npm - @lwrjs/auth-middleware - Versions diffs - 0.9.9-alpha.8 → 0.10.0-alpha.1 - Mend

@lwrjs/auth-middleware 0.9.9-alpha.8 → 0.10.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -23,7 +23,7 @@ const lwrApp = createServer(lwrConfig);
 platformWebServerAuthMiddleware(lwrApp.getServer()); // Pass in the generic LWR server interface
 ```
-> For more information on LWR middleware see [this recipe](https://github.com/salesforce/lwr-recipes/tree/master/packages/custom-middleware).
+> For more information on LWR middleware see [this recipe](https://github.com/salesforce-experience-platform-emu/lwr-recipes/tree/master/packages/custom-middleware).
 Start the LWR server, and pass the [Connected App information](#variables) in using environment variables:
@@ -66,16 +66,6 @@ Before using the LWR authentication middleware, the app developer must set up a
     - Make selections for a "Web Server Flow" (not Device or JWT flows).
     - Set the "Callback URL" to the [origin](https://developer.mozilla.org/en-US/docs/Web/API/URL/origin) of the LWR app with an `/oauth` path appended (e.g. `https://website.com/oauth`).
 2. Make a note of the "Consumer Key" (i.e. Client ID) and "Consumer Secret" (i.e. Client Secret) (or find them later in the App Manager).
-3. Let users self-authorize:
-    - In Setup, go to "Manage Connected Apps"
-    - Click "Edit" next to the new Connected App name
-    - Set "Permitted Users" to "All users may self-authorize"
-    - Click "Save"
-4. Allow Profiles access to the Connected App:
-    - In Setup, go to "Profiles"
-    - Click "Edit" next to the desired profile
-    - Select the Connected App under "Enable Connected Apps"
-    - Click "Save"
 ## Details
@@ -128,7 +118,7 @@ The LWR server takes the following steps in order to authenticate and make autho
 4. The user sees a login page in their browser and enters their username and password.
 5. The Connected app makes a request to the middleware's redirect URI (i.e. the `/oauth` endpoint) which includes the authorization code.
 6. The middleware POSTs to the org's `/services/oauth2/token` endpoint to request an OAuth token.
-7. Upon receiving the token, the middleware adds it to a [`httpOnly` cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) and redirects to the LWR app (i.e. `app_path`).
+7. Upon receiving the token, the middleware adds it to a secure [`httpOnly` cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) and redirects to the LWR app (i.e. `app_path`).
 8. When the middleware receives a request to the proxy endpoint, it forwards the request to the Salesforce org authorized with the OAuth token:
 ```js

package/build/cjs/utils.cjs CHANGED Viewed

@@ -10,14 +10,17 @@ __markAsModule(exports);
 __export(exports, {
   COOKIE_NAME: () => COOKIE_NAME,
   LOGIN_ENDPOINT: () => LOGIN_ENDPOINT,
+  MESSAGE_PREFIX: () => MESSAGE_PREFIX,
   PROXY_ENDPOINT: () => PROXY_ENDPOINT,
   REDIRECT_ENDPOINT: () => REDIRECT_ENDPOINT,
   buildProxyRequest: () => buildProxyRequest,
   buildRedirectUrl: () => buildRedirectUrl,
-  getAppPathAsState: () => getAppPathAsState,
+  generateStateString: () => generateStateString,
+  getAppPath: () => getAppPath,
   getOauthInfoFromCookie: () => getOauthInfoFromCookie,
   getPlatformWebServerEnvVars: () => getPlatformWebServerEnvVars
 });
+var MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
 var LOGIN_ENDPOINT = "/login";
 var REDIRECT_ENDPOINT = "/oauth";
 var PROXY_ENDPOINT = "/services/data";
@@ -43,13 +46,16 @@ function getPlatformWebServerEnvVars() {
   }
   return {myDomain, clientKey, clientSecret};
 }
-function getAppPathAsState(req) {
+function generateStateString() {
+  return `s${Math.floor(Math.random() * 65536).toString(16)}`;
+}
+function getAppPath(req) {
   let appPath = req.query[REDIRECT_QUERY];
   if (appPath && !decodeURIComponent(appPath).startsWith("/")) {
     console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
     appPath = void 0;
   }
-  return appPath ? `&state=${appPath}` : "";
+  return appPath ? decodeURIComponent(appPath) : "/";
 }
 function getOauthInfoFromCookie(req) {
   const oauthInfoStr = req.cookie(COOKIE_NAME);

