npm - @nocobase/plugin-idp-oauth - Versions diffs - 2.1.0-alpha.10 - Mend

@nocobase/plugin-idp-oauth 2.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (451) hide show

package/dist/node_modules/oidc-provider/lib/helpers/revoke.js ADDED Viewed

@@ -0,0 +1,27 @@
+import instance from './weak_cache.js';
+export default async function revoke(ctx, grantId) {
+  const { oidc: { client, provider } } = ctx;
+  const { grantTypes, revokeGrantPolicy } = instance(provider).configuration;
+  const refreshToken = client ? client.grantTypeAllowed('refresh_token') : grantTypes.has('refresh_token');
+  const authorizationCode = client ? client.grantTypeAllowed('authorization_code') : grantTypes.has('authorization_code');
+  const deviceCode = client ? client.grantTypeAllowed('urn:ietf:params:oauth:grant-type:device_code') : grantTypes.has('urn:ietf:params:oauth:grant-type:device_code');
+  const backchannelAuthenticationRequest = client ? client.grantTypeAllowed('urn:openid:params:grant-type:ciba') : grantTypes.has('urn:openid:params:grant-type:ciba');
+  const revokeGrant = await revokeGrantPolicy(ctx);
+  await Promise.all(
+    [
+      provider.AccessToken,
+      refreshToken ? provider.RefreshToken : undefined,
+      authorizationCode ? provider.AuthorizationCode : undefined,
+      deviceCode ? provider.DeviceCode : undefined,
+      backchannelAuthenticationRequest ? provider.BackchannelAuthenticationRequest : undefined,
+    ]
+      .map((model) => model && model.revokeByGrantId(grantId))
+      .concat(revokeGrant ? provider.Grant.adapter.destroy(grantId) : undefined),
+  );
+  if (revokeGrant) {
+    ctx.oidc.provider.emit('grant.revoked', ctx, grantId);
+  }
+}

package/dist/node_modules/oidc-provider/lib/helpers/script_src_sha.js ADDED Viewed

@@ -0,0 +1,21 @@
+import * as crypto from 'node:crypto';
+export default function pushScriptSrcSha(ctx, script) {
+  const csp = ctx.response.get('content-security-policy');
+  if (csp) {
+    const directives = csp.split(';').reduce((acc, directive) => {
+      const [name, ...values] = directive.trim().split(/\s+/g);
+      acc[name] = values;
+      return acc;
+    }, {});
+    if (directives['script-src']) {
+      const digest = crypto.hash('sha256', script, 'base64');
+      directives['script-src'].push(`'sha256-${digest}'`);
+      const replaced = Object.entries(directives).map(([name, values]) => [name, ...values].join(' ')).join(';');
+      ctx.set('content-security-policy', replaced);
+    }
+  }
+  return script;
+}

package/dist/node_modules/oidc-provider/lib/helpers/sector_identifier.js ADDED Viewed

@@ -0,0 +1,19 @@
+import { InvalidClientMetadata } from './errors.js';
+export default (client) => {
+  if (client.subjectType === 'pairwise') {
+    if (!client.sectorIdentifierUri) {
+      switch (true) {
+        case client.responseTypes.length !== 0:
+          return new URL(client.redirectUris[0]).host;
+        case client.grantTypes.includes('urn:openid:params:grant-type:ciba'):
+        case client.grantTypes.includes('urn:ietf:params:oauth:grant-type:device_code'):
+          return new URL(client.jwksUri).host;
+        default:
+          throw new InvalidClientMetadata('could not determine a sector identifier');
+      }
+    }
+  }
+  return client.sectorIdentifierUri ? new URL(client.sectorIdentifierUri).host : undefined;
+};

