npm - @budibase/worker - Versions diffs - 3.13.28 → 3.14.0 - Mend

@budibase/worker 3.13.28 → 3.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +3 -2
package/src/api/controllers/global/configs.ts +5 -0
package/src/api/routes/global/configs.ts +3 -2
package/src/api/routes/global/tests/oidc-integration.spec.ts +291 -0
package/src/index.ts +9 -3
package/src/tests/utils/oidc.ts +207 -0

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@budibase/worker",
   "email": "hi@budibase.com",
-  "version": "3.13.28",
+  "version": "3.14.0",
   "description": "Budibase background service",
   "main": "src/index.ts",
   "repository": {
@@ -93,6 +93,7 @@
     "rimraf": "3.0.2",
     "superagent": "^10.1.1",
     "supertest": "6.3.3",
+    "testcontainers": "10.16.0",
     "timekeeper": "2.2.0",
     "typescript": "5.7.2"
   },
@@ -114,5 +115,5 @@
       }
     }
   },
-  "gitHead": "de8a462d540b26a2040f4c8059d0a2395234c628"
+  "gitHead": "7ff8f5fc9480931c373b86dd573882841dd290d4"
 }

package/src/api/controllers/global/configs.ts CHANGED Viewed

@@ -236,6 +236,11 @@ async function processGoogleConfig(
 async function processOIDCConfig(config: OIDCConfigs, existing?: OIDCConfigs) {
   await verifySSOConfig(ConfigType.OIDC, config.configs[0])
+  const anyPkceSettings = config.configs.find(cfg => cfg.pkce)
+  if (anyPkceSettings && !(await pro.features.isPkceOidcEnabled())) {
+    throw new Error("License does not allow OIDC PKCE method support")
+  }
   if (existing) {
     for (const c of config.configs) {
       const existingConfig = existing.configs.find(e => e.uuid === c.uuid)

package/src/api/routes/global/configs.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as controller from "../../controllers/global/configs"
 import { auth } from "@budibase/backend-core"
 import Joi from "joi"
-import { ConfigType } from "@budibase/types"
+import { ConfigType, PKCEMethod } from "@budibase/types"
 import { adminRoutes, loggedInRoutes } from "../endpointGroups"
 function smtpValidation() {
@@ -50,7 +50,8 @@ function oidcValidation() {
         name: Joi.string().allow("", null),
         uuid: Joi.string().required(),
         activated: Joi.boolean().required(),
-        scopes: Joi.array().optional()
+        scopes: Joi.array().optional(),
+        pkce: Joi.string().valid(...Object.values(PKCEMethod)).optional()
       })
     ).required()
   }).unknown(true)

