@happyvertical/auth 0.74.8

package/dist/chunks/kanidm-hkw-YPVF.js

@@ -0,0 +1,747 @@
+import { ConfigurationError, NetworkError, InvalidCredentialsError, AccessDeniedError, InvalidGrantError, InvalidClientError, UserNotFoundError, ProviderError, UserAlreadyExistsError, NotImplementedError, InvalidNonceError, TokenExpiredError, InvalidTokenError } from "../index.js";
+import { c as createRemoteJWKSet, d as decodeJwt, j as jwtVerify, J as JWTExpired, a as JWTClaimValidationFailed, b as JWSSignatureVerificationFailed } from "./decode_jwt-D2OK1b8a.js";
+function generateRandomString(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join(
+    ""
+  );
+}
+async function generatePKCE() {
+  const verifier = generateRandomString(32);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  const challenge = btoa(String.fromCharCode(...new Uint8Array(hash))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  return { verifier, challenge };
+}
+class KanidmProvider {
+  options;
+  discoveryDocument = null;
+  jwks = null;
+  adminToken = null;
+  adminTokenExpiry = 0;
+  constructor(options) {
+    if (!options.serverUrl) {
+      throw new ConfigurationError("serverUrl is required", "kanidm");
+    }
+    if (!options.clientId) {
+      throw new ConfigurationError("clientId is required", "kanidm");
+    }
+    this.options = {
+      usePKCE: true,
+      // Required by Kanidm
+      verifySsl: true,
+      scopes: ["openid", "profile", "email", "groups"],
+      timeout: 3e4,
+      maxRetries: 3,
+      ...options
+    };
+  }
+  // ---------------------------------------------------------------------------
+  // INTERNAL HELPERS
+  // ---------------------------------------------------------------------------
+  /**
+   * Get the OIDC base URL for this client.
+   * Kanidm uses client-specific OIDC endpoints.
+   */
+  getOidcBaseUrl() {
+    return `${this.options.serverUrl}/oauth2/openid/${this.options.clientId}`;
+  }
+  /**
+   * Get the native API base URL.
+   */
+  getApiBaseUrl() {
+    return `${this.options.serverUrl}/v1`;
+  }
+  /**
+   * Make an HTTP request with error handling.
+   */
+  async request(url, options = {}, token) {
+    const headers = {
+      "Content-Type": "application/json",
+      ...this.options.headers,
+      ...options.headers
+    };
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    try {
+      const response = await fetch(url, {
+        ...options,
+        headers,
+        signal: AbortSignal.timeout(this.options.timeout || 3e4)
+      });
+      if (!response.ok) {
+        const errorBody = await response.text().catch(() => "");
+        let errorData = {};
+        try {
+          errorData = JSON.parse(errorBody);
+        } catch {
+        }
+        this.handleHttpError(response.status, errorData, errorBody);
+      }
+      const text = await response.text();
+      if (!text) return {};
+      return JSON.parse(text);
+    } catch (error) {
+      if (error instanceof Error && error.name === "TimeoutError") {
+        throw new NetworkError("Request timed out", "kanidm", error);
+      }
+      if (error instanceof InvalidCredentialsError || error instanceof AccessDeniedError || error instanceof InvalidGrantError || error instanceof InvalidClientError || error instanceof UserNotFoundError || error instanceof ProviderError) {
+        throw error;
+      }
+      throw new NetworkError(
+        `Network error: ${error instanceof Error ? error.message : "Unknown error"}`,
+        "kanidm",
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  /**
+   * Handle HTTP error responses.
+   */
+  handleHttpError(status, data, rawBody) {
+    const error = data.error;
+    const errorDescription = data.message || data.error_description || data.errorMessage || rawBody;
+    switch (status) {
+      case 400:
+        if (error === "invalid_grant") {
+          throw new InvalidGrantError(errorDescription, "kanidm");
+        }
+        if (error === "invalid_client") {
+          throw new InvalidClientError("kanidm");
+        }
+        throw new ProviderError(`Bad request: ${errorDescription}`, "kanidm");
+      case 401:
+        throw new InvalidCredentialsError("kanidm");
+      case 403:
+        throw new AccessDeniedError(errorDescription, "kanidm");
+      case 404:
+        throw new UserNotFoundError(void 0, "kanidm");
+      case 409:
+        throw new UserAlreadyExistsError(void 0, "kanidm");
+      default:
+        throw new ProviderError(
+          `Kanidm error (${status}): ${errorDescription}`,
+          "kanidm"
+        );
+    }
+  }
+  /**
+   * Fetch and cache the OIDC discovery document.
