@ministryofjustice/hmpps-prisoner-auth 0.0.1

package/README.md

@@ -0,0 +1,124 @@
+# Prisoner Auth
+
+## Installation
+
+### Quick installation
+
+The following steps will give an opinionated out of the box setup for applications where a launchpad user will be the main user in the system.
+
+1. Add the package `@ministryofjustice/hmpps-prisoner-auth` to your `package.json`
+```
+$ npm add --save @ministryofjustice/hmpps-prisoner-auth
+$ npm i
+```
+2. Copy the contents of [src/misc/install.diff](src/misc/install.diff) to your local folder
+```
+$ curl https://raw.githubusercontent.com/ministryofjustice/hmpps-prisoner-facing-typescript-lib/refs/heads/main/packages/prisoner-auth/src/misc/install.diff > install.diff
+```
+3. Apply the diff to carry out all the required changes
+```
+$ git apply install.diff
+```
+4. Make sure to look through the applied changes and remove the diff file before committing.
+
+### Manual installation
+
+1. Add the package `@ministryofjustice/hmpps-prisoner-auth` to your `package.json`
+```
+$ npm add --save @ministryofjustice/hmpps-prisoner-auth
+$ npm i
+```
+2. Modify `interfaces/hmppsUser.ts` to make the following additions:
+```
+# add prisoner-auth to the AuthSource type
+export type AuthSource = 'nomis' | 'delius' | 'external' | 'azuread' | 'prisoner-auth'
+
+# add LaunchpadUser to the HmppsUser type
+export type HmppsUser = PrisonUser | ProbationUser | ExternalUser | AzureADUser | LaunchpadUser
+```
+These changes will help smooth over alot of assumptions made in the typescript template about the type of fields the user will have.
+
+3. Modify `server/middleware/setupAuthentication.ts` to add prisoner auth as the passport strategy (see below for the full list of config options):
+```
+passport.use(
+  'prisoner-auth',
+  prisonerAuthStrategy(
+    {
+      launchpadAuthUrl: 'https://launchpad.instance.etc' ...
+    }
+  )
+)
+```
+Note: it is recommended to give the strategy a name ('prisoner-auth' here) for later referral with passport.authenticate middleware.
+
+4. Modify `server/middleware/setupAuthentication.ts` to remove any hmpps auth specific code and add in prisoner auth setup. The following code snippet is intended as a guide:
+```
+export default function setupAuthentication() {
+  const router = Router()
+
+  router.use(passport.initialize())
+  router.use(passport.session())
+  router.use(flash())
+
+  router.get('/autherror', (req, res) => {
+    res.status(401)
+    return res.render('autherror')
+  })
+
+  router.get('/sign-in', passport.authenticate('prisoner-auth'))
+
+  router.get('/sign-in/callback', (req, res, next) =>
+    passport.authenticate('prisoner-auth', {
+      successReturnToOrRedirect: req.session.returnTo || '/',
+      failureRedirect: '/autherror',
+    })(req, res, next),
+  )
+
+  router.use('/sign-out', (req, res, next) => {
+    if (req.user) {
+      req.logout(err => {
+        if (err) return next(err)
+        return req.session.destroy(() => res.redirect('/'))
+      })
+    } else res.redirect('/')
+  })
+
+  router.use(async (req, res, next) => {
+    if (!req.isAuthenticated()) {
+      req.session.returnTo = req.originalUrl
+      return res.redirect('/sign-in')
+    }
+
+    return prisonerAuth
+      .validateAndRefreshUser(req.user as LaunchpadUser)
+      .then(user => {
+        req.user = user
+        next()
+      })
+      .catch(() => res.redirect('/autherror'))
+  })
+  
+  router.use((req, res, next) => {
+    res.locals.user = req.user as HmppsUser
+    next()
+  })
+
+  return router
+}
+```
+5. You may wish to remove the following middleware from `server/app.ts` as they were not designed for use with `LaunchpadUser`:
+  - `authorisationMiddleware()` - this checks the users `ROLE_` which a launchpad user will not have.
+  - `setUpCurrentUser()` - this sets up the `res.locals.user` fields which a launchpad will have already (`name`, `displayName` etc).
+
+### Configuration Options
+
+| Option | Description |
+| - | - |
+| launchpadAuthUrl | The full URL of the launchpad auth instance you wish to authenticate against |
+| clientID | The client ID |
+| clientSecret | The client secret |
+| callbackURL | *Optional, The URL or path you wish launchpad to call back to in the auth flow. Defaults to `/signin/callback` |
+| scope | *Optional, One or more OpenIdConnect Scopes you require for the application. Defaults to `['user.basic.read', 'user.establishment.read', 'user.booking.read']` |
+| tokenMinimumLifespan | The least amount of time a token must have left before it is considered expired. Expressed as a TimeSpan. eg. `minutes(5)` or `nothing()`. |
+
+See `PrisonerAuthOptions` for full list and documentation for these options.

