@oslokommune/auth-bff 1.6.1 → 2.0.0-beta2

package/dist/src/middleware/OidcMiddleware.js

@@ -0,0 +1,232 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _OidcMiddleware_instances, _OidcMiddleware_configManager, _OidcMiddleware_bffConfig, _OidcMiddleware_refreshPromises, _OidcMiddleware_openIdConfig_get, _OidcMiddleware_refreshTokens, _OidcMiddleware_getFreshTokens, _OidcMiddleware_getUserClaims, _OidcMiddleware_getAccessTokenExpiryTime;
+import * as openIdClient from "openid-client";
+import { OpenIdConfigManager } from "../OpenIdConfigManager.js";
+import { redact } from "../utils.js";
+export class OidcMiddleware {
+    /**
+     * @private
+     * @param config
+     * @param configManager
+     */
+    constructor(config, configManager) {
+        _OidcMiddleware_instances.add(this);
+        _OidcMiddleware_configManager.set(this, void 0);
+        _OidcMiddleware_bffConfig.set(this, void 0);
+        _OidcMiddleware_refreshPromises.set(this, {}
+        /**
+         * @private
+         * @param config
+         * @param configManager
+         */
+        );
+        __classPrivateFieldSet(this, _OidcMiddleware_configManager, configManager, "f");
+        __classPrivateFieldSet(this, _OidcMiddleware_bffConfig, config, "f");
+    }
+    static async create(config) {
+        const configManager = new OpenIdConfigManager(config);
+        await configManager.init();
+        return new OidcMiddleware(config, configManager);
+    }
+    get ensureFreshToken() {
+        return (req, res, next) => {
+            __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokens).call(this, req).then(tokenResponse => {
+                if (tokenResponse) {
+                    req.tokenResponse = tokenResponse;
+                    next();
+                }
+                else {
+                    console.warn(`401: No valid tokens in session sid=${redact(req.session.id)}`);
+                    res.sendStatus(401);
+                }
+            }).catch(next);
+        };
+    }
+    get login() {
+        return async (req, res, next) => {
+            try {
+                const codeVerifier = openIdClient.randomPKCECodeVerifier();
+                const codeChallenge = await openIdClient.calculatePKCECodeChallenge(codeVerifier);
+                const stateKey = openIdClient.randomState();
+                const redirectUrl = req.query.redirectUrl; //TODO: håndtering av andre typer her?
+                const params = new URLSearchParams();
+                params.append('scope', "openid profile");
+                params.append('code_challenge', codeChallenge);
+                params.append('code_challenge_method', 'S256');
+                params.append('redirect_uri', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").redirectUri);
+                params.append('state', stateKey);
+                __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").resources?.forEach(resource => {
+                    params.append('resource', resource);
+                });
+                const authorizationUrl = openIdClient.buildAuthorizationUrl(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), params);
+                req.session.codeVerifier = codeVerifier;
+                req.session.stateKey = stateKey;
+                req.session.stateValue = { redirectUrl };
+                req.session.save(() => {
+                    res.redirect(authorizationUrl.toString());
+                });
+            }
+            catch (e) {
+                console.error(e);
+                next(e);
+            }
+        };
+    }
+    get callback() {
+        return async (req, res, next) => {
+            try {
+                const { codeVerifier, stateKey, stateValue } = req.session;
+                const url = new URL(`${req.protocol}://${req.headers.host}${req.originalUrl}`);
+                const tokenResponse = await openIdClient.authorizationCodeGrant(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), url, {
+                    expectedState: stateKey,
+                    pkceCodeVerifier: codeVerifier
+                });
+                req.session.tokenResponse = tokenResponse;
+                req.session["idp-sid"] = tokenResponse.claims().sid;
+                req.session.userClaims = __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getUserClaims).call(this, tokenResponse);
+                req.session.accessTokenExpiresAt = __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getAccessTokenExpiryTime).call(this, tokenResponse);
+                delete req.session.codeVerifier;
+                delete req.session.stateKey;
+                delete req.session.stateValue;
+                req.session.save(() => {
+                    let redirectUrl = stateValue.redirectUrl;
+                    //only allow relative redirecturls:
+                    const absoluteUrlRegex = /^(?:[a-z+]+:)?\/\//;
+                    if (!redirectUrl || absoluteUrlRegex.test(redirectUrl)) {
+                        redirectUrl = __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").basePath || "/";
+                    }
+                    res.redirect(redirectUrl);
+                });
+            }
+            catch (e) {
+                console.error(e);
+                req.session.destroy(() => {
+                    next(e);
+                });
