@blazedpath/commons 0.0.4

package/blz-security/middleware/hapi.js

@@ -0,0 +1,515 @@
+/**
+ * @author Blazedpath Team
+ * @implements Protecting all resources through hapi middleware
+ * @description Hapi.js (derived from Http-API) is an open-source Node.js
+ * framework used to build powerful and scalable web applications.
+ * @see https://hapi.dev/api/
+ */
+
+const Uma = require('../implementations/uma')
+const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
+const {
+  Exception,
+  getFullUrl,
+  getHost,
+  getPathname,
+  getTemplate,
+  getTokenTolerance,
+  trace,
+  errorResponse
+} = require('../helpers/utils')
+
+let contextConfig = {}
+let securityService = null
+
+class Hapi {
+  constructor (oidc, cookiesName) {
+    this.oidc = oidc
+    this.COOKIE_NAMES = cookiesName
+    this.activateTraceApiMethod = false
+    this.queryStringLimit = null;
+    this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
+  }
+
+  async connect (_securityService, context, config) {
+    contextConfig = config
+    securityService = _securityService
+    const { authServer, accessTokenSimulation, activateTraceApiMethod } = config
+    if (activateTraceApiMethod) {
+      this.activateTraceApiMethod = activateTraceApiMethod
+    }
+    let oidcConfiguration = {}
+    const stateOption = {
+      clearInvalid: true,
+      encoding: 'base64',
+      isSecure: true,
+      isHttpOnly: true,
+      isSameSite: 'Lax',
+      path: '/',
+      strictHeader: true
+    }
+    if (accessTokenSimulation && !authServer) {
+      context.config = config
+      context.state(this.COOKIE_NAMES.ACCESS_TOKEN, stateOption)
+      this.authServerSimulation(context)
+    } else {
+      try {
+        if (authServer.sessionCookiesDomain) {
+          stateOption.domain = authServer.sessionCookiesDomain
+        }
+        const isHttpOnlyForSessionState = authServer.isHttpOnlyForSessionState !== undefined ? authServer.isHttpOnlyForSessionState : false
+        context.state(this.COOKIE_NAMES.SID, stateOption)
+        stateOption.encoding = 'none'
+        stateOption.strictHeader = false
+        stateOption.isHttpOnly = isHttpOnlyForSessionState
+        context.state(this.COOKIE_NAMES.SESSION_STATE, stateOption)
+        oidcConfiguration = await this.configuration(authServer)
+        if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
+          authServer.scope = `openid ${authServer.scope || ''}`
+        }
+        if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
+          context.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
+          context.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
+        }
+        trace('INFO', 'The following configuration was initialized')
+        const securityConfiguration = Object.fromEntries(Object.entries(authServer).filter((entry) => !['clientSecret', 'PrivateKey', 'PublicKey'].includes(entry[0])))
+        trace('INFO', oidcConfiguration.tokenEndpoint ? oidcConfiguration : securityConfiguration)
+      } catch (err) {
+        trace('ERROR', `Exception ${err.message}`)
+        trace('ERROR', err.stack)
+      }
+      context.ext('onPreHandler', async (request, h) => {
+        const unprotectedPaths = [/\/health/, /\/metrics/]
+        const unprotectedExtensions = ['.ico', '.jpg', '.jpeg', '.gif', '.png', '.pdf', '.svg', '.html', '.htm', '.css', '.js', '.js.map', '.json', '.woff', '.woff2']
+        const requestUrl = getFullUrl(request)
+        if(this.activateTraceApiMethod){
+          if(requestUrl.includes('\/api\/')){
+            console.log(requestUrl + ' - ' + request.method.toUpperCase());
+          }
+        }
+        try {
+          const { session_state: qrSessionState, code } = request.query
+          const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
+          const sid = request.state[this.COOKIE_NAMES.SID]
+          const tokenSet = await this.oidc.tokenSet()
+          const uma = await Uma.permission()
+          const href = h.request.url.href || requestUrl
+
+          // Check for malicios query string parameters
+          if (this.queryStringLimit) {
+            const { limit } = request.query; // Access the query parameter "limit"
+            // Check if the limit is greater than the configured
+            if (limit && parseInt(limit, 10) > this.queryStringLimit) {
+              const error = new Error('Bad Request.');
+              error.name = 'BadRequest';
+              error.code = 400;
+              throw error;
+            }
+          }
+          if (unprotectedPaths.some((reg) => reg.test(request.path)) || unprotectedExtensions.some((ext) => requestUrl.endsWith(ext))) {
