npm - @openstax/ts-utils - Versions diffs - 1.33.1 → 1.34.0 - Mend

@openstax/ts-utils 1.33.1 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (504) hide show

package/packages/utils/src/services/authProvider/index.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import cookie from 'cookie';
+import type { FetchConfig } from '../../fetch';
+import { tuple } from '../../misc/helpers';
+import type { HttpHeaders, QueryParams } from '../../routing';
+import { getHeader } from '../../routing/helpers';
+import type { Logger } from '../logger';
+export type ConsentPreferences = {
+  consent_preferences: {
+    accepted: string[];
+    rejected: string[];
+  };
+};
+export type TokenUser = {
+  id: number;
+  name: string;
+  uuid: string;
+  faculty_status: string;
+  is_admin: boolean;
+};
+export type ApiUser = TokenUser & {
+  first_name: string;
+  last_name: string;
+  full_name: string;
+  contact_infos: Array<{
+    type: string;
+    value: string;
+    is_verified: boolean;
+    is_guessed_preferred: boolean;
+  }>;
+  applications: Array<{
+    id: number;
+    name: string;
+    roles: string[];
+  }>;
+  external_ids: string[];
+  is_not_gdpr_location: boolean;
+  self_reported_role: string;
+  signed_contract_names: string[];
+  using_openstax: boolean;
+} & Partial<ConsentPreferences>;
+export type User = TokenUser | ApiUser;
+export type AuthProvider = {
+  getAuthToken: () => Promise<string | null>;
+  getUser: () => Promise<User | undefined>;
+  /**
+   * gets second argument for `fetch` that has authentication token or cookie
+   */
+  getAuthorizedFetchConfig: () => Promise<FetchConfig>;
+  loadUserData: () => Promise<ApiUser | undefined>;
+};
+export type CookieAuthProviderRequest = {
+  cookies?: string[];
+  headers: HttpHeaders;
+  queryStringParameters?: QueryParams;
+};
+export type CookieAuthProvider<T extends AuthProvider = AuthProvider> = (
+  inputs: {request: CookieAuthProviderRequest; logger: Logger}
+) => T;
+export type StubAuthProvider = (user: User | undefined) => AuthProvider;
+export const stubAuthProvider = (user?: User) => {
+  const getUser = () => Promise.resolve(user);
+  return {
+    getAuthToken: () => Promise.resolve('authToken'),
+    getUser,
+    getAuthorizedFetchConfig: () => Promise.resolve(
+      user ? {headers: {Authorization: user.uuid}} : {}
+    ),
+    // This is not technically correct, but most tests won't care
+    loadUserData: getUser
+  } as AuthProvider;
+};
+export const getAuthTokenOrCookie = (request: CookieAuthProviderRequest, cookieName: string, queryKey = 'auth') => {
+  const authParam = request.queryStringParameters ? request.queryStringParameters[queryKey] : undefined;
+  const authHeader = getHeader(request.headers, 'authorization');
+  const cookieValue = cookie.parse(request.cookies?.join('; ') ?? '')[cookieName];
+  return typeof authParam === 'string'
+  ? tuple(authParam, {Authorization: `Bearer ${authParam}`})
+  : authHeader && authHeader.length >= 8 && authHeader.startsWith('Bearer ')
+    ? tuple(authHeader.slice(7), {Authorization: authHeader})
+    : cookieValue
+      ? tuple(cookieValue, {cookie: cookie.serialize(cookieName, cookieValue)})
+      : tuple(null, {});
+};

package/packages/utils/src/services/authProvider/stub.spec.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { ApiUser, stubAuthProvider, User } from '.';
+describe('stubAuthProvider', () => {
+  it ('gets auth token', async() => {
+    const provider = stubAuthProvider();
+    expect(await provider.getAuthToken()).toBe('authToken');
+  });
+  it ('gets user', async() => {
+    const userResponse = {} as User;
+    const provider = stubAuthProvider(userResponse);
+    expect(await provider.getUser()).toBe(userResponse);
+  });
+  it ('gets undefined user', async() => {
+    const provider = stubAuthProvider();
+    expect(await provider.getUser()).toBeUndefined();
+  });
+  it ('loads user data', async() => {
+    const userResponse = {} as ApiUser;
+    const provider = stubAuthProvider(userResponse);
+    expect(await provider.loadUserData()).toBe(userResponse);
+  });
+});

