@boxyhq/saml-jackson 1.32.0 → 1.33.1-beta.1

package/dist/src/controller/logout.js

@@ -0,0 +1,132 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import crypto from 'crypto';
+import { promisify } from 'util';
+import { deflateRaw } from 'zlib';
+import * as dbutils from '../db/utils';
+import saml from '@boxyhq/saml20';
+import { JacksonError } from './error';
+import * as redirect from './oauth/redirect';
+import { IndexNames } from './utils';
+import { getDefaultCertificate } from '../saml/x509';
+const deflateRawAsync = promisify(deflateRaw);
+const relayStatePrefix = 'boxyhq_jackson_';
+const logoutXPath = "/*[local-name(.)='LogoutRequest']";
+export class LogoutController {
+    constructor({ connectionStore, sessionStore, opts }) {
+        this.opts = opts;
+        this.connectionStore = connectionStore;
+        this.sessionStore = sessionStore;
+    }
+    // Create SLO Request
+    createRequest(_a) {
+        return __awaiter(this, arguments, void 0, function* ({ nameId, tenant, product, redirectUrl }) {
+            let samlConnection = null;
+            if (tenant && product) {
+                const samlConnections = (yield this.connectionStore.getByIndex({
+                    name: IndexNames.TenantProduct,
+                    value: dbutils.keyFromParts(tenant, product),
+                })).data;
+                if (!samlConnections || samlConnections.length === 0) {
+                    throw new JacksonError('SAML connection not found.', 403);
+                }
+                samlConnection = samlConnections[0];
+            }
+            if (!samlConnection) {
+                throw new JacksonError('SAML connection not found.', 403);
+            }
+            const { idpMetadata: { slo, provider }, } = samlConnection;
+            const { privateKey, publicKey } = yield getDefaultCertificate();
+            if ('redirectUrl' in slo === false && 'postUrl' in slo === false) {
+                throw new JacksonError(`${provider} doesn't support SLO or disabled by IdP.`, 400);
+            }
+            const { id, xml } = saml.createLogoutRequest({
+                nameId,
+                providerName: this.opts.samlAudience,
+                sloUrl: slo.redirectUrl,
+            });
+            const sessionId = crypto.randomBytes(16).toString('hex');
+            let logoutUrl = null;
+            let logoutForm = null;
+            const relayState = relayStatePrefix + sessionId;
+            const signedXML = yield signXML(xml, privateKey, publicKey);
+            yield this.sessionStore.put(sessionId, {
+                id,
+                redirectUrl,
+            });
+            // HTTP-Redirect binding
+            if ('redirectUrl' in slo) {
+                logoutUrl = redirect.success(slo.redirectUrl, {
+                    SAMLRequest: Buffer.from(yield deflateRawAsync(signedXML)).toString('base64'),
+                    RelayState: relayState,
+                });
+            }
+            // HTTP-POST binding
+            if ('postUrl' in slo) {
+                logoutForm = saml.createPostForm(slo.postUrl, [
+                    {
+                        name: 'RelayState',
+                        value: relayState,
+                    },
+                    {
+                        name: 'SAMLRequest',
+                        value: Buffer.from(signedXML).toString('base64'),
+                    },
+                ]);
+            }
+            return { logoutUrl, logoutForm };
+        });
+    }
+    // Handle SLO Response
+    handleResponse(_a) {
+        return __awaiter(this, arguments, void 0, function* ({ SAMLResponse, RelayState }) {
+            var _b;
+            const rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+            const sessionId = RelayState.replace(relayStatePrefix, '');
+            const session = yield this.sessionStore.get(sessionId);
+            if (!session) {
+                throw new JacksonError('Unable to validate state from the origin request.', 403);
+            }
+            const parsedResponse = yield saml.parseLogoutResponse(rawResponse);
+            if (parsedResponse.status !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+                throw new JacksonError(`SLO failed with status ${parsedResponse.status}.`, 400);
+            }
+            if (parsedResponse.inResponseTo !== session.id) {
+                throw new JacksonError(`SLO failed with mismatched request ID.`, 400);
+            }
+            const samlConnections = (yield this.connectionStore.getByIndex({
+                name: IndexNames.EntityID,
+                value: parsedResponse.issuer,
+            })).data;
+            if (!samlConnections || samlConnections.length === 0) {
+                throw new JacksonError('SAML connection not found.', 403);
+            }
+            const { idpMetadata, defaultRedirectUrl } = samlConnections[0];
+            if (!(yield saml.validateSignature(rawResponse, null, idpMetadata.thumbprint))) {
+                throw new JacksonError('Invalid signature.', 403);
+            }
+            try {
+                yield this.sessionStore.delete(sessionId);
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+            }
+            catch (_err) {
+                // Ignore
+            }
+            return {
+                redirectUrl: (_b = session.redirectUrl) !== null && _b !== void 0 ? _b : defaultRedirectUrl,
+            };
+        });
+    }
+}
+// Sign the XML
+const signXML = (xml, signingKey, publicKey) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield saml.sign(xml, signingKey, publicKey, logoutXPath);
+});
+//# sourceMappingURL=logout.js.map

