@openstax/ts-utils 1.34.0 → 1.35.0

package/packages/utils/src/services/authProvider/browser.ts

@@ -1,209 +0,0 @@
-import { once } from '../..';
-import { ConfigProviderForConfig, resolveConfigValue } from '../../config';
-import { FetchConfig, GenericFetch } from '../../fetch';
-import { ifDefined } from '../../guards';
-import { METHOD, unsafePayloadValidator } from '../../routing';
-import { embeddedAuthProvider, PostMessageTypes, UserData } from './utils/embeddedAuthProvider';
-import { ApiUser, AuthProvider } from '.';
-
-type Config = {
-  accountsBase: string;
-};
-interface Initializer<C> {
-  configSpace?: C;
-  window: Window;
-}
-
-export type EventHandler = (e: {data: any; origin: string; source: Pick<Window, 'postMessage'>}) => void;
-
-export interface Window {
-  fetch: GenericFetch;
-  parent: Pick<Window, 'postMessage'>;
-  location: {search: string};
-  document: {referrer: string};
-  postMessage: (data: any, origin: string) => void;
-  addEventListener: (event: 'message', callback: EventHandler) => void;
-  removeEventListener: (event: 'message', callback: EventHandler) => void;
-}
-
-const isUserData = unsafePayloadValidator<ApiUser>();
-
-export type UpdatableUserFields = Partial<Pick<ApiUser, 'consent_preferences' | 'first_name' | 'last_name'>>;
-
-export type BrowserAuthProvider = AuthProvider & {
-  getAuthorizedUrl: (urlString: string) => string;
-  getAuthorizedLinkUrl: (urlString: string) => string;
-  getAuthorizedEmbedUrl: (urlString: string, extraParams?: { [key: string]: string }) => string;
-  updateUser: (updates: UpdatableUserFields) => Promise<UserData<ApiUser>>;
-};
-
-export const browserAuthProvider = <C extends string = 'auth'>({window, configSpace}: Initializer<C>) => (configProvider: {[_key in C]: ConfigProviderForConfig<Config>}): BrowserAuthProvider => {
-  const config = configProvider[ifDefined(configSpace, 'auth' as C)];
-  const accountsBase = once(() => resolveConfigValue(config.accountsBase));
-  const queryString = window.location.search;
-  const queryKey = 'auth';
-  const urlSearchParams = new URLSearchParams(queryString);
-  const authQuery = urlSearchParams.get(queryKey);
-  const referrer = window.document.referrer ? new URL(window.document.referrer) : undefined;
-  const isEmbedded = window.parent !== window;
-  const trustedParent = isEmbedded && referrer && referrer.hostname.match(/^(openstax\.org|((.*)(\.openstax\.org|local|localhost)))$/) ? referrer : undefined;
-  const {
-    embeddedQueryKey, embeddedQueryValue, getAuthorizedEmbedUrl
-  } = embeddedAuthProvider(() => getUserData(), { authQuery: { key: queryKey, value: authQuery }, window});
-  const embeddedQuery = urlSearchParams.get(embeddedQueryKey);
-
-  let userData: UserData<ApiUser> = { token: authQuery };
-
-  const getAuthToken = async () => {
-    return (await getUserData()).token;
-  };
-
-  const getAuthorizedLinkUrl = (urlString: string) => {
-    const url = new URL(urlString);
-
-    if (userData.token) {
-      url.searchParams.set(queryKey, userData.token);
-    }
-
-    return url.href;
-  };
-
-  const getAuthorizedUrl = (urlString: string) => {
-    const url = new URL(urlString);
-
-    if (authQuery) {
-      url.searchParams.set(queryKey, authQuery);
-    } else if (embeddedQuery) {
-      url.searchParams.set(queryKey, 'embedded');
-    }
-    if (embeddedQuery) {
-      url.searchParams.set(embeddedQueryKey, embeddedQuery);
-    }
-
-    return url.href;
-  };
-
-  // *note* that this does not actually prevent cookies from being sent on same-origin
-  // requests, i'm not sure if its possible to stop browsers from sending cookies in
-  // that case
-  const getAuthorizedFetchConfigFromData = (data: typeof userData): FetchConfig => {
-    const {token} = data;
-
-    return token ? {
-      headers: {Authorization: `Bearer ${token}`},