+   */
+  async fetchDiscoveryDocument() {
+    if (this.discoveryDocument) {
+      return this.discoveryDocument;
+    }
+    const url = `${this.getOidcBaseUrl()}/.well-known/openid-configuration`;
+    this.discoveryDocument = await this.request(url);
+    return this.discoveryDocument;
+  }
+  /**
+   * Get JWKS for token validation.
+   */
+  async getJWKS() {
+    if (this.jwks) {
+      return this.jwks;
+    }
+    const discovery = await this.fetchDiscoveryDocument();
+    this.jwks = createRemoteJWKSet(new URL(discovery.jwks_uri));
+    return this.jwks;
+  }
+  /**
+   * Authenticate with Kanidm's native API to get an admin token.
+   * Uses the multi-step authentication flow.
+   */
+  async getAdminToken() {
+    if (this.adminToken && Date.now() < this.adminTokenExpiry) {
+      return this.adminToken;
+    }
+    if (!this.options.adminUsername || !this.options.adminPassword) {
+      throw new ConfigurationError(
+        "adminUsername and adminPassword are required for admin operations",
+        "kanidm"
+      );
+    }
+    const authUrl = `${this.getApiBaseUrl()}/auth`;
+    const initResponse = await fetch(authUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        step: {
+          init2: {
+            username: this.options.adminUsername,
+            issue: "token",
+            privileged: true
+          }
+        }
+      }),
+      signal: AbortSignal.timeout(this.options.timeout || 3e4)
+    });
+    if (!initResponse.ok) {
+      throw new InvalidCredentialsError("kanidm", {
+        reason: "Failed to initialize admin authentication"
+      });
+    }
+    const cookies = initResponse.headers.get("set-cookie");
+    const beginResponse = await fetch(authUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...cookies ? { Cookie: cookies } : {}
+      },
+      body: JSON.stringify({
+        step: {
+          begin: "password"
+        }
+      }),
+      signal: AbortSignal.timeout(this.options.timeout || 3e4)
+    });
+    if (!beginResponse.ok) {
+      throw new InvalidCredentialsError("kanidm", {
+        reason: "Failed to begin password authentication"
+      });
+    }
+    const credResponse = await fetch(authUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...cookies ? { Cookie: cookies } : {}
+      },
+      body: JSON.stringify({
+        step: {
+          cred: {
+            password: this.options.adminPassword
+          }
+        }
+      }),
+      signal: AbortSignal.timeout(this.options.timeout || 3e4)
+    });
+    if (!credResponse.ok) {
+      throw new InvalidCredentialsError("kanidm", {
+        reason: "Invalid admin credentials"
+      });
+    }
+    const result = await credResponse.json();
+    const token = result.state?.success || result.token;
+    if (!token) {
+      throw new ProviderError(
+        "Failed to obtain admin token from Kanidm",
+        "kanidm"
+      );
+    }
+    this.adminToken = token;
+    this.adminTokenExpiry = Date.now() + 36e5;
+    return this.adminToken;
+  }
+  // ---------------------------------------------------------------------------
+  // AUTHENTICATION FLOWS
+  // ---------------------------------------------------------------------------
+  async getAuthorizationUrl(options) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const state = options?.state || generateRandomString();
+    const nonce = options?.nonce || generateRandomString();
+    const scopes = options?.scopes || this.options.scopes || ["openid", "profile", "email", "groups"];
+    const redirectUri = options?.redirectUri || this.options.redirectUri;
+    if (!redirectUri) {
+      throw new ConfigurationError("redirectUri is required", "kanidm");
+    }
+    const params = new URLSearchParams({
+      client_id: this.options.clientId,
+      redirect_uri: redirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      nonce
+    });
+    if (options?.prompt) {
+      params.set("prompt", options.prompt);
+    }
+    if (options?.loginHint) {
+      params.set("login_hint", options.loginHint);
+    }
+    if (options?.extraParams) {
+      for (const [key, value] of Object.entries(options.extraParams)) {
+        params.set(key, value);
+      }
+    }
+    const pkce = await generatePKCE();
+    params.set("code_challenge", pkce.challenge);
+    params.set("code_challenge_method", "S256");
+    const url = `${discovery.authorization_endpoint}?${params.toString()}`;
+    return {
+      url,
+      state,
+      nonce,
+      codeVerifier: pkce.verifier
+    };
+  }
+  async exchangeCode(params) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const redirectUri = params.redirectUri || this.options.redirectUri;
+    if (!redirectUri) {
+      throw new ConfigurationError("redirectUri is required", "kanidm");
+    }
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: this.options.clientId,
+      code: params.code,
+      redirect_uri: redirectUri
+    });
+    if (this.options.clientSecret) {
+      body.set("client_secret", this.options.clientSecret);
+    }
+    if (params.codeVerifier) {
+      body.set("code_verifier", params.codeVerifier);
+    }
+    const response = await this.request(discovery.token_endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    let userId = "";
+    if (response.id_token) {
+      const payload = decodeJwt(response.id_token);
+      userId = payload.sub || "";
+    }
+    return {
+      accessToken: response.access_token,
+      tokenType: response.token_type || "Bearer",
+      expiresIn: response.expires_in,
+      refreshToken: response.refresh_token,
+      idToken: response.id_token,
+      scope: response.scope,
+      userId
+    };
+  }
+  async authenticate(_credentials) {
+    throw new NotImplementedError("authenticate", "kanidm", {
+      reason: "Kanidm only supports authorization code flow. Use getAuthorizationUrl() and exchangeCode() instead."
