@blazedpath/commons 0.0.4

package/blz-security/middleware/hapiServer.js

@@ -0,0 +1,974 @@
+/**
+ * @author Blazedpath Team
+ * @implements Protecting all resources through hapi middleware
+ * @description Hapi.js (derived from Http-API) is an open-source Node.js
+ * framework used to build powerful and scalable web applications.
+ * @see https://hapi.dev/api/
+ */
+const Uma = require('../implementations/uma')
+const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
+const {
+  Exception,
+  getFullUrl,
+  getHost,
+  getProtocol,
+  getPathname,
+  getTemplate,
+  getTokenTolerance,
+  trace,
+  errorResponse
+} = require('../helpers/utils')
+// HapiServer Modules
+const hapiYar = require('@hapi/yar');
+const hapiJwt = require('@hapi/jwt');
+const hapiCookie = require('@hapi/cookie')
+// Quick Http Fetch using axios
+const axios = require('axios');
+// Crypto for code_verifier in token exchange
+const crypto = require('crypto');
+var jwkToPem = require('jwk-to-pem');
+// Uses Issue to cache manage and logout (generators/customs not sure why yet)
+const { Issuer, generators, custom } = require('openid-client') // OpenID Certified Relying Party.
+const { METADATA } = require('../helpers/consts')
+// Azure AD rotates keys, so we jwk used to routinly fetch them
+const jwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
+// MS authenticator library
+const { ConfidentialClientApplication } = require('@azure/msal-node');
+
+let contextConfig = {}
+let securityService = null
+
+class HapiServer {
+  constructor (openIdConnect, cookiesName, cache) {
+    this.openIdConnect = openIdConnect
+    this.COOKIE_NAMES = cookiesName
+    this.activateTraceApiMethod = false
+    this.queryStringLimit = null;
+    this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
+    this.authServerConfig = null;
+    this.authServerFullLoginUrl = null;
+    // This cache stores locally the jwt token set for refresh and logout.
+    this.cache = cache;
+    // To terminate sessions
+    this.clientOidc = null;
+    // This client keeps a refresh of the rotating keys
+    this.clientJwk = null;
+    this.publicKeyFetch = null;
+  }
+
+  async connect (_securityService, hapiServer, config) {
+    contextConfig = config
+    this.authServerConfig = contextConfig;
+    securityService = _securityService
+    const { authServer, accessTokenSimulation, activateTraceApiMethod } = config
+    if (activateTraceApiMethod) {
+      this.activateTraceApiMethod = activateTraceApiMethod
+    }
+    let oidcConfiguration = {}
+    const stateOption = {
+      clearInvalid: true,
+      encoding: 'base64',
+      isSecure: true,
+      isHttpOnly: true,
+      isSameSite: 'Lax',
+      path: '/',
+      strictHeader: true
+    }
+    if (accessTokenSimulation && !authServer) {
+      hapiServer.config = config
+      hapiServer.state(this.COOKIE_NAMES.ACCESS_TOKEN, stateOption)
+      this.authServerSimulation(context)
+    } else {
+      try {
+        if (authServer.sessionCookiesDomain) {
+          stateOption.domain = authServer.sessionCookiesDomain
+        }
+        const isHttpOnlyForSessionState = authServer.isHttpOnlyForSessionState !== undefined ? authServer.isHttpOnlyForSessionState : false
+        // hapiServer.state(this.COOKIE_NAMES.SID, stateOption)
+        // stateOption.encoding = 'none'
+        // stateOption.strictHeader = false
+        // stateOption.isHttpOnly = isHttpOnlyForSessionState
+        hapiServer.state(this.COOKIE_NAMES.SESSION_STATE, stateOption)
+        oidcConfiguration = await this.configuration(authServer)
+        if (oidcConfiguration.clientOidc) {
+          this.clientOidc = oidcConfiguration.clientOidc;
+        }
+        if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
+          authServer.scope = `openid ${authServer.scope || ''}`
+        }
+        if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
+          hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
+          hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
+        }
+        trace('INFO', 'The following configuration was initialized')
+        const securityConfiguration = Object.fromEntries(Object.entries(authServer).filter((entry) => !['clientSecret', 'PrivateKey', 'PublicKey'].includes(entry[0])))
+        trace('INFO', oidcConfiguration.tokenEndpoint ? oidcConfiguration : securityConfiguration)
+      } catch (err) {
+        trace('ERROR', `Exception ${err.message}`)
+        trace('ERROR', err.stack)
+      }
+
+      this.prepareMemoryValues();
+      // Add Plugins
+      this.configurePlugins(hapiServer);
+      // onPreAuth: Here we check if the jwtToken is stored in the yar, refresh, and recompose the authorization header before hapi jwt module auth.
