@lwrjs/auth-middleware 0.6.0

package/LICENSE

@@ -0,0 +1,10 @@
+MIT LICENSE
+
+Copyright (c) 2020, Salesforce.com, Inc.
+All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,138 @@
+# LWR Authentication Middleware
+
+This package contains middleware which authenticates to a [Salesforce Connected App](https://help.salesforce.com/s/articleView?id=sf.connected_app_overview.htm&type=5). Once authenticated, LWR app developers can make requests to their Salesforce org. The middleware works with both Express and Koa LWR server types.
+
+-   [Basic Example](#basic-example)
+-   [Connected App Setup](#connected-app-setup)
+-   [Details](#details)
+    -   [Middleware](#middleware)
+    -   [Variables](#variables)
+    -   [Endpoints](#endpoints)
+    -   [Flow](#flow)
+
+## Basic Example
+
+Add the middleware to the LWR server:
+
+```ts
+// excerpt from /my-lwr-app/src/index.ts
+import { createServer } from 'lwr';
+import { platformWebServerAuthMiddleware } from '@lwrjs/auth-middleware';
+
+const lwrApp = createServer(lwrConfig);
+platformWebServerAuthMiddleware(lwrApp.getServer()); // Pass in the generic LWR server interface
+```
+
+> For more information on LWR middleware see [this recipe](https://github.com/salesforce/lwr-recipes/tree/master/packages/custom-middleware).
+
+Start the LWR server, and pass the [Connected App information](#variables) in using environment variables:
+
+```
+MY_DOMAIN=https://somewhere.force.com CLIENT_KEY=abc.123 CLIENT_SECRET=****** yarn start
+```
+
+Authenticate by accessing the `/login` [endpoint](#endpoints) from the LWR app:
+
+```html
+<!-- /my-lwr-app/src/modules/my/app/app.html -->
+<a href="/login?app_path=%2Fhome">Login to Salesforce</a>
+```
+
+Make authenticated requests from the LWR app through the [proxy endpoint](#endpoints):
+
+```js
+// /my-lwr-app/src/modules/my/app/app.js
+
+export default class MyApp extends LightningElement {
+    records;
+
+    getOpportunities() {
+        fetch('/services/data/v54.0/ui-api/list-ui/Opportunity/AllOpportunities')
+            .then((res) => {
+                res.json().then((data) => (this.records = data));
+            })
+            .catch((e) => {
+                console.error(e);
+            });
+    }
+}
+```
+
+## Connected App Setup
+
+Before using the LWR authentication middleware, the app developer must set up a [Connected App](https://help.salesforce.com/s/articleView?id=sf.connected_app_overview.htm&type=5):
+
+1. Follow [these instructions](https://help.salesforce.com/s/articleView?id=sf.connected_app_create_api_integration.htm&type=5) to set up the Connected App with OAuth enabled.
+    - Make selections for a "Web Server Flow" (not Device or JWT flows).
+    - Set the "Callback URL" to the [origin](https://developer.mozilla.org/en-US/docs/Web/API/URL/origin) of the LWR app with an `/oauth` path appended (e.g. `https://website.com/oauth`).
+2. Make a note of the "Consumer Key" (i.e. Client ID) and "Consumer Secret" (i.e. Client Secret) (or find them later in the App Manager).
+3. Let users self-authorize:
+    - In Setup, go to "Manage Connected Apps"
+    - Click "Edit" next to the new Connected App name
+    - Set "Permitted Users" to "All users may self-authorize"
+    - Click "Save"
+4. Allow Profiles access to the Connected App:
+    - In Setup, go to "Profiles"
+    - Click "Edit" next to the desired profile
+    - Select the Connected App under "Enable Connected Apps"
+    - Click "Save"
+
+## Details
+
+The `platformWebServerAuthMiddleware` uses the [OAuth 2.0 Web Server Flow for Web App Integration](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5).
+
+### Middleware
+
+An app developer can attach the LWR authentication middleware when they create their LWR server. The middleware takes the following arguments:
+
