@boxyhq/saml-jackson 0.5.1 → 1.0.0

package/README.md

@@ -14,7 +14,7 @@ npm i @boxyhq/saml-jackson
 
 ## Documentation
 
-For full documentation, visit [boxyhq.com/docs/jackson/npm-library](https://boxyhq.com/docs/jackson/npm-library)
+For full documentation, visit [boxyhq.com/docs/jackson/deploy/npm-library](https://boxyhq.com/docs/jackson/deploy/npm-library)
 
 ## License
 

package/dist/controller/api.d.ts

@@ -4,6 +4,7 @@ export declare class APIController implements IAPIController {
     constructor({ configStore }: {
         configStore: any;
     });
+    private _validateRedirectUrl;
     private _validateIdPConfig;
     /**
      * @swagger

package/dist/controller/api.js

@@ -58,6 +58,19 @@ class APIController {
     constructor({ configStore }) {
         this.configStore = configStore;
     }
+    _validateRedirectUrl({ redirectUrlList, defaultRedirectUrl }) {
+        if (redirectUrlList) {
+            if (redirectUrlList.length > 100) {
+                throw new error_1.JacksonError('Exceeded maximum number of allowed redirect urls', 400);
+            }
+            for (const url of redirectUrlList) {
+                (0, utils_1.validateAbsoluteUrl)(url, 'redirectUrl is invalid');
+            }
+        }
+        if (defaultRedirectUrl) {
+            (0, utils_1.validateAbsoluteUrl)(defaultRedirectUrl, 'defaultRedirectUrl is invalid');
+        }
+    }
     _validateIdPConfig(body) {
         const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, description } = body;
         if (!rawMetadata && !encodedRawMetadata) {
@@ -168,6 +181,8 @@ class APIController {
             const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, name, description, } = body;
             metrics.increment('createConfig');
             this._validateIdPConfig(body);
+            const redirectUrlList = extractRedirectUrls(redirectUrl);
+            this._validateRedirectUrl({ defaultRedirectUrl, redirectUrlList });
             let metaData = rawMetadata;
             if (encodedRawMetadata) {
                 metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
@@ -195,7 +210,7 @@ class APIController {
             const record = {
                 idpMetadata,
                 defaultRedirectUrl,
-                redirectUrl: JSON.parse(redirectUrl),
+                redirectUrl: redirectUrlList,
                 tenant,
                 product,
                 name,
@@ -296,6 +311,8 @@ class APIController {
             if (description && description.length > 100) {
                 throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
             }
+            const redirectUrlList = redirectUrl ? extractRedirectUrls(redirectUrl) : null;
+            this._validateRedirectUrl({ defaultRedirectUrl, redirectUrlList });
             const _currentConfig = yield this.getConfig(clientInfo);
             if (_currentConfig.clientSecret !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
                 throw new error_1.JacksonError('clientSecret mismatch', 400);
@@ -321,7 +338,7 @@ class APIController {
                     throw new error_1.JacksonError('Tenant/Product config mismatch with IdP metadata', 400);
                 }
             }
-            const record = Object.assign(Object.assign({}, _currentConfig), { name: name ? name : _currentConfig.name, description: description ? description : _currentConfig.description, idpMetadata: newMetadata ? newMetadata : _currentConfig.idpMetadata, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _currentConfig.defaultRedirectUrl, redirectUrl: redirectUrl ? JSON.parse(redirectUrl) : _currentConfig.redirectUrl });
+            const record = Object.assign(Object.assign({}, _currentConfig), { name: name ? name : _currentConfig.name, description: description ? description : _currentConfig.description, idpMetadata: newMetadata ? newMetadata : _currentConfig.idpMetadata, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _currentConfig.defaultRedirectUrl, redirectUrl: redirectUrlList ? redirectUrlList : _currentConfig.redirectUrl });
             yield this.configStore.put(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID, record, {
                 // secondary index on entityID
                 name: utils_1.IndexNames.EntityID,
@@ -495,3 +512,18 @@ const extractHostName = (url) => {
         return null;
     }
 };
+const extractRedirectUrls = (urls) => {
+    if (!urls) {
+        return [];
+    }
+    if (typeof urls === 'string') {
+        if (urls.startsWith('[')) {
+            // redirectUrl is a stringified array
+            return JSON.parse(urls);
+        }
+        // redirectUrl is a single URL
+        return [urls];
+    }
+    // redirectUrl is an array of URLs
+    return urls;
+};

package/dist/controller/health-check.d.ts

@@ -0,0 +1,11 @@
+import { IHealthCheckController, Storable } from '../typings';
+export declare class HealthCheckController implements IHealthCheckController {
+    healthCheckStore: Storable;
+    constructor({ healthCheckStore }: {
+        healthCheckStore: any;
+    });
+    init(): Promise<void>;
+    status(): Promise<{
+        status: number;
+    }>;
+}

