@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/actions/authorization/respond.js

@@ -0,0 +1,46 @@
+import instance from '../../helpers/weak_cache.js';
+import { InvalidRequestUri } from '../../helpers/errors.js';
+import processResponseTypes from '../../helpers/process_response_types.js';
+
+/*
+ * Based on the authorization request response mode either redirects with parameters in query or
+ * fragment or renders auto-submitting form with the response members as hidden fields.
+ *
+ * If session management is supported stores User-Agent readable cookie with the session stated
+ * used by the OP iframe to detect session state changes.
+ *
+ * @emits: authorization.success
+ */
+export default async function respond(ctx) {
+  let pushedAuthorizationRequest = ctx.oidc.entities.PushedAuthorizationRequest;
+
+  if (!pushedAuthorizationRequest && ctx.oidc.entities.Interaction?.parJti) {
+    pushedAuthorizationRequest = await ctx.oidc.provider.PushedAuthorizationRequest.find(
+      ctx.oidc.entities.Interaction.parJti,
+      { ignoreExpiration: true },
+    );
+  }
+
+  if (pushedAuthorizationRequest?.consumed) {
+    throw new InvalidRequestUri('request_uri is invalid, expired, or was already used');
+  }
+  await pushedAuthorizationRequest?.consume();
+
+  const out = await processResponseTypes(ctx);
+
+  const { oidc: { params } } = ctx;
+
+  if (params.state !== undefined) {
+    out.state = params.state;
+  }
+
+  const { responseMode } = ctx.oidc;
+  if (!out.id_token && !responseMode.includes('jwt')) {
+    out.iss = ctx.oidc.provider.issuer;
+  }
+
+  ctx.oidc.provider.emit('authorization.success', ctx, out);
+
+  const handler = instance(ctx.oidc.provider).responseModes.get(responseMode);
+  await handler(ctx, params.redirect_uri, out);
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/resume.js

@@ -0,0 +1,111 @@
+import upperFirst from '../../helpers/_/upper_first.js';
+import camelCase from '../../helpers/_/camel_case.js';
+import nanoid from '../../helpers/nanoid.js';
+import * as errors from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+import Params from '../../helpers/params.js';
+import formPost from '../../response_modes/form_post.js';
+import epochTime from '../../helpers/epoch_time.js';
+
+export default async function resumeAction(allowList, resumeRouteName, ctx, next) {
+  const cookieOptions = instance(ctx.oidc.provider).configuration.cookies.short;
+
+  const cookieId = ctx.cookies.get(
+    ctx.oidc.provider.cookieName('resume'),
+    cookieOptions,
+  );
+
+  if (!cookieId) {
+    throw new errors.SessionNotFound('authorization request has expired');
+  }
+
+  const interactionSession = await ctx.oidc.provider.Interaction.find(cookieId);
+  if (!interactionSession) {
+    throw new errors.SessionNotFound('interaction session not found');
+  }
+  ctx.oidc.entity('Interaction', interactionSession);
+
+  if (cookieId !== interactionSession.uid) {
+    throw new errors.SessionNotFound('authorization session and cookie identifier mismatch');
+  }
+
+  const {
+    result,
+    params: storedParams = {},
+    trusted = [],
+    session: originSession,
+  } = interactionSession;
+
+  const { session } = ctx.oidc;
+
+  if (originSession?.uid && originSession.uid !== session.uid) {
+    throw new errors.SessionNotFound('interaction session and authentication session mismatch');
+  }
+
+  if (
+    result?.login
+    && session.accountId
+    && session.accountId !== result.login.accountId
+  ) {
+    if (interactionSession.session?.uid) {
+      delete interactionSession.session.uid;
+      await interactionSession.save(interactionSession.exp - epochTime());
+    }
+
+    session.state = {
+      secret: nanoid(),
+      clientId: storedParams.client_id,
+      postLogoutRedirectUri: ctx.oidc.urlFor(ctx.oidc.route, ctx.params),
+    };
+
+    formPost(ctx, ctx.oidc.urlFor('end_session_confirm'), {
+      xsrf: session.state.secret,
+      logout: 'yes',
+    });
+
+    return;
+  }
+
+  await interactionSession.destroy();
+
+  const params = new (Params(allowList))(storedParams);
+  ctx.oidc.params = params;
+  ctx.oidc.trusted = trusted;
+  ctx.oidc.redirectUriCheckPerformed = true;
+
+  const clearOpts = {
+    ...cookieOptions,
+    path: new URL(ctx.oidc.urlFor(resumeRouteName, { uid: interactionSession.uid })).pathname,
+  };
+  ctx.cookies.set(
+    ctx.oidc.provider.cookieName('resume'),
+    null,
+    clearOpts,
+  );
+
+  if (result?.error) {
+    const className = upperFirst(camelCase(result.error));
+    if (errors[className]) {
+      throw new errors[className](result.error_description);
+    }
+    throw new errors.CustomOIDCProviderError(result.error, result.error_description);
+  }
+
+  if (result?.login) {
+    const {
+      remember = true, accountId, ts: loginTs, amr, acr,
+    } = result.login;
+
+    session.loginAccount({
+      accountId, loginTs, amr, acr, transient: !remember,
+    });
+  }
+
+  ctx.oidc.result = result;
+
+  if (!session.new) {
+    session.resetIdentifier();
+  }
+
+  await next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/strip_outside_jar_params.js

