@naylence/runtime 0.3.5-test.910 → 0.3.5-test.913

package/dist/esm/naylence/fame/http/openid-configuration-router.js

@@ -1,9 +1,8 @@
 /**
- * OpenID Connect Discovery configuration router for Express
+ * OpenID Connect Discovery configuration plugin for Fastify
  *
  * Provides /.well-known/openid-configuration endpoint for OAuth2/OIDC client auto-discovery
  */
-import express from 'express';
 import { getLogger } from '../util/logging.js';
 const logger = getLogger('naylence.fame.http.openid_configuration_router');
 const DEFAULT_PREFIX = '';
@@ -77,10 +76,10 @@ function getAllowedScopes(configScopes) {
     return configScopes ?? ['node.connect'];
 }
 /**
- * Create an Express router that implements OpenID Connect Discovery
+ * Create a Fastify plugin that implements OpenID Connect Discovery
  *
  * @param options - Router configuration options
- * @returns Express router with OpenID configuration endpoint
+ * @returns Fastify plugin with OpenID configuration endpoint
  *
  * Environment Variables:
  *   FAME_JWT_ISSUER: JWT issuer claim (optional)
@@ -89,17 +88,16 @@ function getAllowedScopes(configScopes) {
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createOpenIDConfigurationRouter } from '@naylence/runtime';
  *
- * const app = express();
- * app.use(createOpenIDConfigurationRouter({
+ * const app = Fastify();
+ * app.register(createOpenIDConfigurationRouter({
  *   issuer: 'https://auth.example.com',
  * }));
  * ```
  */
 export function createOpenIDConfigurationRouter(options = {}) {
-    const router = express.Router();
     const { prefix = DEFAULT_PREFIX, issuer, baseUrl, tokenEndpointPath = '/oauth/token', jwksEndpointPath = '/.well-known/jwks.json', allowedScopes: configAllowedScopes, algorithm: configAlgorithm, } = normalizeOpenIDConfigurationRouterOptions(options);
     // Resolve configuration with environment variable priority
     const defaultIssuer = process.env[ENV_VAR_JWT_ISSUER] ?? issuer ?? 'https://auth.fame.fabric';
@@ -115,27 +113,28 @@ export function createOpenIDConfigurationRouter(options = {}) {
         algorithm,
         allowedScopes,
     });
-    // OpenID Connect Discovery endpoint
-    router.get(`${prefix}/.well-known/openid-configuration`, (_req, res) => {
-        // Construct absolute URLs for endpoints
-        const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
-        const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
-        const config = {
-            issuer: defaultIssuer,
-            token_endpoint: tokenEndpoint,
-            jwks_uri: jwksUri,
-            scopes_supported: allowedScopes,
-            response_types_supported: ['token'],
-            grant_types_supported: ['client_credentials'],
-            token_endpoint_auth_methods_supported: [
-                'client_secret_basic',
-                'client_secret_post',
-            ],
-            subject_types_supported: ['public'],
-            id_token_signing_alg_values_supported: [algorithm],
-        };
-        logger.debug('openid_config_served', { config });
-        res.json(config);
-    });
-    return router;
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/openid-configuration`, async (_request, reply) => {
+            // Construct absolute URLs for endpoints
+            const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
+            const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
+            const config = {
+                issuer: defaultIssuer,
+                token_endpoint: tokenEndpoint,
+                jwks_uri: jwksUri,
