
+            const response = await fetch(`${basePath}/session`, {
+                credentials: 'include'
+            });
+
+            if (!response.ok) {
+                setStatus('unauthenticated');
+                return null;
+            }
+
+            const data = await response.json();
+            const sessionData = data.session;
+
+            if (sessionData) {
+                setSession(sessionData);
+                setStatus('authenticated');
+                return sessionData;
+            } else {
+                setSession(null);
+                setStatus('unauthenticated');
+                return null;
+            }
+        } catch (error) {
+            console.error('[hweb-auth] Erro ao buscar sessão:', error);
+            setSession(null);
+            setStatus('unauthenticated');
+            return null;
+        }
+    }, [basePath]);
+
+    // SignIn function
+    const signIn = useCallback(async (
+        provider: string = 'credentials',
+        options: SignInOptions = {}
+    ): Promise<SignInResult | undefined> => {
+        try {
+            const { redirect = true, callbackUrl, ...credentials } = options;
+
+            const response = await fetch(`${basePath}/signin`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                credentials: 'include',
+                body: JSON.stringify({
+                    provider,
+                    ...credentials
+                })
+            });
+
+            const data = await response.json();
+
+            if (response.ok && data.success) {
+                // Atualiza a sessão após login bem-sucedido
+
+                if (redirect && typeof window !== 'undefined') {
+                    try {
+                        router.push(callbackUrl || '/');
+                    } catch (e) {
+                        window.location.href = callbackUrl || '/';
+                    }
+
+                }
+                await fetchSession();
+
+                return {
+                    ok: true,
+                    status: 200,
+                    url: callbackUrl || '/'
+                };
+            } else {
+                return {
+                    error: data.error || 'Authentication failed',
+                    status: response.status,
+                    ok: false
+                };
+            }
+        } catch (error) {
+            console.error('[hweb-auth] Erro no signIn:', error);
+            return {
+                error: 'Network error',
+                status: 500,
+                ok: false
+            };
+        }
+    }, [basePath, fetchSession]);
+
+    // SignOut function
+    const signOut = useCallback(async (options: { callbackUrl?: string } = {}): Promise<void> => {
+        try {
+            await fetch(`${basePath}/signout`, {
+                method: 'POST',
+                credentials: 'include'
+            });
+
+            setSession(null);
+            setStatus('unauthenticated');
+
+            if (typeof window !== 'undefined') {
+                try {
+                    router.push(options.callbackUrl || '/');
+                } catch (e) {
+                    window.location.href = options.callbackUrl || '/';
+                }
+            }
+        } catch (error) {
+            console.error('[hweb-auth] Erro no signOut:', error);
+        }
+    }, [basePath]);
+
+    // Update session
+    const update = useCallback(async (): Promise<Session | null> => {
+        return await fetchSession();
+    }, [fetchSession]);
+
+    // Initial session fetch
+    useEffect(() => {
+        fetchSession();
+    }, [fetchSession]);
+
+    // Refetch interval
+    useEffect(() => {
+        if (refetchInterval > 0) {
+            const interval = setInterval(() => {
+                if (status === 'authenticated') {
+                    fetchSession();
+                }
+            }, refetchInterval * 1000);
+
+            return () => clearInterval(interval);
+        }
+    }, [refetchInterval, status, fetchSession]);
+
+    // Refetch on window focus
+    useEffect(() => {
+        if (refetchOnWindowFocus) {
+            const handleFocus = () => {
+                if (status === 'authenticated') {
+                    fetchSession();
+                }
+            };
+
+            window.addEventListener('focus', handleFocus);
+            return () => window.removeEventListener('focus', handleFocus);
+        }
+    }, [refetchOnWindowFocus, status, fetchSession]);
+
+    const value: SessionContextType = {
+        data: session,
+        status,
+        signIn,
+        signOut,
+        update
+    };
+
+    return (
+        <SessionContext.Provider value={value}>
+            {children}
+        </SessionContext.Provider>
+    );
+}
+
+/**
+ * Hook para acessar a sessão atual
+ */
+export function useSession(): SessionContextType {
+    const context = useContext(SessionContext);
+    if (context === undefined) {
+        throw new Error('useSession deve ser usado dentro de um SessionProvider');
+    }
+    return context;
+}
+
+/**
+ * Hook para verificar se o usuário está autenticado
+ */
+export function useAuth(): { user: User | null; isAuthenticated: boolean; isLoading: boolean } {
+    const { data: session, status } = useSession();
+
+    return {
+        user: session?.user || null,
+        isAuthenticated: status === 'authenticated',
+        isLoading: status === 'loading'
+    };
+}