wabe 0.6.12 → 0.6.13

package/src/authentication/defaultAuthentication.ts

@@ -1,209 +0,0 @@
-import type { WabeTypes } from '..'
-import type { CustomAuthenticationMethods, ProviderInterface } from './interface'
-import { GitHub, QRCodeOTP } from './providers'
-import { Google } from './providers'
-import { EmailOTP } from './providers/EmailOTP'
-import { EmailPassword } from './providers/EmailPassword'
-import { EmailPasswordSRPChallenge, EmailPasswordSRP } from './providers/EmailPasswordSRP'
-import { PhonePassword } from './providers/PhonePassword'
-
-export const defaultAuthenticationMethods = <T extends WabeTypes>(): CustomAuthenticationMethods<
-	T,
-	ProviderInterface<T>
->[] => [
-	{
-		name: 'emailPasswordSRPChallenge',
-		input: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			clientPublic: {
-				type: 'String',
-				required: true,
-			},
-			clientSessionProof: {
-				type: 'String',
-				required: true,
-			},
-		},
-		// @ts-expect-error
-		provider: new EmailPasswordSRPChallenge(),
-		isSecondaryFactor: true,
-	},
-	{
-		name: 'emailPasswordSRP',
-		input: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			clientPublic: {
-				type: 'String',
-			},
-			salt: {
-				type: 'String',
-			},
-			verifier: {
-				type: 'String',
-			},
-		},
-		dataToStore: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			salt: {
-				type: 'String',
-				required: true,
-			},
-			verifier: {
-				type: 'String',
-				required: true,
-			},
-			serverSecret: {
-				type: 'String',
-			},
-		},
-		// @ts-expect-error
-		provider: new EmailPasswordSRP(),
-	},
-	{
-		name: 'emailOTP',
-		input: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			otp: {
-				type: 'String',
-				required: true,
-			},
-		},
-		// @ts-expect-error
-		provider: new EmailOTP(),
-		isSecondaryFactor: true,
-	},
-	{
-		name: 'qrCodeOTP',
-		input: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			otp: {
-				type: 'String',
-				required: true,
-			},
-		},
-		// @ts-expect-error
-		provider: new QRCodeOTP(),
-		isSecondaryFactor: true,
-	},
-	{
-		name: 'phonePassword',
-		input: {
-			phone: {
-				type: 'Phone',
-				required: true,
-			},
-			password: {
-				type: 'Hash',
-				required: true,
-			},
-		},
-		dataToStore: {
-			phone: {
-				type: 'Phone',
-				required: true,
-			},
-			password: {
-				type: 'Hash',
-				required: true,
-			},
-		},
-		// @ts-expect-error
-		provider: new PhonePassword(),
-	},
-	{
-		name: 'emailPassword',
-		input: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			password: {
-				type: 'Hash',
-				required: true,
-			},
-		},
-		dataToStore: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			password: {
-				type: 'Hash',
-				required: true,
-			},
-		},
-		// @ts-expect-error
-		provider: new EmailPassword(),
-	},
-	{
-		name: 'google',
-		input: {
-			authorizationCode: {
-				type: 'String',
-				required: true,
-			},
-			codeVerifier: {
-				type: 'String',
-				required: true,
-			},
-		},
-		dataToStore: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			verifiedEmail: {
-				type: 'Boolean',
-				required: true,
-			},
-		},
-		// There is no signUp method for Google provider
-		// @ts-expect-error
-		provider: new Google(),
-	},
-	{
-		name: 'github',
-		input: {
-			authorizationCode: {
-				type: 'String',
-				required: true,
-			},
-			codeVerifier: {
-				type: 'String',
-				required: true,
-			},
-		},
-		dataToStore: {
-			email: {
-				type: 'Email',
-				required: true,
-			},
-			avatarUrl: {
-				type: 'String',
-				required: true,
-			},
-			username: {
-				type: 'String',
-				required: true,
-			},
-		},
-		// There is no signUp method for Google provider
-		// @ts-expect-error
-		provider: new GitHub(),
-	},
-]

