npm - @oslokommune/auth-bff - Versions diffs - 2.0.0-beta4 → 2.0.0-beta6 - Mend

@oslokommune/auth-bff 2.0.0-beta4 → 2.0.0-beta6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +48 -16
package/dist/package.json +5 -5
package/dist/src/config.d.ts +5 -1
package/dist/src/config.d.ts.map +1 -1
package/dist/src/config.js +2 -1
package/dist/src/middleware/OidcMiddleware.js +1 -1
package/dist/src/server.js +0 -0
package/package.json +5 -5

package/README.md CHANGED Viewed

@@ -65,6 +65,7 @@ auth-bff
 When running in docker you should specify the version to use, and make sure it matches the one used in package.json.
 Example dockerfile:
 ```dockerfile
 FROM node:23-alpine AS base
@@ -80,12 +81,13 @@ WORKDIR /application
 EXPOSE 8080
 COPY --from=react-build /home/react/dist /application/dist
 ENV NODE_ENV=production
-RUN npm install -g @oslokommune/auth-bff@2.0.0-beta4
+RUN npm install -g @oslokommune/auth-bff@2.0.0-beta6
 COPY bff.config.json /application/
 CMD ["auth-bff"]
 ```
-To use different configuration for different environments, you can create separate config files for each and select it at build time (using build args).
+To use different configuration for different environments, you can create separate config files for each and select it
+at build time (using build args).
 For example, with `bff.config.dev.json` and `bff.config.prod.json`:
 ```dockerfile
@@ -94,14 +96,13 @@ COPY bff.config.${ENVIRONMENT}.json /application/bff.config.json
 CMD ["auth-bff"]
 ```
-Or select it at runtime, using an env var:
+Or select it at runtime, using an env var:
 ```dockerfile
 COPY bff.config*.json /application/
 CMD exec auth-bff --configFile bff.config.${ENVIRONMENT}.json
 ```
 ## Configuration
 Configuration is defined in json-files that look like this:
@@ -160,7 +161,7 @@ AWS Parameter store:
 This loads from the configured AWS environment. For this to work on your local machine the `AWS_PROFILE` environment
 variable must be set, and you must be signed in to that profile
-ℹ️ [See `config.ts` for a description of all config parameters](src/config.ts)
+ℹ️ [See `config.ts` for a description of all config parameters](src/config.ts)
 ## Using with ID-porten (via `okdata`):
@@ -204,8 +205,31 @@ A new key has been created and the following parameters have been written to SSM
 }
 ```
+Note that when using `okDataIdPortenKeyName`, that key is used for authentication, and `clientSecret` is not used.
+Also, since the key is fetched from Parameter Store, you must set AWS_PROFILE and be signed in to that profile when
+running locally.
 3. Done!
+## Using with Entra ID:
+When using the package with Entra ID, you need to get credentials from Azure. You need to collect following credentials in order to be able to use this package:
+* issuer
+* client id
+* client secret
+With Entra ID you need to make sure to remove `"okDataIdPortenKeyName"`from the configuration file and replace it with client secret.
+```json
+{
+  "issuer": "https://login.microsoftonline.com/{TENANT_ID}/v2.0",
+  "clientId": "1111111q-2bab-3333-c444-5555e556cb55",
+  "clientSecret": "7dW3Q~_sdfj3-4f5g-6789-h0i1-2j3k4l5m6n7",
+  ...
+}
+```
 ## Configuring session storage
 Currently only dynamoDb is supported for storing sessions in production. It requires some setup.
@@ -216,7 +240,8 @@ sessions during front-channel logout)
 > If the table does not exist, it will be automatically created with settings not appropriate for production.
-Here is an example configuration in terraform
+Here is an example configuration in terraform. If you are using (https://km.oslo.systems/)[Golden Path],
+you can simply copy this to a file in your application stack, and run `terraform apply`
 ```terraform
 resource "aws_dynamodb_table" "session_dynamodb_table" {
@@ -287,8 +312,8 @@ dynamodb:UpdateItem
 ## React component
-This package also includes a React component for handling authentication state. It will redirect to login if required
-and optionally automatically poll for changes to authentication state.
+This package also includes a React component for handling authentication state. It will redirect to login if required
+and optionally automatically poll for changes to authentication state.
 ### AuthContextProvider
@@ -297,28 +322,28 @@ import {AuthContextProvider} from "@oslokommune/auth-bff/react";
 import {PktLoader} from "@oslokommune/punkt-react";
 const fiveMinutes = 5 * 60 * 1000;
 <AuthContextProvider authRequired={true} loaderComponent={<PktLoader/>} pollInterval={fiveMinues}>
   <App/>
 </AuthContextProvider>
 ```
-| Option         | Description                                                                                                                                           |
-|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
-| authRequired   | Whether authentication is required. If true, will redirect to login before rendering child components (default: true)                                 |
+| Option          | Description                                                                                                                                           |
+|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| authRequired    | Whether authentication is required. If true, will redirect to login before rendering child components (default: true)                                 |
 | loaderComponent | React component to display while loading auth state. (default: null)                                                                                  |
-| baseUrl        | Must be set to the same baseUrl as in the json config for login/logout to work correctly (default: '')                                                |
-| pollInterval   | Minimum interval in milliseconds between checks if session is still active. Will set authState to 'expired' if session is expired (default: disabled) |
+| baseUrl         | Must be set to the same baseUrl as in the json config for login/logout to work correctly (default: '')                                                |
+| pollInterval    | Minimum interval in milliseconds between checks if session is still active. Will set authState to 'expired' if session is expired (default: disabled) |
 ### useAuthContext
 Hook to get current AuthState. Must be called in a component inside the AuthContextProvider.
 ```tsx
 import {useAuthContext} from "@oslokommune/auth-bff/react";
 const {user, authState, login} = useAuthContext()
-if(authState === 'authenticated') {
+if (authState === 'authenticated') {
   console.log(`Hello, ${user.pid}`)
 } else {
   login()
@@ -334,6 +359,7 @@ if(authState === 'authenticated') {
 | authState | Current auth state. See table below for values                                                                                                                   |                                                                                                                                              |                                                                                                                                                         |
 #### AuthState
 | Value           | Description                                                                                                      |
 |-----------------|------------------------------------------------------------------------------------------------------------------|
 | pending         | Initial value before auth state has been determined                                                              |
@@ -342,3 +368,9 @@ if(authState === 'authenticated') {
 | expired         | User was authenticated, but the session has expired. Can be used to display message to user or redirect to login |                                                                                                                                              |                                                                                                                                                         |
 | error           | Failed to determine auth state                                                                                   |                                                                                                                                              |                                                                                                                                                         |
+## Content Security Policy
+To configure the content security policy returned by the server, use the `contentSecurityPolicy` config option. This
+configuration is passed almost as-is to (helmet)[https://github.com/helmetjs/helmet]. Since our configuration is json
+only, not all features are supported. To set a nonce, use the special form `"{nonce}"` instead. It will be replaced by a
+generated nonce for each request.

