@boxyhq/saml-jackson 1.3.0 → 1.3.1

package/dist/controller/api.d.ts

@@ -1,8 +1,10 @@
-import { GetConfigQuery, GetConnectionsQuery, DelConnectionsQuery, IConnectionAPIController, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata, OIDCSSOConnection } from '../typings';
+import { GetConfigQuery, GetConnectionsQuery, DelConnectionsQuery, IConnectionAPIController, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata, OIDCSSOConnection, SAMLSSORecord, OIDCSSORecord } from '../typings';
 export declare class ConnectionAPIController implements IConnectionAPIController {
     private connectionStore;
-    constructor({ connectionStore }: {
+    private opts;
+    constructor({ connectionStore, opts }: {
         connectionStore: any;
+        opts: any;
     });
     /**
      * @swagger
@@ -126,6 +128,8 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *          $ref: '#/definitions/validationErrorsPost'
      *      401:
      *        description: Unauthorized
+     *      500:
+     *        description: Please set OpenID response handler path (oidcPath) on Jackson
      * /api/v1/connections:
      *   post:
      *     summary: Create SSO connection
@@ -158,9 +162,9 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *       401:
      *         description: Unauthorized
      */
-    createSAMLConnection(body: SAMLSSOConnectionWithEncodedMetadata | SAMLSSOConnectionWithRawMetadata): Promise<any>;
-    config(...args: Parameters<ConnectionAPIController['createSAMLConnection']>): Promise<any>;
-    createOIDCConnection(body: OIDCSSOConnection): Promise<any>;
+    createSAMLConnection(body: SAMLSSOConnectionWithEncodedMetadata | SAMLSSOConnectionWithRawMetadata): Promise<SAMLSSORecord>;
+    config(...args: Parameters<ConnectionAPIController['createSAMLConnection']>): Promise<SAMLSSORecord>;
+    createOIDCConnection(body: OIDCSSOConnection): Promise<OIDCSSORecord>;
     /**
      * @swagger
      * definitions:
@@ -292,12 +296,14 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *         $ref: '#/definitions/validationErrorsPatch'
      *       401:
      *         description: Unauthorized
+     *       500:
+     *         description: Please set OpenID response handler path (oidcPath) on Jackson
      */
     updateSAMLConnection(body: (SAMLSSOConnectionWithEncodedMetadata | SAMLSSOConnectionWithRawMetadata) & {
         clientID: string;
         clientSecret: string;
     }): Promise<void>;
-    updateConfig(...args: Parameters<ConnectionAPIController['updateSAMLConnection']>): Promise<any>;
+    updateConfig(...args: Parameters<ConnectionAPIController['updateSAMLConnection']>): Promise<void>;
     updateOIDCConnection(body: OIDCSSOConnection & {
         clientID: string;
         clientSecret: string;
@@ -320,6 +326,11 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *     name: clientID
      *     type: string
      *     description: Client ID
+     *  strategyParamGet:
+     *     in: query
+     *     name: strategy
+     *     type: string
+     *     description: Strategy which can help to filter connections with tenant/product query
      * definitions:
      *   Connection:
      *      type: object
@@ -375,6 +386,7 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *       - $ref: '#/parameters/tenantParamGet'
      *       - $ref: '#/parameters/productParamGet'
      *       - $ref: '#/parameters/clientIDParamGet'
+     *       - $ref: '#/parameters/strategyParamGet'
      *     operationId: get-connections
      *     tags: [Connections]
      *     responses:
@@ -385,7 +397,7 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *      '401':
      *        $ref: '#/responses/401Get'
      */
-    getConnections(body: GetConnectionsQuery): Promise<Array<any>>;
+    getConnections(body: GetConnectionsQuery): Promise<Array<SAMLSSORecord | OIDCSSORecord>>;
     /**
      * @swagger
      * /api/v1/saml/config:
@@ -433,7 +445,7 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *      '401':
      *        $ref: '#/responses/401Get'
      */
-    getConfig(body: GetConfigQuery): Promise<any>;
+    getConfig(body: GetConfigQuery): Promise<SAMLSSORecord | Record<string, never>>;
     /**
      * @swagger
      * parameters:
@@ -461,7 +473,7 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *     name: strategy
      *     in: formData
      *     type: string
-     *     description: Strategy
+     *     description: Strategy which can help to filter connections with tenant/product query
      * /api/v1/connections:
      *   delete:
      *     parameters:

