@lwrjs/auth-middleware 0.9.0-alpha.7 → 0.9.0-alpha.9

package/README.md

@@ -66,16 +66,6 @@ Before using the LWR authentication middleware, the app developer must set up a
     - Make selections for a "Web Server Flow" (not Device or JWT flows).
     - Set the "Callback URL" to the [origin](https://developer.mozilla.org/en-US/docs/Web/API/URL/origin) of the LWR app with an `/oauth` path appended (e.g. `https://website.com/oauth`).
 2. Make a note of the "Consumer Key" (i.e. Client ID) and "Consumer Secret" (i.e. Client Secret) (or find them later in the App Manager).
-3. Let users self-authorize:
-    - In Setup, go to "Manage Connected Apps"
-    - Click "Edit" next to the new Connected App name
-    - Set "Permitted Users" to "All users may self-authorize"
-    - Click "Save"
-4. Allow Profiles access to the Connected App:
-    - In Setup, go to "Profiles"
-    - Click "Edit" next to the desired profile
-    - Select the Connected App under "Enable Connected Apps"
-    - Click "Save"
 
 ## Details
 
@@ -128,7 +118,7 @@ The LWR server takes the following steps in order to authenticate and make autho
 4. The user sees a login page in their browser and enters their username and password.
 5. The Connected app makes a request to the middleware's redirect URI (i.e. the `/oauth` endpoint) which includes the authorization code.
 6. The middleware POSTs to the org's `/services/oauth2/token` endpoint to request an OAuth token.
-7. Upon receiving the token, the middleware adds it to a [`httpOnly` cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) and redirects to the LWR app (i.e. `app_path`).
+7. Upon receiving the token, the middleware adds it to a secure [`httpOnly` cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) and redirects to the LWR app (i.e. `app_path`).
 8. When the middleware receives a request to the proxy endpoint, it forwards the request to the Salesforce org authorized with the OAuth token:
 
 ```js

package/build/cjs/utils.cjs

@@ -10,14 +10,17 @@ __markAsModule(exports);
 __export(exports, {
   COOKIE_NAME: () => COOKIE_NAME,
   LOGIN_ENDPOINT: () => LOGIN_ENDPOINT,
+  MESSAGE_PREFIX: () => MESSAGE_PREFIX,
   PROXY_ENDPOINT: () => PROXY_ENDPOINT,
   REDIRECT_ENDPOINT: () => REDIRECT_ENDPOINT,
   buildProxyRequest: () => buildProxyRequest,
   buildRedirectUrl: () => buildRedirectUrl,
-  getAppPathAsState: () => getAppPathAsState,
+  generateStateString: () => generateStateString,
+  getAppPath: () => getAppPath,
   getOauthInfoFromCookie: () => getOauthInfoFromCookie,
   getPlatformWebServerEnvVars: () => getPlatformWebServerEnvVars
 });
+var MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
 var LOGIN_ENDPOINT = "/login";
 var REDIRECT_ENDPOINT = "/oauth";
 var PROXY_ENDPOINT = "/services/data";
@@ -43,13 +46,16 @@ function getPlatformWebServerEnvVars() {
   }
   return {myDomain, clientKey, clientSecret};
 }
-function getAppPathAsState(req) {
+function generateStateString() {
+  return `s${Math.floor(Math.random() * 65536).toString(16)}`;
+}
+function getAppPath(req) {
   let appPath = req.query[REDIRECT_QUERY];
   if (appPath && !decodeURIComponent(appPath).startsWith("/")) {
     console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
     appPath = void 0;
   }
-  return appPath ? `&state=${appPath}` : "";
+  return appPath ? decodeURIComponent(appPath) : "/";
 }
 function getOauthInfoFromCookie(req) {
   const oauthInfoStr = req.cookie(COOKIE_NAME);

package/build/cjs/web-server.cjs

@@ -24,24 +24,34 @@ var __toModule = (module2) => {
 // packages/@lwrjs/auth-middleware/src/web-server.ts
 __markAsModule(exports);
 __export(exports, {
-  platformWebServerAuthMiddleware: () => platformWebServerAuthMiddleware
+  platformWebServerAuthMiddleware: () => platformWebServerAuthMiddleware,
+  stateMap: () => stateMap
 });
 var import_node_fetch = __toModule(require("node-fetch"));
 var import_utils = __toModule(require("./utils.cjs"));
-var MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
+var stateMap = {};
 function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.PROXY_ENDPOINT} = {}) {
   let redirectUri;
   const {myDomain, clientKey, clientSecret} = (0, import_utils.getPlatformWebServerEnvVars)();
   server.get(import_utils.LOGIN_ENDPOINT, (req, res) => {
     redirectUri = redirectUri || (0, import_utils.buildRedirectUrl)(req);
-    const state = (0, import_utils.getAppPathAsState)(req);
+    const stateStr = (0, import_utils.generateStateString)();
+    const appPath = (0, import_utils.getAppPath)(req);
