@oslokommune/auth-bff 2.0.0-beta1 → 2.0.0-beta3

package/README.md

@@ -0,0 +1,344 @@
+# auth-bff
+
+A NodeJS Backend for frontend.
+
+Features:
+
+* Two "modes" of operation
+    * A vite plugin for use during development
+    * A standalone mode for use in production (e.g. inside a docker container)
+* Supports generic OIDC auth code flow clients
+* Has special support for `okdata`-generated Idporten clients
+* Handles login/logout and sessions (using DynamoDb as a store)
+* Proxies API calls
+* Serves a static web app
+* Includes simple React components for handling login-state
+
+See https://github.com/oslokommune/auth-bff-example for an example React app using this package.
+
+## Getting started
+
+### Dev mode
+
+1. Install package
+
+```shell
+npm install @oslokommune/auth-bff
+```
+
+2. Add plugin to your vite config
+
+```ts
+import {defineConfig} from 'vite'
+import bff from '@oslokommune/auth-bff/vite-plugin'
+
+export default defineConfig({
+  plugins: [
+    bff()
+  ],
+  ...
+})
+```
+
+3. Create a [config file](#configuration)
+
+4. Run!
+
+### Standalone mode
+
+1. Install package globally
+
+```shell
+npm install -g @oslokommune/auth-bff
+```
+
+2. Create a [config file](#configuration)
+
+3. Run with
+
+```shell
+auth-bff
+```
+
+## Running in Docker
+
+When running in docker you should specify the version to use, and make sure it matches the one used in package.json.
+
+Example dockerfile:
+```dockerfile
+FROM node:23-alpine AS base
+
+FROM base AS react-build
+WORKDIR /home/react
+COPY package*.json /home/react
+RUN npm install
+COPY . ./
+RUN npm run build
+
+FROM base
+WORKDIR /application
+EXPOSE 8080
+COPY --from=react-build /home/react/dist /application/dist
+ENV NODE_ENV=production
+RUN npm install -g @oslokommune/auth-bff@2.0.0-beta3
+COPY bff.config.json /application/
+CMD ["auth-bff"]
+```
+
+To use different configuration for different environments, you can create separate config files for each and select it at build time (using build args). 
+For example, with `bff.config.dev.json` and `bff.config.prod.json`:
+
+```dockerfile
+ARG ENVIRONMENT=''
+COPY bff.config.${ENVIRONMENT}.json /application/bff.config.json
+CMD ["auth-bff"]
+```
+
+Or select it at runtime, using an env var: 
+
+```dockerfile
+COPY bff.config*.json /application/
+CMD exec auth-bff --configFile bff.config.${ENVIRONMENT}.json
+```
+
+
+## Configuration
+
+Configuration is defined in json-files that look like this:
+
+```json
+{
+  "issuer": "https://example-issuer.com/",
+  "clientId": "example-client",
+  "clientSecret": "{ssm:/secret/from/parameter/store}",
+  "redirectUri": "http://localhost:3000/auth/callback",
+  "cookieSecure": false,
+  "cookieSameSite": false,
+  "postLogoutRedirectUri": "http://localhost:3000/",
+  "sessionSecret": "{env:SECRET_FROM_ENV}",
+  "sessionStoreType": "memory",
+  "proxyTargets": {
+    "/api": "http://localhost:8080/api"
+  }
+}
+```
+
+By default it looks for a file named `bff.config.json`, but this can be overridden:
+
+Vite:
+
+```ts
+plugins: [
+  bff({configFile: ['bff.config.local.json', 'bff.config.json']}) //First existing file is used
+]
+```
+
+Standalone:
+
+```shell
+auth-bff --configFile /path/to/bff.config.json
+```
+
+The config file supports two special forms for loading values from other sources. Primarily meant for loading secrets:
+
+Environment values:
+
+```json
+{
+  "sessionSecret": "{env:MY_SECRET}"
+}
+```
+
+AWS Parameter store:
+
+```json
+{
+  "sessionSecret": "{ssm:/name/of/parameter}"
+}
+```
+
+This loads from the configured AWS environment. For this to work on your local machine the `AWS_PROFILE` environment
+variable must be set, and you must be signed in to that profile
+
+ℹ️ [See `config.ts` for a description of all config parameters](src/config.ts) 
+
+## Using with ID-porten (via `okdata`):
+
+`auth-bff` Has special support for keys generated by [`okdata`](https://github.com/oslokommune/okdata-cli).
+
+1. Start by creating a new client and key using okdata:
+
+```shell
+~> okdata pubs create-client
+* Environment test
+* Team <team>
+* Client type ID-porten
+* Integration name  (identifying in which system or case this client will be used) <your name here>
+* Redirect URIs (comma-separated) http://localhost:3000/auth/callback
+* Post logout Redirect URIs (comma-separated) http://localhost:3000
+* Frontchannel logout URI http://localhost:3000/auth/logout
+* Client URI (back URI) http://localhost:3000
+...
+~> okdata pubs create-key
+* Environment test
+* Client <same client as above>
+* Where should the key be stored? Send the key to your AWS Parameter Store
+* AWS account number <accno>
+* AWS region eu-west-1 (Ireland)
+* Automatic key rotation will replace the key in SSM nightly on weekdays.
+  Enable automatic key rotation for this client? Yes
+...
+A new key has been created and the following parameters have been written to SSM:
+- /okdata/maskinporten/11111111-2222-3333-4444-555555555555/key.json
+...
+```
+
+2. Set the following options in the config file:
+
+```json
+{
+  "issuer": "https://test.idporten.no/",
+  "clientId": "11111111-2222-3333-4444-555555555555",
+  "okDataIdPortenKeyName": "/okdata/maskinporten/11111111-2222-3333-4444-555555555555/key.json",
+  ...
+}
+```
+
+3. Done!
+
+## Configuring session storage
+
+Currently only dynamoDb is supported for storing sessions in production. It requires some setup.
+To work properly, the table must have ttl enabled, and an extra index for the `idp-sid`-property (used to delete
+sessions during front-channel logout)
+
+> [!WARNING]  
+> If the table does not exist, it will be automatically created with settings not appropriate for production.
+
+
+Here is an example configuration in terraform
+
+```terraform
+resource "aws_dynamodb_table" "session_dynamodb_table" {
+  name         = "${local.environment}-${local.main_container_name}-sessions"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "id"
