@boxyhq/saml-jackson 0.2.4 → 0.3.0-beta.246

package/Dockerfile

@@ -1,11 +1,12 @@
 # Install dependencies only when needed
-FROM node:16.13.1-alpine3.14 AS deps
+FROM node:16.13.1-alpine3.14 AS build
 # Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
 RUN apk add --no-cache libc6-compat
 WORKDIR /app
 COPY src/ src/
-COPY package.json package-lock.json ./
-RUN npm ci --only=production
+COPY package.json package-lock.json tsconfig*.json ./
+RUN npm install
+RUN npm run build
 
 # Production image, copy all the files and run next
 FROM node:16.13.1-alpine3.14 AS runner
@@ -17,13 +18,14 @@ ENV NODE_ENV production
 RUN addgroup -g 1001 -S nodejs
 RUN adduser -S nodejs -u 1001
 
-COPY --from=deps /app/src ./src
-COPY --from=deps /app/node_modules ./node_modules
-COPY --from=deps /app/package.json ./package.json
+COPY --from=build /app/dist ./dist
+COPY --from=build /app/package.json ./package.json
+COPY --from=build /app/package-lock.json ./package-lock.json
+RUN npm ci --only=production
 
 USER nodejs
 
 EXPOSE 5000
 EXPOSE 6000
 
-CMD [ "node", "src/jackson.js" ]
+CMD [ "node", "dist/jackson.js" ]

package/README.md

@@ -357,7 +357,6 @@ To Do
 Jackson currently supports the following databases.
 
 - Postgres
-- CockroachDB
 - MySQL
 - MariaDB
 - MongoDB
@@ -381,7 +380,7 @@ The following options are supported and will have to be configured during deploy
 | IDP_ENABLED (npm: idpEnabled)             | Set to `true` to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times.                                                                                                                                                                                                                                                              | `false`                         |
 | DB_ENGINE (npm: db.engine)                | Supported values are `redis`, `sql`, `mongo`, `mem`.                                                                                                                                                                                                                                                                                                                                                                 | `sql`                           |
 | DB_URL (npm: db.url)                      | The database URL to connect to. For example `postgres://postgres:postgres@localhost:5450/jackson`                                                                                                                                                                                                                                                                                                                    |                                 |
-| DB_TYPE (npm: db.type)                    | Only needed when DB_ENGINE is `sql`. Supported values are `postgres`, `cockroachdb`, `mysql`, `mariadb`.                                                                                                                                                                                                                                                                                                             | `postgres`                      |
+| DB_TYPE (npm: db.type)                    | Only needed when DB_ENGINE is `sql`. Supported values are `postgres`, `mysql`, `mariadb`.                                                                                                                                                                                                                                                                                                                            | `postgres`                      |
 | DB_TTL (npm: db.ttl)                      | TTL for the code, session and token stores (in seconds).                                                                                                                                                                                                                                                                                                                                                             | 300                             |
 | DB_CLEANUP_LIMIT (npm: db.cleanupLimit)   | Limit cleanup of TTL entries to this number.                                                                                                                                                                                                                                                                                                                                                                         | 1000                            |
 | DB_ENCRYPTION_KEY (npm: db.encryptionKey) | To encrypt data at rest specify a 32 character key.                                                                                                                                                                                                                                                                                                                                                                  |                                 |

package/dist/controller/api.d.ts

@@ -0,0 +1,32 @@
+import { IdPConfig, ISAMLConfig, OAuth } from '../typings';
+export declare class SAMLConfig implements ISAMLConfig {
+    private configStore;
+    constructor({ configStore }: {
+        configStore: any;
+    });
+    private _validateIdPConfig;
+    create(body: IdPConfig): Promise<OAuth>;
+    get(body: {
+        clientID: string;
+        tenant: string;
+        product: string;
+    }): Promise<Partial<OAuth>>;
+    delete(body: {
+        clientID: string;
+        clientSecret: string;
+        tenant: string;
+        product: string;
+    }): Promise<void>;
+    config(body: IdPConfig): Promise<OAuth>;
+    getConfig(body: {
+        clientID: string;
+        tenant: string;
+        product: string;
+    }): Promise<Partial<OAuth>>;
+    deleteConfig(body: {
+        clientID: string;
+        clientSecret: string;
+        tenant: string;
+        product: string;
+    }): Promise<void>;
+}

