@openinc/parse-server-opendash 3.10.3 → 3.10.4

package/dist/functions/openinc-auth-login-microsoft.js

@@ -7,7 +7,6 @@ exports.init = init;
 const crypto_1 = require("crypto");
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
-const https_1 = __importDefault(require("https"));
 const config_1 = require("../features/config");
 const types_1 = require("../types");
 const tenantId = config_1.ConfigInstance.getInstance().get("MICROSOFT_TENANT_ID") ||
@@ -16,222 +15,67 @@ const tenantId = config_1.ConfigInstance.getInstance().get("MICROSOFT_TENANT_ID"
 const appId = config_1.ConfigInstance.getInstance().get("MICROSOFT_APP_ID") ||
     process.env.MICROSOFT_APP_ID ||
     process.env.OI_MICROSOFT_APP_ID;
-// Setup JWKS client for Microsoft - use tenant-specific endpoint with common as fallback
-const getTenantJwksUri = () => `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`;
-const getCommonJwksUri = () => `https://login.microsoftonline.com/common/discovery/v2.0/keys`;
+// Simple, standard Microsoft v2.0 endpoint with app-specific parameter
 const client = (0, jwks_rsa_1.default)({
-    jwksUri: getTenantJwksUri(),
-    cache: false, // Disable cache temporarily for debugging
-    timeout: 30000, // 30 seconds
+    jwksUri: `https://login.microsoftonline.com/${tenantId}/discovery/keys?appid=${appId}`,
+    cache: true,
+    cacheMaxAge: 12 * 60 * 60 * 1000, // 12 hours
+    timeout: 30000,
 });
-// Fallback client for common endpoint if tenant-specific fails
-const clientCommon = (0, jwks_rsa_1.default)({
-    jwksUri: getCommonJwksUri(),
-    cache: false, // Disable cache temporarily for debugging
-    timeout: 30000, // 30 seconds
-});
-// Manual JWKS fetch function to bypass jwks-rsa library issues
-function fetchJWKSManually(uri) {
-    return new Promise((resolve, reject) => {
-        console.log("Making manual HTTPS request to:", uri);
-        https_1.default
-            .get(uri, (res) => {
-            let data = "";
-            console.log("Response status:", res.statusCode);
-            console.log("Response headers:", res.headers);
-            res.on("data", (chunk) => {
-                data += chunk;
-            });
-            res.on("end", () => {
-                try {
-                    const jwks = JSON.parse(data);
-                    console.log("Successfully fetched JWKS manually, found", jwks.keys?.length, "keys");
-                    resolve(jwks);
-                }
-                catch (error) {
-                    console.error("Failed to parse JWKS JSON:", error);
-                    reject(error);
-                }
-            });
-        })
-            .on("error", (error) => {
-            console.error("HTTPS request failed:", error);
-            reject(error);
-        });
-    });
-}
-// Convert JWK to PEM format
-function jwkToPem(jwk) {
-    // For Microsoft tokens, we can use the x5c (certificate chain) directly
-    if (jwk.x5c && jwk.x5c[0]) {
-        return `-----BEGIN CERTIFICATE-----\n${jwk.x5c[0]}\n-----END CERTIFICATE-----`;
-    }
-    // If no x5c, we'd need to construct from n and e, but Microsoft usually provides x5c
-    throw new Error("No x5c certificate chain found in JWK - cannot convert to PEM");
-}
 function getKey(header, callback) {
-    console.log("JWT Header:", header);
-    console.log("Tenant ID:", tenantId);
-    console.log("App ID:", appId);
     if (!header.kid) {
-        console.error("No kid found in token header");
         return callback(new Error("No kid found in token header"));
     }
-    console.log("Attempting to get signing key for kid:", header.kid);
-    // Try manual fetch first to bypass jwks-rsa issues
-    console.log("Trying manual JWKS fetch...");
-    fetchJWKSManually(getTenantJwksUri())
-        .then((jwks) => {
-        const key = jwks.keys.find((k) => k.kid === header.kid);
-        if (!key) {
-            console.log("Key not found in tenant-specific JWKS, trying common endpoint...");
-            return fetchJWKSManually(getCommonJwksUri()).then((commonJwks) => {
-                const commonKey = commonJwks.keys.find((k) => k.kid === header.kid);
-                if (!commonKey) {
-                    throw new Error(`Key with kid ${header.kid} not found in either endpoint`);
-                }
-                return commonKey;
-            });
-        }
-        return key; // Return the key directly, not wrapped
-    })
-        .then((key) => {
-        if (!key) {
-            throw new Error("No key found");
-        }
-        // Convert to PEM format using x5c if available
-        if (key.x5c && key.x5c[0]) {
