@boxyhq/saml-jackson 1.3.4 → 1.3.6

package/dist/controller/api.d.ts

@@ -31,10 +31,6 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *            "description": "SP for hoppscotch.io",
      *            "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
      *            "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
-     *            "certs": {
-     *              "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
-     *              "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
-     *            }
      *          }
      *    validationErrorsPost:
      *      description: Please provide rawMetadata or encodedRawMetadata | Please provide a defaultRedirectUrl | Please provide redirectUrl | redirectUrl is invalid | Exceeded maximum number of allowed redirect urls | defaultRedirectUrl is invalid | Please provide tenant | Please provide product | Please provide a friendly name | Description should not exceed 100 characters | Strategy: xxxx not supported | Please provide the clientId from OpenID Provider | Please provide the clientSecret from OpenID Provider | Please provide the discoveryUrl for the OpenID Provider
@@ -362,9 +358,6 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *        idpMetadata:
      *          type: object
      *          description: SAML IdP metadata
-     *        certs:
-     *          type: object
-     *          description: Certs generated for SAML connection
      *        oidcProvider:
      *          type: object
      *          description: OIDC IdP metadata
@@ -435,10 +428,6 @@ export declare class ConnectionAPIController implements IConnectionAPIController
      *                "description": "SP for hoppscotch.io",
      *                "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
      *                "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
-     *                "certs": {
-     *                  "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
-     *                  "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
-     *                }
      *            }
      *      '400':
      *        $ref: '#/responses/400Get'

package/dist/controller/api.js

@@ -72,10 +72,6 @@ class ConnectionAPIController {
      *            "description": "SP for hoppscotch.io",
      *            "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
      *            "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
-     *            "certs": {
-     *              "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
-     *              "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
-     *            }
      *          }
      *    validationErrorsPost:
      *      description: Please provide rawMetadata or encodedRawMetadata | Please provide a defaultRedirectUrl | Please provide redirectUrl | redirectUrl is invalid | Exceeded maximum number of allowed redirect urls | defaultRedirectUrl is invalid | Please provide tenant | Please provide product | Please provide a friendly name | Description should not exceed 100 characters | Strategy: xxxx not supported | Please provide the clientId from OpenID Provider | Please provide the clientSecret from OpenID Provider | Please provide the discoveryUrl for the OpenID Provider
@@ -431,9 +427,6 @@ class ConnectionAPIController {
      *        idpMetadata:
      *          type: object
      *          description: SAML IdP metadata
-     *        certs:
-     *          type: object
-     *          description: Certs generated for SAML connection
      *        oidcProvider:
      *          type: object
      *          description: OIDC IdP metadata
@@ -549,10 +542,6 @@ class ConnectionAPIController {
      *                "description": "SP for hoppscotch.io",
      *                "clientID": "Xq8AJt3yYAxmXizsCWmUBDRiVP1iTC8Y/otnvFIMitk",
      *                "clientSecret": "00e3e11a3426f97d8000000738300009130cd45419c5943",
-     *                "certs": {
-     *                  "publicKey": "-----BEGIN CERTIFICATE-----.......-----END CERTIFICATE-----",
-     *                  "privateKey": "-----BEGIN PRIVATE KEY-----......-----END PRIVATE KEY-----"
-     *                }
      *            }
      *      '400':
      *        $ref: '#/responses/400Get'

package/dist/controller/connection/saml.js

@@ -50,7 +50,6 @@ const crypto_1 = __importDefault(require("crypto"));
 const dbutils = __importStar(require("../../db/utils"));
 const utils_1 = require("../utils");
 const saml20_1 = __importDefault(require("@boxyhq/saml20"));
-const x509_1 = __importDefault(require("../../saml/x509"));
 const error_1 = require("../error");
 const saml = {
     create: (body, connectionStore) => __awaiter(void 0, void 0, void 0, function* () {
@@ -86,12 +85,7 @@ const saml = {
         }
         idpMetadata.provider = providerName ? providerName : 'Unknown';
         record.clientID = dbutils.keyDigest(dbutils.keyFromParts(tenant, product, idpMetadata.entityID));
-        const certs = yield x509_1.default.generate();
-        if (!certs) {
-            throw new error_1.JacksonError('Error generating x509 certs');
-        }
         record.idpMetadata = idpMetadata;
-        record.certs = certs;
         const exists = yield connectionStore.get(record.clientID);
         if (exists) {
             connectionClientSecret = exists.clientSecret;