-    } : {
-      credentials: 'include',
-    };
-  };
-  const getAuthorizedFetchConfig = async(): Promise<FetchConfig> => {
-    return getAuthorizedFetchConfigFromData(userData.token ? userData : await getUserData());
-  };
-
-  /*
-   * requests user identity from parent window via postMessage
-   */
-  const getParentWindowUser = () => new Promise<typeof userData>((resolve, reject) => {
-    if (!window.parent || !trustedParent) {
-      return reject(new Error('parent window is undefined or not trusted'));
-    }
-
-    const handler: EventHandler = (event) => {
-      if (event.data.type === PostMessageTypes.ReceiveUser && event.origin === trustedParent.origin) {
-        clearTimeout(timeout);
-        window.removeEventListener('message', handler);
-        resolve(event.data.userData);
-      }
-    };
-
-    window.addEventListener('message', handler);
-    window.parent.postMessage({type: PostMessageTypes.RequestUser}, trustedParent.origin);
-
-    const timeout = setTimeout(() => {
-      window.removeEventListener('message', handler);
-      reject(new Error('loading user identity timed out'));
-    }, 5000);
-  });
-
-  /*
-   * requests user identity from accounts api using given token or cookie
-   */
-  const getFetchUser = async() => {
-    const response = await window.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user?always_200=true',
-      getAuthorizedFetchConfigFromData(userData));
-    if (response.status === 200) {
-      const body = await response.json();
-      const user = isUserData(body) ? body : undefined;
-      return {...userData, user};
-    }
-
-    const message = await response.text();
-    throw new Error(`Error response from Accounts ${response.status}: ${message}`);
-  };
-
-  const getUserData = once(async() => {
-    // For backwards compatibility
-    if (authQuery === 'embedded') { return getParentWindowUser(); }
-
-    // getFetchUser() will throw here if authQuery is not set
-    return await (embeddedQuery === embeddedQueryValue ? getParentWindowUser() : getFetchUser());
-  });
-
-  const getUser = async() => {
-    return (await getUserData()).user;
-  };
-
-  const updateUser = async(updates: UpdatableUserFields) => {
-    const response = await window.fetch(
-      (await accountsBase()).replace(/\/+$/, '') + '/api/user',
-      {...getAuthorizedFetchConfigFromData(userData), method: METHOD.PUT, body: JSON.stringify(updates)}
-    );
-    if (response.status === 200) {
-      const user = await response.json();
-      if (isUserData(user)) {
-        return {...userData, user};
-      }
-    }
-
-    const message = await response.text();
-    throw new Error(`Error response from Accounts ${response.status}: ${message}`);
-  };
-
-  return {
-    /**
-     * gets the authentication token
-     */
-    getAuthToken,
-    /**
-     * adds auth parameters to the url. this is only safe to use when using javascript to navigate
-     * within the current window, eg `window.location = 'https://my.otherservice.com';` anchors
-     * should use getAuthorizedLinkUrl for their href.
-     *
-     * result unreliable unless `getUser` is resolved first.
-     */
-    getAuthorizedUrl,
-    /**
-     * all link href-s must be rendered with auth tokens so that they work when opened in a new tab
-     *
-     * result unreliable unless `getUser` is resolved first.
-     */
-    getAuthorizedLinkUrl,
-    /**
-     * gets an authorized url for an iframe src. sets params on the url and saves its
-     * origin to trust releasing user identity to it
-     */
-    getAuthorizedEmbedUrl,
-    /**
-     * gets second argument for `fetch` that has authentication token or cookie
-     */
-    getAuthorizedFetchConfig,
-    /**
-     * loads current user identity. does not reflect changes in identity after being called the first time.