+            }
+        };
+    }
+    get user() {
+        return async (req, res, next) => {
+            try {
+                const tokenResponse = await __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokens).call(this, req);
+                if (!tokenResponse) {
+                    console.log('/user 401: No tokenset');
+                    return res.sendStatus(401);
+                }
+                return res.send(req.session.userClaims);
+            }
+            catch (e) {
+                console.error(`Error in /user sid=${redact(req.session?.id)}`, e);
+                next(e);
+            }
+        };
+    }
+    get logout() {
+        return (req, res) => {
+            const tokenResponse = req.session.tokenResponse;
+            req.session.destroy(() => {
+                const endSessionUrl = openIdClient.buildEndSessionUrl(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), {
+                    id_token_hint: tokenResponse?.id_token,
+                });
+                res.redirect(endSessionUrl.toString());
+            });
+        };
+    }
+    get frontChannelLogout() {
+        return async (req, res) => {
+            const { iss, sid } = req.query;
+            console.log(`Front channel logout: params iss=${iss}, sid=${redact(sid)}`);
+            if (sid) {
+                try {
+                    await req.destroySessionByIdpSid?.(sid);
+                }
+                catch (e) {
+                    console.error("Failed to destroy session", e);
+                }
+            }
+            res.sendStatus(200);
+        };
+    }
+}
+_OidcMiddleware_configManager = new WeakMap(), _OidcMiddleware_bffConfig = new WeakMap(), _OidcMiddleware_refreshPromises = new WeakMap(), _OidcMiddleware_instances = new WeakSet(), _OidcMiddleware_openIdConfig_get = function _OidcMiddleware_openIdConfig_get() {
+    return __classPrivateFieldGet(this, _OidcMiddleware_configManager, "f").openIdConfig;
+}, _OidcMiddleware_refreshTokens = async function _OidcMiddleware_refreshTokens(req, tokenResponse) {
+    var _a;
+    const sessionId = req.session.id;
+    const refreshToken = tokenResponse.refresh_token;
+    const doRefresh = async () => {
+        console.log(`Token refresh starting. sid=${redact(sessionId)}`);
+        try {
+            const tokenResponse = await openIdClient.refreshTokenGrant(__classPrivateFieldGet(this, _OidcMiddleware_instances, "a", _OidcMiddleware_openIdConfig_get), refreshToken);
+            console.log(`Token refresh OK. sid=${redact(sessionId)}`);
+            return tokenResponse;
+        }
+        catch (err) {
+            console.log(`Token refresh failed. sid=${redact(sessionId)}`, err);
+            return null;
+        }
+    };
+    const refreshPromise = (_a = __classPrivateFieldGet(this, _OidcMiddleware_refreshPromises, "f"))[refreshToken] ?? (_a[refreshToken] = doRefresh().finally(() => {
+        console.log(`Token refresh finished. Cleaning up. sid=${redact(sessionId)}`);
+        setTimeout(() => {
+            delete __classPrivateFieldGet(this, _OidcMiddleware_refreshPromises, "f")[refreshToken];
+        }, 10000);
+    }));
+    const refreshedTokenResponse = await refreshPromise;
+    if (refreshedTokenResponse) {
+        Object.assign(req.session.tokenResponse, refreshedTokenResponse);
+        req.session.accessTokenExpiresAt = __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getAccessTokenExpiryTime).call(this, refreshedTokenResponse);
+    }
+    else {
+        req.session.tokenResponse = null;
+    }
+    return req.session.tokenResponse;
+}, _OidcMiddleware_getFreshTokens = async function _OidcMiddleware_getFreshTokens(req) {
+    const tokenResponse = req.session.tokenResponse;
+    if (!tokenResponse) {
+        console.log(`No tokenResponse found in session sid=${redact(req.session.id)}`);
+        return;
+    }
+    const now = new Date().getTime();
+    const expiresAt = req.session.accessTokenExpiresAt || 0;
+    /*if(!expiresAt) {
+      //For at ting ikke skal eksplodere hvis man får inn en gammel session.
+      //TODO: denne kan fjernes når den har kjørt i prod i et døgn+
+      console.error('accessTokenExpiresAt was not set')
+      return
+    }*/
+    const expiresInSeconds = (expiresAt - now) / 1000;
+    if (expiresInSeconds < 5) {
+        console.log(`Access token expired. sid=${redact(req.session.id)}, expiresInSeconds=${expiresInSeconds}`);
+        return await __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_refreshTokens).call(this, req, tokenResponse);
+    }
+    else {
+        return tokenResponse;
+    }
+}, _OidcMiddleware_getUserClaims = function _OidcMiddleware_getUserClaims(tokenResponse) {
+    let claims = tokenResponse.claims();
+    if (__classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").userClaims) {
+        claims = __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").userClaims.reduce((acc, claim) => {
+            acc[claim] = claims[claim];
+            return acc;
+        }, {});
+    }
+    return claims;
+}, _OidcMiddleware_getAccessTokenExpiryTime = function _OidcMiddleware_getAccessTokenExpiryTime(tokenResponse) {
+    if (tokenResponse.expires_in !== undefined) {
+        const now = new Date();
+        now.setSeconds(now.getSeconds() + tokenResponse.expires_in);
+        return now.getTime();
+    }
+};

