wabe 0.6.12 → 0.6.14

package/src/server/index.ts

@@ -1,336 +0,0 @@
-import type { DatabaseConfig } from '../database'
-import { DatabaseController } from '../database/DatabaseController'
-import { type EnumInterface, Schema, type SchemaInterface } from '../schema/Schema'
-import { GraphQLObjectType, GraphQLSchema, NoSchemaIntrospectionCustomRule } from 'graphql'
-import { GraphQLSchema as WabeGraphQLSchema } from '../graphql'
-import type { AuthenticationConfig } from '../authentication/interface'
-import { type WabeRoute, defaultRoutes } from './routes'
-import { type Hook, getDefaultHooks } from '../hooks'
-import { generateCodegen } from './generateCodegen'
-import { defaultAuthenticationMethods } from '../authentication/defaultAuthentication'
-import { Wobe, cors, rateLimit } from 'wobe'
-import type { Context, CorsOptions, RateLimitOptions } from 'wobe'
-import type { WabeContext } from './interface'
-import { initializeRoles } from '../authentication/roles'
-import type { EmailConfig } from '../email'
-import { EmailController } from '../email/EmailController'
-import { FileController } from '../file/FileController'
-import { defaultSessionHandler } from './defaultSessionHandler'
-import type { CronConfig } from '../cron'
-import type { FileConfig } from '../file'
-import { WobeGraphqlYogaPlugin } from 'wobe-graphql-yoga'
-
-type SecurityConfig = {
-	corsOptions?: CorsOptions
-	rateLimit?: RateLimitOptions
-	hideSensitiveErrorMessage?: boolean
-	disableCSRFProtection?: boolean
-	disableGraphQLDashboard?: boolean
-	disableIntrospection?: boolean
-	maxGraphqlDepth?: number
-}
-
-export * from './interface'
-export * from './routes'
-
-export const defaultRoles = ['DashboardAdmin']
-
-export interface WabeConfig<T extends WabeTypes> {
-	port: number
-	isProduction: boolean
-	hostname?: string
-	security?: SecurityConfig
-	schema?: SchemaInterface<T>
-	graphqlSchema?: GraphQLSchema
-	database: DatabaseConfig<T>
-	codegen?:
-		| {
-				enabled: true
-				path: string
-		  }
-		| { enabled?: false }
-	authentication?: AuthenticationConfig<T>
-	routes?: WabeRoute[]
-	rootKey: string
-	hooks?: Hook<T, any>[]
-	email?: EmailConfig
-	file?: FileConfig<T>
-	crons?: CronConfig<T>
-}
-
-export type WabeTypes = {
-	types: Record<any, any>
-	where: Record<any, any>
-	scalars: string
-	enums: Record<any, any>
-}
-
-export type WobeCustomContext<T extends WabeTypes> = Context & {
-	wabe: WabeContext<T>
-}
-
-type WabeControllers<T extends WabeTypes> = {
-	database: DatabaseController<T>
-	email?: EmailController
-	file?: FileController
-}
-
-export class Wabe<T extends WabeTypes> {
-	public server: Wobe<WobeCustomContext<T>>
-
-	public config: WabeConfig<T>
-	public controllers: WabeControllers<T>
-
-	constructor({
-		isProduction,
-		port,
-		hostname,
-		security,
-		schema,
-		database,
-		authentication,
-		rootKey,
-		codegen,
-		hooks,
-		file,
-		email,
-		routes,
-		crons,
-	}: WabeConfig<T>) {
-		this.config = {
-			isProduction,
-			port,
-			hostname,
-			security,
-			schema,
-			database,
