@budibase/worker 3.13.28 → 3.14.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/worker",
   "email": "hi@budibase.com",
-  "version": "3.13.28",
+  "version": "3.14.0",
   "description": "Budibase background service",
   "main": "src/index.ts",
   "repository": {
@@ -93,6 +93,7 @@
     "rimraf": "3.0.2",
     "superagent": "^10.1.1",
     "supertest": "6.3.3",
+    "testcontainers": "10.16.0",
     "timekeeper": "2.2.0",
     "typescript": "5.7.2"
   },
@@ -114,5 +115,5 @@
       }
     }
   },
-  "gitHead": "de8a462d540b26a2040f4c8059d0a2395234c628"
+  "gitHead": "7ff8f5fc9480931c373b86dd573882841dd290d4"
 }

package/src/api/controllers/global/configs.ts

@@ -236,6 +236,11 @@ async function processGoogleConfig(
 async function processOIDCConfig(config: OIDCConfigs, existing?: OIDCConfigs) {
   await verifySSOConfig(ConfigType.OIDC, config.configs[0])
 
+  const anyPkceSettings = config.configs.find(cfg => cfg.pkce)
+  if (anyPkceSettings && !(await pro.features.isPkceOidcEnabled())) {
+    throw new Error("License does not allow OIDC PKCE method support")
+  }
+
   if (existing) {
     for (const c of config.configs) {
       const existingConfig = existing.configs.find(e => e.uuid === c.uuid)

package/src/api/routes/global/configs.ts

@@ -1,7 +1,7 @@
 import * as controller from "../../controllers/global/configs"
 import { auth } from "@budibase/backend-core"
 import Joi from "joi"
-import { ConfigType } from "@budibase/types"
+import { ConfigType, PKCEMethod } from "@budibase/types"
 import { adminRoutes, loggedInRoutes } from "../endpointGroups"
 
 function smtpValidation() {
@@ -50,7 +50,8 @@ function oidcValidation() {
         name: Joi.string().allow("", null),
         uuid: Joi.string().required(),
         activated: Joi.boolean().required(),
-        scopes: Joi.array().optional()
+        scopes: Joi.array().optional(),
+        pkce: Joi.string().valid(...Object.values(PKCEMethod)).optional()
       })
     ).required()
   }).unknown(true)

