@oslokommune/auth-bff 1.6.0 → 2.0.0-beta1

package/dist/package.json

@@ -0,0 +1,57 @@
+{
+    "name": "@oslokommune/auth-bff",
+    "version": "2.0.0-beta1",
+    "repository": "https://github.com/oslokommune/auth-bff.git",
+    "publishConfig": {
+        "access": "public"
+    },
+    "scripts": {
+        "build": "tsc",
+        "run": "node ./dist/server.mjs",
+        "build-and-publish": "tsc && npm publish",
+        "build-and-publish-prerelease": "tsc && npm publish --tag prerelease",
+        "test": "vitest"
+    },
+    "exports": {
+        "./vite-plugin": "./dist/src/vite-plugin.mjs",
+        "./react": "./dist/src/react/index.js"
+    },
+    "bin": {
+        "auth-bff": "dist/src/server.mjs"
+    },
+    "files": [
+        "/dist"
+    ],
+    "type": "module",
+    "author": "",
+    "license": "",
+    "description": "",
+    "devDependencies": {
+        "@types/compression": "^1.8.1",
+        "@types/express": "^4.17.22",
+        "@types/express-session": "^1.18.2",
+        "@types/node-forge": "1.3.13",
+        "@types/react": "17.0.87",
+        "@types/supertest": "^6.0.3",
+        "react": "17.0.2",
+        "supertest": "^7.2.2",
+        "typescript": "^5.9.3",
+        "vitest": "^4.0.18"
+    },
+    "dependencies": {
+        "@aws-sdk/client-dynamodb": "^3.817.0",
+        "@aws-sdk/client-ssm": "^3.817.0",
+        "command-line-args": "^6.0.1",
+        "compression": "^1.8.0",
+        "connect-dynamodb": "^3.0.5",
+        "express": "4.21.2",
+        "express-session": "1.18.2",
+        "find-up": "^7.0.0",
+        "helmet": "^8.1.0",
+        "http-proxy-middleware": "^3.0.5",
+        "jose": "^6.0.11",
+        "node-forge": "1.3.3",
+        "openid-client": "^6.8.1",
+        "string-replace-middleware": "^1.1.0"
+    }
+}

package/dist/src/OpenIdConfigManager.d.ts

@@ -0,0 +1,10 @@
+import * as client from 'openid-client';
+import { BffConfig } from "./config.js";
+export declare class OpenIdConfigManager {
+    #private;
+    constructor(config: BffConfig, serverMetadata?: client.ServerMetadata);
+    init(): Promise<void>;
+    updateOpenIdConfig(): Promise<void>;
+    get openIdConfig(): client.Configuration;
+}
+//# sourceMappingURL=OpenIdConfigManager.d.ts.map

package/dist/src/OpenIdConfigManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenIdConfigManager.d.ts","sourceRoot":"","sources":["../../src/OpenIdConfigManager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAA;AACvC,OAAO,EAAC,SAAS,EAAkB,MAAM,aAAa,CAAC;AASvD,qBAAa,mBAAmB;;gBAMlB,MAAM,EAAE,SAAS,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,cAAc;IAK/D,IAAI;IA4BJ,kBAAkB;IAuCxB,IAAI,YAAY,yBAEf;CAEF"}

