@boxyhq/saml-jackson 0.5.1 → 1.0.2

package/dist/typings.d.ts

@@ -1,6 +1,6 @@
 export declare type IdPConfig = {
     defaultRedirectUrl: string;
-    redirectUrl: string;
+    redirectUrl: string[] | string;
     tenant: string;
     product: string;
     name: string;
@@ -29,7 +29,8 @@ export interface IOAuthController {
         authorize_form?: string;
     }>;
     samlResponse(body: SAMLResponsePayload): Promise<{
-        redirect_url: string;
+        redirect_url?: string;
+        app_select_form?: string;
     }>;
     token(body: OAuthTokenReq): Promise<OAuthTokenRes>;
     userInfo(token: string): Promise<Profile>;
@@ -37,20 +38,28 @@ export interface IOAuthController {
 export interface IAdminController {
     getAllConfig(pageOffset?: number, pageLimit?: number): any;
 }
+export interface IHealthCheckController {
+    status(): Promise<{
+        status: number;
+    }>;
+    init(): Promise<void>;
+}
 export interface OAuthReqBody {
     response_type: 'code';
     client_id: string;
     redirect_uri: string;
     state: string;
-    tenant: string;
-    product: string;
+    tenant?: string;
+    product?: string;
     code_challenge: string;
     code_challenge_method: 'plain' | 'S256' | '';
     provider: 'saml';
+    idp_hint?: string;
 }
 export interface SAMLResponsePayload {
     SAMLResponse: string;
     RelayState: string;
+    idp_hint?: string;
 }
 export interface OAuthTokenReq {
     client_id: string;
@@ -105,23 +114,6 @@ export interface DatabaseOption {
     encryptionKey?: string;
     pageLimit?: number;
 }
-export interface SAMLReq {
-    ssoUrl?: string;
-    entityID: string;
-    callbackUrl: string;
-    isPassive?: boolean;
-    forceAuthn?: boolean;
-    identifierFormat?: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
-    providerName?: 'BoxyHQ';
-    signingKey: string;
-    publicKey: string;
-}
-export interface SAMLProfile {
-    audience: string;
-    claims: Record<string, any>;
-    issuer: string;
-    sessionIndex: string;
-}
 export interface JacksonOption {
     externalUrl: string;
     samlPath: string;
@@ -130,4 +122,41 @@ export interface JacksonOption {
     idpEnabled?: boolean;
     db: DatabaseOption;
     clientSecretVerifier?: string;
+    idpDiscoveryPath?: string;
+}
+export interface SLORequestParams {
+    nameId: string;
+    tenant: string;
+    product: string;
+    redirectUrl?: string;
+}
+interface Metadata {
+    sso: {
+        postUrl?: string;
+        redirectUrl: string;
+    };
+    slo: {
+        redirectUrl?: string;
+        postUrl?: string;
+    };
+    entityID: string;
+    thumbprint: string;
+    loginType: 'idp';
+    provider: string;
+}
+export interface SAMLConfig {
+    idpMetadata: Metadata;
+    certs: {
+        privateKey: string;
+        publicKey: string;
+    };
+    defaultRedirectUrl: string;
+}
+export interface ILogoutController {
+    createRequest(body: SLORequestParams): Promise<{
+        logoutUrl: string | null;
+        logoutForm: string | null;
+    }>;
+    handleResponse(body: SAMLResponsePayload): Promise<any>;
 }
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.5.1",
+  "version": "1.0.2",
   "description": "SAML Jackson library",
   "keywords": [
     "SAML 2.0"
@@ -18,12 +18,12 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "db:migration:generate:postgres": "ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n createdAt",
-    "db:migration:generate:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n createdAt",
-    "db:migration:generate:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js migration:generate --config ormconfig.js  -n createdAt",
-    "db:migration:run:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run",
-    "db:migration:run:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run",
-    "db:migration:run:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run",
+    "db:migration:generate:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts  migration/postgres/pg_${MIGRATION_NAME}",
+    "db:migration:generate:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mysql/ms_${MIGRATION_NAME}",
+    "db:migration:generate:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mariadb/md_${MIGRATION_NAME}",
+    "db:migration:run:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
+    "db:migration:run:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
+    "db:migration:run:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "prepublishOnly": "npm run build",
     "test": "tap --ts --timeout=100 --coverage test/**/*.test.ts",
     "sort": "npx sort-package-json"
@@ -36,38 +36,35 @@
     "statements": 70
   },
   "dependencies": {
-    "@boxyhq/saml20": "0.2.0",
+    "@boxyhq/saml20": "1.0.2",
     "@opentelemetry/api-metrics": "0.27.0",
-    "@peculiar/webcrypto": "1.3.2",
+    "@peculiar/webcrypto": "1.3.3",
     "@peculiar/x509": "1.6.1",
-    "mongodb": "4.4.1",
+    "mongodb": "4.5.0",
     "mysql2": "2.3.3",
     "pg": "8.7.3",
-    "rambda": "7.0.3",
-    "redis": "4.0.4",
+    "redis": "4.0.6",
     "reflect-metadata": "0.1.13",
     "ripemd160": "2.0.2",
-    "thumbprint": "0.0.1",
-    "typeorm": "0.2.45",
-    "xml-crypto": "2.1.3",
+    "typeorm": "0.3.6",
     "xml2js": "0.4.23",
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
-    "@types/node": "17.0.21",
+    "@types/node": "17.0.30",
     "@types/sinon": "10.0.11",
-    "@types/tap": "15.0.6",
-    "@typescript-eslint/eslint-plugin": "5.15.0",
-    "@typescript-eslint/parser": "5.15.0",
+    "@types/tap": "15.0.7",
+    "@typescript-eslint/eslint-plugin": "5.21.0",
+    "@typescript-eslint/parser": "5.21.0",
     "cross-env": "7.0.3",
-    "eslint": "8.11.0",
+    "eslint": "8.14.0",
     "eslint-config-prettier": "8.5.0",
-    "prettier": "2.6.0",
-    "sinon": "13.0.1",
-    "tap": "16.0.0",
+    "prettier": "2.6.2",
+    "sinon": "13.0.2",
+    "tap": "16.1.0",
     "ts-node": "10.7.0",
-    "tsconfig-paths": "3.14.0",
-    "typescript": "4.6.2"
+    "tsconfig-paths": "3.14.1",
+    "typescript": "4.6.4"
   },
   "engines": {
     "node": ">=14.18.1 <=16.x"

