@blazedpath/commons 0.2.2 → 0.3.1

package/blz-security/middleware/HapiServerAzureAd.js

@@ -1,681 +0,0 @@
-/**
- * @author Blazedpath Team
- * @implements Protecting all resources through hapi middleware
- * @description Hapi.js (derived from Http-API) is an open-source Node.js
- * framework used to build powerful and scalable web applications.
- * @see https://hapi.dev/api/
- */
-const Uma = require('../implementations/uma.js')
-const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
-const {
-	Exception,
-	getFullUrl,
-	getHost,
-	getProtocol,
-	getPathname,
-	getTemplate,
-	getTokenTolerance,
-	trace,
-	errorResponse
-} = require('../helpers/utils.js')
-// HapiServer Modules
-const hapiYar = require('@hapi/yar');
-const hapiJwt = require('@hapi/jwt');
-const hapiCookie = require('@hapi/cookie')
-
-// Azure AD rotates keys, so we jwk used to routinly fetch them
-const jwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
-// MS authenticator library
-const {
-	ConfidentialClientApplication
-} = require('@azure/msal-node');
-const crypto = require("crypto"); // FOR PKCE in msal
-const { saveVerifier, getVerifier } = require('../implementations/pkceCacheStore.js');
-
-let securityService = null
-
-// This class is defined to work with Azure AD.
-class HapiServerAzureAd {
-	constructor(openIdConnect, cookiesName, cache) {
-		this.openIdConnect = openIdConnect
-		this.COOKIE_NAMES = cookiesName
-		this.activateTraceApiMethod = false
-		this.queryStringLimit = null;
-		this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
-		this.authServerConfig = null;
-		this.authServerFullLoginUrl = null;
-		// This cache stores locally the jwt token set for refresh and logout.
-		this.cache = cache;
-		// To terminate sessions
-		// This client keeps a refresh of the rotating keys
-		this.clientJwk = null;
-		this.publicKeyFetch = null;
-	}
-
-	async connect(_securityService, hapiServer, config) {
-		this.authServerConfig = config;
-		securityService = _securityService
-		const {
-			authServer,
-			activateTraceApiMethod
-		} = config
-		if (activateTraceApiMethod) {
-			this.activateTraceApiMethod = activateTraceApiMethod
-		}
-		const stateOption = {
-			clearInvalid: true,
-			encoding: 'base64',
-			isSecure: true,
-			isHttpOnly: true,
-			isSameSite: 'Lax',
-			path: '/',
-			strictHeader: true
-		}
-		try {
-			if (authServer.sessionCookiesDomain) {
-				stateOption.domain = authServer.sessionCookiesDomain
-			}
-			stateOption.isHttpOnly = authServer.isHttpOnlyForSessionState ?? false;
-			hapiServer.state(this.COOKIE_NAMES.SESSION_STATE, stateOption);
-			if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
-				authServer.scope = `openid ${authServer.scope || ''}`
-			}
-			if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
-				hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
-				hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
-			}
-		} catch (err) {
-			console.error('ERROR', `Exception ${err.message}`, err)
-			trace('ERROR', err.stack)
-		}
-
-		// Add Plugins
-		this.configurePlugins(hapiServer);
-		// onPreAuth: Here we check if the jwtToken is stored in the yar, refresh, and recompose the authorization header before hapi jwt module auth.
-		// Http protocol does not redirect all headers on a 3XX code.
