proteum 1.0.0-1

package/server/services/auth/index.ts

@@ -0,0 +1,250 @@
+/*----------------------------------
+- DEPENDANCES
+----------------------------------*/
+
+// Npm
+import jwt from 'jsonwebtoken';
+import type express from 'express';
+import type http from 'http';
+
+// Core
+import { Application } from '@server/app';
+import Service from '@server/app/service';
+import type { TAnyRouter } from '@server/services/router';
+import { 
+    default as Router, Request as ServerRequest,
+} from '@server/services/router';
+import { InputError, AuthRequired, Forbidden } from '@common/errors';
+
+/*----------------------------------
+- TYPES
+----------------------------------*/
+
+export type TUserRole = typeof UserRoles[number]
+
+export type THttpRequest = express.Request | http.IncomingMessage;
+
+/*----------------------------------
+- CONFIG
+----------------------------------*/
+
+const LogPrefix = '[auth]'
+
+export const UserRoles = ['USER', 'ADMIN', 'TEST', 'DEV'] as const
+
+/*----------------------------------
+- SERVICE CONVIG
+----------------------------------*/
+
+export type TConfig = {
+    debug: boolean,
+    logoutUrl: string,
+    jwt: {
+        // 2048 bits
+        key: string,
+        expiration: number,
+    },
+}
+
+export type THooks = {
+    
+}
+
+export type TBasicUser = {
+    type: string,
+    name: string | null,
+    email: string,
+    roles: string[]
+}
+
+export type TBasicJwtSession = (
+    { apiKey: string }
+    |
+    { email: string }
+)
+
+/*----------------------------------
+- SERVICE
+----------------------------------*/
+export default abstract class AuthService<
+    TUser extends TBasicUser,
+    TApplication extends Application,
+    TJwtSession extends TBasicJwtSession = TBasicJwtSession,
+    TRequest extends ServerRequest<TAnyRouter> = ServerRequest<TAnyRouter>,
+> extends Service<TConfig, THooks, TApplication, TApplication> {
+
+    //public abstract login( ...args: any[] ): Promise<{ user: TUser, token: string }>;
+    public abstract decodeSession( jwt: TJwtSession, req: THttpRequest ): Promise<TUser | null>;
+
+    // https://beeceptor.com/docs/concepts/authorization-header/#examples
+    public async decode( req: THttpRequest, withData: true ): Promise<TUser | null>;
+    public async decode( req: THttpRequest, withData?: false ): Promise<TJwtSession | null>;
+    public async decode( req: THttpRequest, withData: boolean = false ): Promise<TJwtSession | TUser | null> {
+
+        this.config.debug && console.log(LogPrefix, 'Decode:', { cookie: req.cookies['authorization'] });
+        
+        // Get auth token
+        const authMethod = this.getAuthMethod(req);
+        if (authMethod === null)
+            return null;
+        const { tokenType, token } = authMethod;
+
+        // Get auth session
+        const session = this.getAuthSession(tokenType, token);
+        if (session === null)
+            return null;
+
+        // Return email only
+        if (!withData) {
+            this.config.debug && console.log(LogPrefix, `Auth user successfull. Return email only`);
+            return session;
+        }
+
+        // Deserialize full user data
+        this.config.debug && console.log(LogPrefix, `Deserialize user`, session);
+        const user = await this.decodeSession(session, req);
+        if (user === null)
+            return null;
+
+        this.config.debug && console.log(LogPrefix, `Deserialized user:`, user.name);
+
+        return {
+            ...user,
+            _token: token
+        };    
+    }
+
+    private getAuthMethod( req: THttpRequest ): null | { token: string, tokenType?: string } {
+
+        let token: string | undefined;
+        let tokenType: string | undefined;
+        if (typeof req.headers['authorization'] === 'string') {
+
+            ([ tokenType, token ] = req.headers['authorization'].split(' '));
+
