@boxyhq/saml-jackson 0.3.7 → 0.3.8-beta.760

package/dist/controller/api.js

@@ -34,6 +34,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.APIController = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 const dbutils = __importStar(require("../db/utils"));
+const metrics = __importStar(require("../opentelemetry/metrics"));
 const saml_1 = __importDefault(require("../saml/saml"));
 const x509_1 = __importDefault(require("../saml/x509"));
 const error_1 = require("./error");
@@ -124,6 +125,7 @@ class APIController {
     config(body) {
         return __awaiter(this, void 0, void 0, function* () {
             const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product } = body;
+            metrics.increment('createConfig');
             this._validateIdPConfig(body);
             let metaData = rawMetadata;
             if (encodedRawMetadata) {
@@ -214,6 +216,7 @@ class APIController {
     getConfig(body) {
         return __awaiter(this, void 0, void 0, function* () {
             const { clientID, tenant, product } = body;
+            metrics.increment('getConfig');
             if (clientID) {
                 const samlConfig = yield this.configStore.get(clientID);
                 return samlConfig ? { provider: samlConfig.idpMetadata.provider } : {};
@@ -271,6 +274,7 @@ class APIController {
     deleteConfig(body) {
         return __awaiter(this, void 0, void 0, function* () {
             const { clientID, clientSecret, tenant, product } = body;
+            metrics.increment('deleteConfig');
             if (clientID && clientSecret) {
                 const samlConfig = yield this.configStore.get(clientID);
                 if (!samlConfig) {

package/dist/controller/oauth.d.ts

@@ -14,6 +14,7 @@ export declare class OAuthController implements IOAuthController {
     });
     authorize(body: OAuthReqBody): Promise<{
         redirect_url: string;
+        authorize_form: string;
     }>;
     samlResponse(body: SAMLResponsePayload): Promise<{
         redirect_url: string;

