npm - qa360 - Versions diffs - 2.3.0 → 2.3.1 - Mend

qa360 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (507) hide show

package/dist/core/auth/digest-auth-provider.js ADDED Viewed

@@ -0,0 +1,244 @@
+/**
+ * Digest Authentication Provider
+ *
+ * Implements HTTP Digest Authentication (RFC 2617).
+ * Handles challenge-response flow with nonce handling.
+ *
+ * P1 Feature: Digest Auth is more secure than Basic Auth as it doesn't send
+ * the password in plaintext. Instead, it uses a challenge-response mechanism
+ * with MD5 hashing.
+ *
+ * Algorithm:
+ * 1. Client makes request without auth
+ * 2. Server responds with 401 and WWW-Authenticate header containing:
+ *    - realm: Protection space
+ *    - nonce: Server-generated unique value
+ *    - qop: Quality of protection (auth or auth-int)
+ *    - opaque: Client should return unchanged
+ * 3. Client calculates response using MD5 and retries
+ *
+ * Response calculation:
+ * HA1 = MD5(username:realm:password)
+ * HA2 = MD5(method:digestURI)
+ * response = MD5(HA1:nonce:HA2)  // simplified
+ */
+import { createCacheKey, authCache } from './index.js';
+/**
+ * Generates MD5 hash using Node.js crypto
+ */
+function md5Hash(data) {
+    const crypto = require('node:crypto');
+    return crypto.createHash('md5').update(data).digest('hex');
+}
+/**
+ * Generates a client nonce (cnonce)
+ */
+function generateCnonce() {
+    const crypto = require('node:crypto');
+    return crypto.randomBytes(16).toString('hex').substring(0, 32);
+}
+/**
+ * Parses WWW-Authenticate header for Digest challenge
+ * @example
+ * parseDigestHeader('Digest realm="test", nonce="abc123", qop="auth"')
+ * // => { realm: 'test', nonce: 'abc123', qop: 'auth' }
+ */
+export function parseDigestHeader(header) {
+    if (!header.toLowerCase().startsWith('digest ')) {
+        return null;
+    }
+    const challengePart = header.substring(7);
+    const result = {};
+    // Parse key="value" pairs
+    const pairs = challengePart.match(/(\w+)="([^"]*)"/g);
+    if (!pairs) {
+        return null;
+    }
+    for (const pair of pairs) {
+        const match = pair.match(/(\w+)="([^"]*)"/);
+        if (match) {
+            const [, key, value] = match;
+            result[key] = value;
+        }
+    }
+    if (!result.realm || !result.nonce) {
+        return null;
+    }
+    return result;
+}
+/**
+ * Calculates Digest response
+ * @param username Username
+ * @param password Password
+ * @param realm Realm from challenge
+ * @param nonce Nonce from challenge
+ * @param method HTTP method
+ * @param uri Request URI
+ * @param qop Quality of protection
+ * @param opaque Opaque value from challenge
+ * @param nc Nonce count
+ * @param cnonce Client nonce
+ */
+export function calculateDigestResponse(username, password, realm, nonce, method, uri, qop, opaque, nc = '00000001', cnonce) {
+    const clientCnonce = cnonce || generateCnonce();
+    // HA1 = MD5(username:realm:password)
+    const ha1 = md5Hash(`${username}:${realm}:${password}`);
+    // HA2 = MD5(method:uri)
+    const ha2 = md5Hash(`${method}:${uri}`);
+    // Response
+    let response;
+    if (qop) {
+        // response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
+        response = md5Hash(`${ha1}:${nonce}:${nc}:${clientCnonce}:${qop}:${ha2}`);
+    }
+    else {
+        // response = MD5(HA1:nonce:HA2)
+        response = md5Hash(`${ha1}:${nonce}:${ha2}`);
+    }
+    // Build Authorization header value
+    const parts = [
+        `username="${username}"`,
+        `realm="${realm}"`,
+        `nonce="${nonce}"`,
+        `uri="${uri}"`,
+        `response="${response}"`,
+        `algorithm=MD5`,
+    ];
+    if (qop) {
+        parts.push(`qop=${qop}`);
+        parts.push(`nc=${nc}`);
+        parts.push(`cnonce="${clientCnonce}"`);
+    }
+    if (opaque) {
+        parts.push(`opaque="${opaque}"`);
+    }
+    return `Digest ${parts.join(', ')}`;
+}
+/**
+ * Digest Authentication Provider
+ */
+export class DigestAuthProvider {
+    type = 'digest';
+    storedChallenges = new Map();
+    nonceCounters = new Map();
+    async authenticate(config) {
+        const { username, password, realm, cache } = config;