package/dist/src/middleware/oidc-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-routes.d.mts","sourceRoot":"","sources":["../../../src/middleware/oidc-routes.mjs"],"names":[],"mappings":"AAEA,qDAUC"}

package/dist/src/middleware/oidc-routes.d.ts

@@ -0,0 +1,3 @@
+import { OidcMiddleware } from "./OidcMiddleware.js";
+export declare function oidcRoutes(oidcMiddleware: OidcMiddleware): import("express-serve-static-core").Router;
+//# sourceMappingURL=oidc-routes.d.ts.map

package/dist/src/middleware/oidc-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/oidc-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAEnD,wBAAgB,UAAU,CAAC,cAAc,EAAE,cAAc,8CAUxD"}

package/dist/src/middleware/oidc-routes.js

@@ -0,0 +1,10 @@
+import express from "express";
+export function oidcRoutes(oidcMiddleware) {
+    const router = express.Router();
+    router.get('/auth/login', oidcMiddleware.login);
+    router.get('/auth/callback', oidcMiddleware.callback);
+    router.get('/auth/logout', oidcMiddleware.logout);
+    router.get('/auth/user', oidcMiddleware.user);
+    router.get('/auth/front-channel-logout', oidcMiddleware.frontChannelLogout);
+    return router;
+}

package/dist/src/middleware/proxy-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-routes.d.mts","sourceRoot":"","sources":["../../../src/middleware/proxy-routes.mjs"],"names":[],"mappings":"AAGA,mEA4BC"}

package/dist/src/middleware/proxy-routes.d.ts

@@ -0,0 +1,4 @@
+import { BffConfig } from "../config.js";
+import { OidcMiddleware } from "./OidcMiddleware.js";
+export declare function proxyRoutes(config: BffConfig, oidcMiddleware: OidcMiddleware): import("express-serve-static-core").Router;
+//# sourceMappingURL=proxy-routes.d.ts.map

package/dist/src/middleware/proxy-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/proxy-routes.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AACvC,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAEnD,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,8CA6B5E"}

