@oslokommune/auth-bff 1.0.0-beta19

package/dist/client.d.mts

@@ -0,0 +1,7 @@
+export class OidcClientManager {
+    constructor(config: any);
+    init(): Promise<void>;
+    get client(): any;
+    #private;
+}
+//# sourceMappingURL=client.d.mts.map

package/dist/client.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.mts","sourceRoot":"","sources":["../src/client.mjs"],"names":[],"mappings":"AAKA;IAME,yBAEC;IAED,sBASC;IAyDD,kBAEC;;CAEF"}

package/dist/client.mjs

@@ -0,0 +1,92 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _OidcClientManager_instances, _OidcClientManager_issuer, _OidcClientManager_config, _OidcClientManager_client, _OidcClientManager_p12ToJwks, _OidcClientManager_createKeyStoreFromOkData, _OidcClientManager_createClient;
+import forge from "node-forge";
+import * as jose from 'jose';
+import { Issuer } from "openid-client";
+import { getSsmParameter } from "./config.mjs";
+export class OidcClientManager {
+    constructor(config) {
+        _OidcClientManager_instances.add(this);
+        _OidcClientManager_issuer.set(this, void 0);
+        _OidcClientManager_config.set(this, void 0);
+        _OidcClientManager_client.set(this, void 0);
+        __classPrivateFieldSet(this, _OidcClientManager_config, config, "f");
+    }
+    init() {
+        return __awaiter(this, void 0, void 0, function* () {
+            __classPrivateFieldSet(this, _OidcClientManager_issuer, yield Issuer.discover(__classPrivateFieldGet(this, _OidcClientManager_config, "f").oidcDiscoveryUri), "f");
+            __classPrivateFieldSet(this, _OidcClientManager_client, yield __classPrivateFieldGet(this, _OidcClientManager_instances, "m", _OidcClientManager_createClient).call(this), "f");
+            if (__classPrivateFieldGet(this, _OidcClientManager_config, "f").okDataIdPortenKeyName) {
+                setInterval(() => __awaiter(this, void 0, void 0, function* () {
+                    __classPrivateFieldSet(this, _OidcClientManager_client, yield __classPrivateFieldGet(this, _OidcClientManager_instances, "m", _OidcClientManager_createClient).call(this), "f");
+                }), 5 * 60 * 1000);
+            }
+        });
+    }
+    get client() {
+        return __classPrivateFieldGet(this, _OidcClientManager_client, "f");
+    }
+}
+_OidcClientManager_issuer = new WeakMap(), _OidcClientManager_config = new WeakMap(), _OidcClientManager_client = new WeakMap(), _OidcClientManager_instances = new WeakSet(), _OidcClientManager_p12ToJwks = function _OidcClientManager_p12ToJwks(okdataP12) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const p12Der = forge.util.decode64(okdataP12.keystore);
+        const p12Asn1 = forge.asn1.fromDer(p12Der);
+        const p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, okdataP12.key_password);
+        const privateKey = p12.getBagsByFriendlyName(okdataP12.key_alias)[0].key;
+        const privateKeyAsn1 = forge.pki.privateKeyToAsn1(privateKey);
+        const privateKeyInfo = forge.pki.wrapRsaPrivateKey(privateKeyAsn1);
+        const pem = forge.pki.privateKeyInfoToPem(privateKeyInfo);
+        const k = yield jose.importPKCS8(pem, 'RS256', { extractable: true });
+        const jwk = yield jose.exportJWK(k);
+        jwk.kid = okdataP12.key_id;
+        jwk.use = 'sig';
+        jwk.alg = 'RS256';
+        return {
+            keys: [jwk]
+        };
+    });
+}, _OidcClientManager_createKeyStoreFromOkData = function _OidcClientManager_createKeyStoreFromOkData(ssmName) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const keyString = yield getSsmParameter(ssmName);
+        const okdataP12 = JSON.parse(keyString);
+        return yield __classPrivateFieldGet(this, _OidcClientManager_instances, "m", _OidcClientManager_p12ToJwks).call(this, okdataP12);
+    });
+}, _OidcClientManager_createClient = function _OidcClientManager_createClient() {
+    return __awaiter(this, void 0, void 0, function* () {
+        let keyStore;
+        if (__classPrivateFieldGet(this, _OidcClientManager_config, "f").okDataIdPortenKeyName) {
+            keyStore = yield __classPrivateFieldGet(this, _OidcClientManager_instances, "m", _OidcClientManager_createKeyStoreFromOkData).call(this, __classPrivateFieldGet(this, _OidcClientManager_config, "f").okDataIdPortenKeyName);
+        }
+        else if (__classPrivateFieldGet(this, _OidcClientManager_config, "f").keyStore) {
+            keyStore = __classPrivateFieldGet(this, _OidcClientManager_config, "f").keyStore;
+        }
+        return new (__classPrivateFieldGet(this, _OidcClientManager_issuer, "f").Client)({
+            client_id: __classPrivateFieldGet(this, _OidcClientManager_config, "f").clientId,
+            client_secret: __classPrivateFieldGet(this, _OidcClientManager_config, "f").clientSecret,
+            redirect_uris: [__classPrivateFieldGet(this, _OidcClientManager_config, "f").redirectUri],
+            response_types: ["code"],
+            token_endpoint_auth_method: __classPrivateFieldGet(this, _OidcClientManager_config, "f").clientSecret ? "client_secret_post" : "private_key_jwt",
+            token_endpoint_auth_signing_alg: "RS256",
+            post_logout_redirect_uris: __classPrivateFieldGet(this, _OidcClientManager_config, "f").postLogoutRedirectUris
+        }, keyStore);
+    });
+};