-			codegen,
-			authentication,
-			rootKey,
-			hooks,
-			email,
-			routes,
-			file,
-			crons,
-		}
-
-		this.server = new Wobe<WobeCustomContext<T>>({ hostname }).get('/health', (context) => {
-			context.res.status = 200
-			context.res.send('OK')
-		})
-
-		this.controllers = {
-			database: new DatabaseController<T>(database.adapter),
-			email: email?.adapter ? new EmailController(email.adapter) : undefined,
-			file: file?.adapter ? new FileController(file.adapter, this) : undefined,
-		}
-
-		this.loadCrons()
-		this.loadAuthenticationMethods()
-		this.loadRoleEnum()
-		this.loadRoutes()
-		this.loadHooks()
-	}
-
-	loadCrons() {
-		if (!this.config.crons) return
-
-		const crons = this.config.crons.map((cron) => ({
-			...cron,
-			job: cron.cron(this),
-		}))
-
-		this.config.crons = crons
-	}
-
-	loadRoleEnum() {
-		const roles = [...defaultRoles, ...(this.config.authentication?.roles || [])]
-
-		const roleEnum: EnumInterface = {
-			name: 'RoleEnum',
-			values: roles.reduce(
-				(acc, currentRole) => {
-					acc[currentRole] = currentRole
-					return acc
-				},
-				{} as Record<string, any>,
-			),
-		}
-
-		this.config.schema = {
-			...this.config.schema,
-			enums: [...(this.config.schema?.enums || []), roleEnum],
-		}
-	}
-
-	loadAuthenticationMethods() {
-		this.config.authentication = {
-			...this.config.authentication,
-			customAuthenticationMethods: [
-				...defaultAuthenticationMethods<T>(),
-				...(this.config.authentication?.customAuthenticationMethods || []),
-			],
-		}
-	}
-
-	loadHooks() {
-		if (this.config.hooks?.find((hook) => hook.priority <= 0))
-			throw new Error('Hook priority <= 0 is reserved for internal uses')
-
-		this.config.hooks = [...getDefaultHooks(), ...(this.config.hooks || [])]
-	}
-
-	loadRoutes() {
-		const enableBucketRoute = !this.config.isProduction
-
-		const wabeRoutes = [
-			...defaultRoutes({
-				devDirectory: this.config.file?.devDirectory || `${__dirname}/../../bucket`,
-				enableBucketRoute,
-			}),
-			...(this.config.routes || []),
-		]
-
-		wabeRoutes.forEach((route) => {
-			const { method } = route
-
-			switch (method) {
-				case 'GET':
-					this.server.get(route.path, route.handler)
-					break
-				case 'POST':
-					this.server.post(route.path, route.handler)
-					break
-				case 'PUT':
-					this.server.put(route.path, route.handler)
-					break
-				case 'DELETE':
-					this.server.delete(route.path, route.handler)
-					break
-				default:
-					throw new Error('Invalid method for default route')
-			}
-		})
-	}
-
-	async start() {
-		if (!this.config.rootKey || this.config.rootKey.length === 0)
-			throw new Error('rootKey cannot be empty')
-
-		if (this.config.authentication?.session && !this.config.authentication.session.jwtSecret)
-			throw new Error('Authentication session requires jwt secret')
-
-		const wabeSchema = new Schema(this.config)
-
-		this.config.schema = wabeSchema.schema
-
-		await this.controllers.database.initializeDatabase(wabeSchema.schema)
-
-		const graphqlSchema = new WabeGraphQLSchema(wabeSchema)