+      // Http protocol does not redirect all headers on a 3XX code.
+      hapiServer.ext('onPreAuth', async (request, h) => {
+        // Retrieve the token from the yar storage, second parameter absent so that the token is not lost on read
+        let tokenInfo = request.yar.get('jwtToken');
+        if(tokenInfo) {
+          // check if token is about to be expired, if expired, update
+          let aboutToExpire = await me.tokenAboutToExpire(tokenInfo.token, 10);
+          if (aboutToExpire) {
+            if (me.authServerConfig.authServer.msalClient) {
+              // Get session name from yar storage: should be in request.yar.get('jwtToken')
+
+              // To refresh the tokens, Azure uses a silent re authentication
+              const silentRereshTokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenSilent({
+                account: tokenInfo.account,  // Use stored account details
+                scopes: ["User.Read"],     // Adjust scopes as needed
+              });
+              //let refreshedTokens = await this.silentAuthenticationAzure({redirectUri: me.getBaseUrl(request), idToken: tokenInfo.token})
+              // Check that all the needed data comes in the silent Authentication, if not send to relog
+              if (silentRereshTokenResponse && silentRereshTokenResponse.idToken) {
+                // Update the session with the new access token
+                const session =  request.yar.get('session');
+                request.yar.set('session', {
+                  ...session,
+                  token: silentRereshTokenResponse.accessToken
+                });
+                const obtainedTokens = {};
+                obtainedTokens.tokenType = 'Bearer';
+                obtainedTokens.token = silentRereshTokenResponse.idToken;
+                obtainedTokens.tokenSubType = 'id_token';
+                obtainedTokens.account = silentRereshTokenResponse.account;
+                request.yar.set('jwtToken', obtainedTokens );
+                // let refreshedTokenInfo = { tokenType: 'Bearer', token: refreshedTokens.id_token, tokenSubType: 'id_token'};
+                // request.yar.set('jwtToken', refreshedTokenInfo);
+                // tokenInfo = refreshedTokenInfo;
+                await request.yar.commit(h);
+              } else {
+                // no valid set of tokens has returned, clear the yar storage and continue
+                request.yar.get('jwtToken', true);
+                await request.yar.commit(h);
+                delete request.headers.authorization; // Remove the authorization header
+                return h.continue;
+              }
+            } else {
+              // If Provider is Keycloak, execute this block
+              // If refresh token is expired as well, then the user MUST re-login
+              let isRefreshTokenExpired = await this.isRefreshTokenExpired(tokenInfo.refreshToken);
+              let refreshTokenPresent = 'refreshToken' in tokenInfo;
+              if (isRefreshTokenExpired && refreshTokenPresent) {
+                // clear token from cookies and exit
+                request.yar.get('jwtToken', true);
+                delete request.headers.authorization; // Remove the authorization header
+                await request.yar.commit(h);
+                return h.continue;
+              } else {
+                // If refresh token is present and not expired, attempt refresh
+                let refreshedTokens = await this.refreshToken(tokenInfo.refreshToken);
+                // Check that this method returned a valid set of tokens
+                if (refreshedTokens && refreshedTokens.token_type &&
+                    refreshedTokens.id_token && refreshedTokens.session_state && 
+                    refreshedTokens.access_token && refreshedTokens.refresh_token ) {
+                  let refreshedTokenInfo = { tokenType: 'Bearer', token: refreshedTokens.id_token, tokenSubType: 'id_token', refreshToken: refreshedTokens.refresh_token };
+                  request.yar.set('jwtToken', refreshedTokenInfo);
+                  await request.yar.commit(h);
+                  tokenInfo = refreshedTokenInfo;
+                } else {
+                  // Refresh token failed, clear and continue
+                  request.yar.get('jwtToken', true);
+                  delete request.headers.authorization;
+                  await request.yar.commit(h);
+                  return h.continue;
+                }
+              }
+            }
+          }
+          switch(tokenInfo.tokenType) {
+            case 'Bearer':
+            case 'bearer': {
+              request.headers.authorization = `Bearer ${tokenInfo.token}`;
+              break;
+            }
+            default:
+              break;
+          }
+        }
+        return h.continue;
+    });
+      hapiServer.ext('onPreResponse', async (request, h) => {
+        const response = request.response;
+ 
+        let authError = request.yar.get('authError', true);
+        // By this point, token refresh was already attempted in onPreAuth event, so it redirects to login on unauthorized
+        if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback') && !authError) {
+          if (this.authServerConfig.authServer.provider=== 'ad-azure') {
+            return h.redirect('/login').takeover();
+            const authUrl = await this.authServerConfig.authServer.msalClient.getAuthCodeUrl({
