@blazedpath/commons 0.2.2 → 0.3.1

package/blz-security/middleware/hapi.js

@@ -1,555 +0,0 @@
-/**
- * @author Blazedpath Team
- * @implements Protecting all resources through hapi middleware
- * @description Hapi.js (derived from Http-API) is an open-source Node.js
- * framework used to build powerful and scalable web applications.
- * @see https://hapi.dev/api/
- */
-
-const Uma = require('../implementations/uma')
-const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
-const {
-  Exception,
-  getFullUrl,
-  getHost,
-  getPathname,
-  getTemplate,
-  getTokenTolerance,
-  trace,
-  errorResponse
-} = require('../helpers/utils')
-
-let contextConfig = {}
-let securityService = null
-
-class Hapi {
-  constructor (oidc, cookiesName) {
-    this.oidc = oidc
-    this.COOKIE_NAMES = cookiesName
-    this.activateTraceApiMethod = false
-    this.queryStringLimit = null;
-    this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
-  }
-
-  async connect (_securityService, context, config) {
-    contextConfig = config
-    securityService = _securityService
-    const { authServer, accessTokenSimulation, activateTraceApiMethod } = config
-    if (activateTraceApiMethod) {
-      this.activateTraceApiMethod = activateTraceApiMethod
-    }
-    let oidcConfiguration = {}
-    const stateOption = {
-      clearInvalid: true,
-      encoding: 'base64',
-      isSecure: true,
-      isHttpOnly: true,
-      isSameSite: 'Lax',
-      path: '/',
-      strictHeader: true
-    }
-    if (accessTokenSimulation && !authServer) {
-      context.config = config
-      context.state(this.COOKIE_NAMES.ACCESS_TOKEN, stateOption)
-      this.authServerSimulation(context)
-    } else {
-      try {
-        if (authServer.sessionCookiesDomain) {
-          stateOption.domain = authServer.sessionCookiesDomain
-        }
-        const isHttpOnlyForSessionState = authServer.isHttpOnlyForSessionState !== undefined ? authServer.isHttpOnlyForSessionState : false
-        context.state(this.COOKIE_NAMES.SID, stateOption)
-        stateOption.encoding = 'none'
-        stateOption.strictHeader = false
-        stateOption.isHttpOnly = isHttpOnlyForSessionState
-        context.state(this.COOKIE_NAMES.SESSION_STATE, stateOption)
-        oidcConfiguration = await this.configuration(authServer)
-        if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
-          authServer.scope = `openid ${authServer.scope || ''}`
-        }
-        if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
-          context.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
-          context.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
-        }
-        trace('INFO', 'The following configuration was initialized')
-        const securityConfiguration = Object.fromEntries(Object.entries(authServer).filter((entry) => !['clientSecret', 'PrivateKey', 'PublicKey'].includes(entry[0])))
-        trace('INFO', oidcConfiguration.tokenEndpoint ? oidcConfiguration : securityConfiguration)
-      } catch (err) {
-        trace('ERROR', `Exception ${err.message}`)
-        trace('ERROR', err.stack)
-      }
-      context.ext('onPreHandler', async (request, h) => {
-        const unprotectedPaths = [/\/health/, /\/metrics/]
-        const unprotectedExtensions = ['.ico', '.jpg', '.jpeg', '.gif', '.png', '.pdf', '.svg', '.html', '.htm', '.css', '.js', '.js.map', '.json', '.woff', '.woff2']
-        const requestUrl = getFullUrl(request)
-        if(this.activateTraceApiMethod){
-          if(requestUrl.includes('\/api\/')){
-            console.log(requestUrl + ' - ' + request.method.toUpperCase());
-          }
-        }
-        try {
-          const { session_state: qrSessionState, code } = request.query
-          const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
-          const sid = request.state[this.COOKIE_NAMES.SID]
-          const tokenSet = await this.oidc.tokenSet()
-          const uma = await Uma.permission()
-          const href = h.request.url.href || requestUrl
-
-          // Check for malicios query string parameters
-          if (this.queryStringLimit) {
-            const { limit } = request.query; // Access the query parameter "limit"
-            // Check if the limit is greater than the configured
-            if (limit && parseInt(limit, 10) > this.queryStringLimit) {
-              const error = new Error('Bad Request.');
-              error.name = 'BadRequest';
-              error.code = 400;
-              throw error;
-            }
-          }
-          if (unprotectedPaths.some((reg) => reg.test(request.path)) || unprotectedExtensions.some((ext) => requestUrl.endsWith(ext))) {
-            return h.continue
-          }
-          if (getHost(request).includes('0.0.0.0') && context.states.cookies[this.COOKIE_NAMES.SID].isSecure) {
-            trace('WARN', `Accessing ${getHost(request)} doesn't ensure a secure context for writing cookies.`)
-            context.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
