npm - @oslokommune/auth-bff - Versions diffs - 2.0.2 → 2.2.0 - Mend

@oslokommune/auth-bff 2.0.2 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/README.md +63 -3
package/dist/package.json +1 -1
package/dist/src/OpenIdConfigManager.d.ts +1 -1
package/dist/src/OpenIdConfigManager.d.ts.map +1 -1
package/dist/src/OpenIdConfigManager.js +1 -1
package/dist/src/config/config.d.ts +147 -0
package/dist/src/config/config.d.ts.map +1 -0
package/dist/src/config/config.js +54 -0
package/dist/src/config/variable-loaders.d.ts +3 -0
package/dist/src/config/variable-loaders.d.ts.map +1 -0
package/dist/src/config/variable-loaders.js +20 -0
package/dist/src/config.d.ts +17 -0
package/dist/src/config.d.ts.map +1 -1
package/dist/src/config.js +32 -15
package/dist/src/middleware/OidcMiddleware.d.ts +1 -1
package/dist/src/middleware/OidcMiddleware.d.ts.map +1 -1
package/dist/src/middleware/inject-config.d.ts +4 -0
package/dist/src/middleware/inject-config.d.ts.map +1 -0
package/dist/src/middleware/inject-config.js +10 -0
package/dist/src/middleware/proxy-routes.d.ts +1 -1
package/dist/src/middleware/proxy-routes.d.ts.map +1 -1
package/dist/src/middleware/proxy-routes.js +17 -0
package/dist/src/middleware/security-headers.d.ts +1 -1
package/dist/src/middleware/security-headers.d.ts.map +1 -1
package/dist/src/middleware/sessions/sessions.d.ts +1 -1
package/dist/src/middleware/sessions/sessions.d.ts.map +1 -1
package/dist/src/middleware/static-routes.d.ts +1 -1
package/dist/src/middleware/static-routes.d.ts.map +1 -1
package/dist/src/middleware/static-routes.js +3 -7
package/dist/src/server.js +1 -1
package/dist/src/vite-plugin.d.ts.map +1 -1
package/dist/src/vite-plugin.js +3 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -81,7 +81,7 @@ WORKDIR /application
 EXPOSE 8080
 COPY --from=build /home/app/dist /application/dist
 ENV NODE_ENV=production
-RUN npm install -g @oslokommune/auth-bff@2.0.2
+RUN npm install -g @oslokommune/auth-bff@2.1.0
 COPY bff.config.json /application/
 CMD ["auth-bff"]
 ```
@@ -140,6 +140,8 @@ Standalone:
 auth-bff --configFile /path/to/bff.config.json
 ```
+### Loading values from environment or AWS Parameter Store
 The config file supports two special forms for loading values from other sources. Primarily meant for loading secrets:
 Environment values:
@@ -162,7 +164,30 @@ This loads from the configured AWS environment. For this to work on your local m
 variable must be set, and you must be signed in to that profile
 > [!NOTE]
->️ See [`config.ts`](src/config.ts) for a description of all config parameters
+>️ See [`config.ts`](src/config/config.ts) for a description of all config parameters
+### Mixing public and protected routes
+If the application has some routes that should be reachable without an authenticated session (e.g. a
+public catalog or a download endpoint polled by CI), list them under `publicProxyTargets`:
+```json
+{
+  "proxyTargets": {
+    "/api": "http://localhost:8080/api"
+  },
+  "publicProxyTargets": {
+    "/api/public": "http://localhost:8080/api/public",
+    "/export.zip": "http://localhost:8080/export.zip"
+  }
+}
+```
+Public targets are proxied through anonymously — no session lookup, no Authorization header. The
+session cookie is stripped on the way through.
+Public targets are registered before protected ones, so overlapping paths resolve to the public
+mapping (e.g. `publicProxyTargets["/api/public"]` wins over `proxyTargets["/api"]`).
 ## Using with ID-porten (via `okdata`):
@@ -394,4 +419,39 @@ To use a nonce in your app, use `__CSP_NONCE__` in your html. It will be replace
 <script nonce="__CSP_NONCE__">
     ...
 </script>
-```
+```
+## Inject config
+If your application requires configuration that needs to be determined at runtime, you can use `injectConfig` to inject
+these values into a served html file:
+```json
+{
+  "injectConfig": {
+    "enableSomeFeature": true,
+    "publicToken": "{env:MY_PUBLIC_TOKEN}"
+  }
+}
+```
+Then add something this to your `index.html`:
+```html
+<script nonce="__CSP_NONCE__">
+    const injectedConfig = __INJECTED_CONFIG__
+</script>
+```
+When rendered, `__INJECTED_CONFIG__` will be replaced with the values from `injectConfig`:
+```html
+<script nonce="abcdef123456">
+    const injectedConfig = {
+        "enableSomeFeature": true,
+        "publicToken": "pub123abc"
+    }
+</script>
+```
+> [!WARNING]
+> Do not put any secrets or other sensitive values in the injected config, they will be publicly visible.