+-   _Required_ app server instance from `getServer()`; this is compatible with both the Express and Koa LWR server types. Do not use `getInternalServer()`, which returns **either** the underlying Express **or** Koa server.
+-   _Optional_ bag of options: `{ proxyEndpoint?: string; }`:
+    -   proxyEndpoint: The endpoint which proxies all its requests to the Salesforce org; it defaults to `/services/data`.
+
+```ts
+import { createServer } from 'lwr';
+import { platformWebServerAuthMiddleware } from '@lwrjs/auth-middleware';
+
+const lwrApp = createServer(lwrConfig);
+platformWebServerAuthMiddleware(lwrApp.getServer(), { proxyEndpoint: '/some/where' });
+```
+
+### Variables
+
+In order to authenticate with the Web Server Flow, the following Connected App information is needed:
+
+-   `MY_DOMAIN`: The [domain of the Salesforce org](https://help.salesforce.com/s/articleView?id=sf.faq_domain_name_what.htm&type=5) (_Note_: Find this in Setup -> "My Domain"; this is **not** necessarily the same as the URL in the browser address bar when visiting the org).
+-   `CLIENT_KEY`: The public OAuth identifier for the Connected App (i.e. "Consumer Key", "Client ID").
+-   `CLIENT_SECRET`: The password to go along with the `CLIENT_KEY` (i.e. "Consumer Secret", "Client Secret"), known only to the Connected App the and LWR server.
+
+This information is passed to the LWR server via environment variables to keep them secure and out of the codebase.
+
+> Read more about the OAuth Client ID and Secret [here](https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/).
+
+### Endpoints
+
+The LWR authentication middleware provides the following endpoints:
+
+-   `/login`: Accessed from the LWR app client code to trigger the OAuth flow and allow the current user to log in.
+    -   The `/login` endpoint takes an optional query parameter: `app_path`. Set `app_path` to the [path and parameters](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL#path_to_resource) the LWR server should redirect to after authenticating (e.g. `/home`, `/list?sort=desc`). If omitted, `app_path` defaults to `/`. This value must be URL encoded.
+-   `/oauth`: Used internally as part of the OAuth flow, this is the [OAuth redirect URI](https://www.oauth.com/oauth2-servers/redirect-uris/) for the [Connected App](#connected-app-setup) which fetches the OAuth token.
+-   proxy endpoint: Requests sent to this endpoint are proxied to the Salesforce org with the OAuth token in an [Authorization header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization). By proxying these requests through the LWR server, the token remains secure from inspection by the client. The proxy endpoint is optionally passed into the [`platformWebServerAuthMiddleware`](#middleware) as an option; the default proxy endpoint is `/services/data`.
+
+### Flow
+
+The LWR server takes the following steps in order to authenticate and make authorized requests to a Salesforce org:
+
+1. The LWR authentication middleware receives a request to its `/login` endpoint.
+2. The middleware builds the `redirect_uri` by appending `/oauth` to the [origin](https://developer.mozilla.org/en-US/docs/Web/API/URL/origin).
+3. The middleware redirects to the org's `/services/oauth2/authorize` endpoint to request an authorization code.
+4. The user sees a login page in their browser and enters their username and password.
+5. The Connected app makes a request to the middleware's redirect URI (i.e. the `/oauth` endpoint) which includes the authorization code.
+6. The middleware POSTs to the org's `/services/oauth2/token` endpoint to request an OAuth token.
+7. Upon receiving the token, the middleware adds it to a [`httpOnly` cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) and redirects to the LWR app (i.e. `app_path`).
+8. When the middleware receives a request to the proxy endpoint, it forwards the request to the Salesforce org authorized with the OAuth token:
+
+```js
+headers = {
+    Authorization: `Bearer ${token}`,
+};
+```