+        if (!username || !password) {
+            return {
+                success: false,
+                error: 'Username and password are required for Digest auth'
+            };
+        }
+        const cacheKey = this.getCacheKey(config);
+        // Check cache first
+        if (cache?.enabled !== false) {
+            const cached = authCache.get(cacheKey);
+            if (cached) {
+                return { success: true, credentials: cached };
+            }
+        }
+        // For Digest auth, we need to make an initial request to get the challenge
+        // This will be handled by the adapter when it receives a 401
+        // For now, return credentials that can be used to build the header
+        const credentials = {
+            type: 'digest',
+            username,
+            password, // Store password securely for challenge response
+            realm,
+            headers: {
+                // Placeholder - actual header will be built on 401 response
+                'X-Digest-Auth-User': username,
+            }
+        };
+        // Cache if enabled
+        if (cache?.enabled !== false) {
+            const ttl = cache?.ttl || 3600;
+            authCache.set(cacheKey, credentials, ttl);
+        }
+        return {
+            success: true,
+            credentials
+        };
+    }
+    /**
+     * Stores a Digest challenge received from server
+     */
+    storeChallenge(url, challenge) {
+        this.storedChallenges.set(url, challenge);
+    }
+    /**
+     * Retrieves stored challenge for a URL
+     */
+    getChallenge(url) {
+        return this.storedChallenges.get(url);
+    }
+    /**
+     * Builds Authorization header for a request using stored challenge
+     */
+    async buildAuthorizationHeader(url, method, config) {
+        const challenge = this.getChallenge(url);
+        if (!challenge) {
+            return null;
+        }
+        const uri = new URL(url).pathname + new URL(url).search;
+        const nc = this.getNonceCount(challenge.nonce);
+        const cnonce = generateCnonce();
+        return calculateDigestResponse(config.username, config.password, challenge.realm, challenge.nonce, method, uri, challenge.qop, challenge.opaque, nc, cnonce);
+    }
+    /**
+     * Gets next nonce count for a given nonce
+     */
+    getNonceCount(nonce) {
+        const current = this.nonceCounters.get(nonce) || 0;
+        this.nonceCounters.set(nonce, current + 1);
+        return current.toString(16).padStart(8, '0');
+    }
+    /**
+     * Handles 401 response and returns new request headers
+     */
+    async handleChallenge(url, method, authenticateHeader, config) {
+        const challenge = parseDigestHeader(authenticateHeader);
+        if (!challenge) {
+            return null;
+        }
+        this.storeChallenge(url, challenge);
+        const authHeader = await this.buildAuthorizationHeader(url, method, config);
+        if (!authHeader) {
+            return null;
+        }
+        return {
+            'Authorization': authHeader
+        };
+    }
+    async clear(config) {
+        const key = this.getCacheKey(config);
+        authCache.clear(key);
+    }
+    async validate(config) {
+        return !!(config.username && config.password);
+    }
+    getCacheKey(config) {
+        const crypto = require('node:crypto');
+        const hash = crypto
+            .createHash('sha256')
+            .update(`${config.username}:${config.realm || ''}`)
+            .digest('hex')
+            .substring(0, 16);
+        return createCacheKey('digest', hash);
+    }
+    /**
+     * Clears stored challenges and counters
+     */
+    clearState() {
+        this.storedChallenges.clear();
+        this.nonceCounters.clear();
+    }
+}
+/**
+ * Creates a Digest auth provider instance
+ */
+export function createDigestAuthProvider() {
+    return new DigestAuthProvider();
+}
+// Re-export types and utilities
+// Types are exported from index.ts

package/dist/core/auth/hcaptcha-handler.d.ts ADDED Viewed

@@ -0,0 +1,103 @@
+/**
+ * hCaptcha Handler
+ *
+ * Supports hCaptcha (privacy-focused CAPTCHA alternative)
+ *
+ * Test mode bypass uses hCaptcha's official test keys:
+ * - Site key: 10000000-ffff-ffff-ffff-000000000001
+ * - Secret key: 0x0000000000000000000000000000000000000000
+ *
+ * @see https://docs.hcaptcha.com/#integration-testing-test-keys
+ */
+export interface HcaptchaConfig {
+    /** Site key for hCaptcha */
+    siteKey?: string;
+    /** Use test mode (always returns valid token) */
+    testMode?: boolean;
+    /** CSS selector for the hCaptcha container */
+    selector?: string;
+    /** Timeout for solving (ms) */
+    timeout?: number;
+    /** hCaptcha is invisible/challenge-only */
+    isInvisible?: boolean;
+}
+export interface HcaptchaTokenResponse {
+    success: boolean;
+    token: string;
+    challengeTs?: string;
+    hostname?: string;
+    errorCodes?: string[];
+}
+export declare const HCAPTCHA_TEST_SITE_KEY = "10000000-ffff-ffff-ffff-000000000001";
+export declare const HCAPTCHA_TEST_SECRET = "0x0000000000000000000000000000000000000000";
+export declare class HcaptchaHandler {
+    private testMode;
+    private timeout;
+    constructor(options?: {
+        testMode?: boolean;
+        timeout?: number;
+    });
+    /**
+     * Detect if hCaptcha is present on the page
+     */
+    detectHcaptcha(page: any): Promise<{
+        present: boolean;
+        siteKey?: string;
+        isInvisible?: boolean;
+    }>;
+    /**
+     * Solve hCaptcha
+     *
+     * In test mode, injects a test token
+     * In production, waits for user interaction
+     */
+    solve(page: any, config?: HcaptchaConfig): Promise<HcaptchaTokenResponse>;
+    /**
+     * Solve hCaptcha in test mode
+     */
+    private solveTestMode;
+    /**
+     * Solve hCaptcha in production mode (requires human interaction)
+     */
+    private solveProduction;
+    /**
+     * Execute hCaptcha (for invisible hCaptcha)
+     */
+    execute(page: any, config?: HcaptchaConfig): Promise<HcaptchaTokenResponse>;
+    /**
+     * Verify an hCaptcha token (server-side simulation)
+     *
+     * In real usage, this would call hCaptcha's siteverify API:
+     * POST https://hcaptcha.com/siteverify
+     */
+    verifyToken(token: string, secret?: string): Promise<HcaptchaTokenResponse>;
+    /**
+     * Wait for hCaptcha to be ready
+     */
+    waitForReady(page: any, timeout?: number): Promise<boolean>;
+    /**
+     * Inject test site key into page
+     */
+    injectTestSiteKey(page: any, elementSelector: string): Promise<void>;
+    /**
+     * Generate a test token for mocking
+     */
+    private generateTestToken;
+    private sleep;
+    /**
+     * Reset all hCaptcha widgets on the page
+     */
+    reset(page: any): Promise<void>;
+    /**
+     * Get the current response token from hCaptcha
+     */
+    getResponse(page: any, widgetId?: string): Promise<string | null>;
+}
+/**
+ * Factory function to create an hCaptcha handler
+ */
+export declare function createHcaptchaHandler(options?: {
+    testMode?: boolean;
+    timeout?: number;
+}): HcaptchaHandler;
+export default HcaptchaHandler;

package/dist/core/auth/hcaptcha-handler.js ADDED Viewed

@@ -0,0 +1,288 @@
+/**
+ * hCaptcha Handler
+ *
+ * Supports hCaptcha (privacy-focused CAPTCHA alternative)
+ *
+ * Test mode bypass uses hCaptcha's official test keys:
+ * - Site key: 10000000-ffff-ffff-ffff-000000000001
+ * - Secret key: 0x0000000000000000000000000000000000000000
+ *
+ * @see https://docs.hcaptcha.com/#integration-testing-test-keys
+ */
+// Test keys from hCaptcha (always return valid responses)
+export const HCAPTCHA_TEST_SITE_KEY = '10000000-ffff-ffff-ffff-000000000001';
+export const HCAPTCHA_TEST_SECRET = '0x0000000000000000000000000000000000000000';
+// Common hCaptcha selectors
+const HCAPTCHA_SELECTORS = [
+    'iframe[src*="hcaptcha"]',
+    'div.h-captcha',
+    'div[data-hcaptcha]',
+    'div[data-sitekey*="0x"]',
+];
+const BYPASS_SCRIPT = (siteKey, testMode) => `
+  (function() {
+    if (typeof window.hcaptcha !== 'undefined') {
+      window.__qa360_hcaptcha_ready = true;
+      return;
+    }
+    // Mock hcaptcha object for test mode
+    if (${testMode}) {
+      window.hcaptcha = {
+        ready: function(cb) { cb(); },
+        execute: function(siteKey, options) {
+          return Promise.resolve({
