hightjs 0.4.0 → 0.5.1

package/src/auth/jwt.ts

@@ -1,210 +0,0 @@
-/*
- * This file is part of the HightJS Project.
- * Copyright (c) 2025 itsmuzin
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-import crypto from 'crypto';
-import type { User, Session } from './types';
-
-export class JWTManager {
-    private secret: string;
-
-    constructor(secret?: string) {
-        if (!secret && !process.env.HWEB_AUTH_SECRET) {
-            throw new Error('JWT secret is required. Set HWEB_AUTH_SECRET environment variable or provide secret parameter.');
-        }
-
-        this.secret = secret || process.env.HWEB_AUTH_SECRET!;
-
-        if (this.secret.length < 32) {
-            throw new Error('JWT secret must be at least 32 characters long for security.');
-        }
-    }
-
-    /**
-     * Cria um JWT token com validação de algoritmo
-     */
-    sign(payload: any, expiresIn: number = 86400): string {
-        const header = { alg: 'HS256', typ: 'JWT' };
-        const now = Math.floor(Date.now() / 1000);
-
-        // Sanitize payload to prevent injection
-        const sanitizedPayload = this.sanitizePayload(payload);
-
-        const tokenPayload = {
-            ...sanitizedPayload,
-            iat: now,
-            exp: now + expiresIn,
-            alg: 'HS256' // Prevent algorithm confusion attacks
-        };
-
-        const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
-        const encodedPayload = this.base64UrlEncode(JSON.stringify(tokenPayload));
-
-        const signature = this.createSignature(encodedHeader + '.' + encodedPayload);
-
-        return `${encodedHeader}.${encodedPayload}.${signature}`;
-    }
-
-    /**
-     * Verifica e decodifica um JWT token com validação rigorosa
-     */
-    verify(token: string): any | null {
-        try {
-            if (!token || typeof token !== 'string') return null;
-
-            const parts = token.split('.');
-            if (parts.length !== 3) return null;
-
-            const [headerEncoded, payloadEncoded, signature] = parts;
-
-            // Decode and validate header
-            const header = JSON.parse(this.base64UrlDecode(headerEncoded));
-            if (header.alg !== 'HS256' || header.typ !== 'JWT') {
-                return null; // Prevent algorithm confusion attacks
-            }
-
-            // Verifica a assinatura usando constant-time comparison
-            const expectedSignature = this.createSignature(headerEncoded + '.' + payloadEncoded);
-            if (!this.constantTimeEqual(signature, expectedSignature)) return null;
-
-            // Decodifica o payload
-            const decodedPayload = JSON.parse(this.base64UrlDecode(payloadEncoded));
-
-            // Validate algorithm in payload matches header
-            if (decodedPayload.alg !== 'HS256') return null;
-
-            // Verifica expiração com margem de erro de 30 segundos
-            const now = Math.floor(Date.now() / 1000);
-            if (decodedPayload.exp && decodedPayload.exp < (now - 30)) {
-                return null;
-            }
-
-            // Validate issued at time (not too far in future)
-            if (decodedPayload.iat && decodedPayload.iat > (now + 300)) {
-                return null;
-            }
-
-            return decodedPayload;
-        } catch (error) {
-            return null;
-        }
-    }
-
-    private sanitizePayload(payload: any): any {
-        if (typeof payload !== 'object' || payload === null) {
-            return {};
-        }
-
-        const sanitized: any = {};
-        for (const [key, value] of Object.entries(payload)) {
-            // Skip dangerous properties
-            if (key.startsWith('__') || key === 'constructor' || key === 'prototype') {
-                continue;
-            }
-            sanitized[key] = value;
-        }
-        return sanitized;
-    }
-
-    private constantTimeEqual(a: string, b: string): boolean {
-        if (a.length !== b.length) return false;
-
-        let result = 0;
-        for (let i = 0; i < a.length; i++) {
-            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-        }
-        return result === 0;
-    }
-
-    private base64UrlEncode(str: string): string {
-        return Buffer.from(str)
-            .toString('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=/g, '');
-    }
-
-    private base64UrlDecode(str: string): string {
-        str += '='.repeat(4 - str.length % 4);
-        return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();
-    }
-
-    private createSignature(data: string): string {
-        return crypto
-            .createHmac('sha256', this.secret)
-            .update(data)
-            .digest('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=/g, '');
-    }
-}
-
-export class SessionManager {
-    private jwtManager: JWTManager;
-    private maxAge: number;
-
-    constructor(secret?: string, maxAge: number = 86400) {
-        this.jwtManager = new JWTManager(secret);
-        this.maxAge = maxAge;
-    }
-
-    /**
-     * Cria uma nova sessão
-     */
-    createSession(user: User): { session: Session; token: string } {