package/dist/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@oslokommune/auth-bff",
-    "version": "2.0.0-beta4",
+    "version": "2.0.0-beta6",
     "repository": "https://github.com/oslokommune/auth-bff.git",
     "publishConfig": {
         "access": "public"
@@ -37,11 +37,11 @@
         "react": "17.0.2",
         "supertest": "^7.2.2",
         "typescript": "^5.9.3",
-        "vitest": "^4.0.18"
+        "vitest": "^4.1.2"
     },
     "dependencies": {
-        "@aws-sdk/client-dynamodb": "^3.990.0",
-        "@aws-sdk/client-ssm": "^3.990.0",
+        "@aws-sdk/client-dynamodb": "^3.1018.0",
+        "@aws-sdk/client-ssm": "^3.1018.0",
         "command-line-args": "^6.0.1",
         "compression": "^1.8.1",
         "connect-dynamodb": "^3.0.5",
@@ -51,7 +51,7 @@
         "helmet": "^8.1.0",
         "http-proxy-middleware": "^3.0.5",
         "jose": "^6.1.3",
-        "node-forge": "1.3.3",
+        "node-forge": "1.4.0",
         "openid-client": "^6.8.2",
         "string-replace-middleware": "^1.1.0"
     }

package/dist/src/config.d.ts CHANGED Viewed

@@ -28,6 +28,10 @@ export type BffConfig = {
      * The ID of the client
      */
     clientId: string;
+    /**
+     * Sets the scope parameter. Values are case-sensitive. Multiple values must be sepratated by space. Default: `openid profile`
+     */
+    scope: string;
     /**
      * The client secret. Not used if `okDataIdPortenKeyName` is set.
      */
@@ -76,7 +80,7 @@ export type BffConfig = {
      */
     okDataIdPortenKeyName: string;
     /**
-     * Secret used to sign sessions
+     * Secret used to sign sessions. This can be any string, but should have at least 32 bytes of entropy in production.
      */
     sessionSecret: string;
     /**

package/dist/src/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;CACjF,CAAA;~~AAUD~~,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAID,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAqB,sBAyBtF"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;CACjF,CAAA;AAWD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAID,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAqB,sBAyBtF"}

package/dist/src/config.js CHANGED Viewed

@@ -5,7 +5,8 @@ const defaultConfig = {
     cookiePath: '/',
     cookieSecure: true,
     cookieSameSite: 'lax',
-    staticRootPath: './dist'
+    staticRootPath: './dist',
+    scope: 'openid profile'
 };
 export function getEnv(env, defaultVal, parseFn) {
     if (process.env[env]) {

package/dist/src/middleware/OidcMiddleware.js CHANGED Viewed

@@ -60,7 +60,7 @@ export class OidcMiddleware {
                 const stateKey = openIdClient.randomState();
                 const redirectUrl = req.query.redirectUrl; //TODO: håndtering av andre typer her?
                 const params = new URLSearchParams();
-                params.append('scope', "openid profile");
+                params.append('scope', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").scope);
                 params.append('code_challenge', codeChallenge);
                 params.append('code_challenge_method', 'S256');
                 params.append('redirect_uri', __classPrivateFieldGet(this, _OidcMiddleware_bffConfig, "f").redirectUri);

package/dist/src/server.js CHANGED Viewed

File without changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oslokommune/auth-bff",
-  "version": "2.0.0-beta4",
+  "version": "2.0.0-beta6",
   "repository": "https://github.com/oslokommune/auth-bff.git",
   "publishConfig": {
     "access": "public"
@@ -37,11 +37,11 @@
     "react": "17.0.2",
     "supertest": "^7.2.2",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.18"
+    "vitest": "^4.1.2"
   },
   "dependencies": {
-    "@aws-sdk/client-dynamodb": "^3.990.0",
-    "@aws-sdk/client-ssm": "^3.990.0",
+    "@aws-sdk/client-dynamodb": "^3.1018.0",
+    "@aws-sdk/client-ssm": "^3.1018.0",
     "command-line-args": "^6.0.1",
     "compression": "^1.8.1",
     "connect-dynamodb": "^3.0.5",
@@ -51,7 +51,7 @@
     "helmet": "^8.1.0",
     "http-proxy-middleware": "^3.0.5",
     "jose": "^6.1.3",
-    "node-forge": "1.3.3",
+    "node-forge": "1.4.0",
     "openid-client": "^6.8.2",
     "string-replace-middleware": "^1.1.0"
   }