-
-		const types = graphqlSchema.createSchema()
-
-		this.config.graphqlSchema = new GraphQLSchema({
-			query: new GraphQLObjectType({
-				name: 'Query',
-				fields: types.queries,
-			}),
-			mutation: new GraphQLObjectType({
-				name: 'Mutation',
-				fields: types.mutations,
-			}),
-			types: [...types.scalars, ...types.enums, ...types.objects],
-		})
-
-		if (
-			!this.config.isProduction &&
-			process.env.NODE_ENV !== 'test' &&
-			this.config.codegen &&
-			this.config.codegen.enabled &&
-			this.config.codegen.path.length > 0
-		) {
-			await generateCodegen({
-				path: this.config.codegen.path,
-				schema: wabeSchema.schema,
-				graphqlSchema: this.config.graphqlSchema,
-			})
-
-			// If we just want codegen we exit before server created.
-			// Not the best solution but useful to avoid multiple source of truth
-			if (process.env.CODEGEN) process.exit(0)
-		}
-
-		this.server.options(
-			'/*',
-			(ctx) => {
-				return ctx.res.send('OK')
-			},
-			cors(this.config.security?.corsOptions),
-		)
-
-		const rateLimitOptions = this.config.security?.rateLimit
-
-		if (rateLimitOptions) this.server.beforeHandler(rateLimit(rateLimitOptions))
-
-		this.server.beforeHandler(cors(this.config.security?.corsOptions))
-
-		// Set the wabe context
-		this.server.beforeHandler(
-			// @ts-expect-error
-			this.config.authentication?.sessionHandler ||
-				// @ts-expect-error
-				defaultSessionHandler(this),
-		)
-
-		const maxDepth = this.config.security?.maxGraphqlDepth ?? 50
-
-		await this.server.usePlugin(
-			WobeGraphqlYogaPlugin({
-				schema: this.config.graphqlSchema,
-				allowGetRequests: !(this.config.security?.disableGraphQLDashboard ?? false),
-				maskedErrors: this.config.security?.hideSensitiveErrorMessage || this.config.isProduction,
-				allowIntrospection: !(this.config.security?.disableIntrospection ?? false),
-				maxDepth,
-				allowMultipleOperations: true,
-				graphqlEndpoint: '/graphql',
-				plugins: [
-					(() => {
-						const introspectionDisabled = new WeakSet<Request>()
-						return {
-							onRequestParse: ({ request }: { request: Request }) => {
-								if (!(this.config.security?.disableIntrospection ?? false)) return
-								introspectionDisabled.add(request)
-							},
-							onValidate: ({
-								addValidationRule,
-								context,
-							}: {
-								addValidationRule: (rule: unknown) => void
-								context: { request: Request }
-							}) => {
-								if (introspectionDisabled.has(context.request)) {
-									addValidationRule(NoSchemaIntrospectionCustomRule)
-								}
-							},
-						}
-					})(),
-				],
-				context: async (ctx): Promise<WabeContext<T>> => ctx.wabe,
-			}),
-		)
-
-		this.server.listen(this.config.port, ({ port }) => {
-			if (!process.env.TEST) console.log(`Server is running on port ${port}`)
-		})
-
-		// @ts-expect-error
-		await initializeRoles(this)
-	}
-
-	async close() {
-		await this.controllers.database.close()
-		await this.server.stop()
-	}
-}
-
-export { generateCodegen }