-		hapiServer.ext('onPreAuth', async (request, h) => {
-			// Retrieve the token from the yar storage
-			let tokenInfo = request.yar.get('jwtToken');
-			if (tokenInfo) {
-				// check if token is about to be expired, if expired, update
-				let aboutToExpire = await me.tokenAboutToExpire(tokenInfo.token, 10);
-				if (aboutToExpire) {
-					// To refresh the tokens, Azure uses a silent re authentication
-					const silentRereshTokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenSilent({
-						account: tokenInfo.account, // If token exists in yar. Account should always exist
-						scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
-					});
-					const obtainedTokens = {};
-					// Check if the silent refresh token was successful
-					if (silentRereshTokenResponse && silentRereshTokenResponse.idToken) {
-						obtainedTokens.tokenType = 'Bearer';
-						obtainedTokens.token = silentRereshTokenResponse.idToken;
-						obtainedTokens.tokenSubType = 'id_token';
-						obtainedTokens.account = silentRereshTokenResponse.account;
-						request.yar.set('jwtToken', obtainedTokens);
-						await request.yar.commit(h);
-					} else {
-						// no valid set of tokens has returned, clear the yar storage and continue
-						request.yar.set('userRelog', true);
-						obtainedTokens.account = tokenInfo.account;
-						request.yar.set('jwtToken', obtainedTokens);
-						await request.yar.commit(h);
-						delete request.headers.authorization; // Remove the authorization header
-						return h.continue;
-					}
-				}
-				switch (tokenInfo.tokenType) {
-					case 'Bearer':
-					case 'bearer': {
-						request.headers.authorization = `Bearer ${tokenInfo.token}`;
-						break;
-					}
-					default:
-						break;
-				}
-			}
-			return h.continue;
-		});
-		hapiServer.ext('onPreResponse', async (request, h) => {
-			const response = request.response;
-			// Seek to redirect to login on unauthorize
-			if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback')) {
-				function base64URLEncode(buffer) {
-					return buffer.toString("base64")
-						.replace(/=/g, "")
-						.replace(/\+/g, "-")
-						.replace(/\//g, "_");
-				}
-				function createPKCECodes() {
-					const verifier = base64URLEncode(crypto.randomBytes(32));
-					const challenge = base64URLEncode(crypto.createHash("sha256").update(verifier).digest());
-					return { verifier, challenge };
-				}
-				const pkce = createPKCECodes();
-				// This state id helps keep yar storage for code verifier across responseMode: form_post requests
-				const stateId = crypto.randomBytes(16).toString('hex');
-				saveVerifier(stateId, pkce.verifier);
-
-				const authUrl = await this.authServerConfig.authServer.msalClient.getAuthCodeUrl({
-					redirectUri: me.getRedirectUri(request, 'auth/callback'),
-					scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
-					codeChallenge: pkce.challenge,
-					codeChallengeMethod: "S256",
-					responseMode: 'form_post',
-					state: stateId
-				});
-
-				let userRelog = request.yar.get('userRelog');
-				request.yar.set('pkv', pkce.verifier)
-				request.yar.commit(h);
-				if (userRelog && request.path !== '/') {
-					return h.redirect('/');
-				} else {
-					return h.redirect(authUrl);
-				}
-			}
-			return h.continue;
-		});
-		// GET /auth/callback: Resolves the jwt token on a callback after the login (keycloak/azure)
-		hapiServer.route({
-			method: 'GET',
-			path: '/auth/callback',
-			options: {
-				auth: false, // Disable authentication for this route
-			},
-			handler: async (request, h) => {
-				const authCode = request.query.code;
-				if (!authCode) {
-					return h.response('Authorization code missing').code(400);
-				}
-				try {
-					let pkceverifier = request.yar.get('pkv');
-					const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
-						code: authCode,
-						redirectUri: me.getRedirectUri(request, 'auth/callback'),
-						scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
