@openstax/ts-utils 1.33.1 → 1.34.0

package/packages/utils/src/services/authProvider/browser.ts

@@ -0,0 +1,209 @@
+import { once } from '../..';
+import { ConfigProviderForConfig, resolveConfigValue } from '../../config';
+import { FetchConfig, GenericFetch } from '../../fetch';
+import { ifDefined } from '../../guards';
+import { METHOD, unsafePayloadValidator } from '../../routing';
+import { embeddedAuthProvider, PostMessageTypes, UserData } from './utils/embeddedAuthProvider';
+import { ApiUser, AuthProvider } from '.';
+
+type Config = {
+  accountsBase: string;
+};
+interface Initializer<C> {
+  configSpace?: C;
+  window: Window;
+}
+
+export type EventHandler = (e: {data: any; origin: string; source: Pick<Window, 'postMessage'>}) => void;
+
+export interface Window {
+  fetch: GenericFetch;
+  parent: Pick<Window, 'postMessage'>;
+  location: {search: string};
+  document: {referrer: string};
+  postMessage: (data: any, origin: string) => void;
+  addEventListener: (event: 'message', callback: EventHandler) => void;
+  removeEventListener: (event: 'message', callback: EventHandler) => void;
+}
+
+const isUserData = unsafePayloadValidator<ApiUser>();
+
+export type UpdatableUserFields = Partial<Pick<ApiUser, 'consent_preferences' | 'first_name' | 'last_name'>>;
+
+export type BrowserAuthProvider = AuthProvider & {
+  getAuthorizedUrl: (urlString: string) => string;
+  getAuthorizedLinkUrl: (urlString: string) => string;
+  getAuthorizedEmbedUrl: (urlString: string, extraParams?: { [key: string]: string }) => string;
+  updateUser: (updates: UpdatableUserFields) => Promise<UserData<ApiUser>>;
+};
+
+export const browserAuthProvider = <C extends string = 'auth'>({window, configSpace}: Initializer<C>) => (configProvider: {[_key in C]: ConfigProviderForConfig<Config>}): BrowserAuthProvider => {
+  const config = configProvider[ifDefined(configSpace, 'auth' as C)];
+  const accountsBase = once(() => resolveConfigValue(config.accountsBase));
+  const queryString = window.location.search;
+  const queryKey = 'auth';
+  const urlSearchParams = new URLSearchParams(queryString);
+  const authQuery = urlSearchParams.get(queryKey);
+  const referrer = window.document.referrer ? new URL(window.document.referrer) : undefined;
+  const isEmbedded = window.parent !== window;
+  const trustedParent = isEmbedded && referrer && referrer.hostname.match(/^(openstax\.org|((.*)(\.openstax\.org|local|localhost)))$/) ? referrer : undefined;
+  const {
+    embeddedQueryKey, embeddedQueryValue, getAuthorizedEmbedUrl
+  } = embeddedAuthProvider(() => getUserData(), { authQuery: { key: queryKey, value: authQuery }, window});
+  const embeddedQuery = urlSearchParams.get(embeddedQueryKey);
+
+  let userData: UserData<ApiUser> = { token: authQuery };
+
+  const getAuthToken = async () => {
+    return (await getUserData()).token;
+  };
+
+  const getAuthorizedLinkUrl = (urlString: string) => {
+    const url = new URL(urlString);
+
+    if (userData.token) {
+      url.searchParams.set(queryKey, userData.token);
+    }
+
+    return url.href;
+  };
+
+  const getAuthorizedUrl = (urlString: string) => {
+    const url = new URL(urlString);
+
+    if (authQuery) {
+      url.searchParams.set(queryKey, authQuery);
+    } else if (embeddedQuery) {
+      url.searchParams.set(queryKey, 'embedded');
+    }
+    if (embeddedQuery) {
+      url.searchParams.set(embeddedQueryKey, embeddedQuery);
+    }
+
+    return url.href;
+  };
+
+  // *note* that this does not actually prevent cookies from being sent on same-origin
+  // requests, i'm not sure if its possible to stop browsers from sending cookies in
+  // that case
+  const getAuthorizedFetchConfigFromData = (data: typeof userData): FetchConfig => {
+    const {token} = data;
+
+    return token ? {
+      headers: {Authorization: `Bearer ${token}`},