+            response: 'TEST_HCAPTCHA_TOKEN',
+            key: '${siteKey}'
+          });
+        },
+        render: function(container, options) {
+          return 'hcaptcha-widget-id';
+        },
+        reset: function(widgetId) {},
+        getResponse: function(widgetId) {
+          return 'TEST_HCAPTCHA_TOKEN';
+        },
+        getRespKey: function(widgetId) {
+          return '${siteKey}';
+        }
+      };
+      window.__qa360_hcaptcha_ready = true;
+    }
+  })();
+`;
+export class HcaptchaHandler {
+    testMode;
+    timeout;
+    constructor(options = {}) {
+        this.testMode = options.testMode ?? true;
+        this.timeout = options.timeout ?? 10000;
+    }
+    /**
+     * Detect if hCaptcha is present on the page
+     */
+    async detectHcaptcha(page) {
+        const result = await page.evaluate(() => {
+            // Check for hCaptcha elements
+            const hcaptchaDiv = document.querySelector('.h-captcha');
+            const dataAttr = document.querySelector('[data-hcaptcha]');
+            const hcaptchaIframe = document.querySelector('iframe[src*="hcaptcha"]');
+            // Check for invisible hCaptcha
+            const isInvisible = !!document.querySelector('[data-sitekey*="invisible"]') ||
+                !!document.querySelector('.h-captcha[data-size="invisible"]');
+            // Try to extract site key
+            let siteKey;
+            const siteKeyEl = document.querySelector('[data-sitekey]');
+            if (siteKeyEl) {
+                siteKey = siteKeyEl.getAttribute('data-sitekey') || undefined;
+            }
+            return {
+                present: !!(hcaptchaDiv || dataAttr || hcaptchaIframe),
+                siteKey,
+                isInvisible,
+            };
+        });
+        return result;
+    }
+    /**
+     * Solve hCaptcha
+     *
+     * In test mode, injects a test token
+     * In production, waits for user interaction
+     */
+    async solve(page, config = {}) {
+        const { testMode = this.testMode, selector } = config;
+        const detection = await this.detectHcaptcha(page);
+        if (!detection.present) {
+            return {
+                success: false,
+                token: '',
+                errorCodes: ['NO_HCAPTCHA_FOUND'],
+            };
+        }
+        if (testMode) {
+            return await this.solveTestMode(page, config);
+        }
+        // Production mode: Wait for user to solve
+        return await this.solveProduction(page, selector, detection.isInvisible);
+    }
+    /**
+     * Solve hCaptcha in test mode
+     */
+    async solveTestMode(page, config) {
+        const siteKey = config.siteKey || HCAPTCHA_TEST_SITE_KEY;
+        // Inject bypass script
+        await page.evaluate(BYPASS_SCRIPT(siteKey, true));
+        // Simulate successful callback
+        await page.evaluate((testToken) => {
+            // Dispatch custom event that hCaptcha fires on success
+            const event = new CustomEvent('hcaptcha-success', {
+                detail: { response: testToken }
+            });
+            window.dispatchEvent(event);
+            // Set response on any hCaptcha widgets
+            const widgets = document.querySelectorAll('.h-captcha');
+            widgets.forEach((widget) => {
+                widget.dataset.response = testToken;
+            });
+        }, this.generateTestToken());
+        return {
+            success: true,
+            token: this.generateTestToken(),
+            challengeTs: new Date().toISOString(),
+            hostname: 'test.hcaptcha.com',
+        };
+    }
+    /**
+     * Solve hCaptcha in production mode (requires human interaction)
+     */
+    async solveProduction(page, selector, isInvisible) {
+        const startTime = Date.now();
+        while (Date.now() - startTime < this.timeout) {
+            const result = await page.evaluate(() => {
+                if (typeof window.hcaptcha === 'undefined') {
+                    return { ready: false, token: null };
+                }
+                const response = window.hcaptcha.getResponse();
+                if (response) {
+                    return { ready: true, token: response };