-            context.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
-          }
-          trace('INFO', `Navigating to ${requestUrl}`)
-          if (!request.state) {
-            throw new Exception('Error when getting cookies', 'CookiesError', 404)
-          } else if (code && ckSessionState && qrSessionState && qrSessionState !== ckSessionState) {
-            trace('ERROR', `The Session cookie ${ckSessionState} doesn't match with the query session ${qrSessionState}`)
-            return h
-              .response()
-              .unstate(this.COOKIE_NAMES.SID)
-              .unstate(this.COOKIE_NAMES.SESSION_STATE)
-              .redirect(requestUrl)
-              .takeover()
-          } else if (ckSessionState && sid) {
-            // pasa por aca si sid=falsy
-            const tokens = await tokenSet.tokens(ckSessionState)
-            if (authServer.umaUri) {
-              let badUmaUri = false
-              const hrefParts = href.split('/')
-              if (hrefParts.length > 0) {
-                const lastHrefPart = hrefParts[hrefParts.length - 1]
-                badUmaUri = lastHrefPart.indexOf('.') !== -1
-              }
-              if (!badUmaUri) {
-                tokens.access_token = await uma.ticket({ tokenUrl: authServer.tokenEndpoint, token: tokens.access_token, audience: authServer.clientId })
-                trace('INFO', 'Generating uma ticket:')
-              }
-            }
-            if (this.validSid(sid)) {
-              return h.continue
-            }
-            else {
-              // valid Sid checks for invalid, or expired values.
-              const error = new Error('Invalid sid.');
-              error.name = 'ExpiredSid';
-              error.code = 401;
-              throw error;
-            }
-          } else if (code && sid) {
-            trace('INFO', 'Generating token:')
-            const tokensSet = await tokenSet.generate({ code, scope: authServer.scope, redirectUri: this.getRedirectUri(request), sid })
-            if (!tokensSet) {
-              return await this.authenticate(h, authServer.scope)
-            }
-            trace('INFO', `Set token for session_state:${tokensSet.session_state}`)
-            // trace('INFO', tokensSet)
-            return h
-              .response()
-              .state(this.COOKIE_NAMES.SID, sid)
-              .state(this.COOKIE_NAMES.SESSION_STATE, tokensSet.session_state)
-              .redirect(requestUrl)
-              .takeover()
-          } else if ((!sid && ckSessionState) || (!ckSessionState && sid)) {
-            const error = new Error('Token is Invalid.');
-            error.name = 'TokenInvalid';
-            error.code = 401;
-            throw error;
-          } else {
-            return await this.authenticate(h, authServer.scope)
-          }
-        } catch (err) {
-          let { code, name, message } = err
-          trace('ERROR', `${name}:${message}`)
-          code = parseInt(code) || (err.response ? err.response.statusCode : 500)
-          const errorList = ['pkce', 'code', 'jwt']
-          if (errorList.some((error) => message.includes(error)) && code !== 403) {
-            trace('ERROR', `Forbidden ${message}`)
-            return h
-              .response()
-              .unstate(this.COOKIE_NAMES.SID)
-              .unstate(this.COOKIE_NAMES.SESSION_STATE)
-              .redirect(requestUrl)
-              .takeover()
-          }
-          if (code === 403 || code === 401) {
-            if (name === 'ExpirationError' || name === 'TokenInvalid' || (name === 'TokenError' && getPathname(request) === '/')) {
-              return h
-                .response()
-                .unstate(this.COOKIE_NAMES.SID)
-                .unstate(this.COOKIE_NAMES.SESSION_STATE)
-                .redirect('/logout')
-                .takeover()
-            } else if (name === 'ExpiredSid') {
-              return h
-                .response()
-                .unstate(this.COOKIE_NAMES.SID)
-                .unstate(this.COOKIE_NAMES.SESSION_STATE)
-                .code(401)
-                .redirect('/logout')
-                .takeover()
-            } else {
-              return h
-                .response()
-                .code(401)
-                .unstate(this.COOKIE_NAMES.SID)
-                .unstate(this.COOKIE_NAMES.SESSION_STATE)
-                .takeover()
-            }
-          }
-          return h
-            .response({ name, message })
-            .code(code || 500)
-            .unstate(this.COOKIE_NAMES.SID)
-            .unstate(this.COOKIE_NAMES.SESSION_STATE)
-            .takeover()
-        }
-      })
-      const me = this
-      context.route({
-        method: 'GET',
-        path: '/get-authorization',
-        handler: async (request, h) => {
-          try {
-            const { session_state: ckSessionState } = request.state
-            if (!ckSessionState) {
-              throw new Exception("old Hapi get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
