@blazedpath/commons 0.0.4

package/blz-security/middleware/HapiServerAzureAd.js

@@ -0,0 +1,641 @@
+/**
+ * @author Blazedpath Team
+ * @implements Protecting all resources through hapi middleware
+ * @description Hapi.js (derived from Http-API) is an open-source Node.js
+ * framework used to build powerful and scalable web applications.
+ * @see https://hapi.dev/api/
+ */
+const Uma = require('../implementations/uma.js')
+const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
+const {
+	Exception,
+	getFullUrl,
+	getHost,
+	getProtocol,
+	getPathname,
+	getTemplate,
+	getTokenTolerance,
+	trace,
+	errorResponse
+} = require('../helpers/utils.js')
+// HapiServer Modules
+const hapiYar = require('@hapi/yar');
+const hapiJwt = require('@hapi/jwt');
+const hapiCookie = require('@hapi/cookie')
+
+// Azure AD rotates keys, so we jwk used to routinly fetch them
+const jwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
+// MS authenticator library
+const {
+	ConfidentialClientApplication
+} = require('@azure/msal-node');
+const crypto = require("crypto"); // FOR PKCE in msal
+const { saveVerifier, getVerifier } = require('../implementations/pkceCacheStore.js');
+
+let securityService = null
+
+// This class is defined to work with Azure AD.
+class HapiServerAzureAd {
+	constructor(openIdConnect, cookiesName, cache) {
+		this.openIdConnect = openIdConnect
+		this.COOKIE_NAMES = cookiesName
+		this.activateTraceApiMethod = false
+		this.queryStringLimit = null;
+		this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
+		this.authServerConfig = null;
+		this.authServerFullLoginUrl = null;
+		// This cache stores locally the jwt token set for refresh and logout.
+		this.cache = cache;
+		// To terminate sessions
+		// This client keeps a refresh of the rotating keys
+		this.clientJwk = null;
+		this.publicKeyFetch = null;
+	}
+
+	async connect(_securityService, hapiServer, config) {
+		this.authServerConfig = config;
+		securityService = _securityService
+		const {
+			authServer,
+			activateTraceApiMethod
+		} = config
+		if (activateTraceApiMethod) {
+			this.activateTraceApiMethod = activateTraceApiMethod
+		}
+		const stateOption = {
+			clearInvalid: true,
+			encoding: 'base64',
+			isSecure: true,
+			isHttpOnly: true,
+			isSameSite: 'Lax',
+			path: '/',
+			strictHeader: true
+		}
+		try {
+			if (authServer.sessionCookiesDomain) {
+				stateOption.domain = authServer.sessionCookiesDomain
+			}
+			stateOption.isHttpOnly = authServer.isHttpOnlyForSessionState ?? false;
+			hapiServer.state(this.COOKIE_NAMES.SESSION_STATE, stateOption);
+			if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
+				authServer.scope = `openid ${authServer.scope || ''}`
+			}
+			if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
+				hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
+				hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
+			}
+		} catch (err) {
+			console.error('ERROR', `Exception ${err.message}`, err)
+			trace('ERROR', err.stack)
+		}
+
+		// Add Plugins
+		this.configurePlugins(hapiServer);
+		// onPreAuth: Here we check if the jwtToken is stored in the yar, refresh, and recompose the authorization header before hapi jwt module auth.
+		// Http protocol does not redirect all headers on a 3XX code.