-        const expires = new Date(Date.now() + this.maxAge * 1000).toISOString();
-
-        const session: Session = {
-            user,
-            expires
-        };
-
-        const token = this.jwtManager.sign({
-            ...user
-        }, this.maxAge);
-
-        return { session, token };
-    }
-
-    /**
-     * Verifica uma sessão a partir do token
-     */
-    verifySession(token: string): Session | null {
-        try {
-            const payload = this.jwtManager.verify(token);
-            if (!payload) return null;
-
-            const session: Session = {
-                user: payload,
-                expires: new Date(payload.exp * 1000).toISOString()
-            };
-
-            return session;
-        } catch (error) {
-            return null;
-        }
-    }
-
-    /**
-     * Atualiza uma sessão existente
-     */
-    updateSession(token: string): { session: Session; token: string } | null {
-        const currentSession = this.verifySession(token);
-        if (!currentSession) return null;
-
-        return this.createSession(currentSession.user);
-    }
-}

package/src/auth/providers/credentials.ts

@@ -1,139 +0,0 @@
-/*
- * This file is part of the HightJS Project.
- * Copyright (c) 2025 itsmuzin
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-import type { AuthProviderClass, User, AuthRoute } from '../types';
-import { HightJSRequest, HightJSResponse } from '../../api/http';
-
-export interface CredentialsConfig {
-    id?: string;
-    name?: string;
-    credentials: Record<string, {
-        label: string;
-        type: string;
-        placeholder?: string;
-    }>;
-    authorize: (credentials: Record<string, string>) => Promise<User | null> | User | null;
-}
-
-/**
- * Provider para autenticação com credenciais (email/senha)
- *
- * Este provider permite autenticação usando email/senha ou qualquer outro
- * sistema de credenciais customizado. Você define a função authorize
- * que será chamada para validar as credenciais.
- *
- * Exemplo de uso:
- * ```typescript
- * new CredentialsProvider({
- *   name: "Credentials",
- *   credentials: {
- *     email: { label: "Email", type: "email" },
- *     password: { label: "Password", type: "password" }
- *   },
- *   async authorize(credentials) {
- *     // Aqui você faz a validação com seu banco de dados
- *     const user = await validateUser(credentials.email, credentials.password);
- *     if (user) {
- *       return { id: user.id, name: user.name, email: user.email };
- *     }
- *     return null;
- *   }
- * })
- * ```
- */
-export class CredentialsProvider implements AuthProviderClass {
-    public readonly id: string;
-    public readonly name: string;
-    public readonly type: string = 'credentials';
-
-    private config: CredentialsConfig;
-
-    constructor(config: CredentialsConfig) {
-        this.config = config;
-        this.id = config.id || 'credentials';
-        this.name = config.name || 'Credentials';
-    }
-
-    /**
-     * Método principal para autenticar usuário com credenciais
-     */
-    async handleSignIn(credentials: Record<string, string>): Promise<User | null> {
-        try {
-            if (!this.config.authorize) {
-                throw new Error('Authorize function not provided');
-            }
-
-            const user = await this.config.authorize(credentials);
-
-            if (!user) {
-                return null;
-            }
-
-            // Adiciona informações do provider ao usuário
-            return {
-                ...user,
-                provider: this.id,
-                providerId: user.id || user.email || 'unknown'
-            };
-
-        } catch (error) {
-            console.error(`[${this.id} Provider] Error during sign in:`, error);
-            return null;
-        }
-    }
-
-
-
-    /**
-     * Retorna configuração pública do provider
-     */
-    getConfig(): any {
-        return {
-            id: this.id,
-            name: this.name,
-            type: this.type,
-            credentials: this.config.credentials
-        };
-    }
-
-    /**
-     * Valida se as credenciais fornecidas são válidas
-     */
-    validateCredentials(credentials: Record<string, string>): boolean {
-        for (const [key, field] of Object.entries(this.config.credentials)) {
-            if (!credentials[key]) {
-                console.warn(`[${this.id} Provider] Missing required credential: ${key}`);
-                return false;
-            }
-
-            // Validações básicas por tipo
-            if (field.type === 'email' && !this.isValidEmail(credentials[key])) {
-                console.warn(`[${this.id} Provider] Invalid email format: ${credentials[key]}`);
-                return false;
-            }
-        }
-
-        return true;
-    }
-
-    /**
-     * Validação simples de email
-     */
-    private isValidEmail(email: string): boolean {
-        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-        return emailRegex.test(email);
-    }
-}

package/src/auth/providers/discord.ts

@@ -1,239 +0,0 @@
-/*
- * This file is part of the HightJS Project.
