Code-MCP

import jwt from 'jsonwebtoken'; import bcrypt from 'bcrypt'; import { Request, Response, NextFunction } from 'express'; // ============================================ // Configuration // ============================================ const JWT_SECRET = process.env.JWT_SECRET || 'your-super-secret-key-change-in-production'; const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '24h'; const BCRYPT_ROUNDS = 12; // ============================================ // Types // ============================================ export interface TokenPayload { userId: string; email: string; role: 'user' | 'admin'; } export interface AuthRequest extends Request { user?: TokenPayload; } // ============================================ // Password Hashing // ============================================ export async function hashPassword(password: string): Promise<string> { return bcrypt.hash(password, BCRYPT_ROUNDS); } export async function verifyPassword(password: string, hash: string): Promise<boolean> { return bcrypt.compare(password, hash); } // ============================================ // JWT Token Functions // ============================================ export function generateToken(payload: TokenPayload): string { return jwt.sign(payload, JWT_SECRET, { expiresIn: JWT_EXPIRES_IN }); } export function verifyToken(token: string): TokenPayload | null { try { return jwt.verify(token, JWT_SECRET) as TokenPayload; } catch { return null; } } export function decodeToken(token: string): TokenPayload | null { try { return jwt.decode(token) as TokenPayload; } catch { return null; } } // ============================================ // Middleware // ============================================ export function authMiddleware(req: AuthRequest, res: Response, next: NextFunction) { const authHeader = req.headers.authorization; if (!authHeader?.startsWith('Bearer ')) { return res.status(401).json({ error: 'No token provided' }); } const token = authHeader.split(' ')[1]; const payload = verifyToken(token); if (!payload) { return res.status(401).json({ error: 'Invalid or expired token' }); } req.user = payload; next(); } export function requireRole(...roles: string[]) { return (req: AuthRequest, res: Response, next: NextFunction) => { if (!req.user) { return res.status(401).json({ error: 'Authentication required' }); } if (!roles.includes(req.user.role)) { return res.status(403).json({ error: 'Insufficient permissions' }); } next(); }; } export function optionalAuth(req: AuthRequest, res: Response, next: NextFunction) { const authHeader = req.headers.authorization; if (authHeader?.startsWith('Bearer ')) { const token = authHeader.split(' ')[1]; const payload = verifyToken(token); if (payload) { req.user = payload; } } next(); } // ============================================ // Refresh Token (In-Memory - Use Redis in production) // ============================================ const refreshTokens = new Map<string, { userId: string; expiresAt: Date }>(); export function generateRefreshToken(userId: string): string { const token = Buffer.from(`${userId}-${Date.now()}-${Math.random()}`).toString('base64'); const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days refreshTokens.set(token, { userId, expiresAt }); return token; } export function validateRefreshToken(token: string): string | null { const data = refreshTokens.get(token); if (!data) return null; if (data.expiresAt < new Date()) { refreshTokens.delete(token); return null; } return data.userId; } export function revokeRefreshToken(token: string): void { refreshTokens.delete(token); } // ============================================ // Rate Limiting (Simple In-Memory) // ============================================ const requestCounts = new Map<string, { count: number; resetAt: Date }>(); export function rateLimiter(maxRequests: number, windowMs: number) { return (req: Request, res: Response, next: NextFunction) => { const ip = req.ip || req.socket.remoteAddress || 'unknown'; const now = new Date(); const record = requestCounts.get(ip); if (!record || record.resetAt < now) { requestCounts.set(ip, { count: 1, resetAt: new Date(now.getTime() + windowMs) }); return next(); } if (record.count >= maxRequests) { const retryAfter = Math.ceil((record.resetAt.getTime() - now.getTime()) / 1000); res.set('Retry-After', retryAfter.toString()); return res.status(429).json({ error: 'Too many requests', retryAfter, }); } record.count++; next(); }; } // ============================================ // CSRF Protection // ============================================ const csrfTokens = new Map<string, Date>(); export function generateCsrfToken(): string { const token = Buffer.from(`${Date.now()}-${Math.random()}`).toString('base64'); csrfTokens.set(token, new Date(Date.now() + 3600000)); // 1 hour return token; } export function csrfProtection(req: Request, res: Response, next: NextFunction) { if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) { return next(); } const token = req.headers['x-csrf-token'] as string; if (!token || !csrfTokens.has(token)) { return res.status(403).json({ error: 'Invalid CSRF token' }); } const expiry = csrfTokens.get(token)!; if (expiry < new Date()) { csrfTokens.delete(token); return res.status(403).json({ error: 'CSRF token expired' }); } next(); } // ============================================ // Security Headers Middleware // ============================================ export function securityHeaders(req: Request, res: Response, next: NextFunction) { res.set({ 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'DENY', 'X-XSS-Protection': '1; mode=block', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Content-Security-Policy': "default-src 'self'", }); next(); }