+               redirectUri: me.getBaseUrl(request) + 'auth/callback',
+               scopes: ['user.read'],
+             });
+       
+             return h.redirect(authUrl);
+          }
+          // Create the url query string parameters. with a random code verifier, store in yar and get the codeChallenge
+          const codeVerifier = crypto.randomBytes(32).toString('base64url');
+          request.yar.set('code_verifier', codeVerifier); // For PKCE auth flow
+          request.yar.set('originalUrlPathName', me.getFullUrl(request)); // For redirect after login
+          await request.yar.commit(h);
+
+          const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+          const responseType = 'code'; // Authorization code grant
+          const redirectUri = me.getBaseUrl(request) + 'auth/callback';
+          const codeChallengeMethod = 'S256'; // PKCE method
+          const scope = (authServer.scope) ? authServer.scope.replace(/\s+/g, '%20') : 'openid';
+      
+          const authLoginUrlWithParams = new URL(authServer.authorizationEndpoint);
+          authLoginUrlWithParams.searchParams.set('client_id', me.authServerConfig.authServer.clientId);
+          authLoginUrlWithParams.searchParams.set('response_type', responseType);
+          authLoginUrlWithParams.searchParams.set('redirect_uri', redirectUri);
+          authLoginUrlWithParams.searchParams.set('scope', scope);
+          authLoginUrlWithParams.searchParams.set('code_challenge', codeChallenge);
+          authLoginUrlWithParams.searchParams.set('code_challenge_method', codeChallengeMethod);
+      
+          // Redirect to Keycloak
+          return h.redirect(authLoginUrlWithParams.toString()).takeover();
+        }
+        return h.continue;
+      });
+      // /login so that i can redirect my user to a login.
+      hapiServer.route({
+        method: 'GET',
+        path: '/login',
+        options: {
+          auth: false, // Disable authentication for this route
+        },
+        handler: async (request, h) => {
+          const authUrl = await me.authServerConfig.authServer.msalClient.getAuthCodeUrl({
+            redirectUri: me.getBaseUrl(request) + 'auth/callback',
+            scopes: ['user.read'],
+          });
+    
+          return h.redirect(authUrl);
+        }
+      });
+      // /auth/callback
+      // Resolves the jwt token on a callback after the login (keycloak/azure)
+      hapiServer.route({
+        method: 'GET',
+        path: '/auth/callback',
+        options: {
+          auth: false, // Disable authentication for this route
+        },
+        handler: async (request, h) => {
+          const authCode = request.query.code;
+          if (!authCode) {
+            return h.response('Authorization code missing').code(400);
+          }
+          try {
+            let obtainedTokens = {};
+            // If we have azure-AD use that lifecycle
+            if (me.authServerConfig.authServer.msalClient) {
+              if (!authCode) {
+                return h.response('Missing authorization code').code(400);
+              }
+      
+              try {
+                const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
+                  code: authCode,
+                  redirectUri: me.getBaseUrl(request) + 'auth/callback',
+                  scopes: ['user.read'],
+                });
+      
+                request.yar.set('session', { token: tokenResponse.accessToken, user: tokenResponse.account });
+                obtainedTokens.tokenType = 'Bearer';
+                obtainedTokens.token = tokenResponse.idToken;
+                obtainedTokens.tokenSubType = 'id_token';
+                obtainedTokens.account = tokenResponse.account;
+                //return h.redirect('/');
+              } catch (error) {
+                console.error('Auth error:', error);
+                return h.response('Authentication failed').code(500);
+              }
+            } else {
+              // This code-block is for keycloak or other oauth0 for now
+              // Grab the code verifier
+              let codeVerifier = request.yar.get('code_verifier', true);
+              tokenResponse = await axios.post(
+                me.authServerConfig.authServer.tokenEndpoint,
+                new URLSearchParams({
+                  grant_type: 'authorization_code',
+                  client_id: me.authServerConfig.authServer.clientId,
+                  client_secret: me.authServerConfig.authServer.clientSecret, // If required
+                  code: authCode,
+                  redirect_uri: me.getRedirectUri(request),
+                  code_verifier: codeVerifier
+                }).toString(),
+                {
+                  headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                  },
+                }
+              );
+              if (!tokenResponse.statusText ==='OK') {
+                throw new Error('Failed to exchange code for tokens');
+              }
+              obtainedTokens.tokenType = 'Bearer';
+              obtainedTokens.token = tokenResponse.data.id_token;
+              obtainedTokens.tokenSubType = 'id_token';
+              obtainedTokens.refreshToken = tokenResponse.data.refresh_token;
+            }
+            let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
+            // Set session state
+            const sessionState = request.query.session_state;
+            h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
