@emulators/okta 0.4.0 → 0.5.0

package/README.md

@@ -0,0 +1,98 @@
+# @emulators/okta
+
+Okta identity provider emulation with OAuth 2.0 / OIDC, user management, groups, apps, and authorization servers.
+
+Part of [emulate](https://github.com/vercel-labs/emulate) — local drop-in replacement services for CI and no-network sandboxes.
+
+## Install
+
+```bash
+npm install @emulators/okta
+```
+
+## Endpoints
+
+### OAuth / OIDC
+
+Default org server and custom authorization server paths (`/oauth2/:authServerId/...`):
+
+- `GET /.well-known/openid-configuration` — OIDC discovery (default)
+- `GET /oauth2/:authServerId/.well-known/openid-configuration` — per-server discovery
+- `GET /oauth2/v1/keys` — JSON Web Key Set (JWKS)
+- `GET /oauth2/v1/authorize` — authorization endpoint
+- `POST /oauth2/v1/token` — token endpoint
+- `GET /oauth2/v1/userinfo` — user info
+- `POST /oauth2/v1/revoke` — token revocation
+- `POST /oauth2/v1/introspect` — token introspection
+- `GET /oauth2/v1/logout` — end session
+
+### Users
+- `GET /api/v1/users` — list users
+- `POST /api/v1/users` — create user
+- `GET /api/v1/users/me` — current user (from token)
+- `GET /api/v1/users/:userId` — get user
+- `PUT /api/v1/users/:userId` — replace user
+- `POST /api/v1/users/:userId` — partial update
+- `DELETE /api/v1/users/:userId` — delete user
+- `GET /api/v1/users/:userId/groups` — list user groups
+- `POST /api/v1/users/:userId/lifecycle/activate` — activate
+- `POST /api/v1/users/:userId/lifecycle/deactivate` — deactivate
+- `POST /api/v1/users/:userId/lifecycle/suspend` — suspend
+- `POST /api/v1/users/:userId/lifecycle/unsuspend` — unsuspend
+- `POST /api/v1/users/:userId/lifecycle/reactivate` — reactivate
+
+### Groups
+- `GET /api/v1/groups` — list groups
+- `POST /api/v1/groups` — create group
+- `GET /api/v1/groups/:groupId` — get group
+- `PUT /api/v1/groups/:groupId` — update group
+- `DELETE /api/v1/groups/:groupId` — delete group
+- `GET /api/v1/groups/:groupId/users` — list group members
+- `PUT /api/v1/groups/:groupId/users/:userId` — add user to group
+- `DELETE /api/v1/groups/:groupId/users/:userId` — remove user from group
+
+### Apps
+- `GET /api/v1/apps` — list apps
+- `POST /api/v1/apps` — create app
+- `GET /api/v1/apps/:appId` — get app
+- `PUT /api/v1/apps/:appId` — update app
+- `DELETE /api/v1/apps/:appId` — delete app
+- `GET /api/v1/apps/:appId/users` — list assigned users
+- `PUT /api/v1/apps/:appId/users/:userId` — assign user
+- `DELETE /api/v1/apps/:appId/users/:userId` — unassign user
+- `POST /api/v1/apps/:appId/lifecycle/activate` — activate app
+- `POST /api/v1/apps/:appId/lifecycle/deactivate` — deactivate app
+
+### Authorization Servers
+- `GET /api/v1/authorizationServers` — list
+- `POST /api/v1/authorizationServers` — create
+- `GET /api/v1/authorizationServers/:authServerId` — get
+- `PUT /api/v1/authorizationServers/:authServerId` — update
+- `DELETE /api/v1/authorizationServers/:authServerId` — delete
+- `POST /api/v1/authorizationServers/:authServerId/lifecycle/activate` — activate
+- `POST /api/v1/authorizationServers/:authServerId/lifecycle/deactivate` — deactivate
+
+## Seed Configuration
+
+```yaml
+okta:
+  users:
+    - login: testuser@example.com
+      email: testuser@example.com
+      firstName: Test
+      lastName: User
+  groups:
+    - name: Everyone
+      description: All users
+  apps:
+    - name: My App
+      label: My App
+  authorization_servers:
+    - name: default
+      audiences: ["api://default"]
+```
+
+## Links
+
+- [Full documentation](https://emulate.dev)
+- [GitHub](https://github.com/vercel-labs/emulate)