package/dist/src/controller/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../src/controller/logout.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,OAAO,MAAM,aAAa,CAAC;AAEvC,OAAO,IAAI,MAAM,gBAAgB,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,KAAK,QAAQ,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAErD,MAAM,eAAe,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;AAE9C,MAAM,gBAAgB,GAAG,iBAAiB,CAAC;AAC3C,MAAM,WAAW,GAAG,mCAAmC,CAAC;AAExD,MAAM,OAAO,gBAAgB;IAK3B,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,IAAI,EAAE;QACjD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QACvC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,qBAAqB;IACR,aAAa;6DAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAoB;YACnF,IAAI,cAAc,GAA0B,IAAI,CAAC;YAEjD,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;gBACtB,MAAM,eAAe,GAAG,CACtB,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC;oBACpC,IAAI,EAAE,UAAU,CAAC,aAAa;oBAC9B,KAAK,EAAE,OAAO,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC;iBAC7C,CAAC,CACH,CAAC,IAAI,CAAC;gBAEP,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACrD,MAAM,IAAI,YAAY,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;gBAC5D,CAAC;gBAED,cAAc,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YACtC,CAAC;YAED,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,MAAM,IAAI,YAAY,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YAC5D,CAAC;YAED,MAAM,EACJ,WAAW,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAC/B,GAAG,cAAc,CAAC;YAEnB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,qBAAqB,EAAE,CAAC;YAEhE,IAAI,aAAa,IAAI,GAAG,KAAK,KAAK,IAAI,SAAS,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;gBACjE,MAAM,IAAI,YAAY,CAAC,GAAG,QAAQ,0CAA0C,EAAE,GAAG,CAAC,CAAC;YACrF,CAAC;YAED,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC;gBAC3C,MAAM;gBACN,YAAY,EAAE,IAAI,CAAC,IAAI,CAAC,YAAa;gBACrC,MAAM,EAAE,GAAG,CAAC,WAAqB;aAClC,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAEzD,IAAI,SAAS,GAAkB,IAAI,CAAC;YACpC,IAAI,UAAU,GAAkB,IAAI,CAAC;YAErC,MAAM,UAAU,GAAG,gBAAgB,GAAG,SAAS,CAAC;YAChD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;YAE5D,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE;gBACrC,EAAE;gBACF,WAAW;aACZ,CAAC,CAAC;YAEH,wBAAwB;YACxB,IAAI,aAAa,IAAI,GAAG,EAAE,CAAC;gBACzB,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,WAAqB,EAAE;oBACtD,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAC7E,UAAU,EAAE,UAAU;iBACvB,CAAC,CAAC;YACL,CAAC;YAED,oBAAoB;YACpB,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;gBACrB,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,OAAiB,EAAE;oBACtD;wBACE,IAAI,EAAE,YAAY;wBAClB,KAAK,EAAE,UAAU;qBAClB;oBACD;wBACE,IAAI,EAAE,aAAa;wBACnB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;qBACjD;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;QACnC,CAAC;KAAA;IAED,sBAAsB;IACT,cAAc;6DAAC,EAAE,YAAY,EAAE,UAAU,EAAuB;;YAC3E,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;YAEnE,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;YAC3D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAEvD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,YAAY,CAAC,mDAAmD,EAAE,GAAG,CAAC,CAAC;YACnF,CAAC;YAED,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;YAEnE,IAAI,cAAc,CAAC,MAAM,KAAK,4CAA4C,EAAE,CAAC;gBAC3E,MAAM,IAAI,YAAY,CAAC,0BAA0B,cAAc,CAAC,MAAM,GAAG,EAAE,GAAG,CAAC,CAAC;YAClF,CAAC;YAED,IAAI,cAAc,CAAC,YAAY,KAAK,OAAO,CAAC,EAAE,EAAE,CAAC;gBAC/C,MAAM,IAAI,YAAY,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;YACxE,CAAC;YAED,MAAM,eAAe,GAAG,CACtB,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC;gBACpC,IAAI,EAAE,UAAU,CAAC,QAAQ;gBACzB,KAAK,EAAE,cAAc,CAAC,MAAM;aAC7B,CAAC,CACH,CAAC,IAAI,CAAC;YAEP,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrD,MAAM,IAAI,YAAY,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YAC5D,CAAC;YAED,MAAM,EAAE,WAAW,EAAE,kBAAkB,EAAE,GAAmB,eAAe,CAAC,CAAC,CAAC,CAAC;YAE/E,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,WAAW,EAAE,IAAI,EAAE,WAAW,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;gBAC/E,MAAM,IAAI,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC1C,6DAA6D;YAC/D,CAAC;YAAC,OAAO,IAAI,EAAE,CAAC;gBACd,SAAS;YACX,CAAC;YAED,OAAO;gBACL,WAAW,EAAE,MAAA,OAAO,CAAC,WAAW,mCAAI,kBAAkB;aACvD,CAAC;QACJ,CAAC;KAAA;CACF;AAED,eAAe;AACf,MAAM,OAAO,GAAG,CAAO,GAAW,EAAE,UAAkB,EAAE,SAAiB,EAAmB,EAAE;IAC5F,OAAO,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AAClE,CAAC,CAAA,CAAC"}

