@crossauth/fastify 0.0.14 → 0.0.15

package/dist/fastifyoauthclient.d.ts

@@ -182,6 +182,10 @@ export interface FastifyOAuthClientOptions extends OAuthClientOptions {
      * Defaults to empty.
      */
     validFlows?: string[];
+    /**
+     * These token types will be treated as JWT.  Default all of them
+     */
+    jwtTokens?: ("access" | "id" | "refresh")[];
 }
 /**
  * Query type for the `authorize` Fastify request.
@@ -270,6 +274,13 @@ export interface PasswordOobType {
     challenge_type?: string;
     name?: string;
 }
+/**
+ * Query type for the refresh token flow Fastify request.
+ */
+export interface TokensBodyType {
+    decode?: boolean;
+    csrfToken?: string;
+}
 /**
  * The Fastify implementation of the OAuth client.
  *
@@ -331,7 +342,19 @@ export interface PasswordOobType {
  *
  * This pattern avoids you having to store the access token in the frontend.
  *
- * **Endpoints provided by this class**
+ *  **Middleware**
+ *
+ *  This class provides middleware that works with the BFF method.
+ *
+ *  If an ID token is saved in the session and it is valid, the following
+ *  state attributes are set in the request object:
+ *
+ *     - `idPayload` the payload from the ID token
+ *     - `user` a :class:`crossauth_backend.User` object created from the ID
+ *        token
+ *     - `authType` set to `oidc`
+ *
+ *  **Endpoints provided by this class**
  *
  * In addition to the BFF endpoints above, this class provides the following
  * endpoints. The ENDPOINT column values can be overridden in
@@ -359,12 +382,13 @@ export interface PasswordOobType {
  * | POST   | `api/devicecodeflow` | Initiates the device code flow                              | See {@link DeviceCodeBodyType}                      | See {@link DeviceCodeFlowResponse}                        |                          |
  * | POST   | `devicecodepoll`     | Initiates the device code flow                              | See {@link DeviceCodePollBodyType}                  | Authorization complete: See docs for`tokenResponseType`.  Other cases, {@link @crossauth/common!OAuthTokenResponse} |                          |
  * | POST   | `api/devicecodepoll` | Initiates the device code flow                              | See {@link DeviceCodePollBodyType}                  | {@link @crossauth/common!OAuthTokenResponse}              |                          |
- * | POST   | `access_token`      | For BFF mode, returns the saved access token                 |                                                     | *Access token payload*                                    |                          |
- * | POST   | `refresh_token`     | For BFF mode, returns the saved refresh token                |                                                     | `token` containing the refresh token                      |                          |
- * | POST   | `id_token     `     | For BFF mode, returns the saved ID token                     |                                                     | *ID token payload*                                        |                          |
+ * | POST   | `access_token`      | For BFF mode, returns the saved access token                 | `decode`, default `true`                            | *Access token payload*                                    |                          |
+ * | POST   | `refresh_token`     | For BFF mode, returns the saved refresh token                | `decode`, default `true`                            | `token` containing the refresh token                      |                          |
+ * | POST   | `id_token     `     | For BFF mode, returns the saved ID token                     | `decode`, default `true`                            | *ID token payload*                                        |                          |
  * | POST   | `have_access_token` | For BFF mode, returns whether an acccess token is saved      |                                                     | `ok`                                                      |                          |
  * | POST   | `have_refresh_token`| For BFF mode, returns whether a refresh token is saved       |                                                     | `ok`                                                      |                          |
  * | POST   | `have_id_token`     | For BFF mode, returns whether an ID token is saved           |                                                     | `ok`                                                      |                          |
+ * | POST   | `tokens`            | For BFF mode, returns all the saved tokens                   | `decode`, default `true`                            | *Token payloads      *                                    |                          |
  * | POST   | `deletetokens`      | Deletes all BFF tokens and displays a page                   | None                                                | `ok`                                                      | `deleteTokensPage`       |
  * | POST   | `api/deletetokens`  | Delertes all tokens and returns JSON                         | None                                                | `ok`                                                      |                          |
  */
@@ -388,6 +412,9 @@ export declare class FastifyOAuthClient extends OAuthClientBackend {
     private errorFn;
     private loginUrl;
     private validFlows;
+    readonly jwtTokens: string[];
+    private testMiddleware;
+    private requestObj;
     /**
      * See {@link FastifyOAuthClientOptions}
      */
@@ -423,6 +450,7 @@ export declare class FastifyOAuthClient extends OAuthClientBackend {
         expires_at?: number;
         error?: string;
         error_description?: string;
+        id_token?: string;
     } | FastifyReply | undefined>;
     private refreshTokens;
     private deleteTokens;