package/dist/index.js

@@ -126,6 +126,7 @@ var FONTS = {
   "geist-sans.woff2": readFileSync(join(__dirname, "fonts", "geist-sans.woff2")),
   "GeistPixel-Square.woff2": readFileSync(join(__dirname, "fonts", "GeistPixel-Square.woff2"))
 };
+var FAVICON = readFileSync(join(__dirname, "fonts", "favicon.ico"));
 function parsePagination(c) {
   const page = Math.max(1, parseInt(c.req.query("page") ?? "1", 10) || 1);
   const per_page = Math.min(100, Math.max(1, parseInt(c.req.query("per_page") ?? "30", 10) || 30));
@@ -303,6 +304,132 @@ body{
 .app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
 .app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
 .empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+
+.inspector-layout{max-width:960px;margin:0 auto;padding:28px 20px;}
+.inspector-tabs{display:flex;gap:4px;margin-bottom:20px;}
+.inspector-tabs a{
+  padding:7px 16px;border-radius:6px;text-decoration:none;
+  font-size:.8125rem;color:#1a8c00;border:1px solid transparent;
+  transition:color .15s,border-color .15s;
+}
+.inspector-tabs a:hover{color:#33ff00;}
+.inspector-tabs a.active{color:#33ff00;font-weight:600;border-color:#0a3300;background:#0a3300;}
+.inspector-section{margin-bottom:24px;}
+.inspector-section h2{
+  font-family:'Geist Pixel',monospace;
+  font-size:1rem;font-weight:600;color:#33ff00;margin-bottom:10px;
+}
+.inspector-section h3{
+  font-family:'Geist Pixel',monospace;
+  font-size:.875rem;font-weight:600;color:#1a8c00;margin:16px 0 8px;
+}
+.inspector-table{width:100%;border-collapse:collapse;margin-bottom:12px;}
+.inspector-table th,.inspector-table td{
+  text-align:left;padding:8px 12px;border-bottom:1px solid #0a3300;
+  font-size:.8125rem;
+}
+.inspector-table th{color:#1a8c00;font-weight:600;font-size:.75rem;text-transform:uppercase;letter-spacing:.04em;}
+.inspector-table td{color:#33ff00;}
+.inspector-table tbody tr{transition:background .1s;}
+.inspector-table tbody tr:hover{background:#0a3300;}
+.inspector-empty{color:#1a8c00;text-align:center;padding:20px 0;font-size:.8125rem;}
+
+.checkout-layout{
+  display:flex;min-height:calc(100vh - 42px);
+}
+.checkout-summary{
+  flex:1;background:#020;padding:48px 40px 48px 10%;
+  display:flex;flex-direction:column;justify-content:center;
+  border-right:1px solid #0a3300;
+}
+.checkout-form-side{
+  flex:1;background:#000;padding:48px 10% 48px 40px;
+  display:flex;flex-direction:column;justify-content:center;
+}
+.checkout-merchant{
+  display:flex;align-items:center;gap:10px;margin-bottom:6px;
+}
+.checkout-merchant-name{
+  font-family:'Geist Pixel',monospace;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-test-badge{
+  font-size:.625rem;font-weight:700;letter-spacing:.04em;text-transform:uppercase;
+  background:#0a3300;color:#1a8c00;padding:2px 8px;border-radius:4px;
+}
+.checkout-total{
+  font-family:'Geist Pixel',monospace;
+  font-size:2rem;font-weight:700;color:#33ff00;margin:8px 0 28px;
+}
+.checkout-line-item{
+  display:flex;align-items:center;gap:14px;padding:14px 0;
+  border-bottom:1px solid #0a3300;
+}
+.checkout-line-item:first-child{border-top:1px solid #0a3300;}
+.checkout-item-icon{
+  width:42px;height:42px;border-radius:6px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;font-size:.875rem;font-weight:700;color:#116600;
+}
+.checkout-item-details{flex:1;min-width:0;}
+.checkout-item-name{font-size:.875rem;font-weight:600;color:#33ff00;}
+.checkout-item-qty{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.checkout-item-price{
+  font-size:.875rem;font-weight:600;color:#33ff00;text-align:right;white-space:nowrap;
+}
