@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/helpers/grant_common.js

@@ -0,0 +1,214 @@
+import upperFirst from './_/upper_first.js';
+import camelCase from './_/camel_case.js';
+import * as errors from './errors.js';
+import { CHALLENGE_OK_WINDOW } from './validate_dpop.js';
+import epochTime from './epoch_time.js';
+import filterClaims from './filter_claims.js';
+import resolveResource from './resolve_resource.js';
+import getCtxAccountClaims from './account_claims.js';
+import { setRefreshTokenBindings } from './set_rt_bindings.js';
+
+const { InvalidGrant } = errors;
+
+export function throwIfAsyncGrantError(entity) {
+  if (entity.error) {
+    const className = upperFirst(camelCase(entity.error));
+    if (errors[className]) {
+      throw new errors[className](entity.errorDescription);
+    }
+    throw new errors.CustomOIDCProviderError(entity.error, entity.errorDescription);
+  }
+}
+
+export function checkMtlsCert(ctx, getCertificate) {
+  if (ctx.oidc.client.tlsClientCertificateBoundAccessTokens) {
+    const cert = getCertificate(ctx);
+    if (!cert) {
+      throw new InvalidGrant('mutual TLS client certificate not provided');
+    }
+    return cert;
+  }
+  return undefined;
+}
+
+export function checkDpopRequired(ctx, dPoP) {
+  if (!dPoP && ctx.oidc.client.dpopBoundAccessTokens) {
+    throw new InvalidGrant('DPoP proof JWT not provided');
+  }
+}
+
+export async function validateGrant(ctx, grantId) {
+  const grant = await ctx.oidc.provider.Grant.find(grantId, {
+    ignoreExpiration: true,
+  });
+
+  if (!grant) {
+    throw new InvalidGrant('grant not found');
+  }
+
+  if (grant.isExpired) {
+    throw new InvalidGrant('grant is expired');
+  }
+
+  if (grant.clientId !== ctx.oidc.client.clientId) {
+    throw new InvalidGrant('client mismatch');
+  }
+
+  return grant;
+}
+
+export async function validateAccount(ctx, findAccount, code, entityLabel) {
+  const account = await findAccount(ctx, code.accountId, code);
+
+  if (!account) {
+    throw new InvalidGrant(`${entityLabel} invalid (referenced account not found)`);
+  }
+
+  return account;
+}
+
+export function checkAccountMismatch(code, grant) {
+  if (code.accountId !== grant.accountId) {
+    throw new InvalidGrant('accountId mismatch');
+  }
+}
+
+export function createAccessToken(ctx, AccessToken, source, gty) {
+  return new AccessToken({
+    accountId: source.accountId,
+    client: ctx.oidc.client,
+    expiresWithSession: source.expiresWithSession,
+    grantId: source.grantId,
+    gty,
+    sessionUid: source.sessionUid,
+    sid: source.sid,
+  });
+}
+
+export function applyMtlsBinding(at, cert) {
+  if (cert) {
+    at.setThumbprint('x5t', cert);
+  }
+}
+
+export async function applyDpopBinding(ctx, dPoP, at, allowReplay) {
+  if (dPoP) {
+    if (!allowReplay) {
+      const { ReplayDetection } = ctx.oidc.provider;
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + CHALLENGE_OK_WINDOW,
+      );
+
+      ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    }
+
+    at.setThumbprint('jkt', dPoP.thumbprint);
+  }
+}
+
+export async function resolveAndApplyResource(ctx, source, at, grant, {
+  userinfo, resourceIndicators,
+}, scope) {
+  const resource = await resolveResource(ctx, source, { userinfo, resourceIndicators }, scope);
+
+  /* eslint-disable no-param-reassign */
+  if (resource) {
+    const resourceServerInfo = await resourceIndicators
+      .getResourceServerInfo(ctx, resource, ctx.oidc.client);
+    at.resourceServer = new ctx.oidc.provider.ResourceServer(resource, resourceServerInfo);
+    at.scope = grant.getResourceScopeFiltered(resource, scope || source.scopes);
+  } else {
+    at.claims = source.claims;
+    at.scope = grant.getOIDCScopeFiltered(scope || source.scopes);
+  }
+  /* eslint-enable no-param-reassign */
+
+  return resource;
+}
+
+export async function createRefreshToken(ctx, source, at, gty, {
+  issueRefreshToken, RefreshToken,
+}) {
+  if (await issueRefreshToken(ctx, ctx.oidc.client, source)) {
+    const rt = new RefreshToken({
+      accountId: source.accountId,
+      acr: source.acr,
+      amr: source.amr,
+      authTime: source.authTime,
+      claims: source.claims,
+      client: ctx.oidc.client,
+      expiresWithSession: source.expiresWithSession,
+      grantId: source.grantId,
+      gty,
+      nonce: source.nonce,
+      resource: source.resource,
+      rotations: 0,
+      scope: source.scope,
+      sessionUid: source.sessionUid,
+      sid: source.sid,
+      rar: source.rar,
+    });
+
+    await setRefreshTokenBindings(ctx, at, rt);
+
+    ctx.oidc.entity('RefreshToken', rt);
+    return rt.save();
+  }
+
+  return undefined;
+}
+
+export async function issueIdToken(ctx, source, at, grant, {
+  conformIdTokenClaims, userinfo,
+}, scopeOverride) {
+  const scopes = scopeOverride || source.scopes;
+  if (!scopes.has('openid')) {
+    return undefined;
+  }
+
+  const { IdToken } = ctx.oidc.provider;
+  const claims = filterClaims(source.claims, 'id_token', grant);
+  const rejected = grant.getRejectedOIDCClaims();
+  const token = new IdToken({
+    ...await getCtxAccountClaims(
+      ctx,
+      'id_token',
+      typeof source.scope === 'string' ? source.scope : [...scopes].join(' '),
+      claims,
+      rejected,
+    ),
+    acr: source.acr,
+    amr: source.amr,
+    auth_time: source.authTime,
+  }, { ctx });
+
+  if (conformIdTokenClaims && userinfo.enabled && !at.aud) {
+    token.scope = 'openid';
+  } else {
+    token.scope = grant.getOIDCScopeFiltered(scopes);
+  }
+
+  token.mask = claims;
+  token.rejected = rejected;
+
+  token.set('nonce', source.nonce);
+  token.set('sid', source.sid);
+
+  return token.issue({ use: 'idtoken' });
+}
+
+export function buildTokenResponse(at, accessToken, {
+  idToken, refreshToken, source, rar,
+}) {
+  return {
+    access_token: accessToken,
+    expires_in: at.expiration,
+    id_token: idToken,
+    refresh_token: refreshToken,
+    scope: source.scope ? at.scope : (at.scope || undefined),
+    token_type: at.tokenType,
+    authorization_details: rar,
+  };
+}

