threadforge 0.1.0

package/shared/auth.js

@@ -0,0 +1,475 @@
+/**
+ * ForgeHost Shared Auth Service
+ *
+ * A template auth service for multi-project hosting. Provides:
+ *   - Login/register with email + password
+ *   - JWT tokens with project_id claims
+ *   - SSO flow for cross-project authentication
+ *   - Token refresh and validation
+ *
+ * Uses the shared (unscoped) Postgres for the public.users table
+ * and shared Redis for sessions. Since this is a shared service
+ * (no _projectId), plugins connect without scoping.
+ *
+ * Customize this template for your deployment.
+ */
+
+import { createHash, createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";
+import { Service } from "../src/services/Service.js";
+
+// Lazy JWT_SECRET getter — refuses to start with weak/missing secret
+let _jwtSecret;
+function getJwtSecret() {
+  if (_jwtSecret) return _jwtSecret;
+  const secret = process.env.FORGE_JWT_SECRET;
+  if (!secret || secret.length < 32) {
+    throw new Error("FORGE_JWT_SECRET must be set and at least 32 characters");
+  }
+  _jwtSecret = secret;
+  return _jwtSecret;
+}
+
+const TOKEN_EXPIRY = 3600; // 1 hour in seconds
+const REFRESH_EXPIRY = 86400 * 30; // 30 days in seconds
+
+// SSO state store with TTL (CSRF protection)
+const ssoStateStore = new Map();
+const SSO_STATE_TTL = 5 * 60 * 1000; // 5 minutes
+const MAX_SSO_STATES = 10000;
+
+// Periodic cleanup instead of per-entry timers (avoids timer handle exhaustion)
+setInterval(() => {
+  const now = Date.now();
+  for (const [state, timestamp] of ssoStateStore.entries()) {
+    if (now - timestamp > SSO_STATE_TTL) ssoStateStore.delete(state);
+  }
+}, 60 * 1000).unref?.();
+
+function createSsoState() {
+  if (ssoStateStore.size >= MAX_SSO_STATES) {
+    // Evict oldest entries if at capacity
+    const now = Date.now();
+    for (const [state, timestamp] of ssoStateStore.entries()) {
+      if (now - timestamp > SSO_STATE_TTL) ssoStateStore.delete(state);
+    }
+    if (ssoStateStore.size >= MAX_SSO_STATES) {
+      throw new Error("SSO state store capacity exceeded");
+    }
+  }
+  const state = randomBytes(16).toString("hex");
+  ssoStateStore.set(state, Date.now());
+  return state;
+}
+function consumeSsoState(state) {
+  if (!state || !ssoStateStore.has(state)) return false;
+  const timestamp = ssoStateStore.get(state);
+  ssoStateStore.delete(state);
+  // Reject expired states even if still in the map
+  if (Date.now() - timestamp > SSO_STATE_TTL) return false;
+  return true;
+}
+
+// Account lockout tracker
+const loginAttempts = new Map();
+const MAX_ATTEMPTS = 5;
+const LOCKOUT_WINDOW_MS = 15 * 60 * 1000;
+function checkLockout(email) {
+  const record = loginAttempts.get(email);
+  if (!record) return false;
+  const now = Date.now();
+  record.timestamps = record.timestamps.filter((t) => now - t < LOCKOUT_WINDOW_MS);
+  if (record.timestamps.length === 0) { loginAttempts.delete(email); return false; }
+  return record.timestamps.length >= MAX_ATTEMPTS;
+}
+function recordFailedAttempt(email) {
+  let record = loginAttempts.get(email);
+  if (!record) { record = { timestamps: [] }; loginAttempts.set(email, record); }
+  record.timestamps.push(Date.now());
+  setTimeout(() => {
+    const r = loginAttempts.get(email);
+    if (r) { r.timestamps = r.timestamps.filter((t) => Date.now() - t < LOCKOUT_WINDOW_MS); if (r.timestamps.length === 0) loginAttempts.delete(email); }
+  }, LOCKOUT_WINDOW_MS).unref?.();
+}
+function resetAttempts(email) { loginAttempts.delete(email); }
+
+function hashRefreshToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+// Email validation — ASCII-only, no consecutive dots, min 2-char TLD
+function isValidEmail(email) {
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/.test(email)) return false;
+  if (!/^[\x20-\x7E]+$/.test(email)) return false; // ASCII-only
+  if (/\.\./.test(email)) return false; // no consecutive dots
+  const [, domain] = email.split("@");
+  if (!domain || /^\.|\.$/g.test(domain)) return false; // no leading/trailing dots in domain
+  return true;
+}
+
+export default class AuthService extends Service {
+  static contract = {
+    expose: ["validateToken", "refreshToken"],
+    routes: [