+		hapiServer.ext('onPreAuth', async (request, h) => {
+			// Retrieve the token from the yar storage
+			let tokenInfo = request.yar.get('jwtToken');
+			if (tokenInfo) {
+				// check if token is about to be expired, if expired, update
+				let aboutToExpire = await me.tokenAboutToExpire(tokenInfo.token, 10);
+				if (aboutToExpire) {
+					// To refresh the tokens, Azure uses a silent re authentication
+					const silentRereshTokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenSilent({
+						account: tokenInfo.account, // If token exists in yar. Account should always exist
+						scopes: me.authServerConfig.authServer.scope.split(" ")?? ["user.read"],
+					});
+					const obtainedTokens = {};
+					// Check if the silent refresh token was successful
+					if (silentRereshTokenResponse && silentRereshTokenResponse.idToken) {
+						obtainedTokens.tokenType = 'Bearer';
+						obtainedTokens.token = silentRereshTokenResponse.idToken;
+						obtainedTokens.tokenSubType = 'id_token';
+						obtainedTokens.account = silentRereshTokenResponse.account;
+						request.yar.set('jwtToken', obtainedTokens);
+						await request.yar.commit(h);
+					} else {
+						// no valid set of tokens has returned, clear the yar storage and continue
+						request.yar.set('userRelog', true);
+						obtainedTokens.account = tokenInfo.account;
+						request.yar.set('jwtToken', obtainedTokens);
+						await request.yar.commit(h);
+						delete request.headers.authorization; // Remove the authorization header
+						return h.continue;
+					}
+				}
+				switch (tokenInfo.tokenType) {
+					case 'Bearer':
+					case 'bearer': {
+						request.headers.authorization = `Bearer ${tokenInfo.token}`;
+						break;
+					}
+					default:
+						break;
+				}
+			}
+			return h.continue;
+		});
+		hapiServer.ext('onPreResponse', async (request, h) => {
+			const response = request.response;
+			// Seek to redirect to login on unauthorize
+			if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback')) {
+				function base64URLEncode(buffer) {
+					return buffer.toString("base64")
+						.replace(/=/g, "")
+						.replace(/\+/g, "-")
+						.replace(/\//g, "_");
+				}
+				function createPKCECodes() {
+					const verifier = base64URLEncode(crypto.randomBytes(32));
+					const challenge = base64URLEncode(crypto.createHash("sha256").update(verifier).digest());
+					return { verifier, challenge };
+				}
+				const pkce = createPKCECodes();
+				// This state id helps keep yar storage for code verifier across responseMode: form_post requests
+				const stateId = crypto.randomBytes(16).toString('hex');
+				saveVerifier(stateId, pkce.verifier);
+
+				const authUrl = await this.authServerConfig.authServer.msalClient.getAuthCodeUrl({
+					redirectUri: me.getRedirectUri(request, 'auth/callback'),
+					scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
+					codeChallenge: pkce.challenge,
+					codeChallengeMethod: "S256",
+					responseMode: 'form_post',
+					state: stateId
+				});
+
+				let userRelog = request.yar.get('userRelog');
+				request.yar.set('pkv',pkce.verifier)
+				request.yar.commit(h);
+				if (userRelog && request.path !== '/') {
+					return h.redirect('/');
+				} else {
+					return h.redirect(authUrl);
+				}
+			}
+			return h.continue;
+		});
+		// GET /auth/callback: Resolves the jwt token on a callback after the login (keycloak/azure)
+		hapiServer.route({
+			method: 'GET',
+			path: '/auth/callback',
+			options: {
+				auth: false, // Disable authentication for this route
+			},
+			handler: async (request, h) => {
+				const authCode = request.query.code;
+				if (!authCode) {
+					return h.response('Authorization code missing').code(400);
+				}
+				try {
+					let pkceverifier = request.yar.get('pkv');
+					const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
+						code: authCode,
+						redirectUri: me.getRedirectUri(request, 'auth/callback'),
+						scopes: me.authServerConfig.authServer.scope.split(" ")?? ["user.read"],
+						codeVerifier: pkceverifier,
+					});
+					let obtainedTokens = {
+						tokenType: 'Bearer',
+						token: tokenResponse.idToken,
+						tokenSubType: 'id_token',
+						account: tokenResponse.account
+					};
+					request.yar.set('jwtToken', obtainedTokens);
+					let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
+					// Set session state
+					const sessionState = request.query.session_state;
+					h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
+
+					// already reloged
+					request.yar.clear('userRelog');
+					// Store the JWT token in the `Authorization` header or a cookie
+					switch (obtainedTokens.tokenType) {
+						case 'Bearer':
+						case 'bearer': {
+							request.yar.set('jwtToken', obtainedTokens);
+							await request.yar.commit(h);
+							return h.redirect(originalUrlPathName);
+						}
+						default: {
+							break;
+						}
+					}
+					await request.yar.commit(h);