package/dist/node_modules/oidc-provider/lib/helpers/html_safe.js

@@ -0,0 +1,19 @@
+export default function htmlSafe(input) {
+  if (typeof input === 'number' && Number.isFinite(input)) {
+    return `${input}`;
+  }
+
+  if (typeof input === 'string') {
+    return input.replace(/&/g, '&')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;');
+  }
+
+  if (typeof input === 'boolean') {
+    return input.toString();
+  }
+
+  return '';
+}

package/dist/node_modules/oidc-provider/lib/helpers/initialize_adapter.js

@@ -0,0 +1,24 @@
+import * as util from 'node:util';
+
+import MemoryAdapter from '../adapters/memory_adapter.js';
+
+import instance from './weak_cache.js';
+import * as attention from './attention.js';
+import isConstructable from './type_validators.js';
+
+export default function initializeAdapter(adapter = MemoryAdapter) {
+  if (adapter === MemoryAdapter) {
+    attention.warn('a quick start development-only in-memory adapter is used, you MUST change it in'
+    + ' order to not lose all stateful provider data upon restart and to be able to share these'
+    + ' between processes');
+  } else {
+    const constructable = isConstructable(adapter);
+    const executable = typeof adapter === 'function' && !util.types.isAsyncFunction(adapter);
+
+    if (!constructable && !executable) {
+      throw new Error('Expected "adapter" to be a constructor or a factory function, provide a valid adapter in Provider config.');
+    }
+  }
+
+  instance(this).Adapter = adapter;
+}

