npm - @memberjunction/server - Versions diffs - 2.90.0 → 2.91.0 - Mend

@memberjunction/server 2.90.0 → 2.91.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/dist/auth/AuthProviderFactory.d.ts +24 -0
package/dist/auth/AuthProviderFactory.d.ts.map +1 -0
package/dist/auth/AuthProviderFactory.js +82 -0
package/dist/auth/AuthProviderFactory.js.map +1 -0
package/dist/auth/BaseAuthProvider.d.ts +18 -0
package/dist/auth/BaseAuthProvider.d.ts.map +1 -0
package/dist/auth/BaseAuthProvider.js +42 -0
package/dist/auth/BaseAuthProvider.js.map +1 -0
package/dist/auth/IAuthProvider.d.ts +13 -0
package/dist/auth/IAuthProvider.d.ts.map +1 -0
package/dist/auth/IAuthProvider.js +2 -0
package/dist/auth/IAuthProvider.js.map +1 -0
package/dist/auth/__tests__/backward-compatibility.test.d.ts +2 -0
package/dist/auth/__tests__/backward-compatibility.test.d.ts.map +1 -0
package/dist/auth/__tests__/backward-compatibility.test.js +135 -0
package/dist/auth/__tests__/backward-compatibility.test.js.map +1 -0
package/dist/auth/index.d.ts +22 -7
package/dist/auth/index.d.ts.map +1 -1
package/dist/auth/index.js +65 -32
package/dist/auth/index.js.map +1 -1
package/dist/auth/initializeProviders.d.ts +2 -0
package/dist/auth/initializeProviders.d.ts.map +1 -0
package/dist/auth/initializeProviders.js +23 -0
package/dist/auth/initializeProviders.js.map +1 -0
package/dist/auth/providers/Auth0Provider.d.ts +9 -0
package/dist/auth/providers/Auth0Provider.d.ts.map +1 -0
package/dist/auth/providers/Auth0Provider.js +42 -0
package/dist/auth/providers/Auth0Provider.js.map +1 -0
package/dist/auth/providers/CognitoProvider.d.ts +9 -0
package/dist/auth/providers/CognitoProvider.d.ts.map +1 -0
package/dist/auth/providers/CognitoProvider.js +46 -0
package/dist/auth/providers/CognitoProvider.js.map +1 -0
package/dist/auth/providers/GoogleProvider.d.ts +9 -0
package/dist/auth/providers/GoogleProvider.d.ts.map +1 -0
package/dist/auth/providers/GoogleProvider.js +41 -0
package/dist/auth/providers/GoogleProvider.js.map +1 -0
package/dist/auth/providers/MSALProvider.d.ts +9 -0
package/dist/auth/providers/MSALProvider.d.ts.map +1 -0
package/dist/auth/providers/MSALProvider.js +42 -0
package/dist/auth/providers/MSALProvider.js.map +1 -0
package/dist/auth/providers/OktaProvider.d.ts +9 -0
package/dist/auth/providers/OktaProvider.d.ts.map +1 -0
package/dist/auth/providers/OktaProvider.js +42 -0
package/dist/auth/providers/OktaProvider.js.map +1 -0
package/dist/config.d.ts +97 -21
package/dist/config.d.ts.map +1 -1
package/dist/config.js +13 -6
package/dist/config.js.map +1 -1
package/dist/context.d.ts.map +1 -1
package/dist/context.js +25 -17
package/dist/context.js.map +1 -1
package/dist/generated/generated.d.ts +3 -0
package/dist/generated/generated.d.ts.map +1 -1
package/dist/generated/generated.js +16 -0
package/dist/generated/generated.js.map +1 -1
package/dist/generic/ResolverBase.d.ts +1 -1
package/dist/generic/ResolverBase.d.ts.map +1 -1
package/dist/generic/ResolverBase.js +5 -4
package/dist/generic/ResolverBase.js.map +1 -1
package/package.json +39 -39
package/src/auth/AuthProviderFactory.ts +152 -0
package/src/auth/BaseAuthProvider.ts +71 -0
package/src/auth/IAuthProvider.ts +49 -0
package/src/auth/__tests__/backward-compatibility.test.ts +183 -0
package/src/auth/index.ts +104 -36
package/src/auth/initializeProviders.ts +31 -0
package/src/auth/providers/Auth0Provider.ts +45 -0
package/src/auth/providers/CognitoProvider.ts +50 -0
package/src/auth/providers/GoogleProvider.ts +45 -0
package/src/auth/providers/MSALProvider.ts +45 -0
package/src/auth/providers/OktaProvider.ts +46 -0
package/src/config.ts +14 -10
package/src/context.ts +40 -17
package/src/generated/generated.ts +10 -0
package/src/generic/ResolverBase.ts +9 -4

