@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/shared/error_handler.js

@@ -0,0 +1,59 @@
+import * as crypto from 'node:crypto';
+
+import debug from 'debug';
+
+import instance from '../helpers/weak_cache.js';
+import * as formHtml from '../helpers/user_code_form.js';
+import { ReRenderError } from '../helpers/re_render_errors.js';
+import errOut from '../helpers/err_out.js';
+
+const debugError = debug('oidc-provider:error');
+const serverError = debug('oidc-provider:server_error');
+const serverErrorTrace = debug('oidc-provider:server_error:trace');
+
+const userInputRoutes = new Set(['code_verification', 'device_resume']);
+
+export default function getErrorHandler(provider, eventName) {
+  return async function errorHandler(ctx, next) {
+    const {
+      features: { deviceFlow: { charset, userCodeInputSource } },
+    } = instance(provider).configuration;
+
+    try {
+      await next();
+    } catch (err) {
+      const out = errOut(err);
+      ctx.status = err.statusCode || 500;
+
+      if (err.expose && !(err instanceof ReRenderError)) {
+        debugError('path=%s method=%s error=%o detail=%s', ctx.path, ctx.method, out, err.error_detail);
+      } else if (!(err instanceof ReRenderError)) {
+        serverError('path=%s method=%s error=%o', ctx.path, ctx.method, err);
+        serverErrorTrace(err);
+      }
+
+      if (ctx.oidc?.session && userInputRoutes.has(ctx.oidc.route)) {
+        const secret = crypto.randomBytes(24).toString('hex');
+        ctx.oidc.session.state = { secret };
+
+        await userCodeInputSource(ctx, formHtml.input(ctx.oidc.urlFor('code_verification'), secret, err.userCode, charset), out, err);
+        if (err instanceof ReRenderError) { // render without emit
+          return;
+        }
+      } else if (ctx.accepts('json', 'html') === 'html') {
+        // this ^^ makes */* requests respond with json (curl, xhr, request libraries), while in
+        // browser requests end up rendering the html error instead
+        const { renderError } = instance(provider).configuration;
+        await renderError(ctx, out, err);
+      } else {
+        ctx.body = out;
+      }
+
+      if (out.error === 'server_error') {
+        provider.emit('server_error', ctx, err);
+      } else if (eventName) {
+        provider.emit(eventName, ctx, err);
+      }
+    }
+  };
+}

package/dist/node_modules/oidc-provider/lib/shared/jwt_client_auth.js

@@ -0,0 +1,79 @@
+import { InvalidClientAuth } from '../helpers/errors.js';
+import instance from '../helpers/weak_cache.js';
+import * as JWT from '../helpers/jwt.js';
+
+export default async function jwtClientAuth(ctx, keystore, filter) {
+  const {
+    clockTolerance,
+    assertJwtClientAuthClaimsAndHeader,
+    clientAuthSigningAlgValues,
+  } = instance(ctx.oidc.provider).configuration;
+
+  const acceptedAud = ctx.oidc.clientJwtAuthExpectedAudience();
+  const { header, payload } = JWT.decode(ctx.oidc.params.client_assertion);
+
+  if (ctx.oidc.client.clientAuthSigningAlg) {
+    if (header.alg !== ctx.oidc.client.clientAuthSigningAlg) {
+      throw new InvalidClientAuth('alg mismatch');
+    }
+  } else {
+    const algorithms = clientAuthSigningAlgValues.filter(filter);
+    if (!algorithms.includes(header.alg)) {
+      throw new InvalidClientAuth('alg mismatch');
+    }
+  }
+
+  if (!payload.exp) {
+    throw new InvalidClientAuth('expiration must be specified in the client_assertion JWT');
+  }
+
+  if (!payload.jti) {
+    throw new InvalidClientAuth('unique jti (JWT ID) must be provided in the client_assertion JWT');
+  }
+
+  if (!payload.iss) {
+    throw new InvalidClientAuth('iss (JWT issuer) must be provided in the client_assertion JWT');
+  }
+
+  if (payload.iss !== ctx.oidc.client.clientId) {
+    throw new InvalidClientAuth('iss (JWT issuer) must be the client_id');
+  }
+
+  if (!payload.aud) {
+    throw new InvalidClientAuth('aud (JWT audience) must be provided in the client_assertion JWT');
+  }
+
+  if (Array.isArray(payload.aud)) {
+    if (!payload.aud.some((aud) => acceptedAud.has(aud))) {
+      throw new InvalidClientAuth('list of audience (aud) must include the endpoint url, issuer identifier or token endpoint url');
+    }
+  } else if (!acceptedAud.has(payload.aud)) {
+    throw new InvalidClientAuth('audience (aud) must equal the endpoint url, issuer identifier or token endpoint url');
+  }
+
+  try {
+    await JWT.verify(ctx.oidc.params.client_assertion, keystore, {
+      clockTolerance,
+      ignoreAzp: true,
+    });
+  } catch (err) {
+    throw new InvalidClientAuth(err.message);
+  }
+
+  await assertJwtClientAuthClaimsAndHeader(
+    ctx,
+    structuredClone(payload),
+    structuredClone(header),
+    ctx.oidc.client,
+  );
+
+  const unique = await ctx.oidc.provider.ReplayDetection.unique(
+    payload.iss,
+    payload.jti,
+    payload.exp + clockTolerance,
+  );
+
+  if (!unique) {
+    throw new InvalidClientAuth('client assertion tokens must only be used once');
+  }
+}