- * Copyright (c) 2025 itsmuzin
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-import type {AuthProviderClass, AuthRoute, User} from '../types';
-import {HightJSRequest, HightJSResponse} from '../../api/http';
-
-export interface DiscordConfig {
-    id?: string;
-    name?: string;
-    clientId: string;
-    clientSecret: string;
-    callbackUrl?: string;
-    successUrl?: string;
-    // Escopos OAuth, padrão: ['identify', 'email']
-    scope?: string[];
-}
-
-/**
- * Provider para autenticação com Discord OAuth2
- *
- * Este provider permite autenticação usando Discord OAuth2.
- * Automaticamente gerencia o fluxo OAuth completo e rotas necessárias.
- *
- * Exemplo de uso:
- * ```typescript
- * new DiscordProvider({
- * clientId: process.env.DISCORD_CLIENT_ID!,
- * clientSecret: process.env.DISCORD_CLIENT_SECRET!,
- * callbackUrl: "http://localhost:3000/api/auth/callback/discord"
- * })
- * ```
- *
- * Fluxo de autenticação:
- * 1. GET /api/auth/signin/discord - Gera URL e redireciona para Discord
- * 2. Discord redireciona para /api/auth/callback/discord com código
- * 3. Provider troca código por token e busca dados do usuário
- * 4. Retorna objeto User com dados do Discord
- */
-export class DiscordProvider implements AuthProviderClass {
-    public readonly id: string;
-    public readonly name: string;
-    public readonly type: string = 'discord';
-
-    private config: DiscordConfig;
-    private readonly defaultScope = ['identify', 'email'];
-
-    constructor(config: DiscordConfig) {
-        this.config = config;
-        this.id = config.id || 'discord';
-        this.name = config.name || 'Discord';
-    }
-
-    /**
-     * Método para gerar URL OAuth (usado pelo handleSignIn)
-     */
-    handleOauth(credentials: Record<string, string> = {}): string {
-        return this.getAuthorizationUrl();
-    }
-
-    /**
-     * Método principal - agora redireciona para OAuth ou processa callback
-     */
-    async handleSignIn(credentials: Record<string, string>): Promise<User | string | null> {
-        // Se tem código, é callback - processa autenticação
-        if (credentials.code) {
-            return await this.processOAuthCallback(credentials);
-        }
-
-        // Se não tem código, é início do OAuth - retorna URL
-        return this.handleOauth(credentials);
-    }
-
-    /**
-     * Processa o callback OAuth (código → usuário)
-     */
-    private async processOAuthCallback(credentials: Record<string, string>): Promise<User | null> {
-        try {
-            const { code } = credentials;
-            if (!code) {
-                throw new Error('Authorization code not provided');
-            }
-
-
-            // Troca o código por access token
-            const tokenResponse = await fetch('https://discord.com/api/oauth2/token', {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/x-www-form-urlencoded',
-                },
-                body: new URLSearchParams({
-                    client_id: this.config.clientId,
-                    client_secret: this.config.clientSecret,
-                    grant_type: 'authorization_code',
-                    code,
-                    redirect_uri: this.config.callbackUrl || '',
-                }),
-            });
-
-            if (!tokenResponse.ok) {
-                const error = await tokenResponse.text();
-                // O erro original "Invalid \"code\" in request." acontece aqui.