package/dist/controller/logout.js

@@ -46,6 +46,7 @@ const saml20_1 = __importDefault(require("@boxyhq/saml20"));
 const error_1 = require("./error");
 const redirect = __importStar(require("./oauth/redirect"));
 const utils_1 = require("./utils");
+const x509_1 = require("../saml/x509");
 const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
 const relayStatePrefix = 'boxyhq_jackson_';
 const logoutXPath = "/*[local-name(.)='LogoutRequest']";
@@ -72,7 +73,8 @@ class LogoutController {
             if (!samlConnection) {
                 throw new error_1.JacksonError('SAML connection not found.', 403);
             }
-            const { idpMetadata: { slo, provider }, certs: { privateKey, publicKey }, } = samlConnection;
+            const { idpMetadata: { slo, provider }, } = samlConnection;
+            const { privateKey, publicKey } = yield (0, x509_1.getDefaultCertificate)();
             if ('redirectUrl' in slo === false && 'postUrl' in slo === false) {
                 throw new error_1.JacksonError(`${provider} doesn't support SLO or disabled by IdP.`, 400);
             }

package/dist/controller/oauth.js

@@ -50,7 +50,7 @@ const allowed = __importStar(require("./oauth/allowed"));
 const codeVerifier = __importStar(require("./oauth/code-verifier"));
 const redirect = __importStar(require("./oauth/redirect"));
 const utils_1 = require("./utils");
-const x509_1 = __importDefault(require("../saml/x509"));
+const x509_1 = require("../saml/x509");
 const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
 const validateSAMLResponse = (rawResponse, validateOpts) => __awaiter(void 0, void 0, void 0, function* () {
     const profile = yield saml20_1.default.validate(rawResponse, validateOpts);
@@ -312,27 +312,8 @@ class OAuthController {
                         }),
                     };
                 }
+                const cert = yield (0, x509_1.getDefaultCertificate)();
                 try {
-                    const { validTo } = new crypto_1.default.X509Certificate(connection.certs.publicKey);
-                    const isValidExpiry = validTo != 'Bad time value' && new Date(validTo) > new Date();
-                    if (!isValidExpiry) {
-                        const certs = yield x509_1.default.generate();
-                        connection.certs = certs;
-                        if (certs) {
-                            yield this.connectionStore.put(connection.clientID, connection, {
-                                // secondary index on entityID
-                                name: utils_1.IndexNames.EntityID,
-                                value: connection.idpMetadata.entityID,
-                            }, {
-                                // secondary index on tenant + product
-                                name: utils_1.IndexNames.TenantProduct,
-                                value: dbutils.keyFromParts(connection.tenant, connection.product),
-                            });
-                        }
-                        else {
-                            throw new Error('Error generating x509 certs');
-                        }
-                    }
                     // We will get undefined or Space delimited, case sensitive list of ASCII string values in prompt
                     // If login is one of the value in prompt we want to enable forceAuthn
                     // Else use the saml connection forceAuthn value
@@ -341,8 +322,8 @@ class OAuthController {
                         ssoUrl,
                         entityID: this.opts.samlAudience,
                         callbackUrl: this.opts.externalUrl + this.opts.samlPath,
-                        signingKey: connection.certs.privateKey,
-                        publicKey: connection.certs.publicKey,
+                        signingKey: cert.privateKey,
+                        publicKey: cert.publicKey,
                         forceAuthn: promptOptions.length > 0 ? true : !!connection.forceAuthn,
                     });
                 }
@@ -382,7 +363,7 @@ class OAuthController {
                     oidcCodeVerifier = openid_client_1.generators.codeVerifier();
                     const code_challenge = openid_client_1.generators.codeChallenge(oidcCodeVerifier);
                     ssoUrl = oidcClient.authorizationUrl({
-                        scope: [...requestedScopes, 'openid', 'email', 'profile', 'groups']
+                        scope: [...requestedScopes, 'openid', 'email', 'profile']
                             .filter((value, index, self) => self.indexOf(value) === index) // filter out duplicates
                             .join(' '),
                         code_challenge,
@@ -544,10 +525,11 @@ class OAuthController {
             if (!samlConnection) {
                 throw new error_1.JacksonError('SAML connection not found.', 403);
             }
+            const { privateKey } = yield (0, x509_1.getDefaultCertificate)();
             const validateOpts = {
                 thumbprint: samlConnection.idpMetadata.thumbprint,
                 audience: this.opts.samlAudience,
-                privateKey: samlConnection.certs.privateKey,
+                privateKey,
             };
             if (session &&
                 session.redirect_uri &&