-     */
-    getUser,
-    loadUserData: getUser,
-    /**
-     * updates user settings, for example the cookie consent preferences
-     */
-    updateUser,
-  };
-};

package/packages/utils/src/services/authProvider/decryption.spec.ts

@@ -1,337 +0,0 @@
-import { SessionExpiredError } from '../../errors';
-import { GenericFetch } from '../../fetch';
-import { createCoreLogger } from '../logger';
-import { decryptionAuthProvider } from './decryption';
-import { ApiUser, User } from '.';
-
-describe('decryptionAuthProvider', () => {
-  let fetchSpy: jest.SpyInstance;
-  let initializer: { fetch: GenericFetch };
-
-  beforeEach(() => {
-    jest.useFakeTimers();
-    jest.setSystemTime(new Date(2023, 3, 2));
-
-    fetchSpy = jest.fn();
-    initializer = {fetch: fetchSpy as any};
-  });
-
-  // These values are used in the Accounts local dev environment, not any real Accounts deployments
-  const config = {
-    decryption: {
-      accountsBase: 'accountsBase',
-      cookieName: 'oxa_dev',
-      encryptionPrivateKey: 'RvGHVZ/kvzUAA5Z3t68+FNhuMCJxkzv+', // cspell:disable-line
-      signaturePublicKey: `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7JRnvbwTd2jGDWaW5Wc3
-HiBWd00ipH5FbmJe1fFeW/2Ji5w5MZ0evtorsV2lVBlP2G5THjmtHK1fdqC+2xiM
-nicxqGMn3C4T8EnS86knl0Yv3VEfDRZBoWsUX2s2y0xKu8Pvt6nbhrnkS8pi8+Au
-huT0ad/891aAhmp1QDkh+vI9NTYHb0mXYqMmJYZPJRL4eO6Z4j6djeHDz8D/TzWy
-Ah0cDEmTncO6YuJrf6CTi9eJce8pi+X8fhNTlZdfzIFE8BShAOxieYN1OV1RYmCT
-XD8jEL1ZgDxpIiZkB9u3tzUL1WZi7YENGouLhg9b/BUIw0dFXGkNErvtmDD7Ce8I
-twIDAQAB
------END PUBLIC KEY-----`,
-    }
-  };
-
-  // the below token expires at 2308840470 (2043-03-01T16:34:30.000Z)
-  // cspell:disable-next-line
-  const auth = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..v-Ot9t9EvGRkzXVx.D4k0ebDXUM8PNjiuvfCHBP_lNgIEzUkU9ibXLt4QxZXifd6ULAMofiWjT87L_3QKS2QfbrRz3Acah9wSNW4TFrtl5khBioWg3xjaImPtshJnBL7fPtEZWhNBkhkO1R4YK2Fr2mo5d-Y3_mkINHHyF19kIJJox6HsPqNaUSob59G2QQyza0TxJQMDjybsArL3GOT2PnVy_HQuIZmLqpypaoPnEoJ_WwvjK1oyORdUsYhv8kPzF9fPNZZjj2moqHIw41cc0ajeyw4TTvfkaYBC2Ovs2lVovjlj4PiPq9nAq-vpVII1XHp7qZQtQcWY-pGiVTFrnUErqNjZHwYKd0Y6kMgm1aqP2P3Qrt7nLCqEZf--LOpugk1Uunc_xBbPTjSBs9KJS_doREMmzvs9eqmn_V1_dxMgn3pMyMCMdD5ZKA89fpd0oT7kLDDawY_UfSEpmX8dI2ouvbW8VWtphhLGhjhssCcIv_ksGae59TS-WqGstT3Jd9D-uAAyz0wIuegokQt-9m5JT9vebDPhIgoRA-NgflQFz0xP1ERiTDbWpODYY5vkg-qzhKJPgSTLBYgGTBVLZzzwSoEOhAp5R_mfxZULXWacCqJo4GPvZ6bgSJdhFq2ZQhOgT_WNV5wYYBu_NqNh0OHZ0zzgZRX0tmsvgCFr0_VXeO0apDpg_bp7W1EF3dnUopTfdYtl0YQ8xI3dTrOX4tbRQf5QBKyXARoch3ObDtlbbcF6BN55AJXBa5bkl4m2pb3fzyoobXCFiAjTDKgRi_Qf7wnEww35gFs74ST3H-QGRBCTC2zMFRbVZ-kNXERs6Re2Ez_df-cVdfXk0CWs9T0GT6oFZOz4meT2bj7L-x8Ugerr-_CUVaSjC3NwdrtfBrw9E-k1pTeJ9_dMYJMJ6w7-sVu7X8BRof-bh3pBBWH45b9RzCvXd2d-AyIoeag2ZRfkfLk5vdiWSOtNlXTIgM8IKxZYy8MrZpXqLPBK6pAiMZN8Ou94ZBvq.eMtwHum3NKJNDt0SmqdPZw';
-
-  // cspell:disable-next-line
-  const properlyEncodedCookieWithInvalidPayload = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..A61VXXx1Ap9-XVPt.vbO8tIN8PK_m3Z7XyZf4Efxsj-Nc5pmPuYs8IBpymo323s9Hund_jJRAPI2TDJV-cna-Zhm2bYy6a64uCfyX-YFgrQV17cIkDOZXxV3_SdOGGcnXBe3RP-soCRY4ARlS3SWKPbjrh_1HUMZO30Rxh3r_LEKJRGiXAybrrb-Ii99ZYoy1z06iCC61aZGE-NaXYsp3mx4hdoO8HSLOLIyUa3rFJQTfKAq5GoRlsfKXZTUYiaHbLRWCY4tht7Jy8pKJp01pdFE2oP37Xf6gyvWmbnIuEyqGH3S9QSIkGM28sPjfdh5w-VYL_cF5-Cy3D6kplMra5dnZ1QIlgkJPycTxR2aQXitJXpIFOMgtD0L5-WxPRBgY_-85aHYIeZ3SA-5YrAiPDoj4H8QBZWVdbmLtJhPqtj8IBA8jV0sKbNwh2lky7bSGXEzG9jRdEE5WiD95rRV7WoEHMWtbvH8qZstzfbRmWzBNdJYLh828UpdkywrB2OzxkEiJhol8vg0GgEiaZFWhsCa5IVwfLJ_JSnR142L0znrF0DikLdFHdbIlhvxZ-yXvhlzLWRf3bCYqyuQP1Bq5J9bVGxxijWkLx8N9kB2FvhVYwa2-MLJCF2XX4NZT9w0WihSX5Rmwyeyf88OA-83Cg6ipkm-uW0Gfy2QiVacuV5hzuoPzG4WycZgXAbFHPTPN-nin_ul9tWeOpyFkWAjIuXhghUeUFl20xfZSE4xrNCN45ZJ9nxnPE4kA_g17VKSaZxzLnoHaxH4RHq2D7QydmFaxY_nqlbqz.sKv3xa1Vp4ZzZyVPpL3uXg';
-
-  describe('no authorization header or authorization header doesn\'t start with "Bearer "', () => {
-    // To show blank Authorization headers are ignored (excluding "Bearer " prefix)
-    const request = {headers: {Authorization: 'Bearer '}};
-    const logger = createCoreLogger(jest.fn());
-    const middleware = {request, logger};
-
-    it('resolves undefined without a cookie', async() => {
-      const loader = decryptionAuthProvider(initializer)(config)(middleware);
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeUndefined();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-      const userData = await loader.loadUserData();
