s3db.js 13.4.0 → 13.6.0

package/src/plugins/api/middlewares/security-headers.js

@@ -0,0 +1,120 @@
+/**
+ * Security Headers Middleware
+ *
+ * Adds standard security headers to all responses for enhanced protection.
+ * Helps prevent common web vulnerabilities like XSS, clickjacking, and MIME sniffing.
+ *
+ * Headers included:
+ * - Content-Security-Policy (CSP): Prevents XSS and data injection attacks
+ * - Strict-Transport-Security (HSTS): Forces HTTPS connections
+ * - X-Frame-Options: Prevents clickjacking
+ * - X-Content-Type-Options: Prevents MIME sniffing
+ * - Referrer-Policy: Controls referer information
+ * - X-XSS-Protection: Legacy XSS protection (for older browsers)
+ *
+ * @example
+ * import { createSecurityHeadersMiddleware } from './middlewares/security-headers.js';
+ *
+ * const middleware = createSecurityHeadersMiddleware({
+ *   headers: {
+ *     csp: "default-src 'self'; script-src 'self' 'unsafe-inline'",
+ *     hsts: { maxAge: 31536000, includeSubDomains: true },
+ *     xFrameOptions: 'DENY'
+ *   }
+ * });
+ *
+ * app.use('*', middleware);
+ */
+
+/**
+ * Create security headers middleware
+ *
+ * @param {Object} config - Security configuration
+ * @param {Object} config.headers - Header configuration
+ * @param {string} config.headers.csp - Content Security Policy
+ * @param {Object} config.headers.hsts - HSTS configuration
+ * @param {number} config.headers.hsts.maxAge - HSTS max age in seconds
+ * @param {boolean} config.headers.hsts.includeSubDomains - Include subdomains
+ * @param {boolean} config.headers.hsts.preload - Enable HSTS preload
+ * @param {string} config.headers.xFrameOptions - X-Frame-Options value (DENY, SAMEORIGIN, ALLOW-FROM)
+ * @param {string} config.headers.xContentTypeOptions - X-Content-Type-Options (nosniff)
+ * @param {string} config.headers.referrerPolicy - Referrer-Policy value
+ * @param {string} config.headers.xssProtection - X-XSS-Protection value
+ * @returns {Function} Hono middleware
+ */
+export function createSecurityHeadersMiddleware(config = {}) {
+  const defaults = {
+    csp: "default-src 'self'",
+    hsts: { maxAge: 31536000, includeSubDomains: true, preload: false },
+    xFrameOptions: 'DENY',
+    xContentTypeOptions: 'nosniff',
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    xssProtection: '1; mode=block',
+    permissionsPolicy: 'geolocation=(), microphone=(), camera=()'
+  };
+
+  const settings = {
+    ...defaults,
+    ...(config.headers || {})
+  };
+
+  // Merge HSTS settings
+  if (config.headers?.hsts && typeof config.headers.hsts === 'object') {
+    settings.hsts = {
+      ...defaults.hsts,
+      ...config.headers.hsts
+    };
+  }
+
+  return async (c, next) => {
+    // Content Security Policy
+    if (settings.csp) {
+      c.header('Content-Security-Policy', settings.csp);
+    }
+
+    // HTTP Strict Transport Security
+    if (settings.hsts) {
+      const hsts = settings.hsts;
+      let hstsValue = `max-age=${hsts.maxAge}`;
+
+      if (hsts.includeSubDomains) {
+        hstsValue += '; includeSubDomains';
+      }
+
+      if (hsts.preload) {
+        hstsValue += '; preload';
+      }
+
+      c.header('Strict-Transport-Security', hstsValue);
+    }
+
+    // X-Frame-Options
+    if (settings.xFrameOptions) {
+      c.header('X-Frame-Options', settings.xFrameOptions);
+    }
+
+    // X-Content-Type-Options
+    if (settings.xContentTypeOptions) {
+      c.header('X-Content-Type-Options', settings.xContentTypeOptions);
+    }
+
+    // Referrer-Policy
+    if (settings.referrerPolicy) {
+      c.header('Referrer-Policy', settings.referrerPolicy);
+    }
+
+    // X-XSS-Protection (legacy, but still useful for older browsers)
+    if (settings.xssProtection) {
+      c.header('X-XSS-Protection', settings.xssProtection);
+    }
+
+    // Permissions-Policy (formerly Feature-Policy)
+    if (settings.permissionsPolicy) {
+      c.header('Permissions-Policy', settings.permissionsPolicy);
+    }
+
+    await next();
+  };
+}
+
+export default createSecurityHeadersMiddleware;

