@mimik/oauth-helper 2.2.0 → 3.0.1

package/README.md

@@ -22,13 +22,8 @@ const oauthHelper = require('@mimik/oauth-helper');
 ```
 
 * [oauth-helper](#module_oauth-helper)
-    * _async_
-        * [~rpAuth(type, options)](#module_oauth-helper..rpAuth) ⇒ <code>Promise</code>
-        * [~authProfile(method, id, correlationId, options)](#module_oauth-helper..authProfile) ⇒ <code>Promise</code>
-    * _callback_
-        * [~apiKeySecurityHelper(request, definitions, apiKey, next)](#module_oauth-helper..apiKeySecurityHelper)
-        * [~apiTokenSecurityHelper(request, definitions, scopes, next)](#module_oauth-helper..apiTokenSecurityHelper)
-        * [~apiTokenAdminSecurityHelper(request, definitions, scopes, next)](#module_oauth-helper..apiTokenAdminSecurityHelper)
+    * [~rpAuth(type, options)](#module_oauth-helper..rpAuth) ⇒ <code>Promise</code>
+    * [~authProfile(method, id, correlationId, options)](#module_oauth-helper..authProfile) ⇒ <code>Promise</code>
 
 <a name="module_oauth-helper..rpAuth"></a>
 
@@ -88,51 +83,6 @@ Make an authProfile request to mID.
 | correlationId | <code>UUID.&lt;string&gt;</code> | CorrelationId to associated with the request. |
 | options | <code>object</code> | Options to be added to the request. metrics can then be added to the options. |
 
-<a name="module_oauth-helper..apiKeySecurityHelper"></a>
-
-### oauth-helper~apiKeySecurityHelper(request, definitions, apiKey, next)
-Validate the request by checking the apiKey. To be used for `apikey`;
-
-**Kind**: inner method of [<code>oauth-helper</code>](#module_oauth-helper)  
-**Category**: callback  
-
-| Param | Type | Description |
-| --- | --- | --- |
-| request | <code>object</code> | The request with a token in the header. |
-| definitions | <code>object</code> | Swagger security definitions to compare with. |
-| apiKey | <code>Array.&lt;string&gt;</code> | APIky extracted from the defined location. |
-| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: - apiKey Only the header location is allowed. |
-
-<a name="module_oauth-helper..apiTokenSecurityHelper"></a>
-
-### oauth-helper~apiTokenSecurityHelper(request, definitions, scopes, next)
-Validate the request by inspecting the token. To be used for `system` and `user` token.
-
-**Kind**: inner method of [<code>oauth-helper</code>](#module_oauth-helper)  
-**Category**: callback  
-
-| Param | Type | Description |
-| --- | --- | --- |
-| request | <code>object</code> | The request with a token in the header. |
-| definitions | <code>object</code> | Swagger security definitions to compare with. |
-| scopes | <code>Array.&lt;string&gt;</code> | List of swagger scopes associated whith the requested endpoint. |
-| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: - in case of 'system' token: 'claims', clientId', 'tokenType', 'customer', 'onBehlaf'. If the token is a cluster token the property 'cluster' is set to true. - in case of 'user' token: claims, userId, appId, onBehalfId, 'onBehalf'. The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array. The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`. The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`. If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present. |
-
-<a name="module_oauth-helper..apiTokenAdminSecurityHelper"></a>
-
-### oauth-helper~apiTokenAdminSecurityHelper(request, definitions, scopes, next)
-Validate the request by inspecting the token. To be used for `admin` token.
