@blazedpath/commons 0.2.2 → 0.3.1

package/dist/blz-security/authorizationService.d.ts

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+export = AuthorizationService;
+declare class AuthorizationService {
+    constructor(utils: any, logger: any);
+    utils: any;
+    logger: any;
+    config: {
+        roles: any[];
+        permissions: any[];
+    };
+    WIDGET_SEPARATOR: string;
+    WIDGET_SEPARATOR_REPLACE: RegExp;
+    extendConfig(config: any): void;
+    extendPermission(config: any, permission: any): void;
+    extendRole(config: any, role: any): void;
+    importSecurityConfig(config: any): {
+        roles: any[];
+        permissions: any[];
+    };
+    getFrontendSecurityRules(roles: any, domains: any): any[];
+    getSecurityRules(roles: any, side: any, domains: any): any[];
+    getPermissions(): any[];
+    authorized(path: any, action: any, roles: any, domains: any): any;
+    checkAuthorize(path: any, action: any, roles: any, domains: any): any;
+    _getSecurityRulesByRole(roleId: any, side: any, domains: any): any;
+    _solveRulesByRole(config: any): void;
+    _solveMergeRulesByRole(config: any): void;
+    _solveRoleId(config: any): void;
+    _getRoles(roles: any): any;
+    _getBackendSecurityRules(roles: any, action: any, domains: any): any;
+    _solveMergeRule(rules: any, rule: any): any;
+    _cleanPath(fullUrl: any): any;
+    _cretaeExpression(route: any): any;
+    _replaceDynamicURLParts(route: any): {
+        regexp: any;
+    };
+    _findMatchedRoutes(url: any, routes?: any[]): any[];
+    _checkApi(path: any, action: any, roles: any, domains: any): boolean;
+    _checkPath(path: any, roles: any, domains: any): boolean;
+    _checkWidget(path: any, securityOption: any, roles: any, domains: any): any;
+    _validateAndNormalizeConfig(config: any): void;
+}

package/dist/blz-security/authorizationService.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+module.exports=class{constructor(e,s){this.utils=e,this.logger=s,this.config={roles:[],permissions:[]},this.WIDGET_SEPARATOR="|",this.WIDGET_SEPARATOR_REPLACE=new RegExp(this.WIDGET_SEPARATOR+".*$")}extendConfig(e){for(const s of e.permissions)s.extends&&!s._completed&&this.extendPermission(e,s);for(const s of e.roles)s.extends&&!s._completed&&this.extendRole(e,s);for(const s of e.permissions)delete s._completed;for(const s of e.roles)delete s._completed}extendPermission(e,s){for(const t of s.extends){const n=e.permissions.find(e=>e.name===t);if(!n)throw new Error(`Permission ${s.name} extends ${t} but not exists`);if(n.extends&&n.extends.includes(n.name))throw new Error(`Permission ${s.name} extends ${n.name} but it is a circular reference`);n.extends&&!n._completed&&this.extendPermission(e,n);for(const e of n.rules){s.rules.find(s=>s.path===e.path&&s.actions===e.actions)||s.rules.push(e)}}s._completed=!0}extendRole(e,s){for(const t of s.extends){const n=e.roles.find(e=>e.name===t);if(!n)throw new Error(`Role ${s.name} extends ${t} but not exists`);if(n.extends&&n.extends.includes(n.name))throw new Error(`Rome ${s.name} extends ${n.name} but it is a circular reference`);n.extends&&!n._completed&&this.extendRole(e,n);for(const e of n.permissions)s.permissions.includes(e)||s.permissions.push(e)}s._completed=!0}importSecurityConfig(e){this._solveRoleId(e),this._validateAndNormalizeConfig(e),this.extendConfig(e),this._solveRulesByRole(e),this._solveMergeRulesByRole(e),this.config=e;let s=process.env.blz_defaultUserRole;return s&&(this.config.defaultUserRole=s),this.config}getFrontendSecurityRules(e,s){const t=this._getRoles(e),n=[];for(const e of t){const t=this._getSecurityRulesByRole(e,"frontend",s);for(const e of t){const s=n.find(s=>s.path===e.path&&s.actions===e.actions);s?!s.enable&&e.enable&&(s.enable=e.enable):n.push(e)}}const i=[];for(const e of n)if(e.actions&&""!==e.actions.trim()){const s=e.actions.split(",");for(const t of s)i.push({path:e.path.trim()+"|"+t.trim(),enable:e.enable})}for(const e of n)if(!e.actions||""===e.actions.trim()){const s=i.some(s=>s.path.split("|")[0]===e.path&&s.enable),t=i.find(s=>s.path===e.path&&(!s.actions||""===s.actions.trim()));t?t&&!t.enable&&s&&(t.enable=!0):i.push({path:e.path.trim(),enable:s||e.enable})}const o=new Map;i.forEach(e=>{if(o.has(e.path)){!o.get(e.path).enable&&e.enable&&o.set(e.path,e)}else o.set(e.path,e)});return Array.from(o.values())}getSecurityRules(e,s,t){const n=[];for(const i of e){const e=this._getSecurityRulesByRole(i,s,t);for(const s of e)n.map(e=>e.path).includes(s.path)||n.push(s)}return n}getPermissions(){return this.config&&this.config.permissions&&0!==this.config.permissions.length?this.config.permissions.filter(e=>e.visible||null===e.visible||void 0===e.visible).map(e=>e.name).sort():[]}authorized(e,s,t,n){return this.config.defaultUserRole&&t.push(this.config.defaultUserRole),e.startsWith("/api")?this._checkApi(e,s,t,n):s&&""!==s.trim()?this._checkWidget(e,s,t,n):this._checkPath(e,t,n)}checkAuthorize(e,s,t,n){const i=this.authorized(e,s,t,n);return null==i||i}_getSecurityRulesByRole(e,s,t){const n=this.config.roles.find(s=>s.externalId===e);if(!n||!n.rules)return[];const i=n.rules[s];return i?t&&0!==t.length?i.filter(e=>t.includes(e.domain)):i:[]}_solveRulesByRole(e){for(const s of e.roles){s.rules={backend:[],frontend:[]};for(const t of s.permissions){const n=e.permissions.find(e=>e.name===t);if(n)for(const e of n.rules){const t=n.domain||"default";if(e.path.startsWith("/api")){s.rules.backend.find(s=>s.path===e.path&&s.actions===e.actions&&s.enable===e.enable&&s.domain===t)||(e.domain=t,s.rules.backend.push(e))}else{s.rules.frontend.find(s=>s.path===e.path&&s.actions===e.actions&&s.enable===e.enable&&s.domain===t)||(e.domain=t,s.rules.frontend.push(e))}}}}}_solveMergeRulesByRole(e){for(const s of e.roles){for(const e of s.rules.frontend)s.rules.frontend=this._solveMergeRule(s.rules.frontend,e);for(const e of s.rules.backend)s.rules.backend=this._solveMergeRule(s.rules.backend,e)}}_solveRoleId(e){for(const s of e.roles)s.externalId||(s.externalId=s.name)}_getRoles(e){const s=e&&0!==e.length?e:this.config.roles.filter(e=>e.default).map(e=>e.name),t=this.config.roles.filter(e=>e.applyToAll);if(t&&t.length>0)for(const e of t)s.includes(e.name)||s.push(e.name);return s}_getBackendSecurityRules(e,s,t){let n=[];const i=this._getRoles(e);for(const e of i){const i=this._getSecurityRulesByRole(e,"backend",t).filter(e=>e.actions.includes("*")||e.actions.includes(s));for(const e of i)n=this._solveMergeRule(n,e)}return n.sort((e,s)=>e.path>s.path?1:-1)}_solveMergeRule(e,s){let t=JSON.parse(JSON.stringify(e));const n=t.filter(e=>e.path===s.path);if(0==n.length)t.push(s);else{if(n.some(e=>e.actions.includes("*")&&e.enable))return t;if(s.actions.includes("*")&&s.enable)t=t.filter(e=>e.path!==s.path),t.push(s);else if(s.actions.includes("*")&&!s.enable)t=t.filter(e=>!(e.path===s.path&&e.enable===s.enable)),t.push(s);else{if(!s.enable&&n.some(e=>e.actions.includes("*")&&!e.enable))return t;for(const e of s.actions.split(",")){const n=t.filter(e=>e.path===s.path);if(!n.some(t=>(t.actions.includes("*")||t.actions.includes(e))&&(t.enable||t.enable===s.enable)))if(n.some(t=>t.actions.includes(e)&&!t.enable&&s.enable)){const i=n.find(s=>s.actions.includes(e)&&!s.enable),o=i.actions.split(",").filter(s=>s!==e);0===o.length?t=t.filter(t=>!(t.path===s.path&&t.actions===e&&!t.enable)):i.actions=o.join(",");const r=n.find(e=>e.enable===s.enable);r?r.actions=r.actions+","+e:t.push({path:s.path,actions:e,enable:s.enable})}else if(n.some(t=>!t.actions.includes(e)&&t.enable===s.enable)){const t=n.find(e=>e.enable===s.enable);t.actions=t.actions+","+e}else{const i=n.find(e=>e.enable===s.enable);i?i.actions=i.actions+","+e:t.push({path:s.path,actions:e,enable:s.enable})}}}}return t}_cleanPath(e){const s=e.indexOf("?");return-1!==s?e.substring(0,s):e}_cretaeExpression(e){if(this.utils.isRegExp(e))return e;if(e.endsWith("/**")){const s=e.replace(/\|.*$/gm,"").replace(/\/\*\*$/,"");return new RegExp(`^${s}(/.*)?$`)}return e.replace(/\|.*$/gm,"").replace(/\/+$/,"").replace(/^\/+/,"^/")}_replaceDynamicURLParts(e){let s=null;return s=this.utils.isRegExp(e)?e:new RegExp(e.replace(/\*\*/gm,".*").replace(/\*/gm,function(e,s,t){return"."===t[s-1]?"*":"[^/]*"})+"$",""),{regexp:s}}_findMatchedRoutes(e,s=[]){const t=e.replace(/^\/+/,"/");return s.map(e=>{const s=this._cretaeExpression(e.path),{regexp:n}=this._replaceDynamicURLParts(s);return!!n.test(t)&&e}).filter(e=>e)}_checkApi(e,s,t,n){const i=this._cleanPath(e),o=s.toUpperCase(),r=this._getBackendSecurityRules(t,o,n),l=this._findMatchedRoutes(i,r),a=this.utils.chain(l).filter(e=>e.actions.includes("*")||e.actions.includes(o)).value(),c=a.some(e=>e.enable),f=a.some(e=>!e.enable);return!(!c&&(c||f))||(f?(this.logger.error(`can't access to ${s} ${e}`),!1):null)}_checkPath(e,s,t){const n=this.getFrontendSecurityRules(s,t),i=this.utils.chain(this._findMatchedRoutes(e,n)).value(),o=i.some(e=>e.enable),r=i.some(e=>!e.enable);return!(!o&&(o||r))||!r&&null}_checkWidget(e,s,t,n){const i=s.toUpperCase(),o=this.getFrontendSecurityRules(t,n),r=this.utils.chain(this._findMatchedRoutes(e,o)).filter(({path:e})=>e.includes(this.WIDGET_SEPARATOR)).filter(({path:e})=>{const s=e.substring(e.indexOf(this.WIDGET_SEPARATOR)+1).replace(/\*\*/gm,".*");return new RegExp(`^${s}$`,"gm").test(i)}).value();if(r.find(s=>s.path===e+"|**"&&s.enable))return!0;const l=r.find(s=>s.path===e+"|"+i);if(l)return l.enable;const a=this.utils.chain(r).reverse().first().value();return a?a.enable:null}_validateAndNormalizeConfig(e){if(!e)throw new Error("config is undefined");if(void 0===e.roles||null===e.roles||0===e.roles.length)throw new Error("config.roles is undefined");if(void 0===e.permissions||null===e.permissions||0===e.permissions.length)throw new Error("config.permissions is undefined");for(const s of e.permissions){if(!s.name)throw new Error("Permission has not name");s.rules||(s.rules=[]),s.visible||(s.visible=!0);for(const e of s.rules)if(void 0!==e.enable&&null!==e.enable||(e.enable=!0),void 0===e.actions||null===e.actions?e.actions=e.path.startsWith("/api")?"*":"":e.actions=e.actions.toUpperCase(),!e.path)throw new Error(`Rule in permission ${s.name} has not path`)}for(const s of e.roles)s.permissions||(s.permissions=[])}};