package/dist/config-utils.d.mts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config-utils.d.mts.map

package/dist/config-utils.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-utils.d.mts","sourceRoot":"","sources":["../src/config-utils.mjs"],"names":[],"mappings":""}

package/dist/config-utils.mjs

@@ -0,0 +1 @@
+export {};

package/dist/config.d.mts

@@ -0,0 +1,4 @@
+export function getEnv(env: any, defaultVal: any, parseFn: any): any;
+export function getSsmParameter(name: any, withDecryption?: boolean): Promise<any>;
+export function loadConfig(): Promise<any>;
+//# sourceMappingURL=config.d.mts.map

package/dist/config.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.mts","sourceRoot":"","sources":["../src/config.mjs"],"names":[],"mappings":"AAGA,qEAQC;AAGD,mFAMC;AAUD,2CAqBC"}

package/dist/config.mjs

@@ -0,0 +1,65 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import findup from 'findup-sync';
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
+export function getEnv(env, defaultVal, parseFn) {
+    if (process.env[env]) {
+        return parseFn ? parseFn(process.env[env]) : process.env[env];
+    }
+    else if (defaultVal !== undefined) {
+        return defaultVal;
+    }
+    else {
+        throw Error(`Missing env var: ${env}`);
+    }
+}
+let ssmClient;
+export function getSsmParameter(name_1) {
+    return __awaiter(this, arguments, void 0, function* (name, withDecryption = true) {
+        ssmClient !== null && ssmClient !== void 0 ? ssmClient : (ssmClient = new SSMClient({}));
+        return ssmClient.send(new GetParameterCommand({
+            Name: name,
+            WithDecryption: withDecryption
+        })).then(p => p.Parameter.Value);
+    });
+}
+const defaultConfig = {
+    basePath: "",
+    cookieSecure: true,
+    cookieSameSite: 'lax',
+    staticRootPath: './dist'
+};
+let config;
+export function loadConfig() {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a;
+        if (config)
+            return config;
+        const userConfigPath = findup('bff.config.json');
+        console.log('Loading config at', userConfigPath);
+        const { default: loadedConfig } = yield import(userConfigPath, { with: { type: 'json' } });
+        for (const [key, value] of Object.entries(loadedConfig)) {
+            if (typeof value === "string") {
+                const [, varType, varName] = (_a = value.match(/\{(\w+):(.*)}/)) !== null && _a !== void 0 ? _a : [];
+                if (varType === 'env') {
+                    loadedConfig[key] = getEnv(varName);
+                }
+                else if (varType === 'ssm') {
+                    loadedConfig[key] = yield getSsmParameter(varName);
+                }
+                else if (varType) {
+                    throw Error(`unknown varType: ${varType}`);
+                }
+            }
+        }
+        config = Object.assign(Object.assign({}, defaultConfig), loadedConfig);
+        return config;
+    });
+}