-            }
-            const tokenSet = await me.oidc.tokenSet()
-            const tokens = await tokenSet.tokens(ckSessionState)
-            const uma = await Uma.permission()
-            const token = await uma.ticket({ tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl, token: tokens.access_token, audience: authServer.clientId })
-            const sourceData = Jsonwebtoken.decode(token.access_token)
-            return h.response(JSON.stringify(sourceData.authorization)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-
-      context.route({
-        method: 'GET',
-        path: '/get-security-rules',
-        handler: async (request, h) => {
-          try {
-            const securityRules = await securityService.getFrontendSecurityRules(request)
-            return h.response(JSON.stringify(securityRules)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-
-      context.route({
-        method: 'GET',
-        path: '/get-permissions',
-        handler: async (request, h) => {
-          try {
-            const permissions = await securityService.getPermissions()
-            return h.response(JSON.stringify(permissions)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-
-      context.route({
-        method: 'GET',
-        path: '/check-authorize',
-        handler: async (request, h) => {
-          try {
-            const resourcePath = request.query.path;
-            const action = request.query.action;
-            const roles = request.query.roles;
-            const domains = request.query.domains;
-            let parsedRoles;
-            if (Array.isArray(roles)) {
-              parsedRoles = roles;
-            } else if (typeof roles === 'string') {
-              parsedRoles = roles.split(',').map(r => r.trim());
-            } else {
-              parsedRoles = [];
-            }
-            let parsedDomains;
-            if (Array.isArray(domains)) {
-              parsedDomains = domains;
-            } else if (typeof domains === 'string') {
-              parsedDomains = domains.split(',').map(d => d.trim());
-            } else {
-              parsedDomains = [];
-            }
-            const result = await securityService.checkAuthorize(
-              resourcePath,
-              action,
-              parsedRoles,
-              parsedDomains
-            );
-            return h.response(JSON.stringify(result)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-
-      
-
-      context.route({
-        method: 'GET',
-        path: '/get-user-info',
-        handler: async (request, h) => {
-          try {
-            const userInfo = await securityService.getUserInfo(request)
-            return h
-              .response(JSON.stringify(userInfo))
-              .takeover()
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-      context.route({
-        path: '/logout',
-        method: 'GET',
-        handler: async (request, h) => {
-          try {
-            const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
-            return h
-              .response()
-              .unstate(this.COOKIE_NAMES.SID)
-              .unstate(this.COOKIE_NAMES.SESSION_STATE)
-              .redirect(await me.oidc.endSessionUrl({
-                sessionState: ckSessionState,
-                redirectUri: this.getRedirectUri(request)
-              }))
-              .takeover()
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-      context.route({
-        path: '/invalid-session',
-        method: 'GET',
-        handler: async (request, h) => {
-          try {
-            const endSessionUrl = await me.oidc.endSessionUrl({
-              redirectUri: this.getRedirectUri(request),
-              sessionState: request.state[this.COOKIE_NAMES.SESSION_STATE]
-            })
-            return h
-              .response()
-              .unstate(this.COOKIE_NAMES.SID)
-              .unstate(this.COOKIE_NAMES.SESSION_STATE)
-              .redirect(endSessionUrl)
-              .takeover()
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-
-      context.route({
-        path: '/check-session-iframe.html',
-        method: 'GET',
-        handler: async (_request, h) => {
-          try {
-            let content = '<html/>'
-            if (authServer && authServer.checkSessionIframe) {
-              const { checkSessionIframe: sessionIframeUrl, clientId, sessionCookiesPrefix } = authServer
-              if (sessionIframeUrl && sessionIframeUrl.includes('https://')) {
-                trace('INFO', `Session management url: ${sessionIframeUrl}`)
-                content = getTemplate('session-iframe', {
-                  sessionIframeUrl,
-                  clientId,
-                  sessionCookiesPrefix: sessionCookiesPrefix || ''
-                })
-              } else {
-                trace('WARN', 'For session management, it is necessary to get the value from a cookie called session_state, and as a good practice, it should have reached a secure context [TLS].')