package/dist/src/OpenIdConfigManager.js

@@ -0,0 +1,77 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _OpenIdConfigManager_instances, _OpenIdConfigManager_bffConfig, _OpenIdConfigManager_openIdConfig, _OpenIdConfigManager_serverMetadata, _OpenIdConfigManager_p12ToJwk, _OpenIdConfigManager_createKeyFromOkData;
+// @ts-ignore
+import forge from 'node-forge';
+import * as jose from 'jose';
+import * as client from 'openid-client';
+import { getSsmParameter } from "./config.js";
+export class OpenIdConfigManager {
+    constructor(config, serverMetadata) {
+        _OpenIdConfigManager_instances.add(this);
+        _OpenIdConfigManager_bffConfig.set(this, void 0);
+        _OpenIdConfigManager_openIdConfig.set(this, void 0);
+        _OpenIdConfigManager_serverMetadata.set(this, void 0);
+        __classPrivateFieldSet(this, _OpenIdConfigManager_bffConfig, config, "f");
+        __classPrivateFieldSet(this, _OpenIdConfigManager_serverMetadata, serverMetadata, "f");
+    }
+    async init() {
+        await this.updateOpenIdConfig();
+        if (__classPrivateFieldGet(this, _OpenIdConfigManager_bffConfig, "f").okDataIdPortenKeyName) {
+            setInterval(async () => {
+                await this.updateOpenIdConfig();
+            }, 5 * 60 * 1000);
+        }
+    }
+    async updateOpenIdConfig() {
+        console.log('Updating OpenId config...');
+        let key;
+        if (__classPrivateFieldGet(this, _OpenIdConfigManager_bffConfig, "f").okDataIdPortenKeyName) {
+            console.log('Fetching okdata key');
+            key = await __classPrivateFieldGet(this, _OpenIdConfigManager_instances, "m", _OpenIdConfigManager_createKeyFromOkData).call(this, __classPrivateFieldGet(this, _OpenIdConfigManager_bffConfig, "f").okDataIdPortenKeyName);
+        }
+        const clientId = __classPrivateFieldGet(this, _OpenIdConfigManager_bffConfig, "f").clientId;
+        const clientMetadata = { client_secret: __classPrivateFieldGet(this, _OpenIdConfigManager_bffConfig, "f").clientSecret };
+        const clientAuth = key ? client.PrivateKeyJwt(key) : undefined;
+        if (__classPrivateFieldGet(this, _OpenIdConfigManager_openIdConfig, "f")) {
+            console.log('Reusing OpenId Config with new key');
+            __classPrivateFieldSet(this, _OpenIdConfigManager_openIdConfig, new client.Configuration(__classPrivateFieldGet(this, _OpenIdConfigManager_openIdConfig, "f").serverMetadata(), clientId, clientMetadata, clientAuth), "f");
+        }
+        else if (__classPrivateFieldGet(this, _OpenIdConfigManager_serverMetadata, "f")) {
+            console.log('Using OpenId Config with provided server metadata');
+            __classPrivateFieldSet(this, _OpenIdConfigManager_openIdConfig, new client.Configuration(__classPrivateFieldGet(this, _OpenIdConfigManager_serverMetadata, "f"), clientId, clientMetadata, clientAuth), "f");
+        }
+        else {
+            console.log('Fetching OpenId config');
+            __classPrivateFieldSet(this, _OpenIdConfigManager_openIdConfig, await client.discovery(new URL(__classPrivateFieldGet(this, _OpenIdConfigManager_bffConfig, "f").issuer), clientId, clientMetadata, clientAuth), "f");
+        }
+    }
+    get openIdConfig() {
+        return __classPrivateFieldGet(this, _OpenIdConfigManager_openIdConfig, "f");
+    }
+}
+_OpenIdConfigManager_bffConfig = new WeakMap(), _OpenIdConfigManager_openIdConfig = new WeakMap(), _OpenIdConfigManager_serverMetadata = new WeakMap(), _OpenIdConfigManager_instances = new WeakSet(), _OpenIdConfigManager_p12ToJwk = async function _OpenIdConfigManager_p12ToJwk(okdataP12) {
+    //TODO: dette er helt sikkert mulig å gjøre i færre steg...
+    const p12Der = forge.util.decode64(okdataP12.keystore);
+    const p12Asn1 = forge.asn1.fromDer(p12Der);
+    const p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, okdataP12.key_password);
+    const privateKey = p12.getBags({ friendlyName: okdataP12.key_alias }).friendlyName[0].key;
+    const privateKeyAsn1 = forge.pki.privateKeyToAsn1(privateKey);
+    const privateKeyInfo = forge.pki.wrapRsaPrivateKey(privateKeyAsn1);
+    const pem = forge.pki.privateKeyInfoToPem(privateKeyInfo);
+    const key = await jose.importPKCS8(pem, 'RS256', { extractable: true });
+    return { key: key, kid: okdataP12.key_id };
+}, _OpenIdConfigManager_createKeyFromOkData = async function _OpenIdConfigManager_createKeyFromOkData(ssmName) {
+    const keyString = await getSsmParameter(ssmName);
+    const okdataKey = JSON.parse(keyString);
+    return await __classPrivateFieldGet(this, _OpenIdConfigManager_instances, "m", _OpenIdConfigManager_p12ToJwk).call(this, okdataKey);
+};