+        } else if (('cookies' in req) && typeof req.cookies['authorization'] === 'string') {
+
+            token = req.cookies['authorization'];
+            tokenType = 'Bearer';
+
+        } else 
+            return null;
+
+        if (token === undefined)
+            return null;
+
+        return { tokenType, token };
+    }
+
+    private getAuthSession( tokenType: string | undefined, token: string ): TJwtSession | null {
+
+        let session: TJwtSession;
+
+        // API Key
+        if (tokenType === 'Apikey') {
+
+            const [accountType] = token.split('-');
+
+            this.config.debug && console.log(LogPrefix, `Auth via API Key`, token);
+            session = { accountType, apiKey: token } as TJwtSession;
+
+        // JWT
+        } else if (tokenType === 'Bearer') {
+            this.config.debug && console.log(LogPrefix, `Auth via JWT token`, token);
+            try {
+                session = jwt.verify(token, this.config.jwt.key, { 
+                    maxAge: this.config.jwt.expiration 
+                });
+            } catch (error) {
+                console.warn(LogPrefix, "Failed to decode jwt token:", token);
+                return null;
+                //throw new Forbidden(`The JWT token provided in the Authorization header is invalid`);
+            }
+        } else 
+            return null;
+            //throw new InputError(`The authorization scheme provided in the Authorization header is unsupported.`);
+
+        return session;
+    }
+
+    public createSession( session: TJwtSession, request: TRequest ): string {
+
+        this.config.debug && console.info(LogPrefix, `Creating new session:`, session);
+
+        const token = jwt.sign(session, this.config.jwt.key);
+
+        this.config.debug && console.info(LogPrefix, `Generated JWT token for session:` + token);
+
+        request.res.cookie('authorization', token, {
+            maxAge: this.config.jwt.expiration,
+        });
+
+        return token;
+    }
+
+    public logout( request: TRequest ) {
+
+        const user = request.user;
+        if (!user) return;
+
+        this.config.debug && console.info(LogPrefix, `Logout ${user.name}`);
+        request.res.clearCookie('authorization');
+    }
+
+    public check( 
+        request: TRequest, 
+        role: TUserRole, 
+        motivation?: string, 
+        dataForDebug?: { [key: string]: any }
+    ): TUser;
+
+    public check( 
+        request: TRequest, 
+        role: false, 
+        motivation?: string, 
+        dataForDebug?: { [key: string]: any }
+    ): null;
+
+    public check( 
+        request: TRequest, 
+        role: TUserRole | false = 'USER', 
+        motivation?: string, 
+        dataForDebug?: { [key: string]: any }
+    ): TUser | null {
+
+        const user = request.user;
+
+        this.config.debug && console.warn(LogPrefix, `Check auth, role = ${role}. Current user =`, user?.name, motivation);
+
+        if (user === undefined) {
+
+            throw new Error(`request.user has not been decoded.`);
+
+        // Shoudln't be logged
+        } else if (role === false) {
+
+            return user;
+
+        // Not connected
+        } else if (user === null) {
+
+            console.warn(LogPrefix, "Refusé pour anonyme (" + request.ip + ")");
+            throw new AuthRequired('Please login to continue', motivation, dataForDebug);
+            
+        // Insufficient permissions
+        } else if (!user.roles.includes(role)) {
+
+            console.warn(LogPrefix, "Refusé: " + role + " pour " + user.name + " (" + (user.roles || 'role inconnu') + ")");
+
+            throw new Forbidden("You do not have sufficient permissions to access this resource.");
+
+        } else {
+
+            this.config.debug && console.warn(LogPrefix, "Autorisé " + role + " pour " + user.name + " (" + user.roles + ")");
+
+        }
+
+        return user;
+    }
+
+}