package/dist/src/middleware/proxy-routes.js

@@ -0,0 +1,28 @@
+import express from "express";
+import { createProxyMiddleware } from "http-proxy-middleware";
+export function proxyRoutes(config, oidcMiddleware) {
+    const router = express.Router();
+    for (const [path, target] of Object.entries(config.proxyTargets)) {
+        console.log(`Setting up auth proxy: ${path} -> ${target}`);
+        router.use(path, oidcMiddleware.ensureFreshToken, createProxyMiddleware({
+            target: target,
+            changeOrigin: true,
+            on: {
+                proxyReq: (proxyReq, req) => {
+                    const accessToken = req.tokenResponse?.access_token;
+                    if (!accessToken) {
+                        console.error("proxy: missing token");
+                        return;
+                    }
+                    proxyReq.setHeader("Authorization", `Bearer ${accessToken}`);
+                    proxyReq.removeHeader("Cookie");
+                },
+                proxyRes: (proxyRes, req) => {
+                    // @ts-ignore //TODO: proxyRes har en mystisk type som mangler req, men den er der
+                    console.log(`Proxied: ${req.method} ${req.originalUrl} -> ${proxyRes.req.protocol}//${proxyRes.req.host}${proxyRes.req.path}, status=${proxyRes.statusCode}`);
+                }
+            }
+        }));
+    }
+    return router;
+}

package/dist/{middleware → src/middleware}/proxy-routes.mjs

@@ -9,16 +9,16 @@ export function proxyRoutes(config, oidcMiddleware) {
             changeOrigin: true,
             on: {
                 proxyReq: (proxyReq, req, res) => {
-                    const tokenSet = req.tokenSet;
-                    if (!tokenSet) {
-                        console.error("proxy: missing tokenSet");
+                    const accessToken = req.tokenResponse?.access_token;
+                    if (!accessToken) {
+                        console.error("proxy: missing token");
                         return;
                     }
-                    proxyReq.setHeader("Authorization", `Bearer ${tokenSet.access_token}`);
+                    proxyReq.setHeader("Authorization", `Bearer ${accessToken}`);
                     proxyReq.removeHeader("Cookie");
                 },
                 proxyRes: (proxyRes, req, res) => {
-                    console.log(`Proxied ${req.originalUrl}: ${proxyRes.statusCode}`);
+                    console.log(`Proxied: ${req.method} ${req.originalUrl} -> ${proxyRes.req.protocol}//${proxyRes.req.host}${proxyRes.req.path}, status=${proxyRes.statusCode}`);
                 }
             }
         }));

package/dist/src/middleware/security-headers.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.mts","sourceRoot":"","sources":["../../../src/middleware/security-headers.mjs"],"names":[],"mappings":"AAGA,0FA+BC"}

package/dist/src/middleware/security-headers.d.ts

@@ -0,0 +1,4 @@
+import { Request, Response, NextFunction } from 'express';
+import { BffConfig } from "../config.js";
+export declare function securityHeaders(config: BffConfig): ((_: Request, res: Response, next: NextFunction) => void)[];
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/src/middleware/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AACvD,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AAEvC,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,QAcR,OAAO,OAAO,QAAQ,QAAQ,YAAY,aAkBlF"}

package/dist/src/middleware/security-headers.js

@@ -0,0 +1,31 @@
+import crypto from "crypto";
+import helmet from "helmet";
+export function securityHeaders(config) {
+    const contentSecurityPolicy = config.contentSecurityPolicy;
+    if (contentSecurityPolicy?.directives) {
+        for (const [_, values] of Object.entries(contentSecurityPolicy.directives)) {
+            // @ts-ignore //TODO values her har type Iterable (som ikke har `entries()`), men er egentlig en array. Kan sikkert skrives om litt.
+            for (const [i, value] of values.entries()) {
+                if (value === '{nonce}') {
+                    values[i] = (_, res) => `'nonce-${res.locals.cspNonce}'`;
+                }
+            }
+        }
+    }
+    const generateCspNonceMiddleware = (_, res, next) => {
+        res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
+        next();
+    };
+    const helmetMiddleware = helmet({
+        strictTransportSecurity: {
+            maxAge: 31536000,
+            includeSubDomains: false,
+            preload: false,
+        },
+        contentSecurityPolicy: contentSecurityPolicy ?? false,
+    });
+    return [
+        generateCspNonceMiddleware,
+        helmetMiddleware
+    ];
+}

