@boxyhq/saml-jackson 0.1.6 → 0.2.1-beta.152

package/README.md

@@ -17,7 +17,7 @@ There are two ways to use this repo.
 
 ## Install as an npm library
 
-Jackson is available as an [npm package](https://www.npmjs.com/package/@boxyhq/saml-jackson) that can be integrated into Express.js routes. The library should be usable with other node.js web application frameworks but is currently untested. Please file an issue or submit a PR if you encounter any issues.
+Jackson is available as an [npm package](https://www.npmjs.com/package/@boxyhq/saml-jackson) that can be integrated into any web application framework (like Express.js for example). Please file an issue or submit a PR if you encounter any issues with your choice of framework.
 
 ```
 npm i @boxyhq/saml-jackson
@@ -75,33 +75,60 @@ router.post('/api/v1/saml/config', async (req, res) => {
 // OAuth 2.0 flow
 router.get('/oauth/authorize', async (req, res) => {
   try {
-    await oauthController.authorize(req, res);
+    const { redirect_url } = await oauthController.authorize(req.query);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 router.post('/oauth/saml', async (req, res) => {
   try {
-    await oauthController.samlResponse(req, res);
+    const { redirect_url } = await oauthController.samlResponse(req.body);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 router.post('/oauth/token', cors(), async (req, res) => {
   try {
-    await oauthController.token(req, res);
+    const result = await oauthController.token(req.body);
+
+    res.json(result);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 router.get('/oauth/userinfo', async (req, res) => {
   try {
-    await oauthController.userInfo(req, res);
+    let token = extractAuthToken(req);
+
+    // check for query param
+    if (!token) {
+      token = req.query.access_token;
+    }
+
+    if (!token) {
+      res.status(401).json({ message: 'Unauthorized' });
+    }
+
+    const profile = await oauthController.userInfo(token);
+
+    res.json(profile);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).json({ message });
   }
 });
 
@@ -209,6 +236,8 @@ https://localhost:5000/oauth/authorize
 
 - response_type=code: This is the only supported type for now but maybe extended in the future
 - client_id: Use the client_id returned by the SAML config API or use `tenant=<tenantID>&product=<productID>` to use the tenant and product IDs instead. **Note:** Please don't forget to URL encode the query parameters including `client_id`.
+- tenant: Optionally you can provide a dummy `client_id` and specify the `tenant` and `product` custom attributes (if your OAuth 2.0 library allows it).
+- product: Should be specified if specifying `tenant` above
 - redirect_uri: This is where the user will be taken back once the authorization flow is complete
 - state: Use a randomly generated string as the state, this will be echoed back as a query parameter when taking the user back to the `redirect_uri` above. You should validate the state to prevent XSRF attacks
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.1.6",
+  "version": "0.2.1-beta.152",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",
@@ -17,9 +17,9 @@
   "scripts": {
     "start": "cross-env IDP_ENABLED=true node src/jackson.js",
     "dev": "cross-env IDP_ENABLED=true nodemon src/jackson.js",
-    "mongo": "cross-env DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
-    "pre-loaded": "cross-env DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
-    "pre-loaded-db": "cross-env PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
+    "mongo": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
+    "pre-loaded": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
+    "pre-loaded-db": "cross-env JACKSON_API_KEYS=secret PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
     "test": "tap --timeout=100 src/**/*.test.js",
     "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d",
     "dev-dbs-destroy": "docker-compose -f ./_dev/docker-compose.yml down --volumes --remove-orphans"
@@ -57,10 +57,11 @@
     "lint-staged": "12.1.2",
     "nodemon": "2.0.15",
     "prettier": "2.5.1",
+    "sinon": "12.0.1",
     "tap": "15.1.5"
   },
   "lint-staged": {
     "*.js": "eslint --cache --fix",
     "*.{js,css,md}": "prettier --write"
   }
-}
+}

package/src/controller/error.js

@@ -0,0 +1,12 @@
+class JacksonError extends Error {
+  constructor(message, statusCode = 500) {
+    super(message);
+
+    this.name = this.constructor.name;
+    this.statusCode = statusCode;
+
