wabe 0.6.9 → 0.6.11

package/src/server/index.ts

@@ -0,0 +1,334 @@
+import type { DatabaseConfig } from '../database'
+import { DatabaseController } from '../database/DatabaseController'
+import { type EnumInterface, Schema, type SchemaInterface } from '../schema/Schema'
+import { GraphQLError, GraphQLObjectType, GraphQLSchema } from 'graphql'
+import { GraphQLSchema as WabeGraphQLSchema } from '../graphql'
+import type { AuthenticationConfig } from '../authentication/interface'
+import { type WabeRoute, defaultRoutes } from './routes'
+import { type Hook, getDefaultHooks } from '../hooks'
+import { generateCodegen } from './generateCodegen'
+import { defaultAuthenticationMethods } from '../authentication/defaultAuthentication'
+import { Wobe, cors, rateLimit } from 'wobe'
+import type { Context, CorsOptions, RateLimitOptions } from 'wobe'
+import type { WabeContext } from './interface'
+import { initializeRoles } from '../authentication/roles'
+import type { EmailConfig } from '../email'
+import { EmailController } from '../email/EmailController'
+import { FileController } from '../file/FileController'
+import { defaultSessionHandler } from './defaultSessionHandler'
+import type { CronConfig } from '../cron'
+import type { FileConfig } from '../file'
+import { WobeGraphqlYogaPlugin } from 'wobe-graphql-yoga'
+
+type SecurityConfig = {
+	corsOptions?: CorsOptions
+	rateLimit?: RateLimitOptions
+	hideSensitiveErrorMessage?: boolean
+	disableCSRFProtection?: boolean
+	allowIntrospectionInProduction?: boolean
+	maxGraphqlDepth?: number
+}
+
+export * from './interface'
+export * from './routes'
+
+export const defaultRoles = ['DashboardAdmin']
+
+export interface WabeConfig<T extends WabeTypes> {
+	port: number
+	isProduction: boolean
+	hostname?: string
+	security?: SecurityConfig
+	schema?: SchemaInterface<T>
+	graphqlSchema?: GraphQLSchema
+	database: DatabaseConfig<T>
+	codegen?:
+		| {
+				enabled: true
+				path: string
+		  }
+		| { enabled?: false }
+	authentication?: AuthenticationConfig<T>
+	routes?: WabeRoute[]
+	rootKey: string
+	hooks?: Hook<T, any>[]
+	email?: EmailConfig
+	file?: FileConfig<T>
+	crons?: CronConfig<T>
+}
+
+export type WabeTypes = {
+	types: Record<any, any>
+	where: Record<any, any>
+	scalars: string
+	enums: Record<any, any>
+}
+
+export type WobeCustomContext<T extends WabeTypes> = Context & {
+	wabe: WabeContext<T>
+}
+
+type WabeControllers<T extends WabeTypes> = {
+	database: DatabaseController<T>
+	email?: EmailController
+	file?: FileController
+}
+
+export class Wabe<T extends WabeTypes> {
+	public server: Wobe<WobeCustomContext<T>>
+
+	public config: WabeConfig<T>
+	public controllers: WabeControllers<T>
+
+	constructor({
+		isProduction,
+		port,
+		hostname,
+		security,
+		schema,
+		database,
+		authentication,
+		rootKey,
+		codegen,
+		hooks,
+		file,
+		email,
+		routes,
+		crons,
+	}: WabeConfig<T>) {
+		this.config = {
+			isProduction,
+			port,
+			hostname,
+			security,
+			schema,
+			database,
+			codegen,
+			authentication,
+			rootKey,
+			hooks,
+			email,
+			routes,
+			file,
+			crons,
+		}
+
+		this.server = new Wobe<WobeCustomContext<T>>({ hostname }).get('/health', (context) => {
+			context.res.status = 200
+			context.res.send('OK')
+		})
+
+		this.controllers = {
+			database: new DatabaseController<T>(database.adapter),
+			email: email?.adapter ? new EmailController(email.adapter) : undefined,
+			file: file?.adapter ? new FileController(file.adapter, this) : undefined,
+		}
+
+		this.loadCrons()
+		this.loadAuthenticationMethods()
+		this.loadRoleEnum()
+		this.loadRoutes()
+		this.loadHooks()
+	}
+
+	loadCrons() {
+		if (!this.config.crons) return
+
+		const crons = this.config.crons.map((cron) => ({
+			...cron,
+			job: cron.cron(this),
+		}))
+
+		this.config.crons = crons
+	}
+
+	loadRoleEnum() {
+		const roles = [...defaultRoles, ...(this.config.authentication?.roles || [])]
+
+		const roleEnum: EnumInterface = {
+			name: 'RoleEnum',
+			values: roles.reduce(
+				(acc, currentRole) => {
+					acc[currentRole] = currentRole
+					return acc
+				},
+				{} as Record<string, any>,
+			),
+		}
+
+		this.config.schema = {
+			...this.config.schema,
+			enums: [...(this.config.schema?.enums || []), roleEnum],
+		}
+	}
+
+	loadAuthenticationMethods() {
+		this.config.authentication = {
+			...this.config.authentication,
+			customAuthenticationMethods: [
+				...defaultAuthenticationMethods<T>(),
