Merge branch 'development'

.github/workflows/tests.yml

@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        cfengine: [ "lucee@5", "adobe@2018", "adobe@2021" ]
+        cfengine: [ "lucee@5", "adobe@2018", "adobe@2021", "adobe@2023" ]
     steps:
       - name: Checkout Repository
         uses: actions/[email protected]

.markdownlint.json

@@ -6,5 +6,6 @@
 	"no-multiple-blanks": {
 		"maximum": 2
 	},
-	"no-inline-html" : false
-}
+	"no-inline-html" : false,
+	"no-hard-tabs" : false
+}

.vscode/settings.json

@@ -9,6 +9,11 @@
 			"logicalPath": "/testbox",
 			"directoryPath": "./testbox",
 			"isPhysicalDirectoryPath" :false
+		},
+		{
+			"logicalPath": "/cbsecurity",
+			"directoryPath": "./modules/cbsecurity",
+			"isPhysicalDirectoryPath" :false
 		}
 	]
 }

box.json

@@ -1,6 +1,6 @@
 {
     "name":"REST APP Template",
-    "version":"7.2.0",
+    "version":"7.3.0",
     "location":"forgeboxStorage",
     "author":"You",
     "slug":"cbtemplate-rest",

changelog.md

@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Vscode mappings for cbsecurity
+- Tons of inline docs for module configurations so newbies can find what they need
+- Leveraging the auth `User` of the `cbsecurity` module, so we can reuse what's already been built.
+
 ## [7.2.0] - 2023-05-19
 
 ### Fixed

config/modules/cbauth.cfc

@@ -1,7 +1,30 @@
 component {
 
+	/**
+	 * Configure CBAuth for operation
+	 * https://cbauth.ortusbooks.com/installation-and-usage#configuration
+	 */
 	function configure(){
-		return { "userServiceClass" : "UserService" };
+		return {
+			/**
+			 *--------------------------------------------------------------------------
+			 * User Service Class
+			 *--------------------------------------------------------------------------
+			 * The user service class to use for authentication which must implement IUserService
+			 * https://cbauth.ortusbooks.com/iuserservice
+			 * The User object that this class returns must implement IUser as well
+			 * https://cbauth.ortusbooks.com/iauthuser
+			 */
+			"userServiceClass" : "UserService",
+			/**
+			 *-------------------------------------------------------------------------
+			 * Storage Classes
+			 *-------------------------------------------------------------------------
+			 * Which storages to use for tracking session and the request scope
+			 */
+			"sessionStorage" : "SessionStorage@cbstorages",
+			"requestStorage" : "RequestStorage@cbstorages"
+		};
 	}
 
