@blazedpath/commons 0.2.2 → 0.3.1

package/blz-security/middleware/hapiServer.js

@@ -1,1008 +0,0 @@
-/**
- * @author Blazedpath Team
- * @implements Protecting all resources through hapi middleware
- * @description Hapi.js (derived from Http-API) is an open-source Node.js
- * framework used to build powerful and scalable web applications.
- * @see https://hapi.dev/api/
- */
-const Uma = require('../implementations/uma')
-const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
-const {
-  Exception,
-  getFullUrl,
-  getHost,
-  getProtocol,
-  getPathname,
-  getTemplate,
-  getTokenTolerance,
-  trace,
-  errorResponse
-} = require('../helpers/utils')
-// HapiServer Modules
-const hapiYar = require('@hapi/yar');
-const hapiJwt = require('@hapi/jwt');
-const hapiCookie = require('@hapi/cookie')
-// Quick Http Fetch using axios
-const axios = require('axios');
-// Crypto for code_verifier in token exchange
-const crypto = require('crypto');
-var jwkToPem = require('jwk-to-pem');
-// Uses Issue to cache manage and logout (generators/customs not sure why yet)
-const { Issuer, generators, custom } = require('openid-client') // OpenID Certified Relying Party.
-const { METADATA } = require('../helpers/consts')
-// Azure AD rotates keys, so we jwk used to routinly fetch them
-const jwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
-// MS authenticator library
-const { ConfidentialClientApplication } = require('@azure/msal-node');
-
-let contextConfig = {}
-let securityService = null
-
-class HapiServer {
-  constructor (openIdConnect, cookiesName, cache) {
-    this.openIdConnect = openIdConnect
-    this.COOKIE_NAMES = cookiesName
-    this.activateTraceApiMethod = false
-    this.queryStringLimit = null;
-    this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
-    this.authServerConfig = null;
-    this.authServerFullLoginUrl = null;
-    // This cache stores locally the jwt token set for refresh and logout.
-    this.cache = cache;
-    // To terminate sessions
-    this.clientOidc = null;
-    // This client keeps a refresh of the rotating keys
-    this.clientJwk = null;
-    this.publicKeyFetch = null;
-  }
-
-  async connect (_securityService, hapiServer, config) {
-    contextConfig = config
-    this.authServerConfig = contextConfig;
-    securityService = _securityService
-    const { authServer, accessTokenSimulation, activateTraceApiMethod } = config
-    if (activateTraceApiMethod) {
-      this.activateTraceApiMethod = activateTraceApiMethod
-    }
-    let oidcConfiguration = {}
-    const stateOption = {
-      clearInvalid: true,
-      encoding: 'base64',
-      isSecure: true,
-      isHttpOnly: true,
-      isSameSite: 'Lax',
-      path: '/',
-      strictHeader: true
-    }
-    if (accessTokenSimulation && !authServer) {
-      hapiServer.config = config
-      hapiServer.state(this.COOKIE_NAMES.ACCESS_TOKEN, stateOption)
-      this.authServerSimulation(context)
-    } else {
-      try {
-        if (authServer.sessionCookiesDomain) {
-          stateOption.domain = authServer.sessionCookiesDomain
-        }
-        const isHttpOnlyForSessionState = authServer.isHttpOnlyForSessionState !== undefined ? authServer.isHttpOnlyForSessionState : false
-        // hapiServer.state(this.COOKIE_NAMES.SID, stateOption)
-        // stateOption.encoding = 'none'
-        // stateOption.strictHeader = false
-        // stateOption.isHttpOnly = isHttpOnlyForSessionState
-        hapiServer.state(this.COOKIE_NAMES.SESSION_STATE, stateOption)
-        oidcConfiguration = await this.configuration(authServer)
-        if (oidcConfiguration.clientOidc) {
-          this.clientOidc = oidcConfiguration.clientOidc;
-        }
-        if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
-          authServer.scope = `openid ${authServer.scope || ''}`
-        }
-        if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
-          hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
-          hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
-        }
-        trace('INFO', 'The following configuration was initialized')
-        const securityConfiguration = Object.fromEntries(Object.entries(authServer).filter((entry) => !['clientSecret', 'PrivateKey', 'PublicKey'].includes(entry[0])))
-        trace('INFO', oidcConfiguration.tokenEndpoint ? oidcConfiguration : securityConfiguration)
-      } catch (err) {
-        trace('ERROR', `Exception ${err.message}`)
-        trace('ERROR', err.stack)
-      }
-
-      this.prepareMemoryValues();
-      // Add Plugins
-      this.configurePlugins(hapiServer);
-      // onPreAuth: Here we check if the jwtToken is stored in the yar, refresh, and recompose the authorization header before hapi jwt module auth.