+.checkout-item-unit{font-size:.6875rem;color:#1a8c00;text-align:right;margin-top:2px;}
+.checkout-totals{margin-top:20px;}
+.checkout-totals-row{
+  display:flex;justify-content:space-between;padding:6px 0;
+  font-size:.8125rem;color:#1a8c00;
+}
+.checkout-totals-row.total{
+  border-top:1px solid #0a3300;margin-top:8px;padding-top:14px;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-form-section{margin-bottom:24px;}
+.checkout-form-label{
+  font-size:.8125rem;font-weight:600;color:#33ff00;margin-bottom:8px;display:block;
+}
+.checkout-input{
+  width:100%;padding:10px 12px;border:1px solid #0a3300;border-radius:6px;
+  background:#020;color:#33ff00;font:inherit;font-size:.875rem;
+  transition:border-color .15s;outline:none;
+}
+.checkout-input:focus{border-color:#33ff00;}
+.checkout-input::placeholder{color:#116600;}
+.checkout-card-box{
+  border:1px solid #0a3300;border-radius:6px;padding:14px;
+  background:#020;
+}
+.checkout-card-row{
+  display:flex;gap:12px;margin-top:10px;
+}
+.checkout-card-row .checkout-input{flex:1;}
+.checkout-sim-note{
+  font-size:.6875rem;color:#1a8c00;margin-top:10px;text-align:center;
+  font-style:italic;
+}
+.checkout-pay-btn{
+  width:100%;padding:14px;border:none;border-radius:8px;
+  background:#33ff00;color:#000;font:inherit;font-size:.9375rem;font-weight:700;
+  cursor:pointer;transition:background .15s;
+  font-family:'Geist Pixel',monospace;
+}
+.checkout-pay-btn:hover{background:#44ff22;}
+.checkout-cancel{
+  text-align:center;margin-top:14px;
+}
+.checkout-cancel a{
+  color:#1a8c00;text-decoration:none;font-size:.8125rem;
+  transition:color .15s;
+}
+.checkout-cancel a:hover{color:#33ff00;}
+@media(max-width:768px){
+  .checkout-layout{flex-direction:column;}
+  .checkout-summary{padding:32px 20px;border-right:none;border-bottom:1px solid #0a3300;}
+  .checkout-form-side{padding:32px 20px;}
+}
 `;
 var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
 function emuBar(service) {
@@ -322,6 +449,7 @@ function head(title) {
 <head>
 <meta charset="utf-8"/>
 <meta name="viewport" content="width=device-width,initial-scale=1"/>
+<link rel="icon" href="/_emulate/favicon.ico"/>
 <title>${escapeHtml(title)} | emulate</title>
 <style>${CSS}</style>
 </head>`;
@@ -353,6 +481,25 @@ ${emuBar(service)}
 ${POWERED_BY}
 </body></html>`;
 }
+function renderFormPostPage(action, fields, service) {
+  const hiddens = Object.entries(fields).filter(([, v]) => v != null).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("\n");
+  return `${head("Redirecting")}
+<body onload="document.forms[0].submit()">
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner" style="text-align:center">
+    <div class="card-subtitle">Redirecting&hellip;</div>
+    <form method="POST" action="${escapeAttr(action)}">
+${hiddens}
+    <noscript><button type="submit" class="user-btn" style="margin-top:12px;justify-content:center">
+      <span class="user-login">Continue</span>
+    </button></noscript>
+    </form>
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
 function renderUserButton(opts) {
   const hiddens = Object.entries(opts.hiddenFields).map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}"/>`).join("");
   const nameLine = opts.name ? `<div class="user-meta">${escapeHtml(opts.name)}</div>` : "";
@@ -539,7 +686,10 @@ function getOktaStore(store) {
     apps: store.collection("okta.apps", ["okta_id", "name"]),
     oauthClients: store.collection("okta.oauth_clients", ["client_id", "auth_server_id"]),
     authorizationServers: store.collection("okta.auth_servers", ["server_id"]),
-    groupMemberships: store.collection("okta.group_memberships", ["group_okta_id", "user_okta_id"]),
