s3db.js 13.6.1 → 14.0.2

package/src/plugins/api/auth/oidc-auth.js

@@ -107,20 +107,49 @@ export function validateOidcConfig(config) {
  * @returns {Promise<{user: Object, created: boolean}>} User object and creation status
  */
 async function getOrCreateUser(usersResource, claims, config) {
-  const userId = claims.email || claims.preferred_username || claims.sub;
-
-  if (!userId) {
-    throw new Error('Cannot extract user ID from OIDC claims (no email/preferred_username/sub)');
+  const {
+    autoCreateUser = true,
+    userIdClaim = 'sub',
+    fallbackIdClaims = ['email', 'preferred_username'],
+    lookupFields = ['email', 'preferred_username']
+  } = config;
+
+  const candidateIds = [];
+  if (userIdClaim && claims[userIdClaim]) {
+    candidateIds.push(String(claims[userIdClaim]));
+  }
+  for (const field of fallbackIdClaims) {
+    if (!field || field === userIdClaim) continue;
+    const value = claims[field];
+    if (value) {
+      candidateIds.push(String(value));
+    }
   }
 
-  // Try to get existing user
   let user = null;
-  let userExists = false;
-  try {
-    user = await usersResource.get(userId);
-    userExists = true;
-  } catch (err) {
-    // User not found, will create below
+  // Try direct lookups by id
+  for (const candidate of candidateIds) {
+    try {
+      user = await usersResource.get(candidate);
+      break;
+    } catch (_) {
+      // Not found, continue with next candidate
+    }
+  }
+
+  // Fallback: query by lookup fields
+  if (!user) {
+    const fields = Array.isArray(lookupFields) ? lookupFields : [lookupFields];
+    for (const field of fields) {
+      if (!field) continue;
+      const value = claims[field];
+      if (!value) continue;
+      const results = await usersResource.query({ [field]: value }, { limit: 1 });
+      if (results.length > 0) {
+        user = results[0];
+        break;
+      }
+    }
   }
 
   const now = new Date().toISOString();
@@ -180,12 +209,22 @@ async function getOrCreateUser(usersResource, claims, config) {
     return { user, created: false };
   }
 
-  // Create new user
+  if (!autoCreateUser) {
+    return { user: null, created: false };
+  }
+
+  // Determine ID for new user
+  const newUserId = candidateIds[0];
+
+  if (!newUserId) {
+    throw new Error('Cannot determine user ID from OIDC claims');
+  }
+
   const newUser = {
-    id: userId,
-    email: claims.email || userId,
-    username: claims.preferred_username || claims.email || userId,
-    name: claims.name || claims.email || userId,
+    id: newUserId,
+    email: claims.email || newUserId,
+    username: claims.preferred_username || claims.email || newUserId,
+    name: claims.name || claims.email || newUserId,
     picture: claims.picture || null,
     role: config.defaultRole || 'user',
     scopes: config.defaultScopes || ['openid', 'profile', 'email'],
@@ -279,6 +318,9 @@ export function createOIDCHandler(config, app, usersResource, events = null) {
     postLogoutRedirect: '/',
     idpLogout: true,
     autoCreateUser: true,
+    userIdClaim: 'sub',
+    fallbackIdClaims: ['email', 'preferred_username'],
+    lookupFields: ['email', 'preferred_username'],
     autoRefreshTokens: true,
     refreshThreshold: 300000, // 5 minutes before expiry
     cookieSecure: process.env.NODE_ENV === 'production',
@@ -477,12 +519,19 @@ export function createOIDCHandler(config, app, usersResource, events = null) {
       // Auto-create/update user
       let user = null;
       let userCreated = false;
-      if (autoCreateUser && usersResource) {
+      if (usersResource) {
         try {
           const result = await getOrCreateUser(usersResource, idTokenClaims, finalConfig);
           user = result.user;
           userCreated = result.created;
 
