@boxyhq/saml-jackson 0.2.3-beta.177 → 0.2.3-beta.210

package/ nodemon.json

@@ -0,0 +1,12 @@
+{
+  "restartable": "rs",
+  "ignore": [".git", "node_modules/", "dist/", "coverage/"],
+  "watch": ["src/"],
+  "execMap": {
+    "ts": "node -r ts-node/register"
+  },
+  "env": {
+    "NODE_ENV": "development"
+  },
+  "ext": "js,json,ts"
+}

package/.nyc_output/36a3e9e1-42eb-468d-a9ec-8d206fedcd3e.json

@@ -0,0 +1 @@
+{}

package/.nyc_output/8c0af85a-b807-45bb-8331-20c3aabe15df.json

@@ -0,0 +1 @@
+{}

package/.nyc_output/ad148b90-7401-4df2-959f-3fdcf81a06ec.json

@@ -0,0 +1 @@
+{}

package/.nyc_output/processinfo/36a3e9e1-42eb-468d-a9ec-8d206fedcd3e.json

@@ -0,0 +1 @@
+{"parent":"ad148b90-7401-4df2-959f-3fdcf81a06ec","pid":3634,"argv":["/opt/hostedtoolcache/node/16.13.1/x64/bin/node","/home/runner/work/jackson/jackson/src/test/oauth.test.ts"],"execArgv":["-r","/home/runner/work/jackson/jackson/node_modules/ts-node/register/index.js"],"cwd":"/home/runner/work/jackson/jackson","time":1640721639279,"ppid":3619,"coverageFilename":"/home/runner/work/jackson/jackson/.nyc_output/36a3e9e1-42eb-468d-a9ec-8d206fedcd3e.json","externalId":"src/test/oauth.test.ts","uuid":"36a3e9e1-42eb-468d-a9ec-8d206fedcd3e","files":[]}

package/.nyc_output/processinfo/8c0af85a-b807-45bb-8331-20c3aabe15df.json

@@ -0,0 +1 @@
+{"parent":"ad148b90-7401-4df2-959f-3fdcf81a06ec","pid":3630,"argv":["/opt/hostedtoolcache/node/16.13.1/x64/bin/node","/home/runner/work/jackson/jackson/src/test/api.test.ts"],"execArgv":["-r","/home/runner/work/jackson/jackson/node_modules/ts-node/register/index.js"],"cwd":"/home/runner/work/jackson/jackson","time":1640721639268,"ppid":3619,"coverageFilename":"/home/runner/work/jackson/jackson/.nyc_output/8c0af85a-b807-45bb-8331-20c3aabe15df.json","externalId":"src/test/api.test.ts","uuid":"8c0af85a-b807-45bb-8331-20c3aabe15df","files":[]}

package/.nyc_output/processinfo/ad148b90-7401-4df2-959f-3fdcf81a06ec.json

@@ -0,0 +1 @@
+{"parent":null,"pid":3619,"argv":["/opt/hostedtoolcache/node/16.13.1/x64/bin/node","/home/runner/work/jackson/jackson/node_modules/.bin/tap","--ts","--timeout=100","src/test/api.test.ts","src/test/oauth.test.ts"],"execArgv":[],"cwd":"/home/runner/work/jackson/jackson","time":1640721638827,"ppid":3608,"coverageFilename":"/home/runner/work/jackson/jackson/.nyc_output/ad148b90-7401-4df2-959f-3fdcf81a06ec.json","externalId":"","uuid":"ad148b90-7401-4df2-959f-3fdcf81a06ec","files":[]}