package/build/cjs/index.cjs

@@ -0,0 +1,22 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __exportStar = (target, module2, desc) => {
+  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
+    for (let key of __getOwnPropNames(module2))
+      if (!__hasOwnProp.call(target, key) && key !== "default")
+        __defProp(target, key, {get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable});
+  }
+  return target;
+};
+var __toModule = (module2) => {
+  return __exportStar(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? {get: () => module2.default, enumerable: true} : {value: module2, enumerable: true})), module2);
+};
+
+// packages/@lwrjs/auth-middleware/src/index.ts
+__markAsModule(exports);
+__exportStar(exports, __toModule(require("./web-server.cjs")));

package/build/cjs/types.cjs

@@ -0,0 +1,5 @@
+var __defProp = Object.defineProperty;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+
+// packages/@lwrjs/auth-middleware/src/types.ts
+__markAsModule(exports);

package/build/cjs/utils.cjs

@@ -0,0 +1,74 @@
+var __defProp = Object.defineProperty;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+
+// packages/@lwrjs/auth-middleware/src/utils.ts
+__markAsModule(exports);
+__export(exports, {
+  COOKIE_NAME: () => COOKIE_NAME,
+  LOGIN_ENDPOINT: () => LOGIN_ENDPOINT,
+  PROXY_ENDPOINT: () => PROXY_ENDPOINT,
+  REDIRECT_ENDPOINT: () => REDIRECT_ENDPOINT,
+  buildProxyRequest: () => buildProxyRequest,
+  buildRedirectUrl: () => buildRedirectUrl,
+  getAppPathAsState: () => getAppPathAsState,
+  getOauthInfoFromCookie: () => getOauthInfoFromCookie,
+  getPlatformWebServerEnvVars: () => getPlatformWebServerEnvVars
+});
+var LOGIN_ENDPOINT = "/login";
+var REDIRECT_ENDPOINT = "/oauth";
+var PROXY_ENDPOINT = "/services/data";
+var COOKIE_NAME = "lwr_web_server_oauth_info";
+var REDIRECT_QUERY = "app_path";
+function buildRedirectUrl(req) {
+  return encodeURIComponent(`${req.protocol}://${req.get("host")}${REDIRECT_ENDPOINT}`);
+}
+function getPlatformWebServerEnvVars() {
+  const env = {myDomain: "MY_DOMAIN", clientKey: "CLIENT_KEY", clientSecret: "CLIENT_SECRET"};
+  const myDomain = process.env[env.myDomain];
+  const clientKey = process.env[env.clientKey];
+  const clientSecret = process.env[env.clientSecret];
+  const errorMsg = "Web Server OAuth Middleware: missing process.env.";
+  if (!myDomain) {
+    throw new Error(`${errorMsg}${env.myDomain}`);
+  }
+  if (!clientKey) {
+    throw new Error(`${errorMsg}${env.clientKey}`);
+  }
+  if (!clientSecret) {
+    throw new Error(`${errorMsg}${env.clientSecret}`);
+  }
+  return {myDomain, clientKey, clientSecret};
+}
+function getAppPathAsState(req) {
+  let appPath = req.query[REDIRECT_QUERY];
+  if (appPath && !decodeURIComponent(appPath).startsWith("/")) {
+    console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
+    appPath = void 0;
+  }
+  return appPath ? `&state=${appPath}` : "";
+}
+function getOauthInfoFromCookie(req) {
+  const oauthInfoStr = req.cookie(COOKIE_NAME);
+  return oauthInfoStr ? JSON.parse(oauthInfoStr) : void 0;
+}
+function buildProxyRequest(req, {access_token, instance_url}) {
+  const headers = {
+    Authorization: `Bearer ${access_token}`
+  };
+  let body;
+  if (req.method !== "GET" && req.body) {
+    body = JSON.stringify(req.body);
+  }
+  return {
+    url: `${instance_url}${req.originalUrl}`,
+    options: {
+      method: req.method,
+      headers,
+      body
+    }
+  };
+}

