@blazedpath/commons 0.2.2 → 0.3.1

package/blz-security/middleware/HapiServerKeycloak.js

@@ -1,876 +0,0 @@
-/**
- * @author Blazedpath Team
- * @implements Protecting all resources through hapi middleware
- * @description Hapi.js (derived from Http-API) is an open-source Node.js
- * framework used to build powerful and scalable web applications.
- * @see https://hapi.dev/api/
- */
-const Uma = require('../implementations/uma')
-const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
-const {
-    Exception,
-    getFullUrl,
-    getHost,
-    getProtocol,
-    getPathname,
-    getTemplate,
-    getTokenTolerance,
-    trace,
-    errorResponse
-} = require('../helpers/utils')
-// HapiServer Modules
-const hapiYar = require('@hapi/yar');
-const hapiJwt = require('@hapi/jwt');
-const hapiCookie = require('@hapi/cookie')
-// Quick Http Fetch using axios
-const axios = require('axios');
-// Crypto for code_verifier in token exchange
-const crypto = require('crypto');
-// Uses Issue to cache manage and logout (generators/customs not sure why yet)
-const {
-    Issuer
-} = require('openid-client') // OpenID Certified Relying Party.
-const {
-    METADATA
-} = require('../helpers/consts')
-// Rotating key-certs, so we jwk used to routinly fetch them
-const jwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
-
-let contextConfig = {}
-let securityService = null
-
-class HapiServerKeycloak {
-    constructor(openIdConnect, cookiesName, cache) {
-        this.openIdConnect = openIdConnect
-        this.COOKIE_NAMES = cookiesName
-        this.activateTraceApiMethod = false
-        this.queryStringLimit = null;
-        this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
-        this.authServerConfig = null;
-        this.authServerFullLoginUrl = null;
-        // This cache stores locally the jwt token set for refresh and logout.
-        this.cache = cache;
-        // To terminate sessions
-        this.clientOidc = null;
-        // This client keeps a refresh of the rotating keys
-        this.clientJwk = null;
-        this.publicKeyFetch = null;
-        // URL temporal hash
-        this.securityService = null;
-        this.securityUrlCookieKey = null;
-    }
-    
-    async generateGuid() {
-        return crypto.randomUUID();
-    }
-
-    async connect(_securityService, hapiServer, config) {
-        contextConfig = config
-        this.authServerConfig = contextConfig;
-        securityService = _securityService
-        const {
-            authServer,
-            activateTraceApiMethod
-        } = config
-        if (activateTraceApiMethod) {
-            this.activateTraceApiMethod = activateTraceApiMethod
-        }
-        let oidcConfiguration = {}
-        const stateOption = {
-            clearInvalid: true,
-            encoding: 'base64',
-            isSecure: true,
-            isHttpOnly: true,
-            isSameSite: 'Lax',
-            path: '/',
-            strictHeader: true
-        }
-        try {
-            if (authServer.sessionCookiesDomain) {
-                stateOption.domain = authServer.sessionCookiesDomain
-            }
-            stateOption.isHttpOnly = authServer.isHttpOnlyForSessionState ?? false;
-            hapiServer.state(this.COOKIE_NAMES.SESSION_STATE, stateOption)
-            oidcConfiguration = await this.configuration(authServer)
-            if (oidcConfiguration.clientOidc) {
-                this.clientOidc = oidcConfiguration.clientOidc;
-            }
-            if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
-                authServer.scope = `openid ${authServer.scope || ''}`
-                authServer.scope.trim();
-            }            
-            if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
-                hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
-                hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
-            }
-            trace('INFO', 'The following configuration was initialized')
-            const securityConfiguration = Object.fromEntries(Object.entries(authServer).filter((entry) => !['clientSecret', 'PrivateKey', 'PublicKey'].includes(entry[0])))
-            trace('INFO', oidcConfiguration.tokenEndpoint ? oidcConfiguration : securityConfiguration)
-
-            // cookie specifically used for path hash
-            this.securityUrlCookieKey = securityService.getSecureUrlCookieKey();
-            if (this.securityUrlCookieKey) {
-                const securityUrlCookieStateOptions = {
-                    ...stateOption,
-                    isHttpOnly: false,
-                    ttl: null,
-                };
-                hapiServer.state(this.securityUrlCookieKey, securityUrlCookieStateOptions);
-            }
-        } catch (err) {
-            trace('ERROR', `Exception ${err.message}`)
-            trace('ERROR', err.stack)
-        }
-        // set the scope
-        const me = this
-        // Add Plugins
-
-        this.configurePlugins(hapiServer);
-        // onPreAuth: Here we check if the jwtToken in yar, recompose the authorization header before hapi jwt module auth.