package/dist/saml/saml.d.ts

@@ -1,12 +0,0 @@
-import { SAMLProfile, SAMLReq } from '../typings';
-export declare const stripCertHeaderAndFooter: (cert: string) => string;
-declare const _default: {
-    request: ({ ssoUrl, entityID, callbackUrl, isPassive, forceAuthn, identifierFormat, providerName, signingKey, publicKey, }: SAMLReq) => {
-        id: string;
-        request: string;
-    };
-    parseAsync: (rawAssertion: string) => Promise<SAMLProfile>;
-    validateAsync: (rawAssertion: string, options: any) => Promise<SAMLProfile>;
-    parseMetadataAsync: (idpMeta: string) => Promise<Record<string, any>>;
-};
-export default _default;

package/dist/saml/saml.js

@@ -1,211 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.stripCertHeaderAndFooter = void 0;
-const saml20_1 = __importDefault(require("@boxyhq/saml20"));
-const xml2js_1 = __importDefault(require("xml2js"));
-const thumbprint_1 = __importDefault(require("thumbprint"));
-const xml_crypto_1 = __importDefault(require("xml-crypto"));
-const rambda = __importStar(require("rambda"));
-const xmlbuilder_1 = __importDefault(require("xmlbuilder"));
-const crypto_1 = __importDefault(require("crypto"));
-const claims_1 = __importDefault(require("./claims"));
-const idPrefix = '_';
-const authnXPath = '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
-const issuerXPath = '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
-const stripCertHeaderAndFooter = (cert) => {
-    cert = cert.replace(/-+BEGIN CERTIFICATE-+\r?\n?/, '');
-    cert = cert.replace(/-+END CERTIFICATE-+\r?\n?/, '');
-    cert = cert.replace(/\r\n/g, '\n');
-    return cert;
-};
-exports.stripCertHeaderAndFooter = stripCertHeaderAndFooter;
-function PubKeyInfo(pubKey) {
-    this.pubKey = (0, exports.stripCertHeaderAndFooter)(pubKey);
-    this.getKeyInfo = function (_key, prefix) {
-        prefix = prefix || '';
-        prefix = prefix ? prefix + ':' : prefix;
-        return `<${prefix}X509Data><${prefix}X509Certificate>${this.pubKey}</${prefix}X509Certificate</${prefix}X509Data>`;
-    };
-}
-const signRequest = (xml, signingKey, publicKey) => {
-    if (!xml) {
-        throw new Error('Please specify xml');
-    }
-    if (!signingKey) {
-        throw new Error('Please specify signingKey');
-    }
-    const sig = new xml_crypto_1.default.SignedXml();
-    sig.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
-    sig.keyInfoProvider = new PubKeyInfo(publicKey);
-    sig.signingKey = signingKey;
-    sig.addReference(authnXPath, ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#'], 'http://www.w3.org/2001/04/xmlenc#sha256');
-    sig.computeSignature(xml, {
-        location: { reference: authnXPath + issuerXPath, action: 'after' },
-    });
-    return sig.getSignedXml();
-};
-const request = ({ ssoUrl, entityID, callbackUrl, isPassive = false, forceAuthn = false, identifierFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', providerName = 'BoxyHQ', signingKey, publicKey, }) => {
-    const id = idPrefix + crypto_1.default.randomBytes(10).toString('hex');
-    const date = new Date().toISOString();
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const samlReq = {
-        'samlp:AuthnRequest': {
-            '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-            '@ID': id,
-            '@Version': '2.0',
-            '@IssueInstant': date,
-            '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-            '@Destination': ssoUrl,
-            'saml:Issuer': {
-                '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
-                '#text': entityID,
-            },
-        },
-    };
-    if (isPassive)
-        samlReq['samlp:AuthnRequest']['@IsPassive'] = true;
-    if (forceAuthn) {
-        samlReq['samlp:AuthnRequest']['@ForceAuthn'] = true;
-    }
-    samlReq['samlp:AuthnRequest']['@AssertionConsumerServiceURL'] = callbackUrl;
-    samlReq['samlp:AuthnRequest']['samlp:NameIDPolicy'] = {
-        '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
-        '@Format': identifierFormat,
-        '@AllowCreate': 'true',
-    };