package/dist/controller/health-check.js

@@ -0,0 +1,53 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HealthCheckController = void 0;
+const error_1 = require("./error");
+const healthKey = 'amihealthy';
+const healthValue = 'fit';
+const g = global;
+class HealthCheckController {
+    constructor({ healthCheckStore }) {
+        this.healthCheckStore = healthCheckStore;
+    }
+    init() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.healthCheckStore.put(healthKey, healthValue);
+        });
+    }
+    status() {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                if (!g.isJacksonReady) {
+                    return {
+                        status: 503,
+                    };
+                }
+                const response = yield Promise.race([
+                    this.healthCheckStore.get(healthKey),
+                    new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), 1000)),
+                ]);
+                if (response === healthValue) {
+                    return {
+                        status: 200,
+                    };
+                }
+                return {
+                    status: 503,
+                };
+            }
+            catch (err) {
+                throw new error_1.JacksonError('Service not available', 503);
+            }
+        });
+    }
+}
+exports.HealthCheckController = HealthCheckController;

package/dist/controller/oauth.js

@@ -172,7 +172,7 @@ class OAuthController {
             }
             else {
                 // HTTP POST binding
-                authorizeForm = (0, utils_1.createAuthorizeForm)(relayState, encodeURI(Buffer.from(samlReq.request).toString('base64')), ssoUrl);
+                authorizeForm = (0, utils_1.createRequestForm)(relayState, encodeURI(Buffer.from(samlReq.request).toString('base64')), ssoUrl);
             }
             return {
                 redirect_url: redirectUrl,
@@ -346,6 +346,11 @@ class OAuthController {
                         }
                     }
                 }
+                else {
+                    if (client_secret !== this.opts.clientSecretVerifier && client_secret !== codeVal.clientSecret) {
+                        throw new error_1.JacksonError('Invalid client_secret', 401);
+                    }
+                }
             }
             else if (codeVal && codeVal.session) {
                 throw new error_1.JacksonError('Please specify client_secret or code_verifier', 401);

package/dist/controller/signout.d.ts

@@ -0,0 +1,18 @@
+import { SAMLResponsePayload, SLORequestParams } from '../typings';
+export declare class LogoutController {
+    private configStore;
+    private sessionStore;
+    private opts;
+    constructor({ configStore, sessionStore, opts }: {
+        configStore: any;
+        sessionStore: any;
+        opts: any;
+    });
+    createRequest({ nameId, tenant, product, redirectUrl }: SLORequestParams): Promise<{
+        logoutUrl: string | null;
+        logoutForm: string | null;
+    }>;
+    handleResponse({ SAMLResponse, RelayState }: SAMLResponsePayload): Promise<{
+        redirectUrl: any;
+    }>;
+}

