@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/helpers/oidc_context.js

@@ -0,0 +1,284 @@
+/* eslint-disable max-classes-per-file */
+import * as events from 'node:events';
+
+import isPlainObject from './_/is_plain_object.js';
+import omitBy from './_/omit_by.js';
+import { InvalidRequest, InvalidToken } from './errors.js';
+import instance from './weak_cache.js';
+import resolveResponseMode from './resolve_response_mode.js';
+
+const COOKIES = Symbol();
+
+export class NoAccessTokenProvided extends InvalidToken {
+  constructor() {
+    super();
+    // eslint-disable-next-line no-multi-assign
+    this.error_detail = this.error_description = 'no access token provided';
+  }
+}
+
+export default function getContext(provider) {
+  const {
+    acceptQueryParamAccessTokens,
+    features: {
+      dPoP: dPoPConfig,
+      fapi,
+    },
+    scopes: oidcScopes,
+  } = instance(provider).configuration;
+
+  class OIDCContext extends events.EventEmitter {
+    #requestParamClaims = null;
+
+    #accessToken = null;
+
+    #fapiProfile = null;
+
+    constructor(ctx) {
+      super();
+      this.ctx = ctx;
+      this.route = ctx._matchedRouteName;
+      this.redirectUriCheckPerformed = false;
+      this.entities = {};
+      this.claims = {};
+      this.resourceServers = {};
+    }
+
+    get cookies() {
+      if (!this[COOKIES]) {
+        this[COOKIES] = provider.createContext(this.ctx.req, this.ctx.res).cookies;
+        this[COOKIES].secure = !this[COOKIES].secure && this.ctx.secure
+          ? true : this[COOKIES].secure;
+      }
+
+      return this[COOKIES];
+    }
+
+    get fapiProfile() {
+      if (this.#fapiProfile === null) {
+        this.#fapiProfile = fapi.profile(this.ctx, this.client);
+      }
+
+      return this.#fapiProfile;
+    }
+
+    isFapi(...oneOf) {
+      const i = oneOf.indexOf(this.fapiProfile);
+      return i !== -1 ? oneOf[i] : undefined;
+    }
+
+    get issuer() { // eslint-disable-line class-methods-use-this
+      return provider.issuer;
+    }
+
+    get provider() { // eslint-disable-line class-methods-use-this
+      return provider;
+    }
+
+    entity(key, value) {
+      this.entities[key] = value;
+
+      if (key === 'Client') {
+        this.emit('assign.client', this.ctx, value);
+      }
+    }
+
+    urlFor(name, opt) {
+      const { originalUrl } = this.ctx.req;
+      const mountPath = originalUrl?.substring(0, originalUrl?.indexOf(this.ctx.request.url))
+        || this.ctx.mountPath // koa-mount
+        || this.ctx.req.baseUrl // expressApp.use('/op', provider.callback());
+        || ''; // no mount
+
+      return new URL(provider.pathFor(name, { mountPath, ...opt }), this.ctx.href).href;
+    }
+
+    promptPending(name) {
+      if (this.ctx.oidc.route.endsWith('resume')) {
+        const should = new Set([...this.prompts]);
+        Object.keys(this.result || {}).forEach(Set.prototype.delete.bind(should));
+
+        return should.has(name);
+      }
+
+      // first pass
+      return this.prompts.has(name);
+    }
+
+    get requestParamClaims() {
+      if (this.#requestParamClaims) {
+        return this.#requestParamClaims;
+      }
+      const requestParamClaims = new Set();
+
+      if (this.params.claims) {
+        const {
+          userinfo, id_token: idToken,
+        } = JSON.parse(this.params.claims);
+
+        const claims = instance(provider).configuration.claimsSupported;
+        if (userinfo) {
+          Object.entries(userinfo).forEach(([claim, value]) => {
+            if (claims.has(claim) && (value === null || isPlainObject(value))) {
+              requestParamClaims.add(claim);
+            }
+          });
+        }
+
+        if (idToken) {
+          Object.entries(idToken).forEach(([claim, value]) => {
+            if (claims.has(claim) && (value === null || isPlainObject(value))) {
+              requestParamClaims.add(claim);
+            }
+          });
+        }
+      }
+