+    stateMap[stateStr] = appPath;
     const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
-    res.set({Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}${state}`});
+    res.set({
+      Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}&state=${stateStr}`
+    });
     res.sendStatus(302);
   });
   server.get(import_utils.REDIRECT_ENDPOINT, async (req, res) => {
     const {code, state} = req.query;
-    const appPath = state ? decodeURIComponent(state) : "/";
+    const appPath = stateMap[state];
+    if (!appPath) {
+      res.status(400).send(`${import_utils.MESSAGE_PREFIX}invalid login attempt.`);
+      return;
+    }
+    delete stateMap[state];
     const response = await (0, import_node_fetch.default)(`${myDomain}/services/oauth2/token`, {
       method: "POST",
       headers: {"Content-Type": "application/x-www-form-urlencoded", Accept: "application/json"},
@@ -51,11 +61,14 @@ function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.P
     const data = await (contentType.includes("application/json") ? response.json() : response.text());
     if (response.ok) {
       const {access_token, instance_url} = data;
-      res.cookie(import_utils.COOKIE_NAME, JSON.stringify({access_token, instance_url}), {httpOnly: true});
+      res.cookie(import_utils.COOKIE_NAME, JSON.stringify({access_token, instance_url}), {
+        httpOnly: true,
+        secure: true
+      });
       res.set({Location: appPath});
       res.sendStatus(302);
     } else {
-      const errorMsg = `${MESSAGE_PREFIX}could not authenticate.`;
+      const errorMsg = `${import_utils.MESSAGE_PREFIX}could not authenticate.`;
       console.error(errorMsg, data);
       res.status(response.status).send(errorMsg);
     }
@@ -69,7 +82,7 @@ function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.P
       const data = await (contentType.includes("application/json") ? proxyRes.json() : proxyRes.text());
       res.status(proxyRes.status).send(data);
     } else {
-      res.status(401).send(`${MESSAGE_PREFIX}user is not authenticated.`);
+      res.status(401).send(`${import_utils.MESSAGE_PREFIX}user is not authenticated.`);
     }
   });
 }

package/build/es/utils.d.ts

@@ -1,12 +1,14 @@
 import type { MiddlewareRequest, Headers } from '@lwrjs/types';
 import type { OAuthInfo, RequestOptions, PlatformWebServerInput } from './types.js';
+export declare const MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
 export declare const LOGIN_ENDPOINT = "/login";
 export declare const REDIRECT_ENDPOINT = "/oauth";
 export declare const PROXY_ENDPOINT = "/services/data";
 export declare const COOKIE_NAME = "lwr_web_server_oauth_info";
 export declare function buildRedirectUrl(req: MiddlewareRequest): string;
 export declare function getPlatformWebServerEnvVars(): PlatformWebServerInput;
-export declare function getAppPathAsState(req: MiddlewareRequest): string;
+export declare function generateStateString(): string;
+export declare function getAppPath(req: MiddlewareRequest): string;
 export declare function getOauthInfoFromCookie(req: MiddlewareRequest): OAuthInfo | undefined;
 export declare function buildProxyRequest(req: MiddlewareRequest, { access_token, instance_url }: OAuthInfo, existingHeader: Headers): RequestOptions;
 //# sourceMappingURL=utils.d.ts.map

package/build/es/utils.js

@@ -1,3 +1,4 @@
+export const MESSAGE_PREFIX = 'Web Server OAuth Middleware - ';
 export const LOGIN_ENDPOINT = '/login';
 export const REDIRECT_ENDPOINT = '/oauth';
 export const PROXY_ENDPOINT = '/services/data';
@@ -27,14 +28,20 @@ export function getPlatformWebServerEnvVars() {
     }
     return { myDomain, clientKey, clientSecret };
 }
-// Parse the app_path query param, validate it, and return it as a state query param
-export function getAppPathAsState(req) {
+// Create a random string to use as the OAuth state value
+// This value is saved and used to verify the request in the REDIRECT_ENDPOINT
+// See: https://auth0.com/docs/secure/attack-protection/state-parameters
+export function generateStateString() {
+    return `s${Math.floor(Math.random() * 0x10000).toString(16)}`;
+}
+// Parse the app_path query param, validate it, and return it decoded. Default = "/"
+export function getAppPath(req) {
     let appPath = req.query[REDIRECT_QUERY];
     if (appPath && !decodeURIComponent(appPath).startsWith('/')) {
         console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
         appPath = undefined;
     }
-    return appPath ? `&state=${appPath}` : '';