package/src/api/routes/global/tests/oidc-integration.spec.ts

@@ -0,0 +1,291 @@
+import { TestConfiguration } from "../../../../tests"
+import {
+  getOIDCConfigs,
+  waitForDex,
+  generateCodeVerifier,
+  generateCodeChallenge,
+  buildAuthorizationUrl,
+  exchangeCodeForTokens,
+} from "../../../../tests/utils/oidc"
+import { ConfigType, OIDCInnerConfig, PKCEMethod } from "@budibase/types"
+import { middleware } from "@budibase/backend-core"
+import fetch from "node-fetch"
+import { generator, mocks } from "@budibase/backend-core/tests"
+
+mocks.licenses.usePkceOidc()
+
+// Set longer timeout for container startup
+jest.setTimeout(120000)
+
+describe("OIDC Integration Tests", () => {
+  const config = new TestConfiguration()
+  let oidcConfigs: {
+    noPkce: OIDCInnerConfig
+    withPkce: OIDCInnerConfig
+  }
+  let dexPort: number
+
+  beforeAll(async () => {
+    await config.beforeAll()
+    dexPort = await waitForDex()
+    oidcConfigs = getOIDCConfigs(dexPort)
+  }, 120000)
+
+  afterAll(async () => {
+    await config.afterAll()
+  })
+
+  describe("OIDC Authentication Flow Tests", () => {
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.OIDC)
+    })
+
+    it("should generate authorization URL without PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+
+      const state = generator.guid()
+      const nonce = generator.guid()
+
+      const authUrl = buildAuthorizationUrl({
+        authorizationUrl: strategyConfig.authorizationURL,
+        clientId: strategyConfig.clientID,
+        redirectUri: callbackUrl,
+        state,
+        nonce,
+      })
+
+      expect(authUrl).toContain(strategyConfig.authorizationURL)
+      expect(authUrl).toContain(`client_id=${strategyConfig.clientID}`)
+      expect(authUrl).toContain(
+        `redirect_uri=${encodeURIComponent(callbackUrl)}`
+      )
+      expect(authUrl).toContain(`state=${state}`)
+      expect(authUrl).toContain(`nonce=${nonce}`)
+      expect(authUrl).toContain("response_type=code")
+      expect(authUrl).toContain("scope=openid+profile+email")
+      expect(authUrl).not.toContain("code_challenge")
+    })
+
+    it("should generate authorization URL with PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.withPkce,
+        callbackUrl
+      )
+
+      const state = generator.guid()
+      const nonce = generator.guid()
+      const codeVerifier = generateCodeVerifier()
+      const codeChallenge = generateCodeChallenge(codeVerifier, PKCEMethod.S256)
+
+      const authUrl = buildAuthorizationUrl({
+        authorizationUrl: strategyConfig.authorizationURL,
+        clientId: strategyConfig.clientID,
+        redirectUri: callbackUrl,
+        state,
+        nonce,
+        pkce: {
+          codeChallenge,
+          codeChallengeMethod: PKCEMethod.S256,
+        },
+      })
+
+      expect(authUrl).toContain(strategyConfig.authorizationURL)
+      expect(authUrl).toContain(`client_id=${strategyConfig.clientID}`)
+      expect(authUrl).toContain(
+        `redirect_uri=${encodeURIComponent(callbackUrl)}`
+      )
+      expect(authUrl).toContain(`state=${state}`)
+      expect(authUrl).toContain(`nonce=${nonce}`)
+      expect(authUrl).toContain("response_type=code")
+      expect(authUrl).toContain("scope=openid+profile+email")
+      expect(authUrl).toContain(
+        `code_challenge=${encodeURIComponent(codeChallenge)}`
+      )
+      expect(authUrl).toContain("code_challenge_method=S256")
+    })
+
+    it("should validate well-known OIDC configuration from Dex", async () => {
+      const wellKnownUrl = `http://localhost:${dexPort}/.well-known/openid-configuration`
+      const response = await fetch(wellKnownUrl)
+
+      expect(response.ok).toBe(true)
+
+      const config = await response.json()
+      expect(config.issuer).toBe(`http://localhost:${dexPort}`)
+      expect(config.authorization_endpoint).toBe(
+        `http://localhost:${dexPort}/auth`
+      )
+      expect(config.token_endpoint).toBe(`http://localhost:${dexPort}/token`)
+      expect(config.userinfo_endpoint).toBe(
+        `http://localhost:${dexPort}/userinfo`
+      )
+      expect(config.jwks_uri).toBe(`http://localhost:${dexPort}/keys`)
+      expect(config.scopes_supported).toContain("openid")
+      expect(config.response_types_supported).toContain("code")
+      expect(config.code_challenge_methods_supported).toContain("S256")
+      expect(config.code_challenge_methods_supported).toContain("plain")
+    })
+  })
+
+  describe("PKCE Authentication Tests", () => {
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.OIDC)
+    })
+
+    it("should generate valid PKCE code verifier", () => {
+      const verifier = generateCodeVerifier()
+
+      expect(verifier).toBeDefined()
+      expect(typeof verifier).toBe("string")
