fix(serve): update authenticator and auth middleware test cases

- update "httpBasicAuthenticator" to change apache-md5 to general md5 for hashing.
- refactor to update "httpBasicAuthenticator" test cases.
- add "simpleTokenAuthenticator" test cases.
- add "passwordFileAuthenticator" test cases.
- update "authMiddleware" to activate authenticator and update test cases.

Author: kokokuo

package.json

@@ -8,7 +8,6 @@
   "private": true,
   "dependencies": {
     "@koa/cors": "^3.3.0",
-    "apache-md5": "^1.1.7",
     "class-validator": "^0.13.2",
     "commander": "^9.4.0",
     "dayjs": "^1.11.2",
@@ -23,6 +22,7 @@
     "koa-router": "^10.1.1",
     "koa2-ratelimit": "^1.1.1",
     "lodash": "^4.17.21",
+    "md5": "^2.3.0",
     "nunjucks": "^3.2.3",
     "openapi3-ts": "^2.0.2",
     "ora": "^5.4.1",
@@ -52,6 +52,7 @@
     "@types/koa2-ratelimit": "^0.9.3",
     "@types/koa__cors": "^3.3.0",
     "@types/lodash": "^4.14.182",
+    "@types/md5": "^2.3.2",
     "@types/node": "16.11.7",
     "@types/supertest": "^2.0.12",
     "@types/uuid": "^8.3.4",
@@ -63,7 +64,6 @@
     "eslint": "~8.12.0",
     "eslint-config-prettier": "8.1.0",
     "from2": "^2.3.0",
-    "is-base64": "^1.1.0",
     "jest": "27.5.1",
     "mongoose": "^6.5.2",
     "nx": "14.0.3",

packages/serve/src/containers/types.ts

@@ -5,8 +5,7 @@ export const TYPES = {
   PaginationTransformer: Symbol.for('PaginationTransformer'),
   Route: Symbol.for('Route'),
   RouteGenerator: Symbol.for('RouteGenerator'),
-  // Authenticator
-  UserAuthOptions: Symbol.for('UserAuthOptions'),
+
   // Application
   AppConfig: Symbol.for('AppConfig'),
   VulcanApplication: Symbol.for('VulcanApplication'),

packages/serve/src/lib/auth/httpBasicAuthenticator.ts

@@ -1,13 +1,14 @@
 import * as fs from 'fs';
 import * as readline from 'readline';
-import md5 from 'apache-md5';
+import * as md5 from 'md5';
 import {
   BaseAuthenticator,
   KoaContext,
   AuthStatus,
   AuthResult,
 } from '@vulcan-sql/serve/models';
 import { VulcanExtensionId, VulcanInternalExtension } from '@vulcan-sql/core';
+import { isEmpty } from 'lodash';
 
 interface AuthUserOptions {
   /* user name */
@@ -16,82 +17,89 @@ interface AuthUserOptions {
   attr: { [field: string]: string | boolean | number };
 }
 
-interface PasswordFileOptions {
+interface HTPasswdFileOptions {
   /** password file path */
   ['path']: string;
   /** each user information */
   ['users']: Array<AuthUserOptions>;
 }
 
-interface TokenListOptions {
+export interface AuthUserListOptions {
   /* user name */
   name: string;
-  /* hashed password by apache md5 */
-  hashPassword: string;
+  /* hashed password by md5 */
+  md5Password: string;
   /* the user attribute which could used after auth successful */
   attr: { [field: string]: string | boolean | number };
 }
 
 export interface BasicOptions {
-  ['password-file']?: PasswordFileOptions;
-  ['token-users']?: Array<TokenListOptions>;
+  ['htpasswd-file']?: HTPasswdFileOptions;
+  ['users-list']?: Array<AuthUserListOptions>;
 }
 
 type UserCredentialsMap = {
   [name: string]: {
-    /* hashed password by apache md5 */
-    hashPassword: string;
+    /* hashed password by md5 */
+    md5Password: string;
     /* the user attribute which could used after auth successful */
     attr: { [field: string]: string | boolean | number };
   };
 };
 
