s3db.js 13.6.0 → 14.0.2

package/src/plugins/identity/index.js

@@ -30,13 +30,19 @@ import { Plugin } from '../plugin.class.js';
 import { requirePluginDependency } from '../concerns/plugin-dependencies.js';
 import tryFn from '../../concerns/try-fn.js';
 import { OAuth2Server } from './oauth2-server.js';
+import { RateLimiter } from './concerns/rate-limit.js';
+import { resolveResourceNames } from '../concerns/resource-names.js';
+import { prepareResourceConfigs } from './concerns/config.js';
+import { PluginError } from '../../errors.js';
 import {
   BASE_USER_ATTRIBUTES,
   BASE_TENANT_ATTRIBUTES,
   BASE_CLIENT_ATTRIBUTES,
-  validateResourcesConfig,
   mergeResourceConfig
 } from './concerns/resource-schemas.js';
+import { verifyPassword } from './concerns/password.js';
+import { createBuiltInAuthDrivers } from './drivers/index.js';
+import { AuthDriver } from './drivers/auth-driver.interface.js';
 
 /**
  * Identity Provider Plugin class
@@ -51,31 +57,32 @@ export class IdentityPlugin extends Plugin {
   constructor(options = {}) {
     super(options);
 
-    // Validate required resources configuration
-    const resourcesValidation = validateResourcesConfig(options.resources);
-    if (!resourcesValidation.valid) {
-      throw new Error(
-        'IdentityPlugin configuration error:\n' +
-        resourcesValidation.errors.join('\n')
-      );
-    }
+    this._internalResourceOverrides = options.resourceNames || options.internalResources || {};
+    this._internalResourceDescriptors = {
+      oauthKeys: {
+        defaultName: 'plg_identity_oauth_keys',
+        override: this._internalResourceOverrides.oauthKeys
+      },
+      authCodes: {
+        defaultName: 'plg_identity_auth_codes',
+        override: this._internalResourceOverrides.authCodes
+      },
+      sessions: {
+        defaultName: 'plg_identity_sessions',
+        override: this._internalResourceOverrides.sessions
+      },
+      passwordResetTokens: {
+        defaultName: 'plg_identity_password_reset_tokens',
+        override: this._internalResourceOverrides.passwordResetTokens
+      },
+      mfaDevices: {
+        defaultName: 'plg_identity_mfa_devices',
+        override: this._internalResourceOverrides.mfaDevices
+      }
+    };
+    this.internalResourceNames = this._resolveInternalResourceNames();
 
-    // Validate resource configs (will throw if invalid)
-    mergeResourceConfig(
-      { attributes: BASE_USER_ATTRIBUTES },
-      options.resources.users,
-      'users'
-    );
-    mergeResourceConfig(
-      { attributes: BASE_TENANT_ATTRIBUTES },
-      options.resources.tenants,
-      'tenants'
-    );
-    mergeResourceConfig(
-      { attributes: BASE_CLIENT_ATTRIBUTES },
-      options.resources.clients,
-      'clients'
-    );
+    const normalizedResources = prepareResourceConfigs(options.resources);
 
     this.config = {
       // Server configuration
@@ -86,7 +93,7 @@ export class IdentityPlugin extends Plugin {
       // OAuth2/OIDC configuration
       issuer: options.issuer || `http://localhost:${options.port || 4000}`,
       supportedScopes: options.supportedScopes || ['openid', 'profile', 'email', 'offline_access'],
-      supportedGrantTypes: options.supportedGrantTypes || ['authorization_code', 'client_credentials', 'refresh_token'],
+      supportedGrantTypes: options.supportedGrantTypes || ['authorization_code', 'refresh_token', 'client_credentials', 'password'],
       supportedResponseTypes: options.supportedResponseTypes || ['code', 'token', 'id_token'],
 
       // Token expiration
@@ -96,21 +103,9 @@ export class IdentityPlugin extends Plugin {
       authCodeExpiry: options.authCodeExpiry || '10m',
 