package/dist/controller/signout.js

@@ -0,0 +1,231 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogoutController = void 0;
+const xmldom_1 = require("@xmldom/xmldom");
+const crypto_1 = __importDefault(require("crypto"));
+const thumbprint_1 = __importDefault(require("thumbprint"));
+const util_1 = require("util");
+const xml_crypto_1 = require("xml-crypto");
+const xml2js_1 = __importDefault(require("xml2js"));
+const xmlbuilder_1 = __importDefault(require("xmlbuilder"));
+const zlib_1 = require("zlib");
+const dbutils = __importStar(require("../db/utils"));
+const saml_1 = __importDefault(require("../saml/saml"));
+const error_1 = require("./error");
+const redirect = __importStar(require("./oauth/redirect"));
+const utils_1 = require("./utils");
+const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
+const relayStatePrefix = 'boxyhq_jackson_';
+class LogoutController {
+    constructor({ configStore, sessionStore, opts }) {
+        this.opts = opts;
+        this.configStore = configStore;
+        this.sessionStore = sessionStore;
+    }
+    // Create SLO Request
+    createRequest({ nameId, tenant, product, redirectUrl }) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let samlConfig = null;
+            if (tenant && product) {
+                const samlConfigs = yield this.configStore.getByIndex({
+                    name: utils_1.IndexNames.TenantProduct,
+                    value: dbutils.keyFromParts(tenant, product),
+                });
+                if (!samlConfigs || samlConfigs.length === 0) {
+                    throw new error_1.JacksonError('SAML configuration not found.', 403);
+                }
+                samlConfig = samlConfigs[0];
+            }
+            if (!samlConfig) {
+                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            }
+            const { idpMetadata: { slo, provider }, certs: { privateKey, publicKey }, } = samlConfig;
+            if ('redirectUrl' in slo === false && 'postUrl' in slo === false) {
+                throw new error_1.JacksonError(`${provider} doesn't support SLO or disabled by IdP.`, 400);
+            }
+            const { id, xml } = buildRequestXML(nameId, this.opts.samlAudience, slo.redirectUrl);
+            const sessionId = crypto_1.default.randomBytes(16).toString('hex');
+            let logoutUrl = null;
+            let logoutForm = null;
+            const relayState = relayStatePrefix + sessionId;
+            const signedXML = yield signXML(xml, privateKey, publicKey);
+            yield this.sessionStore.put(sessionId, {
+                id,
+                redirectUrl,
+            });
+            // HTTP-Redirect binding
+            if ('redirectUrl' in slo) {
+                logoutUrl = redirect.success(slo.redirectUrl, {
+                    SAMLRequest: Buffer.from(yield deflateRawAsync(signedXML)).toString('base64'),
+                    RelayState: relayState,
+                });
+            }
+            // HTTP-POST binding
+            if ('postUrl' in slo) {
+                logoutForm = (0, utils_1.createRequestForm)(relayState, encodeURI(Buffer.from(signedXML).toString('base64')), slo.postUrl);
+            }
+            return { logoutUrl, logoutForm };
+        });
+    }
+    // Handle SLO Response
+    handleResponse({ SAMLResponse, RelayState }) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+            const sessionId = RelayState.replace(relayStatePrefix, '');
+            const session = yield this.sessionStore.get(sessionId);
+            if (!session) {
+                throw new error_1.JacksonError('Unable to validate state from the origin request.', 403);
+            }
+            const parsedResponse = yield parseSAMLResponse(rawResponse);
+            if (parsedResponse.status !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+                throw new error_1.JacksonError(`SLO failed with status ${parsedResponse.status}.`, 400);
+            }
+            if (parsedResponse.inResponseTo !== session.id) {
+                throw new error_1.JacksonError(`SLO failed with mismatched request ID.`, 400);
+            }
+            const samlConfigs = yield this.configStore.getByIndex({
+                name: utils_1.IndexNames.EntityID,
+                value: parsedResponse.issuer,
+            });
+            if (!samlConfigs || samlConfigs.length === 0) {
+                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            }
+            const { idpMetadata, defaultRedirectUrl } = samlConfigs[0];
+            if (!(yield hasValidSignature(rawResponse, idpMetadata.thumbprint))) {
+                throw new error_1.JacksonError('Invalid signature.', 403);
+            }
+            try {
+                yield this.sessionStore.delete(sessionId);
+            }
+            catch (_err) {
+                // Ignore
+            }
+            return {
+                redirectUrl: (_a = session.redirectUrl) !== null && _a !== void 0 ? _a : defaultRedirectUrl,
+            };
+        });
+    }
+}
+exports.LogoutController = LogoutController;
+// Create the XML for the SLO Request
+const buildRequestXML = (nameId, providerName, sloUrl) => {
+    const id = '_' + crypto_1.default.randomBytes(10).toString('hex');
+    const xml = {
+        'samlp:LogoutRequest': {
+            '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
+            '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
+            '@ID': id,
+            '@Version': '2.0',
+            '@IssueInstant': new Date().toISOString(),
+            '@Destination': sloUrl,
+            'saml:Issuer': {
+                '#text': providerName,
+            },
+            'saml:NameID': {
+                '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+                '#text': nameId,
+            },
+        },
+    };
+    return {
+        id,
+        xml: xmlbuilder_1.default.create(xml).end({}),
+    };
+};
+// Parse SAMLResponse
+const parseSAMLResponse = (rawResponse) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        xml2js_1.default.parseString(rawResponse, { tagNameProcessors: [xml2js_1.default.processors.stripPrefix] }, (err, { LogoutResponse }) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve({
+                issuer: LogoutResponse.Issuer[0]._,
+                id: LogoutResponse.$.ID,
+                status: LogoutResponse.Status[0].StatusCode[0].$.Value,
+                destination: LogoutResponse.$.Destination,
+                inResponseTo: LogoutResponse.$.InResponseTo,
+            });
+        });
+    });
+});
+// Sign the XML
+const signXML = (xml, signingKey, publicKey) => __awaiter(void 0, void 0, void 0, function* () {
+    const sig = new xml_crypto_1.SignedXml();
+    sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
+    sig.keyInfoProvider = new saml_1.default.PubKeyInfo(publicKey);
+    sig.signingKey = signingKey;
+    sig.addReference("/*[local-name(.)='LogoutRequest']", ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#'], 'http://www.w3.org/2001/04/xmlenc#sha256');
+    sig.computeSignature(xml);
+    return sig.getSignedXml();
+});
+// Validate signature
+const hasValidSignature = (xml, certThumbprint) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        const doc = new xmldom_1.DOMParser().parseFromString(xml);
+        const signed = new xml_crypto_1.SignedXml();
+        let calculatedThumbprint;
+        const signature = (0, xml_crypto_1.xpath)(doc, "/*/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0] ||
+            (0, xml_crypto_1.xpath)(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0] ||
+            (0, xml_crypto_1.xpath)(doc, "/*/*/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];
+        signed.keyInfoProvider = {
+            getKey: function getKey(keyInfo) {
+                if (certThumbprint) {
+                    const embeddedSignature = keyInfo[0].getElementsByTagNameNS('http://www.w3.org/2000/09/xmldsig#', 'X509Certificate');
+                    if (embeddedSignature.length > 0) {
+                        const base64cer = embeddedSignature[0].firstChild.toString();
+                        calculatedThumbprint = thumbprint_1.default.calculate(base64cer);
+                        return saml_1.default.certToPEM(base64cer);
+                    }
+                }
+            },
+            getKeyInfo: function getKeyInfo() {
+                return '<X509Data></X509Data>';
+            },
+        };
+        signed.loadSignature(signature.toString());
+        try {
+            return resolve(signed.checkSignature(xml) && calculatedThumbprint.toUpperCase() === certThumbprint.toUpperCase());
+        }
+        catch (err) {
+            return reject(err);
+        }
+    });
+});

