s3db.js 13.6.0 → 14.0.2

package/src/plugins/identity/rsa-keys.js

@@ -5,7 +5,8 @@
  * Zero external dependencies - uses Node.js crypto only
  */
 
-import { generateKeyPairSync, createSign, createVerify, createHash } from 'crypto';
+import { generateKeyPairSync, createSign, createVerify, createHash, createPublicKey } from 'crypto';
+import { PluginError } from '../../errors.js';
 
 /**
  * Generate RSA key pair for RS256
@@ -74,7 +75,13 @@ export function createRS256Token(payload, privateKey, kid, expiresIn = '15m') {
   // Parse expiresIn
   const match = expiresIn.match(/^(\d+)([smhd])$/);
   if (!match) {
-    throw new Error('Invalid expiresIn format. Use: 60s, 30m, 24h, 7d');
+    throw new PluginError('Invalid expiresIn format. Use: 60s, 30m, 24h, 7d', {
+      pluginName: 'IdentityPlugin',
+      operation: 'createToken',
+      statusCode: 400,
+      retriable: false,
+      suggestion: 'Provide a duration string ending with s, m, h, or d (e.g., "15m" for 15 minutes).'
+    });
   }
 
   const [, value, unit] = match;
@@ -174,19 +181,15 @@ export function getKidFromToken(token) {
   }
 }
 
-/**
- * Import createPublicKey for JWK conversion
- */
-import { createPublicKey } from 'crypto';
-
 /**
  * Key Manager class - manages key rotation and storage
  */
 export class KeyManager {
   constructor(keyResource) {
     this.keyResource = keyResource;
-    this.currentKey = null;
-    this.keys = new Map(); // kid → key
+    this.keysByPurpose = new Map(); // purpose -> Map(kid -> key)
+    this.currentKeys = new Map();   // purpose -> active key
+    this.keysByKid = new Map();     // kid -> key
   }
 
   /**
@@ -199,36 +202,34 @@ export class KeyManager {
     if (existingKeys.length > 0) {
       // Load keys into memory
       for (const keyRecord of existingKeys) {
-        this.keys.set(keyRecord.kid, {
-          publicKey: keyRecord.publicKey,
-          privateKey: keyRecord.privateKey,
-          kid: keyRecord.kid,
-          createdAt: keyRecord.createdAt,
-          active: keyRecord.active
+        this._storeKeyRecord({
+          ...keyRecord,
+          purpose: keyRecord.purpose || 'oauth'
         });
-
-        if (keyRecord.active) {
-          this.currentKey = keyRecord;
-        }
       }
     }
 
     // If no active key, generate one
-    if (!this.currentKey) {
-      await this.rotateKey();
+    if (!this.currentKeys.get('oauth')) {
+      await this.rotateKey('oauth');
     }
   }
 
   /**
    * Rotate keys - generate new key pair
    */
-  async rotateKey() {
+  async rotateKey(purpose = 'oauth') {
+    const normalizedPurpose = this._normalizePurpose(purpose);
     const keyPair = generateKeyPair();
 
     // Mark old keys as inactive
-    const oldKeys = await this.keyResource.query({ active: true });
+    const oldKeys = await this.keyResource.query({ active: true, purpose: normalizedPurpose });
     for (const oldKey of oldKeys) {
       await this.keyResource.update(oldKey.id, { active: false });
+      const stored = this.keysByKid.get(oldKey.kid);
+      if (stored) {
+        stored.active = false;
+      }
     }
 
     // Store new key
@@ -239,11 +240,11 @@ export class KeyManager {
       algorithm: keyPair.algorithm,
       use: keyPair.use,
       active: true,
-      createdAt: keyPair.createdAt
+      createdAt: keyPair.createdAt,
+      purpose: normalizedPurpose
     });
 
-    this.currentKey = keyRecord;
-    this.keys.set(keyRecord.kid, keyRecord);
+    this._storeKeyRecord(keyRecord);
 
     return keyRecord;
   }
@@ -251,22 +252,50 @@ export class KeyManager {
   /**
    * Get current active key
    */
-  getCurrentKey() {
-    return this.currentKey;
+  getCurrentKey(purpose = 'oauth') {
+    return this.currentKeys.get(this._normalizePurpose(purpose)) || null;
   }
 