package/dist/blz-security/config/global.js

@@ -0,0 +1 @@
+module.exports={startupBoxOptions:{padding:1,margin:1,borderStyle:"round",borderColor:"yellow"}};

package/dist/blz-security/filescanner/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Scans a readable stream for viruses using ClamAV over TCP.
+ *
+ * @param {ReadableStream} stream - A Node.js readable stream to scan.
+ * @param {Object} [options]
+ * @param {number} [options.port=3310] - TCP port where clamd is listening.
+ * @param {string} [options.host='127.0.0.1'] - Clamd host.
+ * @param {number} [options.timeout=60000] - Timeout in milliseconds.
+ * @returns {Promise<{ clean: boolean, name: string }>} - Scan result.
+ */
+export function scanStream(stream: ReadableStream, options?: {
+    port?: number;
+    host?: string;
+    timeout?: number;
+}): Promise<{
+    clean: boolean;
+    name: string;
+}>;
+/**
+ * Checks if a file extension is allowed.
+ * @param {string} filename - Name of the file to check.
+ * @returns {boolean}
+ */
+export function fileExtensionAllowed(filename: string): boolean;

package/dist/blz-security/filescanner/index.js

@@ -0,0 +1 @@
+const clamav=require("clamav.js"),path=require("path");async function scanStream(e,n={}){const t=n.port||3310,a=n.host||"127.0.0.1",o=n.timeout||6e4,r=clamav.createScanner(t,a,o);return new Promise((n,t)=>{r.scan(e,(e,a,o)=>{if(e)return t(e);n({clean:!o,name:a})})})}function fileExtensionAllowed(e){const n=path.extname(e).toLowerCase(),t=process.env.blz_fileScannerAllowedExtension;return!t||t.split(",").includes(n)}module.exports={scanStream:scanStream,fileExtensionAllowed:fileExtensionAllowed};

package/dist/blz-security/helpers/consts.d.ts

@@ -0,0 +1,28 @@
+/**
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+ * @description Document listing OP endpoint URLs.
+ */
+export const METADATA: {
+    name: string;
+    description: string;
+    type: string;
+}[];
+/**
+ * @see https://openid.net/specs/openid-connect-core-1_0.html
+ * @description OpenID Connect Core
+ * @version 1.0
+ * @param OP OpenId Provider
+ * @param RP Relying Party (Client)
+ */
+/**
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
+ * @description OP configuration document.
+ *
+ */
+export const OIDC_DISCOVERY: "/.well-known/openid-configuration";
+/**
+ * @description Encrypt with AES the word "BLAZEDPATH" with the same secret key in md5 and the output to be base64.
+ * @argument md5 E6F712AA790EE519C2E39177576CD0F0
+ * @argument output base64
+ */
+export const SIGNATURE: "LSL/e9tVTTK5VovRt9qQgg==";