package/dist/controller/sp-config.d.ts

@@ -1,21 +1,22 @@
 import type { JacksonOption } from '../typings';
 export declare class SPSAMLConfig {
     private opts;
-    constructor(opts: JacksonOption);
+    private getDefaultCertificate;
+    constructor(opts: JacksonOption, getDefaultCertificate: any);
     private get acsUrl();
     private get entityId();
     private get responseSigned();
     private get assertionSignature();
     private get signatureAlgorithm();
-    private get assertionEncryption();
-    get(): {
+    get(): Promise<{
         acsUrl: string;
         entityId: string;
         response: string;
         assertionSignature: string;
         signatureAlgorithm: string;
-        assertionEncryption: string;
-    };
+        publicKey: string;
+        publicKeyString: string;
+    }>;
     toMarkdown(): string;
     toHTML(): string;
 }

package/dist/controller/sp-config.js

@@ -1,11 +1,25 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SPSAMLConfig = void 0;
 const marked_1 = require("marked");
+const saml20_1 = __importDefault(require("@boxyhq/saml20"));
 // Service Provider SAML Configuration
 class SPSAMLConfig {
-    constructor(opts) {
+    constructor(opts, getDefaultCertificate) {
         this.opts = opts;
+        this.getDefaultCertificate = getDefaultCertificate;
     }
     get acsUrl() {
         return `${this.opts.externalUrl}${this.opts.samlPath}`;
@@ -22,18 +36,19 @@ class SPSAMLConfig {
     get signatureAlgorithm() {
         return 'RSA-SHA256';
     }
-    get assertionEncryption() {
-        return 'Unencrypted';
-    }
     get() {
-        return {
-            acsUrl: this.acsUrl,
-            entityId: this.entityId,
-            response: this.responseSigned,
-            assertionSignature: this.assertionSignature,
-            signatureAlgorithm: this.signatureAlgorithm,
-            assertionEncryption: this.assertionEncryption,
-        };
+        return __awaiter(this, void 0, void 0, function* () {
+            const cert = yield this.getDefaultCertificate();
+            return {
+                acsUrl: this.acsUrl,
+                entityId: this.entityId,
+                response: this.responseSigned,
+                assertionSignature: this.assertionSignature,
+                signatureAlgorithm: this.signatureAlgorithm,
+                publicKey: cert.publicKey,
+                publicKeyString: saml20_1.default.stripCertHeaderAndFooter(cert.publicKey),
+            };
+        });
     }
     toMarkdown() {
         return markdownTemplate
@@ -41,8 +56,7 @@ class SPSAMLConfig {
             .replace('{{entityId}}', this.entityId)
             .replace('{{responseSigned}}', this.responseSigned)
             .replace('{{assertionSignature}}', this.assertionSignature)
-            .replace('{{signatureAlgorithm}}', this.signatureAlgorithm)
-            .replace('{{assertionEncryption}}', this.assertionEncryption);
+            .replace('{{signatureAlgorithm}}', this.signatureAlgorithm);
     }
     toHTML() {
         return marked_1.marked.parse(this.toMarkdown());
@@ -70,5 +84,5 @@ Your Identity Provider (IdP) will ask for the following information while config
 {{signatureAlgorithm}}
 
 **Assertion Encryption** <br />
-{{assertionEncryption}}
+If you want to encrypt the assertion, you can download our [public certificate](/.well-known/saml.cer). Otherwise select the 'Unencrypted' option.
 `;

package/dist/db/db.js

@@ -47,6 +47,9 @@ const JacksonTTL_1 = require("./sql/entity/JacksonTTL");
 const JacksonStore_2 = require("./planetscale/entity/JacksonStore");
 const JacksonIndex_2 = require("./planetscale/entity/JacksonIndex");
 const JacksonTTL_2 = require("./planetscale/entity/JacksonTTL");
+const JacksonStore_3 = require("./sql/mssql/entity/JacksonStore");
+const JacksonIndex_3 = require("./sql/mssql/entity/JacksonIndex");
+const JacksonTTL_3 = require("./sql/mssql/entity/JacksonTTL");
 const decrypt = (res, encryptionKey) => {
     if (res.iv && res.tag) {
         return JSON.parse(encrypter.decrypt(res.value, res.iv, res.tag, encryptionKey));
@@ -113,11 +116,20 @@ exports.default = {
             case 'redis':
                 return new DB(yield redis_1.default.new(options), encryptionKey);
             case 'sql':
-                return new DB(yield sql_1.default.new(options, {
-                    JacksonStore: JacksonStore_1.JacksonStore,
-                    JacksonIndex: JacksonIndex_1.JacksonIndex,
-                    JacksonTTL: JacksonTTL_1.JacksonTTL,
-                }), encryptionKey);
+                switch (options.type) {
+                    case 'mssql':
+                        return new DB(yield sql_1.default.new(options, {
+                            JacksonStore: JacksonStore_3.JacksonStore,
+                            JacksonIndex: JacksonIndex_3.JacksonIndex,
+                            JacksonTTL: JacksonTTL_3.JacksonTTL,
+                        }), encryptionKey);
+                    default:
+                        return new DB(yield sql_1.default.new(options, {
+                            JacksonStore: JacksonStore_1.JacksonStore,
+                            JacksonIndex: JacksonIndex_1.JacksonIndex,
+                            JacksonTTL: JacksonTTL_1.JacksonTTL,
+                        }), encryptionKey);
+                }
             case 'planetscale':
                 return new DB(yield sql_1.default.new(options, {
                     JacksonStore: JacksonStore_2.JacksonStore,