package/dist/fastifyoauthserver.d.ts

@@ -1,9 +1,27 @@
 import { FastifyInstance } from 'fastify';
 import { Server, IncomingMessage, ServerResponse } from 'http';
 import { OAuthClientStorage, KeyStorage, OAuthAuthorizationServer, Authenticator, OAuthAuthorizationServerOptions, DoubleSubmitCsrfTokenOptions } from '@crossauth/backend';
-import { OpenIdConfiguration } from '@crossauth/common';
+import { OpenIdConfiguration, User } from '@crossauth/common';
 import { FastifyServer } from './fastifyserver';
 
+export interface DevicePageData {
+    authorizationNeeded?: {
+        user: User;
+        client_id: string;
+        client_name: string;
+        scope?: string;
+        scopes?: string[];
+        csrfToken?: string;
+    };
+    completed: boolean;
+    retryAllowed: boolean;
+    user?: User;
+    csrfToken?: string;
+    ok: boolean;
+    error?: string;
+    error_description?: string;
+    user_code?: string;
+}
 /**
  * Options for {@link FastifyAuthorizationServer}
  */

package/dist/fastifyresserver.d.ts

@@ -2,6 +2,7 @@ import { FastifyRequest, FastifyInstance } from 'fastify';
 import { Server, IncomingMessage, ServerResponse } from 'http';
 import { User } from '@crossauth/common';
 import { OAuthResourceServer, UserStorage, OAuthResourceServerOptions, OAuthTokenConsumer } from '@crossauth/backend';
+import { FastifySessionAdapter } from './fastifysessionadapter';
 
 /**
  * Options for {@link FastifyOAuthResourceServer}
@@ -32,6 +33,24 @@ export interface FastifyOAuthResourceServerOptions extends OAuthResourceServerOp
             acceptSessionAuthorization?: boolean;
         };
     };
+    /**
+     * Where access tokens may be found (in this order).
+     *
+     * If this contains `session`, must also provide the session adapter
+     *
+     * Default `header`
+     */
+    tokenLocations?: ("beader" | "session")[];
+    /**
+     * If tokenLocations contains `session`, tokens are keyed on this name.
+     *
+     * Default `oauth`
+     */
+    sessionDataName?: string;
+    /**
+     * If `tokenLocations` contains `session`, must provide a session adapter
+     */
+    sessionAdapter?: FastifySessionAdapter;
 }
 /**
  * OAuth resource server.
@@ -47,11 +66,17 @@ export interface FastifyOAuthResourceServerOptions extends OAuthResourceServerOp
  *
  * If you do set `protectedEndpoints` in
  * {@link FastifyOAuthResourceServer.constructor}
- * then a `preHandler` iscreated.
+ * then a `preHandler` is created.
+ *
+ * **Middleware**
+ *
  * The preHandler
  * hook will set the `accessTokenPayload`, `user` and `scope` fields
  * on the Fastify request object based on the content
  * of the access token in the `Authorization` header if it is valid.
+ * If a user storage is provided,
+ * it will be used to look the user up.  Otherwise a minimal user object
+ * is created.
  * If it is not valid it will set the `authError` and `authErrorDescription`.
  * If the access token is invalid, or there is an error, a 401 or 500
  * response is sent before executing your endpoint code.  As per
@@ -62,10 +87,13 @@ export declare class FastifyOAuthResourceServer extends OAuthResourceServer {
     private userStorage?;
     private protectedEndpoints;
     private errorBody;
+    private sessionDataName;
+    private tokenLocations;
+    private sessionAdapter?;
     /**
      * Constructor
      * @param app the Fastify app
-     * @param tokenConsumers the token consumers, one per issuer
+     * @param tokenConsumers the token consumers, one per issuer and audience
      * @param options See {@link FastifyOAuthResourceServerOptions}
      */
     constructor(app: FastifyInstance<Server, IncomingMessage, ServerResponse>, tokenConsumers: OAuthTokenConsumer[], options?: FastifyOAuthResourceServerOptions);
@@ -90,4 +118,6 @@ export declare class FastifyOAuthResourceServer extends OAuthResourceServer {
         error?: string;
         error_description?: string;
     } | undefined>;
+    private tokenFromHeader;
+    private tokenFromSession;
 }