+      { method: "POST", path: "/login", handler: "login" },
+      { method: "POST", path: "/register", handler: "register" },
+      { method: "POST", path: "/validate", handler: "validateToken" },
+      { method: "POST", path: "/refresh", handler: "refreshToken" },
+      { method: "GET", path: "/sso", handler: "ssoRedirect" },
+      { method: "GET", path: "/sso/callback", handler: "ssoCallback" },
+    ],
+  };
+
+  // ── Redis-backed SSO state (cluster-safe) ──
+
+  async _createSsoState() {
+    if (this.redis) {
+      const state = randomBytes(16).toString("hex");
+      await this.redis.set(`sso:${state}`, "1", "EX", Math.ceil(SSO_STATE_TTL / 1000));
+      return state;
+    }
+    return createSsoState();
+  }
+
+  async _consumeSsoState(state) {
+    if (this.redis) {
+      if (!state) return false;
+      const val = await this.redis.get(`sso:${state}`);
+      if (!val) return false;
+      await this.redis.del(`sso:${state}`);
+      return true;
+    }
+    return consumeSsoState(state);
+  }
+
+  // ── Redis-backed lockout tracking (cluster-safe) ──
+
+  async _checkLockout(email) {
+    if (this.redis) {
+      const count = await this.redis.get(`lockout:${email}`);
+      return count !== null && parseInt(count, 10) >= MAX_ATTEMPTS;
+    }
+    return checkLockout(email);
+  }
+
+  async _recordFailedAttempt(email) {
+    if (this.redis) {
+      const key = `lockout:${email}`;
+      await this.redis.incr(key);
+      await this.redis.expire(key, Math.ceil(LOCKOUT_WINDOW_MS / 1000));
+      return;
+    }
+    recordFailedAttempt(email);
+  }
+
+  async _resetAttempts(email) {
+    if (this.redis) {
+      await this.redis.del(`lockout:${email}`);
+      return;
+    }
+    resetAttempts(email);
+  }
+
+  async onStart(ctx) {
+    ctx.logger.info("Auth service ready");
+
+    // Ensure users table exists (shared schema, not project-scoped)
+    if (this.pg) {
+      await this.pg.query(`
+        CREATE TABLE IF NOT EXISTS public.users (
+          id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+          email TEXT UNIQUE NOT NULL,
+          password_hash TEXT NOT NULL,
+          projects TEXT[] DEFAULT '{}',
+          role TEXT DEFAULT 'user',
+          created_at TIMESTAMPTZ DEFAULT NOW(),
+          updated_at TIMESTAMPTZ DEFAULT NOW()
+        )
+      `);
+    }
+  }
+
+  /**
+   * Login with email + password.
+   * Returns JWT with project_id claim based on the requested project.
+   */
+  async login(body) {
+    const { email, password, project_id } = body ?? {};
+    if (!email || !password) {
+      return { error: "Email and password required", status: 400 };
+    }
+    const normalizedEmail = email.toLowerCase().trim();
+    if (!isValidEmail(normalizedEmail)) {
+      return { error: "Invalid email format", status: 400 };
+    }
+    if (await this._checkLockout(normalizedEmail)) {
+      return { error: "Too many failed attempts. Try again later.", status: 429 };
+    }
+
+    const result = await this.pg.query("SELECT * FROM public.users WHERE LOWER(email) = $1", [normalizedEmail]);
+    const user = result.rows[0];
+    if (!user) {
+      await this._recordFailedAttempt(normalizedEmail);
+      return { error: "Invalid credentials", status: 401 };
+    }
+
+    if (!verifyPassword(password, user.password_hash)) {
+      await this._recordFailedAttempt(normalizedEmail);
+      return { error: "Invalid credentials", status: 401 };
+    }
+
+    await this._resetAttempts(normalizedEmail);
+
+    // Validate project access
+    if (project_id && !user.projects.includes(project_id)) {
+      return { error: "No access to project", status: 403 };
+    }
+
+    const token = createToken(user, project_id);
+    const refreshToken = randomBytes(32).toString("hex");
+
+    // Hash before storing -- never store raw refresh tokens server-side
+    if (this.redis) {
+      const hashed = hashRefreshToken(refreshToken);
+      await this.redis.set(
+        `refresh:${hashed}`,
+        JSON.stringify({ userId: user.id, projectId: project_id }),
+        "EX",
+        REFRESH_EXPIRY,
+      );
+    }
+
+    return { token, refreshToken, expiresIn: TOKEN_EXPIRY };
+  }
+
+  /**
+   * Register a new user.