package/dist/controller/utils.d.ts

@@ -2,4 +2,5 @@ export declare enum IndexNames {
     EntityID = "entityID",
     TenantProduct = "tenantProduct"
 }
-export declare const createAuthorizeForm: (relayState: string, samlReqEnc: string, postUrl: string) => string;
+export declare const createRequestForm: (relayState: string, samlReqEnc: string, postUrl: string) => string;
+export declare const validateAbsoluteUrl: (url: any, message: any) => void;

package/dist/controller/utils.js

@@ -1,12 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAuthorizeForm = exports.IndexNames = void 0;
+exports.validateAbsoluteUrl = exports.createRequestForm = exports.IndexNames = void 0;
+const error_1 = require("./error");
 var IndexNames;
 (function (IndexNames) {
     IndexNames["EntityID"] = "entityID";
     IndexNames["TenantProduct"] = "tenantProduct";
 })(IndexNames = exports.IndexNames || (exports.IndexNames = {}));
-const createAuthorizeForm = (relayState, samlReqEnc, postUrl) => {
+const createRequestForm = (relayState, samlReqEnc, postUrl) => {
     const formElements = [
         '<!DOCTYPE html>',
         '<html>',
@@ -29,4 +30,13 @@ const createAuthorizeForm = (relayState, samlReqEnc, postUrl) => {
     ];
     return formElements.join('');
 };
-exports.createAuthorizeForm = createAuthorizeForm;
+exports.createRequestForm = createRequestForm;
+const validateAbsoluteUrl = (url, message) => {
+    try {
+        new URL(url);
+    }
+    catch (err) {
+        throw new error_1.JacksonError(message ? message : 'Invalid url', 400);
+    }
+};
+exports.validateAbsoluteUrl = validateAbsoluteUrl;

package/dist/db/mem.js

@@ -79,16 +79,16 @@ class Mem {
             take += skip;
             const returnValue = [];
             if (namespace) {
-                for (const key in this.store) {
-                    if (key.startsWith(namespace)) {
-                        if (count >= take) {
-                            break;
-                        }
-                        if (count >= skip) {
-                            returnValue.push(this.store[key]);
-                        }
-                        count++;
+                const val = Array.from(this.indexes[dbutils.keyFromParts(dbutils.createdAtPrefix, namespace)]);
+                const iterator = val.reverse().values();
+                for (const value of iterator) {
+                    if (count >= take) {
+                        break;
+                    }
+                    if (count >= skip) {
+                        returnValue.push(this.store[dbutils.keyFromParts(namespace, value)]);
                     }
+                    count++;
                 }
             }
             return returnValue || [];
@@ -108,9 +108,6 @@ class Mem {
         return __awaiter(this, void 0, void 0, function* () {
             const k = dbutils.key(namespace, key);
             this.store[k] = val;
-            if (!Date.parse(this.store['createdAt']))
-                this.store['createdAt'] = new Date().toISOString();
-            this.store['modifiedAt'] = new Date().toISOString();
             // console.log(this.store)
             if (ttl) {
                 this.ttlStore[k] = {
@@ -136,6 +133,26 @@ class Mem {
                 }
                 cleanup.add(idxKey);
             }
+            let createdAtSet = this.indexes[dbutils.keyFromParts(dbutils.createdAtPrefix, namespace)];
+            if (!createdAtSet) {
+                createdAtSet = new Set();
+                this.indexes[dbutils.keyFromParts(dbutils.createdAtPrefix, namespace)] = createdAtSet;
+                this.store['createdAt'] = new Date().toISOString();
+                createdAtSet.add(key);
+            }
+            else {
+                if (!this.indexes[dbutils.keyFromParts(dbutils.createdAtPrefix, namespace)].has(key)) {
+                    createdAtSet.add(key);
+                    this.store['createdAt'] = new Date().toISOString();
+                }
+            }
+            let modifiedAtSet = this.indexes[dbutils.keyFromParts(dbutils.modifiedAtPrefix, namespace)];
+            if (!modifiedAtSet) {
+                modifiedAtSet = new Set();
+                this.indexes[dbutils.keyFromParts(dbutils.modifiedAtPrefix, namespace)] = modifiedAtSet;
+            }
+            modifiedAtSet.add(key);
+            this.store['modifiedAt'] = new Date().toISOString();
         });
     }
     delete(namespace, key) {
@@ -148,6 +165,8 @@ class Mem {
             for (const dbKey of dbKeys || []) {
                 this.indexes[dbKey] && this.indexes[dbKey].delete(key);
             }
+            this.indexes[dbutils.keyFromParts(dbutils.createdAtPrefix, namespace)].delete(key);
+            this.indexes[dbutils.keyFromParts(dbutils.modifiedAtPrefix, namespace)].delete(key);
             delete this.cleanup[idxKey];
             delete this.ttlStore[k];
         });