   /**
    * Get key by kid
    */
   getKey(kid) {
-    return this.keys.get(kid);
+    return this.keysByKid.get(kid) || null;
+  }
+
+  /**
+   * Ensure a purpose has an active key
+   * @param {string} purpose
+   * @returns {Promise<Object>}
+   */
+  async ensurePurpose(purpose = 'oauth') {
+    const normalizedPurpose = this._normalizePurpose(purpose);
+    const current = this.currentKeys.get(normalizedPurpose);
+
+    if (current) {
+      return current;
+    }
+
+    // Try to find active key in storage
+    const [active] = await this.keyResource.query({ purpose: normalizedPurpose, active: true });
+    if (active) {
+      this._storeKeyRecord({
+        ...active,
+        purpose: active.purpose || normalizedPurpose
+      });
+      return this.currentKeys.get(normalizedPurpose);
+    }
+
+    return await this.rotateKey(normalizedPurpose);
   }
 
   /**
    * Get all public keys in JWKS format
    */
   async getJWKS() {
-    const keys = Array.from(this.keys.values()).map(key => ({
+    const keys = Array.from(this.keysByKid.values())
+      .filter(key => key.active)
+      .map(key => ({
       kty: 'RSA',
       use: 'sig',
       alg: 'RS256',
@@ -280,15 +309,25 @@ export class KeyManager {
   /**
    * Create JWT with current active key
    */
-  createToken(payload, expiresIn = '15m') {
-    if (!this.currentKey) {
-      throw new Error('No active key available');
+  createToken(payload, expiresIn = '15m', purpose = 'oauth') {
+    const normalizedPurpose = this._normalizePurpose(purpose);
+    const activeKey = this.currentKeys.get(normalizedPurpose);
+
+    if (!activeKey) {
+      throw new PluginError(`No active key available for purpose "${normalizedPurpose}"`, {
+        pluginName: 'IdentityPlugin',
+        operation: 'createToken',
+        statusCode: 503,
+        retriable: true,
+        suggestion: 'Generate or rotate keys before issuing tokens for this purpose.',
+        metadata: { purpose: normalizedPurpose }
+      });
     }
 
     return createRS256Token(
       payload,
-      this.currentKey.privateKey,
-      this.currentKey.kid,
+      activeKey.privateKey,
+      activeKey.kid,
       expiresIn
     );
   }
@@ -311,6 +350,47 @@ export class KeyManager {
 
     return verifyRS256Token(token, key.publicKey);
   }
+
+  /**
+   * Normalize purpose name
+   * @param {string} purpose
+   * @returns {string}
+   * @private
+   */
+  _normalizePurpose(purpose) {
+    return typeof purpose === 'string' && purpose.trim().length > 0
+      ? purpose.trim()
+      : 'oauth';
+  }
+
+  /**
+   * Store key record in caches
+   * @param {Object} record
+   * @private
+   */
+  _storeKeyRecord(record) {
+    const purpose = this._normalizePurpose(record.purpose);
+    const entry = {
+      publicKey: record.publicKey,
+      privateKey: record.privateKey,
+      kid: record.kid,
+      createdAt: record.createdAt,
+      active: record.active,
+      purpose,
+      id: record.id
+    };
+
+    if (!this.keysByPurpose.has(purpose)) {
+      this.keysByPurpose.set(purpose, new Map());
+    }
+
+    this.keysByPurpose.get(purpose).set(entry.kid, entry);
+    this.keysByKid.set(entry.kid, entry);
+
+    if (entry.active) {
+      this.currentKeys.set(purpose, entry);
+    }
+  }
 }
 
 export default {

package/src/plugins/identity/server.js

@@ -12,6 +12,7 @@ import {
   createLoggingMiddleware
 } from '../shared/middlewares/index.js';
 import { idGenerator } from '../../concerns/id.js';
+import { createJsonRateLimitMiddleware } from './concerns/rate-limit.js';
 
 /**
  * Create Express-style response adapter for Hono context
@@ -22,15 +23,123 @@ import { idGenerator } from '../../concerns/id.js';
 function createExpressStyleResponse(c) {
   let statusCode = 200;
 