+   */
+  async register(body) {
+    const { email, password, project_id } = body ?? {};
+    if (!email || !password) {
+      return { error: "Email and password required", status: 400 };
+    }
+    const normalizedEmail = email.toLowerCase().trim();
+    if (!isValidEmail(normalizedEmail)) {
+      return { error: "Invalid email format", status: 400 };
+    }
+    if (password.length < 12) {
+      return { error: "Password must be at least 12 characters", status: 400 };
+    }
+    // Require at least 3 of: uppercase, lowercase, digit, special character
+    const typesPresent = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(password)).length;
+    if (typesPresent < 3) {
+      return { error: "Password must contain at least 3 of: uppercase, lowercase, digits, special characters", status: 400 };
+    }
+
+    // Check if email already exists
+    const existing = await this.pg.query("SELECT id FROM public.users WHERE LOWER(email) = $1", [normalizedEmail]);
+    if (existing.rows.length > 0) {
+      return { error: "Email already registered", status: 409 };
+    }
+
+    const id = randomBytes(16).toString("hex");
+    const passwordHash = hashPassword(password);
+    const projects = project_id ? [project_id] : [];
+
+    await this.pg.query(
+      "INSERT INTO public.users (id, email, password_hash, projects) VALUES ($1, $2, $3, $4)",
+      [id, normalizedEmail, passwordHash, projects],
+    );
+
+    const token = createToken({ id, email: normalizedEmail, role: "user", projects }, project_id);
+    return { token, userId: id, expiresIn: TOKEN_EXPIRY };
+  }
+
+  /**
+   * Validate a JWT token. Called by other services to verify auth.
+   */
+  async validateToken(body) {
+    const { token } = body ?? {};
+    if (!token) return { valid: false, error: "No token provided" };
+
+    const payload = decodeToken(token);
+    if (!payload) return { valid: false, error: "Invalid token" };
+
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) {
+      return { valid: false, error: "Token expired" };
+    }
+
+    return { valid: true, payload };
+  }
+
+  /**
+   * Refresh an expired token using a refresh token.
+   */
+  async refreshToken(body) {
+    const { refreshToken } = body ?? {};
+    if (!refreshToken) return { error: "Refresh token required", status: 400 };
+
+    if (!this.redis) return { error: "Session storage unavailable", status: 503 };
+
+    const hashedToken = hashRefreshToken(refreshToken);
+    const data = await this.redis.get(`refresh:${hashedToken}`);
+    if (!data) return { error: "Invalid refresh token", status: 401 };
+
+    let parsed;
+    try {
+      parsed = JSON.parse(Buffer.isBuffer(data) ? data.toString() : data);
+    } catch {
+      return { error: "Invalid refresh token data", status: 401 };
+    }
+
+    const result = await this.pg.query("SELECT * FROM public.users WHERE id = $1", [parsed.userId]);
+    const user = result.rows[0];
+    if (!user) return { error: "User not found", status: 401 };
+
+    // Delete old refresh token
+    await this.redis.del(`refresh:${hashedToken}`);
+
+    // Issue new tokens
+    const token = createToken(user, parsed.projectId);
+    const newRefreshToken = randomBytes(32).toString("hex");
+
+    await this.redis.set(
+      `refresh:${hashRefreshToken(newRefreshToken)}`,
+      JSON.stringify({ userId: user.id, projectId: parsed.projectId }),
+      "EX",
+      REFRESH_EXPIRY,
+    );
+
+    return { token, refreshToken: newRefreshToken, expiresIn: TOKEN_EXPIRY };
+  }
+
+  /**
+   * SSO redirect — initiates cross-project authentication.