package/dist/db/mongo.js

@@ -40,16 +40,9 @@ class Mongo {
     }
     init() {
         return __awaiter(this, void 0, void 0, function* () {
-            try {
-                if (!this.options.url) {
-                    throw Error('Please specify a db url');
-                }
-                this.client = new mongodb_1.MongoClient(this.options.url);
-                yield this.client.connect();
-            }
-            catch (err) {
-                console.error(`error connecting to ${this.options.type} db: ${err}`);
-            }
+            const dbUrl = this.options.url;
+            this.client = new mongodb_1.MongoClient(dbUrl);
+            yield this.client.connect();
             this.db = this.client.db();
             this.collection = this.db.collection('jacksonStore');
             yield this.collection.createIndex({ indexes: 1 });

package/dist/db/redis.js

@@ -79,16 +79,13 @@ class Redis {
             let count = 0;
             take += skip;
             try {
-                for (var _b = __asyncValues(this.client.scanIterator({
-                    MATCH: dbutils.keyFromParts(namespace, '*'),
-                    COUNT: Math.min(take, 1000),
-                })), _c; _c = yield _b.next(), !_c.done;) {
-                    const key = _c.value;
+                for (var _b = __asyncValues(this.client.zScanIterator(dbutils.keyFromParts(dbutils.createdAtPrefix, namespace), Math.min(take, 1000))), _c; _c = yield _b.next(), !_c.done;) {
+                    const { score, value } = _c.value;
                     if (count >= take) {
                         break;
                     }
                     if (count >= skip) {
-                        keyArray.push(key);
+                        keyArray.push(dbutils.keyFromParts(namespace, value));
                     }
                     count++;
                 }
@@ -137,6 +134,18 @@ class Redis {
                 tx = tx.sAdd(dbutils.keyFromParts(dbutils.indexPrefix, idxKey), key);
                 tx = tx.sAdd(dbutils.keyFromParts(dbutils.indexPrefix, k), idxKey);
             }
+            const timestamp = Number(Date.now());
+            //Converting Timestamp in negative so that when we get the value, it will be found in reverse order (descending order).
+            const negativeTimestamp = -Math.abs(timestamp);
+            const value = yield this.client.get(k);
+            if (!value) {
+                tx = tx.zAdd(dbutils.keyFromParts(dbutils.createdAtPrefix, namespace), [
+                    { score: negativeTimestamp, value: key },
+                ]);
+            }
+            tx = tx.zAdd(dbutils.keyFromParts(dbutils.modifiedAtPrefix, namespace), [
+                { score: negativeTimestamp, value: key },
+            ]);
             yield tx.exec();
         });
     }
@@ -151,6 +160,8 @@ class Redis {
             for (const dbKey of dbKeys || []) {
                 tx.sRem(dbutils.keyFromParts(dbutils.indexPrefix, dbKey), key);
             }
+            tx.ZREM(dbutils.keyFromParts(dbutils.createdAtPrefix, namespace), key);
+            tx.ZREM(dbutils.keyFromParts(dbutils.modifiedAtPrefix, namespace), key);
             tx.del(idxKey);
             return yield tx.exec();
         });

package/dist/db/sql/sql.d.ts

@@ -1,7 +1,7 @@
 import { DatabaseDriver, DatabaseOption, Index, Encrypted } from '../../typings';
 declare class Sql implements DatabaseDriver {
     private options;
-    private connection;
+    private dataSource;
     private storeRepository;
     private indexRepository;
     private ttlRepository;

