@botfabrik/engine-webclient 4.96.6 → 4.96.10

package/README.md

@@ -287,6 +287,10 @@ Durch das Bewerten des Chats wird die Action `core.conversation.rating.from.gues
 Ermöglicht die Option, den Chat-Client in einem eigenständigen Tab oder Fenster zu öffnen.
 Wenn diese Option auf `true` gesetzt ist, wird eine Button angezeigt, die es den Benutzern ermöglicht, den Chat ausserhalb eines eingebetteten Iframe in einem neuen Browser-Tab öffnen können.
 
+### auth (optional)
+
+Diese Konfiguration stellt sicher, dass sich Benutzer vor der Nutzung des Chats über SAML authentifizieren. Ist die Funktion aktiviert, erscheint automatisch der Startbildschirm. Beim Klick auf „Chat starten“ öffnet sich das Login-Fenster des Identity Providers in einem neuen Fenster. Nach erfolgreicher Anmeldung schliesst sich dieses automatisch und der Chat wird gestartet. Im Rahmen des Logins werden die E-Mail-Adresse sowie der Vor- und Nachname des Benutzers in der Session gespeichert.
+
 ### fabVisible (optional, true [default] | false)
 
 Falls dieses Property auf `false` ist, erscheint z.B. der FAB (Floating Action Button) auf der Webseite nicht. Der Chatbot kann via FAB nur mittels Bookmarklet verwendet werden.
@@ -568,4 +572,5 @@ Erlaub das Registrieren von Event-Handlers.
 chatbot.subscribe('ON_CHAT_WINDOW_STATE_CHANGE', function onChange(open) {
     console.log('chat window is ' + open ? 'open' : 'close')
 })
+
 ```

package/dist/auth/auth-pages.d.ts

@@ -0,0 +1,6 @@
+import type { Response } from 'express';
+type Lang = 'de' | 'en' | 'fr' | 'it';
+export declare function setAuthPageHeaders(res: Response): void;
+export declare function renderAuthSuccessPage(lang: Lang): string;
+export declare function renderAuthErrorPage(lang: Lang): string;
+export {};

package/dist/auth/auth-pages.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setAuthPageHeaders = setAuthPageHeaders;
+exports.renderAuthSuccessPage = renderAuthSuccessPage;
+exports.renderAuthErrorPage = renderAuthErrorPage;
+const STRINGS = {
+    de: {
+        successTitle: 'Login erfolgreich',
+        successText: 'Dieses Fenster wird automatisch geschlossen.',
+        closeNow: 'Jetzt schliessen',
+        errorTitle: 'Login fehlgeschlagen',
+        errorText: 'Beim Anmelden ist ein Fehler aufgetreten. Bitte versuche es erneut.',
+        errorHint: 'Du kannst dieses Fenster schliessen und es erneut versuchen.',
+        closeWindow: 'Fenster schliessen',
+    },
+    en: {
+        successTitle: 'Login successful',
+        successText: 'This window will close automatically.',
+        closeNow: 'Close now',
+        errorTitle: 'Login failed',
+        errorText: 'An error occurred during sign-in. Please try again.',
+        errorHint: 'You can close this window and try again.',
+        closeWindow: 'Close window',
+    },
+    fr: {
+        successTitle: 'Connexion reussie',
+        successText: 'Cette fenetre se fermera automatiquement.',
+        closeNow: 'Fermer maintenant',
+        errorTitle: 'Echec de la connexion',
+        errorText: 'Une erreur s’est produite lors de la connexion. Veuillez reessayer.',
+        errorHint: 'Vous pouvez fermer cette fenetre et reessayer.',
+        closeWindow: 'Fermer la fenetre',
+    },
+    it: {
+        successTitle: 'Accesso riuscito',
+        successText: 'Questa finestra si chiudera automaticamente.',
+        closeNow: 'Chiudi ora',
+        errorTitle: 'Accesso non riuscito',
+        errorText: 'Si è verificato un errore durante l’accesso. Riprova.',
+        errorHint: 'Puoi chiudere questa finestra e riprovare.',
+        closeWindow: 'Chiudi finestra',
+    },
+};
+function setAuthPageHeaders(res) {