package/dist/controller/api.js

@@ -43,8 +43,9 @@ const utils_1 = require("./utils");
 const oidc_1 = __importDefault(require("./connection/oidc"));
 const saml_1 = __importDefault(require("./connection/saml"));
 class ConnectionAPIController {
-    constructor({ connectionStore }) {
+    constructor({ connectionStore, opts }) {
         this.connectionStore = connectionStore;
+        this.opts = opts;
     }
     /**
      * @swagger
@@ -168,6 +169,8 @@ class ConnectionAPIController {
      *          $ref: '#/definitions/validationErrorsPost'
      *      401:
      *        description: Unauthorized
+     *      500:
+     *        description: Please set OpenID response handler path (oidcPath) on Jackson
      * /api/v1/connections:
      *   post:
      *     summary: Create SSO connection
@@ -203,8 +206,7 @@ class ConnectionAPIController {
     createSAMLConnection(body) {
         return __awaiter(this, void 0, void 0, function* () {
             metrics.increment('createConnection');
-            const record = yield saml_1.default.create(body, this.connectionStore);
-            return record;
+            return yield saml_1.default.create(body, this.connectionStore);
         });
     }
     // For backwards compatibility
@@ -216,8 +218,10 @@ class ConnectionAPIController {
     createOIDCConnection(body) {
         return __awaiter(this, void 0, void 0, function* () {
             metrics.increment('createConnection');
-            const record = yield oidc_1.default.create(body, this.connectionStore);
-            return record;
+            if (!this.opts.oidcPath) {
+                throw new error_1.JacksonError('Please set OpenID response handler path (oidcPath) on Jackson', 500);
+            }
+            return yield oidc_1.default.create(body, this.connectionStore);
         });
     }
     /**
@@ -351,6 +355,8 @@ class ConnectionAPIController {
      *         $ref: '#/definitions/validationErrorsPatch'
      *       401:
      *         description: Unauthorized
+     *       500:
+     *         description: Please set OpenID response handler path (oidcPath) on Jackson
      */
     updateSAMLConnection(body) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -365,6 +371,9 @@ class ConnectionAPIController {
     }
     updateOIDCConnection(body) {
         return __awaiter(this, void 0, void 0, function* () {
+            if (!this.opts.oidcPath) {
+                throw new error_1.JacksonError('Please set OpenID response handler path (oidcPath) on Jackson', 500);
+            }
             yield oidc_1.default.update(body, this.connectionStore, this.getConnections.bind(this));
         });
     }
@@ -386,6 +395,11 @@ class ConnectionAPIController {
      *     name: clientID
      *     type: string
      *     description: Client ID
+     *  strategyParamGet:
+     *     in: query
+     *     name: strategy
+     *     type: string
+     *     description: Strategy which can help to filter connections with tenant/product query
      * definitions:
      *   Connection:
      *      type: object
@@ -441,6 +455,7 @@ class ConnectionAPIController {
      *       - $ref: '#/parameters/tenantParamGet'
      *       - $ref: '#/parameters/productParamGet'
      *       - $ref: '#/parameters/clientIDParamGet'
+     *       - $ref: '#/parameters/strategyParamGet'
      *     operationId: get-connections
      *     tags: [Connections]
      *     responses:
@@ -594,7 +609,7 @@ class ConnectionAPIController {
      *     name: strategy
      *     in: formData
      *     type: string
-     *     description: Strategy
+     *     description: Strategy which can help to filter connections with tenant/product query
      * /api/v1/connections:
      *   delete:
      *     parameters:

package/dist/controller/connection/oidc.d.ts

@@ -1,15 +1,6 @@
-import { IConnectionAPIController, OIDCSSOConnection, Storable } from '../../typings';
+import { IConnectionAPIController, OIDCSSOConnection, OIDCSSORecord, Storable } from '../../typings';
 declare const oidc: {
-    create: (body: OIDCSSOConnection, connectionStore: Storable) => Promise<Partial<OIDCSSOConnection> & {
-        clientID: string;
-        clientSecret: string;
-        oidcProvider?: {
-            provider?: string | undefined;
-            discoveryUrl?: string | undefined;
-            clientId?: string | undefined;
-            clientSecret?: string | undefined;
-        } | undefined;
-    }>;
+    create: (body: OIDCSSOConnection, connectionStore: Storable) => Promise<OIDCSSORecord>;
     update: (body: OIDCSSOConnection & {
         clientID: string;
         clientSecret: string;

