npm - @openinc/parse-server-opendash - Versions diffs - 3.10.2 → 3.10.3 - Mend

@openinc/parse-server-opendash 3.10.2 → 3.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/functions/openinc-auth-login-microsoft.js +137 -43
package/package.json +1 -1

package/dist/functions/openinc-auth-login-microsoft.js CHANGED Viewed

@@ -7,6 +7,7 @@ exports.init = init;
 const crypto_1 = require("crypto");
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const https_1 = __importDefault(require("https"));
 const config_1 = require("../features/config");
 const types_1 = require("../types");
 const tenantId = config_1.ConfigInstance.getInstance().get("MICROSOFT_TENANT_ID") ||
@@ -15,23 +16,59 @@ const tenantId = config_1.ConfigInstance.getInstance().get("MICROSOFT_TENANT_ID"
 const appId = config_1.ConfigInstance.getInstance().get("MICROSOFT_APP_ID") ||
     process.env.MICROSOFT_APP_ID ||
     process.env.OI_MICROSOFT_APP_ID;
-// Setup JWKS client for Microsoft - try v2.0 first, fallback to v1.0
-const getJwksUri = (version = "v2.0") => `https://login.microsoftonline.com/${tenantId}/discovery/${version}/keys`;
+// Setup JWKS client for Microsoft - use tenant-specific endpoint with common as fallback
+const getTenantJwksUri = () => `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`;
+const getCommonJwksUri = () => `https://login.microsoftonline.com/common/discovery/v2.0/keys`;
 const client = (0, jwks_rsa_1.default)({
-    jwksUri: getJwksUri(),
-    cache: true,
-    cacheMaxEntries: 5,
-    cacheMaxAge: 1000 * 60 * 60 * 24, // 24 hours
+    jwksUri: getTenantJwksUri(),
+    cache: false, // Disable cache temporarily for debugging
     timeout: 30000, // 30 seconds
 });
-// Fallback client for v1.0 if v2.0 fails
-const clientV1 = (0, jwks_rsa_1.default)({
-    jwksUri: getJwksUri("v1.0"),
-    cache: true,
-    cacheMaxEntries: 5,
-    cacheMaxAge: 1000 * 60 * 60 * 24, // 24 hours
+// Fallback client for common endpoint if tenant-specific fails
+const clientCommon = (0, jwks_rsa_1.default)({
+    jwksUri: getCommonJwksUri(),
+    cache: false, // Disable cache temporarily for debugging
     timeout: 30000, // 30 seconds
 });
+// Manual JWKS fetch function to bypass jwks-rsa library issues
+function fetchJWKSManually(uri) {
+    return new Promise((resolve, reject) => {
+        console.log("Making manual HTTPS request to:", uri);
+        https_1.default
+            .get(uri, (res) => {
+            let data = "";
+            console.log("Response status:", res.statusCode);
+            console.log("Response headers:", res.headers);
+            res.on("data", (chunk) => {
+                data += chunk;
+            });
+            res.on("end", () => {
+                try {
+                    const jwks = JSON.parse(data);
+                    console.log("Successfully fetched JWKS manually, found", jwks.keys?.length, "keys");
+                    resolve(jwks);
+                }
+                catch (error) {
+                    console.error("Failed to parse JWKS JSON:", error);
+                    reject(error);
+                }
+            });
+        })
+            .on("error", (error) => {
+            console.error("HTTPS request failed:", error);
+            reject(error);
+        });
+    });
+}
+// Convert JWK to PEM format
+function jwkToPem(jwk) {
+    // For Microsoft tokens, we can use the x5c (certificate chain) directly
+    if (jwk.x5c && jwk.x5c[0]) {
+        return `-----BEGIN CERTIFICATE-----\n${jwk.x5c[0]}\n-----END CERTIFICATE-----`;
+    }
+    // If no x5c, we'd need to construct from n and e, but Microsoft usually provides x5c
+    throw new Error("No x5c certificate chain found in JWK - cannot convert to PEM");
+}
 function getKey(header, callback) {
     console.log("JWT Header:", header);
     console.log("Tenant ID:", tenantId);
@@ -41,44 +78,85 @@ function getKey(header, callback) {
         return callback(new Error("No kid found in token header"));
     }
     console.log("Attempting to get signing key for kid:", header.kid);
-    client.getSigningKey(header.kid, (err, key) => {
-        if (err) {
-            console.error("Error with v2.0 endpoint, trying v1.0:", err);
-            // Try v1.0 endpoint as fallback
-            clientV1.getSigningKey(header.kid, (errV1, keyV1) => {
-                if (errV1) {
-                    console.error("Error with v1.0 endpoint:", errV1);
-                    return callback(errV1);
-                }
-                if (!keyV1) {
-                    console.error("No key returned from v1.0 JWKS client");
-                    return callback(new Error("Key not found in v1.0 endpoint"));
-                }
-                try {
-                    const signingKey = keyV1.getPublicKey();
-                    console.log("Successfully retrieved signing key from v1.0 endpoint");
-                    callback(null, signingKey);
-                }
-                catch (keyError) {
-                    console.error("Error extracting public key from v1.0:", keyError);
-                    callback(keyError instanceof Error ? keyError : new Error(String(keyError)));
+    // Try manual fetch first to bypass jwks-rsa issues
+    console.log("Trying manual JWKS fetch...");
+    fetchJWKSManually(getTenantJwksUri())
+        .then((jwks) => {
+        const key = jwks.keys.find((k) => k.kid === header.kid);
+        if (!key) {
+            console.log("Key not found in tenant-specific JWKS, trying common endpoint...");
+            return fetchJWKSManually(getCommonJwksUri()).then((commonJwks) => {
+                const commonKey = commonJwks.keys.find((k) => k.kid === header.kid);
+                if (!commonKey) {
+                    throw new Error(`Key with kid ${header.kid} not found in either endpoint`);