package/dist/blz-security/helpers/consts.js

@@ -0,0 +1 @@
+const OIDC_DISCOVERY="/.well-known/openid-configuration",SIGNATURE="LSL/e9tVTTK5VovRt9qQgg==",METADATA=[{name:"issuer",description:"URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.",type:"REQUIRED"},{name:"authorization_endpoint",description:"URL of the OP OAuth 2.0 Authorization Endpoint.",type:"REQUIRED"},{name:"token_endpoint",description:"URL of the OP OAuth 2.0 Token Endpoint.",type:"REQUIRED"},{name:"userinfo_endpoint",description:"URL of the OP UserInfo Endpoint.",type:"RECOMMENDED"},{name:"jwks_uri",description:"URL of the OP JSON Web Key Set [JWK] document.",type:"REQUIRED"},{name:"registration_endpoint",description:"URL of the OP Dynamic Client Registration Endpoint.",type:"RECOMMENDED"},{name:"scopes_supported",description:"JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.",type:"RECOMMENDED"},{name:"response_types_supported",description:"JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.",type:"REQUIRED"},{name:"response_modes_supported",description:"JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports",type:"OPTIONAL"},{name:"grant_types_supported",description:"JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.",type:"OPTIONAL"},{name:"acr_values_supported",description:"JSON array containing a list of the Authentication Context Class References that this OP supports.",type:"OPTIONAL"},{name:"subject_types_supported",description:"JSON array containing a list of the Subject Identifier types that this OP supports.",type:"REQUIRED"},{name:"id_token_signing_alg_values_supported",description:"JSON array containing a list of the JWS signing algorithms supported by the OP for the ID Token to encode the Claims in a JWT.",type:"REQUIRED"},{name:"id_token_encryption_alg_values_supported",description:"JSON array containing a list of the JWE encryption algorithms supported by the OP for the ID Token to encode the Claims in a JWT.",type:"OPTIONAL"},{name:"id_token_encryption_enc_values_supported",description:"JSON array containing a list of the JWE encryption algorithms supported by the OP for the ID Token to encode the Claims in a JWT.",type:"OPTIONAL"},{name:"userinfo_signing_alg_values_supported",description:"JSON array containing a list of the JWS [JWS] signing algorithms [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT.",type:"OPTIONAL"},{name:"userinfo_encryption_alg_values_supported",description:"JSON array containing a list of the JWE [JWE] encryption algorithms [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT ",type:"OPTIONAL"},{name:"userinfo_encryption_enc_values_supported",description:"JSON array containing a list of the JWE encryption algorithms [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT.",type:"OPTIONAL"},{name:"request_object_signing_alg_values_supported",description:"JSON array containing a list of the JWS signing algorithms supported by the OP for Request Objects.",type:"OPTIONAL"},{name:"request_object_encryption_alg_values_supported",description:"JSON array containing a list of the JWE encryption algorithms supported by the OP for Request Objects.",type:"OPTIONAL"},{name:"request_object_encryption_enc_values_supported",description:"JSON array containing a list of the JWE encryption algorithms supported by the OP for Request Objects",type:"OPTIONAL"},{name:"token_endpoint_auth_methods_supported",description:"JSON array containing a list of Client Authentication methods supported by this Token Endpoint.",type:"OPTIONAL"},{name:"token_endpoint_auth_signing_alg_values_supported",description:"JSON array containing a list of the JWS signing algorithms supported by the Token Endpoint for the signature on the JWT.",type:"OPTIONAL"},{name:"display_values_supported",description:"JSON array containing a list of the display parameter values that the OP supports",type:"OPTIONAL"},{name:"claim_types_supported",description:"JSON array containing a list of the Claim Types that the OP supports.",type:"OPTIONAL"},{name:"claims_supported",description:"JSON array containing a list of the Claim Names of the Claims that the OP may be able to supply values for.",type:"RECOMMENDED"},{name:"service_documentation",description:"URL of a page containing human-readable information that developers might want or need to know when using the OP.",type:"OPTIONAL"},{name:"claims_locales_supported",description:"Languages and scripts supported for values in Claims being returned.",type:"OPTIONAL"},{name:"ui_locales_supported",description:"Languages and scripts supported for the user interface.",type:"OPTIONAL"},{name:"claims_parameter_supported",description:"Boolean value specifying whether the OP supports use of the claims parameter.",type:"OPTIONAL"},{name:"request_parameter_supported",description:"Boolean value specifying whether the OP supports use of the request parameter.",type:"OPTIONAL"},{name:"request_uri_parameter_supported",description:"Boolean value specifying whether the OP supports use of the request_uri parameter.",type:"OPTIONAL"},{name:"require_request_uri_registration",description:"Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter.",type:"OPTIONAL"},{name:"op_policy_uri",description:"URL that the OP provides to the person registering the Client to read about the OP requirements on how the Relying Party can use the data provided by the OP.",type:"OPTIONAL"},{name:"op_tos_uri",description:"URL that the OP provides to the person registering the Client to read about OP terms of service",type:"OPTIONAL"},{name:"check_session_iframe",description:"URL of an OP iframe that supports cross-origin communications for session state information with the RP Client",type:"OPTIONAL"},{name:"end_session_endpoint",description:"OAuth logout URI that the client can use to initiate logout on the server.",type:"OPTIONAL"},{name:"backchannel_logout_supported",description:"Boolean value specifying whether the OP supports back-channel logout.",type:"OPTIONAL"},{name:"backchannel_logout_session_supported",description:"Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP.",type:"OPTIONAL"}];module.exports={METADATA:METADATA,OIDC_DISCOVERY:OIDC_DISCOVERY,SIGNATURE:SIGNATURE};

package/dist/blz-security/helpers/utils.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Handling exceptions
+ * @param {string} message
+ * @param {string} name
+ * @param {integer} code
+ */
+export class Exception {
+    constructor(message: any, name: any, code: any);
+    message: any;
+    name: any;
+    code: any;
+}
+/**
+ * @name filePathList
+ * @api private
+ * @description Get list of files with path and folder name recursively.
+ * @param {String} path Absolute path of the folder to be analyzed.
+ * @param {String} folderName Name of the folder to compare recursively to get the files.
+ * @param {[]} listFiles List of files to be added after the recursive search criteria are met.
+ * @returns
+ */
+export function filePathList(path: string, folderName: string, listFiles?: []): [];
+export function getCookieName(cookieName?: string): string;
+/**
+ * @name getFullUrl
+ * @api private
+ * @description Get full URL
+ * @param {*} request
+ * @returns
+ */
+export function getFullUrl(request: any): string;
+/**
+ * @name getHost
+ * @api private
+ * @description Get host URL
+ * @param {*} request
+ * @returns
+ */
+export function getHost(request: any): any;
+export function getMappingValues(data: any, mappings: any): {};
+/**
+ * @name getPathname
+ * @api private
+ * @description Get pathname URL
+ * @param {*} request
+ * @returns
+ */
+export function getPathname(request: any): any;
+/**
+ * @name getProtocol
+ * @api private
+ * @description Get protocol URL
+ * @param {*} request
+ * @returns
+ */
+export function getProtocol(request: any): any;
+export function getRefreshTokenTolerance(defaultValue?: number): any;
+/**
+ * @name Template
+ * @description Function to get the template through the key and context data.
+ * @api private
+ * @param {String} key
+ * @param {*} data Context data
+ * @returns {String} Template with html structure.
+ */
+export function getTemplate(key: string, data: any): string;
+export function getTokenTolerance(defaultValue?: number): any;
+/**
+ * @name log
+ * @api private
+ * @Description Event logging function
+ * @param {*} Object with unstructured properties.
+ */
+export function log({ inBox, color, message, withDateTime }: any): void;
+/**
+ * Event tracing
+ * @param {string} logLevel INFO, ERROR or WARN
+ * @param {string} message Log message
+ */
+export function trace(logLevel: string, message: string): void;
+export function errorResponse(h: any, err: any, defaultCode?: number): any;
+export function isBase64(str: any): boolean;