package/dist/src/config.d.ts

@@ -0,0 +1,25 @@
+export type BffConfig = {
+    basePath?: string;
+    staticRootPath?: string;
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    redirectUri: string;
+    resources: Array<string>;
+    cookiePath?: string;
+    cookieSecure?: Boolean;
+    cookieSameSite: Boolean | string;
+    postLogoutRedirectUri: string;
+    okDataIdPortenKeyName: string;
+    sessionSecret: string;
+    sessionStoreType: 'memory' | 'dynamodb';
+    sessionStoreOptions?: object;
+    proxyTargets: {
+        [path: string]: string;
+    };
+    userClaims: Array<string>;
+};
+export declare function getEnv(env: string, defaultVal?: string, parseFn?: (val: string) => string): string;
+export declare function getSsmParameter(name: string, withDecryption?: boolean): Promise<string>;
+export declare function loadConfig(configFile?: string): Promise<BffConfig>;
+//# sourceMappingURL=config.d.ts.map

package/dist/src/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,SAAS,GAAG;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACxB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,OAAO,GAAG,MAAM,CAAA;IAChC,qBAAqB,EAAE,MAAM,CAAA;IAC7B,qBAAqB,EAAE,MAAM,CAAA;IAC7B,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,YAAY,EAAE;QAAC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAC,CAAA;IACtC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;CAC1B,CAAA;AAED,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAGD,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAWD,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAA0B,sBAyBtE"}

package/dist/src/config.js

@@ -0,0 +1,55 @@
+import { findUp } from 'find-up';
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
+export function getEnv(env, defaultVal, parseFn) {
+    if (process.env[env]) {
+        return parseFn ? parseFn(process.env[env]) : process.env[env];
+    }
+    else if (defaultVal !== undefined) {
+        return defaultVal;
+    }
+    else {
+        throw Error(`Missing env var: ${env}`);
+    }
+}
+let ssmClient;
+export async function getSsmParameter(name, withDecryption = true) {
+    ssmClient ?? (ssmClient = new SSMClient({}));
+    return ssmClient.send(new GetParameterCommand({
+        Name: name,
+        WithDecryption: withDecryption
+    })).then(p => p.Parameter.Value);
+}
+const defaultConfig = {
+    basePath: "",
+    cookiePath: '/',
+    cookieSecure: true,
+    cookieSameSite: 'lax',
+    staticRootPath: './dist'
+};
+let config;
+export async function loadConfig(configFile = 'bff.config.json') {
+    if (config)
+        return config;
+    const userConfigPath = await findUp(configFile);
+    if (!userConfigPath) {
+        throw Error(`Could not find config file ${configFile}`);
+    }
+    console.log('Loading config at', userConfigPath);
+    const { default: loadedConfig } = await import(userConfigPath, { with: { type: 'json' } });
+    for (const [key, value] of Object.entries(loadedConfig)) {
+        if (typeof value === "string") {
+            const [, varType, varName] = value.match(/\{(\w+):(.*)}/) ?? [];
+            if (varType === 'env') {
+                loadedConfig[key] = getEnv(varName);
+            }
+            else if (varType === 'ssm') {
+                loadedConfig[key] = await getSsmParameter(varName);
+            }
+            else if (varType) {
+                throw Error(`unknown varType: ${varType}`);
+            }
+        }
+    }
+    config = { ...defaultConfig, ...loadedConfig };
+    return config;
+}

package/dist/src/middleware/OidcMiddleware.d.ts

@@ -0,0 +1,20 @@
+import { OpenIdConfigManager } from "../OpenIdConfigManager.js";
+import { BffConfig } from "../config.js";
+import type { Request, Response, NextFunction } from 'express';
+export declare class OidcMiddleware {
+    #private;
+    /**
+     * @private
+     * @param config
+     * @param configManager
+     */
+    constructor(config: BffConfig, configManager: OpenIdConfigManager);
+    static create(config: BffConfig): Promise<OidcMiddleware>;
+    get ensureFreshToken(): (req: Request, res: Response, next: NextFunction) => void;
+    get login(): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    get callback(): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    get user(): (req: Request, res: Response, next: NextFunction) => Promise<Response<any, Record<string, any>>>;
+    get logout(): (req: Request, res: Response) => void;
+    get frontChannelLogout(): (req: Request, res: Response) => Promise<void>;
+}
+//# sourceMappingURL=OidcMiddleware.d.ts.map