package/server/services/auth/old.ts

@@ -0,0 +1,277 @@
+
+import md5 from 'md5';
+import { OAuth2Client, LoginTicket } from 'google-auth-library';
+
+
+
+type AuthResponse = {
+    token: string,
+    redirect: string,   
+    user: User
+}
+
+export default class {
+
+
+    protected async ready() {
+
+        // Google auth client
+        if (this.config.google) {
+
+            const httpConfig = this.app.http.publicUrl;
+
+            this.googleClient = new OAuth2Client(
+                this.config.google.web.clientId, // Google Client ID
+                this.config.google.web.secret, // Private key
+                httpConfig + "/auth/google/response" // Redirect url
+            );
+        }
+    }
+
+    
+    private googleClient: OAuth2Client | undefined;
+
+    public async FromGoogle(request: ServerRequest): Promise<string> {
+
+        if (!this.googleClient)
+            throw new Forbidden(`Authentication method disabled.`);
+
+        // Register  start time, so we can determine the signup time to display
+        request.response?.cookie('signupstart', Date.now());
+
+        // Google auth doesn't support local env
+        // So we simulate that  google sent a response with the user email
+        if (app.env.name === 'local') {
+            const { redirect } =  await this.Auth("tbsoftwares23@gmail.com", request, true);
+            return redirect;
+        }
+
+        return this.googleClient.generateAuthUrl({
+            access_type: 'offline',
+            scope: [
+                "email", "profile"
+            ]
+        });
+
+    }
+
+    public async GoogleResponse(
+        type: 'code' | 'token',
+        codeOrToken: string | undefined,
+        request: ServerRequest,
+    ): Promise<AuthResponse> {
+
+        const googleConfig = this.config.google;
+        if (!this.googleClient || !googleConfig)
+            throw new Forbidden(`Authentication method disabled.`);
+
+        if (codeOrToken === undefined)
+            throw new Forbidden("Bad code / token");
+
+        if (type === 'code') {
+            const r = await this.googleClient.getToken(codeOrToken);
+            return this.GoogleResponse('token', r.tokens.id_token, request);
+        }
+
+        this.config.debug && console.log(LogPrefix, "Auth via google", googleConfig);
+
+        let ticket: LoginTicket;
+        try {
+            ticket = await this.googleClient.verifyIdToken({
+                idToken: codeOrToken,
+                audience: [
+                    googleConfig.web.clientId,
+                    googleConfig.android.clientId,
+                ]
+            });
+        } catch (error) {
+            throw new Forbidden(`Google denied your login attempt: ` + error.message + `. If you don't think it's normal, please contact us.`);
+        }
+
+        const payload = ticket.getPayload();
+        if (payload === undefined)
+            throw new Forbidden("Invalid payload");
+        const { email, sub: google_id } = payload;
+
+        if (email === undefined)
+            throw new Forbidden("Unable to get your email address from the Google sign-in.");
+
+        return await this.Auth(email, request, true);
+
+    }
+
+    /**
+     * Login u
+     * @param email Email that identifies the account to log in
+     * @param request Used to call security-related features
+     * @param canPass true when from 3rd party auth, we're sure the email is owned bu the current user
+     * @param userInfo User field to update (eg: lastLogin)
+     * @returns 
+     */
+    public async Auth( 
+        email: string, 
+        request: ServerRequest, 
+        canPass: boolean = false,
+        userInfo: Partial<User> = {} 
+    ): Promise<AuthResponse> {
+
+        let user = await this.getData('email = ' + this.sql.esc(email));
+        let ip: IP;
+        let redirect: string;
+        if (!user) { // Signup
+
+            ip = await request.detect.botsAndMultiaccount();
+
+            // Create user
+            ({ user, redirect } = await this.Signup(email, request));
+
+        } else if (!canPass) { // Send login email
+
+            throw new Forbidden("This option is not available");
+
+            // If the current IP was used to connect to another account that the current
+            ip = await request.detect.botsAndMultiaccount(user.email);