package/dist/src/controller/oauth/allowed.d.ts

@@ -0,0 +1 @@
+export declare const redirect: (redirectUrl: string, redirectUrls: string[]) => boolean;

package/dist/src/controller/oauth/allowed.js

@@ -0,0 +1,30 @@
+const redirectUrlPlaceholder = 'http://_boxyhq_redirect_not_in_use';
+export const redirect = (redirectUrl, redirectUrls) => {
+    // Don't allow redirect to URL placeholder
+    if (redirectUrl === redirectUrlPlaceholder) {
+        return false;
+    }
+    const url = new URL(redirectUrl);
+    for (const idx in redirectUrls) {
+        const rUrl = new URL(redirectUrls[idx]);
+        let hostname = url.hostname;
+        let hostNameAllowed = rUrl.hostname;
+        // allow subdomain globbing *.example.com only
+        try {
+            if (rUrl.hostname.startsWith('*.')) {
+                hostNameAllowed = rUrl.hostname.slice(2);
+                hostname = hostname.slice(hostname.indexOf('.') + 1);
+            }
+            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        }
+        catch (e) {
+            // no-op
+        }
+        // TODO: Check pathname, for now pathname is ignored
+        if (rUrl.protocol === url.protocol && hostNameAllowed === hostname && rUrl.port === url.port) {
+            return true;
+        }
+    }
+    return false;
+};
+//# sourceMappingURL=allowed.js.map

package/dist/src/controller/oauth/allowed.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowed.js","sourceRoot":"","sources":["../../../../src/controller/oauth/allowed.ts"],"names":[],"mappings":"AAAA,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;AAEpE,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,WAAmB,EAAE,YAAsB,EAAW,EAAE;IAC/E,0CAA0C;IAC1C,IAAI,WAAW,KAAK,sBAAsB,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAQ,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAEtC,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAQ,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;QAE7C,IAAI,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAI,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEpC,8CAA8C;QAC9C,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACzC,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,CAAC;YACD,6DAA6D;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ;QACV,CAAC;QAED,oDAAoD;QAEpD,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,eAAe,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;YAC7F,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC,CAAC"}

package/dist/src/controller/oauth/code-verifier.d.ts

@@ -0,0 +1 @@
+export declare const encode: (code_challenge: string) => string;

