npm - @boxyhq/saml-jackson - Versions diffs - 0.1.5-beta.116 → 0.1.5-beta.121 - Mend

@boxyhq/saml-jackson 0.1.5-beta.116 → 0.1.5-beta.121

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.github/workflows/main.yml +1 -1
package/README.md +3 -3
package/package.json +1 -1
package/src/controller/oauth.js +2 -17
package/src/controller/utils.js +11 -0
package/src/env.js +3 -0
package/src/jackson.js +11 -0
package/src/saml/claims.js +40 -0
package/src/saml/saml.js +14 -0

package/.github/workflows/main.yml CHANGED Viewed

@@ -98,7 +98,7 @@ jobs:
       - name: Get short SHA
         id: slug
-        run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-8)"
+        run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-7)"
       - name: Set up Docker Buildx
         id: buildx

package/README.md CHANGED Viewed

@@ -152,7 +152,7 @@ curl --location --request POST 'http://localhost:6000/api/v1/saml/config' \
 - tenant: Jackson supports a multi-tenant architecture, this is a unique identifier you set from your side that relates back to your customer's tenant. This is normally an email, domain, an account id, or user-id
 - product: Jackson support multiple products, this is a unique identifier you set from your side that relates back to the product your customer is using
-The response returns a JSON with `client_id` and `client_secret` that can be stored against your tenant and product for a more secure OAuth 2.0 flow. If you do not want to store the `client_id` and `client_secret` you can alternatively use `client_id=tentant=<tenantID>&product=<productID>` and any arbitrary value for `client_secret` when setting up the OAuth 2.0 flow.
+The response returns a JSON with `client_id` and `client_secret` that can be stored against your tenant and product for a more secure OAuth 2.0 flow. If you do not want to store the `client_id` and `client_secret` you can alternatively use `client_id=tenant=<tenantID>&product=<productID>` and any arbitrary value for `client_secret` when setting up the OAuth 2.0 flow.
 ### 3. OAuth 2.0 Flow
@@ -175,7 +175,7 @@ https://localhost:5000/oauth/authorize
 ```
 - response_type=code: This is the only supported type for now but maybe extended in the future
-- client_id: Use the client_id returned by the SAML config API or use `tentant=<tenantID>&product=<productID>` to use the tenant and product IDs instead
+- client_id: Use the client_id returned by the SAML config API or use `tenant=<tenantID>&product=<productID>` to use the tenant and product IDs instead. **Note:** Please don't forget to URL encode the query parameters including `client_id`.
 - redirect_uri: This is where the user will be taken back once the authorization flow is complete
 - state: Use a randomly generated string as the state, this will be echoed back as a query parameter when taking the user back to the `redirect_uri` above. You should validate the state to prevent XSRF attacks
@@ -197,7 +197,7 @@ curl --request POST \
 ```
 - grant_type=authorization_code: This is the only supported flow, for now. We might extend this in the future
-- client_id: Use the client_id returned by the SAML config API or use `tentant=<tenantID>&product=<productID>` to use the tenant and product IDs instead
+- client_id: Use the client_id returned by the SAML config API or use `tenant=<tenantID>&product=<productID>` to use the tenant and product IDs instead. **Note:** Please don't forget to URL encode the query parameters including `client_id`.
 - client_secret: Use the client_secret returned by the SAML config API or any arbitrary value if using the tenant and product in the clientID
 - redirect_uri: This is where the user will be taken back once the authorization flow is complete. Use the same redirect_uri as the previous request

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.1.5-beta.116",
+  "version": "0.1.5-beta.121",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",

package/src/controller/oauth.js CHANGED Viewed

@@ -2,7 +2,7 @@ const crypto = require('crypto');
 const saml = require('../saml/saml.js');
 const codeVerifier = require('./oauth/code-verifier.js');
-const { indexNames } = require('./utils.js');
+const { indexNames, extractAuthToken } = require('./utils.js');
 const dbutils = require('../db/utils.js');
 const redirect = require('./oauth/redirect.js');
 const allowed = require('./oauth/allowed.js');
@@ -15,16 +15,6 @@ let options;
 const relayStatePrefix = 'boxyhq_jackson_';
-const extractBearerToken = (req) => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-  if (parts.length > 1) {
-    return parts[1];
-  }
-  return null;
-};
 function getEncodedClientId(client_id) {
   try {
     const sp = new URLSearchParams(client_id);
@@ -196,11 +186,6 @@ const samlResponse = async (req, res) => {
   }
   const profile = await saml.validateAsync(rawResponse, validateOpts);
-  // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
-  if (profile && profile.claims && !profile.claims.id) {
-    profile.claims.id = crypto.createHash('sha256').update(profile.claims.email).digest('hex');
-  }
   // store details against a code
   const code = crypto.randomBytes(20).toString('hex');
@@ -303,7 +288,7 @@ const token = async (req, res) => {
 };
 const userInfo = async (req, res) => {
-  let token = extractBearerToken(req);
+  let token = extractAuthToken(req);
   // check for query param
   if (!token) {

package/src/controller/utils.js CHANGED Viewed

@@ -3,6 +3,17 @@ const indexNames = {
   tenantProduct: 'tenantProduct',
 };
+const extractAuthToken = (req) => {
+  const authHeader = req.get('authorization');
+  const parts = (authHeader || '').split(' ');
+  if (parts.length > 1) {
+    return parts[1];
+  }
+  return null;
+};
 module.exports = {
   indexNames,
+  extractAuthToken,
 };

package/src/env.js CHANGED Viewed

@@ -7,6 +7,8 @@ const samlPath = process.env.SAML_PATH || '/oauth/saml';
 const internalHostUrl = process.env.INTERNAL_HOST_URL || 'localhost';
 const internalHostPort = (process.env.INTERNAL_HOST_PORT || '6000') * 1;
+const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
 const samlAudience = process.env.SAML_AUDIENCE;
 const preLoadedConfig = process.env.PRE_LOADED_CONFIG;
@@ -27,6 +29,7 @@ module.exports = {
   preLoadedConfig,
   internalHostUrl,
   internalHostPort,
+  apiKeys,
   idpEnabled,
   db,
   useInternalServer: !(

package/src/jackson.js CHANGED Viewed

@@ -2,6 +2,7 @@ const express = require('express');
 const cors = require('cors');
 const env = require('./env.js');
+const { extractAuthToken } = require('./controller/utils.js');
 let apiController;
 let oauthController;
@@ -66,8 +67,18 @@ if (env.useInternalServer) {
   internalApp.use(express.urlencoded({ extended: true }));
 }
+const validateApiKey = (token) => {
+  return env.apiKeys.includes(token);
+};
 internalApp.post(apiPath + '/config', async (req, res) => {
   try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     res.json(await apiController.config(req.body));
   } catch (err) {
     res.status(500).json({

package/src/saml/claims.js ADDED Viewed

@@ -0,0 +1,40 @@
+const mapping = [
+  {
+    attribute: 'id',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
+  },
+  {
+    attribute: 'email',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+  },
+  {
+    attribute: 'firstName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
+  },
+  {
+    attribute: 'lastName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
+  },
+];
+const map = (claims) => {
+  const profile = {
+    raw: claims,
+  };
+  mapping.forEach((m) => {
+    if (claims[m.attribute]) {
+      profile[m.attribute] = claims[m.attribute];
+    } else if (claims[m.schema]) {
+      profile[m.attribute] = claims[m.schema];
+    }
+  });
+  return profile;
+};
+module.exports = {
+  map,
+};

package/src/saml/saml.js CHANGED Viewed

@@ -5,6 +5,7 @@ const thumbprint = require('thumbprint');
 const xmlbuilder = require('xmlbuilder');
 const crypto = require('crypto');
 const xmlcrypto = require('xml-crypto');
+const claims = require('./claims');
 const idPrefix = '_';
 const authnXPath =
@@ -120,6 +121,19 @@ module.exports = {
             return;
           }
+          if (profile && profile.claims) {
+            // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
+            profile.claims = claims.map(profile.claims);
+            // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
+            if (!profile.claims.id) {
+              profile.claims.id = crypto
+                .createHash('sha256')
+                .update(profile.claims.email)
+                .digest('hex');
+            }
+          }
           resolve(profile);
         }
       );