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+module.exports = { JacksonError };

package/src/controller/oauth/redirect.js

@@ -6,12 +6,13 @@ module.exports = {
     res.redirect(url);
   },
 
-  success: (res, redirectUrl, params) => {
-    var url = new URL(redirectUrl);
+  success: (redirectUrl, params) => {
+    const url = new URL(redirectUrl);
+
     for (const [key, value] of Object.entries(params)) {
       url.searchParams.set(key, value);
     }
 
-    res.redirect(url);
+    return url.href;
   },
 };

package/src/controller/oauth.js

@@ -2,10 +2,11 @@ const crypto = require('crypto');
 
 const saml = require('../saml/saml.js');
 const codeVerifier = require('./oauth/code-verifier.js');
-const { indexNames, extractAuthToken } = require('./utils.js');
+const { indexNames } = require('./utils.js');
 const dbutils = require('../db/utils.js');
 const redirect = require('./oauth/redirect.js');
 const allowed = require('./oauth/allowed.js');
+const { JacksonError } = require('./error.js');
 
 let configStore;
 let sessionStore;
@@ -33,7 +34,7 @@ function getEncodedClientId(client_id) {
   }
 }
 
-const authorize = async (req, res) => {
+const authorize = async (body) => {
   const {
     response_type = 'code',
     client_id,
@@ -45,21 +46,34 @@ const authorize = async (req, res) => {
     code_challenge_method = '',
     // eslint-disable-next-line no-unused-vars
     provider = 'saml',
-  } = req.query;
+  } = body;
 
   if (!redirect_uri) {
-    return res.status(400).send('Please specify a redirect URL.');
+    throw new JacksonError('Please specify a redirect URL.', 400);
   }
 
   if (!state) {
-    return res
-      .status(400)
-      .send('Please specify a state to safeguard against XSRF attacks.');
+    throw new JacksonError(
+      'Please specify a state to safeguard against XSRF attacks.',
+      400
+    );
   }
 
   let samlConfig;
 
-  if (
+  if (tenant && product) {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+
+    if (!samlConfigs || samlConfigs.length === 0) {
+      throw new JacksonError('SAML configuration not found.', 403);
+    }
+
+    // TODO: Support multiple matches
+    samlConfig = samlConfigs[0];
+  } else if (
     client_id &&
     client_id !== '' &&
     client_id !== 'undefined' &&
@@ -74,7 +88,7 @@ const authorize = async (req, res) => {
       });
 
       if (!samlConfigs || samlConfigs.length === 0) {
-        return res.status(403).send('SAML configuration not found.');
+        throw new JacksonError('SAML configuration not found.', 403);
       }
 
       // TODO: Support multiple matches
@@ -83,25 +97,18 @@ const authorize = async (req, res) => {
       samlConfig = await configStore.get(client_id);
     }
   } else {
-    const samlConfigs = await configStore.getByIndex({
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    });
-
-    if (!samlConfigs || samlConfigs.length === 0) {
-      return res.status(403).send('SAML configuration not found.');
-    }
-
-    // TODO: Support multiple matches
-    samlConfig = samlConfigs[0];
+    throw new JacksonError(
+      'You need to specify client_id or tenant & product',
+      403
+    );
   }
 
   if (!samlConfig) {
-    return res.status(403).send('SAML configuration not found.');
+    throw new JacksonError('SAML configuration not found.', 403);
   }
 
   if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
-    return res.status(403).send('Redirect URL is not allowed.');
+    throw new JacksonError('Redirect URL is not allowed.', 403);
   }
 
   const samlReq = saml.request({
@@ -121,24 +128,26 @@ const authorize = async (req, res) => {
     code_challenge_method,
   });
 
-  return redirect.success(res, samlConfig.idpMetadata.sso.redirectUrl, {
+  const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
     RelayState: relayStatePrefix + sessionId,
     SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
   });
+
+  return { redirect_url: redirectUrl };
 };
 
-const samlResponse = async (req, res) => {
-  const { SAMLResponse } = req.body; // RelayState will contain the sessionId from earlier quasi-oauth flow
+const samlResponse = async (body) => {
+  const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
 
-  let RelayState = req.body.RelayState || '';
+  let RelayState = body.RelayState || '';
 
   if (!options.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
     // IDP is disabled so block the request
-    return res
-      .status(403)
-      .send(
-        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.'
