@mimik/oauth-helper 1.9.6 → 1.10.0

package/README.md

@@ -108,7 +108,7 @@ Validate the request by inspecting the token. To be used for `system` and `user`
 | request | <code>object</code> | The request with a token in the header. |
 | definitions | <code>object</code> | Swagger security definitions to compare with. |
 | scopes | <code>Array.&lt;string&gt;</code> | List of swagger scopes associated whith the requested endpoint. |
-| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: - in case of 'system' token: 'clientId', 'tokenType', 'customer', 'onBehlaf'. If the token is a cluster token the property 'cluster' is set to true. - in case of 'user' token: userId, appId, onBehalfId, 'onBehalf'. |
+| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: - in case of 'system' token: 'claims', clientId', 'tokenType', 'customer', 'onBehlaf'. If the token is a cluster token the property 'cluster' is set to true. - in case of 'user' token: claims, userId, appId, onBehalfId, 'onBehalf'. The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array. The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`. The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`. If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present. |
 
 <a name="module_oauth-helper..apiTokenAdminSecurityHelper"></a>
 
@@ -123,7 +123,7 @@ Validate the request by inspecting the token. To be used for `admin` token.
 | request | <code>object</code> | The request with a token in the header. |
 | definitions | <code>object</code> | Swagger security definitions to compare with. |
 | scopes | <code>Array.&lt;string&gt;</code> | List of swagger scopes associated whith the requested endpoint. |
-| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: 'clientId', tokenType', 'customer'. |
+| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: 'claims', clientId', tokenType', 'customer'. The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array. The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`. The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`. If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present. |
 
 <a name="requestCallback"></a>
 

package/index.js

@@ -26,6 +26,11 @@ const CLIENT = '@clients';
 const AUTHORIZATION = 'authorization';
 const HEADER = 'header';
 const CLUSTER = 'cluster';
+const SCOPES_SEPARATOR = ' ';
+const CLAIMS_SEPARATOR = ',';
+const RESOURCE_SEPARATOR = ':';
+const SCOPE_CLAIMS_SEPARATOR = '::';
+const CLAIMS_DEFINITION = 'Claims';
 
 const tokens = {};
 
@@ -87,24 +92,55 @@ module.exports = (config) => {
     }
     return auth[1];
   };
-  const checkScopes = (tokenScopes, defScopes) => {
+  const checkScopes = (tokenScopes, defScopes, swagger) => {
     if (!tokenScopes) {
       throw new Error('no scope in authorization token');
     }
-    const currentScopes = tokenScopes.split(' ');
+    let claims = [];
+    let onBehalf = false;
 
     if (defScopes && defScopes.length !== 0) {
-      const intersects = _.intersection(currentScopes, defScopes);
+      const currentScopes = tokenScopes.split(SCOPES_SEPARATOR);
+      const intersects = [];
+      let resourceIndex = 1;
+
+      currentScopes.forEach((currentScope) => {
+        const analyzedScope = currentScope.split(SCOPE_CLAIMS_SEPARATOR);
+        const analyzedResource = analyzedScope[0].split(RESOURCE_SEPARATOR);
+        if (analyzedResource[0] === ON_BEHALF) {
+          onBehalf = true;
+          resourceIndex = 2; // legacy handling
+        }
+
+        if (defScopes.includes(analyzedScope[0])) {
+          if (analyzedScope[1]) {
+            const includedDefinitionName = `${analyzedResource[resourceIndex]}${CLAIMS_DEFINITION}`;
 