-      // Http protocol does not redirect all headers on a 3XX code.
-      hapiServer.ext('onPreAuth', async (request, h) => {
-        // Retrieve the token from the yar storage, second parameter absent so that the token is not lost on read
-        let tokenInfo = request.yar.get('jwtToken');
-        if(tokenInfo) {
-          // check if token is about to be expired, if expired, update
-          let aboutToExpire = await me.tokenAboutToExpire(tokenInfo.token, 10);
-          if (aboutToExpire) {
-            if (me.authServerConfig.authServer.msalClient) {
-              // Get session name from yar storage: should be in request.yar.get('jwtToken')
-
-              // To refresh the tokens, Azure uses a silent re authentication
-              const silentRereshTokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenSilent({
-                account: tokenInfo.account,  // Use stored account details
-                scopes: ["User.Read"],     // Adjust scopes as needed
-              });
-              //let refreshedTokens = await this.silentAuthenticationAzure({redirectUri: me.getBaseUrl(request), idToken: tokenInfo.token})
-              // Check that all the needed data comes in the silent Authentication, if not send to relog
-              if (silentRereshTokenResponse && silentRereshTokenResponse.idToken) {
-                // Update the session with the new access token
-                const session =  request.yar.get('session');
-                request.yar.set('session', {
-                  ...session,
-                  token: silentRereshTokenResponse.accessToken
-                });
-                const obtainedTokens = {};
-                obtainedTokens.tokenType = 'Bearer';
-                obtainedTokens.token = silentRereshTokenResponse.idToken;
-                obtainedTokens.tokenSubType = 'id_token';
-                obtainedTokens.account = silentRereshTokenResponse.account;
-                request.yar.set('jwtToken', obtainedTokens );
-                // let refreshedTokenInfo = { tokenType: 'Bearer', token: refreshedTokens.id_token, tokenSubType: 'id_token'};
-                // request.yar.set('jwtToken', refreshedTokenInfo);
-                // tokenInfo = refreshedTokenInfo;
-                await request.yar.commit(h);
-              } else {
-                // no valid set of tokens has returned, clear the yar storage and continue
-                request.yar.get('jwtToken', true);
-                await request.yar.commit(h);
-                delete request.headers.authorization; // Remove the authorization header
-                return h.continue;
-              }
-            } else {
-              // If Provider is Keycloak, execute this block
-              // If refresh token is expired as well, then the user MUST re-login
-              let isRefreshTokenExpired = await this.isRefreshTokenExpired(tokenInfo.refreshToken);
-              let refreshTokenPresent = 'refreshToken' in tokenInfo;
-              if (isRefreshTokenExpired && refreshTokenPresent) {
-                // clear token from cookies and exit
-                request.yar.get('jwtToken', true);
-                delete request.headers.authorization; // Remove the authorization header
-                await request.yar.commit(h);
-                return h.continue;
-              } else {
-                // If refresh token is present and not expired, attempt refresh
-                let refreshedTokens = await this.refreshToken(tokenInfo.refreshToken);
-                // Check that this method returned a valid set of tokens
-                if (refreshedTokens && refreshedTokens.token_type &&
-                    refreshedTokens.id_token && refreshedTokens.session_state && 
-                    refreshedTokens.access_token && refreshedTokens.refresh_token ) {
-                  let refreshedTokenInfo = { tokenType: 'Bearer', token: refreshedTokens.id_token, tokenSubType: 'id_token', refreshToken: refreshedTokens.refresh_token };
-                  request.yar.set('jwtToken', refreshedTokenInfo);
-                  await request.yar.commit(h);
-                  tokenInfo = refreshedTokenInfo;
-                } else {
-                  // Refresh token failed, clear and continue
-                  request.yar.get('jwtToken', true);
-                  delete request.headers.authorization;
-                  await request.yar.commit(h);
-                  return h.continue;
-                }
-              }
-            }
-          }
-          switch(tokenInfo.tokenType) {
-            case 'Bearer':
-            case 'bearer': {
-              request.headers.authorization = `Bearer ${tokenInfo.token}`;
-              break;
-            }
-            default:
-              break;
-          }
-        }
-        return h.continue;
-    });
-      hapiServer.ext('onPreResponse', async (request, h) => {
-        const response = request.response;
- 
-        let authError = request.yar.get('authError', true);
-        // By this point, token refresh was already attempted in onPreAuth event, so it redirects to login on unauthorized
-        if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback') && !authError) {
-          if (this.authServerConfig.authServer.provider=== 'ad-azure') {
-            return h.redirect('/login').takeover();            
-          }
-          // Create the url query string parameters. with a random code verifier, store in yar and get the codeChallenge
-          const codeVerifier = crypto.randomBytes(32).toString('base64url');
-          request.yar.set('code_verifier', codeVerifier); // For PKCE auth flow
-          request.yar.set('originalUrlPathName', me.getFullUrl(request)); // For redirect after login
-          await request.yar.commit(h);
-
-          const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-          const responseType = 'code'; // Authorization code grant
-          const redirectUri = me.getBaseUrl(request) + 'auth/callback';
-          const codeChallengeMethod = 'S256'; // PKCE method
-          const scope = (authServer.scope) ? authServer.scope.replace(/\s+/g, '%20') : 'openid';
-      
-          const authLoginUrlWithParams = new URL(authServer.authorizationEndpoint);
-          authLoginUrlWithParams.searchParams.set('client_id', me.authServerConfig.authServer.clientId);
-          authLoginUrlWithParams.searchParams.set('response_type', responseType);
-          authLoginUrlWithParams.searchParams.set('redirect_uri', redirectUri);
-          authLoginUrlWithParams.searchParams.set('scope', scope);
-          authLoginUrlWithParams.searchParams.set('code_challenge', codeChallenge);
-          authLoginUrlWithParams.searchParams.set('code_challenge_method', codeChallengeMethod);
-      
-          // Redirect to Keycloak
-          return h.redirect(authLoginUrlWithParams.toString()).takeover();
-        }
-        return h.continue;
-      });
-      // /login so that i can redirect my user to a login.