package/src/auth/__tests__/backward-compatibility.test.ts ADDED Viewed

@@ -0,0 +1,183 @@
+import { describe, it, expect, beforeEach, afterEach, jest } from '@jest/globals';
+import { AuthProviderFactory } from '../AuthProviderFactory';
+import { IAuthProvider } from '../IAuthProvider';
+import { initializeAuthProviders } from '../initializeProviders';
+/**
+ * Test suite for backward compatibility of the new auth provider system
+ */
+describe('Authentication Provider Backward Compatibility', () => {
+  let factory: AuthProviderFactory;
+  beforeEach(() => {
+    factory = AuthProviderFactory.getInstance();
+    factory.clear();
+  });
+  afterEach(() => {
+    factory.clear();
+  });
+  describe('Legacy Configuration Support', () => {
+    it('should create MSAL provider from legacy config', () => {
+      // Simulate legacy environment variables
+      process.env.TENANT_ID = 'test-tenant-id';
+      process.env.WEB_CLIENT_ID = 'test-client-id';
+      // Initialize with legacy config
+      initializeAuthProviders();
+      // Check that MSAL provider was created
+      const msalProvider = factory.getByName('msal');
+      expect(msalProvider).toBeDefined();
+      expect(msalProvider?.issuer).toContain('test-tenant-id');
+      expect(msalProvider?.audience).toBe('test-client-id');
+    });
+    it('should create Auth0 provider from legacy config', () => {
+      // Simulate legacy environment variables
+      process.env.AUTH0_DOMAIN = 'test.auth0.com';
+      process.env.AUTH0_CLIENT_ID = 'auth0-client-id';
+      process.env.AUTH0_CLIENT_SECRET = 'auth0-secret';
+      // Initialize with legacy config
+      initializeAuthProviders();
+      // Check that Auth0 provider was created
+      const auth0Provider = factory.getByName('auth0');
+      expect(auth0Provider).toBeDefined();
+      expect(auth0Provider?.issuer).toBe('https://test.auth0.com/');
+      expect(auth0Provider?.audience).toBe('auth0-client-id');
+    });
+  });
+  describe('Provider Registry Functionality', () => {
+    it('should find providers by issuer with different formats', () => {
+      // Register a test provider
+      const testProvider = {
+        name: 'test',
+        issuer: 'https://test.provider.com/oauth2',
+        audience: 'test-audience',
+        jwksUri: 'https://test.provider.com/.well-known/jwks.json',
+        validateConfig: () => true,
+        getSigningKey: jest.fn(),
+        extractUserInfo: jest.fn(),
+        matchesIssuer: (issuer: string) => {
+          const normalized = issuer.toLowerCase().replace(/\/$/, '');
+          return normalized === 'https://test.provider.com/oauth2';
+        }
+      } as IAuthProvider;
+      factory.register(testProvider);
+      // Test with exact match
+      expect(factory.getByIssuer('https://test.provider.com/oauth2')).toBe(testProvider);
+      // Test with trailing slash
+      expect(factory.getByIssuer('https://test.provider.com/oauth2/')).toBe(testProvider);
+      // Test with different case
+      expect(factory.getByIssuer('https://TEST.PROVIDER.COM/oauth2')).toBe(testProvider);
+    });
+    it('should cache issuer lookups for performance', () => {
+      const testProvider = {
+        name: 'test',
+        issuer: 'https://test.provider.com',
+        audience: 'test',
+        jwksUri: 'https://test.provider.com/jwks',
+        validateConfig: () => true,
+        getSigningKey: jest.fn(),
+        extractUserInfo: jest.fn(),
+        matchesIssuer: jest.fn((issuer: string): boolean => issuer === 'https://test.provider.com')
+      } as IAuthProvider;
+      factory.register(testProvider);
+      // First lookup
+      factory.getByIssuer('https://test.provider.com');
+      expect(testProvider.matchesIssuer).toHaveBeenCalledTimes(1);
+      // Second lookup should use cache
+      factory.getByIssuer('https://test.provider.com');
+      expect(testProvider.matchesIssuer).toHaveBeenCalledTimes(1);
+    });
+  });
+  describe('User Info Extraction', () => {
+    it('should extract user info from different token formats', () => {
+      // Test MSAL token format
+      const msalPayload = {
+        iss: 'https://login.microsoftonline.com/tenant/v2.0',
+        email: 'user@example.com',
+        given_name: 'John',
+        family_name: 'Doe',
+        name: 'John Doe',
+        preferred_username: 'john.doe@example.com'
+      };
+      // Test Auth0 token format
+      const auth0Payload = {
+        iss: 'https://test.auth0.com/',
+        email: 'user@example.com',
+        given_name: 'Jane',
+        family_name: 'Smith',
+        name: 'Jane Smith'
+      };
+      // Test Okta token format
+      const oktaPayload = {
+        iss: 'https://test.okta.com/oauth2/default',
+        email: 'user@example.com',
+        given_name: 'Bob',
+        family_name: 'Johnson',
+        name: 'Bob Johnson',
+        preferred_username: 'bob.johnson'
+      };
+      // Initialize providers
+      initializeAuthProviders();
+      // Test extraction for each provider type
+      const msalProvider = factory.getByIssuer(msalPayload.iss);
+      if (msalProvider) {
+        const msalUserInfo = msalProvider.extractUserInfo(msalPayload);
+        expect(msalUserInfo.email).toBe('user@example.com');
+        expect(msalUserInfo.firstName).toBe('John');
+        expect(msalUserInfo.lastName).toBe('Doe');
+      }
+      const auth0Provider = factory.getByIssuer(auth0Payload.iss);
+      if (auth0Provider) {
+        const auth0UserInfo = auth0Provider.extractUserInfo(auth0Payload);
+        expect(auth0UserInfo.email).toBe('user@example.com');
+        expect(auth0UserInfo.firstName).toBe('Jane');
+        expect(auth0UserInfo.lastName).toBe('Smith');
+      }
+    });
+  });
+  describe('Error Handling', () => {
+    it('should handle missing provider gracefully', () => {
+      const unknownIssuer = 'https://unknown.provider.com';
+      const provider = factory.getByIssuer(unknownIssuer);
+      expect(provider).toBeUndefined();
+    });
+    it('should validate provider configuration', () => {
+      const invalidProvider = {
+        name: 'invalid',
+        issuer: '', // Invalid: empty issuer
+        audience: 'test',
+        jwksUri: 'https://test.com/jwks',
+        validateConfig: () => false,
+        getSigningKey: jest.fn(),
+        extractUserInfo: jest.fn(),
+        matchesIssuer: jest.fn()
+      } as IAuthProvider;
+      expect(() => factory.register(invalidProvider)).toThrow();
+    });
+  });
+});

