propro-utils 1.3.8

package/src/index.js

@@ -0,0 +1,68 @@
+const {
+  validateEnvironmentVariables,
+} = require("./server/middleware/validateEnv");
+let _serverAuth, _clientAuth;
+
+/**
+ * Middleware for handling both server-side and client-side authentication.
+ *
+ * @param {Object} options - Configuration options for the middleware.
+ * @param {boolean} [options.useServerAuth=true] - A boolean flag to enable server-side authentication.
+ * @param {Object} [options.serverOptions={}] - Configuration options for server-side authentication.
+ *   Example:
+ *   {
+ *     jwtSecret: 'HubHubJWTSecret', // Secret key for JWT token verification
+ *     tokenExpiry: 3600, // Token expiry time in seconds
+ *     authUrl: 'https://propro.so/auth', // URL of the authentication server
+ *     clientId: 'propro', // Client ID
+ *     clientSecret: 'propro', // Client secret
+ *     clientUrl: 'https://propro.so', // URL of the authentication client
+ *     redirectUri: 'https://propro.so/callback', // Redirect URI
+ *     validateUser: async (userId) => {  }, // Function to validate user
+ *     onAuthFailRedirect: '/login', // URL to redirect on authentication failure
+ *     additionalChecks: async (req) => {  }, // Additional custom checks for requests
+ *   }
+ * @param {boolean} [options.useClientAuth=false] - A boolean flag to enable client-side authentication.
+ * @param {Object} [options.clientOptions={}] - Configuration options for client-side authentication.
+ *
+ * @returns {Function} An Express middleware function.
+ *
+ * Example usage:
+ * app.use(proproAuthMiddleware({
+ *   useServerAuth: true,
+ *   serverOptions: {
+ *     jwtSecret: 'HubHubJWTSecret',
+ *     tokenExpiry: 3600,
+ *     validateUser: async (userId) => {  },
+ *     onAuthFailRedirect: '/login',
+ *     additionalChecks: async (req) => { },
+ *   },
+ *   useClientAuth: false,
+ * }));
+ */
+module.exports = function proproAuthMiddleware(options = {}) {
+  validateEnvironmentVariables([
+    "AUTH_URL",
+    "CLIENT_ID",
+    "CLIENT_SECRET",
+    "CLIENT_URL",
+    "REDIRECT_URI",
+  ]);
+  return (req, res, next) => {
+    try {
+      // Lazy loading and initializing server and client authentication modules with options
+      if (options.useServerAuth) {
+        _serverAuth = _serverAuth || require("./server")(options.serverOptions);
+        _serverAuth(req, res, next);
+      } else if (options.useClientAuth) {
+        _clientAuth = _clientAuth || require("./client")(options.clientOptions);
+        _clientAuth(req, res, next);
+      } else {
+        next();
+      }
+    } catch (error) {
+      console.error("Error in authentication middleware:", error);
+      next(error);
+    }
+  };
+};

