@boxyhq/saml-jackson 0.1.5-beta.97 → 0.1.6

package/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Report any issues with the platform
+title: ""
+labels: bug
+assignees: ""
+---
+
+Found a bug? Please fill out the sections below. 👍
+
+### Issue Summary
+
+A summary of the issue. This needs to be a clear detailed-rich summary.
+
+### Steps to Reproduce
+
+1. (for example) Went to ...
+2. Clicked on...
+3. ...
+
+Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?
+
+### Technical details
+
+- Browser version: You can use https://www.whatsmybrowser.org/ to find this out.
+- Node.js version
+- Anything else that you think could be an issue.

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Questions
+    url: https://github.com/boxyhq/jackson/discussions
+    about: Ask a general question about the project on our GitHub Discussion page

package/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,43 @@
+---
+name: Feature request
+about: Suggest a feature or idea
+title: ""
+labels: enhancement
+assignees: ""
+---
+
+> Please check if your Feature Request has not been already raised in the [Discussions Tab](https://github.com/boxyhq/jackson/discussions), as we would like to reduce duplicates. If it has been already raised, simply upvote it 🔼.
+
+### Is your proposal related to a problem?
+
+<!--
+  Provide a clear and concise description of what the problem is.
+  For example, "I'm always frustrated when..."
+-->
+
+(Write your answer here.)
+
+### Describe the solution you'd like
+
+<!--
+  Provide a clear and concise description of what you want to happen.
+-->
+
+(Describe your proposed solution here.)
+
+### Describe alternatives you've considered
+
+<!--
+  Let us know about other solutions you've tried or researched.
+-->
+
+(Write your answer here.)
+
+### Additional context
+
+<!--
+  Is there anything else you can add about the proposal?
+  You might want to link to related issues here, if you haven't already.
+-->
+
+(Write your answer here.)

package/.github/pull_request_template.md

@@ -0,0 +1,31 @@
+## What does this PR do?
+
+<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
+
+Fixes # (issue)
+
+## Type of change
+
+<!-- Please delete options that are not relevant. -->
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] This change requires a documentation update
+
+## How should this be tested?
+
+<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration -->
+
+- [ ] Test A
+- [ ] Test B
+
+## Checklist:
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my own code and corrected any misspellings
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes

package/.github/workflows/main.yml

@@ -98,7 +98,7 @@ jobs:
 
       - name: Get short SHA
         id: slug
-        run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-8)"
+        run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-7)"
 
       - name: Set up Docker Buildx
         id: buildx

package/README.md

@@ -4,22 +4,34 @@ SAML service [SAML in a box from BoxyHQ]
 
 You need someone like Jules Winnfield to save you from the vagaries of SAML login.
 
-## Source code visualizer
+# Source code visualizer
+
 [CodeSee codebase visualizer](https://app.codesee.io/maps/public/53e91640-23b5-11ec-a724-79d7dd589517)
 
-# npm library
-Jackson is available as an npm library (https://www.npmjs.com/package/@boxyhq/saml-jackson) that can be integrated into express.js routes. In theory, the library should be usable with other node.js web application frameworks but is currently untested. Please file an issue or submit a PR if you encounter any issues.
+# Getting Started
+
+There are two ways to use this repo.
+
+- As an npm library (for Express compatible frameworks)
+- As a separate service
+
+## Install as an npm library
+
+Jackson is available as an [npm package](https://www.npmjs.com/package/@boxyhq/saml-jackson) that can be integrated into Express.js routes. The library should be usable with other node.js web application frameworks but is currently untested. Please file an issue or submit a PR if you encounter any issues.
+
+```
+npm i @boxyhq/saml-jackson
+```
 
-Refer to https://github.com/boxyhq/jackson#configuration for the configuration options to pass to the library.
+### Add Express Routes
 
-Here's how to use the npm library:
 ```
 // express
 const express = require('express');
 const router = express.Router();
 const cors = require('cors'); // needed if you are calling the token userinfo endpoints from the frontend
 
-// Set the required options
+// Set the required options. Refer to https://github.com/boxyhq/jackson#configuration for the full list
 const opts = {
   externalUrl: 'https://my-cool-app.com',
   samlAudience: 'https://my-cool-app.com',
@@ -27,15 +39,18 @@ const opts = {
   db: {
     engine: 'mongo',
     url: 'mongodb://localhost:27017/my-cool-app',
-  }  
+  }
 };
 
+
+let apiController;
+let oauthController;
 // Please note that the initialization of @boxyhq/saml-jackson is async, you cannot run it at the top level
 // Run this in a function where you initialise the express server.
 async function init() {
   const ret = await require('@boxyhq/saml-jackson')(opts);
-  const apiController = ret.apiController;
-  const oauthController = ret.oauthController;
+  apiController = ret.apiController;
+  oauthController = ret.oauthController;
 }
 
 // express.js middlewares needed to parse json and x-www-form-urlencoded
@@ -82,7 +97,7 @@ router.post('/oauth/token', cors(), async (req, res) => {
   }
 });
 
-router.get('/oauth/userinfo', cors(), async (req, res) => {
+router.get('/oauth/userinfo', async (req, res) => {
   try {
     await oauthController.userInfo(req, res);
   } catch (err) {
@@ -91,71 +106,50 @@ router.get('/oauth/userinfo', cors(), async (req, res) => {
 });
 
 // set the router
-app.user('/sso', router);
+app.use('/sso', router);
 