+    } : {
+      credentials: 'include',
+    };
+  };
+  const getAuthorizedFetchConfig = async(): Promise<FetchConfig> => {
+    return getAuthorizedFetchConfigFromData(userData.token ? userData : await getUserData());
+  };
+
+  /*
+   * requests user identity from parent window via postMessage
+   */
+  const getParentWindowUser = () => new Promise<typeof userData>((resolve, reject) => {
+    if (!window.parent || !trustedParent) {
+      return reject(new Error('parent window is undefined or not trusted'));
+    }
+
+    const handler: EventHandler = (event) => {
+      if (event.data.type === PostMessageTypes.ReceiveUser && event.origin === trustedParent.origin) {
+        clearTimeout(timeout);
+        window.removeEventListener('message', handler);
+        resolve(event.data.userData);
+      }
+    };
+
+    window.addEventListener('message', handler);
+    window.parent.postMessage({type: PostMessageTypes.RequestUser}, trustedParent.origin);
+
+    const timeout = setTimeout(() => {
+      window.removeEventListener('message', handler);
+      reject(new Error('loading user identity timed out'));
+    }, 5000);
+  });
+
+  /*
+   * requests user identity from accounts api using given token or cookie
+   */
+  const getFetchUser = async() => {
+    const response = await window.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user?always_200=true',
+      getAuthorizedFetchConfigFromData(userData));
+    if (response.status === 200) {
+      const body = await response.json();
+      const user = isUserData(body) ? body : undefined;
+      return {...userData, user};
+    }
+
+    const message = await response.text();
+    throw new Error(`Error response from Accounts ${response.status}: ${message}`);
+  };
+
+  const getUserData = once(async() => {
+    // For backwards compatibility
+    if (authQuery === 'embedded') { return getParentWindowUser(); }
+
+    // getFetchUser() will throw here if authQuery is not set
+    return await (embeddedQuery === embeddedQueryValue ? getParentWindowUser() : getFetchUser());
+  });
+
+  const getUser = async() => {
+    return (await getUserData()).user;
+  };
+
+  const updateUser = async(updates: UpdatableUserFields) => {
+    const response = await window.fetch(
+      (await accountsBase()).replace(/\/+$/, '') + '/api/user',
+      {...getAuthorizedFetchConfigFromData(userData), method: METHOD.PUT, body: JSON.stringify(updates)}
+    );
+    if (response.status === 200) {
+      const user = await response.json();
+      if (isUserData(user)) {
+        return {...userData, user};
+      }
+    }
+
+    const message = await response.text();
+    throw new Error(`Error response from Accounts ${response.status}: ${message}`);
+  };
+
+  return {
+    /**
+     * gets the authentication token
+     */
+    getAuthToken,
+    /**
+     * adds auth parameters to the url. this is only safe to use when using javascript to navigate
+     * within the current window, eg `window.location = 'https://my.otherservice.com';` anchors
+     * should use getAuthorizedLinkUrl for their href.
+     *
+     * result unreliable unless `getUser` is resolved first.
+     */
+    getAuthorizedUrl,
+    /**
+     * all link href-s must be rendered with auth tokens so that they work when opened in a new tab
+     *
+     * result unreliable unless `getUser` is resolved first.
+     */
+    getAuthorizedLinkUrl,
+    /**
+     * gets an authorized url for an iframe src. sets params on the url and saves its
+     * origin to trust releasing user identity to it
+     */
+    getAuthorizedEmbedUrl,
+    /**
+     * gets second argument for `fetch` that has authentication token or cookie
+     */
+    getAuthorizedFetchConfig,
+    /**
+     * loads current user identity. does not reflect changes in identity after being called the first time.