-              }
-            }
-            return h
-              .response(content)
-              .header('Content-Type', 'text/html')
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-    }
-  }
-  validSid(sid){
-    let decodedSid = Jsonwebtoken.decode(sid);
-    if (!decodedSid) {
-      return false;
-    }
-    // checks for expiration against current time, with 5' tolerance
-    if (decodedSid.exp)
-      return (decodedSid.exp + this.securityLoginTokenExpToleranceSeconds > (Date.now() / 1000))
-    else
-      return false;
-  }
-
-  authServerSimulation (context) {
-    if (!context.config || !context.config.accessTokenSimulation) {
-      throw new Exception('Error parsing metadata for simulation', 'ConfigurationError', 404)
-    }
-    let { algorithm, payload, secret } = context.config.accessTokenSimulation
-    const me = this
-    context.ext('onPreAuth', async function (request, h) {
-      if (request.state && request.state[me.COOKIE_NAMES.ACCESS_TOKEN]) {
-        return h.continue
-      } else {
-        switch (algorithm) {
-          case 'HMAC-SHA384': {
-            algorithm = 'HS384'
-            break
-          }
-          case 'HMAC-SHA512': {
-            algorithm = 'HS512'
-            break
-          }
-          default: {
-            algorithm = 'HS256'
-          }
-        }
-        const jwt = me.oidc.jwt().sign({ payload, secret, algorithm })
-        return h
-          .response()
-          .state(me.COOKIE_NAMES.ACCESS_TOKEN, jwt)
-          .redirect(me.getRedirectUri(request))
-          .takeover()
-      }
-    })
-    context.route({
-      path: '/get-authorization',
-      method: 'GET',
-      handler: async function (_request, h) {
-        return h
-          .response('[]')
-          .code(200)
-      }
-    })
-    context.route({
-      path: '/get-security-rules',
-      method: 'GET',
-      handler: async function (_request, h) {
-        let securityRules = []
-        if (securityService && context.config.accessTokenSimulation.playload) {
-          const groups = securityService.getGroups(context.config.accessTokenSimulation.playload)
-          securityRules = securityService.getFrontendSecurityRules([groups])
-        }
-        return h
-          .response(JSON.stringify(securityRules))
-          .code(200)
-      }
-    })
-    context.route({
-      path: '/get-permissions',
-      method: 'GET',
-      handler: async function (_request, h) {
-        const permissions = (securityService) ? securityService.getPermissions() : []
-        return h
-          .response(JSON.stringify(permissions))
-          .code(200)
-      }
-    })
-    context.route({
-      path: '/get-user-info',
-      method: 'GET',
-      handler: async function (_request, h) {
-        return h
-          .response(JSON.stringify(payload))
-          .code(200)
-      }
-    })
-    context.route({
-      path: '/logout',
-      method: 'GET',
-      handler: async function (_request, h) {
-        return h
-          .response()
-          .unstate(this.COOKIE_NAMES.ACCESS_TOKEN)
-          .takeover()
-      }
-    })
-  }
-
-  getRedirectUri (request) {
-    return contextConfig.authServer.redirectUri || getFullUrl(request)
-  }
-
-  async authenticate (h, scope) {
-    const { request } = h
-    const pkceCode = await this.oidc.pkceCode()
-    const requestUrl = getFullUrl(request)
-    let oidcMetadata = await this.oidc.oidcMetadata()
-    if (!oidcMetadata || !oidcMetadata.openid_configuration) {
-      oidcMetadata = await this.configuration(contextConfig.authServer)
-    }
-    if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
-      const authorizationUrl = await this.oidc.authorizationUrl({ scope, redirectUri: this.getRedirectUri(request), pkceCode })
-      trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
-      return h
-        .response()
-        .state(this.COOKIE_NAMES.SID, pkceCode)
-        .redirect(authorizationUrl)
-        .takeover()
-    } else if (getPathname(request) === '/logout') {
-      return h.continue
-    } else {
-      const tokenSet = await this.oidc.tokenSet()
-      const { state } = request
-      if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
-        const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
-        if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
-          throw new Exception('Error when getting token', 'ExpirationError', 403)
-        }
-        return h.continue
-      } else {
-        return h
-          .response()
-          .code(401)
-          .takeover()
-      }
-    }
-  }
-
-  async configuration (authServer) {
-    if (!authServer) {
-      throw new Exception('Error when getting configuration attributes ')
-    }
-    const { clientId, clientSecret } = authServer
-    await this.oidc.client({ clientId, clientSecret })
-    if (authServer.openIdConfigurationEndpoint) {
-      return await this.oidc.configuration(authServer.openIdConfigurationEndpoint)
-    } else {
-      // If configuration uri does not exist but the auth server form has been filled in.
-      return await this.oidc.configuration({
-        issuer: authServer.issuer,
-        authorization_endpoint: authServer.authorizationEndpoint,
-        token_endpoint: authServer.tokenEndpoint,
-        userinfo_endpoint: authServer.userinfoEndpoint,
-        end_session_endpoint: authServer.endSessionEndpoint,
-        jwks_uri: authServer.jwksUri
-      })
-    }
-  }
-}
-
-module.exports = {
-  Hapi
-}