package/dist/controller/api.js

@@ -0,0 +1,193 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SAMLConfig = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const dbutils = __importStar(require("../db/utils"));
+const saml_1 = __importDefault(require("../saml/saml"));
+const x509_1 = __importDefault(require("../saml/x509"));
+const error_1 = require("./error");
+const utils_1 = require("./utils");
+class SAMLConfig {
+    constructor({ configStore }) {
+        this.configStore = configStore;
+    }
+    _validateIdPConfig(body) {
+        const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } = body;
+        if (!rawMetadata) {
+            throw new error_1.JacksonError('Please provide rawMetadata', 400);
+        }
+        if (!defaultRedirectUrl) {
+            throw new error_1.JacksonError('Please provide a defaultRedirectUrl', 400);
+        }
+        if (!redirectUrl) {
+            throw new error_1.JacksonError('Please provide redirectUrl', 400);
+        }
+        if (!tenant) {
+            throw new error_1.JacksonError('Please provide tenant', 400);
+        }
+        if (!product) {
+            throw new error_1.JacksonError('Please provide product', 400);
+        }
+    }
+    create(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } = body;
+            this._validateIdPConfig(body);
+            const idpMetadata = yield saml_1.default.parseMetadataAsync(rawMetadata);
+            // extract provider
+            let providerName = extractHostName(idpMetadata.entityID);
+            if (!providerName) {
+                providerName = extractHostName(idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl);
+            }
+            idpMetadata.provider = providerName ? providerName : 'Unknown';
+            const clientID = dbutils.keyDigest(dbutils.keyFromParts(tenant, product, idpMetadata.entityID));
+            let clientSecret;
+            const exists = yield this.configStore.get(clientID);
+            if (exists) {
+                clientSecret = exists.clientSecret;
+            }
+            else {
+                clientSecret = crypto_1.default.randomBytes(24).toString('hex');
+            }
+            const certs = yield x509_1.default.generate();
+            if (!certs) {
+                throw new Error('Error generating x59 certs');
+            }
+            yield this.configStore.put(clientID, {
+                idpMetadata,
+                defaultRedirectUrl,
+                redirectUrl: JSON.parse(redirectUrl),
+                tenant,
+                product,
+                clientID,
+                clientSecret,
+                certs,
+            }, {
+                // secondary index on entityID
+                name: utils_1.IndexNames.EntityID,
+                value: idpMetadata.entityID,
+            }, {
+                // secondary index on tenant + product
+                name: utils_1.IndexNames.TenantProduct,
+                value: dbutils.keyFromParts(tenant, product),
+            });
+            return {
+                client_id: clientID,
+                client_secret: clientSecret,
+                provider: idpMetadata.provider,
+            };
+        });
+    }
+    get(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { clientID, tenant, product } = body;
+            if (clientID) {
+                const samlConfig = yield this.configStore.get(clientID);
+                return samlConfig ? { provider: samlConfig.idpMetadata.provider } : {};
+            }
+            if (tenant && product) {
+                const samlConfigs = yield this.configStore.getByIndex({
+                    name: utils_1.IndexNames.TenantProduct,
+                    value: dbutils.keyFromParts(tenant, product),
+                });
+                if (!samlConfigs || !samlConfigs.length) {
+                    return {};
+                }
+                return { provider: samlConfigs[0].idpMetadata.provider };
+            }
+            throw new error_1.JacksonError('Please provide `clientID` or `tenant` and `product`.', 400);
+        });
+    }
+    delete(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { clientID, clientSecret, tenant, product } = body;
+            if (clientID && clientSecret) {
+                const samlConfig = yield this.configStore.get(clientID);
+                if (!samlConfig) {
+                    return;
+                }
+                if (samlConfig.clientSecret === clientSecret) {
+                    yield this.configStore.delete(clientID);
+                }
+                else {
+                    throw new error_1.JacksonError('clientSecret mismatch.', 400);
+                }
+                return;
+            }
+            if (tenant && product) {
+                const samlConfigs = yield this.configStore.getByIndex({
+                    name: utils_1.IndexNames.TenantProduct,
+                    value: dbutils.keyFromParts(tenant, product),
+                });
+                if (!samlConfigs || !samlConfigs.length) {
+                    return;
+                }
+                for (const conf of samlConfigs) {
+                    yield this.configStore.delete(conf.clientID);
+                }
+                return;
+            }
+            throw new error_1.JacksonError('Please provide `clientID` and `clientSecret` or `tenant` and `product`.', 400);
+        });
+    }
+    // Ensure backward compatibility
+    config(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.create(body);
+        });
+    }
+    getConfig(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.get(body);
+        });
+    }
+    deleteConfig(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.delete(body);
+        });
+    }
+}
+exports.SAMLConfig = SAMLConfig;
+const extractHostName = (url) => {
+    try {
+        const pUrl = new URL(url);
+        if (pUrl.hostname.startsWith('www.')) {
+            return pUrl.hostname.substring(4);
+        }
+        return pUrl.hostname;
+    }
+    catch (err) {
+        return null;
+    }
+};