package/dist/controller/oauth.js

@@ -33,15 +33,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuthController = void 0;
 const crypto_1 = __importDefault(require("crypto"));
+const util_1 = require("util");
+const zlib_1 = require("zlib");
 const dbutils = __importStar(require("../db/utils"));
+const metrics = __importStar(require("../opentelemetry/metrics"));
 const saml_1 = __importDefault(require("../saml/saml"));
 const error_1 = require("./error");
 const allowed = __importStar(require("./oauth/allowed"));
 const codeVerifier = __importStar(require("./oauth/code-verifier"));
 const redirect = __importStar(require("./oauth/redirect"));
 const utils_1 = require("./utils");
-const util_1 = require("util");
-const zlib_1 = require("zlib");
 const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
 const relayStatePrefix = 'boxyhq_jackson_';
 function getEncodedClientId(client_id) {
@@ -74,6 +75,7 @@ class OAuthController {
             const { response_type = 'code', client_id, redirect_uri, state, tenant, product, code_challenge, code_challenge_method = '', 
             // eslint-disable-next-line @typescript-eslint/no-unused-vars
             provider = 'saml', } = body;
+            metrics.increment('oauthAuthorize');
             if (!redirect_uri) {
                 throw new error_1.JacksonError('Please specify a redirect URL.', 400);
             }
@@ -119,7 +121,20 @@ class OAuthController {
             if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
                 throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
             }
+            let ssoUrl;
+            let post = false;
+            const { sso } = samlConfig.idpMetadata;
+            if ('redirectUrl' in sso) {
+                // HTTP Redirect binding
+                ssoUrl = sso.redirectUrl;
+            }
+            else if ('postUrl' in sso) {
+                // HTTP-POST binding
+                ssoUrl = sso.postUrl;
+                post = true;
+            }
             const samlReq = saml_1.default.request({
+                ssoUrl,
                 entityID: this.opts.samlAudience,
                 callbackUrl: this.opts.externalUrl + this.opts.samlPath,
                 signingKey: samlConfig.certs.privateKey,
@@ -133,13 +148,24 @@ class OAuthController {
                 code_challenge,
                 code_challenge_method,
             });
-            // deepak: When supporting HTTP-POST skip deflate
-            const samlReqEnc = yield deflateRawAsync(samlReq.request);
-            const redirectUrl = redirect.success(samlConfig.idpMetadata.sso.redirectUrl, {
-                RelayState: relayStatePrefix + sessionId,
-                SAMLRequest: Buffer.from(samlReqEnc).toString('base64'),
-            });
-            return { redirect_url: redirectUrl };
+            const relayState = relayStatePrefix + sessionId;
+            let redirectUrl;
+            let authorizeForm;
+            if (!post) {
+                // HTTP Redirect binding
+                redirectUrl = redirect.success(ssoUrl, {
+                    RelayState: relayState,
+                    SAMLRequest: Buffer.from(yield deflateRawAsync(samlReq.request)).toString('base64'),
+                });
+            }
+            else {
+                // HTTP POST binding
+                authorizeForm = (0, utils_1.createAuthorizeForm)(relayState, encodeURI(Buffer.from(samlReq.request).toString('base64')), ssoUrl);
+            }
+            return {
+                redirect_url: redirectUrl,
+                authorize_form: authorizeForm,
+            };
         });
     }
     samlResponse(body) {
@@ -262,6 +288,7 @@ class OAuthController {
     token(body) {
         return __awaiter(this, void 0, void 0, function* () {
             const { client_id, client_secret, code_verifier, code, grant_type = 'authorization_code' } = body;
+            metrics.increment('oauthToken');
             if (grant_type !== 'authorization_code') {
                 throw new error_1.JacksonError('Unsupported grant_type', 400);
             }
@@ -292,6 +319,12 @@ class OAuthController {
                             throw new error_1.JacksonError('Invalid client_id or client_secret', 401);
                         }
                     }
+                    else {
+                        // encoded client_id, verify client_secret
+                        if (client_secret !== this.opts.clientSecretVerifier) {
+                            throw new error_1.JacksonError('Invalid client_secret', 401);
+                        }
+                    }
                 }
             }
             else if (codeVal && codeVal.session) {
@@ -339,6 +372,7 @@ class OAuthController {
     userInfo(token) {
         return __awaiter(this, void 0, void 0, function* () {
             const rsp = yield this.tokenStore.get(token);
+            metrics.increment('oauthUserInfo');
             if (!rsp || !rsp.claims) {
                 throw new error_1.JacksonError('Invalid token', 403);
             }

package/dist/controller/utils.d.ts

@@ -2,3 +2,4 @@ export declare enum IndexNames {
     EntityID = "entityID",
     TenantProduct = "tenantProduct"
 }
+export declare const createAuthorizeForm: (relayState: string, samlReqEnc: string, postUrl: string) => string;

package/dist/controller/utils.js

@@ -1,8 +1,32 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IndexNames = void 0;
+exports.createAuthorizeForm = exports.IndexNames = void 0;
 var IndexNames;
 (function (IndexNames) {
     IndexNames["EntityID"] = "entityID";
     IndexNames["TenantProduct"] = "tenantProduct";
 })(IndexNames = exports.IndexNames || (exports.IndexNames = {}));
+const createAuthorizeForm = (relayState, samlReqEnc, postUrl) => {
+    const formElements = [
+        '<!DOCTYPE html>',
+        '<html>',
+        '<head>',
+        '<meta charset="utf-8">',
+        '<meta http-equiv="x-ua-compatible" content="ie=edge">',
+        '</head>',
+        '<body onload="document.forms[0].submit()">',
+        '<noscript>',
+        '<p>Note: Since your browser does not support JavaScript, you must press the Continue button once to proceed.</p>',
+        '</noscript>',
+        '<form method="post" action="' + encodeURI(postUrl) + '">',
+        '<input type="hidden" name="RelayState" value="' + relayState + '"/>',
+        '<input type="hidden" name="SAMLRequest" value="' + samlReqEnc + '"/>',
+        '<input type="submit" value="Continue" />',
+        '</form>',
+        '<script>document.forms[0].style.display="none";</script>',
+        '</body>',
+        '</html>',
+    ];
+    return formElements.join('');
+};
+exports.createAuthorizeForm = createAuthorizeForm;