+
+            // Store the JWT token in the `Authorization` header or a cookie
+            switch (obtainedTokens.tokenType){
+              case 'Bearer':
+              case 'bearer': {
+                request.yar.set('jwtToken', obtainedTokens);
+                await request.yar.commit(h);
+                return h.redirect(originalUrlPathName).takeover();
+              }
+              default: {
+                break;
+
+              }
+            }
+            return h.continue; // Continue in case no token_type -> no auth header configured
+          } catch (error) {
+            request.yar.set('authError', true);
+            await request.yar.commit(h);
+            console.error('Failed to exchange code for token:', error.response?.data || error.message);
+            return h.response('Failed to authenticate').code(500).takeover();
+          }
+        },
+      });      
+      const me = this
+      // /get-authorization
+      hapiServer.route({
+        method: 'GET',
+        path: '/get-authorization',
+        handler: async (request, h) => {
+          try {
+            const { session_state: ckSessionState } = request.state
+            if (!ckSessionState) {
+              
+              throw new Exception("Hapi get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
+            }
+            const tokenSet = await me.openIdConnect.tokenSet()
+            const tokens = await tokenSet.tokens(ckSessionState)
+            const uma = await Uma.permission()
+            const token = await uma.ticket({ tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl, token: tokens.access_token, audience: authServer.clientId })
+            const sourceData = Jsonwebtoken.decode(token.access_token)
+            return h.response(JSON.stringify(sourceData.authorization)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+      // /get-security-rules
+      hapiServer.route({
+        method: 'GET',
+        path: '/get-security-rules',
+        handler: async (request, h) => {
+          try {
+            const securityRules = await securityService.getFrontendSecurityRules(request)
+            return h.response(JSON.stringify(securityRules)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+      // /get-permissions
+      hapiServer.route({
+        method: 'GET',
+        path: '/get-permissions',
+        handler: async (request, h) => {
+          try {
+            const permissions = await securityService.getPermissions()
+            return h.response(JSON.stringify(permissions)).takeover()
+          } catch (err) {
+            return errorResponse(h, err, 401)
+          }
+        }
+      })
+      // /get-user-info
+      hapiServer.route({
+        method: 'GET',
+        path: '/get-user-info',
+        handler: async (request, h) => {
+          try {
+            const userInfo = await securityService.getUserInfo(request)
+            return h
+              .response(JSON.stringify(userInfo))
+              .takeover()
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+      // /logout
+      hapiServer.route({
+        path: '/logout',
+        method: 'GET',
+        handler: async (request, h) => {
+          try {
+            const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
+            request.yar.clear('jwtToken');
+            await request.yar.commit(h);
+            let endSessionUrl = await me.endSessionUrl(me.getRedirectUri(request), me.clientOidc);
+            return h
+              .response()
+              .unstate(this.COOKIE_NAMES.SID)
+              .unstate(this.COOKIE_NAMES.SESSION_STATE)
+              .unstate(this.COOKIE_NAMES.AUTH_TOKEN)
+              .redirect(endSessionUrl)
+              .takeover()
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+      // /invalid-session
+      hapiServer.route({
+        path: '/invalid-session',
+        method: 'GET',
+        handler: async (request, h) => {
+          try {
+            const endSessionUrl = await me.openIdConnect.endSessionUrl({
+              redirectUri: this.getRedirectUri(request),
+              sessionState: request.state[this.COOKIE_NAMES.SESSION_STATE]
+            })
+            return h
+              .response()
+              .unstate(this.COOKIE_NAMES.SID)
+              .unstate(this.COOKIE_NAMES.SESSION_STATE)
+              .redirect(endSessionUrl)
+              .takeover()
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      })
+      // /check-session-iframe.html
+      hapiServer.route({
+        path: '/check-session-iframe.html',
+        method: 'GET',
+        handler: async (_request, h) => {
+          try {
+            let content = '<html/>'
+            if (authServer && authServer.checkSessionIframe) {
+              const { checkSessionIframe: sessionIframeUrl, clientId, sessionCookiesPrefix } = authServer
+              if (sessionIframeUrl && sessionIframeUrl.includes('https://')) {
+                trace('INFO', `Session management url: ${sessionIframeUrl}`)
+                content = getTemplate('session-iframe', {
+                  sessionIframeUrl,
+                  clientId,
+                  sessionCookiesPrefix: sessionCookiesPrefix || ''
+                })
+              } else {
+                trace('WARN', 'For session management, it is necessary to get the value from a cookie called session_state, and as a good practice, it should have reached a secure context [TLS].')
