samanbayaka 0.0.15 → 0.0.17

package/README.md

@@ -35,7 +35,7 @@ Once the package is installed, you can import the library using import or requir
 import sbk from "samanbayaka"
 ```
 # Prerequisites
-It is assumed that NATS, Redpanda, and Redis are installed and properly configured. All services should be discoverable through the /etc/hosts file.
+It is assumed that NATS, Redpanda, Redis, and Etcd are installed and properly configured. All services should be discoverable through the /etc/hosts file.
 #### Minimum required Node.js version: >= 22.x.x
 ```bash
 node -v
@@ -256,7 +256,7 @@ pnpm install samanbayaka
 touch index.mjs
 ```
 
-Open index.mjs and paste the following:
+Open `index.mjs` and paste the following:
 ```bash
 import sbk from "samanbayaka"
 await sbk.loadGatewayService()
@@ -280,7 +280,7 @@ pnpm install samanbayaka
 touch index.mjs
 ```
 
-Open index.mjs and paste the following:
+Open `index.mjs` and paste the following:
 ```bash
 import sbk from "samanbayaka"
 await sbk.loadFeatureService({
@@ -339,7 +339,7 @@ pnpm install samanbayaka
 touch index.mjs
 ```
 
-Open index.mjs and paste the following:
+Open `index.mjs` and paste the following:
 ```bash
 import sbk from "samanbayaka"
 await sbk.auxBrokerService(
@@ -372,13 +372,13 @@ touch index.mjs
 ```
 An auxiliary service, such as a `consumer` that subscribe messages from the `STUDENT` topic having group name `junior`, can be created as follows:
 ```js
-mkdir producer-kafka-student-junior
-cd producer-kafka-student-junior
+mkdir consumer-kafka-student-junior
+cd consumer-kafka-student-junior
 pnpm init
 pnpm install samanbayaka
 touch index.mjs
 ```
-Open index.mjs and paste the following:
+Open `index.mjs` and paste the following:
 ```bash
 import sbk from "samanbayaka"
 await sbk.auxBrokerService(
@@ -426,7 +426,7 @@ pnpm init
 pnpm install samanbayaka
 touch demo.mjs
 ```
-Open and edit the demo.mjs file as follows
+Open and edit the `demo.mjs` file as follows
 ```bash
 import sbk from "samanbayaka"
 await sbk.loadDemo()
@@ -436,6 +436,11 @@ Run the service, demo
 node demo.mjs
 ```
 
+## Documentation
+
+* [Dockers]
+  * [etcd](docs/dockers/etcd.md)
+
 <p align="center" style="margin-top: 100px;">
   <img src="https://moleculer.services/images/banner.png" alt="Moleculer Logo" width="600">
 </p>

package/commit-hash.mjs

@@ -1 +1 @@
-export const COMMIT_HASH = '2205c3b';
+export const COMMIT_HASH = '7052c65';

package/docs/dockers/etcd.md

@@ -0,0 +1,126 @@
+# Dockers
+## Etcd
+To manage configurations centrally, use the docker-compose.yml file to run Etcd.
+```bash
+mkdir -p etcd
+cd etcd
+touch docker-compose.yml
+export ETCD_ROOT_PW=<your_root_pass>
+export ETCD_CONFIG_ADMIN_PW=<your_config_admin_pass>
+```
+
+Open `docker-compose.yml` and paste the following:
+```yml
+services:
+  etcd:
+    image: quay.io/coreos/etcd:v3.5.5
+    container_name: sbk-etcd
+
+    ports:
+      - "<your_api_port>:2379"
+      - "<your_cluster_port>:2380"
+
+    volumes:
+      - /usr/local/etc/samanbayaka:/etcd-data
+
+    command:
+      - /usr/local/bin/etcd
+      - --name=etcd
+      - --data-dir=/etcd-data
+      - --listen-client-urls=http://0.0.0.0:2379
+      - --advertise-client-urls=http://etcd:2379
+      - --listen-peer-urls=http://0.0.0.0:2380
+      - --initial-advertise-peer-urls=http://etcd:2380
+      - --initial-cluster=etcd=http://etcd:2380
+      - --initial-cluster-state=new
+
+    restart: unless-stopped
+
+  etcd-init:
+    image: quay.io/coreos/etcd:v3.5.5
+    depends_on:
+      - etcd
+
+    volumes:
+      - /usr/local/etc/samanbayaka:/etcd-data
+
+    environment:
+      - ETCDCTL_API=3
+
+    entrypoint: 
+      - /bin/sh
+      - -c
+
+    command:
+      - |
+        set -e
+
+        echo "waiting for etcd..."