package/dist/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@oslokommune/auth-bff",
-    "version": "2.0.2",
+    "version": "2.2.0",
     "repository": "https://github.com/oslokommune/auth-bff.git",
     "publishConfig": {
         "access": "public"

package/dist/src/OpenIdConfigManager.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import * as client from 'openid-client';
-import { BffConfig } from "./config.js";
+import { BffConfig } from "./config/config.js";
 export declare class OpenIdConfigManager {
     #private;
     constructor(config: BffConfig, serverMetadata?: client.ServerMetadata);

package/dist/src/OpenIdConfigManager.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"OpenIdConfigManager.d.ts","sourceRoot":"","sources":["../../src/OpenIdConfigManager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAA;AACvC,OAAO,EAAC,SAAS,~~EAAkB~~,MAAM,~~aAAa~~,CAAC;~~AASvD~~,qBAAa,mBAAmB;;gBAMlB,MAAM,EAAE,SAAS,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,cAAc;IAK/D,IAAI;IA4BJ,kBAAkB;IAuCxB,IAAI,YAAY,yBAEf;CAEF"}
1	+ {"version":3,"file":"OpenIdConfigManager.d.ts","sourceRoot":"","sources":["../../src/OpenIdConfigManager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAA;AACvC,OAAO,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAU7C,qBAAa,mBAAmB;;gBAMlB,MAAM,EAAE,SAAS,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,cAAc;IAK/D,IAAI;IA4BJ,kBAAkB;IAuCxB,IAAI,YAAY,yBAEf;CAEF"}

package/dist/src/OpenIdConfigManager.js CHANGED Viewed

@@ -14,7 +14,7 @@ var _OpenIdConfigManager_instances, _OpenIdConfigManager_bffConfig, _OpenIdConfi
 import forge from 'node-forge';
 import * as jose from 'jose';
 import * as client from 'openid-client';
-import { getSsmParameter } from "./config.js";
+import { getSsmParameter } from "./config/variable-loaders.js";
 export class OpenIdConfigManager {
     constructor(config, serverMetadata) {
         _OpenIdConfigManager_instances.add(this);