package/dist/index.cjs.js

@@ -0,0 +1,182 @@
+'use strict';
+
+var OpenIDConnectStrategy = require('passport-openidconnect');
+var superagent = require('superagent');
+
+const tokenFromJwt = (token) => JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
+const oauthClientToken = (clientId, clientSecret) => {
+    const token = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+    return `Basic ${token}`;
+};
+const tokenFetcher = (userRefreshToken, tokenUrl, authorizationHeader) => {
+    return new Promise((resolve, reject) => {
+        superagent
+            .post(tokenUrl)
+            .set('Content-Type', 'application/x-www-form-urlencoded')
+            .set('Authorization', authorizationHeader)
+            .query({ refresh_token: userRefreshToken, grant_type: 'refresh_token' })
+            .end((err, res) => {
+            if (err)
+                reject(err);
+            const { id_token: idToken, access_token: accessToken, refresh_token: refreshToken } = res.body;
+            return resolve({ idToken, accessToken, refreshToken });
+        });
+    });
+};
+
+const userFromTokens = ({ idToken, accessToken, refreshToken }) => {
+    const { establishment, name, given_name: givenName, family_name: familyName, sub } = tokenFromJwt(idToken);
+    const authSource = 'prisoner-auth';
+    return {
+        authSource,
+        idToken,
+        refreshToken,
+        accessToken,
+        establishment,
+        name,
+        givenName,
+        familyName,
+        // The following fields are for compatibility with HmppsUser only
+        token: idToken,
+        username: name,
+        userId: sub,
+        displayName: name,
+        userRoles: [],
+    };
+};
+
+// A TimeSpan allows you to give meaning to a number and then read that number back and compare them in different formats
+// ie.
+// seconds(60).minutes === 1
+// seconds(30).seconds === 30
+// minutes(1).seconds === 60
+// milliseconds(1000).seconds === 1
+// milliseconds(2000).isEqualTo(seconds(2)) #=> true
+// minutes(5).
+// This allows a caller to just accept a TimeSpan and then work in the units it cares about
+const minutes = (numMinutes) => TimeSpan.minutes(numMinutes);
+const seconds = (numSeconds) => TimeSpan.seconds(numSeconds);
+const milliseconds = (numMilliseconds) => TimeSpan.milliseconds(numMilliseconds);
+const nothing = () => TimeSpan.nothing();
+// Get a time span in the future
+const timeFromNow = (fromNow) => milliseconds(Date.now() + fromNow.milliseconds);
+// Implementation
+class TimeSpan {
+    minutes;
+    seconds;
+    milliseconds;
+    constructor(numMinutes, numSeconds, numMilliseconds) {
+        this.minutes = numMinutes;
+        this.seconds = numSeconds;
+        this.milliseconds = numMilliseconds;
+    }
+    static minutes(numMinutes) {
+        return new TimeSpan(numMinutes, numMinutes * 60, TimeSpan.seconds(numMinutes * 60).milliseconds);
+    }
+    static seconds(numSeconds) {
+        return new TimeSpan(numSeconds / 60, numSeconds, numSeconds * 1000);
+    }
+    static milliseconds(numMilliseconds) {
+        return new TimeSpan(TimeSpan.seconds(numMilliseconds / 1000).minutes, numMilliseconds / 1000, numMilliseconds);
+    }
+    static nothing() {
+        return new TimeSpan(0, 0, 0);
+    }
+    isGreaterThan(t) {
+        return this.milliseconds > t.milliseconds;
+    }
+    isGreaterThanOrEqualTo(t) {
+        return this.milliseconds >= t.milliseconds;
+    }
+    isLessThan(t) {
+        return this.milliseconds < t.milliseconds;
+    }
+    isLessThanOrEqualTo(t) {
+        return this.milliseconds <= t.milliseconds;
+    }
+    isEqualTo(t) {
+        return this.milliseconds === t.milliseconds;
+    }
+}
+
+class PrisonerAuth {
+    launchpadAuthUrl;
+    authorizationUrl;
+    tokenUrl;
+    callbackUrl;
+    clientId;
+    clientSecret;
+    scope;
+    nonce;
+    tokenMinimumLifespan;
+    tokenFetcher;
+    constructor(options) {
+        this.launchpadAuthUrl = options.launchpadAuthUrl;
+        this.authorizationUrl = options.authorizationUrl ?? `${options.launchpadAuthUrl}/v1/oauth2/authorize`;
+        this.tokenUrl = options.tokenUrl ?? `${options.launchpadAuthUrl}/v1/oauth2/token`;
+        this.callbackUrl = options.callbackUrl ?? '/sign-in/callback';
+        this.clientId = options.clientId;
+        this.clientSecret = options.clientSecret;
+        this.scope = options.scope ?? ['user.basic.read', 'user.establishment.read', 'user.booking.read'];
+        this.nonce = options.nonce ?? true;
+        this.tokenMinimumLifespan = options.tokenMinimumLifespan;
+        this.tokenFetcher = options.tokenFetcher ?? tokenFetcher;
+    }
+    /**
+     *
+     * @returns OpenIDConnectStrategy ready for use with passport
+     */
+    passportStrategy() {
+        return new OpenIDConnectStrategy({
+            issuer: this.launchpadAuthUrl,
+            authorizationURL: this.authorizationUrl,
+            tokenURL: this.tokenUrl,
+            callbackURL: this.callbackUrl,
+            clientID: this.clientId,
+            clientSecret: this.clientSecret,
+            scope: this.scope,
+            userInfoURL: '',
+            skipUserProfile: true,
+            nonce: this.nonce ? 'true' : undefined,
+            customHeaders: { authorization: this.authorizationToken() },
+        }, ((_issuer, _profile, _context, idToken, accessToken, refreshToken, done) => done(null, userFromTokens({ idToken, accessToken, refreshToken }))));
+    }
+    /**
+     * Checks the expiry of a given LaunchpadUser idToken and refreshToken.