+            if (!swagger || !swagger.swaggerObject || !swagger.swaggerObject.definitions) {
+              throw new Error(`missing ${includedDefinitionName} definition: no definitions`);
+            }
+            const includedDefinition = swagger.swaggerObject.definitions[includedDefinitionName];
+
+            if (!includedDefinition) {
+              throw new Error(`missing ${includedDefinitionName} definition`);
+            }
+            const includedClaims = analyzedScope[1].split(CLAIMS_SEPARATOR);
+            const definitionClaims = Object.keys(includedDefinition);
+            const claimsIntersects = _.intersection(includedClaims, definitionClaims);
+
+            if (claimsIntersects.length !== includedClaims.length) {
+              throw new Error(`incorrect claims included: ${_.difference(includedClaims, claimsIntersects)}`);
+            }
+            claims = claims.concat(claimsIntersects);
+          }
+          intersects.push(analyzedScope[0]);
+        }
+      });
       if (intersects.length === 0) {
         throw new Error(`incorrect scopes: ${tokenScopes}`);
       }
-
-      if (_.find(intersects, (scope) => scope.split(':')[0] === ON_BEHALF)) {
-        return true;
-      }
     }
-    return false;
+    return { onBehalf, claims };
   };
 
   const getToken = (type, origin, options, correlationId) => {
@@ -246,8 +282,13 @@ module.exports = (config) => {
    * @param {requestCallback} next - The callback that handles the response.
    *
    * The validation adds the following properties to the request:
-   * - in case of 'system' token: 'clientId', 'tokenType', 'customer', 'onBehlaf'. If the token is a cluster token the property 'cluster' is set to true.
-   * - in case of 'user' token: userId, appId, onBehalfId, 'onBehalf'.
+   * - in case of 'system' token: 'claims', clientId', 'tokenType', 'customer', 'onBehlaf'. If the token is a cluster token the property 'cluster' is set to true.
+   * - in case of 'user' token: claims, userId, appId, onBehalfId, 'onBehalf'.
+   *
+   * The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array.
+   * The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`.
+   * The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`.
+   * If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present.
    */
   const apiTokenSecurityHelper = (request, definitions, scopes, next) => {
     let authToken;
@@ -282,14 +323,15 @@ module.exports = (config) => {
         return;
       }
     }
-    let onBehalfOption = false;
+    let scopeResult;
 