+
+        for i in $(seq 1 30); do
+          etcdctl --endpoints=http://etcd:2379 endpoint health && break
+          echo "retry $$i..."
+          sleep 2
+        done
+
+        echo "etcd initialized"
+
+        echo "Creating the root role"
+        etcdctl --endpoints=http://etcd:2379 role add root || true
+
+        echo "Creating the root user"
+        etcdctl --endpoints=http://etcd:2379 user add root:${ETCD_ROOT_PW} || true
+
+        echo "Granting the root role to the root user"
+        etcdctl --endpoints=http://etcd:2379 user grant-role root root
+
+        echo "Enable authentication"
+        etcdctl --endpoints=http://etcd:2379 auth enable || true
+
+        # -------------------------------------------------------
+
+        echo "Creating admin role"
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role add admin
+
+        echo "Granting broad permissions"
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role grant-permission --prefix=true admin readwrite /
+
+        echo "Creating configadmin user"
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} user add configadmin:${ETCD_CONFIG_ADMIN_PW}
+
+        echo "Assign role"
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} user grant-role configadmin admin
+
+        # ---------------------------------------------------------
+
+        echo "Creating Roles and Granting"
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role add gateway
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role grant-permission --prefix=true gateway read /config/yaml/nats
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role grant-permission --prefix=true gateway read /config/yaml/auth
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role grant-permission --prefix=true gateway read /config/yaml/catch
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} role grant-permission --prefix=true gateway read /config/yaml/telemetry
+
+        # ---------------------------------------------------------
+        
+        echo "Creating User and Assign Role"
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} user add <your_user>:<your_pass>
+        etcdctl --endpoints=http://etcd:2379 --user=root:${ETCD_ROOT_PW} user grant-role apigtwy gateway
+
+        # ---------------------------------------------------------
+
+        etcdctl --endpoints=http://etcd:2379 --user=configadmin:${ETCD_CONFIG_ADMIN_PW} put /config/yaml/nats "$(cat /etcd-data/nats.yml)" || true
+
+        #etcdctl --endpoints=http://etcd:2379 --user=<your_user>:<your_pass> get /config/yaml/nats
+
+
+        echo "etcd initialization completed"
+```
+Optionally verify:
+```bash
+docker ps | grep 'sbk-etcd'
+```
+Optionally check health:
+```bash
+docker exec sbk-etcd etcdctl --endpoints=http://etcd:2379 endpoint health
+```
+---

package/helper/utility/access-token-validator.mjs

@@ -0,0 +1,171 @@
+import ApiGateway from "moleculer-web"
+import jwt from "jsonwebtoken"
+import jwksClient from "jwks-rsa"
+
+const OPENID_CONFIG = {
+  url: "https://accounts.google.com/.well-known/openid-configuration",
+  clientId: "184045176764-ugg28aegdro383pintufun14uubtt374.apps.googleusercontent.com",
+  jwksClient: {
+    cache: true,
+    cacheMaxEntries: 5,
+    cacheMaxAge: 10 * 60 * 1000,
+    rateLimit: true,
+    jwksRequestsPerMinute: 10,
+  },
+  jwtVerifyAlgo: ["RS256"],
+  client: {},
+  issuer: "",
+}
+
+// let client
+// let issuer
+
+/**
+ * Retrieves the public signing key corresponding to a JWT `kid`.