-						codeVerifier: pkceverifier,
-					});
-					let obtainedTokens = {
-						tokenType: 'Bearer',
-						token: tokenResponse.idToken,
-						tokenSubType: 'id_token',
-						account: tokenResponse.account
-					};
-					request.yar.set('jwtToken', obtainedTokens);
-					let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
-					// Set session state
-					const sessionState = request.query.session_state;
-					h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
-
-					// already reloged
-					request.yar.clear('userRelog');
-					// Store the JWT token in the `Authorization` header or a cookie
-					switch (obtainedTokens.tokenType) {
-						case 'Bearer':
-						case 'bearer': {
-							request.yar.set('jwtToken', obtainedTokens);
-							await request.yar.commit(h);
-							return h.redirect(originalUrlPathName);
-						}
-						default: {
-							break;
-						}
-					}
-					await request.yar.commit(h);
-					return h.redirect('/'); // Continue in case no token_type -> no auth header configured
-				} catch (error) {
-					request.yar.reset();
-					await request.yar.commit(h);
-					delete request.headers.authorization; // Remove the authorization header
-					console.error('Failed to obtain jwt token: ', error.response?.data ?? error.message);
-					return h.response('Failed to authenticate').code(500).takeover();
-				}
-			},
-		});
-		// POST /auth/callback: Resolves the jwt token on a callback after the login (keycloak/azure)
-		hapiServer.route({
-			method: 'POST',
-			path: '/auth/callback',
-			options: {
-				auth: false, // Disable authentication for this route
-			},
-			handler: async (request, h) => {
-				const authCode = request.payload.code;
-				if (!authCode) {
-					return h.response('Authorization code missing').code(400);
-				}
-				try {
-					//let pkceverifier = request.yar.get('pkv');
-					const stateId = request.payload.state;
-					//const pkceverifier = request.yar.get(`pkce:${stateId}`);
-					const pkceverifier = getVerifier(stateId)
-					const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
-						code: authCode,
-						redirectUri: me.getRedirectUri(request, 'auth/callback'),
-						scopes: me.authServerConfig.authServer.scope.split(" ") ?? ["user.read"],
-						codeVerifier: pkceverifier,
-						responseMode: 'form_post'
-					});
-					let obtainedTokens = {
-						tokenType: 'Bearer',
-						token: tokenResponse.idToken,
-						tokenSubType: 'id_token',
-						account: tokenResponse.account
-					};
-					request.yar.set('jwtToken', obtainedTokens);
-					let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
-					// Set session state
-					const sessionState = request.payload.session_state;
-					if (!sessionState) {
-						return h.response('Session State missing').code(400);
-					}
-					h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
-
-
-					// already reloged
-					request.yar.clear('userRelog');
-					// Store the JWT token in the `Authorization` header or a cookie
-					switch (obtainedTokens.tokenType) {
-						case 'Bearer':
-						case 'bearer': {
-							request.yar.set('jwtToken', obtainedTokens);
-							await request.yar.commit(h);
-							return h.redirect(originalUrlPathName);
-						}
-						default: {
-							break;
-						}
-					}
-					await request.yar.commit(h);
-					return h.redirect('/'); // Continue in case no token_type -> no auth header configured
-				} catch (error) {
-					request.yar.reset();
-					await request.yar.commit(h);
-					delete request.headers.authorization; // Remove the authorization header
-					console.error('Failed to obtain jwt token: ', error.response?.data ?? error.message);
-					return h.response('Failed to authenticate').code(500).takeover();
-				}
-			},
-		});
-		const me = this
-		// /get-authorization
-		hapiServer.route({
-			method: 'GET',
-			path: '/get-authorization',
-			handler: async (request, h) => {
-				try {
-					const {