package/dist/src/middleware/OidcMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/OidcMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,mBAAmB,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AACvC,OAAO,KAAK,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AAK5D,qBAAa,cAAc;;IAKzB;;;;OAIG;gBACS,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB;WASpD,MAAM,CAAC,MAAM,EAAE,SAAS;IAgErC,IAAI,gBAAgB,KACV,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UAWxD;IAED,IAAI,KAAK,KACO,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBA+B9D;IAqBD,IAAI,QAAQ,KACI,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAuC9D;IAED,IAAI,IAAI,KACQ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,iDAa9D;IAED,IAAI,MAAM,KACA,KAAK,OAAO,EAAE,KAAK,QAAQ,UASpC;IAED,IAAI,kBAAkB,KACN,KAAK,OAAO,EAAE,KAAK,QAAQ,mBAc1C;CACF"}

package/dist/src/middleware/OidcMiddleware.js

@@ -0,0 +1,231 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _OidcMiddleware_instances, _OidcMiddleware_configManager, _OidcMiddleware_bffConfig, _OidcMiddleware_refreshPromises, _OidcMiddleware_openIdConfig_get, _OidcMiddleware_refreshTokens, _OidcMiddleware_getFreshTokens, _OidcMiddleware_getUserClaims, _OidcMiddleware_getAccessTokenExpiryTime;
+import * as openIdClient from "openid-client";
+import { OpenIdConfigManager } from "../OpenIdConfigManager.js";
+import { redact } from "../utils.js";
+export class OidcMiddleware {
+    /**
+     * @private
+     * @param config
+     * @param configManager
+     */
+    constructor(config, configManager) {
+        _OidcMiddleware_instances.add(this);
+        _OidcMiddleware_configManager.set(this, void 0);
+        _OidcMiddleware_bffConfig.set(this, void 0);
+        _OidcMiddleware_refreshPromises.set(this, {}
+        /**
+         * @private
+         * @param config
+         * @param configManager
+         */
+        );
+        __classPrivateFieldSet(this, _OidcMiddleware_configManager, configManager, "f");
+        __classPrivateFieldSet(this, _OidcMiddleware_bffConfig, config, "f");
+    }
+    static async create(config) {
+        const configManager = new OpenIdConfigManager(config);
+        await configManager.init();
+        return new OidcMiddleware(config, configManager);
+    }
+    get ensureFreshToken() {
+        return (req, res, next) => {
+            __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokens).call(this, req).then(tokenResponse => {
+                if (tokenResponse) {
+                    req.tokenResponse = tokenResponse;
+                    next();
+                }
+                else {
+                    console.warn(`401: No valid tokens in session sid=${redact(req.session.id)}`);
+                    res.sendStatus(401);
+                }
+            }).catch(next);
+        };
+    }
+    get login() {
+        return async (req, res, next) => {
+            try {
+                const codeVerifier = openIdClient.randomPKCECodeVerifier();
+                const codeChallenge = await openIdClient.calculatePKCECodeChallenge(codeVerifier);
+                const stateKey = openIdClient.randomState();
+                const redirectUrl = req.query.redirectUrl; //TODO: håndtering av andre typer her?
+                const params = new URLSearchParams();
+                params.append('scope', "openid profile");
+                params.append('code_challenge', codeChallenge);
+                params.append('code_challenge_method', 'S256');
+                params.append('redirect_uri', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").redirectUri);
+                params.append('state', stateKey);
+                __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").resources?.forEach(resource => {
+                    params.append('resource', resource);
+                });
+                const authorizationUrl = openIdClient.buildAuthorizationUrl(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), params);
+                req.session.codeVerifier = codeVerifier;
+                req.session.stateKey = stateKey;
+                req.session.stateValue = { redirectUrl };
+                req.session.save(() => {
+                    res.redirect(authorizationUrl.toString());
+                });
+            }
+            catch (e) {
+                console.error(e);
+                next(e);
+            }
+        };
+    }
+    get callback() {
+        return async (req, res, next) => {
+            try {
+                const { codeVerifier, stateKey, stateValue } = req.session;
+                const url = new URL(`${req.protocol}://${req.headers.host}${req.originalUrl}`);
+                const tokenResponse = await openIdClient.authorizationCodeGrant(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), url, {
+                    expectedState: stateKey,
+                    pkceCodeVerifier: codeVerifier
+                });
+                req.session.tokenResponse = tokenResponse;
+                req.session["idp-sid"] = tokenResponse.claims().sid;
+                req.session.userClaims = __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getUserClaims).call(this, tokenResponse);
+                req.session.accessTokenExpiresAt = __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getAccessTokenExpiryTime).call(this, tokenResponse);
+                delete req.session.codeVerifier;
+                delete req.session.stateKey;
+                delete req.session.stateValue;
+                req.session.save(() => {
+                    let redirectUrl = stateValue.redirectUrl;
+                    //only allow relative redirecturls:
+                    const absoluteUrlRegex = /^(?:[a-z+]+:)?\/\//;
