npm - @nocobase/plugin-idp-oauth - Versions diffs - 2.1.0-alpha.10 - Mend

@nocobase/plugin-idp-oauth 2.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (451) hide show

package/dist/node_modules/oidc-provider/lib/actions/authorization/interactions.js ADDED Viewed

@@ -0,0 +1,149 @@
+import upperFirst from '../../helpers/_/upper_first.js';
+import camelCase from '../../helpers/_/camel_case.js';
+import * as errors from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+import nanoid from '../../helpers/nanoid.js';
+export default async function interactions(resumeRouteName, ctx, next) {
+  const { oidc } = ctx;
+  let failedCheck;
+  let prompt;
+  const { policy, url: interactionUrl } = instance(oidc.provider).configuration.interactions;
+  for (const { name, checks, details: promptDetails } of policy) {
+    let results = (await Promise.all([...checks].map(async ({
+      reason, description, error, details, check,
+    }) => {
+      if (await check(ctx)) {
+        return {
+          [reason]: { error, description, details: await details(ctx) },
+        };
+      }
+      return undefined;
+    }))).filter(Boolean);
+    if (results.length) {
+      results = Object.assign({}, ...results);
+      prompt = {
+        name,
+        reasons: Object.keys(results),
+        details: Object.assign(
+          {},
+          await promptDetails(ctx),
+          ...Object.values(results).map((r) => r.details),
+        ),
+      };
+      const [[, { error, description }]] = Object.entries(results);
+      failedCheck = {
+        error: error || 'interaction_required',
+        error_description: description || 'interaction is required from the end-user',
+      };
+      break;
+    }
+  }
+  // no interaction requested
+  if (!prompt) {
+    // check there's an accountId to continue
+    if (!oidc.session.accountId) {
+      throw new errors.AccessDenied(undefined, 'authorization request resolved without requesting interactions but no account id was resolved');
+    }
+    // check there's something granted to continue
+    // if only claims parameter is used then it must be combined with openid scope anyway
+    // when no scope parameter was provided and none is injected by the AS policy access is
+    // denied rather then issuing a code/token without scopes
+    if (
+      !oidc.grant.getOIDCScopeFiltered(oidc.requestParamOIDCScopes)
+      && Object.keys(ctx.oidc.resourceServers)
+        .every(
+          (resource) => !oidc.grant.getResourceScopeFiltered(resource, oidc.requestParamScopes),
+        )
+      && !oidc.params.authorization_details
+    ) {
+      throw new errors.AccessDenied(undefined, 'authorization request resolved without requesting interactions but no scope was granted');
+    }
+    oidc.provider.emit('authorization.accepted', ctx);
+    await next();
+    return;
+  }
+  // if interaction needed but prompt=none => throw;
+  try {
+    if (oidc.promptPending('none')) {
+      const className = upperFirst(camelCase(failedCheck.error));
+      if (errors[className]) {
+        throw new errors[className](failedCheck.error_description);
+      }
+      throw new errors.CustomOIDCProviderError(failedCheck.error, failedCheck.error_description);
+    }
+  } catch (err) {
+    const code = /^(code|device)_/.test(oidc.route) ? 400 : 303;
+    err.status = code;
+    err.statusCode = code;
+    err.expose = true;
+    throw err;
+  }
+  const uid = nanoid();
+  const cookieOptions = instance(oidc.provider).configuration.cookies.short;
+  const returnTo = oidc.urlFor(resumeRouteName, {
+    uid,
+  });
+  const interactionSession = new oidc.provider.Interaction(uid, {
+    returnTo,
+    prompt,
+    lastSubmission: oidc.result,
+    accountId: oidc.session.accountId,
+    params: oidc.params.toPlainObject(),
+    trusted: oidc.trusted,
+    session: oidc.session,
+    grant: oidc.grant,
+    cid: oidc.entities.Interaction?.cid || nanoid(),
+    deviceCode: oidc.deviceCode?.jti,
+    parJti: oidc.entities.PushedAuthorizationRequest?.jti || oidc.entities.Interaction?.parJti,
+  });
+  let ttl = instance(ctx.oidc.provider).configuration.ttl.Interaction;
+  if (typeof ttl === 'function') {
+    ttl = ttl(ctx, interactionSession);
+  }
+  await interactionSession.save(ttl);
+  ctx.oidc.entity('Interaction', interactionSession);
+  const destination = await interactionUrl(ctx, interactionSession);
+  ctx.cookies.set(
+    oidc.provider.cookieName('interaction'),
+    uid,
+    {
+      path: new URL(destination, ctx.oidc.issuer).pathname,
+      ...cookieOptions,
+      maxAge: ttl * 1000,
+    },
+  );
+  ctx.cookies.set(
+    oidc.provider.cookieName('resume'),
+    uid,
+    {
+      ...cookieOptions,
+      path: new URL(returnTo).pathname,
+      domain: undefined,
+      httpOnly: true,
+      maxAge: ttl * 1000,
+    },
+  );
+  oidc.provider.emit('interaction.started', ctx, prompt);
+  ctx.status = 303;
+  ctx.redirect(destination);
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/load_account.js ADDED Viewed