package/src/plugins/api/middlewares/session-tracking.js

@@ -0,0 +1,194 @@
+/**
+ * Session Tracking Middleware
+ *
+ * Tracks user sessions for analytics and monitoring purposes.
+ * Creates persistent session IDs stored in encrypted cookies.
+ *
+ * Features:
+ * - Encrypted session IDs (AES-256-GCM)
+ * - Optional database storage
+ * - Auto-update on each request
+ * - Custom session enrichment
+ * - IP, User-Agent, Referer tracking
+ *
+ * @example
+ * import { createSessionTrackingMiddleware } from './middlewares/session-tracking.js';
+ *
+ * const middleware = createSessionTrackingMiddleware({
+ *   enabled: true,
+ *   resource: 'sessions',
+ *   cookieName: 'session_id',
+ *   passphrase: process.env.SESSION_SECRET,
+ *   updateOnRequest: true,
+ *   enrichSession: async ({ session, context }) => ({
+ *     userAgent: context.req.header('user-agent'),
+ *     ip: context.req.header('x-forwarded-for')
+ *   })
+ * }, db);
+ *
+ * app.use('*', middleware);
+ *
+ * // In route handlers:
+ * app.get('/r/:id', async (c) => {
+ *   const sessionId = c.get('sessionId');
+ *   const session = c.get('session');
+ *   console.log('Session:', sessionId);
+ * });
+ */
+
+import { encrypt, decrypt } from '../../../concerns/crypto.js';
+import { idGenerator } from '../../../concerns/id.js';
+
+/**
+ * Create session tracking middleware
+ *
+ * @param {Object} config - Session configuration
+ * @param {boolean} config.enabled - Enable session tracking (default: false)
+ * @param {string} config.resource - Resource name for DB storage (optional)
+ * @param {string} config.cookieName - Cookie name (default: 'session_id')
+ * @param {number} config.cookieMaxAge - Cookie max age in ms (default: 30 days)
+ * @param {boolean} config.cookieSecure - Secure flag (default: production mode)
+ * @param {string} config.cookieSameSite - SameSite policy (default: 'Strict')
+ * @param {boolean} config.updateOnRequest - Update session on each request (default: true)
+ * @param {string} config.passphrase - Encryption passphrase (required)
+ * @param {Function} config.enrichSession - Custom session enrichment function
+ * @param {Object} db - Database instance
+ * @returns {Function} Hono middleware
+ */
+export function createSessionTrackingMiddleware(config = {}, db) {
+  const {
+    enabled = false,
+    resource = null,
+    cookieName = 'session_id',
+    cookieMaxAge = 2592000000, // 30 days
+    cookieSecure = process.env.NODE_ENV === 'production',
+    cookieSameSite = 'Strict',
+    updateOnRequest = true,
+    passphrase = null,
+    enrichSession = null
+  } = config;
+
+  // If disabled, return no-op middleware
+  if (!enabled) {
+    return async (c, next) => await next();
+  }
+
+  // Validate required config
+  if (!passphrase) {
+    throw new Error('sessionTracking.passphrase is required when sessionTracking.enabled = true');
+  }
+
+  // Get sessions resource if configured
+  const sessionsResource = resource && db ? db.resources[resource] : null;
+
+  return async (c, next) => {
+    let session = null;
+    let sessionId = null;
+    let isNewSession = false;
+
+    // 1. Check if session cookie exists
+    const sessionCookie = c.req.cookie(cookieName);
+
+    if (sessionCookie) {
+      try {
+        // Decrypt session ID
+        sessionId = await decrypt(sessionCookie, passphrase);