package/src/server/index.js

@@ -0,0 +1,108 @@
+require("dotenv").config();
+const {
+  verifyJWT,
+  exchangeToken,
+  VerifyAccount,
+} = require("./middleware/verifyToken");
+// Main middleware function
+function proproAuthMiddleware(options = {}) {
+  const {
+    secret = "RESTFULAPIs",
+    authUrl = process.env.AUTH_URL,
+    clientId = process.env.CLIENT_ID,
+    clientSecret = process.env.CLIENT_SECRET,
+    clientUrl = process.env.CLIENT_URL,
+    redirectUri = process.env.REDIRECT_URI,
+    appName = process.env.APP_NAME,
+  } = options;
+
+  return async (req, res, next) => {
+    try {
+      // Try to get the token from the Authorization header
+      let token;
+      if (req.headers.authorization?.startsWith("Bearer ")) {
+        token = req.headers.authorization.split(" ")[1];
+      } else {
+        // If not present in Authorization header, try to get it from cookies
+        token = req.cookies['x-access-token'];
+      }
+
+      if (token) {
+        const verifiedToken = verifyJWT(token, secret);
+        if (verifiedToken) {
+          req.account = verifiedToken;
+        } else {
+          // If token is invalid or expired, try to refresh it
+          const refreshToken = req.cookies['x-refresh-token'];
+          if (refreshToken) {
+            const newTokenData = await refreshToken(authUrl, refreshToken, clientId, clientSecret);
+            if (newTokenData) {
+              // Set the new tokens in the cookies
+              res.cookie("x-refresh-token", newTokenData.tokens.refresh.token, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === "production",
+              });
+
+              res.cookie("x-access-token", newTokenData.tokens.access.token, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === "production",
+              });
+
+              req.account = verifyJWT(newTokenData.tokens.access.token, secret);
+            }
+          }
+        }
+      } else {
+        req.account = undefined;
+      }
+
+      if (!["/api/auth", "/api/callback"].includes(req.path)) {
+        return next();
+      }
+
+      if (req.path === "/api/auth") {
+        const authClientUrl = `${clientUrl}/signin`;
+        const redirectUrl = `${authClientUrl}?response_type=code&appName=${appName}&client_id=${clientId}&redirect_uri=${encodeURIComponent(
+          redirectUri
+        )}`;
+        res.status(200).json({ redirectUrl });
+      }
+
+      if (req.path === "/api/callback") {
+        const code = req.query.code;
+        if (!code) {
+          return res.status(400).send("No code received");
+        }
+
+        console.log("code", code);
+
+        const tokenData = await exchangeToken(
+          authUrl,
+          code,
+          clientId,
+          clientSecret,
+          redirectUri
+        );
+
+        res.cookie("x-refresh-token", tokenData.tokens.refresh.token, {
+          httpOnly: true,
+          secure: process.env.NODE_ENV === "production",
+        });
+
+        res.cookie("x-access-token", tokenData.tokens.access.token, {
+          httpOnly: true,
+          secure: process.env.NODE_ENV === "production",
+        });
+
+        const redirectUrl = `http://${tokenData.redirectUrl}/`;
+
+        return res.redirect(redirectUrl);
+      }
+    } catch (error) {
+      console.error("Error in proproAuthMiddleware:", error);
+      res.status(500).send("Internal Server Error");
+    }
+  };
+}
+
+module.exports = proproAuthMiddleware;

package/src/server/middleware/index.js

@@ -0,0 +1,3 @@
+module.exports.refreshTokenMiddleware = require("./refreshToken");
+module.exports.verifyTokenMiddleware = require("./verifyToken");
+module.exports.validateEnv = require("./validateEnv");