package/packages/utils/src/services/authProvider/subrequest.spec.ts ADDED Viewed

@@ -0,0 +1,105 @@
+import { GenericFetch } from '../../fetch';
+import { createCoreLogger } from '../logger';
+import { subrequestAuthProvider } from './subrequest';
+import { User } from '.';
+describe('cookie subrequest', () => {
+  let fetchSpy: jest.SpyInstance;
+  let initializer: { fetch: GenericFetch };
+  beforeEach(() => {
+    fetchSpy = jest.fn();
+    initializer = {fetch: fetchSpy as any};
+  });
+  const config = {
+    subrequest: {
+      cookieName: 'sweet_cookie',
+      accountsBase: 'accountsBase',
+    }
+  };
+  describe('no authorization header or authorization header doesn\'t start with "Bearer "', () => {
+    // To show blank Authorization headers are ignored (excluding "Bearer " prefix)
+    const request = {headers: {Authorization: 'Bearer '}};
+    const logger = createCoreLogger(jest.fn());
+    const middleware = {request, logger};
+    it('returns null auth token without a cookie', async() => {
+      const token = await subrequestAuthProvider(initializer)(config)(middleware).getAuthToken();
+      expect(token).toBeNull();
+    });
+    it('resolves undefined without a cookie', async() => {
+      const user = await subrequestAuthProvider(initializer)(config)(middleware).getUser();
+      expect(user).toBeUndefined();
+    });
+    it('resolves undefined without the right cookie', async() => {
+      const user = await subrequestAuthProvider(initializer)(config)({...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad']}}).getUser();
+      expect(user).toBeUndefined();
+    });
+    it('returns auth token from the right cookie', async() => {
+      const loader = subrequestAuthProvider(initializer)(config)({...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', 'sweet_cookie=yum']}});
+      const token = await loader.getAuthToken();
+      expect(token).toBe('yum');
+    });
+    it('subrequests using the right cookie', async() => {
+      const userResponse = {} as User;
+      fetchSpy.mockReturnValue(Promise.resolve({headers: {get: () => null}, json: () => userResponse}));
+      const loader = subrequestAuthProvider(initializer)(config)({...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', 'sweet_cookie=yum']}});
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith('accountsBase/api/user', {
+        headers: {cookie: 'sweet_cookie=yum'},
+      });
+      expect(user).toBe(userResponse);
+    });
+    it('generates empty fetch-config', async () => {
+      const provider = subrequestAuthProvider(initializer)(config)({...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad']}});
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({});
+    });
+    it('generates authorized fetch-config', async () => {
+      const provider = subrequestAuthProvider(initializer)(config)({...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', 'sweet_cookie=yum']}});
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {cookie: 'sweet_cookie=yum'}});
+    });
+  });
+  describe('authorization header starts with "Bearer "', () => {
+    const request = {
+      headers: {Authorization: 'Bearer yummier'}, cookies: ['bad_cookie=bad-bad-bad', 'sweet_cookie=yum']
+    };
+    const logger = createCoreLogger(jest.fn());
+    const middleware = {request, logger};
+    it('returns auth token from the authorization header', async() => {
+      const loader = subrequestAuthProvider(initializer)(config)(middleware);
+      const token = await loader.getAuthToken();
+      expect(token).toBe('yummier');
+    });
+    it('subrequests using the authorization header', async() => {
+      const userResponse = {} as User;
+      fetchSpy.mockReturnValue(Promise.resolve({headers: {get: () => null}, json: () => userResponse}));
+      const loader = subrequestAuthProvider(initializer)(config)(middleware);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith('accountsBase/api/user', {
+        headers: {cookie: 'sweet_cookie=yummier'},
+      });
+      expect(user).toBe(userResponse);
+    });
+    it('generates authorized fetch-config', async () => {
+      const provider = subrequestAuthProvider(initializer)(config)(middleware);
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {Authorization: 'Bearer yummier'}});
+    });
+  });
+});