-  return {
+  const response = {
     status(code) {
       statusCode = code;
       return this;
     },
     json(data) {
       return c.json(data, statusCode);
+    },
+    header(name, value) {
+      c.header(name, value);
+      return this;
+    },
+    setHeader(name, value) {
+      c.header(name, value);
+      return this;
+    },
+    send(data) {
+      if (data === undefined || data === null) {
+        return c.body('', statusCode);
+      }
+
+      if (typeof data === 'string' || data instanceof Uint8Array) {
+        return c.body(data, statusCode);
+      }
+
+      // Fallback to JSON serialization for objects
+      return c.json(data, statusCode);
+    },
+    redirect(url, code = 302) {
+      return c.redirect(url, code);
+    }
+  };
+
+  return response;
+}
+
+/**
+ * Parse cookies from request header
+ * @param {string} cookieHeader
+ * @returns {Object}
+ */
+function parseCookies(cookieHeader) {
+  if (!cookieHeader) {
+    return {};
+  }
+
+  return cookieHeader
+    .split(';')
+    .map(part => part.trim())
+    .filter(Boolean)
+    .reduce((acc, part) => {
+      const [key, ...rest] = part.split('=');
+      acc[key] = decodeURIComponent(rest.join('=') || '');
+      return acc;
+    }, {});
+}
+
+/**
+ * Create Express-style request adapter for Hono context
+ * @param {Object} c - Hono context
+ * @returns {Promise<Object>} Express-style request object
+ */
+async function createExpressStyleRequest(c) {
+  const cached = c.get('expressStyleRequest');
+  if (cached) {
+    return cached;
+  }
+
+  const raw = c.req.raw;
+  const headers = {};
+  raw.headers.forEach((value, key) => {
+    headers[key.toLowerCase()] = value;
+  });
+
+  const url = new URL(raw.url);
+  let body = undefined;
+  const contentType = headers['content-type']?.split(';')[0].trim();
+
+  try {
+    if (contentType === 'application/json') {
+      body = await c.req.json();
+    } else if (
+      contentType === 'application/x-www-form-urlencoded' ||
+      contentType === 'multipart/form-data'
+    ) {
+      body = await c.req.parseBody();
+    }
+  } catch {
+    body = undefined;
+  }
+
+  const query = Object.fromEntries(url.searchParams.entries());
+  const cookies = parseCookies(headers.cookie);
+  const clientIp =
+    c.get('clientIp') ||
+    c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
+    c.req.header('x-real-ip') ||
+    'unknown';
+
+  const expressReq = {
+    method: raw.method,
+    url: raw.url,
+    originalUrl: raw.url,
+    path: url.pathname,
+    headers,
+    query,
+    body: body ?? {},
+    cookies,
+    ip: clientIp,
+    protocol: url.protocol.replace(':', ''),
+    get(name) {
+      return headers[name.toLowerCase()];
     }
   };
+
+  c.set('expressStyleRequest', expressReq);
+  return expressReq;
 }
 
 /**
@@ -75,10 +184,7 @@ export class IdentityServer {
     // Global ban check middleware
     this.app.use('*', async (c, next) => {
       // Extract IP address
-      const ip = c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
-                 c.req.header('x-real-ip') ||
-                 c.env?.ip ||
-                 'unknown';
+      const ip = this._extractClientIp(c);
 
       // Store IP in context for later use
       c.set('clientIp', ip);
@@ -156,6 +262,30 @@ export class IdentityServer {
     }
   }
 
+  /**
+   * Extract client IP from request
+   * @param {import('hono').Context} c
+   * @returns {string}
+   * @private
+   */
+  _extractClientIp(c) {
+    return c.get('clientIp') ||
+      c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
+      c.req.header('x-real-ip') ||
+      c.env?.ip ||
+      'unknown';
+  }
+
+  /**
+   * Create rate limit middleware for API endpoints
+   * @param {RateLimiter} limiter
+   * @returns {Function}
+   * @private
+   */
+  _createRateLimitMiddleware(limiter) {
+    return createJsonRateLimitMiddleware(limiter, (c) => this._extractClientIp(c));
+  }
+
   /**
    * Setup all routes
    * @private
@@ -270,59 +400,50 @@ export class IdentityServer {
       return;
     }
 
-    // OIDC Discovery endpoint
-    this.app.get('/.well-known/openid-configuration', async (c) => {
+    const rateLimiters = this.options.identityPlugin?.rateLimiters || {};
+    const wrap = (handler) => async (c) => {
+      const req = await createExpressStyleRequest(c);
       const res = createExpressStyleResponse(c);
-      return await oauth2Server.discoveryHandler(c.req, res);
-    });
+      return await handler.call(oauth2Server, req, res);
+    };
+
+    // OIDC Discovery endpoint
+    this.app.get('/.well-known/openid-configuration', wrap(oauth2Server.discoveryHandler));
 
     // JWKS (JSON Web Key Set) endpoint
-    this.app.get('/.well-known/jwks.json', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.jwksHandler(c.req, res);
-    });
+    this.app.get('/.well-known/jwks.json', wrap(oauth2Server.jwksHandler));
 
