@blazedpath/commons 0.0.4

package/blz-security/helpers/consts.js

@@ -0,0 +1,229 @@
+/**
+ * @see https://openid.net/specs/openid-connect-core-1_0.html
+ * @description OpenID Connect Core
+ * @version 1.0
+ * @param OP OpenId Provider
+ * @param RP Relying Party (Client)
+ */
+
+/**
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
+ * @description OP configuration document.
+ *
+ */
+const OIDC_DISCOVERY = '/.well-known/openid-configuration'
+
+/**
+ * @description Encrypt with AES the word "BLAZEDPATH" with the same secret key in md5 and the output to be base64.
+ * @argument md5 E6F712AA790EE519C2E39177576CD0F0
+ * @argument output base64
+ */
+const SIGNATURE = 'LSL/e9tVTTK5VovRt9qQgg=='
+/**
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+ * @description Document listing OP endpoint URLs.
+ */
+const METADATA = [
+  {
+    name: 'issuer',
+    description: 'URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'authorization_endpoint',
+    description: 'URL of the OP OAuth 2.0 Authorization Endpoint.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'token_endpoint',
+    description: 'URL of the OP OAuth 2.0 Token Endpoint.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'userinfo_endpoint',
+    description: 'URL of the OP UserInfo Endpoint.',
+    type: 'RECOMMENDED'
+  },
+  {
+    name: 'jwks_uri',
+    description: 'URL of the OP JSON Web Key Set [JWK] document.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'registration_endpoint',
+    description: 'URL of the OP Dynamic Client Registration Endpoint.',
+    type: 'RECOMMENDED'
+  },
+  {
+    name: 'scopes_supported',
+    description: 'JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.',
+    type: 'RECOMMENDED'
+  },
+  {
+    name: 'response_types_supported',
+    description: 'JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'response_modes_supported',
+    description: 'JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'grant_types_supported',
+    description: 'JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'acr_values_supported',
+    description: 'JSON array containing a list of the Authentication Context Class References that this OP supports.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'subject_types_supported',
+    description: 'JSON array containing a list of the Subject Identifier types that this OP supports.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'id_token_signing_alg_values_supported',
+    description: 'JSON array containing a list of the JWS signing algorithms supported by the OP for the ID Token to encode the Claims in a JWT.',
+    type: 'REQUIRED'
+  },
+  {
+    name: 'id_token_encryption_alg_values_supported',
+    description: 'JSON array containing a list of the JWE encryption algorithms supported by the OP for the ID Token to encode the Claims in a JWT.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'id_token_encryption_enc_values_supported',
+    description: 'JSON array containing a list of the JWE encryption algorithms supported by the OP for the ID Token to encode the Claims in a JWT.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'userinfo_signing_alg_values_supported',
+    description: 'JSON array containing a list of the JWS [JWS] signing algorithms [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'userinfo_encryption_alg_values_supported',
+    description: 'JSON array containing a list of the JWE [JWE] encryption algorithms [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT ',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'userinfo_encryption_enc_values_supported',
+    description: 'JSON array containing a list of the JWE encryption algorithms [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'request_object_signing_alg_values_supported',
+    description: 'JSON array containing a list of the JWS signing algorithms supported by the OP for Request Objects.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'request_object_encryption_alg_values_supported',
+    description: 'JSON array containing a list of the JWE encryption algorithms supported by the OP for Request Objects.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'request_object_encryption_enc_values_supported',
+    description: 'JSON array containing a list of the JWE encryption algorithms supported by the OP for Request Objects',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'token_endpoint_auth_methods_supported',
+    description: 'JSON array containing a list of Client Authentication methods supported by this Token Endpoint.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'token_endpoint_auth_signing_alg_values_supported',