+
+            // Send email with link to /auth/token (expiration 5 min)
+
+            // Route /auth/:token: check si même ip, même device
+
+        } else { // Login 
+
+            redirect = config.logoutUrl;
+            
+        }
+
+        /*await this.sql`
+            INSERT INTO UserLogin SET
+                user = ${user.email},
+                date = NOW(),
+                ip = ${request.ip},
+                device = ${request.deviceString()}
+        `.run();*/
+
+        const token = request.auth.login(user.email);
+
+        return { token, user, redirect };
+
+    }
+
+    public async Signup(email: string, request: ServerRequest, moreInfos: Partial<User> = {}) {
+
+        let username = email.split('@')[0];
+
+        // Prefix username if alreasy existing
+        const duplicates = await this.sql`
+            FROM User 
+            WHERE name REGEXP CONCAT('^', ${username}, '[0-9]*$');
+        `.count();
+
+        if (duplicates !== 0)
+            username += duplicates;
+
+        const user: Partial<User> = {
+            email,
+            emailHash: md5(email),
+            name: username,
+            referrer: request.cookies.r,
+            utm: request.cookies.utm,
+            ...moreInfos
+        }
+
+        // Hook
+        if (this.beforeSignup !== undefined)
+            await this.beforeSignup( user );
+            
+        // Referrer
+        if (user.referrer !== undefined) {
+
+            const refExists = await this.sql`FROM User WHERE name = ${user.referrer}`.exists();
+            if (!refExists)
+                user.referrer = undefined;
+            else {
+                
+                await this.sql.upsert('UserStats', { 
+                    user: user.referrer,
+                    date: new Date,
+                    refSignups: 1 
+                }, ['refSignups'], {
+                    upsertMode: 'increment'
+                });
+            }
+        }
+            
+        // Create user
+        await this.sql.insert('User', user);
+        await this.sql.update('logs.IP', { user_name: username }, { address: request.ip });
+
+        // Hook
+        let redirect: string = '/';
+        if (this.afterSignup !== undefined)
+            ({ redirect } = await this.afterSignup(user));
+
+        // TODO: download user avatar from gravatar
+        // remove user.emailHash
+
+        // Notif email
+        await this.email.send({
+            to: app.identity.author.email,
+            subject: app.identity.name + ": New User",
+            html: JSON.stringify(user)
+        });
+
+        // TODO
+        // this.hook.signup(user);
+        //Achievements.activity(user, 'just signed up', null);
+
+        // Instanciation
+        return { user, redirect };
+
+    }
+
+    public async setReferrer( referrer: unknown, { user, response, cookies, req, detect, request }: ServerRequest) {
+
+        if (!response || user)
+            return;
+
+        // Source tracking
+        if (!cookies.utm) {
+
+            const data = req.query;
+
+            const utm = [data.utm_medium, data.utm_source, data.utm_campaign]
+                .filter(a => a !== undefined);
+
+            response.cookie('utm', utm.join(','));
+        }
+
+        // Referral program
+        if (cookies.r === undefined && typeof referrer === "string") {
+
+            const conflict = await detect.conflictOfInterest( referrer, request );
+            if (conflict)
+                return;
+
+            // Check if user exists
+            const referrerExists = await this.sql`FROM User WHERE name = ${referrer}`.count();
+            if (referrerExists === 0)
+                return;
+
+            // await secutity.detectCheatAttempts();
+            // => Check IP (reprendre code existant)
+            // => Check si IP pas déjà utilisée par un autre membre (1 compte par IP)
+
+            // Tracking cookie for signup
+            response.cookie('r', referrer);
+
+            // Count the clic 
+            await this.sql.upsert('UserStats', { 
+                user: referrer,
+                date: new Date,
+                refClics: 1 
+            }, ['refClics'], {
+                upsertMode: 'increment'
+            });
+        }
+
+    }
+}

