npm - @nocobase/plugin-idp-oauth - Versions diffs - 2.1.0-alpha.10 - Mend

@nocobase/plugin-idp-oauth 2.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (451) hide show

package/dist/node_modules/oidc-provider/lib/models/id_token.js ADDED Viewed

@@ -0,0 +1,271 @@
+/* eslint-disable no-unused-expressions */
+import { format } from 'node:util';
+import * as crypto from 'node:crypto';
+import merge from '../helpers/_/merge.js';
+import epochTime from '../helpers/epoch_time.js';
+import * as JWT from '../helpers/jwt.js';
+import { InvalidClientMetadata } from '../helpers/errors.js';
+import instance from '../helpers/weak_cache.js';
+import isPlainObject from '../helpers/_/is_plain_object.js';
+const hashes = ['at_hash', 'c_hash', 's_hash'];
+function getHashArgs(alg) {
+  switch (alg) {
+    case 'RS256':
+    case 'PS256':
+    case 'ES256':
+    case 'HS256':
+      return 'sha256';
+    case 'RS384':
+    case 'PS384':
+    case 'ES384':
+    case 'HS384':
+      return 'sha384';
+    case 'RS512':
+    case 'PS512':
+    case 'ES512':
+    case 'HS512':
+    case 'Ed25519':
+    case 'EdDSA': // alias for Ed25519, Ed448 is not supported
+      return 'sha512';
+    case 'ML-DSA-44':
+    case 'ML-DSA-65':
+    case 'ML-DSA-87':
+      return ['shake256', { outputLength: 64 }];
+    default:
+      throw new Error('not implemented');
+  }
+}
+const messages = {
+  sig: {
+    idtoken: 'client secret is expired - cannot issue an ID Token (%s)',
+    logout: 'client secret is expired - cannot issue a Logout Token (%s)',
+    userinfo: 'client secret is expired - cannot respond with %s JWT UserInfo response',
+    introspection: 'client secret is expired - cannot respond with %s JWT Introspection response',
+  },
+  enc: {
+    idtoken: 'client secret is expired - cannot issue an encrypted ID Token (%s)',
+    logout: 'client secret is expired - cannot issue an encrypted Logout Token (%s)',
+    userinfo: 'client secret is expired - cannot respond with %s encrypted JWT UserInfo response',
+    introspection: 'client secret is expired - cannot respond with %s encrypted JWT Introspection response',
+  },
+};
+export default function getIdToken(provider) {
+  return class IdToken {
+    constructor(available, { ctx, client = ctx ? ctx.oidc.client : undefined }) {
+      if (!isPlainObject(available)) {
+        throw new TypeError('expected claims to be an object, are you sure claims() method resolves with or returns one?');
+      }
+      this.extra = {};
+      this.available = available;
+      this.client = client;
+      this.ctx = ctx;
+    }
+    static expiresIn(...args) {
+      const ttl = instance(provider).configuration.ttl[this.name];
+      if (typeof ttl === 'number') {
+        return ttl;
+      }
+      return ttl(...args);
+    }
+    set(key, value) { this.extra[key] = value; }
+    async payload() {
+      const mask = new provider.Claims(this.available, { ctx: this.ctx, client: this.client });
+      mask.scope(this.scope);
+      mask.mask(this.mask);
+      mask.rejected(this.rejected);
+      return merge({}, await mask.result(), this.extra);
+    }
+    async issue({ use, expiresAt = null } = {}) {
+      const { client } = this;
+      const expiresIn = expiresAt ? expiresAt - epochTime() : undefined;
+      let alg;
+      const payload = await this.payload();
+      let signOptions;
+      let encryption;
+      switch (use) {
+        case 'idtoken':
+          alg = client.idTokenSignedResponseAlg;
+          signOptions = {
+            audience: client.clientId,
+            expiresIn: (expiresIn || this.constructor.expiresIn(this.ctx, this, client)),
+            issuer: provider.issuer,
+            subject: payload.sub,
+          };
+          encryption = {
+            alg: client.idTokenEncryptedResponseAlg,
+            enc: client.idTokenEncryptedResponseEnc,
+          };
+          break;
+        case 'logout':
+          alg = client.idTokenSignedResponseAlg;
+          signOptions = {
+            audience: client.clientId,
+            issuer: provider.issuer,
+            subject: payload.sub,
+            typ: 'logout+jwt',
+            expiresIn: 120,
+          };
+          encryption = {
+            alg: client.idTokenEncryptedResponseAlg,
+            enc: client.idTokenEncryptedResponseEnc,
+          };
+          break;
+        case 'userinfo':
+          alg = client.userinfoSignedResponseAlg;
+          signOptions = {
+            audience: client.clientId,
+            issuer: provider.issuer,
+            subject: payload.sub,
+            expiresIn,
+          };
