s3db.js 11.3.2 → 12.0.1

package/src/plugins/api/auth/index.js

@@ -0,0 +1,112 @@
+/**
+ * Authentication Factory - Create authentication middleware based on configuration
+ *
+ * Provides unified interface for multiple authentication methods
+ */
+
+import { jwtAuth } from './jwt-auth.js';
+import { apiKeyAuth } from './api-key-auth.js';
+import { basicAuth } from './basic-auth.js';
+import { unauthorized } from '../utils/response-formatter.js';
+
+/**
+ * Create authentication middleware that supports multiple auth methods
+ * @param {Object} options - Authentication options
+ * @param {Array<string>} options.methods - Allowed auth methods (['jwt', 'apiKey', 'basic'])
+ * @param {Object} options.jwt - JWT configuration
+ * @param {Object} options.apiKey - API Key configuration
+ * @param {Object} options.basic - Basic Auth configuration
+ * @param {Object} options.usersResource - Users resource
+ * @param {boolean} options.optional - If true, allows requests without auth
+ * @returns {Function} Hono middleware
+ */
+export function createAuthMiddleware(options = {}) {
+  const {
+    methods = [],
+    jwt: jwtConfig = {},
+    apiKey: apiKeyConfig = {},
+    basic: basicConfig = {},
+    usersResource,
+    optional = false
+  } = options;
+
+  // If no methods specified, allow all requests
+  if (methods.length === 0) {
+    return async (c, next) => await next();
+  }
+
+  // Create individual auth middlewares
+  const middlewares = [];
+
+  if (methods.includes('jwt') && jwtConfig.secret) {
+    middlewares.push({
+      name: 'jwt',
+      middleware: jwtAuth({
+        secret: jwtConfig.secret,
+        usersResource,
+        optional: true // Check all methods before rejecting
+      })
+    });
+  }
+
+  if (methods.includes('apiKey') && usersResource) {
+    middlewares.push({
+      name: 'apiKey',
+      middleware: apiKeyAuth({
+        headerName: apiKeyConfig.headerName || 'X-API-Key',
+        usersResource,
+        optional: true // Check all methods before rejecting
+      })
+    });
+  }
+
+  if (methods.includes('basic') && usersResource) {
+    middlewares.push({
+      name: 'basic',
+      middleware: basicAuth({
+        realm: basicConfig.realm || 'API Access',
+        usersResource,
+        passphrase: basicConfig.passphrase || 'secret',
+        optional: true // Check all methods before rejecting
+      })
+    });
+  }
+
+  // Return combined middleware
+  return async (c, next) => {
+    // Try each auth method
+    for (const { name, middleware } of middlewares) {
+      // Create a temporary next that captures success
+      let authSuccess = false;
+      const tempNext = async () => {
+        authSuccess = true;
+      };
+
+      // Try auth method
+      await middleware(c, tempNext);
+
+      // If auth succeeded, continue
+      if (authSuccess && c.get('user')) {
+        return await next();
+      }
+    }
+
+    // No auth method succeeded
+    if (optional) {
+      return await next();
+    }
+
+    // Require authentication
+    const response = unauthorized(
+      `Authentication required. Supported methods: ${methods.join(', ')}`
+    );
+    return c.json(response, response._status);
+  };
+}
+
+export default {
+  createAuthMiddleware,
+  jwtAuth,
+  apiKeyAuth,
+  basicAuth
+};