package/src/authentication/index.ts

@@ -1,4 +0,0 @@
-export * from './interface'
-export * from './oauth'
-export * from './OTP'
-export * from './Session'

package/src/authentication/interface.ts

@@ -1,177 +0,0 @@
-import type { User } from '../../generated/wabe'
-import type { WabeContext } from '../server/interface'
-import type { SchemaFields } from '../schema'
-import type { WabeTypes, WobeCustomContext } from '../server'
-import type { SelectType } from '../database/interface'
-
-export enum ProviderEnum {
-	google = 'google',
-	github = 'github',
-}
-
-export interface ProviderConfig {
-	clientId: string
-	clientSecret: string
-}
-
-export type AuthenticationEventsOptions<T extends WabeTypes, K> = {
-	context: WabeContext<T>
-	input: K
-}
-
-export type AuthenticationEventsOptionsWithUserId<
-	T extends WabeTypes,
-	K,
-> = AuthenticationEventsOptions<T, K> & {
-	userId: string
-}
-
-export type OnSendChallengeOptions<T extends WabeTypes> = {
-	context: WabeContext<T>
-	user: T['types']['User']
-}
-
-export type OnVerifyChallengeOptions<T extends WabeTypes, K> = {
-	context: WabeContext<T>
-	input: K
-}
-
-export type ProviderInterface<T extends WabeTypes, K = any> = {
-	onSignIn: (options: AuthenticationEventsOptions<T, K>) => Promise<{
-		user: Partial<User>
-		srp?: {
-			salt: string
-			serverPublic: string
-		}
-	}>
-	onSignUp: (
-		options: AuthenticationEventsOptions<T, K>,
-	) => Promise<{ authenticationDataToSave: any }>
-	onUpdateAuthenticationData?: (
-		options: AuthenticationEventsOptionsWithUserId<T, K>,
-	) => Promise<{ authenticationDataToSave: any }>
-}
-
-export type SecondaryProviderInterface<T extends WabeTypes, K = any> = {
-	onSendChallenge?: (options: OnSendChallengeOptions<T>) => Promise<void> | void
-	onVerifyChallenge: (options: OnVerifyChallengeOptions<T, K>) =>
-		| Promise<{
-				userId: string
-				srp?: { serverSessionProof: string }
-		  } | null>
-		| ({ userId: string; srp?: { serverSessionProof: string } } | null)
-}
-
-export type CustomAuthenticationMethods<
-	T extends WabeTypes,
-	U = ProviderInterface<T> | SecondaryProviderInterface<T>,
-	K = SchemaFields<T>,
-	W = SchemaFields<T>,
-> = {
-	name: string
-	input: K
-	dataToStore?: W
-	provider: U
-	isSecondaryFactor?: boolean
-}
-
-export type RoleConfig = Array<string>
-
-export interface SessionConfig<T extends WabeTypes> {
-	/**
-	 * The time in milliseconds that the access token will expire
-	 */
-	accessTokenExpiresInMs?: number
-	/**
-	 * The time in milliseconds that the refresh token will expire
-	 */
-	refreshTokenExpiresInMs?: number
-	/**
-	 * Set to true to automatically store the session tokens in cookies
-	 */
-	cookieSession?: boolean
-	/**
-	 * The JWT secret used to sign the session tokens
-	 */
-	jwtSecret: string
-	/**
-	 * Optional audience to embed and verify in JWTs
-	 */
-	jwtAudience?: string
-	/**
-	 * Optional issuer to embed and verify in JWTs
-	 */
-	jwtIssuer?: string
-	/**
-	 * Secret dedicated to CSRF token HMAC (defaults to jwtSecret)
-	 */
-	csrfSecret?: string
-	/**
-	 * Secret used to encrypt session tokens at rest (defaults to jwtSecret)
-	 */
-	tokenSecret?: string
-	/**
-	 * A selection of fields to include in the JWT token in the "user" fields
-	 */
-	jwtTokenFields?: SelectType<T, 'User', keyof T['types']['User']>
-}
-
-export interface AuthenticationRateLimitConfig {
-	/**
-	 * Enable this rate limiter. Enabled by default in production.
-	 */
-	enabled?: boolean
-	maxAttempts?: number
-	windowMs?: number
-	blockDurationMs?: number
-}
-
-export interface AuthenticationSecurityConfig {
-	signInRateLimit?: AuthenticationRateLimitConfig
-	signUpRateLimit?: AuthenticationRateLimitConfig
-	verifyChallengeRateLimit?: AuthenticationRateLimitConfig
-	mfaChallengeTtlMs?: number
-	/**
-	 * Require a valid challenge token during verifyChallenge in production.
-	 */
-	requireMfaChallengeInProduction?: boolean
-}
-
-export interface AuthenticationConfig<T extends WabeTypes> {
-	session?: SessionConfig<T>
-	roles?: RoleConfig
-	successRedirectPath?: string
-	failureRedirectPath?: string
-	frontDomain?: string
-	backDomain?: string
-	providers?: Partial<Record<ProviderEnum, ProviderConfig>>
-	customAuthenticationMethods?: CustomAuthenticationMethods<T>[]
-	sessionHandler?: (context: WobeCustomContext<T>) => void | Promise<void>
-	disableSignUp?: boolean
-	security?: AuthenticationSecurityConfig
-}
-
-export interface CreateTokenFromAuthorizationCodeOptions {
-	code: string
-}
-
-export interface refreshTokenOptions {
-	refreshToken: string
-}
-
-export interface Provider {
-	createTokenFromAuthorizationCode(options: CreateTokenFromAuthorizationCodeOptions): Promise<void>
-	refreshToken(options: refreshTokenOptions): Promise<void>
-}
-
-export enum AuthenticationProvider {
-	GitHub = 'github',
-	Google = 'google',
-	EmailPassword = 'emailPassword',
-	PhonePassword = 'phonePassword',
-}
-
-export enum SecondaryFactor {
-	EmailOTP = 'emailOTP',
-	QRCodeOTP = 'qrcodeOTP',
-}

