@nu-art/user-account-backend 0.400.5

package/SlackReporter.d.ts

@@ -0,0 +1,8 @@
+import { Logger } from '@nu-art/ts-common';
+export declare class SlackReporter extends Logger {
+    private fallbackChannel;
+    report: string;
+    constructor(report: string);
+    sendReportToUser: (channel?: string) => Promise<void>;
+    sendReportToChannel: (channel?: string) => Promise<void>;
+}

package/SlackReporter.js

@@ -0,0 +1,27 @@
+import { Logger } from '@nu-art/ts-common';
+import { ModuleBE_Slack } from '@nu-art/slack-backend';
+import { MemKey_AccountEmail } from './_entity/session/index.js';
+export class SlackReporter extends Logger {
+    fallbackChannel = ModuleBE_Slack.getDefaultChannel();
+    report;
+    constructor(report) {
+        super('SlackReporter');
+        this.report = report;
+    }
+    sendReportToUser = async (channel) => {
+        try {
+            const userId = await ModuleBE_Slack.getUserIdByEmail(MemKey_AccountEmail.get());
+            if (!userId)
+                return this.sendReportToChannel(channel);
+            const dmId = await ModuleBE_Slack.openDM([userId]);
+            await ModuleBE_Slack.postMessage(this.report, dmId);
+        }
+        catch (err) {
+            this.logError('Failed to send report to user.\nSending to channel instead.\n', err);
+            return this.sendReportToChannel(channel);
+        }
+    };
+    sendReportToChannel = async (channel) => {
+        await ModuleBE_Slack.postMessage(this.report, channel ?? this.fallbackChannel);
+    };
+}