+                scopes_supported: allowedScopes,
+                response_types_supported: ['token'],
+                grant_types_supported: ['client_credentials'],
+                token_endpoint_auth_methods_supported: [
+                    'client_secret_basic',
+                    'client_secret_post',
+                ],
+                subject_types_supported: ['public'],
+                id_token_signing_alg_values_supported: [algorithm],
+            };
+            logger.debug('openid_config_served', { config });
+            reply.send(config);
+        });
+    };
+    return plugin;
 }

package/dist/esm/naylence/fame/node/admission/admission-profile-factory.js

@@ -8,18 +8,28 @@ const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
 const ENV_VAR_ADMISSION_TOKEN_URL = 'FAME_ADMISSION_TOKEN_URL';
 const ENV_VAR_ADMISSION_CLIENT_ID = 'FAME_ADMISSION_CLIENT_ID';
 const ENV_VAR_ADMISSION_CLIENT_SECRET = 'FAME_ADMISSION_CLIENT_SECRET';
+const ENV_VAR_ADMISSION_AUTHORIZE_URL = 'FAME_ADMISSION_AUTHORIZE_URL';
+const ENV_VAR_ADMISSION_REDIRECT_URL = 'FAME_ADMISSION_REDIRECT_URL';
+const ENV_VAR_ADMISSION_LOGIN_HINT_PARAM = 'FAME_ADMISSION_LOGIN_HINT_PARAM';
+const ENV_VAR_ADMISSION_CODE_CHALLENGE_METHOD = 'FAME_ADMISSION_CODE_CHALLENGE_METHOD';
+const ENV_VAR_ADMISSION_CODE_VERIFIER_LENGTH = 'FAME_ADMISSION_CODE_VERIFIER_LENGTH';
+const ENV_VAR_ADMISSION_CLOCK_SKEW_SECONDS = 'FAME_ADMISSION_CLOCK_SKEW_SECONDS';
 const ENV_VAR_DIRECT_ADMISSION_URL = 'FAME_DIRECT_ADMISSION_URL';
 const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
+const PROFILE_NAME_DIRECT_PKCE = 'direct-pkce';
 const PROFILE_NAME_OPEN = 'open';
 const PROFILE_NAME_NOOP = 'noop';
 const PROFILE_NAME_NONE = 'none';
 const PROFILE_NAME_DIRECT_INPAGE_ALIAS = 'direct_inpage';
+const PROFILE_NAME_DIRECT_PKCE_ALIAS = 'direct_pkce';
 function createOAuthTokenProviderConfig() {
     const tokenUrl = Expressions.env(ENV_VAR_ADMISSION_TOKEN_URL);
     const clientId = Expressions.env(ENV_VAR_ADMISSION_CLIENT_ID);
@@ -37,8 +47,41 @@ function createOAuthTokenProviderConfig() {
         audience,
     };
 }
+function createOAuthPkceTokenProviderConfig() {
+    const authorizeUrl = Expressions.env(ENV_VAR_ADMISSION_AUTHORIZE_URL);
+    const tokenUrl = Expressions.env(ENV_VAR_ADMISSION_TOKEN_URL);
+    const redirectUri = Expressions.env(ENV_VAR_ADMISSION_REDIRECT_URL);
+    const clientId = Expressions.env(ENV_VAR_ADMISSION_CLIENT_ID);
+    const loginHintParam = Expressions.env(ENV_VAR_ADMISSION_LOGIN_HINT_PARAM, 'login_hint');
+    const audience = Expressions.env(ENV_VAR_JWT_AUDIENCE);
+    const codeChallengeMethod = Expressions.env(ENV_VAR_ADMISSION_CODE_CHALLENGE_METHOD, 'S256');
+    const codeVerifierLength = Expressions.env(ENV_VAR_ADMISSION_CODE_VERIFIER_LENGTH, '64');
+    const clockSkewSeconds = Expressions.env(ENV_VAR_ADMISSION_CLOCK_SKEW_SECONDS, '30');
+    return {
+        type: 'OAuth2PkceTokenProvider',
+        authorizeUrl,
+        authorize_url: authorizeUrl,
+        tokenUrl,
+        token_url: tokenUrl,
+        redirectUri,
+        redirect_uri: redirectUri,
+        clientId,
+        client_id: clientId,
+        loginHintParam,
+        login_hint_param: loginHintParam,
+        scopes: ['node.connect'],
+        audience,
+        codeChallengeMethod,
+        code_challenge_method: codeChallengeMethod,
+        codeVerifierLength,
+        code_verifier_length: codeVerifierLength,
+        clockSkewSeconds,
+        clock_skew_seconds: clockSkewSeconds,
+    };
+}
