@kaapi/oauth2-auth-design 0.0.34 → 0.0.36

package/lib/generators/oauth2-design-generator.js

@@ -0,0 +1,297 @@
+"use strict";
+var _OAuth2DesignGenerator_instances, _OAuth2DesignGenerator_values, _OAuth2DesignGenerator_getOidcAuthCodeContent;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2DesignGenerator = void 0;
+const tslib_1 = require("tslib");
+const definitions_1 = require("@kaapi/cli/definitions");
+const utils_1 = require("@kaapi/cli/utils");
+const FLOW_OPTIONS = [
+    {
+        value: 'oidc-auth-code',
+        label: 'OIDC Authorization Code',
+        hint: ''
+    },
+    {
+        value: 'oidc-client-credentials',
+        label: 'OIDC Client Credentials',
+        hint: ''
+    },
+    {
+        value: 'oidc-device-flow',
+        label: 'OIDC Device Flow',
+        hint: ''
+    }
+];
+class OAuth2DesignGenerator {
+    constructor() {
+        _OAuth2DesignGenerator_instances.add(this);
+        _OAuth2DesignGenerator_values.set(this, {
+            name: '',
+            flow: ''
+        });
+    }
+    get type() {
+        return 'auth-design';
+    }
+    get name() {
+        return 'oauth2-design-generator';
+    }
+    get description() {
+        return 'Creates an auth design based on OAuth2 specifications.';
+    }
+    get notes() {
+        return [
+            'Allowed values for --flow:',
+            ...FLOW_OPTIONS.map(o => `  - ${o.value}`)
+        ];
+    }
+    get options() {
+        return {
+            name: 'The name of the auth design',
+            flow: 'The grant type flow'
+        };
+    }
+    init(options) {
+        if (typeof options['name'] == 'string') {
+            tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").name = (0, utils_1.camelCase)(options['name']);
+        }
+        if (typeof options['flow'] == 'string') {
+            if (!FLOW_OPTIONS.map(v => v.value).includes(options['flow'])) {
+                throw new Error(`Invalid value for '--flow'. Allowed values are: ${FLOW_OPTIONS.map(v => v.value).join(', ')}.`);
+            }
+            tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").flow = options['flow'];
+        }
+    }
+    isValid() {
+        return !!tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").name;
+    }
+    getFileContent() {
+        return tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_instances, "m", _OAuth2DesignGenerator_getOidcAuthCodeContent).call(this);
+    }
+    getQuestions() {
+        const r = [];
+        if (!tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").name) {
+            r.push({
+                type: definitions_1.QuestionType.text,
+                options: {
+                    message: 'The name of the auth design?',
+                    defaultValue: 'oauth2AuthDesign',
+                    placeholder: 'oauth2AuthDesign'
+                },
+                setValue: (pluginName) => {
+                    tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").name = (0, utils_1.camelCase)(pluginName);
+                }
+            });
+        }
+        if (!(tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").flow && FLOW_OPTIONS.map(v => v.value).includes(tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").flow))) {
+            r.push({
+                type: definitions_1.QuestionType.select,
+                options: {
+                    message: 'The authorization flow?',
+                    options: FLOW_OPTIONS,
+                    initialValue: 'oidc-auth-code'
+                },
+                setValue: (value) => {
+                    tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").flow = `${value}`;
+                }
+            });
+        }
+        return r;
+    }
+    getFilename() {
+        return (0, utils_1.kebabCase)(`${tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").name}`) + '.ts';