package/dist/src/controller/oauth/code-verifier.js

@@ -0,0 +1,8 @@
+import crypto from 'crypto';
+const transformBase64 = (input) => {
+    return input.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+};
+export const encode = (code_challenge) => {
+    return transformBase64(crypto.createHash('sha256').update(code_challenge).digest('base64'));
+};
+//# sourceMappingURL=code-verifier.js.map

package/dist/src/controller/oauth/code-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-verifier.js","sourceRoot":"","sources":["../../../../src/controller/oauth/code-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,eAAe,GAAG,CAAC,KAAa,EAAU,EAAE;IAChD,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACzE,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,cAAsB,EAAU,EAAE;IACvD,OAAO,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC9F,CAAC,CAAC"}

package/dist/src/controller/oauth/oidc-client.d.ts

@@ -0,0 +1,12 @@
+import type { ServerMetadata, Configuration } from 'openid-client' with { 'resolution-mode': 'import' };
+import { SSOTrace, SSOTracesInstance } from '../../typings';
+export declare const oidcClientConfig: ({ discoveryUrl, metadata, clientId, clientSecret, ssoTraces, }: {
+    discoveryUrl?: string;
+    metadata?: ServerMetadata;
+    clientId: string;
+    clientSecret: string;
+    ssoTraces: {
+        instance: SSOTracesInstance;
+        context: SSOTrace["context"];
+    };
+}) => Promise<Configuration>;

package/dist/src/controller/oauth/oidc-client.js

@@ -0,0 +1,89 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import * as http from 'http';
+import * as https from 'https';
+import { JacksonError } from '../error';
+import { URL } from 'url';
+const createCustomFetch = (ssoTraces) => {
+    return (url, options) => __awaiter(void 0, void 0, void 0, function* () {
+        return new Promise((resolve, reject) => {
+            const parsedUrl = new URL(url);
+            const requestOptions = {
+                hostname: parsedUrl.hostname,
+                port: parsedUrl.port,
+                path: parsedUrl.pathname + parsedUrl.search,
+                method: options.method || 'GET',
+                headers: options.headers,
+            };
+            const request = parsedUrl.protocol === 'https:' ? https.request : http.request;
+            const req = request(requestOptions, (res) => {
+                let data = '';
+                res.on('data', (chunk) => {
+                    data += chunk;
+                });
+                res.on('end', () => {
+                    const response = new Response(data, {
+                        status: res.statusCode,
+                        statusText: res.statusMessage,
+                        headers: new Headers(res.headers),
+                    });
+                    resolve(response);
+                });
+            });
+            req.on('error', (error) => {
+                ssoTraces.instance.saveTrace({
+                    error: `Fetch failed for OIDC IdP endpoint: ${parsedUrl.toString()}`,
+                    context: ssoTraces.context,
+                });
+                reject(error);
+            });
+            if (options.body) {
+                let body;
+                let contentType;
+                if (options.body instanceof URLSearchParams) {
+                    body = options.body.toString();
+                    contentType = 'application/x-www-form-urlencoded';
+                }
+                else {
+                    body = options.body;
+                }
+                if (contentType) {
+                    req.setHeader('content-type', contentType);
+                }
+                req.write(body);
+            }
+            req.end();
+        });
+    });
+};
+export const oidcClientConfig = (_a) => __awaiter(void 0, [_a], void 0, function* ({ discoveryUrl, metadata, clientId, clientSecret, ssoTraces, }) {
+    const url = discoveryUrl ? new URL(discoveryUrl) : new URL(metadata.issuer);
+    const isLocalhost = url.hostname === 'localhost';
+    const customFetchWithSsoTraces = createCustomFetch(ssoTraces);
+    const client = yield import('openid-client');
+    if (discoveryUrl) {
+        return yield client.discovery(url, clientId, clientSecret, undefined, isLocalhost
+            ? {
+                execute: [client.allowInsecureRequests],
+                [client.customFetch]: customFetchWithSsoTraces,
+            }
+            : { [client.customFetch]: customFetchWithSsoTraces });
+    }
+    if (metadata) {
+        const config = new client.Configuration(metadata, clientId, clientSecret);
+        config[client.customFetch] = customFetchWithSsoTraces;
+        if (isLocalhost) {
+            client.allowInsecureRequests(config);
+        }
+        return config;
+    }
+    throw new JacksonError('Neither "discoveryUrl" nor "metadata" set for the OIDC provider', 500);
+});
+//# sourceMappingURL=oidc-client.js.map

