@boxyhq/saml-jackson 0.1.5 → 0.2.0-beta.149

package/src/jackson.js

@@ -2,6 +2,7 @@ const express = require('express');
 const cors = require('cors');
 
 const env = require('./env.js');
+const { extractAuthToken } = require('./controller/utils.js');
 
 let apiController;
 let oauthController;
@@ -16,33 +17,60 @@ app.use(express.urlencoded({ extended: true }));
 
 app.get(oauthPath + '/authorize', async (req, res) => {
   try {
-    await oauthController.authorize(req, res);
+    const { redirect_url } = await oauthController.authorize(req.query);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.post(env.samlPath, async (req, res) => {
   try {
-    await oauthController.samlResponse(req, res);
+    const { redirect_url } = await oauthController.samlResponse(req.body);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.post(oauthPath + '/token', cors(), async (req, res) => {
   try {
-    await oauthController.token(req, res);
+    const result = await oauthController.token(req.body);
+
+    res.json(result);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
-app.get(oauthPath + '/userinfo', cors(), async (req, res) => {
+app.get(oauthPath + '/userinfo', async (req, res) => {
   try {
-    await oauthController.userInfo(req, res);
+    let token = extractAuthToken(req);
+
+    // check for query param
+    if (!token) {
+      token = req.query.access_token;
+    }
+
+    if (!token) {
+      res.status(401).json({ message: 'Unauthorized' });
+    }
+
+    const profile = await oauthController.userInfo(token);
+
+    res.json(profile);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).json({ message });
   }
 });
 
@@ -66,8 +94,18 @@ if (env.useInternalServer) {
   internalApp.use(express.urlencoded({ extended: true }));
 }
 
+const validateApiKey = (token) => {
+  return env.apiKeys.includes(token);
+};
+
 internalApp.post(apiPath + '/config', async (req, res) => {
   try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
     res.json(await apiController.config(req.body));
   } catch (err) {
     res.status(500).json({
@@ -76,6 +114,22 @@ internalApp.post(apiPath + '/config', async (req, res) => {
   }
 });
 
+internalApp.post(apiPath + '/config/get', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+
+    res.json(await apiController.getConfig(req.body));
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
+
 let internalServer = server;
 if (env.useInternalServer) {
   internalServer = internalApp.listen(env.internalHostPort, async () => {

package/src/saml/claims.js

@@ -0,0 +1,40 @@
+const mapping = [
+  {
+    attribute: 'id',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
+  },
+  {
+    attribute: 'email',
+    schema:
+      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+  },
+  {
+    attribute: 'firstName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
+  },
+  {
+    attribute: 'lastName',
+    schema: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
+  },
+];
+
+const map = (claims) => {
+  const profile = {
+    raw: claims,
+  };
+
+  mapping.forEach((m) => {
+    if (claims[m.attribute]) {
+      profile[m.attribute] = claims[m.attribute];
+    } else if (claims[m.schema]) {
+      profile[m.attribute] = claims[m.schema];
+    }
+  });
+
+  return profile;
+};
+
+module.exports = {
+  map,
+};

package/src/saml/saml.js

@@ -5,6 +5,7 @@ const thumbprint = require('thumbprint');
 const xmlbuilder = require('xmlbuilder');
 const crypto = require('crypto');
 const xmlcrypto = require('xml-crypto');
+const claims = require('./claims');
 
 const idPrefix = '_';
 const authnXPath =
@@ -120,6 +121,19 @@ module.exports = {
             return;
           }
 
+          if (profile && profile.claims) {
+            // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
+            profile.claims = claims.map(profile.claims);
+
+            // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
+            if (!profile.claims.id) {
+              profile.claims.id = crypto
+                .createHash('sha256')
+                .update(profile.claims.email)
+                .digest('hex');
+            }
+          }
+
           resolve(profile);
         }
       );
@@ -141,12 +155,20 @@ module.exports = {
           let X509Certificate = null;
           let ssoPostUrl = null;
           let ssoRedirectUrl = null;
+          let loginType = 'idp';
 