+      this.#requestParamClaims = requestParamClaims;
+
+      return requestParamClaims;
+    }
+
+    clientJwtAuthExpectedAudience() {
+      return new Set([this.issuer, this.urlFor('token'), this.urlFor(this.route)]);
+    }
+
+    get requestParamScopes() {
+      return new Set(this.params.scope?.split(' '));
+    }
+
+    get requestParamOIDCScopes() {
+      return new Set(this.params.scope?.split(' ').filter(Set.prototype.has.bind(oidcScopes)));
+    }
+
+    resolvedClaims() {
+      const rejected = this.session.rejectedClaimsFor(this.params.client_id);
+      const claims = structuredClone(this.claims);
+      claims.rejected = [...rejected];
+
+      return claims;
+    }
+
+    get responseMode() {
+      if (typeof this.params.response_mode === 'string') {
+        return this.params.response_mode;
+      }
+
+      if (this.params.response_type !== undefined) {
+        return resolveResponseMode(this.params.response_type);
+      }
+
+      return undefined;
+    }
+
+    get acr() {
+      return this.session.acr;
+    }
+
+    get amr() {
+      return this.session.amr;
+    }
+
+    get prompts() {
+      return new Set(this.params.prompt ? this.params.prompt.split(' ') : []);
+    }
+
+    get registrationAccessToken() {
+      return this.entities.RegistrationAccessToken;
+    }
+
+    get deviceCode() {
+      return this.entities.DeviceCode;
+    }
+
+    get authorizationCode() {
+      return this.entities.AuthorizationCode;
+    }
+
+    get refreshToken() {
+      return this.entities.RefreshToken;
+    }
+
+    get accessToken() {
+      return this.entities.AccessToken;
+    }
+
+    get account() {
+      return this.entities.Account;
+    }
+
+    get client() {
+      return this.entities.Client;
+    }
+
+    get grant() {
+      return this.entities.Grant;
+    }
+
+    getAccessToken({
+      acceptDPoP = false, acceptQueryParam = acceptQueryParamAccessTokens && !fapi.enabled,
+    } = {}) {
+      if (this.#accessToken) {
+        return this.#accessToken;
+      }
+
+      const { ctx } = this;
+      const mechanisms = omitBy({
+        body: ctx.is('application/x-www-form-urlencoded') && ctx.oidc.body?.access_token,
+        header: ctx.headers.authorization,
+        query: ctx.query.access_token,
+      }, (value) => typeof value !== 'string' || !value);
+
+      let mechanism;
+      let length;
+      let token;
+
+      try {
+        ({ 0: [mechanism, token], length } = Object.entries(mechanisms));
+      } catch (err) {}
+
+      if (!length) {
+        throw new NoAccessTokenProvided();
+      }
+
+      if (length > 1) {
+        throw new InvalidRequest('access token must only be provided using one mechanism');
+      }
+
+      if (!acceptQueryParam && mechanism === 'query') {
+        throw new InvalidRequest('access tokens must not be provided via query parameter');
+      }
+
+      const dpop = acceptDPoP && dPoPConfig.enabled && ctx.get('DPoP');
+
+      if (mechanism === 'header') {
+        const header = token;
+        const { 0: scheme, 1: value, length: parts } = header.split(' ');
+
+        if (parts !== 2) {
+          throw new InvalidRequest('invalid authorization header value format');
+        }
+
+        if (dpop && scheme.toLowerCase() !== 'dpop') {
+          throw new InvalidRequest('authorization header scheme must be `DPoP` when DPoP is used');
+        } else if (!dpop && scheme.toLowerCase() === 'dpop') {
+          throw new InvalidRequest('`DPoP` header not provided');
+        } else if (!dpop && scheme.toLowerCase() !== 'bearer') {
+          throw new InvalidRequest('authorization header scheme must be `Bearer`');
+        }
+
+        token = value;
+      }
+
+      if (dpop && mechanism !== 'header') {
+        throw new InvalidRequest('`DPoP` tokens must be provided via an authorization header');
+      }
+
+      this.#accessToken = token;
+
+      return token;
+    }
+  }
+
+  return OIDCContext;
+}