-
-**Kind**: inner method of [<code>oauth-helper</code>](#module_oauth-helper)  
-**Category**: callback  
-
-| Param | Type | Description |
-| --- | --- | --- |
-| request | <code>object</code> | The request with a token in the header. |
-| definitions | <code>object</code> | Swagger security definitions to compare with. |
-| scopes | <code>Array.&lt;string&gt;</code> | List of swagger scopes associated whith the requested endpoint. |
-| next | [<code>requestCallback</code>](#requestCallback) | The callback that handles the response. The validation adds the following properties to the request: 'claims', clientId', tokenType', 'customer'. The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array. The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`. The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`. If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present. |
-
 <a name="requestCallback"></a>
 
 ## requestCallback : <code>function</code>

package/index.js

@@ -1,11 +1,9 @@
 const Promise = require('bluebird');
 const jwt = require('jsonwebtoken');
-const _ = require('lodash');
 
 const { rpRetry } = require('@mimik/request-retry');
 const logger = require('@mimik/sumologic-winston-logger');
 const { getRichError } = require('@mimik/response-helper');
-const { TOKEN_PARAMS } = require('@mimik/swagger-helper');
 
 Promise.config({ cancellation: true });
 /**
@@ -15,22 +13,7 @@ Promise.config({ cancellation: true });
  */
 
 const TOKEN_REFRESH_TOLERANCE = 900; // in seconds
-const ON_BEHALF = 'onBehalf';
-const SUB_ADMIN = 'subAdmin';
-const ADMIN = 'admin';
-const USER = 'user';
-const NO_GENERIC = 'noGeneric';
-// const APPLICATION = 'application';
-const IMPLICIT = 'implicit';
-const CLIENT = '@clients';
-const AUTHORIZATION = 'authorization';
-const HEADER = 'header';
 const CLUSTER = 'cluster';
-const SCOPES_SEPARATOR = ' ';
-const CLAIMS_SEPARATOR = ',';
-const RESOURCE_SEPARATOR = ':';
-const SCOPE_CLAIMS_SEPARATOR = '::';
-const CLAIMS_DEFINITION = 'Claims';
 const CLIENT_CEDENTIALS = 'client_credentials';
 const REFRESH_TOKEN = 'refresh_token';
 
@@ -51,100 +34,7 @@ const createToken = (value) => {
 };
 
 module.exports = (config) => {
-  const { implicit, server, generic } = config.security;
-  const jwtOptions = (fl) => {
-    if (fl === IMPLICIT) { // user flow
-      return {
-        audience: (implicit && implicit.audience) || server.audience,
-        issuer: (implicit && implicit.issuer) || server.issuer,
-      };
-    }
-    // server to server or admin flow (application)
-    return {
-      audience: (generic.audience === NO_GENERIC) ? server.audience : generic.audience,
-      issuer: server.issuer,
-      // subject: `${config.serverSettings.id}@clients`,
-    };
-  };
-  const keys = (fl) => {
-    if (fl === IMPLICIT) { // user flow
-      return (implicit && implicit.key)
-        || ((generic.key === NO_GENERIC) ? server.accessKey : generic.key);
-    }
-    // server to server or admin flow (application)
-    return (generic.key === NO_GENERIC) ? server.accessKey : generic.key;
-  };
-  const checkHeaders = (headers) => {
-    if (!headers) {
-      throw new Error('missing header');
-    }
-    const authNames = Object.keys(headers).filter((key) => key.toLowerCase() === AUTHORIZATION);
-    const authNamesLength = authNames.length;
-
-    if (authNamesLength === 0) {
-      throw new Error(`missing ${AUTHORIZATION} header`);
-    }
-    if (authNamesLength !== 1) {
-      throw new Error(`duplicated ${AUTHORIZATION} header`);
-    }
-    const auth = headers[authNames[0]].split(' ');
-
-    if ((auth[0] !== 'bearer' && auth[0] !== 'Bearer') || auth.length !== 2) {
-      throw new Error(`authorization type incorrect: ${auth[0]}`);
-    }
-    return auth[1];
-  };
-  const checkScopes = (tokenScopes, defScopes, swagger) => {
-    if (!tokenScopes) {
-      throw new Error('no scope in authorization token');
-    }
-    let claims = [];
-    let onBehalf = false;
-
-    if (defScopes && defScopes.length !== 0) {
-      const currentScopes = tokenScopes.split(SCOPES_SEPARATOR);
-      const intersects = [];
-      let resourceIndex = 1;
-
-      currentScopes.forEach((currentScope) => {
-        const analyzedScope = currentScope.split(SCOPE_CLAIMS_SEPARATOR);
-        const analyzedResource = analyzedScope[0].split(RESOURCE_SEPARATOR);
-        if (analyzedResource[0] === ON_BEHALF) {
-          onBehalf = true;
-          resourceIndex = 2; // legacy handling
-        }
-
-        if (defScopes.includes(analyzedScope[0])) {
-          if (analyzedScope[1]) {
-            const includedDefinitionName = `${analyzedResource[resourceIndex]}${CLAIMS_DEFINITION}`;
-
-            if (!swagger || !swagger.swaggerObject || !swagger.swaggerObject.definitions) {
-              throw new Error(`missing ${includedDefinitionName} definition: no definitions`);
-            }
-            const includedDefinition = swagger.swaggerObject.definitions[includedDefinitionName];
-
-            if (!includedDefinition) {
-              throw new Error(`missing ${includedDefinitionName} definition`);
-            }
-            const includedClaims = analyzedScope[1].split(CLAIMS_SEPARATOR);
-            const definitionClaims = Object.keys(includedDefinition);
-            const claimsIntersects = _.intersection(includedClaims, definitionClaims);
-
-            if (claimsIntersects.length !== includedClaims.length) {
-              throw new Error(`incorrect claims included: ${_.difference(includedClaims, claimsIntersects)}`);
-            }
-            claims = claims.concat(claimsIntersects);
-          }
-          intersects.push(analyzedScope[0]);
-        }
-      });
-      if (intersects.length === 0) {
-        throw new Error(`incorrect scopes: ${tokenScopes}`);
-      }
-    }
-    return { onBehalf, claims };
-  };
-
+  const { server } = config.security;
   const getToken = (type, origin, correlationId, options) => {
     const tokenOptions = {
       method: 'POST',
@@ -292,190 +182,6 @@ module.exports = (config) => {
       });
   };
 
-  /**
-   * Validate the request by checking the apiKey. To be used for `apikey`;
-   *
-   * @function apiKeySecurityHelper
-   * @category callback
-   * @param {object} request - The request with a token in the header.