+   * Redirect user to auth.{defaultDomain}/sso?redirect={origin}&project={id}
+   */
+  async ssoRedirect(body, params, req) {
+    const redirect = req?.query?.redirect;
+    const projectId = req?.query?.project;
+
+    if (!redirect) {
+      return { error: "redirect parameter required", status: 400 };
+    }
+    if (!validateRedirect(redirect)) {
+      return { error: "Invalid redirect URL", status: 400 };
+    }
+
+    // Check existing auth BEFORE creating SSO state (avoids memory waste + replay risk)
+    const authHeader = req?.headers?.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+      const payload = decodeToken(authHeader.slice(7));
+      const now = Math.floor(Date.now() / 1000);
+      if (payload && (!payload.exp || payload.exp > now)) {
+        const token = createToken(
+          { id: payload.sub, email: payload.email, role: payload.role, projects: payload.projects },
+          projectId,
+        );
+        const sep = redirect.includes("?") ? "&" : "?";
+        return { redirect: `${redirect}${sep}token=${token}` };
+      }
+    }
+
+    // Only create SSO state when authentication is actually required
+    const state = await this._createSsoState();
+    const sep = redirect.includes("?") ? "&" : "?";
+    return { redirect: `${redirect}${sep}auth_required=true&project=${projectId ?? ""}&state=${state}` };
+  }
+
+  /**
+   * SSO callback — validates token from SSO flow.
+   */
+  async ssoCallback(body, params, req) {
+    const token = req?.query?.token;
+    const state = req?.query?.state;
+    if (!state || !(await this._consumeSsoState(state))) {
+      return { error: "Invalid or missing state parameter", status: 400 };
+    }
+    if (!token) return { error: "Token required", status: 400 };
+
+    const result = await this.validateToken({ token });
+    return result;
+  }
+}
+
+// scrypt-based password hashing (replaces HMAC-SHA256)
+function hashPassword(password) {
+  const salt = randomBytes(16);
+  const hash = scryptSync(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 256 * 1024 * 1024 });
+  return salt.toString("hex") + ":" + hash.toString("hex");
+}
+
+function verifyPassword(password, stored) {
+  const parts = stored.split(":");
+  if (parts.length !== 2) return false;
+  const salt = Buffer.from(parts[0], "hex");
+  const storedHash = Buffer.from(parts[1], "hex");
+  const derivedHash = scryptSync(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 256 * 1024 * 1024 });
+  if (storedHash.length !== derivedHash.length) return false;
+  return timingSafeEqual(storedHash, derivedHash);
+}
+
+// Redirect URL validation for SSO
+function validateRedirect(redirect) {
+  const allowedHosts = process.env.FORGE_ALLOWED_REDIRECT_HOSTS;
+  if (!allowedHosts) {
+    return redirect.startsWith("/") && !redirect.startsWith("//");
+  }
+  try {
+    const url = new URL(redirect);
+    if (!['http:', 'https:'].includes(url.protocol)) return false;
+    const allowed = allowedHosts.split(",").map((h) => h.trim()).filter(Boolean);
+    return allowed.includes(url.hostname);
+  } catch {
+    return redirect.startsWith("/") && !redirect.startsWith("//");
+  }
+}
+
+function createToken(user, projectId) {
+  const now = Math.floor(Date.now() / 1000);
+  const payload = {
+    sub: user.id,
+    email: user.email,
+    project_id: projectId ?? null,
+    projects: user.projects ?? [],
+    role: user.role ?? "user",
+    iat: now,
+    exp: now + TOKEN_EXPIRY,
+  };
+
+  const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url");
+  const claims = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signature = createHmac("sha256", getJwtSecret()).update(`${header}.${claims}`).digest("base64url");
+
+  return `${header}.${claims}.${signature}`;
+}
+
+function decodeToken(token) {
+  try {
+    const [header, claims, signature] = token.split(".");
+    if (!header || !claims || !signature) return null;
+
+    // Validate algorithm — reject alg:none and algorithm confusion attacks
+    const headerObj = JSON.parse(Buffer.from(header, "base64url").toString());
+    if (!headerObj.alg) return null;
+    if (headerObj.alg !== "HS256") return null;
+    if (headerObj.typ && headerObj.typ !== "JWT") return null;
+
+    const expected = createHmac("sha256", getJwtSecret())
+      .update(`${header}.${claims}`)
+      .digest("base64url");
+
+    // Timing-safe comparison to prevent side-channel attacks
+    const sigBuf = Buffer.from(signature);
+    const expBuf = Buffer.from(expected);
+    if (sigBuf.length !== expBuf.length) return null;
+    if (!timingSafeEqual(sigBuf, expBuf)) return null;
+
+    return JSON.parse(Buffer.from(claims, "base64url").toString());
+  } catch {
+    return null;
+  }
+}
+
+// Exported for testing
+export { hashPassword, verifyPassword, isValidEmail, validateRedirect, createSsoState, consumeSsoState, checkLockout, recordFailedAttempt, resetAttempts };