+    groupMemberships: store.collection("okta.group_memberships", [
+      "group_okta_id",
+      "user_okta_id"
+    ]),
     appAssignments: store.collection("okta.app_assignments", ["app_okta_id", "user_okta_id"])
   };
 }
@@ -553,9 +703,7 @@ function appRoutes({ app, store, baseUrl, tokenMap }) {
     const q = (c.req.query("q") ?? "").toLowerCase();
     let apps = oktaStore.apps.all();
     if (q) {
-      apps = apps.filter(
-        (entry) => `${entry.name} ${entry.label}`.toLowerCase().includes(q)
-      );
+      apps = apps.filter((entry) => `${entry.name} ${entry.label}`.toLowerCase().includes(q));
     }
     const { page, per_page } = parsePagination(c);
     const total = apps.length;
@@ -783,9 +931,7 @@ function groupRoutes({ app, store, baseUrl, tokenMap }) {
     const q = (c.req.query("q") ?? "").toLowerCase();
     let groups = oktaStore.groups.all();
     if (q) {
-      groups = groups.filter(
-        (group) => `${group.name} ${group.description ?? ""}`.toLowerCase().includes(q)
-      );
+      groups = groups.filter((group) => `${group.name} ${group.description ?? ""}`.toLowerCase().includes(q));
     }
     const { page, per_page } = parsePagination(c);
     const total = groups.length;
@@ -1091,10 +1237,10 @@ async function createIdToken(oktaStore, user, clientId, nonce, issuer, scope) {
   return new SignJWT(claims).setProtectedHeader({ alg: "RS256", kid: KID, typ: "JWT" }).setIssuer(issuer).setAudience(clientId).setIssuedAt(now).setExpirationTime("1h").sign(privateKey);
 }
 function unauthorizedOAuthError() {
-  return new Response(
-    JSON.stringify({ error: "invalid_token", error_description: "The access token is invalid." }),
-    { status: 401, headers: { "Content-Type": "application/json" } }
-  );
+  return new Response(JSON.stringify({ error: "invalid_token", error_description: "The access token is invalid." }), {
+    status: 401,
+    headers: { "Content-Type": "application/json" }
+  });
 }
 function oauthRoutes({ app, store, baseUrl, tokenMap }) {
   const oktaStore = getOktaStore(store);
@@ -1163,7 +1309,11 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       }
       if (!matchesRedirectUri(redirectUri, client.redirect_uris)) {
         return c.html(
-          renderErrorPage("Redirect URI mismatch", "The redirect_uri is not registered for this application.", SERVICE_LABEL),
+          renderErrorPage(
+            "Redirect URI mismatch",
+            "The redirect_uri is not registered for this application.",
+            SERVICE_LABEL
+          ),
           400
         );
       }
@@ -1171,25 +1321,27 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     }
     const users = oktaStore.users.all();
     const callbackPath = `${buildOAuthBasePath(authServerId)}/authorize/callback`;
-    const buttons = users.map((user) => renderUserButton({
-      letter: (user.login[0] ?? "?").toUpperCase(),
-      login: user.login,
-      name: userDisplayName(user),
-      email: user.email,
-      formAction: callbackPath,
-      hiddenFields: {
-        user_ref: user.okta_id,
-        redirect_uri: redirectUri,
-        scope,
-        state,
-        nonce,
-        client_id: clientId,
-        response_mode: responseMode,
-        code_challenge: codeChallenge,
-        code_challenge_method: codeChallengeMethod,
-        auth_server_id: authServerId
-      }
-    })).join("\n");
+    const buttons = users.map(
+      (user) => renderUserButton({
+        letter: (user.login[0] ?? "?").toUpperCase(),
+        login: user.login,
+        name: userDisplayName(user),