package/dist/src/config/config.d.ts ADDED Viewed

@@ -0,0 +1,147 @@
+import { HelmetOptions } from "helmet";
+import session from "express-session";
+export type BffConfig = {
+    /**
+     * The port at which the app will be served. Only used in standalone mode, to change the port used during development,
+     * set it in your vite config instead.
+     */
+    port: number;
+    /**
+     * The base root path. Change if app is served from a non-root path.
+     *
+     * Default: `/`
+     */
+    basePath?: string;
+    /**
+     * The root path of the static resources to be served
+     *
+     * Default: `/dist`
+     */
+    staticRootPath?: string;
+    /**
+     * The issuer
+     *
+     * Example: `https://test.idporten.no/`
+     */
+    issuer: string;
+    /**
+     * The ID of the client
+     */
+    clientId: string;
+    /**
+     * Sets the scope parameter. Values are case-sensitive. Multiple values must be sepratated by space. Default: `openid profile`
+     */
+    scope: string;
+    /**
+     * The client secret. Not used if `okDataIdPortenKeyName` is set.
+     */
+    clientSecret?: string;
+    /**
+     * The redirect uri configured for the client
+     */
+    redirectUri: string;
+    /**
+     * The intended audience for the tokens. Value(s) set here can be used to verify audience on the recipient end.
+     * See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-indicators-05.
+     *
+     * Example: `["https://example.com/api1", "https://example.com/api2"]`
+     */
+    resources?: Array<string>;
+    /**
+     * express-session cookie options, note that if this is set, the below cookie*-options will have no effect
+     */
+    cookie?: session.CookieOptions;
+    /**
+     * Sets the Path attribute of the cookie. Should most likely be the same as basePath. See https://expressjs.com/en/resources/middleware/session.html
+     *
+     * Default: `/`
+     */
+    cookiePath?: string;
+    /**
+     * Sets the Secure attribute of the cookie. See https://expressjs.com/en/resources/middleware/session.html
+     *
+     * Default: `true`
+     */
+    cookieSecure?: boolean;
+    /**
+     * Sets the SameSite attribute of the cookie. See https://expressjs.com/en/resources/middleware/session.html
+     *
+     * Default: `"lax"`
+     */
+    cookieSameSite: boolean | "lax" | "none" | "strict";
+    /**
+     * The post logout redirect uri configured for the client
+     */
+    postLogoutRedirectUri: string;
+    /**
+     * The name of the key that okdata stored in parameter store.
+     *
+     * Example: `/okdata/maskinporten/11111111-2222-3333-4444-555555555555/key.json`
+     */
+    okDataIdPortenKeyName?: string;
+    /**
+     * Secret used to sign sessions. This can be any string, but should have at least 32 bytes of entropy in production.
+     */
+    sessionSecret: string;
+    /**
+     * The type of session store used. Only `memory` and `dynamodb` currently supported. `memory` is only for dev use
+     */
+    sessionStoreType: 'memory' | 'dynamodb';
+    /**
+     * Options that will be passed to the chosen sessionStore. Options depend on the type of store chosen
+     *
+     * Example: `{"table": "my-custom-dynamodb-table"}`
+     */
+    sessionStoreOptions?: object;
+    /**
+     * Map of paths and remote targets that will be forwarded by the proxy
+     *
+     * Example: `{'/api': 'http://example.com/api'}`
+     */
+    proxyTargets: {
+        [path: string]: string;
+    };
+    /**
+     * Like `proxyTargets`, but requests pass through anonymously — no session lookup, no Authorization
+     * header. Registered before `proxyTargets`, so a public path takes precedence over an overlapping
+     * protected one.
+     *
+     * Example: `{'/api/public': 'http://example.com/api/public'}`
+     */
+    publicProxyTargets?: {
+        [path: string]: string;
+    };
+    /**
+     * List of claims in the id_token that are returned by the /user-endpoint. By default all are returned
+     *
+     * Example: `["pid"]`
+     */
+    userClaims?: Array<string>;
+    /**
+     * Content security policy configuration passed to helmet.
+     * See https://github.com/helmetjs/helmet for details. Note that since the config in limited to json,
+     * some features are not supported. To set a nonce value, use the special value `"{nonce}"` instead.
+     *
+     *
+     * Example:
+     * ```json
+     *     {
+     *       "directives": {
+     *         "default-src": ["'self'", "https://*.oslo.kommune.no", "https://*.oslo.systems"],
+     *         "script-src": ["'self'", "{nonce}"],
+     *       ...
+     *       }
+     *     }
+     * ```
+     */
+    contentSecurityPolicy?: Exclude<HelmetOptions['contentSecurityPolicy'], Boolean>;
+    /**
+     * These values will be injected into index.html, replacing any `__INJECTED_CONFIG__` if present
+     */
+    injectConfig?: string | boolean | number | null | {
+        [k: string]: string | boolean | number | null;
+    };
+};
+export declare function replaceConfigValues(value: unknown): any;
+export declare function loadConfig(configFile?: string | Array<string>): Promise<BffConfig>;
+//# sourceMappingURL=config.d.ts.map