     // OAuth2 Token endpoint
-    this.app.post('/oauth/token', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.tokenHandler(c.req, res);
-    });
+    const tokenHandler = wrap(oauth2Server.tokenHandler);
+    if (rateLimiters.token) {
+      this.app.post('/oauth/token', this._createRateLimitMiddleware(rateLimiters.token), tokenHandler);
+    } else {
+      this.app.post('/oauth/token', tokenHandler);
+    }
 
     // OIDC UserInfo endpoint
-    this.app.get('/oauth/userinfo', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.userinfoHandler(c.req, res);
-    });
+    this.app.get('/oauth/userinfo', wrap(oauth2Server.userinfoHandler));
 
     // Token introspection endpoint
-    this.app.post('/oauth/introspect', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.introspectHandler(c.req, res);
-    });
-
-    // Authorization endpoint (GET for user consent UI)
-    this.app.get('/oauth/authorize', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.authorizeHandler(c.req, res);
-    });
-
-    // Authorization endpoint (POST for processing login)
-    this.app.post('/oauth/authorize', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.authorizePostHandler(c.req, res);
-    });
+    this.app.post('/oauth/introspect', wrap(oauth2Server.introspectHandler));
+
+    // Authorization endpoints
+    const authorizeGet = wrap(oauth2Server.authorizeHandler);
+    const authorizePost = wrap(oauth2Server.authorizePostHandler);
+    if (rateLimiters.authorize) {
+      const middleware = this._createRateLimitMiddleware(rateLimiters.authorize);
+      this.app.get('/oauth/authorize', middleware, authorizeGet);
+      this.app.post('/oauth/authorize', middleware, authorizePost);
+    } else {
+      this.app.get('/oauth/authorize', authorizeGet);
+      this.app.post('/oauth/authorize', authorizePost);
+    }
 
     // Client registration endpoint
-    this.app.post('/oauth/register', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.registerClientHandler(c.req, res);
-    });
+    this.app.post('/oauth/register', wrap(oauth2Server.registerClientHandler));
 
     // Token revocation endpoint
-    this.app.post('/oauth/revoke', async (c) => {
-      const res = createExpressStyleResponse(c);
-      return await oauth2Server.revokeHandler(c.req, res);
-    });
+    this.app.post('/oauth/revoke', wrap(oauth2Server.revokeHandler));
 
     if (this.options.verbose) {
       console.log('[Identity Server] Mounted OAuth2/OIDC routes:');

package/src/plugins/identity/session-manager.js

@@ -10,6 +10,7 @@
 
 import { generateSessionId, calculateExpiration, isExpired } from './concerns/token-generator.js';
 import tryFn from '../../concerns/try-fn.js';
+import { PluginError } from '../../errors.js';
 
 /**
  * Default session configuration
@@ -43,7 +44,13 @@ export class SessionManager {
     this.cleanupTimer = null;
 
     if (!this.sessionResource) {
-      throw new Error('SessionManager requires a sessionResource');
+      throw new PluginError('SessionManager requires a sessionResource', {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.constructor',
+        statusCode: 400,
+        retriable: false,
+        suggestion: 'Pass { sessionResource } when initializing IdentityPlugin or SessionManager.'
+      });
     }
 
     // Start automatic cleanup
@@ -66,7 +73,13 @@ export class SessionManager {
     const { userId, metadata = {}, ipAddress, userAgent, duration } = data;
 
     if (!userId) {
-      throw new Error('userId is required to create a session');
+      throw new PluginError('userId is required to create a session', {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.createSession',
+        statusCode: 400,
+        retriable: false,
+        suggestion: 'Provide data.userId when calling createSession().'
+      });
     }
 
     // Generate session ID
@@ -91,7 +104,14 @@ export class SessionManager {
     );
 
     if (!ok) {
-      throw new Error(`Failed to create session: ${err.message}`);
+      throw new PluginError(`Failed to create session: ${err.message}`, {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.createSession',
+        statusCode: 500,
+        retriable: false,
+        suggestion: 'Check session resource permissions and database connectivity.',
+        original: err
+      });
     }
 
     return {
@@ -155,13 +175,26 @@ export class SessionManager {
    */
   async updateSession(sessionId, metadata) {
     if (!sessionId) {
-      throw new Error('sessionId is required');
+      throw new PluginError('sessionId is required', {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.updateSession',
+        statusCode: 400,
+        retriable: false,
+        suggestion: 'Provide a sessionId when calling updateSession().'
+      });
     }
 