-          const ssoDes = rambda.pathOr(
-            [],
+          let ssoDes = rambda.pathOr(
+            null,
             'EntityDescriptor.IDPSSODescriptor',
             res
           );
+          if (!ssoDes) {
+            ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
+            if (!ssoDes) {
+              loginType = 'sp';
+            }
+          }
+
           for (const ssoDesRec of ssoDes) {
             const keyDes = ssoDesRec['KeyDescriptor'];
             for (const keyDesRec of keyDes) {
@@ -157,7 +179,10 @@ module.exports = {
               }
             }
 
-            const ssoSvc = ssoDesRec['SingleSignOnService'] || [];
+            const ssoSvc =
+              ssoDesRec['SingleSignOnService'] ||
+              ssoDesRec['AssertionConsumerService'] ||
+              [];
             for (const ssoSvcRec of ssoSvc) {
               if (
                 rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')
@@ -188,6 +213,7 @@ module.exports = {
           if (ssoRedirectUrl) {
             ret.sso.redirectUrl = ssoRedirectUrl;
           }
+          ret.loginType = loginType;
 
           resolve(ret);
         }

package/src/test/data/metadata/boxyhq.js

@@ -0,0 +1,6 @@
+module.exports = {
+  defaultRedirectUrl: 'http://localhost:3000/sso/oauth/completed',
+  redirectUrl: '["http://localhost:3000"]',
+  tenant: 'boxyhq.com',
+  product: 'crm',
+};

package/src/test/data/metadata/boxyhq.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2" validUntil="2026-06-22T18:39:53.000Z">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXo6K+u/MA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
+bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
+b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwNjIz
+MTgzOTUzWhcNMjYwNjIyMTgzOTUzWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
+TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA4qZcxwPiVka9GzGdQ9LVlgVkn3A7O3HtxR6RIm5AMaL4YZziEHt2HgxLdJZyXYJw
+yfT1KB2IHt+XDQBkgEpQVXuuwSPI8vhI8Jr+nr8zia3MMoy9vJF8ZG7HuWeakaKEh7tJqjYu1Cl9
+a81rkYdXAFUA+gl2q+stvK26xylAUwptCJSQo0NanWzCq+k5zvX0uLmh58+W5Yv11hDTtAoW+1dH
+LWUTHXPfoZINPRy5NGKJ2Onq5/D5XJRimNnUa2iYi0Yv9txp1RRq4dpB9MaVttt3iKyDo4/+8fg/
+bL8BLhguiOeqcP4DEIzMuExi3bZAOu2NC7k7Qf28nA81LzP9DQIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQARBNB3+MfmKr5WXNXXE9YwUzUGmpfbqUPXh2y2dOAkj6TzoekAsOLWB0p8oyJ5d1bFlTsx
+i1OY9RuFl0tc35Jbo+ae5GfUvJmbnYGi9z8sBL55HY6x3KQNmM/ehof7ttZwvB6nwuRxAiGYG497
+3tSzrqMQzEskcgX1mlCW0vks/ztCaayprDXcCUxWdP9FaiSZDEXV6PHhFZgGlRNvERsgaMDJgOsq
+v6hLX10Q9CtOWzqu18PI4DcfoZ7exWcC29yWvwZzDTfHGaSG1DtUFLwiQmhVUbfd7/fmLV+/iOxV
+zI0b5xSYZOJ7Kena7gd5zGVrc2ygKAFKiffiI5GLmLkv</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>

