@boxyhq/saml-jackson 1.0.6 → 1.1.1

package/dist/controller/api.js

@@ -187,7 +187,7 @@ class APIController {
             if (encodedRawMetadata) {
                 metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
             }
-            const idpMetadata = yield saml20_1.default.parseMetadataAsync(metaData);
+            const idpMetadata = yield saml20_1.default.parseMetadata(metaData, {});
             // extract provider
             let providerName = extractHostName(idpMetadata.entityID);
             if (!providerName) {
@@ -323,7 +323,7 @@ class APIController {
             }
             let newMetadata;
             if (metaData) {
-                newMetadata = yield saml20_1.default.parseMetadataAsync(metaData);
+                newMetadata = yield saml20_1.default.parseMetadata(metaData, {});
                 // extract provider
                 let providerName = extractHostName(newMetadata.entityID);
                 if (!providerName) {

package/dist/controller/oauth.js

@@ -39,6 +39,7 @@ exports.OAuthController = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 const util_1 = require("util");
 const zlib_1 = require("zlib");
+const jose = __importStar(require("jose"));
 const dbutils = __importStar(require("../db/utils"));
 const metrics = __importStar(require("../opentelemetry/metrics"));
 const saml20_1 = __importDefault(require("@boxyhq/saml20"));
@@ -78,6 +79,9 @@ function getEncodedTenantProduct(param) {
         return null;
     }
 }
+function getScopeValues(scope) {
+    return typeof scope === 'string' ? scope.split(' ').filter((s) => s.length > 0) : [];
+}
 class OAuthController {
     constructor({ configStore, sessionStore, codeStore, tokenStore, opts }) {
         this.configStore = configStore;
@@ -128,7 +132,7 @@ class OAuthController {
     }
     authorize(body) {
         return __awaiter(this, void 0, void 0, function* () {
-            const { response_type = 'code', client_id, redirect_uri, state, tenant, product, access_type, scope, code_challenge, code_challenge_method = '', 
+            const { response_type = 'code', client_id, redirect_uri, state, tenant, product, access_type, resource, scope, nonce, code_challenge, code_challenge_method = '', 
             // eslint-disable-next-line @typescript-eslint/no-unused-vars
             provider = 'saml', idp_hint, } = body;
             let requestedTenant = tenant;
@@ -138,6 +142,8 @@ class OAuthController {
                 throw new error_1.JacksonError('Please specify a redirect URL.', 400);
             }
             let samlConfig;
+            const requestedScopes = getScopeValues(scope);
+            const requestedOIDCFlow = requestedScopes.includes('openid');
             if (tenant && product) {
                 const samlConfigs = yield this.configStore.getByIndex({
                     name: utils_1.IndexNames.TenantProduct,
@@ -172,8 +178,14 @@ class OAuthController {
                 if (!sp && access_type) {
                     sp = getEncodedTenantProduct(access_type);
                 }
-                if (!sp && scope) {
-                    sp = getEncodedTenantProduct(scope);
+                if (!sp && resource) {
+                    sp = getEncodedTenantProduct(resource);
+                }
+                if (!sp && requestedScopes) {
+                    const encodedParams = requestedScopes.find((scope) => scope.includes('=') && scope.includes('&')); // for now assume only one encoded param i.e. for tenant/product
+                    if (encodedParams) {
+                        sp = getEncodedTenantProduct(encodedParams);
+                    }
                 }
                 if (sp && sp.tenant && sp.product) {
                     requestedTenant = sp.tenant;
@@ -222,6 +234,16 @@ class OAuthController {
             if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
                 throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
             }
+            if (requestedOIDCFlow &&
+                (!this.opts.openid.jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(this.opts.openid.jwtSigningKeys))) {
+                return {
+                    redirect_url: (0, utils_1.OAuthErrorResponse)({
+                        error: 'server_error',
+                        error_description: 'OAuth server not configured correctly for openid flow, check if JWT signing keys are loaded',
+                        redirect_uri,
+                    }),
+                };
+            }
             if (!state) {
                 return {
                     redirect_url: (0, utils_1.OAuthErrorResponse)({
@@ -282,6 +304,15 @@ class OAuthController {
                 if (idp_hint) {
                     requested.idp_hint = idp_hint;
                 }
+                if (requestedOIDCFlow) {
+                    requested.oidc = true;
+                    if (nonce) {
+                        requested.nonce = nonce;
+                    }
+                }
+                if (requestedScopes) {
+                    requested.scope = requestedScopes;
+                }
                 yield this.sessionStore.put(sessionId, {
                     id: samlReq.id,
                     redirect_uri,
@@ -563,6 +594,27 @@ class OAuthController {
             // store details against a token
             const token = crypto_1.default.randomBytes(20).toString('hex');
             const tokenVal = Object.assign(Object.assign({}, codeVal.profile), { requested: codeVal.requested });
+            const requestedOIDCFlow = !!codeVal.requested.oidc;
+            const requestHasNonce = !!codeVal.requested.nonce;
+            if (requestedOIDCFlow) {
+                const { jwtSigningKeys, jwsAlg } = this.opts.openid;
+                if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
+                    throw new error_1.JacksonError('JWT signing keys are not loaded', 500);
+                }
+                let claims = requestHasNonce ? { nonce: codeVal.requested.nonce } : {};
+                claims = Object.assign(Object.assign({}, claims), { id: codeVal.profile.claims.id, email: codeVal.profile.claims.email, firstName: codeVal.profile.claims.firstName, lastName: codeVal.profile.claims.lastName });
+                const signingKey = yield (0, utils_1.loadJWSPrivateKey)(jwtSigningKeys.private, jwsAlg);
+                const id_token = yield new jose.SignJWT(claims)
+                    .setProtectedHeader({ alg: jwsAlg })
+                    .setIssuedAt()
+                    .setIssuer(this.opts.samlAudience || '')
+                    .setSubject(codeVal.profile.claims.id)
+                    .setAudience(tokenVal.requested.client_id)
+                    .setExpirationTime(`${this.opts.db.ttl}s`) //  identity token only really needs to be valid long enough for it to be verified by the client application.
+                    .sign(signingKey);
+                tokenVal.id_token = id_token;
+                tokenVal.claims.sub = codeVal.profile.claims.id;
+            }
             yield this.tokenStore.put(token, tokenVal);
             // delete the code
             try {
@@ -571,11 +623,15 @@ class OAuthController {
             catch (_err) {
                 // ignore error
             }
-            return {
+            const tokenResponse = {
                 access_token: token,
                 token_type: 'bearer',
                 expires_in: this.opts.db.ttl,
             };
+            if (requestedOIDCFlow) {
+                tokenResponse.id_token = tokenVal.id_token;
+            }
+            return tokenResponse;
         });
     }
     /**