+              }
+            }
+            return h
+              .response(content)
+              .header('Content-Type', 'text/html')
+          } catch (err) {
+            return errorResponse(h, err, 500)
+          }
+        }
+      });
+    }
+  }
+
+  authServerSimulation (context) {
+    if (!context.config || !context.config.accessTokenSimulation) {
+      throw new Exception('Error parsing metadata for simulation', 'ConfigurationError', 404)
+    }
+    let { algorithm, payload, secret } = context.config.accessTokenSimulation
+    const me = this
+    context.ext('onPreAuth', async function (request, h) {
+      if (request.state && request.state[me.COOKIE_NAMES.ACCESS_TOKEN]) {
+        return h.continue
+      } else {
+        switch (algorithm) {
+          case 'HMAC-SHA384': {
+            algorithm = 'HS384'
+            break
+          }
+          case 'HMAC-SHA512': {
+            algorithm = 'HS512'
+            break
+          }
+          default: {
+            algorithm = 'HS256'
+          }
+        }
+        const jwt = me.openIdConnect.jwt().sign({ payload, secret, algorithm })
+        return h
+          .response()
+          .state(me.COOKIE_NAMES.ACCESS_TOKEN, jwt)
+          .redirect(me.getRedirectUri(request))
+          .takeover()
+      }
+    })
+    // /get-authorization
+    context.route({
+      path: '/get-authorization',
+      method: 'GET',
+      handler: async function (_request, h) {
+        return h
+          .response('[]')
+          .code(200)
+      }
+    })
+    // /get-security-rules
+    context.route({
+      path: '/get-security-rules',
+      method: 'GET',
+      handler: async function (_request, h) {
+        let securityRules = []
+        if (securityService && context.config.accessTokenSimulation.playload) {
+          const groups = securityService.getGroups(context.config.accessTokenSimulation.playload)
+          securityRules = securityService.getFrontendSecurityRules([groups])
+        }
+        return h
+          .response(JSON.stringify(securityRules))
+          .code(200)
+      }
+    })
+    // /get-permissions
+    context.route({
+      path: '/get-permissions',
+      method: 'GET',
+      handler: async function (_request, h) {
+        const permissions = (securityService) ? securityService.getPermissions() : []
+        return h
+          .response(JSON.stringify(permissions))
+          .code(200)
+      }
+    })
+    // /get-user-info
+    context.route({
+      path: '/get-user-info',
+      method: 'GET',
+      handler: async function (_request, h) {
+        return h
+          .response(JSON.stringify(payload))
+          .code(200)
+      }
+    })
+    // /logout
+    context.route({
+      path: '/logout',
+      method: 'GET',
+      handler: async function (_request, h) {
+        return h
+          .response()
+          .unstate(this.COOKIE_NAMES.ACCESS_TOKEN)
+          .takeover()
+      }
+    })
+  }
+
+  getRedirectUri (request) {
+    return contextConfig.authServer.redirectUri || getFullUrl(request)
+  }
+  getFullUrl (request) {
+    return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
+  }
+  getBaseUrl (request) {
+    return `${getProtocol(request)}://${getHost(request)}/`
+  }
+  async authenticate (h, scope) {
+    const { request } = h
+    const pkceCode = await this.openIdConnect.pkceCode()
+    const requestUrl = getFullUrl(request)
+    let oidcMetadata = await this.openIdConnect.oidcMetadata()
+    if (!oidcMetadata || !oidcMetadata.openid_configuration) {
+      oidcMetadata = await this.configuration(contextConfig.authServer)
+    }
+    if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
+      const authorizationUrl = await this.openIdConnect.authorizationUrl({ scope, redirectUri: this.getRedirectUri(request), pkceCode })
+      trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
+      return h
+        .response()
+        .state(this.COOKIE_NAMES.SID, pkceCode)
+        .redirect(authorizationUrl)
+        .takeover()
+    } else if (getPathname(request) === '/logout') {
+      return h.continue
+    } else {
+      const tokenSet = await this.openIdConnect.tokenSet()
+      const { state } = request
+      if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
+        const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
+        if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
+          throw new Exception('Error when getting token', 'ExpirationError', 403)
+        }
+        return h.continue
+      } else {
+        return h
+          .response()
+          .code(401)
+          .takeover()
+      }
+    }
+  }
+
+  async configurePlugins (server) {
+    // Add Yar to save info in the cookies across session calls
+    const hapiYarPassword = process.env.blz_hapiYarPassword || 'your-super-secure-yar-atleast-32-bytes-password';
+    await server.register({
+      plugin: hapiYar,
+      options: {
+        cookieOptions: {
+          password: hapiYarPassword,
+          isSecure: true,                  // Use true in production
+          isHttpOnly: true,
+          isSameSite: 'Lax',              // 'Strict', 'Lax', or 'None'
+          clearInvalid: true,
+          ignoreErrors: true
+        },
+        storeBlank: false, // Prevent saving blank sessions
+        maxCookieSize: 0   // Use server-side storage for larger payloads
+      }
+    });
+    // Register @hapi/jwt plugin
+    await server.register(hapiJwt);
+
+    // Check for static certificate or rotating.
