@infoxchange/make-it-so 2.11.0 → 2.12.0-internal-testing-odic-verify-proxy-fix.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/lib/auth/oidc.d.ts.map +1 -1
- package/dist/lib/auth/oidc.js +5 -0
- package/dist/lib/proxy/fetch.d.ts +4 -0
- package/dist/lib/proxy/fetch.d.ts.map +1 -0
- package/dist/lib/proxy/fetch.js +27 -0
- package/dist/lib/proxy/index.d.ts +2 -0
- package/dist/lib/proxy/index.d.ts.map +1 -0
- package/dist/lib/proxy/index.js +1 -0
- package/package.json +6 -2
- package/src/lib/auth/oidc.ts +6 -0
- package/src/lib/proxy/fetch.ts +36 -0
- package/src/lib/proxy/index.ts +1 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,UAAU,EAAa,MAAM,MAAM,CAAC;AAEjE,KAAK,uBAAuB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,EAAE,EAC1E,KAAK,EACL,SAAS,EACT,QAAQ,EACR,UAAU,GACX,EAAE,uBAAuB,CAAC,UAAU,CAAC,GAAG,OAAO,CAC9C,UAAU,SAAS,IAAI,GAEf;IAAE,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,GACxC,UAAU,CACf,
|
|
1
|
+
{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,UAAU,EAAa,MAAM,MAAM,CAAC;AAEjE,KAAK,uBAAuB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,EAAE,EAC1E,KAAK,EACL,SAAS,EACT,QAAQ,EACR,UAAU,GACX,EAAE,uBAAuB,CAAC,UAAU,CAAC,GAAG,OAAO,CAC9C,UAAU,SAAS,IAAI,GAEf;IAAE,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,GACxC,UAAU,CACf,CA+CA"}
|
package/dist/lib/auth/oidc.js
CHANGED
|
@@ -12,16 +12,21 @@ import { createRemoteJWKSet, jwtVerify } from "jose";
|
|
|
12
12
|
*/
|
|
13
13
|
export async function verifyAccessToken({ token, issuerUrl, audience, safeVerify, }) {
|
|
14
14
|
try {
|
|
15
|
+
console.debug("Discovered JWKS URI aa:", issuerUrl);
|
|
15
16
|
const issuer = await Issuer.discover(issuerUrl);
|
|
17
|
+
console.debug("Discovered JWKS URI aa 2");
|
|
16
18
|
const jwksUri = issuer.metadata.jwks_uri;
|
|
17
19
|
if (!jwksUri) {
|
|
18
20
|
throw new Error("JWKS URI not found in issuer metadata");
|
|
19
21
|
}
|
|
22
|
+
console.debug("Discovered JWKS URI:", jwksUri);
|
|
20
23
|
const JWKS = createRemoteJWKSet(new URL(jwksUri));
|
|
24
|
+
console.debug("Discovered JWKS URI 1");
|
|
21
25
|
// Verify the signature and basic claims
|
|
22
26
|
const { payload } = await jwtVerify(token, JWKS, {
|
|
23
27
|
issuer: issuer.metadata.issuer,
|
|
24
28
|
});
|
|
29
|
+
console.debug("Discovered JWKS URI 2");
|
|
25
30
|
const tokenAud = payload.aud ?? payload.client_id;
|
|
26
31
|
let audienceMatches = false;
|
|
27
32
|
for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../../src/lib/proxy/fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,IAAI,WAAW,EACrB,MAAM,QAAQ,CAAC;AAGhB,wBAAgB,kBAAkB,SAcjC;AAED,wBAAgB,eAAe,uBAY9B"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
import { setGlobalDispatcher, EnvHttpProxyAgent, fetch as undiciFetch, } from "undici";
|
|
2
|
+
import { bootstrap } from "global-agent";
|
|
3
|
+
export function setupProxyGlobally() {
|
|
4
|
+
// To cover libraries that use fetch
|
|
5
|
+
// See https://nodejs.org/api/globals.html#custom-dispatcher
|
|
6
|
+
// This might stop being needed at some point: https://github.com/actions/create-github-app-token/pull/143#discussion_r1747641337
|
|
7
|
+
const envHttpProxyAgent = new EnvHttpProxyAgent();
|
|
8
|
+
setGlobalDispatcher(envHttpProxyAgent);
|
|
9
|
+
// To cover libraries that use the http/https object
|
|
10
|
+
if (!process.env.GLOBAL_AGENT_HTTP_PROXY) {
|
|
11
|
+
process.env.GLOBAL_AGENT_HTTP_PROXY = process.env.HTTP_PROXY;
|
|
12
|
+
process.env.GLOBAL_AGENT_HTTPS_PROXY =
|
|
13
|
+
process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
|
|
14
|
+
}
|
|
15
|
+
bootstrap();
|
|
16
|
+
}
|
|
17
|
+
export function getProxiedFetch() {
|
|
18
|
+
const fetch = (input, init = {}) => {
|
|
19
|
+
console.log("Using proxied fetch for request to:", input);
|
|
20
|
+
if (init.dispatcher) {
|
|
21
|
+
console.warn("A custom dispatcher was provided to fetch but this is ignored as a proxy agent is being used.");
|
|
22
|
+
}
|
|
23
|
+
const envHttpProxyAgent = new EnvHttpProxyAgent();
|
|
24
|
+
return undiciFetch(input, { ...init, dispatcher: envHttpProxyAgent });
|
|
25
|
+
};
|
|
26
|
+
return fetch;
|
|
27
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/proxy/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export * from "./fetch.js";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@infoxchange/make-it-so",
|
|
3
|
-
"version": "2.