-      hapiServer.route({
-        method: 'GET',
-        path: '/login',
-        options: {
-          auth: false, // Disable authentication for this route
-        },
-        handler: async (request, h) => {
-          const authUrl = await me.authServerConfig.authServer.msalClient.getAuthCodeUrl({
-            redirectUri: me.getBaseUrl(request) + 'auth/callback',
-            scopes: ['user.read'],
-          });
-    
-          return h.redirect(authUrl);
-        }
-      });
-      // /auth/callback
-      // Resolves the jwt token on a callback after the login (keycloak/azure)
-      hapiServer.route({
-        method: 'GET',
-        path: '/auth/callback',
-        options: {
-          auth: false, // Disable authentication for this route
-        },
-        handler: async (request, h) => {
-          const authCode = request.query.code;
-          if (!authCode) {
-            return h.response('Authorization code missing').code(400);
-          }
-          try {
-            let obtainedTokens = {};
-            // If we have azure-AD use that lifecycle
-            if (me.authServerConfig.authServer.msalClient) {
-              if (!authCode) {
-                return h.response('Missing authorization code').code(400);
-              }
-      
-              try {
-                const tokenResponse = await me.authServerConfig.authServer.msalClient.acquireTokenByCode({
-                  code: authCode,
-                  redirectUri: me.getBaseUrl(request) + 'auth/callback',
-                  scopes: ['user.read'],
-                });
-      
-                request.yar.set('session', { token: tokenResponse.accessToken, user: tokenResponse.account });
-                obtainedTokens.tokenType = 'Bearer';
-                obtainedTokens.token = tokenResponse.idToken;
-                obtainedTokens.tokenSubType = 'id_token';
-                obtainedTokens.account = tokenResponse.account;
-                //return h.redirect('/');
-              } catch (error) {
-                console.error('Auth error:', error);
-                return h.response('Authentication failed').code(500);
-              }
-            } else {
-              // This code-block is for keycloak or other oauth0 for now
-              // Grab the code verifier
-              let codeVerifier = request.yar.get('code_verifier', true);
-              tokenResponse = await axios.post(
-                me.authServerConfig.authServer.tokenEndpoint,
-                new URLSearchParams({
-                  grant_type: 'authorization_code',
-                  client_id: me.authServerConfig.authServer.clientId,
-                  client_secret: me.authServerConfig.authServer.clientSecret, // If required
-                  code: authCode,
-                  redirect_uri: me.getRedirectUri(request),
-                  code_verifier: codeVerifier
-                }).toString(),
-                {
-                  headers: {
-                    'Content-Type': 'application/x-www-form-urlencoded',
-                  },
-                }
-              );
-              if (!tokenResponse.statusText =='OK') {
-                throw new Error('Failed to exchange code for tokens');
-              }
-              obtainedTokens.tokenType = 'Bearer';
-              obtainedTokens.token = tokenResponse.data.id_token;
-              obtainedTokens.tokenSubType = 'id_token';
-              obtainedTokens.refreshToken = tokenResponse.data.refresh_token;
-            }
-            let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
-            // Set session state
-            const sessionState = request.query.session_state;
-            h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
-
-            // Store the JWT token in the `Authorization` header or a cookie
-            switch (obtainedTokens.tokenType){
-              case 'Bearer':
-              case 'bearer': {
-                request.yar.set('jwtToken', obtainedTokens);
-                await request.yar.commit(h);
-                return h.redirect(originalUrlPathName).takeover();
-              }
-              default: {
-                break;
-
-              }
-            }
-            return h.continue; // Continue in case no token_type -> no auth header configured
-          } catch (error) {
-            request.yar.set('authError', true);
-            await request.yar.commit(h);
-            console.error('Failed to exchange code for token:', error.response?.data || error.message);
-            return h.response('Failed to authenticate').code(500).takeover();
-          }
-        },
-      });      
-      const me = this
-      // /get-authorization
-      hapiServer.route({
-        method: 'GET',
-        path: '/get-authorization',
-        handler: async (request, h) => {
-          try {
-            const { session_state: ckSessionState } = request.state
-            if (!ckSessionState) {
-              
-              throw new Exception("Hapi get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
-            }
-            const tokenSet = await me.openIdConnect.tokenSet()
-            const tokens = await tokenSet.tokens(ckSessionState)
-            const uma = await Uma.permission()