package/dist/src/config/config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/config/config.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAGtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IAC/C;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;IAChF;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,IAAI,GAAG;QAAC,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,IAAI,CAAA;KAAC,CAAA;CAClG,CAAA;AAaD,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,OAAO,OAuBvD;AAED,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAqB,sBActF"}

package/dist/src/config/config.js ADDED Viewed

@@ -0,0 +1,54 @@
+import { findUp } from 'find-up';
+import { getEnv, getSsmParameter } from "./variable-loaders.js";
+const defaultConfig = {
+    basePath: "",
+    cookiePath: '/',
+    cookieSecure: true,
+    cookieSameSite: 'lax',
+    staticRootPath: './dist',
+    scope: 'openid profile'
+};
+let config;
+export async function replaceConfigValues(value) {
+    if (typeof value === "string") {
+        const [, varType, varName] = value.match(/\{(\w+):(.*)}/) ?? [];
+        if (varType === 'env') {
+            return getEnv(varName);
+        }
+        else if (varType === 'ssm') {
+            return await getSsmParameter(varName);
+        }
+        else if (varType) {
+            throw Error(`unknown varType: ${varType}`);
+        }
+        else {
+            return value;
+        }
+    }
+    else if (Array.isArray(value)) {
+        return Promise.all(value.map(replaceConfigValues));
+    }
+    else if (typeof value === "object" && value != null) {
+        const res = {};
+        for (const [key, val] of Object.entries(value)) {
+            res[key] = await replaceConfigValues(val);
+        }
+        return res;
+    }
+    else {
+        return value;
+    }
+}
+export async function loadConfig(configFile = 'bff.config.json') {
+    if (config)
+        return config;
+    const userConfigPath = await findUp(configFile);
+    if (!userConfigPath) {
+        throw Error(`Could not find config file ${configFile}`);
+    }
+    console.log('Loading config at', userConfigPath);
+    const { default: loadedConfig } = await import(userConfigPath, { with: { type: 'json' } });
+    const processedConfig = await replaceConfigValues(loadedConfig);
+    config = { ...defaultConfig, ...processedConfig };
+    return config;
+}

package/dist/src/config/variable-loaders.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export declare function getEnv(env: string, defaultVal?: string, parseFn?: (val: string) => string): string;
+export declare function getSsmParameter(name: string, withDecryption?: boolean): Promise<string>;
+//# sourceMappingURL=variable-loaders.d.ts.map

package/dist/src/config/variable-loaders.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"variable-loaders.d.ts","sourceRoot":"","sources":["../../../src/config/variable-loaders.ts"],"names":[],"mappings":"AAEA,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF"}

package/dist/src/config/variable-loaders.js ADDED Viewed

@@ -0,0 +1,20 @@
+import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
+export function getEnv(env, defaultVal, parseFn) {
+    if (process.env[env]) {
+        return parseFn ? parseFn(process.env[env]) : process.env[env];
+    }
+    else if (defaultVal !== undefined) {
+        return defaultVal;
+    }
+    else {
+        throw Error(`Missing env var: ${env}`);
+    }
+}
+let ssmClient;
+export async function getSsmParameter(name, withDecryption = true) {
+    ssmClient ?? (ssmClient = new SSMClient({}));
+    return ssmClient.send(new GetParameterCommand({
+        Name: name,
+        WithDecryption: withDecryption
+    })).then(p => p.Parameter.Value);
+}

