npm - wabe - Versions diffs - 0.6.9 → 0.6.10 - Mend

wabe 0.6.9 → 0.6.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/README.md +138 -32
package/bucket/b.txt +1 -0
package/dev/index.ts +215 -0
package/dist/authentication/Session.d.ts +4 -1
package/dist/authentication/interface.d.ts +16 -0
package/dist/email/interface.d.ts +1 -1
package/dist/graphql/resolvers.d.ts +4 -2
package/dist/hooks/index.d.ts +1 -0
package/dist/index.d.ts +0 -1
package/dist/index.js +8713 -8867
package/dist/server/index.d.ts +4 -2
package/dist/utils/crypto.d.ts +7 -0
package/dist/utils/helper.d.ts +4 -1
package/generated/schema.graphql +16 -14
package/generated/wabe.ts +4 -4
package/package.json +15 -15
package/src/authentication/OTP.test.ts +69 -0
package/src/authentication/OTP.ts +66 -0
package/src/authentication/Session.test.ts +665 -0
package/src/authentication/Session.ts +529 -0
package/src/authentication/defaultAuthentication.ts +214 -0
package/src/authentication/index.ts +3 -0
package/src/authentication/interface.ts +157 -0
package/src/authentication/oauth/GitHub.test.ts +105 -0
package/src/authentication/oauth/GitHub.ts +133 -0
package/src/authentication/oauth/Google.test.ts +105 -0
package/src/authentication/oauth/Google.ts +110 -0
package/src/authentication/oauth/Oauth2Client.test.ts +225 -0
package/src/authentication/oauth/Oauth2Client.ts +140 -0
package/src/authentication/oauth/index.ts +2 -0
package/src/authentication/oauth/utils.test.ts +35 -0
package/src/authentication/oauth/utils.ts +28 -0
package/src/authentication/providers/EmailOTP.test.ts +138 -0
package/src/authentication/providers/EmailOTP.ts +93 -0
package/src/authentication/providers/EmailPassword.test.ts +187 -0
package/src/authentication/providers/EmailPassword.ts +130 -0
package/src/authentication/providers/EmailPasswordSRP.test.ts +206 -0
package/src/authentication/providers/EmailPasswordSRP.ts +184 -0
package/src/authentication/providers/GitHub.ts +30 -0
package/src/authentication/providers/Google.ts +30 -0
package/src/authentication/providers/OAuth.test.ts +185 -0
package/src/authentication/providers/OAuth.ts +112 -0
package/src/authentication/providers/PhonePassword.test.ts +187 -0
package/src/authentication/providers/PhonePassword.ts +129 -0
package/src/authentication/providers/QRCodeOTP.test.ts +79 -0
package/src/authentication/providers/QRCodeOTP.ts +65 -0
package/src/authentication/providers/index.ts +6 -0
package/src/authentication/resolvers/refreshResolver.test.ts +37 -0
package/src/authentication/resolvers/refreshResolver.ts +20 -0
package/src/authentication/resolvers/signInWithResolver.inte.test.ts +59 -0
package/src/authentication/resolvers/signInWithResolver.test.ts +307 -0
package/src/authentication/resolvers/signInWithResolver.ts +102 -0
package/src/authentication/resolvers/signOutResolver.test.ts +41 -0
package/src/authentication/resolvers/signOutResolver.ts +22 -0
package/src/authentication/resolvers/signUpWithResolver.test.ts +186 -0
package/src/authentication/resolvers/signUpWithResolver.ts +69 -0
package/src/authentication/resolvers/verifyChallenge.test.ts +136 -0
package/src/authentication/resolvers/verifyChallenge.ts +69 -0
package/src/authentication/roles.test.ts +59 -0
package/src/authentication/roles.ts +40 -0
package/src/authentication/utils.test.ts +99 -0
package/src/authentication/utils.ts +43 -0
package/src/cache/InMemoryCache.test.ts +62 -0
package/src/cache/InMemoryCache.ts +45 -0
package/src/cron/index.test.ts +17 -0
package/src/cron/index.ts +46 -0