-        // Http protocol does not redirect all headers on a 3XX code.
-        hapiServer.ext('onPreAuth', async (request, h) => {
-            // add cookie para lo de flavio
-            if (this.securityUrlCookieKey){
-                const clientId = request.state[this.securityUrlCookieKey];
-                if (!clientId) {
-                    const securityUrlCookieKeyValue = await this.generateGuid();
-                    h.state(this.securityUrlCookieKey, securityUrlCookieKeyValue); // Set cookie
-                }
-            }
-
-            // Retrieve token info from yar storage
-            let tokenInfo = request.yar.get('jwtToken');
-            if (tokenInfo) {
-                // check if token is about to be expired or absent, if so, update
-                let aboutToExpire = await me.tokenAboutToExpire(tokenInfo.token, 10);
-                if (aboutToExpire) {
-                    // If refresh token is expired as well, then the user MUST re-login
-                    let isRefreshTokenExpired = await this.isRefreshTokenExpired(tokenInfo.refreshToken);
-                    let refreshTokenPresent = 'refreshToken' in tokenInfo;
-                    if (isRefreshTokenExpired && refreshTokenPresent) {
-                        // clear token from cookies and exit
-                        request.yar.get('jwtToken', true);
-                        delete request.headers.authorization; // Remove the authorization header
-                        await request.yar.commit(h);
-                        return h.continue;
-                    } else {
-                        // If refresh token is present and not expired, attempt refresh
-                        let refreshedTokens = await this.refreshToken(tokenInfo.refreshToken);
-                        // Check that this method returned a valid set of tokens
-                        if (refreshedTokens && refreshedTokens.token_type &&
-                            (refreshedTokens.id_token || refreshedTokens.access_token) && refreshedTokens.session_state &&
-                                refreshedTokens.refresh_token) {
-                            let refreshedTokenInfo = {
-                                tokenType: 'Bearer',
-                                token: refreshedTokens.id_token,
-                                tokenSubType: 'id_token',
-                                refreshToken: refreshedTokens.refresh_token
-                            };
-                            request.yar.set('jwtToken', refreshedTokenInfo);
-                            await request.yar.commit(h);
-                            tokenInfo = refreshedTokenInfo;
-                        } else {
-                            // Refresh token failed, clear and continue
-                            request.yar.get('jwtToken', true);
-                            delete request.headers.authorization;
-                            await request.yar.commit(h);
-                            return h.continue;
-                        }
-                    }
-                }
-                switch (tokenInfo.tokenType) {
-                    case 'Bearer':
-                    case 'bearer': {
-                        request.headers.authorization = `Bearer ${tokenInfo.token}`;
-                        break;
-                    }
-                    default:
-                        break;
-                }
-            }
-            return h.continue;
-        });
-        hapiServer.ext('onPreResponse', async (request, h) => {
-            const response = request.response;
-
-            let authError = request.yar.get('authError', true);
-            await request.yar.commit(h);
-            // By this point, token refresh was already attempted in onPreAuth event, so it redirects to login on unauthorized
-            if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback') && !authError) {
-                // Create the url query string parameters. with a random code verifier, store in yar and get the codeChallenge
-                const codeVerifier = crypto.randomBytes(32).toString('base64url');
-                request.yar.set('code_verifier', codeVerifier); // For PKCE auth flow
-                request.yar.set('originalUrlPathName', me.getFullUrl(request)); // For redirect after login
-                await request.yar.commit(h);
-
-                const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-                const responseType = 'code'; // Authorization code grant
-                const redirectUri = me.getRedirectUriPath(request, 'auth/callback');
-                const codeChallengeMethod = 'S256'; // PKCE method
-                const scope = (authServer.scope) ? authServer.scope.trim().replace(/\s+/g, '%20') : 'openid';
-
-                const authLoginUrlWithParams = new URL(authServer.authorizationEndpoint);
-                authLoginUrlWithParams.searchParams.set('client_id', me.authServerConfig.authServer.clientId);
-                authLoginUrlWithParams.searchParams.set('response_type', responseType);
-                authLoginUrlWithParams.searchParams.set('redirect_uri', redirectUri);
-                authLoginUrlWithParams.searchParams.set('scope', scope);
-                authLoginUrlWithParams.searchParams.set('code_challenge', codeChallenge);
-                authLoginUrlWithParams.searchParams.set('code_challenge_method', codeChallengeMethod);
-
-                // Redirect to Keycloak
-                return h.redirect(authLoginUrlWithParams.toString()).takeover();
-            }
