@blazedpath/commons 0.0.4 → 0.0.6

package/blz-security/middleware/HapiServerAzureAd.js

@@ -103,7 +103,7 @@ class HapiServerAzureAd {
 					// To refresh the tokens, Azure uses a silent re authentication
 					const silentRereshTokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenSilent({
 						account: tokenInfo.account, // If token exists in yar. Account should always exist
-						scopes: me.authServerConfig.authServer.scope.split(" ")?? ["user.read"],
+						scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
 					});
 					const obtainedTokens = {};
 					// Check if the silent refresh token was successful
@@ -166,7 +166,7 @@ class HapiServerAzureAd {
 				});
 
 				let userRelog = request.yar.get('userRelog');
-				request.yar.set('pkv',pkce.verifier)
+				request.yar.set('pkv', pkce.verifier)
 				request.yar.commit(h);
 				if (userRelog && request.path !== '/') {
 					return h.redirect('/');
@@ -193,7 +193,7 @@ class HapiServerAzureAd {
 					const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
 						code: authCode,
 						redirectUri: me.getRedirectUri(request, 'auth/callback'),
-						scopes: me.authServerConfig.authServer.scope.split(" ")?? ["user.read"],
+						scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
 						codeVerifier: pkceverifier,
 					});
 					let obtainedTokens = {
@@ -253,7 +253,7 @@ class HapiServerAzureAd {
 					const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
 						code: authCode,
 						redirectUri: me.getRedirectUri(request, 'auth/callback'),
-						scopes: me.authServerConfig.authServer.scope.split(" ")?? ["user.read"],
+						scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
 						codeVerifier: pkceverifier,
 						responseMode: 'form_post'
 					});
@@ -352,6 +352,45 @@ class HapiServerAzureAd {
 				}
 			}
 		})
+
+		hapiServer.route({
+			method: 'GET',
+			path: '/check-authorize',
+			handler: async (request, h) => {
+				try {
+					const resourcePath = request.query.path;
+					const action = request.query.action;
+					const roles = request.query.roles;
+					const domains = request.query.domains;
+					let parsedRoles;
+					if (Array.isArray(roles)) {
+						parsedRoles = roles;
+					} else if (typeof roles === 'string') {
+						parsedRoles = roles.split(',').map(r => r.trim());
+					} else {
+						parsedRoles = [];
+					}
+					let parsedDomains;
+					if (Array.isArray(domains)) {
+						parsedDomains = domains;
+					} else if (typeof domains === 'string') {
+						parsedDomains = domains.split(',').map(d => d.trim());
+					} else {
+						parsedDomains = [];
+					}
+					const result = await securityService.checkAuthorize(
+						resourcePath,
+						action,
+						parsedRoles,
+						parsedDomains
+					);
+					return h.response(JSON.stringify(result)).takeover()
+				} catch (err) {
+					return errorResponse(h, err, 401)
+				}
+			}
+		})
+
 		// /get-user-info
 		hapiServer.route({
 			method: 'GET',
@@ -406,7 +445,7 @@ class HapiServerAzureAd {
 						checkSessionUrl: me.getBaseUrl(request) + 'check-session'
 					})
 					return h.response(content)
-                            .header('Content-Type', 'text/html')
+						.header('Content-Type', 'text/html')
 				} catch (err) {
 					return errorResponse(h, err, 500)
 				}
@@ -426,7 +465,7 @@ class HapiServerAzureAd {
 					// check if token is about to be expired
 					tokenIsExpired.expired = await me.tokenAboutToExpire(tokenInfo.token, 0.5);
 					if (tokenIsExpired.expired) {
-						let params = { 
+						let params = {
 							redirectUri: me.getRedirectUri(request, 'auth/callback'),
 							scopes: me.authServerConfig.authServer.scope.split(" "),
 						}