@@ -0,0 +1,15 @@
+import instance from '../../helpers/weak_cache.js';
+/*
+ * Loads the End-User's account referenced by the session.
+ */
+export default async function loadAccount(ctx, next) {
+  const { accountId } = ctx.oidc.session;
+  if (accountId) {
+    const account = await instance(ctx.oidc.provider).configuration.findAccount(ctx, accountId);
+    ctx.oidc.entity('Account', account);
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/load_grant.js ADDED Viewed

@@ -0,0 +1,29 @@
+import instance from '../../helpers/weak_cache.js';
+/*
+ * Load or establish a new Grant object when the user is known.
+ */
+export default async function loadGrant(ctx, next) {
+  const { loadExistingGrant } = instance(ctx.oidc.provider).configuration;
+  if (ctx.oidc.account) {
+    let grant = await loadExistingGrant(ctx);
+    if (grant) {
+      if (grant.accountId !== ctx.oidc.account.accountId) {
+        throw new Error('accountId mismatch');
+      }
+      if (grant.clientId !== ctx.oidc.client.clientId) {
+        throw new Error('clientId mismatch');
+      }
+      ctx.oidc.session.ensureClientContainer(ctx.oidc.params.client_id);
+      ctx.oidc.session.grantIdFor(ctx.oidc.params.client_id, grant.jti);
+    } else {
+      grant = new ctx.oidc.provider.Grant({
+        accountId: ctx.oidc.account.accountId,
+        clientId: ctx.oidc.client.clientId,
+      });
+    }
+    ctx.oidc.entity('Grant', grant);
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/load_pushed_authorization_request.js ADDED Viewed

@@ -0,0 +1,36 @@
+import { InvalidRequestUri, RequestUriNotSupported } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+import { PUSHED_REQUEST_URN } from '../../consts/index.js';
+import rejectRequestAndUri from './reject_request_and_uri.js';
+/*
+ * Validates request_uri is a PAR one when PAR is enabled and loads it. Throws
+ */
+export default async function loadPushedAuthorizationRequest(ctx, next) {
+  const { pushedAuthorizationRequests } = instance(ctx.oidc.provider).features;
+  const { params, provider: { PushedAuthorizationRequest } } = ctx.oidc;
+  rejectRequestAndUri(ctx, () => {});
+  if (params.request_uri !== undefined) {
+    if (pushedAuthorizationRequests.enabled && params.request_uri.startsWith(PUSHED_REQUEST_URN)) {
+      if (!URL.canParse(params.request_uri)) {
+        throw new InvalidRequestUri('invalid request_uri');
+      }
+      const [, id] = params.request_uri.split(PUSHED_REQUEST_URN);
+      const pushedAuthorizationRequest = await PushedAuthorizationRequest.find(id, {
+        ignoreExpiration: true,
+      });
+      if (!pushedAuthorizationRequest?.isValid) {
+        throw new InvalidRequestUri('request_uri is invalid, expired, or was already used');
+      }
+      ctx.oidc.entity('PushedAuthorizationRequest', pushedAuthorizationRequest);
+      params.request = pushedAuthorizationRequest.request;
+    } else {
+      throw new RequestUriNotSupported();
+    }
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/oauth_required.js ADDED Viewed

@@ -0,0 +1,11 @@
+import presence from '../../helpers/validate_presence.js';
+/*
+ * Validates presence of mandatory OAuth2.0 parameters response_type, client_id and scope.
+ */
+export default function oauthRequired(ctx, next) {
+  // Validate: required oauth params
+  presence(ctx, 'response_type', 'client_id');
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/oidc_required.js ADDED Viewed