package/packages/utils/src/services/authProvider/subrequest.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import { once } from '../..';
+import { ConfigProviderForConfig, resolveConfigValue } from '../../config';
+import { GenericFetch } from '../../fetch';
+import { ifDefined } from '../../guards';
+import { loadUserData } from './utils/userSubrequest';
+import { ApiUser, CookieAuthProvider, getAuthTokenOrCookie } from '.';
+type Config = {
+  accountsBase: string;
+  cookieName: string;
+};
+interface Initializer<C> {
+  configSpace?: C;
+  fetch: GenericFetch;
+}
+export const subrequestAuthProvider = <C extends string = 'subrequest'>(initializer: Initializer<C>) => (configProvider: {[_key in C]: ConfigProviderForConfig<Config>}): CookieAuthProvider => {
+  const config = configProvider[ifDefined(initializer.configSpace, 'subrequest' as C)];
+  const cookieName = once(() => resolveConfigValue(config.cookieName));
+  const accountsBase = once(() => resolveConfigValue(config.accountsBase));
+  return ({request, logger}) => {
+    let user: ApiUser | undefined;
+    const getAuthToken = async() => getAuthTokenOrCookie(request, await cookieName())[0];
+    const getAuthorizedFetchConfig = async() => {
+      const [token, headers] = getAuthTokenOrCookie(request, await cookieName());
+      if (!token) {
+        return {};
+      }
+      return { headers };
+    };
+    const loadUser = async() => {
+      const resolvedCookieName = await cookieName();
+      const [token] = getAuthTokenOrCookie(request, resolvedCookieName);
+      if (!token) {
+        return undefined;
+      }
+      const user = await loadUserData(initializer.fetch, await accountsBase(), resolvedCookieName, token);
+      if (user) {
+        logger.setContext({user: user.uuid});
+      }
+      return user;
+    };
+    const getUser = async() => {
+      if (!user) {
+        user = await loadUser();
+      }
+      return user;
+    };
+    return {
+      getAuthToken,
+      getAuthorizedFetchConfig,
+      getUser,
+      loadUserData: getUser
+    };
+  };
+};

package/packages/utils/src/services/authProvider/utils/decryptAndVerify.spec.ts ADDED Viewed

@@ -0,0 +1,128 @@
+import { createCipheriv, generateKeyPair, randomBytes, sign } from 'crypto';
+import { decryptJwe, verifyJws } from './decryptAndVerify';
+describe('decryptJwe', () => {
+  const header = { alg: 'dir', enc: 'A256GCM' };
+  const plaintext = 'plaintext';
+  const key = randomBytes(32);
+  const iv = randomBytes(12);
+  beforeEach(() => {
+    header.alg = 'dir';
+    header.enc = 'A256GCM';
+  });
+  const createJwe = () => {
+    const headerBuffer = Buffer.from(JSON.stringify(header));
+    // The AAD encoding is weird
+    const aad = Buffer.from(headerBuffer.toString('base64url'));
+    const encryptedKey = Buffer.from('');
+    const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
+    cipher.setAAD(aad, { plaintextLength: plaintext.length });
+    const cipherText = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return [
+      headerBuffer, encryptedKey, iv, cipherText, authTag
+    ].map((buffer) => buffer.toString('base64url')).join('.');
+  };
+  it('decrypts a valid JWE', () => {
+    expect(decryptJwe(createJwe(), key)).toBe(plaintext);
+  });
+  it('returns undefined if the jwe has the wrong number of parts', () => {
+    const jwe = createJwe();
+    expect(decryptJwe(jwe.split('.').slice(0, 4).join('.'), key)).toBeUndefined();
+    expect(decryptJwe(`${jwe}.extra`, key)).toBeUndefined();
+    const [header, _, iv, cipherText, authTag] = jwe.split('.');
+    expect(decryptJwe([header, 'something', iv, cipherText, authTag].join('.'), key)).toBeUndefined();
+  });
+  it('returns undefined if the alg or enc are unsupported', () => {
+    header.alg = 'RSA-OAEP-256';
+    expect(decryptJwe(createJwe(), key)).toBeUndefined();
+    header.alg = 'dir';
+    header.enc = 'A128GCM';
+    expect(decryptJwe(createJwe(), key)).toBeUndefined();
+  });
+  it('returns undefined if the cipherText or authTag are invalid', () => {
+    const jweParts = createJwe().split('.');
+    expect(decryptJwe(jweParts.slice(0, 3).concat(['invalid', jweParts[4]]).join('.'), key)).toBeUndefined();
+    expect(decryptJwe(jweParts.slice(0, 4).concat(['invalid']).join('.'), key)).toBeUndefined();
+  });
+});
+describe('verifyJws', () => {
+  const header = { alg: 'RS256', typ: 'JWT' };
+  const payload = { test: true };
+  let payloadString = JSON.stringify(payload);
+  const keys = new Promise<{ publicKey: string; privateKey: string }>((resolve, reject) => generateKeyPair(
+    'rsa',
+    {
+      modulusLength: 4096,
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem'
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+      }
+    },
+    (err, publicKey, privateKey) => err ? reject(err) : resolve({ publicKey, privateKey })
+  ));
+  beforeEach(() => {
+    header.alg = 'RS256';
+    header.typ = 'JWT';
+  });
+  const createJws = async() => {
+    const { privateKey } = await keys;
+    const signedContent = [
+      Buffer.from(JSON.stringify(header)),
+      Buffer.from(payloadString)
+    ].map((buffer) => buffer.toString('base64url')).join('.');
+    const signature = sign('RSA-SHA256', Buffer.from(signedContent), privateKey);
+    return `${signedContent}.${signature.toString('base64url')}`;
+  };
+  it('verifies a valid JWS signature', async() => {
+    const { publicKey } = await keys;
+    expect(verifyJws(await createJws(), publicKey)).toEqual(payload);
+  });
+  it('returns undefined if the jws has the wrong number of parts', async() => {
+    const { publicKey } = await keys;
+    const jws = await createJws();
+    expect(verifyJws(jws.split('.').slice(0, 2).join('.'), publicKey)).toBeUndefined();
+    expect(verifyJws(`${jws}.extra`, publicKey)).toBeUndefined();
+  });
+  it('returns undefined if the alg or typ are unsupported', async() => {
+    const { publicKey } = await keys;
+    header.alg = 'ES256';
+    expect(verifyJws(await createJws(), publicKey)).toBeUndefined();
+    header.alg = 'RS256';
+    header.typ = 'JWS';
+    expect(verifyJws(await createJws(), publicKey)).toBeUndefined();
+  });
+  it('returns undefined if the payload is not valid JSON', async() => {
+    payloadString = 'test';
+    const { publicKey } = await keys;
+    expect(verifyJws(await createJws(), publicKey)).toBeUndefined();
+  });
+  it('returns undefined if the signature is invalid', async() => {
+    const { publicKey } = await keys;
+    const jws = await createJws();
+    expect(verifyJws(jws.split('.').slice(0, 2).concat(['invalid']).join('.'), publicKey)).toBeUndefined();
+  });
+});

