@or-sdk/authorizer 0.24.17 → 0.24.18

package/src/OAuth/types.ts

@@ -6,10 +6,16 @@ export type OAuthConfig = {
    * token or function which return token
    */
   token: Token;
+  authKey: string;
   discoveryUrl: string;
   serviceName: string;
+  accountId?: string;
+  authName?: string;
+  dynamicCollection?: string;
+  eventManagerUrl?: string;
   keyValueCollection?: string;
-  authKey: string;
+  providersAccountId?: string;
+  sdkUrl?: string;
 };
 
 export type OAuthData = {
@@ -27,9 +33,18 @@ export type OAuthData = {
   accountId: string;
 };
 
+export type OAuthInitData = {
+  serviceName: string;
+  keyValueCollection: string;
+  authKey?: string;
+  authName?: string;
+  dynamicCollection: string;
+};
+
 export type CreateOAuthConfig = {
   /**
-   * Name of OAuth service definition. If service definition is not found in global library, it will be taken from local library
+   * Name of OAuth service definition.
+   * If service definition is not found in global library, it will be taken from local library
    */
   serviceName: string;
 
@@ -55,10 +70,87 @@ export type CreateOAuthConfig = {
    */
   token: Token;
 
+  /**
+   * URL of Discovery API
+   */
   discoveryUrl: string;
+
+  /**
+   * Account where to save the authorization data
+   */
+  destinationAccount: 'CURRENT' | 'PROVIDER' | 'CUSTOM';
+
+  /**
+   * URL of Event manager API
+   */
+  eventManagerUrl?: string;
+
+  /**
+   * Account ID of current account
+   */
+  accountId?: string;
+
+  /**
+   * Account ID of provider account
+   */
+  providersAccountId?: string;
+
+  /**
+   * Name of the dynamic collection where to store authorization data
+   */
+  dynamicCollection?: string;
+
+  /**
+   * User scopes (Slack only)
+   */
+  userScope?: string;
+
+  /**
+   * Flag whether nonce should be used
+   */
+  useNonce?: boolean;
+
+  /**
+   * Custom account ID (if destinationAccount === "CUSTOM")
+   */
+  customAccountId?: string;
+
+  /**
+   * Url of OneReach SDK api
+   */
+  sdkUrl?: string;
+
+  /**
+   * Flag to choose if token should be used with non-original accountId (SUPER-ADMIN only)
+   */
+  crossAccount?: boolean;
+
+  /**
+   * Flag to choose if alternative provider should be used for handling redirect
+   */
+  useNextProvider?: boolean;
+
+
+  /**
+   * Additional headers for code exchange request
+   */
+  additionalHeaders?: Record<string, unknown>;
+
+  /**
+   * Additional body data for code exchange request
+   */
+  additionalBodyData?: Record<string, unknown>;
+
+  /**
+   * Existing authorization key for reauthorization.
+   */
+  authKey?: string;
 };
 
-export type CreateOAuthInCollectionConfig = Omit<CreateOAuthConfig, 'discoveryUrl' | 'serviceName' | 'token' | 'keyValueCollection'>;
+export type CreateOAuthInCollectionConfig = Omit<CreateOAuthConfig, 'discoveryUrl' |
+'serviceName' |
+'token' |
+'keyValueCollection'>;
 
 export type CreateOAuthResult = {
   authorizeUrl: string;
@@ -92,40 +184,133 @@ export type CreateOAuthAppConfig = {
 
 export type OAuthCollectionConfig = {
   /**
-   * token or function which return token
+   * Token or function which return token
    */
   token: Token;
+
+  /**
+   * URL of Discovery API
+   */
   discoveryUrl: string;
-  serviceName: string;
+
+  /**
+   * Account ID of current account
+   */
+  accountId?: string;
+
+  /**
+   * Name of OAuth service definition.
+   * If service definition is not found in global library, it will be taken from local library
+   */
+  serviceName?: string;
+
   /**
    * Pass this if your using custom name for key-value collection that differs from serviceName
    */
   keyValueCollection?: string;
+
+  /**
+   * Account ID of provider account
+   */
+  providersAccountId?: string;
+
+  /*
+   * URL of Event manager API
+   */
+  eventManagerUrl?: string;
+
+  /**
+   * Url of OneReach SDK api
+   */
+  sdkUrl?: string;
+
+  /**
+   * Flag to treat accountId as custom, if false, accountId treated as current (default:true)
+   */
+  crossAccount: boolean;
 };
 