package/dist/src/config.d.ts CHANGED Viewed

@@ -101,6 +101,16 @@ export type BffConfig = {
     proxyTargets: {
         [path: string]: string;
     };
+    /**
+     * Like `proxyTargets`, but requests pass through anonymously — no session lookup, no Authorization
+     * header. Registered before `proxyTargets`, so a public path takes precedence over an overlapping
+     * protected one.
+     *
+     * Example: `{'/api/public': 'http://example.com/api/public'}`
+     */
+    publicProxyTargets?: {
+        [path: string]: string;
+    };
     /**
      * List of claims in the id_token that are returned by the /user-endpoint. By default all are returned
      *
@@ -125,8 +135,15 @@ export type BffConfig = {
      * ```
      */
     contentSecurityPolicy?: Exclude<HelmetOptions['contentSecurityPolicy'], Boolean>;
+    /**
+     * These values will be injected into index.html, replacing any `__INJECTED_CONFIG__` if present
+     */
+    injectConfig?: string | {
+        [k: string]: any;
+    };
 };
 export declare function getEnv(env: string, defaultVal?: string, parseFn?: (val: string) => string): string;
 export declare function getSsmParameter(name: string, withDecryption?: boolean): Promise<string>;
+export declare function replaceConfigValues(value: unknown): any;
 export declare function loadConfig(configFile?: string | Array<string>): Promise<BffConfig>;
 //# sourceMappingURL=config.d.ts.map

package/dist/src/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;~~CACjF~~,CAAA;AAWD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAID,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAqB,~~sBAyBtF~~"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,aAAa,EAAC,MAAM,QAAQ,CAAC;AACrC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,MAAM,MAAM,SAAS,GAAG;IACtB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IACzB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAA;IAC9B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB;;;;OAIG;IACH,cAAc,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAA;IACnD;;OAEG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAA;IAC7B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,gBAAgB,EAAE,QAAQ,GAAG,UAAU,CAAA;IACvC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B;;;;OAIG;IACH,YAAY,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IACxC;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE;QAAE,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IAC/C;;;;OAIG;IACH,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1B;;;;;;;;;;;;;;;;OAgBG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAA;IAChF;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG;QAAC,CAAC,CAAC,EAAE,MAAM,GAAG,GAAG,CAAA;KAAC,CAAA;CAC3C,CAAA;AAWD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,UAQzF;AAID,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,GAAE,OAAc,mBAMjF;AAID,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,OAAO,OAuBvD;AAED,wBAAsB,UAAU,CAAC,UAAU,GAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAqB,sBActF"}

package/dist/src/config.js CHANGED Viewed

@@ -28,6 +28,36 @@ export async function getSsmParameter(name, withDecryption = true) {
     })).then(p => p.Parameter.Value);
 }
 let config;
+export async function replaceConfigValues(value) {
+    if (typeof value === "string") {
+        const [, varType, varName] = value.match(/\{(\w+):(.*)}/) ?? [];
+        if (varType === 'env') {
+            return getEnv(varName);
+        }
+        else if (varType === 'ssm') {
+            return await getSsmParameter(varName);
+        }
+        else if (varType) {
+            throw Error(`unknown varType: ${varType}`);
+        }
+        else {
+            return value;
+        }
+    }
+    else if (Array.isArray(value)) {
+        return Promise.all(value.map(replaceConfigValues));
+    }
+    else if (typeof value === "object" && value != null) {
+        const res = {};
+        for (const [key, val] of Object.entries(value)) {
+            res[key] = await replaceConfigValues(val);
+        }
+        return res;
+    }
+    else {
+        return value;
+    }
+}
 export async function loadConfig(configFile = 'bff.config.json') {
     if (config)
         return config;
@@ -37,20 +67,7 @@ export async function loadConfig(configFile = 'bff.config.json') {
     }
     console.log('Loading config at', userConfigPath);
     const { default: loadedConfig } = await import(userConfigPath, { with: { type: 'json' } });
-    for (const [key, value] of Object.entries(loadedConfig)) {
-        if (typeof value === "string") {
-            const [, varType, varName] = value.match(/\{(\w+):(.*)}/) ?? [];
-            if (varType === 'env') {
-                loadedConfig[key] = getEnv(varName);
-            }
-            else if (varType === 'ssm') {
-                loadedConfig[key] = await getSsmParameter(varName);
-            }
-            else if (varType) {
-                throw Error(`unknown varType: ${varType}`);
-            }
-        }
-    }
-    config = { ...defaultConfig, ...loadedConfig };
+    const processedConfig = await replaceConfigValues(loadedConfig);
+    config = { ...defaultConfig, ...processedConfig };
     return config;
 }