+    description: 'JSON array containing a list of the JWS signing algorithms supported by the Token Endpoint for the signature on the JWT.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'display_values_supported',
+    description: 'JSON array containing a list of the display parameter values that the OP supports',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'claim_types_supported',
+    description: 'JSON array containing a list of the Claim Types that the OP supports.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'claims_supported',
+    description: 'JSON array containing a list of the Claim Names of the Claims that the OP may be able to supply values for.',
+    type: 'RECOMMENDED'
+  },
+  {
+    name: 'service_documentation',
+    description: 'URL of a page containing human-readable information that developers might want or need to know when using the OP.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'claims_locales_supported',
+    description: 'Languages and scripts supported for values in Claims being returned.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'ui_locales_supported',
+    description: 'Languages and scripts supported for the user interface.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'claims_parameter_supported',
+    description: 'Boolean value specifying whether the OP supports use of the claims parameter.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'request_parameter_supported',
+    description: 'Boolean value specifying whether the OP supports use of the request parameter.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'request_uri_parameter_supported',
+    description: 'Boolean value specifying whether the OP supports use of the request_uri parameter.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'require_request_uri_registration',
+    description: 'Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'op_policy_uri',
+    description: 'URL that the OP provides to the person registering the Client to read about the OP requirements on how the Relying Party can use the data provided by the OP.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'op_tos_uri',
+    description: 'URL that the OP provides to the person registering the Client to read about OP terms of service',
+    type: 'OPTIONAL'
+  },
+  // @see https://openid.net/specs/openid-connect-session-1_0.html
+  {
+    name: 'check_session_iframe',
+    description: 'URL of an OP iframe that supports cross-origin communications for session state information with the RP Client',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'end_session_endpoint',
+    description: 'OAuth logout URI that the client can use to initiate logout on the server.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'backchannel_logout_supported',
+    description: 'Boolean value specifying whether the OP supports back-channel logout.',
+    type: 'OPTIONAL'
+  },
+  {
+    name: 'backchannel_logout_session_supported',
+    description: 'Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP.',
+    type: 'OPTIONAL'
+  }
+]
+
+module.exports = {
+  METADATA,
+  OIDC_DISCOVERY,
+  SIGNATURE
+}

package/blz-security/helpers/utils.js

@@ -0,0 +1,267 @@
+// const Boxen = require('boxen')
+const Fs = require('fs')
+const Handlebars = require('handlebars')
+const Path = require('path')
+const jsonpath = require('jsonpath')
+// const { startupBoxOptions } = require('../config/global')
+const BlzConfig = require('../../blz-config/index')
+
+const hasTracing = process.env.TRACING || false
+
+/**
+ * @name Template
+ * @description Function to get the template through the key and context data.
+ * @api private
+ * @param {String} key
+ * @param {*} data Context data
+ * @returns {String} Template with html structure.
+ */
+const getTemplate = (key, data) => {
+  let file = Path.join(Path.dirname(__dirname), 'templates', `${key}.html`)
+  if (!Fs.existsSync(file)) {
+    throw new Exception(`The template doesn't exist with the key ${key}`, 'TemplateError', 404)
+  }
+  file = Fs.readFileSync(file, 'utf-8')
+  return Handlebars.compile(file)(data)
+}
+
+/**
+ * @name log
+ * @api private
+ * @Description Event logging function
+ * @param {*} Object with unstructured properties.
+ */
+function log ({ inBox, color, message, withDateTime = false }) {
+  const _time = withDateTime ? `[${new Date().toLocaleString()}]` : ''
+  message = `${_time} ${message}`
+  console.log(message)
+}
+
+/**
+ * @name filePathList
+ * @api private
+ * @description Get list of files with path and folder name recursively.
+ * @param {String} path Absolute path of the folder to be analyzed.
+ * @param {String} folderName Name of the folder to compare recursively to get the files.
+ * @param {[]} listFiles List of files to be added after the recursive search criteria are met.
