Start auth framework

src/auth/Authentication.ts

@@ -0,0 +1,16 @@
+import {Inject, Injectable} from '../di'
+import {Unit} from '../lifecycle/Unit'
+import {Logging} from '../service/Logging'
+
+/**
+ * Unit class that bootstraps the authentication framework.
+ */
+@Injectable()
+export class Authentication extends Unit {
+    @Inject()
+    protected readonly logging!: Logging
+
+    async up(): Promise<void> {
+        this.container()
+    }
+}

src/auth/SecurityContext.ts

@@ -0,0 +1,122 @@
+import {Inject, Injectable} from '../di'
+import {EventBus} from '../event/EventBus'
+import {Awaitable, Maybe} from '../util'
+import {Authenticatable, AuthenticatableRepository} from './types'
+import {UserAuthenticatedEvent} from './event/UserAuthenticatedEvent'
+import {UserFlushedEvent} from './event/UserFlushedEvent'
+
+/**
+ * Base-class for a context that authenticates users and manages security.
+ */
+@Injectable()
+export abstract class SecurityContext {
+    @Inject()
+    protected readonly bus!: EventBus
+
+    /** The currently authenticated user, if one exists. */
+    private authenticatedUser?: Authenticatable
+
+    constructor(
+        /** The repository from which to draw users. */
+        protected readonly repository: AuthenticatableRepository,
+
+        /** The name of this context. */
+        public readonly name: string,
+    ) { }
+
+    /**
+     * Called when the context is created. Can be used by child-classes to do setup work.
+     */
+    initialize(): Awaitable<void> {}  // eslint-disable-line @typescript-eslint/no-empty-function
+
+    /**
+     * Authenticate the given user, without persisting the authentication.
+     * That is, when the lifecycle ends, the user will be unauthenticated implicitly.
+     * @param user
+     */
+    async authenticateOnce(user: Authenticatable): Promise<void> {
+        this.authenticatedUser = user
+        await this.bus.dispatch(new UserAuthenticatedEvent(user, this))
+    }
+
+    /**
+     * Authenticate the given user and persist the authentication.
+     * @param user
+     */
+    async authenticate(user: Authenticatable): Promise<void> {
+        this.authenticatedUser = user
+        await this.persist()
+        await this.bus.dispatch(new UserAuthenticatedEvent(user, this))
+    }
+
+    /**
+     * Attempt to authenticate a user based on their credentials.
+     * If the credentials are valid, the user will be authenticated, but the authentication
+     * will not be persisted. That is, when the lifecycle ends, the user will be
+     * unauthenticated implicitly.
+     * @param credentials
+     */
+    async attemptOnce(credentials: Record<string, string>): Promise<Maybe<Authenticatable>> {
+        const user = await this.repository.getByCredentials(credentials)
+        if ( user ) {
+            await this.authenticateOnce(user)
+            return user
+        }
+    }
+
+    /**
+     * Attempt to authenticate a user based on their credentials.
+     * If the credentials are valid, the user will be authenticated and the
+     * authentication will be persisted.
+     * @param credentials
+     */
+    async attempt(credentials: Record<string, string>): Promise<Maybe<Authenticatable>> {
+        const user = await this.repository.getByCredentials(credentials)
+        if ( user ) {
+            await this.authenticate(user)
+            return user
+        }
+    }
+
+    /**
+     * Unauthenticate the current user, if one exists, but do not persist the change.
+     */
+    async flushOnce(): Promise<void> {
+        const user = this.authenticatedUser
+        if ( user ) {
+            this.authenticatedUser = undefined
+            await this.bus.dispatch(new UserFlushedEvent(user, this))
+        }
+    }
+
+    /**
+     * Unauthenticate the current user, if one exists, and persist the change.
+     */
+    async flush(): Promise<void> {
+        const user = this.authenticatedUser
+        if ( user ) {
+            this.authenticatedUser = undefined
+            await this.persist()
+            await this.bus.dispatch(new UserFlushedEvent(user, this))
+        }
+    }
+
+    /**
+     * Write the current state of the security context to whatever storage
+     * medium the context's host provides.
+     */
+    abstract persist(): Awaitable<void>
+
+    /**
+     * Get the credentials for the current user from whatever storage medium
+     * the context's host provides.
+     */
+    abstract getCredentials(): Awaitable<Record<string, string>>
+
+    /**
+     * Get the currently authenticated user, if one exists.
+     */
+    getUser(): Maybe<Authenticatable> {
+        return this.authenticatedUser
+    }
+}