 ```
-You can also refer to our usage of the library internally in the Jackson service here - https://github.com/boxyhq/jackson/blob/main/src/jackson.js
 
-# Deployment
-The docker container can be found at https://hub.docker.com/r/boxyhq/jackson/tags. It is preferable to use a specific version instead of the `latest` tag. Jackson uses two ports (configurable if needed, see below) 5000 and 6000. 6000 is the internal port and ideally should not be exposed to a public network.
+## Deployment as a service: Docker
+
+The docker container can be found at [boxyhq/jackson](https://hub.docker.com/r/boxyhq/jackson/tags). It is preferable to use a specific version instead of the `latest` tag. Jackson uses two ports (configurable if needed, see below) 5000 and 6000. 6000 is the internal port and ideally should not be exposed to a public network.
 
-Example of a docker run:
 ```
 docker run -p 5000:5000 -p 6000:6000 boxyhq/jackson:78e9099d
 ```
 
-# Database Support
-Jackson currently supports SQL databases (Postgres, CockroachDB, MySQL, and MariaDB), MongoDB, and Redis.
-
-# Configuration
-Configuration is done via env vars (and in the case of the npm library via an options object). The following options are supported and will have to be configured during deployment:
-- HOST_URL: The URL to bind to, defaults to `localhost`
-- HOST_PORT: The port to bind to, defaults to `5000`
-- EXTERNAL_URL (npm: externalUrl): The public URL to reach this service, used internally for documenting the SAML configuration instructions. Defaults to `http://{HOST_URL}:{HOST_PORT}` for Jackson service, required for npm library
-- INTERNAL_HOST_URL: The URL to bind to expose the internal APIs, defaults to `localhost`. Do not configure this to a public network
-- INTERNAL_HOST_PORT: The port to bind to for the internal APIs, defaults to `6000`
-- SAML_AUDIENCE (npm: samlAudience): This is just an identifier to validate the SAML audience, this value will also get configured in the SAML apps created by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML again. Defaults to `https://saml.boxyhq.com` and is case sensitive. This does not have to be a real URL
-- IDP_ENABLED (npm: idpEnabled): Set to `true` to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times. Defaults to `false`
-- DB_ENGINE (npm: db.engine): Supported values are `redis`, `sql`, `mongo`, `mem`. Defaults to `sql`
-- DB_URL (npm: db.url): The database URL to connect to, for example `postgres://postgres:postgres@localhost:5450/jackson`
-- DB_TYPE (npm: db.type): Only needed when DB_ENGINE is `sql`. Supported values are `postgres`, `cockroachdb`, `mysql`, `mariadb`. Defaults to `postgres`
-- PRE_LOADED_CONFIG: If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load SAML configs. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section.
-
-# Pre-loaded SAML Configuration
-If PRE_LOADED_CONFIG is set then it should point to a directory with the following structure (example below):-
-```
-boxyhq.js
-boxyhq.xml
-anothertenant.js
-anothertenant.xml
-```
-The JS file has the following structure:-
-```
-module.exports = {
-  defaultRedirectUrl: 'http://localhost:3000/login/saml',
-  redirectUrl: '["http://localhost:3000/*", "http://localhost:5000/*"]',
-  tenant: 'boxyhq.com',
-  product: 'demo',
-};
-```
-The XML file (should share the name with the .js file) is the raw XML metadata file you receive from your Identity Provider. Please ensure it is saved in the `utf-8` encoding.
+Refer to https://github.com/boxyhq/jackson#configuration for the full configuration.
 
-The config and XML above correspond to the `SAML API config` (see below).
+Kubernetes and docker-compose deployment files will be coming soon.
 
