@nsshunt/stsoauth2plugin 0.1.52 → 0.1.56

package/src/stsoauth2manager.ts

@@ -0,0 +1,365 @@
+import Debug from "debug";
+const debug = Debug(`proc:${process.pid}:stsoauth2manager.ts`);
+
+import { JSONObject, OAuth2ParameterType } from '@nsshunt/stsutils';
+
+import CryptoUtils from './Utils/CryptoUtils'
+import QueryParams from './Utils/QueryParams';
+
+import { IAuthorizeOptions, IAuthorizeResponse, IAuthorizeErrorResponse, AuthenticateEvent,
+	ISTSOAuth2ManagerOptions, IOauth2ListenerMessage, IOauth2ListenerMessageResponse, 
+	IOauth2ListenerCommand, ISTSOAuth2WorkerMessage, StsOauth2WorkerFactory } from './stsoauth2types'
+
+import { IStsStorage, ClientStorageType, ClientStorageFactory } from './stsStorage'
+
+import { Gauge, InstrumentBaseTelemetry } from '@nsshunt/stsinstrumentation'
+
+import jwt_decode from "jwt-decode";
+
+// STS Client SDK for SPAs
+export class STSOAuth2Manager {
+	#storageManager = null;
+	#router: any = null;
+	#store = null;
+	#cUtils = new CryptoUtils();
+	#qParams = new QueryParams();
+	#STORAGE_AUTHORIZE_OPTIONS_KEY = 'authorize_options.stsmda.com.au';
+	#STORAGE_SESSION_KEY = 'session.stsmda.com.au';
+	#aic = null;
+	#options: ISTSOAuth2ManagerOptions = null;
+	#messages: Record<number, IOauth2ListenerMessage> = { };
+	#oauth2ManagerPort: MessagePort;
+	#messageId = 0;
+	#messageHandlers: Record<number, any> = { }; // keyed by messageId
+	#messageTimeout = 1000;
+	#worker: Worker = null;
+	#transactionStore: IStsStorage<IAuthorizeOptions> = null; // Transient transaction data used to establish a session via OAuth2 authorize handshake
+
+	constructor(app, options: ISTSOAuth2ManagerOptions) {
+		this.#options = options;
+		this.#storageManager = app.config.globalProperties.$sts.storage;
+		this.#store = app.config.globalProperties.$store;
+		this.#aic = app.config.globalProperties.$sts.aic.PrimaryPublishInstrumentController;
+		this.#router = app.config.globalProperties.$router;
+
+		// Use session storage for the transient nature of the OAuth2 authorize handshake. Once completed, the storage will be removed.
+		this.#transactionStore = new ClientStorageFactory<IAuthorizeOptions>({clientStorageType: ClientStorageType.SESSION_STORAGE}).GetStorage();
+
+		this.#worker = this.#options.workerFactory();
+		
+		this.#worker.onmessage = (data: MessageEvent) => {
+			console.log(`this.#worker.onmessage = [${data}]`); // green
+		};
+
+		this.#worker.onerror = function(error) {
+			console.log(`this.#worker.onerror = [${JSON.stringify(error)}]`); // green
+		};
+
+		const { 
+			port1: oauth2ManagerPort, // process message port
+			port2: oauth2WorkerPort  // collector message port
+		} = new MessageChannel();
+		this.#oauth2ManagerPort = oauth2ManagerPort;
+
+		const workerMessage: ISTSOAuth2WorkerMessage = {
+			workerPort: oauth2WorkerPort,
+			options: this.#options.workerOptions
+		}
+
+		this.#worker.postMessage(workerMessage, [ oauth2WorkerPort ]);
+
+		this.#oauth2ManagerPort.onmessage = (data: MessageEvent) => {
+			this.#ProcessMessageResponse(data);
+		}
+
+		this.#SetupStoreNamespace();
+		this.#SetupRoute(app, this.#router);
+	}
+
+	#ProcessMessageResponse = (data: MessageEvent) => {
+		const messageResponse: IOauth2ListenerMessageResponse = data.data as IOauth2ListenerMessageResponse;
+		if (messageResponse.messageId === -1) {
+			// unsolicted message
+			switch (messageResponse.command) {
+			case IOauth2ListenerCommand.AUTHENTICATE_EVENT :
+				this.#HandleAuthenticateEvent(messageResponse.payload as string);
+				break;
+			case IOauth2ListenerCommand.ERROR :
+				this.#HandleErrorEvent(messageResponse.payload as JSONObject);
+				break;
+			case IOauth2ListenerCommand.LOG :
+				this.#HandleLogEvent(messageResponse.payload as string);
+				break;
+			case IOauth2ListenerCommand.UPDATE_INSTRUMENT :
+				this.#HandleUpdateInstrumentEvent(messageResponse.payload.instrumentName, messageResponse.payload.telemetry);