+    });
+  }
+  async refresh(refreshToken) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const body = new URLSearchParams({
+      grant_type: "refresh_token",
+      client_id: this.options.clientId,
+      refresh_token: refreshToken
+    });
+    if (this.options.clientSecret) {
+      body.set("client_secret", this.options.clientSecret);
+    }
+    const response = await this.request(discovery.token_endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    let userId = "";
+    if (response.access_token) {
+      const payload = decodeJwt(response.access_token);
+      userId = payload.sub || "";
+    }
+    return {
+      accessToken: response.access_token,
+      tokenType: response.token_type || "Bearer",
+      expiresIn: response.expires_in,
+      refreshToken: response.refresh_token || refreshToken,
+      idToken: response.id_token,
+      scope: response.scope,
+      userId
+    };
+  }
+  async logout(options) {
+    const discovery = await this.fetchDiscoveryDocument();
+    if (options?.refreshToken && discovery.revocation_endpoint) {
+      const body = new URLSearchParams({
+        client_id: this.options.clientId,
+        token: options.refreshToken,
+        token_type_hint: "refresh_token"
+      });
+      if (this.options.clientSecret) {
+        body.set("client_secret", this.options.clientSecret);
+      }
+      try {
+        await this.request(discovery.revocation_endpoint, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: body.toString()
+        });
+      } catch {
+      }
+    }
+    if (options?.token && discovery.revocation_endpoint) {
+      const body = new URLSearchParams({
+        client_id: this.options.clientId,
+        token: options.token,
+        token_type_hint: "access_token"
+      });
+      if (this.options.clientSecret) {
+        body.set("client_secret", this.options.clientSecret);
+      }
+      try {
+        await this.request(discovery.revocation_endpoint, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: body.toString()
+        });
+      } catch {
+      }
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // TOKEN OPERATIONS
+  // ---------------------------------------------------------------------------
+  async validateToken(token, options) {
+    try {
+      const jwks = await this.getJWKS();
+      const discovery = await this.fetchDiscoveryDocument();
+      const verifyOptions = {
+        issuer: options?.issuer || discovery.issuer,
+        clockTolerance: options?.clockTolerance || 0
+      };
+      if (options?.audience) {
+        verifyOptions.audience = options.audience;
+      }
+      const { payload } = await jwtVerify(token, jwks, verifyOptions);
+      if (options?.nonce && payload.nonce !== options.nonce) {
+        throw new InvalidNonceError("kanidm");
+      }
+      const groups = payload.groups || [];
+      return {
+        sub: payload.sub || "",
+        iss: payload.iss || "",
+        aud: payload.aud || "",
+        exp: payload.exp || 0,
+        iat: payload.iat || 0,
+        nbf: payload.nbf,
+        azp: payload.azp,
+        email: payload.email,
+        email_verified: payload.email_verified,
+        preferred_username: payload.preferred_username,
+        name: payload.name,
+        roles: groups,
+        // Map groups to roles for consistency
+        ...payload
+      };
+    } catch (error) {
+      if (error instanceof JWTExpired) {
+        throw new TokenExpiredError("kanidm");
+      }
+      if (error instanceof JWTClaimValidationFailed) {
+        return null;
+      }
+      if (error instanceof JWSSignatureVerificationFailed) {
+        throw new InvalidTokenError("Invalid token signature", "kanidm");
+      }
+      if (error instanceof InvalidNonceError) {
+        throw error;
+      }
+      return null;
+    }
+  }
+  decodeToken(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throw new InvalidTokenError("Invalid JWT format", "kanidm");
+      }
+      const header = JSON.parse(atob(parts[0]));
+      const payload = decodeJwt(token);
+      return {
+        header: {
+          alg: header.alg,
+          typ: header.typ,
+          kid: header.kid
+        },
+        payload,
+        signature: parts[2]
+      };
+    } catch {
+      throw new InvalidTokenError("Failed to decode token", "kanidm");
+    }
+  }
+  async introspectToken(token) {
+    const discovery = await this.fetchDiscoveryDocument();
+    if (!discovery.introspection_endpoint) {