package/build/cjs/web-server.cjs

@@ -0,0 +1,74 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __markAsModule = (target) => __defProp(target, "__esModule", {value: true});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {get: all[name], enumerable: true});
+};
+var __exportStar = (target, module2, desc) => {
+  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
+    for (let key of __getOwnPropNames(module2))
+      if (!__hasOwnProp.call(target, key) && key !== "default")
+        __defProp(target, key, {get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable});
+  }
+  return target;
+};
+var __toModule = (module2) => {
+  return __exportStar(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? {get: () => module2.default, enumerable: true} : {value: module2, enumerable: true})), module2);
+};
+
+// packages/@lwrjs/auth-middleware/src/web-server.ts
+__markAsModule(exports);
+__export(exports, {
+  platformWebServerAuthMiddleware: () => platformWebServerAuthMiddleware
+});
+var import_node_fetch = __toModule(require("node-fetch"));
+var import_utils = __toModule(require("./utils.cjs"));
+var MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
+function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.PROXY_ENDPOINT} = {}) {
+  let redirectUri;
+  const {myDomain, clientKey, clientSecret} = (0, import_utils.getPlatformWebServerEnvVars)();
+  server.get(import_utils.LOGIN_ENDPOINT, (req, res) => {
+    redirectUri = redirectUri || (0, import_utils.buildRedirectUrl)(req);
+    const state = (0, import_utils.getAppPathAsState)(req);
+    const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
+    res.set({Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}${state}`});
+    res.sendStatus(302);
+  });
+  server.get(import_utils.REDIRECT_ENDPOINT, async (req, res) => {
+    const {code, state} = req.query;
+    const appPath = state ? decodeURIComponent(state) : "/";
+    const response = await (0, import_node_fetch.default)(`${myDomain}/services/oauth2/token`, {
+      method: "POST",
+      headers: {"Content-Type": "application/x-www-form-urlencoded", Accept: "application/json"},
+      body: `grant_type=authorization_code&code=${code}&client_id=${clientKey}&client_secret=${clientSecret}&redirect_uri=${redirectUri}`
+    });
+    const data = await response.json();
+    if (response.ok) {
+      const {access_token, instance_url} = data;
+      res.cookie(import_utils.COOKIE_NAME, JSON.stringify({access_token, instance_url}), {httpOnly: true});
+      res.set({Location: appPath});
+      res.sendStatus(302);
+    } else {
+      const errorMsg = `${MESSAGE_PREFIX}could not authenticate.`;
+      console.error(errorMsg, data);
+      res.status(response.status).send(errorMsg);
+    }
+  });
+  server.all(`${proxyEndpoint}/${server.getRegexWildcard()}`, async (req, res) => {
+    const oauthInfo = (0, import_utils.getOauthInfoFromCookie)(req);
+    if (oauthInfo) {
+      const {url, options} = (0, import_utils.buildProxyRequest)(req, oauthInfo);
+      const proxyRes = await (0, import_node_fetch.default)(url, options);
+      const contentType = proxyRes.headers.get("Content-Type") || "";
+      const data = await (contentType.includes("application/json") ? proxyRes.json() : proxyRes.text());
+      res.status(proxyRes.status).send(data);
+    } else {
+      res.status(401).send(`${MESSAGE_PREFIX}user is not authenticated.`);
+    }
+  });
+}

package/build/es/index.d.ts

@@ -0,0 +1,2 @@
+export * from './web-server.js';
+//# sourceMappingURL=index.d.ts.map

package/build/es/index.js

@@ -0,0 +1,2 @@
+export * from './web-server.js';
+//# sourceMappingURL=index.js.map

package/build/es/types.d.ts

@@ -0,0 +1,27 @@
+export interface PlatformWebServerInput {
+    /** base URL to the Connected App, e.g. "https://lwr.lightning.force.com" (no trailing slash) */
+    myDomain: string;
+    /** "Consumer Key" from the Connected App */
+    clientKey: string;
+    /** "Consumer Secret" from the Connected App */
+    clientSecret: string;
+}
+export interface PlatformWebServerOptions {
+    /** The endpoint path through which all authenticated/proxied requests pass */
+    proxyEndpoint?: string;
+}
+export interface OAuthInfo {
+    /** The OAuth token, used to authenticate requests via the "Authentication: Bearer <token>" header */
+    access_token: string;
+    /** The URL to the Connected App which receives authenticated requests */
+    instance_url: string;
+}
+export interface RequestOptions {
+    url: string;
+    options: {
+        method: string;
+        headers?: Record<string, string>;
+        body?: string;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/build/es/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/build/es/utils.d.ts

@@ -0,0 +1,12 @@
+import type { MiddlewareRequest } from '@lwrjs/types';
+import type { OAuthInfo, RequestOptions, PlatformWebServerInput } from './types.js';
+export declare const LOGIN_ENDPOINT = "/login";
+export declare const REDIRECT_ENDPOINT = "/oauth";
+export declare const PROXY_ENDPOINT = "/services/data";
+export declare const COOKIE_NAME = "lwr_web_server_oauth_info";
+export declare function buildRedirectUrl(req: MiddlewareRequest): string;
+export declare function getPlatformWebServerEnvVars(): PlatformWebServerInput;
+export declare function getAppPathAsState(req: MiddlewareRequest): string;
+export declare function getOauthInfoFromCookie(req: MiddlewareRequest): OAuthInfo | undefined;
+export declare function buildProxyRequest(req: MiddlewareRequest, { access_token, instance_url }: OAuthInfo): RequestOptions;
+//# sourceMappingURL=utils.d.ts.map