+				break;
+			default :
+				throw new Error(`ProcessMessageResponse command [${messageResponse.command}] not valid.`);
+			}
+		} else {
+			const callBack = this.#messageHandlers[messageResponse.messageId];
+			if (callBack) {
+				callBack(messageResponse);
+			} else {
+				throw new Error(`Message: [${messageResponse.messageId}] does not exists in callBacks.`);
+			}
+		}
+	}
+
+	#PostMessage = (message: IOauth2ListenerMessage): Promise<IOauth2ListenerMessageResponse> => {
+		message.messageId = this.#messageId++;
+
+		return new Promise<IOauth2ListenerMessageResponse>((resolve, reject) => {
+			// Setup message timeout
+			const timeout: NodeJS.Timeout = setTimeout(() => {
+				delete this.#messageHandlers[message.messageId];
+				reject(`Message: [${message.messageId}] timeout error after: [${this.#messageTimeout}] ms.`);
+			}, this.#messageTimeout);
+
+			// Setup message callback based on messageId
+			this.#messageHandlers[message.messageId] = (response: IOauth2ListenerMessageResponse) => {
+				clearTimeout(timeout);
+				delete this.#messageHandlers[message.messageId];
+				resolve(response);
+			}
+
+			// Send the message
+			this.#oauth2ManagerPort.postMessage(message);	
+		});
+	}
+
+	#HandleLogEvent = (message: string): void => {
+		if (this.#aic) {
+			this.#aic.LogEx(message);
+		}
+		debug(message);
+	}
+
+	// UpdateInstrument = (instrumentName: Gauge, telemetry: InstrumentBaseTelemetry): void => {
+	#HandleUpdateInstrumentEvent = (instrumentName: Gauge, telemetry: InstrumentBaseTelemetry): void => {
+		if (this.#aic) {
+			this.#aic.UpdateInstrument(instrumentName, telemetry);
+		}
+	}
+
+	// Will come from message channel
+	#HandleErrorEvent = (error: JSONObject): void => {
+		this.#store.commit('AuthorizeError', { 
+			message: error
+		});
+		// plugin to do this ...
+		setTimeout(() => {
+			this.#router.replace('/error'); //@@ was push
+		}, 0);
+	}
+
+	#HandleAuthenticateEvent: AuthenticateEvent = (id_token: string): void => {
+		if (this.#options.authenticateEvent) {
+			this.#options.authenticateEvent(id_token);
+		}
+		this.#store.commit('stsOAuth2SDK/SessionData', id_token);
+	}
+
+	#SetupRoute = (app, router) => {
+		router.beforeEach(async (to, from) => {
+			const store = app.config.globalProperties.$store;
+			const sts = app.config.globalProperties.$sts;
+	
+			debug(`beforeEach: from: [${from.path}], to: [${to.path}]`); // gray
+			if (store.getters['stsOAuth2SDK/LoggedIn'] === false) {
+				console.log(`Not logged in`);
+				// Not logged in
+				if (to.path.localeCompare('/authorize') === 0) {
+					console.log(`to = /authorize`);
+					return true;
+				} else if (to.path.localeCompare('/consent') === 0) {
+					// Need to check if we are in the correct state, if not - drop back to the start of the process
+					if (typeof store.getters.Session.sessionId !== 'undefined') {
+						return true;
+					}
+				}
+				if (to.path.localeCompare('/logout') === 0) {
+					return true;
+				}
+				if (to.path.localeCompare('/error') === 0) {
+					return true;
+				}
+				if (to.path.localeCompare('/logout') === 0) {
+					return true;
+				}
+		
+				const str = to.query;
+				// Check if this route is from a redirect from the authorization server
+				if (str[OAuth2ParameterType.CODE] || str[OAuth2ParameterType.ERROR]) {
+			
+					console.log(`#SetupRout:str = [${str}]`);
+
+					const retVal: boolean = await sts.om.HandleRedirect(str);
+					if (retVal) {
+						// Success
+						setTimeout(() => {
+							window.history.replaceState(
+								{},
+								document.title,
+								window.location.origin + '/');
+						}, 0);
+						return true;
+					} else {
+						// Error
+						//@@ need the error data here - or use the vuex store ?
+						this.#router.replace('/error'); //@@ was push
+
+						//@@ should replaceState be used as in above?