package/dist/node_modules/oidc-provider/lib/helpers/initialize_app.js

@@ -0,0 +1,243 @@
+import { strict as assert } from 'node:assert';
+
+import Router from '@koa/router';
+
+import devInteractions from '../actions/interaction.js';
+import cors from '../shared/cors.js';
+import * as grants from '../actions/grants/index.js';
+import * as responseModes from '../response_modes/index.js';
+import error from '../shared/error_handler.js';
+import getAuthError from '../shared/authorization_error_handler.js';
+import {
+  getAuthorization, userinfo, getToken, jwks, registration, getRevocation,
+  getIntrospection, discovery, endSession, codeVerification, challenge,
+} from '../actions/index.js';
+
+import als from './als.js';
+import instance from './weak_cache.js';
+
+export default function initializeApp() {
+  const { configuration, features } = instance(this);
+  const maxAge = 3600;
+  function exposeHeaders({
+    dpop = features.dPoP.enabled && features.dPoP.nonceSecret,
+    attest = features.attestClientAuth.enabled,
+    wwwAuth = true,
+  } = {}) {
+    return [
+      dpop ? 'DPoP-Nonce' : undefined,
+      attest ? 'OAuth-Client-Attestation-Challenge' : undefined,
+      wwwAuth ? 'WWW-Authenticate' : undefined,
+    ].filter(Boolean);
+  }
+
+  const CORS = {
+    open: cors({ allowMethods: 'GET', maxAge }),
+    challenge: cors({ allowMethods: 'POST', maxAge, exposeHeaders: exposeHeaders({ wwwAuth: false }) }),
+    userinfo: cors({
+      allowMethods: 'GET,POST', clientBased: true, maxAge, exposeHeaders: exposeHeaders({ attest: false }),
+    }),
+    client: cors({
+      allowMethods: 'POST', clientBased: true, maxAge, exposeHeaders: exposeHeaders({ dpop: false }),
+    }),
+    clientWithDPoP: cors({
+      allowMethods: 'POST', clientBased: true, maxAge, exposeHeaders: exposeHeaders(),
+    }),
+    respond: () => {},
+  };
+
+  const router = new Router();
+  instance(this).router = router;
+
+  const ensureOIDC = async (ctx, next) => {
+    let oidcCtx;
+    Object.defineProperty(ctx, 'oidc', {
+      get: () => {
+        oidcCtx ||= new this.OIDCContext(ctx);
+        return oidcCtx;
+      },
+    });
+    return als.run(ctx, () => next());
+  };
+
+  const routeMap = new Map();
+  function normalizeRoute(name, route, ...stack) {
+    assert(typeof name === 'string' && name.charAt(0) !== '/', `invalid route name ${name}`);
+    assert(typeof route === 'string' && route.charAt(0) === '/', `invalid route ${route}`);
+    route = route.replace(/\/\//g, '/'); // eslint-disable-line no-param-reassign
+    stack.forEach((middleware) => assert.equal(typeof middleware, 'function'), 'invalid middleware');
+    routeMap.set(name, route);
+    return route;
+  }
+  async function ensureSessionSave(ctx, next) {
+    try {
+      await next();
+    } finally {
+      if (ctx.oidc.session?.touched && !ctx.oidc.session.destroyed) {
+        await ctx.oidc.session.persist();
+      }
+    }
+  }
+
+  const get = (name, route, ...stack) => {
+    route = normalizeRoute(name, route, ...stack); // eslint-disable-line no-param-reassign
+    router.get(name, route, ensureOIDC, ensureSessionSave, ...stack);
+  };
+  const post = (name, route, ...stack) => {
+    route = normalizeRoute(name, route, ...stack); // eslint-disable-line no-param-reassign
+    router.post(name, route, ensureOIDC, ensureSessionSave, ...stack);
+  };
+  const del = (name, route, ...stack) => {
+    route = normalizeRoute(name, route, ...stack); // eslint-disable-line no-param-reassign
+    router.delete(name, route, ensureOIDC, ...stack);
+  };
+  const put = (name, route, ...stack) => {
+    route = normalizeRoute(name, route, ...stack); // eslint-disable-line no-param-reassign
+    router.put(name, route, ensureOIDC, ...stack);
+  };
+  const options = (name, route, ...stack) => {
+    route = normalizeRoute(name, route, ...stack); // eslint-disable-line no-param-reassign