-      expect(userData).toBeUndefined();
-    });
-
-    it('resolves undefined without the right cookie', async() => {
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad']}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeUndefined();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-    });
-
-    it('resolves undefined user/null expiration with an invalid cookie', async() => {
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', 'oxa_dev=invalid']}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeNull();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-    });
-
-    it('returns the expiration date but not the user with an expired cookie', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 17, 0));
-
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`]}}
-      );
-
-      expect(await loader.getTokenExpiration()).toBe(2308840470);
-      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
-
-      const getError = async () => {
-        try {
-          await loader.getUser();
-          throw new Error('should not be reachable');
-        } catch (e) {
-          return e;
-        }
-      };
-
-      expect(await getError()).toBeInstanceOf(SessionExpiredError);
-    });
-
-    it('returns empty fetch authorization', async() => {
-      const provider = decryptionAuthProvider(initializer)(config)(middleware);
-      expect(await provider.getAuthorizedFetchConfig()).toEqual({});
-    });
-
-    it('decrypts a valid SSO cookie', async() => {
-      const userResponse = {
-        applications: [],
-        id: 10001068,
-        is_test: false,
-        support_identifier: 'cs_585fb1a7',
-        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
-      } as unknown as User; // This old cookie is missing the following fields: name, faculty_status, is_admin
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`]}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBe(2308840470);
-      await loader.getUser();
-      await loader.getUser();
-      const user = await loader.getUser();
-      expect(user).toStrictEqual(userResponse);
-    });
-  });
-
-  describe('authorization header starts with "Bearer "', () => {
-    // To show cookies are ignored when the Authorization header is present
-    const request = {cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`]};
-    const logger = createCoreLogger(jest.fn());
-    const middleware = {request, logger};
-
-    it('resolves undefined user/null expiration with an invalid token', async() => {
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, headers: {Authorization: 'Bearer invalid'}}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeNull();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-    });
-
-    it('returns the expiration date but not the user with an expired token', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
-      );
-
-      expect(await loader.getTokenExpiration()).toBe(2308840470);
-      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
-
-      const getError = async () => {
-        try {
-          await loader.getUser();
-          throw new Error('should not be reachable');
-        } catch (e) {
-          return e;
-        }
-      };
-
-      expect(await getError()).toBeInstanceOf(SessionExpiredError);
-    });
-
-    it('resolves undefined user/null expiration with wonky token', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {
-          ...middleware,
-          request: { ...request, headers: { Authorization: `Bearer ${properlyEncodedCookieWithInvalidPayload}` } }
-        }
-      );
-      await loader.getUser();
-      await loader.getUser();
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeNull();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-    });
-
-    it('decrypts expired token within 5m clock tolerance', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 37));
-      const userResponse = {
-        applications: [],
-        id: 10001068,
-        is_test: false,
-        support_identifier: 'cs_585fb1a7',
-        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
-      } as unknown as User;
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBe(2308840470);
-      await loader.getUser();
-      await loader.getUser();