+					return h.redirect('/'); // Continue in case no token_type -> no auth header configured
+				} catch (error) {
+					request.yar.reset();
+					await request.yar.commit(h);
+					delete request.headers.authorization; // Remove the authorization header
+					console.error('Failed to obtain jwt token: ', error.response?.data ?? error.message);
+					return h.response('Failed to authenticate').code(500).takeover();
+				}
+			},
+		});
+		// POST /auth/callback: Resolves the jwt token on a callback after the login (keycloak/azure)
+		hapiServer.route({
+			method: 'POST',
+			path: '/auth/callback',
+			options: {
+				auth: false, // Disable authentication for this route
+			},
+			handler: async (request, h) => {
+				const authCode = request.payload.code;
+				if (!authCode) {
+					return h.response('Authorization code missing').code(400);
+				}
+				try {
+					//let pkceverifier = request.yar.get('pkv');
+					const stateId = request.payload.state;
+					//const pkceverifier = request.yar.get(`pkce:${stateId}`);
+					const pkceverifier = getVerifier(stateId)
+					const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
+						code: authCode,
+						redirectUri: me.getRedirectUri(request, 'auth/callback'),
+						scopes: me.authServerConfig.authServer.scope.split(" ")?? ["user.read"],
+						codeVerifier: pkceverifier,
+						responseMode: 'form_post'
+					});
+					let obtainedTokens = {
+						tokenType: 'Bearer',
+						token: tokenResponse.idToken,
+						tokenSubType: 'id_token',
+						account: tokenResponse.account
+					};
+					request.yar.set('jwtToken', obtainedTokens);
+					let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
+					// Set session state
+					const sessionState = request.payload.session_state;
+					if (!sessionState) {
+						return h.response('Session State missing').code(400);
+					}
+					h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
+
+
+					// already reloged
+					request.yar.clear('userRelog');
+					// Store the JWT token in the `Authorization` header or a cookie
+					switch (obtainedTokens.tokenType) {
+						case 'Bearer':
+						case 'bearer': {
+							request.yar.set('jwtToken', obtainedTokens);
+							await request.yar.commit(h);
+							return h.redirect(originalUrlPathName);
+						}
+						default: {
+							break;
+						}
+					}
+					await request.yar.commit(h);
+					return h.redirect('/'); // Continue in case no token_type -> no auth header configured
+				} catch (error) {
+					request.yar.reset();
+					await request.yar.commit(h);
+					delete request.headers.authorization; // Remove the authorization header
+					console.error('Failed to obtain jwt token: ', error.response?.data ?? error.message);
+					return h.response('Failed to authenticate').code(500).takeover();
+				}
+			},
+		});
+		const me = this
+		// /get-authorization
+		hapiServer.route({
+			method: 'GET',
+			path: '/get-authorization',
+			handler: async (request, h) => {
+				try {
+					const {
+						session_state: ckSessionState
+					} = request.state
+					if (!ckSessionState) {
+						throw new Exception("Azure get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
+					}
+					const tokenSet = await me.openIdConnect.tokenSet()
+					const tokens = await tokenSet.tokens(ckSessionState)
+					const uma = await Uma.permission()
+					const token = await uma.ticket({
+						tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl,
+						token: tokens.access_token,
+						audience: authServer.clientId
+					})
+					const sourceData = Jsonwebtoken.decode(token.access_token)
+					return h.response(JSON.stringify(sourceData.authorization)).takeover()
+				} catch (err) {
+					return errorResponse(h, err, 401)
+				}
+			}
+		})
+		// /get-security-rules
+		hapiServer.route({
+			method: 'GET',
+			path: '/get-security-rules',
+			handler: async (request, h) => {
+				try {
+					const securityRules = await securityService.getFrontendSecurityRules(request)
+					return h.response(JSON.stringify(securityRules)).takeover()
+				} catch (err) {
+					return errorResponse(h, err, 401)
+				}
+			}
+		})
+		// /get-permissions
+		hapiServer.route({
+			method: 'GET',
+			path: '/get-permissions',
+			handler: async (request, h) => {
+				try {
+					const permissions = await securityService.getPermissions()
+					return h.response(JSON.stringify(permissions)).takeover()
+				} catch (err) {
+					return errorResponse(h, err, 401)
+				}
+			}
+		})
+		// /get-user-info
+		hapiServer.route({
+			method: 'GET',
+			path: '/get-user-info',
+			handler: async (request, h) => {
+				try {
+					const userInfo = await securityService.getUserInfo(request)
+					return h
+						.response(JSON.stringify(userInfo))
+						.takeover()
+				} catch (err) {
+					return errorResponse(h, err, 500)
+				}
+			}
+		})
+		// /logout
+		hapiServer.route({
+			path: '/logout',
+			method: 'GET',
+			options: {