package/dist/db/redis.js

@@ -54,7 +54,7 @@ class Redis {
                 };
             }
             this.client = redis.createClient(opts);
-            this.client.on('error', (err) => console.log('Redis Client Error', err));
+            this.client.on('error', (err) => console.info('Redis Client Error', err));
             yield this.client.connect();
             return this;
         });

package/dist/db/sql/mssql/entity/JacksonIndex.d.ts

@@ -0,0 +1,7 @@
+import { JacksonStore } from './JacksonStore';
+export declare class JacksonIndex {
+    id: number;
+    key: string;
+    storeKey: string;
+    store?: JacksonStore;
+}

package/dist/db/sql/mssql/entity/JacksonIndex.js

@@ -0,0 +1,41 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonIndex = void 0;
+const JacksonStore_1 = require("./JacksonStore");
+const typeorm_1 = require("typeorm");
+let JacksonIndex = class JacksonIndex {
+};
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)()
+], JacksonIndex.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Index)('_jackson_index_key'),
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 1500,
+    })
+], JacksonIndex.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 1500,
+    })
+], JacksonIndex.prototype, "storeKey", void 0);
+__decorate([
+    (0, typeorm_1.ManyToOne)(() => JacksonStore_1.JacksonStore, undefined, {
+        //inverseSide: 'in',
+        eager: true,
+        onDelete: 'CASCADE',
+    })
+], JacksonIndex.prototype, "store", void 0);
+JacksonIndex = __decorate([
+    (0, typeorm_1.Index)('_jackson_index_key_store', ['key', 'storeKey']),
+    (0, typeorm_1.Entity)()
+], JacksonIndex);
+exports.JacksonIndex = JacksonIndex;

package/dist/db/sql/mssql/entity/JacksonStore.d.ts

@@ -0,0 +1,8 @@
+export declare class JacksonStore {
+    key: string;
+    value: string;
+    iv?: string;
+    tag?: string;
+    createdAt?: Date;
+    modifiedAt?: string;
+}

package/dist/db/sql/mssql/entity/JacksonStore.js

@@ -0,0 +1,55 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonStore = void 0;
+const typeorm_1 = require("typeorm");
+let JacksonStore = class JacksonStore {
+};
+__decorate([
+    (0, typeorm_1.Column)({
+        primary: true,
+        type: 'varchar',
+        length: 1500,
+    })
+], JacksonStore.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'text',
+    })
+], JacksonStore.prototype, "value", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 64,
+        nullable: true,
+    })
+], JacksonStore.prototype, "iv", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'varchar',
+        length: 64,
+        nullable: true,
+    })
+], JacksonStore.prototype, "tag", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'datetime',
+        default: () => 'CURRENT_TIMESTAMP',
+        nullable: false,
+    })
+], JacksonStore.prototype, "createdAt", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'datetime',
+        nullable: true,
+    })
+], JacksonStore.prototype, "modifiedAt", void 0);
+JacksonStore = __decorate([
+    (0, typeorm_1.Entity)()
+], JacksonStore);
+exports.JacksonStore = JacksonStore;

package/dist/db/sql/mssql/entity/JacksonTTL.d.ts

@@ -0,0 +1,4 @@
+export declare class JacksonTTL {
+    key: string;
+    expiresAt: number;
+}