package/src/server/middleware/oauth.test.js

@@ -0,0 +1,203 @@
+describe('Test Middleware', () => {
+  // Middleware correctly verifies JWT token and sets user in request object
+  const jwt = require('jsonwebtoken');
+  const middleware = require('../middleware');
+
+  jest.mock('jsonwebtoken');
+
+  describe('Set user if the jwt is valid', () => {
+    it('should set user in request object when JWT token is valid', () => {
+      const req = {
+        headers: {
+          authorization: 'JWT validToken',
+        },
+      };
+      const res = {};
+      const next = jest.fn();
+      const decode = { username: 'testUser' };
+      jwt.verify.mockImplementation((token, secret, callback) => {
+        callback(null, decode);
+      });
+
+      middleware(req, res, next);
+
+      expect(req.user).toEqual(decode);
+      expect(next).toHaveBeenCalled();
+    });
+  });
+
+  // GET request to '/test-refresh-token' returns JSON with message and access token
+  const request = require('supertest');
+  const app = require('..');
+
+  describe('return a message and an access token', () => {
+    it('should return JSON with message and access token', async () => {
+      const response = await request(app)
+        .get('/test-refresh-token')
+        .set('Authorization', 'JWT validToken');
+
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('Access granted with a new token');
+      expect(response.body.accessToken).toBeDefined();
+    });
+  });
+
+  // GET request to '/auth' redirects to authorization server URL with correct parameters
+  const request = require('supertest');
+  const app = require('..');
+
+  describe('redirect with correct parameter', () => {
+    it('should redirect to authorization server URL with correct parameters', async () => {
+      process.env.AUTH_URL = 'http://auth-server.com';
+      process.env.CLIENT_ID = 'testClientId';
+      process.env.REDIRECT_URI = 'http://client.com/callback';
+
+      const response = await request(app).get('/auth');
+
+      expect(response.status).toBe(302);
+      expect(response.header.location).toBe(
+        'http://auth-server.com/oauth/authorize?response_type=code&client_id=testClientId&redirect_uri=http%3A%2F%2Fclient.com%2Fcallback',
+      );
+    });
+  });
+
+  // Authorization header is missing or invalid
+  const middleware = require('../middleware');
+
+  describe('Set user to undefined on missing header', () => {
+    it('should set user to undefined when authorization header is missing or invalid', () => {
+      const req = {
+        headers: {},
+      };
+      const res = {};
+      const next = jest.fn();
+
+      middleware(req, res, next);
+
+      expect(req.user).toBeUndefined();
+      expect(next).toHaveBeenCalled();
+    });
+  });
+
+  // No authorization code received in '/callback' endpoint
+  const request = require('supertest');
+  const app = require('..');
+
+  describe('Error when excchange code is received', () => {
+    it('should return 400 when no authorization code is received', async () => {
+      const response = await request(app).get('/callback');
+
+      expect(response.status).toBe(400);
+      expect(response.text).toBe('No code received');
+    });
+  });
+
+  // Error occurs during token exchange in '/callback' endpoint
+  const request = require('supertest');
+  const axios = require('axios');
+  const app = require('..');
+
+  jest.mock('axios');
+
+  describe('Error during token exchange', () => {
+    it('should return 500 when error occurs during token exchange', async () => {
+      const req = {
+        query: {
+          code: 'validCode',
+        },
+      };
+      const res = {};
+      axios.post.mockRejectedValue(new Error('Test error'));
+
+      const response = await request(app).get('/callback').query(req.query);
+
+      expect(response.status).toBe(500);
+      expect(response.text).toBe('Internal Server Error');
+    });
+  });
+
+  // GET request to '/callback' exchanges authorization code for access token and sets cookie
+  it('should exchange authorization code for access token and set cookie', async () => {
+    const req = {
+      query: {
+        code: 'authorizationCode',
+      },
+    };
+    const res = {
+      status: jest.fn().mockReturnThis(),
+      send: jest.fn(),
+      redirect: jest.fn(),
+      cookie: jest.fn(),
+    };
+    const tokenResponse = {
+      data: {
+        access_token: 'accessToken',
+        refresh_token: 'refreshToken',
+      },
+    };
+    axios.post.mockResolvedValue(tokenResponse);
+
+    await callback(req, res);
+
+    expect(axios.post).toHaveBeenCalledWith(
+      `${process.env.AUTH_URL}/oauth/token`,
+      qs.stringify({
+        grant_type: 'authorization_code',
+        code: req.query.code,
+        redirect_uri: process.env.REDIRECT_URI,
+        client_id: process.env.CLIENT_ID,
+        client_secret: process.env.CLIENT_SECRET,
+      }),
+      {
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      },
+    );
+    expect(res.cookie).toHaveBeenCalledWith(
+      'token',
+      tokenResponse.data.access_token,
+      {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+      },
+    );
+    expect(res.redirect).toHaveBeenCalledWith(
+      `${process.env.CLIENT_URL}/?access_token=${tokenResponse.data.access_token}&refresh_token=${tokenResponse.data.refresh_token}`,
+    );
+  });
+
+  // Unauthorized user receives 401 status code
+  it('should return 401 status code for unauthorized user', () => {
+    const req = {};
+    const res = {
+      status: jest.fn().mockReturnThis(),
+      send: jest.fn(),
+    };
+
+    middleware(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.send).toHaveBeenCalledWith('Unauthorized');
+  });
+
+  // Invalid redirect URI returns error in '/auth' endpoint
+  it('should return error for invalid redirect URI', () => {
+    const req = {};
+    const res = {
+      status: jest.fn().mockReturnThis(),
+      send: jest.fn(),
+    };
+    const authServerUrl = `${process.env.AUTH_URL}/oauth/authorize`;
+    const clientId = process.env.CLIENT_ID;
+    const redirectUri = process.env.REDIRECT_URI;
+
+    auth(req, res);
+
+    expect(res.redirect).toHaveBeenCalledWith(
+      `${authServerUrl}?response_type=code&client_id=${clientId}&redirect_uri=${encodeURIComponent(
+        redirectUri,
+      )}`,
+    );
+  });
+});