package/dist/src/controller/oauth/oidc-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-client.js","sourceRoot":"","sources":["../../../../src/controller/oauth/oidc-client.ts"],"names":[],"mappings":";;;;;;;;;AACA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,GAAG,EAAE,MAAM,KAAK,CAAC;AAG1B,MAAM,iBAAiB,GAAG,CAAC,SAAwE,EAAE,EAAE;IACrG,OAAO,CAAO,GAAgB,EAAE,OAAoB,EAAqB,EAAE;QACzE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAE/B,MAAM,cAAc,GAAyB;gBAC3C,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,IAAI,EAAE,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC,MAAM;gBAC3C,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;gBAC/B,OAAO,EAAE,OAAO,CAAC,OAAmC;aACrD,CAAC;YACF,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;YAE/E,MAAM,GAAG,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC1C,IAAI,IAAI,GAAG,EAAE,CAAC;gBAEd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;oBACvB,IAAI,IAAI,KAAK,CAAC;gBAChB,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,IAAI,EAAE;wBAClC,MAAM,EAAE,GAAG,CAAC,UAAU;wBACtB,UAAU,EAAE,GAAG,CAAC,aAAa;wBAC7B,OAAO,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,OAAsB,CAAC;qBACjD,CAAC,CAAC;oBAEH,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACpB,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBACxB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC3B,KAAK,EAAE,uCAAuC,SAAS,CAAC,QAAQ,EAAE,EAAE;oBACpE,OAAO,EAAE,SAAS,CAAC,OAAO;iBAC3B,CAAC,CAAC;gBACH,MAAM,CAAC,KAAK,CAAC,CAAC;YAChB,CAAC,CAAC,CAAC;YAEH,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,IAAI,IAAI,CAAC;gBACT,IAAI,WAA+B,CAAC;gBAEpC,IAAI,OAAO,CAAC,IAAI,YAAY,eAAe,EAAE,CAAC;oBAC5C,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAC/B,WAAW,GAAG,mCAAmC,CAAC;gBACpD,CAAC;qBAAM,CAAC;oBACN,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;gBACtB,CAAC;gBAED,IAAI,WAAW,EAAE,CAAC;oBAChB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;gBAC7C,CAAC;gBACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClB,CAAC;YACD,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAA,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAYL,EAAE,4CAZU,EACrC,YAAY,EACZ,QAAQ,EACR,QAAQ,EACR,YAAY,EACZ,SAAS,GAOV;IACC,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,QAAS,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC;IACjD,MAAM,wBAAwB,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IAE7C,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,MAAM,MAAM,CAAC,SAAS,CAC3B,GAAG,EACH,QAAQ,EACR,YAAY,EACZ,SAAS,EACT,WAAW;YACT,CAAC,CAAC;gBACE,OAAO,EAAE,CAAC,MAAM,CAAC,qBAAqB,CAAC;gBACvC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,wBAAwB;aAC/C;YACH,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,wBAAwB,EAAE,CACvD,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QAC1E,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,wBAAwB,CAAC;QACtD,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,IAAI,YAAY,CAAC,iEAAiE,EAAE,GAAG,CAAC,CAAC;AACjG,CAAC,CAAA,CAAC"}

package/dist/src/controller/oauth/redirect.d.ts

@@ -0,0 +1 @@
+export declare const success: (redirectUrl: string, params: Record<string, string | string[] | undefined>) => string;

package/dist/src/controller/oauth/redirect.js

@@ -0,0 +1,13 @@
+export const success = (redirectUrl, params) => {
+    const url = new URL(redirectUrl);
+    for (const [key, value] of Object.entries(params)) {
+        if (Array.isArray(value)) {
+            value.forEach((v) => url.searchParams.append(key, v));
+        }
+        else if (value !== undefined) {
+            url.searchParams.set(key, value);
+        }
+    }
+    return url.href;
+};
+//# sourceMappingURL=redirect.js.map

package/dist/src/controller/oauth/redirect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirect.js","sourceRoot":"","sources":["../../../../src/controller/oauth/redirect.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,CACrB,WAAmB,EACnB,MAAqD,EAC7C,EAAE;IACV,MAAM,GAAG,GAAQ,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAEtC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC;aAAM,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC/B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,CAAC;AAClB,CAAC,CAAC"}