package/dist/controller/oidc-discovery.d.ts

@@ -0,0 +1,50 @@
+import { IOidcDiscoveryController } from '../typings';
+export declare class OidcDiscoveryController implements IOidcDiscoveryController {
+    private opts;
+    constructor({ opts }: {
+        opts: any;
+    });
+    openidConfig(): {
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        jwks_uri: string;
+        response_types_supported: string[];
+        subject_types_supported: string[];
+        id_token_signing_alg_values_supported: string[];
+        grant_types_supported: string[];
+        code_challenge_methods_supported: string[];
+    };
+    jwks(): Promise<{
+        keys: {
+            kid: string;
+            alg: string;
+            use: string;
+            crv?: string | undefined;
+            d?: string | undefined;
+            dp?: string | undefined;
+            dq?: string | undefined;
+            e?: string | undefined;
+            ext?: boolean | undefined;
+            k?: string | undefined;
+            key_ops?: string[] | undefined;
+            kty?: string | undefined;
+            n?: string | undefined;
+            oth?: {
+                d?: string | undefined;
+                r?: string | undefined;
+                t?: string | undefined;
+            }[] | undefined;
+            p?: string | undefined;
+            q?: string | undefined;
+            qi?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+        }[];
+    }>;
+}

package/dist/controller/oidc-discovery.js

@@ -0,0 +1,49 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcDiscoveryController = void 0;
+const error_1 = require("./error");
+const utils_1 = require("./utils");
+class OidcDiscoveryController {
+    constructor({ opts }) {
+        this.opts = opts;
+    }
+    openidConfig() {
+        return {
+            issuer: this.opts.samlAudience,
+            authorization_endpoint: `${this.opts.externalUrl}/api/oauth/authorize`,
+            token_endpoint: `${this.opts.externalUrl}/api/oauth/token`,
+            userinfo_endpoint: `${this.opts.externalUrl}/api/oauth/userinfo`,
+            jwks_uri: `${this.opts.externalUrl}/oauth/jwks`,
+            response_types_supported: ['code'],
+            subject_types_supported: ['public'],
+            id_token_signing_alg_values_supported: ['RS256'],
+            grant_types_supported: ['authorization_code'],
+            code_challenge_methods_supported: ['plain', 'S256'],
+        };
+    }
+    jwks() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { jwtSigningKeys, jwsAlg } = this.opts.openid;
+            if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
+                throw new error_1.JacksonError('JWT signing keys are not loaded', 501);
+            }
+            const importedPublicKey = yield (0, utils_1.importJWTPublicKey)(jwtSigningKeys.public, jwsAlg);
+            const publicKeyJWK = yield (0, utils_1.exportPublicKeyJWK)(importedPublicKey);
+            const jwkThumbprint = yield (0, utils_1.generateJwkThumbprint)(publicKeyJWK);
+            const jwks = {
+                keys: [Object.assign(Object.assign({}, publicKeyJWK), { kid: jwkThumbprint, alg: jwsAlg, use: 'sig' })],
+            };
+            return jwks;
+        });
+    }
+}
+exports.OidcDiscoveryController = OidcDiscoveryController;