package/build/cjs/web-server.cjs CHANGED Viewed

@@ -24,24 +24,34 @@ var __toModule = (module2) => {
 // packages/@lwrjs/auth-middleware/src/web-server.ts
 __markAsModule(exports);
 __export(exports, {
-  platformWebServerAuthMiddleware: () => platformWebServerAuthMiddleware
+  platformWebServerAuthMiddleware: () => platformWebServerAuthMiddleware,
+  stateMap: () => stateMap
 });
 var import_node_fetch = __toModule(require("node-fetch"));
 var import_utils = __toModule(require("./utils.cjs"));
-var MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
+var stateMap = {};
 function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.PROXY_ENDPOINT} = {}) {
   let redirectUri;
   const {myDomain, clientKey, clientSecret} = (0, import_utils.getPlatformWebServerEnvVars)();
   server.get(import_utils.LOGIN_ENDPOINT, (req, res) => {
     redirectUri = redirectUri || (0, import_utils.buildRedirectUrl)(req);
-    const state = (0, import_utils.getAppPathAsState)(req);
+    const stateStr = (0, import_utils.generateStateString)();
+    const appPath = (0, import_utils.getAppPath)(req);
+    stateMap[stateStr] = appPath;
     const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
-    res.set({Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}${state}`});
+    res.set({
+      Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}&state=${stateStr}`
+    });
     res.sendStatus(302);
   });
   server.get(import_utils.REDIRECT_ENDPOINT, async (req, res) => {
     const {code, state} = req.query;
-    const appPath = state ? decodeURIComponent(state) : "/";
+    const appPath = stateMap[state];
+    if (!appPath) {
+      res.status(400).send(`${import_utils.MESSAGE_PREFIX}invalid login attempt.`);
+      return;
+    }
+    delete stateMap[state];
     const response = await (0, import_node_fetch.default)(`${myDomain}/services/oauth2/token`, {
       method: "POST",
       headers: {"Content-Type": "application/x-www-form-urlencoded", Accept: "application/json"},
@@ -51,11 +61,14 @@ function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.P
     const data = await (contentType.includes("application/json") ? response.json() : response.text());
     if (response.ok) {
       const {access_token, instance_url} = data;
-      res.cookie(import_utils.COOKIE_NAME, JSON.stringify({access_token, instance_url}), {httpOnly: true});
+      res.cookie(import_utils.COOKIE_NAME, JSON.stringify({access_token, instance_url}), {
+        httpOnly: true,
+        secure: true
+      });
       res.set({Location: appPath});
       res.sendStatus(302);
     } else {
-      const errorMsg = `${MESSAGE_PREFIX}could not authenticate.`;
+      const errorMsg = `${import_utils.MESSAGE_PREFIX}could not authenticate.`;
       console.error(errorMsg, data);
       res.status(response.status).send(errorMsg);
     }
@@ -69,7 +82,7 @@ function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.P
       const data = await (contentType.includes("application/json") ? proxyRes.json() : proxyRes.text());
       res.status(proxyRes.status).send(data);
     } else {
-      res.status(401).send(`${MESSAGE_PREFIX}user is not authenticated.`);
+      res.status(401).send(`${import_utils.MESSAGE_PREFIX}user is not authenticated.`);
     }
   });
 }

package/build/es/utils.d.ts CHANGED Viewed

@@ -1,12 +1,14 @@
 import type { MiddlewareRequest, Headers } from '@lwrjs/types';
 import type { OAuthInfo, RequestOptions, PlatformWebServerInput } from './types.js';
+export declare const MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
 export declare const LOGIN_ENDPOINT = "/login";
 export declare const REDIRECT_ENDPOINT = "/oauth";
 export declare const PROXY_ENDPOINT = "/services/data";
 export declare const COOKIE_NAME = "lwr_web_server_oauth_info";
 export declare function buildRedirectUrl(req: MiddlewareRequest): string;
 export declare function getPlatformWebServerEnvVars(): PlatformWebServerInput;
-export declare function getAppPathAsState(req: MiddlewareRequest): string;
+export declare function generateStateString(): string;
+export declare function getAppPath(req: MiddlewareRequest): string;
 export declare function getOauthInfoFromCookie(req: MiddlewareRequest): OAuthInfo | undefined;
 export declare function buildProxyRequest(req: MiddlewareRequest, { access_token, instance_url }: OAuthInfo, existingHeader: Headers): RequestOptions;
 //# sourceMappingURL=utils.d.ts.map

package/build/es/utils.js CHANGED Viewed

@@ -1,3 +1,4 @@
+export const MESSAGE_PREFIX = 'Web Server OAuth Middleware - ';
 export const LOGIN_ENDPOINT = '/login';
 export const REDIRECT_ENDPOINT = '/oauth';
 export const PROXY_ENDPOINT = '/services/data';
@@ -27,14 +28,20 @@ export function getPlatformWebServerEnvVars() {
     }
     return { myDomain, clientKey, clientSecret };
 }
-// Parse the app_path query param, validate it, and return it as a state query param
-export function getAppPathAsState(req) {
+// Create a random string to use as the OAuth state value
+// This value is saved and used to verify the request in the REDIRECT_ENDPOINT
+// See: https://auth0.com/docs/secure/attack-protection/state-parameters
+export function generateStateString() {
+    return `s${Math.floor(Math.random() * 0x10000).toString(16)}`;
+}
+// Parse the app_path query param, validate it, and return it decoded. Default = "/"
+export function getAppPath(req) {
     let appPath = req.query[REDIRECT_QUERY];
     if (appPath && !decodeURIComponent(appPath).startsWith('/')) {
         console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
         appPath = undefined;
     }
-    return appPath ? `&state=${appPath}` : '';
+    return appPath ? decodeURIComponent(appPath) : '/';
 }
 // Get the token and url from the cookie
 export function getOauthInfoFromCookie(req) {

