@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompts/login.js

@@ -0,0 +1,162 @@
+/* eslint-disable camelcase */
+
+import * as errors from '../../errors.js';
+import instance from '../../weak_cache.js';
+import Prompt from '../prompt.js';
+import Check from '../check.js';
+
+export default () => new Prompt(
+  { name: 'login', requestable: true },
+
+  (ctx) => {
+    const { oidc } = ctx;
+
+    return {
+      ...(oidc.params.max_age === undefined ? undefined : { max_age: oidc.params.max_age }),
+      ...(oidc.params.login_hint === undefined
+        ? undefined
+        : { login_hint: oidc.params.login_hint }),
+      ...(oidc.params.id_token_hint === undefined
+        ? undefined
+        : { id_token_hint: oidc.params.id_token_hint }),
+    };
+  },
+
+  new Check('no_session', 'End-User authentication is required', (ctx) => {
+    const { oidc } = ctx;
+    if (oidc.session.accountId) {
+      return Check.NO_NEED_TO_PROMPT;
+    }
+
+    return Check.REQUEST_PROMPT;
+  }),
+
+  new Check('max_age', 'End-User authentication could not be obtained', (ctx) => {
+    const { oidc } = ctx;
+    if (oidc.params.max_age === undefined) {
+      return Check.NO_NEED_TO_PROMPT;
+    }
+
+    if (!oidc.session.accountId) {
+      return Check.REQUEST_PROMPT;
+    }
+
+    if (oidc.session.past(oidc.params.max_age) && (!ctx.oidc.result || !ctx.oidc.result.login)) {
+      return Check.REQUEST_PROMPT;
+    }
+
+    return Check.NO_NEED_TO_PROMPT;
+  }),
+
+  new Check(
+    'id_token_hint',
+    'id_token_hint and authenticated subject do not match',
+    async (ctx) => {
+      const { oidc } = ctx;
+      if (oidc.entities.IdTokenHint === undefined) {
+        return Check.NO_NEED_TO_PROMPT;
+      }
+
+      const { payload } = oidc.entities.IdTokenHint;
+
+      let sub = oidc.session.accountId;
+      if (sub === undefined) {
+        return Check.REQUEST_PROMPT;
+      }
+
+      if (oidc.client.subjectType === 'pairwise') {
+        sub = await instance(oidc.provider).configuration.pairwiseIdentifier(
+          ctx,
+          sub,
+          oidc.client,
+        );
+      }
+
+      if (payload.sub !== sub) {
+        return Check.REQUEST_PROMPT;
+      }
+
+      return Check.NO_NEED_TO_PROMPT;
+    },
+  ),
+
+  new Check(
+    'claims_id_token_sub_value',
+    'requested subject could not be obtained',
+    async (ctx) => {
+      const { oidc } = ctx;
+
+      if (
+        !oidc.claims.id_token
+          || !oidc.claims.id_token.sub
+          || !('value' in oidc.claims.id_token.sub)
+      ) {
+        return Check.NO_NEED_TO_PROMPT;
+      }
+
+      let sub = oidc.session.accountId;
+      if (sub === undefined) {
+        return Check.REQUEST_PROMPT;
+      }
+
+      if (oidc.client.subjectType === 'pairwise') {
+        sub = await instance(oidc.provider).configuration.pairwiseIdentifier(
+          ctx,
+          sub,
+          oidc.client,
+        );
+      }
+
+      if (oidc.claims.id_token.sub.value !== sub) {
+        return Check.REQUEST_PROMPT;
+      }
+
+      return Check.NO_NEED_TO_PROMPT;
+    },
+    ({ oidc }) => ({ sub: oidc.claims.id_token.sub }),
+  ),
+
+  new Check(
+    'essential_acrs',
+    'none of the requested ACRs could not be obtained',
+    (ctx) => {
+      const { oidc } = ctx;
+      const request = oidc.claims?.id_token?.acr ?? {};