package/dist/controller/connection/saml.d.ts

@@ -1,11 +1,6 @@
-import { IConnectionAPIController, SAMLSSOConnection, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata, Storable } from '../../typings';
+import { IConnectionAPIController, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata, SAMLSSORecord, Storable } from '../../typings';
 declare const saml: {
-    create: (body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata, connectionStore: Storable) => Promise<Partial<SAMLSSOConnection> & {
-        clientID: string;
-        clientSecret: string;
-        idpMetadata?: Record<string, any> | undefined;
-        certs?: Record<"publicKey" | "privateKey", string> | undefined;
-    }>;
+    create: (body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata, connectionStore: Storable) => Promise<SAMLSSORecord>;
     update: (body: (SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata) & {
         clientID: string;
         clientSecret: string;

package/dist/controller/connection/saml.js

@@ -75,17 +75,20 @@ const saml = {
         if (encodedRawMetadata) {
             metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
         }
-        const idpMetadata = yield saml20_1.default.parseMetadata(metaData, {});
+        const idpMetadata = (yield saml20_1.default.parseMetadata(metaData, {}));
+        if (!idpMetadata.entityID) {
+            throw new error_1.JacksonError("Couldn't parse EntityID from SAML metadata", 400);
+        }
         // extract provider
         let providerName = (0, utils_1.extractHostName)(idpMetadata.entityID);
         if (!providerName) {
-            providerName = (0, utils_1.extractHostName)(idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl);
+            providerName = (0, utils_1.extractHostName)(idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl || '');
         }
         idpMetadata.provider = providerName ? providerName : 'Unknown';
         record.clientID = dbutils.keyDigest(dbutils.keyFromParts(tenant, product, idpMetadata.entityID));
         const certs = yield x509_1.default.generate();
         if (!certs) {
-            throw new Error('Error generating x509 certs');
+            throw new error_1.JacksonError('Error generating x509 certs');
         }
         record.idpMetadata = idpMetadata;
         record.certs = certs;
@@ -139,6 +142,9 @@ const saml = {
         let newMetadata;
         if (metaData) {
             newMetadata = yield saml20_1.default.parseMetadata(metaData, {});
+            if (!newMetadata.entityID) {
+                throw new error_1.JacksonError("Couldn't parse EntityID from SAML metadata", 400);
+            }
             // extract provider
             let providerName = (0, utils_1.extractHostName)(newMetadata.entityID);
             if (!providerName) {

package/dist/controller/oauth.js

@@ -139,6 +139,7 @@ class OAuthController {
         return {};
     }
     authorize(body) {
+        var _a;
         return __awaiter(this, void 0, void 0, function* () {
             const { response_type = 'code', client_id, redirect_uri, state, scope, nonce, code_challenge, code_challenge_method = '', idp_hint, prompt, } = body;
             const tenant = 'tenant' in body ? body.tenant : undefined;
@@ -251,7 +252,7 @@ class OAuthController {
                 throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
             }
             if (requestedOIDCFlow &&
-                (!this.opts.openid.jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(this.opts.openid.jwtSigningKeys))) {
+                (!((_a = this.opts.openid) === null || _a === void 0 ? void 0 : _a.jwtSigningKeys) || !(0, utils_1.isJWSKeyPairLoaded)(this.opts.openid.jwtSigningKeys))) {
                 return {
                     redirect_url: (0, utils_1.OAuthErrorResponse)({
                         error: 'server_error',
@@ -358,6 +359,16 @@ class OAuthController {
             // OIDC Connection: Issuer discovery, openid-client init and extraction of authorization endpoint happens here
             let oidcCodeVerifier;
             if (connectionIsOIDC) {
+                if (!this.opts.oidcPath) {
+                    return {
+                        redirect_url: (0, utils_1.OAuthErrorResponse)({
+                            error: 'server_error',
+                            error_description: 'OpenID response handler path (oidcPath) is not set',
+                            redirect_uri,
+                            state,
+                        }),
+                    };
+                }
                 const { discoveryUrl, clientId, clientSecret } = connection.oidcProvider;
                 try {
                     const oidcIssuer = yield openid_client_1.Issuer.discover(discoveryUrl);
@@ -784,7 +795,7 @@ class OAuthController {
      *             expires_in: 300
      */
     token(body) {
-        var _a, _b, _c, _d, _e;
+        var _a, _b, _c, _d, _e, _f;
         return __awaiter(this, void 0, void 0, function* () {
             const { code, grant_type = 'authorization_code', redirect_uri } = body;
             const client_id = 'client_id' in body ? body.client_id : undefined;
@@ -851,7 +862,7 @@ class OAuthController {
             const requestedOIDCFlow = !!((_d = codeVal.requested) === null || _d === void 0 ? void 0 : _d.oidc);
             const requestHasNonce = !!((_e = codeVal.requested) === null || _e === void 0 ? void 0 : _e.nonce);
             if (requestedOIDCFlow) {
-                const { jwtSigningKeys, jwsAlg } = this.opts.openid;
+                const { jwtSigningKeys, jwsAlg } = (_f = this.opts.openid) !== null && _f !== void 0 ? _f : {};
                 if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
                     throw new error_1.JacksonError('JWT signing keys are not loaded', 500);
                 }