+          if (!user) {
+            return c.json({
+              error: 'User not provisioned',
+              message: 'User does not exist in configured auth resource'
+            }, 403);
+          }
+
           // Emit user events
           if (events) {
             if (userCreated) {

package/src/plugins/api/auth/strategies/base-strategy.class.js

@@ -0,0 +1,74 @@
+/**
+ * BaseAuthStrategy - Abstract base for auth strategies
+ *
+ * All auth strategies extend this class and implement createMiddleware()
+ */
+
+export class BaseAuthStrategy {
+  constructor({ drivers, authResource, oidcMiddleware, verbose }) {
+    this.drivers = drivers || [];
+    this.authResource = authResource;
+    this.oidcMiddleware = oidcMiddleware;
+    this.verbose = verbose;
+  }
+
+  /**
+   * Extract driver configs from drivers array
+   * @param {Array<string>} driverNames - Names of drivers to extract
+   * @returns {Object} Driver configs
+   * @protected
+   */
+  extractDriverConfigs(driverNames) {
+    const configs = {
+      jwt: {},
+      apiKey: {},
+      basic: {},
+      oauth2: {}
+    };
+
+    for (const driverDef of this.drivers) {
+      const driverName = driverDef.driver;
+      const driverConfig = driverDef.config || {};
+
+      // Skip if not in requested drivers
+      if (driverNames && !driverNames.includes(driverName)) {
+        continue;
+      }
+
+      // Skip oauth2-server and oidc drivers (handled separately)
+      if (driverName === 'oauth2-server' || driverName === 'oidc') {
+        continue;
+      }
+
+      // Map driver configs
+      if (driverName === 'jwt') {
+        configs.jwt = {
+          secret: driverConfig.jwtSecret || driverConfig.secret,
+          expiresIn: driverConfig.jwtExpiresIn || driverConfig.expiresIn || '7d'
+        };
+      } else if (driverName === 'apiKey') {
+        configs.apiKey = {
+          headerName: driverConfig.headerName || 'X-API-Key'
+        };
+      } else if (driverName === 'basic') {
+        configs.basic = {
+          realm: driverConfig.realm || 'API Access',
+          passphrase: driverConfig.passphrase || 'secret'
+        };
+      } else if (driverName === 'oauth2') {
+        configs.oauth2 = driverConfig;
+      }
+    }
+
+    return configs;
+  }
+
+  /**
+   * Create auth middleware (must be implemented by subclasses)
+   * @abstract
+   * @returns {Function} Hono middleware
+   */
+  createMiddleware() {
+    throw new Error('createMiddleware() must be implemented by subclass');
+  }
+}

package/src/plugins/api/auth/strategies/factory.class.js

@@ -0,0 +1,63 @@
+/**
+ * AuthStrategyFactory - Creates appropriate auth strategy based on config
+ *
+ * Strategy selection priority:
+ * 1. PathRulesStrategy - if pathRules is defined (modern, recommended)
+ * 2. PathBasedStrategy - if pathAuth is defined (legacy)
+ * 3. GlobalAuthStrategy - default (all drivers, optional auth)
+ *
+ * @example
+ * const strategy = AuthStrategyFactory.create(config);
+ * const middleware = strategy.createMiddleware();
+ */
+
+import { GlobalAuthStrategy } from './global-strategy.class.js';
+import { PathBasedAuthStrategy } from './path-based-strategy.class.js';
+import { PathRulesAuthStrategy } from './path-rules-strategy.class.js';
+
+export class AuthStrategyFactory {
+  /**
+   * Create appropriate auth strategy based on config
+   * @param {Object} config - Auth configuration
+   * @param {Array} config.drivers - Auth driver configurations
+   * @param {Object} config.authResource - Users resource for authentication
+   * @param {Function} config.oidcMiddleware - OIDC middleware (if configured)
+   * @param {Array} [config.pathRules] - Modern path rules (priority 1)
+   * @param {Object} [config.pathAuth] - Legacy path auth config (priority 2)
+   * @param {Object} [config.events] - Event emitter
+   * @param {boolean} [config.verbose] - Enable verbose logging
+   * @returns {BaseAuthStrategy} Auth strategy instance
+   */
+  static create({ drivers, authResource, oidcMiddleware, pathRules, pathAuth, events, verbose }) {
+    // Priority 1: PathRules (modern API)
+    if (pathRules && pathRules.length > 0) {
+      return new PathRulesAuthStrategy({
+        drivers,
+        authResource,
+        oidcMiddleware,
+        pathRules,
+        events,
+        verbose
+      });
+    }
+
+    // Priority 2: PathAuth (legacy)
+    if (pathAuth) {
+      return new PathBasedAuthStrategy({
+        drivers,
+        authResource,
+        oidcMiddleware,
+        pathAuth,
+        verbose
+      });
+    }
+
+    // Priority 3: Global (default)
+    return new GlobalAuthStrategy({
+      drivers,
+      authResource,
+      oidcMiddleware,
+      verbose
+    });
+  }
+}