package/_entity/account/ModuleBE_AccountDB.d.ts

@@ -0,0 +1,97 @@
+import { DB_BaseObject, Dispatcher } from '@nu-art/ts-common';
+import { firestore } from 'firebase-admin';
+import { ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { FirestoreQuery } from '@nu-art/firebase-shared';
+import { _SessionKey_Account, Account_ChangePassword, Account_ChangeThumbnail, Account_CreateAccount, Account_Login, Account_RegisterAccount, Account_SetPassword, AccountEmail, AccountEmailWithDevice, AccountToAssertPassword, AccountToSpice, AccountType, DB_Account, DBProto_Account, PasswordAssertionConfig, SafeDB_Account, UI_Account } from '@nu-art/user-account-shared';
+import { BaseSessionClaims, CollectSessionData } from '../session/index.js';
+import Transaction = firestore.Transaction;
+type BaseAccount = {
+    email: string;
+    type: AccountType;
+};
+type SpicedAccount = BaseAccount & {
+    salt: string;
+    saltedPassword: string;
+};
+type AccountToCreate = SpicedAccount | BaseAccount;
+export interface OnNewUserRegistered {
+    __onNewUserRegistered(account: SafeDB_Account, transaction: Transaction): void;
+}
+export interface OnUserLogin {
+    __onUserLogin(account: SafeDB_Account, transaction: Transaction): void;
+}
+export interface OnPreLogout {
+    __onPreLogout: () => Promise<void>;
+}
+export declare const dispatch_onAccountLogin: Dispatcher<OnUserLogin, "__onUserLogin", [account: SafeDB_Account, transaction: firestore.Transaction], void>;
+export declare const dispatch_onPreLogout: Dispatcher<OnPreLogout, "__onPreLogout", [], void>;
+type Config = {
+    canRegister: boolean;
+    passwordAssertion?: PasswordAssertionConfig;
+    ignorePasswordAssertion?: boolean;
+};
+export declare class ModuleBE_AccountDB_Class extends ModuleBE_BaseDB<DBProto_Account, Config> implements CollectSessionData<_SessionKey_Account> {
+    readonly Middleware: () => Promise<void>;
+    constructor();
+    init(): void;
+    manipulateQuery(query: FirestoreQuery<DB_Account>): FirestoreQuery<DB_Account>;
+    canDeleteItems(dbItems: DB_Account[], transaction?: FirebaseFirestore.Transaction): Promise<void>;
+    __collectSessionData(data: BaseSessionClaims): Promise<{
+        key: "account";
+        value: {
+            hasPassword: boolean;
+            type: AccountType;
+            email: string;
+            description?: string | undefined;
+            displayName?: string | undefined;
+            thumbnail?: string | undefined;
+            _id: string;
+            __metadata1?: any;
+            __hardDelete?: boolean;
+            __created?: number | undefined;
+            __updated?: number | undefined;
+            _v?: string;
+            _originDocId?: import("@nu-art/ts-common").UniqueId;
+            salt?: string | undefined;
+            _auditorId?: string | undefined;
+            _newPasswordRequired?: boolean | undefined;
+            saltedPassword?: string | undefined;
+        };
+    }>;
+    protected preWriteProcessing(dbInstance: UI_Account, originalDbInstance: DBProto_Account['dbType'], transaction?: Transaction): Promise<void>;
+    impl: {
+        fixEmail: (objectWithEmail: {
+            email: string;
+        }) => void;
+        assertPasswordCheck: (accountToAssert: AccountToAssertPassword) => void;
+        spiceAccount: (accountToSpice: AccountToSpice) => SpicedAccount;
+        create: (accountToCreate: AccountToCreate, transaction: Transaction) => Promise<SafeDB_Account>;
+        setAccountMemKeys: (account: SafeDB_Account) => Promise<void>;
+        onAccountCreated: (account: SafeDB_Account, transaction: Transaction) => Promise<void>;
+        onAccountLogin: (account: SafeDB_Account, transaction: Transaction) => Promise<void>;
+        queryUnsafeAccount: (credentials: AccountEmail, transaction?: Transaction) => Promise<DB_Account>;
+        querySafeAccount: (credentials: AccountEmail, transaction?: Transaction) => Promise<SafeDB_Account>;
+    };
+    account: {
+        register: (accountWithPassword: Account_RegisterAccount["request"], transaction?: Transaction) => Promise<Account_RegisterAccount["response"]>;
+        login: (credentials: Account_Login["request"]) => Promise<Account_Login["response"]>;
+        create: (createAccountRequest: Account_CreateAccount["request"]) => Promise<Account_CreateAccount["response"]>;
+        saml: (oAuthAccount: AccountEmailWithDevice) => Promise<import("@nu-art/user-account-shared").DB_Session>;
+        changePassword: (passwordToChange: Account_ChangePassword["request"]) => Promise<Account_ChangePassword["response"]>;
+        setPassword: (passwordBody: Account_SetPassword["request"]) => Promise<Account_SetPassword["response"]>;
+        logout: () => Promise<void>;
+        getSessions: (query: DB_BaseObject) => Promise<{
+            sessions: import("@nu-art/user-account-shared").DB_Session[];
+        }>;
+        changeThumbnail: (request: Account_ChangeThumbnail["request"]) => Promise<Account_ChangeThumbnail["response"]>;
+    };
+    password: {
+        assertPasswordExistence: (email: string, password?: string, passwordCheck?: string) => void;
+        assertPasswordRules: (password: string) => void;
+        assertPasswordMatch: (safeAccount: SafeDB_Account, password: string) => Promise<void>;
+    };
+    private token;
+}
+export declare function makeAccountSafe(account: DB_Account): SafeDB_Account;
+export declare const ModuleBE_AccountDB: ModuleBE_AccountDB_Class;
+export {};