+
+  on_demand_throughput {
+    max_read_request_units  = 20
+    max_write_request_units = 20
+  }
+
+  attribute {
+    name = "id"
+    type = "S"
+  }
+
+  attribute {
+    name = "idp-sid"
+    type = "S"
+  }
+
+  ttl {
+    enabled        = true
+    attribute_name = "expires"
+  }
+
+  global_secondary_index {
+    hash_key        = "idp-sid"
+    name            = "idp-sid-index"
+    projection_type = "KEYS_ONLY"
+    on_demand_throughput {
+      max_read_request_units  = 20
+      max_write_request_units = 20
+    }
+  }
+}
+```
+
+Then remember to update the config to use the new table:
+
+```json
+{
+  "sessionStoreOptions": {
+    "table": "myteam-dev-myservice-sessions"
+  }
+}
+```
+
+The read/write limits above are just an example, and can be changed/removed
+
+## Required AWS permissions
+
+When using SSM parameters or `okDataIdPortenKeyName` in the config, the service will need the `ssm:GetParameter`
+permission for each parameter
+
+If using dynamodb, the service will need the following permissions for the table
+
+```
+dynamodb:CreateTable
+dynamodb:DescribeTable
+dynamodb:PutItem
+dynamodb:DeleteItem
+dynamodb:GetItem
+dynamodb:Scan
+dynamodb:UpdateItem
+```
+
+## React component
+
+This package also includes a React component for handling authentication state. It will redirect to login if required 
+and optionally automatically poll for changes to authentication state. 
+
+### AuthContextProvider
+
+```tsx
+import {AuthContextProvider} from "@oslokommune/auth-bff/react";
+import {PktLoader} from "@oslokommune/punkt-react";
+
+const fiveMinutes = 5 * 60 * 1000;
+  
+<AuthContextProvider authRequired={true} loaderComponent={<PktLoader/>} pollInterval={fiveMinues}>
+  <App/>
+</AuthContextProvider>
+```
+
+| Option         | Description                                                                                                                                           |
+|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| authRequired   | Whether authentication is required. If true, will redirect to login before rendering child components (default: true)                                 |
+| loaderComponent | React component to display while loading auth state. (default: null)                                                                                  |
+| baseUrl        | Must be set to the same baseUrl as in the json config for login/logout to work correctly (default: '')                                                |
+| pollInterval   | Minimum interval in milliseconds between checks if session is still active. Will set authState to 'expired' if session is expired (default: disabled) |
+
+
+### useAuthContext
+
+Hook to get current AuthState. Must be called in a component inside the AuthContextProvider.
+```tsx
+import {useAuthContext} from "@oslokommune/auth-bff/react";
+
+const {user, authState, login} = useAuthContext()
+if(authState === 'authenticated') {
+  console.log(`Hello, ${user.pid}`)
+} else {
+  login()
+}
+
+```
+
+| Property  | Description                                                                                                                                                      |
+|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| user      | The currently logged in user, or null if not logged in. User object contains the id_token claims returned from the usr endpoint. See config option `userClaims`. |
+| login     | Function that will redirect to the login endpoint when invoked                                                                                                   |
+| logout    | Function that will redirect to the logout endpoint when invoked                                                                                                  |
+| authState | Current auth state. See table below for values                                                                                                                   |                                                                                                                                              |                                                                                                                                                         |
+
+#### AuthState
+| Value           | Description                                                                                                      |
+|-----------------|------------------------------------------------------------------------------------------------------------------|
+| pending         | Initial value before auth state has been determined                                                              |
+| authenticated   | User is authenticated.                                                                                           |
+| unauthenticated | User is not authenticated                                                                                        |
+| expired         | User was authenticated, but the session has expired. Can be used to display message to user or redirect to login |                                                                                                                                              |                                                                                                                                                         |
+| error           | Failed to determine auth state                                                                                   |                                                                                                                                              |                                                                                                                                                         |
+