package/dist/fastifyserver.d.ts

@@ -29,6 +29,12 @@ export interface FastifyServerOptions extends FastifySessionServerOptions, Fasti
     /** If this is passed, it is registered as a Nunjucks view folder with autoscape on */
     views?: string;
     isAdminFn?: (user: User) => boolean;
+    /**
+     * Config for `@fastify/cors`
+     */
+    cors?: {
+        [key: string]: any;
+    };
 }
 /**
  * Type for the function that is called to pass an error back to the user
@@ -42,7 +48,7 @@ export type FastifyErrorFn = (server: FastifyServer, request: FastifyRequest, re
  * This class provides a complete (but without HTML files) auth backend server
  * for Fastify applications
  *
- * If you do not pass an Fastify app to this class, it will create one.
+ * If you do not pass a Fastify app to this class, it will create one.
  * By default, pages are rendered
  * with Nunjucks.  If you prefer another renderer that is compatible with
  * Fastify, create your
@@ -64,7 +70,7 @@ export type FastifyErrorFn = (server: FastifyServer, request: FastifyRequest, re
  * - `sessionServer`   Session cookie management server.  Uses sesion ID
  *                     and CSRF cookies.  See {@link FastifySessionServer}.
  * - `sessionAdapter`  If you want an OAuth client but not want to use
- *                     Fastify's session server, you can provide your own
+ *                     Crossauth's session server, you can provide your own
  *                     with this.  Won't work with auth server.
  * - `oAuthAuthServer` OAuth authorization server.  See
  *                     {@link FastifyAuthorizationServer}
@@ -86,7 +92,7 @@ export type FastifyErrorFn = (server: FastifyServer, request: FastifyRequest, re
  * **Authenticators**
  *
  * One and two factor authentication is supported.  Authentication is provided
- * by classes implementing {@link Authenticator}.  They are passed as an
+ * by classes implementing {@link @crossauth/backend!Authenticator}.  They are passed as an
  * object to this class, keyed on the name that appears in the user record
  * as `factor1` or `factor2`.
  *
@@ -122,6 +128,7 @@ export declare class FastifyServer {
     readonly oAuthResServer?: FastifyOAuthResourceServer;
     /** Config for `@fastify/cors` */
     private cors;
+    private audience;
     /**
      * Integrates fastify session, API key and OAuth servers
      * @param config object with entries as follow:

package/dist/fastifysession.d.ts

@@ -389,7 +389,7 @@ export interface AuthenticatorDetails {
     hasSecrets: boolean;
 }
 /**
- * This class adds user endpoints to the Fastidfy session server.
+ * This class adds user endpoints to the Fastify session server.
  *
  * You shouldn't have create create this directly - it is created by
  * {@link FastifyServer}.
@@ -460,7 +460,7 @@ export interface AuthenticatorDetails {
  * be redirected to the page for entering the second factor.
  *
  * For API endpoints., the response will be
- * `{"ok": true, "factor2Reqiored': true}`.  The user should then make a POST
+ * `{"ok": true, "factor2Required': true}`.  The user should then make a POST
  * request to the same endpoint but with the 2FA field in the body instead
  * of the original request body, eg `{"otp": 123456}`.  If the factor is
  * valid, the JSON data from the original post will be submittd.
@@ -482,6 +482,16 @@ export interface AuthenticatorDetails {
  * If you are serving other endpoints, or you want to use something other than
  * Nunjucks, you can create
  * and pass in your own Fastify app.
+
+ *  **Middleware**
+ *
+ *  This class registers one middleware function to fill in the following
+ *  fields in the request:
+ *
+ *     - `user` a {@link @crossauth/common!User}` object
+ *     - `authType`: set to `cookie` or undefined
+ *     - `csrfToken`: a CSRF token that can be used in POST requests
+ *     - `sessionId` a session ID if one is created
  */
 export declare class FastifySessionServer implements FastifySessionAdapter {
     /**