package/build/es/utils.js

@@ -0,0 +1,64 @@
+export const LOGIN_ENDPOINT = '/login';
+export const REDIRECT_ENDPOINT = '/oauth';
+export const PROXY_ENDPOINT = '/services/data';
+export const COOKIE_NAME = 'lwr_web_server_oauth_info';
+const REDIRECT_QUERY = 'app_path';
+// Create an OAuth redirect URI from the origin of a request
+// Return the redirect URI encoded so it can be used as a query param
+export function buildRedirectUrl(req) {
+    return encodeURIComponent(`${req.protocol}://${req.get('host')}${REDIRECT_ENDPOINT}`);
+}
+// Retrieve and validate environment variables for the Web Server OAuth flow
+export function getPlatformWebServerEnvVars() {
+    const env = { myDomain: 'MY_DOMAIN', clientKey: 'CLIENT_KEY', clientSecret: 'CLIENT_SECRET' };
+    const myDomain = process.env[env.myDomain];
+    const clientKey = process.env[env.clientKey];
+    const clientSecret = process.env[env.clientSecret];
+    // The inputs are all required
+    const errorMsg = 'Web Server OAuth Middleware: missing process.env.';
+    if (!myDomain) {
+        throw new Error(`${errorMsg}${env.myDomain}`);
+    }
+    if (!clientKey) {
+        throw new Error(`${errorMsg}${env.clientKey}`);
+    }
+    if (!clientSecret) {
+        throw new Error(`${errorMsg}${env.clientSecret}`);
+    }
+    return { myDomain, clientKey, clientSecret };
+}
+// Parse the app_path query param, validate it, and return it as a state query param
+export function getAppPathAsState(req) {
+    let appPath = req.query[REDIRECT_QUERY];
+    if (appPath && !decodeURIComponent(appPath).startsWith('/')) {
+        console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
+        appPath = undefined;
+    }
+    return appPath ? `&state=${appPath}` : '';
+}
+// Get the token and url from the cookie
+export function getOauthInfoFromCookie(req) {
+    const oauthInfoStr = req.cookie(COOKIE_NAME);
+    return oauthInfoStr ? JSON.parse(oauthInfoStr) : undefined;
+}
+// Build an authenticated request based on a request to the proxy endpoint
+export function buildProxyRequest(req, { access_token, instance_url }) {
+    // Add the oauth header, future: forward any headers from the client?
+    const headers = {
+        Authorization: `Bearer ${access_token}`, // add the oauth header
+    };
+    // Pull the body from non-GET requests
+    let body;
+    if (req.method !== 'GET' && req.body) {
+        body = JSON.stringify(req.body);
+    }
+    return {
+        url: `${instance_url}${req.originalUrl}`,
+        options: {
+            method: req.method,
+            headers: headers,
+            body,
+        },
+    };
+}
+//# sourceMappingURL=utils.js.map

package/build/es/web-server.d.ts

@@ -0,0 +1,13 @@
+import type { InternalAppServer, ServerTypes } from '@lwrjs/types';
+import type { PlatformWebServerOptions } from './types.js';
+/**
+ * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
+ * Accepts the following environment variables:
+ *      - process.env.MY_DOMAIN
+ *      - process.env.CLIENT_KEY
+ *      - process.env.CLIENT_SECRET
+ * The login endpoint accepts the following query parameters:
+ *      - app_path: a path encoded string; the middleware redirects to this path after setting the OAuth token in a cookie; default is "/"
+ */
+export declare function platformWebServerAuthMiddleware<T extends ServerTypes>(server: InternalAppServer<T>, { proxyEndpoint }?: PlatformWebServerOptions): void;
+//# sourceMappingURL=web-server.d.ts.map