package/dist/package.json

@@ -1,23 +1,23 @@
 {
     "name": "@oslokommune/auth-bff",
-    "version": "2.0.0-beta1",
+    "version": "2.0.0-beta3",
     "repository": "https://github.com/oslokommune/auth-bff.git",
     "publishConfig": {
         "access": "public"
     },
     "scripts": {
         "build": "tsc",
-        "run": "node ./dist/server.mjs",
+        "run": "node ./dist/src/server.js",
         "build-and-publish": "tsc && npm publish",
         "build-and-publish-prerelease": "tsc && npm publish --tag prerelease",
         "test": "vitest"
     },
     "exports": {
-        "./vite-plugin": "./dist/src/vite-plugin.mjs",
+        "./vite-plugin": "./dist/src/vite-plugin.js",
         "./react": "./dist/src/react/index.js"
     },
     "bin": {
-        "auth-bff": "dist/src/server.mjs"
+        "auth-bff": "dist/src/server.js"
     },
     "files": [
         "/dist"
@@ -27,6 +27,7 @@
     "license": "",
     "description": "",
     "devDependencies": {
+        "@types/command-line-args": "^5.2.3",
         "@types/compression": "^1.8.1",
         "@types/express": "^4.17.22",
         "@types/express-session": "^1.18.2",
@@ -39,19 +40,19 @@
         "vitest": "^4.0.18"
     },
     "dependencies": {
-        "@aws-sdk/client-dynamodb": "^3.817.0",
-        "@aws-sdk/client-ssm": "^3.817.0",
+        "@aws-sdk/client-dynamodb": "^3.990.0",
+        "@aws-sdk/client-ssm": "^3.990.0",
         "command-line-args": "^6.0.1",
-        "compression": "^1.8.0",
+        "compression": "^1.8.1",
         "connect-dynamodb": "^3.0.5",
-        "express": "4.21.2",
-        "express-session": "1.18.2",
+        "express": "4.22.1",
+        "express-session": "1.19.0",
         "find-up": "^7.0.0",
         "helmet": "^8.1.0",
         "http-proxy-middleware": "^3.0.5",
-        "jose": "^6.0.11",
+        "jose": "^6.1.3",
         "node-forge": "1.3.3",
-        "openid-client": "^6.8.1",
+        "openid-client": "^6.8.2",
         "string-replace-middleware": "^1.1.0"
     }
 }

