@memberjunction/server 5.15.0 → 5.16.0

package/dist/auth/tokenExpiredError.js

@@ -1,12 +0,0 @@
-import { GraphQLError } from 'graphql';
-export class TokenExpiredError extends GraphQLError {
-    constructor(expiryDate, message = 'The provided token has expired. Please authenticate again.') {
-        super(message, {
-            extensions: {
-                code: 'JWT_EXPIRED',
-                expiryDate: expiryDate.toISOString(),
-            },
-        });
-    }
-}
-//# sourceMappingURL=tokenExpiredError.js.map

package/dist/auth/tokenExpiredError.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"tokenExpiredError.js","sourceRoot":"","sources":["../../src/auth/tokenExpiredError.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,MAAM,OAAO,iBAAkB,SAAQ,YAAY;IACjD,YAAY,UAAgB,EAAE,OAAO,GAAG,4DAA4D;QAClG,KAAK,CAAC,OAAO,EAAE;YACb,UAAU,EAAE;gBACV,IAAI,EAAE,aAAa;gBACnB,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE;aACrC;SACF,CAAC,CAAC;IACL,CAAC;CACF"}

package/src/auth/AuthProviderFactory.ts

@@ -1,182 +0,0 @@
-import { AuthProviderConfig } from '@memberjunction/core';
-import { IAuthProvider } from './IAuthProvider.js';
-import { BaseAuthProvider } from './BaseAuthProvider.js';
-import { MJGlobal } from '@memberjunction/global';
-
-// Import providers to ensure they're registered
-import './providers/Auth0Provider.js';
-import './providers/MSALProvider.js';
-import './providers/OktaProvider.js';
-import './providers/CognitoProvider.js';
-import './providers/GoogleProvider.js';
-
-/**
- * Factory and registry for managing authentication providers
- * Combines provider creation and lifecycle management in a single class
- */
-export class AuthProviderFactory {
-  private static instance: AuthProviderFactory;
-  private providers: Map<string, IAuthProvider> = new Map();
-  private issuerCache: Map<string, IAuthProvider> = new Map();
-  private issuerMultiCache: Map<string, IAuthProvider[]> = new Map();
-
-  private constructor() {}
-
-  /**
-   * Gets the singleton instance of the factory
-   */
-  static getInstance(): AuthProviderFactory {
-    if (!AuthProviderFactory.instance) {
-      AuthProviderFactory.instance = new AuthProviderFactory();
-    }
-    return AuthProviderFactory.instance;
-  }
-
-  /**
-   * Creates an authentication provider instance based on configuration
-   * Uses MJGlobal ClassFactory to instantiate the correct provider class
-   */
-  static createProvider(config: AuthProviderConfig): IAuthProvider {
-    try {
-      // Use MJGlobal ClassFactory to create the provider instance
-      // The provider type in config should match the key used in @RegisterClass
-      // The config is passed as a constructor parameter via the spread operator
-      const provider = MJGlobal.Instance.ClassFactory.CreateInstance<BaseAuthProvider>(
-        BaseAuthProvider,
-        config.type.toLowerCase(),
-        config
-      );
-      
-      if (!provider) {
-        throw new Error(`No provider registered for type: ${config.type}`);
-      }
-      
-      return provider;
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to create authentication provider for type '${config.type}': ${message}`);
-    }
-  }
-
-  /**
-   * Registers a new authentication provider
-   */
-  register(provider: IAuthProvider): void {
-    if (!provider.validateConfig()) {