+          encryption = {
+            alg: client.userinfoEncryptedResponseAlg,
+            enc: client.userinfoEncryptedResponseEnc,
+          };
+          break;
+        case 'introspection':
+          alg = client.introspectionSignedResponseAlg;
+          signOptions = {
+            audience: client.clientId,
+            issuer: provider.issuer,
+            typ: 'token-introspection+jwt',
+          };
+          encryption = {
+            alg: client.introspectionEncryptedResponseAlg,
+            enc: client.introspectionEncryptedResponseEnc,
+          };
+          break;
+        case 'authorization':
+          alg = client.authorizationSignedResponseAlg;
+          signOptions = {
+            audience: client.clientId,
+            expiresIn: 120,
+            issuer: provider.issuer,
+            noIat: true,
+          };
+          encryption = {
+            alg: client.authorizationEncryptedResponseAlg,
+            enc: client.authorizationEncryptedResponseEnc,
+          };
+          break;
+        default:
+          throw new TypeError('invalid use option');
+      }
+      const signed = await (async () => {
+        if (typeof alg !== 'string') {
+          throw new Error();
+        }
+        let jwk;
+        let key;
+        if (alg.startsWith('HS')) {
+          if (use !== 'authorization') { // handled in checkResponseMode
+            client.checkClientSecretExpiration(format(messages.sig[use], alg));
+          }
+          [jwk] = client.symmetricKeyStore.selectForSign({ alg, use: 'sig' });
+          key = client.symmetricKeyStore.getKeyObject(jwk);
+        } else {
+          [jwk] = instance(provider).keystore.selectForSign({ alg, use: 'sig' });
+          key = instance(provider).keystore.getKeyObject(jwk);
+        }
+        if (use === 'idtoken') {
+          const digest = getHashArgs(alg);
+          for (const claim of hashes) {
+            if (payload[claim]) {
+              const hash = typeof digest === 'string'
+                ? crypto.hash(digest, payload[claim], 'buffer')
+                : crypto.createHash(...digest).update(payload[claim]).digest();
+              payload[claim] = hash.subarray(0, hash.byteLength / 2).toString('base64url');
+            }
+          }
+        }
+        if (jwk) {
+          signOptions.fields = { kid: jwk.kid };
+        }
+        return JWT.sign(payload, key, alg, signOptions);
+      })();
+      if (!encryption.enc) {
+        return signed;
+      }
+      if (/^(A|dir$)/.test(encryption.alg)) {
+        if (use !== 'authorization') { // handled in checkResponseMode
+          client.checkClientSecretExpiration(format(messages.enc[use], encryption.alg));
+        }
+      }
+      let jwk;
+      let encryptionKey;
+      if (encryption.alg === 'dir') {
+        [jwk] = client.symmetricKeyStore.selectForEncrypt({ alg: encryption.enc, use: 'enc' });
+        jwk && (encryptionKey = client.symmetricKeyStore.getKeyObject(jwk, true));
+      } else if (encryption.alg.startsWith('A')) {
+        [jwk] = client.symmetricKeyStore.selectForEncrypt({ alg: encryption.alg, use: 'enc' });
+        jwk && (encryptionKey = client.symmetricKeyStore.getKeyObject(jwk, true));
+      } else {
+        await client.asymmetricKeyStore.refresh();
+        [jwk] = client.asymmetricKeyStore.selectForEncrypt({ alg: encryption.alg, use: 'enc' });
+        jwk && (encryptionKey = client.asymmetricKeyStore.getKeyObject(jwk, true));
+      }
+      if (!encryptionKey) {
+        throw new InvalidClientMetadata(`no suitable encryption key found (${encryption.alg})`);
+      }
+      const { kid } = jwk;
+      return JWT.encrypt(signed, encryptionKey, {
+        enc: encryption.enc,
+        alg: encryption.alg,
+        fields: {
+          cty: 'JWT',
+          kid,
+          iss: signOptions.issuer,
+          aud: signOptions.audience,
+        },
+      });
+    }
+    static async validate(jwt, client) {
+      const alg = client.idTokenSignedResponseAlg;
+      let keyOrStore;
+      if (alg.startsWith('HS')) {
+        client.checkClientSecretExpiration('client secret is expired - cannot validate ID Token Hint');
+        keyOrStore = client.symmetricKeyStore;
+      } else {
+        keyOrStore = instance(provider).keystore;
+      }
+      const opts = {
+        ignoreExpiration: true,
+        audience: client.clientId,
+        issuer: provider.issuer,
+        clockTolerance: instance(provider).configuration.clockTolerance,
+        algorithm: alg,
+        subject: true,
+      };
+      return JWT.verify(jwt, keyOrStore, opts);
+    }
+  };
+}