package/dist/src/config.d.ts

@@ -1,23 +1,126 @@
+import { HelmetOptions } from "helmet";
+import session from "express-session";
 export type BffConfig = {
+    /**
+     * The port at which the app will be served. Only used in standalone mode, to change the port used during development,
+     * set it in your vite config instead.
+     */
+    port: number;
+    /**
+     * The base root path. Change if app is served from a non-root path.
+     *
+     * Default: `/`
+     */
     basePath?: string;
+    /**
+     * The root path of the static resources to be served
+     *
+     * Default: `/dist`
+     */
     staticRootPath?: string;
+    /**
+     * The issuer
+     *
+     * Example: `https://test.idporten.no/`
+     */
     issuer: string;
+    /**
+     * The ID of the client
+     */
     clientId: string;
+    /**
+     * The client secret. Not used if `okDataIdPortenKeyName` is set.
+     */
     clientSecret?: string;
+    /**
+     * The redirect uri configured for the client
+     */
     redirectUri: string;
-    resources: Array<string>;
+    /**
+     * The intended audience for the tokens. Value(s) set here can be used to verify audience on the recipient end.
+     * See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-indicators-05.
+     *
+     * Example: `["https://example.com/api1", "https://example.com/api2"]`
+     */
+    resources?: Array<string>;
+    /**
+     * express-session cookie options, note that if this is set, the below cookie*-options will have no effect
+     */
+    cookie?: session.CookieOptions;
+    /**
+     * Sets the Path attribute of the cookie. Should most likely be the same as basePath. See https://expressjs.com/en/resources/middleware/session.html
+     *
+     * Default: `/`
+     */
     cookiePath?: string;
-    cookieSecure?: Boolean;
-    cookieSameSite: Boolean | string;
+    /**
+     * Sets the Secure attribute of the cookie. See https://expressjs.com/en/resources/middleware/session.html
+     *
+     * Default: `true`
+     */
+    cookieSecure?: boolean;
+    /**
+     * Sets the SameSite attribute of the cookie. See https://expressjs.com/en/resources/middleware/session.html
+     *
+     * Default: `"lax"`
+     */
+    cookieSameSite: boolean | "lax" | "none" | "strict";
+    /**
+     * The post logout redirect uri configured for the client
+     */
     postLogoutRedirectUri: string;
+    /**
+     * The name of the key that okdata stored in parameter store.
+     *
+     * Example: `/okdata/maskinporten/11111111-2222-3333-4444-555555555555/key.json`
+     */
     okDataIdPortenKeyName: string;
+    /**
+     * Secret used to sign sessions
+     */
     sessionSecret: string;
+    /**
+     * The type of session store used. Only `memory` and `dynamodb` currently supported. `memory` is only for dev use
+     */
     sessionStoreType: 'memory' | 'dynamodb';
+    /**
+     * Options that will be passed to the chosen sessionStore. Options depend on the type of store chosen
+     *
+     * Example: `{"table": "my-custom-dynamodb-table"}`
+     */
     sessionStoreOptions?: object;
+    /**
+     * Map of paths and remote targets that will be forwarded by the proxy
+     *
+     * Example: `{'/api': 'http://example.com/api'}`
+     */
     proxyTargets: {
         [path: string]: string;
     };
-    userClaims: Array<string>;
+    /**
+     * List of claims in the id_token that are returned by the /user-endpoint. By default all are returned
+     *
+     * Example: `["pid"]`
+     */
+    userClaims?: Array<string>;
+    /**
+     * Content security policy configuration passed to helmet.
+     * See https://github.com/helmetjs/helmet for details. Note that since the config in limited to json,
+     * some features are not supported. To set a nonce value, use the special value `"{nonce}"` instead.
+     *
+     *
+     * Example:
+     * ```json
+     *     {
+     *       "directives": {
+     *         "default-src": ["'self'", "https://*.oslo.kommune.no", "https://*.oslo.systems"],
+     *         "script-src": ["'self'", "{nonce}"],
+     *       ...
+     *       }
+     *     }
+     * ```
+     */
+    contentSecurityPolicy?: Exclude<HelmetOptions['contentSecurityPolicy'], Boolean>;
 };
 export declare function getEnv(env: string, defaultVal?: string, parseFn?: (val: string) => string): string;
 export declare function getSsmParameter(name: string, withDecryption?: boolean): Promise<string>;

package/dist/src/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,SAAS,GAAG;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACxB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,OAAO,GAAG,MAAM,CAAA;IAChC,qBAAqB,EAAE,MAAM,CAAA;IAC7B,qBAAqB,EAAE,MAAM,CAAA;IAC7B,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,YAAY,EAAE;QAAC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAC,CAAA;IACtC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;CAC1B,CAAA;AAED,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAGD,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAWD,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAA0B,sBAyBtE"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;CACjF,CAAA;AAUD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAKD,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAA0B,sBAyBtE"}

package/dist/src/config.js

@@ -1,5 +1,12 @@
 import { findUp } from 'find-up';
 import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
+const defaultConfig = {
+    basePath: "",
+    cookiePath: '/',
+    cookieSecure: true,
+    cookieSameSite: 'lax',
+    staticRootPath: './dist'
+};
 export function getEnv(env, defaultVal, parseFn) {
     if (process.env[env]) {
         return parseFn ? parseFn(process.env[env]) : process.env[env];
@@ -19,13 +26,6 @@ export async function getSsmParameter(name, withDecryption = true) {
         WithDecryption: withDecryption
     })).then(p => p.Parameter.Value);
 }
-const defaultConfig = {
-    basePath: "",
-    cookiePath: '/',
-    cookieSecure: true,
-    cookieSameSite: 'lax',
-    staticRootPath: './dist'
-};
 let config;
 export async function loadConfig(configFile = 'bff.config.json') {
     if (config)

package/dist/src/middleware/OidcMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/OidcMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,mBAAmB,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AACvC,OAAO,KAAK,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AAK5D,qBAAa,cAAc;;IAKzB;;;;OAIG;gBACS,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB;WASpD,MAAM,CAAC,MAAM,EAAE,SAAS;IAgErC,IAAI,gBAAgB,KACV,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UAWxD;IAED,IAAI,KAAK,KACO,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBA+B9D;IAqBD,IAAI,QAAQ,KACI,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAuC9D;IAED,IAAI,IAAI,KACQ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,iDAa9D;IAED,IAAI,MAAM,KACA,KAAK,OAAO,EAAE,KAAK,QAAQ,UASpC;IAED,IAAI,kBAAkB,KACN,KAAK,OAAO,EAAE,KAAK,QAAQ,mBAc1C;CACF"}
+{"version":3,"file":"OidcMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/OidcMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,mBAAmB,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AACvC,OAAO,KAAK,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AAK5D,qBAAa,cAAc;;IAKzB;;;;OAIG;gBACS,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB;WASpD,MAAM,CAAC,MAAM,EAAE,SAAS;IAgErC,IAAI,gBAAgB,KACV,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UAWxD;IAED,IAAI,KAAK,KACO,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBA+B9D;IAqBD,IAAI,QAAQ,KACI,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAuC9D;IAED,IAAI,IAAI,KACQ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,iDAc9D;IAED,IAAI,MAAM,KACA,KAAK,OAAO,EAAE,KAAK,QAAQ,UASpC;IAED,IAAI,kBAAkB,KACN,KAAK,OAAO,EAAE,KAAK,QAAQ,mBAc1C;CACF"}