package/dist/blz-security/helpers/utils.js

@@ -0,0 +1 @@
+const Fs=require("fs"),Handlebars=require("handlebars"),Path=require("path"),jsonpath=require("jsonpath"),BlzConfig=require("../../blz-config/index"),hasTracing=process.env.TRACING||!1,getTemplate=(e,t)=>{let r=Path.join(Path.dirname(__dirname),"templates",`${e}.html`);if(!Fs.existsSync(r))throw new Exception(`The template doesn't exist with the key ${e}`,"TemplateError",404);return r=Fs.readFileSync(r,"utf-8"),Handlebars.compile(r)(t)};function log({inBox:e,color:t,message:r,withDateTime:o=!1}){r=`${o?`[${(new Date).toLocaleString()}]`:""} ${r}`,console.log(r)}const filePathList=(e,t,r=[])=>{if(Fs.existsSync(e))if(Fs.lstatSync(e).isDirectory()){const o=Fs.readdirSync(e).filter(t=>Fs.statSync(Path.join(e,t)).isDirectory());if(o&&o.length>0)for(const n in o){const s=o[n];if(s===t){Fs.readdirSync(Path.join(e,s)).filter(t=>Fs.statSync(Path.join(e,s,t)).isFile()).map(t=>r.push(Path.join(e,s,t)))}filePathList(Path.join(e,s),t,r)}}else r.push(e);return r},getFullUrl=e=>`${getProtocol(e)}://${getHost(e)}${getPathname(e)}`,getHost=e=>e.info.host,getPathname=e=>{const{pathname:t}=e.url;return t},getProtocol=e=>e.server.info.protocol,trace=(e,t)=>{if(process.env.TRACING||hasTracing){let r=null;switch(e){case"ERROR":r="red";break;case"WARN":r="yellow";break;default:r="green"}"object"==typeof t?Object.entries(t).map(e=>(e&&e[0]&&e[1]&&log({message:`${e[0]}: ${e[1]}`,withDateTime:!0,color:r}),e)):log({message:t,withDateTime:!0,color:r})}},getMappingValues=(e,t)=>{const r={};for(const o in t){const n=t[o];try{let t=jsonpath.query(e,n.path);if(void 0!==n.pathIndex&&(t=t[n.pathIndex]),n.regex){t=new RegExp(n.regex).exec(t),void 0!==n.regexGroup&&(t=t[n.regexGroup])}if(n.split&&(t=t.split(n.split)),n.replaceRules){const e=[];for(const r in t){const o=t[r],s=n.replaceRules.find(e=>e.oldValue===o);s&&e.push(s.newValue)}t=e}r[n.itemKey]=t}catch(e){throw new Error(`User info mapping ${JSON.stringify(n)} error: ${e}`)}}return r};class Exception{constructor(e,t,r){this.message=e,this.name=t,this.code=r}}const getTokenTolerance=function(e=30){return parseNumber(process.env.TOKEN_TOLERANCE,e)},getRefreshTokenTolerance=function(e=0){return parseNumber(process.env.REFRESH_TOKEN_TOLERANCE,e)},parseNumber=function(e,t){return e&&!isNaN(e)?Number(e):t},getCookieName=function(e=""){const t=BlzConfig.getConfig()||{};return(t.authServer&&t.authServer.sessionCookiesPrefix||"")+e},errorResponse=function(e,t,r=500){const{code:o,name:n,message:s}=t;return"production"===process.env.NODE_ENV?(trace("ERROR",{name:n,message:s}),e.response({name:n}).code(parseInt(o)||r).takeover()):e.response({name:n,message:s}).code(parseInt(o)||r).takeover()},isBase64=function(e){if("string"!=typeof e)return!1;if(!/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/.test(e))return!1;try{const t=Buffer.from(e,"base64").toString("utf8");return Buffer.from(t,"utf8").toString("base64")===e.replace(/=*$/,"")}catch(e){return!1}};module.exports={Exception:Exception,filePathList:filePathList,getCookieName:getCookieName,getFullUrl:getFullUrl,getHost:getHost,getMappingValues:getMappingValues,getPathname:getPathname,getProtocol:getProtocol,getRefreshTokenTolerance:getRefreshTokenTolerance,getTemplate:getTemplate,getTokenTolerance:getTokenTolerance,log:log,trace:trace,errorResponse:errorResponse,isBase64:isBase64};

package/dist/blz-security/implementations/cache.d.ts

@@ -0,0 +1,58 @@
+export class RedisCache {
+    constructor(cnx: any);
+    _cache: any;
+    /**
+   * @name set
+   * @api private
+   * @description Maximum age in ms.
+   * @param {*} key key to be cached.
+   * @param {*} value value to be cached.
+   * @param {*} maxAge Maximum age in ms.
+   */
+    set(key: any, value: any, maxAge: any): Promise<void>;
+    /**
+   * @name get
+   * @api private
+   * @description Get the value that was cached.
+   * @param {*} key
+   * @returns
+   */
+    get(key: any): Promise<any>;
+    /**
+   * @name del
+   * @api private
+   * @description It was removing the value that was in the cache.
+   * @param {*} key
+   * @returns
+   */
+    del(key: any): Promise<void>;
+}
+export class LruCache {
+    _cache: LRUCache<{}, {}, unknown>;
+    /**
+   * @name set
+   * @api private
+   * @description Maximum age in ms.
+   * @param {*} key key to be cached.
+   * @param {*} value value to be cached.
+   * @param {*} maxAge Maximum age in ms.
+   */
+    set(key: any, value: any, maxAge: any): Promise<void>;
+    /**
+   * @name get
+   * @api private
+   * @description Get the value that was cached.
+   * @param {*} key
+   * @returns
+   */
+    get(key: any): Promise<{}>;
+    /**
+   * @name del
+   * @api private
+   * @description It was removing the value that was in the cache.
+   * @param {*} key
+   * @returns
+   */
+    del(key: any): Promise<void>;
+}
+import { LRUCache } from "lru-cache";

package/dist/blz-security/implementations/cache.js

@@ -0,0 +1 @@
+const{LRUCache:LRUCache}=require("lru-cache"),IoRedis=require("ioredis");class LruCache{constructor(){this._cache=new LRUCache({max:500,maxSize:5e3,ttl:108e5,sizeCalculation:(e,c)=>1})}async set(e,c,a){this._cache.set(e,c,a)}async get(e){return this._cache.get(e)}async del(e){this._cache.delete(e)}}class RedisCache{constructor(e){this._cache=new IoRedis(e)}async set(e,c,a){const s=JSON.stringify(c);await this._cache.set(e,s,"EX",a/1e3)}async get(e){const c=await this._cache.get(e);return c?JSON.parse(c):c}async del(e){await this._cache.del(e)}}module.exports={RedisCache:RedisCache,LruCache:LruCache};

package/dist/blz-security/implementations/oidc.d.ts

@@ -0,0 +1,100 @@
+export class Oidc {
+    constructor(cache: any, config: any);
+    cache: any;
+    config: any;
+    oidcMetadataKey(): any;
+    oidcMetadata(): Promise<any>;
+    /**
+     * @name configuration
+     * @api public
+     * @param {String} uri OP configuration information
+     */
+    configuration(context: any): Promise<Iss>;
+    expiresIn(tokensSet: any): number;
+    expired(tokensSet: any): boolean;
+    /**
+     * @name tokenSet
+     * @generator PKCE is mandatory in OAuth 2.1.
+     * @see https://tools.ietf.org/html/draft-ietf-oauth-v2-1-02
+     * @see https://tools.ietf.org/html/rfc7636
+     */
+    tokenSet(): Promise<{
+        /**
+         * @name tokens
+         * @api public
+         * @param sessionState String that represents the End-User's login state at the OP.
+         * @returns Tokens set
+         */
+        tokens: (sessionState: any) => Promise<any>;
+        /**
+         * @name generate
+         * @api public
+         * @param {code, scope, redirect_uri}
+         * @description Generate token with authorization flow with PKCE.
+         */
+        generate: ({ code, scope, redirectUri, sid }: any) => Promise<any>;
+        /**
+         * @name userInfo
+         * @api public
+         * @param {String} sessionState
+         * @returns userInfo Returns previously consented user profile information to the RP.
+         * @see https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+         */
+        userInfo: (sessionState: string) => Promise<{
+            user_name: any;
+        }>;
+    }>;
+    getUseTokenType(): any;
+    getUseToken(sessionState: any): Promise<any>;
+    /**
+     * @name pkceCode
+     * @api public
+     * @description The properties "code_challenge" and "code_verifier" are adopted from the OAuth 2.0 extension
+     * known as "Proof-Key for Code Exchange", or PKCE [RFC7636].
+     * @see https://datatracker.ietf.org/doc/html/rfc7636
+     * @param {String} code
+     * @returns
+     */
+    pkceCode(code: string): Promise<any>;
+    /**
+     * @name authorizationUrl
+     * @api public
+     * @param {scope, redirect_uri}
+     * @returns authorization endpoint with PKCE
+     */
+    authorizationUrl({ scope, redirectUri, pkceCode }: any): Promise<any>;
+    /**
+     * @name endSessionUrl
+     * @api public
+     * @param {session_state, redirect_uri}
+     * @returns end session url
+     */
+    endSessionUrl({ sessionState, redirectUri }: session_state): Promise<any>;
+    /**
+     * @name client
+     * @api public
+     * @description set client ID and secret in metadata object
+     * @param {clientId, clientSecret}
+     */
+    client({ clientId, clientSecret }: any): Promise<void>;
+    jwt(): {
+        sign: ({ payload, secret, algorithm }: {
+            payload: any;
+            secret: any;
+            algorithm?: string;
+        }) => never;
+    };
+}
+/**
+ * @name Iss
+ * @api public
+ * @description Entity that issues a set of claims
+ */
+declare class Iss {
+    /**
+     * @constructor
+     * @param {Object} metadata
+     */
+    constructor(metadata: any);
+}
+export {};