package/.nyc_output/processinfo/index.json

@@ -0,0 +1 @@
+{"processes":{"36a3e9e1-42eb-468d-a9ec-8d206fedcd3e":{"parent":"ad148b90-7401-4df2-959f-3fdcf81a06ec","externalId":"src/test/oauth.test.ts","children":[]},"8c0af85a-b807-45bb-8331-20c3aabe15df":{"parent":"ad148b90-7401-4df2-959f-3fdcf81a06ec","externalId":"src/test/api.test.ts","children":[]},"ad148b90-7401-4df2-959f-3fdcf81a06ec":{"parent":null,"children":["36a3e9e1-42eb-468d-a9ec-8d206fedcd3e","8c0af85a-b807-45bb-8331-20c3aabe15df"]}},"files":{},"externalIds":{"src/test/oauth.test.ts":{"root":"36a3e9e1-42eb-468d-a9ec-8d206fedcd3e","children":[]},"src/test/api.test.ts":{"root":"8c0af85a-b807-45bb-8331-20c3aabe15df","children":[]}}}

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.3-beta.177",
+  "version": "0.2.3-beta.210",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
-  "main": "src/index.js",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
   "engines": {
     "node": ">=14.18.1"
   },
@@ -15,12 +16,14 @@
     "SAML 2.0"
   ],
   "scripts": {
+    "build": "tsc",
     "start": "cross-env IDP_ENABLED=true node src/jackson.js",
     "dev": "cross-env IDP_ENABLED=true nodemon src/jackson.js",
-    "mongo": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson nodemon src/jackson.js",
+    "mongo": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mongo DB_URL=mongodb://localhost:27017/jackson DB_ENCRYPTION_KEY=RiVoTxDoLUUoIUOp224abMxK6PGGfFuF nodemon --config nodemon.json src/jackson.ts",
+    "sql": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=sql DB_TYPE=postgres DB_URL=postgres://postgres:postgres@localhost:5432/jackson DB_ENCRYPTION_KEY=RiVoTxDoLUUoIUOp224abMxK6PGGfFuF nodemon src/jackson.js",
     "pre-loaded": "cross-env JACKSON_API_KEYS=secret DB_ENGINE=mem PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
     "pre-loaded-db": "cross-env JACKSON_API_KEYS=secret PRE_LOADED_CONFIG='./_config' nodemon src/jackson.js",
-    "test": "tap --timeout=100 src/**/*.test.js",
+    "test": "tap --ts --timeout=100 src/**/*.test.ts",
     "dev-dbs": "docker-compose -f ./_dev/docker-compose.yml up -d",
     "dev-dbs-destroy": "docker-compose -f ./_dev/docker-compose.yml down --volumes --remove-orphans"
   },
@@ -33,15 +36,15 @@
   },
   "dependencies": {
     "@boxyhq/saml20": "0.2.0",
-    "@peculiar/webcrypto": "1.2.2",
-    "@peculiar/x509": "1.6.0",
+    "@peculiar/webcrypto": "1.2.3",
+    "@peculiar/x509": "1.6.1",
     "cors": "2.8.5",
-    "express": "4.17.1",
-    "mongodb": "4.2.1",
+    "express": "4.17.2",
+    "mongodb": "4.2.2",
     "mysql2": "2.3.3",
     "pg": "8.7.1",
     "rambda": "6.9.0",
-    "redis": "4.0.0-rc.4",
+    "redis": "4.0.1",
     "reflect-metadata": "0.1.13",
     "ripemd160": "2.0.2",
     "thumbprint": "0.0.1",
@@ -51,17 +54,22 @@
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
+    "@types/redis": "4.0.11",
+    "@types/sinon": "10.0.6",
+    "@types/tap": "15.0.5",
     "cross-env": "7.0.3",
-    "eslint": "8.4.0",
+    "eslint": "8.5.0",
     "husky": "7.0.4",
-    "lint-staged": "12.1.2",
+    "lint-staged": "12.1.4",
     "nodemon": "2.0.15",
     "prettier": "2.5.1",
     "sinon": "12.0.1",
-    "tap": "15.1.5"
+    "tap": "15.1.5",
+    "ts-node": "10.4.0",
+    "typescript": "4.5.4"
   },
   "lint-staged": {
-    "*.js": "eslint --cache --fix",
-    "*.{js,css,md}": "prettier --write"
+    "*.{js,ts}": "eslint --cache --fix",
+    "*.{js,ts,css,md}": "prettier --write"
   }
-}
+}