                 }
+                return commonKey;
             });
-            return;
         }
+        return key; // Return the key directly, not wrapped
+    })
+        .then((key) => {
         if (!key) {
-            console.error("No key returned from JWKS client");
-            return callback(new Error("Key not found"));
+            throw new Error("No key found");
         }
-        try {
-            const signingKey = key.getPublicKey();
-            console.log("Successfully retrieved signing key");
-            callback(null, signingKey);
+        // Convert to PEM format using x5c if available
+        if (key.x5c && key.x5c[0]) {
+            const cert = jwkToPem(key);
+            console.log("Successfully retrieved signing key using manual fetch");
+            callback(null, cert);
         }
-        catch (keyError) {
-            console.error("Error extracting public key:", keyError);
-            callback(keyError instanceof Error ? keyError : new Error(String(keyError)));
+        else {
+            throw new Error("No x5c certificate chain found in key");
         }
+    })
+        .catch((manualError) => {
+        console.error("Manual JWKS fetch failed, falling back to jwks-rsa library:", manualError);
+        // Fallback to original jwks-rsa approach
+        console.log("Trying tenant-specific JWKS endpoint with jwks-rsa...");
+        console.log("Tenant JWKS URI:", getTenantJwksUri());
+        client.getSigningKey(header.kid, (err, key) => {
+            if (err) {
+                console.error("Error with tenant-specific endpoint, trying common endpoint:", err);
+                console.log("Trying common JWKS endpoint as fallback...");
+                console.log("Common JWKS URI:", getCommonJwksUri());
+                // Try common endpoint as fallback
+                clientCommon.getSigningKey(header.kid, (errCommon, keyCommon) => {
+                    if (errCommon) {
+                        console.error("Error with common endpoint:", errCommon);
+                        return callback(errCommon);
+                    }
+                    if (!keyCommon) {
+                        console.error("No key returned from common JWKS client");
+                        return callback(new Error("Key not found in common endpoint"));
+                    }
+                    try {
+                        const signingKey = keyCommon.getPublicKey();
+                        console.log("Successfully retrieved signing key from common endpoint");
+                        callback(null, signingKey);
+                    }
+                    catch (keyError) {
+                        console.error("Error extracting public key from common endpoint:", keyError);
+                        callback(keyError instanceof Error
+                            ? keyError
+                            : new Error(String(keyError)));
+                    }
+                });
+                return;
+            }
+            if (!key) {
+                console.error("No key returned from tenant-specific JWKS client");
+                return callback(new Error("Key not found"));
+            }
+            try {
+                const signingKey = key.getPublicKey();
+                console.log("Successfully retrieved signing key from tenant-specific endpoint");
+                callback(null, signingKey);
+            }
+            catch (keyError) {
+                console.error("Error extracting public key:", keyError);
+                callback(keyError instanceof Error ? keyError : new Error(String(keyError)));
+            }
+        });
     });
 }
 async function init(name) {
@@ -117,12 +195,18 @@ async function init(name) {
                         iss: payload.iss,
                         tid: payload.tid,
                         ver: payload.ver,
+                        oid: payload.oid,
+                        preferred_username: payload.preferred_username,
                     });
                 }
             }
             catch (decodeError) {
                 console.error("Failed to decode token for debugging:", decodeError);
             }
+            console.log("Verifying JWT with the following settings:");
+            console.log("- Audience:", appId);
+            console.log("- Issuer:", `https://login.microsoftonline.com/${tenantId}/v2.0`);
+            console.log("- Algorithm: RS256");
             jsonwebtoken_1.default.verify(token, getKey, {
                 audience: appId,
                 issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,
@@ -132,9 +216,19 @@ async function init(name) {
                     console.error("JWT verification failed:", err);
                     console.error("Error name:", err.name);
                     console.error("Error message:", err.message);
+                    if (err.name === "TokenExpiredError") {
+                        console.error("Token has expired");
+                    }
+                    else if (err.name === "JsonWebTokenError") {
+                        console.error("Invalid token");
+                    }
+                    else if (err.name === "NotBeforeError") {
+                        console.error("Token not active yet");
+                    }
                     return reject(err);
                 }
                 console.log("JWT verification successful");
+                console.log("Verified payload contains oid:", decoded?.oid);
                 resolve(decoded);
             });
         });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openinc/parse-server-opendash",
-  "version": "3.10.2",
+  "version": "3.10.3",
   "description": "Parse Server Cloud Code for open.INC Stack.",
   "packageManager": "pnpm@10.13.1",
   "keywords": [