package/dist/blz-security/implementations/oidc.js

@@ -0,0 +1 @@
+const CryptoJS=require("crypto-js"),{Issuer:Issuer,generators:generators,custom:custom}=require("openid-client"),Jsonwebtoken=require("jsonwebtoken"),JwksClient=require("jwks-rsa"),Uuid=require("uuid"),{METADATA:METADATA}=require("../helpers/consts"),{trace:trace,Exception:Exception,getTokenTolerance:getTokenTolerance}=require("../helpers/utils");let jwks,clientOidc;custom.setHttpOptionsDefaults({timeout:process.env.TIMEOUT_HTTP||3e4});class Iss{constructor(e){e.id_token_signing_alg_values_supported||(e.id_token_signing_alg_values_supported=["RS256"]),e.response_types_supported||(e.response_types_supported=["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"]),e.subject_types_supported||(e.subject_types_supported=["public"]);const t=METADATA.filter(({type:e})=>"REQUIRED"===e),i=Object.entries(e);for(let e=0;e<i.length;e++)t.forEach((r,n)=>{i[e][0]===r.name&&i[e][1]&&t.splice(n,1)});if(t.length>0)throw new Exception(JSON.stringify(t),"ClaimError",403);jwks=JwksClient({cache:!0,rateLimit:!0,cacheMaxAge:6e4,jwksRequestsPerMinute:15,jwksUri:e.jwks_uri});const r=e.Client?e:new Issuer(e),n={client_id:e.clientId,response_type:"code"};e.clientSecret&&(n.client_secret=e.clientSecret),clientOidc=new r.Client(n)}}class Oidc{constructor(e,t){if(this.cache=e,this.config=t,this.config.authServer){if(this.config.authServer.PrivateKey&&this.config.authServer.PublicKey)this.config.authServer.PrivateKey=this.config.authServer.PrivateKey.replace(/\\n/g,"\n"),this.config.authServer.PublicKey=this.config.authServer.PublicKey.replace(/\\n/g,"\n");else{if(!process.env.PRIVATE_KEY||!process.env.PUBLIC_KEY)throw new Exception("Private and public keys are mandatory","AttributeError",403);this.config.authServer.PrivateKey=process.env.PRIVATE_KEY,this.config.authServer.PublicKey=process.env.PUBLIC_KEY}this.config.authServer.Signature||(process.env.OIDC_SIGNATURE?this.config.authServer.Signature=process.env.OIDC_SIGNATURE:this.config.authServer.Signature="--")}}oidcMetadataKey(){return this.config.authServer.sessionCookiesDomain||"oidcMetadata"}async oidcMetadata(){return await this.cache.get(this.oidcMetadataKey())}async configuration(e){let t=await this.cache.get(this.oidcMetadataKey());if("string"==typeof e&&!e.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi))throw new Exception("Wrong OpenId Provider configuration URI entered","AttributeError",403);return t&&t.issuer||(e.issuer?t={...t||{},...e}:(t=t||{},t.openid_configuration=e,t={...t,...await Issuer.discover(e)}),await this.cache.set(this.oidcMetadataKey(),t,864e5)),new Iss(t)}expiresIn(e){return Math.round((1e3*e.expires_at-Date.now())/1e3)}expired(e){return this.expiresIn(e)<getTokenTolerance()}async tokenSet(){return{tokens:async e=>{if(!e)throw new Exception("Session state is mandatory","AttributeError",404);const t=await this.cache.get(e);if(!t||!t.access_token)throw new Exception(`No token found fo session_state: ${e}`,"TokenError",403);if(this.expired(t)&&t.refresh_token){const[i,r]=await clientOidc.refresh(t.refresh_token,{exchangeBody:{client_id:clientOidc.clientId}}).then(e=>[null,e]).catch(e=>[e,null]);if(i||!r.access_token)throw await this.cache.del(e),new Exception(`Can not refresh token for session_state: ${e}`,"ExpirationError",403);return trace("INFO",`Refresh token for session_state: ${e}`),await this.cache.set(e,r,1e3*(r.refresh_expires_in||r.expires_in)),r}if(t.refresh_expires_in<getTokenTolerance())throw await this.cache.del(e),new Exception(`Token expired, remove session_state: ${e}`,"ExpirationError",403);return trace("INFO",`Get token of session_state: ${e}`),t},generate:async({code:e,scope:t="openid",redirectUri:i="",sid:r})=>{if(!r)throw new Exception("SID is mandatory","");const{codeVerifier:n}=await this.pkceCode(r),o=await clientOidc.callback(i,{grant_type:"authorization_code",code:e,scope:t,client_id:clientOidc.client_id,client_secret:clientOidc.client_secret||" ",redirect_uri:i},{code_verifier:n}).then(e=>e).catch(e=>e);if(o&&o.access_token){if(o.session_state=o.session_state||Uuid.v4(),o.refresh_expires_in<=getTokenTolerance(0))throw new Exception(`Invalid refresh token expiration ${o.refresh_expires_in}`,"ExpirationError",403);const e=1e3*(o.refresh_expires_in||o.expires_in);return e>0?(await this.cache.set(o.session_state,o,e),o):(trace("ERROR",`Expiration time: ${e}`),null)}if(o.message&&o.exp<=o.now)throw new Exception(o.message,"ExpirationError",403);throw new Exception(o.error_description||o.error||o.message,"TokenError",403)},userInfo:async e=>{const t=await this.cache.get(e);let i={};if(!t||!t.access_token)throw new Exception("Access token is mandatory","TokenError",401);if(i=clientOidc.issuer&&clientOidc.issuer.userinfo_endpoint?await clientOidc.userinfo(t.access_token).then(e=>e).catch(e=>e):Jsonwebtoken.decode(t.id_token),!i.user_name&&i.name&&(i.user_name=i.name),i.error)throw new Exception(i.error,"UserInfoError",403);return i}}}getUseTokenType(){return this.config.authServer.useTokenType||"access_token"}async getUseToken(e){const t=await this.tokenSet();if(t&&e){const i=await t.tokens(e);if(i)return i[this.getUseTokenType()]}return null}async pkceCode(e){if(!e){const e=generators.codeVerifier(),t={jti:Uuid.v4(),iat:Math.floor(Date.now()/1e3),typ:"Serialized-ID",state_checker:CryptoJS.AES.encrypt(JSON.stringify({codeVerifier:e,codeChallenge:generators.codeChallenge(e)}),this.config.authServer.Signature).toString()};return Jsonwebtoken.sign(t,this.config.authServer.PrivateKey,{expiresIn:"1m",algorithm:"RS256"})}try{const t=await Jsonwebtoken.verify(e,this.config.authServer.PublicKey,{algorithms:["RS256"]}),{state_checker:i}=t;return JSON.parse(CryptoJS.AES.decrypt(i,this.config.authServer.Signature).toString(CryptoJS.enc.Utf8))}catch(e){throw new Exception(e,"pkceCode",403)}}async authorizationUrl({scope:e="openid",redirectUri:t="",pkceCode:i}){const{codeChallenge:r}=await this.pkceCode(i),n=await this.cache.get(this.oidcMetadataKey());if(!clientOidc&&!n)throw new Exception("Unable to fetch configuration from identity provider","ConfigurationError",404);return await this.configuration(n.openid_configuration),clientOidc.authorizationUrl({scope:e,code_challenge:r,code_challenge_method:"S256",redirect_uri:t.replace(/\/(logout|invalid-session).*/gm,"/")})}async endSessionUrl({sessionState:e,redirectUri:t}){if(t=t.replace(/logout|invalid-session/gim,""),trace("INFO",`Logout session_state: ${e}`),e){const i=await this.cache.get(e);if(await this.cache.del(e),i)return clientOidc.endSessionUrl({id_token_hint:i.id_token,post_logout_redirect_uri:t,state:e})}if(!clientOidc)throw new Exception("Unable to fetch configuration from identity provider","ConfigurationError",404);return clientOidc.endSessionUrl({post_logout_redirect_uri:t})}async client({clientId:e,clientSecret:t}){if(!e)throw new Exception("Client ID is wrong","AttributeError",404);const i=await this.cache.get(this.oidcMetadataKey());t?await this.cache.set(this.oidcMetadataKey(),{...i||{},clientId:e,clientSecret:t},864e5):await this.cache.set(this.oidcMetadataKey(),{...i||{},clientId:e},864e5)}jwt(){return{sign:({payload:e,secret:t,algorithm:i="RS256"})=>Jsonwebtoken.sign(e,t,{algorithm:i})}}}module.exports={Oidc:Oidc};

package/dist/blz-security/implementations/pkceCacheStore.d.ts

@@ -0,0 +1,2 @@
+export function saveVerifier(stateId: any, codeVerifier: any): void;
+export function getVerifier(stateId: any): any;