-      );
+
+    throw new JacksonError(
+      'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+      403
+    );
   }
 
   if (!RelayState.startsWith(relayStatePrefix)) {
@@ -157,7 +166,7 @@ const samlResponse = async (req, res) => {
   });
 
   if (!samlConfigs || samlConfigs.length === 0) {
-    return res.status(403).send('SAML configuration not found.');
+    throw new JacksonError('SAML configuration not found.', 403);
   }
 
   // TODO: Support multiple matches
@@ -168,10 +177,9 @@ const samlResponse = async (req, res) => {
   if (RelayState !== '') {
     session = await sessionStore.get(RelayState);
     if (!session) {
-      return redirect.error(
-        res,
-        samlConfig.defaultRedirectUrl,
-        'Unable to validate state from the origin request.'
+      throw new JacksonError(
+        'Unable to validate state from the origin request.',
+        403
       );
     }
   }
@@ -207,7 +215,7 @@ const samlResponse = async (req, res) => {
     session.redirect_uri &&
     !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
   ) {
-    return res.status(403).send('Redirect URL is not allowed.');
+    throw new JacksonError('Redirect URL is not allowed.', 403);
   }
 
   let params = {
@@ -218,45 +226,48 @@ const samlResponse = async (req, res) => {
     params.state = session.state;
   }
 
-  return redirect.success(
-    res,
+  const redirectUrl = redirect.success(
     (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
     params
   );
+
+  return { redirect_url: redirectUrl };
 };
 
-const token = async (req, res) => {
+const token = async (body) => {
   const {
     client_id,
     client_secret,
     code_verifier,
     code,
     grant_type = 'authorization_code',
-  } = req.body;
+  } = body;
 
   if (grant_type !== 'authorization_code') {
-    return res.status(400).send('Unsupported grant_type');
+    throw new JacksonError('Unsupported grant_type', 400);
   }
 
   if (!code) {
-    return res.status(400).send('Please specify code');
+    throw new JacksonError('Please specify code', 400);
   }
 
   const codeVal = await codeStore.get(code);
   if (!codeVal || !codeVal.profile) {
-    return res.status(403).send('Invalid code');
+    throw new JacksonError('Invalid code', 403);
   }
 
   if (client_id && client_secret) {
     // check if we have an encoded client_id
-    const sp = getEncodedClientId(client_id);
-    if (!sp) {
-      // OAuth flow
-      if (
-        client_id !== codeVal.clientID ||
-        client_secret !== codeVal.clientSecret
-      ) {
-        return res.status(401).send('Invalid client_id or client_secret');
+    if (client_id !== 'dummy' && client_secret !== 'dummy') {
+      const sp = getEncodedClientId(client_id);
+      if (!sp) {
+        // OAuth flow
+        if (
+          client_id !== codeVal.clientID ||
+          client_secret !== codeVal.clientSecret
+        ) {
+          throw new JacksonError('Invalid client_id or client_secret', 401);
+        }
       }
     }
   } else if (code_verifier) {
@@ -267,12 +278,13 @@ const token = async (req, res) => {
     }
 
     if (codeVal.session.code_challenge !== cv) {
-      return res.status(401).send('Invalid code_verifier');
+      throw new JacksonError('Invalid code_verifier', 401);
     }
   } else if (codeVal && codeVal.session) {
-    return res
-      .status(401)
-      .send('Please specify client_secret or code_verifier');
+    throw new JacksonError(
+      'Please specify client_secret or code_verifier',
+      401
+    );
   }
 
   // store details against a token
@@ -280,24 +292,17 @@ const token = async (req, res) => {
 
   await tokenStore.put(token, codeVal.profile);
 