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-import { JacksonOption } from './typings';
 import { APIController } from './controller/api';
 import { OAuthController } from './controller/oauth';
+import { JacksonOption } from './typings';
 export declare const controllers: (opts: JacksonOption) => Promise<{
     apiController: APIController;
     oauthController: OAuthController;

package/dist/index.js

@@ -44,6 +44,7 @@ const defaultOpts = (opts) => {
     newOpts.db.type = newOpts.db.type || 'postgres'; // Only needed if DB_ENGINE is sql.
     newOpts.db.ttl = (newOpts.db.ttl || 300) * 1; // TTL for the code, session and token stores (in seconds)
     newOpts.db.cleanupLimit = (newOpts.db.cleanupLimit || 1000) * 1; // Limit cleanup of TTL entries to this many items at a time
+    newOpts.clientSecretVerifier = newOpts.clientSecretVerifier || 'dummy';
     return newOpts;
 };
 const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {

package/dist/opentelemetry/metrics.d.ts

@@ -0,0 +1,2 @@
+declare const increment: (action: string) => void;
+export { increment };

package/dist/opentelemetry/metrics.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.increment = void 0;
+const api_metrics_1 = require("@opentelemetry/api-metrics");
+const counters = {
+    createConfig: {
+        name: 'jackson.config.create',
+        description: 'Number of SAML config create requests',
+    },
+    getConfig: {
+        name: 'jackson.config.get',
+        description: 'Number of SAML config get requests',
+    },
+    deleteConfig: {
+        name: 'jackson.config.delete',
+        description: 'Number of SAML config delete requests',
+    },
+    oauthAuthorize: {
+        name: 'jackson.oauth.authorize',
+        description: 'Number of SAML oauth authorize requests',
+    },
+    oauthToken: {
+        name: 'jackson.oauth.token',
+        description: 'Number of SAML oauth token requests',
+    },
+    oauthUserInfo: {
+        name: 'jackson.oauth.userinfo',
+        description: 'Number of SAML oauth user info requests',
+    },
+};
+const createCounter = (action) => {
+    const meter = api_metrics_1.metrics.getMeterProvider().getMeter('jackson');
+    const counter = counters[action];
+    return meter.createCounter(counter.name, {
+        description: counter.description,
+    });
+};
+const increment = (action) => {
+    const counter = createCounter(action);
+    counter.add(1, { provider: 'saml' });
+};
+exports.increment = increment;

package/dist/saml/saml.js

@@ -68,7 +68,7 @@ const request = ({ ssoUrl, entityID, callbackUrl, isPassive = false, forceAuthn
             '@ID': id,
             '@Version': '2.0',
             '@IssueInstant': date,
-            '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
             '@Destination': ssoUrl,
             'saml:Issuer': {
                 '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',

package/dist/typings.d.ts

@@ -27,7 +27,8 @@ export interface IAPIController {
 }
 export interface IOAuthController {
     authorize(body: OAuthReqBody): Promise<{
-        redirect_url: string;
+        redirect_url?: string;
+        authorize_form?: string;
     }>;
     samlResponse(body: SAMLResponsePayload): Promise<{
         redirect_url: string;
@@ -123,4 +124,5 @@ export interface JacksonOption {
     preLoadedConfig?: string;
     idpEnabled?: boolean;
     db: DatabaseOption;
+    clientSecretVerifier?: string;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.3.7",
+  "version": "0.3.8-beta.760",
   "description": "SAML 2.0 service",
   "keywords": [
     "SAML 2.0"
@@ -37,10 +37,9 @@
   },
   "dependencies": {
     "@boxyhq/saml20": "0.2.0",
+    "@opentelemetry/api-metrics": "0.27.0",
     "@peculiar/webcrypto": "1.2.3",
     "@peculiar/x509": "1.6.1",
-    "cors": "2.8.5",
-    "express": "4.17.2",
     "mongodb": "4.3.1",
     "mysql2": "2.3.3",
     "pg": "8.7.3",
@@ -55,7 +54,6 @@
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
-    "@types/express": "4.17.13",
     "@types/node": "17.0.17",
     "@types/sinon": "10.0.11",
     "@types/tap": "15.0.5",