package/.eslintrc.js

@@ -1,13 +0,0 @@
-module.exports = {
-    "env": {
-        "es2021": true,
-        "node": true
-    },
-    "extends": "eslint:recommended",
-    "parserOptions": {
-        "ecmaVersion": 13,
-        "sourceType": "module"
-    },
-    "rules": {
-    }
-};

package/prettier.config.js

@@ -1,4 +0,0 @@
-module.exports = {
-  singleQuote: true,
-  trailingComma: 'es5',
-};

package/src/controller/api.js

@@ -1,167 +0,0 @@
-const saml = require('../saml/saml.js');
-const x509 = require('../saml/x509.js');
-const dbutils = require('../db/utils.js');
-const { indexNames } = require('./utils.js');
-const { JacksonError } = require('./error.js');
-
-const crypto = require('crypto');
-
-let configStore;
-
-const extractHostName = (url) => {
-  try {
-    const pUrl = new URL(url);
-    if (pUrl.hostname.startsWith('www.')) {
-      return pUrl.hostname.substring(4);
-    }
-    return pUrl.hostname;
-  } catch (err) {
-    return null;
-  }
-};
-
-const config = async (body) => {
-  const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } =
-    body;
-
-  if (!rawMetadata) {
-    throw new JacksonError('Please provide rawMetadata', 400);
-  }
-
-  if (!defaultRedirectUrl) {
-    throw new JacksonError('Please provide a defaultRedirectUrl', 400);
-  }
-
-  if (!redirectUrl) {
-    throw new JacksonError('Please provide redirectUrl', 400);
-  }
-
-  if (!tenant) {
-    throw new JacksonError('Please provide tenant', 400);
-  }
-
-  if (!product) {
-    throw new JacksonError('Please provide product', 400);
-  }
-
-  const idpMetadata = await saml.parseMetadataAsync(rawMetadata);
-
-  // extract provider
-  let providerName = extractHostName(idpMetadata.entityID);
-  if (!providerName) {
-    providerName = extractHostName(
-      idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl
-    );
-  }
-
-  idpMetadata.provider = providerName ? providerName : 'Unknown';
-
-  let clientID = dbutils.keyDigest(
-    dbutils.keyFromParts(tenant, product, idpMetadata.entityID)
-  );
-  let clientSecret;
-
-  let exists = await configStore.get(clientID);
-  if (exists) {
-    clientSecret = exists.clientSecret;
-  } else {
-    clientSecret = crypto.randomBytes(24).toString('hex');
-  }
-
-  const certs = await x509.generate();
-  if (!certs) {
-    throw new Error('Error generating x59 certs');
-  }
-
-  await configStore.put(
-    clientID,
-    {
-      idpMetadata,
-      defaultRedirectUrl,
-      redirectUrl: JSON.parse(redirectUrl), // redirectUrl is a stringified array
-      tenant,
-      product,
-      clientID,
-      clientSecret,
-      certs,
-    },
-    {
-      // secondary index on entityID
-      name: indexNames.entityID,
-      value: idpMetadata.entityID,
-    },
-    {
-      // secondary index on tenant + product
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    }
-  );
-
-  return {
-    client_id: clientID,
-    client_secret: clientSecret,
-    provider: idpMetadata.provider,
-  };
-};
-
-const getConfig = async (body) => {
-  const { clientID, tenant, product } = body;
-
-  if (clientID) {
-    const samlConfig = await configStore.get(clientID);
-    if (!samlConfig) {
-      return {};
-    }
-
-    return { provider: samlConfig.idpMetadata.provider };
-  } else {
-    const samlConfigs = await configStore.getByIndex({
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    });
-    if (!samlConfigs || !samlConfigs.length) {
-      return {};
-    }
-
-    return { provider: samlConfigs[0].idpMetadata.provider };
-  }
-};
-
-const deleteConfig = async (body) => {
-  const { clientID, clientSecret, tenant, product } = body;
-
-  if (clientID) {
-    if (!clientSecret) {
-      throw new JacksonError('Please provide clientSecret', 400);
-    }
-    const samlConfig = await configStore.get(clientID);
-    if (!samlConfig) {
-      return;
-    }
-    if (samlConfig.clientSecret === clientSecret) {
-      await configStore.delete(clientID);
-    } else {
-      throw new JacksonError('clientSecret mismatch', 400);
-    }
-  } else {
-    const samlConfigs = await configStore.getByIndex({
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    });
-    if (!samlConfigs || !samlConfigs.length) {
-      return;
-    }
-    for (const conf of samlConfigs) {
-      await configStore.delete(conf.clientID);
-    }
-  }
-};
-
-module.exports = (opts) => {
-  configStore = opts.configStore;
-  return {
-    config,
-    getConfig,
-    deleteConfig,
-  };
-};