package/dist/middleware/oidc-routes.d.mts

@@ -0,0 +1,2 @@
+export function oidcRoutes(oidcMiddleware: any): any;
+//# sourceMappingURL=oidc-routes.d.mts.map

package/dist/middleware/oidc-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-routes.d.mts","sourceRoot":"","sources":["../../src/middleware/oidc-routes.mjs"],"names":[],"mappings":"AAEA,qDASC"}

package/dist/middleware/oidc-routes.mjs

@@ -0,0 +1,9 @@
+import express from "express";
+export function oidcRoutes(oidcMiddleware) {
+    const router = new express.Router();
+    router.get('/auth/login', oidcMiddleware.login);
+    router.get('/auth/callback', oidcMiddleware.callback);
+    router.get('/auth/logout', oidcMiddleware.logout);
+    router.get('/auth/user', oidcMiddleware.user);
+    return router;
+}

package/dist/middleware/oidc.d.mts

@@ -0,0 +1,16 @@
+export class OidcMiddleware {
+    static create(config: any): Promise<OidcMiddleware>;
+    /**
+     * @private
+     * @param config
+     * @param clientManager
+     */
+    private constructor();
+    get ensureFreshToken(): (req: any, _: any, next: any) => void;
+    get login(): (req: any, res: any) => void;
+    get callback(): (req: any, res: any) => Promise<void>;
+    get user(): (req: any, res: any) => Promise<any>;
+    get logout(): (req: any, res: any) => void;
+    #private;
+}
+//# sourceMappingURL=oidc.d.mts.map

package/dist/middleware/oidc.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.d.mts","sourceRoot":"","sources":["../../src/middleware/oidc.mjs"],"names":[],"mappings":"AAGA;IAcE,oDAIC;IAdD;;;;OAIG;IACH,sBAGC;IA4BD,yBACU,QAAG,EAAE,MAAC,EAAE,SAAI,UAMrB;IAED,cACU,QAAG,EAAE,QAAG,UAiBjB;IAED,iBACgB,QAAG,EAAE,QAAG,mBAqBvB;IAED,aACgB,QAAG,EAAE,QAAG,kBAQvB;IAED,eACU,QAAG,EAAE,QAAG,UAajB;;CACF"}