-            const token = await uma.ticket({ tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl, token: tokens.access_token, audience: authServer.clientId })
-            const sourceData = Jsonwebtoken.decode(token.access_token)
-            return h.response(JSON.stringify(sourceData.authorization)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-      // /get-security-rules
-      hapiServer.route({
-        method: 'GET',
-        path: '/get-security-rules',
-        handler: async (request, h) => {
-          try {
-            const securityRules = await securityService.getFrontendSecurityRules(request)
-            return h.response(JSON.stringify(securityRules)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-      // /get-permissions
-      hapiServer.route({
-        method: 'GET',
-        path: '/get-permissions',
-        handler: async (request, h) => {
-          try {
-            const permissions = await securityService.getPermissions()
-            return h.response(JSON.stringify(permissions)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-
-      context.route({
-        method: 'GET',
-        path: '/check-authorize',
-        handler: async (request, h) => {
-          try {
-            const resourcePath = request.query.path;
-            const action = request.query.action;
-            const roles = request.query.roles;
-            const domains = request.query.domains;
-            let parsedRoles;
-            if (Array.isArray(roles)) {
-              parsedRoles = roles;
-            } else if (typeof roles === 'string') {
-              parsedRoles = roles.split(',').map(r => r.trim());
-            } else {
-              parsedRoles = [];
-            }
-            let parsedDomains;
-            if (Array.isArray(domains)) {
-              parsedDomains = domains;
-            } else if (typeof domains === 'string') {
-              parsedDomains = domains.split(',').map(d => d.trim());
-            } else {
-              parsedDomains = [];
-            }
-            const result = await securityService.checkAuthorize(
-              resourcePath,
-              action,
-              parsedRoles,
-              parsedDomains
-            );
-            return h.response(JSON.stringify(result)).takeover()
-          } catch (err) {
-            return errorResponse(h, err, 401)
-          }
-        }
-      })
-      
-      // /get-user-info
-      hapiServer.route({
-        method: 'GET',
-        path: '/get-user-info',
-        handler: async (request, h) => {
-          try {
-            const userInfo = await securityService.getUserInfo(request)
-            return h
-              .response(JSON.stringify(userInfo))
-              .takeover()
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-      // /logout
-      hapiServer.route({
-        path: '/logout',
-        method: 'GET',
-        handler: async (request, h) => {
-          try {
-            const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
-            request.yar.clear('jwtToken');
-            await request.yar.commit(h);
-            let endSessionUrl = await me.endSessionUrl(me.getRedirectUri(request), me.clientOidc);
-            return h
-              .response()
-              .unstate(this.COOKIE_NAMES.SID)
-              .unstate(this.COOKIE_NAMES.SESSION_STATE)
-              .unstate(this.COOKIE_NAMES.AUTH_TOKEN)
-              .redirect(endSessionUrl)
-              .takeover()
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-      // /invalid-session
-      hapiServer.route({
-        path: '/invalid-session',
-        method: 'GET',
-        handler: async (request, h) => {
-          try {
-            const endSessionUrl = await me.openIdConnect.endSessionUrl({
-              redirectUri: this.getRedirectUri(request),
-              sessionState: request.state[this.COOKIE_NAMES.SESSION_STATE]
-            })
-            return h
-              .response()
-              .unstate(this.COOKIE_NAMES.SID)
-              .unstate(this.COOKIE_NAMES.SESSION_STATE)
-              .redirect(endSessionUrl)
-              .takeover()
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      })
-      // /check-session-iframe.html
-      hapiServer.route({
-        path: '/check-session-iframe.html',
-        method: 'GET',
-        handler: async (_request, h) => {
-          try {
-            let content = '<html/>'
-            if (authServer && authServer.checkSessionIframe) {
-              const { checkSessionIframe: sessionIframeUrl, clientId, sessionCookiesPrefix } = authServer
-              if (sessionIframeUrl && sessionIframeUrl.includes('https://')) {
-                trace('INFO', `Session management url: ${sessionIframeUrl}`)
-                content = getTemplate('session-iframe', {
-                  sessionIframeUrl,
-                  clientId,
-                  sessionCookiesPrefix: sessionCookiesPrefix || ''
-                })
-              } else {
-                trace('WARN', 'For session management, it is necessary to get the value from a cookie called session_state, and as a good practice, it should have reached a secure context [TLS].')