src/auth/contexts/SessionSecurityContext.ts

@@ -0,0 +1,23 @@
+import {SecurityContext} from '../SecurityContext'
+import {Inject, Injectable} from '../../di'
+import {Session} from '../../http/session/Session'
+import {Awaitable} from '../../util'
+
+/**
+ * Security context implementation that uses the session as storage.
+ */
+@Injectable()
+export class SessionSecurityContext extends SecurityContext {
+    @Inject()
+    protected readonly session!: Session
+
+    getCredentials(): Awaitable<Record<string, string>> {
+        return {
+            securityIdentifier: this.session.get('extollo.auth.securityIdentifier'),
+        }
+    }
+
+    persist(): Awaitable<void> {
+        this.session.set('extollo.auth.securityIdentifier', this.getUser()?.getIdentifier())
+    }
+}

src/auth/event/UserAuthenticatedEvent.ts

@@ -0,0 +1,27 @@
+import {Event} from '../../event/Event'
+import {SecurityContext} from '../SecurityContext'
+import {Awaitable, JSONState} from '../../util'
+import {Authenticatable} from '../types'
+
+/**
+ * Event fired when a user is authenticated.
+ */
+export class UserAuthenticatedEvent extends Event {
+    constructor(
+        public readonly user: Authenticatable,
+        public readonly context: SecurityContext,
+    ) {
+        super()
+    }
+
+    async dehydrate(): Promise<JSONState> {
+        return {
+            user: await this.user.dehydrate(),
+            contextName: this.context.name,
+        }
+    }
+
+    rehydrate(state: JSONState): Awaitable<void> {  // eslint-disable-line @typescript-eslint/no-unused-vars
+        // TODO fill this in
+    }
+}

src/auth/event/UserFlushedEvent.ts

@@ -0,0 +1,27 @@
+import {Event} from '../../event/Event'
+import {SecurityContext} from '../SecurityContext'
+import {Awaitable, JSONState} from '../../util'
+import {Authenticatable} from '../types'
+
+/**
+ * Event fired when a user is unauthenticated.
+ */
+export class UserFlushedEvent extends Event {
+    constructor(
+        public readonly user: Authenticatable,
+        public readonly context: SecurityContext,
+    ) {
+        super()
+    }
+
+    async dehydrate(): Promise<JSONState> {
+        return {
+            user: await this.user.dehydrate(),
+            contextName: this.context.name,
+        }
+    }
+
+    rehydrate(state: JSONState): Awaitable<void> {  // eslint-disable-line @typescript-eslint/no-unused-vars
+        // TODO fill this in
+    }
+}

src/auth/index.ts

@@ -0,0 +1,13 @@
+export * from './types'
+
+export * from './SecurityContext'
+
+export * from './event/UserAuthenticatedEvent'
+export * from './event/UserFlushedEvent'
+
+export * from './contexts/SessionSecurityContext'
+
+export * from './orm/ORMUser'
+export * from './orm/ORMUserRepository'
+
+export * from './Authentication'