-   * @param {object} definitions - Swagger security definitions to compare with.
-   * @param {string[]} apiKey - APIky extracted from the defined location.
-   * @param {requestCallback} next - The callback that handles the response.
-   *
-   * The validation adds the following properties to the request:
-   * - apiKey
-   * Only the header location is allowed.
-   */
-  const apiKeySecurityHelper = (request, definitions, apiKey, next) => {
-    if (definitions.in !== HEADER) {
-      next(new Error(`invalid location: only ${HEADER} is accepted`));
-      return;
-    }
-    if (config.security.apiKeys.includes(apiKey)) {
-      request.apiKey = apiKey;
-      next(null);
-      return;
-    }
-    next(new Error('invalid API key'));
-  };
-
-  /**
-   * Validate the request by inspecting the token. To be used for `system` and `user` token.
-   *
-   * @function apiTokenSecurityHelper
-   * @category callback
-   * @param {object} request - The request with a token in the header.
-   * @param {object} definitions - Swagger security definitions to compare with.
-   * @param {string[]} scopes - List of swagger scopes associated whith the requested endpoint.
-   * @param {requestCallback} next - The callback that handles the response.
-   *
-   * The validation adds the following properties to the request:
-   * - in case of 'system' token: 'claims', clientId', 'tokenType', 'customer', 'onBehlaf'. If the token is a cluster token the property 'cluster' is set to true.
-   * - in case of 'user' token: claims, userId, appId, onBehalfId, 'onBehalf'.
-   *
-   * The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array.
-   * The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`.
-   * The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`.
-   * If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present.
-   */
-  const apiTokenSecurityHelper = (request, definitions, scopes, next) => {
-    let authToken;
-    const { flow } = definitions;
-
-    try { authToken = checkHeaders(request.headers); }
-    catch (err) {
-      next(err);
-      return;
-    }
-    const token = jwt.decode(authToken);
-
-    if (!token) {
-      next(new Error('invalid token'));
-      return;
-    }
-    if (token.subType === ADMIN || token.subType === SUB_ADMIN) {
-      next(new Error('invalid token: wrong type'));
-      return;
-    }
-    try { jwt.verify(authToken, keys(flow), jwtOptions(flow)); }
-    catch (err) {
-      if (flow !== IMPLICIT && generic.previousKey) { // backward compatibility
-        try { jwt.verify(authToken, generic.previousKey, jwtOptions(flow)); }
-        catch (secondErr) {
-          next(secondErr);
-          return;
-        }
-      }
-      else {
-        next(err);
-        return;
-      }
-    }
-    let scopeResult;
-
-    try { scopeResult = checkScopes(token.scope, scopes, request.swagger); }
-    catch (errScopes) {
-      next(errScopes);
-      return;
-    }
-    if (scopeResult.onBehalf) request[TOKEN_PARAMS.onBehalf] = true;
-    request[TOKEN_PARAMS.claims] = scopeResult.claims;
-    if (definitions.flow === IMPLICIT) {
-      if (token.sub) request[TOKEN_PARAMS.userId] = token.sub;
-      if (token.azp) request[TOKEN_PARAMS.appId] = token.azp;
-      if (token.may_act && token.may_act.sub) {
-        request[TOKEN_PARAMS.onBehalfId] = token.sub;
-        request[TOKEN_PARAMS.userId] = token.may_act.sub;
-      }
-      request.tokenType = USER;
-      next(null);
-      return;
-    }
-    // server to server or admin flow (application)
-    if (token.sub) request[TOKEN_PARAMS.clientId] = token.sub;
-    if (token.subType) request[TOKEN_PARAMS.tokenType] = token.subType;
-    if (token.cust) request[TOKEN_PARAMS.customer] = token.cust;
-    if (token.type === CLUSTER) request[TOKEN_PARAMS.cluster] = true;
-    next(null);
-  };
-
-  /**
-   * Validate the request by inspecting the token. To be used for `admin` token.