+export type OAuthCollectionInitConfig = Pick<OAuthCollectionConfig, 'serviceName' | 'keyValueCollection'>;
+
 export type ServiceDefinitionConfig = {
-  serviceName: string;
-  requestDataType: string;
-  grantType?: string;
   authorizeUri: string;
+  authRequestAdditionalParams: string;
+  codeExchangeRequestAdditionalParams: string;
   exchangeTokenUri: string;
-  useRefresh: boolean;
-  expiresInPropertyName: string;
   expiresInDefaultValue?: number;
+  expiresInPropertyName: string;
+  grantType?: string;
   refreshUri?: string;
+  requestDataType: string;
   scopeType: ScopeType;
-  authRequestAdditionalParams: string;
-  codeExchangeRequestAdditionalParams: string;
+  serviceName: string;
+  useRefresh: boolean;
+  // eslint-disable-next-line
   environments?: Record<string, any>;
   authLinkAdditionalParams?: Record<string, string>[];
   displayServiceName?: string;
 };
 
+export type OAuthService = {
+  additionalFieldsForApp: unknown[];
+  addNonceToAuthRequest: boolean;
+  allowedScopes: [];
+  appHelp: string;
+  appTerm: string;
+  authLinkAdditionalParams: Record<string, string>[];
+  authorizationAndScopeHelp: string;
+  authorizeUri: string;
+  authRequestAdditionalParams: string;
+  codeExchangeRequestAdditionalParams: string;
+  defaultEnvironmentName: string;
+  disallowedScopes: [];
+  displayServiceName: string;
+  environments: Record<string, unknown>;
+  exchangeTokenUrl: string;
+  expiresInDefaultValue: number;
+  expiresInPropertyValue: string;
+  predefinedApps: [];
+  refreshUrl: string;
+  requestDataType: 'form' | 'json' | 'formData';
+  revokeHttpMethod: '' | 'GET' | 'POST' | 'PUT' | 'DELETE';
+  revokeUrl: string;
+  scopesDocumentationLink: string;
+  scopeType: 'JSON_ARRAY' | 'SPACE_DELIMITED' | 'COMMA_DELIMITED' | 'COMMA_DELIMITED_WITHOUT_WHITESPACE';
+  serviceName: string;
+  useRefresh: boolean;
+  grantType?: string;
+};
+
+export type OAuthDynamicCollection = {
+  name: string;
+  type: string;
+  service: string;
+  serviceConfigName: string;
+  authorizations: {
+    [key: string]: string;
+  };
+  appId?: string;
+  scope?: string;
+};
+
+export type LocalService = {
+  key: string;
+  value: ServiceDefinitionConfig;
+};
+
+export type StepContext = {
+  setShared(key: string, value: unknown, ttl: number): void;
+  getShared(key: string): unknown;
+  session: {
+    expirationDate: number;
+  };
+};
+
 export enum ScopeType {
   SPACE_DELIMITED = 'SPACE_DELIMITED',
   COMMA_DELIMITED = 'COMMA_DELIMITED',
   COMMA_DELIMITED_WITHOUT_WHITESPACE = 'COMMA_DELIMITED_WITHOUT_WHITESPACE',
-  JSON_ARRAY = 'JSON_ARRAY'
+  JSON_ARRAY = 'JSON_ARRAY',
 }
 
 

package/src/OAuth/utils/createAuthKey.ts

@@ -1,3 +1,11 @@
 export const createAuthKey = (id: string, authName: string, keyValueCollection: string, currentAccountId: string | null): string => {
   return `${id}::oauth::${authName}::${keyValueCollection}::${currentAccountId}`;
 };
+
+export function createDynamicKey(
+  id: string,
+  dynamicCollection: string,
+  serviceName: string,
+  currentAccountId: string | null): string {
+  return `${id}::oauth-collection::${dynamicCollection} authorization::${serviceName}::${currentAccountId}`;
+}