-/** The http basic authenticator  */
-@VulcanInternalExtension()
+/** The http basic authenticator.
+ *
+ *  Able to set user credentials by file path through "htpasswd-file" or list directly in config by "users-list".
+ *  The password must hash by md5 when setting into "htpasswd-file" or "users-list".
+ *
+ *  It authenticate by passing encode base64 {username}:{password} to authorization
+ */
+@VulcanInternalExtension('auth')
 @VulcanExtensionId('basic')
 export class BasicAuthenticator extends BaseAuthenticator<BasicOptions> {
   private usersCredentials: UserCredentialsMap = {};
   private options: BasicOptions = {};
   /** read basic options to initialize and load user credentials */
   public override async onActivate() {
     this.options = (this.getOptions() as BasicOptions) || this.options;
-    // load "token-users" in options
-    for (const option of this.options['token-users'] || []) {
-      const { name, hashPassword, attr } = option;
-      this.isMD5Hashed(hashPassword);
-      this.usersCredentials[name] = { hashPassword, attr };
+    // load "users-list" in options
+    for (const option of this.options['users-list'] || []) {
+      const { name, md5Password, attr } = option;
+      this.usersCredentials[name] = { md5Password, attr };
     }
-    // load "password-file" in options
-    if (!this.options['password-file']) return;
-    const { path, users } = this.options['password-file'];
+    // load "htpasswd-file" in options
+    if (!this.options['htpasswd-file']) return;
+    const { path, users } = this.options['htpasswd-file'];
 
     if (!fs.existsSync(path) || !fs.statSync(path).isFile()) return;
     const reader = readline.createInterface({
       input: fs.createReadStream(path),
     });
-    // username:hashPassword
+    // username:md5Password
     for await (const line of reader) {
       const name = line.split(':')[0] || '';
-      const hashPassword = line.split(':')[1] || '';
-      this.isMD5Hashed(hashPassword);
+      const md5Password = line.split(':')[1] || '';
       // if users exist the same name, add attr to here, or as empty
       this.usersCredentials[name] = {
-        hashPassword,
-        attr: users.find((user) => user.name === name)?.attr || {},
+        md5Password,
+        attr: users?.find((user) => user.name === name)?.attr || {},
       };
     }
   }
 
   public async authenticate(context: KoaContext) {
+    const incorrect = {
+      status: AuthStatus.INCORRECT,
+      type: this.getExtensionId()!,
+    };
+    if (isEmpty(this.options)) return incorrect;
+
     const authRequest = context.request.headers['authorization'];
     if (
       !authRequest ||
       !authRequest.toLowerCase().startsWith(this.getExtensionId()!)
     )
-      return {
-        status: AuthStatus.INCORRECT,
-        type: this.getExtensionId()!,
-      };
+      return incorrect;
 
     // validate request auth token
     const token = authRequest.trim().split(' ')[1];
@@ -117,10 +125,10 @@ export class BasicAuthenticator extends BaseAuthenticator<BasicOptions> {
     // if authenticated, return user data
     if (
       !(username in this.usersCredentials) ||
-      !(md5(password) === this.usersCredentials[username].hashPassword)
+      !(md5(password) === this.usersCredentials[username].md5Password)
     )
       throw new Error(
-        `authenticate user by ${this.getExtensionId()} type failed.`
+        `authenticate user by "${this.getExtensionId()}" type failed.`
       );
 
     return {
@@ -132,9 +140,4 @@ export class BasicAuthenticator extends BaseAuthenticator<BasicOptions> {
       },
     } as AuthResult;
   }
-
-  private isMD5Hashed(value: string) {
-    if (!value.startsWith('$apr1$'))
-      throw new Error(`"${this.getExtensionId()}" type must hash apache md5.`);
-  }
 }

packages/serve/src/lib/auth/passwordFileAuthenticator.ts

@@ -1,75 +1,84 @@
 import * as fs from 'fs';
 import * as readline from 'readline';
+import * as bcrypt from 'bcryptjs';
 import {
   BaseAuthenticator,
   KoaContext,
   AuthStatus,
   AuthResult,
 } from '@vulcan-sql/serve/models';
 import { VulcanExtensionId, VulcanInternalExtension } from '@vulcan-sql/core';
+import { isEmpty } from 'lodash';
 
-interface AuthUserOptions {
+export interface PasswordFileUserOptions {
   /* user name */
   name: string;
   /* the user attribute which could used after auth successful */
   attr: { [field: string]: string | boolean | number };
 }
-export interface PasswordFileOptions {
+interface PasswordFileOptions {
   /** password file path */
-  ['path']: string;
+  ['path']?: string;
   /** each user information */
-  ['users']: Array<AuthUserOptions>;
+  ['users']?: Array<PasswordFileUserOptions>;
 }
 
 type UserCredentialsMap = {
   [name: string]: {
     /* hashed password by bcrypt */
-    hashPassword: string;
+    bcryptPassword: string;
     /* the user attribute which could used after auth successful */
     attr: { [field: string]: string | boolean | number };
   };
 };
 
-/** The password-file authenticator  */
-@VulcanInternalExtension()
+/** The password-file authenticator.
+ *
+ * Setting the password file with {username}:{bcrypt-password} format, we use the bcrypt round 10.
+ * Then authenticate by passing encode base64 {username}:{password} to authorization.
+ */
+@VulcanInternalExtension('auth')
 @VulcanExtensionId('password-file')
 export class PasswordFileAuthenticator extends BaseAuthenticator<PasswordFileOptions> {
   private usersCredentials: UserCredentialsMap = {};
-  private options: PasswordFileOptions = { path: '', users: [] };
+  private options: PasswordFileOptions = {};
 
   /** read password file and users info to initialize user credentials */
   public override async onActivate() {
     this.options = (this.getOptions() as PasswordFileOptions) || this.options;
     const { path, users } = this.options;
-    if (!fs.existsSync(path) || !fs.statSync(path).isFile()) return;
+    if (!path || !fs.existsSync(path) || !fs.statSync(path).isFile()) return;
     const reader = readline.createInterface({
       input: fs.createReadStream(path),
     });
-    // <username>:<hashed-password>
+    // <username>:<bcrypt-password>
     for await (const line of reader) {
       const name = line.split(':')[0] || '';
-      const hashPassword = line.split(':')[1] || '';
-      if (!hashPassword.startsWith('$2y$'))
-        throw new Error(`"${this.getExtensionId()}" type must hash bcrypt.`);
+      const bcryptPassword = line.split(':')[1] || '';
+      if (!isEmpty(bcryptPassword) && !bcryptPassword.startsWith('$2y$'))
+        throw new Error(`"${this.getExtensionId()}" type must bcrypt in file.`);
 
       // if users exist the same name, add attr to here, or as empty
       this.usersCredentials[name] = {
-        hashPassword,
-        attr: users.find((user) => user.name === name)?.attr || {},
+        bcryptPassword,
+        attr: users?.find((user) => user.name === name)?.attr || {},
       };
     }
   }
 
   public async authenticate(context: KoaContext) {
+    const incorrect = {
+      status: AuthStatus.INCORRECT,
+      type: this.getExtensionId()!,
+    };
+    if (isEmpty(this.options)) return incorrect;
+
     const authRequest = context.request.headers['authorization'];
     if (
       !authRequest ||
       !authRequest.toLowerCase().startsWith(this.getExtensionId()!)
     )
-      return {
-        status: AuthStatus.INCORRECT,
-        type: this.getExtensionId()!,
-      };
+      return incorrect;
     // validate request auth token
     const token = authRequest.trim().split(' ')[1];
     const bareToken = Buffer.from(token, 'base64').toString();
@@ -87,15 +96,18 @@ export class PasswordFileAuthenticator extends BaseAuthenticator<PasswordFileOpt
 
   private async verify(baredToken: string) {
     const username = baredToken.split(':')[0] || '';
-    // hashed password in token
-    const hashPassword = baredToken.split(':')[1] || '';
+    // bare password in token
+    const password = baredToken.split(':')[1] || '';
     // if authenticated, return user data
     if (
       !(username in this.usersCredentials) ||
-      !(this.usersCredentials[username].hashPassword === hashPassword)
+      !bcrypt.compareSync(
+        password,
+        this.usersCredentials[username].bcryptPassword
+      )
     )
       throw new Error(
-        `authenticate user by ${this.getExtensionId()} type authentication failed.`
+        `authenticate user by "${this.getExtensionId()}" type failed.`
       );
 
     return {