-                throw new Error(`Failed to exchange code for token: ${error}`);
-            }
-
-            const tokens = await tokenResponse.json();
-
-            // Busca dados do usuário
-            const userResponse = await fetch('https://discord.com/api/users/@me', {
-                headers: {
-                    'Authorization': `Bearer ${tokens.access_token}`,
-                },
-            });
-
-            if (!userResponse.ok) {
-                throw new Error('Failed to fetch user data');
-            }
-
-            const discordUser = await userResponse.json();
-
-            // Retorna objeto User padronizado
-            return {
-                id: discordUser.id,
-                name: discordUser.global_name || discordUser.username,
-                email: discordUser.email,
-                image: discordUser.avatar
-                    ? `https://cdn.discordapp.com/avatars/${discordUser.id}/${discordUser.avatar}.png`
-                    : null,
-                username: discordUser.username,
-                discriminator: discordUser.discriminator,
-                provider: this.id,
-                providerId: discordUser.id,
-                accessToken: tokens.access_token,
-                refreshToken: tokens.refresh_token
-            };
-
-        } catch (error) {
-            console.error(`[${this.id} Provider] Error during OAuth callback:`, error);
-            return null;
-        }
-    }
-
-    /**
-     * Rotas adicionais específicas do Discord OAuth
-     */
-    public additionalRoutes: AuthRoute[] = [
-        // Rota de callback do Discord
-        {
-            method: 'GET',
-            path: '/api/auth/callback/discord',
-            handler: async (req: HightJSRequest, params: any) => {
-                const url = new URL(req.url || '', 'http://localhost');
-                const code = url.searchParams.get('code');
-
-                if (!code) {
-                    return HightJSResponse.json({ error: 'Authorization code not provided' }, { status: 400 });
-                }
-
-                try {
-                    // CORREÇÃO: O fluxo correto é delegar o 'code' para o endpoint de signin
-                    // principal, que processará o código uma única vez. A implementação anterior
-                    // usava o código duas vezes, causando o erro 'invalid_grant'.
-                    const authResponse = await fetch(`${req.headers.origin || 'http://localhost:3000'}/api/auth/signin`, {
-                        method: 'POST',
-                        headers: {
-                            'Content-Type': 'application/json',
-                        },
-                        body: JSON.stringify({
-                            provider: this.id,
-                            code,
-                        })
-                    });
-
-                    if (authResponse.ok) {
-                        // Propaga o cookie de sessão retornado pelo endpoint de signin
-                        // e redireciona o usuário para a página de sucesso.
-                        const setCookieHeader = authResponse.headers.get('set-cookie');
-
-                        if(this.config.successUrl) {
-                            return HightJSResponse
-                                .redirect(this.config.successUrl)
-                                .header('Set-Cookie', setCookieHeader || '');
-                        }
-                        return HightJSResponse.json({ success: true })
-                            .header('Set-Cookie', setCookieHeader || '');
-                    } else {
-                        const errorText = await authResponse.text();
-                        console.error(`[${this.id} Provider] Session creation failed during callback. Status: ${authResponse.status}, Body: ${errorText}`);
-                        return HightJSResponse.json({ error: 'Session creation failed' }, { status: 500 });
-                    }
-
-                } catch (error) {
-                    console.error(`[${this.id} Provider] Callback handler fetch error:`, error);
-                    return HightJSResponse.json({ error: 'Internal server error' }, { status: 500 });
-                }
-            }
-        }
-    ];
-
-    /**
-     * Gera URL de autorização do Discord
-     */
-    getAuthorizationUrl(): string {
-        const params = new URLSearchParams({
-            client_id: this.config.clientId,
-            redirect_uri: this.config.callbackUrl || '',
-            response_type: 'code',
-            scope: (this.config.scope || this.defaultScope).join(' ')
-        });
-
-        return `https://discord.com/api/oauth2/authorize?${params.toString()}`;
-    }
-
-    /**
-     * Retorna configuração pública do provider
-     */
-    getConfig(): any {
-        return {
-            id: this.id,
-            name: this.name,
-            type: this.type,
-            clientId: this.config.clientId, // Público
-            scope: this.config.scope || this.defaultScope,
-            callbackUrl: this.config.callbackUrl
-        };
-    }
-}