+
+      if (!request?.essential || !request?.values) {
+        return Check.NO_NEED_TO_PROMPT;
+      }
+
+      if (!Array.isArray(oidc.claims.id_token.acr.values)) {
+        throw new errors.InvalidRequest('invalid claims.id_token.acr.values type');
+      }
+
+      if (request.values.includes(oidc.acr)) {
+        return Check.NO_NEED_TO_PROMPT;
+      }
+
+      return Check.REQUEST_PROMPT;
+    },
+    ({ oidc }) => ({ acr: oidc.claims.id_token.acr }),
+  ),
+
+  new Check(
+    'essential_acr',
+    'requested ACR could not be obtained',
+    (ctx) => {
+      const { oidc } = ctx;
+      const request = oidc.claims?.id_token?.acr ?? {};
+
+      if (!request?.essential || !request?.value) {
+        return Check.NO_NEED_TO_PROMPT;
+      }
+
+      if (request.value === oidc.acr) {
+        return Check.NO_NEED_TO_PROMPT;
+      }
+
+      return Check.REQUEST_PROMPT;
+    },
+    ({ oidc }) => ({ acr: oidc.claims.id_token.acr }),
+  ),
+);

package/dist/node_modules/oidc-provider/lib/helpers/jwt.js

@@ -0,0 +1,211 @@
+import {
+  CompactEncrypt,
+  CompactSign,
+  compactDecrypt,
+  compactVerify,
+  decodeJwt,
+  decodeProtectedHeader,
+  errors,
+} from 'jose';
+
+import { ExternalSigningKey } from './keystore.js';
+import * as base64url from './base64url.js';
+import epochTime from './epoch_time.js';
+
+const { JWEDecryptionFailed, JWKSNoMatchingKey, JWSSignatureVerificationFailed } = errors;
+
+function verifyAudience({ aud }, expected) {
+  if (Array.isArray(aud)) {
+    const match = aud.some((actual) => actual === expected);
+    if (!match) throw new Error(`jwt audience missing ${expected}`);
+  } else if (aud !== expected) {
+    throw new Error(`jwt audience missing ${expected}`);
+  }
+}
+
+export async function sign(payload, key, alg, options = {}) {
+  const protectedHeader = {
+    alg,
+    typ: options.typ,
+    ...options.fields,
+  };
+  const timestamp = epochTime();
+
+  const iat = options.noIat ? undefined : timestamp;
+
+  Object.assign(payload, {
+    aud: options.audience !== undefined ? options.audience : payload.aud,
+    exp: options.expiresIn !== undefined ? timestamp + options.expiresIn : payload.exp,
+    iat: payload.iat !== undefined ? payload.iat : iat,
+    iss: options.issuer !== undefined ? options.issuer : payload.iss,
+    sub: options.subject !== undefined ? options.subject : payload.sub,
+  });
+
+  if (key instanceof ExternalSigningKey) {
+    const parts = [
+      base64url.encode(JSON.stringify(protectedHeader)),
+      base64url.encode(JSON.stringify(payload)),
+    ];
+    const data = Buffer.from(parts.join('.'));
+    parts.push(base64url.encodeBuffer(await key.sign(data)));
+    return parts.join('.');
+  }
+
+  return new CompactSign(Buffer.from(JSON.stringify(payload)))
+    .setProtectedHeader(protectedHeader)
+    .sign(key);
+}
+
+export function decode(input) {
+  let jwt;
+
+  if (Buffer.isBuffer(input)) {
+    jwt = input.toString('utf8');
+  } else if (typeof input !== 'string') {
+    throw new TypeError('invalid JWT.decode input type');
+  } else {
+    jwt = input;
+  }
+
+  const { 0: protectedHeader, 1: payload, length } = jwt.split('.');
+
+  if (length !== 3) {
+    throw new TypeError('invalid JWT.decode input');
+  }
+
+  return {
+    header: JSON.parse(base64url.decode(protectedHeader)),