package/src/database/DatabaseController.test.ts +625 -0
package/src/database/DatabaseController.ts +983 -0
package/src/database/index.test.ts +1230 -0
package/src/database/index.ts +9 -0
package/src/database/interface.ts +312 -0
package/src/email/DevAdapter.ts +8 -0
package/src/email/EmailController.test.ts +29 -0
package/src/email/EmailController.ts +13 -0
package/src/email/index.ts +2 -0
package/src/email/interface.ts +36 -0
package/src/email/templates/sendOtpCode.ts +120 -0
package/src/file/FileController.ts +28 -0
package/src/file/FileDevAdapter.ts +54 -0
package/src/file/hookDeleteFile.ts +27 -0
package/src/file/hookReadFile.ts +70 -0
package/src/file/hookUploadFile.ts +53 -0
package/src/file/index.test.ts +979 -0
package/src/file/index.ts +2 -0
package/src/file/interface.ts +42 -0
package/src/graphql/GraphQLSchema.test.ts +4399 -0
package/src/graphql/GraphQLSchema.ts +928 -0
package/src/graphql/index.ts +2 -0
package/src/graphql/parseGraphqlSchema.ts +94 -0
package/src/graphql/parser.test.ts +217 -0
package/src/graphql/parser.ts +566 -0
package/src/graphql/pointerAndRelationFunction.ts +200 -0
package/src/graphql/resolvers.ts +467 -0
package/src/graphql/tests/aggregation.test.ts +1123 -0
package/src/graphql/tests/e2e.test.ts +596 -0
package/src/graphql/tests/scalars.test.ts +250 -0
package/src/graphql/types.ts +219 -0
package/src/hooks/HookObject.test.ts +122 -0
package/src/hooks/HookObject.ts +168 -0
package/src/hooks/authentication.ts +76 -0
package/src/hooks/createUser.test.ts +77 -0
package/src/hooks/createUser.ts +10 -0
package/src/hooks/defaultFields.test.ts +187 -0
package/src/hooks/defaultFields.ts +40 -0
package/src/hooks/deleteSession.test.ts +181 -0
package/src/hooks/deleteSession.ts +20 -0
package/src/hooks/hashFieldHook.test.ts +163 -0
package/src/hooks/hashFieldHook.ts +97 -0
package/src/hooks/index.test.ts +207 -0
package/src/hooks/index.ts +430 -0
package/src/hooks/permissions.test.ts +424 -0
package/src/hooks/permissions.ts +113 -0
package/src/hooks/protected.test.ts +551 -0
package/src/hooks/protected.ts +72 -0
package/src/hooks/searchableFields.test.ts +166 -0
package/src/hooks/searchableFields.ts +98 -0
package/src/hooks/session.test.ts +138 -0
package/src/hooks/session.ts +78 -0
package/src/hooks/setEmail.test.ts +216 -0
package/src/hooks/setEmail.ts +35 -0
package/src/hooks/setupAcl.test.ts +589 -0
package/src/hooks/setupAcl.ts +29 -0
package/src/index.ts +9 -0
package/src/schema/Schema.test.ts +484 -0
package/src/schema/Schema.ts +795 -0
package/src/schema/defaultResolvers.ts +94 -0
package/src/schema/index.ts +1 -0
package/src/schema/resolvers/meResolver.test.ts +62 -0
package/src/schema/resolvers/meResolver.ts +14 -0
package/src/schema/resolvers/newFile.ts +0 -0
package/src/schema/resolvers/resetPassword.test.ts +345 -0
package/src/schema/resolvers/resetPassword.ts +64 -0
package/src/schema/resolvers/sendEmail.test.ts +118 -0
package/src/schema/resolvers/sendEmail.ts +21 -0
package/src/schema/resolvers/sendOtpCode.test.ts +153 -0
package/src/schema/resolvers/sendOtpCode.ts +52 -0
package/src/security.test.ts +3461 -0
package/src/server/defaultSessionHandler.test.ts +66 -0
package/src/server/defaultSessionHandler.ts +115 -0
package/src/server/generateCodegen.ts +476 -0
package/src/server/index.test.ts +552 -0
package/src/server/index.ts +354 -0
package/src/server/interface.ts +11 -0
package/src/server/routes/authHandler.ts +187 -0
package/src/server/routes/index.ts +40 -0
package/src/utils/crypto.test.ts +41 -0
package/src/utils/crypto.ts +121 -0