package/dist/controller/utils.d.ts

@@ -1,4 +1,5 @@
 import type { OAuthErrorHandlerParams } from '../typings';
+import * as jose from 'jose';
 export declare enum IndexNames {
     EntityID = "entityID",
     TenantProduct = "tenantProduct"
@@ -7,3 +8,11 @@ export declare const relayStatePrefix = "boxyhq_jackson_";
 export declare const validateAbsoluteUrl: (url: any, message: any) => void;
 export declare const OAuthErrorResponse: ({ error, error_description, redirect_uri, state, }: OAuthErrorHandlerParams) => string;
 export declare function getErrorMessage(error: unknown): string;
+export declare function loadJWSPrivateKey(key: string, alg: string): Promise<jose.KeyLike>;
+export declare function isJWSKeyPairLoaded(jwsKeyPair: {
+    private: string;
+    public: string;
+}): boolean;
+export declare const importJWTPublicKey: (key: string, jwsAlg: string) => Promise<jose.KeyLike>;
+export declare const exportPublicKeyJWK: (key: jose.KeyLike) => Promise<jose.JWK>;
+export declare const generateJwkThumbprint: (jwk: jose.JWK) => Promise<string>;

package/dist/controller/utils.js

@@ -22,10 +22,20 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.IndexNames = void 0;
+exports.generateJwkThumbprint = exports.exportPublicKeyJWK = exports.importJWTPublicKey = exports.isJWSKeyPairLoaded = exports.loadJWSPrivateKey = exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.IndexNames = void 0;
 const error_1 = require("./error");
 const redirect = __importStar(require("./oauth/redirect"));
+const jose = __importStar(require("jose"));
 var IndexNames;
 (function (IndexNames) {
     IndexNames["EntityID"] = "entityID";
@@ -47,8 +57,40 @@ const OAuthErrorResponse = ({ error, error_description, redirect_uri, state, })
 exports.OAuthErrorResponse = OAuthErrorResponse;
 // https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
 function getErrorMessage(error) {
-    if (error instanceof Error)
+    if (error instanceof Error) {
         return error.message;
+    }
     return String(error);
 }
 exports.getErrorMessage = getErrorMessage;
+function loadJWSPrivateKey(key, alg) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const pkcs8 = Buffer.from(key, 'base64').toString('ascii');
+        const privateKey = yield jose.importPKCS8(pkcs8, alg);
+        return privateKey;
+    });
+}
+exports.loadJWSPrivateKey = loadJWSPrivateKey;
+function isJWSKeyPairLoaded(jwsKeyPair) {
+    if (!jwsKeyPair.private || !jwsKeyPair.public) {
+        return false;
+    }
+    return true;
+}
+exports.isJWSKeyPairLoaded = isJWSKeyPairLoaded;
+const importJWTPublicKey = (key, jwsAlg) => __awaiter(void 0, void 0, void 0, function* () {
+    const spki = Buffer.from(key, 'base64').toString('ascii');
+    const publicKey = yield jose.importSPKI(spki, jwsAlg);
+    return publicKey;
+});
+exports.importJWTPublicKey = importJWTPublicKey;
+const exportPublicKeyJWK = (key) => __awaiter(void 0, void 0, void 0, function* () {
+    const publicJWK = yield jose.exportJWK(key);
+    return publicJWK;
+});
+exports.exportPublicKeyJWK = exportPublicKeyJWK;
+const generateJwkThumbprint = (jwk) => __awaiter(void 0, void 0, void 0, function* () {
+    const thumbprint = yield jose.calculateJwkThumbprint(jwk);
+    return thumbprint;
+});
+exports.generateJwkThumbprint = generateJwkThumbprint;