package/dist/{middleware → src/middleware}/security-headers.mjs

@@ -2,7 +2,7 @@ import crypto from "crypto";
 import helmet from "helmet";
 export function securityHeaders(config) {
     const contentSecurityPolicy = config.contentSecurityPolicy;
-    if (contentSecurityPolicy === null || contentSecurityPolicy === void 0 ? void 0 : contentSecurityPolicy.directives) {
+    if (contentSecurityPolicy?.directives) {
         for (const [_, values] of Object.entries(contentSecurityPolicy.directives)) {
             for (const [i, value] of values.entries()) {
                 if (value === '{nonce}') {
@@ -21,7 +21,7 @@ export function securityHeaders(config) {
             includeSubDomains: false,
             preload: false,
         },
-        contentSecurityPolicy: contentSecurityPolicy !== null && contentSecurityPolicy !== void 0 ? contentSecurityPolicy : false,
+        contentSecurityPolicy: contentSecurityPolicy ?? false,
     });
     return [
         generateCspNonceMiddleware,

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.mts

@@ -0,0 +1,3 @@
+export function dynamoDbSessionStore(config?: {}): dynamoDbStore.DynamoDBStore<Record<string, unknown>>;
+import dynamoDbStore from "connect-dynamodb";
+//# sourceMappingURL=dynamoDbSessionStore.d.mts.map

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamoDbSessionStore.d.mts","sourceRoot":"","sources":["../../../../src/middleware/sessions/dynamoDbSessionStore.mjs"],"names":[],"mappings":"AA6BA,wGAcC;0BA1CyB,kBAAkB"}

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.ts

@@ -0,0 +1,3 @@
+import dynamoDbStore from "connect-dynamodb";
+export declare function dynamoDbSessionStore(config?: {}): dynamoDbStore.DynamoDBStore<Record<string, unknown>>;
+//# sourceMappingURL=dynamoDbSessionStore.d.ts.map

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamoDbSessionStore.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/dynamoDbSessionStore.ts"],"names":[],"mappings":"AACA,OAAO,aAAqC,MAAM,kBAAkB,CAAC;AA6BrE,wBAAgB,oBAAoB,CAAC,MAAM,KAAK,wDAc/C"}

package/dist/src/middleware/sessions/dynamoDbSessionStore.js

@@ -0,0 +1,41 @@
+import { DeleteItemCommand, DynamoDBClient, QueryCommand } from "@aws-sdk/client-dynamodb";
+import dynamoDbStore from "connect-dynamodb";
+import session from "express-session";
+import { redact } from "../../utils.js";
+const destroyByIdpSid = (config, client) => {
+    return async (idpSid) => {
+        console.log(`Front channel logout: deleting session(s) with idp-sid=${redact(idpSid)}`);
+        const query = new QueryCommand({
+            TableName: config['table'],
+            IndexName: "idp-sid-index",
+            ExpressionAttributeValues: { ":sid": { S: idpSid } },
+            ExpressionAttributeNames: { "#k": "idp-sid" },
+            KeyConditionExpression: "#k = :sid",
+            ProjectionExpression: "id"
+        });
+        const res = await client.send(query);
+        await Promise.all(res.Items.map((item) => {
+            console.log(`Front channel logout: deleting session ${redact(item.id?.S, 10)}`);
+            return client.send(new DeleteItemCommand({
+                TableName: config['table'],
+                Key: { id: item.id }
+            }));
+        }));
+        console.log(`Front channel logout: completed. ${res.Count} session(s) deleted`);
+    };
+};
+export function dynamoDbSessionStore(config = {}) {
+    const client = new DynamoDBClient({});
+    const DynamoDbStore = dynamoDbStore(session);
+    const sessionStoreConfig = {
+        ...config,
+        client,
+        specialKeys: [
+            { name: "idp-sid", type: "S" }
+        ],
+        skipThrowMissingSpecialKeys: true
+    };
+    const sessionStore = new DynamoDbStore(sessionStoreConfig);
+    sessionStore.destroyByIdpSid = destroyByIdpSid(config, client);
+    return sessionStore;
+}

