prostgles-server 4.2.159 → 4.2.161

package/lib/Auth/AuthTypes.ts

@@ -0,0 +1,280 @@
+import { Express, NextFunction, Request, Response } from "express";
+import { AnyObject, FieldFilter, IdentityProvider, UserLike } from "prostgles-types";
+import { DB } from "../Prostgles";
+import { DBOFullyTyped } from "../DBSchemaBuilder";
+import { PRGLIOSocket } from "../DboBuilder/DboBuilderTypes";
+import type { AuthenticateOptions } from "passport";
+import type { StrategyOptions as GoogleStrategy, Profile as GoogleProfile } from "passport-google-oauth20";
+import type { StrategyOptions as GitHubStrategy, Profile as GitHubProfile } from "passport-github2";
+import type { MicrosoftStrategyOptions } from "passport-microsoft";
+import type { StrategyOptions as FacebookStrategy, Profile as FacebookProfile } from "passport-facebook";
+import Mail from "nodemailer/lib/mailer";
+
+type Awaitable<T> = T | Promise<T>;
+
+export type ExpressReq = Request;
+export type ExpressRes = Response;
+
+export type LoginClientInfo = {
+  ip_address: string;
+  ip_address_remote: string | undefined;
+  x_real_ip: string | undefined;
+  user_agent: string | undefined;
+};
+
+export type BasicSession = {
+
+  /** Must be hard to bruteforce */
+  sid: string;
+
+  /** UNIX millisecond timestamp */
+  expires: number;
+
+  /** On expired */
+  onExpiration: "redirect" | "show_error";
+};
+export type AuthClientRequest = { socket: PRGLIOSocket } | { httpReq: ExpressReq };
+
+type ThirdPartyProviders = {
+  facebook?: Pick<FacebookStrategy, "clientID" | "clientSecret"> & {
+    authOpts?: AuthenticateOptions;
+  };
+  google?: Pick<GoogleStrategy, "clientID" | "clientSecret"> & {
+    authOpts?: AuthenticateOptions;
+  };
+  github?: Pick<GitHubStrategy, "clientID" | "clientSecret"> & {
+    authOpts?: AuthenticateOptions;
+  };
+  microsoft?: Pick<MicrosoftStrategyOptions, "clientID" | "clientSecret"> & {
+    authOpts?: AuthenticateOptions;
+  };
+};
+
+export type SMTPConfig = {
+  type: "smtp";
+  host: string;
+  port: number;
+  secure: boolean;
+  user: string;
+  pass: string;
+} | {
+  type: "aws-ses";
+  region: string;
+  accessKeyId: string;
+  secretAccessKey: string;
+  /**
+   * Sending rate per second
+   * Defaults to 1
+   */
+  sendingRate?: number;
+}
+
+export type Email = {
+  from: string;
+  to: string;
+  subject: string;
+  html: string;
+  text?: string;
+  attachments?: { filename: string; content: string; }[] | Mail.Attachment[];
+}
+
+type EmailWithoutTo = Omit<Email, "to">;
+
+type EmailProvider = 
+| {
+  signupType: "withMagicLink";
+  onRegistered: (data: { username: string; }) => void | Promise<void>;
+  emailMagicLink:  {
+    onSend: (data: { email: string; magicLinkPath: string; }) => EmailWithoutTo | Promise<EmailWithoutTo>;
+    smtp: SMTPConfig;
+  };
+} 
+| {
+  signupType: "withPassword";
+  onRegistered: (data: { username: string; password: string; }) => void | Promise<void>;
+  /**
+   * Defaults to 8
+   */
+  minPasswordLength?: number;
+  /**
+   * If provided, the user will be required to confirm their email address
+   */
+  emailConfirmation?: {
+    onSend: (data: { email: string; confirmationUrlPath: string; }) => EmailWithoutTo | Promise<EmailWithoutTo>;
+    smtp: SMTPConfig;
+    onConfirmed: (data: { confirmationCode: string; }) => void | Promise<void>;
+  };
+};
+
+export type AuthProviderUserData = 
+| {
+  provider: "google";
+  profile: GoogleProfile;
+  accessToken: string; 
+  refreshToken: string;
+}
+| {
+  provider: "github";
+  profile: GitHubProfile;
+  accessToken: string; 
+  refreshToken: string;
+}
+| {
+  provider: "facebook";
+  profile: FacebookProfile;
+  accessToken: string; 
+  refreshToken: string;
+}
+| {
+  provider: "microsoft";
+  profile: any;
+  accessToken: string; 
+  refreshToken: string;
+}
+
+export type RegistrationData = 
+| {
+  provider: "email";
+  profile: {
+    username: string;
+    password: string;
+  }
+} 
+| AuthProviderUserData;
+
+export type AuthRegistrationConfig<S> = {
+  email?: EmailProvider;
+
+  OAuthProviders?: ThirdPartyProviders;
+
+  /**
+   * Required for social login callback
+   */
+  websiteUrl: string;
+
+  /**
+   * Used to stop abuse
+   */