-   *
-   * @function apiTokenAdminSecurityHelper
-   * @category callback
-   * @param {object} request - The request with a token in the header.
-   * @param {object} definitions - Swagger security definitions to compare with.
-   * @param {string[]} scopes - List of swagger scopes associated whith the requested endpoint.
-   * @param {requestCallback} next - The callback that handles the response.
-   *
-   * The validation adds the following properties to the request: 'claims', clientId', tokenType', 'customer'.
-   *
-   * The claims array contains the claims that are included on the scope of the recieved token. It there is no claims in the scope the claims property in request is an emtpy array.
-   * The scope must have the followimg format: `<action>:<resourceName>::<claims>`` where claims is a set of claims separatedby `,`. The is an exception for onBelf scope where the format is `onbBehalf:<action><resourceName>::<claims>`.
-   * The claims will be validated looking at the definitions property of the swagger file, by looking at at the top level properties of a definition named: `<resourceName>Claims`.
-   * If there is multiple scopes to use, the claims array will contain a concatenation of all the claims if present.
-   */
-  const apiTokenAdminSecurityHelper = (request, definitions, scopes, next) => {
-    let authToken;
-    const { flow } = definitions;
-
-    try { authToken = checkHeaders(request.headers); }
-    catch (err) {
-      next(err);
-      return;
-    }
-
-    const token = jwt.decode(authToken);
-
-    if (!token) {
-      next(new Error('invalid token'));
-      return;
-    }
-    if (token.subType !== ADMIN && token.subType !== SUB_ADMIN) {
-      next(new Error('invalid token: wrong type'));
-      return;
-    }
-    if (token.subType === SUB_ADMIN) {
-      if (!token.cust) {
-        next(new Error('invalid token: no customer'));
-        return;
-      }
-    }
-    else if (token.sub !== `${config.security.admin.externalId}${CLIENT}`) {
-      next(new Error(`jwt subject invalid: ${token.sub}`));
-      return;
-    }
-    try {
-      jwt.verify(authToken, keys(flow), jwtOptions(flow));
-    }
-    catch (err) {
-      if (generic.previousKey) { // backward compatibility
-        try { jwt.verify(authToken, generic.previousKey, jwtOptions(flow)); }
-        catch (secondErr) {
-          next(secondErr);
-          return;
-        }
-      }
-      else {
-        next(err);
-        return;
-      }
-    }
-    let scopeResult;
-
-    try { scopeResult = checkScopes(token.scope, scopes, request.swagger); }
-    catch (errScopes) {
-      next(errScopes);
-      return;
-    }
-    request[TOKEN_PARAMS.claims] = scopeResult.claims;
-    if (token.subType) request[TOKEN_PARAMS.tokenType] = token.subType;
-    if (token.sub) request[TOKEN_PARAMS.clientId] = token.sub;
-    if (token.cust) request[TOKEN_PARAMS.customer] = token.cust;
-    next(null);
-  };
-
   /**
    * Make an authProfile request to mID.