package/dist/middleware/oidc.mjs

@@ -0,0 +1,132 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _OidcMiddleware_instances, _OidcMiddleware_clientManager, _OidcMiddleware_config, _OidcMiddleware_getFreshTokenSet;
+import { generators, TokenSet } from "openid-client";
+import { OidcClientManager } from "../client.mjs";
+export class OidcMiddleware {
+    /**
+     * @private
+     * @param config
+     * @param clientManager
+     */
+    constructor(config, clientManager) {
+        _OidcMiddleware_instances.add(this);
+        _OidcMiddleware_clientManager.set(this, void 0);
+        _OidcMiddleware_config.set(this, void 0);
+        __classPrivateFieldSet(this, _OidcMiddleware_clientManager, clientManager, "f");
+        __classPrivateFieldSet(this, _OidcMiddleware_config, config, "f");
+    }
+    static create(config) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const clientManager = new OidcClientManager(config);
+            yield clientManager.init();
+            return new OidcMiddleware(config, clientManager);
+        });
+    }
+    get ensureFreshToken() {
+        return (req, _, next) => {
+            __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokenSet).call(this, req).then(tokenSet => {
+                req.tokenSet = tokenSet;
+                next();
+            });
+        };
+    }
+    get login() {
+        return (req, res) => {
+            const codeVerifier = generators.codeVerifier();
+            const codeChallenge = generators.codeChallenge(codeVerifier);
+            const authorizationUrl = __classPrivateFieldGet(this, _OidcMiddleware_clientManager, "f").client.authorizationUrl({
+                scope: "openid profile",
+                code_challenge: codeChallenge,
+                code_challenge_method: "S256",
+                resource: __classPrivateFieldGet(this, _OidcMiddleware_config, "f").resources,
+            });
+            req.session.codeVerifier = codeVerifier;
+            req.session.save(() => {
+                res.redirect(authorizationUrl);
+            });
+        };
+    }
+    get callback() {
+        return (req, res) => __awaiter(this, void 0, void 0, function* () {
+            const params = __classPrivateFieldGet(this, _OidcMiddleware_clientManager, "f").client.callbackParams(req);
+            const codeVerifier = req.session.codeVerifier;
+            const redirectUri = `${req.protocol}://${req.headers.host}${__classPrivateFieldGet(this, _OidcMiddleware_config, "f").basePath}/auth/callback`;
+            try {
+                const tokenSet = yield __classPrivateFieldGet(this, _OidcMiddleware_clientManager, "f").client.callback(redirectUri, params, {
+                    code_verifier: codeVerifier
+                });
+                delete req.session.codeVerifier;
+                req.session.tokenSet = new TokenSet(tokenSet);
+                req.session.save(() => {
+                    res.redirect(__classPrivateFieldGet(this, _OidcMiddleware_config, "f").basePath || "/"); //TODO: skal denne kunne redirecte et annet sted?
+                });
+            }
+            catch (err) {
+                console.error(err);
+                res.status(500).send("Error during callback");
+            }
+        });
+    }
+    get user() {
+        return (req, res) => __awaiter(this, void 0, void 0, function* () {
+            const tokenSet = yield __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokenSet).call(this, req);
+            if (!tokenSet) {
+                return res.sendStatus(401);
+            }
+            return res.send(tokenSet.claims());
+        });
+    }
+    get logout() {
+        return (req, res) => {
+            const tokenSet = req.session.tokenSet && new TokenSet(req.session.tokenSet);
+            //TODO: støtt frontchannel SLO
+            req.session.destroy(() => {
+                res.redirect(__classPrivateFieldGet(this, _OidcMiddleware_clientManager, "f").client.endSessionUrl({
+                    id_token_hint: tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.id_token,
+                }));
+            });
+        };
+    }
+}
+_OidcMiddleware_clientManager = new WeakMap(), _OidcMiddleware_config = new WeakMap(), _OidcMiddleware_instances = new WeakSet(), _OidcMiddleware_getFreshTokenSet = function _OidcMiddleware_getFreshTokenSet(req) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const tokenSet = req.session.tokenSet && new TokenSet(req.session.tokenSet);
+        if (!tokenSet) {
+            console.log("No tokenSet found in session");
+            return;
+        }
+        if (tokenSet.expired()) {
+            try {
+                const refreshedTokenSet = yield __classPrivateFieldGet(this, _OidcMiddleware_clientManager, "f").client.refresh(tokenSet.refresh_token);
+                Object.assign(req.session.tokenSet, refreshedTokenSet);
+                return new TokenSet(req.session.tokenSet);
+            }
+            catch (err) {
+                console.log("Token refresh failed", err);
+                req.session.tokenSet = null;
+            }
+        }
+        else {
+            return tokenSet;
+        }
+    });
+};

package/dist/middleware/proxy-routes.d.mts

@@ -0,0 +1,2 @@
+export function proxyRoutes(config: any, oidcMiddleware: any): any;
+//# sourceMappingURL=proxy-routes.d.mts.map

package/dist/middleware/proxy-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-routes.d.mts","sourceRoot":"","sources":["../../src/middleware/proxy-routes.mjs"],"names":[],"mappings":"AAGA,mEA4BC"}