-            return h.continue;
-        });
-        // /auth/callback : Resolves the jwt token on a callback after the login
-        hapiServer.route({
-            method: 'GET',
-            path: '/auth/callback',
-            options: {
-                auth: false, // Disable authentication for this route
-            },
-            handler: async (request, h) => {
-                const authCode = request.query.code;
-                if (!authCode) {
-                    return h.response('Authorization code missing').code(400);
-                }
-                try {
-                    // Grab the code verifier
-                    let codeVerifier = request.yar.get('code_verifier', true);
-                    let tokenResponse = await axios.post(
-                        me.authServerConfig.authServer.tokenEndpoint,
-                        new URLSearchParams({
-                            grant_type: 'authorization_code',
-                            client_id: me.authServerConfig.authServer.clientId,
-                            client_secret: me.authServerConfig.authServer.clientSecret, // If required
-                            code: authCode,
-                            redirect_uri: me.getRedirectUriPath(request, 'auth/callback'),
-                            code_verifier: codeVerifier
-                        }).toString(), {
-                            headers: {
-                                'Content-Type': 'application/x-www-form-urlencoded',
-                            },
-                        }
-                    );
-                    if (!tokenResponse.statusText === 'OK') {
-                        throw new Error('Failed to exchange code for tokens');
-                    }
-                    let obtainedTokens = {};
-                    obtainedTokens.tokenType = 'Bearer';
-                    if (tokenResponse.data.id_token) {
-                        obtainedTokens.token = tokenResponse.data.id_token;
-                        obtainedTokens.tokenSubType = 'id_token';
-                    } else {
-                        obtainedTokens.token = tokenResponse.data.access_token;
-                        obtainedTokens.tokenSubType = 'access_token';
-                    }
-                    obtainedTokens.refreshToken = tokenResponse.data.refresh_token;
-
-                    let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
-                    // Set session state
-                    const sessionState = request.query.session_state;
-                    h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
-
-                    // Store the JWT token in the `Authorization` header or a cookie
-                    switch (obtainedTokens.tokenType) {
-                        case 'Bearer':
-                        case 'bearer': {
-                            request.yar.set('jwtToken', obtainedTokens);
-                            await request.yar.commit(h);
-                            return h.redirect(originalUrlPathName).takeover();
-                        }
-                        default: {
-                            break;
-                        }
-                    }
-                    return h.continue; // Continue in case no token_type -> no auth header configured
-                } catch (error) {
-                    request.yar.set('authError', false);
-                    await request.yar.commit(h);
-                    console.error('Failed to exchange code for token:', error.response?.data || error.message);
-                    return h.response('Failed to authenticate').code(500).takeover();
-                }
-            },
-        });
-        // /get-authorization
-        hapiServer.route({
-            method: 'GET',
-            path: '/get-authorization',
-            handler: async (request, h) => {
-                try {
-                    const {
-                        session_state: ckSessionState
-                    } = request.state
-                    if (!ckSessionState) {
-                        throw new Exception("Keycloack get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
-                    }
-                    const tokenSet = await me.openIdConnect.tokenSet()
-                    const tokens = await tokenSet.tokens(ckSessionState)
-                    const uma = await Uma.permission()
-                    const token = await uma.ticket({
-                        tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl,
-                        token: tokens.access_token,
-                        audience: authServer.clientId
-                    })
-                    const sourceData = Jsonwebtoken.decode(token.access_token)
-                    return h.response(JSON.stringify(sourceData.authorization)).takeover()
-                } catch (err) {
-                    return errorResponse(h, err, 401)
-                }
-            }
-        })
-        // /get-security-rules
-        hapiServer.route({
-            method: 'GET',
-            path: '/get-security-rules',
-            handler: async (request, h) => {
-                try {
-                    const securityRules = await securityService.getFrontendSecurityRules(request)
-                    return h.response(JSON.stringify(securityRules)).takeover()
-                } catch (err) {
-                    return errorResponse(h, err, 401)
-                }
-            }
-        })
-        // /get-permissions
-        hapiServer.route({
-            method: 'GET',