-  res.json({
+  return {
     access_token: token,
     token_type: 'bearer',
     expires_in: options.db.ttl,
-  });
+  };
 };
 
-const userInfo = async (req, res) => {
-  let token = extractAuthToken(req);
-
-  // check for query param
-  if (!token) {
-    token = req.query.access_token;
-  }
-
-  const profile = await tokenStore.get(token);
+const userInfo = async (token) => {
+  const { claims } = await tokenStore.get(token);
 
-  res.json(profile.claims);
+  return claims;
 };
 
 module.exports = (opts) => {

package/src/jackson.js

@@ -17,33 +17,60 @@ app.use(express.urlencoded({ extended: true }));
 
 app.get(oauthPath + '/authorize', async (req, res) => {
   try {
-    await oauthController.authorize(req, res);
+    const { redirect_url } = await oauthController.authorize(req.query);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.post(env.samlPath, async (req, res) => {
   try {
-    await oauthController.samlResponse(req, res);
+    const { redirect_url } = await oauthController.samlResponse(req.body);
+
+    res.redirect(redirect_url);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.post(oauthPath + '/token', cors(), async (req, res) => {
   try {
-    await oauthController.token(req, res);
+    const result = await oauthController.token(req.body);
+
+    res.json(result);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).send(message);
   }
 });
 
 app.get(oauthPath + '/userinfo', async (req, res) => {
   try {
-    await oauthController.userInfo(req, res);
+    let token = extractAuthToken(req);
+
+    // check for query param
+    if (!token) {
+      token = req.query.access_token;
+    }
+
+    if (!token) {
+      res.status(401).json({ message: 'Unauthorized' });
+    }
+
+    const profile = await oauthController.userInfo(token);
+
+    res.json(profile);
   } catch (err) {
-    res.status(500).send(err.message);
+    const { message, statusCode = 500 } = err;
+
+    res.status(statusCode).json({ message });
   }
 });
 

package/src/test/data/metadata/boxyhq.js

@@ -0,0 +1,6 @@
+module.exports = {
+  defaultRedirectUrl: 'http://localhost:3000/sso/oauth/completed',
+  redirectUrl: '["http://localhost:3000"]',
+  tenant: 'boxyhq.com',
+  product: 'crm',
+};

package/src/test/data/metadata/boxyhq.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2" validUntil="2026-06-22T18:39:53.000Z">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXo6K+u/MA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
+bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
+b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwNjIz
+MTgzOTUzWhcNMjYwNjIyMTgzOTUzWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
+TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA4qZcxwPiVka9GzGdQ9LVlgVkn3A7O3HtxR6RIm5AMaL4YZziEHt2HgxLdJZyXYJw
+yfT1KB2IHt+XDQBkgEpQVXuuwSPI8vhI8Jr+nr8zia3MMoy9vJF8ZG7HuWeakaKEh7tJqjYu1Cl9
+a81rkYdXAFUA+gl2q+stvK26xylAUwptCJSQo0NanWzCq+k5zvX0uLmh58+W5Yv11hDTtAoW+1dH
+LWUTHXPfoZINPRy5NGKJ2Onq5/D5XJRimNnUa2iYi0Yv9txp1RRq4dpB9MaVttt3iKyDo4/+8fg/
+bL8BLhguiOeqcP4DEIzMuExi3bZAOu2NC7k7Qf28nA81LzP9DQIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQARBNB3+MfmKr5WXNXXE9YwUzUGmpfbqUPXh2y2dOAkj6TzoekAsOLWB0p8oyJ5d1bFlTsx
+i1OY9RuFl0tc35Jbo+ae5GfUvJmbnYGi9z8sBL55HY6x3KQNmM/ehof7ttZwvB6nwuRxAiGYG497
+3tSzrqMQzEskcgX1mlCW0vks/ztCaayprDXcCUxWdP9FaiSZDEXV6PHhFZgGlRNvERsgaMDJgOsq
+v6hLX10Q9CtOWzqu18PI4DcfoZ7exWcC29yWvwZzDTfHGaSG1DtUFLwiQmhVUbfd7/fmLV+/iOxV
+zI0b5xSYZOJ7Kena7gd5zGVrc2ygKAFKiffiI5GLmLkv</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>

package/src/test/data/saml_response