package/src/api/routes/global/tests/oidc-integration.spec.ts ADDED Viewed

@@ -0,0 +1,291 @@
+import { TestConfiguration } from "../../../../tests"
+import {
+  getOIDCConfigs,
+  waitForDex,
+  generateCodeVerifier,
+  generateCodeChallenge,
+  buildAuthorizationUrl,
+  exchangeCodeForTokens,
+} from "../../../../tests/utils/oidc"
+import { ConfigType, OIDCInnerConfig, PKCEMethod } from "@budibase/types"
+import { middleware } from "@budibase/backend-core"
+import fetch from "node-fetch"
+import { generator, mocks } from "@budibase/backend-core/tests"
+mocks.licenses.usePkceOidc()
+// Set longer timeout for container startup
+jest.setTimeout(120000)
+describe("OIDC Integration Tests", () => {
+  const config = new TestConfiguration()
+  let oidcConfigs: {
+    noPkce: OIDCInnerConfig
+    withPkce: OIDCInnerConfig
+  }
+  let dexPort: number
+  beforeAll(async () => {
+    await config.beforeAll()
+    dexPort = await waitForDex()
+    oidcConfigs = getOIDCConfigs(dexPort)
+  }, 120000)
+  afterAll(async () => {
+    await config.afterAll()
+  })
+  describe("OIDC Authentication Flow Tests", () => {
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.OIDC)
+    })
+    it("should generate authorization URL without PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+      const state = generator.guid()
+      const nonce = generator.guid()
+      const authUrl = buildAuthorizationUrl({
+        authorizationUrl: strategyConfig.authorizationURL,
+        clientId: strategyConfig.clientID,
+        redirectUri: callbackUrl,
+        state,
+        nonce,
+      })
+      expect(authUrl).toContain(strategyConfig.authorizationURL)
+      expect(authUrl).toContain(`client_id=${strategyConfig.clientID}`)
+      expect(authUrl).toContain(
+        `redirect_uri=${encodeURIComponent(callbackUrl)}`
+      )
+      expect(authUrl).toContain(`state=${state}`)
+      expect(authUrl).toContain(`nonce=${nonce}`)
+      expect(authUrl).toContain("response_type=code")
+      expect(authUrl).toContain("scope=openid+profile+email")
+      expect(authUrl).not.toContain("code_challenge")
+    })
+    it("should generate authorization URL with PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.withPkce,
+        callbackUrl
+      )
+      const state = generator.guid()
+      const nonce = generator.guid()
+      const codeVerifier = generateCodeVerifier()
+      const codeChallenge = generateCodeChallenge(codeVerifier, PKCEMethod.S256)
+      const authUrl = buildAuthorizationUrl({
+        authorizationUrl: strategyConfig.authorizationURL,
+        clientId: strategyConfig.clientID,
+        redirectUri: callbackUrl,
+        state,
+        nonce,
+        pkce: {
+          codeChallenge,
+          codeChallengeMethod: PKCEMethod.S256,
+        },
+      })
+      expect(authUrl).toContain(strategyConfig.authorizationURL)
+      expect(authUrl).toContain(`client_id=${strategyConfig.clientID}`)
+      expect(authUrl).toContain(
+        `redirect_uri=${encodeURIComponent(callbackUrl)}`
+      )
+      expect(authUrl).toContain(`state=${state}`)
+      expect(authUrl).toContain(`nonce=${nonce}`)
+      expect(authUrl).toContain("response_type=code")
+      expect(authUrl).toContain("scope=openid+profile+email")
+      expect(authUrl).toContain(
+        `code_challenge=${encodeURIComponent(codeChallenge)}`
+      )
+      expect(authUrl).toContain("code_challenge_method=S256")
+    })
+    it("should validate well-known OIDC configuration from Dex", async () => {
+      const wellKnownUrl = `http://localhost:${dexPort}/.well-known/openid-configuration`
+      const response = await fetch(wellKnownUrl)
+      expect(response.ok).toBe(true)
+      const config = await response.json()
+      expect(config.issuer).toBe(`http://localhost:${dexPort}`)
+      expect(config.authorization_endpoint).toBe(
+        `http://localhost:${dexPort}/auth`
+      )
+      expect(config.token_endpoint).toBe(`http://localhost:${dexPort}/token`)
+      expect(config.userinfo_endpoint).toBe(
+        `http://localhost:${dexPort}/userinfo`
+      )
+      expect(config.jwks_uri).toBe(`http://localhost:${dexPort}/keys`)
+      expect(config.scopes_supported).toContain("openid")
+      expect(config.response_types_supported).toContain("code")
+      expect(config.code_challenge_methods_supported).toContain("S256")
+      expect(config.code_challenge_methods_supported).toContain("plain")
+    })
+  })
+  describe("PKCE Authentication Tests", () => {
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.OIDC)
+    })
+    it("should generate valid PKCE code verifier", () => {
+      const verifier = generateCodeVerifier()
+      expect(verifier).toBeDefined()
+      expect(typeof verifier).toBe("string")
+      expect(verifier.length).toBeGreaterThan(40)
+      expect(verifier).toMatch(/^[A-Za-z0-9\-._~]+$/)