+      expect(verifier.length).toBeGreaterThan(40)
+      expect(verifier).toMatch(/^[A-Za-z0-9\-._~]+$/)
+
+      // Should generate different verifiers each time
+      const verifier2 = generateCodeVerifier()
+      expect(verifier).not.toBe(verifier2)
+    })
+
+    it("should generate valid PKCE code challenge for S256 method", () => {
+      const verifier = generateCodeVerifier()
+      const challenge = generateCodeChallenge(verifier, PKCEMethod.S256)
+
+      expect(challenge).toBeDefined()
+      expect(typeof challenge).toBe("string")
+      expect(challenge).not.toBe(verifier)
+      expect(challenge.length).toBe(43) // Base64url encoded SHA256 hash length
+      expect(challenge).toMatch(/^[A-Za-z0-9\-_]+$/)
+    })
+
+    it("should generate valid PKCE code challenge for PLAIN method", () => {
+      const verifier = generateCodeVerifier()
+      const challenge = generateCodeChallenge(verifier, PKCEMethod.PLAIN)
+
+      expect(challenge).toBeDefined()
+      expect(challenge).toBe(verifier) // PLAIN method returns verifier as-is
+    })
+
+    it("should reject invalid PKCE method", () => {
+      const verifier = generateCodeVerifier()
+
+      expect(() => {
+        generateCodeChallenge(verifier, "INVALID" as PKCEMethod)
+      }).toThrow("Unsupported PKCE method: INVALID")
+    })
+
+    it("should handle token exchange without PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+
+      // Mock token exchange (since we can't easily get a real auth code in tests)
+      const mockCode = "mock-authorization-code"
+
+      try {
+        await exchangeCodeForTokens(
+          strategyConfig.tokenURL,
+          strategyConfig.clientID,
+          strategyConfig.clientSecret,
+          mockCode,
+          callbackUrl
+        )
+      } catch (error: any) {
+        // Expect this to fail with mock code, but validate the request structure
+        expect(error.message).toContain("Token exchange failed")
+        expect(error.message).toContain("400") // Bad Request for invalid code
+      }
+    })
+
+    it("should handle token exchange with PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.withPkce,
+        callbackUrl
+      )
+
+      const codeVerifier = generateCodeVerifier()
+      const mockCode = "mock-authorization-code"
+
+      try {
+        await exchangeCodeForTokens(
+          strategyConfig.tokenURL,
+          strategyConfig.clientID,
+          strategyConfig.clientSecret,
+          mockCode,
+          callbackUrl,
+          codeVerifier
+        )
+      } catch (error: any) {
+        // Expect this to fail with mock code, but validate the request structure
+        expect(error.message).toContain("Token exchange failed")
+        expect(error.message).toContain("400") // Bad Request for invalid code
+      }
+    })
+  })
+
+  describe("Token Validation Tests", () => {
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.OIDC)
+    })
+
+    it("should validate OIDC strategy configuration for token endpoints", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+
+      // Test without PKCE
+      const strategyConfigNoPkce = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+
+      expect(strategyConfigNoPkce.tokenURL).toBeDefined()
+      expect(strategyConfigNoPkce.userInfoURL).toBeDefined()
+      expect(strategyConfigNoPkce.clientID).toBe("budibase-no-pkce")
+      expect(strategyConfigNoPkce.clientSecret).toBe("test-secret-no-pkce")
+      expect(strategyConfigNoPkce.pkce).toBeUndefined()
+
+      // Test with PKCE
+      const strategyConfigWithPkce = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.withPkce,
+        callbackUrl
+      )
+
+      expect(strategyConfigWithPkce.tokenURL).toBeDefined()
+      expect(strategyConfigWithPkce.userInfoURL).toBeDefined()
+      expect(strategyConfigWithPkce.clientID).toBe("budibase-pkce")
+      expect(strategyConfigWithPkce.clientSecret).toBe("test-secret-pkce")
+      expect(strategyConfigWithPkce.pkce).toBe(PKCEMethod.S256)
+    })
+
+    it("should validate OIDC endpoints are accessible", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+
+      // Test authorization endpoint
+      const authResponse = await fetch(strategyConfig.authorizationURL, {
+        method: "HEAD",
+      })
+      expect(authResponse.status).toBeLessThan(500) // Should not be server error
+
+      // Test token endpoint
+      const tokenResponse = await fetch(strategyConfig.tokenURL, {
+        method: "HEAD",
+      })
+      expect(tokenResponse.status).toBeLessThan(500) // Should not be server error
+
+      // Test userinfo endpoint
+      const userInfoResponse = await fetch(strategyConfig.userInfoURL, {
+        method: "HEAD",
+      })
+      expect(userInfoResponse.status).toBeLessThan(500) // Should not be server error
+    })
+  })
+})

