hightjs 0.1.1

package/dist/auth/core.js

@@ -0,0 +1,124 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HWebAuth = void 0;
+const http_1 = require("../api/http");
+const jwt_1 = require("./jwt");
+class HWebAuth {
+    constructor(config) {
+        this.config = {
+            session: { strategy: 'jwt', maxAge: 86400, ...config.session },
+            pages: { signIn: '/auth/signin', signOut: '/auth/signout', ...config.pages },
+            ...config
+        };
+        this.sessionManager = new jwt_1.SessionManager(config.secret, this.config.session?.maxAge || 86400);
+    }
+    /**
+     * Middleware para adicionar autenticação às rotas
+     */
+    async middleware(req) {
+        const token = this.getTokenFromRequest(req);
+        if (!token) {
+            return { session: null, user: null };
+        }
+        const session = this.sessionManager.verifySession(token);
+        return {
+            session,
+            user: session?.user || null
+        };
+    }
+    /**
+     * Autentica um usuário com credenciais
+     */
+    async signIn(provider, credentials) {
+        const authProvider = this.config.providers.find(p => p.id === provider);
+        if (!authProvider || authProvider.type !== 'credentials') {
+            return null;
+        }
+        if (!authProvider.authorize) {
+            return null;
+        }
+        try {
+            const user = await authProvider.authorize(credentials);
+            if (!user)
+                return null;
+            // Callback de signIn se definido
+            if (this.config.callbacks?.signIn) {
+                const allowed = await this.config.callbacks.signIn(user, { provider }, {});
+                if (!allowed)
+                    return null;
+            }
+            const result = this.sessionManager.createSession(user);
+            // Callback de sessão se definido
+            if (this.config.callbacks?.session) {
+                result.session = await this.config.callbacks.session(result.session, user);
+            }
+            return result;
+        }
+        catch (error) {
+            console.error('[hweb-auth] Erro no signIn:', error);
+            return null;
+        }
+    }
+    /**
+     * Faz logout do usuário
+     */
+    signOut() {
+        return http_1.HightJSResponse
+            .json({ success: true })
+            .clearCookie('hweb-auth-token', {
+            path: '/',
+            httpOnly: true,
+            secure: true, // Always use secure cookies
+            sameSite: 'strict' // Stronger CSRF protection
+        });
+    }
+    /**
+     * Obtém a sessão atual
+     */
+    async getSession(req) {
+        const { session } = await this.middleware(req);
+        return session;
+    }
+    /**
+     * Verifica se o usuário está autenticado
+     */
+    async isAuthenticated(req) {
+        const session = await this.getSession(req);
+        return session !== null;
+    }
+    /**
+     * Cria resposta com cookie de autenticação - Secure implementation
+     */
+    createAuthResponse(token, data) {
+        return http_1.HightJSResponse
+            .json(data)
+            .cookie('hweb-auth-token', token, {
+            httpOnly: true,
+            secure: true, // Always secure, even in development
+            sameSite: 'strict', // Prevent CSRF attacks
+            maxAge: (this.config.session?.maxAge || 86400) * 1000,
+            path: '/',
+            domain: undefined // Let browser set automatically for security
+        })
+            .header('X-Content-Type-Options', 'nosniff')
+            .header('X-Frame-Options', 'DENY')
+            .header('X-XSS-Protection', '1; mode=block')
+            .header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    }
+    /**
+     * Extrai token da requisição (cookie ou header)
+     */
+    getTokenFromRequest(req) {
+        // Primeiro tenta pegar do cookie
+        const cookieToken = req.cookie('hweb-auth-token');
+        if (cookieToken)
+            return cookieToken;
+        // Depois tenta do header Authorization
+        const authHeader = req.header('authorization');
+        if (authHeader && typeof authHeader === 'string' && authHeader.startsWith('Bearer ')) {
+            return authHeader.substring(7);
+        }
+        return null;
+    }
+}
+exports.HWebAuth = HWebAuth;

