@flink-app/oidc-plugin 1.0.0

package/dist/OidcInternalContext.d.ts

@@ -0,0 +1,15 @@
+import { FlinkContext } from "@flink-app/flink";
+import { OidcPluginContext } from "./OidcPluginContext";
+import OidcSessionRepo from "./repos/OidcSessionRepo";
+import OidcConnectionRepo from "./repos/OidcConnectionRepo";
+/**
+ * Internal context type for OIDC plugin
+ * Extends the app's context with OIDC-specific repositories
+ */
+export interface OidcInternalContext extends FlinkContext, OidcPluginContext {
+    repos: FlinkContext["repos"] & {
+        oidcSessionRepo: OidcSessionRepo;
+        oidcConnectionRepo: OidcConnectionRepo;
+    };
+}
+//# sourceMappingURL=OidcInternalContext.d.ts.map

package/dist/OidcInternalContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcInternalContext.d.ts","sourceRoot":"","sources":["../src/OidcInternalContext.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,eAAe,MAAM,yBAAyB,CAAC;AACtD,OAAO,kBAAkB,MAAM,4BAA4B,CAAC;AAE5D;;;GAGG;AACH,MAAM,WAAW,mBAAoB,SAAQ,YAAY,EAAE,iBAAiB;IACxE,KAAK,EAAE,YAAY,CAAC,OAAO,CAAC,GAAG;QAC3B,eAAe,EAAE,eAAe,CAAC;QACjC,kBAAkB,EAAE,kBAAkB,CAAC;KAC1C,CAAC;CACL"}

package/dist/OidcInternalContext.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/OidcPlugin.d.ts

@@ -0,0 +1,77 @@
+import { FlinkPlugin } from "@flink-app/flink";
+import { OidcPluginOptions } from "./OidcPluginOptions";
+/**
+ * OIDC Plugin Factory Function
+ *
+ * Creates a Flink plugin for OIDC authentication with generic IdP support.
+ * Integrates with JWT Auth Plugin for token generation.
+ *
+ * @param options - OIDC plugin configuration options
+ * @returns FlinkPlugin instance
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuthPlugin } from '@flink-app/jwt-auth-plugin';
+ * import { oidcPlugin } from '@flink-app/oidc-plugin';
+ *
+ * const app = new FlinkApp({
+ *   auth: jwtAuthPlugin({
+ *     secret: process.env.JWT_SECRET!,
+ *     getUser: async (tokenData) => {
+ *       return ctx.repos.userRepo.getById(tokenData.userId);
+ *     },
+ *     rolePermissions: {
+ *       user: ['read:own'],
+ *       admin: ['read:all', 'write:all']
+ *     }
+ *   }),
+ *
+ *   plugins: [
+ *     oidcPlugin({
+ *       providers: {
+ *         acme: {
+ *           issuer: 'https://idp.acme.com',
+ *           clientId: process.env.OIDC_CLIENT_ID!,
+ *           clientSecret: process.env.OIDC_CLIENT_SECRET!,
+ *           callbackUrl: 'https://myapp.com/oidc/acme/callback',
+ *           discoveryUrl: 'https://idp.acme.com/.well-known/openid-configuration'
+ *         }
+ *       },
+ *       onAuthSuccess: async ({ profile, claims, provider }, ctx) => {
+ *         // Find or create user (JIT provisioning)
+ *         let user = await ctx.repos.userRepo.getOne({
+ *           'oidcConnections.subject': claims.sub,
+ *           'oidcConnections.issuer': claims.iss
+ *         });
+ *
+ *         if (!user) {
+ *           user = await ctx.repos.userRepo.create({
+ *             email: claims.email,
+ *             name: claims.name,
+ *             oidcConnections: [{
+ *               issuer: claims.iss,
+ *               subject: claims.sub,
+ *               provider
+ *             }]
+ *           });
+ *         }
+ *
+ *         // Generate JWT token
+ *         const token = await ctx.plugins.jwtAuth.createToken(
+ *           { userId: user._id, email: user.email },
+ *           ['user']
+ *         );
+ *
+ *         return {
+ *           user,
+ *           token,
+ *           redirectUrl: '/dashboard'
+ *         };
+ *       }
+ *     })
+ *   ]
+ * });
+ * ```
+ */
+export declare function oidcPlugin(options: OidcPluginOptions): FlinkPlugin;
+//# sourceMappingURL=OidcPlugin.d.ts.map

package/dist/OidcPlugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcPlugin.d.ts","sourceRoot":"","sources":["../src/OidcPlugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,WAAW,EAAO,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAWxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CA2MlE"}

