@igxjs/node-components 1.0.15 → 1.0.16

package/components/assets/template.html

@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <title>Sign in IBM Garage</title>
-    <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no,viewport-fit=cover,minimum-scale=1,maximum-scale=1,user-scalable=no">
+    <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no,viewport-fit=cover,minimum-scale=1,maximum-scale=2">
     <meta name="robots" content="noindex, nofollow" />
     <style>
       :root {
@@ -94,9 +94,14 @@
         localStorage.setItem('{{SESSION_EXPIRY_KEY}}', '{{SESSION_EXPIRY_VALUE}}');
       }
 
+      /**
+       * Note: You can also request full user informlation by using ajax request or loading server side page.
+       */
+
       // Fall back to simple navigation
       location.href = '{{SSO_SUCCESS_URL}}';
-    } catch (e) {
+    }
+    catch (e) {
       console.error('Redirect failed:', e);
       success = false;
     }

package/components/session.js

@@ -272,7 +272,7 @@ export class SessionManager {
    * @private
    */
   #getTokenRedisKey(email, tid) {
-    return `${this.#config.SESSION_KEY}:t:${email}:${tid}`;
+    return `${this.#config.SESSION_KEY}:${email}:${tid}`;
   }
 
   /**
@@ -282,7 +282,7 @@ export class SessionManager {
    * @private
    */
   #getTokenRedisPattern(email) {
-    return `${this.#config.SESSION_KEY}:t:${email}:*`;
+    return `${this.#config.SESSION_KEY}:${email}:*`;
   }
 
   /**
@@ -311,12 +311,12 @@ export class SessionManager {
     });
     app.set('trust proxy', 1);
     const isOK = await this.#redisManager.connect(this.#config.REDIS_URL, this.#config.REDIS_CERT_PATH);
-    if (this.#config.SESSION_MODE === SessionMode.SESSION) {
+    if (this.getSessionMode() === SessionMode.SESSION) {
       app.use(this.#sessionHandler(isOK));
     }
 
     // Cache HTML template for TOKEN mode
-    if (this.#config.SESSION_MODE === SessionMode.TOKEN) {
+    if (this.getSessionMode() === SessionMode.TOKEN) {
       const templatePath = this.#config.TOKEN_STORAGE_TEMPLATE_PATH ||
         path.resolve(__dirname, 'assets', 'template.html');
       this.#htmlTemplate = fs.readFileSync(templatePath, 'utf8');
@@ -324,27 +324,37 @@ export class SessionManager {
     }
   }
 
+  /**
+   * Generate lightweight JWT token
+   * @param {string} email User email
+   * @param {string} tokenId Token ID
+   * @param {number} expirationTime Expiration time in seconds
+   * @returns {Promise<string>} Returns the generated JWT token
+   * @private
+   */
+  async #getLightweightToken(email, tokenId, expirationTime) {
+    return await this.#jwtManager.encrypt({ email, tid: tokenId }, this.#config.SSO_CLIENT_SECRET, { expirationTime });
+  }
+
   /**
    * Generate and store JWT token in Redis
    * - JWT payload contains only { email, tid } for minimal size
    * - Full user data is stored in Redis as single source of truth
-   * @param {object} user User object with email and attributes
+   * @param {string} tid Token ID
+   * @param {Record<string, any> & { email: string, tid: string }} user User object with email and attributes
    * @returns {Promise<string>} Returns the generated JWT token
    * @throws {Error} If JWT encryption fails
    * @throws {Error} If Redis storage fails
    * @private
    * @example
-   * const token = await this.#generateAndStoreToken({
+   * const token = await this.#generateAndStoreToken('tid', {
    *   email: 'user@example.com',
    *   attributes: { /* user data * / }
    * });
    */
-  async #generateAndStoreToken(user) {
-    // Generate unique token ID for this device/session
-    const tid = crypto.randomUUID();
-    // Create JWT token with only email and tid (minimal payload)
-    const payload = { email: user.email, tid };
-    const token = await this.#jwtManager.encrypt(payload, this.#config.SESSION_SECRET, { expirationTime: this.#config.SESSION_AGE });
+  async #generateAndStoreToken(tid, user) {
+    // Create JWT token with only email, tid and idp (minimal payload)
+    const token = await this.#getLightweightToken(user.email, tid, this.#config.SESSION_AGE);
 
     // Store user data in Redis with TTL
     const redisKey = this.#getTokenRedisKey(user.email, tid);
@@ -357,28 +367,28 @@ export class SessionManager {
   /**
    * Extract and validate user data from Authorization header (TOKEN mode only)
    * @param {string} authHeader Authorization header in format "Bearer {token}"
-   * @param {boolean} [fetchFromRedis=true] Whether to fetch full user data from Redis
-   *   - true: Returns { tid, user } with full user data from Redis (default)
+   * @param {boolean} [includeUserData=true] Whether to include full user data in response
+   *   - true: Returns { tid, user } with full user data (default)
    *   - false: Returns JWT payload only (lightweight validation)
-   * @returns {Promise<{ tid: string?, email: string?, user: object? } | object>}
-   *   - When fetchFromRedis=true: { tid: string, user: object }
-   *   - When fetchFromRedis=false: JWT payload object
+   * @returns {Promise<{ tid: string, user: { email: string, attributes: { expires_at: number, sub: string } } } & object>}
+   *   - When includeUserData=true: { tid: string, user: object }
+   *   - When includeUserData=false: JWT payload object
    * @throws {CustomError} UNAUTHORIZED (401) if:
    *   - Authorization header is missing or invalid format
    *   - Token decryption fails
    *   - Token payload is invalid (missing email/tid)
-   *   - Token not found in Redis (when fetchFromRedis=true)
+   *   - Token not found in Redis (when includeUserData=true)
    * @private
    */
-  async #getUserFromToken(authHeader, fetchFromRedis = true) {
+  async #getUserFromToken(authHeader, includeUserData = true) {
     if (!authHeader?.startsWith('Bearer ')) {
       throw new CustomError(httpCodes.UNAUTHORIZED, 'Missing or invalid authorization header');
     }
     const token = authHeader.substring(7); // Remove 'Bearer ' prefix
-    // Decrypt JWT token
-    const { payload } = await this.#jwtManager.decrypt(token, this.#config.SESSION_SECRET);
+    /** @type {{ payload: { email: string, tid: string } & import('jose').JWTPayload }} */
+    const { payload } = await this.#jwtManager.decrypt(token, this.#config.SSO_CLIENT_SECRET);
 
-    if (fetchFromRedis) {
+    if (includeUserData) {
       /** @type {{ email: string, tid: string }} Extract email and token ID */
       const { email, tid } = payload;
       if (!email || !tid) {
@@ -392,14 +402,15 @@ export class SessionManager {
       if (!userData) {
         throw new CustomError(httpCodes.UNAUTHORIZED, 'Token not found or expired');
       }
-      return { tid, user: JSON.parse(userData) };
+      return { tid, user: { ...JSON.parse(userData) } };
     }
-    return payload;
+    return { tid: payload.tid, user: { email: payload.email, attributes: { sub: payload.sub, expires_at: payload.exp ? payload.exp * 1000 : 0 } } };
   }
 
   /**
    * Get authenticated user data (works for both SESSION and TOKEN modes)
    * @param {import('@types/express').Request} req Express request object
+   * @param {boolean} [includeUserData=false] Whether to include full user data in response
    * @returns {Promise<object>} Full user data object
    * @throws {CustomError} If user is not authenticated
    * @public
@@ -415,9 +426,9 @@ export class SessionManager {
    *   }
    * });
    */
-  async getUser(req) {
-    if (this.#config.SESSION_MODE === SessionMode.TOKEN) {
-      const { user } = await this.#getUserFromToken(req.headers.authorization, true);
+  async getUser(req, includeUserData = false) {
+    if (this.getSessionMode() === SessionMode.TOKEN) {
+      const { user } = await this.#getUserFromToken(req.headers.authorization, includeUserData);
       return user;
     }
     // Session mode
@@ -484,17 +495,16 @@ export class SessionManager {
    * @param {import('@types/express').Request} req Request with Authorization header
    * @param {import('@types/express').Response} res Response object
    * @param {import('@types/express').NextFunction} next Next middleware function
-   * @param {(user: object) => object} initUser Function to initialize/transform user object
+   * @param {(user: object) => object & { email: string }} initUser Function to initialize/transform user object
    * @param {string} idpRefreshUrl Identity provider refresh endpoint URL
    * @throws {CustomError} If refresh lock is active or SSO refresh fails
    * @private
    * @example
    * // Response format:
-   * // { jwt: "new_jwt", user: {...}, expires_at: 64800, token_type: "Bearer" }
+   * // { jwt: "new_jwt", user: {...} }
    */
   async #refreshToken(req, res, next, initUser, idpRefreshUrl) {
     try {
-      /** @type {{ tid: string, user: { email: string, attributes: { idp: string, refresh_token: string }? } }} */
       const { tid, user } = await this.#getUserFromToken(req.headers.authorization, true);
 
       // Check refresh lock
@@ -505,12 +515,11 @@ export class SessionManager {
 
       // Call SSO refresh endpoint
       const response = await this.#idpRequest.post(idpRefreshUrl, {
-        user: {
-          email: user?.email,
-          attributes: {
-            idp: user?.attributes?.idp,
-            refresh_token: user?.attributes?.refresh_token
-          }
+        idp: user?.attributes?.idp, 
+        refresh_token: user?.attributes?.refresh_token
+      }, {
+        headers: {
+          Authorization: req.headers.authorization
         }
       });
 
@@ -530,16 +539,12 @@ export class SessionManager {
       const newUser = initUser(newPayload.user);
 
       // Generate new token
-      const newToken = await this.#generateAndStoreToken(newUser);
-
-      // Remove old token from Redis
-      const oldRedisKey = this.#getTokenRedisKey(user.email, tid);
-      await this.#redisManager.getClient().del(oldRedisKey);
+      const newToken = await this.#generateAndStoreToken(tid, newUser);
 
       this.#logger.debug('### TOKEN REFRESHED SUCCESSFULLY ###');
 
       // Return new token
-      return res.json({ jwt: newToken, user: newUser, expires_at: this.#config.SESSION_AGE, token_type: 'Bearer' });
+      return res.json({ jwt: newToken, user: newUser });
     } catch (error) {
       return next(httpHelper.handleAxiosError(error));
     }
@@ -557,23 +562,30 @@ export class SessionManager {
   async #refreshSession(req, res, next, initUser, idpRefreshUrl) {
     try {
       const { email, attributes } = req.user || { email: '', attributes: {} };
+      // Check refresh lock
       if (this.hasLock(email)) {
-        throw new CustomError(httpCodes.CONFLICT, 'User refresh is locked');
+        throw new CustomError(httpCodes.CONFLICT, 'Session refresh is locked');
       }
       this.lock(email);
+
+      /** @type {string} */
+      const token = await this.#getLightweightToken(email, req.sessionID, req.user.attributes.expires_at);
+
+      // Call SSO refresh endpoint
       const response = await this.#idpRequest.post(idpRefreshUrl, {
-        user: {
-          email,
-          attributes: {
-            idp: attributes?.idp,
-            refresh_token: attributes?.refresh_token
-          }
+        idp: attributes?.idp,
+        refresh_token: attributes?.refresh_token,
+      }, {
+        headers: {
+          Authorization: `Bearer ${token}`
         }
       });
       if (response.status === httpCodes.OK) {
+        /** @type {{ jwt: string }} */
         const { jwt } = response.data;
-        const payload = await this.#saveSession(req, jwt, initUser);
-        return res.json(payload);
+        const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
+        const result = await this.#saveSession(req, payload, initUser);
+        return res.json(result);
       }
       throw new CustomError(response.status, response.statusText);
     } catch (error) {
@@ -643,8 +655,8 @@ export class SessionManager {
 
     try {
       // Extract Token ID and email from current token
-      const payload = await this.#getUserFromToken(req.headers.authorization, false);
-      const { email, tid } = payload;
+      const { tid, user } = await this.#getUserFromToken(req.headers.authorization, false);
+      const { email } = user;
 
       if (!email || !tid) {
         throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid token payload');
@@ -749,9 +761,9 @@ export class SessionManager {
    * @returns {import('@types/express').RequestHandler} Returns express Request Handler
    */
   requireUser = () => {
-    return async (req, res, next) => {
+    return async (req, _res, next) => {
       try {
-        req.user = await this.getUser(req);
+        req.user = await this.getUser(req, true);
         return next();
       }
       catch (error) {
@@ -786,7 +798,7 @@ export class SessionManager {
    */
   authenticate(errorRedirectUrl = '') {
     return async (req, res, next) => {
-      const mode = this.#config.SESSION_MODE || SessionMode.SESSION;
+      const mode = this.getSessionMode() || SessionMode.SESSION;
       if (mode === SessionMode.TOKEN) {
         return this.#verifyToken(req, res, next, errorRedirectUrl);
       }
@@ -819,13 +831,11 @@ export class SessionManager {
   /**
    * Save session
    * @param {import('@types/express').Request} request Request object
-   * @param {string} jwt JWT
+   * @param {import('jose').JWTPayload} payload JWT
    * @param {(user: object) => object} initUser Redirect URL
    * @returns {Promise<{ user: import('../models/types/user').UserModel, redirect_url: string }>} Promise
    */
-  #saveSession = async (request, jwt, initUser) => {
-    /** @type {{ payload: { user: import('../models/types/user').UserModel, redirect_url: string } }} */
-    const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
+  #saveSession = async (request, payload, initUser) => {
     if (payload?.user) {
       this.#logger.debug('### CALLBACK USER ###');
       request.session[this.#getSessionKey()] = initUser(payload.user);
@@ -876,26 +886,28 @@ export class SessionManager {
         try {
           // Decrypt JWT from Identity Adapter
           const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
-          
+
           if (!payload?.user) {
             throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid JWT payload');
           }
   
-          /** @type {import('../index.js').SessionUser} */
-          const user = initUser(payload.user);
           /** @type {string} */
           const callbackRedirectUrl = payload.redirect_url || this.#config.SSO_SUCCESS_URL;
   
           // Token mode: Generate token and return HTML page
-          if (this.#config.SESSION_MODE === SessionMode.TOKEN) {
-            const token = await this.#generateAndStoreToken(user);
+          if (this.getSessionMode() === SessionMode.TOKEN) {
+            /** @type {import('../index.js').SessionUser} */
+            const user = initUser(payload.user);
+            // Generate unique token ID for this device/session
+            const tid = crypto.randomUUID();
+            const token = await this.#generateAndStoreToken(tid, user);
             this.#logger.debug('### CALLBACK TOKEN GENERATED ###');
             const html = this.#renderTokenStorageHtml(token, user.attributes.expires_at, callbackRedirectUrl);
             return res.send(html);
           }
 
           // Session mode: Save to session and redirect
-          await this.#saveSession(req, jwt, initUser);
+          await this.#saveSession(req, payload, initUser);
           return res.redirect(callbackRedirectUrl);
         }
         catch (error) {
@@ -939,11 +951,12 @@ export class SessionManager {
   refresh(initUser) {
     const idpRefreshUrl = '/auth/refresh'.concat('?client_id=').concat(this.#config.SSO_CLIENT_ID);
     return async (req, res, next) => {
-      const mode = this.#config.SESSION_MODE || SessionMode.SESSION;
+      const mode = this.getSessionMode() || SessionMode.SESSION;
 
       if (mode === SessionMode.TOKEN) {
         return this.#refreshToken(req, res, next, initUser, idpRefreshUrl);
-      } else {
+      }
+      else {
         return this.#refreshSession(req, res, next, initUser, idpRefreshUrl);
       }
     };
@@ -958,8 +971,8 @@ export class SessionManager {
       const { redirect = false, all = false } = req.query;
       const isRedirect = (redirect === 'true' || redirect === true);
       const logoutAll = (all === 'true' || all === true);
-      const mode = this.#config.SESSION_MODE || SessionMode.SESSION;
-      
+      const mode = this.getSessionMode() || SessionMode.SESSION;
+
       if (mode === SessionMode.TOKEN) {
         return this.#logoutToken(req, res, isRedirect, logoutAll);
       }
@@ -985,4 +998,11 @@ export class SessionManager {
     };
   }
 
+  /**
+   * Get session mode
+   * @returns {string} Session mode
+   */
+  getSessionMode() {
+    return this.#config.SESSION_MODE;
+  }
 }

package/index.d.ts

@@ -316,6 +316,7 @@ export class SessionManager {
   /**
    * Get authenticated user data (works for both SESSION and TOKEN modes)
    * @param req Express request object
+   * @param includeUserData Include user data in the response (default: false)
    * @returns Promise resolving to full user data object
    * @throws CustomError If user is not authenticated
    * @example
@@ -323,7 +324,7 @@ export class SessionManager {
    * // Use in custom middleware
    * app.use(async (req, res, next) => {
    *   try {
-   *     const user = await sessionManager.getUser(req);
+   *     const user = await sessionManager.getUser(req, true);
    *     req.customUser = user;
    *     next();
    *   } catch (error) {
@@ -332,7 +333,7 @@ export class SessionManager {
    * });
    * ```
    */
-  getUser(req: Request): Promise<SessionUser>;
+  getUser(req: Request, includeUserData: boolean?): Promise<SessionUser>;
 
   /**
    * Initialize the session configurations and middleware
@@ -439,6 +440,12 @@ export class SessionManager {
    * @returns Returns express Request Handler
    */
   logout(): RequestHandler;
+
+  /**
+   * Get the current session mode
+   * @returns Returns 'session' or 'token' based on configuration
+   */
+  getSessionMode(): string;
 }
 
 // Custom Error class

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@igxjs/node-components",
-  "version": "1.0.15",
+  "version": "1.0.16",
   "description": "Node components for igxjs",
   "main": "index.js",
   "type": "module",
@@ -12,21 +12,7 @@
     "url": "git+https://github.com/igxjs/node-components.git"
   },
   "keywords": [
-    "igxjs",
-    "express",
-    "session-management",
-    "jwt",
-    "jwe",
-    "redis",
-    "authentication",
-    "sso",
-    "oauth",
-    "middleware",
-    "node-components",
-    "session",
-    "token-auth",
-    "bearer-token",
-    "express-middleware"
+    "igxjs"
   ],
   "author": "Michael",
   "license": "Apache-2.0",
@@ -43,7 +29,7 @@
     "axios": "^1.13.6",
     "connect-redis": "^9.0.0",
     "express-session": "^1.19.0",
-    "jose": "^6.2.1",
+    "jose": "^6.2.2",
     "memorystore": "^1.6.7"
   },
   "devDependencies": {