package/dist/node_modules/oidc-provider/lib/models/index.js ADDED Viewed

@@ -0,0 +1,37 @@
+import getAccessToken from './access_token.js';
+import getAuthorizationCode from './authorization_code.js';
+import getBaseModel from './base_model.js';
+import getBaseToken from './base_token.js';
+import getClient from './client.js';
+import getClientCredentials from './client_credentials.js';
+import getDeviceCode from './device_code.js';
+import getBackchannelAuthenticationRequest from './backchannel_authentication_request.js';
+import getIdToken from './id_token.js';
+import getInitialAccessToken from './initial_access_token.js';
+import getInteraction from './interaction.js';
+import getPushedAuthorizationRequest from './pushed_authorization_request.js';
+import getRefreshToken from './refresh_token.js';
+import getRegistrationAccessToken from './registration_access_token.js';
+import getReplayDetection from './replay_detection.js';
+import getSession from './session.js';
+import getGrant from './grant.js';
+export {
+  getAccessToken,
+  getAuthorizationCode,
+  getBackchannelAuthenticationRequest,
+  getBaseModel,
+  getBaseToken,
+  getClient,
+  getClientCredentials,
+  getDeviceCode,
+  getIdToken,
+  getInitialAccessToken,
+  getInteraction,
+  getPushedAuthorizationRequest,
+  getRefreshToken,
+  getRegistrationAccessToken,
+  getReplayDetection,
+  getSession,
+  getGrant,
+};

package/dist/node_modules/oidc-provider/lib/models/initial_access_token.js ADDED Viewed

@@ -0,0 +1,12 @@
+import apply from './mixins/apply.js';
+import hasFormat from './mixins/has_format.js';
+import hasPolicies from './mixins/has_policies.js';
+export default (provider) => class InitialAccessToken extends apply([
+  hasPolicies(provider),
+  hasFormat(provider, 'InitialAccessToken', provider.BaseToken),
+]) {
+  static get IN_PAYLOAD() {
+    return super.IN_PAYLOAD.filter((v) => v !== 'clientId');
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/interaction.js ADDED Viewed