+      // Should generate different verifiers each time
+      const verifier2 = generateCodeVerifier()
+      expect(verifier).not.toBe(verifier2)
+    })
+    it("should generate valid PKCE code challenge for S256 method", () => {
+      const verifier = generateCodeVerifier()
+      const challenge = generateCodeChallenge(verifier, PKCEMethod.S256)
+      expect(challenge).toBeDefined()
+      expect(typeof challenge).toBe("string")
+      expect(challenge).not.toBe(verifier)
+      expect(challenge.length).toBe(43) // Base64url encoded SHA256 hash length
+      expect(challenge).toMatch(/^[A-Za-z0-9\-_]+$/)
+    })
+    it("should generate valid PKCE code challenge for PLAIN method", () => {
+      const verifier = generateCodeVerifier()
+      const challenge = generateCodeChallenge(verifier, PKCEMethod.PLAIN)
+      expect(challenge).toBeDefined()
+      expect(challenge).toBe(verifier) // PLAIN method returns verifier as-is
+    })
+    it("should reject invalid PKCE method", () => {
+      const verifier = generateCodeVerifier()
+      expect(() => {
+        generateCodeChallenge(verifier, "INVALID" as PKCEMethod)
+      }).toThrow("Unsupported PKCE method: INVALID")
+    })
+    it("should handle token exchange without PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+      // Mock token exchange (since we can't easily get a real auth code in tests)
+      const mockCode = "mock-authorization-code"
+      try {
+        await exchangeCodeForTokens(
+          strategyConfig.tokenURL,
+          strategyConfig.clientID,
+          strategyConfig.clientSecret,
+          mockCode,
+          callbackUrl
+        )
+      } catch (error: any) {
+        // Expect this to fail with mock code, but validate the request structure
+        expect(error.message).toContain("Token exchange failed")
+        expect(error.message).toContain("400") // Bad Request for invalid code
+      }
+    })
+    it("should handle token exchange with PKCE", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.withPkce,
+        callbackUrl
+      )
+      const codeVerifier = generateCodeVerifier()
+      const mockCode = "mock-authorization-code"
+      try {
+        await exchangeCodeForTokens(
+          strategyConfig.tokenURL,
+          strategyConfig.clientID,
+          strategyConfig.clientSecret,
+          mockCode,
+          callbackUrl,
+          codeVerifier
+        )
+      } catch (error: any) {
+        // Expect this to fail with mock code, but validate the request structure
+        expect(error.message).toContain("Token exchange failed")
+        expect(error.message).toContain("400") // Bad Request for invalid code
+      }
+    })
+  })
+  describe("Token Validation Tests", () => {
+    afterEach(async () => {
+      await config.deleteConfig(ConfigType.OIDC)
+    })
+    it("should validate OIDC strategy configuration for token endpoints", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      // Test without PKCE
+      const strategyConfigNoPkce = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+      expect(strategyConfigNoPkce.tokenURL).toBeDefined()
+      expect(strategyConfigNoPkce.userInfoURL).toBeDefined()
+      expect(strategyConfigNoPkce.clientID).toBe("budibase-no-pkce")
+      expect(strategyConfigNoPkce.clientSecret).toBe("test-secret-no-pkce")
+      expect(strategyConfigNoPkce.pkce).toBeUndefined()
+      // Test with PKCE
+      const strategyConfigWithPkce = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.withPkce,
+        callbackUrl
+      )
+      expect(strategyConfigWithPkce.tokenURL).toBeDefined()
+      expect(strategyConfigWithPkce.userInfoURL).toBeDefined()
+      expect(strategyConfigWithPkce.clientID).toBe("budibase-pkce")
+      expect(strategyConfigWithPkce.clientSecret).toBe("test-secret-pkce")
+      expect(strategyConfigWithPkce.pkce).toBe(PKCEMethod.S256)
+    })
+    it("should validate OIDC endpoints are accessible", async () => {
+      const callbackUrl = "http://localhost:4001/api/global/auth/oidc/callback"
+      const strategyConfig = await middleware.oidc.fetchStrategyConfig(
+        oidcConfigs.noPkce,
+        callbackUrl
+      )
+      // Test authorization endpoint
+      const authResponse = await fetch(strategyConfig.authorizationURL, {
+        method: "HEAD",
+      })
+      expect(authResponse.status).toBeLessThan(500) // Should not be server error
+      // Test token endpoint
+      const tokenResponse = await fetch(strategyConfig.tokenURL, {
+        method: "HEAD",
+      })
+      expect(tokenResponse.status).toBeLessThan(500) // Should not be server error
+      // Test userinfo endpoint
+      const userInfoResponse = await fetch(strategyConfig.userInfoURL, {
+        method: "HEAD",
+      })
+      expect(userInfoResponse.status).toBeLessThan(500) // Should not be server error
+    })
+  })
+})