package/_entity/account/ModuleBE_AccountDB.js

@@ -0,0 +1,333 @@
+import { ApiException, BadImplementationException, cloneObj, compare, dispatch_onApplicationException, Dispatcher, exists, generateHex, hashPasswordWithSalt, md5, MUSTNeverHappenException, Year } from '@nu-art/ts-common';
+import { addRoutes, createBodyServerApi, createQueryServerApi, ModuleBE_BaseDB } from '@nu-art/thunderstorm-backend';
+import { FirestoreInterfaceV3 } from '@nu-art/firebase-backend/firestore-v3/FirestoreInterfaceV3';
+import { HttpCodes } from '@nu-art/ts-common/core/exceptions/http-codes';
+import { ApiDef_Account, assertPasswordRules, DBDef_Accounts } from '@nu-art/user-account-shared';
+import { Header_Authorization, MemKey_AccountEmail, MemKey_AccountId, MemKey_AccountType, MemKey_DB_Session, ModuleBE_SessionDB, SessionKey_Account_BE, } from '../session/index.js';
+import { ModuleBE_FailedLoginAttemptDB } from '../failed-login-attempt/index.js';
+export const dispatch_onAccountLogin = new Dispatcher('__onUserLogin');
+const dispatch_onAccountRegistered = new Dispatcher('__onNewUserRegistered');
+export const dispatch_onPreLogout = new Dispatcher('__onPreLogout');
+export class ModuleBE_AccountDB_Class extends ModuleBE_BaseDB {
+    Middleware = async () => {
+        const account = SessionKey_Account_BE.get();
+        MemKey_AccountEmail.set(account.email);
+        MemKey_AccountId.set(account._id);
+        MemKey_AccountType.set(account.type);
+    };
+    constructor() {
+        super(DBDef_Accounts);
+    }
+    init() {
+        super.init();
+        addRoutes([
+            createQueryServerApi(ApiDef_Account._v1.refreshSession, async () => {
+                this.logInfo(`Refreshing session for account id = ${MemKey_AccountId.get()}`);
+            }),
+            createBodyServerApi(ApiDef_Account._v1.registerAccount, this.account.register),
+            createBodyServerApi(ApiDef_Account._v1.changePassword, this.account.changePassword),
+            createBodyServerApi(ApiDef_Account._v1.login, this.account.login),
+            createBodyServerApi(ApiDef_Account._v1.createAccount, this.account.create),
+            createQueryServerApi(ApiDef_Account._v1.logout, this.account.logout),
+            createBodyServerApi(ApiDef_Account._v1.createToken, this.token.create),
+            createBodyServerApi(ApiDef_Account._v1.setPassword, this.account.setPassword),
+            createQueryServerApi(ApiDef_Account._v1.getSessions, this.account.getSessions),
+            createBodyServerApi(ApiDef_Account._v1.changeThumbnail, this.account.changeThumbnail),
+            createQueryServerApi(ApiDef_Account._v1.getPasswordAssertionConfig, async () => ({
+                config: this.config.ignorePasswordAssertion
+                    ? undefined
+                    : this.config.passwordAssertion
+            }))
+        ]);
+    }
+    manipulateQuery(query) {
+        return {
+            ...query,
+            select: ['__created', '_v', '__updated', 'email', '_newPasswordRequired', 'type', '_id', 'thumbnail', 'displayName', '_auditorId', 'description']
+        };
+    }
+    canDeleteItems(dbItems, transaction) {
+        throw HttpCodes._5XX.NOT_IMPLEMENTED('Account Deletion is not implemented yet');
+    }
+    async __collectSessionData(data) {
+        const account = await this.query.uniqueAssert(data.accountId);
+        return {
+            key: 'account',
+            value: {
+                ...makeAccountSafe(account),
+                hasPassword: !!account.saltedPassword,
+            },
+        };
+    }
+    async preWriteProcessing(dbInstance, originalDbInstance, transaction) {
+        try {
+            dbInstance._auditorId = MemKey_AccountId.get();
+        }
+        catch (e) {
+            dbInstance._auditorId = dbInstance._id;
+        }
+    }
+    impl = {
+        fixEmail: (objectWithEmail) => {
+            objectWithEmail.email = objectWithEmail.email.toLowerCase();
+        },
+        assertPasswordCheck: (accountToAssert) => {
+            this.password.assertPasswordExistence(accountToAssert.email, accountToAssert.password, accountToAssert.passwordCheck);
+            this.password.assertPasswordRules(accountToAssert.password);
+        },
+        spiceAccount: (accountToSpice) => {
+            const salt = generateHex(32);
+            return {
+                email: accountToSpice.email,
+                type: 'user',
+                salt,
+                saltedPassword: hashPasswordWithSalt(salt, accountToSpice.password)
+            };
+        },
+        create: async (accountToCreate, transaction) => {
+            let dbAccount = (await this.query.custom({
+                where: { email: accountToCreate.email },
+                limit: 1
+            }, transaction))[0];
+            if (dbAccount)
+                throw new ApiException(422, `User with email "${accountToCreate.email}" already exists`);
+            dbAccount = await this.create.item(accountToCreate, transaction);
+            return makeAccountSafe(dbAccount);
+        },
+        setAccountMemKeys: async (account) => {
+            MemKey_AccountId.set(account._id);
+            MemKey_AccountEmail.set(account.email);
+        },
+        onAccountCreated: async (account, transaction) => {
+            await dispatch_onAccountRegistered.dispatchModuleAsync(account, transaction);
+        },
+        onAccountLogin: async (account, transaction) => {
+            await dispatch_onAccountLogin.dispatchModuleAsync(account, transaction);
+        },
+        queryUnsafeAccount: async (credentials, transaction) => {
+            const firestoreQuery = FirestoreInterfaceV3.buildQuery(this.collection, { where: { email: credentials.email } });
+            let results;
+            if (transaction)
+                results = (await transaction.get(firestoreQuery)).docs;
+            else
+                results = (await firestoreQuery.get()).docs;