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxzYW1sMnA6UmVzcG9uc2UgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovLzdlYTItMTAzLTE1My0xMDQtMTYxLm5ncm9rLmlvL3Nzby9vYXV0aC9zYW1sIiBJRD0iXzRkZmM5MjYwZDFjZTVlMDRhZTQ4ZTg4ZWJkNGNlOTY3IiBJblJlc3BvbnNlVG89Il9kYWNkMTRhZGVmMmNiMDc1NGM5NiIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA2VDE1OjIzOjA3LjM2MFoiIFZlcnNpb249IjIuMCI+DQogICA8c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9zYW1sMjwvc2FtbDI6SXNzdWVyPg0KICAgPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICA8ZHM6U2lnbmVkSW5mbz4NCiAgICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPg0KICAgICAgICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiIC8+DQogICAgICAgICA8ZHM6UmVmZXJlbmNlIFVSST0iI180ZGZjOTI2MGQxY2U1ZTA0YWU0OGU4OGViZDRjZTk2NyI+DQogICAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz4NCiAgICAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+DQogICAgICAgICAgICA8L2RzOlRyYW5zZm9ybXM+DQogICAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPg0KICAgICAgICAgICAgPGRzOkRpZ2VzdFZhbHVlPjI3Vy9EZTVKTlZIWkk1VTVKZGIvUi9mUXIya0pmd1VPbk0vVlRmQ1ZwQU09PC9kczpEaWdlc3RWYWx1ZT4NCiAgICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPm4vWCsvb0ZzK3JNU2gxMlg4dnowWlNkNlFpcU50eTY3RnFVbVNwdGllRmNoM0NScGQzZ2dpSHNwTTlMcm9MWjZVZGlsbThtdFZqTkgNCi9ob21yWDNvVEQ4UStxdzNiSllOTEptNEQvRWNmZmRDNmpSb0RJZzRYeFYxYlBVaWhQTnI4dlBFZEF2eEdwNTNiZ2MyREJsWkJpT3gNCnh4RlBSbEtnajJDWjh5SWk1R05FMUVTYms2SEtjY3g4R2dxWmtSYkVRbWtnbVMxZG1xcGl5bUpQM3orMHlaaXQyZ3dwQW5WVjNCMDUNCnZOcy8rSTFzRlZLaHNWcTc4QzZNWlZzV1pUSi80RFhadWhVSnpLNElTSU11b1RqUWFacEZMeEpBKzlhZzIvcm9OMjkwcitpcTZ5MVQNCjNHSlF1TlBPU0JVS1NpWlZVNmdwTldRRDBxckFxSWFQUFpOZnp3PT08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgICA8ZHM6WDUwOURhdGE+DQogICAgICAgICAgICA8ZHM6WDUwOVN1YmplY3ROYW1lPlNUPUNhbGlmb3JuaWEsQz1VUyxPVT1Hb29nbGUgRm9yIFdvcmssQ049R29vZ2xlLEw9TW91bnRhaW4gVmlldyxPPUdvb2dsZSBJbmMuPC9kczpYNTA5U3ViamVjdE5hbWU+DQogICAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURkRENDQWx5Z0F3SUJBZ0lHQVhvNksrdS9NQTBHQ1NxR1NJYjNEUUVCQ3dVQU1Ic3hGREFTQmdOVkJBb1RDMGR2YjJkc1pTQkoNCmJtTXVNUll3RkFZRFZRUUhFdzFOYjNWdWRHRnBiaUJXYVdWM01ROHdEUVlEVlFRREV3WkhiMjluYkdVeEdEQVdCZ05WQkFzVEQwZHYNCmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTWpFd05qSXoNCk1UZ3pPVFV6V2hjTk1qWXdOakl5TVRnek9UVXpXakI3TVJRd0VnWURWUVFLRXd0SGIyOW5iR1VnU1c1akxqRVdNQlFHQTFVRUJ4TU4NClRXOTFiblJoYVc0Z1ZtbGxkekVQTUEwR0ExVUVBeE1HUjI5dloyeGxNUmd3RmdZRFZRUUxFdzlIYjI5bmJHVWdSbTl5SUZkdmNtc3gNCkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEENCk1JSUJDZ0tDQVFFQTRxWmN4d1BpVmthOUd6R2RROUxWbGdWa24zQTdPM0h0eFI2UkltNUFNYUw0WVp6aUVIdDJIZ3hMZEpaeVhZSncNCnlmVDFLQjJJSHQrWERRQmtnRXBRVlh1dXdTUEk4dmhJOEpyK25yOHppYTNNTW95OXZKRjhaRzdIdVdlYWthS0VoN3RKcWpZdTFDbDkNCmE4MXJrWWRYQUZVQStnbDJxK3N0dksyNnh5bEFVd3B0Q0pTUW8wTmFuV3pDcStrNXp2WDB1TG1oNTgrVzVZdjExaERUdEFvVysxZEgNCkxXVVRIWFBmb1pJTlBSeTVOR0tKMk9ucTUvRDVYSlJpbU5uVWEyaVlpMFl2OXR4cDFSUnE0ZHBCOU1hVnR0dDNpS3lEbzQvKzhmZy8NCmJMOEJMaGd1aU9lcWNQNERFSXpNdUV4aTNiWkFPdTJOQzdrN1FmMjhuQTgxTHpQOURRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUENCkE0SUJBUUFSQk5CMytNZm1LcjVXWE5YWEU5WXdVelVHbXBmYnFVUFhoMnkyZE9Ba2o2VHpvZWtBc09MV0IwcDhveUo1ZDFiRmxUc3gNCmkxT1k5UnVGbDB0YzM1SmJvK2FlNUdmVXZKbWJuWUdpOXo4c0JMNTVIWTZ4M0tRTm1NL2Vob2Y3dHRad3ZCNm53dVJ4QWlHWUc0OTcNCjN0U3pycU1RekVza2NnWDFtbENXMHZrcy96dENhYXlwckRYY0NVeFdkUDlGYWlTWkRFWFY2UEhoRlpnR2xSTnZFUnNnYU1ESmdPc3ENCnY2aExYMTBROUN0T1d6cXUxOFBJNERjZm9aN2V4V2NDMjl5V3Z3WnpEVGZIR2FTRzFEdFVGTHdpUW1oVlViZmQ3L2ZtTFYrL2lPeFYNCnpJMGI1eFNZWk9KN0tlbmE3Z2Q1ekdWcmMyeWdLQUZLaWZmaUk1R0xtTGt2PC9kczpYNTA5Q2VydGlmaWNhdGU+DQogICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgPC9kczpTaWduYXR1cmU+DQogICA8c2FtbDJwOlN0YXR1cz4NCiAgICAgIDxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIiAvPg0KICAgPC9zYW1sMnA6U3RhdHVzPg0KICAgPHNhbWwyOkFzc2VydGlvbiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il8xMWZkN2U5MDdjZmNiMTEwODM3NjI5OGM1Nzc0ZjgyNyIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA2VDE1OjIzOjA3LjM2MFoiIFZlcnNpb249IjIuMCI+DQogICAgICA8c2FtbDI6SXNzdWVyPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyPC9zYW1sMjpJc3N1ZXI+DQogICAgICA8c2FtbDI6U3ViamVjdD4NCiAgICAgICAgIDxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPmtpcmFuQGRlbW8uY29tPC9zYW1sMjpOYW1lSUQ+DQogICAgICAgICA8c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICAgICAgPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iX2RhY2QxNGFkZWYyY2IwNzU0Yzk2IiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMTItMDZUMTU6Mjg6MDcuMzYwWiIgUmVjaXBpZW50PSJodHRwczovLzdlYTItMTAzLTE1My0xMDQtMTYxLm5ncm9rLmlvL3Nzby9vYXV0aC9zYW1sIiAvPg0KICAgICAgICAgPC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgICAgPC9zYW1sMjpTdWJqZWN0Pg0KICAgICAgPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIxLTEyLTA2VDE1OjE4OjA3LjM2MFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0xMi0wNlQxNToyODowNy4zNjBaIj4NCiAgICAgICAgIDxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICAgICAgPHNhbWwyOkF1ZGllbmNlPmh0dHBzOi8vc2FtbC5ib3h5aHEuY29tPC9zYW1sMjpBdWRpZW5jZT4NCiAgICAgICAgIDwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgIDwvc2FtbDI6Q29uZGl0aW9ucz4NCiAgICAgIDxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIuZW1haWwiPg0KICAgICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPmtpcmFuQGRlbW8uY29tPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgICAgIDwvc2FtbDI6QXR0cmlidXRlPg0KICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ1c2VyLmZpcnN0TmFtZSI+DQogICAgICAgICAgICA8c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6YW55VHlwZSI+S2lyYW48L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgPC9zYW1sMjpBdHRyaWJ1dGU+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIuaWQiIC8+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9InVzZXIubGFzdE5hbWUiPg0KICAgICAgICAgICAgPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPks8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgPC9zYW1sMjpBdHRyaWJ1dGU+DQogICAgICAgICA8c2FtbDI6QXR0cmlidXRlIE5hbWU9Im1lbWJlci1vZiIgLz4NCiAgICAgIDwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMS0xMi0wNlQxNToxNzowNS4wMDBaIiBTZXNzaW9uSW5kZXg9Il8xMWZkN2U5MDdjZmNiMTEwODM3NjI5OGM1Nzc0ZjgyNyI+DQogICAgICAgICA8c2FtbDI6QXV0aG5Db250ZXh0Pg0KICAgICAgICAgICAgPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgICAgIDwvc2FtbDI6QXV0aG5Db250ZXh0Pg0KICAgICAgPC9zYW1sMjpBdXRoblN0YXRlbWVudD4NCiAgIDwvc2FtbDI6QXNzZXJ0aW9uPg0KPC9zYW1sMnA6UmVzcG9uc2U+

package/src/test/oauth.test.js

@@ -0,0 +1,342 @@
+const tap = require('tap');
+const { promises: fs } = require('fs');
+const path = require('path');
+const sinon = require('sinon');
+const crypto = require('crypto');
+
+const readConfig = require('../read-config');
+const saml = require('../saml/saml');
+
+let apiController;
+let oauthController;
+
+const code = '1234567890';
+const token = '24c1550190dd6a5a9bd6fe2a8ff69d593121c7b9';
+
+const metadataPath = path.join(__dirname, '/data/metadata');
+
+const options = {
+  externalUrl: 'https://my-cool-app.com',
+  samlAudience: 'https://saml.boxyhq.com',
+  samlPath: '/sso/oauth/saml',
+  db: {
+    engine: 'mem',
+  },
+};
+
+const samlConfig = {
+  tenant: 'boxyhq.com',
+  product: 'crm',
+  redirectUrl: '["http://localhost:3000/*"]',
+  defaultRedirectUrl: 'http://localhost:3000/login/saml',
+  rawMetadata: null,
+};
+
+const addMetadata = async (metadataPath) => {
+  const configs = await readConfig(metadataPath);
+
+  for (const config of configs) {
+    await apiController.config(config);
+  }
+};
+
+tap.before(async () => {