package/dist/controller/oidc-discovery.js

@@ -31,8 +31,9 @@ class OidcDiscoveryController {
         };
     }
     jwks() {
+        var _a;
         return __awaiter(this, void 0, void 0, function* () {
-            const { jwtSigningKeys, jwsAlg } = this.opts.openid;
+            const { jwtSigningKeys, jwsAlg } = (_a = this.opts.openid) !== null && _a !== void 0 ? _a : {};
             if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
                 throw new error_1.JacksonError('JWT signing keys are not loaded', 501);
             }

package/dist/index.js

@@ -47,9 +47,6 @@ const defaultOpts = (opts) => {
         throw new Error('samlPath is required');
     }
     newOpts.scimPath = newOpts.scimPath || '/api/scim/v2.0';
-    if (!newOpts.oidcPath) {
-        throw new Error('oidcPath is required');
-    }
     newOpts.samlAudience = newOpts.samlAudience || 'https://saml.boxyhq.com';
     // path to folder containing static IdP connections that will be preloaded. This is useful for self-hosted deployments that only have to support a single tenant (or small number of known tenants).
     newOpts.preLoadedConnection = newOpts.preLoadedConnection || '';
@@ -70,7 +67,7 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
     const codeStore = db.store('oauth:code', opts.db.ttl);
     const tokenStore = db.store('oauth:token', opts.db.ttl);
     const healthCheckStore = db.store('_health:check');
-    const connectionAPIController = new api_1.ConnectionAPIController({ connectionStore });
+    const connectionAPIController = new api_1.ConnectionAPIController({ connectionStore, opts });
     const adminController = new admin_1.AdminController({ connectionStore });
     const healthCheckController = new health_check_1.HealthCheckController({ healthCheckStore });
     yield healthCheckController.init();

