@boxyhq/saml-jackson 0.2.2 → 0.2.4

package/.github/workflows/main.yml

@@ -98,7 +98,7 @@ jobs:
 
       - name: Get short SHA
         id: slug
-        run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-7)"
+        run: echo "::set-output name=sha7::$(echo ${GITHUB_SHA} | cut -c1-7)"
 
       - name: Set up Docker Buildx
         id: buildx
@@ -117,7 +117,7 @@ jobs:
           context: ./
           file: ./Dockerfile
           push: true
-          tags: ${{ github.repository }}:latest,${{ github.repository }}:${{ steps.slug.outputs.sha8 }}
+          tags: ${{ github.repository }}:latest,${{ github.repository }}:${{ steps.slug.outputs.sha7 }}
 
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}

package/Dockerfile

@@ -1,5 +1,5 @@
 # Install dependencies only when needed
-FROM node:16.9.1-alpine3.14 AS deps
+FROM node:16.13.1-alpine3.14 AS deps
 # Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
 RUN apk add --no-cache libc6-compat
 WORKDIR /app
@@ -8,7 +8,7 @@ COPY package.json package-lock.json ./
 RUN npm ci --only=production
 
 # Production image, copy all the files and run next
-FROM node:16.9.1-alpine3.14 AS runner
+FROM node:16.13.1-alpine3.14 AS runner
 WORKDIR /app
 
 ENV NODE_OPTIONS="--max-http-header-size=81920"

package/README.md

@@ -85,7 +85,21 @@ router.get('/api/v1/saml/config', async (req, res) => {
     });
   }
 });
+// delete config
+router.delete('/api/v1/saml/config', async (req, res) => {
+  try {
+    // apply your authentication flow (or ensure this route has passed through your auth middleware)
+    ...
 
+    // only when properly authenticated, call the config function
+    await apiController.deleteConfig(req.body);
+    res.status(200).end();
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
 // OAuth 2.0 flow
 router.get('/oauth/authorize', async (req, res) => {
   try {
@@ -228,6 +242,26 @@ curl -G --location 'http://localhost:6000/api/v1/saml/config' \
 
 The response returns a JSON with `provider` indicating the domain of your Identity Provider. If an empty JSON payload is returned then we do not have any configuration stored for the attributes you requested.
 
+#### 2.2 SAML delete config API
+
+This endpoint can be used to delete an existing IdP metadata.
+
+```
+curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'tenant=boxyhq.com' \
+--data-urlencode 'product=demo'
+```
+
+```
+curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'clientID=<Client ID>'
+--data-urlencode 'clientSecret=<Client Secret>'
+```
+
 ### 3. OAuth 2.0 Flow
 
 Jackson has been designed to abstract the SAML login flow as a pure OAuth 2.0 flow. This means it's compatible with any standard OAuth 2.0 library out there, both client-side and server-side. It is important to remember that SAML is configured per customer unlike OAuth 2.0 where you can have a single OAuth app supporting logins for all customers.
@@ -293,7 +327,7 @@ The short-lived access token can now be used to request the user's profile. You'
 
 ```
 curl --request GET \
-  --url https://localhost:5000/oauth/me \
+  --url https://localhost:5000/oauth/userinfo \
   --header 'authorization: Bearer <access token>' \
   --header 'content-type: application/json'
 ```

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",
   "engines": {
-    "node": ">=14.18.1"
+    "node": ">=14.x"
   },
   "repository": {
     "type": "git",
@@ -64,4 +64,4 @@
     "*.js": "eslint --cache --fix",
     "*.{js,css,md}": "prettier --write"
   }
-}
+}

package/src/controller/api.js

@@ -127,10 +127,41 @@ const getConfig = async (body) => {
   }
 };
 
+const deleteConfig = async (body) => {
+  const { clientID, clientSecret, tenant, product } = body;
+
+  if (clientID) {
+    if (!clientSecret) {
+      throw new JacksonError('Please provide clientSecret', 400);
+    }
+    const samlConfig = await configStore.get(clientID);
+    if (!samlConfig) {
+      return;
+    }
+    if (samlConfig.clientSecret === clientSecret) {
+      await configStore.delete(clientID);
+    } else {
+      throw new JacksonError('clientSecret mismatch', 400);
+    }
+  } else {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+    if (!samlConfigs || !samlConfigs.length) {
+      return;
+    }
+    for (const conf of samlConfigs) {
+      await configStore.delete(conf.clientID);
+    }
+  }
+};
+
 module.exports = (opts) => {
   configStore = opts.configStore;
   return {
     config,
     getConfig,
+    deleteConfig,
   };
 };

package/src/jackson.js

@@ -130,6 +130,22 @@ internalApp.get(apiPath + '/config', async (req, res) => {
   }
 });
 
+internalApp.delete(apiPath + '/config', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+    await apiController.deleteConfig(req.body);
+    res.status(200).end();
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
+
 let internalServer = server;
 if (env.useInternalServer) {
   internalServer = internalApp.listen(env.internalHostPort, async () => {

package/src/test/api.test.js

@@ -143,10 +143,35 @@ tap.test('controller/api', async (t) => {
       );
       t.equal(response.provider, PROVIDER);
 
-      const savedConf = await apiController.getConfig({
+      let savedConf = await apiController.getConfig({
         clientID: CLIENT_ID,
       });
       t.equal(savedConf.provider, PROVIDER);
+      try {
+        await apiController.deleteConfig({ clientID: CLIENT_ID });
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(err.message, 'Please provide clientSecret');
+        t.equal(err.statusCode, 400);
+      }
+      try {
+        await apiController.deleteConfig({
+          clientID: CLIENT_ID,
+          clientSecret: 'xxxxx',
+        });
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(err.message, 'clientSecret mismatch');
+        t.equal(err.statusCode, 400);
+      }
+      await apiController.deleteConfig({
+        clientID: CLIENT_ID,
+        clientSecret: 'f3b0f91eb8f4a9f7cc2254e08682d50b05b5d36262929e7f',
+      });
+      savedConf = await apiController.getConfig({
+        clientID: CLIENT_ID,
+      });
+      t.same(savedConf, {}, 'should return empty config');
 
       dbutils.keyDigest.restore();
       crypto.randomBytes.restore();