package/src/auth/index.ts CHANGED Viewed

@@ -1,33 +1,28 @@
-import { JwtHeader, SigningKeyCallback } from 'jsonwebtoken';
-import jwksClient from 'jwks-rsa';
-import { auth0Domain, auth0WebClientID, configInfo, tenantID, webClientID } from '../config.js';
+import { JwtHeader, SigningKeyCallback, JwtPayload } from 'jsonwebtoken';
+import { configInfo } from '../config.js';
 import { UserCache } from '@memberjunction/sqlserver-dataprovider';
 import sql from 'mssql';
 import { Metadata, RoleInfo, UserInfo } from '@memberjunction/core';
 import { NewUserBase } from './newUsers.js';
 import { MJGlobal } from '@memberjunction/global';
 import { UserEntity, UserEntityType } from '@memberjunction/core-entities';
+import { AuthProviderFactory } from './AuthProviderFactory.js';
+import { initializeAuthProviders } from './initializeProviders.js';
 export { TokenExpiredError } from './tokenExpiredError.js';
-const missingAzureConfig = !tenantID || !webClientID;
-const missingAuth0Config = !auth0Domain || !auth0WebClientID;
+export { IAuthProvider } from './IAuthProvider.js';
+export { AuthProviderFactory } from './AuthProviderFactory.js';
 // This is a hard-coded forever constant due to internal migrations
 const SYSTEM_USER_ID = 'ecafccec-6a37-ef11-86d4-000d3a4e707e';
 class MissingAuthError extends Error {
   constructor() {
-    super('Could not find authentication configuration for either MSAL or Auth0 in the server environment variables.');
+    super('No authentication providers configured. Please configure at least one auth provider in mj.config.cjs');
     this.name = 'MissingAuthError';
   }
 }
-const issuers = {
-  azure: `https://login.microsoftonline.com/${tenantID}/v2.0`,
-  auth0: `https://${auth0Domain}/`,
-};
 const refreshUserCache = async (dataSource?: sql.ConnectionPool) => {
   const startTime: number = Date.now();
   await UserCache.Instance.Refresh(dataSource);
@@ -51,16 +46,40 @@ const refreshUserCache = async (dataSource?: sql.ConnectionPool) => {
   );
 };
-export const validationOptions = {
-  [issuers.auth0]: {
-    audience: auth0WebClientID,
-    jwksUri: `https://${auth0Domain}/.well-known/jwks.json`,
+/**
+ * Gets validation options for a specific issuer
+ * This maintains backward compatibility with the old structure
+ */
+export const getValidationOptions = (issuer: string): { audience: string; jwksUri: string } | undefined => {
+  const factory = AuthProviderFactory.getInstance();
+  const provider = factory.getByIssuer(issuer);
+  if (!provider) {
+    return undefined;
+  }
+  return {
+    audience: provider.audience,
+    jwksUri: provider.jwksUri
+  };
+};
+/**
+ * Backward compatible validationOptions object
+ * @deprecated Use getValidationOptions() or AuthProviderRegistry instead
+ */
+export const validationOptions: Record<string, { audience: string; jwksUri: string }> = new Proxy({}, {
+  get: (target, prop: string) => {
+    return getValidationOptions(prop);
   },
-  [issuers.azure]: {
-    audience: webClientID,
-    jwksUri: `https://login.microsoftonline.com/${tenantID}/discovery/v2.0/keys`,
+  has: (target, prop: string) => {
+    return getValidationOptions(prop) !== undefined;
   },
-};
+  ownKeys: () => {
+    const factory = AuthProviderFactory.getInstance();
+    return factory.getAllProviders().map(p => p.issuer);