package/src/OAuth/utils/createOAuthHelper.ts

@@ -0,0 +1,374 @@
+import { KeyValueStorage } from '@or-sdk/key-value-storage';
+import { Providers } from '@or-sdk/providers';
+import { EVENT_MANAGER_SERVICE_KEY } from '@or-sdk/event-manager';
+import { Discovery } from '@or-sdk/discovery';
+
+import { v4 as uuidv4 } from 'uuid';
+
+import {
+  OAuthApp,
+  CreateOAuthConfig,
+  ServiceDefinitionConfig,
+  OAuthDynamicCollection,
+  LocalService,
+} from './../types';
+
+import {
+  SERVICE_PROVIDER_PATH,
+  OAUTH_REDIRECT_PROVIDER_PATH,
+  NEXT_OAUTH_REDIRECT_PROVIDER_PATH,
+  PREDEFINED_APP,
+  TEMPORARY_DATA_EXPIRATION_TIME,
+} from './../../constants';
+
+import { formatScope } from './../utils/formatScope';
+import { ServiceDefinition } from './../utils/ServiceDefinition';
+import { createAuthKey, createDynamicKey } from './../utils/createAuthKey';
+
+export default class OAuthCreator {
+  private params: CreateOAuthConfig;
+  private app: OAuthApp | undefined;
+  private authKey = '';
+  private service: ServiceDefinition | undefined;
+  private readonly keyValueStorage: KeyValueStorage;
+  private readonly providers: Providers;
+
+  constructor(params: CreateOAuthConfig) {
+    this.params = params;
+
+    this.validateInput();
+
+    this.keyValueStorage = new KeyValueStorage({
+      accountId: params.crossAccount ? params.accountId : undefined,
+      sdkUrl: params.sdkUrl,
+      token: params.token,
+    });
+
+    this.providers = new Providers({
+      token: params.token,
+      eventManagerUrl: params.eventManagerUrl,
+      providersAccountId: params.providersAccountId,
+    });
+  }
+
+  public async getOAuthParams() {
+    if (this.params.authKey) {
+      await this.resolveReauthParams();
+    }
+
+    await this.resolveDiscoveryParams();
+
+    const res = await this.getAppAndService();
+
+    this.service = res.serviceDefinition;
+    this.app = res.currentApp;
+
+
+    this.getAuthKey();
+
+    const { redirectProviderUrl, redirectPath } = await this.saveTempData();
+
+    const authorizeUrl = this.formAuthUrl(redirectPath, redirectProviderUrl);
+
+    if (this.params.dynamicCollection) {
+      this.saveToDynamicCollection;
+    }
+
+    return {
+      oAuthParams: {
+        accountId: this.params.crossAccount ? this.params.accountId : undefined,
+        authKey: this.params.useNextProvider ? ('::' + this.authKey.split('::').slice(1, 3).join('::')) : this.authKey,
+        authName: this.params.authName,
+        discoveryUrl: this.params.discoveryUrl,
+        dynamicCollection: this.params.dynamicCollection,
+        eventManagerUrl: this.params.eventManagerUrl,
+        providersAccountId: this.params.providersAccountId,
+        serviceName: this.params.serviceName,
+        token: this.params.token,
+      },
+      authorizeUrl,
+    };
+  }
+
+  private validateInput() {
+    const {
+      accountId,
+      crossAccount = true,
+      destinationAccount = 'CURRENT',
+      eventManagerUrl,
+      providersAccountId,
+      sdkUrl,
+    } = this.params;
+
+    if (!this.params.authKey) {
+      if (!this.params.appId) {
+        throw new Error('Application ID is missing');
+      } else if (!this.params.authName) {
+        throw new Error('Authorization name is missing');
+      }
+    }
+
+    if (!this.params.serviceName) {
+      throw new Error('Service name is missing');
+    } else if (!this.params.token) {
+      throw new Error('Authorization token is missing');
+    }
+
+    if (!sdkUrl || !eventManagerUrl || !providersAccountId || !accountId) {
+      if (!this.params.discoveryUrl) {
+        throw new Error('Discovery URL is missing.');
+      }
+    }
+
+    this.params.destinationAccount = destinationAccount;
+    this.params.crossAccount = crossAccount;
+    this.params.keyValueCollection =
+      this.params.keyValueCollection || this.params.serviceName;
+  }
+
+  private async resolveDiscoveryParams() {
+    const { accountId, eventManagerUrl, providersAccountId } = this.params;
+    if (accountId && eventManagerUrl && providersAccountId) {