+     * - If the idToken has expired it will attempt to refresh it using the refreshToken.
+     * - If the refreshToken has expired it will throw an Error.
+     *
+     * This method will always return a LaunchpadUser so it is suggested to updated your local copy and it will keep the tokens up to date.
+     *
+     * @param user - The LaunchpadUser instance to check token expiry on.
+     * @returns A LaunchpadUser is always returned, either the given user or a user with refreshed tokens.
+     * @throws Error is thrown if the refreshToken has expired, the user must sign in again from scratch.
+     */
+    async validateAndRefreshUser(user) {
+        const idToken = tokenFromJwt(user.idToken);
+        const refreshToken = tokenFromJwt(user.refreshToken);
+        const tokenExpiryTime = timeFromNow(this.tokenMinimumLifespan);
+        // Id Token still valid, return the current user
+        if (seconds(idToken.exp).isGreaterThanOrEqualTo(tokenExpiryTime)) {
+            return user;
+        }
+        // Refresh token expired, cannot continue
+        if (seconds(refreshToken.exp).isLessThan(tokenExpiryTime)) {
+            throw new Error('Refresh token expired');
+        }
+        // Refresh the user tokens
+        const newTokens = await this.tokenFetcher(user.refreshToken, this.tokenUrl, this.authorizationToken());
+        return userFromTokens(newTokens);
+    }
+    authorizationToken() {
+        return oauthClientToken(this.clientId, this.clientSecret);
+    }
+}
+
+exports.PrisonerAuth = PrisonerAuth;
+exports.TimeSpan = TimeSpan;
+exports.milliseconds = milliseconds;
+exports.minutes = minutes;
+exports.nothing = nothing;
+exports.seconds = seconds;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../src/main/tokens.ts","../src/main/launchpadUser.ts","../src/main/timeSpans.ts","../src/main/prisonerAuth.ts"],"sourcesContent":[null,null,null,null],"names":[],"mappings":";;;;;AA0CO,MAAM,YAAY,GAAG,CAAI,KAAa,KAAQ,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;AAE/G,MAAM,gBAAgB,GAAG,CAAC,QAAgB,EAAE,YAAoB,KAAY;AACjF,IAAA,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAC3E,OAAO,CAAA,MAAA,EAAS,KAAK,CAAA,CAAE;AACzB,CAAC;AAIM,MAAM,YAAY,GAAiB,CAAC,gBAAgB,EAAE,QAAQ,EAAE,mBAAmB,KAAI;IAC5F,OAAO,IAAI,OAAO,CAAY,CAAC,OAAO,EAAE,MAAM,KAAI;QAChD;aACG,IAAI,CAAC,QAAQ;AACb,aAAA,GAAG,CAAC,cAAc,EAAE,mCAAmC;AACvD,aAAA,GAAG,CAAC,eAAe,EAAE,mBAAmB;aACxC,KAAK,CAAC,EAAE,aAAa,EAAE,gBAAgB,EAAE,UAAU,EAAE,eAAe,EAAE;AACtE,aAAA,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,KAAI;AAChB,YAAA,IAAI,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC;AACpB,YAAA,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,IAAI;YAC9F,OAAO,OAAO,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxD,QAAA,CAAC,CAAC;AACN,IAAA,CAAC,CAAC;AACJ,CAAC;;AC5CM,MAAM,cAAc,GAAG,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAa,KAAmB;IACjG,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,YAAY,CAAU,OAAO,CAAC;IACnH,MAAM,UAAU,GAAG,eAAe;IAElC,OAAO;QACL,UAAU;QACV,OAAO;QACP,YAAY;QACZ,WAAW;QACX,aAAa;QACb,IAAI;QACJ,SAAS;QACT,UAAU;;AAGV,QAAA,KAAK,EAAE,OAAO;AACd,QAAA,QAAQ,EAAE,IAAI;AACd,QAAA,MAAM,EAAE,GAAG;AACX,QAAA,WAAW,EAAE,IAAI;AACjB,QAAA,SAAS,EAAE,EAAE;KACd;AACH,CAAC;;ACzCD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEO,MAAM,OAAO,GAAG,CAAC,UAAkB,KAAe,QAAQ,CAAC,OAAO,CAAC,UAAU;AAE7E,MAAM,OAAO,GAAG,CAAC,UAAkB,KAAe,QAAQ,CAAC,OAAO,CAAC,UAAU;AAE7E,MAAM,YAAY,GAAG,CAAC,eAAuB,KAAe,QAAQ,CAAC,YAAY,CAAC,eAAe;AAEjG,MAAM,OAAO,GAAG,MAAgB,QAAQ,CAAC,OAAO;AAKvD;AACO,MAAM,WAAW,GAAG,CAAC,OAAiB,KAAK,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;AAEjG;MACa,QAAQ,CAAA;AACV,IAAA,OAAO;AAEP,IAAA,OAAO;AAEP,IAAA,YAAY;AAErB,IAAA,WAAA,CAAoB,UAAkB,EAAE,UAAkB,EAAE,eAAuB,EAAA;AACjF,QAAA,IAAI,CAAC,OAAO,GAAG,UAAU;AACzB,QAAA,IAAI,CAAC,OAAO,GAAG,UAAU;AACzB,QAAA,IAAI,CAAC,YAAY,GAAG,eAAe;IACrC;IAEA,OAAO,OAAO,CAAC,UAAkB,EAAA;QAC/B,OAAO,IAAI,QAAQ,CAAC,UAAU,EAAE,UAAU,GAAG,EAAE,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,YAAY,CAAC;IAClG;IAEA,OAAO,OAAO,CAAC,UAAkB,EAAA;AAC/B,QAAA,OAAO,IAAI,QAAQ,CAAC,UAAU,GAAG,EAAE,EAAE,UAAU,EAAE,UAAU,GAAG,IAAI,CAAC;IACrE;IAEA,OAAO,YAAY,CAAC,eAAuB,EAAA;QACzC,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,OAAO,EAAE,eAAe,GAAG,IAAI,EAAE,eAAe,CAAC;IAChH;AAEA,IAAA,OAAO,OAAO,GAAA;QACZ,OAAO,IAAI,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC9B;AAEA,IAAA,aAAa,CAAC,CAAW,EAAA;AACvB,QAAA,OAAO,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY;IAC3C;AAEA,IAAA,sBAAsB,CAAC,CAAW,EAAA;AAChC,QAAA,OAAO,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY;IAC5C;AAEA,IAAA,UAAU,CAAC,CAAW,EAAA;AACpB,QAAA,OAAO,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY;IAC3C;AAEA,IAAA,mBAAmB,CAAC,CAAW,EAAA;AAC7B,QAAA,OAAO,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY;IAC5C;AAEA,IAAA,SAAS,CAAC,CAAW,EAAA;AACnB,QAAA,OAAO,IAAI,CAAC,YAAY,KAAK,CAAC,CAAC,YAAY;IAC7C;AACD;;ACCa,MAAO,YAAY,CAAA;AACtB,IAAA,gBAAgB;AAEhB,IAAA,gBAAgB;AAEhB,IAAA,QAAQ;AAER,IAAA,WAAW;AAEX,IAAA,QAAQ;AAER,IAAA,YAAY;AAEZ,IAAA,KAAK;AAEL,IAAA,KAAK;AAEL,IAAA,oBAAoB;AAEpB,IAAA,YAAY;AAErB,IAAA,WAAA,CAAY,OAA4B,EAAA;AACtC,QAAA,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB;AAChD,QAAA,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,CAAA,EAAG,OAAO,CAAC,gBAAgB,CAAA,oBAAA,CAAsB;AACrG,QAAA,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAA,EAAG,OAAO,CAAC,gBAAgB,CAAA,gBAAA,CAAkB;QACjF,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,mBAAmB;AAC7D,QAAA,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ;AAChC,QAAA,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;AACxC,QAAA,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,iBAAiB,EAAE,yBAAyB,EAAE,mBAAmB,CAAC;QACjG,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI;AAClC,QAAA,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,YAAY;IAC1D;AAEA;;;AAGG;IACH,gBAAgB,GAAA;QACd,OAAO,IAAI,qBAAqB,CAC9B;YACE,MAAM,EAAE,IAAI,CAAC,gBAAgB;YAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;AACjB,YAAA,WAAW,EAAE,EAAE;AACf,YAAA,eAAe,EAAE,IAAI;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,MAAM,GAAG,SAAS;YACtC,aAAa,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,kBAAkB,EAAE,EAAE;AAC5D,SAAA,GACA,CACC,OAAe,EACf,QAAiB,EACjB,QAAgB,EAChB,OAAe,EACf,WAAmB,EACnB,YAAoB,EACpB,IAAoB,KACjB,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAC,EACxE;IACH;AAEA;;;;;;;;;;AAUG;IACH,MAAM,sBAAsB,CAAC,IAAmB,EAAA;QAC9C,MAAM,OAAO,GAAG,YAAY,CAAU,IAAI,CAAC,OAAO,CAAC;QACnD,MAAM,YAAY,GAAG,YAAY,CAAe,IAAI,CAAC,YAAY,CAAC;QAClE,MAAM,eAAe,GAAG,WAAW,CAAC,IAAI,CAAC,oBAAoB,CAAC;;AAG9D,QAAA,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE;AAChE,YAAA,OAAO,IAAI;QACb;;AAGA,QAAA,IAAI,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE;AACzD,YAAA,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC;QAC1C;;QAGA,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,CAAC;AACtG,QAAA,OAAO,cAAc,CAAC,SAAS,CAAC;IAClC;IAEQ,kBAAkB,GAAA;QACxB,OAAO,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC;IAC3D;AACD;;;;;;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,162 @@
+import OpenIDConnectStrategy from 'passport-openidconnect';
+
+type IdToken = {
+    name: string;
+    given_name: string;
+    family_name: string;
+    nonce?: string;
+    iat: number;
+    aud: string;
+    sub: string;
+    exp: number;
+    booking: {
+        id: string;
+    };
+    establishment: {
+        agency_id: string;
+        name: string;
+        display_name: string;
+        youth: boolean;
+    };
+    iss: string;
+};
+type RawTokens = {
+    idToken: string;
+    refreshToken: string;
+    accessToken: string;
+};
+type Scope = 'user.basic.read' | 'user.establishment.read' | 'user.booking.read' | 'user.clients.read' | 'user.clients.delete';
+type TokenFetcher = (refreshToken: string, tokenUrl: string, authorizationHeader: string) => Promise<RawTokens>;
+
+type LaunchpadUser = {
+    authSource: 'prisoner-auth';
+    idToken: string;
+    refreshToken: string;
+    accessToken: string;
+    establishment: IdToken['establishment'];
+    name: string;
+    givenName: string;
+    familyName: string;
+    token: string;
+    username: string;
+    userId: string;
+    displayName: string;
+    userRoles: string[];
+};
+
+declare const minutes: (numMinutes: number) => TimeSpan;
+declare const seconds: (numSeconds: number) => TimeSpan;
+declare const milliseconds: (numMilliseconds: number) => TimeSpan;
+declare const nothing: () => TimeSpan;
+declare class TimeSpan {
+    readonly minutes: number;
+    readonly seconds: number;
+    readonly milliseconds: number;
+    private constructor();
+    static minutes(numMinutes: number): TimeSpan;
+    static seconds(numSeconds: number): TimeSpan;
+    static milliseconds(numMilliseconds: number): TimeSpan;
+    static nothing(): TimeSpan;
+    isGreaterThan(t: TimeSpan): boolean;
+    isGreaterThanOrEqualTo(t: TimeSpan): boolean;
+    isLessThan(t: TimeSpan): boolean;
+    isLessThanOrEqualTo(t: TimeSpan): boolean;
+    isEqualTo(t: TimeSpan): boolean;
+}
+
+type PrisonerAuthOptions = {
+    /** The full URL of the Launchpad Auth instance */
+    launchpadAuthUrl: string;
+    /**
+     * Optional: The full URL of the authorisation path on the Launchpad Auth instance.