package/src/index.ts

@@ -54,12 +54,18 @@ app.proxy = true
 app.use(handleScimBody)
 app.use(koaBody({ multipart: true }))
 
+let store: any
+
 const sessionMiddleware: Middleware = async (ctx: any, next: any) => {
-  const redisClient = await redis.clients.getSessionClient()
+  if (!store) {
+    const redisClient = await redis.clients.getSessionClient()
+    // @ts-expect-error - koa-redis types are weird
+    store = RedisStore({ client: redisClient.client })
+  }
+
   return koaSession(
     {
-      // @ts-ignore
-      store: new RedisStore({ client: redisClient.client }),
+      store,
       key: "koa:sess",
       maxAge: 86400000, // one day
     },

package/src/tests/utils/oidc.ts

@@ -0,0 +1,207 @@
+import { GenericContainer, Wait } from "testcontainers"
+import { testContainerUtils } from "@budibase/backend-core/tests"
+import { OIDCInnerConfig, PKCEMethod } from "@budibase/types"
+import { generator } from "@budibase/backend-core/tests"
+import fetch from "node-fetch"
+import * as crypto from "crypto"
+
+const DEX_IMAGE = "dexidp/dex:v2.37.0"
+const DEX_PORT = 5556
+
+let ports: testContainerUtils.Port[]
+
+export async function getDexContainer(): Promise<testContainerUtils.Port[]> {
+  if (!ports) {
+    // Create the Dex configuration that will work with any port
+    const dexConfig = `
+issuer: http://localhost:${DEX_PORT}
+
+storage:
+  type: memory
+
+web:
+  http: 0.0.0.0:${DEX_PORT}
+  allowedOrigins: ['*']
+
+staticClients:
+  - id: budibase-no-pkce
+    secret: test-secret-no-pkce
+    name: 'Budibase Test (No PKCE)'
+    redirectURIs:
+      - 'http://localhost:4001/api/global/auth/oidc/callback'
+  - id: budibase-pkce
+    secret: test-secret-pkce
+    name: 'Budibase Test (PKCE)'
+    redirectURIs:
+      - 'http://localhost:4001/api/global/auth/oidc/callback'
+
+enablePasswordDB: true
+
+staticPasswords:
+  - email: test@budibase.com
+    hash: "$2y$12$6q53Pz1Xey3TZUhupeK1vO2zUk8uQsFnM1nJtrrwAHPIvMNnfwOB6" # "password"
+    username: testuser
+    userID: "1111"
+`
+
+    const container = new GenericContainer(DEX_IMAGE)
+      // need to lock the port, its important for dex to present its port
+      .withExposedPorts({ container: 5556, host: 5556 })
+      .withCommand(["dex", "serve", "/etc/dex/cfg/config.yaml"])
+      .withCopyContentToContainer([
+        {
+          content: dexConfig,
+          target: "/etc/dex/cfg/config.yaml",
+        },
+      ])
+      .withWaitStrategy(
+        Wait.forLogMessage(
+          "listening (http) on 0.0.0.0:5556"
+        ).withStartupTimeout(60000)
+      )
+    ports = await testContainerUtils.startContainer(container)
+  }
+
+  return ports
+}
+
+export interface OIDCTestConfig {
+  noPkce: OIDCInnerConfig
+  withPkce: OIDCInnerConfig
+}
+
+export function getOIDCConfigs(port: number): OIDCTestConfig {
+  const configUrl = `http://localhost:${port}/.well-known/openid-configuration`
+  const noPkceConfig: OIDCInnerConfig = {
+    configUrl,
+    clientID: "budibase-no-pkce",
+    clientSecret: "test-secret-no-pkce",
+    logo: "",
+    name: "Test OIDC (No PKCE)",
+    uuid: generator.guid(),
+    activated: true,