package/dist/controller/error.d.ts

@@ -0,0 +1,5 @@
+export declare class JacksonError extends Error {
+    name: string;
+    statusCode: number;
+    constructor(message: string, statusCode?: number);
+}

package/dist/controller/error.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonError = void 0;
+class JacksonError extends Error {
+    constructor(message, statusCode = 500) {
+        super(message);
+        this.name = this.constructor.name;
+        this.statusCode = statusCode;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+exports.JacksonError = JacksonError;

package/dist/controller/oauth/allowed.d.ts

@@ -0,0 +1 @@
+export declare const redirect: (redirectUrl: string, redirectUrls: string[]) => boolean;

package/dist/controller/oauth/allowed.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redirect = void 0;
+const redirect = (redirectUrl, redirectUrls) => {
+    const url = new URL(redirectUrl);
+    for (const idx in redirectUrls) {
+        const rUrl = new URL(redirectUrls[idx]);
+        // TODO: Check pathname, for now pathname is ignored
+        if (rUrl.protocol === url.protocol &&
+            rUrl.hostname === url.hostname &&
+            rUrl.port === url.port) {
+            return true;
+        }
+    }
+    return false;
+};
+exports.redirect = redirect;

package/dist/controller/oauth/code-verifier.d.ts

@@ -0,0 +1,2 @@
+export declare const transformBase64: (input: string) => string;
+export declare const encode: (code_challenge: string) => string;

package/dist/controller/oauth/code-verifier.js

@@ -0,0 +1,15 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encode = exports.transformBase64 = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const transformBase64 = (input) => {
+    return input.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+};
+exports.transformBase64 = transformBase64;
+const encode = (code_challenge) => {
+    return (0, exports.transformBase64)(crypto_1.default.createHash('sha256').update(code_challenge).digest('base64'));
+};
+exports.encode = encode;

package/dist/controller/oauth/redirect.d.ts

@@ -0,0 +1 @@
+export declare const success: (redirectUrl: string, params: Record<string, string>) => string;

package/dist/controller/oauth/redirect.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.success = void 0;
+const success = (redirectUrl, params) => {
+    const url = new URL(redirectUrl);
+    for (const [key, value] of Object.entries(params)) {
+        url.searchParams.set(key, value);
+    }
+    return url.href;
+};
+exports.success = success;

package/dist/controller/oauth.d.ts

@@ -0,0 +1,23 @@
+import { IOAuthController, OAuthReqBody, OAuthTokenReq, OAuthTokenRes, Profile, SAMLResponsePayload } from '../typings';
+export declare class OAuthController implements IOAuthController {
+    private configStore;
+    private sessionStore;
+    private codeStore;
+    private tokenStore;
+    private opts;
+    constructor({ configStore, sessionStore, codeStore, tokenStore, opts }: {
+        configStore: any;
+        sessionStore: any;
+        codeStore: any;
+        tokenStore: any;
+        opts: any;
+    });
+    authorize(body: OAuthReqBody): Promise<{
+        redirect_url: string;
+    }>;
+    samlResponse(body: SAMLResponsePayload): Promise<{
+        redirect_url: string;
+    }>;
+    token(body: OAuthTokenReq): Promise<OAuthTokenRes>;
+    userInfo(token: string): Promise<Profile>;
+}