+    }
+}
+exports.OAuth2DesignGenerator = OAuth2DesignGenerator;
+_OAuth2DesignGenerator_values = new WeakMap(), _OAuth2DesignGenerator_instances = new WeakSet(), _OAuth2DesignGenerator_getOidcAuthCodeContent = function _OAuth2DesignGenerator_getOidcAuthCodeContent() {
+    return `// generated by @kaapi/oauth2-auth-design
+
+import {
+    BearerToken,
+    OIDCAuthorizationCodeBuilder,
+    createInMemoryKeyStore,
+    createMatchAuthCodeResult,
+    OAuth2TokenResponse,
+    ClientSecretBasic,
+    ClientSecretPost,
+    NoneAuthMethod,
+    OAuth2ErrorCode,
+} from '@kaapi/oauth2-auth-design';
+
+const VALID_CLIENTS = [
+    {
+        client_id: 'service-api-client',
+        client_secret: 's3cr3tK3y123!',
+        allowed_scopes: ['openid', 'profile', 'email', 'read', 'write'],
+    },
+];
+
+const REGISTERED_USERS = [{ id: 'user-1234', username: 'user', password: 'password', email: 'user@email.com' }];
+
+const authCodesStore: Map<
+    string,
+    { clientId: string; scopes: string[]; userId: string; codeChallenge?: string | undefined }
+> = new Map();
+
+export const oidcAuthCodeBuilder = OIDCAuthorizationCodeBuilder.create()
+    // the name of the strategy
+    .strategyName('${(0, utils_1.kebabCase)(tslib_1.__classPrivateFieldGet(this, _OAuth2DesignGenerator_values, "f").name)}')
+    // access token TTL (used in generateToken controller)
+    .setTokenTtl(3600)
+    // activate auto parsing of access token (jwtAccessTokenPayload + createJwtAccessToken)
+    .useAccessTokenJwks(true)
+    // Client authentication methods
+    .addClientAuthenticationMethod(new ClientSecretBasic())
+    .addClientAuthenticationMethod(new ClientSecretPost())
+    .addClientAuthenticationMethod(new NoneAuthMethod())
+    .setTokenType(new BearerToken())
+    // Define scopes
+    .setScopes({
+        profile: 'Access to basic profile information such as name and picture.',
+        email: "Access to the user's email address and its verification status.",
+        read: 'Grants read-only access to protected resources',
+        write: 'Grants write access to protected resources',
+    })
+
+    // Authorization
+    .authorizationRoute<object, { Payload: { username?: string; password?: string } }>((route) =>
+        route
+            .setPath('/oauth2/v1.0/authorize')
+            .setUsernameField('username')
+            .setPasswordField('password')
+            .generateCode(async ({ clientId, codeChallenge, scope }, req, _h) => {
+                // client exists?
+                const client = VALID_CLIENTS.find((c) => c.client_id === clientId);
+                if (!client) return null;
+
+                // filter client's allowed scoped
+                const requestedScopes = (scope ?? '').split(/\\s+/).filter(Boolean);
+                const grantedScopes = requestedScopes.length
+                    ? requestedScopes.filter((s) => client.allowed_scopes.includes(s))
+                    : client.allowed_scopes;
+                if (grantedScopes.length === 0) return null;
+
+                // user exists?
+                const user = REGISTERED_USERS.find(
+                    (u) => u.username === req.payload.username && u.password === req.payload.password
+                );
+                if (!user) return null;
+
+                // generate code
+                const code = \`auth-${Date.now()}\`;
+                authCodesStore.set(code, { clientId, scopes: grantedScopes, userId: user.id, codeChallenge });
+                return { type: 'code', value: code };
+            })
+            .finalizeAuthorization(async (ctx, _params, _req, h) => {
+                // redirect to callback url (could do something else depending on the code result)
+                const matcher = createMatchAuthCodeResult({