+  }
+});
 export class UserPayload {
   aio?: string;
@@ -78,31 +97,77 @@ export class UserPayload {
   tid?: string;
   uti?: string;
   ver?: string;
-  // what about an array of roles???
+  email?: string;
+  given_name?: string;
+  family_name?: string;
+  [key: string]: unknown; // Allow additional claims
 }
+/**
+ * Gets signing keys for JWT validation
+ */
 export const getSigningKeys = (issuer: string) => (header: JwtHeader, cb: SigningKeyCallback) => {
-  if (!validationOptions[issuer]) {
-    throw new Error(`No validation options found for issuer ${issuer}`);
+  const factory = AuthProviderFactory.getInstance();
+  // Initialize providers if not already done
+  if (!factory.hasProviders()) {
+    initializeAuthProviders();
   }
-  const jwksUri = validationOptions[issuer].jwksUri;
-  if (missingAuth0Config && missingAzureConfig) {
-    throw new MissingAuthError();
+  const provider = factory.getByIssuer(issuer);
+  if (!provider) {
+    // Check if we have any providers at all
+    if (!factory.hasProviders()) {
+      throw new MissingAuthError();
+    }
+    throw new Error(`No authentication provider found for issuer: ${issuer}`);
   }
-  if (missingAuth0Config) {
-    console.warn('Auth0 configuration not found in environment variables');
+  provider.getSigningKey(header, cb);
+};
+/**
+ * Extracts user information from JWT payload using the appropriate provider
+ */
+export const extractUserInfoFromPayload = (payload: JwtPayload): {
+  email?: string;
+  firstName?: string;
+  lastName?: string;
+  fullName?: string;
+  preferredUsername?: string;
+} => {
+  const factory = AuthProviderFactory.getInstance();
+  const issuer = payload.iss;
+  if (!issuer) {
+    // Fallback to default extraction
+    const preferredUsername = payload.preferred_username as string | undefined;
+    return {
+      email: payload.email as string | undefined || preferredUsername,
+      firstName: payload.given_name as string | undefined,
+      lastName: payload.family_name as string | undefined,
+      fullName: payload.name as string | undefined,
+      preferredUsername
+    };
   }
-  if (missingAzureConfig) {
-    console.warn('MSAL configuration not found in environment variables');
+  const provider = factory.getByIssuer(issuer);
+  if (!provider) {
+    // Fallback to default extraction
+    const fullName = payload.name as string | undefined;
+    const preferredUsername = payload.preferred_username as string | undefined;
+    return {
+      email: payload.email as string | undefined || preferredUsername,
+      firstName: payload.given_name as string | undefined || fullName?.split(' ')[0],
+      lastName: payload.family_name as string | undefined || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
   }
-  jwksClient({ jwksUri })
-    .getSigningKey(header.kid)
-    .then((key) => {
-      cb(null, 'publicKey' in key ? key.publicKey : key.rsaPublicKey);
-    })
-    .catch((err) => console.error(err));
+  return provider.extractUserInfo(payload);
 };
 export const getSystemUser = async (dataSource?: sql.ConnectionPool, attemptCacheUpdateIfNeeded: boolean = true): Promise<UserInfo> => {
@@ -200,3 +265,6 @@ export const verifyUserRecord = async (
   return user;
 };
+// Initialize providers on module load
+initializeAuthProviders();

package/src/auth/initializeProviders.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { configInfo } from '../config.js';
+import { AuthProviderConfig, LogError, LogStatus } from '@memberjunction/core';
+import { AuthProviderFactory } from './AuthProviderFactory.js';
+/**
+ * Initialize authentication providers from configuration
+ */
+export function initializeAuthProviders(): void {
+  const factory = AuthProviderFactory.getInstance();
+  // Clear any existing providers
+  factory.clear();
+  // Initialize providers from authProviders config
+  if (configInfo.authProviders && configInfo.authProviders.length > 0) {
+    for (const providerConfig of configInfo.authProviders) {
+      try {
+        const provider = AuthProviderFactory.createProvider(providerConfig as AuthProviderConfig);
+        factory.register(provider);
+        LogStatus(`Registered auth provider: ${provider.name} (type: ${providerConfig.type})`);
+      } catch (error) {
+        LogError(`Failed to initialize auth provider ${providerConfig.name}: ${error}`);
+      }
+    }
+  }
+  // Validate we have at least one provider
+  if (!factory.hasProviders()) {
+    LogError('No authentication providers configured. Please configure authProviders array in mj.config.cjs');
+  }
+}

package/src/auth/providers/Auth0Provider.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { RegisterClass } from '@memberjunction/global';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Auth0 authentication provider implementation
+ */
+@RegisterClass(BaseAuthProvider, 'auth0')
+export class Auth0Provider extends BaseAuthProvider {
+  constructor(config: AuthProviderConfig) {
+    super(config);
+  }
+  /**
+   * Extracts user information from Auth0 JWT payload
+   */
+  extractUserInfo(payload: JwtPayload): AuthUserInfo {
+    // Auth0 uses standard OIDC claims
+    const email = payload.email as string | undefined;
+    const fullName = payload.name as string | undefined;
+    const firstName = payload.given_name as string | undefined;
+    const lastName = payload.family_name as string | undefined;
+    const preferredUsername = payload.preferred_username as string | undefined || email;
+    return {
+      email,
+      firstName: firstName || fullName?.split(' ')[0],
+      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
+  }
+  /**
+   * Validates Auth0-specific configuration
+   */
+  validateConfig(): boolean {
+    const baseValid = super.validateConfig();
+    const hasClientId = !!this.config.clientId;
+    const hasDomain = !!this.config.domain;
+    return baseValid && hasClientId && hasDomain;
+  }
+}

package/src/auth/providers/CognitoProvider.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { RegisterClass } from '@memberjunction/global';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * AWS Cognito authentication provider implementation
+ */
+@RegisterClass(BaseAuthProvider, 'cognito')
+export class CognitoProvider extends BaseAuthProvider {
+  constructor(config: AuthProviderConfig) {
+    super(config);
+  }
+  /**
+   * Extracts user information from Cognito JWT payload
+   */
+  extractUserInfo(payload: JwtPayload): AuthUserInfo {
+    // Cognito uses custom claims with 'cognito:' prefix for some fields
+    const email = payload.email as string | undefined ||
+                  payload['cognito:username'] as string | undefined;
+    const fullName = payload.name as string | undefined;
+    const firstName = payload.given_name as string | undefined;
+    const lastName = payload.family_name as string | undefined;
+    const preferredUsername = payload['cognito:username'] as string | undefined ||
+                             payload.preferred_username as string | undefined ||
+                             email;
+    return {
+      email,
+      firstName: firstName || fullName?.split(' ')[0],
+      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
+  }
+  /**
+   * Validates Cognito-specific configuration
+   */
+  validateConfig(): boolean {
+    const baseValid = super.validateConfig();
+    const hasClientId = !!this.config.clientId;
+    const hasRegion = !!this.config.region;
+    const hasUserPoolId = !!this.config.userPoolId;
+    return baseValid && hasClientId && hasRegion && hasUserPoolId;
+  }
+}