+            return h.continue
+          }
+          if (getHost(request).includes('0.0.0.0') && context.states.cookies[this.COOKIE_NAMES.SID].isSecure) {
+            trace('WARN', `Accessing ${getHost(request)} doesn't ensure a secure context for writing cookies.`)
+            context.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
+            context.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
+          }
+          trace('INFO', `Navigating to ${requestUrl}`)
+          if (!request.state) {
+            throw new Exception('Error when getting cookies', 'CookiesError', 404)
+          } else if (code && ckSessionState && qrSessionState && qrSessionState !== ckSessionState) {
+            trace('ERROR', `The Session cookie ${ckSessionState} doesn't match with the query session ${qrSessionState}`)
+            return h
+              .response()
+              .unstate(this.COOKIE_NAMES.SID)
+              .unstate(this.COOKIE_NAMES.SESSION_STATE)
+              .redirect(requestUrl)
+              .takeover()
+          } else if (ckSessionState && sid) {
+            // pasa por aca si sid=falsy
+            const tokens = await tokenSet.tokens(ckSessionState)
+            if (authServer.umaUri) {
+              let badUmaUri = false
+              const hrefParts = href.split('/')
+              if (hrefParts.length > 0) {
+                const lastHrefPart = hrefParts[hrefParts.length - 1]
+                badUmaUri = lastHrefPart.indexOf('.') !== -1
+              }
+              if (!badUmaUri) {
+                tokens.access_token = await uma.ticket({ tokenUrl: authServer.tokenEndpoint, token: tokens.access_token, audience: authServer.clientId })
+                trace('INFO', 'Generating uma ticket:')
+              }
+            }
+            if (this.validSid(sid)) {
+              return h.continue
+            }
+            else {
+              // valid Sid checks for invalid, or expired values.
+              const error = new Error('Invalid sid.');
+              error.name = 'ExpiredSid';
+              error.code = 401;
+              throw error;
+            }
+          } else if (code && sid) {
+            trace('INFO', 'Generating token:')
+            const tokensSet = await tokenSet.generate({ code, scope: authServer.scope, redirectUri: this.getRedirectUri(request), sid })
+            if (!tokensSet) {
+              return await this.authenticate(h, authServer.scope)
+            }
+            trace('INFO', `Set token for session_state:${tokensSet.session_state}`)
+            // trace('INFO', tokensSet)
+            return h
+              .response()
+              .state(this.COOKIE_NAMES.SID, sid)
+              .state(this.COOKIE_NAMES.SESSION_STATE, tokensSet.session_state)
+              .redirect(requestUrl)
+              .takeover()
+          } else if ((!sid && ckSessionState) || (!ckSessionState && sid)) {
+            const error = new Error('Token is Invalid.');
+            error.name = 'TokenInvalid';
+            error.code = 401;
+            throw error;
+          } else {
+            return await this.authenticate(h, authServer.scope)
+          }
+        } catch (err) {
+          let { code, name, message } = err
+          trace('ERROR', `${name}:${message}`)
+          code = parseInt(code) || (err.response ? err.response.statusCode : 500)
+          const errorList = ['pkce', 'code', 'jwt']
+          if (errorList.some((error) => message.includes(error)) && code !== 403) {
+            trace('ERROR', `Forbidden ${message}`)
+            return h
+              .response()
+              .unstate(this.COOKIE_NAMES.SID)
+              .unstate(this.COOKIE_NAMES.SESSION_STATE)
+              .redirect(requestUrl)
+              .takeover()
+          }
+          if (code === 403 || code === 401) {
+            if (name === 'ExpirationError' || name === 'TokenInvalid' || (name === 'TokenError' && getPathname(request) === '/')) {
+              return h
+                .response()
+                .unstate(this.COOKIE_NAMES.SID)
+                .unstate(this.COOKIE_NAMES.SESSION_STATE)
+                .redirect('/logout')
+                .takeover()
+            } else if (name === 'ExpiredSid') {
+              return h
+                .response()
+                .unstate(this.COOKIE_NAMES.SID)
+                .unstate(this.COOKIE_NAMES.SESSION_STATE)
+                .code(401)
+                .redirect('/logout')
+                .takeover()
+            } else {
+              return h
