feat: add authentication utilities and configuration interfaces

Author: pphatdev

src/server/types/user.ts

@@ -0,0 +1,49 @@
+export interface AuthConfig {
+    jwtSecret: string;
+    jwtExpiresIn: string;
+    refreshTokenExpiresIn: string;
+    bcryptRounds: number;
+    maxLoginAttempts: number;
+    lockoutDuration: number; // minutes
+    maxSessionsPerUser: number;
+}
+
+
+export interface User {
+    id: string;
+    username: string;
+    email?: string;
+    password_hash: string;
+    name: string;
+    avatar?: string;
+    role: 'admin' | 'user' | 'viewer';
+    is_active: boolean;
+    failed_login_attempts: number;
+    locked_until?: Date;
+    last_login_at?: Date;
+    password_changed_at?: Date;
+    created_at: Date;
+    updated_at: Date;
+}
+
+export interface Session {
+    id: string;
+    user_id: string;
+    token_hash: string;
+    refresh_token_hash?: string;
+    ip_address?: string;
+    user_agent?: string;
+    is_valid: boolean;
+    expires_at: Date;
+    refresh_expires_at?: Date;
+    created_at: Date;
+    last_used_at: Date;
+}
+
+export interface JwtPayload {
+    userId: string;
+    username: string;
+    role: string;
+    sessionId: string;
+    type: 'access' | 'refresh';
+}

src/server/utils/auth.ts

@@ -0,0 +1,86 @@
+import path from 'path';
+import fs from 'fs-extra';
+import crypto from 'crypto';
+import { AuthConfig } from '../types/user.js';
+import { getDbClient } from './db.js';
+import { Request } from 'express';
+
+export const getAuthConfig = (): AuthConfig => {
+    const envPath = path.join(process.cwd(), 'env.json');
+    let envData: any = {};
+
+    if (fs.existsSync(envPath)) {
+        envData = JSON.parse(fs.readFileSync(envPath, 'utf-8'));
+    }
+
+    const authConfig = envData.auth || {};
+
+    return {
+        jwtSecret: authConfig.jwtSecret || process.env.JWT_SECRET || crypto.randomBytes(64).toString('hex'),
+        jwtExpiresIn: authConfig.jwtExpiresIn || '1h',
+        refreshTokenExpiresIn: authConfig.refreshTokenExpiresIn || '7d',
+        bcryptRounds: authConfig.bcryptRounds || 12,
+        maxLoginAttempts: authConfig.maxLoginAttempts || 5,
+        lockoutDuration: authConfig.lockoutDuration || 15,
+        maxSessionsPerUser: authConfig.maxSessionsPerUser || 5
+    };
+};
+
+
+/**
+ * Hash a token for secure storage
+ */
+export const hashToken = (token: string): string => {
+    return crypto.createHash('sha256').update(token).digest('hex');
+};
+
+
+/**
+ * Get client IP address
+ */
+export const getClientIp = (req: Request): string => {
+    const forwarded = req.headers['x-forwarded-for'];
+    if (typeof forwarded === 'string') {
+        return forwarded.split(',')[0].trim();
+    }
+    return req.ip || req.socket.remoteAddress || 'unknown';
+};
+
+/**
+ * Log audit event
+ */
+export const logAuditEvent = async (
+    userId: string | null,
+    action: string,
+    req: Request,
+    details?: any
+): Promise<void> => {
+    try {
+        const sql = getDbClient();
+        await sql`
+            INSERT INTO auth_audit_log (user_id, action, ip_address, user_agent, details)
+            VALUES (${userId}, ${action}, ${getClientIp(req)}, ${req.headers['user-agent'] || null}, ${details ? JSON.stringify(details) : null})
+        `;
+    } catch (error) {
+        console.error('Failed to log audit event:', error);
+    }
+};
+
+/**
+ * Parse duration string to milliseconds
+ */
+export const parseDuration = (duration: string): number => {
+    const match = duration.match(/^(\d+)([smhd])$/);
+    if (!match) return 3600000; // default 1 hour
+
+    const value = parseInt(match[1]);
+    const unit = match[2];
+
+    switch (unit) {
+        case 's': return value * 1000;
+        case 'm': return value * 60 * 1000;
+        case 'h': return value * 60 * 60 * 1000;
+        case 'd': return value * 24 * 60 * 60 * 1000;
+        default: return 3600000;
+    }
+};