@@ -0,0 +1,27 @@
+import presence from '../../helpers/validate_presence.js';
+/*
+ * Validates presence of redirect_uri and conditionally nonce if specific implicit or hybrid flow
+ * are used.
+ * Validates that openid scope is present is OpenID Connect specific parameters are provided.
+ */
+export default function oidcRequired(ctx, next) {
+  const { params } = ctx.oidc;
+  const required = new Set(['redirect_uri']);
+  // Check for nonce if implicit or hybrid flow responding with id_token issued by the authorization
+  // endpoint
+  if (typeof params.response_type === 'string' && params.response_type.includes('id_token')) {
+    required.add('nonce');
+  }
+  // TODO: move this to a new helper function
+  if (ctx.oidc.isFapi('1.0 Final')) {
+    required.add(ctx.oidc.requestParamScopes.has('openid') ? 'nonce' : 'state');
+  }
+  presence(ctx, ...required);
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/one_redirect_uri_clients.js ADDED Viewed

@@ -0,0 +1,20 @@
+import instance from '../../helpers/weak_cache.js';
+/*
+ * If no redirect_uri is provided and client only pre-registered one unique value it is assumed
+ * to be the requested redirect_uri and used as if it was explicitly provided;
+ */
+export default function oneRedirectUriClients(ctx, next) {
+  if (!instance(ctx.oidc.provider).configuration.allowOmittingSingleRegisteredRedirectUri || ctx.oidc.isFapi('2.0')) {
+    return next();
+  }
+  const { params, client } = ctx.oidc;
+  if (params.redirect_uri === undefined && client.redirectUris.length === 1) {
+    ctx.oidc.redirectUriCheckPerformed = true;
+    [params.redirect_uri] = client.redirectUris;
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/process_request_object.js ADDED Viewed