package/server/services/auth/router/index.ts

@@ -0,0 +1,95 @@
+/*----------------------------------
+- DEPENDANCES
+----------------------------------*/
+
+// Npm
+
+// Core
+import { 
+    default as Router, Request as ServerRequest, Response as ServerResponse, TAnyRoute,
+    RouterService, TAnyRouter
+} from '@server/services/router';
+
+import type { Application } from '@server/app';
+
+import type { TRouterServiceArgs } from '@server/services/router/service';
+
+// Specific
+import type { default as UsersService, TUserRole, TBasicUser } from '..';
+import UsersRequestService from './request';
+
+/*----------------------------------
+- TYPES
+----------------------------------*/
+
+
+/*----------------------------------
+- CONFIG
+----------------------------------*/
+
+const LogPrefix = '[router][auth]';
+
+/*----------------------------------
+- SERVICE
+----------------------------------*/
+export default class AuthenticationRouterService<
+    TApplication extends Application = Application,
+    TUser extends TBasicUser = TApplication["app"]["userType"],
+    TRouter extends TAnyRouter = TAnyRouter,
+    TRequest extends ServerRequest<TRouter> = ServerRequest<TRouter>,
+> extends RouterService<{}, TRouter> {
+
+    /*----------------------------------
+    - LIFECYCLE
+    ----------------------------------*/
+
+    public users: UsersService<TUser, Application>;
+
+    public constructor( getConfig: TRouterServiceArgs[0], app: TApplication ) {
+        super( getConfig, app );
+
+        this.users = this.config.users;
+    }
+
+    protected async ready() {
+
+        // Decode current user
+        this.parent.on('request', async (request: TRequest) => {
+
+            // TODO: Typings. (context.user ?)
+            const decoded = await this.users.decode( request.req, true);
+
+            request.user = decoded || null;
+        })
+
+        // Check route permissions
+        this.parent.on('resolved', async (
+            route: TAnyRoute, 
+            request: TRequest, 
+            response: ServerResponse<TRouter>
+        ) => {
+
+            if (route.options.auth !== undefined) {
+
+                // Basic auth check
+                this.users.check(request, route.options.auth);
+
+                // Redirect to logged page
+                if (route.options.auth === false && request.user && route.options.redirectLogged)
+                    response.redirect(route.options.redirectLogged);
+            }
+        })
+    }
+
+    protected async shutdown() {
+
+    }
+
+    /*----------------------------------
+    - ROUTER SERVICE LIFECYCLE
+    ----------------------------------*/
+
+    public requestService( request: TRequest ): UsersRequestService<TRouter, TUser> {
+        return new UsersRequestService( request, this );
+    }   
+}

package/server/services/auth/router/request.ts

@@ -0,0 +1,54 @@
+/*----------------------------------
+- DEPENDANCES
+----------------------------------*/
+
+// Npm
+import jwt from 'jsonwebtoken';
+
+// Core
+import type { default as Router, Request as ServerRequest, TAnyRouter } from '@server/services/router';
+import RequestService from '@server/services/router/request/service';
+import { InputError, AuthRequired, Forbidden } from '@common/errors';
+
+// Specific
+import type AuthenticationRouterService from '.';
+import type { default as UsersManagementService, TUserRole } from '..';
+
+// Types
+import type { TBasicUser } from '@server/services/auth';
+
+/*----------------------------------
+- TYPES
+----------------------------------*/
+
+/*----------------------------------
+- MODULE
+----------------------------------*/
+export default class UsersRequestService<
+    TRouter extends TAnyRouter,
+    TUser extends TBasicUser
+> extends RequestService {
+
+    public constructor( 
+        request: ServerRequest<TRouter>,
+        public auth: AuthenticationRouterService,
+        public users = auth.users,
+    ) {
+        super(request);
+    }
+
+    public login( email: string ) {
+        return this.users.login( this.request, email );
+    }
+
+    public logout() {
+        return this.users.logout( this.request );
+    }
+
+    // TODO: return user type according to entity
+    public check(role: TUserRole, motivation?: string, dataForDebug?: {}): TUser;
+    public check(role: false, motivation?: string, dataForDebug?: {}): null;
+    public check(role: TUserRole | boolean = 'USER', motivation?: string, dataForDebug?: {}): TUser | null {
+        return this.users.check( this.request, role, motivation, dataForDebug );
+    }
+}

package/server/services/auth/router/service.json

@@ -0,0 +1,6 @@
+{
+    "id": "Core/Users/Router",
+    "name": "RouteUser",
+    "parent": "router",
+    "dependences": []
+}

package/server/services/auth/service.json

@@ -0,0 +1,6 @@
+{
+    "id": "Core/Users",
+    "name": "Users",
+    "parent": "app",
+    "dependences": []
+}