@mastra/auth-okta 0.0.0

package/dist/index.js

@@ -0,0 +1,585 @@
+import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';
+import pkg from '@okta/okta-sdk-nodejs';
+import { LRUCache } from 'lru-cache';
+import { MastraAuthProvider } from '@mastra/core/server';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+
+// src/rbac-provider.ts
+var { Client } = pkg;
+var DEFAULT_CACHE_TTL_MS = 60 * 1e3;
+var DEFAULT_CACHE_MAX_SIZE = 1e3;
+var MastraRBACOkta = class {
+  oktaClient;
+  options;
+  /**
+   * Single cache for roles (the expensive Okta API call).
+   * Permissions are derived from roles on-the-fly (cheap, synchronous).
+   * Storing promises handles concurrent request deduplication.
+   */
+  rolesCache;
+  /**
+   * Expose roleMapping for middleware access.
+   * This allows the authorization middleware to resolve permissions
+   * without needing to call the async methods.
+   */
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  /**
+   * Create a new Okta RBAC provider.
+   *
+   * @param options - RBAC configuration options
+   */
+  constructor(options) {
+    const domain = options.domain ?? process.env.OKTA_DOMAIN;
+    const apiToken = options.apiToken ?? process.env.OKTA_API_TOKEN;
+    if (!domain) {
+      throw new Error(
+        "Okta domain is required. Provide it in the options or set OKTA_DOMAIN environment variable."
+      );
+    }
+    if (!apiToken) {
+      throw new Error(
+        "Okta API token is required for RBAC. Provide it in the options or set OKTA_API_TOKEN environment variable."
+      );
+    }
+    this.oktaClient = new Client({
+      orgUrl: `https://${domain}`,
+      token: apiToken
+    });
+    this.options = options;
+    this.rolesCache = new LRUCache({
+      max: options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE,
+      ttl: options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS
+    });
+  }
+  /**
+   * Get all roles (groups) for a user from Okta.
+   *
+   * If the user object already has groups attached, uses those.
+   * Otherwise, fetches groups from Okta API and caches the result.
+   *
+   * @param user - User to get roles for
+   * @returns Array of group names
+   */
+  async getRoles(user) {
+    if (user.groups && user.groups.length > 0) {
+      return user.groups;
+    }
+    const userId = this.resolveUserId(user);
+    if (!userId) {
+      return [];
+    }
+    const cached = this.rolesCache.get(userId);
+    if (cached) {
+      return cached;
+    }
+    const groupsPromise = this.fetchGroupsFromOkta(userId).catch((err) => {
+      console.error(`[MastraRBACOkta] Failed to fetch groups for user ${userId}:`, err);
+      this.rolesCache.delete(userId);
+      return [];
+    });
+    this.rolesCache.set(userId, groupsPromise);
+    return groupsPromise;
+  }
+  /**
+   * Resolve the Okta user ID from the user object.
+   * Uses custom getUserId function if provided, otherwise falls back to oktaId or id.
+   */
+  resolveUserId(user) {
+    if (this.options.getUserId) {
+      return this.options.getUserId(user);
+    }
+    return user.oktaId ?? user.id;
+  }
+  /**
+   * Fetch groups from Okta API.
+   * Errors propagate to the caller so the cache eviction in getRoles() works.
+   */
+  async fetchGroupsFromOkta(userId) {
+    const groups = await this.oktaClient.userApi.listUserGroups({ userId });
+    const groupNames = [];
+    for await (const group of groups) {
+      if (group && group.profile?.name) {
+        groupNames.push(group.profile.name);
+      }
+    }
+    return groupNames;
+  }
+  /**
+   * Check if a user has a specific role (group).
+   *
+   * @param user - User to check
+   * @param role - Group name to check for
+   * @returns True if user has the group
+   */
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  /**
+   * Get all permissions for a user by mapping their Okta groups.
+   *
+   * @param user - User to get permissions for
+   * @returns Array of permission strings
+   */
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    return resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  /**
+   * Check if a user has a specific permission.
+   *
+   * @param user - User to check
+   * @param permission - Permission to check for (supports wildcards)
+   * @returns True if user has the permission
+   */
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((granted) => matchesPermission(granted, permission));
+  }
+  /**
+   * Check if a user has ALL of the specified permissions.
+   *
+   * @param user - User to check
+   * @param permissions - Permissions to check for
+   * @returns True if user has all permissions
+   */
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((granted) => matchesPermission(granted, required)));
+  }
+  /**
+   * Check if a user has ANY of the specified permissions.
+   *
+   * @param user - User to check
+   * @param permissions - Permissions to check for
+   * @returns True if user has at least one permission
+   */
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((granted) => matchesPermission(granted, required)));
+  }
+};
+
+// src/types.ts
+function mapOktaClaimsToUser(payload) {
+  return {
+    id: payload.sub || payload.uid || "",
+    oktaId: payload.sub || payload.uid || "",
+    email: payload.email,
+    name: payload.name || [payload.given_name, payload.family_name].filter(Boolean).join(" ") || payload.email || void 0,
+    avatarUrl: payload.picture,
+    groups: payload.groups,
+    metadata: {
+      oktaId: payload.sub,
+      emailVerified: payload.email_verified,
+      updatedAt: payload.updated_at
+    }
+  };
+}
+
+// src/auth-provider.ts
+var DEFAULT_COOKIE_NAME = "okta_session";
+var DEFAULT_COOKIE_MAX_AGE = 86400;
+var DEFAULT_SCOPES = ["openid", "profile", "email", "groups"];
+var SALT_LENGTH = 16;
+var IV_LENGTH = 12;
+async function deriveKey(password, salt, usage) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(password), "PBKDF2", false, [
+    "deriveBits",
+    "deriveKey"
+  ]);
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: 1e5, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    [usage]
+  );
+}
+async function encryptSession(data, password) {
+  const encoder = new TextEncoder();
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+  const key = await deriveKey(password, salt, "encrypt");
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const encrypted = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, encoder.encode(JSON.stringify(data)));
+  const combined = new Uint8Array(salt.length + iv.length + new Uint8Array(encrypted).length);
+  combined.set(salt);
+  combined.set(iv, salt.length);
+  combined.set(new Uint8Array(encrypted), salt.length + iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decryptSession(encrypted, password) {
+  const combined = Uint8Array.from(atob(encrypted), (c) => c.charCodeAt(0));
+  const salt = combined.slice(0, SALT_LENGTH);
+  const iv = combined.slice(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);
+  const data = combined.slice(SALT_LENGTH + IV_LENGTH);
+  const key = await deriveKey(password, salt, "decrypt");
+  const decrypted = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, data);
+  return JSON.parse(new TextDecoder().decode(decrypted));
+}
+var stateStore = /* @__PURE__ */ new Map();
+var MastraAuthOkta = class extends MastraAuthProvider {
+  domain;
+  clientId;
+  clientSecret;
+  issuer;
+  redirectUri;
+  scopes;
+  cookieName;
+  cookieMaxAge;
+  cookiePassword;
+  secureCookies;
+  apiToken;
+  jwks;
+  constructor(options) {
+    super({ name: options?.name ?? "okta" });
+    const domain = options?.domain ?? process.env.OKTA_DOMAIN;
+    const clientId = options?.clientId ?? process.env.OKTA_CLIENT_ID;
+    const clientSecret = options?.clientSecret ?? process.env.OKTA_CLIENT_SECRET;
+    const issuer = options?.issuer ?? process.env.OKTA_ISSUER;
+    const redirectUri = options?.redirectUri ?? process.env.OKTA_REDIRECT_URI;
+    const cookiePassword = options?.session?.cookiePassword ?? process.env.OKTA_COOKIE_PASSWORD ?? crypto.randomUUID() + crypto.randomUUID();
+    if (!domain) {
+      throw new Error("Okta domain is required. Provide it in the options or set OKTA_DOMAIN environment variable.");
+    }
+    if (!clientId) {
+      throw new Error(
+        "Okta client ID is required. Provide it in the options or set OKTA_CLIENT_ID environment variable."
+      );
+    }
+    if (!clientSecret) {
+      throw new Error(
+        "Okta client secret is required for SSO. Provide it in the options or set OKTA_CLIENT_SECRET environment variable."
+      );
+    }
+    if (!redirectUri) {
+      throw new Error(
+        "Okta redirect URI is required for SSO. Provide it in the options or set OKTA_REDIRECT_URI environment variable."
+      );
+    }
+    if (cookiePassword.length < 32) {
+      throw new Error("Cookie password must be at least 32 characters. Set OKTA_COOKIE_PASSWORD environment variable.");
+    }
+    this.domain = domain;
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    this.issuer = issuer ?? `https://${domain}/oauth2/default`;
+    this.redirectUri = redirectUri;
+    this.scopes = options?.scopes ?? DEFAULT_SCOPES;
+    this.cookieName = options?.session?.cookieName ?? DEFAULT_COOKIE_NAME;
+    this.cookieMaxAge = options?.session?.cookieMaxAge ?? DEFAULT_COOKIE_MAX_AGE;
+    this.cookiePassword = cookiePassword;
+    this.secureCookies = options?.session?.secureCookies ?? process.env.NODE_ENV === "production";
+    this.apiToken = options?.apiToken ?? process.env.OKTA_API_TOKEN;
+    this.jwks = createRemoteJWKSet(new URL(`${this.issuer}/v1/keys`));
+    if (!options?.session?.cookiePassword && !process.env.OKTA_COOKIE_PASSWORD) {
+      console.warn(
+        "[MastraAuthOkta] No cookie password set \u2014 using auto-generated value. Sessions will not survive restarts and will break in multi-instance deployments. Set OKTA_COOKIE_PASSWORD for production use."
+      );
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn(
+        "[MastraAuthOkta] Using in-memory OAuth state store. This will not work in serverless or multi-instance deployments. Consider implementing a custom state store for production."
+      );
+    }
+    this.registerOptions(options);
+  }
+  // ============================================================================
+  // MastraAuthProvider Implementation
+  // ============================================================================
+  /**
+   * Authenticate a token from the request.
+   * First tries to read from session cookie, then falls back to Authorization header.
+   */
+  async authenticateToken(token, request) {
+    const sessionUser = await this.getUserFromSession(request);
+    if (sessionUser) {
+      return sessionUser;
+    }
+    if (!token || typeof token !== "string") {
+      return null;
+    }
+    try {
+      const { payload } = await jwtVerify(token, this.jwks, {
+        issuer: this.issuer,
+        audience: this.clientId
+      });
+      return mapOktaClaimsToUser(payload);
+    } catch (err) {
+      console.error("Okta token verification failed:", err);
+      return null;
+    }
+  }
+  /**
+   * Authorize a user.
+   */
+  authorizeUser(user, _request) {
+    if (!user || !user.oktaId) return false;
+    return true;
+  }
+  // ============================================================================
+  // IUserProvider Implementation
+  // ============================================================================
+  /**
+   * Get the current user from the request session.
+   */
+  async getCurrentUser(request) {
+    return this.getUserFromSession(request);
+  }
+  /**
+   * Get a user by ID via the Okta Users API.
+   * Requires an API token (set OKTA_API_TOKEN or pass apiToken in options).
+   * Returns null if no API token is configured or user is not found.
+   */
+  async getUser(userId) {
+    if (!this.apiToken) {
+      return null;
+    }
+    try {
+      const response = await fetch(`https://${this.domain}/api/v1/users/${userId}`, {
+        headers: {
+          Authorization: `SSWS ${this.apiToken}`,
+          Accept: "application/json"
+        }
+      });
+      if (!response.ok) {
+        return null;
+      }
+      const oktaProfile = await response.json();
+      return {
+        id: oktaProfile.id,
+        oktaId: oktaProfile.id,
+        email: oktaProfile.profile.email,
+        name: [oktaProfile.profile.firstName, oktaProfile.profile.lastName].filter(Boolean).join(" ") || void 0
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Get user from session cookie.
+   */
+  async getUserFromSession(request) {
+    try {
+      const cookieHeader = "header" in request ? request.header("cookie") : request.headers.get("cookie");
+      if (!cookieHeader) return null;
+      const cookies = cookieHeader.split(";").map((c) => c.trim());
+      const sessionCookie = cookies.find((c) => c.startsWith(`${this.cookieName}=`));
+      if (!sessionCookie) return null;
+      const sessionValue = sessionCookie.split("=")[1];
+      if (!sessionValue) return null;
+      const session = await decryptSession(decodeURIComponent(sessionValue), this.cookiePassword);
+      if (session.expiresAt && session.expiresAt < Date.now()) {
+        return null;
+      }
+      return session.user;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Extract the raw ID token from the encrypted session cookie.
+   * Used to provide id_token_hint for Okta logout.
+   */
+  async getIdTokenFromSession(request) {
+    try {
+      const cookieHeader = "header" in request ? request.header("cookie") : request.headers.get("cookie");
+      if (!cookieHeader) return null;
+      const cookies = cookieHeader.split(";").map((c) => c.trim());
+      const sessionCookie = cookies.find((c) => c.startsWith(`${this.cookieName}=`));
+      if (!sessionCookie) return null;
+      const sessionValue = sessionCookie.split("=")[1];
+      if (!sessionValue) return null;
+      const session = await decryptSession(decodeURIComponent(sessionValue), this.cookiePassword);
+      return session.idToken ?? null;
+    } catch {
+      return null;
+    }
+  }
+  // ============================================================================
+  // ISSOProvider Implementation
+  // ============================================================================
+  /**
+   * Get the URL to redirect users to for Okta login.
+   * Uses client_secret authentication (no PKCE) since this is a confidential client.