package/blz-security/middleware/HapiServerKeycloak.js

@@ -101,8 +101,7 @@ class HapiServerKeycloak {
             if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
                 authServer.scope = `openid ${authServer.scope || ''}`
                 authServer.scope.trim();
-            }
-            this.authServerConfig.authServer.scope ? this.authServerConfig.authServer.scope.trim().replace(/\s+/g, '%20') : 'openid';
+            }            
             if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
                 hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
                 hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
@@ -349,6 +348,45 @@ class HapiServerKeycloak {
                 }
             }
         })
+
+        hapiServer.route({
+            method: 'GET',
+            path: '/check-authorize',
+            handler: async (request, h) => {
+              try {
+                const resourcePath = request.query.path;
+                const action = request.query.action;
+                const roles = request.query.roles;
+                const domains = request.query.domains;
+                let parsedRoles;
+                if (Array.isArray(roles)) {
+                  parsedRoles = roles;
+                } else if (typeof roles === 'string') {
+                  parsedRoles = roles.split(',').map(r => r.trim());
+                } else {
+                  parsedRoles = [];
+                }
+                let parsedDomains;
+                if (Array.isArray(domains)) {
+                  parsedDomains = domains;
+                } else if (typeof domains === 'string') {
+                  parsedDomains = domains.split(',').map(d => d.trim());
+                } else {
+                  parsedDomains = [];
+                }
+                const result = await securityService.checkAuthorize(
+                  resourcePath,
+                  action,
+                  parsedRoles,
+                  parsedDomains
+                );
+                return h.response(JSON.stringify(result)).takeover()
+              } catch (err) {
+                return errorResponse(h, err, 401)
+              }
+            }
+          })
+
         // /get-user-info
         hapiServer.route({
             method: 'GET',

package/blz-security/middleware/HapiServerSimToken.js

@@ -123,6 +123,45 @@ class HapiServerSimToken {
                     .code(200)
             }
         })
+
+        hapiServer.route({
+            method: 'GET',
+            path: '/check-authorize',
+            handler: async (request, h) => {
+              try {
+                const resourcePath = request.query.path;
+                const action = request.query.action;
+                const roles = request.query.roles;
+                const domains = request.query.domains;
+                let parsedRoles;
+                if (Array.isArray(roles)) {
+                  parsedRoles = roles;
+                } else if (typeof roles === 'string') {
+                  parsedRoles = roles.split(',').map(r => r.trim());
+                } else {
+                  parsedRoles = [];
+                }
+                let parsedDomains;
+                if (Array.isArray(domains)) {
+                  parsedDomains = domains;
+                } else if (typeof domains === 'string') {
+                  parsedDomains = domains.split(',').map(d => d.trim());
+                } else {
+                  parsedDomains = [];
+                }
+                const result = await securityService.checkAuthorize(
+                  resourcePath,
+                  action,
+                  parsedRoles,
+                  parsedDomains
+                );
+                return h.response(JSON.stringify(result)).takeover()
+              } catch (err) {
+                return errorResponse(h, err, 401)
+              }
+            }
+          })
+
         // /get-user-info
         hapiServer.route({
             path: '/get-user-info',

package/blz-security/middleware/hapi.js

@@ -267,6 +267,46 @@ class Hapi {
         }
       })
 
+      context.route({
+        method: 'GET',
+        path: '/check-authorize',
+        handler: async (request, h) => {
+          try {
+            const resourcePath = request.query.path;
+            const action = request.query.action;
+            const roles = request.query.roles;
+            const domains = request.query.domains;
+            let parsedRoles;
+            if (Array.isArray(roles)) {
+              parsedRoles = roles;
+            } else if (typeof roles === 'string') {
+              parsedRoles = roles.split(',').map(r => r.trim());
+            } else {
+              parsedRoles = [];
+            }
+            let parsedDomains;
+            if (Array.isArray(domains)) {
+              parsedDomains = domains;
+            } else if (typeof domains === 'string') {
+              parsedDomains = domains.split(',').map(d => d.trim());
+            } else {
+              parsedDomains = [];
+            }
+            const result = await securityService.checkAuthorize(
+              resourcePath,
+              action,
+              parsedRoles,
+              parsedDomains
+            );
+            return h.response(JSON.stringify(result)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+
+      
+
       context.route({
         method: 'GET',
         path: '/get-user-info',