+                    if (!redirectUrl || absoluteUrlRegex.test(redirectUrl)) {
+                        redirectUrl = __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").basePath || "/";
+                    }
+                    res.redirect(redirectUrl);
+                });
+            }
+            catch (e) {
+                console.error(e);
+                req.session.destroy(() => {
+                    next(e);
+                });
+            }
+        };
+    }
+    get user() {
+        return async (req, res, next) => {
+            try {
+                const tokenResponse = await __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokens).call(this, req);
+                if (!tokenResponse) {
+                    return res.sendStatus(401);
+                }
+                return res.send(req.session.userClaims);
+            }
+            catch (e) {
+                console.error(`Error in /user sid=${redact(req.session?.id)}`, e);
+                next(e);
+            }
+        };
+    }
+    get logout() {
+        return (req, res) => {
+            const tokenResponse = req.session.tokenResponse;
+            req.session.destroy(() => {
+                const endSessionUrl = openIdClient.buildEndSessionUrl(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), {
+                    id_token_hint: tokenResponse?.id_token,
+                });
+                res.redirect(endSessionUrl.toString());
+            });
+        };
+    }
+    get frontChannelLogout() {
+        return async (req, res) => {
+            const { iss, sid } = req.query;
+            console.log(`Front channel logout: params iss=${iss}, sid=${redact(sid)}`);
+            if (sid) {
+                try {
+                    await req.destroySessionByIdpSid?.(sid);
+                }
+                catch (e) {
+                    console.error("Failed to destroy session", e);
+                }
+            }
+            res.sendStatus(200);
+        };
+    }
+}
+_OidcMiddleware_configManager = new WeakMap(), _OidcMiddleware_bffConfig = new WeakMap(), _OidcMiddleware_refreshPromises = new WeakMap(), _OidcMiddleware_instances = new WeakSet(), _OidcMiddleware_openIdConfig_get = function _OidcMiddleware_openIdConfig_get() {
+    return __classPrivateFieldGet(this, _OidcMiddleware_configManager, "f").openIdConfig;
+}, _OidcMiddleware_refreshTokens = async function _OidcMiddleware_refreshTokens(req, tokenResponse) {
+    var _a;
+    const sessionId = req.session.id;
+    const refreshToken = tokenResponse.refresh_token;
+    const doRefresh = async () => {
+        console.log(`Token refresh starting. sid=${redact(sessionId)}`);
+        try {
+            const tokenResponse = await openIdClient.refreshTokenGrant(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), refreshToken);
+            console.log(`Token refresh OK. sid=${redact(sessionId)}`);
+            return tokenResponse;
+        }
+        catch (err) {
+            console.log(`Token refresh failed. sid=${redact(sessionId)}`, err);
+            return null;
+        }
+    };
+    const refreshPromise = (_a = __classPrivateFieldGet(this, _OidcMiddleware_refreshPromises, "f"))[refreshToken] ?? (_a[refreshToken] = doRefresh().finally(() => {
+        console.log(`Token refresh finished. Cleaning up. sid=${redact(sessionId)}`);
+        setTimeout(() => {
+            delete __classPrivateFieldGet(this, _OidcMiddleware_refreshPromises, "f")[refreshToken];
+        }, 10000);
+    }));
+    const refreshedTokenResponse = await refreshPromise;
+    if (refreshedTokenResponse) {
+        Object.assign(req.session.tokenResponse, refreshedTokenResponse);
+        req.session.accessTokenExpiresAt = __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getAccessTokenExpiryTime).call(this, refreshedTokenResponse);
+    }
+    else {
+        req.session.tokenResponse = null;
+    }
+    return req.session.tokenResponse;
+}, _OidcMiddleware_getFreshTokens = async function _OidcMiddleware_getFreshTokens(req) {
+    const tokenResponse = req.session.tokenResponse;
+    if (!tokenResponse) {
+        console.log(`No tokenResponse found in session sid=${redact(req.session.id)}`);
+        return;
+    }
+    const now = new Date().getTime();
+    const expiresAt = req.session.accessTokenExpiresAt || 0;
+    /*if(!expiresAt) {
+      //For at ting ikke skal eksplodere hvis man får inn en gammel session.
+      //TODO: denne kan fjernes når den har kjørt i prod i et døgn+
+      console.error('accessTokenExpiresAt was not set')
+      return
+    }*/
+    const expiresInSeconds = (expiresAt - now) / 1000;
+    if (expiresInSeconds < 5) {
+        console.log(`Access token expired. sid=${redact(req.session.id)}, expiresInSeconds=${expiresInSeconds}`);
+        return await __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_refreshTokens).call(this, req, tokenResponse);
+    }
+    else {
+        return tokenResponse;
+    }
+}, _OidcMiddleware_getUserClaims = function _OidcMiddleware_getUserClaims(tokenResponse) {
+    let claims = tokenResponse.claims();
+    if (__classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").userClaims) {
+        claims = __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").userClaims.reduce((acc, claim) => {
+            acc[claim] = claims[claim];
+            return acc;
+        }, {});
+    }
+    return claims;
+}, _OidcMiddleware_getAccessTokenExpiryTime = function _OidcMiddleware_getAccessTokenExpiryTime(tokenResponse) {
+    if (tokenResponse.expires_in !== undefined) {
+        const now = new Date();
+        now.setSeconds(now.getSeconds() + tokenResponse.expires_in);
+        return now.getTime();
+    }
+};