+     */
+    getUser,
+    loadUserData: getUser,
+    /**
+     * updates user settings, for example the cookie consent preferences
+     */
+    updateUser,
+  };
+};

package/packages/utils/src/services/authProvider/decryption.spec.ts

@@ -0,0 +1,337 @@
+import { SessionExpiredError } from '../../errors';
+import { GenericFetch } from '../../fetch';
+import { createCoreLogger } from '../logger';
+import { decryptionAuthProvider } from './decryption';
+import { ApiUser, User } from '.';
+
+describe('decryptionAuthProvider', () => {
+  let fetchSpy: jest.SpyInstance;
+  let initializer: { fetch: GenericFetch };
+
+  beforeEach(() => {
+    jest.useFakeTimers();
+    jest.setSystemTime(new Date(2023, 3, 2));
+
+    fetchSpy = jest.fn();
+    initializer = {fetch: fetchSpy as any};
+  });
+
+  // These values are used in the Accounts local dev environment, not any real Accounts deployments
+  const config = {
+    decryption: {
+      accountsBase: 'accountsBase',
+      cookieName: 'oxa_dev',
+      encryptionPrivateKey: 'RvGHVZ/kvzUAA5Z3t68+FNhuMCJxkzv+', // cspell:disable-line
+      signaturePublicKey: `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7JRnvbwTd2jGDWaW5Wc3
+HiBWd00ipH5FbmJe1fFeW/2Ji5w5MZ0evtorsV2lVBlP2G5THjmtHK1fdqC+2xiM
+nicxqGMn3C4T8EnS86knl0Yv3VEfDRZBoWsUX2s2y0xKu8Pvt6nbhrnkS8pi8+Au
+huT0ad/891aAhmp1QDkh+vI9NTYHb0mXYqMmJYZPJRL4eO6Z4j6djeHDz8D/TzWy
+Ah0cDEmTncO6YuJrf6CTi9eJce8pi+X8fhNTlZdfzIFE8BShAOxieYN1OV1RYmCT
+XD8jEL1ZgDxpIiZkB9u3tzUL1WZi7YENGouLhg9b/BUIw0dFXGkNErvtmDD7Ce8I
+twIDAQAB
+-----END PUBLIC KEY-----`,
+    }
+  };
+
+  // the below token expires at 2308840470 (2043-03-01T16:34:30.000Z)
+  // cspell:disable-next-line
+  const auth = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..v-Ot9t9EvGRkzXVx.D4k0ebDXUM8PNjiuvfCHBP_lNgIEzUkU9ibXLt4QxZXifd6ULAMofiWjT87L_3QKS2QfbrRz3Acah9wSNW4TFrtl5khBioWg3xjaImPtshJnBL7fPtEZWhNBkhkO1R4YK2Fr2mo5d-Y3_mkINHHyF19kIJJox6HsPqNaUSob59G2QQyza0TxJQMDjybsArL3GOT2PnVy_HQuIZmLqpypaoPnEoJ_WwvjK1oyORdUsYhv8kPzF9fPNZZjj2moqHIw41cc0ajeyw4TTvfkaYBC2Ovs2lVovjlj4PiPq9nAq-vpVII1XHp7qZQtQcWY-pGiVTFrnUErqNjZHwYKd0Y6kMgm1aqP2P3Qrt7nLCqEZf--LOpugk1Uunc_xBbPTjSBs9KJS_doREMmzvs9eqmn_V1_dxMgn3pMyMCMdD5ZKA89fpd0oT7kLDDawY_UfSEpmX8dI2ouvbW8VWtphhLGhjhssCcIv_ksGae59TS-WqGstT3Jd9D-uAAyz0wIuegokQt-9m5JT9vebDPhIgoRA-NgflQFz0xP1ERiTDbWpODYY5vkg-qzhKJPgSTLBYgGTBVLZzzwSoEOhAp5R_mfxZULXWacCqJo4GPvZ6bgSJdhFq2ZQhOgT_WNV5wYYBu_NqNh0OHZ0zzgZRX0tmsvgCFr0_VXeO0apDpg_bp7W1EF3dnUopTfdYtl0YQ8xI3dTrOX4tbRQf5QBKyXARoch3ObDtlbbcF6BN55AJXBa5bkl4m2pb3fzyoobXCFiAjTDKgRi_Qf7wnEww35gFs74ST3H-QGRBCTC2zMFRbVZ-kNXERs6Re2Ez_df-cVdfXk0CWs9T0GT6oFZOz4meT2bj7L-x8Ugerr-_CUVaSjC3NwdrtfBrw9E-k1pTeJ9_dMYJMJ6w7-sVu7X8BRof-bh3pBBWH45b9RzCvXd2d-AyIoeag2ZRfkfLk5vdiWSOtNlXTIgM8IKxZYy8MrZpXqLPBK6pAiMZN8Ou94ZBvq.eMtwHum3NKJNDt0SmqdPZw';
+
+  // cspell:disable-next-line
+  const properlyEncodedCookieWithInvalidPayload = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..A61VXXx1Ap9-XVPt.vbO8tIN8PK_m3Z7XyZf4Efxsj-Nc5pmPuYs8IBpymo323s9Hund_jJRAPI2TDJV-cna-Zhm2bYy6a64uCfyX-YFgrQV17cIkDOZXxV3_SdOGGcnXBe3RP-soCRY4ARlS3SWKPbjrh_1HUMZO30Rxh3r_LEKJRGiXAybrrb-Ii99ZYoy1z06iCC61aZGE-NaXYsp3mx4hdoO8HSLOLIyUa3rFJQTfKAq5GoRlsfKXZTUYiaHbLRWCY4tht7Jy8pKJp01pdFE2oP37Xf6gyvWmbnIuEyqGH3S9QSIkGM28sPjfdh5w-VYL_cF5-Cy3D6kplMra5dnZ1QIlgkJPycTxR2aQXitJXpIFOMgtD0L5-WxPRBgY_-85aHYIeZ3SA-5YrAiPDoj4H8QBZWVdbmLtJhPqtj8IBA8jV0sKbNwh2lky7bSGXEzG9jRdEE5WiD95rRV7WoEHMWtbvH8qZstzfbRmWzBNdJYLh828UpdkywrB2OzxkEiJhol8vg0GgEiaZFWhsCa5IVwfLJ_JSnR142L0znrF0DikLdFHdbIlhvxZ-yXvhlzLWRf3bCYqyuQP1Bq5J9bVGxxijWkLx8N9kB2FvhVYwa2-MLJCF2XX4NZT9w0WihSX5Rmwyeyf88OA-83Cg6ipkm-uW0Gfy2QiVacuV5hzuoPzG4WycZgXAbFHPTPN-nin_ul9tWeOpyFkWAjIuXhghUeUFl20xfZSE4xrNCN45ZJ9nxnPE4kA_g17VKSaZxzLnoHaxH4RHq2D7QydmFaxY_nqlbqz.sKv3xa1Vp4ZzZyVPpL3uXg';
+
+  describe('no authorization header or authorization header doesn\'t start with "Bearer "', () => {
+    // To show blank Authorization headers are ignored (excluding "Bearer " prefix)
+    const request = {headers: {Authorization: 'Bearer '}};
+    const logger = createCoreLogger(jest.fn());
+    const middleware = {request, logger};
+
+    it('resolves undefined without a cookie', async() => {