@@ -0,0 +1,214 @@
+import * as JWT from '../../helpers/jwt.js';
+import instance from '../../helpers/weak_cache.js';
+import { InvalidRequest, InvalidRequestObject, OIDCProviderError } from '../../helpers/errors.js';
+import isPlainObject from '../../helpers/_/is_plain_object.js';
+/*
+ * Decrypts and validates the content of provided request parameter and replaces the parameters
+ * provided via OAuth2.0 authorization request with these
+ */
+export default async function processRequestObject(PARAM_LIST, rejectDupesMiddleware, ctx, next) {
+  const { params, client, route } = ctx.oidc;
+  const pushedRequestObject = 'PushedAuthorizationRequest' in ctx.oidc.entities;
+  if (client.requirePushedAuthorizationRequests && route === 'authorization' && !pushedRequestObject) {
+    throw new InvalidRequest('Pushed Authorization Request must be used');
+  }
+  const isBackchannelAuthentication = route === 'backchannel_authentication';
+  const { configuration, features } = instance(ctx.oidc.provider);
+  if (
+    params.request === undefined
+    && (
+      client.requireSignedRequestObject
+      || (client.backchannelAuthenticationRequestSigningAlg && isBackchannelAuthentication)
+    )
+  ) {
+    throw new InvalidRequest('Request Object must be used by this client');
+  }
+  if (params.request === undefined) {
+    return next();
+  }
+  let trusted = false; // signed or encrypted by client confidential material
+  if (features.encryption.enabled && params.request.split('.').length === 5) {
+    if (isBackchannelAuthentication) {
+      throw new InvalidRequest('Encrypted Request Objects are not supported by CIBA');
+    }
+    try {
+      const header = JWT.header(params.request);
+      if (!configuration.requestObjectEncryptionAlgValues.includes(header.alg)) {
+        throw new TypeError('unsupported encrypted request alg');
+      }
+      if (!configuration.requestObjectEncryptionEncValues.includes(header.enc)) {
+        throw new TypeError('unsupported encrypted request enc');
+      }
+      let decrypted;
+      if (/^(A|dir$)/.test(header.alg)) {
+        client.checkClientSecretExpiration('could not decrypt the Request Object - the client secret used for its encryption is expired', 'invalid_request_object');
+        decrypted = await JWT.decrypt(params.request, client.symmetricKeyStore);
+        trusted = true;
+      } else {
+        decrypted = await JWT.decrypt(params.request, instance(ctx.oidc.provider).keystore);
+      }
+      params.request = decrypted.toString('utf8');
+      if (ctx.oidc.body) {
+        ctx.oidc.body.request = params.request;
+      }
+    } catch (err) {
+      if (err instanceof OIDCProviderError) {
+        throw err;
+      }
+      throw new InvalidRequestObject('could not decrypt request object', err.message);
+    }
+  }
+  let decoded;
+  try {
+    decoded = JWT.decode(params.request);
+  } catch (err) {
+    throw new InvalidRequestObject('could not parse Request Object', err.message);
+  }
+  const { payload, header: { alg } } = decoded;
+  const request = Object.entries(payload).reduce((acc, [key, value]) => {
+    if (PARAM_LIST.has(key)) {
+      if (key === 'claims' && isPlainObject(value)) {
+        acc[key] = JSON.stringify(value);
+      } else if (key === 'authorization_details' && Array.isArray(value)) {
+        acc[key] = JSON.stringify(value);
+      } else if (Array.isArray(value)) {
+        acc[key] = value;
+      } else if (typeof value !== 'string') {
+        acc[key] = String(value);
+      } else {
+        acc[key] = value;
+      }
+    }
+    return acc;
+  }, {});
+  rejectDupesMiddleware({ oidc: { params: request } }, () => {});
+  const original = {};
+  for (const param of ['state', 'response_mode', 'response_type']) {
+    original[param] = params[param];
+    if (request[param] !== undefined) {
+      params[param] = request[param];
+    }
+  }
+  if (request.request !== undefined || request.request_uri !== undefined) {
+    throw new InvalidRequestObject('Request Object must not contain request or request_uri properties');
+  }
+  if (
+    original.response_type
+    && request.response_type !== undefined
+    && request.response_type !== original.response_type
+  ) {
+    throw new InvalidRequestObject('request response_type must equal the one in request parameters');
+  }
+  if (
+    params.client_id
+    && request.client_id !== undefined
+    && request.client_id !== params.client_id
+  ) {
+    throw new InvalidRequestObject('request client_id must equal the one in request parameters');
+  }
+  if (route === 'pushed_authorization_request') {
+    if (request.client_id !== ctx.oidc.client.clientId) {
+      throw new InvalidRequestObject('request client_id must equal the authenticated client\'s client_id');
+    }
+  }
+  if (request.client_id !== undefined && request.client_id !== client.clientId) {
+    throw new InvalidRequestObject('request client_id mismatch');
+  }
+  if (!pushedRequestObject && !configuration.requestObjectSigningAlgValues.includes(alg)) {
+    throw new InvalidRequestObject('unsupported signed request alg');
+  }
+  const prop = isBackchannelAuthentication ? 'backchannelAuthenticationRequestSigningAlg' : 'requestObjectSigningAlg';
+  if (!pushedRequestObject && client[prop] && alg !== client[prop]) {
+    throw new InvalidRequestObject('the preregistered alg must be used in request or request_uri');
+  }
+  const opts = {
+    issuer: client.clientId,
+    audience: ctx.oidc.issuer,
+    clockTolerance: configuration.clockTolerance,
+    ignoreAzp: true,
+  };
+  try {
+    JWT.assertPayload(payload, opts);
+  } catch (err) {
+    throw new InvalidRequestObject('Request Object claims are invalid', err.message);
+  }
+  await features.requestObjects.assertJwtClaimsAndHeader(
+    ctx,
+    structuredClone(decoded.payload),
+    structuredClone(decoded.header),
+    client,
+  );
+  if (pushedRequestObject) {
+    ({ trusted } = pushedRequestObject);
+  } else {
+    try {
+      if (alg.startsWith('HS')) {
+        client.checkClientSecretExpiration('could not validate the Request Object - the client secret used for its signature is expired', 'invalid_request_object');
+        await JWT.verify(params.request, client.symmetricKeyStore, opts);
+      } else {
+        await JWT.verify(params.request, client.asymmetricKeyStore, opts);
+      }
+      trusted = true;
+    } catch (err) {
+      if (err instanceof OIDCProviderError) {
+        throw err;
+      }
+      throw new InvalidRequestObject('could not validate Request Object', err.message);
+    }
+  }
+  if (trusted) {
+    ctx.oidc.trusted = Object.keys(request);
+  }
+  params.request = undefined;
+  Object.keys(params).forEach((key) => {
+    if (key in request) {
+      // use value from Request Object
+      params[key] = request[key];
+    } else {
+      // ignore all OAuth 2.0 parameters outside of Request Object
+      params[key] = undefined;
+    }
+  });
+  if (pushedRequestObject && ctx.oidc.entities.PushedAuthorizationRequest.dpopJkt) {
+    params.dpop_jkt = ctx.oidc.entities.PushedAuthorizationRequest.dpopJkt;
+    ctx.oidc.trusted?.push('dpop_jkt');
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/pushed_authorization_request_remap_errors.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { InvalidRedirectUri } from '../../helpers/errors.js';
+/*
+ * Remaps the Pushed Authorization Request Endpoint errors thrown in downstream middlewares.
+ */
+export default async function requestObjectRemapErrors(ctx, next) {
+  return next().catch((err) => {
+    if (err instanceof InvalidRedirectUri) {
+      Object.assign(err, {
+        message: 'invalid_request',
+        error: 'invalid_request',
+      });
+    }
+    throw err;
+  });
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/pushed_authorization_request_response.js ADDED Viewed