package/dist/controller/oauth.js

@@ -0,0 +1,263 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthController = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const dbutils = __importStar(require("../db/utils"));
+const saml_1 = __importDefault(require("../saml/saml"));
+const error_1 = require("./error");
+const allowed = __importStar(require("./oauth/allowed"));
+const codeVerifier = __importStar(require("./oauth/code-verifier"));
+const redirect = __importStar(require("./oauth/redirect"));
+const utils_1 = require("./utils");
+const relayStatePrefix = 'boxyhq_jackson_';
+function getEncodedClientId(client_id) {
+    try {
+        const sp = new URLSearchParams(client_id);
+        const tenant = sp.get('tenant');
+        const product = sp.get('product');
+        if (tenant && product) {
+            return {
+                tenant: sp.get('tenant'),
+                product: sp.get('product'),
+            };
+        }
+        return null;
+    }
+    catch (err) {
+        return null;
+    }
+}
+class OAuthController {
+    constructor({ configStore, sessionStore, codeStore, tokenStore, opts }) {
+        this.configStore = configStore;
+        this.sessionStore = sessionStore;
+        this.codeStore = codeStore;
+        this.tokenStore = tokenStore;
+        this.opts = opts;
+    }
+    authorize(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { response_type = 'code', client_id, redirect_uri, state, tenant, product, code_challenge, code_challenge_method = '', 
+            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+            provider = 'saml', } = body;
+            if (!redirect_uri) {
+                throw new error_1.JacksonError('Please specify a redirect URL.', 400);
+            }
+            if (!state) {
+                throw new error_1.JacksonError('Please specify a state to safeguard against XSRF attacks.', 400);
+            }
+            let samlConfig;
+            if (tenant && product) {
+                const samlConfigs = yield this.configStore.getByIndex({
+                    name: utils_1.IndexNames.TenantProduct,
+                    value: dbutils.keyFromParts(tenant, product),
+                });
+                if (!samlConfigs || samlConfigs.length === 0) {
+                    throw new error_1.JacksonError('SAML configuration not found.', 403);
+                }
+                // TODO: Support multiple matches
+                samlConfig = samlConfigs[0];
+            }
+            else if (client_id &&
+                client_id !== '' &&
+                client_id !== 'undefined' &&
+                client_id !== 'null') {
+                // if tenant and product are encoded in the client_id then we parse it and check for the relevant config(s)
+                const sp = getEncodedClientId(client_id);
+                if (sp === null || sp === void 0 ? void 0 : sp.tenant) {
+                    const samlConfigs = yield this.configStore.getByIndex({
+                        name: utils_1.IndexNames.TenantProduct,
+                        value: dbutils.keyFromParts(sp.tenant, sp.product || ''),
+                    });
+                    if (!samlConfigs || samlConfigs.length === 0) {
+                        throw new error_1.JacksonError('SAML configuration not found.', 403);
+                    }
+                    // TODO: Support multiple matches
+                    samlConfig = samlConfigs[0];
+                }
+                else {
+                    samlConfig = yield this.configStore.get(client_id);
+                }
+            }
+            else {
+                throw new error_1.JacksonError('You need to specify client_id or tenant & product', 403);
+            }
+            if (!samlConfig) {
+                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            }
+            if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
+                throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
+            }
+            const samlReq = saml_1.default.request({
+                entityID: this.opts.samlAudience,
+                callbackUrl: this.opts.externalUrl + this.opts.samlPath,
+                signingKey: samlConfig.certs.privateKey,
+            });
+            const sessionId = crypto_1.default.randomBytes(16).toString('hex');
+            yield this.sessionStore.put(sessionId, {
+                id: samlReq.id,
+                redirect_uri,
+                response_type,
+                state,
+                code_challenge,
+                code_challenge_method,
+            });
+            const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
+                RelayState: relayStatePrefix + sessionId,
+                SAMLRequest: Buffer.from(samlReq.request).toString('base64'),
+            });
+            return { redirect_url: redirectUrl };
+        });
+    }
+    samlResponse(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { SAMLResponse } = body; // RelayState will contain the sessionId from earlier quasi-oauth flow
+            let RelayState = body.RelayState || '';
+            if (!this.opts.idpEnabled && !RelayState.startsWith(relayStatePrefix)) {
+                // IDP is disabled so block the request
+                throw new error_1.JacksonError('IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.', 403);