+            if (results.length !== 1)
+                if (results.length === 0) {
+                    const apiException = new ApiException(401, `There is no account for email '${credentials.email}'.`);
+                    await dispatch_onApplicationException.dispatchModuleAsync(apiException, this);
+                    throw apiException;
+                }
+                else if (results.length > 1) {
+                    this.logWarningBold(`Too many accounts using this email! '${credentials.email}'`);
+                    throw new MUSTNeverHappenException('Too many accounts using this email');
+                }
+            return results[0].data();
+        },
+        querySafeAccount: async (credentials, transaction) => {
+            const account = await this.impl.queryUnsafeAccount(credentials, transaction);
+            return makeAccountSafe(account);
+        }
+    };
+    account = {
+        // this flow is for creating real human users with email and password
+        register: async (accountWithPassword, transaction) => {
+            if (!this.config.canRegister)
+                throw new ApiException(418, 'Registration is disabled!!');
+            this.impl.fixEmail(accountWithPassword);
+            this.impl.assertPasswordCheck(accountWithPassword);
+            const spicedAccount = this.impl.spiceAccount({
+                email: accountWithPassword.email,
+                password: accountWithPassword.password
+            });
+            const dbSafeAccount = await this.runTransaction(async (transaction) => {
+                const dbSafeAccount = await this.impl.create(spicedAccount, transaction);
+                await this.impl.setAccountMemKeys(dbSafeAccount);
+                await this.impl.onAccountCreated(dbSafeAccount, transaction);
+                return dbSafeAccount;
+            });
+            await this.account.login({
+                email: accountWithPassword.email,
+                deviceId: accountWithPassword.deviceId,
+                password: accountWithPassword.password
+            });
+            return { ...dbSafeAccount };
+        },
+        login: async (credentials) => {
+            this.impl.fixEmail(credentials);
+            const safeAccount = await this.runTransaction(async (transaction) => {
+                const dbAccount = await this.impl.queryUnsafeAccount({ email: credentials.email }, transaction);
+                await this.password.assertPasswordMatch(dbAccount, credentials.password);
+                const safeAccount = makeAccountSafe(dbAccount);
+                MemKey_AccountId.set(safeAccount._id);
+                await this.impl.onAccountLogin(safeAccount, transaction);
+                return safeAccount;
+            });
+            const initialClaims = {
+                accountId: safeAccount._id,
+                deviceId: credentials.deviceId,
+                label: 'password-login'
+            };
+            await ModuleBE_SessionDB._session.create.andReturn({ initialClaims });
+            return safeAccount;
+        },
+        create: async (createAccountRequest) => {
+            const password = createAccountRequest.password;
+            let dbSafeAccount;
+            this.impl.fixEmail(createAccountRequest);
+            return this.runTransaction(async (transaction) => {
+                if (exists(password) || exists(createAccountRequest.passwordCheck)) {
+                    this.impl.assertPasswordCheck(createAccountRequest);
+                    const spicedAccount = this.impl.spiceAccount(createAccountRequest);
+                    dbSafeAccount = await this.impl.create(spicedAccount, transaction);
+                }
+                else
+                    dbSafeAccount = await this.impl.create(createAccountRequest, transaction);
+                await this.impl.onAccountCreated(dbSafeAccount, transaction);
+                return dbSafeAccount;
+            });
+        },
+        saml: async (oAuthAccount) => {
+            this.impl.fixEmail(oAuthAccount);
+            const dbSafeAccount = await this.runTransaction(async (transaction) => {
+                let dbSafeAccount;
+                try {
+                    dbSafeAccount = await this.impl.querySafeAccount({ ...oAuthAccount }, transaction);
+                    this.logInfo('SAML login account');
+                    MemKey_AccountId.set(dbSafeAccount._id);
+                    await this.impl.onAccountLogin(dbSafeAccount, transaction);
+                }
+                catch (e) {
+                    if (e.responseCode !== 401)
+                        throw e;
+                    this.logInfo('SAML register account');
+                    dbSafeAccount = await this.impl.create({ email: oAuthAccount.email, type: 'user' }, transaction);
+                    MemKey_AccountId.set(dbSafeAccount._id);
+                    await this.impl.onAccountCreated(dbSafeAccount, transaction);
+                }
+                return dbSafeAccount;
+            });
+            const initialClaims = { accountId: dbSafeAccount._id, deviceId: oAuthAccount.deviceId, label: 'saml-login' };
+            return ModuleBE_SessionDB._session.create({ initialClaims });
+        },
+        changePassword: async (passwordToChange) => {
+            return this.runTransaction(async (transaction) => {
+                const email = MemKey_AccountEmail.get();
+                const deviceId = MemKey_DB_Session.get().deviceId;
+                await this.account.login({ email, deviceId, password: passwordToChange.oldPassword }); // perform login to make sure the old password holds
+                if (!compare(passwordToChange.password, passwordToChange.passwordCheck))
+                    throw HttpCodes._4XX.UNAUTHORIZED('Password check mismatch');
+                const safeAccount = await this.impl.querySafeAccount({ email });
+                this.impl.assertPasswordCheck({
+                    email,