+				...(this.config.authentication?.customAuthenticationMethods || []),
+			],
+		}
+	}
+
+	loadHooks() {
+		if (this.config.hooks?.find((hook) => hook.priority <= 0))
+			throw new Error('Hook priority <= 0 is reserved for internal uses')
+
+		this.config.hooks = [...getDefaultHooks(), ...(this.config.hooks || [])]
+	}
+
+	loadRoutes() {
+		const wabeRoutes = [
+			...defaultRoutes(this.config.file?.devDirectory || `${__dirname}/../../bucket`),
+			...(this.config.routes || []),
+		]
+
+		wabeRoutes.forEach((route) => {
+			const { method } = route
+
+			switch (method) {
+				case 'GET':
+					this.server.get(route.path, route.handler)
+					break
+				case 'POST':
+					this.server.post(route.path, route.handler)
+					break
+				case 'PUT':
+					this.server.put(route.path, route.handler)
+					break
+				case 'DELETE':
+					this.server.delete(route.path, route.handler)
+					break
+				default:
+					throw new Error('Invalid method for default route')
+			}
+		})
+	}
+
+	async start() {
+		if (this.config.authentication?.session && !this.config.authentication.session.jwtSecret)
+			throw new Error('Authentication session requires jwt secret')
+
+		const wabeSchema = new Schema(this.config)
+
+		this.config.schema = wabeSchema.schema
+
+		await this.controllers.database.initializeDatabase(wabeSchema.schema)
+
+		const graphqlSchema = new WabeGraphQLSchema(wabeSchema)
+
+		const types = graphqlSchema.createSchema()
+
+		this.config.graphqlSchema = new GraphQLSchema({
+			query: new GraphQLObjectType({
+				name: 'Query',
+				fields: types.queries,
+			}),
+			mutation: new GraphQLObjectType({
+				name: 'Mutation',
+				fields: types.mutations,
+			}),
+			types: [...types.scalars, ...types.enums, ...types.objects],
+		})
+
+		if (
+			!this.config.isProduction &&
+			process.env.NODE_ENV !== 'test' &&
+			this.config.codegen &&
+			this.config.codegen.enabled &&
+			this.config.codegen.path.length > 0
+		) {
+			await generateCodegen({
+				path: this.config.codegen.path,
+				schema: wabeSchema.schema,
+				graphqlSchema: this.config.graphqlSchema,
+			})
+
+			// If we just want codegen we exit before server created.
+			// Not the best solution but useful to avoid multiple source of truth
+			if (process.env.CODEGEN) process.exit(0)
+		}
+
+		this.server.options(
+			'/*',
+			(ctx) => {
+				return ctx.res.send('OK')
+			},
+			cors(this.config.security?.corsOptions),
+		)
+
+		const rateLimitOptions = this.config.security?.rateLimit
+
+		if (rateLimitOptions) this.server.beforeHandler(rateLimit(rateLimitOptions))
+
+		this.server.beforeHandler(cors(this.config.security?.corsOptions))
+
+		// Set the wabe context
+		this.server.beforeHandler(
+			// @ts-expect-error
+			this.config.authentication?.sessionHandler ||
+				// @ts-expect-error
+				defaultSessionHandler(this),
+		)
+
+		const maxDepth = this.config.security?.maxGraphqlDepth ?? 50
+
+		await this.server.usePlugin(
+			WobeGraphqlYogaPlugin({
+				schema: this.config.graphqlSchema,
+				maskedErrors: this.config.security?.hideSensitiveErrorMessage || this.config.isProduction,
+				allowIntrospection: !!this.config.security?.allowIntrospectionInProduction,
+				maxDepth,
+				allowMultipleOperations: true,
+				graphqlEndpoint: '/graphql',
+				plugins: [
+					{
+						// @ts-expect-error
+						onValidate: ({ addValidationRule }) => {
+							// @ts-expect-error
+							addValidationRule((context) => {
+								return {
+									// @ts-expect-error
+									Field(node) {
+										const introspectionFields = [
+											'__schema',
+											'__type',
+											'__typeKind',
+											'__field',
+											'__inputValue',
+											'__enumValue',
+											'__directive',
+										]
+
+										if (introspectionFields.includes(node.name.value)) {
+											context.reportError(
+												new GraphQLError('GraphQL introspection is not allowed in production'),
+											)
+										}
+									},
+								}
+							})
+						},
+					},
+				],
+				context: async (ctx): Promise<WabeContext<T>> => ctx.wabe,
+			}),
+		)
+
+		this.server.listen(this.config.port, ({ port }) => {
+			if (!process.env.TEST) console.log(`Server is running on port ${port}`)
+		})
+
+		// @ts-expect-error
+		await initializeRoles(this)
+	}
+
+	async close() {
+		await this.controllers.database.close()
+		await this.server.stop()
+	}
+}
+
+export { generateCodegen }