+                .response()
+                .code(401)
+                .unstate(this.COOKIE_NAMES.SID)
+                .unstate(this.COOKIE_NAMES.SESSION_STATE)
+                .takeover()
+            }
+          }
+          return h
+            .response({ name, message })
+            .code(code || 500)
+            .unstate(this.COOKIE_NAMES.SID)
+            .unstate(this.COOKIE_NAMES.SESSION_STATE)
+            .takeover()
+        }
+      })
+      const me = this
+      context.route({
+        method: 'GET',
+        path: '/get-authorization',
+        handler: async (request, h) => {
+          try {
+            const { session_state: ckSessionState } = request.state
+            if (!ckSessionState) {
+              throw new Exception("old Hapi get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
+            }
+            const tokenSet = await me.oidc.tokenSet()
+            const tokens = await tokenSet.tokens(ckSessionState)
+            const uma = await Uma.permission()
+            const token = await uma.ticket({ tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl, token: tokens.access_token, audience: authServer.clientId })
+            const sourceData = Jsonwebtoken.decode(token.access_token)
+            return h.response(JSON.stringify(sourceData.authorization)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+
+      context.route({
+        method: 'GET',
+        path: '/get-security-rules',
+        handler: async (request, h) => {
+          try {
+            const securityRules = await securityService.getFrontendSecurityRules(request)
+            return h.response(JSON.stringify(securityRules)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+
+      context.route({
+        method: 'GET',
+        path: '/get-permissions',
+        handler: async (request, h) => {
+          try {
+            const permissions = await securityService.getPermissions()
+            return h.response(JSON.stringify(permissions)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+
+      context.route({
+        method: 'GET',
+        path: '/get-user-info',
+        handler: async (request, h) => {
+          try {
+            const userInfo = await securityService.getUserInfo(request)
+            return h
+              .response(JSON.stringify(userInfo))
+              .takeover()
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+      context.route({
+        path: '/logout',
+        method: 'GET',
+        handler: async (request, h) => {
+          try {
+            const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
+            return h
+              .response()
+              .unstate(this.COOKIE_NAMES.SID)
+              .unstate(this.COOKIE_NAMES.SESSION_STATE)
+              .redirect(await me.oidc.endSessionUrl({
+                sessionState: ckSessionState,
+                redirectUri: this.getRedirectUri(request)
+              }))
+              .takeover()
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+      context.route({
+        path: '/invalid-session',
+        method: 'GET',
+        handler: async (request, h) => {
+          try {
+            const endSessionUrl = await me.oidc.endSessionUrl({
+              redirectUri: this.getRedirectUri(request),
+              sessionState: request.state[this.COOKIE_NAMES.SESSION_STATE]
+            })
+            return h
+              .response()
+              .unstate(this.COOKIE_NAMES.SID)
+              .unstate(this.COOKIE_NAMES.SESSION_STATE)
+              .redirect(endSessionUrl)
+              .takeover()
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+
+      context.route({
+        path: '/check-session-iframe.html',
+        method: 'GET',
+        handler: async (_request, h) => {
+          try {
+            let content = '<html/>'
+            if (authServer && authServer.checkSessionIframe) {
+              const { checkSessionIframe: sessionIframeUrl, clientId, sessionCookiesPrefix } = authServer
+              if (sessionIframeUrl && sessionIframeUrl.includes('https://')) {
+                trace('INFO', `Session management url: ${sessionIframeUrl}`)
+                content = getTemplate('session-iframe', {
+                  sessionIframeUrl,
+                  clientId,
+                  sessionCookiesPrefix: sessionCookiesPrefix || ''
+                })
+              } else {
+                trace('WARN', 'For session management, it is necessary to get the value from a cookie called session_state, and as a good practice, it should have reached a secure context [TLS].')