package/src/authentication/oauth/GitHub.test.ts

@@ -1,91 +0,0 @@
-import { describe, expect, it, spyOn } from 'bun:test'
-import { GitHub } from './GitHub'
-import { OAuth2Client } from './Oauth2Client'
-
-describe('GitHub oauth', () => {
-	const config = {
-		port: 3001,
-		authentication: {
-			backDomain: 'api.wabe.dev',
-			providers: {
-				github: {
-					clientId: 'clientId',
-					clientSecret: 'clientSecret',
-				},
-			},
-		},
-	} as any
-
-	const githubOauth = new GitHub(config)
-
-	it('should create authorization url', () => {
-		const spyOauth2ClientCreateAuthorizationUrl = spyOn(
-			OAuth2Client.prototype,
-			'createAuthorizationURL',
-		).mockReturnValue(new URL('https://url') as never)
-
-		const authorizationUrl = githubOauth.createAuthorizationURL('state', 'codeVerifier')
-
-		expect(authorizationUrl.toString()).toBe(
-			'https://url/?access_type=offline&prompt=select_account',
-		)
-		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledTimes(1)
-		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledWith({
-			state: 'state',
-			codeVerifier: 'codeVerifier',
-			scopes: ['read:user', 'user:email'],
-		})
-
-		spyOauth2ClientCreateAuthorizationUrl.mockRestore()
-	})
-
-	it('should validate authorization code', async () => {
-		const spyOauth2ClientValidateAuthorizationCode = spyOn(
-			OAuth2Client.prototype,
-			'validateAuthorizationCode',
-		).mockResolvedValue({
-			access_token: 'access_token',
-			refresh_token: 'refresh_token',
-			expires_in: 3600,
-		})
-
-		const res = await githubOauth.validateAuthorizationCode('code', 'codeVerifier')
-
-		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledTimes(1)
-		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledWith('code', {
-			authenticateWith: 'request_body',
-			credentials: 'clientSecret',
-			codeVerifier: 'codeVerifier',
-		})
-
-		// +100 to avoid flaky
-		expect((res.accessTokenExpiresAt?.getTime() || 0) + 100).toBeGreaterThanOrEqual(
-			Date.now() + 3600 * 1000,
-		)
-
-		spyOauth2ClientValidateAuthorizationCode.mockRestore()
-	})
-
-	it('should refresh access token', async () => {
-		const spyOauth2ClientRefreshAccessToken = spyOn(
-			OAuth2Client.prototype,
-			'refreshAccessToken',
-		).mockResolvedValue({
-			access_token: 'access_token',
-			expires_in: 3600,
-		})
-
-		const res = await githubOauth.refreshAccessToken('refresh_token')
-
-		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledTimes(1)
-		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledWith('refresh_token', {
-			authenticateWith: 'request_body',
-			credentials: 'clientSecret',
-		})
-
-		expect(res.accessToken).toBe('access_token')
-		expect(res.accessTokenExpiresAt?.getTime()).toBeGreaterThanOrEqual(Date.now() + 3600 * 1000)
-
-		spyOauth2ClientRefreshAccessToken.mockRestore()
-	})
-})

