@blazedpath/commons 0.0.4

package/blz-security/middleware/HapiServerSimToken.js

@@ -0,0 +1,247 @@
+/**
+ * @author Blazedpath Team
+ * @implements Protecting all resources through hapi middleware
+ * @description Hapi.js (derived from Http-API) is an open-source Node.js
+ * framework used to build powerful and scalable web applications.
+ * @see https://hapi.dev/api/
+ */
+const {
+    Exception,
+    getFullUrl,
+    getHost,
+    getPathname,
+    getTokenTolerance,
+    trace
+} = require('../helpers/utils')
+
+// Uses Issue to cache manage and logout (generators/customs not sure why yet)
+const {
+    Issuer
+} = require('openid-client') // OpenID Certified Relying Party.
+
+// Self sign library
+const jwToken = require('jsonwebtoken');
+
+let securityService = null
+
+class HapiServerSimToken {
+    constructor(openIdConnect, cookiesName, cache) {
+        this.openIdConnect = openIdConnect
+        this.COOKIE_NAMES = cookiesName
+        this.authServerConfig = null;
+        // This cache stores locally the jwt token set for refresh and logout.
+        this.cache = cache;
+        // To terminate sessions
+        this.clientOidc = null;
+    }
+
+    async connect(_securityService, hapiServer, config) {
+        this.authServerConfig = config;
+        securityService = _securityService
+        const stateOption = {
+            clearInvalid: true,
+            encoding: 'base64',
+            isSecure: true,
+            isHttpOnly: true,
+            isSameSite: 'Lax',
+            path: '/',
+            strictHeader: true
+        }
+        hapiServer.config = config
+        hapiServer.state(this.COOKIE_NAMES.ACCESS_TOKEN, stateOption)
+        this.authServerSimulation(hapiServer)
+    }
+
+    authServerSimulation(hapiServer) {
+        if (!hapiServer.config || !hapiServer.config.accessTokenSimulation) {
+            throw new Exception('Error parsing metadata for simulation', 'ConfigurationError', 404)
+        }
+        let {
+            simaAlgorithm,
+            payload,
+            secret
+        } = hapiServer.config.accessTokenSimulation
+        const me = this
+        hapiServer.ext('onPreAuth', async function(request, h) {
+            if (request.state && request.state[me.COOKIE_NAMES.ACCESS_TOKEN]) {
+                return h.continue
+            } else {
+                switch (simaAlgorithm) {
+                    case 'HMAC-SHA384': {
+                        simaAlgorithm = 'HS384'
+                        break
+                    }
+                    case 'HMAC-SHA512': {
+                        simaAlgorithm = 'HS512'
+                        break
+                    }
+                    default: {
+                        simaAlgorithm = 'HS256'
+                    }
+                }
+                const token = jwToken.sign(payload, secret, { expiresIn: '1h', algorithm: simaAlgorithm });
+                return h
+                    .response()
+                    .state(me.COOKIE_NAMES.ACCESS_TOKEN, token)
+                    .redirect(getFullUrl(request))
+                    .takeover()
+            }
+        })
+        // /get-authorization
+        hapiServer.route({
+            path: '/get-authorization',
+            method: 'GET',
+            handler: async function(_request, h) {
+                return h
+                    .response('[]')
+                    .code(200)
+            }
+        })
+        // /get-security-rules
+        hapiServer.route({
+            path: '/get-security-rules',
+            method: 'GET',
+            handler: async function(_request, h) {
+                let securityRules = []
+                if (securityService && hapiServer.config.accessTokenSimulation.playload) {
+                    const groups = securityService.getGroups(hapiServer.config.accessTokenSimulation.playload)
+                    securityRules = securityService.getFrontendSecurityRules([groups])
+                }
+                return h
+                    .response(JSON.stringify(securityRules))
+                    .code(200)
+            }
+        })
+        // /get-permissions
+        hapiServer.route({
+            path: '/get-permissions',
+            method: 'GET',
+            handler: async function(_request, h) {
+                const permissions = (securityService) ? securityService.getPermissions() : []
+                return h
+                    .response(JSON.stringify(permissions))
+                    .code(200)
+            }
+        })
+        // /get-user-info
+        hapiServer.route({