 const welcomeIsRoot = Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -52,6 +95,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -71,6 +127,25 @@ const DIRECT_PROFILE = {
     connection_grants: directGrants,
     connectionGrants: directGrants,
 };
+const directPkceTokenProvider = createOAuthPkceTokenProviderConfig();
+const directPkceGrant = {
+    type: 'WebSocketConnectionGrant',
+    purpose: GRANT_PURPOSE_NODE_ATTACH,
+    url: Expressions.env(ENV_VAR_DIRECT_ADMISSION_URL),
+    auth: {
+        type: 'WebSocketSubprotocolAuth',
+        token_provider: directPkceTokenProvider,
+        tokenProvider: directPkceTokenProvider,
+    },
+    ttl: 0,
+    durable: false,
+};
+const directPkceGrants = [directPkceGrant];
+const DIRECT_PKCE_PROFILE = {
+    type: 'DirectAdmissionClient',
+    connection_grants: directPkceGrants,
+    connectionGrants: directPkceGrants,
+};
 const directHttpTokenProvider = createOAuthTokenProviderConfig();
 const directHttpGrant = {
     type: 'HttpConnectionGrant',
@@ -138,7 +213,11 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
+    [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
+    [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_HTTP]: DIRECT_HTTP_PROFILE,
     [PROFILE_NAME_DIRECT_INPAGE]: DIRECT_INPAGE_PROFILE,
     [PROFILE_NAME_DIRECT_INPAGE_ALIAS]: DIRECT_INPAGE_PROFILE,

package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.js

@@ -0,0 +1,134 @@
+import { CredentialProviderFactory, } from '../credential/credential-provider-factory.js';
+import { normalizeSecretSource, } from '../credential/secret-source.js';
+import { safeImport } from '../../util/lazy-import.js';
+import { TOKEN_PROVIDER_FACTORY_BASE_TYPE, TokenProviderFactory, } from './token-provider-factory.js';
+let oauth2PkceTokenProviderModulePromise = null;
+async function getOAuth2PkceTokenProviderModule() {
+    if (!oauth2PkceTokenProviderModulePromise) {
+        oauth2PkceTokenProviderModulePromise = safeImport(() => import('./oauth2-pkce-token-provider.js'), 'oauth2-pkce-token-provider');
+    }
+    return oauth2PkceTokenProviderModulePromise;
+}
+function ensureNonEmptyString(value, field) {
+    if (typeof value !== 'string' || value.trim().length === 0) {
+        throw new Error(`OAuth2PkceTokenProvider ${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+function normalizeScopes(value) {
+    if (Array.isArray(value)) {
+        const scopes = value
+            .map((scope) => (typeof scope === 'string' ? scope.trim() : ''))
+            .filter((scope) => scope.length > 0);
+        return scopes;
+    }
+    if (typeof value === 'string' && value.trim().length > 0) {
+        return value
+            .split(/[\s,]+/u)
+            .map((scope) => scope.trim())
+            .filter((scope) => scope.length > 0);
+    }
+    return [];
+}
+function normalizeConfig(config) {
+    if (!config) {
+        throw new Error('OAuth2PkceTokenProvider requires configuration');
+    }
+    const candidate = config;
+    const authorizeUrl = ensureNonEmptyString(candidate.authorizeUrl ?? candidate.authorize_url, 'authorizeUrl');
+    const tokenUrl = ensureNonEmptyString(candidate.tokenUrl ?? candidate.token_url, 'tokenUrl');
+    const redirectUri = ensureNonEmptyString(candidate.redirectUri ?? candidate.redirect_uri, 'redirectUri');
+    const clientId = ensureNonEmptyString(candidate.clientId ?? candidate.client_id, 'clientId');
+    const usernameSource = (candidate.username ??
+        candidate.username_source);
+    const clientSecretSource = (candidate.clientSecret ??