package/dist/db/sql/mssql/entity/JacksonTTL.js

@@ -0,0 +1,29 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JacksonTTL = void 0;
+const typeorm_1 = require("typeorm");
+let JacksonTTL = class JacksonTTL {
+};
+__decorate([
+    (0, typeorm_1.Column)({
+        primary: true,
+        type: 'varchar',
+        length: 1500,
+    })
+], JacksonTTL.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Index)('_jackson_ttl_expires_at'),
+    (0, typeorm_1.Column)({
+        type: 'bigint',
+    })
+], JacksonTTL.prototype, "expiresAt", void 0);
+JacksonTTL = __decorate([
+    (0, typeorm_1.Entity)()
+], JacksonTTL);
+exports.JacksonTTL = JacksonTTL;

package/dist/db/sql/mssql.d.ts

@@ -0,0 +1 @@
+export declare const parseURL: (url?: string) => any;

package/dist/db/sql/mssql.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseURL = void 0;
+const parseURL = (url) => {
+    if (!url) {
+        throw new Error('URL is required');
+    }
+    const parts = url.split('://');
+    if (parts.length != 2) {
+        throw new Error('Invalid connection string');
+    }
+    //const scheme = parts[0];
+    const connectionString = parts[1];
+    const connParts = connectionString.split(';');
+    if (connParts.length == 0) {
+        throw new Error('Invalid connection string');
+    }
+    // sqlserver://[serverName[\instanceName][:portNumber]][;property=value[;property=value]]
+    const hostPort = connParts[0];
+    const hostPortParts = hostPort.split(':');
+    const host = hostPortParts[0];
+    const port = hostPortParts.length > 1 ? parseInt(hostPortParts[1], 10) : 1433;
+    const options = {};
+    connParts.slice(1).map((p) => {
+        const ps = p.split('=');
+        options[ps[0]] = ps[1];
+    });
+    const username = options.username || options.user;
+    const password = options.password || options.pass;
+    const database = options.database;
+    delete options.username;
+    delete options.user;
+    delete options.password;
+    delete options.pass;
+    delete options.database;
+    options.encrypt = Boolean(options.encrypt || false);
+    return {
+        host,
+        port,
+        database,
+        username,
+        password,
+        options,
+    };
+};
+exports.parseURL = parseURL;

package/dist/db/sql/sql.js

@@ -36,6 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 require('reflect-metadata');
 const typeorm_1 = require("typeorm");
 const dbutils = __importStar(require("../utils"));
+const mssql = __importStar(require("./mssql"));
 class Sql {
     constructor(options) {
         this.options = options;
@@ -45,15 +46,20 @@ class Sql {
             const sqlType = this.options.engine === 'planetscale' ? 'mysql' : this.options.type;
             while (true) {
                 try {
-                    this.dataSource = new typeorm_1.DataSource({
+                    const baseOpts = {
                         type: sqlType,
-                        url: this.options.url,
                         synchronize: this.options.engine !== 'planetscale',
                         migrationsTableName: '_jackson_migrations',
                         logging: ['error'],
                         entities: [JacksonStore, JacksonIndex, JacksonTTL],
-                        ssl: this.options.ssl,
-                    });
+                    };
+                    if (sqlType === 'mssql') {
+                        const mssqlOpts = mssql.parseURL(this.options.url);
+                        this.dataSource = new typeorm_1.DataSource(Object.assign({ host: mssqlOpts.host, port: mssqlOpts.port, database: mssqlOpts.database, username: mssqlOpts.username, password: mssqlOpts.password, options: mssqlOpts.options }, baseOpts));
+                    }
+                    else {
+                        this.dataSource = new typeorm_1.DataSource(Object.assign({ url: this.options.url, ssl: this.options.ssl }, baseOpts));
+                    }
                     yield this.dataSource.initialize();
                     break;
                 }
@@ -94,7 +100,7 @@ class Sql {
                 this.timerId = setTimeout(this.ttlCleanup, this.options.ttl * 1000);
             }
             else {
-                console.log('Warning: ttl cleanup not enabled, set both "ttl" and "cleanupLimit" options to enable it!');
+                console.warn('Warning: ttl cleanup not enabled, set both "ttl" and "cleanupLimit" options to enable it!');
             }
             return this;
         });
@@ -173,7 +179,7 @@ class Sql {
                 // no ttl support for secondary indexes
                 for (const idx of indexes || []) {
                     const key = dbutils.keyForIndex(namespace, idx);
-                    const rec = yield this.indexRepository.findOneBy({
+                    const rec = yield transactionalEntityManager.findOneBy(this.JacksonIndex, {
                         key,
                         storeKey: store.key,
                     });