package/src/plugins/api/auth/jwt-auth.js

@@ -0,0 +1,169 @@
+/**
+ * JWT Authentication - JSON Web Token authentication middleware
+ *
+ * Provides stateless authentication using JWT tokens
+ */
+
+import { createHash } from 'crypto';
+import { unauthorized } from '../utils/response-formatter.js';
+
+/**
+ * Create JWT token (simple implementation without external dependencies)
+ * Note: In production, use 'jsonwebtoken' package for better security
+ * @param {Object} payload - Token payload
+ * @param {string} secret - JWT secret
+ * @param {string} expiresIn - Token expiration (e.g., '7d')
+ * @returns {string} JWT token
+ */
+export function createToken(payload, secret, expiresIn = '7d') {
+  // Parse expiresIn
+  const match = expiresIn.match(/^(\d+)([smhd])$/);
+  if (!match) {
+    throw new Error('Invalid expiresIn format. Use: 60s, 30m, 24h, 7d');
+  }
+
+  const [, value, unit] = match;
+  const multipliers = { s: 1, m: 60, h: 3600, d: 86400 };
+  const expiresInSeconds = parseInt(value) * multipliers[unit];
+
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+
+  const data = {
+    ...payload,
+    iat: now,
+    exp: now + expiresInSeconds
+  };
+
+  // Encode
+  const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const encodedPayload = Buffer.from(JSON.stringify(data)).toString('base64url');
+
+  // Sign
+  const signature = createHash('sha256')
+    .update(`${encodedHeader}.${encodedPayload}.${secret}`)
+    .digest('base64url');
+
+  return `${encodedHeader}.${encodedPayload}.${signature}`;
+}
+
+/**
+ * Verify JWT token
+ * @param {string} token - JWT token
+ * @param {string} secret - JWT secret
+ * @returns {Object|null} Decoded payload or null if invalid
+ */
+export function verifyToken(token, secret) {
+  try {
+    const [encodedHeader, encodedPayload, signature] = token.split('.');
+
+    if (!encodedHeader || !encodedPayload || !signature) {
+      return null;
+    }
+
+    // Verify signature
+    const expectedSignature = createHash('sha256')
+      .update(`${encodedHeader}.${encodedPayload}.${secret}`)
+      .digest('base64url');
+
+    if (signature !== expectedSignature) {
+      return null;
+    }
+
+    // Decode payload
+    const payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString());
+
+    // Check expiration
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) {
+      return null; // Expired
+    }
+
+    return payload;
+  } catch (err) {
+    return null;
+  }
+}
+
+/**
+ * Create JWT authentication middleware
+ * @param {Object} options - JWT options
+ * @param {string} options.secret - JWT secret key
+ * @param {Object} options.usersResource - Users resource for user lookup
+ * @param {boolean} options.optional - If true, allows requests without auth
+ * @returns {Function} Hono middleware
+ */
+export function jwtAuth(options = {}) {
+  const { secret, usersResource, optional = false } = options;
+
+  if (!secret) {
+    throw new Error('JWT secret is required');
+  }
+
+  return async (c, next) => {
+    const authHeader = c.req.header('authorization');
+
+    if (!authHeader) {
+      if (optional) {
+        return await next();
+      }
+
+      const response = unauthorized('No authorization header provided');
+      return c.json(response, response._status);
+    }
+
+    // Extract token from "Bearer <token>"
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    if (!match) {
+      const response = unauthorized('Invalid authorization header format. Use: Bearer <token>');
+      return c.json(response, response._status);
+    }
+
+    const token = match[1];
+
+    // Verify token
+    const payload = verifyToken(token, secret);
+
+    if (!payload) {
+      const response = unauthorized('Invalid or expired token');
+      return c.json(response, response._status);
+    }
+
+    // Optionally load user from database
+    if (usersResource && payload.userId) {
+      try {
+        const user = await usersResource.get(payload.userId);
+
+        if (!user) {
+          const response = unauthorized('User not found');
+          return c.json(response, response._status);
+        }
+
+        if (!user.active) {
+          const response = unauthorized('User account is inactive');
+          return c.json(response, response._status);
+        }
+
+        // Store user in context
+        c.set('user', user);
+        c.set('authMethod', 'jwt');
+      } catch (err) {
+        console.error('[JWT Auth] Error loading user:', err);
+        const response = unauthorized('Authentication error');
+        return c.json(response, response._status);
+      }
+    } else {
+      // Store payload as user
+      c.set('user', payload);
+      c.set('authMethod', 'jwt');
+    }
+
+    await next();
+  };
+}
+
+export default {
+  createToken,
+  verifyToken,
+  jwtAuth
+};