package/src/auth/providers/GoogleProvider.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { RegisterClass } from '@memberjunction/global';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Google Identity Platform authentication provider implementation
+ */
+@RegisterClass(BaseAuthProvider, 'google')
+export class GoogleProvider extends BaseAuthProvider {
+  constructor(config: AuthProviderConfig) {
+    super(config);
+  }
+  /**
+   * Extracts user information from Google JWT payload
+   */
+  extractUserInfo(payload: JwtPayload): AuthUserInfo {
+    // Google uses standard OIDC claims
+    const email = payload.email as string | undefined;
+    const fullName = payload.name as string | undefined;
+    const firstName = payload.given_name as string | undefined;
+    const lastName = payload.family_name as string | undefined;
+    const preferredUsername = email; // Google typically uses email as username
+    return {
+      email,
+      firstName: firstName || fullName?.split(' ')[0],
+      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
+  }
+  /**
+   * Validates Google-specific configuration
+   */
+  validateConfig(): boolean {
+    const baseValid = super.validateConfig();
+    const hasClientId = !!this.config.clientId;
+    return baseValid && hasClientId;
+  }
+}

package/src/auth/providers/MSALProvider.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { RegisterClass } from '@memberjunction/global';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Microsoft Authentication Library (MSAL) provider implementation
+ */
+@RegisterClass(BaseAuthProvider, 'msal')
+export class MSALProvider extends BaseAuthProvider {
+  constructor(config: AuthProviderConfig) {
+    super(config);
+  }
+  /**
+   * Extracts user information from MSAL/Azure AD JWT payload
+   */
+  extractUserInfo(payload: JwtPayload): AuthUserInfo {
+    // MSAL/Azure AD uses some custom claims
+    const email = payload.email as string | undefined || payload.preferred_username as string | undefined;
+    const fullName = payload.name as string | undefined;
+    const firstName = payload.given_name as string | undefined;
+    const lastName = payload.family_name as string | undefined;
+    const preferredUsername = payload.preferred_username as string | undefined;
+    return {
+      email,
+      firstName: firstName || fullName?.split(' ')[0],
+      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
+  }
+  /**
+   * Validates MSAL-specific configuration
+   */
+  validateConfig(): boolean {
+    const baseValid = super.validateConfig();
+    const hasClientId = !!this.config.clientId;
+    const hasTenantId = !!this.config.tenantId;
+    return baseValid && hasClientId && hasTenantId;
+  }
+}

package/src/auth/providers/OktaProvider.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { RegisterClass } from '@memberjunction/global';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Okta authentication provider implementation
+ */
+@RegisterClass(BaseAuthProvider, 'okta')
+export class OktaProvider extends BaseAuthProvider {
+  constructor(config: AuthProviderConfig) {
+    super(config);
+  }
+  /**
+   * Extracts user information from Okta JWT payload
+   */
+  extractUserInfo(payload: JwtPayload): AuthUserInfo {
+    // Okta uses standard OIDC claims plus some custom ones
+    const email = payload.email as string | undefined || payload.preferred_username as string | undefined;
+    const fullName = payload.name as string | undefined;
+    const firstName = payload.given_name as string | undefined;
+    const lastName = payload.family_name as string | undefined;
+    const preferredUsername = payload.preferred_username as string | undefined || email;
+    return {
+      email,
+      firstName: firstName || fullName?.split(' ')[0],
+      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+      fullName,
+      preferredUsername
+    };
+  }
+  /**
+   * Validates Okta-specific configuration
+   */
+  validateConfig(): boolean {
+    const baseValid = super.validateConfig();
+    const hasClientId = !!this.config.clientId;
+    const hasDomain = !!this.config.domain;
+    return baseValid && hasClientId && hasDomain;
+  }
+}