-						session_state: ckSessionState
-					} = request.state
-					if (!ckSessionState) {
-						throw new Exception("Azure get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
-					}
-					const tokenSet = await me.openIdConnect.tokenSet()
-					const tokens = await tokenSet.tokens(ckSessionState)
-					const uma = await Uma.permission()
-					const token = await uma.ticket({
-						tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl,
-						token: tokens.access_token,
-						audience: authServer.clientId
-					})
-					const sourceData = Jsonwebtoken.decode(token.access_token)
-					return h.response(JSON.stringify(sourceData.authorization)).takeover()
-				} catch (err) {
-					return errorResponse(h, err, 401)
-				}
-			}
-		})
-		// /get-security-rules
-		hapiServer.route({
-			method: 'GET',
-			path: '/get-security-rules',
-			handler: async (request, h) => {
-				try {
-					const securityRules = await securityService.getFrontendSecurityRules(request)
-					return h.response(JSON.stringify(securityRules)).takeover()
-				} catch (err) {
-					return errorResponse(h, err, 401)
-				}
-			}
-		})
-		// /get-permissions
-		hapiServer.route({
-			method: 'GET',
-			path: '/get-permissions',
-			handler: async (request, h) => {
-				try {
-					const permissions = await securityService.getPermissions()
-					return h.response(JSON.stringify(permissions)).takeover()
-				} catch (err) {
-					return errorResponse(h, err, 401)
-				}
-			}
-		})
-
-		hapiServer.route({
-			method: 'GET',
-			path: '/check-authorize',
-			handler: async (request, h) => {
-				try {
-					const resourcePath = request.query.path;
-					const action = request.query.action;
-					const roles = request.query.roles;
-					const domains = request.query.domains;
-					let parsedRoles;
-					if (Array.isArray(roles)) {
-						parsedRoles = roles;
-					} else if (typeof roles === 'string') {
-						parsedRoles = roles.split(',').map(r => r.trim());
-					} else {
-						parsedRoles = [];
-					}
-					let parsedDomains;
-					if (Array.isArray(domains)) {
-						parsedDomains = domains;
-					} else if (typeof domains === 'string') {
-						parsedDomains = domains.split(',').map(d => d.trim());
-					} else {
-						parsedDomains = [];
-					}
-					const result = await securityService.checkAuthorize(
-						resourcePath,
-						action,
-						parsedRoles,
-						parsedDomains
-					);
-					return h.response(JSON.stringify(result)).takeover()
-				} catch (err) {
-					return errorResponse(h, err, 401)
-				}
-			}
-		})
-
-		// /get-user-info
-		hapiServer.route({
-			method: 'GET',
-			path: '/get-user-info',
-			handler: async (request, h) => {
-				try {
-					const userInfo = await securityService.getUserInfo(request)
-					return h
-						.response(JSON.stringify(userInfo))
-						.takeover()
-				} catch (err) {
-					return errorResponse(h, err, 500)
-				}
-			}
-		})
-		// /logout
-		hapiServer.route({
-			path: '/logout',
-			method: 'GET',
-			options: {
-				auth: false
-			}, // No auth required for logout
-			handler: async (request, h) => {
-				try {
-					// Get the post-logout redirect URI (where the user will go after logout)
-					const postLogoutRedirectUri = encodeURIComponent(me.getBaseUrl(request));
-					// Construct the logout URL for Azure AD
-					const logoutUrl = `https://login.microsoftonline.com/${me.authServerConfig.authServer.tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri=${postLogoutRedirectUri}`;
-
-					// Clear session
-					request.yar.clear('jwtToken');
-					request.yar.clear('userRelog');
-
-					return h.redirect(logoutUrl); // Redirect to Azure AD logout
-				} catch (error) {
-					console.error('Error logging out:', error);
-					return h.response('Logout failed').code(500);
-				}
-			},
-		});
-		// /check-session-iframe.html
-		// This method returns the htlm code for the iframe
-		hapiServer.route({
-			path: '/check-session-iframe.html',