+  onProviderLoginStart?: (data: { provider: IdentityProvider; dbo: DBOFullyTyped<S>, db: DB; req: ExpressReq, res: ExpressRes; clientInfo: LoginClientInfo }) => Promise<{ error: string; } | { ok: true; }>;
+
+  /**
+   * Used to identify abuse
+   */
+  onProviderLoginFail?: (data: { provider: IdentityProvider; error: any; dbo: DBOFullyTyped<S>, db: DB; req: ExpressReq, res: ExpressRes; clientInfo: LoginClientInfo }) => void | Promise<void>;
+};
+
+export type SessionUser<ServerUser extends UserLike = UserLike, ClientUser extends UserLike = UserLike> = {
+  /** 
+   * This user will be available in all serverside prostgles options
+   * id and type values will be available in the prostgles.user session variable in postgres
+   * */
+  user: ServerUser;
+  /**
+   * Controls which fields from user are available in postgres session variable
+   */
+  sessionFields?: FieldFilter<ServerUser>;
+  /**
+   * User data sent to the authenticated client
+   */
+  clientUser: ClientUser;
+}
+
+export type AuthResult<SU = SessionUser> = SU & { sid: string; } | {
+  user?: undefined; 
+  clientUser?: undefined; 
+  sid?: string;
+} | undefined;
+
+export type AuthRequestParams<S, SUser extends SessionUser> = { db: DB, dbo: DBOFullyTyped<S>; getUser: () => Promise<AuthResult<SUser>> }
+
+export type Auth<S = void, SUser extends SessionUser = SessionUser> = {
+  /**
+   * Name of the cookie or socket hadnshake query param that represents the session id. 
+   * Defaults to "session_id"
+   */
+  sidKeyName?: string;
+
+  /**
+   * Response time rounding in milliseconds to prevent timing attacks on login. Login response time should always be a multiple of this value. Defaults to 500 milliseconds
+   */
+  responseThrottle?: number;
+
+  /**
+   * Will setup auth routes 
+   *  /login
+   *  /logout
+   *  /magic-link/:id
+   */
+  expressConfig?: {
+
+    /**
+     * Express app instance. If provided Prostgles will attempt to set sidKeyName to user cookie
+     */
+    app: Express;
+
+    /**
+     * Options used in setting the cookie after a successful login
+     */
+    cookieOptions?: AnyObject;
+
+    /**
+     * False by default. If false and userRoutes are provided then the socket will request window.location.reload if the current url is on a user route.
+     */
+    disableSocketAuthGuard?: boolean;
+
+    /**
+     * If provided, any client requests to NOT these routes (or their subroutes) will be redirected to loginRoute (if logged in) and then redirected back to the initial route after logging in
+     * If logged in the user is allowed to access these routes
+     */
+    publicRoutes?: string[];
+
+    /**
+     * Will attach a app.use listener and will expose getUser
+     * Used for blocking access
+     */
+    use?: (args: { req: ExpressReq; res: ExpressRes, next: NextFunction } & AuthRequestParams<S, SUser>) => void | Promise<void>;
+
+    /**
+     * Will be called after a GET request is authorised
+     * This means that 
+     */
+    onGetRequestOK?: (
+      req: ExpressReq, 
+      res: ExpressRes, 
+      params: AuthRequestParams<S, SUser>
+    ) => any;
+
+    /**
+     * If defined, will check the magic link id and log in the user and redirect to the returnUrl if set
+     */
+    magicLinks?: {
+
+      /**
+       * Used in creating a session/logging in using a magic link
+       */
+      check: (magicId: string, dbo: DBOFullyTyped<S>, db: DB, client: LoginClientInfo) => Awaitable<BasicSession | undefined>;
+    }
+
+    registrations?: AuthRegistrationConfig<S>;
+  }
+
+  /**
+   * undefined sid is allowed to enable public users
+   */
+  getUser: (sid: string | undefined, dbo: DBOFullyTyped<S>, db: DB, client: AuthClientRequest & LoginClientInfo) => Awaitable<AuthResult<SUser>>;
+
+  login?: (params: LoginParams, dbo: DBOFullyTyped<S>, db: DB, client: LoginClientInfo) => Awaitable<BasicSession> | BasicSession;
+  logout?: (sid: string | undefined, dbo: DBOFullyTyped<S>, db: DB) => Awaitable<any>;
+
+  /**
+   * If provided then session info will be saved on socket.__prglCache and reused from there
+   */
+  cacheSession?: {
+    getSession: (sid: string | undefined, dbo: DBOFullyTyped<S>, db: DB) => Awaitable<BasicSession>
+  }
+}
+
+
+export type LoginParams = 
+| { type: "username"; username: string; password: string; [key: string]: any }
+| ({ type: "provider"; } & AuthProviderUserData)