package/src/test/data/saml_response

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxzYW1sMnA6UmVzcG9uc2UgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovLzdlYTItMTAzLTE1My0xMDQtMTYxLm5ncm9rLmlvL3Nzby9vYXV0aC9zYW1sIiBJRD0iXzRkZmM5MjYwZDFjZTVlMDRhZTQ4ZTg4ZWJkNGNlOTY3IiBJblJlc3BvbnNlVG89Il9kYWNkMTRhZGVmMmNiMDc1NGM5NiIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA2VDE1OjIzOjA3LjM2MFoiIFZlcnNpb249IjIuMCI+DQogICA8c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9zYW1sMjwvc2FtbDI6SXNzdWVyPg0KICAgPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICA8ZHM6U2lnbmVkSW5mbz4NCiAgICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPg0KICAgICAgICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiIC8+DQogICAgICAgICA8ZHM6UmVmZXJlbmNlIFVSST0iI180ZGZjOTI2MGQxY2U1ZTA0YWU0OGU4OGViZDRjZTk2NyI+DQogICAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz4NCiAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+DQogICAgICAgICAgICA8L2RzOlRyYW5zZm9ybXM+DQogICAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPg0KICAgICAgICAgICAgPGRzOkRpZ2VzdFZhbHVlPjI3Vy9EZTVKTlZIWkk1VTVKZGIvUi9mUXIya0pmd1VPbk0vVlRmQ1ZwQU09PC9kczpEaWdlc3RWYWx1ZT4NCiAgICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPm4vWCsvb0ZzK3JNU2gxMlg4dnowWlNkNlFpcU50eTY3RnFVbVNwdGllRmNoM0NScGQzZ2dpSHNwTTlMcm9MWjZVZGlsbThtdFZqTkgNCi9ob21yWDNvVEQ4UStxdzNiSllOTEptNEQvRWNmZmRDNmpSb0RJZzRYeFYxYlBVaWhQTnI4dlBFZEF2eEdwNTNiZ2MyREJsWkJpT3gNCnh4RlBSbEtnajJDWjh5SWk1R05FMUVTYms2SEtjY3g4R2dxWmtSYkVRbWtnbVMxZG1xcGl5bUpQM3orMHlaaXQyZ3dwQW5WVjNCMDUNCnZOcy8rSTFzRlZLaHNWcTc4QzZNWlZzV1pUSi80RFhadWhVSnpLNElTSU11b1RqUWFacEZMeEpBKzlhZzIvcm9OMjkwcitpcTZ5MVQNCjNHSlF1TlBPU0JVS1NpWlZVNmdwTldRRDBxckFxSWFQUFpOZnp3PT08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgICA8ZHM6WDUwOURhdGE+DQogICAgICAgICAgICA8ZHM6WDUwOVN1YmplY3ROYW1lPlNUPUNhbGlmb3JuaWEsQz1VUyxPVT1Hb29nbGUgRm9yIFdvcmssQ049R29vZ2xlLEw9TW91bnRhaW4gVmlldyxPPUdvb2dsZSBJbmMuPC9kczpYNTA5U3ViamVjdE5hbWU+DQogICAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURkRENDQWx5Z0F3SUJBZ0lHQVhvNksrdS9NQTBHQ1NxR1NJYjNEUUVCQ3dVQU1Ic3hGREFTQmdOVkJBb1RDMGR2YjJkc1pTQkoNCmJtTXVNUll3RkFZRFZRUUhFdzFOYjNWdWRHRnBiaUJXYVdWM01ROHdEUVlEVlFRREV3WkhiMjluYkdVeEdEQVdCZ05WQkFzVEQwZHYNCmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTWpFd05qSXoNCk1UZ3pPVFV6V2hjTk1qWXdOakl5TVRnek9UVXpXakI3TVJRd0VnWURWUVFLRXd0SGIyOW5iR1VnU1c1akxqRVdNQlFHQTFVRUJ4TU4NClRXOTFiblJoYVc0Z1ZtbGxkekVQTUEwR0ExVUVBeE1HUjI5dloyeGxNUmd3RmdZRFZRUUxFdzlIYjI5bmJHVWdSbTl5SUZkdmNtc3gNCkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEENCk1JSUJDZ0tDQVFFQTRxWmN4d1BpVmthOUd6R2RROUxWbGdWa24zQTdPM0h0eFI2UkltNUFNYUw0WVp6aUVIdDJIZ3hMZEpaeVhZSncNCnlmVDFLQjJJSHQrWERRQmtnRXBRVlh1dXdTUEk4dmhJOEpyK25yOHppYTNNTW95OXZKRjhaRzdIdVdlYWthS0VoN3RKcWpZdTFDbDkNCmE4MXJrWWRYQUZVQStnbDJxK3N0dksyNnh5bEFVd3B0Q0pTUW8wTmFuV3pDcStrNXp2WDB1TG1oNTgrVzVZdjExaERUdEFvVysxZEgNCkxXVVRIWFBmb1pJTlBSeTVOR0tKMk9ucTUvRDVYSlJpbU5uVWEyaVlpMFl2OXR4cDFSUnE0ZHBCOU1hVnR0dDNpS3lEbzQvKzhmZy8NCmJMOEJMaGd1aU9lcWNQNERFSXpNdUV4aTNiWkFPdTJOQzdrN1FmMjhuQTgxTHpQOURRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUENCkE0SUJBUUFSQk5CMytNZm1LcjVXWE5YWEU5WXdVelVHbXBmYnFVUFhoMnkyZE9Ba2o2VHpvZWtBc09MV0IwcDhveUo1ZDFiRmxUc3gNCmkxT1k5UnVGbDB0YzM1SmJvK2FlNUdmVXZKbWJuWUdpOXo4c0JMNTVIWTZ4M0tRTm1NL2Vob2Y3dHRad3ZCNm53dVJ4QWlHWUc0OTcNCjN0U3pycU1RekVza2NnWDFtbENXMHZrcy96dENhYXlwckRYY0NVeFdkUDlGYWlTWkRFWFY2UEhoRlpnR2xSTnZFUnNnYU1ESmdPc3ENCnY2aExYMTBROUN0T1d6cXUxOFBJNERjZm9aN2V4V2NDMjl5V3Z3WnpEVGZIR2FTRzFEdFVGTHdpUW1oVlViZmQ3L2ZtTFYrL2lPeFYNCnpJMGI1eFNZWk9KN0tlbmE3Z2Q1ekdWcmMyeWdLQUZLaWZmaUk1R0xtTGt2PC9kczpYNTA5Q2VydGlmaWNhdGU+DQogICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgPC9kczpTaWduYXR1cmU+DQogICA8c2FtbDJwOlN0YXR1cz4NCiAgICAgIDxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIiAvPg0KICAgPC9zYW1sMnA6U3RhdHVzPg0KICAgPHNhbWwyOkFzc2VydGlvbiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il8xMWZkN2U5MDdjZmNiMTEwODM3NjI5OGM1Nzc0ZjgyNyIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA2VDE1OjIzOjA3LjM2MFoiIFZlcnNpb249IjIuMCI+DQogICAgICA8c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyPC9zYW1sMjpJc3N1ZXI+DQogICAgICA8c2FtbDI6U3ViamVjdD4NCiAgICAgICAgIDxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPmtpcmFuQGRlbW8uY29tPC9zYW1sMjpOYW1lSUQ+DQogICAgICAgICA8c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICAgICAgPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iX2RhY2QxNGFkZWYyY2IwNzU0Yzk2IiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMTItMDZUMTU6Mjg6MDcuMzYwWiIgUmVjaXBpZW50PSJodHRwczovLzdlYTItMTAzLTE1My0xMDQtMTYxLm5ncm9rLmlvL3Nzby9vYXV0aC9zYW1sIiAvPg0KICAgICAgICAgPC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgICAgPC9zYW1sMjpTdWJqZWN0Pg0KICAgICAgPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIxLTEyLTA2VDE1OjE4OjA3LjM2MFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0xMi0wNlQxNToyODowNy4zNjBaIj4NCiAgICAgICAgIDxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICAgICAgPHNhbWwyOkF1ZGllbmNlPmh0dHBzOi8vc2FtbC5ib3h5aHEuY29tPC9zYW1sMjpBdWRpZW5jZT4NCiAgICAgICAgIDwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgIDwvc2FtbDI6Q29uZGl0aW9ucz4NCiAgICAgIDxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIuZW1haWwiPg0KICAgICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPmtpcmFuQGRlbW8uY29tPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgICAgIDwvc2FtbDI6QXR0cmlidXRlPg0KICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ1c2VyLmZpcnN0TmFtZSI+DQogICAgICAgICAgICA8c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6YW55VHlwZSI+S2lyYW48L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgPC9zYW1sMjpBdHRyaWJ1dGU+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIuaWQiIC8+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIubGFzdE5hbWUiPg0KICAgICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPks8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgPC9zYW1sMjpBdHRyaWJ1dGU+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9Im1lbWJlci1vZiIgLz4NCiAgICAgIDwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMS0xMi0wNlQxNToxNzowNS4wMDBaIiBTZXNzaW9uSW5kZXg9Il8xMWZkN2U5MDdjZmNiMTEwODM3NjI5OGM1Nzc0ZjgyNyI+DQogICAgICAgICA8c2FtbDI6QXV0aG5Db250ZXh0Pg0KICAgICAgICAgICAgPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgICAgIDwvc2FtbDI6QXV0aG5Db250ZXh0Pg0KICAgICAgPC9zYW1sMjpBdXRoblN0YXRlbWVudD4NCiAgIDwvc2FtbDI6QXNzZXJ0aW9uPg0KPC9zYW1sMnA6UmVzcG9uc2U+