+    router.options(name, route, ensureOIDC, ...stack);
+  };
+
+  const { routes, enableHttpPostMethods } = configuration;
+
+  for (const { handler, parameters, grantType } of Object.values(grants)) {
+    const { grantTypeHandlers } = instance(this);
+    if (configuration.grantTypes.has(grantType) && !grantTypeHandlers.has(grantType)) {
+      let dupes;
+      if (features.resourceIndicators.enabled) {
+        parameters.add('resource');
+        dupes = new Set(['resource']);
+      }
+      if (features.richAuthorizationRequests.enabled) {
+        parameters.add('authorization_details');
+      }
+      this.registerGrantType(grantType, handler, parameters, dupes);
+    }
+  }
+
+  ['query', 'fragment', 'form_post'].forEach((mode) => {
+    this.registerResponseMode(mode, responseModes[mode]);
+  });
+
+  if (features.webMessageResponseMode.enabled) {
+    this.registerResponseMode('web_message', responseModes.webMessage);
+  }
+
+  if (features.jwtResponseModes.enabled) {
+    this.registerResponseMode('jwt', responseModes.jwt);
+
+    ['query', 'fragment', 'form_post'].forEach((mode) => {
+      this.registerResponseMode(`${mode}.jwt`, responseModes.jwt);
+    });
+
+    if (features.webMessageResponseMode.enabled) {
+      this.registerResponseMode('web_message.jwt', responseModes.jwt);
+    }
+  }
+
+  const authorization = getAuthorization(this, 'authorization');
+  const authError = getAuthError(this);
+  get('authorization', routes.authorization, authError, ...authorization);
+  if (enableHttpPostMethods) {
+    post('authorization', routes.authorization, authError, ...authorization);
+  }
+
+  const resume = getAuthorization(this, 'resume');
+  get('resume', `${routes.authorization}/:uid`, authError, ...resume);
+
+  if (features.userinfo.enabled) {
+    get('userinfo', routes.userinfo, CORS.userinfo, error(this, 'userinfo.error'), ...userinfo);
+    post('userinfo', routes.userinfo, CORS.userinfo, error(this, 'userinfo.error'), ...userinfo);
+    options('cors.userinfo', routes.userinfo, CORS.userinfo, CORS.respond);
+  }
+
+  const token = getToken(this);
+  post('token', routes.token, error(this, 'grant.error'), CORS.clientWithDPoP, ...token);
+  options('cors.token', routes.token, CORS.clientWithDPoP, CORS.respond);
+
+  get('jwks', routes.jwks, CORS.open, error(this, 'jwks.error'), jwks);
+  options('cors.jwks', routes.jwks, CORS.open, CORS.respond);
+
+  const oauthDiscoveryRoute = '/.well-known/oauth-authorization-server';
+  get('discovery', oauthDiscoveryRoute, CORS.open, error(this, 'discovery.error'), discovery);
+  options('cors.discovery', oauthDiscoveryRoute, CORS.open, CORS.respond);
+
+  const openidDiscoveryRoute = '/.well-known/openid-configuration';
+  get('discovery', openidDiscoveryRoute, CORS.open, error(this, 'discovery.error'), discovery);
+  options('cors.discovery', openidDiscoveryRoute, CORS.open, CORS.respond);
+
+  if (features.attestClientAuth.enabled) {
+    post('challenge', routes.challenge, error(this, 'challenge.error'), CORS.challenge, ...challenge);
+    options('cors.challenge', routes.challenge, CORS.challenge, CORS.respond);
+  }
+
+  if (features.registration.enabled) {
+    const clientRoute = `${routes.registration}/:clientId`;
+
+    post('registration', routes.registration, error(this, 'registration_create.error'), ...registration.post);
+    get('client', clientRoute, error(this, 'registration_read.error'), ...registration.get);
+
+    if (features.registrationManagement.enabled) {
+      put('client_update', clientRoute, error(this, 'registration_update.error'), ...registration.put);
+      del('client_delete', clientRoute, error(this, 'registration_delete.error'), ...registration.del);
+    }
+  }
+
+  if (features.revocation.enabled) {
+    const revocation = getRevocation(this);