package/src/utils/export.ts +13 -0
package/src/utils/helper.ts +195 -0
package/src/utils/index.test.ts +11 -0
package/src/utils/index.ts +201 -0
package/src/utils/preload.ts +8 -0
package/src/utils/testHelper.ts +117 -0
package/tsconfig.json +32 -0
package/bunfig.toml +0 -4
package/dist/ai/index.d.ts +0 -1
package/dist/ai/interface.d.ts +0 -9
/package/dist/server/{defaultHandlers.d.ts → defaultSessionHandler.d.ts} +0 -0

package/src/authentication/Session.ts ADDED Viewed

@@ -0,0 +1,529 @@
+import jwt, { verify, type SignOptions } from 'jsonwebtoken'
+import crypto from 'node:crypto'
+import type { WabeContext } from '../server/interface'
+import type { User } from '../../generated/wabe'
+import type { WabeConfig } from '../server'
+import { contextWithRoot } from '../utils/export'
+import type { DevWabeTypes } from '../utils/helper'
+import {
+	encryptDeterministicToken,
+	decryptDeterministicToken,
+} from '../utils/crypto'
+const getJwtSecret = (context: WabeContext<DevWabeTypes>): string => {
+	const secret = context.wabe.config.authentication?.session?.jwtSecret
+	if (!secret) throw new Error('Authentication session requires jwtSecret')
+	return secret
+}
+const safeVerify = (
+	token: string,
+	secret: string,
+	options: Pick<SignOptions, 'audience' | 'issuer'> = {},
+) => {
+	try {
+		return !!verify(token, secret, options)
+	} catch {
+		return false
+	}
+}
+const getTokenSecret = (context: WabeContext<DevWabeTypes>): string =>
+	context.wabe.config.authentication?.session?.tokenSecret ??
+	getJwtSecret(context)
+const getTokenEncryptionKey = (context: WabeContext<DevWabeTypes>) =>
+	crypto.createHash('sha256').update(getTokenSecret(context)).digest()
+const getJwtVerifyOptions = (context: WabeContext<DevWabeTypes>) => {
+	const opts: Pick<SignOptions, 'audience' | 'issuer'> = {}
+	const audience = context.wabe.config.authentication?.session?.jwtAudience
+	const issuer = context.wabe.config.authentication?.session?.jwtIssuer
+	if (audience) opts.audience = audience
+	if (issuer) opts.issuer = issuer
+	return opts
+}
+export class Session {
+	private accessToken: string | undefined = undefined
+	private refreshToken: string | undefined = undefined
+	getAccessTokenExpireAt(config: WabeConfig<DevWabeTypes>) {
+		const customExpiresInMs =
+			config?.authentication?.session?.accessTokenExpiresInMs
+		if (!customExpiresInMs) return new Date(Date.now() + 1000 * 60 * 15) // 15 minutes in ms
+		return new Date(Date.now() + customExpiresInMs)
+	}
+	_getRefreshTokenExpiresInMs(config: WabeConfig<DevWabeTypes>) {
+		const customExpiresInMs =
+			config?.authentication?.session?.refreshTokenExpiresInMs
+		if (!customExpiresInMs) return 1000 * 60 * 60 * 24 * 7 // 7 days in ms
+		return customExpiresInMs
+	}
+	getRefreshTokenExpireAt(config: WabeConfig<DevWabeTypes>) {
+		const expiresInMs = this._getRefreshTokenExpiresInMs(config)
+		return new Date(Date.now() + expiresInMs)
+	}
+	async meFromAccessToken(
+		{ accessToken, csrfToken }: { accessToken: string; csrfToken: string },
+		context: WabeContext<DevWabeTypes>,
+	): Promise<{
+		sessionId: string | null
+		user: User | null
+		accessToken: string | null
+		refreshToken?: string | null
+	}> {
+		const verifyOptions = getJwtVerifyOptions(context)
+		if (!safeVerify(accessToken, getJwtSecret(context), verifyOptions)) {
+			return {
+				sessionId: null,
+				user: null,
+				accessToken: null,
+				refreshToken: null,
+			}
+		}
+		const encryptedAccessToken = encryptDeterministicToken(