package/dist/middleware/proxy-routes.mjs

@@ -0,0 +1,27 @@
+import express from "express";
+import { createProxyMiddleware } from "http-proxy-middleware";
+export function proxyRoutes(config, oidcMiddleware) {
+    const router = new express.Router();
+    for (const [path, target] of Object.entries(config.proxyTargets)) {
+        console.log(`Setting up auth proxy: ${path} -> ${target}`);
+        router.use(path, oidcMiddleware.ensureFreshToken, createProxyMiddleware({
+            target: target,
+            changeOrigin: true,
+            on: {
+                proxyReq: (proxyReq, req, res) => {
+                    const tokenSet = req.tokenSet;
+                    if (!tokenSet) {
+                        console.error("proxy: missing tokenSet");
+                        return res.status(401);
+                    }
+                    proxyReq.setHeader("Authorization", `Bearer ${tokenSet.access_token}`);
+                    proxyReq.removeHeader("Cookie");
+                },
+                proxyRes: (proxyRes, req, res) => {
+                    console.log(`proxyied ${req.originalUrl}: ${proxyRes.statusCode}`);
+                }
+            }
+        }));
+    }
+    return router;
+}

package/dist/middleware/security-headers.d.mts

@@ -0,0 +1,2 @@
+export function securityHeaders(config: any): ((req: any, res: any, next: any) => void)[];
+//# sourceMappingURL=security-headers.d.mts.map

package/dist/middleware/security-headers.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.mts","sourceRoot":"","sources":["../../src/middleware/security-headers.mjs"],"names":[],"mappings":"AAGA,0FA+BC"}

package/dist/middleware/security-headers.mjs

@@ -0,0 +1,30 @@
+import crypto from "crypto";
+import helmet from "helmet";
+export function securityHeaders(config) {
+    const contentSecurityPolicy = config.contentSecurityPolicy;
+    if (contentSecurityPolicy === null || contentSecurityPolicy === void 0 ? void 0 : contentSecurityPolicy.directives) {
+        for (const [_, values] of Object.entries(contentSecurityPolicy.directives)) {
+            for (const [i, value] of values.entries()) {
+                if (value === '{nonce}') {
+                    values[i] = (req, res) => `'nonce-${res.locals.cspNonce}'`;
+                }
+            }
+        }
+    }
+    const generateCspNonceMiddleware = (req, res, next) => {
+        res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
+        next();
+    };
+    const helmetMiddleware = helmet({
+        strictTransportSecurity: {
+            maxAge: 31536000,
+            includeSubDomains: false,
+            preload: false,
+        },
+        contentSecurityPolicy: contentSecurityPolicy !== null && contentSecurityPolicy !== void 0 ? contentSecurityPolicy : false,
+    });
+    return [
+        generateCspNonceMiddleware,
+        helmetMiddleware
+    ];
+}

package/dist/middleware/sessions.d.mts

@@ -0,0 +1,2 @@
+export function sessions(config: any): any;
+//# sourceMappingURL=sessions.d.mts.map

package/dist/middleware/sessions.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.mts","sourceRoot":"","sources":["../../src/middleware/sessions.mjs"],"names":[],"mappings":"AAQA,2CAwBC"}

package/dist/middleware/sessions.mjs

@@ -0,0 +1,34 @@
+import session from "express-session";
+import dynamoDbStore from "connect-dynamodb";
+function dynamoDbSessionStore(config = {}) {
+    const DynamoDbStore = dynamoDbStore({ session });
+    return new DynamoDbStore(config);
+}
+export function sessions(config) {
+    var _a;
+    let sessionStore;
+    if (config.sessionStoreType === 'memory') {
+        sessionStore = undefined;
+    }
+    else if (config.sessionStoreType === 'dynamodb') {
+        const sessionStoreOptions = (_a = config.sessionStoreOptions) !== null && _a !== void 0 ? _a : {};
+        sessionStore = dynamoDbSessionStore(sessionStoreOptions);
+    }
+    else if (config.sessionStoreType) {
+        throw Error(`unknown sessionStoreType ${config.sessionStoreType}`);
+    }
+    else {
+        throw Error('missing sessionStoreType');
+    }
+    return session({
+        secret: config.sessionSecret,
+        store: sessionStore,
+        resave: false,
+        saveUninitialized: false,
+        cookie: {
+            httpOnly: true,
+            secure: config.cookieSecure,
+            sameSite: config.cookieSameSite
+        },
+    });
+}