+                    password: passwordToChange.password,
+                    passwordCheck: passwordToChange.passwordCheck
+                });
+                const spicedAccount = this.impl.spiceAccount({ email, password: passwordToChange.password });
+                const updatedAccount = await this.set.item({
+                    ...safeAccount,
+                    salt: spicedAccount.salt,
+                    saltedPassword: spicedAccount.saltedPassword
+                }, transaction);
+                const initialClaims = {
+                    accountId: updatedAccount._id,
+                    deviceId,
+                    label: 'password-change'
+                };
+                await ModuleBE_SessionDB._session.create.andReturn({ initialClaims });
+                return makeAccountSafe(updatedAccount);
+            });
+        },
+        setPassword: async (passwordBody) => {
+            return this.runTransaction(async (transaction) => {
+                const email = MemKey_AccountEmail.get();
+                const deviceId = MemKey_DB_Session.get().deviceId;
+                const dbAccount = await this.impl.queryUnsafeAccount({ email }, transaction);
+                if (dbAccount.saltedPassword)
+                    throw HttpCodes._4XX.FORBIDDEN('account already has password');
+                const safeAccount = makeAccountSafe(dbAccount);
+                this.impl.assertPasswordCheck({ email, ...passwordBody });
+                const spicedAccount = this.impl.spiceAccount({ email, password: passwordBody.password });
+                const updatedAccount = await this.set.item({
+                    ...safeAccount,
+                    salt: spicedAccount.salt,
+                    saltedPassword: spicedAccount.saltedPassword
+                }, transaction);
+                const initialClaims = {
+                    accountId: updatedAccount._id,
+                    deviceId,
+                    label: 'password-set'
+                };
+                await ModuleBE_SessionDB._session.create.andReturn({ initialClaims });
+                return makeAccountSafe(updatedAccount);
+            });
+        },
+        logout: async () => {
+            const sessionId = Header_Authorization.get();
+            if (!sessionId)
+                throw HttpCodes._4XX.FORBIDDEN('Missing sessionId');
+            await dispatch_onPreLogout.dispatchModuleAsync();
+            await ModuleBE_SessionDB._session.invalidate.bySession();
+        },
+        getSessions: async (query) => {
+            return { sessions: await ModuleBE_SessionDB.query.where({ accountId: query._id }) };
+        },
+        changeThumbnail: async (request) => {
+            const account = await this.doc.unique(request.accountId);
+            if (!account)
+                throw HttpCodes._4XX.NOT_FOUND('Could not change account thumbnail', `Could not find account with id ${request.accountId}`);
+            await account.ref.update({ thumbnail: request.hash });
+            return {
+                account: (await account.get()),
+            };
+        }
+    };
+    password = {
+        assertPasswordExistence: (email, password, passwordCheck) => {
+            if (!password || !passwordCheck)
+                throw HttpCodes._4XX.BAD_REQUEST(`Did not receive a password`, `Did not receive a password for email ${email}.`);
+            if (password !== passwordCheck)
+                throw HttpCodes._4XX.BAD_REQUEST(`Password check does not match`, `Password does not match password check for email ${email}.`);
+        },
+        assertPasswordRules: (password) => {
+            const assertPassword = assertPasswordRules(password, this.config.passwordAssertion);
+            if (assertPassword)
+                throw new ApiException(444, `Password assertion failed`).setErrorBody({
+                    type: 'password-assertion-error',
+                    data: assertPassword,
+                });
+        },
+        assertPasswordMatch: async (safeAccount, password) => {
+            if (!safeAccount.salt || !safeAccount.saltedPassword)
+                throw new ApiException(401, 'Account was never logged in using username and password, probably logged using SAML');
+            if (hashPasswordWithSalt(safeAccount.salt, password) !== safeAccount.saltedPassword) {
+                await ModuleBE_FailedLoginAttemptDB.updateFailedLoginAttempt(safeAccount._id); // first update login attempt
+                throw new ApiException(401, 'Wrong username or password.');
+            }
+        }
+    };
+    // @ts-ignore
+    token = {
+        create: async ({ accountId, ttl, label }) => {
+            if (!exists(ttl) || ttl < Year)
+                throw HttpCodes._4XX.BAD_REQUEST('Invalid token TTL', `TTL value is invalid (${ttl})`);
+            const account = await this.query.unique(accountId);
+            if (!account)
+                throw new BadImplementationException(`Account not found for id ${accountId}`);
+            if (account.type !== 'service')
+                throw new BadImplementationException('Can not generate a token for a non service account');
+            const initialClaims = { accountId, deviceId: accountId, label };
+            const dbSession = await ModuleBE_SessionDB._session.create({ initialClaims }, ttl);
+            // sessionId here is the JWT that is created and placed inside DB_Session.sessionIdJWT
+            return { token: dbSession.sessionIdJwt };
+        },
+        invalidate: async (token) => await ModuleBE_SessionDB.delete.where({ _id: md5(token) }),
+        invalidateAll: async (accountId) => await ModuleBE_SessionDB.delete.where({ accountId })
+    };
+}
+export function makeAccountSafe(account) {
+    const uiAccount = cloneObj(account);
+    delete uiAccount.salt;
+    delete uiAccount.saltedPassword;
+    return uiAccount;
+}
+export const ModuleBE_AccountDB = new ModuleBE_AccountDB_Class();