package/src/server/interface.ts

@@ -1,11 +0,0 @@
-import type { WobeResponse } from 'wobe'
-import type { Wabe, WabeTypes } from '.'
-
-export interface WabeContext<T extends WabeTypes> {
-	response?: WobeResponse
-	user?: T['types']['User'] | null
-	sessionId?: string | null
-	isRoot: boolean
-	wabe: Wabe<T>
-	isGraphQLCall?: boolean
-}

package/src/server/routes/authHandler.ts

@@ -1,171 +0,0 @@
-import type { Context } from 'wobe'
-import type { WabeContext } from '../interface'
-import { ProviderEnum } from '../../authentication/interface'
-import { getGraphqlClient } from '../../utils/helper'
-import { gql } from 'graphql-request'
-import { Google } from '../../authentication/oauth'
-import { getSessionCookieSameSite } from '../../authentication/cookies'
-import { generateRandomValues } from '../../authentication/oauth/utils'
-import { GitHub } from '../../authentication/oauth/GitHub'
-
-/*
-- Generate code verifier (back)
-- Sent post request to a route on back with code verifier in url (back)
-- Generate code challenge (back)
-- Redirect the user to google auth page with code challenge (back -> front)
-- User sign in with google (front)
-- The user is redirected to the route with the code (front -> back)
-- Get the code from the url (back)
-- Validate and sign in with google provider (back)
-*/
-
-// https://www.rfc-editor.org/rfc/rfc7636#section-4.4 not precise the storage of codeVerifier
-export const oauthHandlerCallback = async (context: Context, wabeContext: WabeContext<any>) => {
-	try {
-		const state = decodeURIComponent(context.query.state || '')
-		const code = decodeURIComponent(context.query.code || '')
-
-		const stateInCookie = context.getCookie('state')
-
-		if (state !== stateInCookie) throw new Error('Authentication failed')
-
-		const codeVerifier = context.getCookie('code_verifier')
-		const provider = context.getCookie('provider')
-
-		const { signInWith } = await getGraphqlClient(wabeContext.wabe.config.port).request<any>(
-			gql`
-				mutation signInWith(
-					$authorizationCode: String!
-					$codeVerifier: String!
-				) {
-					signInWith(
-						input: {
-							authentication: {
-								${provider}: {
-									authorizationCode: $authorizationCode
-									codeVerifier: $codeVerifier
-								}
-							}
-						}
-					){
-						accessToken
-						refreshToken
-					}
-				}
-			`,
-			{
-				authorizationCode: code,
-				codeVerifier,
-			},
-		)
-
-		const { accessToken, refreshToken } = signInWith
-
-		const isCookieSession = !!wabeContext.wabe.config.authentication?.session?.cookieSession
-		const sameSite = getSessionCookieSameSite(wabeContext.wabe.config)
-
-		context.res.setCookie('accessToken', accessToken, {
-			// If cookie session we put httpOnly to true, otherwise the front will need to get it
-			// So we keep it to false
-			httpOnly: isCookieSession,
-			path: '/',
-			maxAge:
-				(wabeContext.wabe.config.authentication?.session?.accessTokenExpiresInMs ||
-					60 * 15 * 1000) / 1000, // 15 minutes in seconds
-			sameSite,
-			secure: true,
-		})
-
-		context.res.setCookie('refreshToken', refreshToken, {
-			// If cookie session we put httpOnly to true, otherwise the front will need to get it
-			// So we keep it to false
-			httpOnly: isCookieSession,
-			path: '/',
-			maxAge:
-				(wabeContext.wabe.config.authentication?.session?.accessTokenExpiresInMs ||
-					60 * 15 * 1000) / 1000, // 15 minutes in seconds
-			sameSite,
-			secure: true,
-		})
-
-		context.redirect(wabeContext.wabe.config.authentication?.successRedirectPath || '/')
-	} catch {
-		context.redirect(wabeContext.wabe.config.authentication?.failureRedirectPath || '/')
-	}
-}
-
-export const authHandler = (
-	context: Context,
-	wabeContext: WabeContext<any>,
-	provider: ProviderEnum,
-) => {
-	if (!wabeContext.wabe.config) throw new Error('Wabe config not found')
-
-	context.res.setCookie('provider', provider, {
-		httpOnly: true,
-		path: '/',
-		maxAge: 60 * 5, // 5 minutes
-		secure: true,
-	})
-
-	switch (provider) {
-		case ProviderEnum.google: {
-			const googleOauth = new Google(wabeContext.wabe.config)
-
-			const state = generateRandomValues()
-			const codeVerifier = generateRandomValues()
-
-			context.res.setCookie('code_verifier', codeVerifier, {
-				httpOnly: true,
-				path: '/',
-				maxAge: 60 * 5, // 5 minutes
-				secure: true,
-			})
-
-			context.res.setCookie('state', state, {
-				httpOnly: true,
-				path: '/',
-				maxAge: 60 * 5, // 5 minutes
-				secure: true,
-			})
-
-			const authorizationURL = googleOauth.createAuthorizationURL(state, codeVerifier, {
-				scopes: ['email'],
-			})
-
-			context.redirect(authorizationURL.toString())
-
-			break
-		}
-		case ProviderEnum.github: {
-			const githubOauth = new GitHub(wabeContext.wabe.config)
-
-			const state = generateRandomValues()
-			const codeVerifier = generateRandomValues()
-
-			context.res.setCookie('code_verifier', codeVerifier, {
-				httpOnly: true,
-				path: '/',
-				maxAge: 60 * 5, // 5 minutes
-				secure: true,
-			})
-
-			context.res.setCookie('state', state, {
-				httpOnly: true,
-				path: '/',
-				maxAge: 60 * 5, // 5 minutes
-				secure: true,
-			})
-
-			const authorizationURL = githubOauth.createAuthorizationURL(state, codeVerifier, {
-				scopes: ['email'],
-			})
-
-			context.redirect(authorizationURL.toString())
-
-			break
-		}
-		default:
-			break
-	}
-}