package/dist/node_modules/oidc-provider/lib/helpers/sector_validate.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { STATUS_CODES } from 'node:http';
+import instance from './weak_cache.js';
+import { InvalidClientMetadata } from './errors.js';
+import fetchRequest from './fetch_request.js';
+import fetchBodyCheck from './fetch_body_check.js';
+export default async function sectorValidate(provider, client) {
+  if (!instance(provider).configuration.sectorIdentifierUriValidate(client)) {
+    return;
+  }
+  const response = await fetchRequest(provider, new URL(client.sectorIdentifierUri).href, {
+    method: 'GET',
+    headers: {
+      accept: 'application/json',
+    },
+  }).catch((err) => {
+    throw new InvalidClientMetadata('could not load sector_identifier_uri response', err.message);
+  });
+  if (response.status !== 200) {
+    throw new InvalidClientMetadata(`unexpected sector_identifier_uri response status code, expected 200 OK, got ${response.status} ${STATUS_CODES[response.status]}`);
+  }
+  let body;
+  try {
+    body = (await fetchBodyCheck(provider, 'sector_identifier_uri', response)).toString();
+  } catch (err) {
+    throw new InvalidClientMetadata('could not load sector_identifier_uri response', err.message);
+  }
+  try {
+    body = JSON.parse(body);
+  } catch (err) {
+    throw new InvalidClientMetadata('failed to parse sector_identifier_uri JSON response', err.message);
+  }
+  try {
+    if (!Array.isArray(body)) throw new Error('sector_identifier_uri must return single JSON array');
+    if (client.responseTypes.length) {
+      const match = client.redirectUris.every((uri) => body.includes(uri));
+      if (!match) throw new Error('all registered redirect_uris must be included in the sector_identifier_uri response');
+    }
+    if (
+      client.grantTypes.includes('urn:openid:params:grant-type:ciba')
+      || client.grantTypes.includes('urn:ietf:params:oauth:grant-type:device_code')
+    ) {
+      if (!body.includes(client.jwksUri)) throw new Error("client's jwks_uri must be included in the sector_identifier_uri response");
+    }
+  } catch (err) {
+    throw new InvalidClientMetadata(err.message);
+  }
+}

package/dist/node_modules/oidc-provider/lib/helpers/set_rt_bindings.js ADDED Viewed

@@ -0,0 +1,21 @@
+/* eslint-disable no-param-reassign */
+export async function setRefreshTokenBindings(ctx, at, rt) {
+  switch (ctx.oidc.client.clientAuthMethod) {
+    case 'none':
+      if (at.jkt) {
+        rt.jkt = at.jkt;
+      }
+      if (at['x5t#S256']) {
+        rt['x5t#S256'] = at['x5t#S256'];
+      }
+      break;
+    case 'attest_jwt_client_auth': {
+      await rt.setAttestBinding(ctx);
+      break;
+    }
+    default:
+      break;
+  }
+}

package/dist/node_modules/oidc-provider/lib/helpers/token_find.js ADDED Viewed

@@ -0,0 +1,51 @@
+export function createTokenFinder(provider, grantTypeHandlers) {
+  const { AccessToken, ClientCredentials, RefreshToken } = provider;
+  function getAccessToken(token) {
+    return AccessToken.find(token);
+  }
+  function getClientCredentials(token) {
+    if (!grantTypeHandlers.has('client_credentials')) {
+      return undefined;
+    }
+    return ClientCredentials.find(token);
+  }
+  function getRefreshToken(token) {
+    if (!grantTypeHandlers.has('refresh_token')) {
+      return undefined;
+    }
+    return RefreshToken.find(token);
+  }
+  function findResult(results) {
+    return results.find((found) => !!found);
+  }
+  return async function findTokenByHint(tokenValue, tokenTypeHint) {
+    switch (tokenTypeHint) {
+      case 'access_token':
+      case 'urn:ietf:params:oauth:token-type:access_token':
+        return Promise.all([
+          getAccessToken(tokenValue),
+          getClientCredentials(tokenValue),
+        ])
+          .then(findResult)
+          .then((result) => result || getRefreshToken(tokenValue));
+      case 'refresh_token':
+      case 'urn:ietf:params:oauth:token-type:refresh_token':
+        return getRefreshToken(tokenValue)
+          .then((result) => result || Promise.all([
+            getAccessToken(tokenValue),
+            getClientCredentials(tokenValue),
+          ]).then(findResult));
+      default:
+        return Promise.all([
+          getAccessToken(tokenValue),
+          getClientCredentials(tokenValue),
+          getRefreshToken(tokenValue),
+        ]).then(findResult);
+    }
+  };
+}

package/dist/node_modules/oidc-provider/lib/helpers/type_validators.js ADDED Viewed