package/dist/src/middleware/OidcMiddleware.js

@@ -121,6 +121,7 @@ export class OidcMiddleware {
             try {
                 const tokenResponse = await __classPrivateFieldGet(this, _OidcMiddleware_instances, "m", _OidcMiddleware_getFreshTokens).call(this, req);
                 if (!tokenResponse) {
+                    console.log('/user 401: No tokenset');
                     return res.sendStatus(401);
                 }
                 return res.send(req.session.userClaims);

package/dist/src/middleware/oidc-routes.d.ts

@@ -0,0 +1,3 @@
+import { OidcMiddleware } from "./OidcMiddleware.js";
+export declare function oidcRoutes(oidcMiddleware: OidcMiddleware): import("express-serve-static-core").Router;
+//# sourceMappingURL=oidc-routes.d.ts.map

package/dist/src/middleware/oidc-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/oidc-routes.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAEnD,wBAAgB,UAAU,CAAC,cAAc,EAAE,cAAc,8CAUxD"}

package/dist/src/middleware/oidc-routes.js

@@ -0,0 +1,10 @@
+import express from "express";
+export function oidcRoutes(oidcMiddleware) {
+    const router = express.Router();
+    router.get('/auth/login', oidcMiddleware.login);
+    router.get('/auth/callback', oidcMiddleware.callback);
+    router.get('/auth/logout', oidcMiddleware.logout);
+    router.get('/auth/user', oidcMiddleware.user);
+    router.get('/auth/front-channel-logout', oidcMiddleware.frontChannelLogout);
+    return router;
+}

package/dist/src/middleware/proxy-routes.d.ts

@@ -0,0 +1,4 @@
+import { BffConfig } from "../config.js";
+import { OidcMiddleware } from "./OidcMiddleware.js";
+export declare function proxyRoutes(config: BffConfig, oidcMiddleware: OidcMiddleware): import("express-serve-static-core").Router;
+//# sourceMappingURL=proxy-routes.d.ts.map

package/dist/src/middleware/proxy-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/proxy-routes.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AACvC,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAEnD,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,8CA6B5E"}

package/dist/src/middleware/proxy-routes.js

@@ -0,0 +1,28 @@
+import express from "express";
+import { createProxyMiddleware } from "http-proxy-middleware";
+export function proxyRoutes(config, oidcMiddleware) {
+    const router = express.Router();
+    for (const [path, target] of Object.entries(config.proxyTargets)) {
+        console.log(`Setting up auth proxy: ${path} -> ${target}`);
+        router.use(path, oidcMiddleware.ensureFreshToken, createProxyMiddleware({
+            target: target,
+            changeOrigin: true,
+            on: {
+                proxyReq: (proxyReq, req) => {
+                    const accessToken = req.tokenResponse?.access_token;
+                    if (!accessToken) {
+                        console.error("proxy: missing token");
+                        return;
+                    }
+                    proxyReq.setHeader("Authorization", `Bearer ${accessToken}`);
+                    proxyReq.removeHeader("Cookie");
+                },
+                proxyRes: (proxyRes, req) => {
+                    // @ts-ignore //TODO: proxyRes har en mystisk type som mangler req, men den er der
+                    console.log(`Proxied: ${req.method} ${req.originalUrl} -> ${proxyRes.req.protocol}//${proxyRes.req.host}${proxyRes.req.path}, status=${proxyRes.statusCode}`);
+                }
+            }
+        }));
+    }
+    return router;
+}

package/dist/src/middleware/proxy-routes.mjs

@@ -18,7 +18,7 @@ export function proxyRoutes(config, oidcMiddleware) {
                     proxyReq.removeHeader("Cookie");
                 },
                 proxyRes: (proxyRes, req, res) => {
-                    console.log(`Proxied ${req.originalUrl} -> ${target}${req.originalUrl}: ${proxyRes.statusCode}`);
+                    console.log(`Proxied: ${req.method} ${req.originalUrl} -> ${proxyRes.req.protocol}//${proxyRes.req.host}${proxyRes.req.path}, status=${proxyRes.statusCode}`);
                 }
             }
         }));

package/dist/src/middleware/security-headers.d.ts

@@ -0,0 +1,4 @@
+import { Request, Response, NextFunction } from 'express';
+import { BffConfig } from "../config.js";
+export declare function securityHeaders(config: BffConfig): ((_: Request, res: Response, next: NextFunction) => void)[];
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/src/middleware/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AACvD,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AAEvC,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,QAcR,OAAO,OAAO,QAAQ,QAAQ,YAAY,aAkBlF"}