-              }
-            }
-            return h
-              .response(content)
-              .header('Content-Type', 'text/html')
-          } catch (err) {
-            return errorResponse(h, err, 500)
-          }
-        }
-      });
-    }
-  }
-
-  authServerSimulation (context) {
-    if (!context.config || !context.config.accessTokenSimulation) {
-      throw new Exception('Error parsing metadata for simulation', 'ConfigurationError', 404)
-    }
-    let { algorithm, payload, secret } = context.config.accessTokenSimulation
-    const me = this
-    context.ext('onPreAuth', async function (request, h) {
-      if (request.state && request.state[me.COOKIE_NAMES.ACCESS_TOKEN]) {
-        return h.continue
-      } else {
-        switch (algorithm) {
-          case 'HMAC-SHA384': {
-            algorithm = 'HS384'
-            break
-          }
-          case 'HMAC-SHA512': {
-            algorithm = 'HS512'
-            break
-          }
-          default: {
-            algorithm = 'HS256'
-          }
-        }
-        const jwt = me.openIdConnect.jwt().sign({ payload, secret, algorithm })
-        return h
-          .response()
-          .state(me.COOKIE_NAMES.ACCESS_TOKEN, jwt)
-          .redirect(me.getRedirectUri(request))
-          .takeover()
-      }
-    })
-    // /get-authorization
-    context.route({
-      path: '/get-authorization',
-      method: 'GET',
-      handler: async function (_request, h) {
-        return h
-          .response('[]')
-          .code(200)
-      }
-    })
-    // /get-security-rules
-    context.route({
-      path: '/get-security-rules',
-      method: 'GET',
-      handler: async function (_request, h) {
-        let securityRules = []
-        if (securityService && context.config.accessTokenSimulation.playload) {
-          const groups = securityService.getGroups(context.config.accessTokenSimulation.playload)
-          securityRules = securityService.getFrontendSecurityRules([groups])
-        }
-        return h
-          .response(JSON.stringify(securityRules))
-          .code(200)
-      }
-    })
-    // /get-permissions
-    context.route({
-      path: '/get-permissions',
-      method: 'GET',
-      handler: async function (_request, h) {
-        const permissions = (securityService) ? securityService.getPermissions() : []
-        return h
-          .response(JSON.stringify(permissions))
-          .code(200)
-      }
-    })
-    // /get-user-info
-    context.route({
-      path: '/get-user-info',
-      method: 'GET',
-      handler: async function (_request, h) {
-        return h
-          .response(JSON.stringify(payload))
-          .code(200)
-      }
-    })
-    // /logout
-    context.route({
-      path: '/logout',
-      method: 'GET',
-      handler: async function (_request, h) {
-        return h
-          .response()
-          .unstate(this.COOKIE_NAMES.ACCESS_TOKEN)
-          .takeover()
-      }
-    })
-  }
-
-  getRedirectUri (request) {
-    return contextConfig.authServer.redirectUri || getFullUrl(request)
-  }
-  getFullUrl (request) {
-    return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
-  }
-  getBaseUrl (request) {
-    return `${getProtocol(request)}://${getHost(request)}/`
-  }
-  async authenticate (h, scope) {
-    const { request } = h
-    const pkceCode = await this.openIdConnect.pkceCode()
-    const requestUrl = getFullUrl(request)
-    let oidcMetadata = await this.openIdConnect.oidcMetadata()
-    if (!oidcMetadata || !oidcMetadata.openid_configuration) {
-      oidcMetadata = await this.configuration(contextConfig.authServer)
-    }
-    if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
-      const authorizationUrl = await this.openIdConnect.authorizationUrl({ scope, redirectUri: this.getRedirectUri(request), pkceCode })
-      trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
-      return h
-        .response()
-        .state(this.COOKIE_NAMES.SID, pkceCode)
-        .redirect(authorizationUrl)
-        .takeover()
-    } else if (getPathname(request) === '/logout') {
-      return h.continue
-    } else {
-      const tokenSet = await this.openIdConnect.tokenSet()
-      const { state } = request
-      if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
-        const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
-        if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
-          throw new Exception('Error when getting token', 'ExpirationError', 403)
-        }
-        return h.continue
-      } else {
-        return h
-          .response()
-          .code(401)
-          .takeover()
-      }
-    }
-  }
-
-  async configurePlugins (server) {
-    // Add Yar to save info in the cookies across session calls
-    const hapiYarPassword = process.env.blz_hapiYarPassword || 'your-super-secure-yar-atleast-32-bytes-password';
-    await server.register({
-      plugin: hapiYar,
-      options: {
-        cookieOptions: {
-          password: hapiYarPassword,
-          isSecure: true,                  // Use true in production
-          isHttpOnly: true,
-          isSameSite: 'Lax',              // 'Strict', 'Lax', or 'None'
-          clearInvalid: true,
-          ignoreErrors: true
-        },
-        storeBlank: false, // Prevent saving blank sessions
-        maxCookieSize: 0   // Use server-side storage for larger payloads
-      }
-    });
-    // Register @hapi/jwt plugin
-    await server.register(hapiJwt);
-
-    // Check for static certificate or rotating.