-            path: '/get-permissions',
-            handler: async (request, h) => {
-                try {
-                    const permissions = await securityService.getPermissions()
-                    return h.response(JSON.stringify(permissions)).takeover()
-                } catch (err) {
-                    return errorResponse(h, err, 401)
-                }
-            }
-        })
-
-        hapiServer.route({
-            method: 'GET',
-            path: '/check-authorize',
-            handler: async (request, h) => {
-              try {
-                const resourcePath = request.query.path;
-                const action = request.query.action;
-                const roles = request.query.roles;
-                const domains = request.query.domains;
-                let parsedRoles;
-                if (Array.isArray(roles)) {
-                  parsedRoles = roles;
-                } else if (typeof roles === 'string') {
-                  parsedRoles = roles.split(',').map(r => r.trim());
-                } else {
-                  parsedRoles = [];
-                }
-                let parsedDomains;
-                if (Array.isArray(domains)) {
-                  parsedDomains = domains;
-                } else if (typeof domains === 'string') {
-                  parsedDomains = domains.split(',').map(d => d.trim());
-                } else {
-                  parsedDomains = [];
-                }
-                const result = await securityService.checkAuthorize(
-                  resourcePath,
-                  action,
-                  parsedRoles,
-                  parsedDomains
-                );
-                return h.response(JSON.stringify(result)).takeover()
-              } catch (err) {
-                return errorResponse(h, err, 401)
-              }
-            }
-          })
-
-        // /get-user-info
-        hapiServer.route({
-            method: 'GET',
-            path: '/get-user-info',
-            handler: async (request, h) => {
-                try {
-                    const userInfo = await securityService.getUserInfo(request)
-                    return h
-                        .response(JSON.stringify(userInfo))
-                        .takeover()
-                } catch (err) {
-                    return errorResponse(h, err, 500)
-                }
-            }
-        })
-        // /logout
-        hapiServer.route({
-            path: '/logout',
-            method: 'GET',
-            options: {
-                auth: false, // Disable authentication for this route TODO:
-            },
-            handler: async (request, h) => {
-                try {
-                    const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
-                    request.yar.clear('jwtToken');
-                    await request.yar.commit(h);
-                    let endSessionUrl = await me.endSessionUrl(me.getRedirectUri(request), me.clientOidc);
-                    return h
-                        .response()
-                        .unstate(this.COOKIE_NAMES.SID)
-                        .unstate(this.COOKIE_NAMES.SESSION_STATE)
-                        .unstate(this.COOKIE_NAMES.AUTH_TOKEN)
-                        .redirect(endSessionUrl)
-                        .takeover()
-                } catch (err) {
-                    return errorResponse(h, err, 500)
-                }
-            }
-        })
-        // /invalid-session
-        hapiServer.route({
-            path: '/invalid-session',
-            method: 'GET',
-            handler: async (request, h) => {
-                try {
-                    const endSessionUrl = await me.openIdConnect.endSessionUrl({
-                        redirectUri: this.getRedirectUri(request),
-                        sessionState: request.state[this.COOKIE_NAMES.SESSION_STATE]
-                    })
-                    return h
-                        .response()
-                        .unstate(this.COOKIE_NAMES.SID)
-                        .unstate(this.COOKIE_NAMES.SESSION_STATE)
-                        .redirect(endSessionUrl)
-                        .takeover()
-                } catch (err) {
-                    return errorResponse(h, err, 500)
-                }
-            }
-        })
-        // /check-session-iframe.html
-        hapiServer.route({
-            path: '/check-session-iframe.html',
-            method: 'GET',
-            handler: async (_request, h) => {
-                try {
-                    let content = '<html/>'
-                    if (authServer && authServer.checkSessionIframe) {
-                        const {
-                            checkSessionIframe: sessionIframeUrl,
-                            clientId,
-                            sessionCookiesPrefix
-                        } = authServer
-                        if (sessionIframeUrl && sessionIframeUrl.includes('https://')) {
-                            trace('INFO', `Session management url: ${sessionIframeUrl}`)
-                            content = getTemplate('session-iframe', {
-                                sessionIframeUrl,
-                                clientId,
-                                sessionCookiesPrefix: sessionCookiesPrefix || ''
-                            })
-                        } else {
-                            trace('WARN', 'For session management, it is necessary to get the value from a cookie called session_state, and as a good practice, it should have reached a secure context [TLS].')
