shogun-core
Version:
SHOGUN CORE - Core library for Shogun Ecosystem
345 lines (344 loc) • 16.3 kB
JavaScript
/**
* Challenge-Response Authentication Plugin
*
* Implements a secure two-step authentication flow where the private key
* never leaves the client. Flow:
*
* 1. Client requests a challenge from the server (sends username + password)
* 2. Server verifies password, returns a random challenge string
* 3. Client signs the challenge with its SEA private key
* 4. Server verifies the signature using the stored public key
* 5. Server issues a JWT token on success
*
* Based on the challenge-response pattern from GunAuth.
*/
var __extends = (this && this.__extends) || (function () {
var extendStatics = function (d, b) {
extendStatics = Object.setPrototypeOf ||
({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
return extendStatics(d, b);
};
return function (d, b) {
if (typeof b !== "function" && b !== null)
throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
extendStatics(d, b);
function __() { this.constructor = d; }
d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
};
})();
var __assign = (this && this.__assign) || function () {
__assign = Object.assign || function(t) {
for (var s, i = 1, n = arguments.length; i < n; i++) {
s = arguments[i];
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
t[p] = s[p];
}
return t;
};
return __assign.apply(this, arguments);
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (g && (g = 0, op[0] && (_ = 0)), _) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
var __read = (this && this.__read) || function (o, n) {
var m = typeof Symbol === "function" && o[Symbol.iterator];
if (!m) return o;
var i = m.call(o), r, ar = [], e;
try {
while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
}
catch (error) { e = { error: error }; }
finally {
try {
if (r && !r.done && (m = i["return"])) m.call(i);
}
finally { if (e) throw e.error; }
}
return ar;
};
var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
if (ar || !(i in from)) {
if (!ar) ar = Array.prototype.slice.call(from, 0, i);
ar[i] = from[i];
}
}
return to.concat(ar || Array.prototype.slice.call(from));
};
import { BasePlugin } from '../base.js';
import { PluginCategory } from '../../interfaces/shogun.js';
var ChallengePlugin = /** @class */ (function (_super) {
__extends(ChallengePlugin, _super);
function ChallengePlugin() {
var _this = _super.apply(this, __spreadArray([], __read(arguments), false)) || this;
_this.name = 'challenge';
_this.version = '1.0.0';
_this.description = 'Challenge-response authentication using Gun SEA signatures';
_this._category = PluginCategory.Authentication;
_this.config = {
serverUrl: '',
challengeEndpoint: '/login-challenge',
verifyEndpoint: '/login-verify',
timeout: 10000,
};
return _this;
}
/**
* Configure the challenge plugin
* @param config - Challenge configuration
*/
ChallengePlugin.prototype.configure = function (config) {
this.config = __assign(__assign({}, this.config), config);
};
/**
* Get SEA safely from various sources
*/
ChallengePlugin.prototype.getSEA = function () {
var _a, _b;
var core = this.core;
if (core) {
var sea = (_a = core.db) === null || _a === void 0 ? void 0 : _a.sea;
if (sea)
return sea;
}
if ((_b = globalThis.Gun) === null || _b === void 0 ? void 0 : _b.SEA)
return globalThis.Gun.SEA;
if (globalThis.SEA)
return globalThis.SEA;
return null;
};
/**
* Request an authentication challenge from the server.
*
* @param serverUrl - Base URL of the auth server
* @param username - Username to authenticate as
* @param password - Password for initial server-side verification
* @returns Promise resolving to ChallengeData
* @throws Error if server rejects the request
*/
ChallengePlugin.prototype.requestChallenge = function (serverUrl, username, password) {
return __awaiter(this, void 0, void 0, function () {
var endpoint, url, controller, timeoutId, response, err, result, error_1;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
endpoint = this.config.challengeEndpoint || '/login-challenge';
url = "".concat(serverUrl).concat(endpoint);
controller = new AbortController();
timeoutId = setTimeout(function () { return controller.abort(); }, this.config.timeout || 10000);
_a.label = 1;
case 1:
_a.trys.push([1, 6, , 7]);
return [4 /*yield*/, fetch(url, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ username: username, password: password }),
signal: controller.signal,
})];
case 2:
response = _a.sent();
clearTimeout(timeoutId);
if (!!response.ok) return [3 /*break*/, 4];
return [4 /*yield*/, response
.json()
.catch(function () { return ({ error: 'Request failed' }); })];
case 3:
err = _a.sent();
throw new Error(err.error || "Challenge request failed: ".concat(response.status));
case 4: return [4 /*yield*/, response.json()];
case 5:
result = _a.sent();
if (!result.success) {
throw new Error(result.error || 'Challenge request rejected by server');
}
return [2 /*return*/, {
challengeId: result.challengeId,
challenge: result.challenge,
pub: result.pub,
expiresAt: result.expiresAt,
}];
case 6:
error_1 = _a.sent();
clearTimeout(timeoutId);
if (error_1.name === 'AbortError') {
throw new Error('Challenge request timed out');
}
throw error_1;
case 7: return [2 /*return*/];
}
});
});
};
/**
* Sign a challenge string with the user's SEA private key.