package/src/controller/error.js

@@ -1,12 +0,0 @@
-class JacksonError extends Error {
-  constructor(message, statusCode = 500) {
-    super(message);
-
-    this.name = this.constructor.name;
-    this.statusCode = statusCode;
-
-    Error.captureStackTrace(this, this.constructor);
-  }
-}
-
-module.exports = { JacksonError };

package/src/controller/oauth/allowed.js

@@ -1,19 +0,0 @@
-module.exports = {
-  redirect: (redirectUrl, redirectUrls) => {
-    const url = new URL(redirectUrl);
-
-    for (const idx in redirectUrls) {
-      const rUrl = new URL(redirectUrls[idx]);
-      // TODO: Check pathname, for now pathname is ignored
-      if (
-        rUrl.protocol === url.protocol &&
-        rUrl.hostname === url.hostname &&
-        rUrl.port === url.port
-      ) {
-        return true;
-      }
-    }
-
-    return false;
-  },
-};

package/src/controller/oauth/code-verifier.js

@@ -1,16 +0,0 @@
-const crypto = require('crypto');
-
-const transformBase64 = (input) => {
-  return input.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
-};
-
-const encode = (code_challenge) => {
-  return transformBase64(
-    crypto.createHash('sha256').update(code_challenge).digest('base64')
-  );
-};
-
-module.exports = {
-  encode,
-  transformBase64,
-};

package/src/controller/oauth/redirect.js

@@ -1,18 +0,0 @@
-module.exports = {
-  error: (res, redirectUrl, err) => {
-    var url = new URL(redirectUrl);
-    url.searchParams.set('error', err);
-
-    res.redirect(url);
-  },
-
-  success: (redirectUrl, params) => {
-    const url = new URL(redirectUrl);
-
-    for (const [key, value] of Object.entries(params)) {
-      url.searchParams.set(key, value);
-    }
-
-    return url.href;
-  },
-};