package/src/plugins/api/auth/strategies/global-strategy.class.js

@@ -0,0 +1,44 @@
+/**
+ * GlobalAuthStrategy - Global authentication for all routes
+ *
+ * Uses all configured auth drivers with optional=true
+ * (guards control actual authorization)
+ */
+
+import { BaseAuthStrategy } from './base-strategy.class.js';
+import { createAuthMiddleware } from '../index.js';
+
+export class GlobalAuthStrategy extends BaseAuthStrategy {
+  createMiddleware() {
+    const methods = [];
+    const driverConfigs = this.extractDriverConfigs(null); // all drivers
+
+    for (const driverDef of this.drivers) {
+      const driverName = driverDef.driver;
+
+      // Skip oauth2-server and oidc
+      if (driverName === 'oauth2-server' || driverName === 'oidc') {
+        continue;
+      }
+
+      if (!methods.includes(driverName)) {
+        methods.push(driverName);
+      }
+    }
+
+    if (this.verbose) {
+      console.log(`[GlobalAuthStrategy] Using global auth with methods: ${methods.join(', ')}`);
+    }
+
+    return createAuthMiddleware({
+      methods,
+      jwt: driverConfigs.jwt,
+      apiKey: driverConfigs.apiKey,
+      basic: driverConfigs.basic,
+      oauth2: driverConfigs.oauth2,
+      oidc: this.oidcMiddleware || null,
+      usersResource: this.authResource,
+      optional: true  // Let guards handle authorization
+    });
+  }
+}

package/src/plugins/api/auth/strategies/path-based-strategy.class.js

@@ -0,0 +1,83 @@
+/**
+ * PathBasedAuthStrategy - Path-based authentication using pathAuth config
+ *
+ * Legacy path-based auth system (before pathRules was introduced)
+ * Matches request path against pathAuth patterns
+ */
+
+import { BaseAuthStrategy } from './base-strategy.class.js';
+import { createAuthMiddleware } from '../index.js';
+import { findBestMatch } from '../../utils/path-matcher.js';
+
+export class PathBasedAuthStrategy extends BaseAuthStrategy {
+  constructor({ drivers, authResource, oidcMiddleware, pathAuth, verbose }) {
+    super({ drivers, authResource, oidcMiddleware, verbose });
+    this.pathAuth = pathAuth;
+  }
+
+  createMiddleware() {
+    if (this.verbose) {
+      console.log('[PathBasedAuthStrategy] Using legacy pathAuth system');
+    }
+
+    return async (c, next) => {
+      const requestPath = c.req.path;
+
+      // Find best matching rule
+      const matchedRule = findBestMatch(this.pathAuth, requestPath);
+
+      if (this.verbose) {
+        if (matchedRule) {
+          console.log(`[PathBasedAuthStrategy] Path ${requestPath} matched rule: ${matchedRule.pattern}`);
+        } else {
+          console.log(`[PathBasedAuthStrategy] Path ${requestPath} no pathAuth rule matched (using global auth)`);
+        }
+      }
+
+      // No rule matched - use global auth (all drivers, optional)
+      if (!matchedRule) {
+        const methods = this.drivers
+          .map(d => d.driver)
+          .filter(d => d !== 'oauth2-server' && d !== 'oidc');
+
+        const driverConfigs = this.extractDriverConfigs(null);
+
+        const globalAuth = createAuthMiddleware({
+          methods,
+          jwt: driverConfigs.jwt,
+          apiKey: driverConfigs.apiKey,
+          basic: driverConfigs.basic,
+          oauth2: driverConfigs.oauth2,
+          oidc: this.oidcMiddleware || null,
+          usersResource: this.authResource,
+          optional: true
+        });
+
+        return await globalAuth(c, next);
+      }
+
+      // Rule matched - check if auth is required
+      if (!matchedRule.required) {
+        // Public path - no auth required
+        return await next();
+      }
+
+      // Auth required - apply with specific drivers from rule
+      const ruleMethods = matchedRule.drivers || [];
+      const driverConfigs = this.extractDriverConfigs(ruleMethods);
+
+      const ruleAuth = createAuthMiddleware({
+        methods: ruleMethods,
+        jwt: driverConfigs.jwt,
+        apiKey: driverConfigs.apiKey,
+        basic: driverConfigs.basic,
+        oauth2: driverConfigs.oauth2,
+        oidc: this.oidcMiddleware || null,
+        usersResource: this.authResource,
+        optional: false  // Auth is required
+      });
+
+      return await ruleAuth(c, next);
+    };
+  }
+}