-      throw new Error(`Invalid configuration for provider: ${provider.name}`);
-    }
-
-    this.providers.set(provider.name, provider);
-    
-    // Clear issuer caches when registering new provider
-    this.issuerCache.clear();
-    this.issuerMultiCache.clear();
-    
-    console.log(`Registered auth provider: ${provider.name} with issuer: ${provider.issuer}`);
-  }
-
-  /**
-   * Gets a provider by its issuer URL
-   */
-  getByIssuer(issuer: string): IAuthProvider | undefined {
-    // Check cache first
-    if (this.issuerCache.has(issuer)) {
-      return this.issuerCache.get(issuer);
-    }
-
-    // Search through providers
-    for (const provider of this.providers.values()) {
-      if (provider.matchesIssuer(issuer)) {
-        // Cache for future lookups
-        this.issuerCache.set(issuer, provider);
-        return provider;
-      }
-    }
-
-    return undefined;
-  }
-
-  /**
-   * Gets all providers matching an issuer URL.
-   * Unlike getByIssuer() which returns only the first match, this returns
-   * all providers for a given issuer. This is needed when multiple apps
-   * (e.g. MJExplorer + MJCentral) share the same Auth0 domain but have
-   * different audiences (client IDs).
-   */
-  getAllByIssuer(issuer: string): IAuthProvider[] {
-    // Check multi-provider cache first
-    if (this.issuerMultiCache.has(issuer)) {
-      return this.issuerMultiCache.get(issuer)!;
-    }
-
-    const matches: IAuthProvider[] = [];
-    for (const provider of this.providers.values()) {
-      if (provider.matchesIssuer(issuer)) {
-        matches.push(provider);
-      }
-    }
-
-    if (matches.length > 0) {
-      this.issuerMultiCache.set(issuer, matches);
-    }
-
-    return matches;
-  }
-
-  /**
-   * Gets a provider by its name
-   */
-  getByName(name: string): IAuthProvider | undefined {
-    return this.providers.get(name);
-  }
-
-  /**
-   * Gets all registered providers
-   */
-  getAllProviders(): IAuthProvider[] {
-    return Array.from(this.providers.values());
-  }
-
-  /**
-   * Checks if any providers are registered
-   */
-  hasProviders(): boolean {
-    return this.providers.size > 0;
-  }
-
-  /**
-   * Clears all registered providers (useful for testing)
-   */
-  clear(): void {
-    this.providers.clear();
-    this.issuerCache.clear();
-    this.issuerMultiCache.clear();
-  }
-
-  /**
-   * Gets all registered provider types from the ClassFactory
-   */
-  static getRegisteredProviderTypes(): string[] {
-    // Get all registrations for BaseAuthProvider from ClassFactory
-    const registrations = MJGlobal.Instance.ClassFactory.GetAllRegistrations(BaseAuthProvider);
-    // Extract unique keys (provider types) from registrations
-    const providerTypes = registrations
-      .map(reg => reg.Key)
-      .filter((key): key is string => key !== null && key !== undefined);
-    // Return unique provider types
-    return Array.from(new Set(providerTypes));
-  }
-
-  /**
-   * Checks if a provider type is registered
-   */
-  static isProviderTypeRegistered(type: string): boolean {
-    try {
-      // Try to get the registration for this specific type
-      const registration = MJGlobal.Instance.ClassFactory.GetRegistration(BaseAuthProvider, type.toLowerCase());
-      return registration !== null && registration !== undefined;
-    } catch {
-      return false;
-    }
-  }
-}