+ *
+ * Used by JWT verification libraries (such as `jsonwebtoken`)
+ * to dynamically resolve signing keys from a JWKS endpoint.
+ *
+ * @param {Object} header - Decoded JWT header.
+ * @param {string} header.kid - Key ID used to identify the signing key.
+ * @param {Function} callback - Callback function invoked after key retrieval.
+ * @param {Error|null} callback.err - Error object if key retrieval fails.
+ * @param {string|null} callback.key - PEM formatted public key.
+ *
+ * @returns {void}
+ */
+const getKey = (header, callback) => {
+
+  OPENID_CONFIG.client.getSigningKey(
+    header.kid,
+    (err, key) => {
+
+      if (err) {
+        callback(err)
+        return
+      }
+
+      callback(
+        null,
+        key.publicKey || key.rsaPublicKey
+      )
+    }
+  )
+
+}
+
+
+/**
+ * Initializes OpenID Connect configuration and JWKS client.
+ *
+ * Fetches the OpenID configuration document from the configured
+ * issuer endpoint and creates a cached JWKS client for JWT
+ * signature verification.
+ *
+ * The JWKS client supports:
+ * - Automatic key retrieval
+ * - In-memory caching
+ * - Request rate limiting
+ *
+ * @async
+ * @function initOpenId
+ *
+ * @throws {Error} Throws if the OpenID configuration request fails
+ * or the response cannot be parsed.
+ *
+ * @returns {Promise<void>}
+ */
+export const initOpenId = async () => {
+
+  const response = await fetch(OPENID_CONFIG.url)
+
+  if ( !response.ok ) {
+    throw new Error(
+      `OpenID configuration endpoint failed with status "${response.status}"`
+    )
+  }
+
+  const config = await response.json()
+
+  OPENID_CONFIG.issuer = config.issuer
+
+  OPENID_CONFIG.client = jwksClient({
+    ...OPENID_CONFIG.jwksClient,
+    ...{jwksUri: config.jwks_uri},
+  })
+
+}
+
+
+/**
+ * Authorizes the requester by validating the access token.
+ * The token can be provided either in the Bearer Authorization header
+ * or in cookies.
+ *
+ * @param {Context} ctx - Moleculer service context
+ * @param {Object} route - REST route configuration object
+ * @param {HTTP request<Object>} req - HTTP request object
+ * @returns {Promise<Object>} Authenticated user / authorization result
+ */
+export const authorize = async (ctx, route, req) => {
+
+  let token = null
+
+  const auth =
+    req.headers.authorization
+
+  if (auth?.startsWith("Bearer ")) {
+    token = auth.replace(/^Bearer\s+/i, "")
+  }
+
+
+  if (
+    !token &&
+    req.cookies?.id_token
+  ) {
+    token = req.cookies.id_token
+  }
+
+  if (!token) {
+    throw new ApiGateway.Errors.UnAuthorizedError(
+      ApiGateway.Errors.ERR_NO_TOKEN
+    )
+  }
+
+  try {
+
+    const decoded =
+      await new Promise((resolve, reject) => {
+
+        jwt.verify(
+          token,
+          getKey,
+          {
+            algorithms: OPENID_CONFIG.jwtVerifyAlgo,
+            issuer: OPENID_CONFIG.issuer,
+            audience: OPENID_CONFIG.clientId,
+          },
+
+          (err, decoded) => {
+
+            if (err) {
+              reject(err)
+              return
+            }
+
+            resolve(decoded)
+          }
+        )
+      })
+
+    ctx.broker.logger.debug({message: "Decoded Token Object", token: decoded})
+    ctx.meta.user = { name: decoded?.name, email: decoded?.email }
+    return decoded
+
+  } catch (err) {
+    throw new ApiGateway.Errors.UnAuthorizedError(
+      ApiGateway.Errors.ERR_INVALID_TOKEN
+    )
+  }
+}
+

package/index.mjs

@@ -19,7 +19,6 @@ import HybridCacher  from "#hMol/HybridCacher.mjs"
 import about from '#sAbt/index.mjs'
 import apiGateway from '#sApi/index.mjs'
 import { auxBrokerParamsValidator } from '#hUti/aux-broker-params-validator.mjs'
-
 import * as kafka from '#sKfk/index.mjs'
 import * as demo from '#sDmo/index.mjs'
 
@@ -27,7 +26,6 @@ import * as demo from '#sDmo/index.mjs'
 const BROKER_CONFIG = await getConfig('nats')
 const CATCHER_CONFIG = await getConfig('catcher')
 const TELEMETRY_CONFIG = await getConfig('telemetry')
-const KAFKA_CONFIG = await getConfig('kafkajs')
 
 const sbkLoggers = {
   "CustomPino": customLogger
@@ -155,7 +153,7 @@ export default {
       auxBroker = kafka
     }
     else {
-      throw new Error("The \"type\" value must be either \"kafka\" or \"mqtt\".")