package/dist/index.js

@@ -10,6 +10,18 @@ var __createBinding = (this && this.__createBinding) || (Object.create ? (functi
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
 }));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
@@ -38,6 +50,7 @@ const logout_1 = require("./controller/logout");
 const directory_sync_1 = __importDefault(require("./directory-sync"));
 const oidc_discovery_1 = require("./controller/oidc-discovery");
 const sp_config_1 = require("./controller/sp-config");
+const x509 = __importStar(require("./saml/x509"));
 const defaultOpts = (opts) => {
     const newOpts = Object.assign({}, opts);
     if (!newOpts.externalUrl) {
@@ -67,10 +80,13 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
     const codeStore = db.store('oauth:code', opts.db.ttl);
     const tokenStore = db.store('oauth:token', opts.db.ttl);
     const healthCheckStore = db.store('_health:check');
+    const certificateStore = db.store('x509:certificates');
     const connectionAPIController = new api_1.ConnectionAPIController({ connectionStore, opts });
     const adminController = new admin_1.AdminController({ connectionStore });
     const healthCheckController = new health_check_1.HealthCheckController({ healthCheckStore });
     yield healthCheckController.init();
+    // Create default certificate if it doesn't exist.
+    yield x509.init(certificateStore);
     const oauthController = new oauth_1.OAuthController({
         connectionStore,
         sessionStore,
@@ -85,7 +101,7 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
     });
     const directorySync = yield (0, directory_sync_1.default)({ db, opts });
     const oidcDiscoveryController = new oidc_discovery_1.OidcDiscoveryController({ opts });
-    const spConfig = new sp_config_1.SPSAMLConfig(opts);
+    const spConfig = new sp_config_1.SPSAMLConfig(opts, x509.getDefaultCertificate);
     // write pre-loaded connections if present
     const preLoadedConnection = opts.preLoadedConnection || opts.preLoadedConfig;
     if (preLoadedConnection && preLoadedConnection.length > 0) {
@@ -97,11 +113,11 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
             else {
                 yield connectionAPIController.createSAMLConnection(connection);
             }
-            console.log(`loaded connection for tenant "${connection.tenant}" and product "${connection.product}"`);
+            console.info(`loaded connection for tenant "${connection.tenant}" and product "${connection.product}"`);
         }
     }
     const type = opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
-    console.log(`Using engine: ${opts.db.engine}.${type}`);
+    console.info(`Using engine: ${opts.db.engine}.${type}`);
     return {
         spConfig,
         apiController: connectionAPIController,

package/dist/saml/x509.d.ts

@@ -1,7 +1,13 @@
-declare const _default: {
-    generate: () => {
-        publicKey: any;
-        privateKey: any;
-    };
+import type { Storable } from '../typings';
+export declare const init: (store: Storable) => Promise<{
+    publicKey: string;
+    privateKey: string;
+}>;
+export declare const generateCertificate: () => {
+    publicKey: any;
+    privateKey: any;
 };
-export default _default;
+export declare const getDefaultCertificate: () => Promise<{
+    publicKey: string;
+    privateKey: string;
+}>;

package/dist/saml/x509.js

@@ -22,17 +22,38 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getDefaultCertificate = exports.generateCertificate = exports.init = void 0;
 const forge = __importStar(require("node-forge"));
+const crypto_1 = __importDefault(require("crypto"));
 const pki = forge.pki;
-const generate = () => {
+let certificateStore;
+let cachedCertificate;
+const init = (store) => __awaiter(void 0, void 0, void 0, function* () {
+    certificateStore = store;
+    return yield (0, exports.getDefaultCertificate)();
+});
+exports.init = init;
+const generateCertificate = () => {
     const today = new Date();
     const keys = pki.rsa.generateKeyPair(2048);
     const cert = pki.createCertificate();
     cert.publicKey = keys.publicKey;
     cert.serialNumber = '01';
     cert.validity.notBefore = new Date();
-    cert.validity.notAfter = new Date(today.setFullYear(today.getFullYear() + 10));
+    cert.validity.notAfter = new Date(today.setFullYear(today.getFullYear() + 30));
     const attrs = [
         {
             name: 'commonName',
@@ -62,6 +83,26 @@ const generate = () => {
         privateKey: pki.privateKeyToPem(keys.privateKey),
     };
 };
-exports.default = {
-    generate,
-};
+exports.generateCertificate = generateCertificate;
+const getDefaultCertificate = () => __awaiter(void 0, void 0, void 0, function* () {
+    if (cachedCertificate && !(yield isCertificateExpired(cachedCertificate.publicKey))) {
+        return cachedCertificate;
+    }
+    if (!certificateStore) {
+        throw new Error('Certificate store not initialized');
+    }
+    cachedCertificate = yield certificateStore.get('default');
+    // If certificate is expired let it drop through so it creates a new cert
+    if (cachedCertificate && !(yield isCertificateExpired(cachedCertificate.publicKey))) {
+        return cachedCertificate;
+    }
+    // If default certificate is not found or has expired, create one and store it.
+    cachedCertificate = (0, exports.generateCertificate)();
+    yield certificateStore.put('default', cachedCertificate);
+    return cachedCertificate;
+});
+exports.getDefaultCertificate = getDefaultCertificate;
+const isCertificateExpired = (publicKey) => __awaiter(void 0, void 0, void 0, function* () {
+    const { validTo } = new crypto_1.default.X509Certificate(publicKey);
+    return !(validTo != 'Bad time value' && new Date(validTo) > new Date());
+});