+    payload: JSON.parse(base64url.decode(payload)),
+  };
+}
+
+export function header(jwt) {
+  return JSON.parse(base64url.decode(jwt.toString().split('.')[0]));
+}
+
+export function assertPayload(payload, {
+  clockTolerance = 0, audience, ignoreExpiration,
+  ignoreAzp, ignoreIssued, ignoreNotBefore, issuer,
+  subject = false,
+} = {}) {
+  const timestamp = epochTime();
+
+  if (typeof payload !== 'object') throw new Error('payload is not of JWT type (JSON serialized object)');
+
+  if (payload.nbf !== undefined && !ignoreNotBefore) {
+    if (typeof payload.nbf !== 'number') throw new Error('invalid nbf value');
+    if (payload.nbf > timestamp + clockTolerance) throw new Error('jwt not active yet');
+  }
+
+  if (payload.iat !== undefined && !ignoreIssued) {
+    if (typeof payload.iat !== 'number') throw new Error('invalid iat value');
+    if (payload.exp === undefined && payload.iat > timestamp + clockTolerance) {
+      throw new Error('jwt issued in the future');
+    }
+  }
+
+  if (payload.exp !== undefined && !ignoreExpiration) {
+    if (typeof payload.exp !== 'number') throw new Error('invalid exp value');
+    if (timestamp - clockTolerance >= payload.exp) throw new Error('jwt expired');
+  }
+
+  if (payload.jti !== undefined && typeof payload.jti !== 'string') {
+    throw new Error('invalid jti value');
+  }
+
+  if (payload.iss !== undefined && typeof payload.iss !== 'string') {
+    throw new Error('invalid iss value');
+  }
+
+  if (subject && typeof payload.sub !== 'string') {
+    throw new Error('invalid sub value');
+  }
+
+  if (audience) {
+    verifyAudience(
+      payload,
+      audience,
+      !ignoreAzp,
+    );
+  }
+
+  if (issuer && payload.iss !== issuer) throw new Error('jwt issuer invalid');
+}
+
+export async function verify(jwt, keystore, options = {}) {
+  let verified;
+  let protectedHeader;
+  try {
+    protectedHeader = decodeProtectedHeader(jwt);
+
+    const keys = keystore.selectForVerify({ alg: protectedHeader.alg, kid: protectedHeader.kid });
+    if (keys.length === 0) {
+      throw new JWKSNoMatchingKey();
+    } else {
+      for (const key of keys) {
+        try {
+          verified = await compactVerify(
+            jwt,
+            await keystore.getKeyObject(key, true),
+            { algorithms: options.algorithm ? [options.algorithm] : undefined },
+          );
+        } catch {}
+      }
+    }
+
+    if (!verified) {
+      throw new JWSSignatureVerificationFailed();
+    }
+  } catch (err) {
+    if (typeof keystore.fresh !== 'function' || keystore.fresh()) {
+      throw err;
+    }
+
+    await keystore.refresh();
+    // eslint-disable-next-line prefer-rest-params
+    return verify(...arguments);
+  }
+
+  const payload = decodeJwt(jwt);
+  assertPayload(payload, options);
+
+  return { payload, header: protectedHeader };
+}
+
+export async function encrypt(cleartext, key, {
+  enc, alg, fields,
+} = {}) {
+  const protectedHeader = {
+    alg, enc, ...fields,
+  };
+
+  return new CompactEncrypt(Buffer.from(cleartext))
+    .setProtectedHeader(protectedHeader)
+    .encrypt(key);
+}
+
+export async function decrypt(jwe, keystore) {
+  const protectedHeader = decodeProtectedHeader(jwe);
+