package/dist/blz-security/implementations/pkceCacheStore.js

@@ -0,0 +1 @@
+const pkceStore=new Map;function saveVerifier(e,r){pkceStore.set(e,r),setTimeout(()=>{pkceStore.delete(e)},3e5)}function getVerifier(e){const r=pkceStore.get(e);return r&&pkceStore.delete(e),r}module.exports={saveVerifier:saveVerifier,getVerifier:getVerifier};

package/dist/blz-security/implementations/saml.js

@@ -0,0 +1 @@
+const SAML_todo="WIP - SAML implementation coming soon!";

package/dist/blz-security/implementations/uma.d.ts

@@ -0,0 +1,31 @@
+export = Uma;
+/**
+ * @param RPT Requesting Party Token
+ * @param PAT Protection API Token
+ * @param AS Authorization Server
+ * @param RS Resource Server
+ */
+/**
+ * @name Uma
+ * @api public
+ * @description Managing access to protected resources.
+ */
+declare class Uma {
+    /**
+     * @name permission
+     * @api public
+     * @description
+     * @returns
+     */
+    static permission(): Promise<{
+        /**
+         * @name ticket
+         * @api public
+         * @description Through grant type xx:uma-ticket, clients can send authorization
+         * requests and get an RPT with all permissions granted by auth server.
+         * @param {token_url, token, audience}
+         * @returns token
+         */
+        ticket: ({ tokenUrl, token, audience }: token_url) => Promise<any>;
+    }>;
+}

package/dist/blz-security/implementations/uma.js

@@ -0,0 +1 @@
+const Got=require("got");class Uma{static async permission(){return{ticket:async({tokenUrl:t,token:e,audience:a})=>{const r=new URLSearchParams([["grant_type","urn:ietf:params:oauth:grant-type:uma-ticket"],["audience",a]]);let{body:n}=await Got.post(t,{headers:{Authorization:`Bearer ${e}`,"Content-Type":"application/x-www-form-urlencoded"},body:r.toString()});return"string"==typeof n&&(n=JSON.parse(n)),n}}}}module.exports=Uma;

package/dist/blz-security/implementations/webAuthn.js

@@ -0,0 +1 @@
+const WebAuthn_todo="WIP - WebAuthn implementation coming soon!";

package/dist/blz-security/implementations/wstg.js

@@ -0,0 +1 @@
+const Fs=require("fs"),{filePathList:filePathList}=require("../helpers/utils"),{log:log}=require("../helpers/utils"),informationGathering=e=>({reviewLeakage:()=>{const t=filePathList(e,"public");for(let e=0;e<t.length;e+=1){const s=t[e];if([/^(.*\.((html?|(tp|ft)l|s?[c|a]ss|less|m?js(on)?)))$/gim].some(e=>e.test(s))){let e=/( )*<!--((.*)|[^<]*|[^!]*|[^-]*|[^>]*)-->\n*/gm,t=Fs.readFileSync(s,"utf8");[/^(.*\.((s?[c|a]ss|less)?))$/gim].some(e=>e.test(s))?e=/\/\*[^*]*\*+([^/*][^*]*\*+)*\//gm:[/^(.*\.((m?js(on)?)))$/gim].some(e=>e.test(s))&&(t.split(/\r?\n/).some(e=>e.length>250&&e.match(/class|Blz|function/gm))||(t=t.replace(/(?<=(("([^"\\]|\\.|\\\n)*"|'([^'\\]|\\.|\\\n)*'|`([^`\\]|\\.|\\\n)*`)|\/.*\/(g|m|i|y|u|s)+|\{|\}|\*\/|\)|;|\]|^|\r*))\/{2}[^'"].*/gm,"")),e=/(?<=[^'|"|`])\/\*[^*"^]*\*+(?:[^/*][^*]*\*+)*\//gm),t=t.replace(e,""),Fs.writeFileSync(s,t,"utf8"),log({message:`Applying rules to the file ${s}`,withDateTime:!0})}}return t}}),testing=e=>({fix:()=>{const t="string"==typeof e?e:e[Object.keys(e).find(t=>"string"==typeof e[t])];t&&[/^.*[/ | \\].*$/gm].some(e=>e.test(t))&&informationGathering(t).reviewLeakage()}});module.exports={testing:testing};

package/dist/blz-security/index.d.ts

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+declare const _exports: SecurityService;
+export = _exports;
+import SecurityService = require("./securityService");

package/dist/blz-security/index.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+const AuthorizationService=require("./authorizationService"),SecurityService=require("./securityService"),SqlInjectionGuard=require("./sqlInjectionGuard"),XssGuard=require("./xssGuard"),SecureUrlService=require("./secureUrlService"),_=require("underscore"),logger=require("pino")();let navigationRepository=null;const createNavigationRepository=function(){if(process.env.NAVIGATION_INFO_MONGODB_URL&&process.env.NAVIGATION_INFO_MONGODB_DB&&process.env.NAVIGATION_INFO_MONGODB_COLLECTION){return new(require("./navigationMongoDbRepository"))(process.env.NAVIGATION_INFO_MONGODB_URL,process.env.NAVIGATION_INFO_MONGODB_DB,process.env.NAVIGATION_INFO_MONGODB_COLLECTION,process.env.NAVIGATION_INFO_MONGODB_CERTIFICATE)}logger.warn("MongoDB configuration is missing. Using in-memory repository.");return new(require("./navigationMemoryRepository"))};try{async function gracefulShutdown(){try{navigationRepository&&navigationRepository.close&&(await navigationRepository.close(),logger.info("Navigation repository connection closed."))}catch(e){logger.error("Error during shutdown:",e)}finally{process.exit(0)}}navigationRepository=createNavigationRepository(),process.on("SIGINT",gracefulShutdown)}catch(e){logger.error("Error during startup:",e),process.exit(1)}module.exports=new SecurityService(new AuthorizationService(_,logger),new SqlInjectionGuard(logger),new XssGuard(logger),navigationRepository,new SecureUrlService(logger),logger);

package/dist/blz-security/lab/index.js

@@ -0,0 +1 @@
+const{h3lp:h3lp}=require("h3lp"),Yaml=require("js-yaml"),path=require("path"),AuthorizationService=require("../authorizationService"),_=require("underscore"),logger=require("pino")();async function getAuthorizationService(e){const i=new AuthorizationService(_,logger),n=await h3lp.fs.read(path.join(__dirname,e)),r=(await Yaml.loadAll(n))[0];return i.importSecurityConfig(r),i}(async()=>{let e=null;const i=await getAuthorizationService("../__test__/AuthorizationKpn.yaml");e=i.checkAuthorize("/debtor/102592","dunning_CreateFinancingAgreement",["Collections.ViewOnly"],["agent"]),console.log(e),e=i.checkAuthorize("/debtor/102592","dunning_CreateFinancingAgreement",["Configuration.Admin"],["agent"]),console.log(e)})();

package/dist/blz-security/middleware/HapiServerAzureAd.d.ts

@@ -0,0 +1,26 @@
+export class HapiServerAzureAd {
+    constructor(openIdConnect: any, cookiesName: any, cache: any);
+    openIdConnect: any;
+    COOKIE_NAMES: any;
+    activateTraceApiMethod: boolean;
+    queryStringLimit: any;
+    securityLoginTokenExpToleranceSeconds: number;
+    authServerConfig: any;
+    authServerFullLoginUrl: any;
+    cache: any;
+    clientJwk: jwksClient.JwksClient;
+    publicKeyFetch: (artifacts: any) => Promise<any>;
+    connect(_securityService: any, hapiServer: any, config: any): Promise<void>;
+    getRedirectUri(request: any, redirectPath: any): string;
+    getFullUrl(request: any): string;
+    getBaseUrl(request: any): string;
+    authenticate(h: any, scope: any): Promise<any>;
+    configurePlugins(server: any): Promise<void>;
+    decodeJwtToken(token: any): Promise<hapiJwt.HapiJwt.Artifacts<hapiJwt.HapiJwt.JwtRefs>>;
+    tokenAboutToExpire(token: any, minutesBeforeExpiration?: number): Promise<boolean>;
+    isRefreshTokenExpired(refreshToken: any): Promise<boolean>;
+    startupJwksClient(): Promise<void>;
+    startupPublickKeyFetch(): Promise<void>;
+}
+import jwksClient = require("jwks-rsa");
+import hapiJwt = require("@hapi/jwt");