package/dist/node_modules/oidc-provider/lib/helpers/params.js

@@ -0,0 +1,27 @@
+import { strict as assert } from 'node:assert';
+
+import omitBy from './_/omit_by.js';
+
+const cache = new WeakMap();
+
+export default function getParams(allowList) {
+  if (!cache.has(allowList)) {
+    assert(allowList, 'allowList must be present');
+
+    const klass = class Params {
+      constructor(params) {
+        allowList.forEach((prop) => {
+          this[prop] = params[prop] || undefined;
+        });
+      }
+
+      toPlainObject() {
+        return omitBy({ ...this }, (val) => typeof val === 'undefined');
+      }
+    };
+
+    cache.set(allowList, klass);
+  }
+
+  return cache.get(allowList);
+}

package/dist/node_modules/oidc-provider/lib/helpers/pkce.js

@@ -0,0 +1,30 @@
+import * as crypto from 'node:crypto';
+
+import { InvalidGrant } from './errors.js';
+import checkFormat from './pkce_format.js';
+import constantEquals from './constant_equals.js';
+
+export default function checkPKCE(verifier, challenge, method) {
+  if (verifier) {
+    checkFormat(verifier, 'code_verifier');
+  }
+
+  if (verifier || challenge) {
+    try {
+      let expected = verifier;
+      if (!expected) throw new Error();
+
+      if (method === 'S256') {
+        expected = crypto.hash('sha256', expected, 'base64url');
+      } else {
+        throw new Error();
+      }
+
+      if (!constantEquals(challenge, expected)) {
+        throw new Error();
+      }
+    } catch (err) {
+      throw new InvalidGrant('PKCE verification failed');
+    }
+  }
+}

package/dist/node_modules/oidc-provider/lib/helpers/pkce_format.js

@@ -0,0 +1,17 @@
+import { InvalidRequest } from './errors.js';
+
+const check = /[^\w.\-~]/;
+
+export default (input, param) => {
+  if (input.length < 43) {
+    throw new InvalidRequest(`${param} must be a string with a minimum length of 43 characters`);
+  }
+
+  if (input.length > 128) {
+    throw new InvalidRequest(`${param} must be a string with a maximum length of 128 characters`);
+  }
+
+  if (check.test(input)) {
+    throw new InvalidRequest(`${param} contains invalid characters`);
+  }
+};