package/dist/{middleware → src/middleware}/sessions/dynamoDbSessionStore.mjs

@@ -1,18 +1,9 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 import { DeleteItemCommand, DynamoDBClient, QueryCommand } from "@aws-sdk/client-dynamodb";
 import dynamoDbStore from "connect-dynamodb";
 import session from "express-session";
 import { redact } from "../../utils.js";
 const destroyByIdpSid = (config, client) => {
-    return (idpSid) => __awaiter(void 0, void 0, void 0, function* () {
+    return async (idpSid) => {
         console.log(`Front channel logout: deleting session(s) with idp-sid=${redact(idpSid)}`);
         const query = new QueryCommand({
             TableName: config.table,
@@ -22,24 +13,28 @@ const destroyByIdpSid = (config, client) => {
             KeyConditionExpression: "#k = :sid",
             ProjectionExpression: "id"
         });
-        const res = yield client.send(query);
-        yield Promise.all(res.Items.map((item) => {
-            var _a;
-            console.log(`Front channel logout: deleting session ${redact((_a = item.id) === null || _a === void 0 ? void 0 : _a.S, 10)}`);
+        const res = await client.send(query);
+        await Promise.all(res.Items.map((item) => {
+            console.log(`Front channel logout: deleting session ${redact(item.id?.S, 10)}`);
             return client.send(new DeleteItemCommand({
                 TableName: config.table,
                 Key: { id: item.id }
             }));
         }));
         console.log(`Front channel logout: completed. ${res.Count} session(s) deleted`);
-    });
+    };
 };
 export function dynamoDbSessionStore(config = {}) {
     const client = new DynamoDBClient({});
     const DynamoDbStore = dynamoDbStore({ session });
-    const sessionStoreConfig = Object.assign(Object.assign({}, config), { client, specialKeys: [
+    const sessionStoreConfig = {
+        ...config,
+        client,
+        specialKeys: [
             { name: "idp-sid", type: "S" }
-        ], skipThrowMissingSpecialKeys: true });
+        ],
+        skipThrowMissingSpecialKeys: true
+    };
     const sessionStore = new DynamoDbStore(sessionStoreConfig);
     sessionStore.destroyByIdpSid = destroyByIdpSid(config, client);
     return sessionStore;

package/dist/src/middleware/sessions/memorySessionStore.d.mts

@@ -0,0 +1,3 @@
+export function memorySessionStore(config?: {}): session.MemoryStore;
+import session from "express-session";
+//# sourceMappingURL=memorySessionStore.d.mts.map

package/dist/src/middleware/sessions/memorySessionStore.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memorySessionStore.d.mts","sourceRoot":"","sources":["../../../../src/middleware/sessions/memorySessionStore.mjs"],"names":[],"mappings":"AAQA,qEAIC;oBAZmB,iBAAiB"}

package/dist/src/middleware/sessions/memorySessionStore.d.ts

@@ -0,0 +1,3 @@
+import session from "express-session";
+export declare function memorySessionStore(config?: object): session.Store;
+//# sourceMappingURL=memorySessionStore.d.ts.map

package/dist/src/middleware/sessions/memorySessionStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memorySessionStore.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/memorySessionStore.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAQtC,wBAAgB,kBAAkB,CAAC,MAAM,GAAE,MAAW,iBAIrD"}

package/dist/src/middleware/sessions/memorySessionStore.js

@@ -0,0 +1,11 @@
+import session from "express-session";
+import { redact } from "../../utils.js";
+const destroyByIdpSid = async (idpSid) => {
+    // This is not supposed to be used outside localhost, so it is not implemented
+    console.log(`Pretending to destroyByIdpSid. idp-sid=${redact(idpSid)}`);
+};
+export function memorySessionStore(config = {}) {
+    const sessionStore = new session.MemoryStore(config);
+    sessionStore.destroyByIdpSid = destroyByIdpSid;
+    return sessionStore;
+}

package/dist/src/middleware/sessions/sessions.d.mts

@@ -0,0 +1,2 @@
+export function sessions(config: any): import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>[];
+//# sourceMappingURL=sessions.d.mts.map