package/dist/src/middleware/oidc-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-routes.d.mts","sourceRoot":"","sources":["../../../src/middleware/oidc-routes.mjs"],"names":[],"mappings":"AAEA,qDAUC"}

package/dist/src/middleware/proxy-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-routes.d.mts","sourceRoot":"","sources":["../../../src/middleware/proxy-routes.mjs"],"names":[],"mappings":"AAGA,mEA4BC"}

package/dist/{middleware → src/middleware}/proxy-routes.mjs

@@ -9,16 +9,16 @@ export function proxyRoutes(config, oidcMiddleware) {
             changeOrigin: true,
             on: {
                 proxyReq: (proxyReq, req, res) => {
-                    const tokenSet = req.tokenSet;
-                    if (!tokenSet) {
-                        console.error("proxy: missing tokenSet");
+                    const accessToken = req.tokenResponse?.access_token;
+                    if (!accessToken) {
+                        console.error("proxy: missing token");
                         return;
                     }
-                    proxyReq.setHeader("Authorization", `Bearer ${tokenSet.access_token}`);
+                    proxyReq.setHeader("Authorization", `Bearer ${accessToken}`);
                     proxyReq.removeHeader("Cookie");
                 },
                 proxyRes: (proxyRes, req, res) => {
-                    console.log(`Proxied ${req.originalUrl}: ${proxyRes.statusCode}`);
+                    console.log(`Proxied ${req.originalUrl} -> ${target}${req.originalUrl}: ${proxyRes.statusCode}`);
                 }
             }
         }));

package/dist/src/middleware/security-headers.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.mts","sourceRoot":"","sources":["../../../src/middleware/security-headers.mjs"],"names":[],"mappings":"AAGA,0FA+BC"}

package/dist/{middleware → src/middleware}/security-headers.mjs

@@ -2,7 +2,7 @@ import crypto from "crypto";
 import helmet from "helmet";
 export function securityHeaders(config) {
     const contentSecurityPolicy = config.contentSecurityPolicy;
-    if (contentSecurityPolicy === null || contentSecurityPolicy === void 0 ? void 0 : contentSecurityPolicy.directives) {
+    if (contentSecurityPolicy?.directives) {
         for (const [_, values] of Object.entries(contentSecurityPolicy.directives)) {
             for (const [i, value] of values.entries()) {
                 if (value === '{nonce}') {
@@ -21,7 +21,7 @@ export function securityHeaders(config) {
             includeSubDomains: false,
             preload: false,
         },
-        contentSecurityPolicy: contentSecurityPolicy !== null && contentSecurityPolicy !== void 0 ? contentSecurityPolicy : false,
+        contentSecurityPolicy: contentSecurityPolicy ?? false,
     });
     return [
         generateCspNonceMiddleware,