package/dist/OidcPlugin.js

@@ -0,0 +1,274 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcPlugin = oidcPlugin;
+const flink_1 = require("@flink-app/flink");
+const OidcSessionRepo_1 = __importDefault(require("./repos/OidcSessionRepo"));
+const OidcConnectionRepo_1 = __importDefault(require("./repos/OidcConnectionRepo"));
+const encryption_utils_1 = require("./utils/encryption-utils");
+const ProviderRegistry_1 = require("./providers/ProviderRegistry");
+const InitiateOidc = __importStar(require("./handlers/InitiateOidc"));
+const CallbackOidc = __importStar(require("./handlers/CallbackOidc"));
+/**
+ * OIDC Plugin Factory Function
+ *
+ * Creates a Flink plugin for OIDC authentication with generic IdP support.
+ * Integrates with JWT Auth Plugin for token generation.
+ *
+ * @param options - OIDC plugin configuration options
+ * @returns FlinkPlugin instance
+ *
+ * @example
+ * ```typescript
+ * import { jwtAuthPlugin } from '@flink-app/jwt-auth-plugin';
+ * import { oidcPlugin } from '@flink-app/oidc-plugin';
+ *
+ * const app = new FlinkApp({
+ *   auth: jwtAuthPlugin({
+ *     secret: process.env.JWT_SECRET!,
+ *     getUser: async (tokenData) => {
+ *       return ctx.repos.userRepo.getById(tokenData.userId);
+ *     },
+ *     rolePermissions: {
+ *       user: ['read:own'],
+ *       admin: ['read:all', 'write:all']
+ *     }
+ *   }),
+ *
+ *   plugins: [
+ *     oidcPlugin({
+ *       providers: {
+ *         acme: {
+ *           issuer: 'https://idp.acme.com',
+ *           clientId: process.env.OIDC_CLIENT_ID!,
+ *           clientSecret: process.env.OIDC_CLIENT_SECRET!,
+ *           callbackUrl: 'https://myapp.com/oidc/acme/callback',
+ *           discoveryUrl: 'https://idp.acme.com/.well-known/openid-configuration'
+ *         }
+ *       },
+ *       onAuthSuccess: async ({ profile, claims, provider }, ctx) => {
+ *         // Find or create user (JIT provisioning)
+ *         let user = await ctx.repos.userRepo.getOne({
+ *           'oidcConnections.subject': claims.sub,
+ *           'oidcConnections.issuer': claims.iss
+ *         });
+ *
+ *         if (!user) {
+ *           user = await ctx.repos.userRepo.create({
+ *             email: claims.email,
+ *             name: claims.name,
+ *             oidcConnections: [{
+ *               issuer: claims.iss,
+ *               subject: claims.sub,
+ *               provider
+ *             }]
+ *           });
+ *         }
+ *
+ *         // Generate JWT token
+ *         const token = await ctx.plugins.jwtAuth.createToken(
+ *           { userId: user._id, email: user.email },
+ *           ['user']
+ *         );
+ *
+ *         return {
+ *           user,
+ *           token,
+ *           redirectUrl: '/dashboard'
+ *         };
+ *       }
+ *     })
+ *   ]
+ * });
+ * ```
+ */
+function oidcPlugin(options) {
+    // Validation
+    if (!options.providers || Object.keys(options.providers).length === 0) {
+        throw new Error("OIDC Plugin: At least one provider must be configured");
+    }
+    // Validate provider configurations
+    const configuredProviders = Object.keys(options.providers);
+    for (const providerName of configuredProviders) {
+        const providerConfig = options.providers[providerName];
+        if (!providerConfig)
+            continue;
+        if (!providerConfig.issuer) {
+            throw new Error(`OIDC Plugin: ${providerName} issuer is required`);
+        }
+        if (!providerConfig.clientId) {
+            throw new Error(`OIDC Plugin: ${providerName} clientId is required`);
+        }
+        if (!providerConfig.clientSecret) {
+            throw new Error(`OIDC Plugin: ${providerName} clientSecret is required`);
+        }
+        if (!providerConfig.callbackUrl) {
+            throw new Error(`OIDC Plugin: ${providerName} callbackUrl is required`);
+        }
+        // Validate that either discoveryUrl or manual endpoints are provided
+        if (!providerConfig.discoveryUrl) {
+            if (!providerConfig.authorizationEndpoint || !providerConfig.tokenEndpoint || !providerConfig.jwksUri) {
+                throw new Error(`OIDC Plugin: ${providerName} must have either discoveryUrl or manual endpoints ` +
+                    `(authorizationEndpoint, tokenEndpoint, jwksUri)`);
+            }
+        }
+    }
+    if (!options.onAuthSuccess) {
+        throw new Error("OIDC Plugin: onAuthSuccess callback is required");
+    }
+    // Determine encryption key
+    let encryptionKey = options.encryptionKey;
+    if (!encryptionKey) {
+        // Derive from first configured provider's client secret
+        const firstProvider = configuredProviders[0];
+        const firstProviderConfig = options.providers[firstProvider];
+        if (firstProviderConfig) {
+            encryptionKey = firstProviderConfig.clientSecret;
+            flink_1.log.warn("OIDC Plugin: No encryption key provided, deriving from client secret. " + "For better security, provide a dedicated encryptionKey in options.");
+        }
+    }
+    if (!encryptionKey || encryptionKey.length < 32) {