-                        }
-                    }
-                    return h
-                        .response(content)
-                        .header('Content-Type', 'text/html')
-                } catch (err) {
-                    return errorResponse(h, err, 500)
-                }
-            }
-        });
-        // /check-session
-        hapiServer.route({
-            path: '/check-session',
-            options: {
-                auth: false
-            },
-            method: 'GET',
-            handler: async (request, h) => {
-                let tokenInfo = request.yar.get('jwtToken');
-                let tokenIsExpired = { expired: false }
-                if (tokenInfo) {
-                    // check if refresh token is about to be expired
-                    tokenIsExpired.expired = await this.tokenAboutToExpire(tokenInfo.refreshToken, 0.5);
-                    if (tokenIsExpired.expired) {
-                        tokenIsExpired.redirectUrl = await this.getFullKeycloakLoginUri(request, h)
-                        request.yar.clear('jwtToken');
-                        request.yar.clear('userRelog');
-                    }
-                }
-                return h.response(tokenIsExpired);
-            }
-        });
-    }
-    // this function takes h, because i need to set yar storage, and avoid overprocessing
-    async getFullKeycloakLoginUri(request, h) {
-        const codeVerifier = crypto.randomBytes(32).toString('base64url');
-        request.yar.set('code_verifier', codeVerifier); // For PKCE auth flow
-        request.yar.set('originalUrlPathName', this.getBaseUrl(request) ); // For redirect after login
-        await request.yar.commit(h);
-
-        const responseType = 'code'; // Authorization code grant
-        const redirectUri = this.getRedirectUriPath(request, 'auth/callback');
-        const scope = this.authServerConfig.authServer.scope;
-        const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-        const codeChallengeMethod = 'S256'; // PKCE method
-
-        const authLoginUrlWithParams = new URL(this.authServerConfig.authServer.authorizationEndpoint);
-        authLoginUrlWithParams.searchParams.set('client_id', this.authServerConfig.authServer.clientId);
-        authLoginUrlWithParams.searchParams.set('response_type', responseType);
-        authLoginUrlWithParams.searchParams.set('redirect_uri', redirectUri);
-        authLoginUrlWithParams.searchParams.set('scope', scope);
-        authLoginUrlWithParams.searchParams.set('code_challenge', codeChallenge);
-        authLoginUrlWithParams.searchParams.set('code_challenge_method', codeChallengeMethod);
-        return authLoginUrlWithParams.toString();
-    }
-    getRedirectUri(request) {
-        return contextConfig.authServer.redirectUri || getFullUrl(request)
-    }
-	getRedirectUriPath(request, redirectPath) {
-		const baseUrl = this.getBaseUrl(request);
-		const path = (redirectPath) ?? this.getPathname(request);
-		let url = new URL(path, baseUrl);
-
-		// If the hostname is not localhost, force HTTPS
-		if (url.hostname !== 'localhost') {
-			url.protocol = 'https:';
-		}
-		return url.toString();
-	}
-
-    getFullUrl(request) {
-        return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
-    }
-    getBaseUrl(request) {
-        return `${getProtocol(request)}://${getHost(request)}/`
-    }
-    async authenticate(h, scope) {
-        const {
-            request
-        } = h
-        const pkceCode = await this.openIdConnect.pkceCode()
-        const requestUrl = getFullUrl(request)
-        let oidcMetadata = await this.openIdConnect.oidcMetadata()
-        if (!oidcMetadata || !oidcMetadata.openid_configuration) {
-            oidcMetadata = await this.configuration(contextConfig.authServer)
-        }
-        if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
-            const authorizationUrl = await this.openIdConnect.authorizationUrl({
-                scope,
-                redirectUri: this.getRedirectUri(request),
-                pkceCode
-            })
-            trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
-            return h
-                .response()