package/src/auth/BaseAuthProvider.ts

@@ -1,137 +0,0 @@
-import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
-import jwksClient from 'jwks-rsa';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-import { IAuthProvider } from './IAuthProvider.js';
-import https from 'https';
-import http from 'http';
-
-/**
- * Base implementation of IAuthProvider with common functionality
- * Concrete providers should extend this class and use @RegisterClass decorator
- * with BaseAuthProvider as the base class
- */
-export abstract class BaseAuthProvider implements IAuthProvider {
-  name: string;
-  issuer: string;
-  audience: string;
-  jwksUri: string;
-  /** OAuth client ID for this provider (used by OAuth proxy for upstream auth) */
-  clientId?: string;
-  protected config: AuthProviderConfig;
-  protected jwksClient: jwksClient.JwksClient;
-
-  constructor(config: AuthProviderConfig) {
-    this.config = config;
-    this.name = config.name;
-    this.issuer = config.issuer;
-    this.audience = config.audience;
-    this.jwksUri = config.jwksUri;
-    this.clientId = config.clientId;
-
-    // Create HTTP agent with keep-alive to prevent socket hangups
-    const agent = this.jwksUri.startsWith('https')
-      ? new https.Agent({
-          keepAlive: true,
-          keepAliveMsecs: 30000,
-          maxSockets: 50,
-          maxFreeSockets: 10,
-          timeout: 60000
-        })
-      : new http.Agent({
-          keepAlive: true,
-          keepAliveMsecs: 30000,
-          maxSockets: 50,
-          maxFreeSockets: 10,
-          timeout: 60000
-        });
-
-    // Initialize JWKS client with connection pooling and extended timeout
-    this.jwksClient = jwksClient({
-      jwksUri: this.jwksUri,
-      cache: true,
-      cacheMaxEntries: 5,
-      cacheMaxAge: 600000, // 10 minutes
-      timeout: 60000, // 60 seconds (increased from default 30s)
-      requestAgent: agent
-    });
-  }
-
-  /**
-   * Validates that required configuration is present
-   */
-  validateConfig(): boolean {
-    return !!(this.name && this.issuer && this.audience && this.jwksUri);
-  }
-
-  /**
-   * Gets the signing key for token verification with retry logic
-   */
-  getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void {
-    this.getSigningKeyWithRetry(header, 3, 1000)
-      .then((key) => {
-        const signingKey = 'publicKey' in key ? key.publicKey : key.rsaPublicKey;
-        callback(null, signingKey);
-      })
-      .catch((err) => {
-        console.error(`Error getting signing key for provider ${this.name} after retries:`, err);
-        callback(err);
-      });
-  }
-
-  /**
-   * Retrieves signing key with exponential backoff retry logic
-   */
-  private async getSigningKeyWithRetry(
-    header: JwtHeader,
-    maxRetries: number,
-    initialDelayMs: number
-  ): Promise<jwksClient.SigningKey> {
-    let lastError: Error | undefined;
-
-    for (let attempt = 0; attempt <= maxRetries; attempt++) {
-      try {
-        return await this.jwksClient.getSigningKey(header.kid);
-      } catch (err) {
-        lastError = err instanceof Error ? err : new Error(String(err));
-
-        // Check if this is a connection error that's worth retrying
-        const isRetryableError =
-          lastError.message.includes('socket hang up') ||
-          lastError.message.includes('ECONNRESET') ||
-          lastError.message.includes('ETIMEDOUT') ||
-          lastError.message.includes('ENOTFOUND') ||
-          lastError.message.includes('EAI_AGAIN');
-
-        if (!isRetryableError || attempt === maxRetries) {
-          throw lastError;
-        }
-
-        // Exponential backoff: wait longer between each retry
-        const delayMs = initialDelayMs * Math.pow(2, attempt);
-        console.warn(
-          `Attempt ${attempt + 1}/${maxRetries + 1} failed for provider ${this.name}. ` +
-          `Retrying in ${delayMs}ms... Error: ${lastError.message}`
-        );
-
-        await new Promise(resolve => setTimeout(resolve, delayMs));
-      }
-    }
-
-    throw lastError || new Error('Failed to retrieve signing key');
-  }
-
-  /**
-   * Checks if a given issuer URL belongs to this provider
-   */
-  matchesIssuer(issuer: string): boolean {
-    // Handle trailing slashes and case sensitivity
-    const normalizedIssuer = issuer.toLowerCase().replace(/\/$/, '');
-    const normalizedProviderIssuer = this.issuer.toLowerCase().replace(/\/$/, '');
-    return normalizedIssuer === normalizedProviderIssuer;
-  }
-
-  /**
-   * Abstract method for extracting user info - must be implemented by each provider
-   */
-  abstract extractUserInfo(payload: JwtPayload): AuthUserInfo;
-}

package/src/auth/IAuthProvider.ts

@@ -1,54 +0,0 @@
-import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-
-/**
- * Interface for authentication providers in MemberJunction
- * Enables support for any OAuth 2.0/OIDC compliant provider
- */
-export interface IAuthProvider {
-  /**
-   * Unique name identifier for this provider
-   */
-  name: string;
-
-  /**
-   * The issuer URL for this provider (must match the 'iss' claim in tokens)
-   */
-  issuer: string;
-
-  /**
-   * The expected audience for tokens from this provider
-   */
-  audience: string;
-
-  /**
-   * The JWKS endpoint URL for retrieving signing keys
-   */
-  jwksUri: string;
-
-  /**
-   * OAuth client ID for this provider (optional, used by OAuth proxy for upstream authentication)
-   */
-  clientId?: string;
-
-  /**
-   * Validates that the provider configuration is complete and valid
-   */
-  validateConfig(): boolean;
-
-  /**
-   * Gets the signing key for token verification
-   */
-  getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void;
-
-  /**
-   * Extracts user information from the JWT payload
-   * Different providers use different claim names
-   */
-  extractUserInfo(payload: JwtPayload): AuthUserInfo;
-
-  /**
-   * Checks if a given issuer URL belongs to this provider
-   */
-  matchesIssuer(issuer: string): boolean;
-}