package/dist/blz-security/middleware/HapiServerAzureAd.js

@@ -0,0 +1 @@
+const Uma=require("../implementations/uma.js"),Jsonwebtoken=require("jsonwebtoken"),{Exception:Exception,getFullUrl:getFullUrl,getHost:getHost,getProtocol:getProtocol,getPathname:getPathname,getTemplate:getTemplate,getTokenTolerance:getTokenTolerance,trace:trace,errorResponse:errorResponse}=require("../helpers/utils.js"),hapiYar=require("@hapi/yar"),hapiJwt=require("@hapi/jwt"),hapiCookie=require("@hapi/cookie"),jwksClient=require("jwks-rsa"),{ConfidentialClientApplication:ConfidentialClientApplication}=require("@azure/msal-node"),crypto=require("crypto"),{saveVerifier:saveVerifier,getVerifier:getVerifier}=require("../implementations/pkceCacheStore.js");let securityService=null;class HapiServerAzureAd{constructor(e,t,r){this.openIdConnect=e,this.COOKIE_NAMES=t,this.activateTraceApiMethod=!1,this.queryStringLimit=null,this.securityLoginTokenExpToleranceSeconds=18e3,this.authServerConfig=null,this.authServerFullLoginUrl=null,this.cache=r,this.clientJwk=null,this.publicKeyFetch=null}async connect(e,t,r){this.authServerConfig=r,securityService=e;const{authServer:o,activateTraceApiMethod:a}=r;a&&(this.activateTraceApiMethod=a);const i={clearInvalid:!0,encoding:"base64",isSecure:!0,isHttpOnly:!0,isSameSite:"Lax",path:"/",strictHeader:!0};try{o.sessionCookiesDomain&&(i.domain=o.sessionCookiesDomain),i.isHttpOnly=o.isHttpOnlyForSessionState??!1,t.state(this.COOKIE_NAMES.SESSION_STATE,i),o.scope&&o.scope.split(" ").some(e=>"openid"===e)||(o.scope=`openid ${o.scope||""}`),o.tokenEndpoint&&!o.tokenEndpoint.match(/https.*/)&&(t.states.cookies[this.COOKIE_NAMES.SID].isSecure=!1,t.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure=!1)}catch(e){console.error("ERROR",`Exception ${e.message}`,e),trace("ERROR",e.stack)}this.configurePlugins(t),t.ext("onPreAuth",async(e,t)=>{let r=e.yar.get("jwtToken");if(r){if(await n.tokenAboutToExpire(r.token,10)){const o=await n.authServerConfig.authServer.msalClient.acquireTokenSilent({account:r.account,scopes:n.authServerConfig.authServer.scope.split(" ")??["user.read"]}),a={};if(!o||!o.idToken)return e.yar.set("userRelog",!0),a.account=r.account,e.yar.set("jwtToken",a),await e.yar.commit(t),delete e.headers.authorization,t.continue;a.tokenType="Bearer",a.token=o.idToken,a.tokenSubType="id_token",a.account=o.account,e.yar.set("jwtToken",a),await e.yar.commit(t)}switch(r.tokenType){case"Bearer":case"bearer":e.headers.authorization=`Bearer ${r.token}`}}return t.continue}),t.ext("onPreResponse",async(e,t)=>{const r=e.response;if(r.isBoom&&401===r.output.statusCode&&!e.path.startsWith("/auth/callback")){function o(e){return e.toString("base64").replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}function a(){const e=o(crypto.randomBytes(32));return{verifier:e,challenge:o(crypto.createHash("sha256").update(e).digest())}}const i=a(),s=crypto.randomBytes(16).toString("hex");saveVerifier(s,i.verifier);const c=await this.authServerConfig.authServer.msalClient.getAuthCodeUrl({redirectUri:n.getRedirectUri(e,"auth/callback"),scopes:n.authServerConfig.authServer.scope.split(" ")??["user.read"],codeChallenge:i.challenge,codeChallengeMethod:"S256",responseMode:"form_post",state:s});let u=e.yar.get("userRelog");return e.yar.set("pkv",i.verifier),e.yar.commit(t),u&&"/"!==e.path?t.redirect("/"):t.redirect(c)}return t.continue}),t.route({method:"GET",path:"/auth/callback",options:{auth:!1},handler:async(e,t)=>{const r=e.query.code;if(!r)return t.response("Authorization code missing").code(400);try{let o=e.yar.get("pkv");const a=await n.authServerConfig.authServer.msalClient.acquireTokenByCode({code:r,redirectUri:n.getRedirectUri(e,"auth/callback"),scopes:n.authServerConfig.authServer.scope.split(" ")??["user.read"],codeVerifier:o});let i={tokenType:"Bearer",token:a.idToken,tokenSubType:"id_token",account:a.account};e.yar.set("jwtToken",i);let s=e.yar.get("originalUrlPathName")??"/";const c=e.query.session_state;switch(t.state(this.COOKIE_NAMES.SESSION_STATE,c),e.yar.clear("userRelog"),i.tokenType){case"Bearer":case"bearer":return e.yar.set("jwtToken",i),await e.yar.commit(t),t.redirect(s)}return await e.yar.commit(t),t.redirect("/")}catch(r){return e.yar.reset(),await e.yar.commit(t),delete e.headers.authorization,console.error("Failed to obtain jwt token: ",r.response?.data??r.message),t.response("Failed to authenticate").code(500).takeover()}}}),t.route({method:"POST",path:"/auth/callback",options:{auth:!1},handler:async(e,t)=>{const r=e.payload.code;if(!r)return t.response("Authorization code missing").code(400);try{const o=e.payload.state,a=getVerifier(o),i=await n.authServerConfig.authServer.msalClient.acquireTokenByCode({code:r,redirectUri:n.getRedirectUri(e,"auth/callback"),scopes:n.authServerConfig.authServer.scope.split(" ")??["user.read"],codeVerifier:a,responseMode:"form_post"});let s={tokenType:"Bearer",token:i.idToken,tokenSubType:"id_token",account:i.account};e.yar.set("jwtToken",s);let c=e.yar.get("originalUrlPathName")??"/";const u=e.payload.session_state;if(!u)return t.response("Session State missing").code(400);switch(t.state(this.COOKIE_NAMES.SESSION_STATE,u),e.yar.clear("userRelog"),s.tokenType){case"Bearer":case"bearer":return e.yar.set("jwtToken",s),await e.yar.commit(t),t.redirect(c)}return await e.yar.commit(t),t.redirect("/")}catch(r){return e.yar.reset(),await e.yar.commit(t),delete e.headers.authorization,console.error("Failed to obtain jwt token: ",r.response?.data??r.message),t.response("Failed to authenticate").code(500).takeover()}}});const n=this;t.route({method:"GET",path:"/get-authorization",handler:async(e,t)=>{try{const{session_state:r}=e.state;if(!r)throw new Exception("Azure get-authorization: Session cookie doesn't exist.","CookiesError",404);const a=await n.openIdConnect.tokenSet(),i=await a.tokens(r),s=await Uma.permission(),c=await s.ticket({tokenUrl:o.tokenEndpoint||o.tokenUrl,token:i.access_token,audience:o.clientId}),u=Jsonwebtoken.decode(c.access_token);return t.response(JSON.stringify(u.authorization)).takeover()}catch(e){return errorResponse(t,e,401)}}}),t.route({method:"GET",path:"/get-security-rules",handler:async(e,t)=>{try{const r=await securityService.getFrontendSecurityRules(e);return t.response(JSON.stringify(r)).takeover()}catch(e){return errorResponse(t,e,401)}}}),t.route({method:"GET",path:"/get-permissions",handler:async(e,t)=>{try{const e=await securityService.getPermissions();return t.response(JSON.stringify(e)).takeover()}catch(e){return errorResponse(t,e,401)}}}),t.route({method:"GET",path:"/check-authorize",handler:async(e,t)=>{try{const r=e.query.path,o=e.query.action,a=e.query.roles,i=e.query.domains;let n,s;n=Array.isArray(a)?a:"string"==typeof a?a.split(",").map(e=>e.trim()):[],s=Array.isArray(i)?i:"string"==typeof i?i.split(",").map(e=>e.trim()):[];const c=await securityService.checkAuthorize(r,o,n,s);return t.response(JSON.stringify(c)).takeover()}catch(e){return errorResponse(t,e,401)}}}),t.route({method:"GET",path:"/get-user-info",handler:async(e,t)=>{try{const r=await securityService.getUserInfo(e);return t.response(JSON.stringify(r)).takeover()}catch(e){return errorResponse(t,e,500)}}}),t.route({path:"/logout",method:"GET",options:{auth:!1},handler:async(e,t)=>{try{const r=encodeURIComponent(n.getBaseUrl(e)),o=`https://login.microsoftonline.com/${n.authServerConfig.authServer.tenantId}/oauth2/v2.0/logout?post_logout_redirect_uri=${r}`;return e.yar.clear("jwtToken"),e.yar.clear("userRelog"),t.redirect(o)}catch(e){return console.error("Error logging out:",e),t.response("Logout failed").code(500)}}}),t.route({path:"/check-session-iframe.html",method:"GET",options:{auth:!1},handler:async(e,t)=>{try{let r=getTemplate("session-iframe-azure-ad",{checkSessionUrl:n.getBaseUrl(e)+"check-session"});return t.response(r).header("Content-Type","text/html")}catch(e){return errorResponse(t,e,500)}}}),t.route({path:"/check-session",options:{auth:!1},method:"GET",handler:async(e,t)=>{let r=e.yar.get("jwtToken"),o={expired:!1};if(r&&(o.expired=await n.tokenAboutToExpire(r.token,.5),o.expired)){let t={redirectUri:n.getRedirectUri(e,"auth/callback"),scopes:n.authServerConfig.authServer.scope.split(" ")};o.redirectUrl=await n.authServerConfig.authServer.msalClient.getAuthCodeUrl(t),e.yar.clear("jwtToken"),e.yar.clear("userRelog")}return t.response(o)}})}getRedirectUri(e,t){const r=this.authServerConfig.url??this.getBaseUrl(e),o=t??this.getPathname(e);let a=new URL(o,r);return"localhost"!==a.hostname&&"127.0.0.1"!==a.hostname&&(a.protocol="https:"),a.toString()}getFullUrl(e){return`${getProtocol(e)}://${getHost(e)}${getPathname(e)}`}getBaseUrl(e){return`${getProtocol(e)}://${getHost(e)}/`}async authenticate(e,t){const{request:r}=e,o=await this.openIdConnect.pkceCode(),a=getFullUrl(r);let i=await this.openIdConnect.oidcMetadata();if(i&&i.openid_configuration||(i=await this.configuration(this.authServerConfig.authServer)),a.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source+getHost(r)+/\/?$/.source))){const a=await this.openIdConnect.authorizationUrl({scope:t,redirectUri:this.getRedirectUri(r),pkceCode:o});return trace("INFO",`Authenticate redirecting to ${a}`),e.response().state(this.COOKIE_NAMES.SID,o).redirect(a).takeover()}if("/logout"===getPathname(r))return e.continue;{const t=await this.openIdConnect.tokenSet(),{state:o}=r;if(t&&o&&o[this.COOKIE_NAMES.SESSION_STATE]){const r=await t.tokens(o[this.COOKIE_NAMES.SESSION_STATE]);if(!r||r.refresh_expires_in<=getTokenTolerance(0))throw new Exception("Error when getting token","ExpirationError",403);return e.continue}return e.response().code(401).takeover()}}async configurePlugins(e){const t=process.env.blz_hapiYarPassword||"your-super-secure-yar-atleast-32-bytes-password";await e.register({plugin:hapiYar,options:{name:"yar_state",cookieOptions:{password:t,isSecure:!0,isHttpOnly:!0,isSameSite:"Lax",clearInvalid:!0,ignoreErrors:!0},storeBlank:!1,maxCookieSize:0}}),await e.register(hapiJwt);let r=!0;this.startupJwksClient(),this.startupPublickKeyFetch(),r=this.publicKeyFetch;const o=this.authServerConfig.authServer.issuer.match(/login\.microsoftonline\.com\/([^/]+)/)?.[1];this.authServerConfig.authServer.tenantId=o,this.authServerConfig.authServer.msalConfig={auth:{clientId:this.authServerConfig.authServer.clientId,authority:`https://login.microsoftonline.com/${o}`,clientSecret:this.authServerConfig.authServer.clientSecret}};const a=new ConfidentialClientApplication(this.authServerConfig.authServer.msalConfig);this.authServerConfig.authServer.msalClient=a,e.auth.strategy("jwtAuth","jwt",{keys:r,verify:{aud:this.authServerConfig.authServer.clientId,iss:this.authServerConfig.authServer.issuer,exp:!0,sub:!1},validate:!1}),await e.register(hapiCookie);const i=process.env.blz_hapiCookiePassword||"supersecretpasswordmustbeatleast32characterslong";e.auth.strategy("cookieAuth","cookie",{cookie:{name:"sid",password:i,isSecure:!0,isHttpOnly:!0,isSameSite:"Lax"},keepAlive:!0,redirectTo:!1}),e.auth.default({strategies:["jwtAuth","cookieAuth"]})}async decodeJwtToken(e){return hapiJwt.token.decode(e)}async tokenAboutToExpire(e,t=0){if(!e)return!0;return 1e3*hapiJwt.token.decode(e).decoded.payload.exp-Date.now()<=60*t*1e3}async isRefreshTokenExpired(e){try{const t=hapiJwt.token.decode(e),r=Math.floor(Date.now()/1e3);return!(t&&t.decoded&&t.decoded.payload&&t.decoded.payload.exp)||t.decoded.payload.exp<r}catch(e){return console.error("Failed to decode the token: Invalid Refresh token format",e),!0}}async startupJwksClient(){this.clientJwk=jwksClient({jwksUri:this.authServerConfig.authServer.jwksUri,cache:!0,rateLimit:!0,jwksRequestsPerMinute:10})}async startupPublickKeyFetch(){const e=async e=>new Promise((t,r)=>{this.clientJwk.getSigningKey(e,(e,o)=>{if(e)return r(e);const a=o.getPublicKey();t(a)})});this.publicKeyFetch=async t=>{const r=t.decoded.header.kid;return e(r)}}}module.exports={HapiServerAzureAd:HapiServerAzureAd};

package/dist/blz-security/middleware/HapiServerKeycloak.d.ts

@@ -0,0 +1,47 @@
+export class HapiServerKeycloak {
+    constructor(openIdConnect: any, cookiesName: any, cache: any);
+    openIdConnect: any;
+    COOKIE_NAMES: any;
+    activateTraceApiMethod: boolean;
+    queryStringLimit: any;
+    securityLoginTokenExpToleranceSeconds: number;
+    authServerConfig: {};
+    authServerFullLoginUrl: any;
+    cache: any;
+    clientOidc: any;
+    clientJwk: jwksClient.JwksClient;
+    publicKeyFetch: (artifacts: any) => Promise<any>;
+    securityService: any;
+    securityUrlCookieKey: any;
+    generateGuid(): Promise<`${string}-${string}-${string}-${string}-${string}`>;
+    connect(_securityService: any, hapiServer: any, config: any): Promise<void>;
+    getFullKeycloakLoginUri(request: any, h: any): Promise<string>;
+    getRedirectUri(request: any): any;
+    getRedirectUriPath(request: any, redirectPath: any): string;
+    getFullUrl(request: any): string;
+    getBaseUrl(request: any): string;
+    authenticate(h: any, scope: any): Promise<any>;
+    configurePlugins(server: any): Promise<void>;
+    configuration(authServer: any): Promise<any>;
+    configuration(context: any): Promise<Iss>;
+    endSessionUrl(redirectUri: any, clientOidc: any): Promise<any>;
+    oidcMetadataKey(): any;
+    refreshToken(refreshToken: any): Promise<any>;
+    decodeJwtToken(token: any): Promise<hapiJwt.HapiJwt.Artifacts<hapiJwt.HapiJwt.JwtRefs>>;
+    tokenAboutToExpire(token: any, minutesBeforeExpiration?: number): Promise<boolean>;
+    isRefreshTokenExpired(refreshToken: any): Promise<boolean>;
+    startupJwksClient(): Promise<void>;
+    startupPublickKeyFetch(): Promise<void>;
+}
+import jwksClient = require("jwks-rsa");
+declare class Iss {
+    /**
+     * @constructor
+     * @param {Object} metadata
+     */
+    constructor(metadata: any);
+    clientOidc: any;
+    #private;
+}
+import hapiJwt = require("@hapi/jwt");
+export {};