package/dist/src/middleware/OidcMiddleware.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { OpenIdConfigManager } from "../OpenIdConfigManager.js";
-import { BffConfig } from "../config.js";
+import { BffConfig } from "../config/config.js";
 import type { Request, Response, NextFunction } from 'express';
 export declare class OidcMiddleware {
     #private;

package/dist/src/middleware/OidcMiddleware.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"OidcMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/OidcMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,mBAAmB,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAAC,SAAS,EAAC,MAAM,~~cAAc~~,CAAC;~~AACvC~~,OAAO,KAAK,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AAK5D,qBAAa,cAAc;;IAKzB;;;;OAIG;gBACS,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB;WASpD,MAAM,CAAC,MAAM,EAAE,SAAS;IAgErC,IAAI,gBAAgB,KACV,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UAWxD;IAED,IAAI,KAAK,KACO,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBA+B9D;IAqBD,IAAI,QAAQ,KACI,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAuC9D;IAED,IAAI,IAAI,KACQ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,iDAc9D;IAED,IAAI,MAAM,KACA,KAAK,OAAO,EAAE,KAAK,QAAQ,UASpC;IAED,IAAI,kBAAkB,KACN,KAAK,OAAO,EAAE,KAAK,QAAQ,mBAc1C;CACF"}
1	+ {"version":3,"file":"OidcMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/OidcMiddleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,mBAAmB,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAC9C,OAAO,KAAK,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AAK5D,qBAAa,cAAc;;IAKzB;;;;OAIG;gBACS,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB;WASpD,MAAM,CAAC,MAAM,EAAE,SAAS;IAgErC,IAAI,gBAAgB,KACV,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UAWxD;IAED,IAAI,KAAK,KACO,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBA+B9D;IAqBD,IAAI,QAAQ,KACI,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAuC9D;IAED,IAAI,IAAI,KACQ,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,iDAc9D;IAED,IAAI,MAAM,KACA,KAAK,OAAO,EAAE,KAAK,QAAQ,UASpC;IAED,IAAI,kBAAkB,KACN,KAAK,OAAO,EAAE,KAAK,QAAQ,mBAc1C;CACF"}

package/dist/src/middleware/inject-config.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import { BffConfig } from "../config/config.js";
+import { Request, Response } from "express";
+export declare function injectConfig(config: BffConfig): (req: Request, originalResponse: Response, next: import("express").NextFunction) => void;
+//# sourceMappingURL=inject-config.d.ts.map

package/dist/src/middleware/inject-config.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"inject-config.d.ts","sourceRoot":"","sources":["../../../src/middleware/inject-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,MAAM,SAAS,CAAC;AAG1C,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,4FAQ7C"}