-# SAML Login flows
-There are two kinds of SAML login flows - SP-initiated and IdP-initiated. We highly recommend sticking to the SP-initiated flow since it is more secure but Jackson also supports the IdP-initiated flow if you enable it. For an in-depth understanding of SAML and the two flows please refer to Okta's comprehensive guide - https://developer.okta.com/docs/concepts/saml/.
+## Usage
+
+### 1. Setting up SAML with your customer's Identity Provider
+
+Please follow the instructions [here](https://docs.google.com/document/d/1fk---Z9Ln59u-2toGKUkyO3BF6Dh3dscT2u4J2xHANE) to guide your customers in setting up SAML correctly for your product(s). You should create a copy of the doc and modify it with your custom settings, we have used the values that work for our demo apps.
+
+### 1.1 SAML profile/claims/attributes mapping
+
+As outlined in the guide above we try and support 4 attributes in the SAML claims - `id`, `email`, `firstName`, `lastName`. This is how the common SAML attributes map over for most providers, but some providers have custom mappings. Please refer to the documentation on Identity Provider to understand the exact mapping.
+
+| SAML Attribute                                                       | Jackson mapping |
+| -------------------------------------------------------------------- | --------------- |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | id              |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   | email           |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      | firstName       |
+| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        | lastName        |
 
-# Setting up SAML with your customer's Identity Provider
-Please follow the instructions here to guide your customer's in setting up SAML correctly for your product(s). You should create a copy of the doc and modify it with your custom settings, we have used the values that work for our demo apps - https://docs.google.com/document/d/1fk---Z9Ln59u-2toGKUkyO3BF6Dh3dscT2u4J2xHANE.
+### 2. SAML config API
 
-# SAML config API
-Once your customer has set up the SAML app on their Identity Provider, the Identity Provider will generate an IdP or SP metadata file. Some Identity Providers only generate an IdP metadata file but it usually works for the SP login flow as well. It is an XML file that contains various attributes Jackson needs in order to validate incoming SAML login requests. This step is the equivalent of setting an OAuth 2.0 app and generating a client ID and client secret that will be used in the login flow.
+Once your customer has set up the SAML app on their Identity Provider, the Identity Provider will generate an IdP or SP metadata file. Some Identity Providers only generate an IdP metadata file but it usually works for the SP login flow as well. It is an XML file that contains various attributes Jackson needs to validate incoming SAML login requests. This step is the equivalent of setting an OAuth 2.0 app and generating a client ID and client secret that will be used in the login flow.
 
 You will need to provide a place in the UI for your customers (The account settings page is usually a good place for this) to configure this and then call the API below.
 