@@ -0,0 +1,73 @@
+import instance from '../helpers/weak_cache.js';
+import epochTime from '../helpers/epoch_time.js';
+import hasFormat from './mixins/has_format.js';
+export default (provider) => class Interaction extends hasFormat(provider, 'Interaction', instance(provider).BaseModel) {
+  constructor(jti, payload) {
+    if (arguments.length === 2) {
+      if (payload.session instanceof instance(provider).BaseModel) {
+        const { session } = payload;
+        Object.assign(payload, session.accountId ? {
+          session: {
+            accountId: session.accountId,
+            ...(session.uid ? { uid: session.uid } : undefined),
+            ...(session.jti ? { cookie: session.jti } : undefined),
+            ...(session.acr ? { acr: session.acr } : undefined),
+            ...(session.amr ? { amr: session.amr } : undefined),
+          },
+        } : { session: undefined });
+      }
+      if (payload.grant instanceof instance(provider).BaseModel) {
+        const { grant } = payload;
+        if (grant.jti) {
+          Object.assign(payload, { grantId: grant.jti });
+        }
+      }
+      super({ jti, ...payload });
+    } else {
+      super(jti);
+    }
+  }
+  get uid() {
+    return this.jti;
+  }
+  set uid(value) {
+    this.jti = value;
+  }
+  async save(ttl) {
+    if (typeof ttl !== 'number') {
+      throw new TypeError('"ttl" argument must be a number');
+    }
+    return super.save(ttl);
+  }
+  async persist() {
+    if (typeof this.exp !== 'number') {
+      throw new TypeError('persist can only be called on previously persisted Interactions');
+    }
+    return this.save(this.exp - epochTime());
+  }
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'session',
+      'params',
+      'prompt',
+      'result',
+      'returnTo',
+      'trusted',
+      'grantId',
+      'lastSubmission',
+      'deviceCode',
+      'cid',
+      'parJti',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/apply.js ADDED Viewed

@@ -0,0 +1,4 @@
+export default function apply(mixins) {
+  const klass = mixins.pop();
+  return mixins.reduce((mixed, mixin) => mixin(mixed), klass);
+}

package/dist/node_modules/oidc-provider/lib/models/mixins/consumable.js ADDED Viewed

@@ -0,0 +1,17 @@
+export default (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'consumed',
+    ];
+  }
+  async consume() {
+    await this.adapter.consume(this.jti);
+    this.emit('consumed');
+  }
+  get isValid() {
+    return !this.consumed && !this.isExpired;
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/has_format.js ADDED Viewed

@@ -0,0 +1,46 @@
+import instance from '../../helpers/weak_cache.js';
+import formatsGenerator from '../formats/index.js';
+const DEFAULT = 'opaque';
+function AccessTokenFormat(ctx, token) {
+  return token.resourceServer?.accessTokenFormat ?? 'opaque';
+}
+export default (provider, type, superclass) => {
+  const formats = formatsGenerator(provider);
+  let FORMAT;
+  if (type === 'AccessToken' || type === 'ClientCredentials') {
+    FORMAT = AccessTokenFormat;
+  } else {
+    FORMAT = DEFAULT;
+  }
+  if (FORMAT !== DEFAULT || type === 'base') {
+    const dynamic = typeof FORMAT === 'function';
+    if (!dynamic) {
+      if (!formats[FORMAT]) throw new TypeError(`unsupported format specified (${FORMAT})`);
+      if (FORMAT === 'dynamic') throw new TypeError('dynamic format must be configured as a function');
+    }
+    const {
+      generateTokenId,
+      getValueAndPayload,
+    } = formats[dynamic ? 'dynamic' : FORMAT];
+    const klass = class extends superclass {};
+    klass.prototype.generateTokenId = generateTokenId;
+    klass.prototype.getValueAndPayload = getValueAndPayload;
+    klass.prototype.constructor.verify = formats.opaque.verify;
+    if (dynamic) {
+      instance(provider).dynamic ||= {};
+      instance(provider).dynamic[type] = FORMAT;
+    }
+    return klass;
+  }
+  return superclass;
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/has_grant_id.js ADDED Viewed

@@ -0,0 +1,12 @@
+export default (superclass) => class extends superclass {
+  static async revokeByGrantId(grantId) {
+    await this.adapter.revokeByGrantId(grantId);
+  }
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'grantId',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/has_grant_type.js ADDED Viewed

@@ -0,0 +1,8 @@
+export default (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'gty',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/has_policies.js ADDED Viewed