package/dist/typings.d.ts

@@ -41,10 +41,6 @@ export interface SAMLSSORecord extends SAMLSSOConnection {
         thumbprint?: string;
         validTo?: string;
     };
-    certs: {
-        privateKey: string;
-        publicKey: string;
-    };
 }
 export interface OIDCSSORecord extends SSOConnection {
     clientID: string;
@@ -261,7 +257,7 @@ export interface Encrypted {
 }
 export declare type EncryptionKey = any;
 export declare type DatabaseEngine = 'redis' | 'sql' | 'mongo' | 'mem' | 'planetscale';
-export declare type DatabaseType = 'postgres' | 'mysql' | 'mariadb';
+export declare type DatabaseType = 'postgres' | 'mysql' | 'mariadb' | 'mssql';
 export interface DatabaseOption {
     engine?: DatabaseEngine;
     url?: string;
@@ -314,10 +310,6 @@ interface Metadata {
 }
 export interface SAMLConnection {
     idpMetadata: Metadata;
-    certs: {
-        privateKey: string;
-        publicKey: string;
-    };
     defaultRedirectUrl: string;
 }
 export interface OAuthErrorHandlerParams {
@@ -328,14 +320,15 @@ export interface OAuthErrorHandlerParams {
 }
 export declare type OIDCErrorCodes = 'interaction_required' | 'login_required' | 'account_selection_required' | 'consent_required' | 'invalid_request_uri' | 'invalid_request_object' | 'request_not_supported' | 'request_uri_not_supported' | 'registration_not_supported';
 export interface ISPSAMLConfig {
-    get(): {
+    get(): Promise<{
         acsUrl: string;
         entityId: string;
         response: string;
         assertionSignature: string;
         signatureAlgorithm: string;
-        assertionEncryption: string;
-    };
+        publicKey: string;
+        publicKeyString: string;
+    }>;
     toMarkdown(): string;
     toHTML(): string;
 }