package/dist/db/sql/sql.js

@@ -47,8 +47,8 @@ class Sql {
         return __awaiter(this, void 0, void 0, function* () {
             while (true) {
                 try {
-                    this.connection = yield (0, typeorm_1.createConnection)({
-                        name: this.options.type + Math.floor(Math.random() * 100000),
+                    this.dataSource = new typeorm_1.DataSource({
+                        // name: this.options.type! + Math.floor(Math.random() * 100000),
                         type: this.options.type,
                         url: this.options.url,
                         synchronize: true,
@@ -56,6 +56,7 @@ class Sql {
                         logging: ['error'],
                         entities: [JacksonStore_1.JacksonStore, JacksonIndex_1.JacksonIndex, JacksonTTL_1.JacksonTTL],
                     });
+                    yield this.dataSource.initialize();
                     break;
                 }
                 catch (err) {
@@ -64,9 +65,9 @@ class Sql {
                     continue;
                 }
             }
-            this.storeRepository = this.connection.getRepository(JacksonStore_1.JacksonStore);
-            this.indexRepository = this.connection.getRepository(JacksonIndex_1.JacksonIndex);
-            this.ttlRepository = this.connection.getRepository(JacksonTTL_1.JacksonTTL);
+            this.storeRepository = this.dataSource.getRepository(JacksonStore_1.JacksonStore);
+            this.indexRepository = this.dataSource.getRepository(JacksonIndex_1.JacksonIndex);
+            this.ttlRepository = this.dataSource.getRepository(JacksonTTL_1.JacksonTTL);
             if (this.options.ttl && this.options.cleanupLimit) {
                 this.ttlCleanup = () => __awaiter(this, void 0, void 0, function* () {
                     const now = Date.now();
@@ -99,7 +100,7 @@ class Sql {
     }
     get(namespace, key) {
         return __awaiter(this, void 0, void 0, function* () {
-            const res = yield this.storeRepository.findOne({
+            const res = yield this.storeRepository.findOneBy({
                 key: dbutils.key(namespace, key),
             });
             if (res && res.value) {
@@ -133,7 +134,7 @@ class Sql {
     }
     getByIndex(namespace, idx) {
         return __awaiter(this, void 0, void 0, function* () {
-            const res = yield this.indexRepository.find({
+            const res = yield this.indexRepository.findBy({
                 key: dbutils.keyForIndex(namespace, idx),
             });
             const ret = [];
@@ -151,7 +152,7 @@ class Sql {
     }
     put(namespace, key, val, ttl = 0, ...indexes) {
         return __awaiter(this, void 0, void 0, function* () {
-            yield this.connection.transaction((transactionalEntityManager) => __awaiter(this, void 0, void 0, function* () {
+            yield this.dataSource.transaction((transactionalEntityManager) => __awaiter(this, void 0, void 0, function* () {
                 const dbKey = dbutils.key(namespace, key);
                 const store = new JacksonStore_1.JacksonStore();
                 store.key = dbKey;
@@ -169,7 +170,7 @@ class Sql {
                 // no ttl support for secondary indexes
                 for (const idx of indexes || []) {
                     const key = dbutils.keyForIndex(namespace, idx);
-                    const rec = yield this.indexRepository.findOne({
+                    const rec = yield this.indexRepository.findOneBy({
                         key,
                         storeKey: store.key,
                     });

package/dist/db/utils.d.ts

@@ -6,3 +6,5 @@ export declare const keyFromParts: (...parts: string[]) => string;
 export declare const sleep: (ms: number) => Promise<void>;
 export declare function isNumeric(num: any): boolean;
 export declare const indexPrefix = "_index";
+export declare const createdAtPrefix = "_createdAt";
+export declare const modifiedAtPrefix = "_modifiedAt";

package/dist/db/utils.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.indexPrefix = exports.isNumeric = exports.sleep = exports.keyFromParts = exports.keyDigest = exports.keyForIndex = exports.key = void 0;
+exports.modifiedAtPrefix = exports.createdAtPrefix = exports.indexPrefix = exports.isNumeric = exports.sleep = exports.keyFromParts = exports.keyDigest = exports.keyForIndex = exports.key = void 0;
 const ripemd160_1 = __importDefault(require("ripemd160"));
 const key = (namespace, k) => {
     return namespace + ':' + k;
@@ -31,3 +31,5 @@ function isNumeric(num) {
 }
 exports.isNumeric = isNumeric;
 exports.indexPrefix = '_index';
+exports.createdAtPrefix = '_createdAt';
+exports.modifiedAtPrefix = '_modifiedAt';

package/dist/index.d.ts

@@ -1,11 +1,15 @@
+import { AdminController } from './controller/admin';
 import { APIController } from './controller/api';
 import { OAuthController } from './controller/oauth';
-import { AdminController } from './controller/admin';
+import { HealthCheckController } from './controller/health-check';
+import { LogoutController } from './controller/signout';
 import { JacksonOption } from './typings';
 export declare const controllers: (opts: JacksonOption) => Promise<{
     apiController: APIController;
     oauthController: OAuthController;
     adminController: AdminController;
+    logoutController: LogoutController;
+    healthCheckController: HealthCheckController;
 }>;
 export default controllers;
 export * from './typings';