+                    code: async () => h.redirect(ctx.fullRedirectUri),
+                    continue: async () => h.redirect(ctx.fullRedirectUri),
+                    deny: async () => h.redirect(ctx.fullRedirectUri),
+                });
+                return matcher(ctx.authorizationResult);
+            })
+    )
+
+    // Token exchange
+    .tokenRoute((route) =>
+        route.generateToken(
+            async ({
+                clientId,
+                ttl,
+                tokenType,
+                code,
+                clientSecret,
+                codeVerifier,
+                createJwtAccessToken,
+                createIdToken,
+                verifyCodeVerifier,
+            }) => {
+                const entry = authCodesStore.get(code);
+                if (!entry || entry.clientId !== clientId) return null;
+
+                const client = VALID_CLIENTS.find((c) => c.client_id === clientId);
+                if (!client) {
+                    return {
+                        error: OAuth2ErrorCode.INVALID_CLIENT,
+                        error_description: 'Client authentication failed.',
+                    };
+                }
+
+                if (entry.codeChallenge && codeVerifier) {
+                    if (!verifyCodeVerifier(codeVerifier, entry.codeChallenge)) {
+                        return {
+                            error: OAuth2ErrorCode.INVALID_GRANT,
+                            error_description: 'Invalid authorization grant.',
+                        };
+                    }
+                } else if (clientSecret) {
+                    if (client.client_secret !== clientSecret) {
+                        return {
+                            error: OAuth2ErrorCode.INVALID_CLIENT,
+                            error_description: 'Client authentication failed.',
+                        };
+                    }
+                } else {
+                    return {
+                        error: OAuth2ErrorCode.INVALID_REQUEST,
+                        error_description: 'Missing or invalid request parameter.',
+                    };
+                }
+
+                const user = REGISTERED_USERS.find((u) => u.id === entry.userId);
+                if (!user) {
+                    return {
+                        error: OAuth2ErrorCode.INVALID_GRANT,
+                        error_description: 'Invalid authorization grant.',
+                    };
+                }
+
+                // Generate a signed JWT access token
+                const { token: accessToken } = await createJwtAccessToken!({
+                    sub: entry.userId,
+                    client_id: clientId,
+                    scope: entry.scopes,
+                });
+
+                // Generate a signed JWT id token
+                const idToken = entry.scopes.includes('openid')
+                    ? (await createIdToken!({ sub: entry.userId, name: user.username, aud: clientId })).token
+                    : undefined;
+
+                // Return token response
+                return new OAuth2TokenResponse({ access_token: accessToken })
+                    .setExpiresIn(ttl)
+                    .setTokenType(tokenType)
+                    .setScope(entry.scopes)
+                    .setIdToken(idToken);
+            }
+        )
+    )
+
+    // Access Token Validation
+    .validate(async (_req, { jwtAccessTokenPayload }) => {
+        if (!jwtAccessTokenPayload?.sub) return { isValid: false };
+        return {
+            isValid: true,
+            credentials: {
+                user: {
+                    id: jwtAccessTokenPayload.sub,
+                    clientId: jwtAccessTokenPayload.client_id,
+                },
+                scope: Array.isArray(jwtAccessTokenPayload.scope) ? jwtAccessTokenPayload.scope : [],