-    if (providerName != null) {
-        samlReq['samlp:AuthnRequest']['@ProviderName'] = providerName;
-    }
-    let xml = xmlbuilder_1.default.create(samlReq).end({});
-    if (signingKey) {
-        xml = signRequest(xml, signingKey, publicKey);
-    }
-    return {
-        id,
-        request: xml,
-    };
-};
-const parseAsync = (rawAssertion) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        saml20_1.default.parse(rawAssertion, function onParseAsync(err, profile) {
-            if (err) {
-                reject(err);
-                return;
-            }
-            resolve(profile);
-        });
-    });
-});
-const validateAsync = (rawAssertion, options) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        saml20_1.default.validate(rawAssertion, options, function onValidateAsync(err, profile) {
-            if (err) {
-                reject(err);
-                return;
-            }
-            if (profile && profile.claims) {
-                // we map claims to our attributes id, email, firstName, lastName where possible. We also map original claims to raw
-                profile.claims = claims_1.default.map(profile.claims);
-                // some providers don't return the id in the assertion, we set it to a sha256 hash of the email
-                if (!profile.claims.id) {
-                    profile.claims.id = crypto_1.default.createHash('sha256').update(profile.claims.email).digest('hex');
-                }
-            }
-            resolve(profile);
-        });
-    });
-});
-const parseMetadataAsync = (idpMeta) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        xml2js_1.default.parseString(idpMeta, { tagNameProcessors: [xml2js_1.default.processors.stripPrefix] }, (err, res) => {
-            if (err) {
-                reject(err);
-                return;
-            }
-            const entityID = rambda.path('EntityDescriptor.$.entityID', res);
-            let X509Certificate = null;
-            let ssoPostUrl = null;
-            let ssoRedirectUrl = null;
-            let loginType = 'idp';
-            let ssoDes = rambda.pathOr(null, 'EntityDescriptor.IDPSSODescriptor', res);
-            if (!ssoDes) {
-                ssoDes = rambda.pathOr([], 'EntityDescriptor.SPSSODescriptor', res);
-                if (!ssoDes) {
-                    loginType = 'sp';
-                }
-            }
-            for (const ssoDesRec of ssoDes) {
-                const keyDes = ssoDesRec['KeyDescriptor'];
-                for (const keyDesRec of keyDes) {
-                    if (keyDesRec['$'] && keyDesRec['$'].use === 'signing') {
-                        const ki = keyDesRec['KeyInfo'][0];
-                        const cd = ki['X509Data'][0];
-                        X509Certificate = cd['X509Certificate'][0];
-                    }
-                }
-                const ssoSvc = ssoDesRec['SingleSignOnService'] || ssoDesRec['AssertionConsumerService'] || [];
-                for (const ssoSvcRec of ssoSvc) {
-                    if (rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-POST')) {
-                        ssoPostUrl = rambda.path('$.Location', ssoSvcRec);
-                    }
-                    else if (rambda.pathOr('', '$.Binding', ssoSvcRec).endsWith('HTTP-Redirect')) {
-                        ssoRedirectUrl = rambda.path('$.Location', ssoSvcRec);
-                    }
-                }
-            }
-            const ret = {
-                sso: {},
-            };
-            if (entityID) {
-                ret.entityID = entityID;
-            }
-            if (X509Certificate) {
-                ret.thumbprint = thumbprint_1.default.calculate(X509Certificate);
-            }
-            if (ssoPostUrl) {
-                ret.sso.postUrl = ssoPostUrl;
-            }
-            if (ssoRedirectUrl) {
-                ret.sso.redirectUrl = ssoRedirectUrl;
-            }
-            ret.loginType = loginType;
-            resolve(ret);
-        });
-    });
-});
-exports.default = { request, parseAsync, validateAsync, parseMetadataAsync };