package/src/server/interface.ts

@@ -0,0 +1,11 @@
+import type { WobeResponse } from 'wobe'
+import type { Wabe, WabeTypes } from '.'
+
+export interface WabeContext<T extends WabeTypes> {
+	response?: WobeResponse
+	user?: T['types']['User'] | null
+	sessionId?: string | null
+	isRoot: boolean
+	wabe: Wabe<T>
+	isGraphQLCall?: boolean
+}

package/src/server/routes/authHandler.ts

@@ -0,0 +1,169 @@
+import type { Context } from 'wobe'
+import type { WabeContext } from '../interface'
+import { ProviderEnum } from '../../authentication/interface'
+import { getGraphqlClient } from '../../utils/helper'
+import { gql } from 'graphql-request'
+import { Google } from '../../authentication/oauth'
+import { generateRandomValues } from '../../authentication/oauth/utils'
+import { GitHub } from '../../authentication/oauth/GitHub'
+
+/*
+- Generate code verifier (back)
+- Sent post request to a route on back with code verifier in url (back)
+- Generate code challenge (back)
+- Redirect the user to google auth page with code challenge (back -> front)
+- User sign in with google (front)
+- The user is redirected to the route with the code (front -> back)
+- Get the code from the url (back)
+- Validate and sign in with google provider (back)
+*/
+
+// https://www.rfc-editor.org/rfc/rfc7636#section-4.4 not precise the storage of codeVerifier
+export const oauthHandlerCallback = async (context: Context, wabeContext: WabeContext<any>) => {
+	try {
+		const state = decodeURIComponent(context.query.state || '')
+		const code = decodeURIComponent(context.query.code || '')
+
+		const stateInCookie = context.getCookie('state')
+
+		if (state !== stateInCookie) throw new Error('Authentication failed')
+
+		const codeVerifier = context.getCookie('code_verifier')
+		const provider = context.getCookie('provider')
+
+		const { signInWith } = await getGraphqlClient(wabeContext.wabe.config.port).request<any>(
+			gql`
+				mutation signInWith(
+					$authorizationCode: String!
+					$codeVerifier: String!
+				) {
+					signInWith(
+						input: {
+							authentication: {
+								${provider}: {
+									authorizationCode: $authorizationCode
+									codeVerifier: $codeVerifier
+								}
+							}
+						}
+					){
+						accessToken
+						refreshToken
+					}
+				}
+			`,
+			{
+				authorizationCode: code,
+				codeVerifier,
+			},
+		)
+
+		const { accessToken, refreshToken } = signInWith
+
+		const isCookieSession = !!wabeContext.wabe.config.authentication?.session?.cookieSession
+
+		context.res.setCookie('accessToken', accessToken, {
+			// If cookie session we put httpOnly to true, otherwise the front will need to get it
+			// So we keep it to false
+			httpOnly: isCookieSession,
+			path: '/',
+			maxAge:
+				(wabeContext.wabe.config.authentication?.session?.accessTokenExpiresInMs ||
+					60 * 15 * 1000) / 1000, // 15 minutes in seconds
+			sameSite: 'None',
+			secure: true,
+		})
+
+		context.res.setCookie('refreshToken', refreshToken, {
+			// If cookie session we put httpOnly to true, otherwise the front will need to get it
+			// So we keep it to false
+			httpOnly: isCookieSession,
+			path: '/',
+			maxAge:
+				(wabeContext.wabe.config.authentication?.session?.accessTokenExpiresInMs ||
+					60 * 15 * 1000) / 1000, // 15 minutes in seconds
+			sameSite: 'None',
+			secure: true,
+		})
+
+		context.redirect(wabeContext.wabe.config.authentication?.successRedirectPath || '/')
+	} catch {
+		context.redirect(wabeContext.wabe.config.authentication?.failureRedirectPath || '/')
+	}
+}
+
+export const authHandler = (
+	context: Context,
+	wabeContext: WabeContext<any>,
+	provider: ProviderEnum,
+) => {
+	if (!wabeContext.wabe.config) throw new Error('Wabe config not found')
+
+	context.res.setCookie('provider', provider, {
+		httpOnly: true,
+		path: '/',
+		maxAge: 60 * 5, // 5 minutes
+		secure: true,
+	})
+
+	switch (provider) {
+		case ProviderEnum.google: {
+			const googleOauth = new Google(wabeContext.wabe.config)
+
+			const state = generateRandomValues()
+			const codeVerifier = generateRandomValues()
+
+			context.res.setCookie('code_verifier', codeVerifier, {
+				httpOnly: true,
+				path: '/',
+				maxAge: 60 * 5, // 5 minutes
+				secure: true,
+			})
+
+			context.res.setCookie('state', state, {
+				httpOnly: true,
+				path: '/',
+				maxAge: 60 * 5, // 5 minutes
+				secure: true,
+			})
+
+			const authorizationURL = googleOauth.createAuthorizationURL(state, codeVerifier, {
+				scopes: ['email'],
+			})
+
+			context.redirect(authorizationURL.toString())
+
+			break
+		}
+		case ProviderEnum.github: {
+			const githubOauth = new GitHub(wabeContext.wabe.config)
+
+			const state = generateRandomValues()
+			const codeVerifier = generateRandomValues()
+
+			context.res.setCookie('code_verifier', codeVerifier, {
+				httpOnly: true,
+				path: '/',
+				maxAge: 60 * 5, // 5 minutes
+				secure: true,
+			})
+
+			context.res.setCookie('state', state, {
+				httpOnly: true,
+				path: '/',
+				maxAge: 60 * 5, // 5 minutes
+				secure: true,
+			})
+
+			const authorizationURL = githubOauth.createAuthorizationURL(state, codeVerifier, {
+				scopes: ['email'],
+			})
+
+			context.redirect(authorizationURL.toString())
+
+			break
+		}
+		default:
+			break
+	}
+}