+      const loader = decryptionAuthProvider(initializer)(config)(middleware);
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeUndefined();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+      const userData = await loader.loadUserData();
+      expect(userData).toBeUndefined();
+    });
+
+    it('resolves undefined without the right cookie', async() => {
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad']}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeUndefined();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+    });
+
+    it('resolves undefined user/null expiration with an invalid cookie', async() => {
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', 'oxa_dev=invalid']}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeNull();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+    });
+
+    it('returns the expiration date but not the user with an expired cookie', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 17, 0));
+
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`]}}
+      );
+
+      expect(await loader.getTokenExpiration()).toBe(2308840470);
+      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
+
+      const getError = async () => {
+        try {
+          await loader.getUser();
+          throw new Error('should not be reachable');
+        } catch (e) {
+          return e;
+        }
+      };
+
+      expect(await getError()).toBeInstanceOf(SessionExpiredError);
+    });
+
+    it('returns empty fetch authorization', async() => {
+      const provider = decryptionAuthProvider(initializer)(config)(middleware);
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({});
+    });
+
+    it('decrypts a valid SSO cookie', async() => {
+      const userResponse = {
+        applications: [],
+        id: 10001068,
+        is_test: false,
+        support_identifier: 'cs_585fb1a7',
+        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
+      } as unknown as User; // This old cookie is missing the following fields: name, faculty_status, is_admin
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`]}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBe(2308840470);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(user).toStrictEqual(userResponse);
+    });
+  });
+
+  describe('authorization header starts with "Bearer "', () => {
+    // To show cookies are ignored when the Authorization header is present
+    const request = {cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`]};
+    const logger = createCoreLogger(jest.fn());
+    const middleware = {request, logger};
+
+    it('resolves undefined user/null expiration with an invalid token', async() => {
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, headers: {Authorization: 'Bearer invalid'}}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeNull();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+    });
+
+    it('returns the expiration date but not the user with an expired token', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
+      );
+
+      expect(await loader.getTokenExpiration()).toBe(2308840470);
+      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
+
+      const getError = async () => {
+        try {
+          await loader.getUser();
+          throw new Error('should not be reachable');
+        } catch (e) {
+          return e;
+        }
+      };
+
+      expect(await getError()).toBeInstanceOf(SessionExpiredError);
+    });
+
+    it('resolves undefined user/null expiration with wonky token', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {
+          ...middleware,
+          request: { ...request, headers: { Authorization: `Bearer ${properlyEncodedCookieWithInvalidPayload}` } }
+        }
+      );
+      await loader.getUser();
+      await loader.getUser();
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeNull();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+    });
+
+    it('decrypts expired token within 5m clock tolerance', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 37));
+      const userResponse = {
+        applications: [],
+        id: 10001068,
+        is_test: false,
+        support_identifier: 'cs_585fb1a7',