-			method: 'GET',
-			options: {
-				auth: false
-			},
-			handler: async (request, h) => {
-				try {
-					let content = getTemplate('session-iframe-azure-ad', {
-						checkSessionUrl: me.getBaseUrl(request) + 'check-session'
-					})
-					return h.response(content)
-						.header('Content-Type', 'text/html')
-				} catch (err) {
-					return errorResponse(h, err, 500)
-				}
-			}
-		});
-		// /check-session
-		hapiServer.route({
-			path: '/check-session',
-			options: {
-				auth: false
-			},
-			method: 'GET',
-			handler: async (request, h) => {
-				let tokenInfo = request.yar.get('jwtToken');
-				let tokenIsExpired = { expired: false }
-				if (tokenInfo) {
-					// check if token is about to be expired
-					tokenIsExpired.expired = await me.tokenAboutToExpire(tokenInfo.token, 0.5);
-					if (tokenIsExpired.expired) {
-						let params = {
-							redirectUri: me.getRedirectUri(request, 'auth/callback'),
-							scopes: me.authServerConfig.authServer.scope.split(" "),
-						}
-						tokenIsExpired.redirectUrl = await me.authServerConfig.authServer.msalClient.getAuthCodeUrl(params);
-						request.yar.clear('jwtToken');
-						request.yar.clear('userRelog');
-					}
-				}
-				return h.response(tokenIsExpired);
-			}
-		})
-	}
-	getRedirectUri(request, redirectPath) {
-		const baseUrl = this.authServerConfig.url ?? this.getBaseUrl(request);
-		const path = (redirectPath) ?? this.getPathname(request);
-		let url = new URL(path, baseUrl);
-
-		// If the hostname is not localhost, force HTTPS
-		if (url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
-			url.protocol = 'https:';
-		}
-		return url.toString();
-	}
-	getFullUrl(request) {
-		return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
-	}
-	getBaseUrl(request) {
-		return `${getProtocol(request)}://${getHost(request)}/`
-	}
-	async authenticate(h, scope) {
-		const {
-			request
-		} = h
-		const pkceCode = await this.openIdConnect.pkceCode()
-		const requestUrl = getFullUrl(request)
-		let oidcMetadata = await this.openIdConnect.oidcMetadata()
-		if (!oidcMetadata || !oidcMetadata.openid_configuration) {
-			oidcMetadata = await this.configuration(this.authServerConfig.authServer)
-		}
-		if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
-			const authorizationUrl = await this.openIdConnect.authorizationUrl({
-				scope,
-				redirectUri: this.getRedirectUri(request),
-				pkceCode
-			})
-			trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
-			return h
-				.response()
-				.state(this.COOKIE_NAMES.SID, pkceCode)
-				.redirect(authorizationUrl)
-				.takeover()
-		} else if (getPathname(request) === '/logout') {
-			return h.continue
-		} else {
-			const tokenSet = await this.openIdConnect.tokenSet()
-			const {
-				state
-			} = request
-			if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
-				const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
-				if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
-					throw new Exception('Error when getting token', 'ExpirationError', 403)
-				}
-				return h.continue
-			} else {
-				return h
-					.response()
-					.code(401)
-					.takeover()
-			}
-		}
-	}
-
-	async configurePlugins(server) {
-		// Add Yar to save info in the cookies across session calls
-		const hapiYarPassword = process.env.blz_hapiYarPassword || 'your-super-secure-yar-atleast-32-bytes-password';
-		await server.register({
-			plugin: hapiYar,
-			options: {
-				name: 'yar_state',
-				cookieOptions: {
-					password: hapiYarPassword,
-					isSecure: true, // Use true in production
-					isHttpOnly: true,
-					isSameSite: 'Lax', // 'Strict', 'Lax', or 'None'
-					clearInvalid: true,
-					ignoreErrors: true
-				},
-				storeBlank: false, // Prevent saving blank sessions
-				maxCookieSize: 0 // Use server-side storage for larger payloads
-			}
-		});
-		// Register @hapi/jwt plugin
-		await server.register(hapiJwt);
-
-		// Check for static certificate or rotating.