    *
@@ -515,9 +221,6 @@ module.exports = (config) => {
 
   return {
     rpAuth,
-    apiKeySecurityHelper,
-    apiTokenSecurityHelper,
-    apiTokenAdminSecurityHelper,
     authProfile,
   };
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mimik/oauth-helper",
-  "version": "2.2.0",
+  "version": "3.0.1",
   "description": "Oauth helper for mimik microservices",
   "main": "index.js",
   "scripts": {
@@ -29,25 +29,23 @@
     "url": "https://bitbucket.org/mimiktech/oauth-helper"
   },
   "dependencies": {
-    "@mimik/request-retry": "^2.1.4",
-    "@mimik/response-helper": "^2.6.3",
-    "@mimik/sumologic-winston-logger": "^1.6.15",
-    "@mimik/swagger-helper": "^3.0.3",
+    "@mimik/request-retry": "^3.0.1",
+    "@mimik/response-helper": "^3.0.1",
+    "@mimik/sumologic-winston-logger": "^1.6.20",
     "bluebird": "3.7.2",
-    "jsonwebtoken": "9.0.0",
-    "lodash": "4.17.21"
+    "jsonwebtoken": "9.0.2"
   },
   "devDependencies": {
-    "@mimik/eslint-plugin-dependencies": "^2.4.5",
-    "@mimik/eslint-plugin-document-env": "^1.0.5",
-    "@mimik/request-helper": "^1.7.8",
+    "@mimik/eslint-plugin-dependencies": "^2.4.6",
+    "@mimik/eslint-plugin-document-env": "^1.0.6",
+    "@mimik/request-helper": "^1.7.10",
     "body-parser": "1.20.2",
-    "chai": "4.3.7",
-    "eslint": "8.38.0",
+    "chai": "4.3.10",
+    "eslint": "8.55.0",
     "eslint-config-airbnb": "19.0.4",
-    "eslint-plugin-import": "2.27.5",
-    "eslint-plugin-jsx-a11y": "6.7.1",
-    "eslint-plugin-react": "7.32.2",
+    "eslint-plugin-import": "2.29.0",
+    "eslint-plugin-jsx-a11y": "6.8.0",
+    "eslint-plugin-react": "7.33.2",
     "eslint-plugin-react-hooks": "4.6.0",
     "express": "4.18.2",
     "husky": "8.0.3",

package/test/oauthHelper.spec.js

@@ -1,4 +1,3 @@
-const jwt = require('jsonwebtoken');
 const chai = require('chai');
 
 require('./testEnv');
@@ -9,395 +8,24 @@ const { rpRetry } = require('@mimik/request-retry');
 const oauthHelper = require('../index');
 const {
   config,
-  payload,
-  options,
-  definition,
-  scope,
 } = require('./testConfig');
 const mockServer = require('./serversMock');
 
 const { expect } = chai;
 chai.should();
 
-const USER = 'user';
-const UNKNOWN = 'unknown';
-
 const correlationId = getCorrelationId('--test-OauthHelper--');
-const oauthImplImplicit = oauthHelper(config.implImplicit);
 // const oauthImplNoGeneric = oauthHelper(config.implNoGeneric);
 // const oauthImplGeneric = oauthHelper(config.implGeneric);
 const oauthAppGeneric = oauthHelper(config.appGeneric);
-const oauthAppNoGeneric = oauthHelper(config.appNoGeneric);
 const oauthAppUnknownIssuer = oauthHelper(config.appUnknownIssuer);
 // const oauthAppExpiredToken = oauthHelper(config.appExpiredToken);
 const oauthAppExpiredTokenAndFail = oauthHelper(config.appExpiredTokenAndFail);
 
-const tokenImpl = jwt.sign(payload.regular, config.implImplicit.security.implicit.key, options.implImplicit);
-const tokenImplNoScope = jwt.sign(payload.noScope, config.implImplicit.security.implicit.key, options.implImplicit);
-const tokenImplOnBehalf = jwt.sign(payload.onBehalf, config.implImplicit.security.implicit.key, options.implImplicit);
-const tokenImplExchange = jwt.sign(payload.exchange, config.implImplicit.security.implicit.key, options.implImplicit);
-const tokenApp = jwt.sign(payload.regular, config.appGeneric.security.generic.key, options.appGeneric);
-const adminTokenApp = jwt.sign(payload.admin, config.appGeneric.security.generic.key, options.adminApp);
-const adminTokenAppWrongId = jwt.sign(payload.admin, config.appGeneric.security.generic.key, options.adminAppWrongId);
-const adminTokenAppNoScope = jwt.sign(payload.adminNoScope, config.appGeneric.security.generic.key, options.adminApp);
-const subAdminTokenApp = jwt.sign(payload.subAdmin, config.appGeneric.security.generic.key, options.adminApp);
-const subAdminTokenAppNoCustomer = jwt.sign(payload.subAdminNoCustomer, config.appGeneric.security.generic.key, options.adminApp);
-const tokenWithClaims = jwt.sign(payload.withClaims, config.implImplicit.security.implicit.key, options.implImplicit);
-
 describe('OauthHelper Unit Tests', () => {
   before(() => {
     mockServer.listen();
   });
-  describe('apiKeySecurityHelper(request, definitions, scopes, next)', () => {
-    it('no header should generate an error invalid API key', () => {
-      oauthAppGeneric.apiKeySecurityHelper({}, definition.apiKey, UNKNOWN, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.include('invalid API key');
-      });
-    });
-    it('header with no name should generate an error invalid API key', () => {
-      oauthAppGeneric.apiKeySecurityHelper({ headers: {} }, definition.apiKey, UNKNOWN, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.include('invalid API key');
-      });
-    });
-    it('header with wrong name should generate an error invalid API key', () => {
-      oauthAppGeneric.apiKeySecurityHelper({ headers: { authorization: 'Unknown 1234' } }, definition.apiKey, UNKNOWN, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.include('invalid API key');
-      });
-    });
-    it('should generate an error because of invalid API key', () => {