package/dist/db/db.js

@@ -41,6 +41,12 @@ const mongo_1 = __importDefault(require("./mongo"));
 const redis_1 = __importDefault(require("./redis"));
 const sql_1 = __importDefault(require("./sql/sql"));
 const store_1 = __importDefault(require("./store"));
+const JacksonStore_1 = require("./sql/entity/JacksonStore");
+const JacksonIndex_1 = require("./sql/entity/JacksonIndex");
+const JacksonTTL_1 = require("./sql/entity/JacksonTTL");
+const JacksonStore_2 = require("./planetscale/entity/JacksonStore");
+const JacksonIndex_2 = require("./planetscale/entity/JacksonIndex");
+const JacksonTTL_2 = require("./planetscale/entity/JacksonTTL");
 const decrypt = (res, encryptionKey) => {
     if (res.iv && res.tag) {
         return JSON.parse(encrypter.decrypt(res.value, res.iv, res.tag, encryptionKey));
@@ -107,7 +113,17 @@ exports.default = {
             case 'redis':
                 return new DB(yield redis_1.default.new(options), encryptionKey);
             case 'sql':
-                return new DB(yield sql_1.default.new(options), encryptionKey);
+                return new DB(yield sql_1.default.new(options, {
+                    JacksonStore: JacksonStore_1.JacksonStore,
+                    JacksonIndex: JacksonIndex_1.JacksonIndex,
+                    JacksonTTL: JacksonTTL_1.JacksonTTL,
+                }), encryptionKey);
+            case 'planetscale':
+                return new DB(yield sql_1.default.new(options, {
+                    JacksonStore: JacksonStore_2.JacksonStore,
+                    JacksonIndex: JacksonIndex_2.JacksonIndex,
+                    JacksonTTL: JacksonTTL_2.JacksonTTL,
+                }), encryptionKey);
             case 'mongo':
                 return new DB(yield mongo_1.default.new(options), encryptionKey);
             case 'mem':

package/dist/db/mongo.js

@@ -67,8 +67,9 @@ class Mongo {
             const docs = yield this.collection
                 .find({ _id: _namespaceMatch }, { sort: { createdAt: -1 }, skip: offset, limit: limit })
                 .toArray();
-            if (docs)
+            if (docs) {
                 return docs.map(({ value }) => value);
+            }
             return [];
         });
     }

package/dist/db/planetscale/entity/JacksonIndex.d.ts

@@ -0,0 +1,5 @@
+export declare class JacksonIndex {
+    id: number;
+    key: string;
+    storeKey: string;
+}

package/dist/db/planetscale/entity/JacksonIndex.js

@@ -0,0 +1,34 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonIndex = void 0;
+const typeorm_1 = require("typeorm");
+let JacksonIndex = class JacksonIndex {
+};
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)()
+], JacksonIndex.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Index)('_jackson_index_key'),
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 250,
+    })
+], JacksonIndex.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Index)('_jackson_index_store'),
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 250,
+    })
+], JacksonIndex.prototype, "storeKey", void 0);
+JacksonIndex = __decorate([
+    (0, typeorm_1.Index)('_jackson_index_key_store', ['key', 'storeKey']),
+    (0, typeorm_1.Entity)()
+], JacksonIndex);
+exports.JacksonIndex = JacksonIndex;

package/dist/db/planetscale/entity/JacksonStore.d.ts

@@ -0,0 +1,8 @@
+export declare class JacksonStore {
+    key: string;
+    value: string;
+    iv?: string;
+    tag?: string;
+    createdAt?: Date;
+    modifiedAt?: string;
+}

package/dist/db/planetscale/entity/JacksonStore.js

@@ -0,0 +1,55 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonStore = void 0;
+const typeorm_1 = require("typeorm");
+let JacksonStore = class JacksonStore {
+};
+__decorate([
+    (0, typeorm_1.Column)({
+        primary: true,
+        type: 'varchar',
+        length: 250,
+    })
+], JacksonStore.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'text',
+    })
+], JacksonStore.prototype, "value", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 64,
+        nullable: true,
+    })
+], JacksonStore.prototype, "iv", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 64,
+        nullable: true,
+    })
+], JacksonStore.prototype, "tag", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'timestamp',
+        default: () => 'CURRENT_TIMESTAMP',
+        nullable: false,
+    })
+], JacksonStore.prototype, "createdAt", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'timestamp',
+        nullable: true,
+    })
+], JacksonStore.prototype, "modifiedAt", void 0);
+JacksonStore = __decorate([
+    (0, typeorm_1.Entity)()
+], JacksonStore);
+exports.JacksonStore = JacksonStore;