+			accessToken,
+			getTokenEncryptionKey(context),
+		)
+		const sessions = await context.wabe.controllers.database.getObjects({
+			className: '_Session',
+			where: {
+				accessTokenEncrypted: { equalTo: encryptedAccessToken },
+				OR: [
+					{
+						accessTokenExpiresAt: {
+							greaterThanOrEqualTo: new Date(),
+						},
+					},
+					{
+						refreshTokenExpiresAt: {
+							greaterThanOrEqualTo: new Date(),
+						},
+					},
+				],
+			},
+			select: {
+				id: true,
+				user: true,
+				accessTokenExpiresAt: true,
+				refreshTokenExpiresAt: true,
+				refreshTokenEncrypted: true,
+			},
+			first: 1,
+			context,
+		})
+		if (sessions.length === 0)
+			return {
+				sessionId: null,
+				user: null,
+				accessToken: null,
+				refreshToken: null,
+			}
+		const session = sessions[0]
+		if (!session || !session?.user)
+			return {
+				sessionId: null,
+				user: null,
+				accessToken: null,
+				refreshToken: null,
+			}
+		// CSRF check only for cookie-based sessions (enabled by default unless explicitly disabled)
+		if (
+			context.wabe.config.authentication?.session?.cookieSession &&
+			context.wabe.config.security?.disableCSRFProtection !== true
+		) {
+			const [receivedHmacHex, receivedRandomValue] = csrfToken.split('.')
+			if (!receivedHmacHex || !receivedRandomValue)
+				return {
+					sessionId: null,
+					user: null,
+					accessToken: null,
+					refreshToken: null,
+				}
+			const currentSessionId = session.id
+			const message = `${currentSessionId.length}!${currentSessionId}!${receivedRandomValue?.length}!${receivedRandomValue}`
+			const csrfSecret =
+				context.wabe.config.authentication?.session?.csrfSecret ||
+				getJwtSecret(context)
+			const expectedHmac = crypto
+				.createHmac('sha256', csrfSecret)
+				.update(message)
+				.digest('hex')
+			const isValid = crypto.timingSafeEqual(
+				Buffer.from(receivedHmacHex || '', 'hex'),
+				Buffer.from(expectedHmac, 'hex'),
+			)
+			if (!isValid)
+				return {
+					sessionId: null,
+					user: null,
+					accessToken: null,
+					refreshToken: null,
+				}
+		}
+		// User check
+		const user = session.user
+		const userWithRole = await context.wabe.controllers.database.getObject({
+			className: 'User',
+			select: {
+				role: true,
+			},
+			context,
+			id: user.id,
+		})
+		// If access token is expired and refresh token is not expired
+		if (
+			new Date(session.accessTokenExpiresAt) < new Date() &&
+			new Date(session.refreshTokenExpiresAt) >= new Date() &&
+			session.refreshTokenEncrypted
+		) {
+			const decryptedRefreshToken = decryptDeterministicToken(
+				session.refreshTokenEncrypted as string,
+				getTokenEncryptionKey(context),
+			)
+			if (!decryptedRefreshToken)
+				return {
+					sessionId: null,
+					user: null,
+					accessToken: null,
+					refreshToken: null,
+				}
+			const { accessToken: newAccessToken, refreshToken: newRefreshToken } =
+				await this.refresh(accessToken, decryptedRefreshToken, context)
+			return {
+				sessionId: session.id,
+				user: {
+					...user,
+					role: userWithRole?.role,
+				},
+				accessToken: newAccessToken,
+				refreshToken: newRefreshToken,
+			}
+		}
+		return {
+			sessionId: session.id,
+			user: {
+				...user,
+				role: userWithRole?.role,
+			},
+			accessToken,
+			refreshToken: decryptDeterministicToken(
+				session.refreshTokenEncrypted as string,
+				getTokenEncryptionKey(context),
+			),
+		}
+	}
+	async create(userId: string, context: WabeContext<DevWabeTypes>) {