package/dist/node_modules/oidc-provider/lib/shared/no_cache.js

@@ -0,0 +1,4 @@
+export default async function noCache(ctx, next) {
+  ctx.set('cache-control', 'no-store');
+  await next();
+}

package/dist/node_modules/oidc-provider/lib/shared/reject_dupes.js

@@ -0,0 +1,45 @@
+import { InvalidRequest } from '../helpers/errors.js';
+import * as formatters from '../helpers/formatters.js';
+
+function exceptMap([key, value]) {
+  if (Array.isArray(value) && !this.has(key)) {
+    return key;
+  }
+  return undefined;
+}
+
+function onlyMap([key, value]) {
+  if (Array.isArray(value) && this.has(key)) {
+    return key;
+  }
+  return undefined;
+}
+
+function defaultMap([key, value]) {
+  return Array.isArray(value) ? key : undefined;
+}
+
+// eslint-disable-next-line default-param-last
+export default function rejectDupes({ except, only } = {}, ctx, next) {
+  let mapFn;
+
+  if (except) {
+    mapFn = exceptMap.bind(except);
+  } else if (only) {
+    mapFn = onlyMap.bind(only);
+  } else {
+    mapFn = defaultMap;
+  }
+
+  const dupes = Object.entries(ctx.oidc.params).map(mapFn);
+
+  if (dupes.some(Boolean)) {
+    const params = dupes.filter(Boolean);
+    params.forEach((param) => {
+      ctx.oidc.params[param] = undefined;
+    });
+    throw new InvalidRequest(`${formatters.formatList(params)} ${formatters.pluralize('parameter', params.length)} must not be provided twice`);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/shared/reject_structured_tokens.js

@@ -0,0 +1,18 @@
+import { decodeProtectedHeader } from 'jose';
+
+import { UnsupportedTokenType } from '../helpers/errors.js';
+
+export default async function rejectStructuredTokens(ctx, next) {
+  const { params } = ctx.oidc;
+
+  let tokenIsJWT;
+  try {
+    tokenIsJWT = !!decodeProtectedHeader(params.token);
+  } catch {}
+
+  if (tokenIsJWT) {
+    throw new UnsupportedTokenType(`Structured JWT Tokens cannot be ${ctx.oidc.route === 'revocation' ? 'revoked' : 'introspected'} via the ${ctx.oidc.route}_endpoint`);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/shared/selective_body.js

@@ -0,0 +1,60 @@
+import * as querystring from 'node:querystring';
+
+import raw from 'raw-body';
+
+import * as attention from '../helpers/attention.js';
+import { InvalidRequest } from '../helpers/errors.js';
+
+let warned;
+
+async function selectiveBody(cty, ctx, next) {
+  if (ctx.is(cty)) {
+    try {
+      let usedFallback;
+      const body = await (() => {
+        if (ctx.req.readable) {
+          return raw(ctx.req, {
+            length: ctx.request.length,
+            limit: '56kb',
+            encoding: ctx.charset,
+          });
+        }
+        if (!warned) {
+          warned = true;
+          /* eslint-disable no-multi-str */
+          attention.warn('already parsed request body detected, having upstream middleware parser \
+is not recommended, resolving to use req.body or request.body instead');
+          /* eslint-enable */
+        }
+        usedFallback = true;
+        return ctx.req.body || ctx.request.body;
+      })();
+
+      if (body instanceof Buffer || typeof body === 'string') {
+        if (cty === 'application/json') {
+          ctx.oidc.body = JSON.parse(body);
+        } else {
+          ctx.oidc.body = querystring.parse(body.toString());
+        }
+      } else if (usedFallback && cty === 'application/x-www-form-urlencoded') {
+        // get rid of possible upstream parsers that parse querystring with objects, arrays, etc
+        ctx.oidc.body = querystring.parse(querystring.stringify(body));
+      } else {
+        ctx.oidc.body = body;
+      }
+    } catch (err) {
+      throw new InvalidRequest('failed to parse the request body');
+    }
+
+    await next();
+  } else if (ctx.get('content-type')) {
+    throw new InvalidRequest(`only ${cty} content-type bodies are supported on ${ctx.method} ${ctx.path}`);
+  } else {
+    ctx.oidc.body = {};
+    await next();
+  }
+}
+
+export default selectiveBody;
+export const json = selectiveBody.bind(undefined, 'application/json');
+export const urlencoded = selectiveBody.bind(undefined, 'application/x-www-form-urlencoded');