     const session = await this.getSession(sessionId);
 
     if (!session) {
-      throw new Error('Session not found');
+      throw new PluginError('Session not found', {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.updateSession',
+        statusCode: 404,
+        retriable: false,
+        suggestion: 'Ensure the session exists before updating metadata.',
+        sessionId
+      });
     }
 
     const updatedMetadata = { ...session.metadata, ...metadata };
@@ -173,7 +206,14 @@ export class SessionManager {
     );
 
     if (!ok) {
-      throw new Error(`Failed to update session: ${err.message}`);
+      throw new PluginError(`Failed to update session: ${err.message}`, {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.updateSession',
+        statusCode: 500,
+        retriable: false,
+        suggestion: 'Check session resource permissions and database connectivity.',
+        original: err
+      });
     }
 
     return updated;
@@ -295,7 +335,13 @@ export class SessionManager {
       // Hono-style
       res.header('Set-Cookie', cookieValue);
     } else {
-      throw new Error('Unsupported response object');
+      throw new PluginError('Unsupported response object for session cookies', {
+        pluginName: 'IdentityPlugin',
+        operation: 'SessionManager.setSessionCookie',
+        statusCode: 400,
+        retriable: false,
+        suggestion: 'Pass an HTTP response object that implements setHeader() or header().' 
+      });
     }
   }
 

package/src/plugins/identity/ui/pages/mfa-verification.js

@@ -10,21 +10,22 @@ import { BaseLayout } from '../layouts/base.js';
  * Render MFA verification page
  * @param {Object} props - Page properties
  * @param {string} [props.error] - Error message
- * @param {string} props.token - JSON string with {email, password}
+ * @param {string} props.email - User email
  * @param {string} [props.remember] - Remember me flag
+ * @param {string} props.challenge - MFA challenge token
  * @param {Object} [props.config] - UI configuration
  * @returns {string} HTML string
  */
 export function MFAVerificationPage(props = {}) {
-  const { error = null, token, remember = '', config = {} } = props;
+  const {
+    error = null,
+    email = '',
+    remember = '0',
+    challenge,
+    config = {}
+  } = props;
 
-  // Parse token to get email/password
-  let userData = { email: '', password: '' };
-  try {
-    userData = JSON.parse(token);
-  } catch (err) {
-    // Fallback to empty values
-  }
+  const rememberValue = remember === '1' ? '1' : '0';
 
   const content = html`
     <section class="identity-login">
@@ -58,6 +59,7 @@ export function MFAVerificationPage(props = {}) {
         <header class="identity-login__form-header">
           <h2>Verify Your Identity</h2>
           <p>Enter the 6-digit code from your authenticator app.</p>
+          ${email ? html`<p class="identity-login__meta text-sm text-slate-400 mt-2">Signing in as <strong>${email}</strong></p>` : ''}
         </header>
 
         ${error ? html`
@@ -68,9 +70,6 @@ export function MFAVerificationPage(props = {}) {
 
         <!-- TOTP Token Form -->
         <form method="POST" action="/login" class="identity-login__form-body" id="mfa-form">
-          <input type="hidden" name="email" value="${userData.email}" />
-          <input type="hidden" name="password" value="${userData.password}" />
-          <input type="hidden" name="remember" value="${remember}" />
 
           <div class="identity-login__group">
             <label for="mfa_token">Verification Code</label>
@@ -91,6 +90,9 @@ export function MFAVerificationPage(props = {}) {
               The code refreshes every 30 seconds
             </p>
           </div>
+          <input type="hidden" name="email" value="${email}" />
+          <input type="hidden" name="remember" value="${rememberValue}" />
+          <input type="hidden" name="mfa_challenge" value="${challenge}" />
 
           <button type="submit" class="identity-login__submit">
             Verify
@@ -110,9 +112,9 @@ export function MFAVerificationPage(props = {}) {
 
         <!-- Backup Code Form (hidden by default) -->
         <form method="POST" action="/login" class="identity-login__form-body mt-6 hidden" id="backup-code-form">
-          <input type="hidden" name="email" value="${userData.email}" />
-          <input type="hidden" name="password" value="${userData.password}" />
-          <input type="hidden" name="remember" value="${remember}" />
+          <input type="hidden" name="email" value="${email}" />
+          <input type="hidden" name="remember" value="${rememberValue}" />
+          <input type="hidden" name="mfa_challenge" value="${challenge}" />
 
           <div class="identity-login__group">
             <label for="backup_code">Backup Code</label>