+		const jwtTokenFields =
+			context.wabe.config.authentication?.session?.jwtTokenFields
+		const nowSeconds = Math.floor(Date.now() / 1000)
+		const result = jwtTokenFields
+			? await context.wabe.controllers.database.getObject({
+					className: 'User',
+					select: jwtTokenFields,
+					context,
+					id: userId,
+				})
+			: undefined
+		const secretKey = getJwtSecret(context)
+		const signOptions: SignOptions = { jwtid: crypto.randomUUID() }
+		const audience = context.wabe.config.authentication?.session?.jwtAudience
+		const issuer = context.wabe.config.authentication?.session?.jwtIssuer
+		if (audience) signOptions.audience = audience
+		if (issuer) signOptions.issuer = issuer
+		this.accessToken = jwt.sign(
+			{
+				userId,
+				user: result,
+				iat: nowSeconds,
+				exp: Math.floor(
+					this.getAccessTokenExpireAt(context.wabe.config).getTime() / 1000,
+				),
+			},
+			secretKey,
+			signOptions,
+		)
+		this.refreshToken = jwt.sign(
+			{
+				userId,
+				user: result,
+				iat: nowSeconds,
+				exp: Math.floor(
+					this.getRefreshTokenExpireAt(context.wabe.config).getTime() / 1000,
+				),
+			},
+			secretKey,
+			signOptions,
+		)
+		const accessTokenEncrypted = encryptDeterministicToken(
+			this.accessToken,
+			getTokenEncryptionKey(context),
+		)
+		const refreshTokenEncrypted = encryptDeterministicToken(
+			this.refreshToken,
+			getTokenEncryptionKey(context),
+		)
+		const res = await context.wabe.controllers.database.createObject({
+			className: '_Session',
+			context: contextWithRoot(context),
+			data: {
+				accessTokenEncrypted,
+				accessTokenExpiresAt: this.getAccessTokenExpireAt(context.wabe.config),
+				refreshTokenEncrypted,
+				refreshTokenExpiresAt: this.getRefreshTokenExpireAt(
+					context.wabe.config,
+				),
+				user: userId,
+			},
+			select: { id: true },
+		})
+		if (!res) throw new Error('Session not created')
+		const sessionId = res.id
+		const randomValue = crypto.randomBytes(16).toString('hex')
+		const message = `${sessionId.length}!${sessionId}!${randomValue.length}!${randomValue}`
+		const csrfSecret =
+			context.wabe.config.authentication?.session?.csrfSecret || secretKey
+		const hmac = crypto
+			.createHmac('sha256', csrfSecret)
+			.update(message)
+			.digest('hex')
+		const csrfToken = `${hmac}.${randomValue}`
+		return {
+			accessToken: this.accessToken,
+			refreshToken: this.refreshToken,
+			csrfToken,
+			sessionId: res.id,
+		}
+	}
+	async refresh(
+		accessToken: string,
+		refreshToken: string,
+		context: WabeContext<DevWabeTypes>,
+	) {
+		const secretKey = getJwtSecret(context)
+		const verifyOptions = getJwtVerifyOptions(context)
+		if (!safeVerify(accessToken, secretKey, verifyOptions))
+			return {
+				accessToken: null,
+				refreshToken: null,
+			}
+		if (!safeVerify(refreshToken, secretKey, verifyOptions))
+			return {
+				accessToken: null,
+				refreshToken: null,
+			}
+		const accessTokenEncrypted = encryptDeterministicToken(
+			accessToken,
+			getTokenEncryptionKey(context),
+		)
+		const incomingRefreshTokenEncrypted = encryptDeterministicToken(
+			refreshToken,
+			getTokenEncryptionKey(context),
+		)
+		const session = await context.wabe.controllers.database.getObjects({
+			className: '_Session',
+			where: {
+				accessTokenEncrypted: { equalTo: accessTokenEncrypted },
+				refreshTokenEncrypted: { equalTo: incomingRefreshTokenEncrypted },
+			},
+			select: {
+				id: true,
+				user: {
+					id: true,
+					role: {
+						id: true,