package/src/authentication/oauth/GitHub.ts

@@ -1,121 +0,0 @@
-import { OAuth2Client } from '.'
-import type { WabeConfig } from '../../server'
-import type { OAuth2ProviderWithPKCE, Tokens } from './utils'
-
-const authorizeEndpoint = 'https://github.com/login/oauth/authorize'
-const tokenEndpoint = 'https://github.com/login/oauth/access_token'
-
-interface AuthorizationCodeResponseBody {
-	access_token: string
-	refresh_token?: string
-	expires_in: number
-	id_token: string
-}
-
-interface RefreshTokenResponseBody {
-	access_token: string
-	expires_in: number
-}
-
-export class GitHub implements OAuth2ProviderWithPKCE {
-	private client: OAuth2Client
-	private clientSecret: string
-
-	constructor(config: WabeConfig<any>) {
-		const githubConfig = config.authentication?.providers?.github
-
-		if (!githubConfig) throw new Error('GitHub config not found')
-
-		const baseUrl = `http${config.isProduction ? 's' : ''}://${config.authentication?.backDomain || '127.0.0.1:' + config.port || 3001}`
-
-		const redirectURI = `${baseUrl}/auth/oauth/callback`
-
-		this.client = new OAuth2Client(
-			githubConfig.clientId,
-			authorizeEndpoint,
-			tokenEndpoint,
-			redirectURI,
-		)
-
-		this.clientSecret = githubConfig.clientSecret
-	}
-
-	createAuthorizationURL(
-		state: string,
-		codeVerifier: string,
-		options?: {
-			scopes?: string[]
-		},
-	): URL {
-		const scopes = options?.scopes ?? []
-		const url = this.client.createAuthorizationURL({
-			state,
-			codeVerifier,
-			scopes: [...scopes, 'read:user', 'user:email'],
-		})
-
-		url.searchParams.set('access_type', 'offline')
-		url.searchParams.set('prompt', 'select_account')
-
-		return url
-	}
-
-	async validateAuthorizationCode(code: string, codeVerifier: string): Promise<Tokens> {
-		const { access_token, expires_in, refresh_token, id_token } =
-			await this.client.validateAuthorizationCode<AuthorizationCodeResponseBody>(code, {
-				authenticateWith: 'request_body',
-				codeVerifier,
-				credentials: this.clientSecret,
-			})
-
-		return {
-			accessToken: access_token,
-			refreshToken: refresh_token,
-			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
-			idToken: id_token,
-		}
-	}
-
-	async refreshAccessToken(refreshToken: string): Promise<Tokens> {
-		const { access_token, expires_in } =
-			await this.client.refreshAccessToken<RefreshTokenResponseBody>(refreshToken, {
-				authenticateWith: 'request_body',
-				credentials: this.clientSecret,
-			})
-
-		return {
-			accessToken: access_token,
-			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
-		}
-	}
-
-	async getUserInfo(accessToken: string) {
-		const userInfoResponse = await fetch('https://api.github.com/user', {
-			headers: {
-				Authorization: `Bearer ${accessToken}`,
-				Accept: 'application/vnd.github.v3+json',
-			},
-		})
-
-		const userEmailResponse = await fetch('https://api.github.com/user/emails', {
-			headers: {
-				Authorization: `Bearer ${accessToken}`,
-				Accept: 'application/vnd.github.v3+json',
-			},
-		})
-
-		if (!userInfoResponse.ok || !userEmailResponse.ok)
-			throw new Error('Failed to fetch user information from GitHub')
-
-		const userInfo = await userInfoResponse.json()
-		const userEmails = await userEmailResponse.json()
-
-		const primaryEmail = userEmails.find((email: any) => email.primary)?.email
-
-		return {
-			email: primaryEmail || null,
-			username: userInfo.login,
-			avatarUrl: userInfo.avatar_url,
-		}
-	}
-}