+        candidate.client_secret);
+    const scopes = normalizeScopes(candidate.scopes ?? candidate.scope);
+    const normalized = {
+        authorizeUrl,
+        tokenUrl,
+        redirectUri,
+        clientId,
+        scopes,
+    };
+    if (usernameSource) {
+        normalized.usernameConfig = normalizeSecretSource(usernameSource);
+    }
+    if (clientSecretSource) {
+        normalized.clientSecretConfig = normalizeSecretSource(clientSecretSource);
+    }
+    const audienceCandidate = candidate.audience ?? candidate.aud;
+    if (typeof audienceCandidate === 'string' && audienceCandidate.trim().length > 0) {
+        normalized.audience = audienceCandidate.trim();
+    }
+    const codeChallengeMethod = candidate.codeChallengeMethod ?? candidate.code_challenge_method;
+    if (typeof codeChallengeMethod === 'string' && codeChallengeMethod.trim().length > 0) {
+        normalized.codeChallengeMethod = codeChallengeMethod.trim();
+    }
+    const codeVerifierLength = candidate.codeVerifierLength ?? candidate.code_verifier_length;
+    if (typeof codeVerifierLength === 'number' && Number.isFinite(codeVerifierLength)) {
+        normalized.codeVerifierLength = codeVerifierLength;
+    }
+    const clockSkewSeconds = candidate.clockSkewSeconds ?? candidate.clock_skew_seconds;
+    if (typeof clockSkewSeconds === 'number' && Number.isFinite(clockSkewSeconds)) {
+        normalized.clockSkewSeconds = clockSkewSeconds;
+    }
+    const loginHintParam = candidate.loginHintParam ?? candidate.login_hint_param;
+    if (typeof loginHintParam === 'string' && loginHintParam.trim().length > 0) {
+        normalized.loginHintParam = loginHintParam.trim();
+    }
+    return normalized;
+}
+export const FACTORY_META = {
+    base: TOKEN_PROVIDER_FACTORY_BASE_TYPE,
+    key: 'OAuth2PkceTokenProvider',
+};
+export class OAuth2PkceTokenProviderFactory extends TokenProviderFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'OAuth2PkceTokenProvider';
+    }
+    async create(config) {
+        const normalized = normalizeConfig(config);
+        const [usernameProvider, clientSecretProvider] = await Promise.all([
+            normalized.usernameConfig
+                ? CredentialProviderFactory.createCredentialProvider(normalized.usernameConfig)
+                : Promise.resolve(undefined),
+            normalized.clientSecretConfig
+                ? CredentialProviderFactory.createCredentialProvider(normalized.clientSecretConfig)
+                : Promise.resolve(undefined),
+        ]);
+        const options = {
+            authorizeUrl: normalized.authorizeUrl,
+            tokenUrl: normalized.tokenUrl,
+            redirectUri: normalized.redirectUri,
+            clientId: normalized.clientId,
+            scopes: normalized.scopes,
+        };
+        if (usernameProvider) {
+            options.usernameProvider = usernameProvider;
+        }
+        if (clientSecretProvider) {
+            options.clientSecretProvider = clientSecretProvider;
+        }
+        if (normalized.audience) {
+            options.audience = normalized.audience;
+        }
+        if (normalized.codeChallengeMethod) {
+            options.codeChallengeMethod = normalized.codeChallengeMethod
+                .toUpperCase();
+        }
+        if (normalized.codeVerifierLength) {
+            options.codeVerifierLength = normalized.codeVerifierLength;
+        }
+        if (normalized.clockSkewSeconds) {
+            options.clockSkewSeconds = normalized.clockSkewSeconds;
+        }
+        if (normalized.loginHintParam) {
+            options.loginHintParam = normalized.loginHintParam;
+        }
+        const { OAuth2PkceTokenProvider } = await getOAuth2PkceTokenProviderModule();
+        return new OAuth2PkceTokenProvider(options);
+    }
+}
+export default OAuth2PkceTokenProviderFactory;