-      const user = await loader.getUser();
-      expect(user).toStrictEqual(userResponse);
-    });
-
-    it('decrypts a valid SSO token', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 30));
-      const userResponse = {
-        applications: [],
-        id: 10001068,
-        is_test: false,
-        support_identifier: 'cs_585fb1a7',
-        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
-      } as unknown as User;
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBe(2308840470);
-      await loader.getUser();
-      await loader.getUser();
-      const user = await loader.getUser();
-      expect(user).toStrictEqual(userResponse);
-    });
-
-    it('generates authorized fetch-config', async () => {
-      const provider = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, headers: {Authorization: `Bearer ${auth}`}}}
-      );
-      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {Authorization: `Bearer ${auth}`}});
-    });
-  });
-
-  describe('auth queryString parameter', () => {
-    // To show the Authorization header and cookies are ignored when an auth queryString parameter is present
-    const request = {cookies: ['bad_cookie=bad-bad-bad', `oxa_dev=${auth}`], headers: { Authorization: 'Bearer bad' }};
-    const logger = createCoreLogger(jest.fn());
-    const middleware = {request, logger};
-
-    it('resolves undefined user/null expiration with an invalid token', async() => {
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, queryStringParameters: { auth: 'invalid' }}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeNull();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-    });
-
-    it('returns the expiration date but not the user with an expired token', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, queryStringParameters: { auth }}}
-      );
-
-      expect(await loader.getTokenExpiration()).toBe(2308840470);
-      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
-
-      const getError = async () => {
-        try {
-          await loader.getUser();
-          throw new Error('should not be reachable');
-        } catch (e) {
-          return e;
-        }
-      };
-
-      expect(await getError()).toBeInstanceOf(SessionExpiredError);
-    });
-
-    it('resolves undefined user/null expiration with wonky token', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 40));
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {
-          ...middleware,
-          request: { ...request, queryStringParameters: { auth: properlyEncodedCookieWithInvalidPayload } }
-        }
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBeNull();
-      await loader.getUser();
-      await loader.getUser();
-      const user = await loader.getUser();
-      expect(user).toBeUndefined();
-    });
-
-    it('decrypts expired token within 5m clock tolerance', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 37));
-      const userResponse = {
-        applications: [],
-        id: 10001068,
-        is_test: false,
-        support_identifier: 'cs_585fb1a7',
-        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
-      } as unknown as User;
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, queryStringParameters: { auth }}}
-      );
-      expect(await loader.getTokenExpiration()).toBe(2308840470);
-      expect(await loader.getTokenExpiration(auth)).toBe(2308840470);
-      await loader.getUser();
-      await loader.getUser();
-      const user = await loader.getUser();
-      expect(user).toStrictEqual(userResponse);
-    });
-
-    it('decrypts a valid SSO token', async() => {
-      jest.setSystemTime(new Date(2043, 2, 1, 16, 30));
-      const userResponse = {
-        applications: [],
-        id: 10001068,
-        is_test: false,
-        support_identifier: 'cs_585fb1a7',
-        uuid: '1b2dc73a-a792-462b-9b0f-59bd22bac26d',
-      } as unknown as User;
-      const loader = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, queryStringParameters: { auth }}}
-      );
-      const exp = await loader.getTokenExpiration();
-      expect(exp).toBe(2308840470);
-      await loader.getUser();
-      await loader.getUser();
-      const user = await loader.getUser();
-      expect(user).toStrictEqual(userResponse);
-    });
-
-    it('generates authorized fetch-config', async () => {