package/dist/src/middleware/sessions/sessions.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.mts","sourceRoot":"","sources":["../../../../src/middleware/sessions/sessions.mjs"],"names":[],"mappings":"AAIA,sLAiCC"}

package/dist/src/middleware/sessions/sessions.d.ts

@@ -0,0 +1,3 @@
+import { BffConfig } from "../../config.js";
+export declare function sessions(config: BffConfig): import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>[];
+//# sourceMappingURL=sessions.d.ts.map

package/dist/src/middleware/sessions/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/sessions.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAG1C,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,kJAiCzC"}

package/dist/src/middleware/sessions/sessions.js

@@ -0,0 +1,39 @@
+import session from "express-session";
+import { dynamoDbSessionStore } from "./dynamoDbSessionStore.js";
+import { memorySessionStore } from "./memorySessionStore.js";
+export function sessions(config) {
+    let sessionStore;
+    if (config.sessionStoreType === 'memory') {
+        const sessionStoreOptions = config.sessionStoreOptions ?? {};
+        sessionStore = memorySessionStore(sessionStoreOptions);
+    }
+    else if (config.sessionStoreType === 'dynamodb') {
+        const sessionStoreOptions = config.sessionStoreOptions ?? {};
+        sessionStore = dynamoDbSessionStore(sessionStoreOptions);
+    }
+    else if (config.sessionStoreType) {
+        throw Error(`unknown sessionStoreType ${config.sessionStoreType}`);
+    }
+    else {
+        throw Error('missing sessionStoreType');
+    }
+    return [
+        session({
+            secret: config.sessionSecret,
+            store: sessionStore,
+            resave: false,
+            saveUninitialized: false,
+            cookie: config.cookie || {
+                httpOnly: true,
+                path: config.cookiePath,
+                secure: config.cookieSecure,
+                sameSite: config.cookieSameSite
+            },
+        }),
+        (req, _, next) => {
+            // make this function available to request handlers
+            req.destroySessionByIdpSid = sessionStore?.destroyByIdpSid;
+            next();
+        }
+    ];
+}

package/dist/{middleware → src/middleware}/sessions/sessions.mjs

@@ -2,14 +2,13 @@ import session from "express-session";
 import { dynamoDbSessionStore } from "./dynamoDbSessionStore.mjs";
 import { memorySessionStore } from "./memorySessionStore.mjs";
 export function sessions(config) {
-    var _a, _b;
     let sessionStore;
     if (config.sessionStoreType === 'memory') {
-        const sessionStoreOptions = (_a = config.sessionStoreOptions) !== null && _a !== void 0 ? _a : {};
+        const sessionStoreOptions = config.sessionStoreOptions ?? {};
         sessionStore = memorySessionStore(sessionStoreOptions);
     }
     else if (config.sessionStoreType === 'dynamodb') {
-        const sessionStoreOptions = (_b = config.sessionStoreOptions) !== null && _b !== void 0 ? _b : {};
+        const sessionStoreOptions = config.sessionStoreOptions ?? {};
         sessionStore = dynamoDbSessionStore(sessionStoreOptions);
     }
     else if (config.sessionStoreType) {
@@ -33,7 +32,7 @@ export function sessions(config) {
         }),
         (req, _, next) => {
             // make this function available to request handlers
-            req.destroySessionByIdpSid = sessionStore === null || sessionStore === void 0 ? void 0 : sessionStore.destroyByIdpSid;
+            req.destroySessionByIdpSid = sessionStore?.destroyByIdpSid;
             next();
         }
     ];

package/dist/src/middleware/static-routes.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-routes.d.mts","sourceRoot":"","sources":["../../../src/middleware/static-routes.mjs"],"names":[],"mappings":"AAIA,+CAiBC"}

package/dist/src/middleware/static-routes.d.ts

@@ -0,0 +1,3 @@
+import { BffConfig } from "../config.js";
+export declare function staticRoutes(config: BffConfig): import("express-serve-static-core").Router;
+//# sourceMappingURL=static-routes.d.ts.map

package/dist/src/middleware/static-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/static-routes.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AAEvC,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,8CAiB7C"}