       // Resource configuration (REQUIRED)
-      // User must declare: users, tenants, clients with full resource config
-      resources: {
-        users: {
-          userConfig: options.resources.users,      // Store user's full config
-          mergedConfig: null                         // Will be populated in _createResources()
-        },
-        tenants: {
-          userConfig: options.resources.tenants,
-          mergedConfig: null
-        },
-        clients: {
-          userConfig: options.resources.clients,
-          mergedConfig: null
-        }
-      },
+      resources: normalizedResources,
+
+      resourceNames: this.internalResourceNames,
 
       // CORS configuration
       cors: {
@@ -318,6 +313,23 @@ export class IdentityPlugin extends Plugin {
         }
       },
 
+      // Rate Limiting Configuration
+      rateLimit: {
+        enabled: options.rateLimit?.enabled !== false,
+        login: {
+          windowMs: options.rateLimit?.login?.windowMs || 60000,
+          max: options.rateLimit?.login?.max ?? 10
+        },
+        token: {
+          windowMs: options.rateLimit?.token?.windowMs || 60000,
+          max: options.rateLimit?.token?.max ?? 60
+        },
+        authorize: {
+          windowMs: options.rateLimit?.authorize?.windowMs || 60000,
+          max: options.rateLimit?.authorize?.max ?? 30
+        }
+      },
+
       // Features (MVP - Phase 1)
       features: {
         // Endpoints (can be disabled individually)
@@ -353,7 +365,9 @@ export class IdentityPlugin extends Plugin {
         // emailVerification: { enabled: false, required: false },
         // passwordPolicy: { enabled: false, minLength: 8, ... },
         // webhooks: { enabled: false, endpoints: [], events: [] }
-      }
+      },
+
+      authDrivers: options.authDrivers || {}
     };
 
     this.server = null;
@@ -375,6 +389,24 @@ export class IdentityPlugin extends Plugin {
     this.usersResource = null;
     this.tenantsResource = null;
     this.clientsResource = null;
+
+    // Rate limiters
+    this.rateLimiters = this._createRateLimiters();
+    this.authDrivers = new Map();
+    this.authDriverInstances = [];
+  }
+
+  _resolveInternalResourceNames() {
+    return resolveResourceNames('identity', this._internalResourceDescriptors, {
+      namespace: this.namespace
+    });
+  }
+
+  onNamespaceChanged() {
+    this.internalResourceNames = this._resolveInternalResourceNames();
+    if (this.config) {
+      this.config.resourceNames = this.internalResourceNames;
+    }
   }
 
   /**
@@ -388,6 +420,34 @@ export class IdentityPlugin extends Plugin {
     });
   }
 
+  /**
+   * Initialize rate limiters for sensitive endpoints
+   * @private
+   * @returns {Object<string, RateLimiter>}
+   */
+  _createRateLimiters() {
+    if (!this.config.rateLimit.enabled) {
+      return {};
+    }
+
+    const limiters = {};
+    const { login, token, authorize } = this.config.rateLimit;
+
+    if (login?.max > 0 && login?.windowMs > 0) {
+      limiters.login = new RateLimiter(login);
+    }
+
+    if (token?.max > 0 && token?.windowMs > 0) {
+      limiters.token = new RateLimiter(token);
+    }
+
+    if (authorize?.max > 0 && authorize?.windowMs > 0) {
+      limiters.authorize = new RateLimiter(authorize);
+    }
+
+    return limiters;
+  }
+
   /**
    * Install plugin
    */
@@ -428,6 +488,9 @@ export class IdentityPlugin extends Plugin {
     // Initialize MFA Manager
     await this._initializeMFAManager();
 