+				auth: false
+			}, // No auth required for logout
+			handler: async (request, h) => {
+				try {
+					// Get the post-logout redirect URI (where the user will go after logout)
+					const postLogoutRedirectUri = encodeURIComponent(me.getBaseUrl(request));
+					// Construct the logout URL for Azure AD
+					const logoutUrl = `https://login.microsoftonline.com/${me.authServerConfig.authServer.tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri=${postLogoutRedirectUri}`;
+
+					// Clear session
+					request.yar.clear('jwtToken');
+					request.yar.clear('userRelog');
+
+					return h.redirect(logoutUrl); // Redirect to Azure AD logout
+				} catch (error) {
+					console.error('Error logging out:', error);
+					return h.response('Logout failed').code(500);
+				}
+			},
+		});
+		// /check-session-iframe.html
+		// This method returns the htlm code for the iframe
+		hapiServer.route({
+			path: '/check-session-iframe.html',
+			method: 'GET',
+			options: {
+				auth: false
+			},
+			handler: async (request, h) => {
+				try {
+					let content = getTemplate('session-iframe-azure-ad', {
+						checkSessionUrl: me.getBaseUrl(request) + 'check-session'
+					})
+					return h.response(content)
+                            .header('Content-Type', 'text/html')
+				} catch (err) {
+					return errorResponse(h, err, 500)
+				}
+			}
+		});
+		// /check-session
+		hapiServer.route({
+			path: '/check-session',
+			options: {
+				auth: false
+			},
+			method: 'GET',
+			handler: async (request, h) => {
+				let tokenInfo = request.yar.get('jwtToken');
+				let tokenIsExpired = { expired: false }
+				if (tokenInfo) {
+					// check if token is about to be expired
+					tokenIsExpired.expired = await me.tokenAboutToExpire(tokenInfo.token, 0.5);
+					if (tokenIsExpired.expired) {
+						let params = { 
+							redirectUri: me.getRedirectUri(request, 'auth/callback'),
+							scopes: me.authServerConfig.authServer.scope.split(" "),
+						}
+						tokenIsExpired.redirectUrl = await me.authServerConfig.authServer.msalClient.getAuthCodeUrl(params);
+						request.yar.clear('jwtToken');
+						request.yar.clear('userRelog');
+					}
+				}
+				return h.response(tokenIsExpired);
+			}
+		})
+	}
+	getRedirectUri(request, redirectPath) {
+		const baseUrl = this.authServerConfig.url ?? this.getBaseUrl(request);
+		const path = (redirectPath) ?? this.getPathname(request);
+		let url = new URL(path, baseUrl);
+
+		// If the hostname is not localhost, force HTTPS
+		if (url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
+			url.protocol = 'https:';
+		}
+		return url.toString();
+	}
+	getFullUrl(request) {
+		return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
+	}
+	getBaseUrl(request) {
+		return `${getProtocol(request)}://${getHost(request)}/`
+	}
+	async authenticate(h, scope) {
+		const {
+			request
+		} = h
+		const pkceCode = await this.openIdConnect.pkceCode()
+		const requestUrl = getFullUrl(request)
+		let oidcMetadata = await this.openIdConnect.oidcMetadata()
+		if (!oidcMetadata || !oidcMetadata.openid_configuration) {
+			oidcMetadata = await this.configuration(this.authServerConfig.authServer)
+		}
+		if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
+			const authorizationUrl = await this.openIdConnect.authorizationUrl({
+				scope,
+				redirectUri: this.getRedirectUri(request),
+				pkceCode
+			})
+			trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
+			return h
+				.response()
+				.state(this.COOKIE_NAMES.SID, pkceCode)
+				.redirect(authorizationUrl)
+				.takeover()
+		} else if (getPathname(request) === '/logout') {
+			return h.continue
+		} else {
+			const tokenSet = await this.openIdConnect.tokenSet()
+			const {
+				state
+			} = request
+			if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
+				const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
+				if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
+					throw new Exception('Error when getting token', 'ExpirationError', 403)
+				}
+				return h.continue
+			} else {
+				return h
+					.response()
+					.code(401)
+					.takeover()
+			}
+		}
+	}
+
+	async configurePlugins(server) {
+		// Add Yar to save info in the cookies across session calls
+		const hapiYarPassword = process.env.blz_hapiYarPassword || 'your-super-secure-yar-atleast-32-bytes-password';
+		await server.register({
+			plugin: hapiYar,
+			options: {
+				name: 'yar_state',
+				cookieOptions: {
+					password: hapiYarPassword,
+					isSecure: true, // Use true in production
+					isHttpOnly: true,
+					isSameSite: 'Lax', // 'Strict', 'Lax', or 'None'
+					clearInvalid: true,
+					ignoreErrors: true
+				},
+				storeBlank: false, // Prevent saving blank sessions
+				maxCookieSize: 0 // Use server-side storage for larger payloads
+			}
+		});
+		// Register @hapi/jwt plugin
+		await server.register(hapiJwt);
+
+		// Check for static certificate or rotating.