+
+        // Load from DB if resource configured
+        if (sessionsResource) {
+          const exists = await sessionsResource.exists(sessionId);
+          if (exists) {
+            session = await sessionsResource.get(sessionId);
+          }
+        } else {
+          // No DB storage - create minimal session object
+          session = { id: sessionId };
+        }
+      } catch (err) {
+        console.error('[SessionTracking] Failed to decrypt cookie:', err.message);
+        // Will create new session below
+      }
+    }
+
+    // 2. Create new session if needed
+    if (!session) {
+      isNewSession = true;
+      sessionId = idGenerator();
+
+      const sessionData = {
+        id: sessionId,
+        userAgent: c.req.header('user-agent') || null,
+        ip: c.req.header('x-forwarded-for') || c.req.header('x-real-ip') || null,
+        referer: c.req.header('referer') || null,
+        createdAt: new Date().toISOString(),
+        lastSeenAt: new Date().toISOString()
+      };
+
+      // Enrich with custom data
+      if (enrichSession && typeof enrichSession === 'function') {
+        try {
+          const enriched = await enrichSession({ session: sessionData, context: c });
+          if (enriched && typeof enriched === 'object') {
+            Object.assign(sessionData, enriched);
+          }
+        } catch (enrichErr) {
+          console.error('[SessionTracking] enrichSession failed:', enrichErr.message);
+        }
+      }
+
+      // Save to DB if resource configured
+      if (sessionsResource) {
+        try {
+          session = await sessionsResource.insert(sessionData);
+        } catch (insertErr) {
+          console.error('[SessionTracking] Failed to insert session:', insertErr.message);
+          session = sessionData; // Use in-memory fallback
+        }
+      } else {
+        session = sessionData;
+      }
+    }
+
+    // 3. Update session on each request (if enabled and not new)
+    else if (updateOnRequest && !isNewSession && sessionsResource) {
+      const updates = {
+        lastSeenAt: new Date().toISOString(),
+        lastUserAgent: c.req.header('user-agent') || null,
+        lastIp: c.req.header('x-forwarded-for') || c.req.header('x-real-ip') || null
+      };
+
+      // Fire-and-forget update (don't block request)
+      sessionsResource.update(sessionId, updates).catch((updateErr) => {
+        console.error('[SessionTracking] Failed to update session:', updateErr.message);
+      });
+
+      // Update local copy
+      Object.assign(session, updates);
+    }
+
+    // 4. Set/refresh cookie
+    try {
+      const encryptedSessionId = await encrypt(sessionId, passphrase);
+
+      c.header(
+        'Set-Cookie',
+        `${cookieName}=${encryptedSessionId}; ` +
+        `Max-Age=${Math.floor(cookieMaxAge / 1000)}; ` +
+        `Path=/; ` +
+        `HttpOnly; ` +
+        (cookieSecure ? 'Secure; ' : '') +
+        `SameSite=${cookieSameSite}`
+      );
+    } catch (encryptErr) {
+      console.error('[SessionTracking] Failed to encrypt session ID:', encryptErr.message);
+    }
+
+    // 5. Expose to context
+    c.set('sessionId', sessionId);
+    c.set('session', session);
+
+    await next();
+  };
+}
+
+export default createSessionTrackingMiddleware;