@@ -0,0 +1,8 @@
+const hasPrototype = (target) => target.prototype !== null && typeof target.prototype === 'object';
+const isContructor = (fn) => fn.constructor instanceof Function
+  && fn.constructor.name !== undefined;
+export default (constructable) => constructable instanceof Function
+      && hasPrototype(constructable)
+      && isContructor(constructable.constructor);

package/dist/node_modules/oidc-provider/lib/helpers/user_code_form.js ADDED Viewed

@@ -0,0 +1,19 @@
+import htmlSafe from './html_safe.js';
+export function input(action, csrfToken, code, charset) {
+  const attributes = charset === 'digits' ? 'pattern="[0-9]*" inputmode="numeric" ' : '';
+  return `<form id="op.deviceInputForm" novalidate method="post" action="${action}">
+  <input type="hidden" name="xsrf" value="${csrfToken}"/>
+  <input
+    ${code ? `value="${htmlSafe(code)}" ` : ''}${attributes}type="text" name="user_code" placeholder="Enter code" onfocus="this.select(); this.onfocus = undefined;" autofocus autocomplete="off"></input>
+  </form>`;
+}
+export function confirm(action, csrfToken, code) {
+  return `<form id="op.deviceConfirmForm" method="post" action="${action}">
+<input type="hidden" name="xsrf" value="${csrfToken}"/>
+<input type="hidden" name="user_code" value="${htmlSafe(code)}"/>
+<input type="hidden" name="confirm" value="yes"/>
+</form>`;
+}

package/dist/node_modules/oidc-provider/lib/helpers/user_codes.js ADDED Viewed

@@ -0,0 +1,38 @@
+import { customAlphabet } from 'nanoid';
+const CHARSETS = {
+  'base-20': 'BCDFGHJKLMNPQRSTVWXZ',
+  digits: '0123456789',
+};
+export function generate(charset, mask) {
+  const length = mask.split('*').length - 1;
+  if (typeof CHARSETS[charset] !== 'function') {
+    CHARSETS[charset] = customAlphabet(CHARSETS[charset]);
+  }
+  const generated = CHARSETS[charset](length).split('');
+  return mask.split('').map((p) => {
+    if (p === '*') {
+      return generated.shift();
+    }
+    return p;
+  }).join('');
+}
+export function denormalize(normalized, mask) {
+  const chars = normalized.split('');
+  return mask.split('').map((p) => {
+    if (p === '*') {
+      return chars.shift();
+    }
+    return p;
+  }).join('');
+}
+export function normalize(input) {
+  return input
+    .replace(/[a-z]/g, (char) => char.toUpperCase())
+    .replace(/\W/g, () => '');
+}

package/dist/node_modules/oidc-provider/lib/helpers/valid_url.js ADDED Viewed

@@ -0,0 +1,8 @@
+export function isHttpsUri(uri) {
+  return URL.parse(uri)?.protocol === 'https:';
+}
+export function isWebUri(uri) {
+  const protocol = URL.parse(uri)?.protocol;
+  return protocol === 'https:' || protocol === 'http:';
+}

package/dist/node_modules/oidc-provider/lib/helpers/validate_dpop.js ADDED Viewed