+            },
+        };
+    })
+        
+    // JWKS
+    .jwksRoute((route) => route.setPath('/discovery/v1.0/keys')) // activates jwks uri
+    .setPublicKeyExpiry(86400) // 24h
+    .setJwksKeyStore(createInMemoryKeyStore()) // store for JWKS
+    .setJwksRotatorOptions({
+        intervalMs: 7.884e9, // 91 days
+        timestampStore: createInMemoryKeyStore(),
+    });
+`;
+};
+//# sourceMappingURL=oauth2-design-generator.js.map

package/lib/generators/oauth2-design-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-design-generator.js","sourceRoot":"","sources":["../../src/generators/oauth2-design-generator.ts"],"names":[],"mappings":";;;;;AAAA,wDAAiG;AACjG,4CAAuD;AAEvD,MAAM,YAAY,GAAG;IACjB;QACI,KAAK,EAAE,gBAAgB;QACvB,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,EAAE;KACX;IACD;QACI,KAAK,EAAE,yBAAyB;QAChC,KAAK,EAAE,yBAAyB;QAChC,IAAI,EAAE,EAAE;KACX;IACD;QACI,KAAK,EAAE,kBAAkB;QACzB,KAAK,EAAE,kBAAkB;QACzB,IAAI,EAAE,EAAE;KACX;CACJ,CAAC;AAEF,MAAa,qBAAqB;IAAlC;;QA4BI,wCAAU;YACN,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;SACX,EAAA;IA2PL,CAAC;IAxRG,IAAI,IAAI;QACJ,OAAO,aAAa,CAAA;IACxB,CAAC;IAED,IAAI,IAAI;QACJ,OAAO,yBAAyB,CAAA;IACpC,CAAC;IAED,IAAI,WAAW;QACX,OAAO,wDAAwD,CAAA;IACnE,CAAC;IAED,IAAI,KAAK;QACL,OAAO;YACH,4BAA4B;YAC5B,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC;SAC7C,CAAA;IACL,CAAC;IAED,IAAI,OAAO;QACP,OAAO;YACH,IAAI,EAAE,6BAA6B;YACnC,IAAI,EAAE,qBAAqB;SAC9B,CAAA;IACL,CAAC;IAOD,IAAI,CAAC,OAAgC;QACjC,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACrC,+BAAA,IAAI,qCAAQ,CAAC,IAAI,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;QAClD,CAAC;QACD,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,IAAI,KAAK,CAAC,mDAAmD,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACpH,CAAC;YACD,+BAAA,IAAI,qCAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;QACvC,CAAC;IACL,CAAC;IAED,OAAO;QACH,OAAO,CAAC,CAAC,+BAAA,IAAI,qCAAQ,CAAC,IAAI,CAAA;IAC9B,CAAC;IAED,cAAc;QACV,OAAO,+BAAA,IAAI,uFAAwB,MAA5B,IAAI,CAA0B,CAAA;IACzC,CAAC;IAED,YAAY;QACR,MAAM,CAAC,GAAe,EAAE,CAAA;QAExB,IAAI,CAAC,+BAAA,IAAI,qCAAQ,CAAC,IAAI,EAAE,CAAC;YACrB,CAAC,CAAC,IAAI,CAAC;gBACH,IAAI,EAAE,0BAAY,CAAC,IAAI;gBACvB,OAAO,EAAE;oBACL,OAAO,EAAE,8BAA8B;oBACvC,YAAY,EAAE,kBAAkB;oBAChC,WAAW,EAAE,kBAAkB;iBAClC;gBACD,QAAQ,EAAE,CAAC,UAAU,EAAE,EAAE;oBACrB,+BAAA,IAAI,qCAAQ,CAAC,IAAI,GAAG,IAAA,iBAAS,EAAC,UAAU,CAAC,CAAA;gBAC7C,CAAC;aACJ,CAAC,CAAA;QACN,CAAC;QAED,IAAI,CAAC,CAAC,+BAAA,IAAI,qCAAQ,CAAC,IAAI,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,+BAAA,IAAI,qCAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACrF,CAAC,CAAC,IAAI,CAAC;gBACH,IAAI,EAAE,0BAAY,CAAC,MAAM;gBACzB,OAAO,EAAE;oBACL,OAAO,EAAE,yBAAyB;oBAClC,OAAO,EAAE,YAAY;oBACrB,YAAY,EAAE,gBAAgB;iBACjC;gBACD,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;oBAChB,+BAAA,IAAI,qCAAQ,CAAC,IAAI,GAAG,GAAG,KAAK,EAAE,CAAA;gBAClC,CAAC;aACJ,CAAC,CAAA;QACN,CAAC;QAED,OAAO,CAAC,CAAA;IACZ,CAAC;IAED,WAAW;QACP,OAAO,IAAA,iBAAS,EAAC,GAAG,+BAAA,IAAI,qCAAQ,CAAC,IAAI,EAAE,CAAC,GAAG,KAAK,CAAA;IACpD,CAAC;CAiMJ;AA1RD,sDA0RC;;IA9LO,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA+BM,IAAA,iBAAS,EAAC,+BAAA,IAAI,qCAAQ,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sCA2CX,IAAI,CAAC,GAAG,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkH/C,CAAA;AACG,CAAC"}

package/lib/generators/oauth2-flow-generator.d.ts

@@ -0,0 +1,14 @@
+import { FileGenerator, FileGeneratorType, Question } from '@kaapi/cli/definitions';
+export declare class OAuth2FlowGenerator implements FileGenerator {
+    #private;
+    get type(): FileGeneratorType;
+    get name(): 'oauth2-flow';
+    get description(): string;
+    get notes(): string[];
+    get options(): Record<string, string>;
+    init(options: Record<string, unknown>): void;
+    isValid(): boolean;
+    getFileContent(): string;
+    getQuestions(): Question[];
+    getFilename(): string;
+}