 The following API call sets up the configuration in Jackson:
+
 ```
 curl --location --request POST 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'rawMetadata=<IdP/SP metadata XML>' \
 --data-urlencode 'defaultRedirectUrl=http://localhost:3000/login/saml' \
@@ -170,16 +164,41 @@ curl --location --request POST 'http://localhost:6000/api/v1/saml/config' \
 - tenant: Jackson supports a multi-tenant architecture, this is a unique identifier you set from your side that relates back to your customer's tenant. This is normally an email, domain, an account id, or user-id
 - product: Jackson support multiple products, this is a unique identifier you set from your side that relates back to the product your customer is using
 
-The response returns a JSON with `client_id` and `client_secret` that can be stored against your tenant and product for a more secure OAuth 2.0 flow. If you do not want to store the `client_id` and `client_secret` you can alternatively use `client_id=tentant=<tenantID>&product=<productID>` and any arbitrary value for `client_secret` when setting up the OAuth 2.0 flow.
+The response returns a JSON with `client_id` and `client_secret` that can be stored against your tenant and product for a more secure OAuth 2.0 flow. If you do not want to store the `client_id` and `client_secret` you can alternatively use `client_id=tenant=<tenantID>&product=<productID>` and any arbitrary value for `client_secret` when setting up the OAuth 2.0 flow. Additionally a `provider` attribute is also returned which indicates the domain of your Identity Provider.
+
+#### 2.1 SAML get config API
+
+This endpoint can be used to return metadata about an existing SAML config. This can be used to check and display the details to your customers. You can use either `clientID` or `tenant` and `product` combination.
+
+```
+curl --location --request POST 'http://localhost:6000/api/v1/saml/config/get' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'tenant=boxyhq.com' \
+--data-urlencode 'product=demo'
+```
+
+```
+curl --location --request POST 'http://localhost:6000/api/v1/saml/config/get' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'clientID=<Client ID>'
+```
+
+The response returns a JSON with `provider` indicating the domain of your Identity Provider. If an empty JSON payload is returned then we do not have any configuration stored for the attributes you requested.
+
+### 3. OAuth 2.0 Flow
 
-# OAuth 2.0 Flow
 Jackson has been designed to abstract the SAML login flow as a pure OAuth 2.0 flow. This means it's compatible with any standard OAuth 2.0 library out there, both client-side and server-side. It is important to remember that SAML is configured per customer unlike OAuth 2.0 where you can have a single OAuth app supporting logins for all customers.
 
 Jackson also supports the PKCE authorization flow (https://oauth.net/2/pkce/), so you can protect your SPAs.
 
 If for any reason you need to implement the flow on your own, the steps are outlined below:
-## Authorize
+
+### 4. Authorize
+
 The OAuth flow begins with redirecting your user to the `authorize` URL:
+
 ```
 https://localhost:5000/oauth/authorize
   ?response_type=code&provider=saml
@@ -189,30 +208,34 @@ https://localhost:5000/oauth/authorize
 ```
 
 - response_type=code: This is the only supported type for now but maybe extended in the future
-- client_id: Use the client_id returned by the SAML config API or use `tentant=<tenantID>&product=<productID>` to use the tenant and product IDs instead
+- client_id: Use the client_id returned by the SAML config API or use `tenant=<tenantID>&product=<productID>` to use the tenant and product IDs instead. **Note:** Please don't forget to URL encode the query parameters including `client_id`.
 - redirect_uri: This is where the user will be taken back once the authorization flow is complete
 - state: Use a randomly generated string as the state, this will be echoed back as a query parameter when taking the user back to the `redirect_uri` above. You should validate the state to prevent XSRF attacks
 
-## Code exchange
-After successful authorization, the user is redirected back to the `redirect_uri`. The query parameters will include the `code` and `state` parameters. You should validate that the state matches the one you sent in the authorize request.
+### 5. Code Exchange
+
+After successful authorization, the user is redirected back to the `redirect_uri`. The query parameters will include the `code` and `state` parameters. You should validate that the state matches the one you sent in the `authorize` request.
 
 The code can then be exchanged for a token by making the following request:
+
 ```
 curl --request POST \
   --url 'http://localhost:5000/oauth/token' \
   --header 'content-type: application/x-www-form-urlencoded' \
-  --data grant_type=authorization_code \
+  --data 'grant_type=authorization_code' \
   --data 'client_id=<clientID or tenant and product query params as described in the SAML config API section above>' \
-  --data client_secret=<clientSecret or any arbitrary value if using the tenant and product in the clientID> \
+  --data 'client_secret=<clientSecret or any arbitrary value if using the tenant and product in the clientID>' \
   --data 'redirect_uri=<redirect URL>' \
-  --data code=<code from the query parameter above>
+  --data 'code=<code from the query parameter above>'
 ```
+
 - grant_type=authorization_code: This is the only supported flow, for now. We might extend this in the future
-- client_id: Use the client_id returned by the SAML config API or use `tentant=<tenantID>&product=<productID>` to use the tenant and product IDs instead
+- client_id: Use the client_id returned by the SAML config API or use `tenant=<tenantID>&product=<productID>` to use the tenant and product IDs instead. **Note:** Please don't forget to URL encode the query parameters including `client_id`.
 - client_secret: Use the client_secret returned by the SAML config API or any arbitrary value if using the tenant and product in the clientID
 - redirect_uri: This is where the user will be taken back once the authorization flow is complete. Use the same redirect_uri as the previous request
 