+            }
+            if (!RelayState.startsWith(relayStatePrefix)) {
+                RelayState = '';
+            }
+            RelayState = RelayState.replace(relayStatePrefix, '');
+            const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+            const parsedResp = yield saml_1.default.parseAsync(rawResponse);
+            const samlConfigs = yield this.configStore.getByIndex({
+                name: utils_1.IndexNames.EntityID,
+                value: parsedResp === null || parsedResp === void 0 ? void 0 : parsedResp.issuer,
+            });
+            if (!samlConfigs || samlConfigs.length === 0) {
+                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            }
+            // TODO: Support multiple matches
+            const samlConfig = samlConfigs[0];
+            let session;
+            if (RelayState !== '') {
+                session = yield this.sessionStore.get(RelayState);
+                if (!session) {
+                    throw new error_1.JacksonError('Unable to validate state from the origin request.', 403);
+                }
+            }
+            const validateOpts = {
+                thumbprint: samlConfig.idpMetadata.thumbprint,
+                audience: this.opts.samlAudience,
+            };
+            if (session && session.id) {
+                validateOpts.inResponseTo = session.id;
+            }
+            const profile = yield saml_1.default.validateAsync(rawResponse, validateOpts);
+            // store details against a code
+            const code = crypto_1.default.randomBytes(20).toString('hex');
+            const codeVal = {
+                profile,
+                clientID: samlConfig.clientID,
+                clientSecret: samlConfig.clientSecret,
+            };
+            if (session) {
+                codeVal.session = session;
+            }
+            yield this.codeStore.put(code, codeVal);
+            if (session &&
+                session.redirect_uri &&
+                !allowed.redirect(session.redirect_uri, samlConfig.redirectUrl)) {
+                throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
+            }
+            const params = {
+                code,
+            };
+            if (session && session.state) {
+                params.state = session.state;
+            }
+            const redirectUrl = redirect.success((session && session.redirect_uri) || samlConfig.defaultRedirectUrl, params);
+            return { redirect_url: redirectUrl };
+        });
+    }
+    token(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { client_id, client_secret, code_verifier, code, grant_type = 'authorization_code', } = body;
+            if (grant_type !== 'authorization_code') {
+                throw new error_1.JacksonError('Unsupported grant_type', 400);
+            }
+            if (!code) {
+                throw new error_1.JacksonError('Please specify code', 400);
+            }
+            const codeVal = yield this.codeStore.get(code);
+            if (!codeVal || !codeVal.profile) {
+                throw new error_1.JacksonError('Invalid code', 403);
+            }
+            if (client_id && client_secret) {
+                // check if we have an encoded client_id
+                if (client_id !== 'dummy' && client_secret !== 'dummy') {
+                    const sp = getEncodedClientId(client_id);
+                    if (!sp) {
+                        // OAuth flow
+                        if (client_id !== codeVal.clientID ||
+                            client_secret !== codeVal.clientSecret) {
+                            throw new error_1.JacksonError('Invalid client_id or client_secret', 401);
+                        }
+                    }
+                }
+            }
+            else if (code_verifier) {
+                // PKCE flow
+                let cv = code_verifier;
+                if (codeVal.session.code_challenge_method.toLowerCase() === 's256') {
+                    cv = codeVerifier.encode(code_verifier);
+                }
+                if (codeVal.session.code_challenge !== cv) {
+                    throw new error_1.JacksonError('Invalid code_verifier', 401);
+                }
+            }
+            else if (codeVal && codeVal.session) {
+                throw new error_1.JacksonError('Please specify client_secret or code_verifier', 401);
+            }
+            // store details against a token
+            const token = crypto_1.default.randomBytes(20).toString('hex');
+            yield this.tokenStore.put(token, codeVal.profile);
+            return {
+                access_token: token,
+                token_type: 'bearer',
+                expires_in: this.opts.db.ttl,
+            };
+        });
+    }
+    userInfo(token) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { claims } = yield this.tokenStore.get(token);
+            return claims;
+        });
+    }
+}
+exports.OAuthController = OAuthController;

package/dist/controller/utils.d.ts

@@ -0,0 +1,6 @@
+import { Request } from 'express';
+export declare const extractAuthToken: (req: Request) => string | null;
+export declare enum IndexNames {
+    EntityID = "entityID",
+    TenantProduct = "tenantProduct"
+}