package/dist/auth/index.d.ts

@@ -0,0 +1,7 @@
+export * from './types';
+export * from './providers';
+export * from './core';
+export * from './routes';
+export * from './jwt';
+export { CredentialsProvider } from './providers';
+export { createAuthRoutes } from './routes';

package/dist/auth/index.js

@@ -0,0 +1,27 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthRoutes = exports.CredentialsProvider = void 0;
+// Exportações principais do sistema de autenticação
+__exportStar(require("./types"), exports);
+__exportStar(require("./providers"), exports);
+__exportStar(require("./core"), exports);
+__exportStar(require("./routes"), exports);
+__exportStar(require("./jwt"), exports);
+var providers_1 = require("./providers");
+Object.defineProperty(exports, "CredentialsProvider", { enumerable: true, get: function () { return providers_1.CredentialsProvider; } });
+var routes_1 = require("./routes");
+Object.defineProperty(exports, "createAuthRoutes", { enumerable: true, get: function () { return routes_1.createAuthRoutes; } });

package/dist/auth/jwt.d.ts

@@ -0,0 +1,41 @@
+import type { User, Session } from './types';
+export declare class JWTManager {
+    private secret;
+    constructor(secret?: string);
+    /**
+     * Cria um JWT token com validação de algoritmo
+     */
+    sign(payload: any, expiresIn?: number): string;
+    /**
+     * Verifica e decodifica um JWT token com validação rigorosa
+     */
+    verify(token: string): any | null;
+    private sanitizePayload;
+    private constantTimeEqual;
+    private base64UrlEncode;
+    private base64UrlDecode;
+    private createSignature;
+}
+export declare class SessionManager {
+    private jwtManager;
+    private maxAge;
+    constructor(secret?: string, maxAge?: number);
+    /**
+     * Cria uma nova sessão
+     */
+    createSession(user: User): {
+        session: Session;
+        token: string;
+    };
+    /**
+     * Verifica uma sessão a partir do token
+     */
+    verifySession(token: string): Session | null;
+    /**
+     * Atualiza uma sessão existente
+     */
+    updateSession(token: string): {
+        session: Session;
+        token: string;
+    } | null;
+}