+    let keysFetch = true;
+    if (true) {
+      // Azure rotating certificates, prepare for the hapi jwt module
+      this.startupJwksClient();
+      // set up the function in this.publickKeyFetch
+      this.startupPublickKeyFetch();
+      keysFetch = this.publicKeyFetch;
+    } else {
+      // Esto es para un certificado estatico. Keycloak lo permite
+      const response = await axios.get(this.authServerConfig.authServer.jwksUri);
+      const jwks = response.data; // JWKS data is directly accessible from response.data
+      const kidValue = this.authServerConfig.authServer.oAuthKid; // Kid from keycloak/azure, in realm settings
+      const key = jwks.keys.find(k => k.kid === kidValue);
+      if (!key) throw new Error(`Key with ID ${kid} not found`);
+      const pemPublicKey = jwkToPem(key);
+      this.authServerConfig.authServer.PublicKey = pemPublicKey;
+      keysFetch = {
+          key: pemPublicKey,
+          algorithms: ['RS256'],
+          kid: kidValue
+      };
+    }
+    if (this.authServerConfig.authServer.provider=== 'ad-azure') {
+      const tenant_id = this.authServerConfig.authServer.issuer.match(/login\.microsoftonline\.com\/([^/]+)/)?.[1]
+      this.authServerConfig.authServer.msalConfig = {
+        auth: {
+          clientId: this.authServerConfig.authServer.clientId,
+          authority: `https://login.microsoftonline.com/${tenant_id}`,
+          clientSecret: this.authServerConfig.authServer.clientSecret,
+        },
+      };
+      const msalClient = new ConfidentialClientApplication(this.authServerConfig.authServer.msalConfig);
+      this.authServerConfig.authServer.msalClient = msalClient;
+    }
+    
+
+    // Define the auth strategy
+    server.auth.strategy('jwtAuth', 'jwt', {
+    keys: keysFetch,
+    verify: {
+      aud: this.authServerConfig.authServer.clientId,
+      iss: this.authServerConfig.authServer.issuer,
+      exp: true, // validate expiration
+      sub: false
+    },
+    validate: false
+    // validate: async (artifacts, request, h) => {
+    //     // Validate the token payload (you can perform additional checks here if needed)
+    //     const { exp } = artifacts.decoded.payload;
+        
+    //     if (Date.now() >= exp * 1000) {
+    //         throw h.unauthorized('Token expired', { redirectToLogin: true });
+    //     }
+        
+    //     return { isValid: true, credentials: artifacts.decoded.payload };
+    // }
+    });
+
+    // Register the @hapi/cookie plugin
+    await server.register(hapiCookie);
+
+    // Define the cookie-based auth strategy
+    server.auth.strategy('cookieAuth', 'cookie', {
+      cookie: {
+          name: 'sid', // Primary session cookie
+          password: 'supersecretpasswordmustbeatleast32characterslong', // Encryption key
+          isSecure: true, // Should be true in production
+          isHttpOnly: true, // Prevents client-side JavaScript access
+          isSameSite: 'Lax', // Protects against CSRF
+      },
+      keepAlive: true, // automatically sets the session cookie after validation to extend the current session for a new ttl duration. Defaults to false.
+      redirectTo: false, //function(request) {}, // Redirect if authentication fails
+    });
+    // Set default auth strategy to try both JWT and cookies
+    server.auth.default({
+        strategies: ['jwtAuth', 'cookieAuth'], // Try JWT first, then Cookie
+    });
+  }
+
+  async configuration (authServer) {
+    if (!authServer) {
+      throw new Exception('Error when getting configuration attributes ')
+    }
+    const { clientId, clientSecret } = authServer
+    await this.openIdConnect.client({ clientId, clientSecret })
+    if (authServer.openIdConfigurationEndpoint) {
+      return await this.openIdConnect.configuration(authServer.openIdConfigurationEndpoint)
+    } else {
+      // If configuration uri does not exist but the auth server form has been filled in.