package/src/auth/providers/Auth0Provider.ts

@@ -1,45 +0,0 @@
-import { JwtPayload } from 'jsonwebtoken';
-import { RegisterClass } from '@memberjunction/global';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-import { BaseAuthProvider } from '../BaseAuthProvider.js';
-
-/**
- * Auth0 authentication provider implementation
- */
-@RegisterClass(BaseAuthProvider, 'auth0')
-export class Auth0Provider extends BaseAuthProvider {
-  constructor(config: AuthProviderConfig) {
-    super(config);
-  }
-
-  /**
-   * Extracts user information from Auth0 JWT payload
-   */
-  extractUserInfo(payload: JwtPayload): AuthUserInfo {
-    // Auth0 uses standard OIDC claims
-    const email = payload.email as string | undefined;
-    const fullName = payload.name as string | undefined;
-    const firstName = payload.given_name as string | undefined;
-    const lastName = payload.family_name as string | undefined;
-    const preferredUsername = payload.preferred_username as string | undefined || email;
-
-    return {
-      email,
-      firstName: firstName || fullName?.split(' ')[0],
-      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
-      fullName,
-      preferredUsername
-    };
-  }
-
-  /**
-   * Validates Auth0-specific configuration
-   */
-  validateConfig(): boolean {
-    const baseValid = super.validateConfig();
-    const hasClientId = !!this.config.clientId;
-    const hasDomain = !!this.config.domain;
-    
-    return baseValid && hasClientId && hasDomain;
-  }
-}

package/src/auth/providers/CognitoProvider.ts

@@ -1,50 +0,0 @@
-import { JwtPayload } from 'jsonwebtoken';
-import { RegisterClass } from '@memberjunction/global';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-import { BaseAuthProvider } from '../BaseAuthProvider.js';
-
-
-/**
- * AWS Cognito authentication provider implementation
- */
-@RegisterClass(BaseAuthProvider, 'cognito')
-export class CognitoProvider extends BaseAuthProvider {
-  constructor(config: AuthProviderConfig) {
-    super(config);
-  }
-
-  /**
-   * Extracts user information from Cognito JWT payload
-   */
-  extractUserInfo(payload: JwtPayload): AuthUserInfo {
-    // Cognito uses custom claims with 'cognito:' prefix for some fields
-    const email = payload.email as string | undefined || 
-                  payload['cognito:username'] as string | undefined;
-    const fullName = payload.name as string | undefined;
-    const firstName = payload.given_name as string | undefined;
-    const lastName = payload.family_name as string | undefined;
-    const preferredUsername = payload['cognito:username'] as string | undefined || 
-                             payload.preferred_username as string | undefined || 
-                             email;
-
-    return {
-      email,
-      firstName: firstName || fullName?.split(' ')[0],
-      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
-      fullName,
-      preferredUsername
-    };
-  }
-
-  /**
-   * Validates Cognito-specific configuration
-   */
-  validateConfig(): boolean {
-    const baseValid = super.validateConfig();
-    const hasClientId = !!this.config.clientId;
-    const hasRegion = !!this.config.region;
-    const hasUserPoolId = !!this.config.userPoolId;
-    
-    return baseValid && hasClientId && hasRegion && hasUserPoolId;
-  }
-}