+      const claims = await this.validateToken(token);
+      return {
+        active: claims !== null,
+        claims: claims || void 0
+      };
+    }
+    const body = new URLSearchParams({
+      client_id: this.options.clientId,
+      token
+    });
+    if (this.options.clientSecret) {
+      body.set("client_secret", this.options.clientSecret);
+    }
+    const response = await this.request(discovery.introspection_endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.active) {
+      return { active: false };
+    }
+    return {
+      active: true,
+      claims: {
+        sub: response.sub || "",
+        iss: response.iss || "",
+        aud: response.aud || "",
+        exp: response.exp || 0,
+        iat: response.iat || 0,
+        ...response
+      },
+      tokenType: response.token_type,
+      clientId: response.client_id,
+      scope: response.scope
+    };
+  }
+  // ---------------------------------------------------------------------------
+  // USER OPERATIONS
+  // ---------------------------------------------------------------------------
+  async getProfile(tokenOrSession) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const response = await this.request(discovery.userinfo_endpoint, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${tokenOrSession}` }
+    });
+    return {
+      id: response.sub,
+      username: response.preferred_username,
+      email: response.email,
+      emailVerified: response.email_verified,
+      firstName: response.given_name,
+      lastName: response.family_name,
+      displayName: response.name,
+      picture: response.picture,
+      groups: response.groups
+    };
+  }
+  async updateProfile(_tokenOrSession, _profile) {
+    throw new NotImplementedError("updateProfile", "kanidm", {
+      reason: "Profile updates are not supported via OAuth2. Use admin API with createUser/updateUser."
+    });
+  }
+  async getUser(userId, _adminToken) {
+    const token = await this.getAdminToken();
+    const response = await this.request(
+      `${this.getApiBaseUrl()}/person/${userId}`,
+      { method: "GET" },
+      token
+    );
+    return this.mapKanidmPerson(response);
+  }
+  async createUser(user, _adminToken) {
+    const token = await this.getAdminToken();
+    const kanidmPerson = {
+      attrs: {
+        name: [user.username],
+        displayname: [
+          user.firstName && user.lastName ? `${user.firstName} ${user.lastName}` : user.username
+        ]
+      }
+    };
+    if (user.email && kanidmPerson.attrs) {
+      kanidmPerson.attrs.mail = [user.email];
+    }
+    const response = await fetch(`${this.getApiBaseUrl()}/person`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify(kanidmPerson)
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      if (response.status === 409) {
+        throw new UserAlreadyExistsError(user.username, "kanidm");
+      }
+      throw new ProviderError(`Failed to create user: ${errorBody}`, "kanidm");
+    }
+    return this.getUser(user.username, token);
+  }
+  async updateUser(userId, updates, _adminToken) {
+    const token = await this.getAdminToken();
+    const attrs = {};
+    if (updates.email !== void 0) {
+      attrs.mail = [updates.email];
+    }
+    if (updates.firstName !== void 0 || updates.lastName !== void 0) {
+      const displayName = updates.firstName && updates.lastName ? `${updates.firstName} ${updates.lastName}` : updates.firstName || updates.lastName || "";
+      if (displayName) {
+        attrs.displayname = [displayName];
+      }
+    }
+    await this.request(
+      `${this.getApiBaseUrl()}/person/${userId}`,
+      {
+        method: "PATCH",
+        body: JSON.stringify({ attrs })
+      },
+      token
+    );
+    return this.getUser(userId, token);
+  }
+  async deleteUser(userId, _adminToken) {
+    const token = await this.getAdminToken();
+    await this.request(
+      `${this.getApiBaseUrl()}/person/${userId}`,
+      { method: "DELETE" },
+      token
+    );
+  }
+  async listUsers(query, _adminToken) {
+    const token = await this.getAdminToken();
+    let url = `${this.getApiBaseUrl()}/person`;
+    const params = new URLSearchParams();
+    if (query.search) {
+      params.set("search", query.search);
+    }
+    if (params.toString()) {
+      url += `?${params.toString()}`;
+    }
+    const response = await this.request(
+      url,
+      { method: "GET" },
+      token
+    );
+    const users = Array.isArray(response) ? response : [];