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.setHeader('Content-Security-Policy', "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; img-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'");
+    res.setHeader('Referrer-Policy', 'no-referrer');
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+}
+function renderAuthSuccessPage(lang) {
+    const t = STRINGS[lang];
+    return `<!doctype html>
+<html lang="${lang}">
+<meta charset="utf-8">
+<title>${t.successTitle}</title>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<style>
+  body { font-family: system-ui, -apple-system, Segoe UI, Roboto, Arial, sans-serif; margin: 0; padding: 2rem; }
+  .box { max-width: 520px; margin: 15vh auto 0; text-align: center; }
+  h1 { font-size: 1.25rem; margin: 0 0 .75rem; }
+  p { color: #444; margin: 0 0 1rem; }
+  button { border: 0; padding: .7rem 1rem; border-radius: .5rem; cursor: pointer; }
+</style>
+<body>
+  <div class="box" role="status" aria-live="polite">
+    <h1>${t.successTitle}</h1>
+    <p>${t.successText}</p>
+    <button onclick="window.close()">${t.closeNow}</button>
+  </div>
+  <script>
+    try { window.close(); } catch (e) {}
+    setTimeout(() => { try { window.close(); } catch (e) {} }, 2000);
+  </script>
+</body>
+</html>`;
+}
+function renderAuthErrorPage(lang) {
+    const t = STRINGS[lang];
+    return `<!doctype html>
+<html lang="${lang}">
+<meta charset="utf-8">
+<title>${t.errorTitle}</title>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<style>
+  body { font-family: system-ui, -apple-system, Segoe UI, Roboto, Arial, sans-serif; margin: 0; padding: 2rem; background: #fff; }
+  .box { max-width: 560px; margin: 15vh auto 0; text-align: center; }
+  h1 { color: #b00020; font-size: 1.25rem; margin: 0 0 .75rem; }
+  p { color: #444; margin: 0 0 1rem; }
+  .hint { color: #666; font-size: .95rem; }
+  button { background: #111; color: #fff; border: 0; padding: .75rem 1rem; border-radius: .5rem; cursor: pointer; }
+  button:focus { outline: 2px solid #000; outline-offset: 2px; }
+</style>
+<body>
+  <div class="box" role="alert" aria-live="assertive">
+    <h1>${t.errorTitle}</h1>
+    <p>${t.errorText}</p>
+    <p class="hint">${t.errorHint}</p>
+    <button type="button" onclick="window.close()" aria-label="${t.closeWindow}">${t.closeWindow}</button>
+  </div>
+</body>
+</html>`;
+}

package/dist/auth/index.d.ts

@@ -0,0 +1,11 @@
+import type { BotInstance, Logger } from '@botfabrik/engine-domain';
+import type { Namespace } from 'socket.io';
+import type { Auth } from '../types';
+export type AuthenticatedUser = {
+    email: string;
+    firstName: string | undefined;
+    lastName: string | undefined;
+};
+export declare function setUpSamlAuth(bot: BotInstance, auth: Auth, clientName: string, nsp: Namespace): void;
+export declare function storeLoginRequestToken(loginRequestToken: string, socketId: string): void;
+export declare function verifyLoginToken(token: string | undefined, auth: Auth | undefined, logger: Logger): AuthenticatedUser | undefined;

package/dist/auth/index.js

@@ -0,0 +1,145 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setUpSamlAuth = setUpSamlAuth;
+exports.storeLoginRequestToken = storeLoginRequestToken;
+exports.verifyLoginToken = verifyLoginToken;
+const passport_saml_1 = require("@node-saml/passport-saml");
+const express_1 = __importDefault(require("express"));
+const jsonwebtoken_1 = require("jsonwebtoken");
+const passport_1 = __importDefault(require("passport"));
+const auth_pages_1 = require("./auth-pages");
+const relay_state_1 = require("./relay-state");
+const ttl_cache_1 = require("./ttl-cache");
+const E_MAIL_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