package/dist/auth/jwt.js

@@ -0,0 +1,169 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionManager = exports.JWTManager = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+class JWTManager {
+    constructor(secret) {
+        if (!secret && !process.env.HWEB_AUTH_SECRET) {
+            throw new Error('JWT secret is required. Set HWEB_AUTH_SECRET environment variable or provide secret parameter.');
+        }
+        this.secret = secret || process.env.HWEB_AUTH_SECRET;
+        if (this.secret.length < 32) {
+            throw new Error('JWT secret must be at least 32 characters long for security.');
+        }
+    }
+    /**
+     * Cria um JWT token com validação de algoritmo
+     */
+    sign(payload, expiresIn = 86400) {
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const now = Math.floor(Date.now() / 1000);
+        // Sanitize payload to prevent injection
+        const sanitizedPayload = this.sanitizePayload(payload);
+        const tokenPayload = {
+            ...sanitizedPayload,
+            iat: now,
+            exp: now + expiresIn,
+            alg: 'HS256' // Prevent algorithm confusion attacks
+        };
+        const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
+        const encodedPayload = this.base64UrlEncode(JSON.stringify(tokenPayload));
+        const signature = this.createSignature(encodedHeader + '.' + encodedPayload);
+        return `${encodedHeader}.${encodedPayload}.${signature}`;
+    }
+    /**
+     * Verifica e decodifica um JWT token com validação rigorosa
+     */
+    verify(token) {
+        try {
+            if (!token || typeof token !== 'string')
+                return null;
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const [headerEncoded, payloadEncoded, signature] = parts;
+            // Decode and validate header
+            const header = JSON.parse(this.base64UrlDecode(headerEncoded));
+            if (header.alg !== 'HS256' || header.typ !== 'JWT') {
+                return null; // Prevent algorithm confusion attacks
+            }
+            // Verifica a assinatura usando constant-time comparison
+            const expectedSignature = this.createSignature(headerEncoded + '.' + payloadEncoded);
+            if (!this.constantTimeEqual(signature, expectedSignature))
+                return null;
+            // Decodifica o payload
+            const decodedPayload = JSON.parse(this.base64UrlDecode(payloadEncoded));
+            // Validate algorithm in payload matches header
+            if (decodedPayload.alg !== 'HS256')
+                return null;
+            // Verifica expiração com margem de erro de 30 segundos
+            const now = Math.floor(Date.now() / 1000);
+            if (decodedPayload.exp && decodedPayload.exp < (now - 30)) {
+                return null;
+            }
+            // Validate issued at time (not too far in future)
+            if (decodedPayload.iat && decodedPayload.iat > (now + 300)) {
+                return null;
+            }
+            return decodedPayload;
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    sanitizePayload(payload) {
+        if (typeof payload !== 'object' || payload === null) {
+            return {};
+        }
+        const sanitized = {};
+        for (const [key, value] of Object.entries(payload)) {
+            // Skip dangerous properties
+            if (key.startsWith('__') || key === 'constructor' || key === 'prototype') {
+                continue;
+            }
+            sanitized[key] = value;
+        }
+        return sanitized;
+    }
+    constantTimeEqual(a, b) {
+        if (a.length !== b.length)
+            return false;
+        let result = 0;
+        for (let i = 0; i < a.length; i++) {
+            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+        }
+        return result === 0;
+    }
+    base64UrlEncode(str) {
+        return Buffer.from(str)
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+    base64UrlDecode(str) {
+        str += '='.repeat(4 - str.length % 4);
+        return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();
+    }
+    createSignature(data) {
+        return crypto_1.default
+            .createHmac('sha256', this.secret)
+            .update(data)
+            .digest('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+}
+exports.JWTManager = JWTManager;
+class SessionManager {
+    constructor(secret, maxAge = 86400) {
+        this.jwtManager = new JWTManager(secret);
+        this.maxAge = maxAge;
+    }
+    /**
+     * Cria uma nova sessão
+     */
+    createSession(user) {
+        const expires = new Date(Date.now() + this.maxAge * 1000).toISOString();
+        const session = {
+            user,
+            expires
+        };
+        const token = this.jwtManager.sign({
+            ...user
+        }, this.maxAge);
+        return { session, token };
+    }
+    /**
+     * Verifica uma sessão a partir do token
+     */
+    verifySession(token) {
+        try {
+            const payload = this.jwtManager.verify(token);
+            if (!payload)
+                return null;
+            const session = {
+                user: payload,
+                expires: new Date(payload.exp * 1000).toISOString()
+            };
+            return session;
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    /**
+     * Atualiza uma sessão existente
+     */
+    updateSession(token) {
+        const currentSession = this.verifySession(token);
+        if (!currentSession)
+            return null;
+        return this.createSession(currentSession.user);
+    }
+}
+exports.SessionManager = SessionManager;

package/dist/auth/providers.d.ts

@@ -0,0 +1,5 @@
+import type { AuthProvider, CredentialsConfig } from './types';
+/**
+ * Provider para autenticação com credenciais (email/senha)
+ */
+export declare function CredentialsProvider(config: CredentialsConfig): AuthProvider;

package/dist/auth/providers.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialsProvider = CredentialsProvider;
+/**
+ * Provider para autenticação com credenciais (email/senha)
+ */
+function CredentialsProvider(config) {
+    return {
+        id: config.id || 'credentials',
+        name: config.name || 'Credentials',
+        type: 'credentials',
+        authorize: config.authorize
+    };
+}

package/dist/auth/react/index.d.ts

@@ -0,0 +1,6 @@
+export * from '../react';
+export * from '../client';
+export * from '../components';
+export { getSession } from '../client';
+export { useSession, useAuth, SessionProvider } from '../react';
+export { ProtectedRoute, AuthGuard, GuestOnly } from '../components';