+ * @returns
+ */
+const filePathList = (path, folderName, listFiles = []) => {
+  if (Fs.existsSync(path)) {
+    if (!Fs.lstatSync(path).isDirectory()) {
+      listFiles.push(path)
+    } else {
+      const folderList = Fs.readdirSync(path).filter((file) => Fs.statSync(Path.join(path, file)).isDirectory())
+      if (folderList && folderList.length > 0) {
+        for (const p in folderList) {
+          const folder = folderList[p]
+          if (folder === folderName) {
+            const files = Fs.readdirSync(Path.join(path, folder)).filter((file) => Fs.statSync(Path.join(path, folder, file)).isFile())
+            files.map((file) => listFiles.push(Path.join(path, folder, file)))
+          }
+          filePathList(Path.join(path, folder), folderName, listFiles)
+        }
+      }
+    }
+  }
+  return listFiles
+}
+
+/**
+ * @name getFullUrl
+ * @api private
+ * @description Get full URL
+ * @param {*} request
+ * @returns
+ */
+const getFullUrl = (request) => {
+  return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
+}
+
+/**
+ * @name getHost
+ * @api private
+ * @description Get host URL
+ * @param {*} request
+ * @returns
+ */
+const getHost = (request) => {
+  // Use the host from the request's raw info (never trust x-forwarded headers here)
+  return request.info.host;
+};
+
+/**
+ * @name getPathname
+ * @api private
+ * @description Get pathname URL
+ * @param {*} request
+ * @returns
+ */
+const getPathname = (request) => {
+  const { pathname } = request.url
+  return pathname
+}
+
+/**
+ * @name getProtocol
+ * @api private
+ * @description Get protocol URL
+ * @param {*} request
+ * @returns
+ */
+const getProtocol = (request) => {
+  return request.server.info.protocol; // usually "http" or "https"
+};
+
+/**
+ * Event tracing
+ * @param {string} logLevel INFO, ERROR or WARN
+ * @param {string} message Log message
+ */
+const trace = (logLevel, message) => {
+  if (process.env.TRACING || hasTracing) {
+    let color = null
+    switch (logLevel) {
+      case 'ERROR': {
+        color = 'red'
+        break
+      }
+      case 'WARN': {
+        color = 'yellow'
+        break
+      }
+      default: {
+        color = 'green'
+      }
+    }
+    if (typeof message === 'object') {
+      Object.entries(message).map((entry) => {
+        if (entry && entry[0] && entry[1]) {
+          log({ message: `${entry[0]}: ${entry[1]}`, withDateTime: true, color })
+        }
+        return entry
+      })
+    } else {
+      log({ message, withDateTime: true, color })
+    }
+  }
+}
+
+const getMappingValues = (data, mappings) => {
+  const values = {}
+  for (const i in mappings) {
+    const mapping = mappings[i]
+    try {
+      let value = jsonpath.query(data, mapping.path)
+      if (mapping.pathIndex !== undefined) {
+        value = value[mapping.pathIndex]
+      }
+      if (mapping.regex) {
+        const regex = new RegExp(mapping.regex)
+        value = regex.exec(value)
+        if (mapping.regexGroup !== undefined) {
+          value = value[mapping.regexGroup]
+        }
+      }
+      if (mapping.split) {
+        value = value.split(mapping.split)
+      }
+      if (mapping.replaceRules) {
+        const replacement = []
+        for (const v in value) {
+          const oldValue = value[v]
+          const rule = mapping.replaceRules.find(x => x.oldValue === oldValue)
+          if (rule) {
+            replacement.push(rule.newValue)
+          }
+        }
+        value = replacement
+      }
+      values[mapping.itemKey] = value
+    } catch (error) {
+      throw new Error(`User info mapping ${JSON.stringify(mapping)} error: ${error}`)
+    }
+  }
+  return values
+}
+
+/**
+ * Handling exceptions
+ * @param {string} message
+ * @param {string} name
+ * @param {integer} code
+ */
+class Exception {
+  constructor(message, name, code) {
+    this.message = message
+    this.name = name
+    this.code = code
+  }
+}
+