package/src/auth/providers/GoogleProvider.ts

@@ -1,45 +0,0 @@
-import { JwtPayload } from 'jsonwebtoken';
-import { RegisterClass } from '@memberjunction/global';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-import { BaseAuthProvider } from '../BaseAuthProvider.js';
-
-
-/**
- * Google Identity Platform authentication provider implementation
- */
-@RegisterClass(BaseAuthProvider, 'google')
-export class GoogleProvider extends BaseAuthProvider {
-  constructor(config: AuthProviderConfig) {
-    super(config);
-  }
-
-  /**
-   * Extracts user information from Google JWT payload
-   */
-  extractUserInfo(payload: JwtPayload): AuthUserInfo {
-    // Google uses standard OIDC claims
-    const email = payload.email as string | undefined;
-    const fullName = payload.name as string | undefined;
-    const firstName = payload.given_name as string | undefined;
-    const lastName = payload.family_name as string | undefined;
-    const preferredUsername = email; // Google typically uses email as username
-
-    return {
-      email,
-      firstName: firstName || fullName?.split(' ')[0],
-      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
-      fullName,
-      preferredUsername
-    };
-  }
-
-  /**
-   * Validates Google-specific configuration
-   */
-  validateConfig(): boolean {
-    const baseValid = super.validateConfig();
-    const hasClientId = !!this.config.clientId;
-    
-    return baseValid && hasClientId;
-  }
-}

package/src/auth/providers/MSALProvider.ts

@@ -1,45 +0,0 @@
-import { JwtPayload } from 'jsonwebtoken';
-import { RegisterClass } from '@memberjunction/global';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-import { BaseAuthProvider } from '../BaseAuthProvider.js';
-
-/**
- * Microsoft Authentication Library (MSAL) provider implementation
- */
-@RegisterClass(BaseAuthProvider, 'msal')
-export class MSALProvider extends BaseAuthProvider {
-  constructor(config: AuthProviderConfig) {
-    super(config);
-  }
-
-  /**
-   * Extracts user information from MSAL/Azure AD JWT payload
-   */
-  extractUserInfo(payload: JwtPayload): AuthUserInfo {
-    // MSAL/Azure AD uses some custom claims
-    const email = payload.email as string | undefined || payload.preferred_username as string | undefined;
-    const fullName = payload.name as string | undefined;
-    const firstName = payload.given_name as string | undefined;
-    const lastName = payload.family_name as string | undefined;
-    const preferredUsername = payload.preferred_username as string | undefined;
-
-    return {
-      email,
-      firstName: firstName || fullName?.split(' ')[0],
-      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
-      fullName,
-      preferredUsername
-    };
-  }
-
-  /**
-   * Validates MSAL-specific configuration
-   */
-  validateConfig(): boolean {
-    const baseValid = super.validateConfig();
-    const hasClientId = !!this.config.clientId;
-    const hasTenantId = !!this.config.tenantId;
-    
-    return baseValid && hasClientId && hasTenantId;
-  }
-}

package/src/auth/providers/OktaProvider.ts

@@ -1,46 +0,0 @@
-import { JwtPayload } from 'jsonwebtoken';
-import { RegisterClass } from '@memberjunction/global';
-import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
-import { BaseAuthProvider } from '../BaseAuthProvider.js';
-
-
-/**
- * Okta authentication provider implementation
- */
-@RegisterClass(BaseAuthProvider, 'okta')
-export class OktaProvider extends BaseAuthProvider {
-  constructor(config: AuthProviderConfig) {
-    super(config);
-  }
-
-  /**
-   * Extracts user information from Okta JWT payload
-   */
-  extractUserInfo(payload: JwtPayload): AuthUserInfo {
-    // Okta uses standard OIDC claims plus some custom ones
-    const email = payload.email as string | undefined || payload.preferred_username as string | undefined;
-    const fullName = payload.name as string | undefined;
-    const firstName = payload.given_name as string | undefined;
-    const lastName = payload.family_name as string | undefined;
-    const preferredUsername = payload.preferred_username as string | undefined || email;
-
-    return {
-      email,
-      firstName: firstName || fullName?.split(' ')[0],
-      lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
-      fullName,
-      preferredUsername
-    };
-  }
-
-  /**
-   * Validates Okta-specific configuration
-   */
-  validateConfig(): boolean {
-    const baseValid = super.validateConfig();
-    const hasClientId = !!this.config.clientId;
-    const hasDomain = !!this.config.domain;
-    
-    return baseValid && hasClientId && hasDomain;
-  }
-}

package/src/auth/tokenExpiredError.ts

@@ -1,12 +0,0 @@
-import { GraphQLError } from 'graphql';
-
-export class TokenExpiredError extends GraphQLError {
-  constructor(expiryDate: Date, message = 'The provided token has expired. Please authenticate again.') {
-    super(message, {
-      extensions: {
-        code: 'JWT_EXPIRED',
-        expiryDate: expiryDate.toISOString(),
-      },
-    });
-  }
-}