@@ -0,0 +1,19 @@
+/*
+ * Makes sure that
+ * - unauthenticated clients send the JAR Request Object
+ * - either JAR or plain request is provided
+ * - request_uri is not used
+ */
+export default function stripOutsideJarParams(ctx, next) {
+  const JAR = !!ctx.oidc.params.request;
+
+  for (const [param, value] of Object.entries(ctx.oidc.params)) {
+    if (value !== undefined) {
+      if (JAR && (param !== 'client_id' && param !== 'request')) {
+        ctx.oidc.params[param] = undefined;
+      }
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/unsupported_rar.js

@@ -0,0 +1,9 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+
+export default async function unsupportedRar(ctx, next) {
+  if (ctx.oidc.params.authorization_details !== undefined) {
+    throw new InvalidRequest(`authorization_details is unsupported at the ${ctx.oidc.route}_endpoint`);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/challenge.js

@@ -0,0 +1,22 @@
+import instance from '../helpers/weak_cache.js';
+import noCache from '../shared/no_cache.js';
+
+export default [
+  noCache,
+  function challenge(ctx) {
+    const { DPoPNonces, AttestChallenges } = instance(ctx.oidc.provider);
+
+    ctx.body = {};
+
+    const nextNonce = DPoPNonces?.nextChallenge();
+    if (nextNonce) {
+      ctx.set('dpop-nonce', nextNonce);
+    }
+
+    const nextChallenge = AttestChallenges?.nextChallenge();
+    if (nextChallenge) {
+      ctx.set('oauth-client-attestation-challenge', nextChallenge);
+      ctx.body.attestation_challenge = nextChallenge;
+    }
+  },
+];

package/dist/node_modules/oidc-provider/lib/actions/code_verification.js

@@ -0,0 +1,122 @@
+import * as crypto from 'node:crypto';
+
+import sessionMiddleware from '../shared/session.js';
+import paramsMiddleware from '../shared/assemble_params.js';
+import bodyParser from '../shared/conditional_body.js';
+import rejectDupes from '../shared/reject_dupes.js';
+import instance from '../helpers/weak_cache.js';
+import { InvalidClient, InvalidRequest } from '../helpers/errors.js';
+import * as formHtml from '../helpers/user_code_form.js';
+import formPost from '../response_modes/form_post.js';
+import { normalize, denormalize } from '../helpers/user_codes.js';
+import {
+  NoCodeError, NotFoundError, ExpiredError, AlreadyUsedError, AbortedError,
+} from '../helpers/re_render_errors.js';
+
+const parseBody = bodyParser.bind(undefined, 'application/x-www-form-urlencoded');
+
+export const get = [
+  sessionMiddleware,
+  paramsMiddleware.bind(undefined, new Set(['user_code'])),
+  async function renderCodeVerification(ctx) {
+    const { charset, userCodeInputSource } = instance(ctx.oidc.provider).features.deviceFlow;
+
+    // TODO: generic xsrf middleware to remove this
+    const secret = crypto.randomBytes(24).toString('hex');
+    ctx.oidc.session.state = { secret };
+
+    const action = ctx.oidc.urlFor('code_verification');
+    if (ctx.oidc.params.user_code) {
+      formPost(ctx, action, {
+        xsrf: secret,
+        user_code: ctx.oidc.params.user_code,
+      });
+    } else {
+      await userCodeInputSource(ctx, formHtml.input(action, secret, undefined, charset));
+    }
+  },
+];
+
+export const post = [
+  sessionMiddleware,
+  parseBody,
+  paramsMiddleware.bind(undefined, new Set(['xsrf', 'user_code', 'confirm', 'abort'])),
+  rejectDupes.bind(undefined, {}),
+
+  async function codeVerificationCSRF(ctx, next) {
+    if (!ctx.oidc.session.state) {
+      throw new InvalidRequest('could not find device form details');
+    }
+    if (ctx.oidc.session.state.secret !== ctx.oidc.params.xsrf) {
+      throw new InvalidRequest('xsrf token invalid');
+    }
+    await next();
+  },
+
+  async function loadDeviceCodeByUserInput(ctx, next) {
+    const { userCodeConfirmSource, mask } = instance(ctx.oidc.provider).features.deviceFlow;
+    const { user_code: userCode, confirm, abort } = ctx.oidc.params;
+
+    if (!userCode) {
+      throw new NoCodeError();
+    }
+
+    const normalized = normalize(userCode);
+    const code = await ctx.oidc.provider.DeviceCode.findByUserCode(
+      normalized,
+      { ignoreExpiration: true },
+    );
+
+    if (!code) {
+      throw new NotFoundError(userCode);
+    }
+
+    if (code.isExpired) {
+      throw new ExpiredError(userCode);
+    }
+
+    if (code.error || code.accountId || code.inFlight) {
+      throw new AlreadyUsedError(userCode);
+    }
+
+    ctx.oidc.entity('DeviceCode', code);
+
+    if (abort) {
+      Object.assign(code, {
+        error: 'access_denied',
+        errorDescription: 'End-User aborted interaction',
+      });
+
+      await code.save();
+      throw new AbortedError();
+    }
+
+    if (!confirm) {
+      const client = await ctx.oidc.provider.Client.find(code.clientId);
+      if (!client) {
+        throw new InvalidClient('client is invalid', 'client not found');
+      }
+      ctx.oidc.entity('Client', client);
+
+      const action = ctx.oidc.urlFor('code_verification');
+      await userCodeConfirmSource(
+        ctx,
+        formHtml.confirm(action, ctx.oidc.session.state.secret, userCode),
+        client,
+        code.deviceInfo,
+        denormalize(normalized, mask),
+      );
+      return;
+    }
+
+    code.inFlight = true;
+    await code.save();
+
+    await next();
+  },
+
+  function cleanup(ctx, next) {
+    ctx.oidc.session.state = undefined;
+    return next();
+  },
+];