+     *
+     * If omitted, authorizationUrl will default to $launchpadAuthUrl/v1/oauth2/authorize
+     */
+    authorizationUrl?: string;
+    /**
+     * Optional: The full URL of the token path on the Launchpad Auth instance.
+     *
+     * If omitted, tokenUrl will default to $launchpadAuthUrl/v1/oauth2/token
+     */
+    tokenUrl?: string;
+    /**
+     * Optional: The URL or path that Launchpad Auth will be told to call back to with the tokens.
+     *
+     * If omitted, callbackUrl will default to /sign-in/callback
+     */
+    callbackUrl?: string;
+    /** The Client ID of this application to send to Launchpad Auth */
+    clientId: string;
+    /** The Client Secret of this application to send to Launchpad Auth */
+    clientSecret: string;
+    /**
+     * Optional: The scope or scopes to request on behalf of the user.
+     *
+     * If omitted, scope will default to user.basic.read, user.establishment.read and user.booking.read
+     */
+    scope?: Scope | Scope[];
+    /**
+     * Optional: Whether or not to use nonce, not recommended to be disabled except for integration tests
+     *
+     * If ommitted. defaults to true
+     */
+    nonce?: boolean;
+    /**
+     * A time span specifying the least amount of time a token must have left before it is considered expired.
+     *
+     * @example
+     *
+     * Token will be considered expired when its exp value is in the past.
+     * ```ts
+     * nothing()
+     * ```
+     *
+     * Token will be considered expired unless its exp value is **AT LEAST 5** minutes in the future from time of checking.
+     * ```ts
+     * minutes(5)
+     * ```
+     *
+     * @see TimeSpan
+     */
+    tokenMinimumLifespan: TimeSpan;
+    /**
+     * Optional: Token fetcher implementation. Intended for unit testing PrisonerAuth
+     *
+     * @see TokenFetcher
+     */
+    tokenFetcher?: TokenFetcher;
+};
+declare class PrisonerAuth {
+    readonly launchpadAuthUrl: string;
+    readonly authorizationUrl: string;
+    readonly tokenUrl: string;
+    readonly callbackUrl: string;
+    readonly clientId: string;
+    readonly clientSecret: string;
+    readonly scope: Scope | Scope[];
+    readonly nonce: boolean;
+    readonly tokenMinimumLifespan: TimeSpan;
+    readonly tokenFetcher: TokenFetcher;
+    constructor(options: PrisonerAuthOptions);
+    /**
+     *
+     * @returns OpenIDConnectStrategy ready for use with passport
+     */
+    passportStrategy(): OpenIDConnectStrategy;
+    /**
+     * Checks the expiry of a given LaunchpadUser idToken and refreshToken.
+     * - If the idToken has expired it will attempt to refresh it using the refreshToken.
+     * - If the refreshToken has expired it will throw an Error.
+     *
+     * This method will always return a LaunchpadUser so it is suggested to updated your local copy and it will keep the tokens up to date.
+     *
+     * @param user - The LaunchpadUser instance to check token expiry on.
+     * @returns A LaunchpadUser is always returned, either the given user or a user with refreshed tokens.
+     * @throws Error is thrown if the refreshToken has expired, the user must sign in again from scratch.