 If everything goes well you should receive a JSON response that includes the access token. This token is needed for the next step where we fetch the user profile.
+
 ```
 {
   "access_token": <access token>,
@@ -221,8 +244,10 @@ If everything goes well you should receive a JSON response that includes the acc
 }
 ```
 
-## Profile request
+### 6. Profile Request
+
 The short-lived access token can now be used to request the user's profile. You'll need to make the following request:
+
 ```
 curl --request GET \
   --url https://localhost:5000/oauth/me \
@@ -231,16 +256,106 @@ curl --request GET \
 ```
 
 If everything goes well you should receive a JSON response with the user's profile:
+
 ```
 {
+  "id": <id from the Identity Provider>,
   "email": "sjackson@coolstartup.com",
   "firstName": "SAML"
-  "id": <id from the Identity Provider>,
-  "lastName": "Jackson",
+  "lastName": "Jackson"
 }
 ```
 
-- email: The email address of the user as provided by the Identity Provider
 - id: The id of the user as provided by the Identity Provider
+- email: The email address of the user as provided by the Identity Provider
 - firstName: The first name of the user as provided by the Identity Provider
 - lastName: The last name of the user as provided by the Identity Provider
+
+## Examples
+
+To Do
+
+## Database Support
+
+Jackson currently supports the following databases.
+
+- Postgres
+- CockroachDB
+- MySQL
+- MariaDB
+- MongoDB
+- Redis
+
+## Configuration
+
+Configuration is done via env vars (and in the case of the npm library via an options object).
+
+The following options are supported and will have to be configured during deployment.
+
+| Key                               | Description                                                                                                                                                                                                                                                                                                                                                                                                          | Default                         |
+| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
+| HOST_URL                          | The URL to bind to                                                                                                                                                                                                                                                                                                                                                                                                   | `localhost`                     |
+| HOST_PORT                         | The port to bind to                                                                                                                                                                                                                                                                                                                                                                                                  | `5000`                          |
+| EXTERNAL_URL (npm: externalUrl)   | The public URL to reach this service, used internally for documenting the SAML configuration instructions.                                                                                                                                                                                                                                                                                                           | `http://{HOST_URL}:{HOST_PORT}` |
+| INTERNAL_HOST_URL                 | The URL to bind to expose the internal APIs. Do not configure this to a public network.                                                                                                                                                                                                                                                                                                                              | `localhost`                     |
+| INTERNAL_HOST_PORT                | The port to bind to for the internal APIs.                                                                                                                                                                                                                                                                                                                                                                           | `6000`                          |
+| JACKSON_API_KEYS                  | A comma separated list of API keys that will be validated when serving the Config API requests                                                                                                                                                                                                                                                                                                                       |                                 |
+| SAML_AUDIENCE (npm: samlAudience) | This is just an identifier to validate the SAML audience, this value will also get configured in the SAML apps created by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML again. It is case-sensitive. This does not have to be a real URL.                                                                                                                | `https://saml.boxyhq.com`       |
+| IDP_ENABLED (npm: idpEnabled)     | Set to `true` to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times.                                                                                                                                                                                                                                                              | `false`                         |