package/src/index.ts CHANGED Viewed

@@ -54,12 +54,18 @@ app.proxy = true
 app.use(handleScimBody)
 app.use(koaBody({ multipart: true }))
+let store: any
 const sessionMiddleware: Middleware = async (ctx: any, next: any) => {
-  const redisClient = await redis.clients.getSessionClient()
+  if (!store) {
+    const redisClient = await redis.clients.getSessionClient()
+    // @ts-expect-error - koa-redis types are weird
+    store = RedisStore({ client: redisClient.client })
+  }
   return koaSession(
     {
-      // @ts-ignore
-      store: new RedisStore({ client: redisClient.client }),
+      store,
       key: "koa:sess",
       maxAge: 86400000, // one day
     },

package/src/tests/utils/oidc.ts ADDED Viewed

@@ -0,0 +1,207 @@
+import { GenericContainer, Wait } from "testcontainers"
+import { testContainerUtils } from "@budibase/backend-core/tests"
+import { OIDCInnerConfig, PKCEMethod } from "@budibase/types"
+import { generator } from "@budibase/backend-core/tests"
+import fetch from "node-fetch"
+import * as crypto from "crypto"
+const DEX_IMAGE = "dexidp/dex:v2.37.0"
+const DEX_PORT = 5556
+let ports: testContainerUtils.Port[]
+export async function getDexContainer(): Promise<testContainerUtils.Port[]> {
+  if (!ports) {
+    // Create the Dex configuration that will work with any port
+    const dexConfig = `
+issuer: http://localhost:${DEX_PORT}
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:${DEX_PORT}
+  allowedOrigins: ['*']
+staticClients:
+  - id: budibase-no-pkce
+    secret: test-secret-no-pkce
+    name: 'Budibase Test (No PKCE)'
+    redirectURIs:
+      - 'http://localhost:4001/api/global/auth/oidc/callback'
+  - id: budibase-pkce
+    secret: test-secret-pkce
+    name: 'Budibase Test (PKCE)'
+    redirectURIs:
+      - 'http://localhost:4001/api/global/auth/oidc/callback'
+enablePasswordDB: true
+staticPasswords:
+  - email: test@budibase.com
+    hash: "$2y$12$6q53Pz1Xey3TZUhupeK1vO2zUk8uQsFnM1nJtrrwAHPIvMNnfwOB6" # "password"
+    username: testuser
+    userID: "1111"
+`
+    const container = new GenericContainer(DEX_IMAGE)
+      // need to lock the port, its important for dex to present its port
+      .withExposedPorts({ container: 5556, host: 5556 })
+      .withCommand(["dex", "serve", "/etc/dex/cfg/config.yaml"])
+      .withCopyContentToContainer([
+        {
+          content: dexConfig,
+          target: "/etc/dex/cfg/config.yaml",
+        },
+      ])
+      .withWaitStrategy(
+        Wait.forLogMessage(
+          "listening (http) on 0.0.0.0:5556"
+        ).withStartupTimeout(60000)
+      )
+    ports = await testContainerUtils.startContainer(container)
+  }
+  return ports
+}
+export interface OIDCTestConfig {
+  noPkce: OIDCInnerConfig
+  withPkce: OIDCInnerConfig
+}
+export function getOIDCConfigs(port: number): OIDCTestConfig {
+  const configUrl = `http://localhost:${port}/.well-known/openid-configuration`
+  const noPkceConfig: OIDCInnerConfig = {
+    configUrl,
+    clientID: "budibase-no-pkce",
+    clientSecret: "test-secret-no-pkce",
+    logo: "",
+    name: "Test OIDC (No PKCE)",
+    uuid: generator.guid(),
+    activated: true,