+        throw new Error("OIDC Plugin: Encryption key must be at least 32 characters");
+    }
+    // Validate encryption key
+    (0, encryption_utils_1.validateEncryptionSecret)(encryptionKey);
+    let flinkApp;
+    let sessionRepo;
+    let connectionRepo;
+    let providerRegistry;
+    /**
+     * Plugin initialization
+     */
+    async function init(app, db) {
+        flink_1.log.info("Initializing OIDC Plugin...");
+        flinkApp = app;
+        try {
+            if (!db) {
+                throw new Error("OIDC Plugin: Database connection is required");
+            }
+            // Initialize repositories
+            const sessionsCollectionName = options.sessionsCollectionName || "oidc_sessions";
+            const connectionsCollectionName = options.connectionsCollectionName || "oidc_connections";
+            sessionRepo = new OidcSessionRepo_1.default(sessionsCollectionName, db);
+            connectionRepo = new OidcConnectionRepo_1.default(connectionsCollectionName, db);
+            flinkApp.addRepo("oidcSessionRepo", sessionRepo);
+            flinkApp.addRepo("oidcConnectionRepo", connectionRepo);
+            // Create TTL index for session expiration
+            const sessionTTL = options.sessionTTL || 600; // Default 10 minutes
+            await db.collection(sessionsCollectionName).createIndex({ createdAt: 1 }, { expireAfterSeconds: sessionTTL });
+            flink_1.log.info(`OIDC Plugin: Created TTL index on ${sessionsCollectionName} with ${sessionTTL}s expiration`);
+            // Initialize provider registry
+            providerRegistry = new ProviderRegistry_1.ProviderRegistry(options.providers, options.providerLoader);
+            // Store provider registry in app context for handlers to access
+            flinkApp.ctx.oidcProviderRegistry = providerRegistry;
+            // Register OIDC handlers
+            // Only register handlers if registerRoutes is enabled (default: true)
+            if (options.registerRoutes !== false) {
+                flinkApp.addHandler(InitiateOidc);
+                flinkApp.addHandler(CallbackOidc);
+            }
+            flink_1.log.info(`OIDC Plugin initialized with providers: ${configuredProviders.join(", ")}`);
+        }
+        catch (error) {
+            flink_1.log.error("Failed to initialize OIDC Plugin:", error);
+            throw error;
+        }
+    }
+    /**
+     * Get OIDC connection for a user
+     */
+    async function getConnection(userId, provider) {
+        if (!connectionRepo) {
+            throw new Error("OIDC Plugin: Plugin not initialized");
+        }
+        const connection = await connectionRepo.findByUserAndProvider(userId, provider);
+        if (!connection) {
+            return null;
+        }
+        // Decrypt tokens before returning
+        if (connection.accessToken && encryptionKey) {
+            connection.accessToken = (0, encryption_utils_1.decryptToken)(connection.accessToken, encryptionKey);
+        }
+        if (connection.idToken && encryptionKey) {
+            connection.idToken = (0, encryption_utils_1.decryptToken)(connection.idToken, encryptionKey);
+        }
+        if (connection.refreshToken && encryptionKey) {
+            connection.refreshToken = (0, encryption_utils_1.decryptToken)(connection.refreshToken, encryptionKey);
+        }
+        return connection;
+    }
+    /**
+     * Get all OIDC connections for a user
+     */
+    async function getConnections(userId) {
+        if (!connectionRepo) {
+            throw new Error("OIDC Plugin: Plugin not initialized");
+        }
+        const connections = await connectionRepo.findByUserId(userId);
+        // Decrypt tokens in each connection
+        return connections.map((connection) => {
+            if (connection.accessToken && encryptionKey) {
+                connection.accessToken = (0, encryption_utils_1.decryptToken)(connection.accessToken, encryptionKey);
+            }
+            if (connection.idToken && encryptionKey) {
+                connection.idToken = (0, encryption_utils_1.decryptToken)(connection.idToken, encryptionKey);
+            }
+            if (connection.refreshToken && encryptionKey) {
+                connection.refreshToken = (0, encryption_utils_1.decryptToken)(connection.refreshToken, encryptionKey);
+            }
+            return connection;
+        });
+    }
+    /**
+     * Delete OIDC connection for a user
+     */
+    async function deleteConnection(userId, provider) {
+        if (!connectionRepo) {
+            throw new Error("OIDC Plugin: Plugin not initialized");
+        }
+        await connectionRepo.deleteByUserAndProvider(userId, provider);
+        flink_1.log.info(`OIDC Plugin: Deleted ${provider} connection for user ${userId}`);
+    }
+    /**
+     * Plugin context exposed via ctx.plugins.oidc
+     */
+    const pluginCtx = {
+        getConnection,
+        getConnections,
+        deleteConnection,
+        options: Object.freeze({ ...options }),
+    };
+    return {
+        id: "oidc",
+        db: {
+            useHostDb: true,
+        },
+        ctx: pluginCtx,
+        init,
+    };
+}