|
|
3
|
+
"version": "2.12.0-internal-testing-odic-verify-proxy-fix.2",
|
|
4
4
|
"description": "Makes deploying services to IX infra easy",
|
|
5
5
|
"repository": "github:infoxchange/make-it-so",
|
|
6
6
|
"type": "module",
|
|
@@ -17,7 +17,8 @@
|
|
|
17
17
|
"exports": {
|
|
18
18
|
"./cdk-constructs": "./dist/cdk-constructs/index.js",
|
|
19
19
|
"./deployConfig": "./dist/deployConfig.js",
|
|
20
|
-
"./auth": "./dist/lib/auth/index.js"
|
|
20
|
+
"./auth": "./dist/lib/auth/index.js",
|
|
21
|
+
"./proxy": "./dist/lib/proxy/index.js"
|
|
21
22
|
},
|
|
22
23
|
"lint-staged": {
|
|
23
24
|
"**/*": [
|
|
@@ -32,6 +33,7 @@
|
|
|
32
33
|
"@eslint/js": "^9.3.0",
|
|
33
34
|
"@tsconfig/node21": "^21.0.3",
|
|
34
35
|
"@types/aws-cloudfront-function": "^1.0.6",
|
|
36
|
+
"@types/global-agent": "^3.0.0",
|
|
35
37
|
"@types/jsonwebtoken": "^9.0.10",
|
|
36
38
|
"aws-cdk-lib": "2.142.1",
|
|
37
39
|
"constructs": "^10.3.0",
|
|
@@ -53,7 +55,9 @@
|
|
|
53
55
|
"sst": "^2.0.0"
|
|
54
56
|
},
|
|
55
57
|
"dependencies": {
|
|
58
|
+
"global-agent": "^3.0.0",
|
|
56
59
|
"jsonwebtoken": "^9.0.2",
|
|
60
|
+
"undici": "^7.16.0",
|
|
57
61
|
"zod": "^3.24.2"
|
|
58
62
|
}
|
|
59
63
|
}
|
package/src/lib/auth/oidc.ts
CHANGED
|
@@ -31,18 +31,24 @@ export async function verifyAccessToken<SafeVerify extends boolean = false>({
|
|
|
31
31
|
: JWTPayload
|
|
32
32
|
> {
|
|
33
33
|
try {
|
|
34
|
+
console.debug("Discovered JWKS URI aa:", issuerUrl);
|
|
34
35
|
const issuer = await Issuer.discover(issuerUrl);
|
|
36
|
+
console.debug("Discovered JWKS URI aa 2");
|
|
35
37
|
const jwksUri = issuer.metadata.jwks_uri;
|
|
36
38
|
if (!jwksUri) {
|
|
37
39
|
throw new Error("JWKS URI not found in issuer metadata");
|
|
38
40
|
}
|
|
41
|
+
console.debug("Discovered JWKS URI:", jwksUri);
|
|
39
42
|
const JWKS = createRemoteJWKSet(new URL(jwksUri));
|
|
43
|
+
console.debug("Discovered JWKS URI 1");
|
|
40
44
|
|
|
41
45
|
// Verify the signature and basic claims
|
|
42
46
|
const { payload } = await jwtVerify(token, JWKS, {
|
|
43
47
|
issuer: issuer.metadata.issuer,
|
|
44
48
|
});
|
|
45
49
|
|
|
50
|
+
console.debug("Discovered JWKS URI 2");
|
|
51
|
+
|
|
46
52
|
const tokenAud = payload.aud ?? payload.client_id;
|
|
47
53
|
let audienceMatches = false;
|
|
48
54
|
for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
import {
|
|
2
|
+
setGlobalDispatcher,
|
|
3
|
+
EnvHttpProxyAgent,
|
|
4
|
+
fetch as undiciFetch,
|
|
5
|
+
} from "undici";
|
|
6
|
+
import { bootstrap } from "global-agent";
|
|
7
|
+
|
|
8
|
+
export function setupProxyGlobally() {
|
|
9
|
+
// To cover libraries that use fetch
|
|
10
|
+
// See https://nodejs.org/api/globals.html#custom-dispatcher
|
|
11
|
+
// This might stop being needed at some point: https://github.com/actions/create-github-app-token/pull/143#discussion_r1747641337
|
|
12
|
+
const envHttpProxyAgent = new EnvHttpProxyAgent();
|
|
13
|
+
setGlobalDispatcher(envHttpProxyAgent);
|
|
14
|
+
|
|
15
|
+
// To cover libraries that use the http/https object
|
|
16
|
+
if (!process.env.GLOBAL_AGENT_HTTP_PROXY) {
|
|
17
|
+
process.env.GLOBAL_AGENT_HTTP_PROXY = process.env.HTTP_PROXY;
|
|
18
|
+
process.env.GLOBAL_AGENT_HTTPS_PROXY =
|
|
19
|
+
process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
|
|
20
|
+
}
|
|
21
|
+
bootstrap();
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
export function getProxiedFetch() {
|
|
25
|
+
const fetch: typeof undiciFetch = (input, init = {}) => {
|
|
26
|
+
console.log("Using proxied fetch for request to:", input);
|
|
27
|
+
if (init.dispatcher) {
|
|
28
|
+
console.warn(
|
|
29
|
+
"A custom dispatcher was provided to fetch but this is ignored as a proxy agent is being used.",
|
|
30
|
+
);
|
|
31
|
+
}
|
|
32
|
+
const envHttpProxyAgent = new EnvHttpProxyAgent();
|
|
33
|
+
return undiciFetch(input, { ...init, dispatcher: envHttpProxyAgent });
|
|
34
|
+
};
|
|
35
|
+
return fetch;
|
|
36
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export * from "./fetch.js";
|