-      oauthAppGeneric.apiKeySecurityHelper({ headers: { api_key: UNKNOWN } }, definition.apiKey, UNKNOWN, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.include('invalid API key');
-      });
-    });
-    it('should be successful with request update', () => {
-      const request = {
-        headers: {
-          api_key: '12345',
-        },
-      };
-      oauthAppGeneric.apiKeySecurityHelper(request, definition.apiKey, request.headers.api_key, (err) => {
-        if (err) throw err;
-        expect(request.apiKey).to.equal('12345');
-      });
-    });
-  });
-  describe('apiTokenSecurityHelper(request, definitions, scopes, next)', () => {
-    it('should generate an error missing header', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({}, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('missing header');
-      });
-    });
-    it('should generate an error missing authorization header', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: {} }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('missing authorization header');
-      });
-    });
-    it('should generate an error duplicated authorization header', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: '1234', Authorization: '4321' } }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('duplicated authorization header');
-      });
-    });
-    it('should generate an error authorization type incorrect', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: 'Unknown 1234' } }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('authorization type incorrect: Unknown');
-      });
-    });
-    it('should generate an error invalid token', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: 'Bearer 1234' } }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid token');
-      });
-    });
-    it('should generate an error invalid token: wrong type', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: `Bearer ${adminTokenApp}` } }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid token: wrong type');
-      });
-    });
-    it('should generate an error invalid signature', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: `Bearer ${tokenApp}` } }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid signature');
-      });
-    });
-    it('should generate an error no scope in authorization token', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: `Bearer ${tokenImplNoScope}` } }, definition.implicit, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('no scope in authorization token');
-      });
-    });
-    it('should generate an error incorrect scopes', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: `Bearer ${tokenImpl}` } }, definition.implicit, scope.otherScopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal(`incorrect scopes: ${scope.regular}`);
-      });
-    });
-    it('should generate an error missing definition: no definition', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({ headers: { authorization: `Bearer ${tokenWithClaims}` } }, definition.implicit, scope.forClaims, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('missing userClaims definition: no definitions');
-      });
-    });
-    it('should generate an error missing definition', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({
-        headers: { authorization: `Bearer ${tokenWithClaims}` },
-        swagger: {
-          swaggerObject: {
-            definitions: {
-              testClaims: {
-                test: 'test',
-              },
-            },
-          },
-        },
-      }, definition.implicit, scope.forClaims, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('missing userClaims definition');
-      });
-    });
-    it('should generate an error incorrect claims included', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({
-        headers: { authorization: `Bearer ${tokenWithClaims}` },
-        swagger: {
-          swaggerObject: {
-            definitions: {
-              userClaims: {
-                test: 'test',
-              },
-            },
-          },
-        },
-      }, definition.implicit, scope.forClaims, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('incorrect claims included: lastName,firstName');
-      });
-    });
-    it('should generate an error incorrect claims included', () => {
-      oauthImplImplicit.apiTokenSecurityHelper({
-        headers: { authorization: `Bearer ${tokenWithClaims}` },
-        swagger: {
-          swaggerObject: {
-            definitions: {
-              userClaims: {
-                lastName: 'test',
-                test: 'test',
-              },
-            },
-          },
-        },
-      }, definition.implicit, scope.forClaims, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('incorrect claims included: firstName');
-      });
-    });
-    it('should return a token and request contains claims', () => {
-      const request = {
-        headers: { authorization: `Bearer ${tokenWithClaims}` },
-        swagger: {
-          swaggerObject: {
-            definitions: {
-              userClaims: {
-                lastName: 'test',
-                firstName: 'test',
-                test: 'test',