-    try { onBehalfOption = checkScopes(token.scope, scopes); }
+    try { scopeResult = checkScopes(token.scope, scopes, request.swagger); }
     catch (errScopes) {
       next(errScopes);
       return;
     }
-    if (onBehalfOption) request[TOKEN_PARAMS.onBehalf] = true;
+    if (scopeResult.onBehalf) request[TOKEN_PARAMS.onBehalf] = true;
+    request[TOKEN_PARAMS.claims] = scopeResult.claims;
     if (definitions.flow === IMPLICIT) {
       if (token.sub) request[TOKEN_PARAMS.userId] = token.sub;
       if (token.azp) request[TOKEN_PARAMS.appId] = token.azp;
@@ -319,7 +361,12 @@ module.exports = (config) => {
    * @param {string[]} scopes - List of swagger scopes associated whith the requested endpoint.
    * @param {requestCallback} next - The callback that handles the response.
    *
-   * The validation adds the following properties to the request: 'clientId', tokenType', 'customer'.
+   * The validation adds the following properties to the request: 'claims', clientId', tokenType', 'customer'.
+   *
+   * The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array.
+   * The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`.
+   * The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`.
+   * If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present.
    */
   const apiTokenAdminSecurityHelper = (request, definitions, scopes, next) => {
     let authToken;
@@ -341,6 +388,16 @@ module.exports = (config) => {
       next(new Error('invalid token: wrong type'));
       return;
     }
+    if (token.subType === SUB_ADMIN) {
+      if (!token.cust) {
+        next(new Error('invalid token: no customer'));
+        return;
+      }
+    }
+    else if (token.sub !== `${config.security.admin.externalId}${CLIENT}`) {
+      next(new Error(`jwt subject invalid: ${token.sub}`));
+      return;
+    }
     try {
       jwt.verify(authToken, keys(flow), jwtOptions(flow));
     }
@@ -357,21 +414,14 @@ module.exports = (config) => {
         return;
       }
     }
-    try { checkScopes(token.scope, scopes); }
+    let scopeResult;
+
+    try { scopeResult = checkScopes(token.scope, scopes, request.swagger); }
     catch (errScopes) {
       next(errScopes);
       return;
     }
-    if (token.subType === SUB_ADMIN) {
-      if (!token.cust) {
-        next(new Error('invalid token: no customer'));
-        return;
-      }
-    }
-    else if (token.sub !== `${config.security.admin.externalId}${CLIENT}`) {
-      next(new Error(`jwt subject invalid: ${token.sub}`));
-      return;
-    }
+    request[TOKEN_PARAMS.claims] = scopeResult.claims;
     if (token.subType) request[TOKEN_PARAMS.tokenType] = token.subType;
     if (token.sub) request[TOKEN_PARAMS.clientId] = token.sub;
     if (token.cust) request[TOKEN_PARAMS.customer] = token.cust;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mimik/oauth-helper",
-  "version": "1.9.6",
+  "version": "1.10.0",
   "description": "Oauth helper for mimik microservices",
   "main": "index.js",
   "scripts": {
@@ -31,33 +31,33 @@
     "@mimik/request-retry": "^2.0.6",
     "@mimik/response-helper": "^2.6.0",
     "@mimik/sumologic-winston-logger": "^1.6.6",
-    "@mimik/swagger-helper": "^2.5.0",
+    "@mimik/swagger-helper": "^2.5.1",
     "bluebird": "3.7.2",
     "jsonwebtoken": "8.5.1",
     "lodash": "4.17.21"
   },
   "devDependencies": {
     "@mimik/eslint-plugin-dependencies": "^2.4.1",
-    "@mimik/eslint-plugin-document-env": "^1.0.0",
+    "@mimik/eslint-plugin-document-env": "^1.0.1",
     "@mimik/request-helper": "^1.7.3",
-    "body-parser": "1.19.1",
-    "chai": "4.3.4",
-    "eslint": "8.4.1",
+    "body-parser": "1.19.2",
+    "chai": "4.3.6",
+    "eslint": "8.10.0",
     "eslint-config-airbnb": "18.2.1",
-    "eslint-plugin-import": "2.25.3",
+    "eslint-plugin-import": "2.25.4",
     "eslint-plugin-jsx-a11y": "6.5.1",
     "eslint-plugin-react": "7.27.1",
     "eslint-plugin-react-hooks": "4.3.0",
-    "express": "4.17.1",
-    "fancy-log": "1.3.3",
+    "express": "4.17.3",
+    "fancy-log": "2.0.0",
     "gulp": "4.0.2",
     "gulp-eslint": "6.0.0",
     "gulp-git": "2.10.1",
     "gulp-spawn-mocha": "6.0.0",
     "husky": "7.0.4",
-    "jsdoc-to-markdown": "7.1.0",
-    "mocha": "9.1.3",
-    "mochawesome": "7.0.1",
+    "jsdoc-to-markdown": "7.1.1",
+    "mocha": "9.2.1",
+    "mochawesome": "7.1.0",
     "nyc": "15.1.0"
   }
 }

package/test/oauthHelper.spec.js

@@ -40,6 +40,7 @@ const adminTokenAppWrongId = jwt.sign(payload.admin, config.appGeneric.security.
 const adminTokenAppNoScope = jwt.sign(payload.adminNoScope, config.appGeneric.security.generic.key, options.adminApp);
 const subAdminTokenApp = jwt.sign(payload.subAdmin, config.appGeneric.security.generic.key, options.adminApp);
 const subAdminTokenAppNoCustomer = jwt.sign(payload.subAdminNoCustomer, config.appGeneric.security.generic.key, options.adminApp);
+const tokenWithClaims = jwt.sign(payload.withClaims, config.implImplicit.security.implicit.key, options.implImplicit);
 