package/dist/node_modules/oidc-provider/lib/shared/session.js

@@ -0,0 +1,68 @@
+import instance from '../helpers/weak_cache.js';
+
+export default async function sessionHandler(ctx, next) {
+  ctx.oidc.session = new Proxy(await ctx.oidc.provider.Session.get(ctx), {
+    set(obj, prop, value) {
+      switch (prop) {
+        case 'touched':
+          Reflect.defineProperty(obj, 'touched', { writable: true, value });
+          break;
+        case 'destroyed':
+          Reflect.defineProperty(obj, 'destroyed', { configurable: false, writable: true, value });
+          Reflect.defineProperty(obj, 'touched', { configurable: false, writable: false, value: false });
+          break;
+        case 'accountId':
+          if (typeof value !== 'string' || !value) {
+            throw new TypeError(`accountId must be a non-empty string, got: ${typeof value}`);
+          }
+        default: // eslint-disable-line no-fallthrough
+          Reflect.set(obj, prop, value);
+          Reflect.defineProperty(obj, 'touched', { writable: true, value: true });
+      }
+
+      return true;
+    },
+  });
+
+  try {
+    await next();
+  } finally {
+    const sessionCookieName = ctx.oidc.provider.cookieName('session');
+    const longRegExp = new RegExp(`^${sessionCookieName}(?:\\.sig)?=`);
+
+    // refresh the session duration
+    if ((!ctx.oidc.session.new || ctx.oidc.session.touched) && !ctx.oidc.session.destroyed) {
+      let ttl = instance(ctx.oidc.provider).configuration.ttl.Session;
+
+      if (typeof ttl === 'function') {
+        ttl = ttl(ctx, ctx.oidc.session);
+      }
+
+      ctx.oidc.cookies.set(
+        sessionCookieName,
+        ctx.oidc.session.id,
+        instance(ctx.oidc.provider).configuration.cookies.long,
+      );
+      await ctx.oidc.session.save(ttl);
+    }
+
+    let setCookie = ctx.response.get('set-cookie');
+    if (setCookie) {
+      if (typeof setCookie === 'string') {
+        setCookie = [setCookie];
+      }
+      setCookie.forEach((cookie, index, ary) => {
+        /* eslint-disable no-param-reassign */
+        if (
+          !cookie.includes('expires=Thu, 01 Jan 1970')
+          && cookie.match(longRegExp)
+          && !ctx.oidc.session.transient
+          && ctx.oidc.session.exp
+        ) {
+          ary[index] += `; expires=${new Date(ctx.oidc.session.exp * 1000).toUTCString()}`;
+        }
+        /* eslint-enable */
+      });
+    }
+  }
+}

package/dist/node_modules/oidc-provider/lib/shared/set_www_authenticate_header.js