+  const keys = keystore.selectForDecrypt({ alg: protectedHeader.alg === 'dir' ? protectedHeader.enc : protectedHeader.alg, kid: protectedHeader.kid, epk: protectedHeader.epk });
+  let decrypted;
+  if (keys.length === 0) {
+    throw new JWKSNoMatchingKey();
+  } else {
+    for (const key of keys) {
+      try {
+        decrypted = await compactDecrypt(
+          jwe,
+          keystore.getKeyObject(key),
+          { maxDecompressedLength: 0 },
+        );
+      } catch {}
+    }
+  }
+
+  if (!decrypted) {
+    throw new JWEDecryptionFailed();
+  }
+
+  return Buffer.from(decrypted.plaintext);
+}

package/dist/node_modules/oidc-provider/lib/helpers/keystore.js

@@ -0,0 +1,301 @@
+/* eslint-disable class-methods-use-this, max-classes-per-file, no-plusplus */
+
+export class ExternalSigningKey {
+  #publicJwk;
+
+  #kid;
+
+  #alg;
+
+  get kid() {
+    return this.#kid;
+  }
+
+  set kid(value) {
+    this.#kid = value;
+  }
+
+  get alg() {
+    return this.#alg;
+  }
+
+  set alg(value) {
+    this.#alg = value;
+  }
+
+  get use() {
+    return 'sig';
+  }
+
+  #ensurePublicJwk() {
+    this.#publicJwk ||= this.keyObject().export({ format: 'jwk' });
+  }
+
+  get kty() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.kty;
+  }
+
+  get pub() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.pub;
+  }
+
+  get e() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.e;
+  }
+
+  get n() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.n;
+  }
+
+  get x() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.x;
+  }
+
+  get y() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.y;
+  }
+
+  get crv() {
+    this.#ensurePublicJwk();
+    return this.#publicJwk.crv;
+  }
+
+  get key_ops() {
+    return undefined;
+  }
+
+  get x5c() {
+    return undefined;
+  }
+
+  keyObject() {
+    throw new Error('not implemented');
+  }
+
+  sign() {
+    throw new Error('not implemented');
+  }
+}
+
+const keyscore = (key, { alg, use }) => {
+  let score = 0;
+
+  if (alg && key.alg) {
+    score++;
+  }
+
+  if (use && key.use) {
+    score++;
+  }
+
+  return score;
+};
+
+const getKtyFromJWSAlg = (alg) => {
+  switch (alg.substring(0, 2)) {
+    case 'RS':
+    case 'PS': return 'RSA';
+    case 'HS': return 'oct';
+    case 'ES': return 'EC';
+    case 'Ed': return 'OKP';
+    case 'ML': return 'AKP';
+    default:
+      throw new Error();
+  }
+};
+
+const getCrvFromJWSAlg = (alg) => {
+  switch (alg) {
+    case 'ES256': return 'P-256';
+    case 'ES384': return 'P-384';
+    case 'ES512': return 'P-521';
+    case 'EdDSA':
+    case 'Ed25519': return 'Ed25519';
+    default:
+      return undefined;
+  }
+};
+
+const getKtyFromJWEAlg = (alg, epk) => {
+  switch (alg[0]) {
+    case 'A': return 'oct';
+    case 'R': return 'RSA';
+    case 'E': {
+      if (epk) {
+        return epk.crv.startsWith('X') ? 'OKP' : 'EC';
+      }
+
+      return ['OKP', 'EC'];
+    }
+    default:
+      throw new Error();
+  }
+};
+
+const selectForDSA = Symbol();
+const selectForEncDec = Symbol();
+const filter = Symbol();
+
+function stripPrivate(jwk) {
+  const {
+    d, p, q, dp, dq, qi, oth, priv, ...pub
+  } = jwk;
+  return pub;
+}
+
+class KeyStore {
+  #keys;
+
+  #cachedPub;
+
+  constructor(keys = []) {
+    this.#keys = keys;
+  }
+
+  [selectForDSA](options, operation) {
+    const {
+      alg,
+      kid,