package/dist/db/planetscale/entity/JacksonTTL.d.ts

@@ -0,0 +1,4 @@
+export declare class JacksonTTL {
+    key: string;
+    expiresAt: number;
+}

package/dist/db/planetscale/entity/JacksonTTL.js

@@ -0,0 +1,29 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonTTL = void 0;
+const typeorm_1 = require("typeorm");
+let JacksonTTL = class JacksonTTL {
+};
+__decorate([
+    (0, typeorm_1.Column)({
+        primary: true,
+        type: 'varchar',
+        length: 250,
+    })
+], JacksonTTL.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Index)('_jackson_ttl_expires_at'),
+    (0, typeorm_1.Column)({
+        type: 'bigint',
+    })
+], JacksonTTL.prototype, "expiresAt", void 0);
+JacksonTTL = __decorate([
+    (0, typeorm_1.Entity)()
+], JacksonTTL);
+exports.JacksonTTL = JacksonTTL;

package/dist/db/sql/sql.d.ts

@@ -7,8 +7,15 @@ declare class Sql implements DatabaseDriver {
     private ttlRepository;
     private ttlCleanup;
     private timerId;
+    private JacksonStore;
+    private JacksonIndex;
+    private JacksonTTL;
     constructor(options: DatabaseOption);
-    init(): Promise<Sql>;
+    init({ JacksonStore, JacksonIndex, JacksonTTL }: {
+        JacksonStore: any;
+        JacksonIndex: any;
+        JacksonTTL: any;
+    }): Promise<Sql>;
     get(namespace: string, key: string): Promise<any>;
     getAll(namespace: string, pageOffset: number, pageLimit: number): Promise<unknown[]>;
     getByIndex(namespace: string, idx: Index): Promise<any>;
@@ -16,6 +23,6 @@ declare class Sql implements DatabaseDriver {
     delete(namespace: string, key: string): Promise<any>;
 }
 declare const _default: {
-    new: (options: DatabaseOption) => Promise<Sql>;
+    new: (options: DatabaseOption, entities: any) => Promise<Sql>;
 };
 export default _default;