+    // Initialize authentication drivers
+    await this._initializeAuthDrivers();
+
     if (this.config.verbose) {
       console.log('[Identity Plugin] Installed successfully');
     }
@@ -438,10 +501,12 @@ export class IdentityPlugin extends Plugin {
    * @private
    */
   async _createOAuth2Resources() {
+    const names = this.internalResourceNames;
+
     // 1. OAuth Keys Resource (RSA keys for token signing)
     const [okKeys, errKeys, keysResource] = await tryFn(() =>
       this.database.createResource({
-        name: 'plg_oauth_keys',
+        name: names.oauthKeys,
         attributes: {
           kid: 'string|required',
           publicKey: 'string|required',
@@ -460,12 +525,12 @@ export class IdentityPlugin extends Plugin {
     if (okKeys) {
       this.oauth2KeysResource = keysResource;
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Created plg_oauth_keys resource');
+        console.log(`[Identity Plugin] Created ${names.oauthKeys} resource`);
       }
-    } else if (this.database.resources.plg_oauth_keys) {
-      this.oauth2KeysResource = this.database.resources.plg_oauth_keys;
+    } else if (this.database.resources[names.oauthKeys]) {
+      this.oauth2KeysResource = this.database.resources[names.oauthKeys];
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Using existing plg_oauth_keys resource');
+        console.log(`[Identity Plugin] Using existing ${names.oauthKeys} resource`);
       }
     } else {
       throw errKeys;
@@ -474,7 +539,7 @@ export class IdentityPlugin extends Plugin {
     // 2. OAuth Authorization Codes Resource (authorization_code flow)
     const [okCodes, errCodes, codesResource] = await tryFn(() =>
       this.database.createResource({
-        name: 'plg_auth_codes',
+        name: names.authCodes,
         attributes: {
           code: 'string|required',
           clientId: 'string|required',
@@ -496,12 +561,12 @@ export class IdentityPlugin extends Plugin {
     if (okCodes) {
       this.oauth2AuthCodesResource = codesResource;
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Created plg_auth_codes resource');
+        console.log(`[Identity Plugin] Created ${names.authCodes} resource`);
       }
-    } else if (this.database.resources.plg_auth_codes) {
-      this.oauth2AuthCodesResource = this.database.resources.plg_auth_codes;
+    } else if (this.database.resources[names.authCodes]) {
+      this.oauth2AuthCodesResource = this.database.resources[names.authCodes];
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Using existing plg_auth_codes resource');
+        console.log(`[Identity Plugin] Using existing ${names.authCodes} resource`);
       }
     } else {
       throw errCodes;
@@ -510,7 +575,7 @@ export class IdentityPlugin extends Plugin {
     // 3. Sessions Resource (user sessions for UI/admin)
     const [okSessions, errSessions, sessionsResource] = await tryFn(() =>
       this.database.createResource({
-        name: 'plg_sessions',
+        name: names.sessions,
         attributes: {
           userId: 'string|required',
           expiresAt: 'string|required',
@@ -528,12 +593,12 @@ export class IdentityPlugin extends Plugin {
     if (okSessions) {
       this.sessionsResource = sessionsResource;
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Created plg_sessions resource');
+        console.log(`[Identity Plugin] Created ${names.sessions} resource`);
       }
-    } else if (this.database.resources.plg_sessions) {