+    return appPath ? decodeURIComponent(appPath) : '/';
 }
 // Get the token and url from the cookie
 export function getOauthInfoFromCookie(req) {

package/build/es/web-server.d.ts

@@ -1,5 +1,8 @@
 import type { PublicAppServer, ServerTypes } from '@lwrjs/types';
 import type { PlatformWebServerOptions } from './types.js';
+export declare const stateMap: {
+    [key: string]: string;
+};
 /**
  * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
  * Accepts the following environment variables:

package/build/es/web-server.js

@@ -1,6 +1,6 @@
 import fetch from 'node-fetch';
-import { COOKIE_NAME, LOGIN_ENDPOINT, PROXY_ENDPOINT, REDIRECT_ENDPOINT, buildProxyRequest, buildRedirectUrl, getAppPathAsState, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
-const MESSAGE_PREFIX = 'Web Server OAuth Middleware - ';
+import { COOKIE_NAME, LOGIN_ENDPOINT, MESSAGE_PREFIX, PROXY_ENDPOINT, REDIRECT_ENDPOINT, buildProxyRequest, buildRedirectUrl, generateStateString, getAppPath, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
+export const stateMap = {};
 /**
  * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
  * Accepts the following environment variables:
@@ -16,20 +16,30 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
     // First, request an authorization code by redirecting to Salesforce login
     // The LWR app should call this endpoint when authentication is needed
     server.get(LOGIN_ENDPOINT, (req, res) => {
-        // Build the redirect URI and save the app path in the OAuth state, if included
+        // Build the redirect URI and save the app path in the state map
         redirectUri = redirectUri || buildRedirectUrl(req);
-        const state = getAppPathAsState(req);
+        const stateStr = generateStateString();
+        const appPath = getAppPath(req);
+        stateMap[stateStr] = appPath; // Save the state string for verification in step 2
         // Redirect to the Salesforce login page
         const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
-        res.set({ Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}${state}` });
+        res.set({
+            Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}&state=${stateStr}`,
+        });
         res.sendStatus(302);
     });
     // Second, use the authorization code from the redirect URI to retrieve the token
     // This route MUST BE the "Callback URL" in the Connected App OAuth settings
     server.get(REDIRECT_ENDPOINT, async (req, res) => {
-        // Parse the code and state (i.e. app_path) query params
+        // Parse the code and state string from the query params
         const { code, state } = req.query;
-        const appPath = state ? decodeURIComponent(state) : '/';
+        const appPath = stateMap[state];
+        // If the state string is not found in the map, the request is invalid
+        if (!appPath) {
+            res.status(400).send(`${MESSAGE_PREFIX}invalid login attempt.`);
+            return;
+        }
+        delete stateMap[state];
         // Fetch the OAuth token
         const response = await fetch(`${myDomain}/services/oauth2/token`, {
             method: 'POST',
@@ -44,7 +54,10 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
         if (response.ok) {
             // Store the OAuth info in a cookie and redirect to the app
             const { access_token, instance_url } = data;
-            res.cookie(COOKIE_NAME, JSON.stringify({ access_token, instance_url }), { httpOnly: true });
+            res.cookie(COOKIE_NAME, JSON.stringify({ access_token, instance_url }), {
+                httpOnly: true,
+                secure: true,
+            });
             res.set({ Location: appPath });
             res.sendStatus(302);
         }

package/package.json

@@ -4,7 +4,7 @@
     "publishConfig": {
         "access": "public"
     },
-    "version": "0.9.0-alpha.7",
+    "version": "0.9.0-alpha.9",
     "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
     "repository": {
         "type": "git",
@@ -33,12 +33,12 @@
         "node-fetch": "^2.6.1"
     },
     "devDependencies": {
-        "@lwrjs/server": "0.9.0-alpha.7",
-        "@lwrjs/types": "0.9.0-alpha.7",
+        "@lwrjs/server": "0.9.0-alpha.9",
+        "@lwrjs/types": "0.9.0-alpha.9",
         "@types/node-fetch": "^2.5.12"
     },
     "engines": {
         "node": ">=14.15.4 <19"
     },
-    "gitHead": "b442dafaf3416c8c86f0e05c1644b805aac3decd"
+    "gitHead": "93522592d25375bb20da156f864d153ffcd3ec88"
 }