package/src/authentication/oauth/Google.test.ts

@@ -1,91 +0,0 @@
-import { describe, expect, it, spyOn } from 'bun:test'
-import { Google } from './Google'
-import { OAuth2Client } from './Oauth2Client'
-
-describe('Google oauth', () => {
-	const config = {
-		port: 3001,
-		authentication: {
-			backDomain: 'api.wabe.com',
-			providers: {
-				google: {
-					clientId: 'clientId',
-					clientSecret: 'clientSecret',
-				},
-			},
-		},
-	} as any
-
-	const googleOauth = new Google(config)
-
-	it('should create authorization url', () => {
-		const spyOauth2ClientCreateAuthorizationUrl = spyOn(
-			OAuth2Client.prototype,
-			'createAuthorizationURL',
-		).mockReturnValue(new URL('https://url') as never)
-
-		const authorizationUrl = googleOauth.createAuthorizationURL('state', 'codeVerifier')
-
-		expect(authorizationUrl.toString()).toBe(
-			'https://url/?access_type=offline&prompt=select_account',
-		)
-		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledTimes(1)
-		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledWith({
-			state: 'state',
-			codeVerifier: 'codeVerifier',
-			scopes: ['openid'],
-		})
-
-		spyOauth2ClientCreateAuthorizationUrl.mockRestore()
-	})
-
-	it('should validate authorization code', async () => {
-		const spyOauth2ClientValidateAuthorizationCode = spyOn(
-			OAuth2Client.prototype,
-			'validateAuthorizationCode',
-		).mockResolvedValue({
-			access_token: 'access_token',
-			refresh_token: 'refresh_token',
-			expires_in: 3600,
-		})
-
-		const res = await googleOauth.validateAuthorizationCode('code', 'codeVerifier')
-
-		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledTimes(1)
-		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledWith('code', {
-			authenticateWith: 'request_body',
-			credentials: 'clientSecret',
-			codeVerifier: 'codeVerifier',
-		})
-
-		// +100 to avoid flaky
-		expect((res.accessTokenExpiresAt?.getTime() || 0) + 100).toBeGreaterThanOrEqual(
-			Date.now() + 3600 * 1000,
-		)
-
-		spyOauth2ClientValidateAuthorizationCode.mockRestore()
-	})
-
-	it('should refresh access token', async () => {
-		const spyOauth2ClientRefreshAccessToken = spyOn(
-			OAuth2Client.prototype,
-			'refreshAccessToken',
-		).mockResolvedValue({
-			access_token: 'access_token',
-			expires_in: 3600,
-		})
-
-		const res = await googleOauth.refreshAccessToken('refresh_token')
-
-		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledTimes(1)
-		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledWith('refresh_token', {
-			authenticateWith: 'request_body',
-			credentials: 'clientSecret',
-		})
-
-		expect(res.accessToken).toBe('access_token')
-		expect(res.accessTokenExpiresAt?.getTime()).toBeGreaterThanOrEqual(Date.now() + 3600 * 1000)
-
-		spyOauth2ClientRefreshAccessToken.mockRestore()
-	})
-})