package/src/server/routes/index.ts

@@ -0,0 +1,39 @@
+import { type WobeHandler, uploadDirectory } from 'wobe'
+import type { ProviderEnum } from '../../authentication/interface'
+import { authHandler, oauthHandlerCallback } from './authHandler'
+import type { WobeCustomContext } from '..'
+
+export interface WabeRoute {
+	method: 'GET' | 'POST' | 'PUT' | 'DELETE'
+	path: string
+	handler: WobeHandler<WobeCustomContext<any>>
+}
+
+export const defaultRoutes = (devDirectory: string): WabeRoute[] => {
+	const routes: WabeRoute[] = [
+		{
+			method: 'GET',
+			path: '/auth/oauth',
+			handler: (context) => {
+				const provider = context.query.provider
+
+				if (!provider) throw new Error('Authentication failed, provider not found')
+
+				// TODO: Maybe check if the value is in the enum
+				return authHandler(context, context.wabe, provider as ProviderEnum)
+			},
+		},
+		{
+			method: 'GET',
+			path: '/auth/oauth/callback',
+			handler: (context) => oauthHandlerCallback(context, context.wabe),
+		},
+		{
+			method: 'GET',
+			path: '/bucket/:filename',
+			handler: uploadDirectory({ directory: devDirectory }),
+		},
+	]
+
+	return routes
+}

package/src/utils/crypto.test.ts

@@ -0,0 +1,41 @@
+import { describe, expect, it } from 'bun:test'
+import { encryptDeterministicToken, decryptDeterministicToken } from './crypto'
+
+const key = Buffer.alloc(32, 1) // deterministic test key
+
+describe('crypto deterministic token helpers', () => {
+	it('should encrypt and decrypt deterministically with same key', () => {
+		const token = 'my-token'
+		const encrypted = encryptDeterministicToken(token, key)
+		const decrypted = decryptDeterministicToken(encrypted, key)
+
+		expect(decrypted).toBe(token)
+	})
+
+	it('should produce the same ciphertext for the same token/key', () => {
+		const token = 'stable'
+		const enc1 = encryptDeterministicToken(token, key)
+		const enc2 = encryptDeterministicToken(token, key)
+
+		expect(enc1).toBe(enc2)
+	})
+
+	it('should produce different ciphertexts for different tokens', () => {
+		const enc1 = encryptDeterministicToken('a', key)
+		const enc2 = encryptDeterministicToken('b', key)
+
+		expect(enc1).not.toBe(enc2)
+	})
+
+	it('should return null when decrypting with the wrong key', () => {
+		const token = 'secret'
+		const encrypted = encryptDeterministicToken(token, key)
+		const wrongKey = Buffer.alloc(32, 2)
+
+		expect(decryptDeterministicToken(encrypted, wrongKey)).toBeNull()
+	})
+
+	it('should return null on malformed ciphertext', () => {
+		expect(decryptDeterministicToken('bad:format', key)).toBeNull()
+	})
+})