+     */
+    validateAndRefreshUser(user: LaunchpadUser): Promise<LaunchpadUser>;
+    private authorizationToken;
+}
+
+export { PrisonerAuth, TimeSpan, milliseconds, minutes, nothing, seconds };
+export type { LaunchpadUser, PrisonerAuthOptions };

package/dist/index.esm.js

@@ -0,0 +1,175 @@
+import OpenIDConnectStrategy from 'passport-openidconnect';
+import superagent from 'superagent';
+
+const tokenFromJwt = (token) => JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
+const oauthClientToken = (clientId, clientSecret) => {
+    const token = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+    return `Basic ${token}`;
+};
+const tokenFetcher = (userRefreshToken, tokenUrl, authorizationHeader) => {
+    return new Promise((resolve, reject) => {
+        superagent
+            .post(tokenUrl)
+            .set('Content-Type', 'application/x-www-form-urlencoded')
+            .set('Authorization', authorizationHeader)
+            .query({ refresh_token: userRefreshToken, grant_type: 'refresh_token' })
+            .end((err, res) => {
+            if (err)
+                reject(err);
+            const { id_token: idToken, access_token: accessToken, refresh_token: refreshToken } = res.body;
+            return resolve({ idToken, accessToken, refreshToken });
+        });
+    });
+};
+
+const userFromTokens = ({ idToken, accessToken, refreshToken }) => {
+    const { establishment, name, given_name: givenName, family_name: familyName, sub } = tokenFromJwt(idToken);
+    const authSource = 'prisoner-auth';
+    return {
+        authSource,
+        idToken,
+        refreshToken,
+        accessToken,
+        establishment,
+        name,
+        givenName,
+        familyName,
+        // The following fields are for compatibility with HmppsUser only
+        token: idToken,
+        username: name,
+        userId: sub,
+        displayName: name,
+        userRoles: [],
+    };
+};
+
+// A TimeSpan allows you to give meaning to a number and then read that number back and compare them in different formats
+// ie.
+// seconds(60).minutes === 1
+// seconds(30).seconds === 30
+// minutes(1).seconds === 60
+// milliseconds(1000).seconds === 1
+// milliseconds(2000).isEqualTo(seconds(2)) #=> true
+// minutes(5).
+// This allows a caller to just accept a TimeSpan and then work in the units it cares about
+const minutes = (numMinutes) => TimeSpan.minutes(numMinutes);
+const seconds = (numSeconds) => TimeSpan.seconds(numSeconds);
+const milliseconds = (numMilliseconds) => TimeSpan.milliseconds(numMilliseconds);
+const nothing = () => TimeSpan.nothing();
+// Get a time span in the future
+const timeFromNow = (fromNow) => milliseconds(Date.now() + fromNow.milliseconds);
+// Implementation
+class TimeSpan {
+    minutes;
+    seconds;
+    milliseconds;
+    constructor(numMinutes, numSeconds, numMilliseconds) {
+        this.minutes = numMinutes;
+        this.seconds = numSeconds;
+        this.milliseconds = numMilliseconds;
+    }
+    static minutes(numMinutes) {
+        return new TimeSpan(numMinutes, numMinutes * 60, TimeSpan.seconds(numMinutes * 60).milliseconds);
+    }
+    static seconds(numSeconds) {
+        return new TimeSpan(numSeconds / 60, numSeconds, numSeconds * 1000);
+    }
+    static milliseconds(numMilliseconds) {
+        return new TimeSpan(TimeSpan.seconds(numMilliseconds / 1000).minutes, numMilliseconds / 1000, numMilliseconds);
+    }
+    static nothing() {
+        return new TimeSpan(0, 0, 0);
+    }
+    isGreaterThan(t) {
+        return this.milliseconds > t.milliseconds;
+    }
+    isGreaterThanOrEqualTo(t) {
+        return this.milliseconds >= t.milliseconds;
+    }
+    isLessThan(t) {
+        return this.milliseconds < t.milliseconds;
+    }
+    isLessThanOrEqualTo(t) {
+        return this.milliseconds <= t.milliseconds;
+    }
+    isEqualTo(t) {
+        return this.milliseconds === t.milliseconds;
+    }
+}
+
+class PrisonerAuth {
+    launchpadAuthUrl;
+    authorizationUrl;
+    tokenUrl;
+    callbackUrl;
+    clientId;
+    clientSecret;
+    scope;
+    nonce;
+    tokenMinimumLifespan;
+    tokenFetcher;
+    constructor(options) {
+        this.launchpadAuthUrl = options.launchpadAuthUrl;
+        this.authorizationUrl = options.authorizationUrl ?? `${options.launchpadAuthUrl}/v1/oauth2/authorize`;
+        this.tokenUrl = options.tokenUrl ?? `${options.launchpadAuthUrl}/v1/oauth2/token`;
+        this.callbackUrl = options.callbackUrl ?? '/sign-in/callback';
+        this.clientId = options.clientId;
+        this.clientSecret = options.clientSecret;
+        this.scope = options.scope ?? ['user.basic.read', 'user.establishment.read', 'user.booking.read'];
+        this.nonce = options.nonce ?? true;
+        this.tokenMinimumLifespan = options.tokenMinimumLifespan;
+        this.tokenFetcher = options.tokenFetcher ?? tokenFetcher;
+    }
+    /**
+     *
+     * @returns OpenIDConnectStrategy ready for use with passport
+     */
+    passportStrategy() {
+        return new OpenIDConnectStrategy({
+            issuer: this.launchpadAuthUrl,
+            authorizationURL: this.authorizationUrl,
+            tokenURL: this.tokenUrl,
+            callbackURL: this.callbackUrl,
+            clientID: this.clientId,
+            clientSecret: this.clientSecret,
+            scope: this.scope,
+            userInfoURL: '',
+            skipUserProfile: true,
+            nonce: this.nonce ? 'true' : undefined,
+            customHeaders: { authorization: this.authorizationToken() },
+        }, ((_issuer, _profile, _context, idToken, accessToken, refreshToken, done) => done(null, userFromTokens({ idToken, accessToken, refreshToken }))));
+    }
+    /**
+     * Checks the expiry of a given LaunchpadUser idToken and refreshToken.