+      return;
+    }
+
+    const discovery = new Discovery({
+      token: this.params.token,
+      discoveryUrl: this.params.discoveryUrl,
+    });
+
+    if (!accountId) {
+      this.params.accountId = await discovery.getCurrentAccountId().catch(() => {
+        throw new Error('Could not request current account ID');
+      });
+    }
+
+    if (!eventManagerUrl) {
+      this.params.eventManagerUrl = await discovery.getServiceUrl(EVENT_MANAGER_SERVICE_KEY).catch(() => {
+        throw new Error('Could not request current Event Manager URL');
+      });
+    }
+
+    if (!providersAccountId) {
+      this.params.providersAccountId = await discovery.getProvidersAccountId().catch(() => {
+        throw new Error('Could not request provider`s account ID');
+      });
+    }
+  }
+
+  private async getAppAndService() {
+
+    const services = await this.providers.makeRequest<{
+      [key: string]: ServiceDefinitionConfig;
+    }>({
+      method: 'GET',
+      route: SERVICE_PROVIDER_PATH,
+      params: {
+        type: 'list',
+      },
+    }).catch(() => { throw new Error('Could not request services list'); });
+
+    const localServices = await this.keyValueStorage.listKeys(
+      '__authorization_service_predefined_services_local',
+      undefined,
+      true
+    ) as unknown as Record<string, LocalService[]>;
+
+    localServices.items.forEach(el => (services[el.key] = el.value));
+
+    const currentServiceData = services[this.params.serviceName];
+    if (!currentServiceData) {
+      throw new Error('Service name is incorrect');
+    }
+
+    const apps = await this.keyValueStorage.getValueByKey(
+      this.params.keyValueCollection as string,
+      '__authorizer_apps'
+    );
+
+    if (!apps || !apps.value) {
+      throw new Error('Apps are missing in service collection');
+    }
+
+    // eslint-disable-next-line
+    const currentApp = (apps.value as any).find(
+      (app: { label: string; value: OAuthApp; }) => app.value.appId === this.params.appId
+    ).value;
+
+    return {
+      currentApp,
+      serviceDefinition: new ServiceDefinition(
+        currentServiceData,
+        currentApp.authLinkParams,
+        currentApp.environment
+      ),
+    };
+  }
+
+  private async resolveReauthParams() {
+    const old_auth_record = await this.keyValueStorage.getValueByKey(
+      this.params.keyValueCollection as string,
+      this.params.authKey as string
+    );
+
+    const old_auth: Record<string, string> = old_auth_record.value as unknown as Record<string, string>;
+
+    if (!old_auth) {
+      throw new Error('Could not reauthorize non-existing authorization');
+    }
+
+    if (old_auth.isRemote) {
+      throw new Error('Reauthorization of remote authorizations is not implemented.');
+    }
+
+    this.params.appId = old_auth.appId;
+    this.params.scope = old_auth.scope as unknown as string[];
+    this.params.authName = old_auth.authName;
+  }
+
+  private getAuthKey() {
+    const id = uuidv4();
+
+    if (this.params.authKey) {
+      if (this.params.authKey[0] === ':') {
+        this.params.useNextProvider = true;
+        this.authKey = id + this.params.authKey;
+
+      } else {
+        this.params.useNextProvider = false;
+        this.authKey = this.params.authKey;
+      }
+
+    } else {
+      const keyAccountId = this.params.destinationAccount === 'CURRENT' ? this.params.accountId :
+        this.params.destinationAccount === 'PROVIDER' ? this.params.providersAccountId :
+          this.params.destinationAccount === 'CUSTOM' ? this.params.customAccountId : null;
+
+      this.authKey = this.params.dynamicCollection ?
+        createDynamicKey(id, this.params.dynamicCollection, this.params.serviceName, keyAccountId || null) :
+        createAuthKey(id, this.params.authName, this.params.keyValueCollection as string, keyAccountId || null);
+
+    }
+  }
+
+  private async saveTempData() {
+    const redirectPath = this.params.useNextProvider ? NEXT_OAUTH_REDIRECT_PROVIDER_PATH : OAUTH_REDIRECT_PROVIDER_PATH;