 }

config/modules/cbsecurity.cfc

@@ -6,6 +6,8 @@ component {
 			 * --------------------------------------------------------------------------
 			 * Authentication Services
 			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/authentication
+			 *
 			 * Here you will configure which service is in charge of providing authentication for your application.
 			 * By default we leverage the cbauth module which expects you to connect it to a database via your own User Service.
 			 *
@@ -15,15 +17,34 @@ component {
 			 * - custom : Any other service that adheres to our IAuthService interface
 			 */
 			authentication : {
-				// The WireBox ID of the authentication service to use which must adhere to the cbsecurity.interfaces.IAuthService interface.
+				// The WireBox ID of the auth service to use which must adhere to the cbsecurity.interfaces.IAuthService interface.
 				"provider"        : "authenticationService@cbauth",
 				// The name of the variable to use to store an authenticated user in prc scope on all incoming authenticated requests
 				"prcUserVariable" : "oCurrentUser"
 			},
+			/**
+			 * --------------------------------------------------------------------------
+			 * Basic Auth
+			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/basic-auth
+			 *
+			 * If you are using the basicAuth authentication provider, then you can configure it here, else ignore or remove.
+			 */
+			basicAuth : {
+				// Hashing algorithm to use
+				hashAlgorithm  : "SHA-512",
+				// Iterates the number of times the hash is computed to create a more computationally intensive hash.
+				hashIterations : 5,
+				// User storage: The `key` is the username. The value is the user credentials that can include
+				// { roles: "", permissions : "", firstName : "", lastName : "", password : "" }
+				users          : {}
+			},
 			/**
 			 * --------------------------------------------------------------------------
 			 * Firewall Settings
 			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/firewall
+			 *
 			 * The firewall is used to block/check access on incoming requests via security rules or via annotation on handler actions.
 			 * Here you can configure the operation of the firewall and especially what Validator will be in charge of verifying authentication/authorization
 			 * during a matched request.
@@ -69,7 +90,14 @@ component {
 					"provider" : { "source" : "", "properties" : {} }
 				}
 			},
-			// JWT Settings
+			/**
+			 * --------------------------------------------------------------------------
+			 * Json Web Tokens
+			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/jwt
+			 *
+			 * Here you configure how JSON Web Tokens are created, validated and stored.
+			 */
 			jwt : {
 				// The issuer authority for the tokens, placed in the `iss` claim
 				issuer                     : "",
@@ -113,6 +141,8 @@ component {
 			 * --------------------------------------------------------------------------
 			 * Security Headers
 			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/security-headers
+			 *
 			 * This section is the way to configure cbsecurity for header detection, inspection and setting for common
 			 * security exploits like XSS, ClickJacking, Host Spoofing, IP Spoofing, Non SSL usage, HSTS and much more.
 			 */
@@ -181,6 +211,8 @@ component {
 			 * --------------------------------------------------------------------------
 			 * Security Visualizer
 			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/visualizer
+			 *
 			 * This is a debugging panel that when active, a developer can visualize security settings and more.
 			 * You can use the `securityRule` to define what rule you want to use to secure the visualizer but make sure the `secured` flag is turned to true.
 			 * You don't have to specify the `secureList` key, we will do that for you.
@@ -189,6 +221,29 @@ component {
 				"enabled"      : false,
 				"secured"      : false,
 				"securityRule" : {}
+			},
+			/**
+			 * --------------------------------------------------------------------------
+			 * Cross Site Request Forgery (CSRF)
+			 * --------------------------------------------------------------------------
+			 * https://coldbox-security.ortusbooks.com/getting-started/configuration/csrf
+			 *
+			 * This section is the way to configure cbsecurity for CSRF detection and mitigation.
+			 */
+			csrf : {
+				// By default we load up an interceptor that verifies all non-GET incoming requests against the token validations
+				enableAutoVerifier     : false,
+				// A list of events to exclude from csrf verification, regex allowed: e.g. stripe\..*
+				verifyExcludes         : [],
+				// By default, all csrf tokens have a life-span of 30 minutes. After 30 minutes, they expire and we aut-generate new ones.
+				// If you do not want expiring tokens, then set this value to 0
+				rotationTimeout        : 30,
+				// Enable the /cbcsrf/generate endpoint to generate cbcsrf tokens for secured users.
+				enableEndpoint         : false,
+				// The WireBox mapping to use for the CacheStorage
+				cacheStorage           : "CacheStorage@cbstorages",
+				// Enable/Disable the cbAuth login/logout listener in order to rotate keys
+				enableAuthTokenRotator : true
 			}
 		};
 	}

config/modules/cbswagger.cfc

@@ -1,5 +1,9 @@
 component {
 
+	/**
+	 * CBSwagger Configuration
+	 * https://github.com/coldbox-modules/cbswagger
+	 */
 	function configure(){
 		return {
 			// The route prefix to search.  Routes beginning with this prefix will be determined to be api routes

handlers/Auth.cfc

@@ -15,10 +15,11 @@ component extends="coldbox.system.RestHandler" {
 	 * @response    -401     ~auth/login/responses.json##401
 	 */
 	function login( event, rc, prc ){
-		param rc.email    = "";
+		param rc.username = "";
 		param rc.password = "";
 
-		var token = jwtAuth().attempt( rc.email, rc.password );
+		// This can throw a InvalidCredentials exception which is picked up by the REST handler
+		var token = jwtAuth().attempt( rc.username, rc.password );
 
 		event
 			.getResponse()
@@ -37,13 +38,13 @@ component extends="coldbox.system.RestHandler" {
 	 * @response    -400     ~auth/register/responses.json##400
 	 */
 	function register( event, rc, prc ){
-		param rc.fname    = "";
-		param rc.lname    = "";
-		param rc.email    = "";
-		param rc.password = "";
+		param rc.firstName = "";
+		param rc.lastName  = "";
+		param rc.username  = "";
+		param rc.password  = "";
 