package/src/server/middleware/refreshToken.js

@@ -0,0 +1,82 @@
+const axios = require("axios");
+const rateLimit = require("express-rate-limit");
+const refreshTokenCache = new Map();
+
+/**
+ * Rate limiter middleware for refresh requests.
+ *
+ * @type {import('express-rate-limit').RateLimit}
+ */
+const refreshLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
+  message:
+    "Too many refresh requests from this IP, please try again after 15 minutes",
+});
+
+/**
+ * Middleware function to refresh access token using refresh token.
+ * @async
+ * @function
+ * @param {Object} req - Express request object.
+ * @param {Object} res - Express response object.
+ * @param {Function} next - Express next middleware function.
+ * @returns {Promise<void>} - Promise object that represents the completion of the middleware function.
+ */
+const refreshTokenMiddleware = async (req, res, next) => {
+  // Apply rate limiting
+  refreshLimiter(req, res, async () => {
+    const refreshToken = req.headers["x-refresh-token"];
+
+    if (!refreshToken) {
+      return res.status(401).json({ error: "No refresh token provided" });
+    }
+
+    if (!isValidRefreshTokenFormat(refreshToken)) {
+      return res.status(400).json({ error: "Invalid refresh token format" });
+    }
+
+    if (refreshTokenCache.has(refreshToken)) {
+      req.newAccessToken = refreshTokenCache.get(refreshToken);
+      return next();
+    }
+
+    try {
+      const response = await axios.post(
+        `${process.env.AUTH_URL}/oauth/token`,
+        URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          client_id: process.env.CLIENT_ID,
+          client_secret: process.env.CLIENT_SECRET,
+        }),
+        { headers: { "Content-Type": "application/x-www-form-urlencoded" } }
+      );
+
+      if (response.data && response.data.access_token) {
+        refreshTokenCache.set(refreshToken, response.data.access_token);
+        req.newAccessToken = response.data.access_token;
+        return next();
+      } else {
+        return res.status(401).json({ error: "Unable to refresh token" });
+      }
+    } catch (error) {
+      const statusCode = error.response?.status || 500;
+      const message = error.response?.data?.error || "Error refreshing token";
+      return res.status(statusCode).json({ error: message });
+    }
+  });
+};
+
+/**
+ * Checks if the given token is in a valid JWT format.
+ *
+ * @param {string} token - The token to validate.
+ * @returns {boolean} - True if the token is in a valid format, false otherwise.
+ */
+function isValidRefreshTokenFormat(token) {
+  const jwtPattern = /^[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+$/;
+  return jwtPattern.test(token);
+}
+
+module.exports = refreshTokenMiddleware;