+    const redirectProviderUrl = `${this.params.eventManagerUrl}/http/${this.params.providersAccountId}${redirectPath}`;
+    const serviceDefinition = this.service as ServiceDefinition;
+
+    // eslint-disable-next-line
+    const authConfigs: any = {
+      ...(this.params.additionalBodyData || {}),
+      grant_type: 'authorization_code',
+      redirect_uri: redirectProviderUrl,
+      appId: this.params.appId,
+    };
+
+    if (this.params.scope) {
+      authConfigs.scope = this.params.authKey ?
+        this.params.scope :
+        formatScope(this.params.scope, serviceDefinition.scopeType);
+    }
+
+    const configs = {
+      [serviceDefinition.requestDataType]: authConfigs,
+    };
+
+    const tempAuthData = {
+      accountId: this.params.accountId,
+      additionalHeaders: this.params.additionalHeaders || {},
+      configs,
+      displayServiceName: serviceDefinition.displayServiceName,
+      expiresInDefaultValue: serviceDefinition.expiresInDefaultValue,
+      isCustomApp: this.params.appId !== PREDEFINED_APP,
+      name: this.params.authName,
+      refreshUri: serviceDefinition.refreshUri,
+      requestDataType: serviceDefinition.requestDataType,
+      service: this.params.keyValueCollection,
+      serviceConfigName: this.params.serviceName,
+      storeAccount: this.params.destinationAccount,
+      storeCustomAccountId: this.params.destinationAccount === 'CUSTOM' ? this.params.customAccountId : undefined,
+      urlToExchangeToken: serviceDefinition.exchangeTokenUri,
+    };
+
+    const authDataExpire = Date.now() + TEMPORARY_DATA_EXPIRATION_TIME;
+    await this.keyValueStorage.setValueByKey(
+      '__authorizer_temp-uuid',
+      this.authKey.split('::')[0],
+      tempAuthData,
+      authDataExpire
+    );
+    return {
+      redirectPath,
+      redirectProviderUrl,
+    };
+  }
+
+  private formAuthUrl(redirectPath: string, redirectProviderUrl: string) {
+    const serviceDefinition = this.service as ServiceDefinition;
+    const currentApp = this.app as OAuthApp;
+
+    const authUrl = new URL(serviceDefinition.authorizeUri);
+    const additionalParams: { [key: string]: string; } = JSON.parse(
+      serviceDefinition.authRequestAdditionalParams
+    );
+
+    Object.entries(additionalParams.queryParams).forEach(([key, value]) => {
+      authUrl.searchParams.append(key, value);
+    });
+    authUrl.searchParams.append('response_type', 'code');
+    authUrl.searchParams.append('client_id', currentApp.clientId);
+    authUrl.searchParams.append('redirect_uri', redirectProviderUrl);
+    authUrl.searchParams.append('state', this.authKey);
+
+    if (this.params.scope) {
+
+      authUrl.searchParams.append(
+        'scope',
+        this.params.authKey ?
+          this.params.scope as unknown as string :
+          formatScope(this.params.scope, serviceDefinition.scopeType)
+      );
+    }
+
+    if (this.params.userScope) {
+      authUrl.searchParams.append('user_scope', this.params.userScope);
+    }
+
+    if (this.params.useNonce) {
+      authUrl.searchParams.append('nonce', uuidv4());
+    }
+
+    return authUrl.href;
+  }
+
+  private async saveToDynamicCollection() {
+    const { value } = await this.keyValueStorage.getValueByKey(
+      '__authorizer_dynamic_collections',
+      this.params.dynamicCollection as string
+    );
+
+    const collection = (value || {
+      name: this.params.dynamicCollection,
+      type: 'oauth',
+      service: this.params.serviceName,
+      serviceConfigName: this.params.serviceName,
+      authorizations: {},
+    }) as OAuthDynamicCollection;
+
+    if (collection.authorizations[this.params.authName]) {
+      await this.keyValueStorage.deleteKey(
+        this.params.serviceName,
+        collection.authorizations[this.params.authName]
+      );
+    }
+
+    collection.authorizations[this.params.authName] = this.authKey;
+
+    await this.keyValueStorage.setValueByKey(
+      '__authorizer_dynamic_collections',
+      this.params.dynamicCollection as string,
+      collection
+    );
+  }
+}