package/dist/auth/react/index.js

@@ -0,0 +1,32 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GuestOnly = exports.AuthGuard = exports.ProtectedRoute = exports.SessionProvider = exports.useAuth = exports.useSession = exports.getSession = void 0;
+// Exportações do frontend
+__exportStar(require("../react"), exports);
+__exportStar(require("../client"), exports);
+__exportStar(require("../components"), exports);
+// Re-exports das funções mais usadas para conveniência
+var client_1 = require("../client");
+Object.defineProperty(exports, "getSession", { enumerable: true, get: function () { return client_1.getSession; } });
+var react_1 = require("../react");
+Object.defineProperty(exports, "useSession", { enumerable: true, get: function () { return react_1.useSession; } });
+Object.defineProperty(exports, "useAuth", { enumerable: true, get: function () { return react_1.useAuth; } });
+Object.defineProperty(exports, "SessionProvider", { enumerable: true, get: function () { return react_1.SessionProvider; } });
+var components_1 = require("../components");
+Object.defineProperty(exports, "ProtectedRoute", { enumerable: true, get: function () { return components_1.ProtectedRoute; } });
+Object.defineProperty(exports, "AuthGuard", { enumerable: true, get: function () { return components_1.AuthGuard; } });
+Object.defineProperty(exports, "GuestOnly", { enumerable: true, get: function () { return components_1.GuestOnly; } });

package/dist/auth/react.d.ts

@@ -0,0 +1,22 @@
+import { ReactNode } from 'react';
+import type { SessionContextType, User } from './types';
+interface SessionProviderProps {
+    children: ReactNode;
+    basePath?: string;
+    refetchInterval?: number;
+    refetchOnWindowFocus?: boolean;
+}
+export declare function SessionProvider({ children, basePath, refetchInterval, refetchOnWindowFocus }: SessionProviderProps): import("react/jsx-runtime").JSX.Element;
+/**
+ * Hook para acessar a sessão atual
+ */
+export declare function useSession(): SessionContextType;
+/**
+ * Hook para verificar se o usuário está autenticado
+ */
+export declare function useAuth(): {
+    user: User | null;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+};
+export {};