package/dist/node_modules/oidc-provider/lib/helpers/process_response_types.js

@@ -0,0 +1,202 @@
+import { InvalidTarget } from './errors.js';
+import instance from './weak_cache.js';
+import filterClaims from './filter_claims.js';
+import combinedScope from './combined_scope.js';
+import getCtxAccountClaims from './account_claims.js';
+
+async function tokenHandler(ctx) {
+  const { accountId } = ctx.oidc.session;
+
+  const token = new ctx.oidc.provider.AccessToken({
+    accountId,
+    client: ctx.oidc.client,
+    grantId: ctx.oidc.session.grantIdFor(ctx.oidc.client.clientId),
+    gty: 'implicit',
+    sessionUid: ctx.oidc.session.uid,
+    sid: ctx.oidc.session.sidFor(ctx.oidc.client.clientId),
+  });
+
+  const {
+    expiresWithSession,
+    features: { resourceIndicators },
+  } = instance(ctx.oidc.provider).configuration;
+
+  let { resource } = ctx.oidc.params;
+
+  if (Array.isArray(resource)) {
+    resource = await resourceIndicators.defaultResource(ctx, ctx.oidc.client, resource);
+  }
+
+  if (Array.isArray(resource)) {
+    throw new InvalidTarget('only a single resource indicator value must be requested/resolved during Access Token Request');
+  }
+
+  const { grant } = ctx.oidc;
+
+  if (resource) {
+    const resourceServer = ctx.oidc.resourceServers[resource];
+    if (!resourceServer) throw new InvalidTarget();
+    token.resourceServer = resourceServer;
+    token.scope = grant.getResourceScopeFiltered(resource, ctx.oidc.requestParamScopes);
+  } else {
+    token.claims = ctx.oidc.claims;
+    token.scope = grant.getOIDCScopeFiltered(ctx.oidc.requestParamOIDCScopes);
+  }
+
+  if (!token.resourceServer || token.resourceServer.accessTokenFormat === 'opaque') {
+    if (await expiresWithSession(ctx, token)) {
+      token.expiresWithSession = true;
+    } else {
+      ctx.oidc.session.authorizationFor(ctx.oidc.client.clientId).persistsLogout = true;
+    }
+  }
+
+  ctx.oidc.entity('AccessToken', token);
+
+  const result = {
+    access_token: await token.save(),
+    expires_in: token.expiration,
+    token_type: token.tokenType,
+    scope: token.scope,
+  };
+
+  return result;
+}
+
+async function codeHandler(ctx) {
+  const {
+    expiresWithSession,
+    features: {
+      richAuthorizationRequests,
+    },
+  } = instance(ctx.oidc.provider).configuration;
+
+  const { grant } = ctx.oidc;
+
+  const scopeSet = combinedScope(grant, ctx.oidc.requestParamScopes, ctx.oidc.resourceServers);
+
+  const code = new ctx.oidc.provider.AuthorizationCode({
+    accountId: ctx.oidc.session.accountId,
+    acr: ctx.oidc.acr,
+    amr: ctx.oidc.amr,
+    authTime: ctx.oidc.session.authTime(),
+    claims: ctx.oidc.claims,
+    client: ctx.oidc.client,
+    codeChallenge: ctx.oidc.params.code_challenge,
+    codeChallengeMethod: ctx.oidc.params.code_challenge_method,
+    grantId: ctx.oidc.session.grantIdFor(ctx.oidc.client.clientId),
+    nonce: ctx.oidc.params.nonce,
+    redirectUri: ctx.oidc.params.redirect_uri,
+    resource: Object.keys(ctx.oidc.resourceServers),
+    scope: [...scopeSet].join(' '),
+    sessionUid: ctx.oidc.session.uid,
+    dpopJkt: ctx.oidc.params.dpop_jkt,
+  });
+
+  if (ctx.oidc.entities.PushedAuthorizationRequest?.attestationJkt) {
+    code.attestationJkt = ctx.oidc.entities.PushedAuthorizationRequest.attestationJkt;
+  }
+
+  if (richAuthorizationRequests.enabled) {
+    code.rar = await richAuthorizationRequests.rarForAuthorizationCode(ctx);
+  }
+
+  if (Object.keys(code.claims).length === 0) {
+    delete code.claims;
+  }
+
+  // eslint-disable-next-line default-case
+  switch (code.resource.length) {
+    case 0:
+      delete code.resource;
+      break;
+    case 1:
+      [code.resource] = code.resource;
+      break;
+  }
+
+  if (await expiresWithSession(ctx, code)) {
+    code.expiresWithSession = true;
+  } else {
+    ctx.oidc.session.authorizationFor(ctx.oidc.client.clientId).persistsLogout = true;
+  }
+
+  if (ctx.oidc.client.includeSid() || (ctx.oidc.claims.id_token && 'sid' in ctx.oidc.claims.id_token)) {
+    code.sid = ctx.oidc.session.sidFor(ctx.oidc.client.clientId);
+  }
+
+  ctx.oidc.entity('AuthorizationCode', code);
+
+  return { code: await code.save() };
+}
+
+async function idTokenHandler(ctx) {
+  const claims = filterClaims(ctx.oidc.claims, 'id_token', ctx.oidc.grant);
+  const rejected = ctx.oidc.grant.getRejectedOIDCClaims();
+  const scope = ctx.oidc.grant.getOIDCScopeFiltered(ctx.oidc.requestParamScopes);
+  const idToken = new ctx.oidc.provider.IdToken({
+    ...await getCtxAccountClaims(ctx, 'id_token', scope, claims, rejected),
+    acr: ctx.oidc.acr,
+    amr: ctx.oidc.amr,
+    auth_time: ctx.oidc.session.authTime(),
+  }, { ctx });
+
+  const {
+    conformIdTokenClaims, features: { userinfo },
+  } = instance(ctx.oidc.provider).configuration;
+
+  if (conformIdTokenClaims && userinfo.enabled && ctx.oidc.params.response_type !== 'id_token' && !ctx.oidc.params.resource) {
+    idToken.scope = 'openid';
+  } else {
+    idToken.scope = scope;
+  }
+
+  idToken.mask = claims;
+  idToken.rejected = rejected;
+
+  idToken.set('nonce', ctx.oidc.params.nonce);
+
+  if (ctx.oidc.client.includeSid() || (ctx.oidc.claims.id_token && 'sid' in ctx.oidc.claims.id_token)) {
+    idToken.set('sid', ctx.oidc.session.sidFor(ctx.oidc.client.clientId));
+  }
+
+  return { id_token: idToken };
+}
+
+/*
+ * Resolves each requested response type to a single response object. If one of the hybrid
+ * response types is used an appropriate _hash is also pushed on to the id_token.
+ */
+export default async function processResponseTypes(ctx) {
+  const responses = ctx.oidc.params.response_type.split(' ');
+  const response = Object.assign({}, ...await Promise.all(responses.map((responseType) => {
+    switch (responseType) {
+      case 'code':
+        return codeHandler(ctx);
+      case 'token':
+        return tokenHandler(ctx);
+      case 'id_token':
+        return idTokenHandler(ctx);
+      default:
+        return {};
+    }
+  })));
+
+  if ('id_token' in response) {
+    if ('access_token' in response) {
+      response.id_token.set('at_hash', response.access_token);
+    }
+
+    if ('code' in response) {
+      response.id_token.set('c_hash', response.code);
+    }
+
+    if (ctx.oidc.params.state && ctx.oidc.isFapi('1.0 Final')) {
+      response.id_token.set('s_hash', ctx.oidc.params.state);
+    }
+
+    response.id_token = await response.id_token.issue({ use: 'idtoken' });
+  }
+
+  return response;
+}