@@ -0,0 +1,52 @@
+import appendWWWAuthenticate from '../helpers/append_www_authenticate.js';
+import instance from '../helpers/weak_cache.js';
+import { InvalidDpopProof, UseDpopNonce } from '../helpers/errors.js';
+import { NoAccessTokenProvided } from '../helpers/oidc_context.js';
+
+export default function getSetWWWAuthenticateHeader({ tokenProperty = 'accessToken', includeScope = true, dpop } = {}) {
+  return async function setWWWAuthenticateHeader(ctx, next) {
+    try {
+      await next();
+    } catch (err) {
+      if (!err.expose || (dpop === false && err.statusCode !== 401)) throw err;
+
+      const conf = instance(ctx.oidc.provider);
+      const dpopEnabled = dpop !== false && conf.features.dPoP.enabled;
+      const scope = includeScope ? err.scope : undefined;
+      const algs = dpopEnabled ? conf.configuration.dPoPSigningAlgValues.join(' ') : undefined;
+
+      if (err instanceof NoAccessTokenProvided) {
+        appendWWWAuthenticate(ctx, 'Bearer', { realm: ctx.oidc.issuer, scope });
+        if (dpopEnabled) {
+          appendWWWAuthenticate(ctx, 'DPoP', { realm: ctx.oidc.issuer, scope, algs });
+        }
+
+        throw err;
+      }
+
+      let scheme = 'Bearer';
+
+      if (dpopEnabled) {
+        if (/dpop/i.test(err.error_description) || ctx.oidc[tokenProperty]?.jkt || ctx.get('DPoP')) {
+          scheme = 'DPoP';
+        }
+
+        // DPoP proof validation errors are not 401 by default, make them so
+        if (err instanceof InvalidDpopProof || err instanceof UseDpopNonce) {
+          // eslint-disable-next-line no-multi-assign
+          err.status = err.statusCode = 401;
+        }
+      }
+
+      appendWWWAuthenticate(ctx, scheme, {
+        realm: ctx.oidc.issuer,
+        error: err.error ?? err.message,
+        error_description: err.error_description,
+        scope,
+        ...(scheme === 'DPoP' ? { algs } : undefined),
+      });
+
+      throw err;
+    }
+  };
+}

package/dist/node_modules/oidc-provider/lib/views/index.js

@@ -0,0 +1,22 @@
+import { Eta } from 'eta/core';
+
+import layoutTemplate from './layout.js';
+import loginTemplate from './login.js';
+import interactionTemplate from './interaction.js';
+
+let eta;
+
+export const interaction = (locals) => {
+  eta ||= new Eta();
+  return eta.render(interactionTemplate, locals);
+};
+
+export const layout = (locals) => {
+  eta ||= new Eta();
+  return eta.render(layoutTemplate, locals);
+};
+
+export const login = (locals) => {
+  eta ||= new Eta();
+  return eta.render(loginTemplate, locals);
+};