+const FIRST_NAME_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname';
+const LAST_NAME_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname';
+const loginTokenCache = new ttl_cache_1.TtlCache({
+    defaultTtlMs: 5 * 60 * 1000, // 5 minutes
+});
+function setUpSamlAuth(bot, auth, clientName, nsp) {
+    bot.logger.info(`Setting up SAML authentication for ${clientName}`);
+    const strategyName = `${clientName}-saml`;
+    const callbackUrl = `/${clientName}/auth/saml/login/callback`;
+    const samlStrategy = new passport_saml_1.Strategy({
+        callbackUrl: `${bot.webserver.baseUrl}${callbackUrl}`,
+        entryPoint: auth.saml.entryPoint,
+        issuer: auth.saml.issuer,
+        idpCert: fixUnwantedEscapeCharacters(auth.saml.idpCert),
+        ...(auth.saml.options || {}),
+    }, signonVerify, logoutVerify);
+    passport_1.default.use(strategyName, samlStrategy);
+    bot.webserver.express.get(`/${clientName}/auth/login`, (req, res, next) => {
+        const { loginRequestToken } = req.query;
+        const relayState = (0, relay_state_1.signRelayState)(String(loginRequestToken), auth.jwtSecret);
+        const options = {
+            session: false,
+            additionalParams: { RelayState: relayState },
+        };
+        const authenticateFn = passport_1.default.authenticate(strategyName, options);
+        authenticateFn(req, res, next);
+    });
+    bot.webserver.express.post(callbackUrl, express_1.default.urlencoded({ extended: false }), (req, res, next) => {
+        const authenticatorFn = passport_1.default.authenticate(strategyName, { session: false }, (err, user) => {
+            const lang = getLang(req);
+            (0, auth_pages_1.setAuthPageHeaders)(res);
+            try {
+                if (err) {
+                    bot.logger.error('SAML callback error:', err);
+                    return res.status(500).send((0, auth_pages_1.renderAuthErrorPage)(lang));
+                }
+                const relayState = req.body?.RelayState;
+                if (!relayState) {
+                    bot.logger.warn('Missing RelayState');
+                    return res.status(400).send((0, auth_pages_1.renderAuthErrorPage)(lang));
+                }
+                const loginRequestToken = (0, relay_state_1.verifyRelayState)(relayState, auth.jwtSecret);
+                const { socketId } = consumeLoginRequestToken(loginRequestToken);
+                if (!user) {
+                    return res.status(401).send((0, auth_pages_1.renderAuthErrorPage)(lang));
+                }
+                const loginToken = (0, jsonwebtoken_1.sign)(user, auth.jwtSecret, {
+                    expiresIn: '1m',
+                });
+                const socket = nsp.sockets.get(socketId);
+                if (socket) {
+                    socket.emit('login-success', { loginToken });
+                }
+                else {
+                    bot.logger.warn('Target socket not found', { socketId });
+                }
+                return res.send((0, auth_pages_1.renderAuthSuccessPage)(lang));
+            }
+            catch (e) {
+                bot.logger.error('Callback handling failure:', e);
+                return res.status(500).send((0, auth_pages_1.renderAuthErrorPage)(lang));
+            }
+        });
+        authenticatorFn(req, res, next);
+    });
+}
+function storeLoginRequestToken(loginRequestToken, socketId) {
+    // associate socketId with loginRequestToken and store it in memory cache
+    loginTokenCache.set(loginRequestToken, { loginRequestToken, socketId });
+}
+/**
+ * Retrieve the socketId associated with a loginRequestToken.