* The private key NEVER leaves the client.
*
* @param challenge - The challenge string to sign
* @param pair - The user's key pair (pub + priv)
* @returns Promise resolving to the signed challenge string
*/
ChallengePlugin.prototype.signChallenge = function (challenge, pair) {
return __awaiter(this, void 0, void 0, function () {
var sea, signed;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
sea = this.getSEA();
if (!sea || !sea.sign) {
throw new Error('SEA not available for challenge signing');
}
return [4 /*yield*/, sea.sign(challenge, pair)];
case 1:
signed = _a.sent();
if (!signed) {
throw new Error('Failed to sign challenge');
}
return [2 /*return*/, signed];
}
});
});
};
/**
* Verify a signed challenge against a public key.
* This is a helper that can be used server-side or for
* local verification in peer-to-peer scenarios.
*
* @param signedChallenge - The signed challenge data
* @param pubKey - The signer's public key
* @param expectedChallenge - The original challenge string
* @returns Promise resolving to true if valid
*/
ChallengePlugin.prototype.verifyChallenge = function (signedChallenge, pubKey, expectedChallenge) {
return __awaiter(this, void 0, void 0, function () {
var sea, verified;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
sea = this.getSEA();
if (!sea || !sea.verify) {
throw new Error('SEA not available for challenge verification');
}
return [4 /*yield*/, sea.verify(signedChallenge, pubKey)];
case 1:
verified = _a.sent();
return [2 /*return*/, verified === expectedChallenge];
}
});
});
};
/**
* Execute the full challenge-response login flow.
*
* 1. Request challenge from server
* 2. Sign challenge locally with private key
* 3. Send signature to server for verification
* 4. Receive auth token on success
*
* @param serverUrl - Base URL of the auth server
* @param username - Username to authenticate as
* @param password - Password for initial verification
* @param pair - The user's key pair
* @returns Promise with authentication result
*/
ChallengePlugin.prototype.login = function (serverUrl, username, password, pair) {
return __awaiter(this, void 0, void 0, function () {
var challengeData, signedChallenge, verifyEndpoint, url, controller_1, timeoutId, response, result, authResult, error_2;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
_a.trys.push([0, 5, , 6]);
return [4 /*yield*/, this.requestChallenge(serverUrl, username, password)];
case 1:
challengeData = _a.sent();
return [4 /*yield*/, this.signChallenge(challengeData.challenge, pair)];
case 2:
signedChallenge = _a.sent();
verifyEndpoint = this.config.verifyEndpoint || '/login-verify';
url = "".concat(serverUrl).concat(verifyEndpoint);
controller_1 = new AbortController();
timeoutId = setTimeout(function () { return controller_1.abort(); }, this.config.timeout || 10000);
return [4 /*yield*/, fetch(url, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
challengeId: challengeData.challengeId,
signedChallenge: signedChallenge,
}),
signal: controller_1.signal,
})];
case 3:
response = _a.sent();
clearTimeout(timeoutId);
return [4 /*yield*/, response.json()];
case 4:
result = _a.sent();
if (!result.success) {
return [2 /*return*/, {
success: false,
error: result.error || 'Challenge verification failed',
}];
}
authResult = {
success: true,
userPub: result.pub,
username: result.username || username,
sessionToken: result.token,
authMethod: 'challenge',
};
// Emit login event if core is available
if (this.core) {
this.core.emit('auth:login', {
userPub: result.pub,
method: 'password',
username: result.username || username,
});
}
return [2 /*return*/, authResult];
case 5:
error_2 = _a.sent();
return [2 /*return*/, {
success: false,
error: error_2.message || 'Challenge-response login failed',
}];
case 6: return [2 /*return*/];
}
});
});
};
return ChallengePlugin;
}(BasePlugin));
export { ChallengePlugin };