package/dist/src/middleware/inject-config.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { stringReplace } from "string-replace-middleware";
+export function injectConfig(config) {
+    const injectConfigString = JSON.stringify(config.injectConfig)?.replace(/[&'<>]/g, '_ILLEGAL_CHAR_');
+    return stringReplace({
+        '__CSP_NONCE__': (_, res) => res.locals.cspNonce,
+        '__INJECTED_CONFIG__': injectConfigString,
+    }, {
+        contentTypeFilterRegexp: /^text\/html/
+    });
+}

package/dist/src/middleware/proxy-routes.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { BffConfig } from "../config.js";
+import { BffConfig } from "../config/config.js";
 import { OidcMiddleware } from "./OidcMiddleware.js";
 export declare function proxyRoutes(config: BffConfig, oidcMiddleware: OidcMiddleware): import("express-serve-static-core").Router;
 //# sourceMappingURL=proxy-routes.d.ts.map

package/dist/src/middleware/proxy-routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"proxy-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/proxy-routes.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,SAAS,EAAC,MAAM,~~cAAc~~,CAAC;~~AACvC~~,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAEnD,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,~~8CA6B5E~~"}
1	+ {"version":3,"file":"proxy-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/proxy-routes.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAEnD,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,8CAoD5E"}

package/dist/src/middleware/proxy-routes.js CHANGED Viewed

@@ -2,6 +2,23 @@ import express from "express";
 import { createProxyMiddleware } from "http-proxy-middleware";
 export function proxyRoutes(config, oidcMiddleware) {
     const router = express.Router();
+    // Public targets first so they win over overlapping protected paths.
+    for (const [path, target] of Object.entries(config.publicProxyTargets ?? {})) {
+        console.log(`Setting up public proxy: ${path} -> ${target}`);
+        router.use(path, createProxyMiddleware({
+            target: target,
+            changeOrigin: true,
+            on: {
+                proxyReq: (proxyReq) => {
+                    proxyReq.removeHeader("Cookie");
+                },
+                proxyRes: (proxyRes, req) => {
+                    // @ts-ignore //TODO: proxyRes har en mystisk type som mangler req, men den er der
+                    console.log(`Proxied (public): ${req.method} ${req.originalUrl} -> ${proxyRes.req.protocol}//${proxyRes.req.host}${proxyRes.req.path}, status=${proxyRes.statusCode}`);
+                }
+            }
+        }));
+    }
     for (const [path, target] of Object.entries(config.proxyTargets)) {
         console.log(`Setting up auth proxy: ${path} -> ${target}`);
         router.use(path, oidcMiddleware.ensureFreshToken, createProxyMiddleware({

package/dist/src/middleware/security-headers.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
 import { Request, Response, NextFunction } from 'express';
-import { BffConfig } from "../config.js";
+import { BffConfig } from "../config/config.js";
 export declare function securityHeaders(config: BffConfig): ((_: Request, res: Response, next: NextFunction) => void)[];
 //# sourceMappingURL=security-headers.d.ts.map

package/dist/src/middleware/security-headers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AACvD,OAAO,EAAC,SAAS,EAAC,MAAM,~~cAAc~~,CAAC;~~AAEvC~~,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,QAcR,OAAO,OAAO,QAAQ,QAAQ,YAAY,aAkBlF"}
1	+ {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAC,MAAM,SAAS,CAAA;AACvD,OAAO,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAE9C,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,QAcR,OAAO,OAAO,QAAQ,QAAQ,YAAY,aAkBlF"}

package/dist/src/middleware/sessions/sessions.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
-import { BffConfig } from "../../config.js";
+import { BffConfig } from "../../config/config.js";
 export declare function sessions(config: BffConfig): import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>[];
 //# sourceMappingURL=sessions.d.ts.map

package/dist/src/middleware/sessions/sessions.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/sessions.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,~~iBAAiB~~,CAAC;~~AAG1C~~,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,kJAiCzC"}
1	+ {"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../../src/middleware/sessions/sessions.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,wBAAwB,CAAC;AAGjD,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,kJAiCzC"}