@@ -0,0 +1,38 @@
+import instance from '../../helpers/weak_cache.js';
+function validate(provider, policies) {
+  if (!Array.isArray(policies)) {
+    throw new TypeError('policies must be an array');
+  }
+  if (!policies.length) {
+    throw new TypeError('policies must not be empty');
+  }
+  policies.forEach((policy) => {
+    if (typeof policy !== 'string') {
+      throw new TypeError('policies must be strings');
+    }
+    if (!instance(provider).features.registration.policies[policy]) {
+      throw new TypeError(`policy ${policy} not configured`);
+    }
+  });
+}
+export default (provider) => (superclass) => class extends superclass {
+  async save() {
+    if (typeof this.policies !== 'undefined') validate(provider, this.policies);
+    return super.save();
+  }
+  static async find(...args) {
+    const result = await super.find(...args);
+    if (result && typeof result.policies !== 'undefined') validate(provider, result.policies);
+    return result;
+  }
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'policies',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/is_attestation_constrained.js ADDED Viewed

@@ -0,0 +1,15 @@
+import * as jose from 'jose';
+export default (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'attestationJkt',
+    ];
+  }
+  async setAttestBinding(ctx) {
+    const { cnf: { jwk } } = jose.decodeJwt(ctx.get('oauth-client-attestation'));
+    this.attestationJkt = await jose.calculateJwkThumbprint(jwk);
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/is_sender_constrained.js ADDED Viewed

@@ -0,0 +1,50 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+import certificateThumbprint from '../../helpers/certificate_thumbprint.js';
+const x5t = 'x5t#S256';
+const jkt = 'jkt';
+export default (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      x5t,
+      jkt,
+    ];
+  }
+  setThumbprint(prop, input) {
+    switch (prop) {
+      case 'x5t':
+        if (this[jkt]) {
+          throw new InvalidRequest('multiple proof-of-posession mechanisms are not allowed');
+        }
+        this[x5t] = certificateThumbprint(input);
+        break;
+      case 'jkt':
+        if (this[x5t]) {
+          throw new InvalidRequest('multiple proof-of-posession mechanisms are not allowed');
+        }
+        this[jkt] = input;
+        break;
+      default:
+        throw new Error('unsupported');
+    }
+  }
+  isSenderConstrained() {
+    if (this[jkt] || this[x5t]) {
+      return true;
+    }
+    return false;
+  }
+  get tokenType() {
+    if (this[jkt]) {
+      return 'DPoP';
+    }
+    return 'Bearer';
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/is_session_bound.js ADDED Viewed

@@ -0,0 +1,38 @@
+export default (provider) => (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'sessionUid',
+      'expiresWithSession',
+    ];
+  }
+  static async find(...args) {
+    const token = await super.find(...args);
+    const ignoreSessionBinding = args[1] && args[1].ignoreSessionBinding === true;
+    if (!token?.expiresWithSession || ignoreSessionBinding) {
+      return token;
+    }
+    const session = await provider.Session.findByUid(token.sessionUid);
+    // related session was not found
+    if (!session) {
+      return undefined;
+    }
+    // token and session principal are now different
+    if (token.accountId !== session.accountId) {
+      return undefined;
+    }
+    // token and session grantId are now different
+    if (token.grantId !== session.grantIdFor(token.clientId)) {
+      return undefined;
+    }
+    return token;
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/set_audience.js ADDED Viewed

@@ -0,0 +1,21 @@
+import { InvalidTarget } from '../../helpers/errors.js';
+export default (superclass) => class extends superclass {
+  setAudience(audience) {
+    if (Array.isArray(audience)) {
+      if (audience.length === 0) {
+        return;
+      }
+      if (audience.length > 1) {
+        throw new InvalidTarget('only a single audience value is supported');
+      }
+      // eslint-disable-next-line no-param-reassign
+      [audience] = audience;
+    } else if (typeof audience !== 'string' || !audience) {
+      throw new InvalidTarget();
+    }
+    this.aud = audience;
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/stores_auth.js ADDED Viewed

@@ -0,0 +1,16 @@
+export default (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'accountId',
+      'acr',
+      'amr',
+      'authTime',
+      'claims',
+      'nonce',
+      'resource',
+      'scope',
+      'sid',
+    ];
+  }
+};

package/dist/node_modules/oidc-provider/lib/models/mixins/stores_pkce.js ADDED Viewed

@@ -0,0 +1,9 @@
+export default (superclass) => class extends superclass {
+  static get IN_PAYLOAD() {
+    return [
+      ...super.IN_PAYLOAD,
+      'codeChallenge',
+      'codeChallengeMethod',
+    ];
+  }
+};