 describe('OauthHelper Unit Tests', () => {
   before(() => {
@@ -137,6 +138,107 @@ describe('OauthHelper Unit Tests', () => {
         expect(err.message).to.equal(`incorrect scopes: ${scope.regular}`);
       });
     });
+    it('should generate an error missing definition: no definition', () => {
+      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: `Bearer ${tokenWithClaims}` } }, definition.implicit, scope.forClaims, (err) => {
+        if (!err) throw new Error('cannot be successful');
+        expect(err.message).to.equal('missing userClaims definition: no definitions');
+      });
+    });
+    it('should generate an error missing definition', () => {
+      oauthImplImplicit.apiTokenSecurityHelper({
+        headers: { authorization: `Bearer ${tokenWithClaims}` },
+        swagger: {
+          swaggerObject: {
+            definitions: {
+              testClaims: {
+                test: 'test',
+              },
+            },
+          },
+        },
+      }, definition.implicit, scope.forClaims, (err) => {
+        if (!err) throw new Error('cannot be successful');
+        expect(err.message).to.equal('missing userClaims definition');
+      });
+    });
+    it('should generate an error incorrect claims included', () => {
+      oauthImplImplicit.apiTokenSecurityHelper({
+        headers: { authorization: `Bearer ${tokenWithClaims}` },
+        swagger: {
+          swaggerObject: {
+            definitions: {
+              userClaims: {
+                test: 'test',
+              },
+            },
+          },
+        },
+      }, definition.implicit, scope.forClaims, (err) => {
+        if (!err) throw new Error('cannot be successful');
+        expect(err.message).to.equal('incorrect claims included: lastName,firstName');
+      });
+    });
+    it('should generate an error incorrect claims included', () => {
+      oauthImplImplicit.apiTokenSecurityHelper({
+        headers: { authorization: `Bearer ${tokenWithClaims}` },
+        swagger: {
+          swaggerObject: {
+            definitions: {
+              userClaims: {
+                lastName: 'test',
+                test: 'test',
+              },
+            },
+          },
+        },
+      }, definition.implicit, scope.forClaims, (err) => {
+        if (!err) throw new Error('cannot be successful');
+        expect(err.message).to.equal('incorrect claims included: firstName');
+      });
+    });
+    it('should return a token and request contains claims', () => {
+      const request = {
+        headers: { authorization: `Bearer ${tokenWithClaims}` },
+        swagger: {
+          swaggerObject: {
+            definitions: {
+              userClaims: {
+                lastName: 'test',
+                firstName: 'test',
+                test: 'test',
+              },
+            },
+          },
+        },
+      };
+      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.forClaims, (err) => {
+        if (err) throw err;
+        expect(request.claims).to.deep.equal(['lastName', 'firstName']);
+      });
+    });
+    it('should return a token and request contains multiple claims', () => {
+      const request = {
+        headers: { authorization: `Bearer ${tokenWithClaims}` },
+        swagger: {
+          swaggerObject: {
+            definitions: {
+              userClaims: {
+                lastName: 'test',
+                firstName: 'test',
+                test: 'test',
+              },
+              usersClaims: {
+                email: 'test',
+              },
+            },
+          },
+        },
+      };
+      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.forClaimsMultiple, (err) => {
+        if (err) throw err;
+        expect(request.claims).to.deep.equal(['lastName', 'firstName', 'email']);
+      });
+    });
     it('should have update request implicit with authorization', () => {
       const request = {
         headers: {

package/test/testConfig.js

@@ -216,9 +216,12 @@ const config = {
 const scope = {
   regular: 'test:1 test:2 test:3',
   onBehalf: 'test:1 onBehalf:1',
+  withClaims: 'get:user::lastName,firstName get:users::email',
   scopes: ['test:1', 'test:2', 'test:3'],
   otherScopes: ['test:4', 'test:5'],
   onBehalfScopes: ['onBehalf:1', 'test:6'],
+  forClaims: ['get:user'],
+  forClaimsMultiple: ['get:user', 'get:users'],
 };
 const cust = 'testCustomer';
 const subType = 'testType';
@@ -251,6 +254,12 @@ const payload = {
     subType,
     cust,
   },
+  withClaims: {
+    scope: scope.withClaims,
+    subType,
+    azp,
+    cust,
+  },
   exchange: {
     scope: scope.regular,
     subType,