+		let keysFetch = true;
+		// Azure rotating certificates, prepare for the hapi jwt module
+		this.startupJwksClient();
+		// set up the function in this.publickKeyFetch
+		this.startupPublickKeyFetch();
+		keysFetch = this.publicKeyFetch;
+		const tenant_id = this.authServerConfig.authServer.issuer.match(/login\.microsoftonline\.com\/([^/]+)/)?.[1];
+		this.authServerConfig.authServer.tenantId = tenant_id;
+		this.authServerConfig.authServer.msalConfig = {
+			auth: {
+				clientId: this.authServerConfig.authServer.clientId,
+				authority: `https://login.microsoftonline.com/${tenant_id}`,
+				clientSecret: this.authServerConfig.authServer.clientSecret
+			},
+		};
+		const msalClient = new ConfidentialClientApplication(this.authServerConfig.authServer.msalConfig);
+		this.authServerConfig.authServer.msalClient = msalClient;
+
+		// Define the auth strategy
+		server.auth.strategy('jwtAuth', 'jwt', {
+			keys: keysFetch,
+			verify: {
+				aud: this.authServerConfig.authServer.clientId,
+				iss: this.authServerConfig.authServer.issuer,
+				exp: true, // validate expiration
+				sub: false
+			},
+			validate: false
+		});
+
+		// Register the @hapi/cookie plugin
+		await server.register(hapiCookie);
+
+		// Define the cookie-based auth strategy
+		server.auth.strategy('cookieAuth', 'cookie', {
+			cookie: {
+				name: 'sid', // Primary session cookie
+				password: 'supersecretpasswordmustbeatleast32characterslong', // Encryption key
+				isSecure: true, // Should be true in production
+				isHttpOnly: true, // Prevents client-side JavaScript access
+				isSameSite: 'Lax', // Protects against CSRF
+			},
+			keepAlive: true,
+			redirectTo: false,
+		});
+		// Set default auth strategy to try both JWT and cookies
+		server.auth.default({
+			strategies: ['jwtAuth', 'cookieAuth'], // Try JWT first, then Cookie
+		});
+	}
+
+	async decodeJwtToken(token) {
+		const decodedToken = hapiJwt.token.decode(token);
+		return decodedToken;
+	}
+	async tokenAboutToExpire(token, minutesBeforeExpiration = 0) {
+		if (!token)
+			return true;
+		const decodedToken = hapiJwt.token.decode(token);
+		const expirationTime = decodedToken.decoded.payload.exp * 1000; // Convert to milliseconds
+		const currentTime = Date.now();
+		const expirationThreshold = minutesBeforeExpiration * 60 * 1000; // Convert minutes to milliseconds
+
+		// Check if the token is expired or about to expire within the specified minutes
+		const isAboutToExpire = expirationTime - currentTime <= expirationThreshold;
+		return isAboutToExpire;
+	}
+	async isRefreshTokenExpired(refreshToken) {
+		try {
+			// Decode the token without verifying its signature.
+			const decodedRefreshToken = hapiJwt.token.decode(refreshToken);
+			// Get the current timestamp (in seconds).
+			const currentTimestamp = Math.floor(Date.now() / 1000);
+
+			if (decodedRefreshToken && decodedRefreshToken.decoded && decodedRefreshToken.decoded.payload && decodedRefreshToken.decoded.payload.exp) {
+				return (decodedRefreshToken.decoded.payload.exp < currentTimestamp)
+			} else
+				return true;
+		} catch (error) {
+			// if there is an error treat as if expired, so a re-login is prompted
+			console.error('Failed to decode the token: Invalid Refresh token format', error);
+			return true;
+		}
+	}
+	async startupJwksClient() {
+		// Azure rotating certificates, prepare for the hapi jwt module
+		this.clientJwk = jwksClient({
+			jwksUri: this.authServerConfig.authServer.jwksUri,
+			cache: true, // Cache signing keys to avoid frequent network calls
+			rateLimit: true, // Rate limit the number of requests to the JWKS URI
+			jwksRequestsPerMinute: 10, // Limit to 10 requests per minute
+		});
+	}
+	async startupPublickKeyFetch() {
+		// Function to get the signing key
+		const getKey = async (kid) => {
+			return new Promise((resolve, reject) => {
+				this.clientJwk.getSigningKey(kid, (err, key) => {
+					if (err) {
+						return reject(err);
+					}
+					const signingKey = key.getPublicKey(); // Public key for signature verification
+					resolve(signingKey);
+				});
+			});
+		};
+		this.publicKeyFetch = async (artifacts) => {
+			const kid = artifacts.decoded.header.kid; // Extract 'kid' from JWT header
+			return getKey(kid); // Fetch the corresponding public key
+		}
+	}
+}
+
+module.exports = {
+	HapiServerAzureAd
+}