package/dist/db/sql/sql.js

@@ -36,38 +36,39 @@ Object.defineProperty(exports, "__esModule", { value: true });
 require('reflect-metadata');
 const typeorm_1 = require("typeorm");
 const dbutils = __importStar(require("../utils"));
-const JacksonStore_1 = require("./entity/JacksonStore");
-const JacksonIndex_1 = require("./entity/JacksonIndex");
-const JacksonTTL_1 = require("./entity/JacksonTTL");
 class Sql {
     constructor(options) {
         this.options = options;
     }
-    init() {
+    init({ JacksonStore, JacksonIndex, JacksonTTL }) {
         return __awaiter(this, void 0, void 0, function* () {
+            const sqlType = this.options.engine === 'planetscale' ? 'mysql' : this.options.type;
             while (true) {
                 try {
                     this.dataSource = new typeorm_1.DataSource({
-                        // name: this.options.type! + Math.floor(Math.random() * 100000),
-                        type: this.options.type,
+                        type: sqlType,
                         url: this.options.url,
-                        synchronize: true,
+                        synchronize: this.options.engine !== 'planetscale',
                         migrationsTableName: '_jackson_migrations',
                         logging: ['error'],
-                        entities: [JacksonStore_1.JacksonStore, JacksonIndex_1.JacksonIndex, JacksonTTL_1.JacksonTTL],
+                        entities: [JacksonStore, JacksonIndex, JacksonTTL],
+                        ssl: this.options.ssl,
                     });
                     yield this.dataSource.initialize();
                     break;
                 }
                 catch (err) {
-                    console.error(`error connecting to ${this.options.type} db: ${err}`);
+                    console.error(`error connecting to engine: ${this.options.engine}, type: ${sqlType} db: ${err}`);
                     yield dbutils.sleep(1000);
                     continue;
                 }
             }
-            this.storeRepository = this.dataSource.getRepository(JacksonStore_1.JacksonStore);
-            this.indexRepository = this.dataSource.getRepository(JacksonIndex_1.JacksonIndex);
-            this.ttlRepository = this.dataSource.getRepository(JacksonTTL_1.JacksonTTL);
+            this.JacksonStore = JacksonStore;
+            this.JacksonIndex = JacksonIndex;
+            this.JacksonTTL = JacksonTTL;
+            this.storeRepository = this.dataSource.getRepository(JacksonStore);
+            this.indexRepository = this.dataSource.getRepository(JacksonIndex);
+            this.ttlRepository = this.dataSource.getRepository(JacksonTTL);
             if (this.options.ttl && this.options.cleanupLimit) {
                 this.ttlCleanup = () => __awaiter(this, void 0, void 0, function* () {
                     const now = Date.now();
@@ -121,15 +122,11 @@ class Sql {
                 select: ['value', 'iv', 'tag'],
                 order: {
                     ['createdAt']: 'DESC',
-                    // ['createdAt']: 'ASC',
                 },
                 take: offsetAndLimitValueCheck ? this.options.pageLimit : pageLimit,
                 skip: offsetAndLimitValueCheck ? 0 : pageOffset,
             });
-            const returnValue = JSON.parse(JSON.stringify(response));
-            if (returnValue)
-                return returnValue;
-            return [];
+            return JSON.parse(JSON.stringify(response)) || [];
         });
     }
     getByIndex(namespace, idx) {
@@ -139,13 +136,19 @@ class Sql {
             });
             const ret = [];
             if (res) {
-                res.forEach((r) => {
+                for (const r of res) {
+                    let value = r.store;
+                    if (this.options.engine === 'planetscale') {
+                        value = yield this.storeRepository.findOneBy({
+                            key: r.storeKey,
+                        });
+                    }
                     ret.push({
-                        value: r.store.value,
-                        iv: r.store.iv,
-                        tag: r.store.tag,
+                        value: value.value,
+                        iv: value.iv,
+                        tag: value.tag,
                     });
-                });
+                }
             }
             return ret;
         });
@@ -154,7 +157,7 @@ class Sql {
         return __awaiter(this, void 0, void 0, function* () {
             yield this.dataSource.transaction((transactionalEntityManager) => __awaiter(this, void 0, void 0, function* () {
                 const dbKey = dbutils.key(namespace, key);
-                const store = new JacksonStore_1.JacksonStore();
+                const store = new this.JacksonStore();
                 store.key = dbKey;
                 store.value = val.value;
                 store.iv = val.iv;
@@ -162,7 +165,7 @@ class Sql {
                 store.modifiedAt = new Date().toISOString();
                 yield transactionalEntityManager.save(store);
                 if (ttl) {
-                    const ttlRec = new JacksonTTL_1.JacksonTTL();
+                    const ttlRec = new this.JacksonTTL();
                     ttlRec.key = dbKey;
                     ttlRec.expiresAt = Date.now() + ttl * 1000;
                     yield transactionalEntityManager.save(ttlRec);
@@ -175,9 +178,14 @@ class Sql {
                         storeKey: store.key,
                     });
                     if (!rec) {
-                        const ji = new JacksonIndex_1.JacksonIndex();
+                        const ji = new this.JacksonIndex();
                         ji.key = key;
-                        ji.store = store;
+                        if (this.options.engine === 'planetscale') {
+                            ji.storeKey = store.key;
+                        }
+                        else {
+                            ji.store = store;
+                        }
                         yield transactionalEntityManager.save(ji);
                     }
                 }
@@ -188,6 +196,18 @@ class Sql {
         return __awaiter(this, void 0, void 0, function* () {
             const dbKey = dbutils.key(namespace, key);
             yield this.ttlRepository.remove({ key: dbKey });
+            if (this.options.engine === 'planetscale') {
+                const response = yield this.indexRepository.find({
+                    where: { storeKey: dbKey },
+                    select: ['id'],
+                });
+                const returnValue = response || [];
+                for (const r of returnValue) {
+                    yield this.indexRepository.remove({
+                        id: r.id,
+                    });
+                }
+            }
             return yield this.storeRepository.remove({
                 key: dbKey,
             });
@@ -195,7 +215,7 @@ class Sql {
     }
 }
 exports.default = {
-    new: (options) => __awaiter(void 0, void 0, void 0, function* () {
-        return yield new Sql(options).init();
+    new: (options, entities) => __awaiter(void 0, void 0, void 0, function* () {
+        return yield new Sql(options).init(entities);
     }),
 };

package/dist/index.d.ts

@@ -3,6 +3,7 @@ import { APIController } from './controller/api';
 import { OAuthController } from './controller/oauth';
 import { HealthCheckController } from './controller/health-check';
 import { LogoutController } from './controller/logout';
+import { OidcDiscoveryController } from './controller/oidc-discovery';
 import { JacksonOption } from './typings';
 export declare const controllers: (opts: JacksonOption) => Promise<{
     apiController: APIController;
@@ -10,6 +11,7 @@ export declare const controllers: (opts: JacksonOption) => Promise<{
     adminController: AdminController;
     logoutController: LogoutController;
     healthCheckController: HealthCheckController;
+    oidcDiscoveryController: OidcDiscoveryController;
 }>;
 export default controllers;
 export * from './typings';