+            path: '/get-user-info',
+            method: 'GET',
+            handler: async function(_request, h) {
+                return h
+                    .response(JSON.stringify(payload))
+                    .code(200)
+            }
+        })
+        // /logout
+        hapiServer.route({
+            path: '/logout',
+            method: 'GET',
+            handler: async function(_request, h) {
+                return h
+                    .response()
+                    .unstate(me.COOKIE_NAMES.ACCESS_TOKEN)
+                    .takeover()
+            }
+        })
+    }
+    async authenticate(h, scope) {
+        const {
+            request
+        } = h
+        const pkceCode = await this.openIdConnect.pkceCode()
+        const requestUrl = getFullUrl(request)
+        let oidcMetadata = await this.openIdConnect.oidcMetadata()
+        if (!oidcMetadata || !oidcMetadata.openid_configuration) {
+            oidcMetadata = await this.configuration(this.authServerConfig.authServer)
+        }
+        if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
+            const authorizationUrl = await this.openIdConnect.authorizationUrl({
+                scope,
+                redirectUri: getFullUrl(request),
+                pkceCode
+            })
+            trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
+            return h
+                .response()
+                .state(this.COOKIE_NAMES.SID, pkceCode)
+                .redirect(authorizationUrl)
+                .takeover()
+        } else if (getPathname(request) === '/logout') {
+            return h.continue
+        } else {
+            const tokenSet = await this.openIdConnect.tokenSet()
+            const {
+                state
+            } = request
+            if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
+                const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
+                if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
+                    throw new Exception('Error when getting token', 'ExpirationError', 403)
+                }
+                return h.continue
+            } else {
+                return h
+                    .response()
+                    .code(401)
+                    .takeover()
+            }
+        }
+    }
+    oidcMetadataKey() {
+        return this.authServerConfig.authServer.sessionCookiesDomain || 'oidcMetadata'
+    }
+    async configuration(authServer) {
+        if (!authServer) {
+            throw new Exception('Error when getting configuration attributes ')
+        }
+        const {
+            clientId,
+            clientSecret
+        } = authServer
+        await this.openIdConnect.client({
+            clientId,
+            clientSecret
+        })
+        if (authServer.openIdConfigurationEndpoint) {
+            return await this.openIdConnect.configuration(authServer.openIdConfigurationEndpoint)
+        } else {
+            // If configuration uri does not exist but the auth server form has been filled in.
+            return await this.openIdConnect.configuration({
+                issuer: authServer.issuer,
+                authorization_endpoint: authServer.authorizationEndpoint,
+                token_endpoint: authServer.tokenEndpoint,
+                userinfo_endpoint: authServer.userinfoEndpoint,
+                end_session_endpoint: authServer.endSessionEndpoint,
+                jwks_uri: authServer.jwksUri
+            })
+        }
+    }
+    async configuration(context) {
+        let metadata = await this.cache.get(this.oidcMetadataKey())
+        if (typeof context === 'string' && !context.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi)) {
+            throw new Exception('Wrong OpenId Provider configuration URI entered', 'AttributeError', 403)
+        }
+        if (!metadata || !metadata.issuer) {
+            if (context.issuer) {
+                metadata = {
+                    ...(metadata || {}),
+                    ...context
+                }
+            } else {
+                metadata = metadata || {}
+                metadata.openid_configuration = context
+                metadata = {
+                    ...metadata,
+                    ...(await Issuer.discover(context.issuer))
+                } // Discover an issuer configuration, must be an url
+            }
+            await this.cache.set(this.oidcMetadataKey(), metadata, 864e5) // 1 day of cache
+        }
+        return new Iss(metadata)
+    }
+}
+
+module.exports = {
+    HapiServerSimToken
+}