+    scopes: ["openid", "profile", "email"],
+  }
+
+  const withPkceConfig: OIDCInnerConfig = {
+    configUrl,
+    clientID: "budibase-pkce",
+    clientSecret: "test-secret-pkce",
+    logo: "",
+    name: "Test OIDC (PKCE)",
+    uuid: generator.guid(),
+    activated: true,
+    scopes: ["openid", "profile", "email"],
+    pkce: PKCEMethod.S256,
+  }
+
+  return {
+    noPkce: noPkceConfig,
+    withPkce: withPkceConfig,
+  }
+}
+
+export async function waitForDex(): Promise<number> {
+  const containerPorts = await getDexContainer()
+  const dexPort = containerPorts.find(x => x.container === DEX_PORT)?.host
+  if (!dexPort) {
+    throw new Error("Dex port not found")
+  }
+  const wellKnownUrl = `http://localhost:${dexPort}/.well-known/openid-configuration`
+  const response = await fetch(wellKnownUrl)
+
+  if (!response.ok) {
+    throw new Error("Unable to fetch well known openid-configuration")
+  }
+  return dexPort
+}
+
+// PKCE Helper Functions
+export function generateCodeVerifier(): string {
+  return crypto.randomBytes(32).toString("base64url")
+}
+
+export function generateCodeChallenge(
+  verifier: string,
+  method: PKCEMethod
+): string {
+  if (method === PKCEMethod.PLAIN) {
+    return verifier
+  } else if (method === PKCEMethod.S256) {
+    return crypto.createHash("sha256").update(verifier).digest("base64url")
+  }
+  throw new Error(`Unsupported PKCE method: ${method}`)
+}
+
+// OIDC Authentication Helper Functions
+export interface AuthorizationUrlParams {
+  authorizationUrl: string
+  clientId: string
+  redirectUri: string
+  state: string
+  nonce: string
+  scopes?: string[]
+  pkce?: {
+    codeChallenge: string
+    codeChallengeMethod: PKCEMethod
+  }
+}
+
+export function buildAuthorizationUrl(params: AuthorizationUrlParams): string {
+  const url = new URL(params.authorizationUrl)
+  url.searchParams.set("response_type", "code")
+  url.searchParams.set("client_id", params.clientId)
+  url.searchParams.set("redirect_uri", params.redirectUri)
+  url.searchParams.set("state", params.state)
+  url.searchParams.set("nonce", params.nonce)
+  url.searchParams.set(
+    "scope",
+    (params.scopes || ["openid", "profile", "email"]).join(" ")
+  )
+
+  if (params.pkce) {
+    url.searchParams.set("code_challenge", params.pkce.codeChallenge)
+    url.searchParams.set(
+      "code_challenge_method",
+      params.pkce.codeChallengeMethod
+    )
+  }
+
+  return url.toString()
+}
+
+export async function exchangeCodeForTokens(
+  tokenUrl: string,
+  clientId: string,
+  clientSecret: string,
+  code: string,
+  redirectUri: string,
+  codeVerifier?: string
+): Promise<any> {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: clientId,
+    client_secret: clientSecret,
+    code: code,
+    redirect_uri: redirectUri,
+  })
+
+  if (codeVerifier) {
+    body.set("code_verifier", codeVerifier)
+  }
+
+  const response = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: body.toString(),
+  })
+
+  if (!response.ok) {
+    const errorText = await response.text()
+    throw new Error(`Token exchange failed: ${response.status} ${errorText}`)
+  }
+
+  return response.json()
+}