package/dist/node_modules/oidc-provider/lib/helpers/re_render_errors.js

@@ -0,0 +1,39 @@
+/* eslint-disable max-classes-per-file */
+
+export class ReRenderError extends Error {
+  constructor(message, userCode) {
+    super(message);
+    if (userCode) this.userCode = userCode;
+    this.message = message;
+    this.name = this.constructor.name;
+    this.status = 200;
+    this.statusCode = 200;
+    this.expose = true;
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+export class NotFoundError extends ReRenderError {
+  constructor(userCode) {
+    super('the code was not found', userCode);
+  }
+}
+export class ExpiredError extends ReRenderError {
+  constructor(userCode) {
+    super('the code has expired', userCode);
+  }
+}
+export class AbortedError extends ReRenderError {
+  constructor() {
+    super('the interaction was aborted');
+  }
+}
+export class AlreadyUsedError extends ReRenderError {
+  constructor(userCode) {
+    super('code has already been used', userCode);
+  }
+}
+export class NoCodeError extends ReRenderError {
+  constructor() {
+    super('no code submitted');
+  }
+}

package/dist/node_modules/oidc-provider/lib/helpers/redirect_uri.js

@@ -0,0 +1,16 @@
+export default function redirectUri(uri, payload, mode) {
+  const parsed = new URL(uri);
+
+  switch (mode) {
+    case 'fragment':
+      parsed.hash = new URLSearchParams(payload).toString();
+      break;
+    default:
+      for (const [k, v] of Object.entries(payload)) {
+        parsed.searchParams.set(k, v);
+      }
+      break;
+  }
+
+  return parsed.href;
+}

package/dist/node_modules/oidc-provider/lib/helpers/resolve_resource.js

@@ -0,0 +1,33 @@
+import { InvalidTarget } from './errors.js';
+
+export default async (ctx, model, config, scopes = model.scopes) => {
+  let resource;
+  if (config.resourceIndicators.enabled) {
+    // eslint-disable-next-line default-case
+    switch (true) {
+      case !!ctx.oidc.params.resource:
+        resource = ctx.oidc.params.resource;
+        break;
+      case !model.resource:
+      case Array.isArray(model.resource) && model.resource.length === 0:
+        break;
+      case model.resource && !!(await config.resourceIndicators.useGrantedResource(ctx, model)):
+      case !ctx.oidc.params.resource && (!config.userinfo.enabled || !scopes.has('openid')):
+        resource = model.resource;
+        break;
+    }
+
+    if (Array.isArray(resource)) {
+      resource = await config.resourceIndicators.defaultResource(ctx, ctx.oidc.client, resource);
+    }
+
+    if (Array.isArray(resource)) {
+      throw new InvalidTarget('only a single resource indicator value must be requested/resolved during Access Token Request');
+    }
+
+    if (resource && !model.resourceIndicators.has(resource)) {
+      throw new InvalidTarget();
+    }
+  }
+  return resource;
+};

package/dist/node_modules/oidc-provider/lib/helpers/resolve_response_mode.js

@@ -0,0 +1,7 @@
+export default function resolve(responseType) {
+  return typeof responseType === 'string' && responseType.includes('token') ? 'fragment' : 'query';
+}
+
+export function isFrontChannel(responseType) {
+  return resolve(responseType) === 'fragment';
+}

package/dist/node_modules/oidc-provider/lib/helpers/resource_server.js

@@ -0,0 +1,20 @@
+/* eslint-disable no-underscore-dangle */
+
+export default class ResourceServer {
+  constructor(identifier, data) {
+    this._identifier = identifier;
+    this.audience = data.audience;
+    this.scope = data.scope;
+    this.accessTokenTTL = data.accessTokenTTL;
+    this.accessTokenFormat = data.accessTokenFormat;
+    this.jwt = data.jwt;
+  }
+
+  get scopes() {
+    return new Set(this.scope?.split(' '));
+  }
+
+  identifier() {
+    return this._identifier;
+  }
+}