+      throw new Error("The \"type\" value must be either \"kafka\" or \"mqtt\" or \"amqp\"")
     }
 
     opts.logLevel = logLevel
@@ -179,7 +177,6 @@ export default {
       )
     }
     
-
     /**
      * Start broker
      */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "samanbayaka",
-  "version": "0.0.15",
+  "version": "0.0.17",
   "description": "Moleculer Gateway service with kafka transporter",
   "homepage": "https://gitlab.com/dalal.suvendu/samanbayaka#readme",
   "bugs": {
@@ -43,6 +43,8 @@
     "cookie-parser": "^1.4.7",
     "helmet": "^8.1.0",
     "ioredis": "^5.10.1",
+    "jsonwebtoken": "^9.0.3",
+    "jwks-rsa": "^4.0.1",
     "kafkajs": "^2.2.4",
     "lru-cache": "^11.3.5",
     "moleculer": "0.15.0",

package/public/signin.html

@@ -0,0 +1,93 @@
+<button onclick="login()">Login with Google</button>
+<button onclick="callAPI()">Call API</button>
+
+<script>
+const CLIENT_ID = "184045176764-fmdarpud3fkpojo5p73mloetgrqrg65p.apps.googleusercontent.com";
+const REDIRECT_URI = "http://localhost:3000";
+const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+const TOKEN_URL = "https://oauth2.googleapis.com/token";
+
+// --- PKCE helpers ---
+function generateRandomString(length) {
+  const chars =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  let result = "";
+  for (let i = 0; i < length; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return result;
+}
+
+async function sha256(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return btoa(String.fromCharCode(...new Uint8Array(hash)))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
+// --- Step 1: login redirect ---
+async function login() {
+  const codeVerifier = generateRandomString(64);
+  const codeChallenge = await sha256(codeVerifier);
+
+  localStorage.setItem("code_verifier", codeVerifier);
+
+  const url =
+    `${AUTH_URL}?response_type=code` +
+    `&client_id=${CLIENT_ID}` +
+    `&redirect_uri=${REDIRECT_URI}` +
+    `&scope=openid%20email%20profile` +
+    `&code_challenge=${codeChallenge}` +
+    `&code_challenge_method=S256`;
+
+  window.location = url;
+}
+
+// --- Step 2: handle redirect ---
+async function handleRedirect() {
+  const params = new URLSearchParams(window.location.search);
+  const code = params.get("code");
+
+  if (!code) return;
+
+  const codeVerifier = localStorage.getItem("code_verifier");
+
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: new URLSearchParams({
+      client_id: CLIENT_ID,
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: REDIRECT_URI,
+    }),
+  });
+
+  const data = await res.json();
+
+  console.log("Access Token:", data.access_token);
+
+  localStorage.setItem("access_token", data.access_token);
+}
+
+// --- Step 3: call API ---
+async function callAPI() {
+  const token = localStorage.getItem("access_token");
+
+  const res = await fetch("http://localhost:4000/api/resource", {
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+  console.log(await res.json());
+}
+
+handleRedirect();
+</script>

package/services/about/index.mjs

@@ -3,7 +3,7 @@ import { pkgDtls } from '#hFil/esm-loading.mjs'
 export default {
   name: "about",
   actions: {
-    me: {
+    project: {
       rest: {