package/dist/middleware/static-routes.d.mts

@@ -0,0 +1,2 @@
+export function staticRoutes(config: any): any;
+//# sourceMappingURL=static-routes.d.mts.map

package/dist/middleware/static-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-routes.d.mts","sourceRoot":"","sources":["../../src/middleware/static-routes.mjs"],"names":[],"mappings":"AAIA,+CAiBC"}

package/dist/middleware/static-routes.mjs

@@ -0,0 +1,19 @@
+import express from "express";
+import { stringReplace } from "string-replace-middleware";
+import path from "path";
+export function staticRoutes(config) {
+    const router = new express.Router();
+    router.use(stringReplace({
+        '__CSP_NONCE__': (req, res) => res.locals.cspNonce
+    }, {
+        contentTypeFilterRegexp: /^text\/html/
+    }));
+    const staticPath = path.resolve(process.cwd(), config.staticRootPath);
+    console.log(`Serving static content from '${staticPath}'`);
+    router.use(express.static(staticPath, { index: false }));
+    router.get('*', function (req, res) {
+        res.set('Cache-Control', 'no-store');
+        res.sendFile(path.resolve(staticPath, 'index.html'));
+    });
+    return router;
+}

package/dist/react/AuthContext.d.ts

@@ -0,0 +1,8 @@
+export type AuthContextProps = {
+    state: 'pending' | 'authenticated' | 'unauthenticated';
+    user?: {
+        pid: string;
+    };
+};
+export declare const AuthContext: any;
+//# sourceMappingURL=AuthContext.d.ts.map

package/dist/react/AuthContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthContext.d.ts","sourceRoot":"","sources":["../../src/react/AuthContext.tsx"],"names":[],"mappings":"AAEA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,SAAS,GAAG,eAAe,GAAG,iBAAiB,CAAC;IACvD,IAAI,CAAC,EAAE;QAAC,GAAG,EAAE,MAAM,CAAA;KAAC,CAAA;CAAC,CAAA;AAEvB,eAAO,MAAM,WAAW,KAAyD,CAAA"}

package/dist/react/AuthContext.jsx

@@ -0,0 +1,2 @@
+import { createContext } from "react";
+export const AuthContext = createContext(undefined);

package/dist/react/AuthContextProvider.d.ts

@@ -0,0 +1,9 @@
+import { ReactNode } from "react";
+type AuthContextProviderProps = {
+    children: ReactNode;
+    authRequired?: boolean;
+    loaderComponent: ReactNode;
+};
+export declare function AuthContextProvider({ children, authRequired, loaderComponent }: AuthContextProviderProps): any;
+export {};
+//# sourceMappingURL=AuthContextProvider.d.ts.map

package/dist/react/AuthContextProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthContextProvider.d.ts","sourceRoot":"","sources":["../../src/react/AuthContextProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAQ,SAAS,EAA8B,MAAM,OAAO,CAAC;AAGpE,KAAK,wBAAwB,GAAG;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,EAAE,SAAS,CAAA;CAC3B,CAAA;AAED,wBAAgB,mBAAmB,CAAC,EAAC,QAAQ,EAAE,YAAoB,EAAE,eAAsB,EAAC,EAAE,wBAAwB,OA6BrH"}

package/dist/react/AuthContextProvider.jsx

@@ -0,0 +1,29 @@
+import { React, useEffect, useRef, useState } from "react";
+import { AuthContext } from "./AuthContext";
+export function AuthContextProvider({ children, authRequired = false, loaderComponent = null }) {
+    const [user, setUser] = useState(undefined);
+    const [state, setState] = useState('pending');
+    const userPromise = useRef(undefined);
+    useEffect(() => {
+        var _a;
+        ((_a = userPromise.current) !== null && _a !== void 0 ? _a : (userPromise.current = fetch('/auth/user').then(res => res.ok && res.json())))
+            .then(json => {
+            if (json) {
+                setUser(json);
+                setState('authenticated');
+            }
+            else {
+                setState('unauthenticated');
+            }
+        });
+    }, []);
+    useEffect(() => {
+        if (authRequired && state === 'unauthenticated') {
+            window.location.assign('/auth/login');
+        }
+    }, [authRequired, state]);
+    return (<AuthContext.Provider value={{ user, state }}>
+      {(authRequired && state !== 'authenticated' || !authRequired && state === 'pending') && loaderComponent}
+      {(authRequired && state === 'authenticated' || !authRequired && state !== 'pending') && children}
+    </AuthContext.Provider>);
+}