package/dist/auth/react.js

@@ -0,0 +1,175 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionProvider = SessionProvider;
+exports.useSession = useSession;
+exports.useAuth = useAuth;
+const jsx_runtime_1 = require("react/jsx-runtime");
+const react_1 = require("react");
+const client_1 = require("../client");
+const SessionContext = (0, react_1.createContext)(undefined);
+function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0, refetchOnWindowFocus = true }) {
+    const [session, setSession] = (0, react_1.useState)(null);
+    const [status, setStatus] = (0, react_1.useState)('loading');
+    // Fetch da sessão atual
+    const fetchSession = (0, react_1.useCallback)(async () => {
+        try {
+            const response = await fetch(`${basePath}/session`, {
+                credentials: 'include'
+            });
+            if (!response.ok) {
+                setStatus('unauthenticated');
+                return null;
+            }
+            const data = await response.json();
+            const sessionData = data.session;
+            if (sessionData) {
+                setSession(sessionData);
+                setStatus('authenticated');
+                return sessionData;
+            }
+            else {
+                setSession(null);
+                setStatus('unauthenticated');
+                return null;
+            }
+        }
+        catch (error) {
+            console.error('[hweb-auth] Erro ao buscar sessão:', error);
+            setSession(null);
+            setStatus('unauthenticated');
+            return null;
+        }
+    }, [basePath]);
+    // SignIn function
+    const signIn = (0, react_1.useCallback)(async (provider = 'credentials', options = {}) => {
+        try {
+            const { redirect = true, callbackUrl, ...credentials } = options;
+            const response = await fetch(`${basePath}/signin`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                credentials: 'include',
+                body: JSON.stringify({
+                    provider,
+                    ...credentials
+                })
+            });
+            const data = await response.json();
+            if (response.ok && data.success) {
+                // Atualiza a sessão após login bem-sucedido
+                if (redirect && typeof window !== 'undefined') {
+                    try {
+                        client_1.router.push(callbackUrl || '/');
+                    }
+                    catch (e) {
+                        window.location.href = callbackUrl || '/';
+                    }
+                }
+                await fetchSession();
+                return {
+                    ok: true,
+                    status: 200,
+                    url: callbackUrl || '/'
+                };
+            }
+            else {
+                return {
+                    error: data.error || 'Authentication failed',
+                    status: response.status,
+                    ok: false
+                };
+            }
+        }
+        catch (error) {
+            console.error('[hweb-auth] Erro no signIn:', error);
+            return {
+                error: 'Network error',
+                status: 500,
+                ok: false
+            };
+        }
+    }, [basePath, fetchSession]);
+    // SignOut function
+    const signOut = (0, react_1.useCallback)(async (options = {}) => {
+        try {
+            await fetch(`${basePath}/signout`, {
+                method: 'POST',
+                credentials: 'include'
+            });
+            setSession(null);
+            setStatus('unauthenticated');
+            if (typeof window !== 'undefined') {
+                try {
+                    client_1.router.push(options.callbackUrl || '/');
+                }
+                catch (e) {
+                    window.location.href = options.callbackUrl || '/';
+                }
+            }
+        }
+        catch (error) {
+            console.error('[hweb-auth] Erro no signOut:', error);
+        }
+    }, [basePath]);
+    // Update session
+    const update = (0, react_1.useCallback)(async () => {
+        return await fetchSession();
+    }, [fetchSession]);
+    // Initial session fetch
+    (0, react_1.useEffect)(() => {
+        fetchSession();
+    }, [fetchSession]);
+    // Refetch interval
+    (0, react_1.useEffect)(() => {
+        if (refetchInterval > 0) {
+            const interval = setInterval(() => {
+                if (status === 'authenticated') {
+                    fetchSession();
+                }
+            }, refetchInterval * 1000);
+            return () => clearInterval(interval);
+        }
+    }, [refetchInterval, status, fetchSession]);
+    // Refetch on window focus
+    (0, react_1.useEffect)(() => {
+        if (refetchOnWindowFocus) {
+            const handleFocus = () => {
+                if (status === 'authenticated') {
+                    fetchSession();
+                }
+            };
+            window.addEventListener('focus', handleFocus);
+            return () => window.removeEventListener('focus', handleFocus);
+        }
+    }, [refetchOnWindowFocus, status, fetchSession]);
+    const value = {
+        data: session,
+        status,
+        signIn,
+        signOut,
+        update
+    };
+    return ((0, jsx_runtime_1.jsx)(SessionContext.Provider, { value: value, children: children }));
+}
+/**
+ * Hook para acessar a sessão atual
+ */
+function useSession() {
+    const context = (0, react_1.useContext)(SessionContext);
+    if (context === undefined) {
+        throw new Error('useSession deve ser usado dentro de um SessionProvider');
+    }
+    return context;
+}
+/**
+ * Hook para verificar se o usuário está autenticado
+ */
+function useAuth() {
+    const { data: session, status } = useSession();
+    return {
+        user: session?.user || null,
+        isAuthenticated: status === 'authenticated',
+        isLoading: status === 'loading'
+    };
+}

package/dist/auth/routes.d.ts

@@ -0,0 +1,16 @@
+import { HightJSRequest, HightJSResponse } from '../api/http';
+import type { AuthConfig } from './types';
+import { HWebAuth } from './core';
+/**
+ * Cria o handler catch-all para /api/auth/[...value]
+ */
+export declare function createAuthRoutes(config: AuthConfig): {
+    pattern: string;
+    GET(req: HightJSRequest, params: {
+        [key: string]: string;
+    }): Promise<HightJSResponse>;
+    POST(req: HightJSRequest, params: {
+        [key: string]: string;
+    }): Promise<any>;
+    auth: HWebAuth;
+};