+| DB_ENGINE (npm: db.engine)        | Supported values are `redis`, `sql`, `mongo`, `mem`.                                                                                                                                                                                                                                                                                                                                                                 | `sql`                           |
+| DB_URL (npm: db.url)              | The database URL to connect to. For example `postgres://postgres:postgres@localhost:5450/jackson`                                                                                                                                                                                                                                                                                                                    |                                 |
+| DB_TYPE (npm: db.type)            | Only needed when DB_ENGINE is `sql`. Supported values are `postgres`, `cockroachdb`, `mysql`, `mariadb`.                                                                                                                                                                                                                                                                                                             | `postgres`                      |
+| PRE_LOADED_CONFIG                 | If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load SAML configs. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section. |                                 |
+
+## Pre-loaded SAML Configuration
+
+If PRE_LOADED_CONFIG is set then it should point to a directory with the following structure (example below):-
+
+```
+boxyhq.js
+boxyhq.xml
+anothertenant.js
+anothertenant.xml
+```
+
+The JS file has the following structure:-
+
+```
+module.exports = {
+  defaultRedirectUrl: 'http://localhost:3000/login/saml',
+  redirectUrl: '["http://localhost:3000/*", "http://localhost:5000/*"]',
+  tenant: 'boxyhq.com',
+  product: 'demo',
+};
+```
+
+The XML file (should share the name with the .js file) is the raw XML metadata file you receive from your Identity Provider. Please ensure it is saved in the `utf-8` encoding.
+
+The config and XML above correspond to the `SAML API config` (see below).
+
+## SAML Login flows
+
+There are two kinds of SAML login flows - SP-initiated and IdP-initiated. We highly recommend sticking to the SP-initiated flow since it is more secure but Jackson also supports the IdP-initiated flow if you enable it. For an in-depth understanding of SAML and the two flows please refer to Okta's comprehensive guide - https://developer.okta.com/docs/concepts/saml/.
+
+## Contributing
+
+Thanks for taking the time to contribute! Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make will benefit everybody else and are appreciated.
+
+Please try to create bug reports that are:
+
+- _Reproducible._ Include steps to reproduce the problem.
+- _Specific._ Include as much detail as possible: which version, what environment, etc.
+- _Unique._ Do not duplicate existing opened issues.
+- _Scoped to a Single Bug._ One bug per report.
+
+## Support
+
+Reach out to the maintainer at one of the following places:
+
+- [GitHub Discussions](https://github.com/boxyhq/jackson/discussions)
+- [GitHub Issues](https://github.com/boxyhq/jackson/issues)
+- The email which is located [in GitHub profile](https://github.com/deepakprabhakara)
+
+## License
+
+[Apache 2.0 License](https://github.com/boxyhq/jackson/blob/main/LICENSE)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.1.5-beta.97",
+  "version": "0.1.6",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",
@@ -17,11 +17,12 @@
   "scripts": {
     "start": "cross-env IDP_ENABLED=true node src/jackson.js",
     "dev": "cross-env IDP_ENABLED=true nodemon src/jackson.js",
-    "calendso": "cross-env DB_URL=postgresql://postgres:postgres@localhost:5450/calendso nodemon src/jackson.js",
     "mongo": "cross-env DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
     "pre-loaded": "cross-env DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
+    "pre-loaded-db": "cross-env PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
     "test": "tap --timeout=100 src/**/*.test.js",
-    "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d"
+    "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d",
+    "dev-dbs-destroy": "docker-compose -f ./_dev/docker-compose.yml down --volumes --remove-orphans"
   },
   "tap": {
     "coverage-map": "map.js",
@@ -36,7 +37,7 @@
     "@peculiar/x509": "1.6.0",
     "cors": "2.8.5",
     "express": "4.17.1",
-    "mongodb": "4.2.0",
+    "mongodb": "4.2.1",
     "mysql2": "2.3.3",
     "pg": "8.7.1",
     "rambda": "6.9.0",
@@ -51,8 +52,15 @@
   },
   "devDependencies": {
     "cross-env": "7.0.3",
-    "eslint": "8.3.0",
+    "eslint": "8.4.0",
+    "husky": "7.0.4",
+    "lint-staged": "12.1.2",
     "nodemon": "2.0.15",
-    "tap": "15.1.2"
+    "prettier": "2.5.1",
+    "tap": "15.1.5"
+  },
+  "lint-staged": {
+    "*.js": "eslint --cache --fix",
+    "*.{js,css,md}": "prettier --write"
   }
 }

package/src/controller/api.js

@@ -7,11 +7,33 @@ const crypto = require('crypto');
 
 let configStore;
 
+const extractHostName = (url) => {
+  try {
+    const pUrl = new URL(url);
+    if(pUrl.hostname.startsWith('www.')) {
+      return pUrl.hostname.substring(4);
+    }
+    return pUrl.hostname;
+  } catch (err) {
+    return null;
+  }
+};
+
 const config = async (body) => {
   const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
     body;
   const idpMetadata = await saml.parseMetadataAsync(rawMetadata);
 
+  // extract provider
+  let providerName = extractHostName(idpMetadata.entityID);
+  if (!providerName) {
+    providerName = extractHostName(
+      idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl
+    );
+  }
+
+  idpMetadata.provider = providerName ? providerName : 'Unknown';
+
   let clientID = dbutils.keyDigest(
     dbutils.keyFromParts(tenant, product, idpMetadata.entityID)
   );
@@ -56,12 +78,37 @@ const config = async (body) => {
   return {
     client_id: clientID,
     client_secret: clientSecret,
+    provider: idpMetadata.provider,
   };
 };
 
+const getConfig = async (body) => {
+  const { clientID, tenant, product } = body;
+
+  if (clientID) {
+    const samlConfig = await configStore.get(clientID);
+    if (!samlConfig) {
+      return {};
+    }
+
+    return { provider: samlConfig.idpMetadata.provider };
+  } else {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+    if (!samlConfigs || !samlConfigs.length) {
+      return {};
+    }
+
+    return { provider: samlConfigs[0].idpMetadata.provider };
+  }
+};
+
 module.exports = (opts) => {
   configStore = opts.configStore;
   return {
     config,
+    getConfig,
   };
 };

package/src/controller/oauth.js

@@ -2,7 +2,7 @@ const crypto = require('crypto');
 
 const saml = require('../saml/saml.js');
 const codeVerifier = require('./oauth/code-verifier.js');
-const { indexNames } = require('./utils.js');
+const { indexNames, extractAuthToken } = require('./utils.js');
 const dbutils = require('../db/utils.js');
 const redirect = require('./oauth/redirect.js');
 const allowed = require('./oauth/allowed.js');
@@ -15,16 +15,6 @@ let options;
 
 const relayStatePrefix = 'boxyhq_jackson_';
 
-const extractBearerToken = (req) => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
-
 function getEncodedClientId(client_id) {
   try {
     const sp = new URLSearchParams(client_id);
@@ -115,7 +105,7 @@ const authorize = async (req, res) => {
   }
 
   const samlReq = saml.request({
-    entityID: samlConfig.idpMetadata.entityID,
+    entityID: options.samlAudience,
     callbackUrl: options.externalUrl + options.samlPath,
     signingKey: samlConfig.certs.privateKey,
   });
@@ -298,7 +288,7 @@ const token = async (req, res) => {
 };
 
 const userInfo = async (req, res) => {
-  let token = extractBearerToken(req);
+  let token = extractAuthToken(req);
 
   // check for query param
   if (!token) {

package/src/controller/utils.js

@@ -3,6 +3,17 @@ const indexNames = {
   tenantProduct: 'tenantProduct',
 };
 
+const extractAuthToken = (req) => {
+  const authHeader = req.get('authorization');
+  const parts = (authHeader || '').split(' ');
+  if (parts.length > 1) {
+    return parts[1];
+  }
+
+  return null;
+};
+
 module.exports = {
   indexNames,
+  extractAuthToken,
 };

package/src/db/db.test.js

@@ -224,7 +224,7 @@ t.test('dbs', ({ end }) => {
       }
 
       await new Promise((resolve) =>
-        setTimeout(resolve, ((dbEngine === 'mem' ? 5 : 0) + ttl + 0.5) * 1000)
+        setTimeout(resolve, (2*ttl + 0.5) * 1000)
       );
 
       const ret1 = await ttlStore.get(record1.id);

package/src/db/sql/entity/JacksonStore.js

@@ -27,10 +27,6 @@ module.exports = (type) => {
       value: {
         type: valueType(type),
       },
-      expiresAt: {
-        type: 'bigint',
-        nullable: true,
-      },
     },
   });
 };

package/src/db/sql/entity/JacksonTTL.js

@@ -0,0 +1,23 @@
+const EntitySchema = require('typeorm').EntitySchema;
+const JacksonTTL = require('../model/JacksonTTL.js');
+
+module.exports = new EntitySchema({
+  name: 'JacksonTTL',
+  target: JacksonTTL,
+  columns: {
+    key: {
+      primary: true,
+      type: 'varchar',
+      length: 1500,
+    },
+    expiresAt: {
+      type: 'bigint',
+    },
+  },
+  indices: [
+    {
+      name: '_jackson_ttl_expires_at',
+      columns: ['expiresAt'],
+    },
+  ],
+});

package/src/db/sql/model/JacksonStore.js

@@ -1,8 +1,7 @@
 /*export */ class JacksonStore {
-  constructor(key, value, expiresAt) {
+  constructor(key, value) {
     this.key = key;
     this.value = value;
-    this.expiresAt = expiresAt;
   }
 }
 

package/src/db/sql/model/JacksonTTL.js

@@ -0,0 +1,8 @@
+/*export */ class JacksonTTL {
+  constructor(key, expiresAt) {
+    this.key = key;
+    this.expiresAt = expiresAt;
+  }
+}
+
+module.exports = JacksonTTL;

package/src/db/sql/sql.js

@@ -2,6 +2,7 @@ require('reflect-metadata');
 const typeorm = require('typeorm');
 const JacksonStore = require('./model/JacksonStore.js');
 const JacksonIndex = require('./model/JacksonIndex.js');
+const JacksonTTL = require('./model/JacksonTTL.js');
 
 const dbutils = require('../utils.js');
 
@@ -20,6 +21,7 @@ class Sql {
             entities: [
               require('./entity/JacksonStore.js')(options.type),
               require('./entity/JacksonIndex.js'),
+              require('./entity/JacksonTTL.js'),
             ],
           });
 
@@ -33,22 +35,29 @@ class Sql {
 
       this.storeRepository = this.connection.getRepository(JacksonStore);
       this.indexRepository = this.connection.getRepository(JacksonIndex);
+      this.ttlRepository = this.connection.getRepository(JacksonTTL);
 
       if (options.ttl && options.limit) {
         this.ttlCleanup = async () => {
           const now = Date.now();
 
           while (true) {
-            const ids = await this.storeRepository.find({
-              expiresAt: typeorm.MoreThan(now),
-              take: options.limit,
-            });
+            const ids = await this.ttlRepository
+              .createQueryBuilder('jackson_ttl')
+              .limit(options.limit)
+              .where('jackson_ttl.expiresAt <= :expiresAt', { expiresAt: now })
+              .getMany();
 
             if (ids.length <= 0) {
               break;
             }
 
+            const delIds = ids.map((id) => {
+              return id.key;
+            });
+
             await this.storeRepository.remove(ids);
+            await this.ttlRepository.delete(delIds);
           }
 
           this.timerId = setTimeout(this.ttlCleanup, options.ttl * 1000);
@@ -99,13 +108,15 @@ class Sql {
 
   async put(namespace, key, val, ttl = 0, ...indexes) {
     await this.connection.transaction(async (transactionalEntityManager) => {
-      const store = new JacksonStore(
-        dbutils.key(namespace, key),
-        JSON.stringify(val),
-        ttl > 0 ? Date.now() + ttl * 1000 : null
-      );
+      const dbKey = dbutils.key(namespace, key);
+      const store = new JacksonStore(dbKey, JSON.stringify(val));
       await transactionalEntityManager.save(store);
 
+      if (ttl) {
+        const ttlRec = new JacksonTTL(dbKey, Date.now() + ttl * 1000);
+        await transactionalEntityManager.save(ttlRec);
+      }
+