-                .state(this.COOKIE_NAMES.SID, pkceCode)
-                .redirect(authorizationUrl)
-                .takeover()
-        } else if (getPathname(request) === '/logout') {
-            return h.continue
-        } else {
-            const tokenSet = await this.openIdConnect.tokenSet()
-            const {
-                state
-            } = request
-            if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
-                const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
-                if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
-                    throw new Exception('Error when getting token', 'ExpirationError', 403)
-                }
-                return h.continue
-            } else {
-                return h
-                    .response()
-                    .code(401)
-                    .takeover()
-            }
-        }
-    }
-    async configurePlugins(server) {
-        // Hapi Yar module, saves info in the cookies across session calls
-        const hapiYarPassword = process.env.blz_hapiYarPassword || 'your-super-secure-yar-atleast-32-bytes-password';
-        await server.register({
-            plugin: hapiYar,
-            options: {
-                cookieOptions: {
-                    password: hapiYarPassword,
-                    isSecure: true, // Use true in production
-                    isHttpOnly: true,
-                    isSameSite: 'Lax', // 'Strict', 'Lax', or 'None'
-                    clearInvalid: true,
-                    ignoreErrors: true
-                },
-                storeBlank: false, // Prevent saving blank sessions
-                maxCookieSize: 0 // Use server-side storage for larger payloads
-            }
-        });
-        // Register @hapi/jwt plugin
-        await server.register(hapiJwt);
-
-        // Use rotating certificates with keysFetch function for jwt module
-        this.startupJwksClient();
-        // set up the function in this.publickKeyFetch
-        this.startupPublickKeyFetch();
-
-        // Define the auth strategy
-        server.auth.strategy('jwtAuth', 'jwt', {
-            keys: this.publicKeyFetch,
-            verify: {
-                aud: this.authServerConfig.authServer.audience ?? false,
-                iss: this.authServerConfig.authServer.issuer,
-                exp: true,
-                sub: false
-            },
-            validate: false
-        });
-
-        // Register the @hapi/cookie plugin
-        await server.register(hapiCookie);
-
-        const hapiCookiePassword = process.env.blz_hapiCookiePassword || 'supersecretpasswordmustbeatleast32characterslong';
-        // Define the cookie-based auth strategy
-        server.auth.strategy('cookieAuth', 'cookie', {
-            cookie: {
-                name: 'sid', // Primary session cookie
-                password: hapiCookiePassword, // Encryption key
-                isSecure: true, // Should be true in production
-                isHttpOnly: true, // Prevents client-side JavaScript access
-                isSameSite: 'Lax', // Protects against CSRF
-            },
-            keepAlive: true, // automatically sets the session cookie after validation to extend the current session for a new ttl duration. Defaults to false.
-            redirectTo: false, //function(request) {}, // Redirect if authentication fails
-        });
-        // Set default auth strategy to try both JWT and cookies
-        server.auth.default({
-            strategies: ['jwtAuth', 'cookieAuth'], // Try JWT first, then Cookie
-        });
-    }
-
-    async configuration(authServer) {
-        if (!authServer) {
-            throw new Exception('Error when getting configuration attributes ')
-        }
-        const {
-            clientId,
-            clientSecret
-        } = authServer
-        await this.openIdConnect.client({
-            clientId,
-            clientSecret
-        })
-        if (authServer.openIdConfigurationEndpoint) {
-            return await this.openIdConnect.configuration(authServer.openIdConfigurationEndpoint)
-        } else {
-            // If configuration uri does not exist but the auth server form has been filled in.