-		let keysFetch = true;
-		// Azure rotating certificates, prepare for the hapi jwt module
-		this.startupJwksClient();
-		// set up the function in this.publickKeyFetch
-		this.startupPublickKeyFetch();
-		keysFetch = this.publicKeyFetch;
-		const tenant_id = this.authServerConfig.authServer.issuer.match(/login\.microsoftonline\.com\/([^/]+)/)?.[1];
-		this.authServerConfig.authServer.tenantId = tenant_id;
-		this.authServerConfig.authServer.msalConfig = {
-			auth: {
-				clientId: this.authServerConfig.authServer.clientId,
-				authority: `https://login.microsoftonline.com/${tenant_id}`,
-				clientSecret: this.authServerConfig.authServer.clientSecret
-			},
-		};
-		const msalClient = new ConfidentialClientApplication(this.authServerConfig.authServer.msalConfig);
-		this.authServerConfig.authServer.msalClient = msalClient;
-
-		// Define the auth strategy
-		server.auth.strategy('jwtAuth', 'jwt', {
-			keys: keysFetch,
-			verify: {
-				aud: this.authServerConfig.authServer.clientId,
-				iss: this.authServerConfig.authServer.issuer,
-				exp: true, // validate expiration
-				sub: false
-			},
-			validate: false
-		});
-
-		// Register the @hapi/cookie plugin
-		await server.register(hapiCookie);
-		
-		const hapiCookiePassword = process.env.blz_hapiCookiePassword || 'supersecretpasswordmustbeatleast32characterslong';
-		// Define the cookie-based auth strategy
-		server.auth.strategy('cookieAuth', 'cookie', {
-			cookie: {
-				name: 'sid', // Primary session cookie
-				password: hapiCookiePassword, // Encryption key
-				isSecure: true, // Should be true in production
-				isHttpOnly: true, // Prevents client-side JavaScript access
-				isSameSite: 'Lax', // Protects against CSRF
-			},
-			keepAlive: true,
-			redirectTo: false,
-		});
-		// Set default auth strategy to try both JWT and cookies
-		server.auth.default({
-			strategies: ['jwtAuth', 'cookieAuth'], // Try JWT first, then Cookie
-		});
-	}
-
-	async decodeJwtToken(token) {
-		const decodedToken = hapiJwt.token.decode(token);
-		return decodedToken;
-	}
-	async tokenAboutToExpire(token, minutesBeforeExpiration = 0) {
-		if (!token)
-			return true;
-		const decodedToken = hapiJwt.token.decode(token);
-		const expirationTime = decodedToken.decoded.payload.exp * 1000; // Convert to milliseconds
-		const currentTime = Date.now();
-		const expirationThreshold = minutesBeforeExpiration * 60 * 1000; // Convert minutes to milliseconds
-
-		// Check if the token is expired or about to expire within the specified minutes
-		const isAboutToExpire = expirationTime - currentTime <= expirationThreshold;
-		return isAboutToExpire;
-	}
-	async isRefreshTokenExpired(refreshToken) {
-		try {
-			// Decode the token without verifying its signature.
-			const decodedRefreshToken = hapiJwt.token.decode(refreshToken);
-			// Get the current timestamp (in seconds).
-			const currentTimestamp = Math.floor(Date.now() / 1000);
-
-			if (decodedRefreshToken && decodedRefreshToken.decoded && decodedRefreshToken.decoded.payload && decodedRefreshToken.decoded.payload.exp) {
-				return (decodedRefreshToken.decoded.payload.exp < currentTimestamp)
-			} else
-				return true;
-		} catch (error) {
-			// if there is an error treat as if expired, so a re-login is prompted
-			console.error('Failed to decode the token: Invalid Refresh token format', error);
-			return true;
-		}
-	}
-	async startupJwksClient() {
-		// Azure rotating certificates, prepare for the hapi jwt module
-		this.clientJwk = jwksClient({
-			jwksUri: this.authServerConfig.authServer.jwksUri,
-			cache: true, // Cache signing keys to avoid frequent network calls
-			rateLimit: true, // Rate limit the number of requests to the JWKS URI
-			jwksRequestsPerMinute: 10, // Limit to 10 requests per minute
-		});
-	}
-	async startupPublickKeyFetch() {
-		// Function to get the signing key
-		const getKey = async (kid) => {
-			return new Promise((resolve, reject) => {
-				this.clientJwk.getSigningKey(kid, (err, key) => {
-					if (err) {
-						return reject(err);
-					}
-					const signingKey = key.getPublicKey(); // Public key for signature verification
-					resolve(signingKey);
-				});
-			});
-		};
-		this.publicKeyFetch = async (artifacts) => {
-			const kid = artifacts.decoded.header.kid; // Extract 'kid' from JWT header
-			return getKey(kid); // Fetch the corresponding public key
-		}
-	}
-}
-
-module.exports = {
-	HapiServerAzureAd
-}