package/dist/typings.d.ts

@@ -23,6 +23,39 @@ export interface OIDCSSOConnection extends SSOConnection {
     oidcClientId: string;
     oidcClientSecret: string;
 }
+export interface SAMLSSORecord extends SAMLSSOConnection {
+    clientID: string;
+    clientSecret: string;
+    idpMetadata: {
+        entityID: string;
+        loginType?: string;
+        provider: string | 'Unknown';
+        slo: {
+            postUrl?: string;
+            redirectUrl?: string;
+        };
+        sso: {
+            postUrl?: string;
+            redirectUrl?: string;
+        };
+        thumbprint?: string;
+        validTo?: string;
+    };
+    certs: {
+        privateKey: string;
+        publicKey: string;
+    };
+}
+export interface OIDCSSORecord extends SSOConnection {
+    clientID: string;
+    clientSecret: string;
+    oidcProvider: {
+        provider?: string;
+        discoveryUrl?: string;
+        clientId?: string;
+        clientSecret?: string;
+    };
+}
 export declare type ConnectionType = 'saml' | 'oidc';
 declare type ClientIDQuery = {
     clientID: string;
@@ -41,24 +74,36 @@ export declare type DelConfigQuery = (ClientIDQuery & {
     clientSecret: string;
 }) | Omit<TenantQuery, 'strategy'>;
 export interface IConnectionAPIController {
-    config(body: SAMLSSOConnection): Promise<any>;
-    createSAMLConnection(body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata): Promise<any>;
-    createOIDCConnection(body: OIDCSSOConnection): Promise<any>;
+    /**
+     * @deprecated Use `createSAMLConnection` instead.
+     */
+    config(body: SAMLSSOConnection): Promise<SAMLSSORecord>;
+    createSAMLConnection(body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata): Promise<SAMLSSORecord>;
+    createOIDCConnection(body: OIDCSSOConnection): Promise<OIDCSSORecord>;
+    /**
+     * @deprecated Use `updateSAMLConnection` instead.
+     */
     updateConfig(body: SAMLSSOConnection & {
         clientID: string;
         clientSecret: string;
-    }): Promise<any>;
+    }): Promise<void>;
     updateSAMLConnection(body: (SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata) & {
         clientID: string;
         clientSecret: string;
-    }): Promise<any>;
+    }): Promise<void>;
     updateOIDCConnection(body: OIDCSSOConnection & {
         clientID: string;
         clientSecret: string;
-    }): Promise<any>;
-    getConnections(body: GetConnectionsQuery): Promise<Array<any>>;
-    getConfig(body: GetConfigQuery): Promise<any>;
+    }): Promise<void>;
+    getConnections(body: GetConnectionsQuery): Promise<Array<SAMLSSORecord | OIDCSSORecord>>;
+    /**
+     * @deprecated Use `getConnections` instead.
+     */
+    getConfig(body: GetConfigQuery): Promise<SAMLSSORecord | Record<string, never>>;
     deleteConnections(body: DelConnectionsQuery): Promise<void>;
+    /**
+     * @deprecated Use `deleteConnections` instead.
+     */
     deleteConfig(body: DelConfigQuery): Promise<void>;
 }
 export interface IOAuthController {
@@ -227,7 +272,7 @@ export interface DatabaseOption {
 export interface JacksonOption {
     externalUrl: string;
     samlPath: string;
-    oidcPath: string;
+    oidcPath?: string;
     samlAudience?: string;
     preLoadedConfig?: string;
     preLoadedConnection?: string;
@@ -236,7 +281,7 @@ export interface JacksonOption {
     clientSecretVerifier?: string;
     idpDiscoveryPath?: string;
     scimPath?: string;
-    openid: {
+    openid?: {
         jwsAlg?: string;
         jwtSigningKeys?: {
             private: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "SAML Jackson library",
   "keywords": [
     "SAML 2.0"
@@ -41,12 +41,12 @@
     "@boxyhq/saml20": "1.0.7",
     "@opentelemetry/api": "1.0.4",
     "@opentelemetry/api-metrics": "0.27.0",
-    "axios": "^0.27.2",
-    "jose": "4.9.3",
-    "marked": "4.1.0",
+    "axios": "1.1.2",
+    "jose": "4.10.0",
+    "marked": "4.1.1",
     "mongodb": "4.10.0",
     "mysql2": "2.3.3",
-    "openid-client": "5.1.9",
+    "openid-client": "5.1.10",
     "node-forge": "1.3.1",
     "pg": "8.8.0",
     "redis": "4.3.1",
@@ -58,20 +58,20 @@
   },
   "devDependencies": {
     "@faker-js/faker": "7.5.0",
-    "@types/node": "18.7.23",
+    "@types/node": "18.8.3",
     "@types/sinon": "10.0.13",
     "@types/tap": "15.0.7",
-    "@typescript-eslint/eslint-plugin": "5.38.1",
+    "@typescript-eslint/eslint-plugin": "5.40.0",
     "@typescript-eslint/parser": "5.38.1",
     "cross-env": "7.0.3",
-    "eslint": "8.24.0",
+    "eslint": "8.25.0",
     "eslint-config-prettier": "8.5.0",
     "prettier": "2.7.1",
-    "sinon": "14.0.0",
+    "sinon": "14.0.1",
     "tap": "16.3.0",
     "ts-node": "10.9.1",
     "tsconfig-paths": "4.1.0",
-    "typescript": "4.8.3"
+    "typescript": "4.8.4"
   },
   "engines": {
     "node": ">=14.18.1 <=16.x"