package/dist/react/UseAuthContext.d.ts

@@ -0,0 +1,2 @@
+export declare function useAuthContext(required?: boolean): any;
+//# sourceMappingURL=UseAuthContext.d.ts.map

package/dist/react/UseAuthContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UseAuthContext.d.ts","sourceRoot":"","sources":["../../src/react/UseAuthContext.tsx"],"names":[],"mappings":"AAGA,wBAAgB,cAAc,CAAC,QAAQ,GAAE,OAAe,OAOvD"}

package/dist/react/UseAuthContext.jsx

@@ -0,0 +1,10 @@
+import { useContext } from "react";
+import { AuthContext } from "./AuthContext";
+export function useAuthContext(required = false) {
+    const authContext = useContext(AuthContext);
+    if (required && (authContext === null || authContext === void 0 ? void 0 : authContext.state) === 'unauthenticated') {
+        window.location.assign('/auth/login');
+        return;
+    }
+    return authContext;
+}

package/dist/react/index.d.ts

@@ -0,0 +1,4 @@
+export * from './AuthContext';
+export * from './AuthContextProvider';
+export * from './UseAuthContext';
+//# sourceMappingURL=index.d.ts.map

package/dist/react/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA;AAC7B,cAAc,uBAAuB,CAAA;AACrC,cAAc,kBAAkB,CAAA"}

package/dist/react/index.js

@@ -0,0 +1,3 @@
+export * from './AuthContext';
+export * from './AuthContextProvider';
+export * from './UseAuthContext';

package/dist/server.d.mts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=server.d.mts.map

package/dist/server.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.mts","sourceRoot":"","sources":["../src/server.mjs"],"names":[],"mappings":""}

package/dist/server.mjs

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+import express from "express";
+import compression from "compression";
+import { loadConfig } from './config.mjs';
+import { proxyRoutes } from "./middleware/proxy-routes.mjs";
+import { staticRoutes } from "./middleware/static-routes.mjs";
+import { securityHeaders } from "./middleware/security-headers.mjs";
+import { sessions } from "./middleware/sessions.mjs";
+import { oidcRoutes } from "./middleware/oidc-routes.mjs";
+import { OidcMiddleware } from "./middleware/oidc.mjs";
+const config = await loadConfig();
+const port = process.env.port || config.port || 8080;
+const oidcMiddleware = await OidcMiddleware.create(config);
+const app = express();
+app.set('trust proxy', true); // TODO: sjekk om denne kan/bør være strengere: https://expressjs.com/en/api.html#trust.proxy.options.table
+app.disable("x-powered-by");
+app.use((req, res, next) => {
+    //request logging
+    next();
+    console.log(`${req.method} ${req.originalUrl}`);
+});
+app.use(compression());
+app.use(sessions(config));
+app.use(securityHeaders(config));
+app.get("/health", (req, res) => {
+    res.send("OK");
+});
+const basePath = config.basePath || "/";
+app.use(basePath, oidcRoutes(oidcMiddleware));
+app.use(basePath, proxyRoutes(config, oidcMiddleware));
+app.use(basePath, staticRoutes(config));
+const server = app.listen(port, () => {
+    console.log(`Server started on port ${port}`);
+});
+process.on('SIGTERM', () => {
+    console.log('SIGTERM received. Closing...');
+    server.close(() => {
+        console.log('Server closed');
+    });
+});