-            const cert = jwkToPem(key);
-            console.log("Successfully retrieved signing key using manual fetch");
-            callback(null, cert);
-        }
-        else {
-            throw new Error("No x5c certificate chain found in key");
-        }
-    })
-        .catch((manualError) => {
-        console.error("Manual JWKS fetch failed, falling back to jwks-rsa library:", manualError);
-        // Fallback to original jwks-rsa approach
-        console.log("Trying tenant-specific JWKS endpoint with jwks-rsa...");
-        console.log("Tenant JWKS URI:", getTenantJwksUri());
-        client.getSigningKey(header.kid, (err, key) => {
-            if (err) {
-                console.error("Error with tenant-specific endpoint, trying common endpoint:", err);
-                console.log("Trying common JWKS endpoint as fallback...");
-                console.log("Common JWKS URI:", getCommonJwksUri());
-                // Try common endpoint as fallback
-                clientCommon.getSigningKey(header.kid, (errCommon, keyCommon) => {
-                    if (errCommon) {
-                        console.error("Error with common endpoint:", errCommon);
-                        return callback(errCommon);
-                    }
-                    if (!keyCommon) {
-                        console.error("No key returned from common JWKS client");
-                        return callback(new Error("Key not found in common endpoint"));
-                    }
-                    try {
-                        const signingKey = keyCommon.getPublicKey();
-                        console.log("Successfully retrieved signing key from common endpoint");
-                        callback(null, signingKey);
-                    }
-                    catch (keyError) {
-                        console.error("Error extracting public key from common endpoint:", keyError);
-                        callback(keyError instanceof Error
-                            ? keyError
-                            : new Error(String(keyError)));
-                    }
-                });
-                return;
-            }
-            if (!key) {
-                console.error("No key returned from tenant-specific JWKS client");
-                return callback(new Error("Key not found"));
-            }
-            try {
-                const signingKey = key.getPublicKey();
-                console.log("Successfully retrieved signing key from tenant-specific endpoint");
-                callback(null, signingKey);
-            }
-            catch (keyError) {
-                console.error("Error extracting public key:", keyError);
-                callback(keyError instanceof Error ? keyError : new Error(String(keyError)));
-            }
-        });
+    client.getSigningKey(header.kid, (err, key) => {
+        if (err)
+            return callback(err);
+        if (!key)
+            return callback(new Error("Key not found"));
+        callback(null, key.getPublicKey());
     });
 }
 async function init(name) {
     Parse.Cloud.define(name, async (request) => {
-        console.log("Logging in with microsoft...");
         const token = request.params.token;
         const account = request.params.account;
-        const defaultTenant = await new Parse.Query(types_1.Tenant)
-            .ascending("createdAt")
-            .first({ useMasterKey: true });
         if (!token) {
             throw new Parse.Error(Parse.Error.INVALID_JSON, "Token missing");
         }
-        // Validate Microsoft configuration
         if (!tenantId || !appId) {
-            console.error("Missing Microsoft configuration:", {
-                tenantId: !!tenantId,
-                appId: !!appId,
-            });
             throw new Parse.Error(Parse.Error.INVALID_JSON, "Microsoft authentication not properly configured");
         }
-        const verifiedPayload = await new Promise((resolve, reject) => {
-            console.log("Starting JWT verification...");
-            console.log("Token length:", token.length);
+        // DEBUGGING: Decode token without verification to see what we're dealing with
+        console.log("=== DEBUGGING TOKEN ===");
+        try {
+            const tokenParts = token.split(".");
+            const payload = JSON.parse(Buffer.from(tokenParts[1], "base64").toString());
+            console.log("Token audience (aud):", payload.aud);
+            console.log("Token issuer (iss):", payload.iss);
             console.log("Expected audience:", appId);
             console.log("Expected issuer:", `https://login.microsoftonline.com/${tenantId}/v2.0`);