package/src/controller/oauth.js

@@ -1,321 +0,0 @@
-const crypto = require('crypto');
-
-const saml = require('../saml/saml.js');
-const codeVerifier = require('./oauth/code-verifier.js');
-const { indexNames } = require('./utils.js');
-const dbutils = require('../db/utils.js');
-const redirect = require('./oauth/redirect.js');
-const allowed = require('./oauth/allowed.js');
-const { JacksonError } = require('./error.js');
-
-let configStore;
-let sessionStore;
-let codeStore;
-let tokenStore;
-let options;
-
-const relayStatePrefix = 'boxyhq_jackson_';
-
-function getEncodedClientId(client_id) {
-  try {
-    const sp = new URLSearchParams(client_id);
-    const tenant = sp.get('tenant');
-    const product = sp.get('product');
-    if (tenant && product) {
-      return {
-        tenant: sp.get('tenant'),
-        product: sp.get('product'),
-      };
-    }
-
-    return null;
-  } catch (err) {
-    return null;
-  }
-}
-
-const authorize = async (body) => {
-  const {
-    response_type = 'code',
-    client_id,
-    redirect_uri,
-    state,
-    tenant,
-    product,
-    code_challenge,
-    code_challenge_method = '',
-    // eslint-disable-next-line no-unused-vars
-    provider = 'saml',
-  } = body;
-
-  if (!redirect_uri) {
-    throw new JacksonError('Please specify a redirect URL.', 400);
-  }
-
-  if (!state) {
-    throw new JacksonError(
-      'Please specify a state to safeguard against XSRF attacks.',
-      400
-    );
-  }
-
-  let samlConfig;
-
-  if (tenant && product) {
-    const samlConfigs = await configStore.getByIndex({
-      name: indexNames.tenantProduct,
-      value: dbutils.keyFromParts(tenant, product),
-    });
-
-    if (!samlConfigs || samlConfigs.length === 0) {
-      throw new JacksonError('SAML configuration not found.', 403);
-    }
-
-    // TODO: Support multiple matches
-    samlConfig = samlConfigs[0];
-  } else if (
-    client_id &&
-    client_id !== '' &&
-    client_id !== 'undefined' &&
-    client_id !== 'null'
-  ) {
-    // if tenant and product are encoded in the client_id then we parse it and check for the relevant config(s)
-    const sp = getEncodedClientId(client_id);
-    if (sp) {
-      const samlConfigs = await configStore.getByIndex({
-        name: indexNames.tenantProduct,
-        value: dbutils.keyFromParts(sp.tenant, sp.product),
-      });
-
-      if (!samlConfigs || samlConfigs.length === 0) {
-        throw new JacksonError('SAML configuration not found.', 403);
-      }
-
-      // TODO: Support multiple matches
-      samlConfig = samlConfigs[0];
-    } else {
-      samlConfig = await configStore.get(client_id);
-    }
-  } else {
-    throw new JacksonError(
-      'You need to specify client_id or tenant & product',
-      403
-    );
-  }
-
-  if (!samlConfig) {
-    throw new JacksonError('SAML configuration not found.', 403);
-  }
-
-  if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
-    throw new JacksonError('Redirect URL is not allowed.', 403);
-  }
-
-  const samlReq = saml.request({
-    entityID: options.samlAudience,
-    callbackUrl: options.externalUrl + options.samlPath,
-    signingKey: samlConfig.certs.privateKey,
-  });
-
-  const sessionId = crypto.randomBytes(16).toString('hex');
-
-  await sessionStore.put(sessionId, {
-    id: samlReq.id,
-    redirect_uri,
-    response_type,
-    state,
-    code_challenge,
-    code_challenge_method,
-  });
-
-  const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
-    RelayState: relayStatePrefix + sessionId,
-    SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
-  });
-
-  return { redirect_url: redirectUrl };
-};
-
-const samlResponse = async (body) => {
-  const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
-
-  let RelayState = body.RelayState || '';
-
-  if (!options.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
-    // IDP is disabled so block the request
-
-    throw new JacksonError(
-      'IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.',
-      403
-    );