+						return false;
+					}
+				}
+		
+				const sessionRestored = await sts.om.RestoreSession();
+				console.log(`#SetupRoute:sessionRestored [${sessionRestored}]`);
+
+				if (sessionRestored !== true) {
+					console.log('Session not restored - Need to Authorize');
+					sts.om.Authorize();
+					return false;
+				} else {
+					return '/';
+					//router.replace({ path: '/' })
+				}
+			} else {
+				// Prevent pages if already logged in
+				if (to.path.localeCompare('/consent') === 0) {
+					return '/';
+					/*
+					router.replace({ path: '/' })
+					return false;
+					*/
+				}
+				if (to.path.localeCompare('/authorize') === 0) {
+					router.replace({ path: '/' })
+					return false;
+				}
+				if (to.path.localeCompare('/logout') === 0) {
+					router.replace({ path: '/' })
+					return false;
+				}
+				return true;
+		
+				/*
+				if (to.path.localeCompare('/') === 0) {
+					// In case press the back button in the browser shows previous query string params, replace them ...
+					setTimeout(() => {
+						window.history.replaceState(
+							{},
+							document.title,
+							window.location.origin + '/');
+					}, 0);
+					return true;
+				}
+				*/
+			}
+		})
+	}
+
+	// Replace with pinia
+	// https://pinia.vuejs.org/
+	// https://seb-l.github.io/pinia-plugin-persist/
+	#SetupStoreNamespace = () => {
+		this.#store.registerModule('stsOAuth2SDK', {
+			namespaced: true,
+		
+			state () {
+				return {
+					// STS Client SDK options. These are parameters initiated by the client SPA and used for the end-to-end transaction processing.
+					//authorizeOptions: { },
+		
+					sessionData: { },
+				}
+			},
+		
+			getters: {
+				SessionData (state) {
+					return state.sessionData;
+				},
+				LoggedIn (state) {
+					if (typeof state.sessionData === 'undefined') {
+						return false;
+					}
+					if (state.sessionData === null) {
+						return false;
+					}
+					return true;
+				},
+				UserDetails (state) {
+					//if (state.sessionData && state.sessionData.id_token) {
+					if (state.sessionData) {
+						const id_token = state.sessionData;
+						const decodedIdToken = jwt_decode(id_token);
+						return decodedIdToken;
+					} else {
+						return null;
+					}
+				}
+			},
+		
+			mutations: {
+				SessionData (state, sessionData) {
+					state.sessionData = sessionData;
+					console.log(`commit [sessionData]: ${JSON.stringify(sessionData)}`)
+				},
+			}
+		}, { preserveState: true });
+	}
+		
+	RestoreSession = async(): Promise<boolean> => {
+		try {
+			const response: IOauth2ListenerMessageResponse = await this.#PostMessage({ command: IOauth2ListenerCommand.RESTORE_SESSION });
+			return response.payload;
+		} catch (error) {
+			console.log(`RestoreSession Error: ${error}`); //red
+			return false;
+		}
+	}
+
+	Authorize = async (): Promise<void> => {
+		try {
+			const response: IOauth2ListenerMessageResponse = await this.#PostMessage({ command: IOauth2ListenerCommand.AUTHORIZE });
+			this.#transactionStore.set(this.#STORAGE_AUTHORIZE_OPTIONS_KEY, response.payload.authorizeOptions);
+			const url = response.payload.url;
+			window.location.replace(url);
+		} catch (error) {
+			console.log(`Authorize Error: ${error}`); // red
+		}
+	}
+
+	HandleRedirect = async (queryVars: JSONObject): Promise<boolean> => {
+		try {
+			let response: IOauth2ListenerMessageResponse = null;
+			if (queryVars[OAuth2ParameterType.CODE]) {
+
+				const authorizeOptions: IAuthorizeOptions = this.#transactionStore.get(this.#STORAGE_AUTHORIZE_OPTIONS_KEY) as IAuthorizeOptions;
+				this.#transactionStore.remove(this.#STORAGE_AUTHORIZE_OPTIONS_KEY);
+
+				response = await this.#PostMessage({ command: IOauth2ListenerCommand.HANDLE_REDIRECT, payload: {
+					queryVars: queryVars as IAuthorizeResponse,
+					authorizeOptions
+				}});
+			} else {
+				response = await this.#PostMessage({ command: IOauth2ListenerCommand.HANDLE_REDIRECT, payload: queryVars as IAuthorizeErrorResponse });
+			}
+			return response.payload;
+		} catch (error) {
+			console.log(`HandleRedirect Error: ${error}`); // red
+			return false;
+		}
+	}
+
+	Logout = async (): Promise<boolean> => {
+		try {
+			const response: IOauth2ListenerMessageResponse = await this.#PostMessage({ command: IOauth2ListenerCommand.LOGOUT });
+			return response.payload;
+		} catch (error) {
+			console.log(`Logout Error: ${error}`); // red
+			return false;
+		}
+	}
+}

package/src/stsoauth2types.ts

@@ -0,0 +1,133 @@
+export enum AuthorizeOptionsResponseType {
+	CODE = 'code',
+	ID_TOKEN = 'id_token',
+	TOKEN = 'token'
+}
+
+export enum AuthorizeOptionsResponseMode {
+	QUERY = 'query',
+	FRAGMENT = 'fragment',
+	FORM_POST = 'form_post'
+}
+
+// https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+export interface IAuthorizeOptions {
+	client_id: string,
+	nonce: string,
+	response_type: AuthorizeOptionsResponseType[], // Must include: 'code' and may include: 'id_token' and/or 'token'
+	redirect_uri: string,
+	response_mode: AuthorizeOptionsResponseMode
+	scope: string, // A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the request, this parameter can cover multiple resources. This value allows your app to get consent for multiple web APIs you want to call.