+						name: true,
+					},
+				},
+				refreshTokenEncrypted: true,
+				refreshTokenExpiresAt: true,
+			},
+			context: contextWithRoot(context),
+		})
+		if (!session.length)
+			return {
+				accessToken: null,
+				refreshToken: null,
+			}
+		if (!session[0]) throw new Error('Session not found')
+		const {
+			refreshTokenExpiresAt,
+			user,
+			refreshTokenEncrypted: storedRefreshTokenEncrypted,
+			id,
+		} = session[0]
+		if (new Date(refreshTokenExpiresAt) < new Date(Date.now()))
+			throw new Error('Refresh token expired')
+		const decryptedRefreshToken =
+			decryptDeterministicToken(
+				storedRefreshTokenEncrypted,
+				getTokenEncryptionKey(context),
+			) || refreshToken
+		if (!decryptedRefreshToken || decryptedRefreshToken !== refreshToken)
+			throw new Error('Invalid refresh token')
+		// Always rotate tokens on refresh
+		const userId = user?.id
+		if (!userId)
+			return {
+				accessToken: null,
+				refreshToken: null,
+			}
+		const jwtTokenFields =
+			context.wabe.config.authentication?.session?.jwtTokenFields
+		const result = jwtTokenFields
+			? await context.wabe.controllers.database.getObject({
+					className: 'User',
+					select: jwtTokenFields,
+					context,
+					id: userId,
+				})
+			: undefined
+		const nowSeconds = Math.floor(Date.now() / 1000)
+		const signOptions: SignOptions = { jwtid: crypto.randomUUID() }
+		const audience = context.wabe.config.authentication?.session?.jwtAudience
+		const issuer = context.wabe.config.authentication?.session?.jwtIssuer
+		if (audience) signOptions.audience = audience
+		if (issuer) signOptions.issuer = issuer
+		const newAccessToken = jwt.sign(
+			{
+				userId,
+				user: result,
+				iat: nowSeconds,
+				exp: Math.floor(
+					this.getAccessTokenExpireAt(context.wabe.config).getTime() / 1000,
+				),
+			},
+			secretKey,
+			signOptions,
+		)
+		const newRefreshToken = jwt.sign(
+			{
+				userId,
+				user: result,
+				iat: nowSeconds,
+				exp: Math.floor(
+					this.getRefreshTokenExpireAt(context.wabe.config).getTime() / 1000,
+				),
+			},
+			secretKey,
+			signOptions,
+		)
+		const newAccessTokenEncrypted = encryptDeterministicToken(
+			newAccessToken,
+			getTokenEncryptionKey(context),
+		)
+		const newRefreshTokenEncrypted = encryptDeterministicToken(
+			newRefreshToken,
+			getTokenEncryptionKey(context),
+		)
+		await context.wabe.controllers.database.updateObject({
+			className: '_Session',
+			context: contextWithRoot(context),
+			id,
+			data: {
+				accessTokenEncrypted: newAccessTokenEncrypted,
+				accessTokenExpiresAt: this.getAccessTokenExpireAt(context.wabe.config),
+				refreshTokenEncrypted: newRefreshTokenEncrypted,
+				refreshTokenExpiresAt: this.getRefreshTokenExpireAt(
+					context.wabe.config,
+				),
+			},
+			select: {},
+		})
+		return {
+			accessToken: newAccessToken,
+			refreshToken: newRefreshToken,
+		}
+	}
+	async delete(context: WabeContext<DevWabeTypes>) {
+		if (!context.sessionId) return
+		await context.wabe.controllers.database.deleteObject({
+			className: '_Session',
+			context: contextWithRoot(context),
+			id: context.sessionId,
+			select: {},
+		})
+	}
+	_isRefreshTokenExpired(
+		userRefreshTokenExpiresAt: Date,
+		refreshTokenAgeInMs: number,
+	) {
+		const refreshTokenEmittedAt =
+			userRefreshTokenExpiresAt.getTime() - refreshTokenAgeInMs
+		const numberOfMsSinceRefreshTokenEmitted =
+			Date.now() - refreshTokenEmittedAt
+		return numberOfMsSinceRefreshTokenEmitted >= 0.75 * refreshTokenAgeInMs
+	}
+}