package/src/server/middleware/refreshToken.test.js

@@ -0,0 +1,121 @@
+const rateLimit = require("express-rate-limit");
+const refreshToken = require("./refreshToken");
+
+jest.mock("express-rate-limit");
+
+describe("refreshLimiter", () => {
+  it("should be a rate limiter middleware", () => {
+    expect(rateLimit).toHaveBeenCalledWith({
+      windowMs: 15 * 60 * 1000,
+      max: 100,
+      message:
+        "Too many refresh requests from this IP, please try again after 15 minutes",
+    });
+  });
+
+  it("should be exported as a middleware function", () => {
+    expect(typeof refreshToken).toBe("function");
+  });
+
+  it("should use the rate limiter middleware", () => {
+    const mockUse = jest.fn();
+    const app = { use: mockUse };
+
+    refreshToken(app);
+
+    expect(mockUse).toHaveBeenCalledWith(rateLimit());
+  });
+});
+
+describe("refreshTokenMiddleware", () => {
+  const mockRequest = (refreshToken) => ({
+    headers: { "x-refresh-token": refreshToken },
+  });
+  const mockResponse = () => {
+    const res = {};
+    res.status = jest.fn().mockReturnValue(res);
+    res.json = jest.fn().mockReturnValue(res);
+    return res;
+  };
+  const mockNext = jest.fn();
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it("should return 401 if no refresh token is provided", async () => {
+    const req = mockRequest();
+    const res = mockResponse();
+
+    await refreshTokenMiddleware(req, res, mockNext);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({
+      error: "No refresh token provided",
+    });
+    expect(mockNext).not.toHaveBeenCalled();
+  });
+
+  it("should return 400 if refresh token has invalid format", async () => {
+    const req = mockRequest("invalid-token");
+    const res = mockResponse();
+
+    await refreshTokenMiddleware(req, res, mockNext);
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({
+      error: "Invalid refresh token format",
+    });
+    expect(mockNext).not.toHaveBeenCalled();
+  });
+
+  it("should return 401 if unable to refresh token", async () => {
+    const req = mockRequest("valid-token");
+    const res = mockResponse();
+    axios.post.mockRejectedValue({ response: { status: 401 } });
+
+    await refreshTokenMiddleware(req, res, mockNext);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({ error: "Unable to refresh token" });
+    expect(mockNext).not.toHaveBeenCalled();
+  });
+
+  it("should return 500 if an error occurs while refreshing token", async () => {
+    const req = mockRequest("valid-token");
+    const res = mockResponse();
+    axios.post.mockRejectedValue(new Error("Some error"));
+
+    await refreshTokenMiddleware(req, res, mockNext);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: "Error refreshing token" });
+    expect(mockNext).not.toHaveBeenCalled();
+  });
+
+  it("should set new access token and call next if refresh token is valid", async () => {
+    const req = mockRequest("valid-token");
+    const res = mockResponse();
+    axios.post.mockResolvedValue({
+      data: { access_token: "new-access-token" },
+    });
+
+    await refreshTokenMiddleware(req, res, mockNext);
+
+    expect(refreshTokenCache.has("valid-token")).toBe(true);
+    expect(refreshTokenCache.get("valid-token")).toBe("new-access-token");
+    expect(req.newAccessToken).toBe("new-access-token");
+    expect(mockNext).toHaveBeenCalled();
+  });
+
+  it("should use cached access token and call next if refresh token is already cached", async () => {
+    refreshTokenCache.set("valid-token", "cached-access-token");
+    const req = mockRequest("valid-token");
+    const res = mockResponse();
+
+    await refreshTokenMiddleware(req, res, mockNext);
+
+    expect(req.newAccessToken).toBe("cached-access-token");
+    expect(mockNext).toHaveBeenCalled();
+  });
+});

package/src/server/middleware/validateEnv.js

@@ -0,0 +1,12 @@
+function validateEnvironmentVariables(requiredVars) {
+  const missingVars = requiredVars.filter((varName) => !process.env[varName]);
+  if (missingVars.length > 0) {
+    throw new Error(
+      `Missing required environment variables: ${missingVars.join(", ")}`
+    );
+  }
+}
+
+module.exports = {
+  validateEnvironmentVariables,
+};