package/build/es/web-server.d.ts CHANGED Viewed

@@ -1,5 +1,8 @@
 import type { PublicAppServer, ServerTypes } from '@lwrjs/types';
 import type { PlatformWebServerOptions } from './types.js';
+export declare const stateMap: {
+    [key: string]: string;
+};
 /**
  * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
  * Accepts the following environment variables:

package/build/es/web-server.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import fetch from 'node-fetch';
-import { COOKIE_NAME, LOGIN_ENDPOINT, PROXY_ENDPOINT, REDIRECT_ENDPOINT, buildProxyRequest, buildRedirectUrl, getAppPathAsState, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
-const MESSAGE_PREFIX = 'Web Server OAuth Middleware - ';
+import { COOKIE_NAME, LOGIN_ENDPOINT, MESSAGE_PREFIX, PROXY_ENDPOINT, REDIRECT_ENDPOINT, buildProxyRequest, buildRedirectUrl, generateStateString, getAppPath, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
+export const stateMap = {};
 /**
  * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
  * Accepts the following environment variables:
@@ -16,20 +16,30 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
     // First, request an authorization code by redirecting to Salesforce login
     // The LWR app should call this endpoint when authentication is needed
     server.get(LOGIN_ENDPOINT, (req, res) => {
-        // Build the redirect URI and save the app path in the OAuth state, if included
+        // Build the redirect URI and save the app path in the state map
         redirectUri = redirectUri || buildRedirectUrl(req);
-        const state = getAppPathAsState(req);
+        const stateStr = generateStateString();
+        const appPath = getAppPath(req);
+        stateMap[stateStr] = appPath; // Save the state string for verification in step 2
         // Redirect to the Salesforce login page
         const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
-        res.set({ Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}${state}` });
+        res.set({
+            Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}&state=${stateStr}`,
+        });
         res.sendStatus(302);
     });
     // Second, use the authorization code from the redirect URI to retrieve the token
     // This route MUST BE the "Callback URL" in the Connected App OAuth settings
     server.get(REDIRECT_ENDPOINT, async (req, res) => {
-        // Parse the code and state (i.e. app_path) query params
+        // Parse the code and state string from the query params
         const { code, state } = req.query;
-        const appPath = state ? decodeURIComponent(state) : '/';
+        const appPath = stateMap[state];
+        // If the state string is not found in the map, the request is invalid
+        if (!appPath) {
+            res.status(400).send(`${MESSAGE_PREFIX}invalid login attempt.`);
+            return;
+        }
+        delete stateMap[state];
         // Fetch the OAuth token
         const response = await fetch(`${myDomain}/services/oauth2/token`, {
             method: 'POST',
@@ -44,7 +54,10 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
         if (response.ok) {
             // Store the OAuth info in a cookie and redirect to the app
             const { access_token, instance_url } = data;
-            res.cookie(COOKIE_NAME, JSON.stringify({ access_token, instance_url }), { httpOnly: true });
+            res.cookie(COOKIE_NAME, JSON.stringify({ access_token, instance_url }), {
+                httpOnly: true,
+                secure: true,
+            });
             res.set({ Location: appPath });
             res.sendStatus(302);
         }

package/package.json CHANGED Viewed

@@ -4,15 +4,15 @@
     "publishConfig": {
         "access": "public"
     },
-    "version": "0.9.9-alpha.8",
+    "version": "0.10.0-alpha.1",
     "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
     "repository": {
         "type": "git",
-        "url": "https://github.com/salesforce/lwr.git",
+        "url": "https://github.com/salesforce-experience-platform-emu/lwr.git",
         "directory": "packages/@lwrjs/auth-middleware"
     },
     "bugs": {
-        "url": "https://github.com/salesforce/lwr/issues"
+        "url": "https://github.com/salesforce-experience-platform-emu/lwr/issues"
     },
     "type": "module",
     "types": "build/es/index.d.ts",
@@ -30,15 +30,15 @@
         "build/**/*.d.ts"
     ],
     "dependencies": {
-        "node-fetch": "^2.6.1"
+        "node-fetch": "^2.6.8"
     },
     "devDependencies": {
-        "@lwrjs/server": "0.9.9-alpha.8",
-        "@lwrjs/types": "0.9.9-alpha.8",
+        "@lwrjs/server": "0.10.0-alpha.1",
+        "@lwrjs/types": "0.10.0-alpha.1",
         "@types/node-fetch": "^2.5.12"
     },
     "engines": {
-        "node": ">=14.15.4 <19"
+        "node": ">=16.0.0 <20"
     },
-    "gitHead": "ac15f9c862f53f0fab34ea229c8c27b1d66c9f7e"
+    "gitHead": "2683dd5839b4da2ed93d42874cfceb78cbb5bf0d"
 }