+                }
+                return { ready: false, token: null };
+            });
+            if (result.ready && result.token) {
+                return {
+                    success: true,
+                    token: result.token,
+                    challengeTs: new Date().toISOString(),
+                };
+            }
+            await this.sleep(500);
+        }
+        return {
+            success: false,
+            token: '',
+            errorCodes: ['TIMEOUT'],
+        };
+    }
+    /**
+     * Execute hCaptcha (for invisible hCaptcha)
+     */
+    async execute(page, config = {}) {
+        const { testMode = this.testMode, isInvisible = false } = config;
+        if (testMode) {
+            return {
+                success: true,
+                token: this.generateTestToken(),
+                challengeTs: new Date().toISOString(),
+                hostname: 'test.hcaptcha.com',
+            };
+        }
+        const result = await page.evaluate(() => {
+            if (typeof window.hcaptcha === 'undefined') {
+                return { success: false, token: null };
+            }
+            return window.hcaptcha.execute().then((token) => ({
+                success: true,
+                token,
+            })).catch(() => ({
+                success: false,
+                token: null,
+            }));
+        });
+        if (!result.success) {
+            return {
+                success: false,
+                token: '',
+                errorCodes: ['EXECUTION_FAILED'],
+            };
+        }
+        return {
+            success: true,
+            token: result.token,
+        };
+    }
+    /**
+     * Verify an hCaptcha token (server-side simulation)
+     *
+     * In real usage, this would call hCaptcha's siteverify API:
+     * POST https://hcaptcha.com/siteverify
+     */
+    async verifyToken(token, secret) {
+        if (this.testMode) {
+            return {
+                success: true,
+                token,
+                challengeTs: new Date().toISOString(),
+                hostname: 'test.hcaptcha.com',
+            };
+        }
+        // Production: Would call siteverify endpoint
+        return {
+            success: false,
+            token,
+            errorCodes: ['SITEVERIFY_NOT_IMPLEMENTED'],
+        };
+    }
+    /**
+     * Wait for hCaptcha to be ready
+     */
+    async waitForReady(page, timeout = 10000) {
+        const startTime = Date.now();
+        while (Date.now() - startTime < timeout) {
+            const ready = await page.evaluate(() => typeof window.hcaptcha !== 'undefined');
+            if (ready)
+                return true;
+            await this.sleep(100);
+        }
+        return false;
+    }
+    /**
+     * Inject test site key into page
+     */
+    async injectTestSiteKey(page, elementSelector) {
+        await page.evaluate((sel, testKey) => {
+            const el = document.querySelector(sel);
+            if (el) {
+                el.setAttribute('data-sitekey', testKey);
+            }
+        }, elementSelector, HCAPTCHA_TEST_SITE_KEY);
+    }
+    /**
+     * Generate a test token for mocking
+     */
+    generateTestToken() {
+        const timestamp = Date.now();
+        return `TEST_HCAPTCHA_TOKEN_${timestamp}`;
+    }
+    sleep(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+    /**
+     * Reset all hCaptcha widgets on the page
+     */
+    async reset(page) {
+        await page.evaluate(() => {
+            if (typeof window.hcaptcha !== 'undefined') {
+                window.hcaptcha.reset();
+            }
+        });
+    }
+    /**
+     * Get the current response token from hCaptcha
+     */
+    async getResponse(page, widgetId) {
+        return await page.evaluate((id) => {
+            if (typeof window.hcaptcha === 'undefined') {
+                return null;
+            }
+            return window.hcaptcha.getResponse(id);
+        }, widgetId);
+    }
+}
+/**
+ * Factory function to create an hCaptcha handler
+ */
+export function createHcaptchaHandler(options) {
+    return new HcaptchaHandler(options);
+}
+export default HcaptchaHandler;