package/blz-security/middleware/hapiServer.js

@@ -205,13 +205,7 @@ class HapiServer {
         // By this point, token refresh was already attempted in onPreAuth event, so it redirects to login on unauthorized
         if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback') && !authError) {
           if (this.authServerConfig.authServer.provider=== 'ad-azure') {
-            return h.redirect('/login').takeover();
-            const authUrl = await this.authServerConfig.authServer.msalClient.getAuthCodeUrl({
-               redirectUri: me.getBaseUrl(request) + 'auth/callback',
-               scopes: ['user.read'],
-             });
-       
-             return h.redirect(authUrl);
+            return h.redirect('/login').takeover();            
           }
           // Create the url query string parameters. with a random code verifier, store in yar and get the codeChallenge
           const codeVerifier = crypto.randomBytes(32).toString('base64url');
@@ -312,7 +306,7 @@ class HapiServer {
                   },
                 }
               );
-              if (!tokenResponse.statusText ==='OK') {
+              if (!tokenResponse.statusText =='OK') {
                 throw new Error('Failed to exchange code for tokens');
               }
               obtainedTokens.tokenType = 'Bearer';
@@ -396,6 +390,45 @@ class HapiServer {
           }
         }
       })
+
+      context.route({
+        method: 'GET',
+        path: '/check-authorize',
+        handler: async (request, h) => {
+          try {
+            const resourcePath = request.query.path;
+            const action = request.query.action;
+            const roles = request.query.roles;
+            const domains = request.query.domains;
+            let parsedRoles;
+            if (Array.isArray(roles)) {
+              parsedRoles = roles;
+            } else if (typeof roles === 'string') {
+              parsedRoles = roles.split(',').map(r => r.trim());
+            } else {
+              parsedRoles = [];
+            }
+            let parsedDomains;
+            if (Array.isArray(domains)) {
+              parsedDomains = domains;
+            } else if (typeof domains === 'string') {
+              parsedDomains = domains.split(',').map(d => d.trim());
+            } else {
+              parsedDomains = [];
+            }
+            const result = await securityService.checkAuthorize(
+              resourcePath,
+              action,
+              parsedRoles,
+              parsedDomains
+            );
+            return h.response(JSON.stringify(result)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+      
       // /get-user-info
       hapiServer.route({
         method: 'GET',

package/blz-security/secureUrlService.js

@@ -9,8 +9,8 @@ module.exports = class SecureUrlService {
     validate(url, token, _session_key, timeoutMs) {       
         const path = decodeURIComponent(url.split('?')[0]); 
         if (!token) {
-          this.logger.error(`Token parameter 'tt' is missing in the URL. path:${path}`)
-          throw new Exception("Token parameter 'tt' is missing in the URL.", 'SecureUrlError', 404);
+          this.logger.error(`Token parameter 'sut' is missing in the URL. path:${path}`)
+          throw new Exception("Token parameter 'sut' is missing in the URL.", 'SecureUrlError', 404);
         }
         const session_key = isBase64(_session_key)?atob(_session_key):_session_key    
         const key = `${session_key}${btoa(path)}`;
@@ -26,13 +26,19 @@ module.exports = class SecureUrlService {
         } catch (e) {
           this.logger.error(`Malformed token content. path:${path} error: ${e.message}`)
           throw new Exception("Malformed token content.", 'SecureUrlError', 400);
-        }
-        const timeout = requestTime + timeoutMs
-        const time = Date.now()
-        const isValid = time < timeout && requestTime < time; 
+        }              
+        const now = Date.now();
+        const diff = Math.abs(now - requestTime);
+        const limit = parseInt(timeoutMs, 10);
+        const isValid = diff <= limit;        
         if (!isValid) {
+<<<<<<< HEAD:blazedpath-commons/blz-security/secureUrlService.js
           this.logger.error(`The token has expired. path:${path} timeout:${timeout} time: ${time}`)
           throw new Exception("The token has expired.", 'SecureUrlError', 408);
+=======
+          this.logger.error(`The token has expired. path:${path} requestTime:${requestTime} now: ${now} limit:${limit} diff:${diff}`)
+          throw new Exception("The token has expired.", 'SecureUrlError', 410);
+>>>>>>> develop:blz-commons/private-sources/blz-security/secureUrlService.js
         }        
     }
 

package/blz-security/securityService.js

@@ -406,4 +406,8 @@ module.exports = class SecurityService {
   logUnProtected() {
     this.logger.info('unprotected: ' + JSON.stringify(this.unProtected))
   }
+
+  async checkAuthorize (path, action, roles, domains) {
+    return this.authorizationService.checkAuthorize(path, action, roles, domains)
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blazedpath/commons",
-  "version": "0.0.4",
+  "version": "0.0.6",
   "description": "commos library for blazedpath applications",
   "main": "index.js",
   "types": "dist/index.d.ts",