package/src/plugins/api/auth/strategies/path-rules-strategy.class.js

@@ -0,0 +1,118 @@
+/**
+ * PathRulesAuthStrategy - Modern path-based auth using pathRules
+ *
+ * New path-based auth system with cleaner API:
+ * - pathRules: [{ path: '/admin/**', methods: ['oidc'], required: true }]
+ *
+ * More flexible than pathAuth and easier to configure
+ */
+
+import { BaseAuthStrategy } from './base-strategy.class.js';
+import { createPathBasedAuthMiddleware } from '../path-auth-matcher.js';
+import { jwtAuth } from '../jwt-auth.js';
+import { apiKeyAuth } from '../api-key-auth.js';
+import { basicAuth } from '../basic-auth.js';
+import { createOAuth2Handler } from '../oauth2-auth.js';
+
+export class PathRulesAuthStrategy extends BaseAuthStrategy {
+  constructor({ drivers, authResource, oidcMiddleware, pathRules, events, verbose }) {
+    super({ drivers, authResource, oidcMiddleware, verbose });
+    this.pathRules = pathRules;
+    this.events = events;
+  }
+
+  createMiddleware() {
+    // Build auth middlewares map by driver type
+    const authMiddlewares = {};
+
+    for (const driverDef of this.drivers) {
+      const driverType = driverDef.type || driverDef.driver;
+      const driverConfig = driverDef.config || driverDef;
+
+      // Skip oauth2-server
+      if (driverType === 'oauth2-server') {
+        continue;
+      }
+
+      // OIDC
+      if (driverType === 'oidc') {
+        if (this.oidcMiddleware) {
+          authMiddlewares.oidc = this.oidcMiddleware;
+        }
+        continue;
+      }
+
+      // JWT
+      if (driverType === 'jwt') {
+        authMiddlewares.jwt = jwtAuth({
+          secret: driverConfig.jwtSecret || driverConfig.secret,
+          expiresIn: driverConfig.jwtExpiresIn || driverConfig.expiresIn || '7d',
+          usersResource: this.authResource,
+          optional: true
+        });
+      }
+
+      // API Key
+      if (driverType === 'apiKey') {
+        authMiddlewares.apiKey = apiKeyAuth({
+          headerName: driverConfig.headerName || 'X-API-Key',
+          usersResource: this.authResource,
+          optional: true
+        });
+      }
+
+      // Basic Auth
+      if (driverType === 'basic') {
+        authMiddlewares.basic = basicAuth({
+          authResource: this.authResource,
+          usernameField: driverConfig.usernameField || 'email',
+          passwordField: driverConfig.passwordField || 'password',
+          passphrase: driverConfig.passphrase || 'secret',
+          adminUser: driverConfig.adminUser || null,
+          optional: true
+        });
+      }
+
+      // OAuth2
+      if (driverType === 'oauth2') {
+        const oauth2Handler = createOAuth2Handler(driverConfig, this.authResource);
+        authMiddlewares.oauth2 = async (c, next) => {
+          const user = await oauth2Handler(c);
+          if (user) {
+            c.set('user', user);
+            return await next();
+          }
+        };
+      }
+    }
+
+    if (this.verbose) {
+      console.log(`[PathRulesAuthStrategy] Path-based auth with ${this.pathRules.length} rules`);
+      console.log(`[PathRulesAuthStrategy] Available auth methods: ${Object.keys(authMiddlewares).join(', ')}`);
+    }
+
+    // Create and return path-based auth middleware
+    return createPathBasedAuthMiddleware({
+      rules: this.pathRules,
+      authMiddlewares,
+      unauthorizedHandler: (c, message) => {
+        // Content negotiation
+        const acceptHeader = c.req.header('accept') || '';
+        const acceptsHtml = acceptHeader.includes('text/html');
+
+        if (acceptsHtml) {
+          // Redirect to login if OIDC is available
+          if (authMiddlewares.oidc) {
+            return c.redirect('/auth/login', 302);
+          }
+        }
+
+        return c.json({
+          error: 'Unauthorized',
+          message
+        }, 401);
+      },
+      events: this.events
+    });
+  }
+}