@@ -0,0 +1,129 @@
+import * as crypto from 'node:crypto';
+import {
+  jwtVerify,
+  EmbeddedJWK,
+  calculateJwkThumbprint,
+} from 'jose';
+import { InvalidDpopProof, UseDpopNonce } from './errors.js';
+import instance from './weak_cache.js';
+import epochTime from './epoch_time.js';
+import { CHALLENGE_OK_WINDOW } from './challenge.js';
+export { CHALLENGE_OK_WINDOW };
+const weakMap = new WeakMap();
+export default async (ctx, accessToken) => {
+  if (weakMap.has(ctx)) {
+    return weakMap.get(ctx);
+  }
+  const {
+    features: { dPoP: dPoPConfig },
+    dPoPSigningAlgValues,
+  } = instance(ctx.oidc.provider).configuration;
+  if (!dPoPConfig.enabled) {
+    return undefined;
+  }
+  const proof = ctx.get('DPoP');
+  if (!proof) {
+    return undefined;
+  }
+  const { DPoPNonces } = instance(ctx.oidc.provider);
+  const requireNonce = dPoPConfig.requireNonce(ctx);
+  if (typeof requireNonce !== 'boolean') {
+    throw new Error('features.dPoP.requireNonce must return a boolean');
+  }
+  if (requireNonce && !DPoPNonces) {
+    throw new Error('features.dPoP.nonceSecret configuration is missing');
+  }
+  const nextNonce = DPoPNonces?.nextChallenge();
+  let payload;
+  let protectedHeader;
+  try {
+    ({ protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, { algorithms: dPoPSigningAlgValues, typ: 'dpop+jwt' }));
+    if (typeof payload.iat !== 'number' || !payload.iat) {
+      throw new InvalidDpopProof('DPoP proof must have a iat number property');
+    }
+    if (typeof payload.jti !== 'string' || !payload.jti) {
+      throw new InvalidDpopProof('DPoP proof must have a jti string property');
+    }
+    if (payload.nonce !== undefined && typeof payload.nonce !== 'string') {
+      throw new InvalidDpopProof('DPoP proof nonce must be a string');
+    }
+    if (!payload.nonce) {
+      const now = epochTime();
+      const diff = Math.abs(now - payload.iat);
+      if (diff > CHALLENGE_OK_WINDOW) {
+        if (nextNonce) {
+          ctx.set('dpop-nonce', nextNonce);
+          throw new UseDpopNonce('DPoP proof iat is not recent enough, use a DPoP nonce instead');
+        }
+        throw new InvalidDpopProof('DPoP proof iat is not recent enough');
+      }
+    } else if (!DPoPNonces) {
+      throw new InvalidDpopProof('DPoP nonces are not supported');
+    }
+    if (payload.htm !== ctx.method) {
+      throw new InvalidDpopProof('DPoP proof htm mismatch');
+    }
+    {
+      const expected = new URL(ctx.oidc.urlFor(ctx.oidc.route)).href;
+      const actual = URL.parse(payload.htu);
+      if (!actual) return false;
+      actual.hash = '';
+      actual.search = '';
+      if (actual?.href !== expected) {
+        throw new InvalidDpopProof('DPoP proof htu mismatch');
+      }
+    }
+    if (accessToken) {
+      const ath = crypto.hash('sha256', accessToken, 'base64url');
+      if (payload.ath !== ath) {
+        throw new InvalidDpopProof('DPoP proof ath mismatch');
+      }
+    }
+  } catch (err) {
+    if (err instanceof InvalidDpopProof || err instanceof UseDpopNonce) {
+      throw err;
+    }
+    throw new InvalidDpopProof('invalid DPoP key binding', err.message);
+  }
+  if (!payload.nonce && requireNonce) {
+    ctx.set('dpop-nonce', nextNonce);
+    throw new UseDpopNonce('nonce is required in the DPoP proof');
+  }
+  if (payload.nonce && !DPoPNonces.checkChallenge(payload.nonce)) {
+    ctx.set('dpop-nonce', nextNonce);
+    throw new UseDpopNonce('invalid nonce in DPoP proof');
+  }
+  if (payload.nonce !== nextNonce) {
+    ctx.set('dpop-nonce', nextNonce);
+  }
+  const thumbprint = await calculateJwkThumbprint(protectedHeader.jwk);
+  const result = { thumbprint, jti: payload.jti, iat: payload.iat };
+  weakMap.set(ctx, result);
+  return result;
+};

package/dist/node_modules/oidc-provider/lib/helpers/validate_presence.js ADDED Viewed