-              },
-            },
-          },
-        },
-      };
-      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.forClaims, (err) => {
-        if (err) throw err;
-        expect(request.claims).to.deep.equal(['lastName', 'firstName']);
-      });
-    });
-    it('should return a token and request contains multiple claims', () => {
-      const request = {
-        headers: { authorization: `Bearer ${tokenWithClaims}` },
-        swagger: {
-          swaggerObject: {
-            definitions: {
-              userClaims: {
-                lastName: 'test',
-                firstName: 'test',
-                test: 'test',
-              },
-              usersClaims: {
-                email: 'test',
-              },
-            },
-          },
-        },
-      };
-      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.forClaimsMultiple, (err) => {
-        if (err) throw err;
-        expect(request.claims).to.deep.equal(['lastName', 'firstName', 'email']);
-      });
-    });
-    it('should have update request implicit with authorization', () => {
-      const request = {
-        headers: {
-          authorization: `Bearer ${tokenImpl}`,
-        },
-      };
-      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.scopes, (err) => {
-        if (err) throw err;
-        expect(request.userId).to.equal(options.implImplicit.subject);
-        expect(request.tokenType).to.equal(USER);
-        expect(request.onBehalf).to.equal(undefined);
-        expect(request.appId).to.equal(payload.regular.azp);
-      });
-    });
-    it('should have update request implicit with Authorization', () => {
-      const request = {
-        headers: {
-          Authorization: `Bearer ${tokenImpl}`,
-        },
-      };
-      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.scopes, (err) => {
-        if (err) throw err;
-        expect(request.userId).to.equal(options.implImplicit.subject);
-        expect(request.tokenType).to.equal(USER);
-        expect(request.onBehalf).to.equal(undefined);
-        expect(request.appId).to.equal(payload.regular.azp);
-      });
-    });
-    it('should have update request with onBehalf', () => {
-      const request = {
-        headers: {
-          authorization: `Bearer ${tokenImplOnBehalf}`,
-        },
-      };
-      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.onBehalfScopes, (err) => {
-        if (err) throw err;
-        expect(request.userId).to.equal(options.implImplicit.subject);
-        expect(request.tokenType).to.equal(USER);
-        expect(request.onBehalf).to.equal(true);
-        expect(request.appId).to.equal(undefined);
-      });
-    });
-    it('should have update request with exchange', () => {
-      const request = {
-        headers: {
-          authorization: `Bearer ${tokenImplExchange}`,
-        },
-      };
-      oauthImplImplicit.apiTokenSecurityHelper(request, definition.implicit, scope.scopes, (err) => {
-        if (err) throw err;
-        expect(request.userId).to.equal(payload.exchange.may_act.sub);
-        expect(request.onBehalfId).to.equal(options.implImplicit.subject);
-        expect(request.tokenType).to.equal(USER);
-      });
-    });
-    it('should have update request application', () => {
-      const request = {
-        headers: {
-          authorization: `Bearer ${tokenApp}`,
-        },
-      };
-      oauthAppGeneric.apiTokenSecurityHelper(request, definition.application, scope.scopes, (err) => {
-        if (err) throw err;
-        expect(request.clientId).to.equal(options.appGeneric.subject);
-        expect(request.customer).to.equal(payload.regular.cust);
-        expect(request.tokenType).to.equal(payload.regular.subType);
-      });
-    });
-  });
-  describe('apiTokenAdminSecurityHelper(request, definitions, scopes, next)', () => {
-    it('should generate an error missing header', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({}, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('missing header');
-      });
-    });
-    it('should generate an error missing authorization header', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: {} }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('missing authorization header');
-      });
-    });
-    it('should generate an error authorization type incorrect', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: 'Unknown 1234' } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('authorization type incorrect: Unknown');
-      });
-    });
-    it('should generate an error invalid token', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: 'Bearer 1234' } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid token');
-      });
-    });
-    it('should generate an error invalid token: wrong type', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: `Bearer ${tokenApp}` } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid token: wrong type');
-      });
-    });
-    it('should generate an error invalid signature', () => {
-      oauthAppNoGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: `Bearer ${adminTokenApp}` } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid signature');