package/dist/OidcPluginContext.d.ts

@@ -0,0 +1,73 @@
+import OidcConnection from "./schemas/OidcConnection";
+import { OidcPluginOptions } from "./OidcPluginOptions";
+/**
+ * OIDC Plugin context API exposed via ctx.plugins.oidc
+ *
+ * Provides methods to manage OIDC connections for users.
+ */
+export interface OidcPluginContext {
+    oidc: {
+        /**
+         * Get OIDC connection for a user and provider
+         *
+         * Returns the stored OIDC connection with decrypted tokens (if storeTokens enabled).
+         *
+         * @param userId - Application user ID
+         * @param provider - Provider name (e.g., "acme")
+         * @returns OIDC connection or null if not found
+         *
+         * Example:
+         * ```typescript
+         * const connection = await ctx.plugins.oidc.getConnection(user._id, 'acme');
+         * if (connection) {
+         *   console.log('User connected to:', connection.issuer);
+         *   console.log('Subject:', connection.subject);
+         *   if (connection.accessToken) {
+         *     // Use access token to call IdP APIs
+         *   }
+         * }
+         * ```
+         */
+        getConnection: (userId: string, provider: string) => Promise<OidcConnection | null>;
+        /**
+         * Get all OIDC connections for a user
+         *
+         * Returns all IdP connections for the user with decrypted tokens.
+         *
+         * @param userId - Application user ID
+         * @returns Array of OIDC connections
+         *
+         * Example:
+         * ```typescript
+         * const connections = await ctx.plugins.oidc.getConnections(user._id);
+         * console.log('User has', connections.length, 'IdP connections');
+         * connections.forEach(conn => {
+         *   console.log('- Provider:', conn.provider, 'Email:', conn.email);
+         * });
+         * ```
+         */
+        getConnections: (userId: string) => Promise<OidcConnection[]>;
+        /**
+         * Delete/unlink OIDC connection for a user
+         *
+         * Removes the connection between the user and the IdP.
+         * The user will need to re-authenticate with the IdP.
+         *
+         * @param userId - Application user ID
+         * @param provider - Provider name (e.g., "acme")
+         *
+         * Example:
+         * ```typescript
+         * // User wants to disconnect their Acme account
+         * await ctx.plugins.oidc.deleteConnection(user._id, 'acme');
+         * ```
+         */
+        deleteConnection: (userId: string, provider: string) => Promise<void>;
+        /**
+         * Plugin configuration options (read-only)
+         * Useful for checking plugin settings at runtime
+         */
+        options: Readonly<OidcPluginOptions>;
+    };
+}
+//# sourceMappingURL=OidcPluginContext.d.ts.map

package/dist/OidcPluginContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcPluginContext.d.ts","sourceRoot":"","sources":["../src/OidcPluginContext.ts"],"names":[],"mappings":"AAAA,OAAO,cAAc,MAAM,0BAA0B,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAC9B,IAAI,EAAE;QACF;;;;;;;;;;;;;;;;;;;;WAoBG;QACH,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;QAEpF;;;;;;;;;;;;;;;;WAgBG;QACH,cAAc,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;QAE9D;;;;;;;;;;;;;;WAcG;QACH,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAEtE;;;WAGG;QACH,OAAO,EAAE,QAAQ,CAAC,iBAAiB,CAAC,CAAC;KACxC,CAAC;CACL"}

package/dist/OidcPluginContext.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });