@memberjunction/server 2.89.0 → 2.91.0

package/src/auth/AuthProviderFactory.ts

@@ -0,0 +1,152 @@
+import { AuthProviderConfig } from '@memberjunction/core';
+import { IAuthProvider } from './IAuthProvider.js';
+import { BaseAuthProvider } from './BaseAuthProvider.js';
+import { MJGlobal } from '@memberjunction/global';
+
+// Import providers to ensure they're registered
+import './providers/Auth0Provider.js';
+import './providers/MSALProvider.js';
+import './providers/OktaProvider.js';
+import './providers/CognitoProvider.js';
+import './providers/GoogleProvider.js';
+
+/**
+ * Factory and registry for managing authentication providers
+ * Combines provider creation and lifecycle management in a single class
+ */
+export class AuthProviderFactory {
+  private static instance: AuthProviderFactory;
+  private providers: Map<string, IAuthProvider> = new Map();
+  private issuerCache: Map<string, IAuthProvider> = new Map();
+
+  private constructor() {}
+
+  /**
+   * Gets the singleton instance of the factory
+   */
+  static getInstance(): AuthProviderFactory {
+    if (!AuthProviderFactory.instance) {
+      AuthProviderFactory.instance = new AuthProviderFactory();
+    }
+    return AuthProviderFactory.instance;
+  }
+
+  /**
+   * Creates an authentication provider instance based on configuration
+   * Uses MJGlobal ClassFactory to instantiate the correct provider class
+   */
+  static createProvider(config: AuthProviderConfig): IAuthProvider {
+    try {
+      // Use MJGlobal ClassFactory to create the provider instance
+      // The provider type in config should match the key used in @RegisterClass
+      // The config is passed as a constructor parameter via the spread operator
+      const provider = MJGlobal.Instance.ClassFactory.CreateInstance<BaseAuthProvider>(
+        BaseAuthProvider,
+        config.type.toLowerCase(),
+        config
+      );
+      
+      if (!provider) {
+        throw new Error(`No provider registered for type: ${config.type}`);
+      }
+      
+      return provider;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`Failed to create authentication provider for type '${config.type}': ${message}`);
+    }
+  }
+
+  /**
+   * Registers a new authentication provider
+   */
+  register(provider: IAuthProvider): void {
+    if (!provider.validateConfig()) {
+      throw new Error(`Invalid configuration for provider: ${provider.name}`);
+    }
+
+    this.providers.set(provider.name, provider);
+    
+    // Clear issuer cache when registering new provider
+    this.issuerCache.clear();
+    
+    console.log(`Registered auth provider: ${provider.name} with issuer: ${provider.issuer}`);
+  }
+
+  /**
+   * Gets a provider by its issuer URL
+   */
+  getByIssuer(issuer: string): IAuthProvider | undefined {
+    // Check cache first
+    if (this.issuerCache.has(issuer)) {
+      return this.issuerCache.get(issuer);
+    }
+
+    // Search through providers
+    for (const provider of this.providers.values()) {
+      if (provider.matchesIssuer(issuer)) {
+        // Cache for future lookups
+        this.issuerCache.set(issuer, provider);
+        return provider;
+      }
+    }
+
+    return undefined;
+  }
+
+  /**
+   * Gets a provider by its name
+   */
+  getByName(name: string): IAuthProvider | undefined {
+    return this.providers.get(name);
+  }
+
+  /**
+   * Gets all registered providers
+   */
+  getAllProviders(): IAuthProvider[] {
+    return Array.from(this.providers.values());
+  }
+
+  /**
+   * Checks if any providers are registered
+   */
+  hasProviders(): boolean {
+    return this.providers.size > 0;
+  }
+
+  /**
+   * Clears all registered providers (useful for testing)
+   */
+  clear(): void {
+    this.providers.clear();
+    this.issuerCache.clear();
+  }
+
+  /**
+   * Gets all registered provider types from the ClassFactory
+   */
+  static getRegisteredProviderTypes(): string[] {
+    // Get all registrations for BaseAuthProvider from ClassFactory
+    const registrations = MJGlobal.Instance.ClassFactory.GetAllRegistrations(BaseAuthProvider);
+    // Extract unique keys (provider types) from registrations
+    const providerTypes = registrations
+      .map(reg => reg.Key)
+      .filter((key): key is string => key !== null && key !== undefined);
+    // Return unique provider types
+    return Array.from(new Set(providerTypes));
+  }
+
+  /**
+   * Checks if a provider type is registered
+   */
+  static isProviderTypeRegistered(type: string): boolean {
+    try {
+      // Try to get the registration for this specific type
+      const registration = MJGlobal.Instance.ClassFactory.GetRegistration(BaseAuthProvider, type.toLowerCase());
+      return registration !== null && registration !== undefined;
+    } catch {
+      return false;
+    }
+  }
+}

package/src/auth/BaseAuthProvider.ts

@@ -0,0 +1,71 @@
+import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { IAuthProvider } from './IAuthProvider.js';
+
+/**
+ * Base implementation of IAuthProvider with common functionality
+ * Concrete providers should extend this class and use @RegisterClass decorator
+ * with BaseAuthProvider as the base class
+ */
+export abstract class BaseAuthProvider implements IAuthProvider {
+  name: string;
+  issuer: string;
+  audience: string;
+  jwksUri: string;
+  protected config: AuthProviderConfig;
+  protected jwksClient: jwksClient.JwksClient;
+
+  constructor(config: AuthProviderConfig) {
+    this.config = config;
+    this.name = config.name;
+    this.issuer = config.issuer;
+    this.audience = config.audience;
+    this.jwksUri = config.jwksUri;
+
+    // Initialize JWKS client
+    this.jwksClient = jwksClient({
+      jwksUri: this.jwksUri,
+      cache: true,
+      cacheMaxEntries: 5,
+      cacheMaxAge: 600000 // 10 minutes
+    });
+  }
+
+  /**
+   * Validates that required configuration is present
+   */
+  validateConfig(): boolean {
+    return !!(this.name && this.issuer && this.audience && this.jwksUri);
+  }
+
+  /**
+   * Gets the signing key for token verification
+   */
+  getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void {
+    this.jwksClient.getSigningKey(header.kid)
+      .then((key) => {
+        const signingKey = 'publicKey' in key ? key.publicKey : key.rsaPublicKey;
+        callback(null, signingKey);
+      })
+      .catch((err) => {
+        console.error(`Error getting signing key for provider ${this.name}:`, err);
+        callback(err);
+      });
+  }
+
+  /**
+   * Checks if a given issuer URL belongs to this provider
+   */
+  matchesIssuer(issuer: string): boolean {
+    // Handle trailing slashes and case sensitivity
+    const normalizedIssuer = issuer.toLowerCase().replace(/\/$/, '');
+    const normalizedProviderIssuer = this.issuer.toLowerCase().replace(/\/$/, '');
+    return normalizedIssuer === normalizedProviderIssuer;
+  }
+
+  /**
+   * Abstract method for extracting user info - must be implemented by each provider
+   */
+  abstract extractUserInfo(payload: JwtPayload): AuthUserInfo;
+}

package/src/auth/IAuthProvider.ts

@@ -0,0 +1,49 @@
+import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+
+/**
+ * Interface for authentication providers in MemberJunction
+ * Enables support for any OAuth 2.0/OIDC compliant provider
+ */
+export interface IAuthProvider {
+  /**
+   * Unique name identifier for this provider
+   */
+  name: string;
+
+  /**
+   * The issuer URL for this provider (must match the 'iss' claim in tokens)
+   */
+  issuer: string;
+
+  /**
+   * The expected audience for tokens from this provider
+   */
+  audience: string;
+
+  /**
+   * The JWKS endpoint URL for retrieving signing keys
+   */
+  jwksUri: string;
+
+  /**
+   * Validates that the provider configuration is complete and valid
+   */
+  validateConfig(): boolean;
+
+  /**
+   * Gets the signing key for token verification
+   */
+  getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void;
+
+  /**
+   * Extracts user information from the JWT payload
+   * Different providers use different claim names
+   */
+  extractUserInfo(payload: JwtPayload): AuthUserInfo;
+
+  /**
+   * Checks if a given issuer URL belongs to this provider
+   */
+  matchesIssuer(issuer: string): boolean;
+}

package/src/auth/__tests__/backward-compatibility.test.ts

@@ -0,0 +1,183 @@
+import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';
+import { AuthProviderFactory } from '../AuthProviderFactory';
+import { IAuthProvider } from '../IAuthProvider';
+import { initializeAuthProviders } from '../initializeProviders';
+
+/**
+ * Test suite for backward compatibility of the new auth provider system
+ */
+describe('Authentication Provider Backward Compatibility', () => {
+  let factory: AuthProviderFactory;
+  
+  beforeEach(() => {
+    factory = AuthProviderFactory.getInstance();
+    factory.clear();
+  });
+  
+  afterEach(() => {
+    factory.clear();
+  });
+
+  describe('Legacy Configuration Support', () => {
+    it('should create MSAL provider from legacy config', () => {
+      // Simulate legacy environment variables
+      process.env.TENANT_ID = 'test-tenant-id';
+      process.env.WEB_CLIENT_ID = 'test-client-id';
+      
+      // Initialize with legacy config
+      initializeAuthProviders();
+      
+      // Check that MSAL provider was created
+      const msalProvider = factory.getByName('msal');
+      expect(msalProvider).toBeDefined();
+      expect(msalProvider?.issuer).toContain('test-tenant-id');
+      expect(msalProvider?.audience).toBe('test-client-id');
+    });
+    
+    it('should create Auth0 provider from legacy config', () => {
+      // Simulate legacy environment variables
+      process.env.AUTH0_DOMAIN = 'test.auth0.com';
+      process.env.AUTH0_CLIENT_ID = 'auth0-client-id';
+      process.env.AUTH0_CLIENT_SECRET = 'auth0-secret';
+      
+      // Initialize with legacy config
+      initializeAuthProviders();
+      
+      // Check that Auth0 provider was created
+      const auth0Provider = factory.getByName('auth0');
+      expect(auth0Provider).toBeDefined();
+      expect(auth0Provider?.issuer).toBe('https://test.auth0.com/');
+      expect(auth0Provider?.audience).toBe('auth0-client-id');
+    });
+  });
+
+
+  describe('Provider Registry Functionality', () => {
+    it('should find providers by issuer with different formats', () => {
+      // Register a test provider
+      const testProvider = {
+        name: 'test',
+        issuer: 'https://test.provider.com/oauth2',
+        audience: 'test-audience',
+        jwksUri: 'https://test.provider.com/.well-known/jwks.json',
+        validateConfig: () => true,
+        getSigningKey: jest.fn(),
+        extractUserInfo: jest.fn(),
+        matchesIssuer: (issuer: string) => {
+          const normalized = issuer.toLowerCase().replace(/\/$/, '');
+          return normalized === 'https://test.provider.com/oauth2';
+        }
+      } as IAuthProvider;
+      
+      factory.register(testProvider);
+      
+      // Test with exact match
+      expect(factory.getByIssuer('https://test.provider.com/oauth2')).toBe(testProvider);
+      
+      // Test with trailing slash
+      expect(factory.getByIssuer('https://test.provider.com/oauth2/')).toBe(testProvider);
+      
+      // Test with different case
+      expect(factory.getByIssuer('https://TEST.PROVIDER.COM/oauth2')).toBe(testProvider);
+    });
+    
+    it('should cache issuer lookups for performance', () => {
+      const testProvider = {
+        name: 'test',
+        issuer: 'https://test.provider.com',
+        audience: 'test',
+        jwksUri: 'https://test.provider.com/jwks',
+        validateConfig: () => true,
+        getSigningKey: jest.fn(),
+        extractUserInfo: jest.fn(),
+        matchesIssuer: jest.fn((issuer: string): boolean => issuer === 'https://test.provider.com')
+      } as IAuthProvider;
+      
+      factory.register(testProvider);
+      
+      // First lookup
+      factory.getByIssuer('https://test.provider.com');
+      expect(testProvider.matchesIssuer).toHaveBeenCalledTimes(1);
+      
+      // Second lookup should use cache
+      factory.getByIssuer('https://test.provider.com');
+      expect(testProvider.matchesIssuer).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe('User Info Extraction', () => {
+    it('should extract user info from different token formats', () => {
+      // Test MSAL token format
+      const msalPayload = {
+        iss: 'https://login.microsoftonline.com/tenant/v2.0',
+        email: 'user@example.com',
+        given_name: 'John',
+        family_name: 'Doe',
+        name: 'John Doe',
+        preferred_username: 'john.doe@example.com'
+      };
+      
+      // Test Auth0 token format
+      const auth0Payload = {
+        iss: 'https://test.auth0.com/',
+        email: 'user@example.com',
+        given_name: 'Jane',
+        family_name: 'Smith',
+        name: 'Jane Smith'
+      };
+      
+      // Test Okta token format
+      const oktaPayload = {
+        iss: 'https://test.okta.com/oauth2/default',
+        email: 'user@example.com',
+        given_name: 'Bob',
+        family_name: 'Johnson',
+        name: 'Bob Johnson',
+        preferred_username: 'bob.johnson'
+      };
+      
+      // Initialize providers
+      initializeAuthProviders();
+      
+      // Test extraction for each provider type
+      const msalProvider = factory.getByIssuer(msalPayload.iss);
+      if (msalProvider) {
+        const msalUserInfo = msalProvider.extractUserInfo(msalPayload);
+        expect(msalUserInfo.email).toBe('user@example.com');
+        expect(msalUserInfo.firstName).toBe('John');
+        expect(msalUserInfo.lastName).toBe('Doe');
+      }
+      
+      const auth0Provider = factory.getByIssuer(auth0Payload.iss);
+      if (auth0Provider) {
+        const auth0UserInfo = auth0Provider.extractUserInfo(auth0Payload);
+        expect(auth0UserInfo.email).toBe('user@example.com');
+        expect(auth0UserInfo.firstName).toBe('Jane');
+        expect(auth0UserInfo.lastName).toBe('Smith');
+      }
+    });
+  });
+
+  describe('Error Handling', () => {
+    it('should handle missing provider gracefully', () => {
+      const unknownIssuer = 'https://unknown.provider.com';
+      const provider = factory.getByIssuer(unknownIssuer);
+      expect(provider).toBeUndefined();
+    });
+    
+    it('should validate provider configuration', () => {
+      const invalidProvider = {
+        name: 'invalid',
+        issuer: '', // Invalid: empty issuer
+        audience: 'test',
+        jwksUri: 'https://test.com/jwks',
+        validateConfig: () => false,
+        getSigningKey: jest.fn(),
+        extractUserInfo: jest.fn(),
+        matchesIssuer: jest.fn()
+      } as IAuthProvider;
+      
+      expect(() => factory.register(invalidProvider)).toThrow();
+    });
+  });
+});

package/src/auth/index.ts

@@ -1,33 +1,28 @@
-import { JwtHeader, SigningKeyCallback } from 'jsonwebtoken';
-import jwksClient from 'jwks-rsa';
-import { auth0Domain, auth0WebClientID, configInfo, tenantID, webClientID } from '../config.js';
+import { JwtHeader, SigningKeyCallback, JwtPayload } from 'jsonwebtoken';
+import { configInfo } from '../config.js';
 import { UserCache } from '@memberjunction/sqlserver-dataprovider';
 import sql from 'mssql';
 import { Metadata, RoleInfo, UserInfo } from '@memberjunction/core';
 import { NewUserBase } from './newUsers.js';
 import { MJGlobal } from '@memberjunction/global';
 import { UserEntity, UserEntityType } from '@memberjunction/core-entities';
+import { AuthProviderFactory } from './AuthProviderFactory.js';
+import { initializeAuthProviders } from './initializeProviders.js';
 
 export { TokenExpiredError } from './tokenExpiredError.js';
-
-const missingAzureConfig = !tenantID || !webClientID;
-const missingAuth0Config = !auth0Domain || !auth0WebClientID;
+export { IAuthProvider } from './IAuthProvider.js';
+export { AuthProviderFactory } from './AuthProviderFactory.js';
 
 // This is a hard-coded forever constant due to internal migrations
 const SYSTEM_USER_ID = 'ecafccec-6a37-ef11-86d4-000d3a4e707e';
 
 class MissingAuthError extends Error {
   constructor() {
-    super('Could not find authentication configuration for either MSAL or Auth0 in the server environment variables.');
+    super('No authentication providers configured. Please configure at least one auth provider in mj.config.cjs');
     this.name = 'MissingAuthError';
   }
 }
 
-const issuers = {
-  azure: `https://login.microsoftonline.com/${tenantID}/v2.0`,
-  auth0: `https://${auth0Domain}/`,
-};
-
 const refreshUserCache = async (dataSource?: sql.ConnectionPool) => {
   const startTime: number = Date.now();
   await UserCache.Instance.Refresh(dataSource);
@@ -51,16 +46,40 @@ const refreshUserCache = async (dataSource?: sql.ConnectionPool) => {
   );
 };
 
-export const validationOptions = {
-  [issuers.auth0]: {
-    audience: auth0WebClientID,
-    jwksUri: `https://${auth0Domain}/.well-known/jwks.json`,
+/**
+ * Gets validation options for a specific issuer
+ * This maintains backward compatibility with the old structure
+ */
+export const getValidationOptions = (issuer: string): { audience: string; jwksUri: string } | undefined => {
+  const factory = AuthProviderFactory.getInstance();
+  const provider = factory.getByIssuer(issuer);
+  
+  if (!provider) {
+    return undefined;
+  }
+
+  return {
+    audience: provider.audience,
+    jwksUri: provider.jwksUri
+  };
+};
+
+/**
+ * Backward compatible validationOptions object
+ * @deprecated Use getValidationOptions() or AuthProviderRegistry instead
+ */
+export const validationOptions: Record<string, { audience: string; jwksUri: string }> = new Proxy({}, {
+  get: (target, prop: string) => {
+    return getValidationOptions(prop);
   },
-  [issuers.azure]: {
-    audience: webClientID,
-    jwksUri: `https://login.microsoftonline.com/${tenantID}/discovery/v2.0/keys`,
+  has: (target, prop: string) => {
+    return getValidationOptions(prop) !== undefined;
   },
-};
+  ownKeys: () => {
+    const factory = AuthProviderFactory.getInstance();
+    return factory.getAllProviders().map(p => p.issuer);
+  }
+});
 
 export class UserPayload {
   aio?: string;
@@ -78,31 +97,77 @@ export class UserPayload {
   tid?: string;
   uti?: string;
   ver?: string;
-  // what about an array of roles???
+  email?: string;
+  given_name?: string;
+  family_name?: string;
+  [key: string]: unknown; // Allow additional claims
 }
 
+/**
+ * Gets signing keys for JWT validation
+ */
 export const getSigningKeys = (issuer: string) => (header: JwtHeader, cb: SigningKeyCallback) => {
-  if (!validationOptions[issuer]) {
-    throw new Error(`No validation options found for issuer ${issuer}`);
+  const factory = AuthProviderFactory.getInstance();
+  
+  // Initialize providers if not already done
+  if (!factory.hasProviders()) {
+    initializeAuthProviders();
   }
 
-  const jwksUri = validationOptions[issuer].jwksUri;
-  if (missingAuth0Config && missingAzureConfig) {
-    throw new MissingAuthError();
+  const provider = factory.getByIssuer(issuer);
+  
+  if (!provider) {
+    // Check if we have any providers at all
+    if (!factory.hasProviders()) {
+      throw new MissingAuthError();
+    }
+    throw new Error(`No authentication provider found for issuer: ${issuer}`);
   }
-  if (missingAuth0Config) {
-    console.warn('Auth0 configuration not found in environment variables');
+
+  provider.getSigningKey(header, cb);
+};
+
+/**
+ * Extracts user information from JWT payload using the appropriate provider
+ */
+export const extractUserInfoFromPayload = (payload: JwtPayload): {
+  email?: string;
+  firstName?: string;
+  lastName?: string;
+  fullName?: string;
+  preferredUsername?: string;
+} => {
+  const factory = AuthProviderFactory.getInstance();
+  const issuer = payload.iss;
+  
+  if (!issuer) {
+    // Fallback to default extraction
+    const preferredUsername = payload.preferred_username as string | undefined;
+    return {
+      email: payload.email as string | undefined || preferredUsername,
+      firstName: payload.given_name as string | undefined,
+      lastName: payload.family_name as string | undefined,
+      fullName: payload.name as string | undefined,
+      preferredUsername
+    };
   }
-  if (missingAzureConfig) {
-    console.warn('MSAL configuration not found in environment variables');
+
+  const provider = factory.getByIssuer(issuer);
+  
+  if (!provider) {
+    // Fallback to default extraction
+    const fullName = payload.name as string | undefined;
+    const preferredUsername = payload.preferred_username as string | undefined;
+    return {
+      email: payload.email as string | undefined || preferredUsername,
+      firstName: payload.given_name as string | undefined || fullName?.split(' ')[0],
+      lastName: payload.family_name as string | undefined || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
   }
 
-  jwksClient({ jwksUri })
-    .getSigningKey(header.kid)
-    .then((key) => {
-      cb(null, 'publicKey' in key ? key.publicKey : key.rsaPublicKey);
-    })
-    .catch((err) => console.error(err));
+  return provider.extractUserInfo(payload);
 };
 
 export const getSystemUser = async (dataSource?: sql.ConnectionPool, attemptCacheUpdateIfNeeded: boolean = true): Promise<UserInfo> => {
@@ -200,3 +265,6 @@ export const verifyUserRecord = async (
 
   return user;
 };
+
+// Initialize providers on module load
+initializeAuthProviders();

package/src/auth/initializeProviders.ts

@@ -0,0 +1,31 @@
+import { configInfo } from '../config.js';
+import { AuthProviderConfig, LogError, LogStatus } from '@memberjunction/core';
+import { AuthProviderFactory } from './AuthProviderFactory.js';
+
+/**
+ * Initialize authentication providers from configuration
+ */
+export function initializeAuthProviders(): void {
+  const factory = AuthProviderFactory.getInstance();
+  
+  // Clear any existing providers
+  factory.clear();
+
+  // Initialize providers from authProviders config
+  if (configInfo.authProviders && configInfo.authProviders.length > 0) {
+    for (const providerConfig of configInfo.authProviders) {
+      try {
+        const provider = AuthProviderFactory.createProvider(providerConfig as AuthProviderConfig);
+        factory.register(provider);
+        LogStatus(`Registered auth provider: ${provider.name} (type: ${providerConfig.type})`);
+      } catch (error) {
+        LogError(`Failed to initialize auth provider ${providerConfig.name}: ${error}`);
+      }
+    }
+  }
+
+  // Validate we have at least one provider
+  if (!factory.hasProviders()) {
+    LogError('No authentication providers configured. Please configure authProviders array in mj.config.cjs');
+  }
+}