package/dist/node_modules/oidc-provider/lib/views/interaction.js

@@ -0,0 +1,171 @@
+export const source = `<div class="login-client-image">
+  <% if (it.client.logoUri) { %><img src="<%= it.client.logoUri %>"><% } %>
+</div>
+
+<ul>
+<% if ([it.details.missingOIDCScope, it.details.missingOIDCClaims, it.details.missingResourceScopes, it.details.rar].filter(Boolean).length === 0) { %>
+  <li>the client is asking you to confirm previously given authorization</li>
+<% } %>
+
+<% let missingOIDCScope = new Set(it.details.missingOIDCScope); missingOIDCScope.delete('openid'); missingOIDCScope.delete('offline_access') %>
+<% if (missingOIDCScope.size) { %>
+  <li>scopes:</li>
+  <ul>
+    <% missingOIDCScope.forEach((scope) => { %>
+      <li><%= scope %></li>
+    <% }) %>
+  </ul>
+<% } %>
+
+<% let missingOIDCClaims = new Set(it.details.missingOIDCClaims); ['sub', 'sid', 'auth_time', 'acr', 'amr', 'iss'].forEach(Set.prototype.delete.bind(missingOIDCClaims)) %>
+<% if (missingOIDCClaims.size) { %>
+  <li>claims:</li>
+  <ul>
+    <% missingOIDCClaims.forEach((claim) => { %>
+      <li><%= claim %></li>
+    <% }) %>
+  </ul>
+<% } %>
+
+<% let missingResourceScopes = it.details.missingResourceScopes %>
+<% if (missingResourceScopes) { %>
+  <% for (const [indicator, scopes] of Object.entries(it.details.missingResourceScopes)) { %>
+    <li><%= indicator %>:</li>
+    <ul>
+      <% scopes.forEach((scope) => { %>
+        <li><%= scope %></li>
+      <% }) %>
+    </ul>
+  <% } %>
+<% } %>
+
+<% let rar = it.details.rar %>
+<% if (rar) { %>
+  <li>authorization_details:</li>
+  <ul>
+    <% for (const { type, ...detail } of it.details.rar) { %>
+      <li><pre><%= JSON.stringify({ type, ...detail }, null, 4) %></pre></li>
+    <% } %>
+  </ul>
+<% } %>
+
+<% if (it.params.scope?.includes('offline_access')) { %>
+  <li>
+  the client is asking to have offline access to this authorization
+    <% if ((!it.details.missingOIDCScope) || !it.details.missingOIDCScope.includes('offline_access')) { %>
+      (which you've previously granted)
+    <% } %>
+  </li>
+<% } %>
+
+</ul>
+
+<form autocomplete="off" action="<%= it.submitUrl %>" method="post">
+  <input type="hidden" name="prompt" value="consent"/>
+  <button autofocus type="submit" class="login login-submit">Continue</button>
+</form>
+`;
+
+/* eslint-disable */
+export default function interaction(it, options) {
+  let include = (template, data) => this.render(template, data, options);
+  let includeAsync = (template, data) => this.renderAsync(template, data, options);
+
+  let __eta = { res: "", e: this.config.escapeFunction, f: this.config.filterFunction };
+
+  function layout(path, data) {
+    __eta.layout = path;
+    __eta.layoutData = data;
+  }
+
+  __eta.res += '<div class="login-client-image">\n  ';
+  if (it.client.logoUri) {
+    __eta.res += '<img src="';
+    __eta.res += __eta.e(it.client.logoUri);
+    __eta.res += '">';
+  }
+  __eta.res += "</div>\n\n<ul>\n";
+  if (
+    [
+      it.details.missingOIDCScope,
+      it.details.missingOIDCClaims,
+      it.details.missingResourceScopes,
+      it.details.rar,
+    ].filter(Boolean).length === 0
+  ) {
+    __eta.res += "  <li>the client is asking you to confirm previously given authorization</li>\n";
+  }
+  __eta.res += "\n";
+  let missingOIDCScope = new Set(it.details.missingOIDCScope);
+  missingOIDCScope.delete("openid");
+  missingOIDCScope.delete("offline_access");
+  if (missingOIDCScope.size) {
+    __eta.res += "  <li>scopes:</li>\n  <ul>\n    ";
+    missingOIDCScope.forEach((scope) => {
+      __eta.res += "      <li>";
+      __eta.res += __eta.e(scope);
+      __eta.res += "</li>\n    ";
+    });
+    __eta.res += "  </ul>\n";
+  }
+  __eta.res += "\n";
+  let missingOIDCClaims = new Set(it.details.missingOIDCClaims);
+  ["sub", "sid", "auth_time", "acr", "amr", "iss"].forEach(
+    Set.prototype.delete.bind(missingOIDCClaims)
+  );
+  if (missingOIDCClaims.size) {
+    __eta.res += "  <li>claims:</li>\n  <ul>\n    ";
+    missingOIDCClaims.forEach((claim) => {
+      __eta.res += "      <li>";
+      __eta.res += __eta.e(claim);
+      __eta.res += "</li>\n    ";
+    });
+    __eta.res += "  </ul>\n";
+  }
+  __eta.res += "\n";
+  let missingResourceScopes = it.details.missingResourceScopes;
+  if (missingResourceScopes) {
+    __eta.res += "  ";
+    for (const [indicator, scopes] of Object.entries(it.details.missingResourceScopes)) {
+      __eta.res += "    <li>";
+      __eta.res += __eta.e(indicator);
+      __eta.res += ":</li>\n    <ul>\n      ";
+      scopes.forEach((scope) => {
+        __eta.res += "        <li>";
+        __eta.res += __eta.e(scope);
+        __eta.res += "</li>\n      ";
+      });
+      __eta.res += "    </ul>\n  ";
+    }
+  }
+  __eta.res += "\n";
+  let rar = it.details.rar;
+  if (rar) {
+    __eta.res += "  <li>authorization_details:</li>\n  <ul>\n    ";
+    for (const { type, ...detail } of it.details.rar) {
+      __eta.res += "      <li><pre>";
+      __eta.res += __eta.e(JSON.stringify({ type, ...detail }, null, 4));
+      __eta.res += "</pre></li>\n    ";
+    }
+    __eta.res += "  </ul>\n";
+  }
+  __eta.res += "\n";
+  if (it.params.scope?.includes("offline_access")) {
+    __eta.res +=
+      "  <li>\n  the client is asking to have offline access to this authorization\n    ";
+    if (!it.details.missingOIDCScope || !it.details.missingOIDCScope.includes("offline_access")) {
+      __eta.res += "      (which you've previously granted)\n    ";
+    }
+    __eta.res += "  </li>\n";
+  }
+  __eta.res += '\n</ul>\n\n<form autocomplete="off" action="';
+  __eta.res += __eta.e(it.submitUrl);
+  __eta.res +=
+    '" method="post">\n  <input type="hidden" name="prompt" value="consent"/>\n  <button autofocus type="submit" class="login login-submit">Continue</button>\n</form>\n';
+
+  if (__eta.layout) {
+    __eta.res = include(__eta.layout, { ...it, body: __eta.res, ...__eta.layoutData });
+  }
+
+  return __eta.res;
+}