package/migration/mssql/1667949639424-mss_Initial.ts

@@ -0,0 +1,26 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class mssInitial1667949639424 implements MigrationInterface {
+    name = 'mssInitial1667949639424'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`CREATE TABLE "jackson_ttl" ("key" varchar(1500) NOT NULL, "expiresAt" bigint NOT NULL, CONSTRAINT "PK_7c9bcdfb4d82e873e19935ec806" PRIMARY KEY ("key"))`);
+        await queryRunner.query(`CREATE INDEX "_jackson_ttl_expires_at" ON "jackson_ttl" ("expiresAt") `);
+        await queryRunner.query(`CREATE TABLE "jackson_store" ("key" varchar(1500) NOT NULL, "value" text NOT NULL, "iv" varchar(64), "tag" varchar(64), "createdAt" datetime NOT NULL CONSTRAINT "DF_49022ed8c543adefc99ff762200" DEFAULT getdate(), "modifiedAt" datetime, CONSTRAINT "PK_87b6fc1475fbd1228d2f53c6f4a" PRIMARY KEY ("key"))`);
+        await queryRunner.query(`CREATE TABLE "jackson_index" ("id" int NOT NULL IDENTITY(1,1), "key" varchar(1500) NOT NULL, "storeKey" varchar(1500) NOT NULL, CONSTRAINT "PK_a95aa83f01e3c73e126856b7820" PRIMARY KEY ("id"))`);
+        await queryRunner.query(`CREATE INDEX "_jackson_index_key" ON "jackson_index" ("key") `);
+        await queryRunner.query(`CREATE INDEX "_jackson_index_key_store" ON "jackson_index" ("key", "storeKey") `);
+        await queryRunner.query(`ALTER TABLE "jackson_index" ADD CONSTRAINT "FK_937b040fb2592b4671cbde09e83" FOREIGN KEY ("storeKey") REFERENCES "jackson_store"("key") ON DELETE CASCADE ON UPDATE NO ACTION`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "jackson_index" DROP CONSTRAINT "FK_937b040fb2592b4671cbde09e83"`);
+        await queryRunner.query(`DROP INDEX "_jackson_index_key_store" ON "jackson_index"`);
+        await queryRunner.query(`DROP INDEX "_jackson_index_key" ON "jackson_index"`);
+        await queryRunner.query(`DROP TABLE "jackson_index"`);
+        await queryRunner.query(`DROP TABLE "jackson_store"`);
+        await queryRunner.query(`DROP INDEX "_jackson_ttl_expires_at" ON "jackson_ttl"`);
+        await queryRunner.query(`DROP TABLE "jackson_ttl"`);
+    }
+
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "1.3.4",
+  "version": "1.3.6",
   "description": "SAML Jackson library",
   "keywords": [
     "SAML 2.0"
@@ -22,10 +22,12 @@
     "db:migration:generate:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mysql/ms_${MIGRATION_NAME}",
     "db:migration:generate:planetscale": "cross-env DB_ENGINE=planetscale DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mysql/ms_${MIGRATION_NAME}",
     "db:migration:generate:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mariadb/md_${MIGRATION_NAME}",
+    "db:migration:generate:mssql": "cross-env DB_TYPE=mssql DB_URL='sqlserver://localhost:1433;database=master;username=sa;password=123ABabc!' ts-node --transpile-only ./node_modules/typeorm/cli.js migration:generate -d typeorm.ts migration/mssql/mss_${MIGRATION_NAME}",
     "db:migration:run:postgres": "ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "db:migration:run:mysql": "cross-env DB_TYPE=mysql DB_URL=mysql://root:mysql@localhost:3307/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "db:migration:run:planetscale": "cross-env DB_SSL=true DB_ENGINE=planetscale DB_URL=${PLANETSCALE_URL} ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "db:migration:run:mariadb": "cross-env DB_TYPE=mariadb DB_URL=mariadb://root@localhost:3306/mysql ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
+    "db:migration:run:mssql": "cross-env DB_TYPE=mssql DB_URL='sqlserver://localhost:1433;database=master;username=sa;password=123ABabc!' ts-node --transpile-only ./node_modules/typeorm/cli.js migration:run -d typeorm.ts",
     "prepublishOnly": "npm run build",
     "test": "tap --ts --timeout=100 --coverage-map=map.js test/**/*.test.ts",
     "sort": "npx sort-package-json"
@@ -42,14 +44,15 @@
     "@opentelemetry/api": "1.0.4",
     "@opentelemetry/api-metrics": "0.27.0",
     "axios": "1.1.3",
-    "jose": "4.10.3",
-    "marked": "4.1.1",
+    "jose": "4.10.4",
+    "marked": "4.2.2",
     "mongodb": "4.11.0",
+    "mssql": "9.0.1",
     "mysql2": "2.3.3",
-    "openid-client": "5.1.10",
     "node-forge": "1.3.1",
+    "openid-client": "5.2.1",
     "pg": "8.8.0",
-    "redis": "4.3.1",
+    "redis": "4.4.0",
     "reflect-metadata": "0.1.13",
     "ripemd160": "2.0.2",
     "typeorm": "0.3.10",
@@ -58,13 +61,13 @@
   },
   "devDependencies": {
     "@faker-js/faker": "7.6.0",
-    "@types/node": "18.11.5",
+    "@types/node": "18.11.9",
     "@types/sinon": "10.0.13",
     "@types/tap": "15.0.7",
-    "@typescript-eslint/eslint-plugin": "5.40.0",
-    "@typescript-eslint/parser": "5.41.0",
+    "@typescript-eslint/eslint-plugin": "5.42.0",
+    "@typescript-eslint/parser": "5.42.0",
     "cross-env": "7.0.3",
-    "eslint": "8.26.0",
+    "eslint": "8.27.0",
     "eslint-config-prettier": "8.5.0",
     "prettier": "2.7.1",
     "sinon": "14.0.1",
@@ -74,6 +77,6 @@
     "typescript": "4.8.4"
   },
   "engines": {
-    "node": ">=14.18.1 <=16.x"
+    "node": ">=14.18.1 <=18.x"
   }
 }