+        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
+      } as unknown as User;
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBe(2308840470);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(user).toStrictEqual(userResponse);
+    });
+
+    it('decrypts a valid SSO token', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 30));
+      const userResponse = {
+        applications: [],
+        id: 10001068,
+        is_test: false,
+        support_identifier: 'cs_585fb1a7',
+        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
+      } as unknown as User;
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBe(2308840470);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(user).toStrictEqual(userResponse);
+    });
+
+    it('generates authorized fetch-config', async () => {
+      const provider = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
+      );
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {Authorization: `Bearer ${auth}`}});
+    });
+  });
+
+  describe('auth queryString parameter', () => {
+    // To show the Authorization header and cookies are ignored when an auth queryString parameter is present
+    const request = {cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`], headers: { Authorization: 'Bearer bad' }};
+    const logger = createCoreLogger(jest.fn());
+    const middleware = {request, logger};
+
+    it('resolves undefined user/null expiration with an invalid token', async() => {
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, queryStringParameters: { auth: 'invalid' }}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeNull();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+    });
+
+    it('returns the expiration date but not the user with an expired token', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, queryStringParameters: { auth }}}
+      );
+
+      expect(await loader.getTokenExpiration()).toBe(2308840470);
+      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
+
+      const getError = async () => {
+        try {
+          await loader.getUser();
+          throw new Error('should not be reachable');
+        } catch (e) {
+          return e;
+        }
+      };
+
+      expect(await getError()).toBeInstanceOf(SessionExpiredError);
+    });
+
+    it('resolves undefined user/null expiration with wonky token', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {
+          ...middleware,
+          request: { ...request, queryStringParameters: { auth: properlyEncodedCookieWithInvalidPayload } }
+        }
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBeNull();
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(user).toBeUndefined();
+    });
+
+    it('decrypts expired token within 5m clock tolerance', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 37));
+      const userResponse = {
+        applications: [],
+        id: 10001068,
+        is_test: false,
+        support_identifier: 'cs_585fb1a7',
+        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
+      } as unknown as User;
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, queryStringParameters: { auth }}}
+      );
+      expect(await loader.getTokenExpiration()).toBe(2308840470);
+      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(user).toStrictEqual(userResponse);
+    });
+
+    it('decrypts a valid SSO token', async() => {
+      jest.setSystemTime(new Date(2043, 2, 1, 16, 30));
+      const userResponse = {
+        applications: [],
+        id: 10001068,
+        is_test: false,
+        support_identifier: 'cs_585fb1a7',
+        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
+      } as unknown as User;
+      const loader = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, queryStringParameters: { auth }}}
+      );
+      const exp = await loader.getTokenExpiration();
+      expect(exp).toBe(2308840470);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(user).toStrictEqual(userResponse);
+    });
+
+    it('generates authorized fetch-config', async () => {
+      const provider = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, queryStringParameters: { auth }}}
+      );