-      this.sessionsResource = this.database.resources.plg_sessions;
+    } else if (this.database.resources[names.sessions]) {
+      this.sessionsResource = this.database.resources[names.sessions];
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Using existing plg_sessions resource');
+        console.log(`[Identity Plugin] Using existing ${names.sessions} resource`);
       }
     } else {
       throw errSessions;
@@ -542,7 +607,7 @@ export class IdentityPlugin extends Plugin {
     // 4. Password Reset Tokens Resource (for password reset flow)
     const [okResetTokens, errResetTokens, resetTokensResource] = await tryFn(() =>
       this.database.createResource({
-        name: 'plg_password_reset_tokens',
+        name: names.passwordResetTokens,
         attributes: {
           userId: 'string|required',
           token: 'string|required',
@@ -559,12 +624,12 @@ export class IdentityPlugin extends Plugin {
     if (okResetTokens) {
       this.passwordResetTokensResource = resetTokensResource;
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Created plg_password_reset_tokens resource');
+        console.log(`[Identity Plugin] Created ${names.passwordResetTokens} resource`);
       }
-    } else if (this.database.resources.plg_password_reset_tokens) {
-      this.passwordResetTokensResource = this.database.resources.plg_password_reset_tokens;
+    } else if (this.database.resources[names.passwordResetTokens]) {
+      this.passwordResetTokensResource = this.database.resources[names.passwordResetTokens];
       if (this.config.verbose) {
-        console.log('[Identity Plugin] Using existing plg_password_reset_tokens resource');
+        console.log(`[Identity Plugin] Using existing ${names.passwordResetTokens} resource`);
       }
     } else {
       throw errResetTokens;
@@ -574,7 +639,7 @@ export class IdentityPlugin extends Plugin {
     if (this.config.mfa.enabled) {
       const [okMFA, errMFA, mfaResource] = await tryFn(() =>
         this.database.createResource({
-          name: 'plg_mfa_devices',
+          name: names.mfaDevices,
           attributes: {
             userId: 'string|required',
             type: 'string|required',              // 'totp', 'sms', 'email'
@@ -600,15 +665,15 @@ export class IdentityPlugin extends Plugin {
       if (okMFA) {
         this.mfaDevicesResource = mfaResource;
         if (this.config.verbose) {
-          console.log('[Identity Plugin] Created plg_mfa_devices resource');
+          console.log(`[Identity Plugin] Created ${names.mfaDevices} resource`);
         }
-      } else if (this.database.resources.plg_mfa_devices) {
-        this.mfaDevicesResource = this.database.resources.plg_mfa_devices;
+      } else if (this.database.resources[names.mfaDevices]) {
+        this.mfaDevicesResource = this.database.resources[names.mfaDevices];
         if (this.config.verbose) {
-          console.log('[Identity Plugin] Using existing plg_mfa_devices resource');
+          console.log(`[Identity Plugin] Using existing ${names.mfaDevices} resource`);
         }
       } else {
-        console.warn('[Identity Plugin] MFA enabled but failed to create plg_mfa_devices resource:', errMFA?.message);
+        console.warn(`[Identity Plugin] MFA enabled but failed to create ${names.mfaDevices} resource:`, errMFA?.message);
       }
     }
   }
@@ -748,6 +813,7 @@ export class IdentityPlugin extends Plugin {
     });
 
