npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/src/modules/sso/lib/scim-mapper.ts ADDED Viewed

@@ -0,0 +1,88 @@
+import type { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { SsoIdentity, SsoUserDeactivation } from '../data/entities'
+import { coerceBoolean } from './scim-utils'
+const SCIM_USER_SCHEMA = 'urn:ietf:params:scim:schemas:core:2.0:User'
+export interface ScimUserResource {
+  schemas: string[]
+  id: string
+  externalId?: string
+  userName: string
+  displayName?: string
+  name?: { givenName?: string; familyName?: string; formatted?: string }
+  emails?: Array<{ value: string; primary: boolean; type: string }>
+  active: boolean
+  meta: {
+    resourceType: string
+    created: string
+    lastModified: string
+    location: string
+  }
+}
+export function toScimUserResource(
+  user: User,
+  identity: SsoIdentity,
+  baseUrl: string,
+  deactivation?: SsoUserDeactivation | null,
+): ScimUserResource {
+  const isActive = !deactivation || deactivation.reactivatedAt != null
+  const nameParts = (user.name ?? '').split(' ')
+  const givenName = nameParts[0] || undefined
+  const familyName = nameParts.length > 1 ? nameParts.slice(1).join(' ') : undefined
+  return {
+    schemas: [SCIM_USER_SCHEMA],
+    id: identity.id,
+    ...(identity.externalId ? { externalId: identity.externalId } : {}),
+    userName: identity.idpEmail,
+    displayName: user.name ?? undefined,
+    name: (givenName || familyName) ? { givenName, familyName, formatted: user.name ?? undefined } : undefined,
+    emails: [{ value: identity.idpEmail, primary: true, type: 'work' }],
+    active: isActive,
+    meta: {
+      resourceType: 'User',
+      created: identity.createdAt.toISOString(),
+      lastModified: identity.updatedAt.toISOString(),
+      location: `${baseUrl}/api/sso/scim/v2/Users/${identity.id}`,
+    },
+  }
+}
+export interface ScimUserPayload {
+  userName?: string
+  externalId?: string
+  displayName?: string
+  givenName?: string
+  familyName?: string
+  email?: string
+  active?: boolean
+}
+export function fromScimUserPayload(payload: Record<string, unknown>): ScimUserPayload {
+  const result: ScimUserPayload = {}
+  if (typeof payload.userName === 'string') result.userName = payload.userName
+  if (typeof payload.externalId === 'string') result.externalId = payload.externalId
+  if (typeof payload.displayName === 'string') result.displayName = payload.displayName
+  if (payload.active !== undefined) {
+    result.active = coerceBoolean(payload.active)
+  }
+  const name = payload.name as Record<string, unknown> | undefined
+  if (name && typeof name === 'object') {
+    if (typeof name.givenName === 'string') result.givenName = name.givenName
+    if (typeof name.familyName === 'string') result.familyName = name.familyName
+  }
+  const emails = payload.emails as Array<Record<string, unknown>> | undefined
+  if (Array.isArray(emails) && emails.length > 0) {
+    const primary = emails.find((e) => e.primary === true) ?? emails[0]
+    if (typeof primary?.value === 'string') result.email = primary.value
+  }
+  return result
+}

package/src/modules/sso/lib/scim-patch.ts ADDED Viewed

@@ -0,0 +1,88 @@
+/**
+ * SCIM PatchOp parser with Entra ID quirks:
+ * - Case-insensitive `op` (e.g., "Replace" vs "replace")
+ * - Boolean leniency ("False"/"True" strings → boolean)
+ * - Strict attribute allowlist
+ */
+import { coerceBoolean } from './scim-utils'
+export interface ScimPatchOperation {
+  op: string
+  path?: string
+  value?: unknown
+}
+const ALLOWED_PATHS = new Set([
+  'active',
+  'displayname',
+  'name.givenname',
+  'name.familyname',
+  'username',
+  'externalid',
+])
+export function parseScimPatchOperations(body: Record<string, unknown>): ScimPatchOperation[] {
+  const operations = body.Operations as Array<Record<string, unknown>> | undefined
+  if (!Array.isArray(operations)) {
+    throw new ScimPatchError('PatchOp body must contain Operations array')
+  }
+  return operations.map((rawOp) => {
+    const op = String(rawOp.op ?? '').toLowerCase()
+    if (!['add', 'replace', 'remove'].includes(op)) {
+      throw new ScimPatchError(`Unsupported SCIM PatchOp: ${rawOp.op}`)
+    }
+    const path = rawOp.path ? String(rawOp.path) : undefined
+    // Validate path against allowlist if present
+    if (path) {
+      const normalizedPath = path.toLowerCase()
+      if (!ALLOWED_PATHS.has(normalizedPath)) {
+        // Silently ignore unsupported attributes (Entra sends many)
+        return { op, path, value: undefined }
+      }
+    }
+    const value = normalizePatchValue(rawOp.value, path)
+    return { op, path, value }
+  }).filter((op) => {
+    // Filter out no-ops (unsupported paths where value was set to undefined)
+    if (op.op !== 'remove' && op.value === undefined && op.path) return false
+    return true
+  })
+}
+function normalizePatchValue(value: unknown, path?: string): unknown {
+  if (value === undefined || value === null) return value
+  // Handle boolean leniency for the `active` attribute
+  if (path && path.toLowerCase() === 'active') {
+    return coerceBoolean(value)
+  }
+  // Handle value objects (no-path operations)
+  if (!path && typeof value === 'object' && value !== null) {
+    const obj = value as Record<string, unknown>
+    const normalized: Record<string, unknown> = {}
+    for (const [key, val] of Object.entries(obj)) {
+      if (key.toLowerCase() === 'active') {
+        normalized[key] = coerceBoolean(val)
+      } else {
+        normalized[key] = val
+      }
+    }
+    return normalized
+  }
+  return value
+}
+export class ScimPatchError extends Error {
+  constructor(message: string) {
+    super(message)
+    this.name = 'ScimPatchError'
+  }
+}