-    let keysFetch = true;
-    if (true) {
-      // Azure rotating certificates, prepare for the hapi jwt module
-      this.startupJwksClient();
-      // set up the function in this.publickKeyFetch
-      this.startupPublickKeyFetch();
-      keysFetch = this.publicKeyFetch;
-    } else {
-      // Esto es para un certificado estatico. Keycloak lo permite
-      const response = await axios.get(this.authServerConfig.authServer.jwksUri);
-      const jwks = response.data; // JWKS data is directly accessible from response.data
-      const kidValue = this.authServerConfig.authServer.oAuthKid; // Kid from keycloak/azure, in realm settings
-      const key = jwks.keys.find(k => k.kid === kidValue);
-      if (!key) throw new Error(`Key with ID ${kid} not found`);
-      const pemPublicKey = jwkToPem(key);
-      this.authServerConfig.authServer.PublicKey = pemPublicKey;
-      keysFetch = {
-          key: pemPublicKey,
-          algorithms: ['RS256'],
-          kid: kidValue
-      };
-    }
-    if (this.authServerConfig.authServer.provider=== 'ad-azure') {
-      const tenant_id = this.authServerConfig.authServer.issuer.match(/login\.microsoftonline\.com\/([^/]+)/)?.[1]
-      this.authServerConfig.authServer.msalConfig = {
-        auth: {
-          clientId: this.authServerConfig.authServer.clientId,
-          authority: `https://login.microsoftonline.com/${tenant_id}`,
-          clientSecret: this.authServerConfig.authServer.clientSecret,
-        },
-      };
-      const msalClient = new ConfidentialClientApplication(this.authServerConfig.authServer.msalConfig);
-      this.authServerConfig.authServer.msalClient = msalClient;
-    }
-    
-
-    // Define the auth strategy
-    server.auth.strategy('jwtAuth', 'jwt', {
-    keys: keysFetch,
-    verify: {
-      aud: this.authServerConfig.authServer.clientId,
-      iss: this.authServerConfig.authServer.issuer,
-      exp: true, // validate expiration
-      sub: false
-    },
-    validate: false
-    // validate: async (artifacts, request, h) => {
-    //     // Validate the token payload (you can perform additional checks here if needed)
-    //     const { exp } = artifacts.decoded.payload;
-        
-    //     if (Date.now() >= exp * 1000) {
-    //         throw h.unauthorized('Token expired', { redirectToLogin: true });
-    //     }
-        
-    //     return { isValid: true, credentials: artifacts.decoded.payload };
-    // }
-    });
-
-    // Register the @hapi/cookie plugin
-    await server.register(hapiCookie);
-
-    const hapiCookiePassword = process.env.blz_hapiCookiePassword || 'supersecretpasswordmustbeatleast32characterslong';
-    // Define the cookie-based auth strategy
-    server.auth.strategy('cookieAuth', 'cookie', {
-      cookie: {
-          name: 'sid', // Primary session cookie
-          password: hapiCookiePassword, // Encryption key
-          isSecure: true, // Should be true in production
-          isHttpOnly: true, // Prevents client-side JavaScript access
-          isSameSite: 'Lax', // Protects against CSRF
-      },
-      keepAlive: true, // automatically sets the session cookie after validation to extend the current session for a new ttl duration. Defaults to false.
-      redirectTo: false, //function(request) {}, // Redirect if authentication fails
-    });
-    // Set default auth strategy to try both JWT and cookies
-    server.auth.default({
-        strategies: ['jwtAuth', 'cookieAuth'], // Try JWT first, then Cookie
-    });
-  }
-
-  async configuration (authServer) {
-    if (!authServer) {
-      throw new Exception('Error when getting configuration attributes ')
-    }
-    const { clientId, clientSecret } = authServer
-    await this.openIdConnect.client({ clientId, clientSecret })
-    if (authServer.openIdConfigurationEndpoint) {
-      return await this.openIdConnect.configuration(authServer.openIdConfigurationEndpoint)
-    } else {
-      // If configuration uri does not exist but the auth server form has been filled in.