package/dist/node_modules/oidc-provider/lib/actions/discovery.js

@@ -0,0 +1,151 @@
+/* eslint-disable max-len */
+
+import defaults from '../helpers/_/defaults.js';
+import instance from '../helpers/weak_cache.js';
+
+export default function discovery(ctx) {
+  const { configuration, features } = instance(ctx.oidc.provider);
+
+  ctx.body = {
+    acr_values_supported: configuration.acrValues.size ? [...configuration.acrValues] : undefined,
+    authorization_endpoint: ctx.oidc.urlFor('authorization'),
+    device_authorization_endpoint: features.deviceFlow.enabled
+      ? ctx.oidc.urlFor('device_authorization')
+      : undefined,
+    claims_parameter_supported: features.claimsParameter.enabled,
+    claims_supported: [...configuration.claimsSupported],
+    code_challenge_methods_supported: ['S256'],
+    end_session_endpoint: features.rpInitiatedLogout.enabled
+      ? ctx.oidc.urlFor('end_session')
+      : undefined,
+    grant_types_supported: [...configuration.grantTypes],
+    issuer: ctx.oidc.issuer,
+    jwks_uri: ctx.oidc.urlFor('jwks'),
+    registration_endpoint: features.registration.enabled
+      ? ctx.oidc.urlFor('registration')
+      : undefined,
+    authorization_response_iss_parameter_supported: true,
+    response_modes_supported: ['form_post', 'fragment', 'query'],
+    response_types_supported: configuration.responseTypes,
+    scopes_supported: [...configuration.scopes],
+    subject_types_supported: [...configuration.subjectTypes],
+    token_endpoint_auth_methods_supported: [...configuration.clientAuthMethods],
+    token_endpoint_auth_signing_alg_values_supported: configuration.clientAuthSigningAlgValues,
+    token_endpoint: ctx.oidc.urlFor('token'),
+  };
+
+  const { pushedAuthorizationRequests, requestObjects, richAuthorizationRequests } = features;
+
+  ctx.body.id_token_signing_alg_values_supported = configuration.idTokenSigningAlgValues;
+  if (features.encryption.enabled) {
+    ctx.body.id_token_encryption_alg_values_supported = configuration.idTokenEncryptionAlgValues;
+    ctx.body.id_token_encryption_enc_values_supported = configuration.idTokenEncryptionEncValues;
+  }
+
+  if (pushedAuthorizationRequests.enabled) {
+    ctx.body.pushed_authorization_request_endpoint = ctx.oidc.urlFor(
+      'pushed_authorization_request',
+    );
+    ctx.body.require_pushed_authorization_requests = pushedAuthorizationRequests.requirePushedAuthorizationRequests ? true : undefined;
+  }
+
+  ctx.body.request_uri_parameter_supported = false;
+  if (requestObjects.enabled) {
+    ctx.body.request_parameter_supported = true;
+    ctx.body.request_object_signing_alg_values_supported = configuration.requestObjectSigningAlgValues;
+    ctx.body.require_signed_request_object = requestObjects.requireSignedRequestObject
+      ? true
+      : undefined;
+
+    if (features.encryption.enabled) {
+      ctx.body.request_object_encryption_alg_values_supported = configuration.requestObjectEncryptionAlgValues;
+      ctx.body.request_object_encryption_enc_values_supported = configuration.requestObjectEncryptionEncValues;
+    }
+  }
+
+  if (features.userinfo.enabled) {
+    ctx.body.userinfo_endpoint = ctx.oidc.urlFor('userinfo');
+    if (features.jwtUserinfo.enabled) {