package/_entity/account/ModuleBE_SAML.d.ts

@@ -0,0 +1,37 @@
+import { IdentityProvider, IdentityProviderOptions, ServiceProviderOptions } from 'saml2-js';
+import { Module } from '@nu-art/ts-common';
+import { SAML_Assert, SAML_Login } from '@nu-art/user-account-shared';
+/**
+ * SAML config, when filling in the RTDB, should look like this:
+ * ```
+ * ModuleBE_SAML: {
+ *   idConfig: {
+ *     sso_login_url: string - the accounts.google url for login
+ *     sso_logout_url: string - the accounts.google url for login (optional)
+ *     certificates: string[] - only one necessary, the cert for login
+ *     ignore_signature: boolean - should be true
+ *   },
+ *   spConfig: {
+ *   		allow_unencrypted_assertion: boolean - should be true
+ *			assert_endpoint: string - the BE endpoint for the account assertion
+ *			entity_id: string - the entityID from the google SAML project.
+ *   }
+ * }
+ * ```
+ */
+type SamlConfig = {
+    idConfig: IdentityProviderOptions;
+    spConfig: ServiceProviderOptions;
+};
+export declare class ModuleBE_SAML_Class extends Module<SamlConfig> {
+    identityProvider: IdentityProvider;
+    constructor();
+    protected init(): void;
+    assertSaml: (body: SAML_Assert["request"]) => Promise<SAML_Assert["response"]>;
+    loginRequest: (loginContext: SAML_Login["request"]) => Promise<{
+        loginUrl: string;
+    }>;
+    private assertImpl;
+}
+export declare const ModuleBE_SAML: ModuleBE_SAML_Class;
+export {};