+        email: user.email,
+        formAction: callbackPath,
+        hiddenFields: {
+          user_ref: user.okta_id,
+          redirect_uri: redirectUri,
+          scope,
+          state,
+          nonce,
+          client_id: clientId,
+          response_mode: responseMode,
+          code_challenge: codeChallenge,
+          code_challenge_method: codeChallengeMethod,
+          auth_server_id: authServerId
+        }
+      })
+    ).join("\n");
     const subtitle = clientName ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Okta account.` : "Choose a seeded user to continue.";
     return c.html(
       renderCardPage(
@@ -1223,10 +1375,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     }
     const user = findUserByRef(oktaStore, userRef);
     if (!user) {
-      return c.html(
-        renderErrorPage("Unknown user", "The selected user is not available.", SERVICE_LABEL),
-        400
-      );
+      return c.html(renderErrorPage("Unknown user", "The selected user is not available.", SERVICE_LABEL), 400);
     }
     const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);
     if (configuredClients.length > 0) {
@@ -1239,7 +1388,11 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
       }
       if (!matchesRedirectUri(redirectUri, client.redirect_uris)) {
         return c.html(
-          renderErrorPage("Redirect URI mismatch", "The redirect_uri is not registered for this application.", SERVICE_LABEL),
+          renderErrorPage(
+            "Redirect URI mismatch",
+            "The redirect_uri is not registered for this application.",
+            SERVICE_LABEL
+          ),
           400
         );
       }
@@ -1258,17 +1411,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     });
     debug("okta.oauth", `[callback] code=${code.slice(0, 8)}... user=${user.login} server=${authServerId}`);
     if (responseMode === "form_post") {
-      const html = `<!DOCTYPE html>
-<html>
-<head><title>Submit</title></head>
-<body onload="document.forms[0].submit()">
-<form method="POST" action="${escapeAttr(redirectUri)}">
-<input type="hidden" name="code" value="${escapeAttr(code)}" />
-<input type="hidden" name="state" value="${escapeAttr(state)}" />
-</form>
-</body>
-</html>`;
-      return c.html(html);
+      return c.html(renderFormPostPage(redirectUri, { code, state }, SERVICE_LABEL));
     }
     const url = new URL(redirectUri);
     url.searchParams.set("code", code);
@@ -1276,7 +1419,10 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     return c.redirect(url.toString(), 302);
   };
   app.post("/oauth2/v1/authorize/callback", (c) => handleAuthorizeCallback(c, ORG_AUTH_SERVER_ID));
-  app.post("/oauth2/:authServerId/v1/authorize/callback", (c) => handleAuthorizeCallback(c, c.req.param("authServerId")));
+  app.post(
+    "/oauth2/:authServerId/v1/authorize/callback",
+    (c) => handleAuthorizeCallback(c, c.req.param("authServerId"))
+  );
   const handleToken = async (c, authServerId) => {
     const server = resolveServer(authServerId, baseUrl, oktaStore);
     if (!server) return oktaError(c, 404, "E0000007", `Not found: authorization server '${authServerId}'`);
@@ -1306,7 +1452,10 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         return c.json({ error: "invalid_grant", error_description: "redirect_uri does not match." }, 400);
       }
       if (validatedClient && validatedClient.client_id !== pending.clientId) {
-        return c.json({ error: "invalid_grant", error_description: "Authorization code was not issued to this client." }, 400);
+        return c.json(