package/dist/index.js

@@ -32,6 +32,7 @@ const api_1 = require("./controller/api");
 const oauth_1 = require("./controller/oauth");
 const health_check_1 = require("./controller/health-check");
 const logout_1 = require("./controller/logout");
+const oidc_discovery_1 = require("./controller/oidc-discovery");
 const db_1 = __importDefault(require("./db/db"));
 const defaultDb_1 = __importDefault(require("./db/defaultDb"));
 const read_config_1 = __importDefault(require("./read-config"));
@@ -49,6 +50,8 @@ const defaultOpts = (opts) => {
     (0, defaultDb_1.default)(newOpts);
     newOpts.clientSecretVerifier = newOpts.clientSecretVerifier || 'dummy';
     newOpts.db.pageLimit = newOpts.db.pageLimit || 50;
+    newOpts.openid = newOpts.openid || {};
+    newOpts.openid.jwsAlg = newOpts.openid.jwsAlg || 'RS256';
     return newOpts;
 };
 const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
@@ -75,6 +78,7 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
         sessionStore,
         opts,
     });
+    const oidcDiscoveryController = new oidc_discovery_1.OidcDiscoveryController({ opts });
     // write pre-loaded config if present
     if (opts.preLoadedConfig && opts.preLoadedConfig.length > 0) {
         const configs = yield (0, read_config_1.default)(opts.preLoadedConfig);
@@ -91,6 +95,7 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
         adminController,
         logoutController,
         healthCheckController,
+        oidcDiscoveryController,
     };
 });
 exports.controllers = controllers;

package/dist/typings.d.ts

@@ -1,3 +1,4 @@
+import { type JWK } from 'jose';
 export declare type IdPConfig = {
     defaultRedirectUrl: string;
     redirectUrl: string[] | string;
@@ -44,6 +45,23 @@ export interface IHealthCheckController {
     }>;
     init(): Promise<void>;
 }
+export interface IOidcDiscoveryController {
+    openidConfig(): {
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        jwks_uri: string;
+        response_types_supported: Array<string>;
+        subject_types_supported: Array<string>;
+        id_token_signing_alg_values_supported: Array<string>;
+        grant_types_supported: Array<string>;
+        code_challenge_methods_supported: Array<string>;
+    };
+    jwks(): Promise<{
+        keys: JWK[];
+    }>;
+}
 export interface OAuthReqBody {
     response_type: 'code';
     client_id: string;
@@ -52,7 +70,9 @@ export interface OAuthReqBody {
     tenant?: string;
     product?: string;
     access_type?: string;
+    resource?: string;
     scope?: string;
+    nonce?: string;
     code_challenge: string;
     code_challenge_method: 'plain' | 'S256' | '';
     provider: 'saml';
@@ -72,11 +92,13 @@ export interface OAuthTokenReq {
 }
 export interface OAuthTokenRes {
     access_token: string;
+    id_token?: string;
     token_type: 'bearer';
     expires_in: number;
 }
 export interface Profile {
     id: string;
+    sub?: string;
     email: string;
     firstName: string;
     lastName: string;
@@ -106,7 +128,7 @@ export interface Encrypted {
     value: string;
 }
 export declare type EncryptionKey = any;
-export declare type DatabaseEngine = 'redis' | 'sql' | 'mongo' | 'mem';
+export declare type DatabaseEngine = 'redis' | 'sql' | 'mongo' | 'mem' | 'planetscale';
 export declare type DatabaseType = 'postgres' | 'mysql' | 'mariadb';
 export interface DatabaseOption {
     engine?: DatabaseEngine;
@@ -116,6 +138,7 @@ export interface DatabaseOption {
     cleanupLimit?: number;
     encryptionKey?: string;
     pageLimit?: number;
+    ssl?: any;
 }
 export interface JacksonOption {
     externalUrl: string;
@@ -126,6 +149,13 @@ export interface JacksonOption {
     db: DatabaseOption;
     clientSecretVerifier?: string;
     idpDiscoveryPath?: string;
+    openid: {
+        jwsAlg: string;
+        jwtSigningKeys?: {
+            private: string;
+            public: string;
+        };
+    };
 }
 export interface SLORequestParams {
     nameId: string;