+	state: string, // Client application state (if required)
+	code_challenge: string,
+	code_challenge_method: string, //@@ enum S256
+	code_verifier?: string
+}
+
+export interface IAuthorizeResponse {
+	state: string, // state passed to authorize end-point
+	code: string // authorization code
+}
+
+export interface IAuthorizeErrorResponse {
+	error: string, 
+	error_description: string 
+}
+
+export enum OAuthGrantTypes {
+	CLIENT_CREDENTIALS = 'client_credentials',
+	AUTHORIZATION_CODE = 'authorization_code',
+	REFRESH_TOKEN = 'refresh_token'
+}
+
+export interface IAuthorizationCodeFlowParameters {
+	client_id: string,
+	scope: string,
+	code: string,
+	redirect_uri: string, // URI
+	grant_type: OAuthGrantTypes, // 'authorization_code', //@@ need enum
+	code_verifier: string
+}
+
+export interface IRefreshFlowParameters {
+	client_id: string,
+	scope: string,
+	refresh_token: string, // JWT
+	grant_type: OAuthGrantTypes // 'refresh_token' //@@ enum
+}
+
+export interface ITokenResponse {
+    access_token: string, // JWT
+    token_type: string, //@@ "Bearer" only
+    expires_in: number,
+    scope: string,
+    refresh_token: string, // JWT
+    id_token: string, // JWT
+}
+
+export interface ITokenErrorResponse {
+	error: string,
+	error_description: string,
+	error_codes: number[],
+	timestamp: number
+	details: unknown //@@ STS attribute ?
+	//"trace_id": "255d1aef-8c98-452f-ac51-23d051240864", //@@ MS attribute
+	//"correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7" //@@ MS attribute
+}
+
+export type AuthenticateEvent = (id_token: string) => void;
+
+// ---------------
+
+export enum IOauth2ListenerCommand {
+	RESTORE_SESSION = 'RestoreSession',
+	AUTHORIZE = 'Authorize',
+	HANDLE_REDIRECT = 'HandleRedirect',
+	LOGOUT = 'Logout',
+	AUTHENTICATE_EVENT = 'AuthenticateEvent',
+	ERROR = 'Error',
+	LOG = '__LOG',
+	UPDATE_INSTRUMENT = '__UPDATE_INSTRUMENT'
+}
+
+export interface IOauth2ListenerMessage {
+	messageId?: number
+	command: IOauth2ListenerCommand
+	payload?: any
+}
+
+export interface IOauth2ListenerMessageResponse {
+	messageId: number
+	command: IOauth2ListenerCommand
+	payload: any
+}
+
+export type StsOauth2WorkerFactory = () => Worker
+
+export interface ISTSOAuth2WorkerOptions {
+	client_id: string
+	scope: string
+	redirect_uri: string
+	audience: string
+	
+	brokerendpoint: string
+	brokerport: string
+	brokerapiroot: string
+	
+	authorizeendpoint: string
+	authorizeport: string
+	authorizeapiroot: string
+	
+	timeout: number
+}
+
+export interface ISTSOAuth2ManagerOptions {
+	authenticateEvent?: AuthenticateEvent
+	workerFactory?: StsOauth2WorkerFactory
+	workerOptions: ISTSOAuth2WorkerOptions
+}
+
+export interface ISTSOAuth2WorkerMessage {
+	workerPort: MessagePort,
+	options: ISTSOAuth2WorkerOptions
+}