@@ -0,0 +1,17 @@
+import * as formatters from './formatters.js';
+import { InvalidRequest } from './errors.js';
+export default function validatePresence(ctx, ...required) {
+  const { params } = ctx.oidc;
+  const missing = required.map((param) => {
+    if (params[param] === undefined) {
+      return param;
+    }
+    return undefined;
+  }).filter(Boolean);
+  if (missing.length) {
+    throw new InvalidRequest(`missing required ${formatters.pluralize('parameter', missing.length)} ${formatters.formatList(missing)}`);
+  }
+}

package/dist/node_modules/oidc-provider/lib/helpers/weak_cache.js ADDED Viewed

@@ -0,0 +1,11 @@
+const map = new WeakMap();
+export function get(ctx) {
+  return map.get(ctx);
+}
+export function set(ctx, value) {
+  return map.set(ctx, value);
+}
+export default get;

package/dist/node_modules/oidc-provider/lib/index.js ADDED Viewed

@@ -0,0 +1,21 @@
+/* eslint-disable import/first */
+// eslint-disable-next-line import/order
+import * as attention from './helpers/attention.js';
+const deno = typeof Deno !== 'undefined';
+const bun = typeof Bun !== 'undefined';
+const workerd = typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers';
+const minimal = 'Jod';
+const release = globalThis.process?.release;
+if (!release?.lts || release?.lts.charCodeAt(0) < minimal.charCodeAt(0) || deno || bun || workerd) {
+  attention.warn('Unsupported runtime. Use Node.js v22.x LTS, or a later LTS release.');
+}
+import { Provider } from './provider.js';
+import * as errors from './helpers/errors.js';
+import * as interactionPolicy from './helpers/interaction_policy/index.js';
+export default Provider;
+export { errors, interactionPolicy, Provider };
+export { ExternalSigningKey } from './helpers/keystore.js';

package/dist/node_modules/oidc-provider/lib/models/access_token.js ADDED Viewed

@@ -0,0 +1,31 @@
+import apply from './mixins/apply.js';
+import hasFormat from './mixins/has_format.js';
+import hasGrantType from './mixins/has_grant_type.js';
+import hasGrantId from './mixins/has_grant_id.js';
+import isSenderConstrained from './mixins/is_sender_constrained.js';
+import isSessionBound from './mixins/is_session_bound.js';
+import setAudience from './mixins/set_audience.js';
+export default (provider) => class AccessToken extends apply([
+  hasGrantType,
+  hasGrantId,
+  isSenderConstrained,
+  isSessionBound(provider),
+  setAudience,
+  hasFormat(provider, 'AccessToken', provider.BaseToken),
+]) {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'accountId',
+      'aud',
+      'rar',
+      'claims',
+      'extra',
+      'grantId',
+      'scope',
+      'sid',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/authorization_code.js ADDED Viewed

@@ -0,0 +1,27 @@
+import apply from './mixins/apply.js';
+import consumable from './mixins/consumable.js';
+import hasFormat from './mixins/has_format.js';
+import hasGrantId from './mixins/has_grant_id.js';
+import isAttestationConstrained from './mixins/is_attestation_constrained.js';
+import isSessionBound from './mixins/is_session_bound.js';
+import storesAuth from './mixins/stores_auth.js';
+import storesPKCE from './mixins/stores_pkce.js';
+export default (provider) => class AuthorizationCode extends apply([
+  consumable,
+  isSessionBound(provider),
+  hasGrantId,
+  isAttestationConstrained,
+  storesAuth,
+  storesPKCE,
+  hasFormat(provider, 'AuthorizationCode', provider.BaseToken),
+]) {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'redirectUri',
+      'dpopJkt',
+      'rar',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/backchannel_authentication_request.js ADDED Viewed

@@ -0,0 +1,26 @@
+import apply from './mixins/apply.js';
+import consumable from './mixins/consumable.js';
+import hasFormat from './mixins/has_format.js';
+import hasGrantId from './mixins/has_grant_id.js';
+import isAttestationConstrained from './mixins/is_attestation_constrained.js';
+import isSessionBound from './mixins/is_session_bound.js';
+import storesAuth from './mixins/stores_auth.js';
+export default (provider) => class BackchannelAuthenticationRequest extends apply([
+  consumable,
+  hasGrantId,
+  isAttestationConstrained,
+  isSessionBound(provider),
+  storesAuth,
+  hasFormat(provider, 'BackchannelAuthenticationRequest', provider.BaseToken),
+]) {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'error',
+      'errorDescription',
+      'params',
+      'rar',
+    ];
+  }
+};