@@ -0,0 +1,65 @@
+import { UnsecuredJWT } from 'jose';
+import { PUSHED_REQUEST_URN } from '../../consts/index.js';
+import epochTime from '../../helpers/epoch_time.js';
+import * as JWT from '../../helpers/jwt.js';
+const MAX_TTL = 60;
+export default async function pushedAuthorizationRequestResponse(ctx) {
+  let request;
+  let ttl;
+  let dpopJkt;
+  const now = epochTime();
+  if (ctx.oidc.body.request) {
+    ({ request } = ctx.oidc.body);
+    const { payload: { exp, dpop_jkt: thumbprint } } = JWT.decode(request);
+    ttl = exp - now;
+    if (!Number.isInteger(ttl) || ttl > MAX_TTL) {
+      ttl = MAX_TTL;
+    }
+    dpopJkt = thumbprint || ctx.oidc.params.dpop_jkt;
+  } else {
+    ttl = MAX_TTL;
+    const payload = { ...ctx.oidc.params };
+    if (payload.claims) {
+      payload.claims = JSON.parse(payload.claims);
+    }
+    if (payload.authorization_details) {
+      payload.authorization_details = JSON.parse(payload.authorization_details);
+    }
+    request = new UnsecuredJWT(payload)
+      .setIssuedAt(now)
+      .setIssuer(ctx.oidc.client.clientId)
+      .setAudience(ctx.oidc.issuer)
+      .setExpirationTime(now + MAX_TTL)
+      .setNotBefore(now)
+      .encode();
+    dpopJkt = ctx.oidc.params.dpop_jkt;
+  }
+  const requestObject = new ctx.oidc.provider.PushedAuthorizationRequest({
+    request,
+    dpopJkt,
+    trusted: ctx.oidc.client.clientAuthMethod !== 'none' || !!ctx.oidc.trusted?.length,
+  });
+  if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth') {
+    await requestObject.setAttestBinding(ctx);
+  }
+  const id = await requestObject.save(ttl);
+  ctx.oidc.entity('PushedAuthorizationRequest', requestObject);
+  ctx.status = 201;
+  ctx.body = {
+    expires_in: ttl,
+    request_uri: `${PUSHED_REQUEST_URN}${id}`,
+  };
+  ctx.oidc.provider.emit('pushed_authorization_request.success', ctx, ctx.oidc.client);
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_registration.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { RegistrationNotSupported } from '../../helpers/errors.js';
+/*
+ * Rejects registration parameter as not supported.
+ */
+export default function rejectRegistration(ctx, next) {
+  if (ctx.oidc.params.registration !== undefined) {
+    throw new RegistrationNotSupported();
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_request_and_uri.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+/*
+ * Rejects when request and request_uri are used together.
+ */
+export default function rejectRequestAndUri(ctx, next) {
+  if (ctx.oidc.params.request !== undefined && ctx.oidc.params.request_uri !== undefined) {
+    throw new InvalidRequest('request and request_uri parameters MUST NOT be used together');
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_unsupported.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { InvalidRequest, RequestNotSupported, RequestUriNotSupported } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+/*
+ * Rejects request and request_uri parameters when not supported. Also rejects wmrm's relay mode.
+ */
+export default function rejectUnsupported(ctx, next) {
+  const {
+    requestObjects,
+    pushedAuthorizationRequests,
+    webMessageResponseMode,
+  } = instance(ctx.oidc.provider).features;
+  const { params } = ctx.oidc;
+  if (params.request !== undefined && !requestObjects.enabled) {
+    throw new RequestNotSupported();
+  }
+  if (
+    params.request_uri !== undefined
+    && (ctx.oidc.route !== 'authorization' || !pushedAuthorizationRequests.enabled)
+  ) {
+    throw new RequestUriNotSupported();
+  }
+  if (webMessageResponseMode.enabled && params.response_mode?.includes('web_message') && params.web_message_uri) {
+    const error = new InvalidRequest('Web Message Response Mode Relay Mode is not supported');
+    error.allow_redirect = false;
+    throw error;
+  }
+  return next();
+}