-            return await this.openIdConnect.configuration({
-                issuer: authServer.issuer,
-                authorization_endpoint: authServer.authorizationEndpoint,
-                token_endpoint: authServer.tokenEndpoint,
-                userinfo_endpoint: authServer.userinfoEndpoint,
-                end_session_endpoint: authServer.endSessionEndpoint,
-                jwks_uri: authServer.jwksUri
-            })
-        }
-    }
-
-    async endSessionUrl(redirectUri, clientOidc) {
-        redirectUri = redirectUri.replace(/logout|invalid-session/gmi, '')
-        // Log off specific session.
-        if (!clientOidc) {
-            throw new Error('Unable to get configuration from identity provider', 'ConfigurationError', 404);
-        }
-        return clientOidc.endSessionUrl({
-            post_logout_redirect_uri: redirectUri
-        })
-    }
-    oidcMetadataKey() {
-        return this.authServerConfig.authServer.sessionCookiesDomain || 'oidcMetadata'
-    }
-    async configuration(context) {
-        let metadata = await this.cache.get(this.oidcMetadataKey())
-        if (typeof context === 'string' && !context.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi)) {
-            throw new Exception('Wrong OpenId Provider configuration URI entered', 'AttributeError', 403)
-        }
-        if (!metadata || !metadata.issuer) {
-            if (context.issuer) {
-                metadata = {
-                    ...(metadata || {}),
-                    ...context
-                }
-            } else {
-                metadata = metadata || {}
-                metadata.openid_configuration = context
-                metadata = {
-                    ...metadata,
-                    ...(await Issuer.discover(context.issuer))
-                } // Discover an issuer configuration, must be an url
-            }
-            await this.cache.set(this.oidcMetadataKey(), metadata, 864e5) // 1 day of cache
-        }
-        return new Iss(metadata)
-    }
-    async refreshToken(refreshToken) {
-        // Make a POST request to Keycloak to refresh the token
-        const response = await axios.post(this.authServerConfig.authServer.tokenEndpoint,
-            new URLSearchParams({
-                grant_type: 'refresh_token',
-                client_id: this.authServerConfig.authServer.clientId,
-                client_secret: this.authServerConfig.authServer.clientSecret,
-                refresh_token: refreshToken,
-            }).toString(), {
-                headers: {
-                    'Content-Type': 'application/x-www-form-urlencoded',
-                },
-            }
-        );
-
-        if (!(response.status === 200)) {
-            const errorResponse = await response.json();
-            console.error('Error refreshing token:', errorResponse);
-            return errorResponse;
-        }
-        // Refresh token response may change from time to time, here are two possible responses
-        try {
-            return await response.json(); // all tokens refershed
-
-        } catch (error) {
-
-        }
-        try {
-            return response.data;
-        } catch {
-
-        }
-
-    }
-    async decodeJwtToken(token) {
-        const decodedToken = hapiJwt.token.decode(token);
-        return decodedToken;
-    }
-    async tokenAboutToExpire(token, minutesBeforeExpiration = 0) {
-        if (!token)
-            return true;
-        const decodedToken = hapiJwt.token.decode(token);
-        const expirationTime = decodedToken.decoded.payload.exp * 1000; // Convert to milliseconds
-        const currentTime = Date.now();
-        const expirationThreshold = minutesBeforeExpiration * 60 * 1000; // Convert minutes to milliseconds
-
-        // Check if the token is expired or about to expire within the specified minutes
-        const isAboutToExpire = expirationTime - currentTime <= expirationThreshold;
-        return isAboutToExpire;
-    }
-    async isRefreshTokenExpired(refreshToken) {
-        try {
-            // Decode the token without verifying its signature.
-            const decodedRefreshToken = hapiJwt.token.decode(refreshToken);
-            // Get the current timestamp (in seconds).