+   */
+  getLoginUrl(redirectUri, state) {
+    const stateId = state.includes("|") ? state.split("|")[0] : state;
+    const actualRedirectUri = redirectUri ?? this.redirectUri;
+    stateStore.set(stateId, {
+      expiresAt: Date.now() + 10 * 60 * 1e3,
+      redirectUri: actualRedirectUri
+    });
+    for (const [key, value] of stateStore.entries()) {
+      if (value.expiresAt < Date.now()) {
+        stateStore.delete(key);
+      }
+    }
+    const params = new URLSearchParams({
+      client_id: this.clientId,
+      response_type: "code",
+      scope: this.scopes.join(" "),
+      redirect_uri: actualRedirectUri,
+      state
+    });
+    return `${this.issuer}/v1/authorize?${params.toString()}`;
+  }
+  /**
+   * Handle the OAuth callback from Okta.
+   * Note: The server passes only the stateId (UUID part), not the full state.
+   */
+  async handleCallback(code, stateId) {
+    const stored = stateStore.get(stateId);
+    if (!stored) {
+      throw new Error("Invalid or expired state parameter");
+    }
+    stateStore.delete(stateId);
+    if (stored.expiresAt < Date.now()) {
+      throw new Error("State parameter has expired");
+    }
+    const tokenResponse = await fetch(`${this.issuer}/v1/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Basic ${btoa(`${this.clientId}:${this.clientSecret}`)}`
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: stored.redirectUri
+      })
+    });
+    if (!tokenResponse.ok) {
+      const error = await tokenResponse.text();
+      throw new Error(`Token exchange failed: ${error}`);
+    }
+    const tokens = await tokenResponse.json();
+    const { payload: idTokenPayload } = await jwtVerify(tokens.id_token, this.jwks, {
+      issuer: this.issuer,
+      audience: this.clientId
+    });
+    const user = mapOktaClaimsToUser(idTokenPayload);
+    const sessionData = {
+      user,
+      idToken: tokens.id_token,
+      expiresAt: Date.now() + tokens.expires_in * 1e3
+    };
+    const encryptedSession = await encryptSession(sessionData, this.cookiePassword);
+    const cookieValue = `${this.cookieName}=${encodeURIComponent(encryptedSession)}; ${this.cookieFlags(this.cookieMaxAge)}`;
+    return {
+      user,
+      tokens: {
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        idToken: tokens.id_token,
+        expiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+      },
+      cookies: [cookieValue]
+    };
+  }
+  /**
+   * Get the URL to redirect users to for logout.
+   * Includes id_token_hint from session when available (required by Okta).
+   */
+  async getLogoutUrl(redirectUri, request) {
+    const params = new URLSearchParams({
+      post_logout_redirect_uri: redirectUri,
+      client_id: this.clientId
+    });
+    if (request) {
+      const idToken = await this.getIdTokenFromSession(request);
+      if (idToken) {
+        params.set("id_token_hint", idToken);
+      }
+    }
+    return `${this.issuer}/v1/logout?${params.toString()}`;
+  }
+  /**
+   * Get cookies to set during login.
+   */
+  getLoginCookies(_state) {
+    return [];
+  }
+  /**
+   * Get the configuration for rendering the login button.
+   */
+  getLoginButtonConfig() {
+    return {
+      provider: "okta",
+      text: "Sign in with Okta"
+    };
+  }
+  // ============================================================================
+  // ISessionProvider Implementation
+  // ============================================================================
+  async createSession(userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    return {
+      id: crypto.randomUUID(),
+      userId,
+      createdAt: now,
+      expiresAt: new Date(now.getTime() + this.cookieMaxAge * 1e3),
+      metadata
+    };
+  }
+  async validateSession(_sessionId) {
+    return null;
+  }
+  async destroySession(_sessionId) {
+  }
+  async refreshSession(_sessionId) {
+    return null;
+  }
+  getSessionIdFromRequest(_request) {
+    return null;
+  }
+  getSessionHeaders(_session) {
+    return {};
+  }
+  getClearSessionHeaders() {
+    return {
+      "Set-Cookie": `${this.cookieName}=; ${this.cookieFlags(0)}`
+    };
+  }
+  /**
+   * Build consistent cookie attribute string for set/clear operations.
+   */
+  cookieFlags(maxAge) {
+    const flags = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}`;
+    return this.secureCookies ? `${flags}; Secure` : flags;
+  }
+  // ============================================================================
+  // Helper Methods
+  // ============================================================================
+  /**
+   * Get the Okta domain.
+   */
+  getDomain() {
+    return this.domain;
+  }
+  /**
+   * Get the configured client ID.
+   */
+  getClientId() {
+    return this.clientId;
+  }
+  /**
+   * Get the configured redirect URI.
+   */
+  getRedirectUri() {
+    return this.redirectUri;
+  }
+  /**
+   * Get the issuer URL.
+   */
+  getIssuer() {
+    return this.issuer;
+  }
+};
+
+export { MastraAuthOkta, MastraRBACOkta, mapOktaClaimsToUser };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map