-      return await this.openIdConnect.configuration({
-        issuer: authServer.issuer,
-        authorization_endpoint: authServer.authorizationEndpoint,
-        token_endpoint: authServer.tokenEndpoint,
-        userinfo_endpoint: authServer.userinfoEndpoint,
-        end_session_endpoint: authServer.endSessionEndpoint,
-        jwks_uri: authServer.jwksUri
-      })
-    }
-  }
-  async prepareMemoryValues(){
-    //this.authServerFullLoginUrl = ;
-  }
-  async endSessionUrl (redirectUri, clientOidc) {
-    redirectUri = redirectUri.replace(/logout|invalid-session/gmi, '')
-    // Log off specific session.
-    if (!clientOidc) {
-      throw new Error('Unable to get configuration from identity provider', 'ConfigurationError', 404);
-    }
-    return clientOidc.endSessionUrl({ post_logout_redirect_uri: redirectUri })
-  }
-  oidcMetadataKey() {
-    return this.authServerConfig.authServer.sessionCookiesDomain || 'oidcMetadata'
-  }
-  async configuration (context) {
-    let metadata = await this.cache.get(this.oidcMetadataKey())
-    if (typeof context === 'string' && !context.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi)) {
-      throw new Exception('Wrong OpenId Provider configuration URI entered', 'AttributeError', 403)
-    }
-    if (!metadata || !metadata.issuer) {
-      if (context.issuer) {
-        metadata = { ...(metadata || {}), ...context }
-      } else {
-        metadata = metadata || {}
-        metadata.openid_configuration = context
-        metadata = { ...metadata, ...(await Issuer.discover(context.issuer)) } // Discover an issuer configuration, must be an url
-      }
-      await this.cache.set(this.oidcMetadataKey(), metadata, 864e5) // 1 day of cache
-    }
-    return new Iss(metadata)
-  }
-  async refreshToken (refreshToken) {
-    // Make a POST request to Keycloak to refresh the token
-    const response = await axios.post(this.authServerConfig.authServer.tokenEndpoint, 
-      new URLSearchParams({
-        grant_type: 'refresh_token',
-        client_id: this.authServerConfig.authServer.clientId,
-        client_secret: this.authServerConfig.authServer.clientSecret,
-        refresh_token: refreshToken,
-      }).toString(),
-      {
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
-        },
-      }
-    );
-    
-
-    if (!(response.status === 200)) {
-      const errorResponse = await response.json();
-      console.error('Error refreshing token:', errorResponse);
-      return errorResponse;
-    }
-    // Refresh token response may change from time to time, here are two possible responses
-    try {
-      return await response.json(); // all tokens refershed
-
-    } catch (error) {
-
-    }
-    try {
-      return response.data;
-    }
-    catch {
-
-    }
-   
-  }
-  async decodeJwtToken(token) {
-    const decodedToken = hapiJwt.token.decode(token);
-    return decodedToken;
-  }
-  async tokenAboutToExpire(token, minutesBeforeExpiration = 0) {
-    const decodedToken = hapiJwt.token.decode(token);
-    const expirationTime = decodedToken.decoded.payload.exp * 1000; // Convert to milliseconds
-    const currentTime = Date.now();
-    const expirationThreshold = minutesBeforeExpiration * 60 * 1000; // Convert minutes to milliseconds
-
-    // Check if the token is expired or about to expire within the specified minutes
-    const isAboutToExpire = expirationTime - currentTime <= expirationThreshold;
-    return isAboutToExpire;
-}
-  async isRefreshTokenExpired (refreshToken) {
-    try {
-      // Decode the token without verifying its signature.
-      const decodedRefreshToken =  hapiJwt.token.decode(refreshToken);
-      // Get the current timestamp (in seconds).