package/migration/planetscale/1653746497237-ms_nocascade.ts

@@ -0,0 +1,22 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class msNocascade1653746497237 implements MigrationInterface {
+    name = 'msNocascade1653746497237'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`CREATE TABLE \`jackson_store\` (\`key\` varchar(250) NOT NULL, \`value\` text NOT NULL, \`iv\` varchar(64) NULL, \`tag\` varchar(64) NULL, \`createdAt\` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, \`modifiedAt\` timestamp NULL, PRIMARY KEY (\`key\`)) ENGINE=InnoDB`);
+        await queryRunner.query(`CREATE TABLE \`jackson_ttl\` (\`key\` varchar(250) NOT NULL, \`expiresAt\` bigint NOT NULL, INDEX \`_jackson_ttl_expires_at\` (\`expiresAt\`), PRIMARY KEY (\`key\`)) ENGINE=InnoDB`);
+        await queryRunner.query(`CREATE TABLE \`jackson_index\` (\`id\` int NOT NULL AUTO_INCREMENT, \`key\` varchar(250) NOT NULL, \`storeKey\` varchar(250) NOT NULL, INDEX \`_jackson_index_key\` (\`key\`), INDEX \`_jackson_index_store\` (\`storeKey\`), INDEX \`_jackson_index_key_store\` (\`key\`, \`storeKey\`), PRIMARY KEY (\`id\`)) ENGINE=InnoDB`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`DROP INDEX \`_jackson_index_key_store\` ON \`jackson_index\``);
+        await queryRunner.query(`DROP INDEX \`_jackson_index_store\` ON \`jackson_index\``);
+        await queryRunner.query(`DROP INDEX \`_jackson_index_key\` ON \`jackson_index\``);
+        await queryRunner.query(`DROP TABLE \`jackson_index\``);
+        await queryRunner.query(`DROP INDEX \`_jackson_ttl_expires_at\` ON \`jackson_ttl\``);
+        await queryRunner.query(`DROP TABLE \`jackson_ttl\``);
+        await queryRunner.query(`DROP TABLE \`jackson_store\``);
+    }
+
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "1.0.6",
+  "version": "1.1.1",
   "description": "SAML Jackson library",
   "keywords": [
     "SAML 2.0"
@@ -20,9 +20,11 @@
     "build": "tsc -p tsconfig.build.json",
     "db:migration:generate:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts  migration/postgres/pg_${MIGRATION_NAME}",
     "db:migration:generate:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mysql/ms_${MIGRATION_NAME}",
+    "db:migration:generate:planetscale": "cross-env DB_ENGINE=planetscale DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mysql/ms_${MIGRATION_NAME}",
     "db:migration:generate:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mariadb/md_${MIGRATION_NAME}",
     "db:migration:run:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "db:migration:run:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
+    "db:migration:run:planetscale": "cross-env DB_SSL=true DB_ENGINE=planetscale DB_URL=${PLANETSCALE_URL} ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "db:migration:run:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "prepublishOnly": "npm run build",
     "test": "tap --ts --timeout=100 --coverage test/**/*.test.ts",
@@ -36,12 +38,13 @@
     "statements": 70
   },
   "dependencies": {
-    "@boxyhq/saml20": "1.0.3",
+    "@boxyhq/saml20": "1.0.4",
     "@opentelemetry/api-metrics": "0.27.0",
     "@opentelemetry/api": "1.0.4",
     "@peculiar/webcrypto": "1.4.0",
-    "@peculiar/x509": "1.7.2",
-    "mongodb": "4.7.0",
+    "@peculiar/x509": "1.8.0",
+    "jose": "4.8.3",
+    "mongodb": "4.8.0",
     "mysql2": "2.3.3",
     "pg": "8.7.3",
     "redis": "4.0.6",
@@ -52,18 +55,18 @@
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
-    "@types/node": "18.0.3",
-    "@types/sinon": "10.0.12",
+    "@types/node": "18.6.1",
+    "@types/sinon": "10.0.13",
     "@types/tap": "15.0.7",
-    "@typescript-eslint/eslint-plugin": "5.30.5",
-    "@typescript-eslint/parser": "5.30.5",
+    "@typescript-eslint/eslint-plugin": "5.30.7",
+    "@typescript-eslint/parser": "5.30.7",
     "cross-env": "7.0.3",
-    "eslint": "8.19.0",
+    "eslint": "8.20.0",
     "eslint-config-prettier": "8.5.0",
     "prettier": "2.7.1",
     "sinon": "14.0.0",
     "tap": "16.3.0",
-    "ts-node": "10.8.2",
+    "ts-node": "10.9.1",
     "tsconfig-paths": "4.0.0",
     "typescript": "4.7.4"
   },