package/lib/Auth/getSafeReturnURL.ts

@@ -0,0 +1,35 @@
+export const getSafeReturnURL = (returnURL: string, returnUrlParamName: string, quiet = false) => {
+  /** Dissalow redirect to other domains */
+  if(returnURL) {
+    const allowedOrigin = "https://localhost";
+    const { origin, pathname, search, searchParams } = new URL(returnURL, allowedOrigin);
+    if(
+      origin !== allowedOrigin ||
+      returnURL !== `${pathname}${search}` ||
+      searchParams.get(returnUrlParamName)
+    ){
+      if(!quiet){
+        console.error(`Unsafe returnUrl: ${returnURL}. Redirecting to /`);
+      }
+      return "/";
+    }
+
+    return returnURL;
+  }
+}
+
+const issue = ([
+  ["https://localhost", "/"],
+  ["//localhost.bad.com", "/"],
+  ["//localhost.com", "/"],
+  ["/localhost/com", "/localhost/com"],
+  ["/localhost/com?here=there", "/localhost/com?here=there"],
+  ["/localhost/com?returnUrl=there", "/"],
+  ["//http://localhost.com", "/"],
+  ["//abc.com", "/"],
+  ["///abc.com", "/"],
+] as const).find(([returnURL, expected]) => getSafeReturnURL(returnURL, "returnUrl", true) !== expected);
+
+if(issue){
+  throw new Error(`getSafeReturnURL failed for ${issue[0]}. Expected: ${issue[1]}`);
+}

package/lib/Auth/sendEmail.ts

@@ -0,0 +1,83 @@
+import { Email, SMTPConfig } from "./AuthTypes";
+import nodemailer from "nodemailer";
+import aws from "@aws-sdk/client-ses";
+import SESTransport from "nodemailer/lib/ses-transport";
+
+type SESTransporter =  nodemailer.Transporter<SESTransport.SentMessageInfo, SESTransport.Options>;
+type SMTPTransporter = nodemailer.Transporter<nodemailer.SentMessageInfo, nodemailer.TransportOptions>;
+type Transporter = SESTransporter | SMTPTransporter;
+
+const transporterCache: Map<string, Transporter> = new Map();
+
+/**
+ * Allows sending emails using nodemailer default config or AWS SES
+ * https://www.nodemailer.com/transports/ses/
+ */
+export const sendEmail = (smptConfig: SMTPConfig, email: Email) => {
+  const configStr = JSON.stringify(smptConfig);
+  const transporter = transporterCache.get(configStr) ?? getTransporter(smptConfig);
+  if(!transporterCache.has(configStr)){
+    transporterCache.set(configStr, transporter);
+  }
+
+  return send(transporter, email);
+}
+
+const getTransporter = (smptConfig: SMTPConfig) => {
+  let transporter: Transporter | undefined;
+  if(smptConfig.type === "aws-ses"){
+    const { 
+      region, 
+      accessKeyId, 
+      secretAccessKey,
+      /**
+       * max 1 messages/second
+       */
+      sendingRate = 1 
+    } = smptConfig;
+    const ses = new aws.SES({
+      apiVersion: "2010-12-01",
+      region,
+      credentials: {
+        accessKeyId,
+        secretAccessKey
+      }
+    });
+
+    transporter = nodemailer.createTransport({
+      SES: { ses, aws },
+      maxConnections: 1,
+      sendingRate 
+    });
+
+  } else {
+    const { user, pass, host, port, secure } = smptConfig;
+    transporter = nodemailer.createTransport({
+      host,
+      port,
+      secure,
+      auth: { user, pass }
+    });
+  }
+
+  return transporter;
+}
+
+const send = (transporter: Transporter, email: Email) => {
+  return new Promise((resolve, reject) => {
+    transporter.once('idle', () => {
+      if (transporter.isIdle()) {
+        transporter.sendMail(
+          email,
+          (err, info) => {
+            if(err){
+              reject(err);
+            } else {
+              resolve(info);
+            }
+          }
+        );
+      }
+    });
+  });
+};