package/src/plugins/api/routes/auth-routes.js

@@ -14,13 +14,16 @@ import tryFn from '../../../concerns/try-fn.js';
 
 /**
  * Create authentication routes
- * @param {Object} usersResource - s3db.js users resource
+ * @param {Object} authResource - s3db.js resource that manages authentication
  * @param {Object} config - Auth configuration
  * @returns {Hono} Hono app with auth routes
  */
-export function createAuthRoutes(usersResource, config = {}) {
+export function createAuthRoutes(authResource, config = {}) {
   const app = new Hono();
   const {
+    driver,                          // 'jwt' or 'basic'
+    usernameField = 'email',         // Field name for username (default: 'email')
+    passwordField = 'password',      // Field name for password (default: 'password')
     jwtSecret,
     jwtExpiresIn = '7d',
     passphrase = 'secret',
@@ -31,134 +34,172 @@ export function createAuthRoutes(usersResource, config = {}) {
   if (allowRegistration) {
     app.post('/register', asyncHandler(async (c) => {
       const data = await c.req.json();
-      const { username, password, email, role = 'user' } = data;
+      const username = data[usernameField];
+      const password = data[passwordField];
+      const role = data.role || 'user';
 
       // Validate input
       if (!username || !password) {
         const response = formatter.validationError([
-          { field: 'username', message: 'Username is required' },
-          { field: 'password', message: 'Password is required' }
+          { field: usernameField, message: `${usernameField} is required` },
+          { field: passwordField, message: `${passwordField} is required` }
         ]);
         return c.json(response, response._status);
       }
 
       if (password.length < 8) {
         const response = formatter.validationError([
-          { field: 'password', message: 'Password must be at least 8 characters' }
+          { field: passwordField, message: 'Password must be at least 8 characters' }
         ]);
         return c.json(response, response._status);
       }
 
       // Check if username already exists
-      const existing = await usersResource.query({ username });
+      const queryFilter = { [usernameField]: username };
+      const existing = await authResource.query(queryFilter);
       if (existing && existing.length > 0) {
-        const response = formatter.error('Username already exists', {
+        const response = formatter.error(`${usernameField} already exists`, {
           status: 409,
           code: 'CONFLICT'
         });
         return c.json(response, response._status);
       }
 
-      // Create user
-      const user = await usersResource.insert({
-        username,
-        password, // Will be auto-encrypted by schema (secret field)
-        email,
-        role,
-        active: true,
-        apiKey: generateApiKey(),
-        createdAt: new Date().toISOString()
-      });
+      // Create user with dynamic fields
+      // Only include fields from request + required auth fields
+      const { id, ...dataWithoutId } = data; // Exclude id from request data
+      const userData = {
+        ...dataWithoutId, // Include all fields from request except id
+        [usernameField]: username, // Override to ensure correct value
+        [passwordField]: password // Will be auto-encrypted by schema (secret field)
+      };
+
+      // Add optional fields only if not provided
+      if (!userData.role) {
+        userData.role = role;
+      }
+      if (userData.active === undefined) {
+        userData.active = true;
+      }
 
-      // Generate JWT token
+      const user = await authResource.insert(userData);
+
+      // Generate JWT token (only for JWT driver)
       let token = null;
-      if (jwtSecret) {
+      if (driver === 'jwt' && jwtSecret) {
         token = createToken(
-          { userId: user.id, username: user.username, role: user.role },
+          {
+            userId: user.id,
+            [usernameField]: user[usernameField],
+            role: user.role
+          },
           jwtSecret,
           jwtExpiresIn
         );
       }
 
       // Remove sensitive data from response
-      const { password: _, ...userWithoutPassword } = user;
+      const { [passwordField]: _, ...userWithoutPassword } = user;
 
       const response = formatter.created({
         user: userWithoutPassword,
-        token
+        ...(token && { token }) // Only include token if JWT driver
       }, `/auth/users/${user.id}`);
 
       return c.json(response, response._status);
     }));
   }
 
-  // POST /auth/login - Login with username/password
-  app.post('/login', asyncHandler(async (c) => {
-    const data = await c.req.json();
-    const { username, password } = data;
+  // POST /auth/login - Login with username/password (JWT driver only)
+  if (driver === 'jwt') {
+    app.post('/login', asyncHandler(async (c) => {
+      const data = await c.req.json();
+      const username = data[usernameField];
+      const password = data[passwordField];
 
-    // Validate input
-    if (!username || !password) {
-      const response = formatter.unauthorized('Username and password are required');
-      return c.json(response, response._status);
-    }
+      // Validate input
+      if (!username || !password) {
+        const response = formatter.unauthorized(`${usernameField} and ${passwordField} are required`);
+        return c.json(response, response._status);
+      }
 