package/dist/src/middleware/static-routes.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
-import { BffConfig } from "../config.js";
+import { BffConfig } from "../config/config.js";
 export declare function staticRoutes(config: BffConfig): import("express-serve-static-core").Router;
 //# sourceMappingURL=static-routes.d.ts.map

package/dist/src/middleware/static-routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"static-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/static-routes.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,~~cAAc~~,CAAC;~~AAEvC~~,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,~~8CAiB7C~~"}
1	+ {"version":3,"file":"static-routes.d.ts","sourceRoot":"","sources":["../../../src/middleware/static-routes.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAG9C,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,8CAY7C"}

package/dist/src/middleware/static-routes.js CHANGED Viewed

@@ -1,19 +1,15 @@
 import express from "express";
-import { stringReplace } from "string-replace-middleware";
 import path from "path";
+import { injectConfig } from "./inject-config.js";
 export function staticRoutes(config) {
     const router = express.Router();
-    router.use(stringReplace({
-        '__CSP_NONCE__': (_, res) => res.locals.cspNonce
-    }, {
-        contentTypeFilterRegexp: /^text\/html/
-    }));
+    router.use(injectConfig(config));
     const staticPath = path.resolve(process.cwd(), config.staticRootPath);
     console.log(`Serving static content from '${staticPath}'`);
     router.use(express.static(staticPath, { index: false }));
     router.get('*', function (_, res) {
         res.set('Cache-Control', 'no-store');
-        res.sendFile(path.resolve(staticPath, 'index.html'));
+        res.sendFile(path.resolve(staticPath, 'index.html'), { etag: false });
     });
     return router;
 }

package/dist/src/server.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import express from "express";
 import compression from "compression";
-import { loadConfig } from './config.js';
+import { loadConfig } from './config/config.js';
 import { proxyRoutes } from "./middleware/proxy-routes.js";
 import { staticRoutes } from "./middleware/static-routes.js";
 import { securityHeaders } from "./middleware/security-headers.js";

package/dist/src/vite-plugin.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"vite-plugin.d.ts","sourceRoot":"","sources":["../../src/vite-plugin.ts"],"names":[],"mappings":"AAGA,OAAO,EAAgB,MAAM,EAAC,MAAM,MAAM,CAAA;~~AAsB1C~~,MAAM,CAAC,OAAO,UAAU,GAAG,CAAC,EAAC,UAAU,EAAC,GAAE;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;CAAM,GAAG,MAAM,CAO5F"}
1	+ {"version":3,"file":"vite-plugin.d.ts","sourceRoot":"","sources":["../../src/vite-plugin.ts"],"names":[],"mappings":"AAGA,OAAO,EAAgB,MAAM,EAAC,MAAM,MAAM,CAAA;AAwB1C,MAAM,CAAC,OAAO,UAAU,GAAG,CAAC,EAAC,UAAU,EAAC,GAAE;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;CAAM,GAAG,MAAM,CAO5F"}

package/dist/src/vite-plugin.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import express from "express";
-import { loadConfig } from "./config.js";
+import { loadConfig } from "./config/config.js";
 import { OidcMiddleware } from "./middleware/OidcMiddleware.js";
+import { injectConfig } from "./middleware/inject-config.js";
 function configureServer(configFilePath) {
     return async ({ middlewares }) => {
         const { oidcRoutes } = await import("./middleware/oidc-routes.js");
@@ -13,6 +14,7 @@ function configureServer(configFilePath) {
         app.use(sessions(config));
         app.use(basePath, oidcRoutes(oidcMiddleware));
         app.use(basePath, proxyRoutes(config, oidcMiddleware));
+        app.use(basePath, injectConfig(config));
         middlewares.use(app);
     };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oslokommune/auth-bff",
-  "version": "2.0.2",
+  "version": "2.2.0",
   "repository": "https://github.com/oslokommune/auth-bff.git",
   "publishConfig": {
     "access": "public"