+    scopes: ["openid", "profile", "email"],
+  }
+  const withPkceConfig: OIDCInnerConfig = {
+    configUrl,
+    clientID: "budibase-pkce",
+    clientSecret: "test-secret-pkce",
+    logo: "",
+    name: "Test OIDC (PKCE)",
+    uuid: generator.guid(),
+    activated: true,
+    scopes: ["openid", "profile", "email"],
+    pkce: PKCEMethod.S256,
+  }
+  return {
+    noPkce: noPkceConfig,
+    withPkce: withPkceConfig,
+  }
+}
+export async function waitForDex(): Promise<number> {
+  const containerPorts = await getDexContainer()
+  const dexPort = containerPorts.find(x => x.container === DEX_PORT)?.host
+  if (!dexPort) {
+    throw new Error("Dex port not found")
+  }
+  const wellKnownUrl = `http://localhost:${dexPort}/.well-known/openid-configuration`
+  const response = await fetch(wellKnownUrl)
+  if (!response.ok) {
+    throw new Error("Unable to fetch well known openid-configuration")
+  }
+  return dexPort
+}
+// PKCE Helper Functions
+export function generateCodeVerifier(): string {
+  return crypto.randomBytes(32).toString("base64url")
+}
+export function generateCodeChallenge(
+  verifier: string,
+  method: PKCEMethod
+): string {
+  if (method === PKCEMethod.PLAIN) {
+    return verifier
+  } else if (method === PKCEMethod.S256) {
+    return crypto.createHash("sha256").update(verifier).digest("base64url")
+  }
+  throw new Error(`Unsupported PKCE method: ${method}`)
+}
+// OIDC Authentication Helper Functions
+export interface AuthorizationUrlParams {
+  authorizationUrl: string
+  clientId: string
+  redirectUri: string
+  state: string
+  nonce: string
+  scopes?: string[]
+  pkce?: {
+    codeChallenge: string
+    codeChallengeMethod: PKCEMethod
+  }
+}
+export function buildAuthorizationUrl(params: AuthorizationUrlParams): string {
+  const url = new URL(params.authorizationUrl)
+  url.searchParams.set("response_type", "code")
+  url.searchParams.set("client_id", params.clientId)
+  url.searchParams.set("redirect_uri", params.redirectUri)
+  url.searchParams.set("state", params.state)
+  url.searchParams.set("nonce", params.nonce)
+  url.searchParams.set(
+    "scope",
+    (params.scopes || ["openid", "profile", "email"]).join(" ")
+  )
+  if (params.pkce) {
+    url.searchParams.set("code_challenge", params.pkce.codeChallenge)
+    url.searchParams.set(
+      "code_challenge_method",
+      params.pkce.codeChallengeMethod
+    )
+  }
+  return url.toString()
+}
+export async function exchangeCodeForTokens(
+  tokenUrl: string,
+  clientId: string,
+  clientSecret: string,
+  code: string,
+  redirectUri: string,
+  codeVerifier?: string
+): Promise<any> {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: clientId,
+    client_secret: clientSecret,
+    code: code,
+    redirect_uri: redirectUri,
+  })
+  if (codeVerifier) {
+    body.set("code_verifier", codeVerifier)
+  }
+  const response = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: body.toString(),
+  })
+  if (!response.ok) {
+    const errorText = await response.text()
+    throw new Error(`Token exchange failed: ${response.status} ${errorText}`)
+  }
+  return response.json()
+}