+      return await this.openIdConnect.configuration({
+        issuer: authServer.issuer,
+        authorization_endpoint: authServer.authorizationEndpoint,
+        token_endpoint: authServer.tokenEndpoint,
+        userinfo_endpoint: authServer.userinfoEndpoint,
+        end_session_endpoint: authServer.endSessionEndpoint,
+        jwks_uri: authServer.jwksUri
+      })
+    }
+  }
+  async prepareMemoryValues(){
+    //this.authServerFullLoginUrl = ;
+  }
+  async endSessionUrl (redirectUri, clientOidc) {
+    redirectUri = redirectUri.replace(/logout|invalid-session/gmi, '')
+    // Log off specific session.
+    if (!clientOidc) {
+      throw new Error('Unable to get configuration from identity provider', 'ConfigurationError', 404);
+    }
+    return clientOidc.endSessionUrl({ post_logout_redirect_uri: redirectUri })
+  }
+  oidcMetadataKey() {
+    return this.authServerConfig.authServer.sessionCookiesDomain || 'oidcMetadata'
+  }
+  async configuration (context) {
+    let metadata = await this.cache.get(this.oidcMetadataKey())
+    if (typeof context === 'string' && !context.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi)) {
+      throw new Exception('Wrong OpenId Provider configuration URI entered', 'AttributeError', 403)
+    }
+    if (!metadata || !metadata.issuer) {
+      if (context.issuer) {
+        metadata = { ...(metadata || {}), ...context }
+      } else {
+        metadata = metadata || {}
+        metadata.openid_configuration = context
+        metadata = { ...metadata, ...(await Issuer.discover(context.issuer)) } // Discover an issuer configuration, must be an url
+      }
+      await this.cache.set(this.oidcMetadataKey(), metadata, 864e5) // 1 day of cache
+    }
+    return new Iss(metadata)
+  }
+  async refreshToken (refreshToken) {
+    // Make a POST request to Keycloak to refresh the token
+    const response = await axios.post(this.authServerConfig.authServer.tokenEndpoint, 
+      new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id: this.authServerConfig.authServer.clientId,
+        client_secret: this.authServerConfig.authServer.clientSecret,
+        refresh_token: refreshToken,
+      }).toString(),
+      {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+      }
+    );
+    
+
+    if (!(response.status === 200)) {
+      const errorResponse = await response.json();
+      console.error('Error refreshing token:', errorResponse);
+      return errorResponse;
+    }
+    // Refresh token response may change from time to time, here are two possible responses
+    try {
+      return await response.json(); // all tokens refershed
+
+    } catch (error) {
+
+    }
+    try {
+      return response.data;
+    }
+    catch {
+
+    }
+   
+  }
+  async decodeJwtToken(token) {
+    const decodedToken = hapiJwt.token.decode(token);
+    return decodedToken;
+  }
+  async tokenAboutToExpire(token, minutesBeforeExpiration = 0) {
+    const decodedToken = hapiJwt.token.decode(token);
+    const expirationTime = decodedToken.decoded.payload.exp * 1000; // Convert to milliseconds
+    const currentTime = Date.now();
+    const expirationThreshold = minutesBeforeExpiration * 60 * 1000; // Convert minutes to milliseconds
+
+    // Check if the token is expired or about to expire within the specified minutes
+    const isAboutToExpire = expirationTime - currentTime <= expirationThreshold;
+    return isAboutToExpire;
+}
+  async isRefreshTokenExpired (refreshToken) {
+    try {
+      // Decode the token without verifying its signature.
+      const decodedRefreshToken =  hapiJwt.token.decode(refreshToken);
+      // Get the current timestamp (in seconds).