     await this.oauth2Server.initialize();
+    this.oauth2Server.setIdentityPlugin(this);
 
     if (this.config.verbose) {
       console.log('[Identity Plugin] OAuth2 Server initialized');
@@ -938,6 +1004,277 @@ export class IdentityPlugin extends Plugin {
     }
   }
 
+  async _initializeAuthDrivers() {
+    const driverConfig = this.config.authDrivers;
+
+    if (driverConfig === false) {
+      this.authDrivers = new Map();
+      this.authDriverInstances = [];
+      return;
+    }
+    const disableBuiltIns = this._isPlainObject(driverConfig) && driverConfig.disableBuiltIns === true;
+
+    const context = {
+      database: this.database,
+      config: this.config,
+      resources: {
+        users: this.usersResource,
+        tenants: this.tenantsResource,
+        clients: this.clientsResource
+      },
+      helpers: {
+        password: {
+          verify: verifyPassword
+        }
+      }
+    };
+
+    const drivers = [];
+
+    if (!disableBuiltIns) {
+      const builtInOptions = this._extractBuiltInDriverOptions(driverConfig);
+      drivers.push(...createBuiltInAuthDrivers(builtInOptions));
+    }
+
+    drivers.push(...this._collectCustomAuthDrivers(driverConfig));
+
+    if (!drivers.length) {
+      this.authDrivers = new Map();
+      this.authDriverInstances = [];
+      return;
+    }
+
+    this.authDrivers = new Map();
+    this.authDriverInstances = [];
+
+    for (const driver of drivers) {
+      if (!driver || typeof driver.initialize !== 'function') {
+        throw new PluginError('Auth drivers must implement initialize(context)', {
+          pluginName: 'IdentityPlugin',
+          operation: 'initializeAuthDrivers',
+          statusCode: 500,
+          retriable: false,
+          suggestion: 'Ensure custom auth drivers extend AuthDriver and implement initialize(context).'
+        });
+      }
+
+      try {
+        await driver.initialize(context);
+      } catch (error) {
+        const driverName = driver.name || driver.constructor?.name || 'UnknownDriver';
+        throw new PluginError(`Failed to initialize auth driver "${driverName}": ${error.message}`, {
+          pluginName: 'IdentityPlugin',
+          operation: 'initializeAuthDrivers',
+          statusCode: 500,
+          retriable: false,
+          suggestion: 'Review driver configuration and ensure required dependencies are available.',
+          original: error,
+          metadata: { driverName }
+        });
+      }
+
+      const supportedTypes = Array.isArray(driver.supportedTypes) && driver.supportedTypes.length > 0
+        ? driver.supportedTypes
+        : driver.name
+          ? [driver.name]
+          : [];
+
+      if (!supportedTypes.length) {
+        const driverName = driver.constructor?.name || 'AuthDriver';
+        throw new PluginError(`Auth driver "${driverName}" must declare supportedTypes or name`, {
+          pluginName: 'IdentityPlugin',
+          operation: 'registerAuthDriver',
+          statusCode: 500,
+          retriable: false,
+          suggestion: 'Set driver.supportedTypes = ["password"] or provide a name property to map grants.',
+          metadata: { driverName }
+        });
+      }
+
+      for (const type of supportedTypes) {
+        if (!type) continue;
+        if (this.authDrivers.has(type)) {
+          const existingDriver = this.authDrivers.get(type);
+          const existingName = existingDriver?.name || existingDriver?.constructor?.name || 'AuthDriver';
+          const newName = driver.name || driver.constructor?.name || 'AuthDriver';
+          throw new PluginError(`Duplicate auth driver registration for type "${type}"`, {
+            pluginName: 'IdentityPlugin',
+            operation: 'registerAuthDriver',
+            statusCode: 409,
+            retriable: false,
+            suggestion: 'Remove duplicate registrations or use distinct driver types for each grant.',
+            metadata: { type, existingDriver: existingName, newDriver: newName }
+          });
+        }
+        this.authDrivers.set(type, driver);
+      }
+
+      this.authDriverInstances.push(driver);
+    }
+  }
+
+  getAuthDriver(type) {
+    return this.authDrivers.get(type);
+  }
+
+  _sanitizeAuthSubject(subject) {
+    if (!subject || typeof subject !== 'object') {
+      return subject;
+    }
+
+    const sensitiveFields = [
+      'password',
+      'passwordHash',
+      'password_hash',
+      'salt',
+      'secret',
+      'secrets',
+      'clientSecret',
+      'mfaSecret',
+      'totpSecret',
+      'backupCodes'
+    ];