-  }
-
-  if (!RelayState.startsWith(relayStatePrefix)) {
-    RelayState = '';
-  }
-
-  RelayState = RelayState.replace(relayStatePrefix, '');
-
-  const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
-
-  const parsedResp = await saml.parseAsync(rawResponse);
-
-  const samlConfigs = await configStore.getByIndex({
-    name: indexNames.entityID,
-    value: parsedResp.issuer,
-  });
-
-  if (!samlConfigs || samlConfigs.length === 0) {
-    throw new JacksonError('SAML configuration not found.', 403);
-  }
-
-  // TODO: Support multiple matches
-  const samlConfig = samlConfigs[0];
-
-  let session;
-
-  if (RelayState !== '') {
-    session = await sessionStore.get(RelayState);
-    if (!session) {
-      throw new JacksonError(
-        'Unable to validate state from the origin request.',
-        403
-      );
-    }
-  }
-
-  let validateOpts = {
-    thumbprint: samlConfig.idpMetadata.thumbprint,
-    audience: options.samlAudience,
-  };
-
-  if (session && session.id) {
-    validateOpts.inResponseTo = session.id;
-  }
-
-  const profile = await saml.validateAsync(rawResponse, validateOpts);
-
-  // store details against a code
-  const code = crypto.randomBytes(20).toString('hex');
-
-  let codeVal = {
-    profile,
-    clientID: samlConfig.clientID,
-    clientSecret: samlConfig.clientSecret,
-  };
-
-  if (session) {
-    codeVal.session = session;
-  }
-
-  await codeStore.put(code, codeVal);
-
-  if (
-    session &&
-    session.redirect_uri &&
-    !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)
-  ) {
-    throw new JacksonError('Redirect URL is not allowed.', 403);
-  }
-
-  let params = {
-    code,
-  };
-
-  if (session && session.state) {
-    params.state = session.state;
-  }
-
-  const redirectUrl = redirect.success(
-    (session && session.redirect_uri) || samlConfig.defaultRedirectUrl,
-    params
-  );
-
-  return { redirect_url: redirectUrl };
-};
-
-const token = async (body) => {
-  const {
-    client_id,
-    client_secret,
-    code_verifier,
-    code,
-    grant_type = 'authorization_code',
-  } = body;
-
-  if (grant_type !== 'authorization_code') {
-    throw new JacksonError('Unsupported grant_type', 400);
-  }
-
-  if (!code) {
-    throw new JacksonError('Please specify code', 400);
-  }
-
-  const codeVal = await codeStore.get(code);
-  if (!codeVal || !codeVal.profile) {
-    throw new JacksonError('Invalid code', 403);
-  }
-
-  if (client_id && client_secret) {
-    // check if we have an encoded client_id
-    if (client_id !== 'dummy' && client_secret !== 'dummy') {
-      const sp = getEncodedClientId(client_id);
-      if (!sp) {
-        // OAuth flow
-        if (
-          client_id !== codeVal.clientID ||
-          client_secret !== codeVal.clientSecret
-        ) {
-          throw new JacksonError('Invalid client_id or client_secret', 401);
-        }
-      }
-    }
-  } else if (code_verifier) {
-    // PKCE flow
-    let cv = code_verifier;
-    if (codeVal.session.code_challenge_method.toLowerCase() === 's256') {
-      cv = codeVerifier.encode(code_verifier);
-    }
-
-    if (codeVal.session.code_challenge !== cv) {
-      throw new JacksonError('Invalid code_verifier', 401);
-    }
-  } else if (codeVal && codeVal.session) {
-    throw new JacksonError(
-      'Please specify client_secret or code_verifier',
-      401
-    );
-  }
-
-  // store details against a token
-  const token = crypto.randomBytes(20).toString('hex');
-
-  await tokenStore.put(token, codeVal.profile);
-
-  return {
-    access_token: token,
-    token_type: 'bearer',
-    expires_in: options.db.ttl,
-  };
-};
-
-const userInfo = async (token) => {
-  const { claims } = await tokenStore.get(token);
-
-  return claims;
-};
-
-module.exports = (opts) => {
-  configStore = opts.configStore;
-  sessionStore = opts.sessionStore;
-  codeStore = opts.codeStore;
-  tokenStore = opts.tokenStore;
-  options = opts.opts;
-
-  return {
-    authorize,
-    samlResponse,
-    token,
-    userInfo,
-  };
-};