package/src/server/routes/index.ts

@@ -1,48 +0,0 @@
-import { type WobeHandler, uploadDirectory } from 'wobe'
-import type { ProviderEnum } from '../../authentication/interface'
-import { authHandler, oauthHandlerCallback } from './authHandler'
-import type { WobeCustomContext } from '..'
-
-export interface WabeRoute {
-	method: 'GET' | 'POST' | 'PUT' | 'DELETE'
-	path: string
-	handler: WobeHandler<WobeCustomContext<any>>
-}
-
-export const defaultRoutes = ({
-	devDirectory,
-	enableBucketRoute,
-}: {
-	devDirectory: string
-	enableBucketRoute: boolean
-}): WabeRoute[] => {
-	const routes: WabeRoute[] = [
-		{
-			method: 'GET',
-			path: '/auth/oauth',
-			handler: (context) => {
-				const provider = context.query.provider
-
-				if (!provider) throw new Error('Authentication failed, provider not found')
-
-				// TODO: Maybe check if the value is in the enum
-				return authHandler(context, context.wabe, provider as ProviderEnum)
-			},
-		},
-		{
-			method: 'GET',
-			path: '/auth/oauth/callback',
-			handler: (context) => oauthHandlerCallback(context, context.wabe),
-		},
-	]
-
-	if (enableBucketRoute) {
-		routes.push({
-			method: 'GET',
-			path: '/bucket/:filename',
-			handler: uploadDirectory({ directory: devDirectory }),
-		})
-	}
-
-	return routes
-}

package/src/utils/crypto.test.ts

@@ -1,41 +0,0 @@
-import { describe, expect, it } from 'bun:test'
-import { encryptDeterministicToken, decryptDeterministicToken } from './crypto'
-
-const key = Buffer.alloc(32, 1) // deterministic test key
-
-describe('crypto deterministic token helpers', () => {
-	it('should encrypt and decrypt deterministically with same key', () => {
-		const token = 'my-token'
-		const encrypted = encryptDeterministicToken(token, key)
-		const decrypted = decryptDeterministicToken(encrypted, key)
-
-		expect(decrypted).toBe(token)
-	})
-
-	it('should produce the same ciphertext for the same token/key', () => {
-		const token = 'stable'
-		const enc1 = encryptDeterministicToken(token, key)
-		const enc2 = encryptDeterministicToken(token, key)
-
-		expect(enc1).toBe(enc2)
-	})
-
-	it('should produce different ciphertexts for different tokens', () => {
-		const enc1 = encryptDeterministicToken('a', key)
-		const enc2 = encryptDeterministicToken('b', key)
-
-		expect(enc1).not.toBe(enc2)
-	})
-
-	it('should return null when decrypting with the wrong key', () => {
-		const token = 'secret'
-		const encrypted = encryptDeterministicToken(token, key)
-		const wrongKey = Buffer.alloc(32, 2)
-
-		expect(decryptDeterministicToken(encrypted, wrongKey)).toBeNull()
-	})
-
-	it('should return null on malformed ciphertext', () => {
-		expect(decryptDeterministicToken('bad:format', key)).toBeNull()
-	})
-})