package/dist/vite-plugin.d.mts

@@ -0,0 +1,20 @@
+/**
+ *
+ * @returns {{
+ *  name: string,
+ *  apply: 'serve',
+ *  configureServer: ((function({middlewares: *}): Promise<void>)|*),
+ *  configurePreviewServer: ((function({middlewares: *}): Promise<void>)|*)
+ * }}
+ */
+export default function bff(): {
+    name: string;
+    apply: "serve";
+    configureServer: (((arg0: {
+        middlewares: any;
+    }) => Promise<void>) | any);
+    configurePreviewServer: (((arg0: {
+        middlewares: any;
+    }) => Promise<void>) | any);
+};
+//# sourceMappingURL=vite-plugin.d.mts.map

package/dist/vite-plugin.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vite-plugin.d.mts","sourceRoot":"","sources":["../src/vite-plugin.mjs"],"names":[],"mappings":"AAuBA;;;;;;;;GAQG;AACH,+BAPa;IACT,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,eAAe,EAAE,CAAC,CAAC,CAAS,IAAgB,EAAhB;QAAC,WAAW,EAAE,GAAC,CAAA;KAAC,KAAG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAC,GAAC,CAAC,CAAC;IACjE,sBAAsB,EAAE,CAAC,CAAC,CAAS,IAAgB,EAAhB;QAAC,WAAW,EAAE,GAAC,CAAA;KAAC,KAAG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAC,GAAC,CAAC,CAAA;CACvE,CASH"}

package/dist/vite-plugin.mjs

@@ -0,0 +1,45 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import express from "express";
+import { loadConfig } from "./config.mjs";
+import { OidcMiddleware } from "./middleware/oidc.mjs";
+import { securityHeaders } from "./middleware/security-headers.mjs";
+function configureServer(_a) {
+    return __awaiter(this, arguments, void 0, function* ({ middlewares }) {
+        const { oidcRoutes } = yield import("./middleware/oidc-routes.mjs");
+        const { proxyRoutes } = yield import("./middleware/proxy-routes.mjs");
+        const { sessions } = yield import("./middleware/sessions.mjs");
+        const config = yield loadConfig();
+        const oidcMiddleware = yield OidcMiddleware.create(config);
+        const basePath = "" || "/";
+        const app = express();
+        app.use(sessions(config));
+        app.use(basePath, oidcRoutes(oidcMiddleware));
+        app.use(basePath, proxyRoutes(config, oidcMiddleware));
+        middlewares.use(app);
+    });
+}
+/**
+ *
+ * @returns {{
+ *  name: string,
+ *  apply: 'serve',
+ *  configureServer: ((function({middlewares: *}): Promise<void>)|*),
+ *  configurePreviewServer: ((function({middlewares: *}): Promise<void>)|*)
+ * }}
+ */
+export default function bff() {
+    return {
+        name: 'bff',
+        apply: 'serve',
+        configureServer: configureServer,
+        configurePreviewServer: configureServer
+    };
+}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@oslokommune/auth-bff",
+  "version": "1.0.0-beta19",
+  "repository": "https://github.com/oslokommune/auth-bff.git",
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "run": "node ./dist/server.mjs",
+    "build-and-publish": "tsc && npm publish"
+  },
+  "exports": {
+    "./vite-plugin": "./dist/vite-plugin.mjs",
+    "./react": "./dist/react/index.js"
+  },
+  "bin": {
+    "auth-bff": "dist/server.mjs"
+  },
+  "files": ["/dist"],
+  "type": "module",
+  "author": "",
+  "license": "",
+  "description": "",
+  "devDependencies": {
+    "@types/express": "^4.17.22",
+    "react": "17.0.2",
+    "typescript": "^5.8.3"
+  },
+  "dependencies": {
+    "@aws-sdk/client-dynamodb": "^3.817.0",
+    "@aws-sdk/client-ssm": "^3.817.0",
+    "compression": "^1.8.0",
+    "connect-dynamodb": "^3.0.5",
+    "express": "^4.21.2",
+    "express-session": "^1.18.1",
+    "findup-sync": "^5.0.0",
+    "helmet": "^8.1.0",
+    "http-proxy-middleware": "^3.0.5",
+    "jose": "^6.0.11",
+    "node-forge": "^1.3.1",
+    "openid-client": "^5.7.1",
+    "string-replace-middleware": "^1.1.0"
+  }
+}