+     * - If the idToken has expired it will attempt to refresh it using the refreshToken.
+     * - If the refreshToken has expired it will throw an Error.
+     *
+     * This method will always return a LaunchpadUser so it is suggested to updated your local copy and it will keep the tokens up to date.
+     *
+     * @param user - The LaunchpadUser instance to check token expiry on.
+     * @returns A LaunchpadUser is always returned, either the given user or a user with refreshed tokens.
+     * @throws Error is thrown if the refreshToken has expired, the user must sign in again from scratch.
+     */
+    async validateAndRefreshUser(user) {
+        const idToken = tokenFromJwt(user.idToken);
+        const refreshToken = tokenFromJwt(user.refreshToken);
+        const tokenExpiryTime = timeFromNow(this.tokenMinimumLifespan);
+        // Id Token still valid, return the current user
+        if (seconds(idToken.exp).isGreaterThanOrEqualTo(tokenExpiryTime)) {
+            return user;
+        }
+        // Refresh token expired, cannot continue
+        if (seconds(refreshToken.exp).isLessThan(tokenExpiryTime)) {
+            throw new Error('Refresh token expired');
+        }
+        // Refresh the user tokens
+        const newTokens = await this.tokenFetcher(user.refreshToken, this.tokenUrl, this.authorizationToken());
+        return userFromTokens(newTokens);
+    }
+    authorizationToken() {
+        return oauthClientToken(this.clientId, this.clientSecret);
+    }
+}
+
+export { PrisonerAuth, TimeSpan, milliseconds, minutes, nothing, seconds };
+//# sourceMappingURL=index.esm.js.map

package/dist/index.esm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.esm.js","sources":["../src/main/tokens.ts","../src/main/launchpadUser.ts","../src/main/timeSpans.ts","../src/main/prisonerAuth.ts"],"sourcesContent":[null,null,null,null],"names":[],"mappings":";;;AA0CO,MAAM,YAAY,GAAG,CAAI,KAAa,KAAQ,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;AAE/G,MAAM,gBAAgB,GAAG,CAAC,QAAgB,EAAE,YAAoB,KAAY;AACjF,IAAA,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAC3E,OAAO,CAAA,MAAA,EAAS,KAAK,CAAA,CAAE;AACzB,CAAC;AAIM,MAAM,YAAY,GAAiB,CAAC,gBAAgB,EAAE,QAAQ,EAAE,mBAAmB,KAAI;IAC5F,OAAO,IAAI,OAAO,CAAY,CAAC,OAAO,EAAE,MAAM,KAAI;QAChD;aACG,IAAI,CAAC,QAAQ;AACb,aAAA,GAAG,CAAC,cAAc,EAAE,mCAAmC;AACvD,aAAA,GAAG,CAAC,eAAe,EAAE,mBAAmB;aACxC,KAAK,CAAC,EAAE,aAAa,EAAE,gBAAgB,EAAE,UAAU,EAAE,eAAe,EAAE;AACtE,aAAA,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,KAAI;AAChB,YAAA,IAAI,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC;AACpB,YAAA,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,IAAI;YAC9F,OAAO,OAAO,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxD,QAAA,CAAC,CAAC;AACN,IAAA,CAAC,CAAC;AACJ,CAAC;;AC5CM,MAAM,cAAc,GAAG,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAa,KAAmB;IACjG,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,YAAY,CAAU,OAAO,CAAC;IACnH,MAAM,UAAU,GAAG,eAAe;IAElC,OAAO;QACL,UAAU;QACV,OAAO;QACP,YAAY;QACZ,WAAW;QACX,aAAa;QACb,IAAI;QACJ,SAAS;QACT,UAAU;;AAGV,QAAA,KAAK,EAAE,OAAO;AACd,QAAA,QAAQ,EAAE,IAAI;AACd,QAAA,MAAM,EAAE,GAAG;AACX,QAAA,WAAW,EAAE,IAAI;AACjB,QAAA,SAAS,EAAE,EAAE;KACd;AACH,CAAC;;ACzCD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEO,MAAM,OAAO,GAAG,CAAC,UAAkB,KAAe,QAAQ,CAAC,OAAO,CAAC,UAAU;AAE7E,MAAM,OAAO,GAAG,CAAC,UAAkB,KAAe,QAAQ,CAAC,OAAO,CAAC,UAAU;AAE7E,MAAM,YAAY,GAAG,CAAC,eAAuB,KAAe,QAAQ,CAAC,YAAY,CAAC,eAAe;AAEjG,MAAM,OAAO,GAAG,MAAgB,QAAQ,CAAC,OAAO;AAKvD;AACO,MAAM,WAAW,GAAG,CAAC,OAAiB,KAAK,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;AAEjG;MACa,QAAQ,CAAA;AACV,IAAA,OAAO;AAEP,IAAA,OAAO;AAEP,IAAA,YAAY;AAErB,IAAA,WAAA,CAAoB,UAAkB,EAAE,UAAkB,EAAE,eAAuB,EAAA;AACjF,QAAA,IAAI,CAAC,OAAO,GAAG,UAAU;AACzB,QAAA,IAAI,CAAC,OAAO,GAAG,UAAU;AACzB,QAAA,IAAI,CAAC,YAAY,GAAG,eAAe;IACrC;IAEA,OAAO,OAAO,CAAC,UAAkB,EAAA;QAC/B,OAAO,IAAI,QAAQ,CAAC,UAAU,EAAE,UAAU,GAAG,EAAE,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,YAAY,CAAC;IAClG;IAEA,OAAO,OAAO,CAAC,UAAkB,EAAA;AAC/B,QAAA,OAAO,IAAI,QAAQ,CAAC,UAAU,GAAG,EAAE,EAAE,UAAU,EAAE,UAAU,GAAG,IAAI,CAAC;IACrE;IAEA,OAAO,YAAY,CAAC,eAAuB,EAAA;QACzC,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,OAAO,EAAE,eAAe,GAAG,IAAI,EAAE,eAAe,CAAC;IAChH;AAEA,IAAA,OAAO,OAAO,GAAA;QACZ,OAAO,IAAI,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC9B;AAEA,IAAA,aAAa,CAAC,CAAW,EAAA;AACvB,QAAA,OAAO,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY;IAC3C;AAEA,IAAA,sBAAsB,CAAC,CAAW,EAAA;AAChC,QAAA,OAAO,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY;IAC5C;AAEA,IAAA,UAAU,CAAC,CAAW,EAAA;AACpB,QAAA,OAAO,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY;IAC3C;AAEA,IAAA,mBAAmB,CAAC,CAAW,EAAA;AAC7B,QAAA,OAAO,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY;IAC5C;AAEA,IAAA,SAAS,CAAC,CAAW,EAAA;AACnB,QAAA,OAAO,IAAI,CAAC,YAAY,KAAK,CAAC,CAAC,YAAY;IAC7C;AACD;;ACCa,MAAO,YAAY,CAAA;AACtB,IAAA,gBAAgB;AAEhB,IAAA,gBAAgB;AAEhB,IAAA,QAAQ;AAER,IAAA,WAAW;AAEX,IAAA,QAAQ;AAER,IAAA,YAAY;AAEZ,IAAA,KAAK;AAEL,IAAA,KAAK;AAEL,IAAA,oBAAoB;AAEpB,IAAA,YAAY;AAErB,IAAA,WAAA,CAAY,OAA4B,EAAA;AACtC,QAAA,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB;AAChD,QAAA,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,CAAA,EAAG,OAAO,CAAC,gBAAgB,CAAA,oBAAA,CAAsB;AACrG,QAAA,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAA,EAAG,OAAO,CAAC,gBAAgB,CAAA,gBAAA,CAAkB;QACjF,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,mBAAmB;AAC7D,QAAA,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ;AAChC,QAAA,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;AACxC,QAAA,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,iBAAiB,EAAE,yBAAyB,EAAE,mBAAmB,CAAC;QACjG,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI;AAClC,QAAA,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,YAAY;IAC1D;AAEA;;;AAGG;IACH,gBAAgB,GAAA;QACd,OAAO,IAAI,qBAAqB,CAC9B;YACE,MAAM,EAAE,IAAI,CAAC,gBAAgB;YAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;AACjB,YAAA,WAAW,EAAE,EAAE;AACf,YAAA,eAAe,EAAE,IAAI;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,MAAM,GAAG,SAAS;YACtC,aAAa,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,kBAAkB,EAAE,EAAE;AAC5D,SAAA,GACA,CACC,OAAe,EACf,QAAiB,EACjB,QAAgB,EAChB,OAAe,EACf,WAAmB,EACnB,YAAoB,EACpB,IAAoB,KACjB,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAC,EACxE;IACH;AAEA;;;;;;;;;;AAUG;IACH,MAAM,sBAAsB,CAAC,IAAmB,EAAA;QAC9C,MAAM,OAAO,GAAG,YAAY,CAAU,IAAI,CAAC,OAAO,CAAC;QACnD,MAAM,YAAY,GAAG,YAAY,CAAe,IAAI,CAAC,YAAY,CAAC;QAClE,MAAM,eAAe,GAAG,WAAW,CAAC,IAAI,CAAC,oBAAoB,CAAC;;AAG9D,QAAA,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE;AAChE,YAAA,OAAO,IAAI;QACb;;AAGA,QAAA,IAAI,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE;AACzD,YAAA,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC;QAC1C;;QAGA,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,CAAC;AACtG,QAAA,OAAO,cAAc,CAAC,SAAS,CAAC;IAClC;IAEQ,kBAAkB,GAAA;QACxB,OAAO,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC;IAC3D;AACD;;;;"}

package/dist/main/index.d.ts

@@ -0,0 +1,3 @@
+export { default as PrisonerAuth, type PrisonerAuthOptions } from './prisonerAuth';
+export { minutes, seconds, milliseconds, nothing, TimeSpan } from './timeSpans';
+export type { LaunchpadUser } from './launchpadUser';

package/dist/main/launchpadAuthStrategy.d.ts

@@ -0,0 +1,11 @@
+import OpenIDConnectStrategy from 'passport-openidconnect';
+type Scope = 'user.basic.read' | 'user.establishment.read' | 'user.booking.read';
+type LaunchpadAuthStrategyOptions = {
+    launchpadUrl: string;
+    clientID: string;
+    clientSecret: string;
+    callbackURL?: string;
+    scope?: Scope | Scope[];
+};
+export declare function launchpadAuthStrategy(options: LaunchpadAuthStrategyOptions): OpenIDConnectStrategy;
+export {};