package/packages/utils/src/services/authProvider/utils/decryptAndVerify.ts ADDED Viewed

@@ -0,0 +1,106 @@
+import { createDecipheriv, verify } from 'crypto';
+import type { User } from '..';
+import { isPlainObject } from '../../../guards';
+export const decryptJwe = (jwe: string, encryptionPrivateKey: Buffer | string) => {
+  const jweParts = jwe.split('.', 6);
+  if (jweParts.length !== 5 || jweParts[1]) { return undefined; } // Invalid/unsupported JWE
+  const header = JSON.parse(Buffer.from(jweParts[0], 'base64url').toString());
+  if (header.alg !== 'dir' || header.enc !== 'A256GCM') {
+    // Unsupported signature/encryption algorithm
+    return undefined;
+  }
+  const aad = Buffer.from(jweParts[0]);
+  const iv = Buffer.from(jweParts[2], 'base64url');
+  const cipherText = Buffer.from(jweParts[3], 'base64url');
+  const authTag = Buffer.from(jweParts[4], 'base64url');
+  // Verify token signature and decrypt
+  const decipher = createDecipheriv('aes-256-gcm', encryptionPrivateKey, iv, { authTagLength: 16 });
+  decipher.setAAD(aad, { plaintextLength: cipherText.length });
+  try {
+    decipher.setAuthTag(authTag);
+    return `${decipher.update(cipherText)}${decipher.final()}`;
+  } catch(error: any) {
+    // Invalid cipherText or authTag
+    return undefined;
+  }
+};
+type MaybeAccountsSSOToken = {
+  iss?: string;
+  sub?: User | string;
+  aud?: string;
+  exp?: number;
+  nbf?: number;
+  iat?: number;
+  jti?: string;
+};
+const issuer = 'OpenStax Accounts';
+const audience = 'OpenStax';
+const clockTolerance = 300; // 5 minutes
+export const verifyJws = (jws: string, signaturePublicKey: Buffer | string): MaybeAccountsSSOToken | undefined => {
+  const jwsParts = jws.split('.', 4);
+  if (jwsParts.length !== 3) { return undefined; } // Invalid JWS
+  const header = JSON.parse(Buffer.from(jwsParts[0], 'base64url').toString());
+  if (header.alg !== 'RS256' || header.typ !== 'JWT') { return undefined; } // Unsupported JWS
+  const signedContent = Buffer.from(`${jwsParts[0]}.${jwsParts[1]}`);
+  const signature = Buffer.from(jwsParts[2], 'base64url');
+  if (!verify('RSA-SHA256', signedContent, signaturePublicKey, signature)) {
+    return undefined;
+  }
+  const payload = Buffer.from(jwsParts[1], 'base64url').toString();
+  try {
+    return JSON.parse(payload);
+  } catch(error: any) {
+    return undefined;
+  }
+};
+/**
+ * Decrypts and verifies a SSO cookie.
+ *
+ * @param token the encrypted token
+ * @param encryptionPrivateKey the private key used to encrypt the token
+ * @param signaturePublicKey the public key used to verify the decrypted token
+ * @returns {user: User; exp: number} (success) or {error: string} (failure)
+ */
+export const decryptAndVerify = (
+  token: string, encryptionPrivateKey: string, signaturePublicKey: string
+): {user: User; exp: number} | {error: string; exp?: number} => {
+  const timestamp = Math.floor(Date.now() / 1000);
+  const jws = decryptJwe(token, encryptionPrivateKey);
+  if (!jws) { return {error: 'invalid token'}; }
+  const payload = verifyJws(jws, signaturePublicKey);
+  // Ensure payload contains all the claims we expect
+  // Normally "sub" would be a string but Accounts uses an object for it instead
+  if (!isPlainObject(payload) ||
+      !isPlainObject(payload.sub) || !payload.sub.uuid ||
+      payload.iss !== issuer ||
+      payload.aud !== audience ||
+      !payload.exp ||
+      !payload.nbf || payload.nbf > timestamp + clockTolerance ||
+      !payload.iat || payload.iat > timestamp + clockTolerance ||
+      !payload.jti) {
+    return {error: 'invalid token'};
+  }
+  if (payload.exp < timestamp - clockTolerance) {
+    return {error: 'expired token', exp: payload.exp};
+  }
+  return {user: payload.sub, exp: payload.exp};
+};