-      const provider = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, queryStringParameters: { auth }}}
-      );
-      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {Authorization: `Bearer ${auth}`}});
-    });
-
-    it('can load the complete user data', async () => {
-      const provider = decryptionAuthProvider(initializer)(config)(
-        {...middleware, request: {...request, queryStringParameters: { auth }}}
-      );
-      const userData = { id: 1 } as ApiUser;
-      fetchSpy.mockReturnValueOnce(Promise.resolve({ json: () => userData }));
-      expect(await provider.loadUserData()).toEqual(userData);
-    });
-  });
-});

package/packages/utils/src/services/authProvider/decryption.ts

@@ -1,98 +0,0 @@
-import type { ConfigProviderForConfig } from '../../config';
-import { resolveConfigValue } from '../../config/resolveConfigValue';
-import { SessionExpiredError } from '../../errors';
-import { GenericFetch } from '../../fetch';
-import { ifDefined } from '../../guards';
-import { once } from '../../misc/helpers';
-import { decryptAndVerify } from './utils/decryptAndVerify';
-import { loadUserData } from './utils/userSubrequest';
-import { ApiUser, AuthProvider, CookieAuthProvider, getAuthTokenOrCookie, TokenUser } from '.';
-
-type Config = {
-  accountsBase: string;
-  cookieName: string;
-  encryptionPrivateKey: string;
-  signaturePublicKey: string;
-};
-
-interface Initializer<C> {
-  configSpace?: C;
-  fetch: GenericFetch;
-}
-
-export type DecryptionAuthProvider = AuthProvider & {
-  /*
-   * the token can optionally be fed in via the tokenString (useful in lti-gateway)
-   * null result means no expiration
-   * undefined result means unknown (because the authProvider cannot decrypt the token, etc)
-   */
-  getTokenExpiration: (tokenString?: string) => Promise<number | null | undefined>;
-  loadUserData: () => Promise<ApiUser | undefined>;
-};
-export const decryptionAuthProvider = <C extends string = 'decryption'>(initializer: Initializer<C>) => (configProvider: {[_key in C]: ConfigProviderForConfig<Config>}): CookieAuthProvider<DecryptionAuthProvider> => {
-  const config = configProvider[ifDefined(initializer.configSpace, 'decryption' as C)];
-  const accountsBase = once(() => resolveConfigValue(config.accountsBase));
-  const cookieName = once(() => resolveConfigValue(config.cookieName));
-  const encryptionPrivateKey = once(() => resolveConfigValue(config.encryptionPrivateKey));
-  const signaturePublicKey = once(() => resolveConfigValue(config.signaturePublicKey));
-
-  return ({request, logger}) => {
-    let user: TokenUser | undefined;
-    let userData: ApiUser | undefined;
-
-    const getAuthToken = async() => getAuthTokenOrCookie(request, await cookieName())[0];
-    const getAuthorizedFetchConfig = async() => {
-      const [token, headers] = getAuthTokenOrCookie(request, await cookieName());
-      if (!token) {
-        return {};
-      }
-      return { headers };
-    };
-    const getDecryptedPayload = async(tokenString?: string) => {
-      const token = tokenString ?? await getAuthToken();
-      if (!token) {
-        return undefined;
-      }
-
-      return decryptAndVerify(token, await encryptionPrivateKey(), await signaturePublicKey());
-    };
-    const getUser = async() => {
-      if (!user) {
-        const result = await getDecryptedPayload();
-        if (!result) { return undefined; }
-
-        if ('error' in result && result.error == 'expired token') {
-          throw new SessionExpiredError();
-        }
-
-        if ('user' in result) {
-          logger.setContext({user: result.user.uuid});
-          user = result.user;
-        }
-      }
-      return user;
-    };
-
-    return {
-      getAuthToken,
-      getAuthorizedFetchConfig,
-      getTokenExpiration: async(tokenString?: string) => {
-        const payload = await getDecryptedPayload(tokenString);
-        return payload ? (payload.exp ?? null) : undefined;
-      },
-      getUser,
-      loadUserData: async() => {
-        if (!userData) {
-          const token = await getAuthToken();
-
-          if (!token) {
-            return undefined;
-          }
-
-          userData = await loadUserData(initializer.fetch, await accountsBase(), await cookieName(), token);
-        }
-        return userData;
-      },
-    };
-  };
-};