package/dist/index.js

@@ -27,12 +27,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.controllers = void 0;
+const admin_1 = require("./controller/admin");
 const api_1 = require("./controller/api");
 const oauth_1 = require("./controller/oauth");
-const admin_1 = require("./controller/admin");
+const health_check_1 = require("./controller/health-check");
+const signout_1 = require("./controller/signout");
 const db_1 = __importDefault(require("./db/db"));
-const read_config_1 = __importDefault(require("./read-config"));
 const defaultDb_1 = __importDefault(require("./db/defaultDb"));
+const read_config_1 = __importDefault(require("./read-config"));
 const defaultOpts = (opts) => {
     const newOpts = Object.assign({}, opts);
     if (!newOpts.externalUrl) {
@@ -56,8 +58,11 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
     const sessionStore = db.store('oauth:session', opts.db.ttl);
     const codeStore = db.store('oauth:code', opts.db.ttl);
     const tokenStore = db.store('oauth:token', opts.db.ttl);
+    const healthCheckStore = db.store('_health');
     const apiController = new api_1.APIController({ configStore });
     const adminController = new admin_1.AdminController({ configStore });
+    const healthCheckController = new health_check_1.HealthCheckController({ healthCheckStore });
+    yield healthCheckController.init();
     const oauthController = new oauth_1.OAuthController({
         configStore,
         sessionStore,
@@ -65,6 +70,11 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
         tokenStore,
         opts,
     });
+    const logoutController = new signout_1.LogoutController({
+        configStore,
+        sessionStore,
+        opts,
+    });
     // write pre-loaded config if present
     if (opts.preLoadedConfig && opts.preLoadedConfig.length > 0) {
         const configs = yield (0, read_config_1.default)(opts.preLoadedConfig);
@@ -79,6 +89,8 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
         apiController,
         oauthController,
         adminController,
+        logoutController,
+        healthCheckController,
     };
 });
 exports.controllers = controllers;

package/dist/saml/saml.d.ts

@@ -1,5 +1,6 @@
 import { SAMLProfile, SAMLReq } from '../typings';
 export declare const stripCertHeaderAndFooter: (cert: string) => string;
+declare function PubKeyInfo(this: any, pubKey: string): void;
 declare const _default: {
     request: ({ ssoUrl, entityID, callbackUrl, isPassive, forceAuthn, identifierFormat, providerName, signingKey, publicKey, }: SAMLReq) => {
         id: string;
@@ -8,5 +9,7 @@ declare const _default: {
     parseAsync: (rawAssertion: string) => Promise<SAMLProfile>;
     validateAsync: (rawAssertion: string, options: any) => Promise<SAMLProfile>;
     parseMetadataAsync: (idpMeta: string) => Promise<Record<string, any>>;
+    PubKeyInfo: typeof PubKeyInfo;
+    certToPEM: (cert: string) => string;
 };
 export default _default;

package/dist/saml/saml.js

@@ -37,12 +37,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.stripCertHeaderAndFooter = void 0;
 const saml20_1 = __importDefault(require("@boxyhq/saml20"));
-const xml2js_1 = __importDefault(require("xml2js"));
+const crypto_1 = __importDefault(require("crypto"));
+const rambda = __importStar(require("rambda"));
 const thumbprint_1 = __importDefault(require("thumbprint"));
 const xml_crypto_1 = __importDefault(require("xml-crypto"));
-const rambda = __importStar(require("rambda"));
+const xml2js_1 = __importDefault(require("xml2js"));
 const xmlbuilder_1 = __importDefault(require("xmlbuilder"));
-const crypto_1 = __importDefault(require("crypto"));
 const claims_1 = __importDefault(require("./claims"));
 const idPrefix = '_';
 const authnXPath = '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
@@ -162,6 +162,8 @@ const parseMetadataAsync = (idpMeta) => __awaiter(void 0, void 0, void 0, functi
             let ssoPostUrl = null;
             let ssoRedirectUrl = null;
             let loginType = 'idp';
+            let sloRedirectUrl = null;
+            let sloPostUrl = null;
             let ssoDes = rambda.pathOr(null, 'EntityDescriptor.IDPSSODescriptor', res);
             if (!ssoDes) {
                 ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
@@ -187,9 +189,19 @@ const parseMetadataAsync = (idpMeta) => __awaiter(void 0, void 0, void 0, functi
                         ssoRedirectUrl = rambda.path('$.Location', ssoSvcRec);
                     }
                 }
+                const sloSvc = ssoDesRec['SingleLogoutService'] || [];
+                for (const sloSvcRec of sloSvc) {
+                    if (rambda.pathOr('', '$.Binding', sloSvcRec).endsWith('HTTP-Redirect')) {
+                        sloRedirectUrl = rambda.path('$.Location', sloSvcRec);
+                    }
+                    else if (rambda.pathOr('', '$.Binding', sloSvcRec).endsWith('HTTP-POST')) {
+                        sloPostUrl = rambda.path('$.Location', sloSvcRec);
+                    }
+                }
             }
             const ret = {
                 sso: {},
+                slo: {},
             };
             if (entityID) {
                 ret.entityID = entityID;
@@ -203,9 +215,26 @@ const parseMetadataAsync = (idpMeta) => __awaiter(void 0, void 0, void 0, functi
             if (ssoRedirectUrl) {
                 ret.sso.redirectUrl = ssoRedirectUrl;
             }
+            if (sloRedirectUrl) {
+                ret.slo.redirectUrl = sloRedirectUrl;
+            }
+            if (sloPostUrl) {
+                ret.slo.postUrl = sloPostUrl;
+            }
             ret.loginType = loginType;
             resolve(ret);
         });
     });
 });
-exports.default = { request, parseAsync, validateAsync, parseMetadataAsync };
+const certToPEM = (cert) => {
+    if (cert.indexOf('BEGIN CERTIFICATE') === -1 && cert.indexOf('END CERTIFICATE') === -1) {
+        const matches = cert.match(/.{1,64}/g);
+        if (matches) {
+            cert = matches.join('\n');
+            cert = '-----BEGIN CERTIFICATE-----\n' + cert;
+            cert = cert + '\n-----END CERTIFICATE-----\n';
+        }
+    }
+    return cert;
+};
+exports.default = { request, parseAsync, validateAsync, parseMetadataAsync, PubKeyInfo, certToPEM };