package/dist/src/middleware/security-headers.js

@@ -0,0 +1,31 @@
+import crypto from "crypto";
+import helmet from "helmet";
+export function securityHeaders(config) {
+    const contentSecurityPolicy = config.contentSecurityPolicy;
+    if (contentSecurityPolicy?.directives) {
+        for (const [_, values] of Object.entries(contentSecurityPolicy.directives)) {
+            // @ts-ignore //TODO values her har type Iterable (som ikke har `entries()`), men er egentlig en array. Kan sikkert skrives om litt.
+            for (const [i, value] of values.entries()) {
+                if (value === '{nonce}') {
+                    values[i] = (_, res) => `'nonce-${res.locals.cspNonce}'`;
+                }
+            }
+        }
+    }
+    const generateCspNonceMiddleware = (_, res, next) => {
+        res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
+        next();
+    };
+    const helmetMiddleware = helmet({
+        strictTransportSecurity: {
+            maxAge: 31536000,
+            includeSubDomains: false,
+            preload: false,
+        },
+        contentSecurityPolicy: contentSecurityPolicy ?? false,
+    });
+    return [
+        generateCspNonceMiddleware,
+        helmetMiddleware
+    ];
+}

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.ts

@@ -0,0 +1,3 @@
+import dynamoDbStore from "connect-dynamodb";
+export declare function dynamoDbSessionStore(config?: {}): dynamoDbStore.DynamoDBStore<Record<string, unknown>>;
+//# sourceMappingURL=dynamoDbSessionStore.d.ts.map

package/dist/src/middleware/sessions/dynamoDbSessionStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamoDbSessionStore.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/dynamoDbSessionStore.ts"],"names":[],"mappings":"AACA,OAAO,aAAqC,MAAM,kBAAkB,CAAC;AA6BrE,wBAAgB,oBAAoB,CAAC,MAAM,KAAK,wDAc/C"}

package/dist/src/middleware/sessions/dynamoDbSessionStore.js

@@ -0,0 +1,41 @@
+import { DeleteItemCommand, DynamoDBClient, QueryCommand } from "@aws-sdk/client-dynamodb";
+import dynamoDbStore from "connect-dynamodb";
+import session from "express-session";
+import { redact } from "../../utils.js";
+const destroyByIdpSid = (config, client) => {
+    return async (idpSid) => {
+        console.log(`Front channel logout: deleting session(s) with idp-sid=${redact(idpSid)}`);
+        const query = new QueryCommand({
+            TableName: config['table'],
+            IndexName: "idp-sid-index",
+            ExpressionAttributeValues: { ":sid": { S: idpSid } },
+            ExpressionAttributeNames: { "#k": "idp-sid" },
+            KeyConditionExpression: "#k = :sid",
+            ProjectionExpression: "id"
+        });
+        const res = await client.send(query);
+        await Promise.all(res.Items.map((item) => {
+            console.log(`Front channel logout: deleting session ${redact(item.id?.S, 10)}`);
+            return client.send(new DeleteItemCommand({
+                TableName: config['table'],
+                Key: { id: item.id }
+            }));
+        }));
+        console.log(`Front channel logout: completed. ${res.Count} session(s) deleted`);
+    };
+};
+export function dynamoDbSessionStore(config = {}) {
+    const client = new DynamoDBClient({});
+    const DynamoDbStore = dynamoDbStore(session);
+    const sessionStoreConfig = {
+        ...config,
+        client,
+        specialKeys: [
+            { name: "idp-sid", type: "S" }
+        ],
+        skipThrowMissingSpecialKeys: true
+    };
+    const sessionStore = new DynamoDbStore(sessionStoreConfig);
+    sessionStore.destroyByIdpSid = destroyByIdpSid(config, client);
+    return sessionStore;
+}

package/dist/src/middleware/sessions/memorySessionStore.d.ts

@@ -0,0 +1,3 @@
+import session from "express-session";
+export declare function memorySessionStore(config?: object): session.Store;
+//# sourceMappingURL=memorySessionStore.d.ts.map

package/dist/src/middleware/sessions/memorySessionStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memorySessionStore.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/memorySessionStore.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAQtC,wBAAgB,kBAAkB,CAAC,MAAM,GAAE,MAAW,iBAIrD"}

package/dist/src/middleware/sessions/memorySessionStore.js

@@ -0,0 +1,11 @@
+import session from "express-session";
+import { redact } from "../../utils.js";
+const destroyByIdpSid = async (idpSid) => {
+    // This is not supposed to be used outside localhost, so it is not implemented
+    console.log(`Pretending to destroyByIdpSid. idp-sid=${redact(idpSid)}`);
+};
+export function memorySessionStore(config = {}) {
+    const sessionStore = new session.MemoryStore(config);
+    sessionStore.destroyByIdpSid = destroyByIdpSid;
+    return sessionStore;
+}