package/build/es/web-server.js

@@ -0,0 +1,71 @@
+import fetch from 'node-fetch';
+import { COOKIE_NAME, LOGIN_ENDPOINT, PROXY_ENDPOINT, REDIRECT_ENDPOINT, buildProxyRequest, buildRedirectUrl, getAppPathAsState, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
+const MESSAGE_PREFIX = 'Web Server OAuth Middleware - ';
+/**
+ * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
+ * Accepts the following environment variables:
+ *      - process.env.MY_DOMAIN
+ *      - process.env.CLIENT_KEY
+ *      - process.env.CLIENT_SECRET
+ * The login endpoint accepts the following query parameters:
+ *      - app_path: a path encoded string; the middleware redirects to this path after setting the OAuth token in a cookie; default is "/"
+ */
+export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_ENDPOINT } = {}) {
+    let redirectUri;
+    const { myDomain, clientKey, clientSecret } = getPlatformWebServerEnvVars();
+    // First, request an authorization code by redirecting to Salesforce login
+    // The LWR app should call this endpoint when authentication is needed
+    server.get(LOGIN_ENDPOINT, (req, res) => {
+        // Build the redirect URI and save the app path in the OAuth state, if included
+        redirectUri = redirectUri || buildRedirectUrl(req);
+        const state = getAppPathAsState(req);
+        // Redirect to the Salesforce login page
+        const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
+        res.set({ Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}${state}` });
+        res.sendStatus(302);
+    });
+    // Second, use the authorization code from the redirect URI to retrieve the token
+    // This route MUST BE the "Callback URL" in the Connected App OAuth settings
+    server.get(REDIRECT_ENDPOINT, async (req, res) => {
+        // Parse the code and state (i.e. app_path) query params
+        const { code, state } = req.query;
+        const appPath = state ? decodeURIComponent(state) : '/';
+        // Fetch the OAuth token
+        const response = await fetch(`${myDomain}/services/oauth2/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
+            body: `grant_type=authorization_code&code=${code}&client_id=${clientKey}&client_secret=${clientSecret}&redirect_uri=${redirectUri}`,
+        });
+        // Response handling
+        const data = await response.json();
+        if (response.ok) {
+            // Store the OAuth info in a cookie and redirect to the app
+            const { access_token, instance_url } = data;
+            res.cookie(COOKIE_NAME, JSON.stringify({ access_token, instance_url }), { httpOnly: true });
+            res.set({ Location: appPath });
+            res.sendStatus(302);
+        }
+        else {
+            // Print and forward the error JSON to the client
+            const errorMsg = `${MESSAGE_PREFIX}could not authenticate.`;
+            console.error(errorMsg, data);
+            res.status(response.status).send(errorMsg);
+        }
+    });
+    // Now, proxy requests using the token to authorize them
+    // e.g. /services/data/v52.0/ui-api/list-ui/Opportunity/AllOpportunities"
+    server.all(`${proxyEndpoint}/${server.getRegexWildcard()}`, async (req, res) => {
+        const oauthInfo = getOauthInfoFromCookie(req);
+        if (oauthInfo) {
+            const { url, options } = buildProxyRequest(req, oauthInfo);
+            const proxyRes = await fetch(url, options);
+            const contentType = proxyRes.headers.get('Content-Type') || ''; // parse as json or text
+            const data = await (contentType.includes('application/json') ? proxyRes.json() : proxyRes.text());
+            res.status(proxyRes.status).send(data);
+        }
+        else {
+            res.status(401).send(`${MESSAGE_PREFIX}user is not authenticated.`);
+        }
+    });
+}
+//# sourceMappingURL=web-server.js.map

package/package.json

@@ -0,0 +1,42 @@
+{
+    "name": "@lwrjs/auth-middleware",
+    "license": "MIT",
+    "publishConfig": {
+        "access": "public"
+    },
+    "version": "0.6.0",
+    "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/salesforce/lwr.git",
+        "directory": "packages/@lwrjs/auth-middleware"
+    },
+    "bugs": {
+        "url": "https://github.com/salesforce/lwr/issues"
+    },
+    "type": "module",
+    "types": "build/es/index.d.ts",
+    "main": "build/cjs/index.cjs",
+    "module": "build/es/index.js",
+    "exports": {
+        ".": {
+            "import": "./build/es/index.js",
+            "require": "./build/cjs/index.cjs"
+        }
+    },
+    "files": [
+        "build/**/*.js",
+        "build/**/*.cjs",
+        "build/**/*.d.ts"
+    ],
+    "devDependencies": {
+        "@lwrjs/server": "0.6.0",
+        "@lwrjs/types": "0.6.0",
+        "@types/node-fetch": "^2.5.12",
+        "node-fetch": "^2.6.1"
+    },
+    "engines": {
+        "node": ">=14.15.4 <17"
+    },
+    "gitHead": "31769655f0155ad7e54cf37bccdf72d0baaf44ab"
+}