+      ctx.body.userinfo_signing_alg_values_supported = configuration.userinfoSigningAlgValues;
+      if (features.encryption.enabled) {
+        ctx.body.userinfo_encryption_alg_values_supported = configuration.userinfoEncryptionAlgValues;
+        ctx.body.userinfo_encryption_enc_values_supported = configuration.userinfoEncryptionEncValues;
+      }
+    }
+  }
+
+  if (features.webMessageResponseMode.enabled) {
+    ctx.body.response_modes_supported.push('web_message');
+  }
+
+  if (features.jwtResponseModes.enabled) {
+    ctx.body.response_modes_supported.push('jwt');
+
+    ctx.body.response_modes_supported.push('query.jwt');
+    ctx.body.response_modes_supported.push('fragment.jwt');
+    ctx.body.response_modes_supported.push('form_post.jwt');
+
+    if (features.webMessageResponseMode.enabled) {
+      ctx.body.response_modes_supported.push('web_message.jwt');
+    }
+
+    ctx.body.authorization_signing_alg_values_supported = configuration.authorizationSigningAlgValues;
+
+    if (features.encryption.enabled) {
+      ctx.body.authorization_encryption_alg_values_supported = configuration.authorizationEncryptionAlgValues;
+      ctx.body.authorization_encryption_enc_values_supported = configuration.authorizationEncryptionEncValues;
+    }
+  }
+
+  if (features.introspection.enabled) {
+    ctx.body.introspection_endpoint = ctx.oidc.urlFor('introspection');
+  }
+
+  if (features.jwtIntrospection.enabled) {
+    ctx.body.introspection_signing_alg_values_supported = configuration.introspectionSigningAlgValues;
+    if (features.encryption.enabled) {
+      ctx.body.introspection_encryption_alg_values_supported = configuration.introspectionEncryptionAlgValues;
+      ctx.body.introspection_encryption_enc_values_supported = configuration.introspectionEncryptionEncValues;
+    }
+  }
+
+  if (features.dPoP.enabled) {
+    ctx.body.dpop_signing_alg_values_supported = configuration.dPoPSigningAlgValues;
+  }
+
+  if (features.revocation.enabled) {
+    ctx.body.revocation_endpoint = ctx.oidc.urlFor('revocation');
+  }
+
+  if (features.backchannelLogout.enabled) {
+    ctx.body.backchannel_logout_supported = true;
+    ctx.body.backchannel_logout_session_supported = true;
+  }
+
+  if (features.mTLS.enabled && features.mTLS.certificateBoundAccessTokens) {
+    ctx.body.tls_client_certificate_bound_access_tokens = true;
+  }
+
+  if (features.ciba.enabled) {
+    ctx.body.backchannel_authentication_endpoint = ctx.oidc.urlFor('backchannel_authentication');
+    ctx.body.backchannel_token_delivery_modes_supported = [...features.ciba.deliveryModes];
+    ctx.body.backchannel_user_code_parameter_supported = true;
+    ctx.body.backchannel_authentication_request_signing_alg_values_supported = requestObjects.enabled
+      ? configuration.requestObjectSigningAlgValues.filter((alg) => !alg.startsWith('HS'))
+      : undefined;
+  }
+
+  if (richAuthorizationRequests.enabled) {
+    ctx.body.authorization_details_types_supported = Object.keys(richAuthorizationRequests.types);
+  }
+
+  if (features.attestClientAuth.enabled) {
+    ctx.body.challenge_endpoint = ctx.oidc.urlFor('challenge');
+  }
+
+  if (features.clientIdMetadataDocument.enabled) {
+    ctx.body.client_id_metadata_document_supported = true;
+  }
+
+  defaults(ctx.body, configuration.discovery);
+}