npm - @monocloud/auth-node-core - Versions diffs - 0.1.1 → 0.1.2 - Mend

@monocloud/auth-node-core 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { MonoCloudAuthBaseError, MonoCloudHttpError, MonoCloudOPError, MonoCloudOidcClient, MonoCloudOidcClient as MonoCloudOidcClient$1, MonoCloudTokenError, MonoCloudValidationError, MonoCloudValidationError as MonoCloudValidationError$1 } from "@monocloud/auth-core";
+import { MonoCloudAuthBaseError, MonoCloudHttpError, MonoCloudOPError, MonoCloudOPError as MonoCloudOPError$1, MonoCloudOidcClient, MonoCloudOidcClient as MonoCloudOidcClient$1, MonoCloudTokenError, MonoCloudValidationError, MonoCloudValidationError as MonoCloudValidationError$1 } from "@monocloud/auth-core";
 import { createRemoteJWKSet, jwtVerify } from "jose";
 import { ensureLeadingSlash, findToken, getBoolean, getNumber, isAbsoluteUrl, isPresent, isSameHost, now, parseSpaceSeparated, parseSpaceSeparatedSet, removeTrailingSlash, setsEqual } from "@monocloud/auth-core/internal";
 import { decrypt, decryptAuthState, encrypt, encryptAuthState, generateNonce, generatePKCE, generateState, isUserInGroup, mergeArrays, parseCallbackParams } from "@monocloud/auth-core/utils";
@@ -237,6 +237,7 @@ const DEFAULT_OPTIONS = {
 		scopes: "openid profile email",
 		responseType: "code"
 	},
+	allowQueryParamOverrides: false,
 	session: {
 		cookie: {
 			httpOnly: true,
@@ -371,6 +372,7 @@ const optionsSchema = Joi.object({
 	federatedSignOut: boolRequired,
 	userInfo: boolRequired,
 	refetchUserInfo: boolRequired,
+	allowQueryParamOverrides: boolRequired,
 	defaultAuthParams: authParamSchema,
 	resources: Joi.array().items(indicatorOptionsSchema).optional(),
 	session: sessionSchema,
@@ -437,6 +439,7 @@ const getOptions = (options, throwOnError = true) => {
 	const MONOCLOUD_AUTH_FEDERATED_SIGNOUT = process.env.MONOCLOUD_AUTH_FEDERATED_SIGNOUT;
 	const MONOCLOUD_AUTH_USER_INFO = process.env.MONOCLOUD_AUTH_USER_INFO;
 	const MONOCLOUD_AUTH_REFETCH_USER_INFO = process.env.MONOCLOUD_AUTH_REFETCH_USER_INFO;
+	const MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES = process.env.MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES;
 	const MONOCLOUD_AUTH_SESSION_COOKIE_NAME = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_NAME;
 	const MONOCLOUD_AUTH_SESSION_COOKIE_PATH = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PATH;
 	const MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN;
@@ -485,6 +488,7 @@ const getOptions = (options, throwOnError = true) => {
 		federatedSignOut: (options === null || options === void 0 ? void 0 : options.federatedSignOut) ?? getBoolean(MONOCLOUD_AUTH_FEDERATED_SIGNOUT) ?? DEFAULT_OPTIONS.federatedSignOut,
 		userInfo: (options === null || options === void 0 ? void 0 : options.userInfo) ?? getBoolean(MONOCLOUD_AUTH_USER_INFO) ?? DEFAULT_OPTIONS.userInfo,
 		refetchUserInfo: (options === null || options === void 0 ? void 0 : options.refetchUserInfo) ?? getBoolean(MONOCLOUD_AUTH_REFETCH_USER_INFO) ?? DEFAULT_OPTIONS.refetchUserInfo,
+		allowQueryParamOverrides: (options === null || options === void 0 ? void 0 : options.allowQueryParamOverrides) ?? getBoolean(MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES) ?? DEFAULT_OPTIONS.allowQueryParamOverrides,
 		session: {
 			cookie: {
 				name: (options === null || options === void 0 || (_options$session = options.session) === null || _options$session === void 0 || (_options$session = _options$session.cookie) === null || _options$session === void 0 ? void 0 : _options$session.name) ?? MONOCLOUD_AUTH_SESSION_COOKIE_NAME ?? DEFAULT_OPTIONS.session.cookie.name,
@@ -563,7 +567,7 @@ var MonoCloudCoreClient = class {
 	*
 	* @param request - MonoCloud request object.
 	* @param response - MonoCloud response object.