+          { error: "invalid_grant", error_description: "Authorization code was not issued to this client." },
+          400
+        );
       }
       if (pending.codeChallenge !== null) {
         if (!codeVerifier) {
@@ -1356,14 +1505,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         id: user.id,
         scopes: parseScope(scope)
       });
-      const idToken = await createIdToken(
-        oktaStore,
-        user,
-        audienceClient,
-        pending.nonce,
-        server.issuer,
-        scope
-      );
+      const idToken = await createIdToken(oktaStore, user, audienceClient, pending.nonce, server.issuer, scope);
       return c.json({
         token_type: "Bearer",
         expires_in: 3600,
@@ -1382,7 +1524,10 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
         return c.json({ error: "invalid_grant", error_description: "Authorization server mismatch." }, 400);
       }
       if (validatedClient && validatedClient.client_id !== existing.clientId) {
-        return c.json({ error: "invalid_grant", error_description: "Refresh token was not issued to this client." }, 400);
+        return c.json(
+          { error: "invalid_grant", error_description: "Refresh token was not issued to this client." },
+          400
+        );
       }
       const user = oktaStore.users.findOneBy("okta_id", existing.userOktaId);
       if (!user) return c.json({ error: "invalid_grant", error_description: "Unknown user." }, 400);
@@ -1552,9 +1697,7 @@ function oauthRoutes({ app, store, baseUrl, tokenMap }) {
     if (!postLogoutRedirectUri) return c.text("Logged out");
     const scopedClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);
     if (scopedClients.length > 0) {
-      const isAllowed = scopedClients.some(
-        (client) => matchesRedirectUri(postLogoutRedirectUri, client.redirect_uris)
-      );
+      const isAllowed = scopedClients.some((client) => matchesRedirectUri(postLogoutRedirectUri, client.redirect_uris));
       if (!isAllowed) return c.text("Invalid post_logout_redirect_uri", 400);
     }
     return c.redirect(postLogoutRedirectUri, 302);
@@ -1678,14 +1821,16 @@ function userRoutes({ app, store, baseUrl, tokenMap }) {
     if (!user) return oktaError(c, 404, "E0000007", "Not found: user");
     const memberships = oktaStore.groupMemberships.findBy("user_okta_id", user.okta_id);
     const groups = memberships.map((membership) => oktaStore.groups.findOneBy("okta_id", membership.group_okta_id)).filter((group) => Boolean(group));
-    return c.json(groups.map((group) => ({
-      id: group.okta_id,
-      profile: {
-        name: group.name,
-        description: group.description
-      },
-      type: group.type
-    })));
+    return c.json(
+      groups.map((group) => ({
+        id: group.okta_id,
+        profile: {
+          name: group.name,
+          description: group.description
+        },
+        type: group.type
+      }))
+    );
   });
   app.post("/api/v1/users/:userId/lifecycle/activate", (c) => {
     const auth = requireManagementAuth(c, tokenMap);
@@ -1833,10 +1978,7 @@ function seedDefaults(store, _baseUrl) {
       client_id: "okta-test-app",
       client_secret: "",
       name: "Sample Public PKCE Client",
-      redirect_uris: [
-        "http://localhost:3000/official-sdk/callback",
-        "http://localhost:3000/official-sdk"
-      ],
+      redirect_uris: ["http://localhost:3000/official-sdk/callback", "http://localhost:3000/official-sdk"],
       response_types: ["code"],
       grant_types: ["authorization_code", "refresh_token"],
       token_endpoint_auth_method: "none",