package/dist/typings.d.ts

@@ -1,6 +1,6 @@
 export declare type IdPConfig = {
     defaultRedirectUrl: string;
-    redirectUrl: string;
+    redirectUrl: string[] | string;
     tenant: string;
     product: string;
     name: string;
@@ -37,6 +37,12 @@ export interface IOAuthController {
 export interface IAdminController {
     getAllConfig(pageOffset?: number, pageLimit?: number): any;
 }
+export interface IHealthCheckController {
+    status(): Promise<{
+        status: number;
+    }>;
+    init(): Promise<void>;
+}
 export interface OAuthReqBody {
     response_type: 'code';
     client_id: string;
@@ -131,3 +137,39 @@ export interface JacksonOption {
     db: DatabaseOption;
     clientSecretVerifier?: string;
 }
+export interface SLORequestParams {
+    nameId: string;
+    tenant: string;
+    product: string;
+    redirectUrl?: string;
+}
+interface Metadata {
+    sso: {
+        postUrl?: string;
+        redirectUrl: string;
+    };
+    slo: {
+        redirectUrl?: string;
+        postUrl?: string;
+    };
+    entityID: string;
+    thumbprint: string;
+    loginType: 'idp';
+    provider: string;
+}
+export interface SAMLConfig {
+    idpMetadata: Metadata;
+    certs: {
+        privateKey: string;
+        publicKey: string;
+    };
+    defaultRedirectUrl: string;
+}
+export interface ILogoutController {
+    createRequest(body: SLORequestParams): Promise<{
+        logoutUrl: string | null;
+        logoutForm: string | null;
+    }>;
+    handleResponse(body: SAMLResponsePayload): Promise<any>;
+}
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.5.1",
+  "version": "1.0.0",
   "description": "SAML Jackson library",
   "keywords": [
     "SAML 2.0"
@@ -18,12 +18,12 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "db:migration:generate:postgres": "ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n createdAt",
-    "db:migration:generate:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n createdAt",
-    "db:migration:generate:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n createdAt",
-    "db:migration:run:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run",
-    "db:migration:run:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run",
-    "db:migration:run:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run",
+    "db:migration:generate:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts  migration/postgres/pg_${MIGRATION_NAME}",
+    "db:migration:generate:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mysql/ms_${MIGRATION_NAME}",
+    "db:migration:generate:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mariadb/md_${MIGRATION_NAME}",
+    "db:migration:run:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
+    "db:migration:run:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
+    "db:migration:run:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "prepublishOnly": "npm run build",
     "test": "tap --ts --timeout=100 --coverage test/**/*.test.ts",
     "sort": "npx sort-package-json"
@@ -36,7 +36,7 @@
     "statements": 70
   },
   "dependencies": {
-    "@boxyhq/saml20": "0.2.0",
+    "@boxyhq/saml20": "0.2.1",
     "@opentelemetry/api-metrics": "0.27.0",
     "@peculiar/webcrypto": "1.3.2",
     "@peculiar/x509": "1.6.1",
@@ -48,25 +48,25 @@
     "reflect-metadata": "0.1.13",
     "ripemd160": "2.0.2",
     "thumbprint": "0.0.1",
-    "typeorm": "0.2.45",
+    "typeorm": "0.3.3",
     "xml-crypto": "2.1.3",
     "xml2js": "0.4.23",
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
-    "@types/node": "17.0.21",
+    "@types/node": "17.0.23",
     "@types/sinon": "10.0.11",
     "@types/tap": "15.0.6",
-    "@typescript-eslint/eslint-plugin": "5.15.0",
-    "@typescript-eslint/parser": "5.15.0",
+    "@typescript-eslint/eslint-plugin": "5.16.0",
+    "@typescript-eslint/parser": "5.16.0",
     "cross-env": "7.0.3",
     "eslint": "8.11.0",
     "eslint-config-prettier": "8.5.0",
     "prettier": "2.6.0",
     "sinon": "13.0.1",
-    "tap": "16.0.0",
+    "tap": "16.0.1",
     "ts-node": "10.7.0",
-    "tsconfig-paths": "3.14.0",
+    "tsconfig-paths": "3.14.1",
     "typescript": "4.6.2"
   },
   "engines": {