-      });
-    });
-    it('should generate an error no scope in authorization token', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: `Bearer ${adminTokenAppNoScope}` } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('no scope in authorization token');
-      });
-    });
-    it('should generate an error incorrect scopes', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: `Bearer ${adminTokenApp}` } }, definition.application, scope.otherScopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal(`incorrect scopes: ${scope.regular}`);
-      });
-    });
-    it('should generate an error jwt subject invalid', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: `Bearer ${adminTokenAppWrongId}` } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal(`jwt subject invalid: ${options.adminAppWrongId.subject}`);
-      });
-    });
-    it('should generate an error invalid token: no customer', () => {
-      oauthAppGeneric.apiTokenAdminSecurityHelper({ headers: { authorization: `Bearer ${subAdminTokenAppNoCustomer}` } }, definition.application, scope.scopes, (err) => {
-        if (!err) throw new Error('cannot be successful');
-        expect(err.message).to.equal('invalid token: no customer');
-      });
-    });
-    it('should have update request admin', () => {
-      const request = {
-        headers: {
-          authorization: `Bearer ${adminTokenApp}`,
-        },
-      };
-      oauthAppGeneric.apiTokenAdminSecurityHelper(request, definition.application, scope.scopes, (err) => {
-        if (err) throw err;
-        expect(request.clientId).to.equal(options.adminApp.subject);
-        expect(request.tokenType).to.equal(payload.admin.subType);
-        expect(request.customer).to.equal(payload.admin.cust);
-      });
-    });
-    it('should have update request subAdmin', () => {
-      const request = {
-        headers: {
-          authorization: `Bearer ${subAdminTokenApp}`,
-        },
-      };
-      oauthAppGeneric.apiTokenAdminSecurityHelper(request, definition.application, scope.scopes, (err) => {
-        if (err) throw err;
-        expect(request.clientId).to.equal(options.adminApp.subject);
-        expect(request.tokenType).to.equal(payload.subAdmin.subType);
-        expect(request.customer).to.equal(payload.subAdmin.cust);
-      });
-    });
-  });
   describe('rpAuth(type, options)', function test() {
     this.timeout(200000);
     const requestOptions = {

package/test/testConfig.js

@@ -1,11 +1,4 @@
 const NO_GENERIC = 'noGeneric';
-const APPLICATION = 'application';
-const IMPLICIT = 'implicit';
-const SUB_ADMIN = 'subAdmin';
-const ADMIN = 'admin';
-const CLIENT = '@clients';
-const API_KEY = 'api_key';
-const HEADER = 'header';
 
 const config = {
   implImplicit: {
@@ -213,111 +206,7 @@ const config = {
     },
   },
 };
-const scope = {
-  regular: 'test:1 test:2 test:3',
-  onBehalf: 'test:1 onBehalf:1',
-  withClaims: 'get:user::lastName,firstName get:users::email',
-  scopes: ['test:1', 'test:2', 'test:3'],
-  otherScopes: ['test:4', 'test:5'],
-  onBehalfScopes: ['onBehalf:1', 'test:6'],
-  forClaims: ['get:user'],
-  forClaimsMultiple: ['get:user', 'get:users'],
-};
-const cust = 'testCustomer';
-const subType = 'testType';
-const azp = 'applicationId';
-const definition = {
-  implicit: {
-    flow: IMPLICIT,
-  },
-  application: {
-    flow: APPLICATION,
-  },
-  apiKey: {
-    name: API_KEY,
-    in: HEADER,
-  },
-};
-const payload = {
-  regular: {
-    scope: scope.regular,
-    subType,
-    azp,
-    cust,
-  },
-  noScope: {
-    subType,
-    cust,
-  },
-  onBehalf: {
-    scope: scope.onBehalf,
-    subType,
-    cust,
-  },
-  withClaims: {
-    scope: scope.withClaims,
-    subType,
-    azp,
-    cust,
-  },
-  exchange: {
-    scope: scope.regular,
-    subType,
-    cust,
-    may_act: {
-      sub: 'managerId',
-    },
-  },
-  admin: {
-    scope: scope.regular,
-    subType: ADMIN,
-    cust,
-  },
-  adminNoScope: {
-    subType: ADMIN,
-    cust,
-  },
-  subAdmin: {
-    scope: scope.regular,
-    subType: SUB_ADMIN,
-    cust,
-  },
-  subAdminNoCustomer: {
-    scope: scope.regular,
-    subType: SUB_ADMIN,
-  },
-};
-const options = {
-  implImplicit: {
-    expiresIn: Date.now() + 100000,
-    audience: config.implImplicit.security.implicit.audience,
-    issuer: config.implImplicit.security.implicit.issuer,
-    subject: 'userId',
-  },
-  appGeneric: {
-    expiresIn: Date.now() + 100000,
-    audience: config.appGeneric.security.generic.audience,
-    issuer: config.appGeneric.security.server.issuer,
-    subject: `${config.appGeneric.server.id}${CLIENT}`,
-  },
-  adminApp: {
-    expiresIn: Date.now() + 100000,
-    audience: config.appGeneric.security.generic.audience,
-    issuer: config.appGeneric.security.server.issuer,
-    subject: `${config.appGeneric.security.admin.externalId}${CLIENT}`,
-  },
-  adminAppWrongId: {
-    expiresIn: Date.now() + 100000,
-    audience: config.appGeneric.security.generic.audience,
-    issuer: config.appGeneric.security.server.issuer,
-    subject: `wrongId${CLIENT}`,
-  },
-};
 
 module.exports = {
   config,
-  payload,
-  options,
-  definition,
-  scope,
 };