+
+    const sanitized = { ...subject };
+    for (const field of sensitiveFields) {
+      if (sanitized[field] !== undefined) {
+        delete sanitized[field];
+      }
+    }
+
+    return sanitized;
+  }
+
+  async authenticateWithPassword({ email, password, user }) {
+    const driver = this.getAuthDriver('password');
+    if (!driver) {
+      return {
+        success: false,
+        error: 'password_driver_not_configured',
+        statusCode: 500
+      };
+    }
+
+    const result = await driver.authenticate({
+      type: 'password',
+      email,
+      password,
+      user
+    });
+
+    if (result?.success && result.user) {
+      return {
+        ...result,
+        user: this._sanitizeAuthSubject(result.user)
+      };
+    }
+
+    return result;
+  }
+
+  _collectCustomAuthDrivers(config) {
+    const candidates = [];
+
+    const addCandidate = (candidate) => {
+      if (!candidate) return;
+
+      if (Array.isArray(candidate)) {
+        if (candidate.length > 0 && typeof candidate[0] === 'function') {
+          const [Ctor, options] = candidate;
+          const instance = new Ctor(options);
+          if (!(instance instanceof AuthDriver)) {
+            throw new PluginError('Custom auth driver constructors must extend AuthDriver', {
+              pluginName: 'IdentityPlugin',
+              operation: 'collectCustomAuthDrivers',
+              statusCode: 500,
+              retriable: false,
+              suggestion: 'Extend AuthDriver to ensure consistent interface for initialize/authenticate.'
+            });
+          }
+          candidates.push(instance);
+          return;
+        }
+        for (const item of candidate) {
+          addCandidate(item);
+        }
+        return;
+      }
+
+      if (candidate instanceof AuthDriver) {
+        candidates.push(candidate);
+        return;
+      }
+
+      if (typeof candidate === 'function') {
+        const instance = new candidate();
+        if (!(instance instanceof AuthDriver)) {
+          throw new PluginError('Custom auth driver constructors must extend AuthDriver', {
+            pluginName: 'IdentityPlugin',
+            operation: 'collectCustomAuthDrivers',
+            statusCode: 500,
+            retriable: false,
+            suggestion: 'Update the constructor to extend AuthDriver before registering it.'
+          });
+        }
+        candidates.push(instance);
+        return;
+      }
+
+      if (candidate && typeof candidate === 'object' &&
+        typeof candidate.initialize === 'function' &&
+        typeof candidate.authenticate === 'function'
+      ) {
+        candidates.push(candidate);
+        return;
+      }
+
+      throw new PluginError('Invalid auth driver provided. Drivers must extend AuthDriver.', {
+        pluginName: 'IdentityPlugin',
+        operation: 'collectCustomAuthDrivers',
+        statusCode: 400,
+        retriable: false,
+        suggestion: 'Provide an AuthDriver instance, subclass, or plain object with initialize/authenticate methods.'
+      });
+    };
+
+    if (Array.isArray(config)) {
+      addCandidate(config);
+      return candidates;
+    }
+
+    if (this._isPlainObject(config)) {
+      addCandidate(config.drivers);
+      addCandidate(config.custom);
+      addCandidate(config.customDrivers);
+    }
+
+    return candidates;
+  }
+
+  _extractBuiltInDriverOptions(config) {
+    if (!this._isPlainObject(config)) {
+      return {};
+    }
+
+    if (this._isPlainObject(config.builtIns)) {
+      return config.builtIns;
+    }
+
+    const {
+      drivers,
+      custom,
+      customDrivers,
+      disableBuiltIns,
+      ...builtInOptions
+    } = config;
+
+    return builtInOptions;
+  }
+
+  _isPlainObject(value) {
+    return value != null && typeof value === 'object' && !Array.isArray(value);
+  }
+
   /**
    * Start plugin
    */
@@ -1019,7 +1356,14 @@ export class IdentityPlugin extends Plugin {
 
     // Optionally delete OAuth2 resources
     if (purgeData) {
-      const resourcesToDelete = ['plg_oauth_keys', 'plg_oauth_clients', 'plg_auth_codes'];
+      const resourcesToDelete = new Set([
+        this.internalResourceNames.oauthKeys,
+        this.internalResourceNames.authCodes,
+        this.internalResourceNames.sessions,
+        this.internalResourceNames.passwordResetTokens,
+        this.internalResourceNames.mfaDevices,
+        'plg_oauth_clients'
+      ]);
 
       for (const resourceName of resourcesToDelete) {
         const [ok] = await tryFn(() => this.database.deleteResource(resourceName));