package/src/test/oauth.test.js

@@ -0,0 +1,342 @@
+const tap = require('tap');
+const { promises: fs } = require('fs');
+const path = require('path');
+const sinon = require('sinon');
+const crypto = require('crypto');
+
+const readConfig = require('../read-config');
+const saml = require('../saml/saml');
+
+let apiController;
+let oauthController;
+
+const code = '1234567890';
+const token = '24c1550190dd6a5a9bd6fe2a8ff69d593121c7b9';
+
+const metadataPath = path.join(__dirname, '/data/metadata');
+
+const options = {
+  externalUrl: 'https://my-cool-app.com',
+  samlAudience: 'https://saml.boxyhq.com',
+  samlPath: '/sso/oauth/saml',
+  db: {
+    engine: 'mem',
+  },
+};
+
+const samlConfig = {
+  tenant: 'boxyhq.com',
+  product: 'crm',
+  redirectUrl: '["http://localhost:3000/*"]',
+  defaultRedirectUrl: 'http://localhost:3000/login/saml',
+  rawMetadata: null,
+};
+
+const addMetadata = async (metadataPath) => {
+  const configs = await readConfig(metadataPath);
+
+  for (const config of configs) {
+    await apiController.config(config);
+  }
+};
+
+tap.before(async () => {
+  const controller = await require('../index.js')(options);
+
+  apiController = controller.apiController;
+  oauthController = controller.oauthController;
+
+  await addMetadata(metadataPath);
+});
+
+tap.teardown(async () => {
+  process.exit(0);
+});
+
+tap.test('authorize()', async (t) => {
+  t.test('Should throw an error if `redirect_uri` null', async (t) => {
+    const body = {
+      redirect_uri: null,
+      state: 'state',
+    };
+
+    try {
+      await oauthController.authorize(body);
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'Please specify a redirect URL.',
+        'got expected error message'
+      );
+      t.equal(err.statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `state` null', async (t) => {
+    const body = {
+      redirect_uri: 'https://example.com/',
+      state: null,
+    };
+
+    try {
+      await oauthController.authorize(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'Please specify a state to safeguard against XSRF attacks.',
+        'got expected error message'
+      );
+      t.equal(err.statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `client_id` is invalid', async (t) => {
+    const body = {
+      redirect_uri: 'https://example.com/',
+      state: 'state-123',
+      client_id: '27fa9a11875ec3a0',
+    };
+
+    try {
+      await oauthController.authorize(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'SAML configuration not found.',
+        'got expected error message'
+      );
+      t.equal(err.statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test(
+    'Should throw an error if `redirect_uri` is not allowed',
+    async (t) => {
+      const body = {
+        redirect_uri: 'https://example.com/',
+        state: 'state-123',
+        client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      };
+
+      try {
+        await oauthController.authorize(body);
+
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(
+          err.message,
+          'Redirect URL is not allowed.',
+          'got expected error message'
+        );
+        t.equal(err.statusCode, 403, 'got expected status code');
+      }
+
+      t.end();
+    }
+  );
+
+  t.test('Should return the Idp SSO URL', async (t) => {
+    const body = {
+      redirect_uri: samlConfig.defaultRedirectUrl,
+      state: 'state-123',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+    };
+
+    const response = await oauthController.authorize(body);
+    const params = new URLSearchParams(new URL(response.redirect_url).search);
+
+    t.ok('redirect_url' in response, 'got the Idp authorize URL');
+    t.ok(params.has('RelayState'), 'RelayState present in the query string');
+    t.ok(params.has('SAMLRequest'), 'SAMLRequest present in the query string');
+
+    t.end();
+  });
+
+  t.end();
+});
+
+tap.test('samlResponse()', async (t) => {
+  const authBody = {
+    redirect_uri: samlConfig.defaultRedirectUrl,
+    state: 'state-123',
+    client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+  };