-	* @param signInOptions - Optional configuration to customize the sign-in behavior.
+	* @param signInOptions - Configuration to customize the sign-in behavior.
 	* @returns A promise that resolves when the callback processing and redirection are complete.
 	*
 	* @throws {@link MonoCloudValidationError} When validation of parameters or state fails.
@@ -597,18 +601,26 @@ var MonoCloudCoreClient = class {
 				appState = await this.options.onSetApplicationState(request);
 				if (appState === null || appState === void 0 || typeof appState !== "object" || Array.isArray(appState)) throw new MonoCloudValidationError$1("Invalid Application State. Expected state to be an object");
 			}
-			const retUrl = request.getQuery("return_url") ?? opt.returnUrl;
+			const query = this.options.allowQueryParamOverrides ? {
+				returnUrl: request.getQuery("return_url"),
+				authenticatorHint: request.getQuery("authenticator_hint"),
+				scope: request.getQuery("scope"),
+				resource: request.getQuery("resource"),
+				display: request.getQuery("display"),
+				uiLocales: request.getQuery("ui_locales"),
+				acrValues: request.getQuery("acr_values"),
+				loginHint: request.getQuery("login_hint"),
+				prompt: request.getQuery("prompt"),
+				maxAge: parseInt(request.getQuery("max_age"), 10)
+			} : {};
+			const retUrl = query.returnUrl ?? opt.returnUrl;
 			if (typeof retUrl === "string" && retUrl && (!isAbsoluteUrl(retUrl) || isSameHost(this.options.appUrl, retUrl))) opt.returnUrl = retUrl;
 			const { error } = signInOptionsSchema.validate(opt, { abortEarly: true });
 			if (error) throw new MonoCloudValidationError$1(error.details[0].message);
 			const state = generateState();
 			const nonce = generateNonce();
 			const { codeChallenge, codeVerifier } = await generatePKCE();
-			const maxAgeQuery = request.getQuery("max_age");
-			if (typeof maxAgeQuery === "string" && maxAgeQuery) {
-				const parsedMaxAge = parseInt(maxAgeQuery, 10);
-				if (!isNaN(parsedMaxAge)) opt.authParams.maxAge = parsedMaxAge;
-			}
+			if (!isNaN(query.maxAge)) opt.authParams.maxAge = query.maxAge;
 			const returnUrl = encodeURIComponent(opt.returnUrl ?? this.options.appUrl);
 			let params = {
 				redirectUri: `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`,
@@ -617,30 +629,28 @@ var MonoCloudCoreClient = class {
 				state,
 				codeChallenge
 			};
-			const authenticatorHint = request.getQuery("authenticator_hint") ?? opt.authParams.authenticatorHint;
+			const authenticatorHint = query.authenticatorHint ?? opt.authParams.authenticatorHint;
 			if (typeof authenticatorHint === "string" && authenticatorHint) params.authenticatorHint = authenticatorHint;
-			const reqScope = request.getQuery("scope");
-			const scopes = (typeof reqScope === "string" ? reqScope : void 0) ?? opt.authParams.scopes;
+			const scopes = (typeof query.scope === "string" ? query.scope : void 0) ?? opt.authParams.scopes;
 			if (scopes) {
 				const { error: e } = scopesValidationSchema.validate(scopes, { abortEarly: true });
 				if (!e) params.scopes = scopes;
 			}
-			const reqResource = request.getQuery("resource");
-			const resource = (typeof reqResource === "string" ? reqResource : void 0) ?? opt.authParams.resource;
+			const resource = (typeof query.resource === "string" ? query.resource : void 0) ?? opt.authParams.resource;
 			if (resource) {
 				const { error: e } = resourceValidationSchema.validate(resource, { abortEarly: true });
 				if (!e) params.resource = resource;
 			}
-			const display = request.getQuery("display") ?? opt.authParams.display;
+			const display = query.display ?? opt.authParams.display;
 			if (typeof display === "string" && display) params.display = display;
-			const uiLocales = request.getQuery("ui_locales") ?? opt.authParams.uiLocales;
+			const uiLocales = query.uiLocales ?? opt.authParams.uiLocales;
 			if (typeof uiLocales === "string" && uiLocales) params.uiLocales = uiLocales;
-			const acrValues = request.getQuery("acr_values") ?? opt.authParams.acrValues;
+			const acrValues = query.acrValues ?? opt.authParams.acrValues;
 			if (typeof acrValues === "string" && acrValues) params.acrValues = acrValues.split(" ").map((x) => x.trim()).filter((x) => x !== "");