package/lib/Auth/setAuthProviders.ts

@@ -0,0 +1,128 @@
+import type e from "express";
+import { RequestHandler } from "express";
+import { Strategy as FacebookStrategy } from "passport-facebook";
+import { Strategy as GitHubStrategy } from "passport-github2";
+import { Strategy as GoogleStrategy } from "passport-google-oauth20";
+import { Strategy as MicrosoftStrategy } from "passport-microsoft";
+import { AuthSocketSchema, getObjectEntries, isEmpty } from "prostgles-types";
+import { getErrorAsObject } from "../DboBuilder/dboBuilderUtils";
+import { removeExpressRouteByName } from "../FileManager/FileManager";
+import { AUTH_ROUTES_AND_PARAMS, AuthHandler, getLoginClientInfo } from "./AuthHandler";
+import { Auth } from './AuthTypes';
+import { setEmailProvider } from "./setEmailProvider";
+/** For some reason normal import is undefined */
+const passport = require("passport") as typeof import("passport");
+
+export const upsertNamedExpressMiddleware = (app: e.Express, handler: RequestHandler, name: string) => {
+  const funcName = name;
+  Object.defineProperty(handler, "name", { value: funcName });
+  removeExpressRouteByName(app, name);
+  app.use(handler);
+}
+
+export async function setAuthProviders (this: AuthHandler, { registrations, app }: Required<Auth>["expressConfig"]) {
+  if(!registrations) return;
+  const { onProviderLoginFail, onProviderLoginStart, websiteUrl, OAuthProviders } = registrations;
+
+  await setEmailProvider.bind(this)(app);
+
+  if(!OAuthProviders || isEmpty(OAuthProviders)){
+    return;
+  }
+
+  upsertNamedExpressMiddleware(app, passport.initialize(), "prostglesPassportMiddleware");
+
+  getObjectEntries(OAuthProviders).forEach(([providerName, providerConfig]) => {
+
+    if(!providerConfig?.clientID){
+      return;
+    }
+
+    const { authOpts, ...config } = providerConfig;
+    
+    const strategy = providerName === "google" ? GoogleStrategy :
+      providerName === "github" ? GitHubStrategy :
+      providerName === "facebook" ? FacebookStrategy :
+      providerName === "microsoft" ? MicrosoftStrategy : 
+      undefined
+    ;
+
+    const callbackPath = `${AUTH_ROUTES_AND_PARAMS.loginWithProvider}/${providerName}/callback`;
+    passport.use(
+      new (strategy as typeof GoogleStrategy)(
+        {
+          ...config,
+          callbackURL: `${websiteUrl}${callbackPath}`,
+        },
+        async (accessToken, refreshToken, profile, done) => {
+          // This callback is where you would normally store or retrieve user info from the database
+          return done(null, profile, { accessToken, refreshToken, profile });
+        }
+      )
+    );
+
+    app.get(`${AUTH_ROUTES_AND_PARAMS.loginWithProvider}/${providerName}`,
+      passport.authenticate(providerName, authOpts ?? {})
+    );
+
+    app.get(
+      callbackPath,
+      async (req, res) => {
+        try {
+          const clientInfo = getLoginClientInfo({ httpReq: req });
+          const db = this.db;
+          const dbo = this.dbo as any;
+          const args = { provider: providerName, req, res, clientInfo, db, dbo };
+          const startCheck = await onProviderLoginStart?.(args);
+          if(startCheck && "error" in startCheck){
+            res.status(500).json({ error: startCheck.error });
+            return;
+          }
+          passport.authenticate(
+            providerName, 
+            {
+              session: false, 
+              failureRedirect: "/login",
+              failWithError: true,
+            },
+            async (error: any, _profile: any, authInfo: any) => {
+              if(error){
+                await onProviderLoginFail?.({ ...args, error });
+                res.status(500).json({
+                  error: "Failed to login with provider",
+                });
+              } else {
+                this.loginThrottledAndSetCookie(req, res, { type: "provider", provider: providerName, ...authInfo })
+                .catch((e: any) => {
+                  res.status(500).json(getErrorAsObject(e));
+                });
+              }
+            } 
+          )(req, res);
+
+        } catch (_e) {
+          res.status(500).json({ error: "Something went wrong" });
+        }
+      }
+    );
+
+  });
+}
+
+export function getProviders(this: AuthHandler): AuthSocketSchema["providers"] | undefined {
+  const { registrations } = this.opts?.expressConfig ?? {}
+  if(!registrations) return undefined;
+  const {  OAuthProviders } = registrations;
+  if(!OAuthProviders || isEmpty(OAuthProviders)) return undefined;
+ 
+  const result: AuthSocketSchema["providers"] = {}
+  getObjectEntries(OAuthProviders).forEach(([providerName, config]) => {
+    if(config?.clientID){
+      result[providerName] = {
+        url: `${AUTH_ROUTES_AND_PARAMS.loginWithProvider}/${providerName}`,
+      }
+    }
+  });
+
+  return result;
+}