+    let filteredUsers = users.map((u) => this.mapKanidmPerson(u));
+    if (query.email) {
+      filteredUsers = filteredUsers.filter((u) => u.email === query.email);
+    }
+    if (query.username) {
+      filteredUsers = filteredUsers.filter(
+        (u) => u.username === query.username
+      );
+    }
+    const total = filteredUsers.length;
+    const offset = query.offset || 0;
+    const limit = query.limit || 100;
+    return {
+      users: filteredUsers.slice(offset, offset + limit),
+      total,
+      limit,
+      offset
+    };
+  }
+  async requestPasswordReset(_email) {
+    throw new NotImplementedError("requestPasswordReset", "kanidm", {
+      reason: "Password reset is not exposed via Kanidm API"
+    });
+  }
+  async resetPassword(_token, _newPassword) {
+    throw new NotImplementedError("resetPassword", "kanidm", {
+      reason: "Password reset is not exposed via Kanidm API"
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // SESSION OPERATIONS
+  // ---------------------------------------------------------------------------
+  async listSessions(_userId, _adminToken) {
+    throw new NotImplementedError("listSessions", "kanidm", {
+      reason: "Session management is not exposed via Kanidm API"
+    });
+  }
+  async revokeSession(_sessionId, _adminToken) {
+    throw new NotImplementedError("revokeSession", "kanidm", {
+      reason: "Session management is not exposed via Kanidm API"
+    });
+  }
+  async revokeAllSessions(_userId, _adminToken) {
+    throw new NotImplementedError("revokeAllSessions", "kanidm", {
+      reason: "Session management is not exposed via Kanidm API"
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // AUTHORIZATION
+  // ---------------------------------------------------------------------------
+  async hasRole(tokenOrUserId, role) {
+    const roles = await this.getRoles(tokenOrUserId);
+    return roles.includes(role);
+  }
+  async hasPermission(tokenOrUserId, permission, resource) {
+    const roles = await this.getRoles(tokenOrUserId);
+    const permissionRole = resource ? `${resource}:${permission}` : permission;
+    return roles.includes(permissionRole) || roles.includes(permission);
+  }
+  async getRoles(tokenOrUserId, _adminToken) {
+    try {
+      const claims = await this.validateToken(tokenOrUserId);
+      if (claims) {
+        return claims.roles || [];
+      }
+    } catch {
+    }
+    try {
+      const user = await this.getUser(tokenOrUserId);
+      return user.groups || [];
+    } catch {
+    }
+    return [];
+  }
+  async assignRole(_userId, _role, _adminToken) {
+    throw new NotImplementedError("assignRole", "kanidm", {
+      reason: "Role assignment via API requires group management. Use Kanidm CLI to add users to groups."
+    });
+  }
+  async removeRole(_userId, _role, _adminToken) {
+    throw new NotImplementedError("removeRole", "kanidm", {
+      reason: "Role removal via API requires group management. Use Kanidm CLI to remove users from groups."
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // PROVIDER INFORMATION
+  // ---------------------------------------------------------------------------
+  async getCapabilities() {
+    return {
+      authorizationCode: true,
+      passwordGrant: false,
+      // Not supported
+      clientCredentials: false,
+      // Not supported
+      tokenRefresh: true,
+      oidc: true,
+      userManagement: true,
+      // Via /v1/person API
+      sessionManagement: false,
+      // Not exposed
+      rbac: true,
+      // Via groups claim
+      passwordReset: false,
+      // Not exposed via API
+      mfa: true,
+      // Webauthn/passkeys supported
+      socialLogin: false,
+      federation: true,
+      decentralized: false
+    };
+  }
+  async getDiscoveryDocument() {
+    return this.fetchDiscoveryDocument();
+  }
+  // ---------------------------------------------------------------------------
+  // PRIVATE HELPERS
+  // ---------------------------------------------------------------------------
+  mapKanidmPerson(person) {
+    const attrs = person.attrs || {};
+    return {
+      id: attrs.uuid?.[0] || attrs.name?.[0] || "",
+      username: attrs.name?.[0],
+      email: attrs.mail?.[0],
+      displayName: attrs.displayname?.[0],
+      groups: attrs.memberof,
+      enabled: true
+      // Kanidm doesn't expose this directly
+    };
+  }
+}
+export {
+  KanidmProvider
+};
+//# sourceMappingURL=kanidm-hkw-YPVF.js.map