       // no ttl support for secondary indexes
       for (const idx of indexes || []) {
         const key = dbutils.keyForIndex(namespace, idx);

package/src/env.js

@@ -7,6 +7,8 @@ const samlPath = process.env.SAML_PATH || '/oauth/saml';
 const internalHostUrl = process.env.INTERNAL_HOST_URL || 'localhost';
 const internalHostPort = (process.env.INTERNAL_HOST_PORT || '6000') * 1;
 
+const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
+
 const samlAudience = process.env.SAML_AUDIENCE;
 const preLoadedConfig = process.env.PRE_LOADED_CONFIG;
 
@@ -27,6 +29,7 @@ module.exports = {
   preLoadedConfig,
   internalHostUrl,
   internalHostPort,
+  apiKeys,
   idpEnabled,
   db,
   useInternalServer: !(

package/src/index.js

@@ -19,7 +19,7 @@ const defaultOpts = (opts) => {
   newOpts.db = newOpts.db || {};
   newOpts.db.engine = newOpts.db.engine || 'sql'; // Supported values: redis, sql, mongo, mem. Keep comment in sync with db.js
   newOpts.db.url =
-    newOpts.db.url || 'postgres://postgres:postgres@localhost:5432/jackson';
+    newOpts.db.url || 'postgresql://postgres:postgres@localhost:5432/postgres';
   newOpts.db.type = newOpts.db.type || 'postgres'; // Only needed if DB_ENGINE is sql. Supported values: postgres, cockroachdb, mysql, mariadb
   newOpts.db.ttl = (newOpts.db.ttl || 300) * 1; // TTL for the code, session and token stores (in seconds)
   newOpts.db.limit = (newOpts.db.limit || 1000) * 1; // Limit ttl cleanup to this many items at a time
@@ -56,7 +56,7 @@ module.exports = async function (opts) {
     }
   }
 
-  const type = opts.db.type ? ' Type: ' + opts.db.type : '';
+  const type = opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
   console.log(`Using engine: ${opts.db.engine}.${type}`);
 
   return {

package/src/jackson.js

@@ -2,6 +2,7 @@ const express = require('express');
 const cors = require('cors');
 
 const env = require('./env.js');
+const { extractAuthToken } = require('./controller/utils.js');
 
 let apiController;
 let oauthController;
@@ -38,7 +39,7 @@ app.post(oauthPath + '/token', cors(), async (req, res) => {
   }
 });
 
-app.get(oauthPath + '/userinfo', cors(), async (req, res) => {
+app.get(oauthPath + '/userinfo', async (req, res) => {
   try {
     await oauthController.userInfo(req, res);
   } catch (err) {
@@ -66,8 +67,18 @@ if (env.useInternalServer) {
   internalApp.use(express.urlencoded({ extended: true }));
 }
 
+const validateApiKey = (token) => {
+  return env.apiKeys.includes(token);
+};
+
 internalApp.post(apiPath + '/config', async (req, res) => {
   try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
     res.json(await apiController.config(req.body));
   } catch (err) {
     res.status(500).json({
@@ -76,6 +87,22 @@ internalApp.post(apiPath + '/config', async (req, res) => {
   }
 });
 
+internalApp.post(apiPath + '/config/get', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
+    res.json(await apiController.getConfig(req.body));
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
+
 let internalServer = server;
 if (env.useInternalServer) {
   internalServer = internalApp.listen(env.internalHostPort, async () => {

package/src/saml/claims.js

@@ -0,0 +1,40 @@
+const mapping = [
+  {
+    attribute: 'id',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
+  },
+  {
+    attribute: 'email',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+  },
+  {
+    attribute: 'firstName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
+  },
+  {
+    attribute: 'lastName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
+  },
+];
+
+const map = (claims) => {
+  const profile = {
+    raw: claims,
+  };
+
+  mapping.forEach((m) => {
+    if (claims[m.attribute]) {
+      profile[m.attribute] = claims[m.attribute];
+    } else if (claims[m.schema]) {
+      profile[m.attribute] = claims[m.schema];
+    }
+  });
+
+  return profile;
+};
+
+module.exports = {
+  map,
+};

package/src/saml/saml.js

@@ -5,6 +5,7 @@ const thumbprint = require('thumbprint');
 const xmlbuilder = require('xmlbuilder');
 const crypto = require('crypto');
 const xmlcrypto = require('xml-crypto');
+const claims = require('./claims');
 
 const idPrefix = '_';
 const authnXPath =
@@ -120,6 +121,19 @@ module.exports = {
             return;
           }
 
+          if (profile && profile.claims) {
+            // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
+            profile.claims = claims.map(profile.claims);
+
+            // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
+            if (!profile.claims.id) {
+              profile.claims.id = crypto
+                .createHash('sha256')
+                .update(profile.claims.email)
+                .digest('hex');
+            }
+          }
+
           resolve(profile);
         }
       );
@@ -141,12 +155,20 @@ module.exports = {
           let X509Certificate = null;
           let ssoPostUrl = null;
           let ssoRedirectUrl = null;
+          let loginType = 'idp';
 
-          const ssoDes = rambda.pathOr(
-            [],
+          let ssoDes = rambda.pathOr(
+            null,
             'EntityDescriptor.IDPSSODescriptor',
             res
           );
+          if (!ssoDes) {
+            ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
+            if (!ssoDes) {
+              loginType = 'sp';
+            }
+          }
+
           for (const ssoDesRec of ssoDes) {
             const keyDes = ssoDesRec['KeyDescriptor'];
             for (const keyDesRec of keyDes) {
@@ -157,7 +179,10 @@ module.exports = {
               }
             }
 
-            const ssoSvc = ssoDesRec['SingleSignOnService'] || [];
+            const ssoSvc =
+              ssoDesRec['SingleSignOnService'] ||
+              ssoDesRec['AssertionConsumerService'] ||
+              [];
             for (const ssoSvcRec of ssoSvc) {
               if (
                 rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')
@@ -188,6 +213,7 @@ module.exports = {
           if (ssoRedirectUrl) {
             ret.sso.redirectUrl = ssoRedirectUrl;
           }
+          ret.loginType = loginType;
 
           resolve(ret);
         }