+ * @param loginRequestToken
+ * @returns socketId
+ */
+function consumeLoginRequestToken(loginRequestToken) {
+    const cachedLoginRequest = loginTokenCache.get(loginRequestToken);
+    if (!cachedLoginRequest) {
+        throw new Error('Invalid login request token');
+    }
+    loginTokenCache.delete(loginRequestToken);
+    return { socketId: cachedLoginRequest.socketId };
+}
+function verifyLoginToken(token, auth, logger) {
+    try {
+        if (auth) {
+            const verified = (0, jsonwebtoken_1.verify)(token || '', auth.jwtSecret);
+            return {
+                email: verified['email'],
+                firstName: verified['firstName'],
+                lastName: verified['lastName'],
+            };
+        }
+        else {
+            return undefined;
+        }
+    }
+    catch (error) {
+        logger.error('Error verifying login token:', error);
+        throw new Error('Invalid login token');
+    }
+}
+const fixUnwantedEscapeCharacters = (idpCert) => {
+    const certs = Array.isArray(idpCert) ? idpCert : [idpCert];
+    return certs.map((cert) => cert.replace(/\\n/g, '\n')); // process env adds an unwanted escape character
+};
+const extractEmail = (profile) => {
+    const email = profile[E_MAIL_CLAIM] || profile.email;
+    if (!email) {
+        throw new Error('No email provided in SAML profile');
+    }
+    return email;
+};
+const signonVerify = async (profile, done) => {
+    if (!profile) {
+        return done(new Error('No profile provided'), undefined);
+    }
+    const firstName = profile[FIRST_NAME_CLAIM];
+    const lastName = profile[LAST_NAME_CLAIM];
+    const email = extractEmail(profile);
+    const user = { email, firstName, lastName };
+    return done(null, user);
+};
+const logoutVerify = async (profile, done) => {
+    return done(null, profile || {});
+};
+const getLang = (req) => {
+    return (req.acceptsLanguages('de', 'en', 'fr', 'it') || 'de');
+};

package/dist/auth/relay-state.d.ts

@@ -0,0 +1,2 @@
+export declare function signRelayState(rawToken: string, secret: string): string;
+export declare function verifyRelayState(stateB64: string, secret: string): string;

package/dist/auth/relay-state.js

@@ -0,0 +1,39 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signRelayState = signRelayState;
+exports.verifyRelayState = verifyRelayState;
+const crypto_1 = __importDefault(require("crypto"));
+const STATE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+function signRelayState(rawToken, secret) {
+    if (!/^[\w-]{16,128}$/.test(rawToken))
+        throw new Error('bad token format');
+    const exp = Date.now() + STATE_TTL_MS;
+    const payload = `${rawToken}.${exp}`;
+    const mac = crypto_1.default
+        .createHmac('sha256', secret)
+        .update(payload)
+        .digest('base64url');
+    return Buffer.from(`${payload}.${mac}`, 'utf8').toString('base64url');
+}
+function verifyRelayState(stateB64, secret) {
+    const raw = Buffer.from(stateB64, 'base64url').toString('utf8');
+    const [token, expStr, mac] = raw.split('.');
+    if (!token || !expStr || !mac) {
+        throw new Error('bad state');
+    }
+    const exp = Number(expStr);
+    if (!Number.isFinite(exp) || exp < Date.now()) {
+        throw new Error('state expired');
+    }
+    const expected = crypto_1.default
+        .createHmac('sha256', secret)
+        .update(`${token}.${exp}`)
+        .digest('base64url');
+    if (!crypto_1.default.timingSafeEqual(Buffer.from(mac), Buffer.from(expected))) {
+        throw new Error('state tampered');
+    }
+    return token;
+}

package/dist/auth/ttl-cache.d.ts

@@ -0,0 +1,14 @@
+export declare class TtlCache<K, V> {
+    private readonly data;
+    private readonly timers;
+    private readonly defaultTtlMs?;
+    constructor(opts?: {
+        defaultTtlMs?: number;
+    });
+    get size(): number;
+    set(key: K, value: V, ttlMs?: number): void;
+    get(key: K): V | undefined;
+    has(key: K): boolean;
+    delete(key: K): boolean;
+    clear(): void;
+}

package/dist/auth/ttl-cache.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TtlCache = void 0;
+class TtlCache {
+    data = new Map();
+    timers = new Map();
+    defaultTtlMs;
+    constructor(opts) {
+        this.defaultTtlMs = opts?.defaultTtlMs ?? 3000;
+    }
+    get size() {
+        return this.data.size;
+    }
+    set(key, value, ttlMs) {
+        const t = this.timers.get(key);
+        if (t) {
+            clearTimeout(t);
+            this.timers.delete(key);
+        }
+        this.data.set(key, value);
+        const ttl = ttlMs ?? this.defaultTtlMs;
+        if (ttl != null && ttl > 0) {
+            const timer = setTimeout(() => {
+                this.delete(key);
+            }, ttl);
+            timer.unref();
+            this.timers.set(key, timer);
+        }
+    }
+    get(key) {
+        return this.data.get(key);
+    }
+    has(key) {
+        return this.data.has(key);
+    }
+    delete(key) {
+        const t = this.timers.get(key);
+        if (t) {
+            clearTimeout(t);
+            this.timers.delete(key);
+        }
+        return this.data.delete(key);
+    }
+    clear() {
+        for (const t of this.timers.values()) {
+            clearTimeout(t);
+        }
+        this.timers.clear();
+        this.data.clear();
+    }
+}
+exports.TtlCache = TtlCache;