package/src/utils/crypto.ts

@@ -1,105 +0,0 @@
-import { randomBytes, createCipheriv, createDecipheriv, createHmac } from 'node:crypto'
-import { promisify } from 'node:util'
-
-const params = {
-	parallelism: 1,
-	tagLength: 64,
-	memory: 65536,
-	passes: 2,
-}
-
-/*
- * Hash a string with Argon2id and PHC format
- * @return : Returns the PHC format of the hashed text
- */
-export const hashArgon2 = async (text: string) => {
-	if (process.versions.bun) return Bun.password.hash(text, { algorithm: 'argon2id' })
-
-	// Node support
-	const argon2 = promisify(require('node:crypto').argon2)
-
-	const nonce = randomBytes(16)
-
-	const result = await argon2('argon2id', {
-		message: text,
-		nonce,
-		...params,
-	})
-
-	return `$argon2id$v=19$m=${params.memory},t=${params.passes},p=${params.parallelism}$${nonce.toString('base64').replace(/=+$/, '')}$${result.toString('base64').replace(/=+$/, '')}`
-}
-
-/*
- * Verify if a hash matchs with a string
- * @return : Returns true if the password matchs with the hash, false otherwise
- */
-export const verifyArgon2 = async (password: string, hash: string) => {
-	if (process.versions.bun) return Bun.password.verify(password, hash, 'argon2id')
-
-	// Node support
-	const [, algorithm, , paramString, nonceHex, storedHashHex] = hash.split('$')
-
-	const kvPairs = paramString?.split(',')
-	const parsedParams = Object.fromEntries(
-		kvPairs?.map((pair) => {
-			const [key, value] = pair.split('=')
-			return [key, Number.parseInt(value || '', 10)]
-		}) || [],
-	)
-
-	const memory = parsedParams.m
-	const passes = parsedParams.t
-	const parallelism = parsedParams.p
-
-	const newDerived = await promisify(require('node:crypto'))(algorithm, {
-		nonce: Buffer.from(nonceHex || '', 'base64'),
-		parallelism,
-		tagLength: 64,
-		memory,
-		passes,
-		message: password,
-	})
-
-	const isMatch = crypto.timingSafeEqual(
-		Buffer.from(newDerived),
-		Buffer.from(storedHashHex || '', 'base64'),
-	)
-
-	return isMatch
-}
-
-export const isArgon2Hash = (value: string): boolean =>
-	typeof value === 'string' && value.startsWith('$argon2')
-
-/**
- * Deterministic AES-256-GCM encryption for tokens.
- * IV is derived via HMAC-SHA256(key, token) to allow equality checks without storing plaintext.
- * Caller must provide a strong 32-byte key (already derived/hashed).
- */
-export const encryptDeterministicToken = (token: string, key: Buffer): string => {
-	const iv = createHmac('sha256', key).update(token).digest().subarray(0, 12)
-	const cipher = createCipheriv('aes-256-gcm', key, iv)
-	const encrypted = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()])
-	const tag = cipher.getAuthTag()
-	return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`
-}
-
-export const decryptDeterministicToken = (
-	encryptedToken: string | undefined,
-	key: Buffer,
-): string | null => {
-	if (!encryptedToken) return null
-	const [ivHex, tagHex, valueHex] = encryptedToken.split(':')
-	if (!ivHex || !tagHex || !valueHex) return null
-	try {
-		const iv = Buffer.from(ivHex, 'hex')
-		const tag = Buffer.from(tagHex, 'hex')
-		const encryptedValue = Buffer.from(valueHex, 'hex')
-		const decipher = createDecipheriv('aes-256-gcm', key, iv)
-		decipher.setAuthTag(tag)
-		const decrypted = Buffer.concat([decipher.update(encryptedValue), decipher.final()])
-		return decrypted.toString('utf8')
-	} catch {
-		return null
-	}
-}