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.mts

@@ -0,0 +1,3 @@
+export function dynamoDbSessionStore(config?: {}): dynamoDbStore.DynamoDBStore<Record<string, unknown>>;
+import dynamoDbStore from "connect-dynamodb";
+//# sourceMappingURL=dynamoDbSessionStore.d.mts.map

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamoDbSessionStore.d.mts","sourceRoot":"","sources":["../../../../src/middleware/sessions/dynamoDbSessionStore.mjs"],"names":[],"mappings":"AA6BA,wGAcC;0BA1CyB,kBAAkB"}

package/dist/{middleware → src/middleware}/sessions/dynamoDbSessionStore.mjs

@@ -1,18 +1,9 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 import { DeleteItemCommand, DynamoDBClient, QueryCommand } from "@aws-sdk/client-dynamodb";
 import dynamoDbStore from "connect-dynamodb";
 import session from "express-session";
 import { redact } from "../../utils.js";
 const destroyByIdpSid = (config, client) => {
-    return (idpSid) => __awaiter(void 0, void 0, void 0, function* () {
+    return async (idpSid) => {
         console.log(`Front channel logout: deleting session(s) with idp-sid=${redact(idpSid)}`);
         const query = new QueryCommand({
             TableName: config.table,
@@ -22,24 +13,28 @@ const destroyByIdpSid = (config, client) => {
             KeyConditionExpression: "#k = :sid",
             ProjectionExpression: "id"
         });
-        const res = yield client.send(query);
-        yield Promise.all(res.Items.map((item) => {
-            var _a;
-            console.log(`Front channel logout: deleting session ${redact((_a = item.id) === null || _a === void 0 ? void 0 : _a.S, 10)}`);
+        const res = await client.send(query);
+        await Promise.all(res.Items.map((item) => {
+            console.log(`Front channel logout: deleting session ${redact(item.id?.S, 10)}`);
             return client.send(new DeleteItemCommand({
                 TableName: config.table,
                 Key: { id: item.id }
             }));
         }));
         console.log(`Front channel logout: completed. ${res.Count} session(s) deleted`);
-    });
+    };
 };
 export function dynamoDbSessionStore(config = {}) {
     const client = new DynamoDBClient({});
     const DynamoDbStore = dynamoDbStore({ session });
-    const sessionStoreConfig = Object.assign(Object.assign({}, config), { client, specialKeys: [
+    const sessionStoreConfig = {
+        ...config,
+        client,
+        specialKeys: [
             { name: "idp-sid", type: "S" }
-        ], skipThrowMissingSpecialKeys: true });
+        ],
+        skipThrowMissingSpecialKeys: true
+    };
     const sessionStore = new DynamoDbStore(sessionStoreConfig);
     sessionStore.destroyByIdpSid = destroyByIdpSid(config, client);
     return sessionStore;

package/dist/src/middleware/sessions/memorySessionStore.d.mts

@@ -0,0 +1,3 @@
+export function memorySessionStore(config?: {}): session.MemoryStore;
+import session from "express-session";
+//# sourceMappingURL=memorySessionStore.d.mts.map

package/dist/src/middleware/sessions/memorySessionStore.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memorySessionStore.d.mts","sourceRoot":"","sources":["../../../../src/middleware/sessions/memorySessionStore.mjs"],"names":[],"mappings":"AAQA,qEAIC;oBAZmB,iBAAiB"}

package/dist/src/middleware/sessions/sessions.d.mts

@@ -0,0 +1,2 @@
+export function sessions(config: any): import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>[];
+//# sourceMappingURL=sessions.d.mts.map

package/dist/src/middleware/sessions/sessions.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.mts","sourceRoot":"","sources":["../../../../src/middleware/sessions/sessions.mjs"],"names":[],"mappings":"AAIA,sLAiCC"}