package/dist/src/controller/oauth.d.ts

@@ -0,0 +1,142 @@
+import type { IOAuthController, OAuthReq, OAuthTokenReq, OAuthTokenRes, Profile, SAMLResponsePayload, OIDCAuthzResponsePayload } from '../typings';
+export declare class OAuthController implements IOAuthController {
+    private connectionStore;
+    private sessionStore;
+    private codeStore;
+    private tokenStore;
+    private ssoTraces;
+    private opts;
+    private ssoHandler;
+    private idFedApp;
+    constructor({ connectionStore, sessionStore, codeStore, tokenStore, ssoTraces, opts, idFedApp }: {
+        connectionStore: any;
+        sessionStore: any;
+        codeStore: any;
+        tokenStore: any;
+        ssoTraces: any;
+        opts: any;
+        idFedApp: any;
+    });
+    authorize(body: OAuthReq): Promise<{
+        redirect_url?: string;
+        authorize_form?: string;
+    }>;
+    samlResponse(body: SAMLResponsePayload): Promise<{
+        redirect_url?: string;
+        app_select_form?: string;
+        response_form?: string;
+    }>;
+    oidcAuthzResponse(body: OIDCAuthzResponsePayload): Promise<{
+        redirect_url?: string;
+        response_form?: string;
+    }>;
+    private _buildAuthorizationCode;
+    /**
+     * @swagger
+     *
+     * /oauth/token:
+     *   post:
+     *     summary: Code exchange
+     *     operationId: oauth-code-exchange
+     *     tags:
+     *       - OAuth
+     *     consumes:
+     *       - application/x-www-form-urlencoded
+     *     parameters:
+     *       - name: grant_type
+     *         in: formData
+     *         type: string
+     *         description: Grant type should be 'authorization_code'
+     *         default: authorization_code
+     *         required: true
+     *       - name: client_id
+     *         in: formData
+     *         type: string
+     *         description: Use the client_id returned by the SAML connection API
+     *         required: true
+     *       - name: client_secret
+     *         in: formData
+     *         type: string
+     *         description: Use the client_secret returned by the SAML connection API
+     *         required: true
+     *       - name: code_verifier
+     *         in: formData
+     *         type: string
+     *         description: code_verifier against the code_challenge in the authz request (relevant to PKCE flow)
+     *       - name: redirect_uri
+     *         in: formData
+     *         type: string
+     *         description: Redirect URI
+     *         required: true
+     *       - name: code
+     *         in: formData
+     *         type: string
+     *         description: Code
+     *         required: true
+     *     responses:
+     *       '200':
+     *         description: Success
+     *         schema:
+     *           type: object
+     *           properties:
+     *             access_token:
+     *               type: string
+     *             token_type:
+     *               type: string
+     *             expires_in:
+     *               type: string
+     *           example:
+     *             access_token: 8958e13053832b5af58fdf2ee83f35f5d013dc74
+     *             token_type: bearer
+     *             expires_in: 300
+     */
+    token(body: OAuthTokenReq, authHeader?: string | null): Promise<OAuthTokenRes>;
+    /**
+     * @swagger
+     *
+     * /oauth/userinfo:
+     *   get:
+     *     summary: Get profile
+     *     operationId: oauth-get-profile
+     *     tags:
+     *       - OAuth
+     *     responses:
+     *       '200':
+     *         description: Success
+     *         schema:
+     *           type: object
+     *           properties:
+     *             id:
+     *               type: string
+     *             email:
+     *               type: string
+     *             firstName:
+     *               type: string
+     *             lastName:
+     *               type: string
+     *             roles:
+     *               type: array
+     *               items:
+     *                 type: string
+     *             groups:
+     *               type: array
+     *               items:
+     *                 type: string
+     *             raw:
+     *               type: object
+     *             requested:
+     *               type: object
+     *           example:
+     *             id: 32b5af58fdf
+     *             email: jackson@coolstartup.com
+     *             firstName: SAML
+     *             lastName: Jackson
+     *             raw: {
+     *
+     *             }
+     *             requested: {
+     *
+     *             }
+     */
+    userInfo(token: string): Promise<Profile>;
+}