package/src/modules/sso/lib/scim-response.ts ADDED Viewed

@@ -0,0 +1,40 @@
+export const SCIM_CONTENT_TYPE = 'application/scim+json'
+const SCIM_ERROR_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:Error'
+const SCIM_LIST_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:ListResponse'
+export function scimJson(data: unknown, status = 200): Response {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { 'Content-Type': SCIM_CONTENT_TYPE },
+  })
+}
+export function buildScimError(
+  status: number,
+  detail: string,
+  scimType?: string,
+): Record<string, unknown> {
+  const body: Record<string, unknown> = {
+    schemas: [SCIM_ERROR_SCHEMA],
+    status: String(status),
+    detail,
+  }
+  if (scimType) body.scimType = scimType
+  return body
+}
+export function buildListResponse(
+  resources: unknown[],
+  totalResults: number,
+  startIndex: number,
+  itemsPerPage: number,
+): Record<string, unknown> {
+  return {
+    schemas: [SCIM_LIST_SCHEMA],
+    totalResults,
+    startIndex,
+    itemsPerPage,
+    Resources: resources,
+  }
+}

package/src/modules/sso/lib/scim-utils.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export function coerceBoolean(value: unknown): boolean {
+  if (typeof value === 'boolean') return value
+  if (typeof value === 'string') return value.toLowerCase() === 'true'
+  return Boolean(value)
+}

package/src/modules/sso/lib/state-cookie.ts ADDED Viewed

@@ -0,0 +1,79 @@
+import crypto from 'node:crypto'
+import type { SsoFlowState } from './types'
+const ALGORITHM = 'aes-256-gcm'
+const IV_LENGTH = 12
+const TAG_LENGTH = 16
+const TTL_MS = 5 * 60 * 1000
+const HKDF_SALT = Buffer.from('open-mercato-sso-state-v1')
+const HKDF_INFO = Buffer.from('sso-state-cookie')
+function deriveKey(secret: string): Buffer {
+  return Buffer.from(crypto.hkdfSync('sha256', secret, HKDF_SALT, HKDF_INFO, 32))
+}
+function getSecret(): string {
+  const secret = process.env.SSO_STATE_SECRET || process.env.JWT_SECRET
+  if (!secret) throw new Error('SSO_STATE_SECRET or JWT_SECRET must be set')
+  return secret
+}
+export function encryptStateCookie(payload: SsoFlowState): string {
+  const secret = getSecret()
+  const key = deriveKey(secret)
+  const iv = crypto.randomBytes(IV_LENGTH)
+  const json = JSON.stringify(payload)
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+  const ciphertext = Buffer.concat([cipher.update(json, 'utf8'), cipher.final()])
+  const tag = cipher.getAuthTag()
+  const combined = Buffer.concat([iv, tag, ciphertext])
+  return combined.toString('base64url')
+}
+export function decryptStateCookie(cookie: string): SsoFlowState | null {
+  try {
+    const secret = getSecret()
+    const key = deriveKey(secret)
+    const combined = Buffer.from(cookie, 'base64url')
+    if (combined.length < IV_LENGTH + TAG_LENGTH) return null
+    const iv = combined.subarray(0, IV_LENGTH)
+    const tag = combined.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH)
+    const ciphertext = combined.subarray(IV_LENGTH + TAG_LENGTH)
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv)
+    decipher.setAuthTag(tag)
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8')
+    const payload = JSON.parse(decrypted) as SsoFlowState
+    if (payload.expiresAt < Date.now()) return null
+    return payload
+  } catch {
+    return null
+  }
+}
+export function createFlowState(params: {
+  configId: string
+  returnUrl: string
+}): { state: SsoFlowState; codeVerifier: string } {
+  const state = crypto.randomBytes(32).toString('base64url')
+  const nonce = crypto.randomBytes(16).toString('base64url')
+  const codeVerifier = crypto.randomBytes(32).toString('base64url')
+  return {
+    state: {
+      state,
+      nonce,
+      codeVerifier,
+      configId: params.configId,
+      returnUrl: params.returnUrl,
+      expiresAt: Date.now() + TTL_MS,
+    },
+    codeVerifier,
+  }
+}

package/src/modules/sso/lib/types.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import type { SsoConfig } from '../data/entities'
+export interface SsoProtocolProvider {
+  readonly protocol: 'oidc' | 'saml'
+  buildAuthUrl(
+    config: SsoConfig,
+    params: {
+      state: string
+      nonce: string
+      redirectUri: string
+      codeVerifier?: string
+      clientSecret?: string
+    },
+  ): Promise<string>
+  handleCallback(
+    config: SsoConfig,
+    params: {
+      callbackParams: Record<string, string>
+      redirectUri: string
+      expectedState: string
+      expectedNonce: string
+      codeVerifier?: string
+      clientSecret?: string
+    },
+  ): Promise<SsoIdentityPayload>
+  validateConfig(
+    config: SsoConfig,
+    params?: { clientSecret?: string },
+  ): Promise<{ ok: boolean; error?: string }>
+}
+export interface SsoIdentityPayload {
+  subject: string
+  email: string
+  emailVerified: boolean
+  name?: string
+  groups?: string[]
+}
+export interface SsoFlowState {
+  state: string
+  nonce: string
+  codeVerifier: string
+  configId: string
+  returnUrl: string
+  expiresAt: number
+}