-    // Find user
-    const users = await usersResource.query({ username });
-    if (!users || users.length === 0) {
-      const response = formatter.unauthorized('Invalid credentials');
-      return c.json(response, response._status);
-    }
+      // Find user by username field
+      const queryFilter = { [usernameField]: username };
+      const users = await authResource.query(queryFilter);
+      if (!users || users.length === 0) {
+        const response = formatter.unauthorized('Invalid credentials');
+        return c.json(response, response._status);
+      }
 
-    const user = users[0];
+      const user = users[0];
 
-    if (!user.active) {
-      const response = formatter.unauthorized('User account is inactive');
-      return c.json(response, response._status);
-    }
+      // Check if user is active
+      if (user.active !== undefined && !user.active) {
+        const response = formatter.unauthorized('User account is inactive');
+        return c.json(response, response._status);
+      }
 
-    // Verify password (decrypt and compare)
-    // Note: In production, use proper password hashing (bcrypt, argon2)
-    const [ok, err, decrypted] = await tryFn(() =>
-      user.password // Password is already decrypted by autoDecrypt
-    );
+      // Verify password (compare with password field)
+      // For 'password' field type (bcrypt hash), use verifyPassword
+      // For 'secret' field type (AES encryption), compare directly
+      let isValid = false;
 
-    // For secret fields, we need to manually decrypt if autoDecrypt is off
-    // But by default autoDecrypt is true, so user.password should be plain text here
-    // Let's just compare directly since schema handles encryption/decryption
-    const isValid = user.password === password;
+      const storedPassword = user[passwordField];
+      if (!storedPassword) {
+        const response = formatter.unauthorized('Invalid credentials');
+        return c.json(response, response._status);
+      }
 
-    if (!isValid) {
-      const response = formatter.unauthorized('Invalid credentials');
-      return c.json(response, response._status);
-    }
+      // Check if it's a bcrypt hash (starts with $ or is compacted 53 chars)
+      const isBcryptHash = storedPassword.startsWith('$') || (storedPassword.length === 53 && !storedPassword.includes(':'));
 
-    // Update last login
-    await usersResource.update(user.id, {
-      lastLoginAt: new Date().toISOString()
-    });
+      if (isBcryptHash) {
+        // Import verifyPassword for bcrypt hashes
+        const { verifyPassword } = await import('../../../concerns/password-hashing.js');
+        isValid = await verifyPassword(password, storedPassword);
+      } else {
+        // For encrypted/secret fields, direct comparison
+        isValid = storedPassword === password;
+      }
 
-    // Generate JWT token
-    let token = null;
-    if (jwtSecret) {
-      token = createToken(
-        { userId: user.id, username: user.username, role: user.role },
-        jwtSecret,
-        jwtExpiresIn
-      );
-    }
+      if (!isValid) {
+        const response = formatter.unauthorized('Invalid credentials');
+        return c.json(response, response._status);
+      }
 
-    // Remove sensitive data from response
-    const { password: _, ...userWithoutPassword } = user;
+      // Update last login if field exists
+      if (user.lastLoginAt !== undefined) {
+        await authResource.update(user.id, {
+          lastLoginAt: new Date().toISOString()
+        });
+      }
 
-    const response = formatter.success({
-      user: userWithoutPassword,
-      token,
-      expiresIn: jwtExpiresIn
-    });
+      // Generate JWT token
+      let token = null;
+      if (jwtSecret) {
+        token = createToken(
+          {
+            userId: user.id,
+            [usernameField]: user[usernameField],
+            role: user.role
+          },
+          jwtSecret,
+          jwtExpiresIn
+        );
+      }
 
-    return c.json(response, response._status);
-  }));
+      // Remove sensitive data from response
+      const { [passwordField]: _, ...userWithoutPassword } = user;
+
+      const response = formatter.success({
+        user: userWithoutPassword,
+        token,
+        expiresIn: jwtExpiresIn
+      });
+
+      return c.json(response, response._status);
+    }));
+  }
 
   // POST /auth/token/refresh - Refresh JWT token
   if (jwtSecret) {