-      const currentTimestamp = Math.floor(Date.now() / 1000);
-
-      if (decodedRefreshToken && decodedRefreshToken.decoded && decodedRefreshToken.decoded.payload && decodedRefreshToken.decoded.payload.exp) {
-        return (decodedRefreshToken.decoded.payload.exp < currentTimestamp)
-      } else
-        return true;
-    } catch (error) {
-      // if there is an error treat as if expired, so a re-login is prompted
-      console.error('Failed to decode the token: Invalid Refresh token format', error);
-      return true;
-    }
-  }
-
-  async silentAuthenticationAzure ({redirectUri, idToken}) {
-    const authUrl = this.authServerConfig.authServer.authorizationEndpoint;
-    const decodedToken = await this.decodeJwtToken(idToken);
-  
-    try {
-      const response = await axios.get(authUrl, {
-        params: {
-          client_id: this.authServerConfig.authServer.clientId,
-          response_type: "id_token",
-          redirect_uri: redirectUri,
-          scope: this.authServerConfig.authServer.scope ?? 'openid',
-          prompt: "none",
-          response_mode: "fragment",
-          nonce: "random_nonce", // Should be a securely generated nonce
-          login_hint: decodedToken.decoded.payload.preferred_username
-        },
-        maxRedirects: 0, // Prevent following redirects automatically
-        validateStatus: (status) => status === 302 // Expecting a redirect response
-      });
-  
-      // Extract the token from the redirect location
-      const location = response.headers.location;
-      if (!location) throw new Error("No redirect location found");
-  
-      const params = new URLSearchParams(location.split("#")[1]);
-      if (params.has("id_token")) {
-        return { idToken: params.get("id_token") };
-      } else {
-        throw new Error("No ID token returned");
-      }
-    } catch (error) {
-      console.error("Silent authentication failed:", error.response?.data || error.message);
-      return null; // Handle failure gracefully
-    }
-  }
-
-  async startupJwksClient () {
-    // Azure rotating certificates, prepare for the hapi jwt module
-    this.clientJwk = jwksClient({
-      jwksUri: this.authServerConfig.authServer.jwksUri,
-      cache: true, // Cache signing keys to avoid frequent network calls
-      rateLimit: true, // Rate limit the number of requests to the JWKS URI
-      jwksRequestsPerMinute: 10, // Limit to 10 requests per minute
-    });
-  }
-  async startupPublickKeyFetch () {
-    // Function to get the signing key
-    const getKey = async (kid) => {
-      return new Promise((resolve, reject) => {
-        this.clientJwk.getSigningKey(kid, (err, key) => {
-          if (err) {
-            return reject(err);
-          }
-          const signingKey = key.getPublicKey(); // Public key for signature verification
-          resolve(signingKey);
-        });
-      });
-    };
-    this.publicKeyFetch = async (artifacts) => {
-      const kid = artifacts.decoded.header.kid; // Extract 'kid' from JWT header
-      return getKey(kid); // Fetch the corresponding public key
-    }
-  }
-}
-
-class Iss {
-  /**
-   * @constructor
-   * @param {Object} metadata
-   */
-  constructor (metadata) {
-    if (!metadata.id_token_signing_alg_values_supported) {
-      metadata.id_token_signing_alg_values_supported = ['RS256']
-    }
-    if (!metadata.response_types_supported) {
-      metadata.response_types_supported = ['code', 'none', 'id_token', 'token', 'id_token token', 'code id_token', 'code token', 'code id_token token']
-    }
-    if (!metadata.subject_types_supported) {
-      metadata.subject_types_supported = ['public']
-    }
-    const claimsRequired = METADATA.filter(({ type }) => type === 'REQUIRED');
-    const missingClaims = [];
-    
-    for (const claim of claimsRequired) {
-      const normalizedToCamelClaimName = claim.name.toLowerCase().replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
-      const attributeCamelCase = metadata[normalizedToCamelClaimName]; // Directly access metadata
-      const attributeSnakeCase = metadata[claim.name]; // Directly access metadata
-      if (!attributeSnakeCase && !attributeCamelCase) {
-        missingClaims.push(claim);
-      }
-    }
-    
-    if (missingClaims.length > 0) {
-      console.error(JSON.stringify(missingClaims));
-      throw new Error(JSON.stringify(missingClaims));
-    }
-    
-    // Issuer needs the metadata in snake_case
-    const issuer = metadata.Client ? metadata : new Issuer(this.#camelToSnakeCase(metadata))
-    // Client instance for the authorization server of that issuer.
-    const clientPayload = {
-      client_id: metadata.clientId,
-      response_type: 'code'
-    }
-    if (metadata.clientSecret) {
-      clientPayload.client_secret = metadata.clientSecret
-    }
-    this.clientOidc = new issuer.Client(clientPayload);
-  }
-  #camelToSnakeCase (obj) {
-    const toSnakeCase = str => str.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);
-  
-    if (typeof obj !== 'object' || obj === null) return obj;
-  
-    if (Array.isArray(obj)) {
-        return obj.map(item => this.#camelToSnakeCase(item));
-    }
-  
-    return Object.entries(obj).reduce((acc, [key, value]) => {
-        const newKey = toSnakeCase(key);
-        acc[newKey] = typeof value === 'object' && value !== null 
-            ? this.#camelToSnakeCase(value) 
-            : value;
-        return acc;
-    }, {});
-  }
-}
-
-module.exports = {
-  HapiServer
-}