-            const currentTimestamp = Math.floor(Date.now() / 1000);
-
-            if (decodedRefreshToken && decodedRefreshToken.decoded && decodedRefreshToken.decoded.payload && decodedRefreshToken.decoded.payload.exp) {
-                return (decodedRefreshToken.decoded.payload.exp < currentTimestamp)
-            } else
-                return true;
-        } catch (error) {
-            // if there is an error treat as if expired, so a re-login is prompted
-            console.error('Failed to decode the token: Invalid Refresh token format', error);
-            return true;
-        }
-    }
-
-    async startupJwksClient() {
-        // Rotating certificates, prepare for the hapi jwt module
-        this.clientJwk = jwksClient({
-            jwksUri: this.authServerConfig.authServer.jwksUri,
-            cache: true, // Cache signing keys to avoid frequent network calls
-            rateLimit: true, // Rate limit the number of requests to the JWKS URI
-            jwksRequestsPerMinute: 10, // Limit to 10 requests per minute
-        });
-    }
-    async startupPublickKeyFetch() {
-        // Function to get the signing key
-        const getKey = async (kid) => {
-            return new Promise((resolve, reject) => {
-                this.clientJwk.getSigningKey(kid, (err, key) => {
-                    if (err) {
-                        return reject(err);
-                    }
-                    const signingKey = key.getPublicKey(); // Public key for signature verification
-                    resolve(signingKey);
-                });
-            });
-        };
-        this.publicKeyFetch = async (artifacts) => {
-            const kid = artifacts.decoded.header.kid; // Extract 'kid' from JWT header
-            return getKey(kid); // Fetch the corresponding public key
-        }
-    }
-}
-
-class Iss {
-    /**
-     * @constructor
-     * @param {Object} metadata
-     */
-    constructor(metadata) {
-        if (!metadata.id_token_signing_alg_values_supported) {
-            metadata.id_token_signing_alg_values_supported = ['RS256']
-        }
-        if (!metadata.response_types_supported) {
-            metadata.response_types_supported = ['code', 'none', 'id_token', 'token', 'id_token token', 'code id_token', 'code token', 'code id_token token']
-        }
-        if (!metadata.subject_types_supported) {
-            metadata.subject_types_supported = ['public']
-        }
-        const claimsRequired = METADATA.filter(({
-            type
-        }) => type === 'REQUIRED');
-        const missingClaims = [];
-
-        for (const claim of claimsRequired) {
-            const normalizedToCamelClaimName = claim.name.toLowerCase().replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
-            const attributeCamelCase = metadata[normalizedToCamelClaimName]; // Directly access metadata
-            const attributeSnakeCase = metadata[claim.name]; // Directly access metadata
-            if (!attributeSnakeCase && !attributeCamelCase) {
-                missingClaims.push(claim);
-            }
-        }
-
-        if (missingClaims.length > 0) {
-            console.error(JSON.stringify(missingClaims));
-            throw new Error(JSON.stringify(missingClaims));
-        }
-
-        // Issuer needs the metadata in snake_case
-        const issuer = metadata.Client ? metadata : new Issuer(this.#camelToSnakeCase(metadata))
-        // Client instance for the authorization server of that issuer.
-        const clientPayload = {
-            client_id: metadata.clientId,
-            response_type: 'code'
-        }
-        if (metadata.clientSecret) {
-            clientPayload.client_secret = metadata.clientSecret
-        }
-        this.clientOidc = new issuer.Client(clientPayload);
-    }
-    #camelToSnakeCase(obj) {
-        const toSnakeCase = str => str.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);
-
-        if (typeof obj !== 'object' || obj === null) return obj;
-
-        if (Array.isArray(obj)) {
-            return obj.map(item => this.#camelToSnakeCase(item));
-        }
-
-        return Object.entries(obj).reduce((acc, [key, value]) => {
-            const newKey = toSnakeCase(key);
-            acc[newKey] = typeof value === 'object' && value !== null ?
-                this.#camelToSnakeCase(value) :
-                value;
-            return acc;
-        }, {});
-    }
-}
-
-module.exports = {
-    HapiServerKeycloak
-}