package/lib/Auth/setEmailProvider.ts

@@ -0,0 +1,85 @@
+import e from "express";
+import { AUTH_ROUTES_AND_PARAMS, AuthHandler } from "./AuthHandler";
+import { Email, SMTPConfig } from "./AuthTypes";
+import { sendEmail } from "./sendEmail";
+import { promises } from "node:dns";
+
+export async function setEmailProvider(this: AuthHandler, app: e.Express) {
+  
+  const { email, websiteUrl } = this.opts?.expressConfig?.registrations ?? {};
+  if(!email) return;
+  if(websiteUrl){
+    await checkDmarc(websiteUrl);
+  }
+
+  app.post(AUTH_ROUTES_AND_PARAMS.emailSignup, async (req, res) => {
+    const { username, password } = req.body;
+    let validationError = "";
+    if(typeof username !== "string"){
+      validationError = "Invalid username";
+    }
+    if(email.signupType === "withPassword"){
+      const { minPasswordLength = 8 } = email;
+      if(typeof password !== "string"){
+        validationError = "Invalid password";
+      } else if(password.length < minPasswordLength){
+        validationError = `Password must be at least ${minPasswordLength} characters long`;
+      }
+    }
+    if(validationError){
+      res.status(400).json({ error: validationError });
+      return;
+    }
+    try {
+      let emailMessage: undefined | { message: Email; smtp: SMTPConfig };
+      if(email.signupType === "withPassword"){
+        if(email.emailConfirmation){
+          const { onSend, smtp } = email.emailConfirmation;
+          const message = await onSend({ email: username, confirmationUrlPath: `${websiteUrl}${AUTH_ROUTES_AND_PARAMS.confirmEmail}` });
+          emailMessage = { message: { ...message, to: username }, smtp };
+        }
+      } else {
+        const { emailMagicLink } = email;
+        const message = await emailMagicLink.onSend({ email: username, magicLinkPath: `${websiteUrl}${AUTH_ROUTES_AND_PARAMS.magicLinksRoute}` });
+        emailMessage = { message: { ...message, to: username }, smtp: emailMagicLink.smtp };
+      }
+
+      if(emailMessage){
+        await sendEmail(emailMessage.smtp, emailMessage.message);
+        res.json({ msg: "Email sent" });
+      }
+    } catch {
+      res.status(500).json({ error: "Failed to send email" });
+    }
+  });
+
+  if(email.signupType === "withPassword" && email.emailConfirmation){
+    app.get(AUTH_ROUTES_AND_PARAMS.confirmEmailExpressRoute, async (req, res) => {
+      const { id } = req.params ?? {};
+      try {
+        await email.emailConfirmation?.onConfirmed({ confirmationCode: id });
+        res.json({ msg: "Email confirmed" });
+      } catch (_e) {
+        res.status(500).json({ error: "Failed to confirm email" });
+      }
+    });
+  }
+}
+
+const checkDmarc = async (websiteUrl: string) => {
+  const { host, hostname } = new URL(websiteUrl);
+  const ignoredHosts = ["localhost", "127.0.0.1"]
+  if(!hostname || ignoredHosts.includes(hostname)){
+    return;
+  }
+  const dmarc = await promises.resolveTxt(`_dmarc.${host}`);
+  const dmarkTxt = dmarc[0]?.[0];
+  if(
+    !dmarkTxt?.includes("v=DMARC1") ||
+    (!dmarkTxt?.includes("p=reject") && !dmarkTxt?.includes("p=quarantine"))
+  ){
+    throw new Error("DMARC not set to reject/quarantine");
+  } else {
+    console.log("DMARC set to reject")
+  }
+}