-			const loginHint = request.getQuery("login_hint") ?? opt.authParams.loginHint;
+			const loginHint = query.loginHint ?? opt.authParams.loginHint;
 			if (typeof loginHint === "string" && loginHint) params.loginHint = loginHint;
 			let prompt;
-			if (typeof request.getQuery("prompt") === "string") prompt = request.getQuery("prompt");
+			if (typeof query.prompt === "string") prompt = query.prompt;
 			else prompt = opt.register ? "create" : opt.authParams.prompt;
 			if (prompt) params.prompt = prompt;
 			/* v8 ignore next -- @preserve */
@@ -700,6 +710,7 @@ var MonoCloudCoreClient = class {
 			if (!isAbsoluteUrl(url)) fullUrl = `${this.options.appUrl}${ensureLeadingSlash(url)}`;
 			const callbackParams = parseCallbackParams(method.toLowerCase() === "post" ? new URLSearchParams(body) : new URL(fullUrl).searchParams);
 			if (callbackParams.state !== monoCloudState.state) throw new MonoCloudValidationError$1("Invalid state");
+			if (isPresent(callbackParams.error)) throw new MonoCloudOPError$1(callbackParams.error, callbackParams.errorDescription);
 			const redirectUri = (callbackOptions === null || callbackOptions === void 0 ? void 0 : callbackOptions.redirectUri) ?? `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;
 			if (!callbackParams.code) throw new MonoCloudValidationError$1("Authorization code not found in callback params");
 			const appState = JSON.parse(monoCloudState.appState);
@@ -733,7 +744,6 @@ var MonoCloudCoreClient = class {
 					return response.done();
 				}
 			} catch {}
-			/* c8 ignore stop */
 			response.redirect(this.options.appUrl);
 		} catch (error) {
 			if (typeof (callbackOptions === null || callbackOptions === void 0 ? void 0 : callbackOptions.onError) === "function") return callbackOptions.onError(error);
@@ -766,7 +776,7 @@ var MonoCloudCoreClient = class {
 				const { error } = userInfoOptionsSchema.validate(userinfoOptions, { abortEarly: true });
 				if (error) throw new MonoCloudValidationError$1(error.details[0].message);
 			}
-			const refetchUserInfo = (userinfoOptions === null || userinfoOptions === void 0 ? void 0 : userinfoOptions.refresh) ?? this.options.refetchUserInfo;
+			const refetchUserInfo = (this.options.allowQueryParamOverrides ? { refresh: getBoolean(request.getQuery("refresh")) } : {}).refresh ?? (userinfoOptions === null || userinfoOptions === void 0 ? void 0 : userinfoOptions.refresh) ?? this.options.refetchUserInfo;
 			const session = await this.sessionService.getSession(request, response, !refetchUserInfo);
 			if (!session) {
 				response.setNoCache();
@@ -813,11 +823,14 @@ var MonoCloudCoreClient = class {
 				const { error } = signOutOptionsSchema.validate(signOutOptions, { abortEarly: true });
 				if (error) throw new MonoCloudValidationError$1(error.details[0].message);
 			}
+			const query = this.options.allowQueryParamOverrides ? {
+				postLogoutUrl: request.getQuery("post_logout_url"),
+				federated: getBoolean(request.getQuery("federated"))
+			} : {};
 			let returnUrl = this.options.postLogoutRedirectUri ?? (signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.postLogoutRedirectUri) ?? this.options.appUrl;
-			const retUrl = request.getQuery("post_logout_url");
-			if (typeof retUrl === "string" && retUrl) {
-				const { error } = signOutOptionsSchema.validate({ postLogoutRedirectUri: retUrl });
-				if (!error) returnUrl = retUrl;
+			if (query.postLogoutUrl) {
+				const { error } = signOutOptionsSchema.validate({ postLogoutRedirectUri: query.postLogoutUrl });
+				if (!error) returnUrl = query.postLogoutUrl;
 			}
 			if (!isAbsoluteUrl(returnUrl)) returnUrl = `${this.options.appUrl}${ensureLeadingSlash(returnUrl)}`;
 			const session = await this.sessionService.getSession(request, response, false);
@@ -826,7 +839,7 @@ var MonoCloudCoreClient = class {
 				return response.done();
 			}
 			await this.sessionService.removeSession(request, response);
-			if (!((signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.federatedSignOut) ?? this.options.federatedSignOut)) {
+			if (!(query.federated ?? (signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.federatedSignOut) ?? this.options.federatedSignOut)) {
 				response.redirect(returnUrl);
 				return response.done();
 			}