-            // Decode token payload for debugging (without verification)
-            try {
-                const tokenParts = token.split(".");
-                if (tokenParts.length === 3) {
-                    const header = JSON.parse(Buffer.from(tokenParts[0], "base64").toString());
-                    const payload = JSON.parse(Buffer.from(tokenParts[1], "base64").toString());
-                    console.log("Token header (unverified):", header);
-                    console.log("Token payload (unverified):", {
-                        aud: payload.aud,
-                        iss: payload.iss,
-                        tid: payload.tid,
-                        ver: payload.ver,
-                        oid: payload.oid,
-                        preferred_username: payload.preferred_username,
-                    });
-                }
-            }
-            catch (decodeError) {
-                console.error("Failed to decode token for debugging:", decodeError);
-            }
-            console.log("Verifying JWT with the following settings:");
-            console.log("- Audience:", appId);
-            console.log("- Issuer:", `https://login.microsoftonline.com/${tenantId}/v2.0`);
-            console.log("- Algorithm: RS256");
+            console.log("Audience match:", payload.aud === appId);
+            console.log("Issuer match:", payload.iss === `https://login.microsoftonline.com/${tenantId}/v2.0`);
+        }
+        catch (e) {
+            console.error("Failed to decode token:", e);
+        }
+        console.log("=== END DEBUGGING ===");
+        const verifiedPayload = await new Promise((resolve, reject) => {
             jsonwebtoken_1.default.verify(token, getKey, {
                 audience: appId,
                 issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,
-                algorithms: ["RS256"], // Microsoft uses RS256
+                algorithms: ["RS256"],
             }, (err, decoded) => {
                 if (err) {
-                    console.error("JWT verification failed:", err);
-                    console.error("Error name:", err.name);
-                    console.error("Error message:", err.message);
-                    if (err.name === "TokenExpiredError") {
-                        console.error("Token has expired");
-                    }
-                    else if (err.name === "JsonWebTokenError") {
-                        console.error("Invalid token");
-                    }
-                    else if (err.name === "NotBeforeError") {
-                        console.error("Token not active yet");
-                    }
+                    console.error("JWT verification failed:", err.message);
                     return reject(err);
                 }
-                console.log("JWT verification successful");
-                console.log("Verified payload contains oid:", decoded?.oid);
                 resolve(decoded);
             });
         });
+        const defaultTenant = await new Parse.Query(types_1.Tenant)
+            .ascending("createdAt")
+            .first({ useMasterKey: true });
         let user = await new Parse.Query(Parse.User)
             .equalTo("username", verifiedPayload.oid)
             .first({ useMasterKey: true });
@@ -239,7 +83,7 @@ async function init(name) {
             user = new Parse.User();
             user.set("username", verifiedPayload.oid);
             user.set("email", account.username);
-            user.set("password", (0, crypto_1.randomBytes)(16).toString("hex")); // Generate a random password
+            user.set("password", (0, crypto_1.randomBytes)(16).toString("hex"));
             user.set("name", verifiedPayload.name || verifiedPayload.preferred_username);
             user.set("tenant", defaultTenant);
             user = await user.signUp(null, { useMasterKey: true });
@@ -249,7 +93,7 @@ async function init(name) {
         const session = new Parse.Object("_Session");
         session.set("user", user);
         session.set("sessionToken", sessionToken);
-        session.set("expiresAt", new Date(Date.now() + 24 * 60 * 60 * 1000 * 7)); // 7 day expiration
+        session.set("expiresAt", new Date(Date.now() + 24 * 60 * 60 * 1000 * 7));
         const savedSession = await session.save(null, { useMasterKey: true });
         return savedSession.get("sessionToken");
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openinc/parse-server-opendash",
-  "version": "3.10.3",
+  "version": "3.10.4",
   "description": "Parse Server Cloud Code for open.INC Stack.",
   "packageManager": "pnpm@10.13.1",
   "keywords": [