+      const currentTimestamp = Math.floor(Date.now() / 1000);
+
+      if (decodedRefreshToken && decodedRefreshToken.decoded && decodedRefreshToken.decoded.payload && decodedRefreshToken.decoded.payload.exp) {
+        return (decodedRefreshToken.decoded.payload.exp < currentTimestamp)
+      } else
+        return true;
+    } catch (error) {
+      // if there is an error treat as if expired, so a re-login is prompted
+      console.error('Failed to decode the token: Invalid Refresh token format', error);
+      return true;
+    }
+  }
+
+  async silentAuthenticationAzure ({redirectUri, idToken}) {
+    const authUrl = this.authServerConfig.authServer.authorizationEndpoint;
+    const decodedToken = await this.decodeJwtToken(idToken);
+  
+    try {
+      const response = await axios.get(authUrl, {
+        params: {
+          client_id: this.authServerConfig.authServer.clientId,
+          response_type: "id_token",
+          redirect_uri: redirectUri,
+          scope: this.authServerConfig.authServer.scope ?? 'openid',
+          prompt: "none",
+          response_mode: "fragment",
+          nonce: "random_nonce", // Should be a securely generated nonce
+          login_hint: decodedToken.decoded.payload.preferred_username
+        },
+        maxRedirects: 0, // Prevent following redirects automatically
+        validateStatus: (status) => status === 302 // Expecting a redirect response
+      });
+  
+      // Extract the token from the redirect location
+      const location = response.headers.location;
+      if (!location) throw new Error("No redirect location found");
+  
+      const params = new URLSearchParams(location.split("#")[1]);
+      if (params.has("id_token")) {
+        return { idToken: params.get("id_token") };
+      } else {
+        throw new Error("No ID token returned");
+      }
+    } catch (error) {
+      console.error("Silent authentication failed:", error.response?.data || error.message);
+      return null; // Handle failure gracefully
+    }
+  }
+
+  async startupJwksClient () {
+    // Azure rotating certificates, prepare for the hapi jwt module
+    this.clientJwk = jwksClient({
+      jwksUri: this.authServerConfig.authServer.jwksUri,
+      cache: true, // Cache signing keys to avoid frequent network calls
+      rateLimit: true, // Rate limit the number of requests to the JWKS URI
+      jwksRequestsPerMinute: 10, // Limit to 10 requests per minute
+    });
+  }
+  async startupPublickKeyFetch () {
+    // Function to get the signing key
+    const getKey = async (kid) => {
+      return new Promise((resolve, reject) => {
+        this.clientJwk.getSigningKey(kid, (err, key) => {
+          if (err) {
+            return reject(err);
+          }
+          const signingKey = key.getPublicKey(); // Public key for signature verification
+          resolve(signingKey);
+        });
+      });
+    };
+    this.publicKeyFetch = async (artifacts) => {
+      const kid = artifacts.decoded.header.kid; // Extract 'kid' from JWT header
+      return getKey(kid); // Fetch the corresponding public key
+    }
+  }
+}
+
+class Iss {
+  /**
+   * @constructor
+   * @param {Object} metadata
+   */
+  constructor (metadata) {
+    if (!metadata.id_token_signing_alg_values_supported) {
+      metadata.id_token_signing_alg_values_supported = ['RS256']
+    }
+    if (!metadata.response_types_supported) {
+      metadata.response_types_supported = ['code', 'none', 'id_token', 'token', 'id_token token', 'code id_token', 'code token', 'code id_token token']
+    }
+    if (!metadata.subject_types_supported) {
+      metadata.subject_types_supported = ['public']
+    }
+    const claimsRequired = METADATA.filter(({ type }) => type === 'REQUIRED');
+    const missingClaims = [];
+    
+    for (const claim of claimsRequired) {
+      const normalizedToCamelClaimName = claim.name.toLowerCase().replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
+      const attributeCamelCase = metadata[normalizedToCamelClaimName]; // Directly access metadata
+      const attributeSnakeCase = metadata[claim.name]; // Directly access metadata
+      if (!attributeSnakeCase && !attributeCamelCase) {
+        missingClaims.push(claim);
+      }
+    }
+    
+    if (missingClaims.length > 0) {
+      console.error(JSON.stringify(missingClaims));
+      throw new Error(JSON.stringify(missingClaims));
+    }
+    
+    // Issuer needs the metadata in snake_case
+    const issuer = metadata.Client ? metadata : new Issuer(this.#camelToSnakeCase(metadata))
+    // Client instance for the authorization server of that issuer.
+    const clientPayload = {
+      client_id: metadata.clientId,
+      response_type: 'code'
+    }
+    if (metadata.clientSecret) {
+      clientPayload.client_secret = metadata.clientSecret
+    }
+    this.clientOidc = new issuer.Client(clientPayload);
+  }
+  #camelToSnakeCase (obj) {
+    const toSnakeCase = str => str.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);
+  
+    if (typeof obj !== 'object' || obj === null) return obj;
+  
+    if (Array.isArray(obj)) {
+        return obj.map(item => this.#camelToSnakeCase(item));
+    }
+  
+    return Object.entries(obj).reduce((acc, [key, value]) => {
+        const newKey = toSnakeCase(key);
+        acc[newKey] = typeof value === 'object' && value !== null 
+            ? this.#camelToSnakeCase(value) 
+            : value;
+        return acc;
+    }, {});
+  }
+}
+
+module.exports = {
+  HapiServer
+}