package/_entity/account/ModuleBE_SAML.js

@@ -0,0 +1,92 @@
+/*
+ * User secured registration and login management system..
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { IdentityProvider, ServiceProvider } from 'saml2-js';
+import { __stringify, ApiException, decode, ImplementationMissingException, LogLevel, Module, MUSTNeverHappenException } from '@nu-art/ts-common';
+import { addRoutes, createBodyServerApi, createQueryServerApi } from '@nu-art/thunderstorm-backend';
+import { MemKey_HttpResponse } from '@nu-art/thunderstorm-backend/modules/server/consts';
+import { ModuleBE_AccountDB } from './ModuleBE_AccountDB.js';
+import { ApiDef_SAML, QueryParam_Email, QueryParam_RedirectUrl, QueryParam_SessionId } from '@nu-art/user-account-shared';
+import { MemKey_AccountEmail } from '../session/index.js';
+export class ModuleBE_SAML_Class extends Module {
+    identityProvider;
+    constructor() {
+        super();
+        this.setMinLevel(LogLevel.Debug);
+    }
+    init() {
+        super.init();
+        if (!this.config.idConfig)
+            throw new ImplementationMissingException('Config must contain idConfig');
+        if (!this.config.spConfig)
+            throw new ImplementationMissingException('Config must contain spConfig');
+        addRoutes([
+            createQueryServerApi(ApiDef_SAML._v1.loginSaml, this.loginRequest),
+            createBodyServerApi(ApiDef_SAML._v1.assertSAML, this.assertSaml),
+        ]);
+        this.config.idConfig.certificates = this.config.idConfig.certificates.map(cert => decode(cert));
+        this.identityProvider = new IdentityProvider(this.config.idConfig);
+    }
+    assertSaml = async (body) => {
+        try {
+            this.logDebug('assertion called with body:', body);
+            const data = await this.assertImpl(body);
+            this.logDebug(`Got data from assertion ${__stringify(data)}`);
+            const accountWithoutPassword = { email: data.userId.toLowerCase(), deviceId: data.loginContext.deviceId, type: 'user' };
+            MemKey_AccountEmail.set(accountWithoutPassword.email);
+            const dbSession = await ModuleBE_AccountDB.account.saml(accountWithoutPassword);
+            let redirectUrl = data.loginContext[QueryParam_RedirectUrl];
+            redirectUrl = redirectUrl.replace(new RegExp(QueryParam_SessionId.toUpperCase(), 'g'), encodeURIComponent(dbSession.sessionIdJwt));
+            redirectUrl = redirectUrl.replace(new RegExp(QueryParam_Email.toUpperCase(), 'g'), encodeURIComponent(accountWithoutPassword.email));
+            MemKey_HttpResponse.get().redirect(302, redirectUrl);
+        }
+        catch (error) {
+            throw new ApiException(401, 'Error authenticating user', error);
+        }
+    };
+    loginRequest = async (loginContext) => {
+        return new Promise((resolve, rejected) => {
+            const sp = new ServiceProvider(this.config.spConfig);
+            const options = {
+                relay_state: __stringify(loginContext)
+            };
+            sp.create_login_request_url(this.identityProvider, options, (error, loginUrl, requestId) => {
+                console.log('SAML 2');
+                if (error)
+                    return rejected(error);
+                resolve({ loginUrl });
+            });
+        });
+    };
+    assertImpl = async (request_body) => new Promise((resolve, rejected) => {
+        const assertBody = { request_body };
+        const sp = new ServiceProvider(this.config.spConfig);
+        sp.post_assert(this.identityProvider, assertBody, async (error, response) => {
+            if (error)
+                return rejected(error);
+            const relay_state = assertBody.request_body.RelayState;
+            if (!relay_state)
+                return rejected(new MUSTNeverHappenException('LoginContext lost along the way'));
+            resolve({
+                userId: response.user.name_id,
+                loginContext: JSON.parse(relay_state),
+                fullResponse: response
+            });
+        });
+    });
+}
+export const ModuleBE_SAML = new ModuleBE_SAML_Class();

package/_entity/account/index.d.ts

@@ -0,0 +1,3 @@
+export * from './ModuleBE_AccountDB.js';
+export * from './ModuleBE_SAML.js';
+export * from './module-pack.js';

package/_entity/account/index.js

@@ -0,0 +1,3 @@
+export * from './ModuleBE_AccountDB.js';
+export * from './ModuleBE_SAML.js';
+export * from './module-pack.js';

package/_entity/account/module-pack.d.ts

@@ -0,0 +1,3 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_AccountDB: Module[];
+export declare const ModulePackBE_SAML: Module[];

package/_entity/account/module-pack.js

@@ -0,0 +1,7 @@
+import { createApisForDBModuleV3 } from '@nu-art/thunderstorm-backend';
+import { ModuleBE_AccountDB } from './ModuleBE_AccountDB.js';
+import { ModuleBE_SAML } from './ModuleBE_SAML.js';
+export const ModulePackBE_AccountDB = [
+    ModuleBE_AccountDB, createApisForDBModuleV3(ModuleBE_AccountDB),
+];
+export const ModulePackBE_SAML = [ModuleBE_SAML];