+const getTokenTolerance = function (defaultValue = 30) {
+  return parseNumber(process.env.TOKEN_TOLERANCE, defaultValue)
+}
+
+const getRefreshTokenTolerance = function (defaultValue = 0) {
+  return parseNumber(process.env.REFRESH_TOKEN_TOLERANCE, defaultValue)
+}
+
+const parseNumber = function (valueToParse, defaultValueIfNaN) {
+  return valueToParse && !isNaN(valueToParse)
+    ? Number(valueToParse)
+    : defaultValueIfNaN
+}
+
+const getCookieName = function (cookieName = '') {
+  const config = BlzConfig.getConfig() || {}
+  const prefix = (config.authServer && config.authServer.sessionCookiesPrefix) || ''
+  return prefix + cookieName
+}
+
+const errorResponse = function (h, err, defaultCode = 500) {
+  const { code, name, message } = err
+  if (process.env.NODE_ENV === 'production') {
+    trace('ERROR', { name, message })
+    return h.response({ name }).code(parseInt(code) || defaultCode).takeover()
+  } else {
+    return h.response({ name, message }).code(parseInt(code) || defaultCode).takeover()
+  }
+}
+
+const isBase64 = function(str) {
+  if (typeof str !== 'string') return false;
+
+  // Verificás si tiene la forma típica de Base64 (múltiplo de 4, solo caracteres válidos)
+  const base64Regex = /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;
+
+  if (!base64Regex.test(str)) return false;
+
+  try {
+    // Intentás decodificarla
+    const decoded = Buffer.from(str, 'base64').toString('utf8');
+
+    // Verificás que al re-codificar vuelva a ser igual (esto filtra algunas falsos positivos)
+    return Buffer.from(decoded, 'utf8').toString('base64') === str.replace(/=*$/, '');
+  } catch (err) {
+    return false;
+  }
+}
+
+module.exports = {
+  Exception,
+  filePathList,
+  getCookieName,
+  getFullUrl,
+  getHost,
+  getMappingValues,
+  getPathname,
+  getProtocol,
+  getRefreshTokenTolerance,
+  getTemplate,
+  getTokenTolerance,
+  log,
+  trace,
+  errorResponse,
+  isBase64
+}

package/blz-security/implementations/cache.js

@@ -0,0 +1,90 @@
+const { LRUCache } = require('lru-cache')
+const IoRedis = require('ioredis')
+
+class LruCache {
+  constructor () {
+    this._cache = new LRUCache({ max: 500, maxSize: 5000, ttl: 1000 * 60 * 60 * 3, sizeCalculation: (value, key) => { return 1 } })
+  }
+
+  /**
+ * @name set
+ * @api private
+ * @description Maximum age in ms.
+ * @param {*} key key to be cached.
+ * @param {*} value value to be cached.
+ * @param {*} maxAge Maximum age in ms.
+ */
+  async set (key, value, maxAge) {
+    this._cache.set(key, value, maxAge)
+  }
+
+  /**
+ * @name get
+ * @api private
+ * @description Get the value that was cached.
+ * @param {*} key
+ * @returns
+ */
+  async get (key) {
+    return this._cache.get(key)
+  }
+
+  /**
+ * @name del
+ * @api private
+ * @description It was removing the value that was in the cache.
+ * @param {*} key
+ * @returns
+ */
+  async del (key) {
+    this._cache.delete(key)
+  }
+}
+
+class RedisCache {
+  constructor (cnx) {
+    this._cache = new IoRedis(cnx)
+  }
+
+  /**
+ * @name set
+ * @api private
+ * @description Maximum age in ms.
+ * @param {*} key key to be cached.
+ * @param {*} value value to be cached.
+ * @param {*} maxAge Maximum age in ms.
+ */
+  async set (key, value, maxAge) {
+    // https://stackoverflow.com/questions/41237001/nodejs-ioredis-how-to-set-expire-time-for-a-key
+    const _value = JSON.stringify(value)
+    await this._cache.set(key, _value, 'EX', maxAge / 1000)
+  }
+
+  /**
+ * @name get
+ * @api private
+ * @description Get the value that was cached.
+ * @param {*} key
+ * @returns
+ */
+  async get (key) {
+    const _value = await this._cache.get(key)
+    return _value ? JSON.parse(_value) : _value
+  }
+
+  /**
+ * @name del
+ * @api private
+ * @description It was removing the value that was in the cache.
+ * @param {*} key
+ * @returns
+ */
+  async del (key) {
+    await this._cache.del(key)
+  }
+}
+
+module.exports = {
+  RedisCache,
+  LruCache
+}