package/dist/src/middleware/sessions/sessions.d.ts

@@ -0,0 +1,3 @@
+import { BffConfig } from "../../config.js";
+export declare function sessions(config: BffConfig): import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>[];
+//# sourceMappingURL=sessions.d.ts.map

package/dist/src/middleware/sessions/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/sessions.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAG1C,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,kJAiCzC"}

package/dist/src/middleware/sessions/sessions.js

@@ -0,0 +1,39 @@
+import session from "express-session";
+import { dynamoDbSessionStore } from "./dynamoDbSessionStore.js";
+import { memorySessionStore } from "./memorySessionStore.js";
+export function sessions(config) {
+    let sessionStore;
+    if (config.sessionStoreType === 'memory') {
+        const sessionStoreOptions = config.sessionStoreOptions ?? {};
+        sessionStore = memorySessionStore(sessionStoreOptions);
+    }
+    else if (config.sessionStoreType === 'dynamodb') {
+        const sessionStoreOptions = config.sessionStoreOptions ?? {};
+        sessionStore = dynamoDbSessionStore(sessionStoreOptions);
+    }
+    else if (config.sessionStoreType) {
+        throw Error(`unknown sessionStoreType ${config.sessionStoreType}`);
+    }
+    else {
+        throw Error('missing sessionStoreType');
+    }
+    return [
+        session({
+            secret: config.sessionSecret,
+            store: sessionStore,
+            resave: false,
+            saveUninitialized: false,
+            cookie: config.cookie || {
+                httpOnly: true,
+                path: config.cookiePath,
+                secure: config.cookieSecure,
+                sameSite: config.cookieSameSite
+            },
+        }),
+        (req, _, next) => {
+            // make this function available to request handlers
+            req.destroySessionByIdpSid = sessionStore?.destroyByIdpSid;
+            next();
+        }
+    ];
+}

package/dist/src/middleware/static-routes.d.ts

@@ -0,0 +1,3 @@
+import { BffConfig } from "../config.js";
+export declare function staticRoutes(config: BffConfig): import("express-serve-static-core").Router;
+//# sourceMappingURL=static-routes.d.ts.map

package/dist/src/middleware/static-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/static-routes.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AAEvC,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,8CAiB7C"}

package/dist/src/middleware/static-routes.js

@@ -0,0 +1,19 @@
+import express from "express";
+import { stringReplace } from "string-replace-middleware";
+import path from "path";
+export function staticRoutes(config) {
+    const router = express.Router();
+    router.use(stringReplace({
+        '__CSP_NONCE__': (_, res) => res.locals.cspNonce
+    }, {
+        contentTypeFilterRegexp: /^text\/html/
+    }));
+    const staticPath = path.resolve(process.cwd(), config.staticRootPath);
+    console.log(`Serving static content from '${staticPath}'`);
+    router.use(express.static(staticPath, { index: false }));
+    router.get('*', function (_, res) {
+        res.set('Cache-Control', 'no-store');
+        res.sendFile(path.resolve(staticPath, 'index.html'));
+    });
+    return router;
+}

package/dist/src/server.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=server.d.ts.map

package/dist/src/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":""}

package/dist/src/server.js

@@ -0,0 +1,43 @@
+#!/usr/bin/env node
+import express from "express";
+import compression from "compression";
+import { loadConfig } from './config.js';
+import { proxyRoutes } from "./middleware/proxy-routes.js";
+import { staticRoutes } from "./middleware/static-routes.js";
+import { securityHeaders } from "./middleware/security-headers.js";
+import { sessions } from "./middleware/sessions/sessions.js";
+import { oidcRoutes } from "./middleware/oidc-routes.js";
+import { OidcMiddleware } from "./middleware/OidcMiddleware.js";
+import commandLineArgs from "command-line-args";
+import packageJson from "../package.json" with { type: 'json' };
+const options = commandLineArgs([{ name: 'configFile' }]);
+const config = await loadConfig(options.configFile);
+const port = process.env.port || config.port || 8080;
+const oidcMiddleware = await OidcMiddleware.create(config);
+const requestLogger = (req, _, next) => {
+    next();
+    console.log(`${req.method} ${req.originalUrl}, referer=${req.get('Referer')}, user-agent=${req.get('User-Agent')}`);
+};
+const app = express();
+app.set('trust proxy', true); // TODO: sjekk om denne kan/bør være strengere: https://expressjs.com/en/api.html#trust.proxy.options.table
+app.disable("x-powered-by");
+app.use(compression());
+app.use(sessions(config));
+app.use(securityHeaders(config));
+app.get("/health", (_, res) => {
+    res.send("OK");
+});
+const basePath = config.basePath || "/";
+app.use(basePath, oidcRoutes(oidcMiddleware));
+app.use(requestLogger); //NB, må stå her for å ikke logge auth-requestene over
+app.use(basePath, proxyRoutes(config, oidcMiddleware));
+app.use(basePath, staticRoutes(config));
+const server = app.listen(port, () => {
+    console.log(`auth-bff ${packageJson.version} started on port ${port}`);
+});
+process.on('SIGTERM', () => {
+    console.log('SIGTERM received. Closing...');
+    server.close(() => {
+        console.log('Server closed');
+    });
+});