+
+  const { redirect_url } = await oauthController.authorize(authBody);
+
+  const relayState = new URLSearchParams(new URL(redirect_url).search).get(
+    'RelayState'
+  );
+
+  const rawResponse = await fs.readFile(
+    path.join(__dirname, '/data/saml_response'),
+    'utf8'
+  );
+
+  t.test('Should throw an error if `RelayState` is missing', async (t) => {
+    const responseBody = {
+      SAMLResponse: rawResponse,
+    };
+
+    try {
+      await oauthController.samlResponse(responseBody);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+        'got expected error message'
+      );
+
+      t.equal(err.statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test(
+    'Should return a URL with code and state as query params',
+    async (t) => {
+      const responseBody = {
+        SAMLResponse: rawResponse,
+        RelayState: relayState,
+      };
+
+      const stubValidateAsync = sinon.stub(saml, 'validateAsync').returns({
+        id: 1,
+        email: 'john@example.com',
+        firstName: 'John',
+        lastName: 'Doe',
+      });
+
+      const stubRandomBytes = sinon.stub(crypto, 'randomBytes').returns(code);
+
+      const response = await oauthController.samlResponse(responseBody);
+
+      const params = new URLSearchParams(new URL(response.redirect_url).search);
+
+      t.ok(stubValidateAsync.calledOnce, 'randomBytes called once');
+      t.ok(stubRandomBytes.calledOnce, 'validateAsync called once');
+      t.ok('redirect_url' in response, 'response contains redirect_url');
+      t.ok(params.has('code'), 'query string includes code');
+      t.ok(params.has('state'), 'query string includes state');
+      t.match(params.get('state'), authBody.state, 'state value is valid');
+
+      stubRandomBytes.restore();
+      stubValidateAsync.restore();
+
+      t.end();
+    }
+  );
+
+  t.end();
+});
+
+tap.test('token()', (t) => {
+  t.test(
+    'Should throw an error if `grant_type` is not `authorization_code`',
+    async (t) => {
+      const body = {
+        grant_type: 'authorization_code_1',
+      };
+
+      try {
+        await oauthController.token(body);
+
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(
+          err.message,
+          'Unsupported grant_type',
+          'got expected error message'
+        );
+        t.equal(err.statusCode, 400, 'got expected status code');
+      }
+
+      t.end();
+    }
+  );
+
+  t.test('Should throw an error if `code` is missing', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+    };
+
+    try {
+      await oauthController.token(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(err.message, 'Please specify code', 'got expected error message');
+      t.equal(err.statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `code` is invalid', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      client_secret: 'some-secret',
+      redirect_uri: null,
+      code: 'invalid-code',
+    };
+
+    try {
+      await oauthController.token(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(err.message, 'Invalid code', 'got expected error message');
+      t.equal(err.statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should return the `access_token` for a valid request', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      client_secret: 'some-secret',
+      redirect_uri: null,
+      code: code,
+    };
+
+    const stubRandomBytes = sinon.stub(crypto, 'randomBytes').returns(token);
+
+    const response = await oauthController.token(body);
+
+    t.ok(stubRandomBytes.calledOnce, 'randomBytes called once');
+    t.ok('access_token' in response, 'includes access_token');
+    t.ok('token_type' in response, 'includes token_type');
+    t.ok('expires_in' in response, 'includes expires_in');
+    t.match(response.access_token, token);
+    t.match(response.token_type, 'bearer');
+    t.match(response.expires_in, 300);
+
+    stubRandomBytes.reset();
+
+    t.end();
+  });
+
+  // TODO
+  t.test('Handle invalid client_id', async (t) => {
+    t.end();
+  });
+
+  t.end();
+});