+    post('revocation', routes.revocation, error(this, 'revocation.error'), CORS.client, ...revocation);
+    options('cors.revocation', routes.revocation, CORS.client, CORS.respond);
+  }
+
+  if (features.introspection.enabled) {
+    const introspection = getIntrospection(this);
+    post('introspection', routes.introspection, error(this, 'introspection.error'), CORS.client, ...introspection);
+    options('cors.introspection', routes.introspection, CORS.client, CORS.respond);
+  }
+
+  post('end_session_confirm', `${routes.end_session}/confirm`, error(this, 'end_session_confirm.error'), ...endSession.confirm);
+
+  if (features.rpInitiatedLogout.enabled) {
+    if (enableHttpPostMethods) {
+      post('end_session', routes.end_session, error(this, 'end_session.error'), ...endSession.init);
+    }
+    get('end_session', routes.end_session, error(this, 'end_session.error'), ...endSession.init);
+    get('end_session_success', `${routes.end_session}/success`, error(this, 'end_session_success.error'), ...endSession.success);
+  }
+
+  if (features.deviceFlow.enabled) {
+    const deviceAuthorization = getAuthorization(this, 'device_authorization');
+    post('device_authorization', routes.device_authorization, error(this, 'device_authorization.error'), CORS.client, ...deviceAuthorization);
+    options('cors.device_authorization', routes.device_authorization, CORS.client, CORS.respond);
+
+    const postCodeVerification = getAuthorization(this, 'code_verification');
+    get('code_verification', routes.code_verification, error(this, 'code_verification.error'), ...codeVerification.get);
+    post('code_verification', routes.code_verification, error(this, 'code_verification.error'), ...codeVerification.post, ...postCodeVerification);
+
+    const deviceResume = getAuthorization(this, 'device_resume');
+    get('device_resume', `${routes.code_verification}/:uid`, error(this, 'device_resume.error'), ...deviceResume);
+  }
+
+  if (features.pushedAuthorizationRequests.enabled) {
+    const pushedAuthorizationRequests = getAuthorization(this, 'pushed_authorization_request');
+    post('pushed_authorization_request', routes.pushed_authorization_request, error(this, 'pushed_authorization_request.error'), CORS.clientWithDPoP, ...pushedAuthorizationRequests);
+    options('cors.pushed_authorization_request', routes.pushed_authorization_request, CORS.clientWithDPoP, CORS.respond);
+  }
+
+  if (features.ciba.enabled) {
+    const ciba = getAuthorization(this, 'backchannel_authentication');
+    post('backchannel_authentication', routes.backchannel_authentication, error(this, 'backchannel_authentication.error'), ...ciba);
+  }
+
+  if (features.devInteractions.enabled) {
+    const interaction = devInteractions(this);
+
+    get('interaction', '/interaction/:uid', error(this), ...interaction.render);
+    post('submit', '/interaction/:uid', error(this), ...interaction.submit);
+    get('abort', '/interaction/:uid/abort', error(this), ...interaction.abort);
+  }
+
+  return router.routes();
+}

package/dist/node_modules/oidc-provider/lib/helpers/initialize_clients.js

@@ -0,0 +1,24 @@
+import instance from './weak_cache.js';
+import isPlainObject from './_/is_plain_object.js';
+import { InvalidClientMetadata } from './errors.js';
+
+export default function initializeClients(clients = []) {
+  let staticClients;
+
+  for (const metadata of clients) {
+    if (!isPlainObject(metadata) || !metadata.client_id) {
+      throw new InvalidClientMetadata('client_id is mandatory property for statically configured clients');
+    }
+
+    if (staticClients?.has(metadata.client_id)) {
+      throw new InvalidClientMetadata('client_id must be unique amongst statically configured clients');
+    }
+
+    staticClients ||= new Map();
+    staticClients.set(metadata.client_id, structuredClone(metadata));
+  }
+
+  if (staticClients) {
+    instance(this).staticClients = staticClients;
+  }
+}