src/auth/orm/ORMUser.ts

@@ -0,0 +1,64 @@
+import {Field, FieldType, Model} from '../../orm'
+import {Authenticatable, AuthenticatableIdentifier} from '../types'
+import {Injectable} from '../../di'
+import * as bcrypt from 'bcrypt'
+import {Awaitable, JSONState} from '../../util'
+
+/**
+ * A basic ORM-driven user class.
+ */
+@Injectable()
+export class ORMUser extends Model<ORMUser> implements Authenticatable {
+
+    protected static table = 'users'
+
+    protected static key = 'user_id'
+
+    /** The primary key of the user in the table. */
+    @Field(FieldType.serial, 'user_id')
+    public userId!: number
+
+    /** The unique string-identifier of the user. */
+    @Field(FieldType.varchar)
+    public username!: string
+
+    /** The user's first name. */
+    @Field(FieldType.varchar, 'first_name')
+    public firstName!: string
+
+    /** The user's last name. */
+    @Field(FieldType.varchar, 'last_name')
+    public lastName!: string
+
+    /** The hashed and salted password of the user. */
+    @Field(FieldType.varchar, 'password_hash')
+    public passwordHash!: string
+
+    /** Human-readable display name of the user. */
+    getDisplayIdentifier(): string {
+        return `${this.firstName} ${this.lastName}`
+    }
+
+    /** Unique identifier of the user. */
+    getIdentifier(): AuthenticatableIdentifier {
+        return this.username
+    }
+
+    /** Check if the provided password is valid for the user. */
+    verifyPassword(password: string): Awaitable<boolean> {
+        return bcrypt.compare(password, this.passwordHash)
+    }
+
+    /** Change the user's password, hashing it. */
+    async setPassword(password: string): Promise<void> {
+        this.passwordHash = await bcrypt.hash(password, 10)
+    }
+
+    async dehydrate(): Promise<JSONState> {
+        return this.toQueryRow()
+    }
+
+    async rehydrate(state: JSONState): Promise<void> {
+        await this.assumeFromSource(state)
+    }
+}

src/auth/orm/ORMUserRepository.ts

@@ -0,0 +1,41 @@
+import {Authenticatable, AuthenticatableIdentifier, AuthenticatableRepository} from '../types'
+import {Awaitable, Maybe} from '../../util'
+import {ORMUser} from './ORMUser'
+import {Singleton} from '../../di'
+
+/**
+ * A user repository implementation that looks up users stored in the database.
+ */
+@Singleton()
+export class ORMUserRepository extends AuthenticatableRepository {
+    /** Look up the user by their username. */
+    getByIdentifier(id: AuthenticatableIdentifier): Awaitable<Maybe<Authenticatable>> {
+        return ORMUser.query<ORMUser>()
+            .where('username', '=', id)
+            .first()
+    }
+
+    /**
+     * Try to look up a user by the credentials provided.
+     * If a securityIdentifier is specified, look up the user by username.
+     * If username/password are specified, look up the user and verify the password.
+     * @param credentials
+     */
+    async getByCredentials(credentials: Record<string, string>): Promise<Maybe<Authenticatable>> {
+        if ( credentials.securityIdentifier ) {
+            return ORMUser.query<ORMUser>()
+                .where('username', '=', credentials.securityIdentifier)
+                .first()
+        }
+
+        if ( credentials.username && credentials.password ) {
+            const user = await ORMUser.query<ORMUser>()
+                .where('username', '=', credentials.username)
+                .first()
+
+            if ( user && await user.verifyPassword(credentials.password) ) {
+                return user
+            }
+        }
+    }
+}

src/auth/types.ts

@@ -0,0 +1,36 @@
+import {Awaitable, JSONState, Maybe, Rehydratable} from '../util'
+
+/** Value that can be used to uniquely identify a user. */
+export type AuthenticatableIdentifier = string | number
+
+/**
+ * Base class for entities that can be authenticated.
+ */
+export abstract class Authenticatable implements Rehydratable {
+
+    /** Get the unique identifier of the user. */
+    abstract getIdentifier(): AuthenticatableIdentifier
+
+    /** Get the human-readable identifier of the user. */
+    abstract getDisplayIdentifier(): string
+
+    abstract dehydrate(): Promise<JSONState>
+
+    abstract rehydrate(state: JSONState): Awaitable<void>
+}
+
+/**
+ * Base class for a repository that stores and recalls users.
+ */
+export abstract class AuthenticatableRepository {
+
+    /** Look up the user by their unique identifier. */
+    abstract getByIdentifier(id: AuthenticatableIdentifier): Awaitable<Maybe<Authenticatable>>
+
+    /**
+     * Attempt to look up and verify a user by their credentials.
+     * Returns the user if the credentials are valid.
+     * @param credentials
+     */
+    abstract getByCredentials(credentials: Record<string, string>): Awaitable<Maybe<Authenticatable>>
+}