package/dist/src/utils.d.ts

@@ -1,2 +1,2 @@
-export function redact(string: any, length?: number): string;
+export declare function redact(string: string, length?: number): string;
 //# sourceMappingURL=utils.d.ts.map

package/dist/src/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/utils.js"],"names":[],"mappings":"AAAA,6DAEC"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAAA,wBAAgB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,MAAU,UAExD"}

package/dist/src/vite-plugin.d.ts

@@ -0,0 +1,5 @@
+import { Plugin } from 'vite';
+export default function bff({ configFile }?: {
+    configFile?: string;
+}): Plugin;
+//# sourceMappingURL=vite-plugin.d.ts.map

package/dist/src/vite-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vite-plugin.d.ts","sourceRoot":"","sources":["../../src/vite-plugin.ts"],"names":[],"mappings":"AAGA,OAAO,EAAgB,MAAM,EAAC,MAAM,MAAM,CAAA;AAsB1C,MAAM,CAAC,OAAO,UAAU,GAAG,CAAC,EAAC,UAAU,EAAC,GAAE;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAM,GAAG,MAAM,CAO5E"}

package/dist/src/vite-plugin.js

@@ -0,0 +1,26 @@
+import express from "express";
+import { loadConfig } from "./config.js";
+import { OidcMiddleware } from "./middleware/OidcMiddleware.js";
+function configureServer(configFilePath) {
+    return async ({ middlewares }) => {
+        const { oidcRoutes } = await import("./middleware/oidc-routes.js");
+        const { proxyRoutes } = await import("./middleware/proxy-routes.js");
+        const { sessions } = await import("./middleware/sessions/sessions.js");
+        const config = await loadConfig(configFilePath);
+        const oidcMiddleware = await OidcMiddleware.create(config);
+        const basePath = config.basePath || "/";
+        const app = express();
+        app.use(sessions(config));
+        app.use(basePath, oidcRoutes(oidcMiddleware));
+        app.use(basePath, proxyRoutes(config, oidcMiddleware));
+        middlewares.use(app);
+    };
+}
+export default function bff({ configFile } = {}) {
+    return {
+        name: 'bff',
+        apply: 'serve',
+        configureServer: configureServer(configFile),
+        configurePreviewServer: configureServer(configFile)
+    };
+}

package/package.json

@@ -1,23 +1,23 @@
 {
   "name": "@oslokommune/auth-bff",
-  "version": "2.0.0-beta1",
+  "version": "2.0.0-beta3",
   "repository": "https://github.com/oslokommune/auth-bff.git",
   "publishConfig": {
     "access": "public"
   },
   "scripts": {
     "build": "tsc",
-    "run": "node ./dist/server.mjs",
+    "run": "node ./dist/src/server.js",
     "build-and-publish": "tsc && npm publish",
     "build-and-publish-prerelease": "tsc && npm publish --tag prerelease",
     "test": "vitest"
   },
   "exports": {
-    "./vite-plugin": "./dist/src/vite-plugin.mjs",
+    "./vite-plugin": "./dist/src/vite-plugin.js",
     "./react": "./dist/src/react/index.js"
   },
   "bin": {
-    "auth-bff": "dist/src/server.mjs"
+    "auth-bff": "dist/src/server.js"
   },
   "files": [
     "/dist"
@@ -27,6 +27,7 @@
   "license": "",
   "description": "",
   "devDependencies": {
+    "@types/command-line-args": "^5.2.3",
     "@types/compression": "^1.8.1",
     "@types/express": "^4.17.22",
     "@types/express-session": "^1.18.2",
@@ -39,19 +40,19 @@
     "vitest": "^4.0.18"
   },
   "dependencies": {
-    "@aws-sdk/client-dynamodb": "^3.817.0",
-    "@aws-sdk/client-ssm": "^3.817.0",
+    "@aws-sdk/client-dynamodb": "^3.990.0",
+    "@aws-sdk/client-ssm": "^3.990.0",
     "command-line-args": "^6.0.1",
-    "compression": "^1.8.0",
+    "compression": "^1.8.1",
     "connect-dynamodb": "^3.0.5",
-    "express": "4.21.2",
-    "express-session": "1.18.2",
+    "express": "4.22.1",
+    "express-session": "1.19.0",
     "find-up": "^7.0.0",
     "helmet": "^8.1.0",
     "http-proxy-middleware": "^3.0.5",
-    "jose": "^6.0.11",
+    "jose": "^6.1.3",
     "node-forge": "1.3.3",
-    "openid-client": "^6.8.1",
+    "openid-client": "^6.8.2",
     "string-replace-middleware": "^1.1.0"
   }
 }