+  const controller = await require('../index.js')(options);
+
+  apiController = controller.apiController;
+  oauthController = controller.oauthController;
+
+  await addMetadata(metadataPath);
+});
+
+tap.teardown(async () => {
+  process.exit(0);
+});
+
+tap.test('authorize()', async (t) => {
+  t.test('Should throw an error if `redirect_uri` null', async (t) => {
+    const body = {
+      redirect_uri: null,
+      state: 'state',
+    };
+
+    try {
+      await oauthController.authorize(body);
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'Please specify a redirect URL.',
+        'got expected error message'
+      );
+      t.equal(err.statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `state` null', async (t) => {
+    const body = {
+      redirect_uri: 'https://example.com/',
+      state: null,
+    };
+
+    try {
+      await oauthController.authorize(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'Please specify a state to safeguard against XSRF attacks.',
+        'got expected error message'
+      );
+      t.equal(err.statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `client_id` is invalid', async (t) => {
+    const body = {
+      redirect_uri: 'https://example.com/',
+      state: 'state-123',
+      client_id: '27fa9a11875ec3a0',
+    };
+
+    try {
+      await oauthController.authorize(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'SAML configuration not found.',
+        'got expected error message'
+      );
+      t.equal(err.statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test(
+    'Should throw an error if `redirect_uri` is not allowed',
+    async (t) => {
+      const body = {
+        redirect_uri: 'https://example.com/',
+        state: 'state-123',
+        client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      };
+
+      try {
+        await oauthController.authorize(body);
+
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(
+          err.message,
+          'Redirect URL is not allowed.',
+          'got expected error message'
+        );
+        t.equal(err.statusCode, 403, 'got expected status code');
+      }
+
+      t.end();
+    }
+  );
+
+  t.test('Should return the Idp SSO URL', async (t) => {
+    const body = {
+      redirect_uri: samlConfig.defaultRedirectUrl,
+      state: 'state-123',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+    };
+
+    const response = await oauthController.authorize(body);
+    const params = new URLSearchParams(new URL(response.redirect_url).search);
+
+    t.ok('redirect_url' in response, 'got the Idp authorize URL');
+    t.ok(params.has('RelayState'), 'RelayState present in the query string');
+    t.ok(params.has('SAMLRequest'), 'SAMLRequest present in the query string');
+
+    t.end();
+  });
+
+  t.end();
+});
+
+tap.test('samlResponse()', async (t) => {
+  const authBody = {
+    redirect_uri: samlConfig.defaultRedirectUrl,
+    state: 'state-123',
+    client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+  };
+
+  const { redirect_url } = await oauthController.authorize(authBody);
+
+  const relayState = new URLSearchParams(new URL(redirect_url).search).get(
+    'RelayState'
+  );
+
+  const rawResponse = await fs.readFile(
+    path.join(__dirname, '/data/saml_response'),
+    'utf8'
+  );
+
+  t.test('Should throw an error if `RelayState` is missing', async (t) => {
+    const responseBody = {
+      SAMLResponse: rawResponse,
+    };
+
+    try {
+      await oauthController.samlResponse(responseBody);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(
+        err.message,
+        'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
+        'got expected error message'