+      kty = getKtyFromJWSAlg(alg),
+      crv = getCrvFromJWSAlg(alg),
+    } = options;
+
+    const scoring = { alg, use: 'sig' };
+
+    return this[filter]((jwk) => {
+      let candidate = jwk.kty === kty;
+
+      if (candidate && typeof kid === 'string') {
+        candidate = kid === jwk.kid;
+      }
+
+      if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {
+        candidate = alg === jwk.alg;
+      }
+
+      if (candidate && typeof jwk.use === 'string') {
+        candidate = jwk.use === 'sig';
+      }
+
+      if (candidate && crv) {
+        candidate = jwk.crv === crv;
+      }
+
+      if (candidate && Array.isArray(jwk.key_ops)) {
+        candidate = jwk.key_ops.includes(operation);
+      }
+
+      return candidate;
+    }, scoring);
+  }
+
+  selectForVerify(options) {
+    return this[selectForDSA](options, 'verify');
+  }
+
+  selectForSign(options) {
+    return this[selectForDSA](options, 'sign');
+  }
+
+  [selectForEncDec](options, operation) {
+    const {
+      alg,
+      kid,
+      epk,
+      kty = getKtyFromJWEAlg(alg, epk),
+    } = options;
+
+    const scoring = { alg, use: 'enc' };
+
+    return this[filter]((jwk) => {
+      let candidate = Array.isArray(kty) ? kty.includes(jwk.kty) : jwk.kty === kty;
+
+      if (candidate && kid !== undefined) {
+        candidate = kid === jwk.kid;
+      }
+
+      if (candidate && jwk.alg !== undefined) {
+        candidate = alg === jwk.alg;
+      }
+
+      if (candidate && jwk.use !== undefined) {
+        candidate = jwk.use === 'enc';
+      }
+
+      if (candidate && epk) {
+        candidate = epk.crv === jwk.crv;
+      }
+
+      if (candidate && Array.isArray(jwk.key_ops)) {
+        switch (kty) {
+          case 'RSA': {
+            candidate = jwk.key_ops.includes(operation);
+            break;
+          }
+          case 'EC':
+          case 'OKP': {
+            if (operation === 'decrypt') candidate = jwk.key_ops.includes('deriveBits');
+            break;
+          }
+          default:
+        }
+      }
+
+      return candidate;
+    }, scoring);
+  }
+
+  selectForDecrypt(options) {
+    return this[selectForEncDec](options, 'decrypt');
+  }
+
+  selectForEncrypt(options) {
+    return this[selectForEncDec](options, 'encrypt');
+  }
+
+  [filter](selector, scoring) {
+    return this.#keys
+      .filter(selector)
+      .sort((first, second) => keyscore(second, scoring) - keyscore(first, scoring));
+  }
+
+  add(key) {
+    this.#keys.push(key);
+  }
+
+  clear() {
+    this.#keys = [];
+  }
+
+  getKeyObject(input, getPublic = false) {
+    if (input instanceof ExternalSigningKey) {
+      return getPublic ? input.keyObject() : input;
+    }
+
+    if (input.kty === 'oct' || (!input.d && !input.priv) || !getPublic) {
+      return input;
+    }
+
+    this.#cachedPub ||= new WeakMap();
+
+    if (!this.#cachedPub.has(input)) {
+      this.#cachedPub.set(input, stripPrivate(input));
+    }
+
+    return this.#cachedPub.get(input);
+  }
+
+  * [Symbol.iterator]() {
+    for (const key of this.#keys) {
+      yield key;
+    }
+  }
+}
+
+export default KeyStore;

package/dist/node_modules/oidc-provider/lib/helpers/nanoid.js

@@ -0,0 +1,5 @@
+import { customAlphabet, urlAlphabet } from 'nanoid';
+
+const nanoid = customAlphabet(urlAlphabet, 43);
+
+export default nanoid;