package/packages/utils/src/services/authProvider/utils/embeddedAuthProvider.spec.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { Window } from '../browser';
+import { embeddedAuthProvider } from './embeddedAuthProvider';
+describe('embeddedAuthProvider', () => {
+  let addEventListener: jest.SpyInstance;
+  let removeEventListener: jest.SpyInstance;
+  let window: Window;
+  beforeEach(() => {
+    addEventListener = jest.fn();
+    removeEventListener = jest.fn();
+    window = {addEventListener, removeEventListener} as any;
+  });
+  it('mounts', () => {
+    embeddedAuthProvider(jest.fn(), {window});
+    expect(addEventListener).toHaveBeenCalled();
+  });
+  it('unmounts', () => {
+    const {unmount} = embeddedAuthProvider(jest.fn(), {window});
+    unmount();
+    expect(removeEventListener).toHaveBeenCalled();
+  });
+});

package/packages/utils/src/services/authProvider/utils/embeddedAuthProvider.ts ADDED Viewed

@@ -0,0 +1,57 @@
+import queryString from 'query-string';
+import { User } from '..';
+import { EventHandler, Window } from '../browser';
+export type UserData<T = User> = {
+  user?: T;
+  token: string | null;
+};
+type UserDataLoader = () => Promise<UserData>;
+export enum PostMessageTypes {
+  ReceiveUser = 'receive-user',
+  RequestUser = 'request-user',
+}
+export const embeddedAuthProvider = (
+  getUserData: UserDataLoader,
+  { authQuery, window }: { authQuery?: { key: string; value: string | null }; window: Window }
+) => {
+  const trustedEmbeds = new Set<string>();
+  const embeddedQueryKey = 'embedded';
+  const embeddedQueryValue = 'true';
+  const messageHandler: EventHandler = event => {
+    if (event.data.type === PostMessageTypes.RequestUser && trustedEmbeds.has(event.origin)) {
+      getUserData().then(data => {
+        event.source.postMessage({type: PostMessageTypes.ReceiveUser, userData: data}, event.origin);
+      });
+    }
+  };
+  window.addEventListener('message', messageHandler);
+  const getAuthorizedEmbedUrl = (urlString: string, extraParams?: { [key: string]: string }) => {
+    const url = new URL(urlString);
+    trustedEmbeds.add(url.origin);
+    const params = queryString.parse(url.search);
+    url.search = queryString.stringify({
+      ...params,
+      ...extraParams,
+      ...(authQuery && authQuery.value ? { [authQuery.key]: authQuery.value } : {auth: 'embedded' }),
+      [embeddedQueryKey]: embeddedQueryValue,
+      subcontent: 'true',
+    });
+    return url.href;
+  };
+  return {
+    embeddedQueryKey,
+    embeddedQueryValue,
+    getAuthorizedEmbedUrl,
+    unmount: () => {
+      window.removeEventListener('message', messageHandler);
+    }
+  };
+};