         method: "GET",
         path: "/"
@@ -34,5 +34,15 @@ export default {
         return `${pkgDtls.fullName} ${pkgDtls.version}`
       },
     },
+    profile: {
+      rest: {
+        method: "GET",
+        path: "/me"
+      },
+
+      handler: async(ctx) => {
+        return ctx.meta.user
+      }
+    }
   },
 }

package/services/bff/index.mjs

@@ -0,0 +1,37 @@
+import { pkgDtls } from '#hFil/esm-loading.mjs'
+
+export default {
+  name: "bff",
+  actions: {
+    signin: {
+      rest: {
+        method: "GET",
+        path: "/signin"
+      },
+
+      handler: async(ctx) => {
+        return `Welcome to ${pkgDtls.name} is a microservices-based project built with moleculer and moleculer-web, designed for scalable, high-performance service communication and API management.`
+      },
+    },
+    callback: {
+      rest: {
+        method: "GET",
+        path: "/callback"
+      },
+
+      handler: async(ctx) => {
+        return `${pkgDtls.fullName} ${pkgDtls.version}`
+      },
+    },
+    signout: {
+      rest: {
+        method: "GET",
+        path: "/signout"
+      },
+
+      handler: async(ctx) => {
+        return ctx.meta.user
+      }
+    }
+  },
+}

package/services/gateway/index.mjs

@@ -1,4 +1,4 @@
-/*index.mjs*/
+// index.mjs
 import ApiGateway from "moleculer-web"
 import OpenApi from "moleculer-auto-openapi"
 import cookieParser from "cookie-parser"
@@ -6,6 +6,7 @@ import helmet from "helmet"
 import compression from "compression"
 
 import {formatHttpErrors} from '#hUti/error-handler.mjs'
+import { initOpenId, authorize } from '#hUti/access-token-validator.mjs'
 
 export default {
   name: "gateway",
@@ -13,6 +14,13 @@ export default {
     ApiGateway,
   ],
 
+  async started() {
+    /**
+     * Initialize OpenID config
+     */
+    await initOpenId()
+  },
+
   settings: {
     port: process.env.SBK_PORT || 8765,
 
@@ -42,14 +50,33 @@ export default {
 
 
     routes: [
+      // Public routes
+      {
+        path: "/",
+        authorization: false,
+
+        whitelist: [
+          "bff.*",
+        ],
+
+        autoAliases: true,
+        mappingPolicy: "restrict",
+
+        bodyParsers: {
+          json: true,
+          urlencoded: { extended: true }
+        }
+      },
+
       /**
-       * API routes
+       * Protected API routes
        */
       {
         path: "/api",
+        authorization: true,
         whitelist: [
           /**
-           * Access any actions except 'system' service
+           * Access any actions except 'gateway' and 'system' service
            */
           /^(?!(gateway|system)\.)\w+(?:\.\w+)*$/
         ],
@@ -124,6 +151,7 @@ export default {
       //   this.logger.error("   Request error!", err.name, ":", err.message, "\n", err.stack, "\nData:", err.data);
       // }
       this.sendError(req, res, err)
-    }
+    },
+    authorize,
   },
 }

package/services/kafka/index.mjs

@@ -196,7 +196,7 @@ export const consumer = (opts, callback) => {
 
               if(interMessageDelayMs > 0 ){
                 // control message reading per second
-                await delay(1000)
+                await delay(interMessageDelayMs)
               }
             }