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {Authorization: `Bearer ${auth}`}});
+    });
+
+    it('can load the complete user data', async () => {
+      const provider = decryptionAuthProvider(initializer)(config)(
+        {...middleware, request: {...request, queryStringParameters: { auth }}}
+      );
+      const userData = { id: 1 } as ApiUser;
+      fetchSpy.mockReturnValueOnce(Promise.resolve({ json: () => userData }));
+      expect(await provider.loadUserData()).toEqual(userData);
+    });
+  });
+});

package/packages/utils/src/services/authProvider/decryption.ts

@@ -0,0 +1,98 @@
+import type { ConfigProviderForConfig } from '../../config';
+import { resolveConfigValue } from '../../config/resolveConfigValue';
+import { SessionExpiredError } from '../../errors';
+import { GenericFetch } from '../../fetch';
+import { ifDefined } from '../../guards';
+import { once } from '../../misc/helpers';
+import { decryptAndVerify } from './utils/decryptAndVerify';
+import { loadUserData } from './utils/userSubrequest';
+import { ApiUser, AuthProvider, CookieAuthProvider, getAuthTokenOrCookie, TokenUser } from '.';
+
+type Config = {
+  accountsBase: string;
+  cookieName: string;
+  encryptionPrivateKey: string;
+  signaturePublicKey: string;
+};
+
+interface Initializer<C> {
+  configSpace?: C;
+  fetch: GenericFetch;
+}
+
+export type DecryptionAuthProvider = AuthProvider & {
+  /*
+   * the token can optionally be fed in via the tokenString (useful in lti-gateway)
+   * null result means no expiration
+   * undefined result means unknown (because the authProvider cannot decrypt the token, etc)
+   */
+  getTokenExpiration: (tokenString?: string) => Promise<number | null | undefined>;
+  loadUserData: () => Promise<ApiUser | undefined>;
+};
+export const decryptionAuthProvider = <C extends string = 'decryption'>(initializer: Initializer<C>) => (configProvider: {[_key in C]: ConfigProviderForConfig<Config>}): CookieAuthProvider<DecryptionAuthProvider> => {
+  const config = configProvider[ifDefined(initializer.configSpace, 'decryption' as C)];
+  const accountsBase = once(() => resolveConfigValue(config.accountsBase));
+  const cookieName = once(() => resolveConfigValue(config.cookieName));
+  const encryptionPrivateKey = once(() => resolveConfigValue(config.encryptionPrivateKey));
+  const signaturePublicKey = once(() => resolveConfigValue(config.signaturePublicKey));
+
+  return ({request, logger}) => {
+    let user: TokenUser | undefined;
+    let userData: ApiUser | undefined;
+
+    const getAuthToken = async() => getAuthTokenOrCookie(request, await cookieName())[0];
+    const getAuthorizedFetchConfig = async() => {
+      const [token, headers] = getAuthTokenOrCookie(request, await cookieName());
+      if (!token) {
+        return {};
+      }
+      return { headers };
+    };
+    const getDecryptedPayload = async(tokenString?: string) => {
+      const token = tokenString ?? await getAuthToken();
+      if (!token) {
+        return undefined;
+      }
+
+      return decryptAndVerify(token, await encryptionPrivateKey(), await signaturePublicKey());
+    };
+    const getUser = async() => {
+      if (!user) {
+        const result = await getDecryptedPayload();
+        if (!result) { return undefined; }
+
+        if ('error' in result && result.error == 'expired token') {
+          throw new SessionExpiredError();
+        }
+
+        if ('user' in result) {
+          logger.setContext({user: result.user.uuid});
+          user = result.user;
+        }
+      }
+      return user;
+    };
+
+    return {
+      getAuthToken,
+      getAuthorizedFetchConfig,
+      getTokenExpiration: async(tokenString?: string) => {
+        const payload = await getDecryptedPayload(tokenString);
+        return payload ? (payload.exp ?? null) : undefined;
+      },
+      getUser,
+      loadUserData: async() => {
+        if (!userData) {
+          const token = await getAuthToken();
+
+          if (!token) {
+            return undefined;
+          }
+
+          userData = await loadUserData(initializer.fetch, await accountsBase(), await cookieName(), token);
+        }
+        return userData;
+      },
+    };
+  };
+};