+      );
+
+      t.equal(err.statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test(
+    'Should return a URL with code and state as query params',
+    async (t) => {
+      const responseBody = {
+        SAMLResponse: rawResponse,
+        RelayState: relayState,
+      };
+
+      const stubValidateAsync = sinon.stub(saml, 'validateAsync').returns({
+        id: 1,
+        email: 'john@example.com',
+        firstName: 'John',
+        lastName: 'Doe',
+      });
+
+      const stubRandomBytes = sinon.stub(crypto, 'randomBytes').returns(code);
+
+      const response = await oauthController.samlResponse(responseBody);
+
+      const params = new URLSearchParams(new URL(response.redirect_url).search);
+
+      t.ok(stubValidateAsync.calledOnce, 'randomBytes called once');
+      t.ok(stubRandomBytes.calledOnce, 'validateAsync called once');
+      t.ok('redirect_url' in response, 'response contains redirect_url');
+      t.ok(params.has('code'), 'query string includes code');
+      t.ok(params.has('state'), 'query string includes state');
+      t.match(params.get('state'), authBody.state, 'state value is valid');
+
+      stubRandomBytes.restore();
+      stubValidateAsync.restore();
+
+      t.end();
+    }
+  );
+
+  t.end();
+});
+
+tap.test('token()', (t) => {
+  t.test(
+    'Should throw an error if `grant_type` is not `authorization_code`',
+    async (t) => {
+      const body = {
+        grant_type: 'authorization_code_1',
+      };
+
+      try {
+        await oauthController.token(body);
+
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(
+          err.message,
+          'Unsupported grant_type',
+          'got expected error message'
+        );
+        t.equal(err.statusCode, 400, 'got expected status code');
+      }
+
+      t.end();
+    }
+  );
+
+  t.test('Should throw an error if `code` is missing', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+    };
+
+    try {
+      await oauthController.token(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(err.message, 'Please specify code', 'got expected error message');
+      t.equal(err.statusCode, 400, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should throw an error if `code` is invalid', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      client_secret: 'some-secret',
+      redirect_uri: null,
+      code: 'invalid-code',
+    };
+
+    try {
+      await oauthController.token(body);
+
+      t.fail('Expecting JacksonError.');
+    } catch (err) {
+      t.equal(err.message, 'Invalid code', 'got expected error message');
+      t.equal(err.statusCode, 403, 'got expected status code');
+    }
+
+    t.end();
+  });
+
+  t.test('Should return the `access_token` for a valid request', async (t) => {
+    const body = {
+      grant_type: 'authorization_code',
+      client_id: `tenant=${samlConfig.tenant}&product=${samlConfig.product}`,
+      client_secret: 'some-secret',
+      redirect_uri: null,
+      code: code,
+    };
+
+    const stubRandomBytes = sinon.stub(crypto, 'randomBytes').returns(token);
+
+    const response = await oauthController.token(body);
+
+    t.ok(stubRandomBytes.calledOnce, 'randomBytes called once');
+    t.ok('access_token' in response, 'includes access_token');
+    t.ok('token_type' in response, 'includes token_type');
+    t.ok('expires_in' in response, 'includes expires_in');
+    t.match(response.access_token, token);
+    t.match(response.token_type, 'bearer');
+    t.match(response.expires_in, 300);
+
+    stubRandomBytes.reset();
+
+    t.end();
+  });
+
+  // TODO
+  t.test('Handle invalid client_id', async (t) => {
+    t.end();
+  });
+
+  t.end();
+});