package/src/utils/crypto.ts

@@ -0,0 +1,105 @@
+import { randomBytes, createCipheriv, createDecipheriv, createHmac } from 'node:crypto'
+import { promisify } from 'node:util'
+
+const params = {
+	parallelism: 1,
+	tagLength: 64,
+	memory: 65536,
+	passes: 2,
+}
+
+/*
+ * Hash a string with Argon2id and PHC format
+ * @return : Returns the PHC format of the hashed text
+ */
+export const hashArgon2 = async (text: string) => {
+	if (process.versions.bun) return Bun.password.hash(text, { algorithm: 'argon2id' })
+
+	// Node support
+	const argon2 = promisify(require('node:crypto').argon2)
+
+	const nonce = randomBytes(16)
+
+	const result = await argon2('argon2id', {
+		message: text,
+		nonce,
+		...params,
+	})
+
+	return `$argon2id$v=19$m=${params.memory},t=${params.passes},p=${params.parallelism}$${nonce.toString('base64').replace(/=+$/, '')}$${result.toString('base64').replace(/=+$/, '')}`
+}
+
+/*
+ * Verify if a hash matchs with a string
+ * @return : Returns true if the password matchs with the hash, false otherwise
+ */
+export const verifyArgon2 = async (password: string, hash: string) => {
+	if (process.versions.bun) return Bun.password.verify(password, hash, 'argon2id')
+
+	// Node support
+	const [, algorithm, , paramString, nonceHex, storedHashHex] = hash.split('$')
+
+	const kvPairs = paramString?.split(',')
+	const parsedParams = Object.fromEntries(
+		kvPairs?.map((pair) => {
+			const [key, value] = pair.split('=')
+			return [key, Number.parseInt(value || '', 10)]
+		}) || [],
+	)
+
+	const memory = parsedParams.m
+	const passes = parsedParams.t
+	const parallelism = parsedParams.p
+
+	const newDerived = await promisify(require('node:crypto'))(algorithm, {
+		nonce: Buffer.from(nonceHex || '', 'base64'),
+		parallelism,
+		tagLength: 64,
+		memory,
+		passes,
+		message: password,
+	})
+
+	const isMatch = crypto.timingSafeEqual(
+		Buffer.from(newDerived),
+		Buffer.from(storedHashHex || '', 'base64'),
+	)
+
+	return isMatch
+}
+
+export const isArgon2Hash = (value: string): boolean =>
+	typeof value === 'string' && value.startsWith('$argon2')
+
+/**
+ * Deterministic AES-256-GCM encryption for tokens.
+ * IV is derived via HMAC-SHA256(key, token) to allow equality checks without storing plaintext.
+ * Caller must provide a strong 32-byte key (already derived/hashed).
+ */
+export const encryptDeterministicToken = (token: string, key: Buffer): string => {
+	const iv = createHmac('sha256', key).update(token).digest().subarray(0, 12)
+	const cipher = createCipheriv('aes-256-gcm', key, iv)
+	const encrypted = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()])
+	const tag = cipher.getAuthTag()
+	return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`
+}
+
+export const decryptDeterministicToken = (
+	encryptedToken: string | undefined,
+	key: Buffer,
+): string | null => {
+	if (!encryptedToken) return null
+	const [ivHex, tagHex, valueHex] = encryptedToken.split(':')
+	if (!ivHex || !tagHex || !valueHex) return null
+	try {
+		const iv = Buffer.from(ivHex, 'hex')
+		const tag = Buffer.from(tagHex, 'hex')
+		const encryptedValue = Buffer.from(valueHex, 'hex')
+		const decipher = createDecipheriv('aes-256-gcm', key, iv)
+		decipher.setAuthTag(tag)
+		const decrypted = Buffer.concat([decipher.update(encryptedValue), decipher.final()])
+		return decrypted.toString('utf8')
+	} catch {
+		return null
+	}
+}