 		// Populate, Validate, Create a new user
-		prc.oUser = userService.create( validateOrFail( populateModel( "User" ) ) );
+		prc.oUser = userService.create( populateModel( "User" ).validateOrFail() );
 
 		// Log them in if it was created!
 		event

models/User.cfc

@@ -1,119 +1,31 @@
 /**
  * A user in the system.
- * Implements CBSecurity's : IAuthUser and IJwtSubject interfaces
  *
+ * This user is based off the Auth User included in cbsecurity, which implements already several interfaces and properties.
  * - https://coldbox-security.ortusbooks.com/usage/authentication-services#iauthuser
  * - https://coldbox-security.ortusbooks.com/jwt/jwt-services#jwt-subject-interface
+ *
+ * It also leverages several delegates for Validation, Population, Authentication, Authorization and JWT Subject.
  */
-component accessors="true" {
-
-	/**
-	 * --------------------------------------------------------------------------
-	 * Properties
-	 * --------------------------------------------------------------------------
-	 */
-
-	property name="id"       default="";
-	property name="fname"    default="";
-	property name="lname"    default="";
-	property name="email"    default="";
-	property name="password" default="";
-	property name="permissions" type="array";
-
-	/**
-	 * --------------------------------------------------------------------------
-	 * Mementifier
-	 * --------------------------------------------------------------------------
-	 */
-	this.memento = {
-		defaultIncludes : [ "*" ],
-		defaultExcludes : [],
-		neverInclude    : [ "password" ]
-	};
-
-	/**
-	 * --------------------------------------------------------------------------
-	 * Validation
-	 * --------------------------------------------------------------------------
-	 */
-	this.constraints = {
-		fname    : { required : true },
-		lname    : { required : true },
-		email    : { required : true, type : "email" },
-		password : { required : true }
-	};
+component
+	accessors     ="true"
+	extends       ="cbsecurity.models.auth.User"
+	transientCache="false"
+	delegates     ="
+		Validatable@cbvalidation,
+		Population@cbDelegates,
+		Auth@cbSecurity,
+		Authorizable@cbSecurity,
+		JwtSubject@cbSecurity
+	"
+{
 
 	/**
 	 * Constructor
 	 */
 	function init(){
-		variables.permissions = [];
-
+		super.init();
 		return this;
 	}
 
-	/**
-	 * --------------------------------------------------------------------------
-	 * Authentication/Authorization Methods
-	 * --------------------------------------------------------------------------
-	 */
-
-	/**
-	 * Check if a user is loaded from the db or not
-	 */
-	boolean function isLoaded(){
-		return ( !isNull( variables.id ) && len( variables.id ) );
-	}
-
-	/**
-	 * Verify if the user has one or more of the passed in permissions
-	 *
-	 * @permission One or a list of permissions to check for access
-	 */
-	boolean function hasPermission( required permission ){
-		// If no permissions, then it a default value of true comes in
-		if ( isBoolean( arguments.permission ) && arguments.permission ) {
-			return true;
-		}
-
-		if ( isSimpleValue( arguments.permission ) ) {
-			arguments.permission = listToArray( arguments.permission );
-		}
-
-		return arguments.permission
-			.filter( function( item ){
-				return ( variables.permissions.findNoCase( item ) );
-			} )
-			.len();
-	}
-
-	/**
-	 * Verify if the user has one or more of the passed in roles
-	 *
-	 * @role One or a list of roles to check for access
-	 */
-	boolean function hasRole( required role ){
-		return true;
-	}
-
-	/**
-	 * --------------------------------------------------------------------------
-	 * IJwtSubject Methods
-	 * --------------------------------------------------------------------------
-	 */
-
-	/**
-	 * A struct of custom claims to add to the JWT token
-	 */
-	struct function getJwtCustomClaims(){
-		return {};
-	}
-
-	/**
-	 * This function returns an array of all the scopes that should be attached to the JWT token that will be used for authorization.
-	 */
-	array function getJwtScopes(){
-		return [];
-	}
-
 }