+              }
+            }
+            return h
+              .response(content)
+              .header('Content-Type', 'text/html')
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+    }
+  }
+  validSid(sid){
+    let decodedSid = Jsonwebtoken.decode(sid);
+    if (!decodedSid) {
+      return false;
+    }
+    // checks for expiration against current time, with 5' tolerance
+    if (decodedSid.exp)
+      return (decodedSid.exp + this.securityLoginTokenExpToleranceSeconds > (Date.now() / 1000))
+    else
+      return false;
+  }
+
+  authServerSimulation (context) {
+    if (!context.config || !context.config.accessTokenSimulation) {
+      throw new Exception('Error parsing metadata for simulation', 'ConfigurationError', 404)
+    }
+    let { algorithm, payload, secret } = context.config.accessTokenSimulation
+    const me = this
+    context.ext('onPreAuth', async function (request, h) {
+      if (request.state && request.state[me.COOKIE_NAMES.ACCESS_TOKEN]) {
+        return h.continue
+      } else {
+        switch (algorithm) {
+          case 'HMAC-SHA384': {
+            algorithm = 'HS384'
+            break
+          }
+          case 'HMAC-SHA512': {
+            algorithm = 'HS512'
+            break
+          }
+          default: {
+            algorithm = 'HS256'
+          }
+        }
+        const jwt = me.oidc.jwt().sign({ payload, secret, algorithm })
+        return h
+          .response()
+          .state(me.COOKIE_NAMES.ACCESS_TOKEN, jwt)
+          .redirect(me.getRedirectUri(request))
+          .takeover()
+      }
+    })
+    context.route({
+      path: '/get-authorization',
+      method: 'GET',
+      handler: async function (_request, h) {
+        return h
+          .response('[]')
+          .code(200)
+      }
+    })
+    context.route({
+      path: '/get-security-rules',
+      method: 'GET',
+      handler: async function (_request, h) {
+        let securityRules = []
+        if (securityService && context.config.accessTokenSimulation.playload) {
+          const groups = securityService.getGroups(context.config.accessTokenSimulation.playload)
+          securityRules = securityService.getFrontendSecurityRules([groups])
+        }
+        return h
+          .response(JSON.stringify(securityRules))
+          .code(200)
+      }
+    })
+    context.route({
+      path: '/get-permissions',
+      method: 'GET',
+      handler: async function (_request, h) {
+        const permissions = (securityService) ? securityService.getPermissions() : []
+        return h
+          .response(JSON.stringify(permissions))
+          .code(200)
+      }
+    })
+    context.route({
+      path: '/get-user-info',
+      method: 'GET',
+      handler: async function (_request, h) {
+        return h
+          .response(JSON.stringify(payload))
+          .code(200)
+      }
+    })
+    context.route({
+      path: '/logout',
+      method: 'GET',
+      handler: async function (_request, h) {
+        return h
+          .response()
+          .unstate(this.COOKIE_NAMES.ACCESS_TOKEN)
+          .takeover()
+      }
+    })
+  }
+
+  getRedirectUri (request) {
+    return contextConfig.authServer.redirectUri || getFullUrl(request)
+  }
+
+  async authenticate (h, scope) {
+    const { request } = h
+    const pkceCode = await this.oidc.pkceCode()
+    const requestUrl = getFullUrl(request)
+    let oidcMetadata = await this.oidc.oidcMetadata()
+    if (!oidcMetadata || !oidcMetadata.openid_configuration) {
+      oidcMetadata = await this.configuration(contextConfig.authServer)
+    }
+    if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
+      const authorizationUrl = await this.oidc.authorizationUrl({ scope, redirectUri: this.getRedirectUri(request), pkceCode })
+      trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
+      return h
+        .response()
+        .state(this.COOKIE_NAMES.SID, pkceCode)
+        .redirect(authorizationUrl)
+        .takeover()
+    } else if (getPathname(request) === '/logout') {
+      return h.continue
+    } else {
+      const tokenSet = await this.oidc.tokenSet()
+      const { state } = request
+      if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
+        const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
+        if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
+          throw new Exception('Error when getting token', 'ExpirationError', 403)
+        }
+        return h.continue
+      } else {
+        return h
+          .response()
+          .code(401)
+          .takeover()
+      }
+    }
+  }
+
+  async configuration (authServer) {
+    if (!authServer) {
+      throw new Exception('Error when getting configuration attributes ')
+    }
+    const { clientId, clientSecret } = authServer
+    await this.oidc.client({ clientId, clientSecret })
+    if (authServer.openIdConfigurationEndpoint) {
+      return await this.oidc.configuration(authServer.openIdConfigurationEndpoint)
+    } else {
+      // If configuration uri does not exist but the auth server form has been filled in.
+      return await this.oidc.configuration({
+        issuer: authServer.issuer,
+        authorization_endpoint: authServer.authorizationEndpoint,
+        token_endpoint: authServer.tokenEndpoint,
+        userinfo_endpoint: authServer.userinfoEndpoint,
+        end_session_endpoint: authServer.endSessionEndpoint,
+        jwks_uri: authServer.jwksUri
+      })
+    }
+  }
+}
+
+module.exports = {
+  Hapi
+}